Security Authorization Strategy
0 likes209 views
This document provides guidance on implementing a user and group strategy for security authorization. It discusses defining groups for users, global groups, local groups, and universal groups. It recommends best practices such as not assigning access control lists (ACLs) directly to users, only adding users to global groups, and nesting global and universal groups within local groups which are granted ACLs. The document also discusses creating policies to govern IT systems and infrastructure based on business delegation models and data security categories. It recommends practices from Microsoft such as regular risk assessments and implementing groups based on departments, projects, and security categories.
Security Authorization Strategy
- 1. Security Authorization Strategy User and Group Usage October 1st. 2009 Eguibar Information Technology S.L. © 2015 1
- 2. Table of Contents 1. IT Business Requirements 2. Groups Usage Definition 3. Groups Usage Implementation 4. Policy Best Practices 5. Group Strategy based on IT Delegation Model 6. Microsoft Recommended Best Practices 7. Example October 1st. 2009 Eguibar Information Technology S.L. © 2015 2
- 3. IT Business Requirements October 1st. 2009 Eguibar Information Technology S.L. © 2015 3
- 4. IT Business Requirements Simplify the security assignment to the end user. Reduce overall time for authorization management. Authorizations have to be removed when changing departments. Authorizations on “temporary leave” have to be considered. Record each user access on corresponding company DB. Prepare environment for data privacy (including compliancy). Allow consistent Security Audits on the environment. Perform a regular Risk and Health Assessment Program for Active Directory (ADRAP) to identify and mitigate risks regarding infrastructure, policies, security, procedures, capacity, etc. Provide the AD with IT Management Organizational data. Facilitate the implementation of external management tools. October 1st. 2009 Eguibar Information Technology S.L. © 2015 4
- 5. Groups Usage Definition October 1st. 2009 Eguibar Information Technology S.L. © 2015 5
- 6. Groups Usage Definition Object Description Usage User Representation of a person. Identity within the directory. Can have direct ACL but not recommended. An exception is Home Folder. Global Group Group of users with a common interest. Intended to group Users and/or other Global Groups. Can have direct ACL but not recommended. Tool to provide Active Directory with Business Organization. Local Group Group which controls access to a given resource. Local Group is within the server. Domain Local Group is within Active Directory. For each type of access, these kind of groups will control who has granted/denied access. These groups have direct ACL. These groups can have users, but is not recommended. ACL Access Control List. List of objects (recommended to be Local Group) with granted or denied access to certain resource. Resource Any piece of information that its access and has to be controlled. Resource can be an application, a file, a folder, a printer, etc. Any electronic information, subject of controlling access to it, is considered a resource. Universal Group A Group of Groups with the widest scope (all infrastructure scope) This is also known as a Cross-Domain group, and is recommended to be used for collaboration between domains and should only contain Global Groups. Can have direct ACL and individual users, but not recommended October 1st. 2009 Eguibar Information Technology S.L. © 2015 6
- 7. Groups Usage Implementation October 1st. 2009 Eguibar Information Technology S.L. © 2015 7
- 8. Groups Usage Implementation (1/3) http://technet.microsoft.com/en- us/library/cc755692(WS.10).aspx a) Do not assign ACL to individual users. The ONLY valid exception is the Home Folder. b) Users are members ONLY of Global Groups (avoid adding users to Local Groups, Domain Local Groups or Universal Groups). c) Global Groups can be nested within other Global Groups (also Universal Groups). October 1st. 2009 Eguibar Information Technology S.L. © 2015 8
- 9. Groups Usage Implementation (2/3) http://technet.microsoft.com/en- us/library/cc755692(WS.10).aspx d) Global Groups (or Universal Groups) are members (nested) within Local Groups and/or Domain Local Groups. e) Local Groups will be granted Access Control List (ACL) to the corresponding resource. Individual Local Group based on the given ACL if different access levels are needed (Read Access, Change Access, FullControl Access…). October 1st. 2009 Eguibar Information Technology S.L. © 2015 9
- 10. Groups Usage Implementation (3/3) http://technet.microsoft.com/en-us/library/cc755692(WS.10).aspx a) No direct permission to user. b) Users as members of Global Groups c) Global Groups nested into Global Groups (or Universal Groups). d) Global Groups (or Universal) nested within Local Groups / Domain Local Groups. e) Local Groups granted ACL to the corresponding resource. October 1st. 2009 Eguibar Information Technology S.L. © 2015 10
- 11. Policy Best Practices October 1st. 2009 Eguibar Information Technology S.L. © 2015 11
- 12. Policy Best Practices It is recommended to create a policy stating the Business Delegation rules concerning IT systems and Infrastructure. Policy should be flexible to accommodate all business units. Policy should provide enough business organization to the IT systems implemented. Avoid reproducing the company organization chart into the directory. Instead reproduce the functional organization. The policy must follow manufacturer best practices as well as standard security practices from the design and governance point of view. The policy should be Technical Agnostic, and should focus on the functional organization. The policy is the input information for any related external provider. October 1st. 2009 Eguibar Information Technology S.L. © 2015 12
- 13. Group Strategy based on IT Delegation Model October 1st. 2009 Eguibar Information Technology S.L. © 2015 13
- 14. Group Strategy based on IT Delegation Model October 1st. 2009 Eguibar Information Technology S.L. © 2015 14
- 15. Microsoft Recommended Best Practices October 1st. 2009 Eguibar Information Technology S.L. © 2015 15
- 16. Microsoft Recommended Best Practices (1/2) Security is a must nowadays, and should always start from the governance of the systems. It is recommended to create a policy regarding data compliancy within the organization. The policy should be flexible enough to accommodate all business needs, but strong to avoid security leaks. Create a data security category and enforce its usage. Confidential data (around 5% of total data); Private data (15% of total data); Common data (60% of total data) and Public data (20% of total data). Grant and Revoke access based on the Administration Delegation Model and the given category. Avoid mixing data of different security levels. Create Delegated Areas (Shares or Sub-Folders) based on access category and not by common or parent area. Prepare data for security auditing and data compliancy. October 1st. 2009 Eguibar Information Technology S.L. © 2015 16
- 17. Microsoft Recommended Best Practices (2/2) Create Global Groups for each Department Create Global Groups for each Project Assign users to the corresponding Global Groups If required authorization can’t be covered by the above Global Groups, it is necessary to create Sub-Groups If security categories are required (e.g. Confidential Data) create separate shares and separate groupings. Use Universal Groups to group different areas (or Global Groups) and/or to cross boundaries (ej. Different forest) Implement best practices process (as shown on the result of Microsoft® Risk and Health Assessment Program for Active Directory – ADRAP) October 1st. 2009 Eguibar Information Technology S.L. © 2015 17
- 18. Example October 1st. 2009 Eguibar Information Technology S.L. © 2015 18
- 19. Example October 1st. 2009 Eguibar Information Technology S.L. © 2015 19