technology | system admin - Matt Snyder
6 Ways to Secure Your Desktop with Active Directory
Securing one Windows desktop, or a handful of them, is easy enough to do by hand. As the environment grows, though, keeping every machine configured consistently becomes increasingly difficult. In a Windows environment, an extremely powerful tool exists to help admins with this management: Active Directory.
Active Directory is a hierarchical framework of objects (resources, services, user accounts, and groups) together with the access permissions and security settings on those objects. At its core, AD is simply a database of all these components and their attributes. Manipulating these objects and their attributes is how you manage and secure your fleet of Windows PCs.
There are extremely complex layers to how this is all woven together. For now, let's focus on six components that you are likely to see implemented in a typical Windows domain environment.
1. Domains
Active Directory provides layers above the domain (trees and forests), but the domain is the layer you will run across in most organizations. Simply put, a domain can be summed up in two words: authentication and authorization.
Let's say you splurge on a season pass to your favorite theme park. You pay the necessary fees to gain access to the park and any extra excursions or experiences. Your information is then documented and saved in the park's database.
When it comes to authentication in a domain, one of the first questions that must be answered is, "Who are you?" When you sit at a domain workstation, you provide your username and password to authenticate against the domain. You are then granted access to that station and to other resources within the domain, such as file shares and printers.
This is like providing your season pass at the entrance to the theme park. You swipe a card and the information on the card is compared to a master database to check to see if you have access to the park. If your information is valid, you are granted entrance into the park.
Authorization depends heavily on authentication and deals with access to trusted resources within the domain. When you pay for your season pass, you have general access to the park, but you also have access to the specific excursions and experiences that you paid for. Think of this like a "ticket," which is the exact terminology Kerberos uses for this.
Kerberos, the default Windows domain authentication protocol, grants a user a ticket-granting ticket (TGT) upon successful authentication. When you browse to a file server, your workstation presents that TGT to a domain controller and receives a service ticket for that specific server. The service ticket carries your user SID and group SIDs, and the file server reads those to grant or deny access to its shares and folders. The server never sees your password; it trusts the ticket because the domain controller issued it.
Authentication is a major layer of security in terms of who is able to log into a PC and who is not. Someone looking to steal data from a computer is hindered if they cannot log in with valid domain credentials. Authorization is just as important, as it addresses which resources are available to the authenticated user. These two concepts are inseparable when it comes to security in a domain environment.
2. Login Scripts
Scripts are usually small files containing instructions that are executed when they are opened or run. They are typically used to automate a set of repetitive or predictable tasks. They are excellent tools not only for saving time and increasing efficiency, but for producing a predictable outcome: the same instructions are executed every single time.
People tend to forget steps when doing mundane and repetitive tasks, so scripts help to do these tasks with more accuracy, thus improving overall security by standardizing certain settings.
Login scripts, run when a user logs into a Windows computer, can also be run locally on a PC outside of a domain. However, they are typically implemented in a domain environment to apply a standard set of commands at computer startup, shutdown, user logon, and logoff. Depending on what you want to accomplish, you can have scripts execute during any one of these four events; startup and shutdown scripts run as the computer account with SYSTEM privileges, while logon and logoff scripts run with the rights of the user who is logging on.
Login scripts, most often, are used in a domain environment. They can be used to attach one or more network printers; create shortcuts on the user desktop; map one or more network shares; or execute an application with specific parameters after a user logs in.
The usage of login scripts is becoming less frequent as more of the traditional uses are integrated into Group Policy (drive maps, printers, and shortcuts are all available as Group Policy Preferences). Login scripts also have drawbacks. If the files are staged in a central network location, such as the domain's NETLOGON share, every PC must reach that location at logon, which can slow the logon process. If the files are stored locally on each PC instead, any change must be made to every copy on every PC in the environment, an administrative burden. One caveat that matters for security: because the script runs with the logging-on user's rights (or SYSTEM for startup scripts), anyone who can write to the script file or the share it lives on can run arbitrary code on every machine that executes it. Keep write access to those locations restricted to administrators and review the ACLs periodically.
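The logon script below is an added example, not code from the original article. It shows the tasks the section describes (map shares, connect a printer, create a shortcut) written so that it runs repeatedly without error and logs what it did. The server names FS01 and PRINT01, the share and printer names, and the Finance group are assumptions for illustration; group membership is read from the user's logon token, so no RSAT modules are needed on the workstation.

```powershell
# Added example logon script (not from the original article). Assumes hypothetical
# servers FS01 and PRINT01, shares "Shared" and "Finance", group "Finance" and
# printer "HQ-Color". Runs as the logging-on user, so it only has that user's rights.

$LogFile = Join-Path $env:LOCALAPPDATA 'logon-script.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Out-File -FilePath $LogFile -Append -Encoding utf8
}

# Group membership from the logon token: the same group SIDs that sit in the Kerberos ticket.
function Test-GroupMembership([string]$GroupName) {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try {
            $name = $sid.Translate([Security.Principal.NTAccount]).Value
            if ($name -like "*\$GroupName") { return $true }
        } catch { }   # SIDs that cannot be resolved (logon SIDs, for example) are skipped
    }
    return $false
}

# Map a drive letter only if it is not already pointing at the right share.
function Connect-Share([string]$Letter, [string]$UncPath) {
    $existing = Get-PSDrive -Name $Letter -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -eq $UncPath) { return }
    if ($existing) { Remove-PSDrive -Name $Letter -Force }
    New-PSDrive -Name $Letter -PSProvider FileSystem -Root $UncPath -Persist -Scope Global | Out-Null
    Write-Log "Mapped ${Letter}: to $UncPath"
}

try {
    Connect-Share -Letter 'S' -UncPath '\\FS01\Shared'
    if (Test-GroupMembership 'Finance') { Connect-Share -Letter 'F' -UncPath '\\FS01\Finance' }

    # Per-user printer connection, added only when it is not already present.
    $printer = '\\PRINT01\HQ-Color'
    if (-not (Get-Printer -Name $printer -ErrorAction SilentlyContinue)) {
        Add-Printer -ConnectionName $printer -ErrorAction Stop
        Write-Log "Connected printer $printer"
    }

    # Desktop shortcut to the mapped shared drive.
    $shortcut = Join-Path ([Environment]::GetFolderPath('Desktop')) 'Shared Drive.lnk'
    if (-not (Test-Path $shortcut)) {
        $shell = New-Object -ComObject WScript.Shell
        $link  = $shell.CreateShortcut($shortcut)
        $link.TargetPath = 'S:\'
        $link.Save()
        Write-Log "Created shortcut $shortcut"
    }
} catch {
    Write-Log "ERROR: $($_.Exception.Message)"
}
```

Assign it either through the user account's logon script attribute (the file then lives in the NETLOGON share) or through a Group Policy logon script. In both cases the ACL on the script's location is part of your security boundary: if standard users can modify the file, they can run code as every user who logs on.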
3. Group Policy
Group Policy is an integral part of the Active Directory environment. If you need to control what users are allowed to do on a Windows desktop, this will be your crucial tool. Thousands of settings in the Windows operating system, and in applications that ship policy templates, can be configured using Group Policy. Group Policy can be managed locally on each PC, referred to as the local group policy, or centrally from Active Directory, where Group Policy Objects (GPOs) are linked to the domain or to organizational units.
Don't want users to change the time zone settings? Do you want Microsoft Edge to open a specific set of websites when it's run? Would you rather not let users be able to change the IP settings?
Group Policy is the answer to all of these questions and lets you provide a secure and standardized desktop to all of your users. You can also provide a different desktop experience, with different security settings, to users based on their function within the company. Your systems engineering and IT support staff would typically be given a different level of access on a desktop than a standard user. Because GPOs are linked to organizational units and can be filtered by security group, Group Policy lets you differentiate the level of security based on a variety of factors.
As companies are focusing more on security, knowing how to properly architect Group Policy will become increasingly important in ensuring a secured desktop environment for your users.
4. Organizational Units
Organizational units, also referred to as OUs, are containers where computer and user objects reside inside your Active Directory structure. Each user and PC, along with other resources, will be represented by what's called an object in the structure. How you decide to secure your domain will usually determine how you structure these objects.
Think of a typical folder structure on a PC. Depending on how you organize your data, you will have a certain structure that makes sense to you. For example, I may have hundreds of pictures from my smartphone that I dumped onto my computer. I may organize them by year, then by location, and then by activity, with each level in its own folder. This way I can easily find the Halloween pictures from 2015. In Active Directory the same idea applies: OUs are where GPOs are linked and where administrative rights are delegated, so user objects are typically kept in separate OUs from computer objects, which makes Group Policy and delegation easier to manage.
There are quite a few schools of thought on how an OU structure should look, but ultimately it needs to make sense to you and your team. It needs to be laid out in a way that makes it easy to manage and to change when you implement new security measures in the environment.
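The script below is an added example, not code from the original article, and it covers both the Group Policy and Organizational Units sections: it builds an OU tree that separates users from computers and IT staff from standard users, creates a GPO with two of the settings the text mentions (locking LAN connection properties and fixing Microsoft Edge's startup pages), and links that GPO to the standard-user OU only. It requires the ActiveDirectory and GroupPolicy RSAT modules and an account with rights to create OUs and GPOs; the OU names, GPO name, intranet URL and the workstation name WS01 are assumptions.

```powershell
# Added example (not from the original article). Requires RSAT ActiveDirectory and
# GroupPolicy modules. OU names, GPO name, URL and computer name are assumptions.
Import-Module ActiveDirectory, GroupPolicy

$DomainDN = (Get-ADDomain).DistinguishedName
$Root     = "OU=Corp,$DomainDN"

# Users and computers live in separate OUs so user-side and computer-side policy can be
# linked independently; IT staff get their own OU so the lockdown GPO never hits them.
$OuTree = @(
    @{ Name = 'Corp';         Path = $DomainDN }
    @{ Name = 'Users';        Path = $Root }
    @{ Name = 'Standard';     Path = "OU=Users,$Root" }
    @{ Name = 'IT';           Path = "OU=Users,$Root" }
    @{ Name = 'Workstations'; Path = $Root }
)
foreach ($ou in $OuTree) {
    $exists = Get-ADOrganizationalUnit -Filter "Name -eq '$($ou.Name)'" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# Move a workstation into its OU; computer-side GPOs linked there will now apply to it.
$ws = Get-ADComputer -Identity 'WS01' -ErrorAction SilentlyContinue
if ($ws -and $ws.DistinguishedName -notlike "*OU=Workstations,$Root") {
    Move-ADObject -Identity $ws.DistinguishedName -TargetPath "OU=Workstations,$Root"
}

# Create the lockdown GPO. Set-GPRegistryValue maps HKCU keys to User Configuration.
$GpoName = 'Standard User Desktop Lockdown'
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Example: lock LAN settings, fixed Edge start pages' | Out-Null
}

# "Network Connections: Prohibit access to properties of a LAN connection"
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Network Connections' `
    -ValueName 'NC_LanProperties' -Type DWord -Value 1 | Out-Null

# Microsoft Edge: RestoreOnStartup = 4 means "open the URLs listed under RestoreOnStartupURLs"
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Edge' `
    -ValueName 'RestoreOnStartup' -Type DWord -Value 4 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Edge\RestoreOnStartupURLs' `
    -ValueName '1' -Type String -Value 'https://intranet.example.com' | Out-Null

# Link to OU=Standard only. IT staff in OU=IT keep the default, less restrictive desktop.
$target = "OU=Standard,OU=Users,$Root"
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $target -LinkEnabled Yes | Out-Null
}

# Verify what the GPO carries and where it is linked.
Get-GPRegistryValue -Name $GpoName -Key 'HKCU\Software\Policies\Microsoft\Edge' | Format-Table ValueName, Type, Value
(Get-GPInheritance -Target $target).GpoLinks | Format-Table DisplayName, Enabled, Enforced
```

On a client, `gpupdate /force` followed by `gpresult /r /scope user` shows whether the GPO was applied to the logged-on user. The Edge policy key is used here in the user hive so it travels with the user-linked GPO; Edge also honors the same values under HKLM when you prefer a computer-side policy linked to the Workstations OU.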
5. Home Folders
In a domain environment, securing user data is crucial. You want to be able to provide a way for your users to store data securely. This can be accomplished by implementing home folders. Home folders give users a folder created specifically for them that only they are able to access.
Home folders are typically created on a central file server, and the network path to the folder is stored on the user's domain account in Active Directory (the homeDirectory and homeDrive attributes, shown on the Profile tab in Active Directory Users and Computers). When the user logs in, the folder is automatically mapped to the assigned drive letter and ready for use.
For example, you may have a user John Smith who has a home folder named "jsmith" on a file server that only he has access to. He saves all of his documents, reports, pictures, and hopefully all work-related data in this folder. This helps with security in a few ways.
First, it ensures that only John has access to his data. Outside of a small group of IT administrators, no one else should have access, because the share and NTFS permissions on the folder are set to allow only him. This depends on the permissions being set correctly for every folder, so provisioning them with a script rather than by hand is worth the effort. Second, this keeps the data off of the local PC. When data is saved to a network share and not cached locally, it is not present on the device, which matters most for laptop users, given the risk of a laptop being left behind or stolen.
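The following is an added example, not code from the original article, of provisioning a home folder the way this section describes: create the folder, replace the inherited permissions with an explicit list (SYSTEM and Administrators for backup and support, the user with Modify, nobody else), and record the path on the user account so it maps at logon. It assumes a file server FS01 with an existing share `\\FS01\Home$` and the user name jsmith; both are assumptions.

```powershell
# Added example (not from the original article). Assumes an existing share \\FS01\Home$
# whose share permissions already limit access to authenticated users; the user name
# "jsmith" and drive letter H: are assumptions. Run with rights to the share and to AD.
Import-Module ActiveDirectory

function New-UserHomeFolder {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ShareRoot   = '\\FS01\Home$',
        [string]$DriveLetter = 'H:'
    )
    $user = Get-ADUser -Identity $SamAccountName
    $path = Join-Path $ShareRoot $SamAccountName
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }

    # Disable inheritance and drop the inherited entries so the parent folder's ACL
    # (which may grant everyone read) does not leak onto the home folder.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $inherit = [Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [Security.AccessControl.PropagationFlags]::None
    $allow   = [Security.AccessControl.AccessControlType]::Allow
    $rules = @(
        New-Object Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',   'FullControl', $inherit, $prop, $allow)
        New-Object Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $prop, $allow)
        # The user is granted by SID, so a later rename of the account does not break the ACL.
        New-Object Security.AccessControl.FileSystemAccessRule($user.SID, 'Modify', $inherit, $prop, $allow)
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path $path -AclObject $acl

    # Store the path on the account so the folder maps automatically at logon.
    Set-ADUser -Identity $SamAccountName -HomeDirectory $path -HomeDrive $DriveLetter

    # Return the effective ACL so the caller can audit it.
    (Get-Acl -Path $path).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}

New-UserHomeFolder -SamAccountName 'jsmith' | Format-Table -AutoSize
```

Running the same audit line (`(Get-Acl $path).Access`) across all folders under the home share is a quick check for folders that were created by hand and still carry inherited permissions.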
6. Folder Redirection
Folder redirection is a close cousin to the home folder. It is a setting inside Group Policy (User Configuration, Windows Settings, Folder Redirection) designed to create a convenient and seamless environment for your users while keeping data secure.
It is similar to a home drive in that data is saved in another location. Sometimes that location is the user's home folder, but it doesn't have to be. When you set up folder redirection, known profile folders such as Documents or Desktop are "redirected" so that their path becomes a network folder; applications keep saving to "Documents" and the files land on the server. The redirected folder is held on the server, where it is backed up centrally, and by default Windows also makes it available offline through Offline Files (client-side caching), which is what lets users keep working on it when the network is unavailable.
For example, our user John Smith has folder redirection set up to send all of the files in his profile's Documents folder to his home folder. When he saves documents there while connected to his work network, the files are written to his home folder on the server. Later on, he may be traveling and need to work while away from the office. He can make changes and add new documents without any problems, because Offline Files serves the cached copies. When John brings his device back onto the work network, Offline Files syncs those changes back to his home folder. Note that this means a copy of the redirected data does live on the laptop in the Offline Files cache, so the "data stays off the device" benefit of home folders applies only to folders that are not cached.
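Folder redirection itself is configured in the Group Policy Management Console rather than with a cmdlet, so the useful thing to script is the check on the client. The function below is an added example, not code from the original article; run in the user's session on a domain-joined PC, it reports whether Documents actually resolves to a network path and whether the Offline Files cache is enabled and active, and warns about the combination that strands a traveling user (redirected, but not cached).

```powershell
# Added example (not from the original article): verify, in the user's own session,
# that the Documents folder is redirected and that Offline Files will cover it offline.
function Get-FolderRedirectionStatus {
    # Explorer resolves "Documents" from the per-user shell folder registration; after
    # folder redirection applies, the resolved path is the UNC path from the policy.
    $documents  = [Environment]::GetFolderPath('MyDocuments')
    $redirected = $documents.StartsWith('\\')

    # Offline Files (client-side caching) is what keeps a redirected folder usable offline.
    $cache = Get-CimInstance -Namespace root/cimv2 -ClassName Win32_OfflineFilesCache -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DocumentsPath  = $documents
        IsRedirected   = $redirected
        OfflineFilesOn = [bool]($cache -and $cache.Enabled -and $cache.Active)
        CacheLocation  = if ($cache) { $cache.Location } else { $null }
    }
}

$status = Get-FolderRedirectionStatus
$status | Format-List

if (-not $status.IsRedirected) {
    Write-Warning 'Documents is still local: the Folder Redirection policy has not applied to this user.'
} elseif (-not $status.OfflineFilesOn) {
    Write-Warning 'Documents is redirected but Offline Files is not active: the folder is unreachable when the network is down.'
}
```

If the folder shows as local, `gpresult /r /scope user` tells you whether the GPO carrying the redirection policy reached this user at all; redirection is applied at logon, so a fresh logon after `gpupdate` may be needed.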
This is Just the Beginning
These basic concepts of securing Windows desktops by way of Active Directory only scratch the surface. A great deal more can be configured to provide a tightly secured and standardized environment.
Done well, this keeps your users and company data safe while delivering a desktop experience that lets users stay productive. When it comes to Windows environments, Active Directory is a staple for both management and security.