Glossary of Terms
The Glossary explains many of the more advanced and unusual concepts involved with
truly effective Active Directory design and management as well as defining the essential
building blocks.
Any explanation you need that you can’t find in the glossary? Contact us and we’ll post an updated entry!
Active Directory Architecture
Active Directory Architecture - a distinction between Physical and Logical
The Physical is that part of the Architecture that offers availability of
directory services and replication of directory data.
The Logical is that part of the Architecture that allows the Active Directory
to increase the security and ROI of the whole Windows infrastructure.
The “Physical” is usually completed successfully because any failure is instantly
visible, for example:
- Users can’t log on properly
- Email delivery fails
The “Logical” commonly receives less attention (time and cost constraints,
specialist resource availability etc.) than the Physical, but its lack of
completion goes unnoticed until a critical security, DR or audit event occurs.
Some of the indicators of an incomplete Logical phase (an “under-optimised”
Active Directory) are:
- Limited implementation of strong security such as role-based authority
- Incomplete change control enforcement
- Compromised security audit trails
Active Directory Optimisation
Optimisation is the process of changing the Logical architecture of an Active
Directory implementation to increase its security and ROI. Physical architecture
is rarely affected.
In all cases this optimisation requires that the existing structure is replaced by a new one.
There are two ways to effect this change:
The traditional approach is to generate the new structures by iterative re-development
of the existing architecture, often utilising specialist consultancy. This approach
is time consuming, expensive and intrusive. The process itself has deterred many
organisations from optimisation. A new alternative is now available using the Genesis
Expert System, which quickly, easily and cost-effectively optimises the Active Directory
with little or no disruption to the business.
Hierarchical Authority
Hierarchical Authority is a description of the way that IT administrative power is
organised within an organisation. The aim is to ensure that those in possession
of greater authority delegate reduced authority to those below them in such a way
that individuals of ‘lesser authority’ cannot interfere with the management of
their peers.
Consider the way that operational authority is structured in most organisations:
Senior management layer:
At the apex of any organisational hierarchy are the very few individuals that have
broad and far-reaching powers. These individuals should have a deeper understanding
of the organisation and be fully aware of the effects that wielding their powers
will have. Senior managers will usually have a broad remit of responsibility.
For example: the Finance Director takes responsibility for all aspects of
financial management, and has the power to transfer any amount of money from the
company accounts to pay the company bills. This authority can be delegated as the
Finance Director sees fit. This breakdown and delineation
of actual power is called “Role-based Authority”.
The Middle Management Layer:
The middle managers are employed by the senior management to take responsibility
for a particular aspect of the running of the company. They receive their (delegated)
authority from their senior manager.
For example: in the finance department, the Director hires three managers.
Each will take responsibility for one of the key functions: Invoicing, Purchasing,
and Reporting. To each is delegated the power required to discharge their role;
for example, the Purchasing Manager can sign off payments of up to £5000.
This is role-based authority again…
Critically only the Finance Director can hire & fire individuals within the
Finance Department, or delegate authority to an individual in the Finance Department.
The Sales Director, who is a peer director, is not authorised to perform either
of these tasks within the Finance Department.
The Workforce:
The Workers are those employed by the middle managers to perform certain tasks.
Typically they are only given enough authority to enable them to perform their designated
tasks.
For example: in the finance department, the Purchasing Manager hires ten
purchasing clerks who are responsible for tabulating received invoices and preparing
them for payment. But they must still get the signature of the Manager (or the Director
if the Manager is away) to enact the payment. Role-based
authority once again…
Critically only the Purchasing Manager (or his line manager - the Finance Director)
can hire & fire individuals within the Purchasing Department, or delegate authority
to an individual in the Purchasing Department. The Invoicing Manager, who is a peer
manager, is not authorised to perform either of these tasks within the Purchasing
Department.
The following diagram is a representation of how a network Authority Structure may
look within a company with International offices:
Rules:
- An “Enterprise Admin” can create a “Domain Admin”
- Only an “Enterprise Admin” or “Domain Admin” can create a “Paris Admin” or “London Admin”
- Only an “Enterprise Admin”, “Domain Admin” or “London Admin” can create a “London Server Admin”
- Note: a “Paris Admin” cannot perform any of these tasks
- The Security Administrators have their own authority chain that is ‘external’ to
the main authority stream – this is an operational over-ride facility.
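The rules above reduce to an ancestor check in a tree of admin roles: a role may create or delegate only roles strictly below it in its own chain, so peers such as “Paris Admin” and “London Admin” cannot interfere with each other. The following is an added example (not code from the original page or from the Genesis product) in Python that models the diagram's roles; the Security Administrators sit in their own separate chain as the text describes, and the role and function names are assumptions:

```python
# Hierarchical authority model, constructed from the rules on this page.
# Each role names the role that delegated it (its parent); None marks the
# root of a chain. The Security Admin chain is external to the main stream.
PARENT = {
    "Enterprise Admin": None,
    "Domain Admin": "Enterprise Admin",
    "Paris Admin": "Domain Admin",
    "London Admin": "Domain Admin",
    "London Server Admin": "London Admin",
    "Security Admin": None,       # assumed name for the separate security chain
}

def chain_of(role):
    """Roles above `role`, nearest first, up to the root of its chain."""
    if role not in PARENT:
        raise KeyError(f"unknown role: {role}")
    above = []
    current = PARENT[role]
    while current is not None:
        above.append(current)
        current = PARENT[current]
    return above

def can_create(actor, target):
    """True only if `actor` is a proper ancestor of `target` in the same chain.
    Peers, subordinates and roles from the other chain are all refused, which is
    exactly the 'lesser authorities cannot interfere with peers' property."""
    return actor in chain_of(target)

def check_request(actor, target):
    """Render the decision the way a change-control log would record it."""
    verdict = "allowed" if can_create(actor, target) else "refused"
    return f"{actor} -> create {target}: {verdict}"

if __name__ == "__main__":
    for actor, target in [
        ("Enterprise Admin", "Domain Admin"),
        ("Domain Admin", "London Admin"),
        ("London Admin", "London Server Admin"),
        ("Paris Admin", "London Server Admin"),   # peer chain: refused
        ("Security Admin", "Domain Admin"),       # external chain: refused
        ("London Server Admin", "London Admin"),  # upward: refused
    ]:
        print(check_request(actor, target))
```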
Privilege Elevation
Privilege Elevation is the goal of many attacks against computer systems. The
aim is to find a way of obtaining authority greater than was originally assigned,
for example:
- A normal user trying to gain Admin powers over his workstation
- An email administrator trying to get control over the SQL databases
- A user administrator trying to reset a domain administrator’s password
Expert System
An Expert System is a computer system encoded with some of the expertise of a human
professional. Ideally it has a relatively simple interface, allowing a user with
limited understanding to step through a complex process, then combining the user’s
input with its built-in knowledge to produce a useful result that the user would
not have been able to create alone, for example:
- A program that asks you a series of questions and from your answers writes your
will is an expert system designed to reduce your reliance on lawyers.
- A computer that recognises patterns of data flowing across your network and alerts
you to potential issues is an expert system designed to help a network manager or
security specialist work more efficiently.
Genesis is an expert system designed to allow organisations to dramatically
reduce the time and cost requirement of Active Directory™ implementation.
Role Based Privileges
This is where a user or administrator is granted only those privileges that enable
them to discharge their duties.
For example: a member of the support team may need to add users, but they
don’t need to create computer accounts in the Active Directory (let’s say that that
task is handled by the “Network Team”), so granting them the privilege to create
computer accounts is an unnecessary risk to the infrastructure.
Role Separation
Role separation is the principle that administrative roles should be separated.
For example: London User Admins, Birmingham User Admins. Administrative
authorities, and their responsibilities, should be assigned to different network
user credentials. It may be that one individual has several different sets of credentials
to cover all aspects of their duties.
For example:
- An administrator would be able to perform most of their duties using normal user credentials: sending email, writing documents, and so on. But when they need to, say, add a
new user, they would log on with different credentials, credentials that would
carry sufficient privileges to carry out this task. When the task has been completed
they would log out and return to their normal duties using normal credentials.
- The authority of a Domain Admin account is not required for 98% of normal operational
work. This authority is very high level Administrator authority and should not be
invoked (logged on with…) unless it is needed. Though sometimes impractical, it
is better practice for the administrator who is assigned a Domain Admin account
to also be assigned a lesser admin account with which to perform tasks that do not
need such very high level Administrator authority as Domain Admins.
Correct implementation of Role Separation minimises the potential of administrative
mistakes and lessens the chance of a third party gaining access to system resources
if the administrator is not present at the terminal upon which they were working.
Although very simple, Role Separation is often overlooked as a basic security measure.
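Role Separation is easy to verify from the audit trail: a Domain Admin credential that appears in an interactive logon on an ordinary workstation is being used for day-to-day work, which is exactly what the practice above forbids. The following added example (not from the original page) scans a constructed sample of simplified Windows logon records in Python; the naming convention, host list and log format are assumptions:

```python
import csv
import io

# Constructed sample of Windows Security log records (Event ID 4624 = logon
# succeeded), reduced to the fields that matter here. Not real data.
SAMPLE_LOG = """\
time,event_id,account,logon_type,host
2024-01-15T08:02:11,4624,jsmith,2,WS-LON-017
2024-01-15T08:05:42,4624,jsmith-ua,2,WS-LON-017
2024-01-15T08:31:09,4624,jsmith-da,10,WS-LON-017
2024-01-15T09:12:55,4624,jsmith-da,3,DC01
2024-01-15T09:40:03,4624,svc-backup,5,FS02
2024-01-15T10:15:27,4624,jsmith-da,2,DC01
"""

# Assumed naming convention: "-da" marks the Domain Admin credential and "-ua"
# the lesser user-admin credential of the same person. A real deployment would
# read Domain Admins membership from the directory instead of a fixed set.
DOMAIN_ADMIN_ACCOUNTS = {"jsmith-da"}
TIER0_HOSTS = {"DC01"}                  # hosts where a Domain Admin logon is expected
INTERACTIVE_TYPES = {"2", "10", "11"}   # console, RDP, cached interactive

def find_violations(log_text):
    """Return (time, account, host, reason) for every Domain Admin logon that
    breaks role separation: an interactive session on a non-tier-0 host.
    Network logons (type 3) and logons to tier-0 hosts are left alone."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] != "4624" or row["account"] not in DOMAIN_ADMIN_ACCOUNTS:
            continue
        if row["logon_type"] in INTERACTIVE_TYPES and row["host"] not in TIER0_HOSTS:
            hits.append((row["time"], row["account"], row["host"],
                         f"Domain Admin interactive logon (type {row['logon_type']})"))
    return hits

if __name__ == "__main__":
    for hit in find_violations(SAMPLE_LOG):
        print(*hit)
```

The only record flagged is the RDP session (type 10) of jsmith-da to the workstation; the same account's logons to DC01 are expected and pass.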
Organisational Units
An object in the Active Directory database that is used to “contain” other objects
(especially the objects that are used to represent users and computers). OUs allow
objects to be “grouped” in the container so that various security and management
functions can be applied to them.
Organisational Unit (OU) Architecture
The OU architecture is the collection of OUs (and how they are interlinked) that
is devised to hold, and differentiate between the objects that represent the users
(normal and administrative), computers (servers, workstations, laptops etc), printers
etc.
Group Policy
Active Directory objects that are used to apply policy to groups of computers and/or
users contained within Active Directory containers. Group Policy includes not only
the registry-based policy found in Windows NT Server 4.0 but, because it is stored
in Directory Services, many other types of policy data, for example:
- file deployment
- application deployment
- logon/logoff scripts
- startup/shutdown scripts
- domain security
- Internet Protocol security (IPSec), and so on.
The collections of policies are referred to as Group Policy objects (GPOs).
Group Policy Architecture
Group Policy Architecture is the layout of Group Policy objects, their interaction,
security control and linkage with the Active Directory that determines what policy
will affect any given user when sitting at any given machine. It is the complex
aspect of Group Policy implementation.
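The “what policy affects a given user on a given machine” question is answered by the processing order of the linked GPOs. The following added example (not from the original page) is a small Python resolver that applies that order: local settings first, then non-enforced GPOs from the site down through the OU chain, then enforced GPOs from the lowest OU back up, so later-applied GPOs overwrite earlier ones and an enforced GPO linked higher in the tree wins. It goes beyond the page's definition by also modelling the Enforced and Block Inheritance link options; the container, GPO and setting names are constructed:

```python
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict            # setting name -> value
    enforced: bool = False    # "Enforced" link: cannot be blocked, wins conflicts

@dataclass
class Container:              # a site, the domain, or an OU on the object's path
    name: str
    gpos: list = field(default_factory=list)   # index 0 = link order 1 (highest)
    block_inheritance: bool = False

def resolve(chain, local_settings=None):
    """Return (effective settings, GPO names in the order applied) for an object
    whose path is `chain` = [site, domain, OU, ..., OU]. Later-applied GPOs
    overwrite earlier ones: local, then non-enforced GPOs top-down (links above
    the deepest Block Inheritance are dropped), then enforced GPOs bottom-up,
    so an enforced GPO linked higher in the tree is applied last and wins."""
    effective = dict(local_settings or {})
    applied = []
    deepest_block = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    for i, c in enumerate(chain):
        if i < deepest_block:           # non-enforced links above the block are dropped
            continue
        for g in reversed(c.gpos):      # link order 1 is applied last at its level
            if not g.enforced:
                effective.update(g.settings); applied.append(g.name)
    for c in reversed(chain):
        for g in reversed(c.gpos):
            if g.enforced:
                effective.update(g.settings); applied.append(g.name)
    return effective, applied

def sample_chain(block=True):
    """Constructed example: a site, a domain and a Servers OU with Block Inheritance."""
    site = Container("London-Site", [GPO("Site-Baseline", {"screensaver_timeout": 900})])
    domain = Container("corp.example", [
        GPO("Domain-Security", {"password_min_len": 14, "screensaver_timeout": 600}, enforced=True),
        GPO("Domain-Default", {"wallpaper": "corp"}),
    ])
    servers = Container("Servers", [GPO("Server-Hardening", {"screensaver_timeout": 300, "rdp_nla": True})],
                        block_inheritance=block)
    return [site, domain, servers]

if __name__ == "__main__":
    print(resolve(sample_chain()))
```

With the block in place the Servers OU loses the site and default domain GPOs, but the enforced Domain-Security GPO still overrides the OU's own screensaver setting.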
ROI: Return On Investment
The financial return an investment will generate. A measure used in marketing or
cost justification. E.g. the installation will cost £10K, but will cut admin costs
by £1K per month, giving full return on investment in 10 months.
TCO: Total Cost of Ownership
The cost to maintain a system or a piece of software over time. E.g. a workstation
costs £2000 per year in support staff time and part replacement.
GUID: Globally Unique Identifier
A Globally Unique Identifier or GUID is a pseudo-random number used in software
applications. Each generated GUID is "statistically guaranteed" to be unique. This
is based on the simple principle that the total number of unique keys ( or ) is
so large that the possibility of the same number being generated twice is virtually
zero.
If you have any questions in need of further clarification, please contact us.