[00:00:00] Let's review some ways to restrict access to domain controllers. Actually, in the previous module, it was more holistic, wasn't it, looking at the motherboard and hardware security controls providing physical security. Here, it's much more software‑based, specifically dealing with accounts. Let's take a look. Remember from the previous lesson we learned about authentication policy silos? This provides us a way to restrict access to particular high‑value machines such that even domain administrators would not be allowed to sign in to a privileged access workstation or a Windows Server host that they shouldn't have access to by means of policy. We've been using Group Policy, speaking of policy, right along, and we've got user rights assignment, which comes into play in a more focused way in this module, actually. Hang on. We've got the Windows Defender Firewall, particularly the concept of network access groups. This is where we can configure the Windows Server built‑in firewall to create what Microsoft terms domain isolation, where you can use IPsec, Internet Protocol Security, to enforce particular communication rules between certain hosts in your domain.
[00:01:23] And then again, a callback to a previous lesson. We have the Protected Users global group, as well as in Group Policy the concept of restricted groups, where we can, by policy assignment using Group Policy Objects, GPOs, enforce membership in particular groups, particularly built‑in groups like the local Administrators group on domain member servers and domain workstations. Active Directory Account Security and Delegation. Let's review some of the built‑in Active Directory groups. We're going to pay attention to the ones that have the most default permissions and user rights. In an Active Directory Domain Services domain, if you open the Active Directory Users and Computers application, for instance, you see there's a couple of containers. Remember that containers are different from organizational units. We cannot link a Group Policy Object to one of the containers. But the built‑in container has your default domain local groups, which is the domain controller's equivalent of machine local groups that you would have on, say, your workstation.
[00:02:31] The ones that you want to pay the most attention to are, of course, the built‑in Administrators, the built‑in Server Operators, and then, as you'll see in the demo, there's a number of other ones. Each of these groups has automatically attached permissions and user rights, and just out of the box, we know that we want to protect those high‑value groups. And we can do that in a number of ways that are built right into Windows Server or, optionally, can extend into those Microsoft cloud services. In the Users container, this is where you see your built‑in universal and domain global groups. We have the default Administrator. This is the first account in a new forest in the forest root domain. Each domain has the Domain Admins global group. You've got the Enterprise Admins universal group. We've got Protected Users. We've got Schema Admins. These are just some of them, but they're among the highest privileged groups. So, again, they're the ones that you want to pay the most attention to from a security perspective. And a user right is different from a permission. A permission, like an NTFS permission, would allow create, read, update, or delete operations on an object or a file.
[00:03:43] User rights deal with actions: the ability to sign in to a workstation, the ability to sign on to a machine as a service as opposed to an ordinary interactive user account, that kind of stuff. Here I created a Lucidchart diagram to show how those built‑in high‑privilege groups work together. Particularly in the first domain in your forest, the forest root domain, you've got that Enterprise Admins universal group. The only entity, or account, in there by default is going to be the forest root Administrator account. Much more common in daily practice is to use the Domain Admins group, which is universal in a sense. I mean it is populated by default in the Administrators domain local group, so this means that if you make a user a member of the Domain Admins global group, they will automatically, by inheritance, be an administrator of every domain controller. But then across the domain, the Domain Admins global group is automatically populated into the local Administrators group for member servers and member workstations when those machines join the domain. This is what gives you out‑of‑the‑box reach across your domain.
[00:05:03] If you're a domain admin, you can sign in by default outside of something like an authentication policy silo. You can sign in as a local administrator on any domain member device.