Posts tagged ‘active directory’

Quick Tip: Manually refresh Group Policy on a client machine

You’ve just made some changes to your Group Policies, and are now waiting for it to update on the clients to see what the result is. Surely there must be a better way!

There is: It’s a command line tool called gpupdate, and it’s real simple.

gpupdate

Sit yourself down in front of a computer on the domain, and load up a command prompt. The quickest and dirtiest way to get it working is to type gpupdate /force - this will just force the system to grab all computer and user policies and apply them. If it needs the user to logoff and then log back on again, it will prompt you to do so, unless you add the /logoff switch to the end – this will force it to logoff.

All your waiting is over.

Active Directory Optimisation, Security and Best Practices

So, you have an Active Directory. It’s running alright, but you know it can be better. You don’t quite know what would make it better, but you know it can be better. But how?

Today, I’m going to show you how to configure your Active Directory network to run smoother, be more secure and more resistant to disasters which could occur.

Multiple Domain Controllers

Having multiple controllers will protect you against hardware failure in one machine, network congestion when everyone logs on in the morning, and also helps you perform maintenance more easily. For example, restarting your only domain controller to do software updates will prevent anyone doing anything on the network until it fully restarts; this isn’t good for productivity, and may cause people to lose faith in the network if it happens regularly.

The initial cost of purchasing multiple servers and multiple licenses may be high at first, but is a wise investment. Even having two controllers will significantly benefit any Active Directory network.

Strict Password Policies

Passwords are the key to your network. Even if a single user’s account is compromised, the effects can be detrimental to an organisation; the effects of this have been well reported, such as when the corporate account of a Twitter staff member was accessed, and confidential business documents leaked.

The best way to ensure password security is to apply a password security policy through Group Policy. This will ensure your users’ passwords contain a mixture of upper and lower case characters, as well as numerals. It’s also a good idea to ensure passwords are changed regularly; the Active Directory default is 100 days, but I suggest changing it to 60 days.

For extra sensitive accounts, it would be a good idea to have this set at an even lower interval. For example, Administrator accounts should be set to 30 days.

Folder Redirection, not just roaming profiles

Logon and logoff times can be dramatically improved if you avoid storing data in roaming profiles. In case you didn’t already know, roaming profiles are copied off the server and onto the local machine at logon time, and then copied back to the server at logoff. After a while profiles can grow to massive sizes, especially if you have all of your documents stored in there.

Do your network a favour, and use folder redirection to store all of the documents directly on the server, rather than in the profiles. If necessary, allow offline folders to synchronise these redirected folders (especially on laptops!); offline folder synchronisation is much smarter than plain old roaming profiles.

Distributed File System (DFS)

Having your network shares stored on only one server is a bad idea. What if that server fails? What happens to your files? Not good!

You need to take advantage of Microsoft’s Distributed File System, which allows you to have the same network share stored on multiple servers and synchronised automatically. If one server goes down, then the other servers in the DFS cluster will take over. This system complements the idea of Multiple Domain Controllers beautifully.

Domain Controllers never run other services

Domain controllers should be really secure machines. They are the backbone of the network; you don’t want anything compromising the security. I recommend that other services are not installed on domain controllers. Keep the web services, terminal services, update services, databases and antivirus management systems away from the domain controller servers!

I acknowledge that it can be hard to do this if you’re on a tight budget. The cheapest and safest configuration I can think of consists of three servers:

  1. Domain controller / file server (DFS)
  2. Backup Domain controller / file server (DFS)
  3. The Everything else server (Web, database, updates, terminal services, etc.)

If you’re struggling to get hardware for these servers, try eBay or an e-waste recycling centre. If you’re not for profit, Donortec can help you with the software licensing.

Remote sites? Read Only Domain Controllers

Remember what I just said about Domain Controller security? Well, if you have any servers at a remote site where you don’t have direct control over the physical security, I recommend you have your remote server set up as a Read Only Domain Controller.

This means that any changes to the directory can only be made on a non-read-only domain controller (i.e. at your head office). The benefit of this is that if someone gets physical access to the server, they can’t make directory changes which could be detrimental to the entire network. If you don’t have a fast link to the main servers, it will also improve access speed for the remote site.

Enforced Client Health

It’s important to ensure your client computers meet certain security requirements. For example, you should ensure your clients have anti-malware software installed. The easiest way to ensure security software is installed is to have some checks performed in the machine startup scripts. Check to see if certain software is installed, and if it isn’t, then perform the install automatically.

As far as configuration of the software goes, you would want to ensure everything is in a managed environment. Using software such as Symantec Endpoint Protection or AVG Network Edition can help you establish this by providing a central management system for this software.

You could take this one step further and implement Network Access Protection. For smaller networks it may not be justified, but in larger, more complex networks with higher security requirements, I highly recommend this.

Strict NTFS ACLs

You want your access control at the NTFS level, not the share level. Setting all of your permissions at the share level is just asking for trouble; it won’t help you if someone gets physical access to the drive. Have all of your users in appropriate groups, and assign access to folders and shares based on what group they are in.

Don’t give too many people too much access. In fact, don’t give anyone access to anything they don’t need. Some organisations have an Everyone drive, where everything is stored; in the majority of cases, this isn’t a brilliant idea. When was the last time someone in the promotions department needed access to the payroll? Or someone on reception needed access to confidential corporate forecasts? Not often, I’m sure.

The best policy to adopt is that each department gets access to their own department’s folder, until a case arises where they need access to another department’s files.

Also, while it may be tempting to take advantage of the Everyone security group to allow every user access to certain files, it is best not to. Instead, have a security group which encompasses all of your users. Remember, the Everyone group includes IIS users and guest accounts – you probably don’t want these accounts to have access to your files.

In Conclusion…

I’ve presented some easy (and some not so easy) ways to secure, optimise and utilise best practices in an Active Directory environment. Hopefully you can implement some of these tips, as well as find other ways to improve your network. Feel free to post any further suggestions in the comments.

Active Directory integration with PHP

You have an Active Directory and an intranet/extranet, but want to tie them together onto the same username/password system? It couldn’t be easier, using PHP’s LDAP Extension.

In case you didn’t already know, Microsoft’s Active Directory uses the LDAP protocol to store and communicate its data. As this is an open protocol, there’s plenty you can integrate it with. In this article, I’ll focus on PHP.

It’s really easy to get started integrating PHP with LDAP. There are many truly great and in-depth articles on this subject, such as one from Developer.com. If you want long explanations, head that way. Over here, I’ve got a quick and dirty example:

<?php

$username = "administrator";
$password = "MYSecur3Password4";
$server = "192.168.10.5";

$connect = ldap_connect($server);
// Active Directory requires LDAP version 3 (PHP defaults to version 2),
// and referral chasing should be switched off or searches will stall
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
// @ suppresses the PHP warning ldap_bind emits when the credentials are rejected
$bind = @ldap_bind($connect, $username, $password);

if($bind) {
echo "LDAP Connect Success!";
} else {
echo "LDAP Connect Failure!";
}

?>

That will do a really simple connect to your Active Directory server, such as a Microsoft Windows Server 2008. You can modify this code to grab the username and password as user input from a login form, and then authenticate against that.

However, you must always check to make sure the username and password fields are not empty, or else it will probably authenticate anonymously and return a TRUE value. Here’s a modified example to grab the data from a logon form as POST data:

<?php

// Never pass empty credentials to ldap_bind: an empty password is an
// anonymous bind, which Active Directory accepts and reports as success
if(empty($_POST['username']) || empty($_POST['password'])) {
die("Username or Password field was left blank. Please try again.");
}

$username = $_POST['username'];
$password = $_POST['password'];
$server = "192.168.10.5";

$connect = ldap_connect($server);
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = @ldap_bind($connect, $username, $password);

if($bind) {
echo "LDAP Connect Success!";
} else {
echo "LDAP Connect Failure!";
}

?>
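As an added example (not code from the original post), here is the logon-form check rewritten the way I would ship it: empty credentials can never turn into an anonymous bind, the username is validated before it reaches an LDAP filter, the connection uses LDAPS, and after a successful bind the user’s group memberships are fetched so the intranet can authorise by group. The server address is the one from the post; the LDAPS listener, the UPN suffix corp.example and the base DN are assumptions to adjust for your domain.

```php
<?php
// Added example, not from the original post. Assumes the DC at 192.168.10.5
// accepts LDAPS (636) with a certificate the web server trusts, and that the
// UPN suffix and base DN below match your domain (both are assumed values).
const AD_SERVER  = 'ldaps://192.168.10.5';
const AD_UPN_SFX = '@corp.example';       // assumed UPN suffix
const AD_BASE_DN = 'DC=corp,DC=example';  // assumed base DN

// Returns the user's group DNs (memberOf) on success, or null on failure.
// Empty credentials are rejected first: AD treats a bind with an empty
// password as an anonymous bind, which succeeds and would let the original
// script accept any username at all.
function ad_authenticate(string $user, string $pass): ?array
{
    // Only characters valid in a sAMAccountName, so the value cannot carry
    // LDAP filter syntax into the search below.
    if ($pass === '' || !preg_match('/^[A-Za-z0-9._-]{1,20}$/', $user)) {
        return null;
    }
    $conn = ldap_connect(AD_SERVER);
    if ($conn === false) {
        return null;
    }
    // AD needs LDAPv3 (PHP defaults to v2) and referral chasing switched off.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Simple bind as user@domain; @ silences the warning on a bad password.
    if (@ldap_bind($conn, $user . AD_UPN_SFX, $pass) === false) {
        ldap_unbind($conn);
        return null;
    }
    // Bound as the user: look up their own group memberships.
    $filter = '(&(objectClass=user)(sAMAccountName='
            . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . '))';
    $res = ldap_search($conn, AD_BASE_DN, $filter, ['memberOf']);
    $entries = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    ldap_unbind($conn);
    if ($entries['count'] !== 1) {
        return null;
    }
    $groups = $entries[0]['memberof'] ?? ['count' => 0];
    unset($groups['count']);            // drop the count key PHP adds
    return array_values($groups);
}

if (empty($_POST['username']) || empty($_POST['password'])) {
    die('Username or Password field was left blank. Please try again.');
}
$groups = ad_authenticate($_POST['username'], $_POST['password']);
if ($groups === null) {
    die('LDAP Connect Failure!');
}
echo 'LDAP Connect Success! Member of ' . count($groups) . ' groups.';
```

The returned group DNs are what you compare against when deciding what the intranet user may see, which mirrors the group-based NTFS access described in the best-practices post above.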

So, that’s the basics. However, it’s probably not much good if you want to do anything other than a quick authentication check. The PHP LDAP Extension supports a myriad of fancy things, from searching to editing and even deleting records. But you don’t want to do that manually. What you really want to do is use a library such as the adLDAP library, and use that to do all sorts of fancy things.

adLDAP

Here’s the feature list:

  • User authentication
  • Group management
  • User management
  • Contact management
  • Exchange mailbox creation

It’s really worth checking out. They even provide info on how to achieve a seamless sign-on from within your domain. Here are the IIS/PHP instructions:

Format the machine and install Linux (recommended), or remove anonymous access from the directory with the IIS management console, the username is available with $_SERVER["LOGON_USER"].

Seamless authentication with Apache on Windows can be achieved with mod-auth-sspi

[ From: Seamless Authentication - adLDAP Wiki ]

So, there you have it. Active Directory authentication with PHP.

Active Directory and Windows Server FREE Online Training

Yesterday I briefly outlined the benefits of using an Active Directory, and explained some advantages of the features such as Group Policy and DFS Replication.


This is all very well and good, but by now I’m sure you’re wondering how you can get started with all of this. You have two options:

  1. Hire someone with knowledge on the platform (like me!)
  2. Start learning it all yourself

Option one is for anyone who really wants a top class network without too much hassle. I would recommend this option if you don’t want to spend hours upon hours of learning Windows Server, practicing, throwing it away and starting again, etc. It is the sensible option.

Option two is for people like me who love to learn something new, and can really commit themselves to learning all there is to learn about Windows Server. It’s not for the faint hearted, nor for those who don’t have the time. I also must say that you don’t want to learn about Windows Server if you don’t have any knowledge of computer networking concepts, etc.

How do you start learning Windows Server?

The first thing to do would be to download the evaluation copy of Windows Server 2008, and install it on a spare PC, or a virtual machine. Have a play and fiddle around. It can be run for up to 120 days, and after that you can reinstall to keep playing with it.

Then, you really need to start going through a set of structured lessons which cover the platform, concepts, technologies, jargon, and so on. There are heaps of people who will sell you video lessons on the subject matter. However, I suggest you take a look at the offerings from TrainSignal. TrainSignal offer an eight-video set on Windows Server 2008, which takes you through all the basics, and then some of the more advanced stuff. It is all downloadable, and costs nothing!


After you have completed their series, you will then have the knowledge to go through all of the other roles in Windows Server, and learn it yourself, with the aid of the internet.

If you want some other websites to read with articles on Windows Server, I suggest you look at Windows Networking, Windows IT Pro and TechRepublic. They’re all usually a great read.

I wish you well with your quest to learn about Windows Server. Remember, don’t apply anything to a real live network until you are confident you know what you are doing. If in doubt, consult someone with some experience in the matter.

Advantages of an Active Directory

In computers, centralised management is great. Centralised management of all your users and computers can save you both time and sanity. If you’re running more than a few computers, then you really need to start thinking about ways to centralise everything. You need a directory.


A directory is where details are stored about objects. One example of an object could be a user. Another could be a computer. You get the picture?

Each operating system has a different flavour of directory. On Mac, you have Open Directory (through OS X Server). On Linux, there is Samba. Windows has Active Directory. Each one of these really shares a common protocol, which is LDAP (Lightweight Directory Access Protocol).

Thing is, a directory by itself is very boring – all it does is store objects. How dull.

A directory gets exciting when you add in extra features which make managing these objects much easier. Today I’m going to explain the advantages of using Active Directory technologies. I’m focusing on AD rather than other platforms because it is what I am familiar with, and I know how well it can work and how much potential it has to make your life easier.

Starting from the top: Active Directory is a directory service built into the Windows Server platform (e.g. Windows Server 2008). It is the fundamental way Windows server-client networks are structured – if at work you log on to a domain, then you are really logging on to an Active Directory (99% of the time).


A domain allows anyone to logon to any computer, and have all their settings and preferences come with them. This is one of the key advantages to installing an Active Directory network. If you have more than a few computers on your network, you should seriously be considering an Active Directory.

Active Directory is great because it has extra functionality designed specifically to manage Windows clients. Such functionality includes Group Policy, NTFS domain security, Windows Server Update Services, software deployment and Domain File Services. Each one plays a very specific role, and all of them can be useful to you.

Group Policy would have to be my favourite management tool. In a nutshell, it allows you to apply settings (policies) to groups of people. Want to define one set of settings for every Internet Explorer browser in the building? Group Policy can do that. Want to define a common desktop background? Group Policy can do that. Want to have a set of mapped drives for just your office staff? Group Policy can do that.


Group Policy is great for security because you control every aspect of every computer. I would go so far as to say there are no limits to the power of Group Policy – if a certain restriction isn’t built into Group Policy, you can write it yourself!

Active Directory also allows you to deploy software to groups of computers. Have you just bought a site licence for some office-productivity package, and need to install it on 15 computers? Set it up on your Active Directory, and the software will install automatically on the next restart of each computer.

Another great thing about Active Directory is that you can set up distributed file storage between multiple servers, using Domain File Services Replication (DFS Replication). This is great if you have more than one server, because you can set it up to automatically sync files so if one server goes down, the other one will take over. This is awesome in radio, because you don’t have to go off air if one computer crashes!

Six hundred words about Active Directory, and I haven’t scratched the surface! All of this is great, if you know how to install and configure it all properly. That’s why I’ve decided to share some tips with you tomorrow about how to start learning about the Windows Server platform. Then, next week I hope to share with you some tips on how to get all of this software really cheap, assuming that you are a non-profit organisation, of course.

Make sure you check back tomorrow!