With this article, we conclude our discussion of Windows Server 2003 Active Directory related security improvements. This installment will cover the following:
We conclude our overview of Windows Server 2003 Active Directory related security improvements with a discussion of storing custom data, setting quotas for newly created objects, mandatory SMB signing, and using the AdminSDHolder mechanism to secure permissions for privileged groups.
Windows 2000 Active Directory replaced Windows NT 4.0 Security Account Manager Database, providing not only increased functionality and scalability, but also enhanced security through more-granular levels of permissions, sophisticated encryption, and two-way, resilient authentication protocol (with Kerberos). With the Windows 2003 platform, Microsoft takes full advantage of these features by allowing more flexibility in the way Active Directory information is partitioned and replicated.
Starting with Windows 2000, Active Directory has been divided into three “logical” partitions (physically residing in the NTDS.DIT file on each domain controller) — domain, configuration, and schema. The domain partitions store information specific to each domain (accessible primarily via Active Directory users and computers) and shared among all domain controllers in the same domain (partially replicated to all Global Catalogs in the forest).
The configuration partition contains forest-wide information (accessible primarily via Active Directory sites and services) and is shared among all domain controllers in the forest. The schema partition consists of definitions of all objects and their properties that can exist in the other two partitions; it is also shared forest-wide.
This mechanism for partitioning Active Directory data has been extended in Windows 2003 domains by the introduction of the application partition. Several features differentiate it from its three older counterparts:
Even though you cannot view the content of application partitions with ADSI Edit (which is typically used to gain read/write access to the other three types of partitions), you can use the LDP utility for this purpose. Both tools are part of the Windows Support Tools included with the installation CD.
Microsoft provides a couple of predefined application partitions intended for storing DNS Active Directory integrated zones. One of them, named DomainDnsZones, is created and replicated automatically across all domain-controller-based DNS servers in the same domain. The other, ForestDnsZones, exists and replicates across all domain-controller-based DNS servers in the forest. (This partition is used in Windows 2003 forest to store _msdcs Active Directory integrated zone.)
The two partitions correspond to two options available in the General tab of the zone Properties dialog box of Active Directory’s integrated DNS zone (in DNS Management MMC snap-in). In addition, one option, available on Windows 2000 domains, is to store the Active Directory integrated zone as part of domain partition (replicated to all domain controllers in a domain represented by the zone).
Although the majority of the data stored in Active Directory is fairly static, Microsoft notes that it is beneficial, both from a uniformity and a security perspective, to provide the ability to store dynamic data as well. It therefore included this functionality in the Windows 2003 platform.
Support for this feature is based on industry standards (described in RFC 2589) and is based on use of the Time To Live (TTL) parameter to newly created dynamic objects. Such objects will automatically self-destruct after the TTL expires (which also implies that dynamic objects are not tombstoned, like standard static Active Directory objects). Dynamic objects are allowed only in domain and application partitions.
The creation of dynamic objects is handled through applications, so it remains the responsibility of programmers. From an administrative point of view, you can control TTL-related parameters with the already familiar NTDSUTIL command line utility. This time, you must access Configurable Settings by typing Configurable Settings at the command prompt. Next, establish a connection to either the target domain controller or a domain by typing Connections and using Connect to server or Connect to domain command. After typing Quit, you will be back at the Configurable settings prompt. You can type Show values to determine the current settings for two properties associated with the TTL of dynamic objects:
You can change these values with the Set property To value command, where property can be either DynamicObjectDefaultTTL or DynamicObjectMinTTL and value represents the length of the respective one represented in seconds.
Windows 2003 Active Directory introduces a feature that is supposed to prevent denial of service attacks and incidents where a number of administratively created objects might exceed the acceptable size of an Active Directory database. New Object Quotas are evaluated on a per-partition basis, and they can be assigned to a user directly or indirectly through membership in a group to which quotas were assigned (objects owned by this user are counted and compared with the quota limit before a new object gets created). The quota limits are stored on a per-partition basis in the NTDS Quotas container. They can be managed using new command line utilities (DSADD, DSMOD, and DSQUERY) as well as via ADSI scripting or programming.
For example, to set a limit of 10 on the number of objects user John.Doe from domain ServerWatch.com can create, the following command prompt is executed (on a single line):
DSADD quota -part dc=ServerWatch,dc=com -acct ServerWatchJohn.Doe -qlimit 10 -desc "John.Doe's 10 object limit" |
which would result in the creation of an entry (and appropriate description) under the NTDS Quotas container of the domain partition of ServerWatch.com domain. Note that the limit takes into account the tombstoned objects as well, which means that newly deleted objects will count toward the quotas for the duration of the tombstoned interval (by default 60 days).
By default, communication involving domain controllers uses SMB signing. This configuration is enforced via Domain Controllers Group Policy. Signing increases security by minimizing the possibility of man-in-the-middle attacks, but at the same rate prevents communication with Windows 9x and Windows NT 4.0, pre-SP3 clients, unless they have Active Directory client installed.
Imagine a scenario where a privileged account is mistakenly placed in an organizational unit for which a non-privileged user was delegated elevated permissions. It is very likely you would want some built-in mechanism to prevent modifications to a privileged account based on permissions inherited from those assigned on the organizational unit level — right?
Fortunately, Microsoft provided such a mechanism in Windows 2000 and further enhances it in Windows 2003.
The solution applies to all members of so-called protected groups, which in the Windows 2000 domain includes Enterprise Admins, Schema Admins, Domain Admins, and Domain Local Administrators. In Windows 2003, the solution has been extended with the addition of Account Operators, Server Operators, Print Operators, Backup Operators, and Cert Publishers. Each of these groups is granted specific permissions on the
CN=AdminSDHolder,CN=System,DC=Domain,DC=com Active Directory object, where DC=Domain,DC=com represents the domain partition on which these groups reside. (You can check these permissions using ADSI Edit or Active Directory Users and Computers in Advanced View.) Permissions are then applied to each account that is a member of any of the protected groups, regardless of inheritance settings on a container where such accounts reside. If the permissions for some reason change, they are automatically reset (within 60-minute intervals) by a domain controller serving as PDC Emulator Operations Master. The PDC Emulator checks the Access Control List settings on each member of Protected Groups and, in case of mismatch, resets the permissions to match the ones set on the AdminSDHolder Active Directory object.
The next article in our “Exploring Windows Server 2003 Security” will cover the remaining authentication related enhancements in Windows server 2003, including Active Directory Application Mode, AKA “lightweight” Active Directory.
Marcin Policht obtained his Master of Computer Science degree about 20 years ago and has been since then working in the Information Technology field, handling variety of responsibilities, but focusing primarily on the areas of identity and access management, virtualization, system management, and, more recently private, hybrid, and public cloud services. He has authored the first book dedicated to Windows Management Instrumentation and co-written several others dealing with subjects ranging from core operating system features to high-availability solutions. His articles have been published on such Web sites as ServerWatch.com and DatabaseJournal.com. For his contributions to the Microsoft technical community, he has been awarded the title of Microsoft MVP over the last ten years.
ServerWatch is a top resource on servers. Explore the latest news, reviews and guides for server administrators now.
Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved
Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.
