Security Authorization Strategy
User and Group Usage
October 1st, 2009. Eguibar Information Technology S.L. © 2015
Table of Contents
1. IT Business Requirements
2. Groups Usage Definition
3. Groups Usage Implementation
4. Policy Best Practices
5. Group Strategy based on IT Delegation Model
6. Microsoft Recommended Best Practices
7. Example
IT Business Requirements
- Simplify the security assignment to the end user.
- Reduce the overall time spent on authorization management.
- Authorizations have to be removed when a user changes department.
- Authorizations during a "temporary leave" have to be considered.
- Record each user access in the corresponding company DB.
- Prepare the environment for data privacy (including compliance).
- Allow consistent security audits of the environment.
- Perform a regular Risk and Health Assessment Program for Active Directory (ADRAP) to identify and mitigate risks regarding infrastructure, policies, security, procedures, capacity, etc.
- Provide the AD with IT management organizational data.
- Facilitate the implementation of external management tools.
Groups Usage Definition
| Object | Description | Usage |
|---|---|---|
| User | Representation of a person; the identity within the directory. | Can have a direct ACL, but this is not recommended. The one exception is the Home Folder. |
| Global Group | Group of users with a common interest. | Intended to group Users and/or other Global Groups. Can have a direct ACL, but this is not recommended. The tool that gives Active Directory the business organization. |
| Local Group | Group which controls access to a given resource. A Local Group lives on the server; a Domain Local Group lives in Active Directory. | For each type of access, these groups control who is granted or denied access. These groups carry the direct ACL. They can contain users, but this is not recommended. |
| ACL | Access Control List. | List of objects (recommended to be Local Groups) with granted or denied access to a certain resource. |
| Resource | Any piece of information whose access has to be controlled. | A resource can be an application, a file, a folder, a printer, etc. Any electronic information whose access must be controlled is considered a resource. |
| Universal Group | A group of groups with the widest scope (the whole infrastructure). | Also known as a cross-domain group; recommended for collaboration between domains and should only contain Global Groups. Can have a direct ACL and individual users, but this is not recommended. |
Groups Usage Implementation (1/3)
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
a) Do not assign an ACL to individual users. The ONLY valid exception is the Home Folder.
b) Users are members ONLY of Global Groups (avoid adding users to Local Groups, Domain Local Groups or Universal Groups).
c) Global Groups can be nested within other Global Groups (and within Universal Groups).
Groups Usage Implementation (2/3)
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
d) Global Groups (or Universal Groups) are members (nested) within Local Groups and/or Domain Local Groups.
e) Local Groups are granted the Access Control List (ACL) to the corresponding resource. If different access levels are needed (Read access, Change access, Full Control access, ...), create an individual Local Group per access level.
Groups Usage Implementation (3/3)
http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx
a) No direct permissions to users.
b) Users as members of Global Groups.
c) Global Groups nested into Global Groups (or Universal Groups).
d) Global Groups (or Universal Groups) nested within Local Groups / Domain Local Groups.
e) Local Groups granted the ACL to the corresponding resource.
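The following checker enforces rules a) to e) over a membership graph; it is an added example, not code from the deck or from Eguibar, and it runs over a constructed in-memory model rather than a live Active Directory (the object names, the `kind` labels and the `home:` prefix that marks a Home Folder are assumptions of the example).

```python
# Added example, not from the deck: check rules a)-e) of "Groups Usage
# Implementation" over a constructed in-memory model, not a live directory.
from dataclasses import dataclass, field

# Member kinds each container kind may hold (rules b, c, d, and the Universal
# Group definition: "should only contain Global Groups").
ALLOWED_MEMBERS = {
    "global": {"user", "global"},
    "universal": {"global"},
    "domainlocal": {"global", "universal"},
}
@dataclass
class Obj:
    name: str
    kind: str                        # user | global | universal | domainlocal
    members: set = field(default_factory=set)

def check_agdlp(objects: dict, acls: dict) -> list:
    """Return violations. acls maps resource -> principal names; the 'home:' prefix
    (an assumption here) marks a Home Folder, where a user may carry a direct ACL."""
    violations = []
    for obj in objects.values():
        for m in obj.members:
            mkind = objects[m].kind
            if mkind not in ALLOWED_MEMBERS.get(obj.kind, set()):
                violations.append(f"{obj.kind} group {obj.name} contains {mkind} {m}")
    for resource, principals in acls.items():
        for p in principals:
            kind = objects[p].kind
            if kind == "user" and resource.startswith("home:"):
                continue                 # rule a) exception
            if kind != "domainlocal":    # rule e): ACL only on (Domain) Local Groups
                violations.append(f"ACL on {resource} granted to {kind} {p}; "
                                  "use a Domain Local group")
    return violations

def sample_directory():
    """Constructed sample: a small AGDLP layout with two deliberate mistakes."""
    objs = {o.name: o for o in [
        Obj("alice", "user"), Obj("bob", "user"),
        Obj("GG_Finance", "global", {"alice"}),
        Obj("GG_ProjectX", "global", {"bob", "GG_Finance"}),   # c) global in global
        Obj("UG_Finance_Forests", "universal", {"GG_Finance"}),
        Obj("DL_FinShare_Read", "domainlocal", {"GG_ProjectX"}),
        Obj("DL_FinShare_Change", "domainlocal", {"GG_Finance", "bob"}),  # breaks b)
    ]}
    acls = {"share:fs01/Finance": {"DL_FinShare_Read", "DL_FinShare_Change",
                                   "GG_Finance"},              # breaks e)
            "home:fs01/Home/alice": {"alice"}}                 # a) exception
    return objs, acls
```

Running `check_agdlp(*sample_directory())` reports exactly the two planted mistakes: the user nested directly in a Domain Local group and the Global Group that carries an ACL on the share.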
Policy Best Practices
It is recommended to create a policy stating the business delegation rules concerning IT systems and infrastructure.
- The policy should be flexible enough to accommodate all business units.
- The policy should provide enough business organization to the IT systems implemented.
- Avoid reproducing the company organization chart in the directory; instead, reproduce the functional organization.
- The policy must follow manufacturer best practices as well as standard security practices from the design and governance point of view.
- The policy should be technology-agnostic and should focus on the functional organization.
- The policy is the input for any related external provider.
Group Strategy based on IT Delegation Model
Microsoft Recommended Best Practices (1/2)
Security is a must nowadays, and should always start from the governance of the systems.
- It is recommended to create a policy regarding data compliance within the organization.
- The policy should be flexible enough to accommodate all business needs, but strong enough to avoid security leaks.
- Create data security categories and enforce their usage:
  Confidential data (around 5% of total data); Private data (15% of total data); Common data (60% of total data) and Public data (20% of total data).
- Grant and revoke access based on the Administration Delegation Model and the given category.
- Avoid mixing data of different security levels.
- Create delegated areas (shares or sub-folders) based on the access category, not on a common or parent area.
- Prepare data for security auditing and data compliance.
Microsoft Recommended Best Practices (2/2)
- Create Global Groups for each department.
- Create Global Groups for each project.
- Assign users to the corresponding Global Groups.
- If the required authorization cannot be covered by the above Global Groups, create sub-groups.
- If security categories are required (e.g. Confidential data), create separate shares and separate groupings.
- Use Universal Groups to group different areas (or Global Groups) and/or to cross boundaries (e.g. different forests).
- Implement the best-practices process (as shown in the results of the Microsoft® Risk and Health Assessment Program for Active Directory, ADRAP).
Example