mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
note, formatting
This commit is contained in:
Mandi Ohlinger
GitHub
@ -107,10 +107,8 @@ The Administrator account can also be disabled when it is not required. Renaming
|
||||
|
||||
On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources.
|
||||
|
||||
**Note**
|
||||
When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
|
||||
|
||||
|
||||
> [!NOTE]
|
||||
> When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards.
|
||||
|
||||
When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation.
|
||||
|
||||
@ -118,13 +116,11 @@ When Active Directory is installed on the first domain controller in the domain,
|
||||
|
||||
|Attribute|Value|
|
||||
|--- |--- |
|
||||
|Well-Known SID/RID|S-1-5-<domain>-500|
|
||||
|Well-Known SID/RID|S-1-5-`<domain>`-500|
|
||||
|Type|User|
|
||||
|Default container|CN=Users, DC=<domain>, DC=|
|
||||
|Default container|CN=Users, DC=`<domain>`, DC=|
|
||||
|Default members|N/A|
|
||||
|Default member of|Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.
|
||||
Group Policy Creator Owners, and Schema Admins in Active Directory
|
||||
Domain Users group|
|
||||
|Default member of|Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users. <br/><br/>Group Policy Creator Owners, and Schema Admins in Active Directory<br/><br/>Domain Users group|
|
||||
|Protected by ADMINSDHOLDER?|Yes|
|
||||
|Safe to move out of default container?|Yes|
|
||||
|Safe to delegate management of this group to non-service administrators?|No|
|
||||
@ -164,9 +160,9 @@ For details about the Guest account attributes, see the following table.
|
||||
|
||||
|Attribute|Value|
|
||||
|--- |--- |
|
||||
|Well-Known SID/RID|S-1-5-<domain>-501|
|
||||
|Well-Known SID/RID|S-1-5-`<domain>`-501|
|
||||
|Type|User|
|
||||
|Default container|CN=Users, DC=<domain>, DC=|
|
||||
|Default container|CN=Users, DC=`<domain>`, DC=|
|
||||
|Default members|None|
|
||||
|Default member of|Guests, Domain Guests|
|
||||
|Protected by ADMINSDHOLDER?|No|
|
||||
@ -184,9 +180,9 @@ HelpAssistant is the primary account that is used to establish a Remote Assistan
|
||||
|
||||
The SIDs that pertain to the default HelpAssistant account include:
|
||||
|
||||
- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
|
||||
- SID: S-1-5-`<domain>`-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
|
||||
|
||||
- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
|
||||
- SID: S-1-5-`<domain>`-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
|
||||
|
||||
For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
|
||||
|
||||
@ -196,9 +192,9 @@ For details about the HelpAssistant account attributes, see the following table.
|
||||
|
||||
|Attribute|Value|
|
||||
|--- |--- |
|
||||
|Well-Known SID/RID|S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon)|
|
||||
|Well-Known SID/RID|S-1-5-`<domain>`-13 (Terminal Server User), S-1-5-`<domain>`-14 (Remote Interactive Logon)|
|
||||
|Type|User|
|
||||
|Default container|CN=Users, DC=<domain>, DC=|
|
||||
|Default container|CN=Users, DC=`<domain>`, DC=|
|
||||
|Default members|None|
|
||||
|Default member of|Domain Guests<p>Guests|
|
||||
|Protected by ADMINSDHOLDER?|No|
|
||||
@ -242,8 +238,8 @@ For all account types (users, computers, and services)
|
||||
|
||||
Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected.
|
||||
|
||||
**Important**
|
||||
Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
|
||||
> [!IMPORTANT]
|
||||
> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer.
|
||||
|
||||
For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/).
|
||||
|
||||
@ -259,9 +255,9 @@ For details about the KRBTGT account attributes, see the following table.
|
||||
|
||||
|Attribute|Value|
|
||||
|--- |--- |
|
||||
|Well-Known SID/RID|S-1-5-<domain>-502|
|
||||
|Well-Known SID/RID|S-1-5-`<domain>`-502|
|
||||
|Type|User|
|
||||
|Default container|CN=Users, DC=<domain>, DC=|
|
||||
|Default container|CN=Users, DC=`<domain>`, DC=|
|
||||
|Default members|None|
|
||||
|Default member of|Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.|
|
||||
|Protected by ADMINSDHOLDER?|Yes|
|
||||
@ -280,9 +276,9 @@ Each default local account in Active Directory has a number of account settings
|
||||
|User must change password at next logon|Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.|
|
||||
|User cannot change password|Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.|
|
||||
|Password never expires|Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.|
|
||||
|Store passwords using reversible encryption|Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.<p>This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).|
|
||||
|Store passwords using reversible encryption|Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.<br/><br/>This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).|
|
||||
|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.|
|
||||
|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.<p>When this attribute is applied on the account, the effect is as follows:<li>The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process<li>Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.<li>Accounts with this attribute cannot be used to start services or run scheduled tasks.|
|
||||
|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.<br/><br/>When this attribute is applied on the account, the effect is as follows:<li>The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process<li>Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.<li>Accounts with this attribute cannot be used to start services or run scheduled tasks.|
|
||||
|Account is trusted for delegation|Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.|
|
||||
|Account is sensitive and cannot be delegated|Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.|
|
||||
|Use DES encryption types for this account|Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).<div class="alert"> **Note:** DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](/archive/blogs/askds/hunting-down-des-in-order-to-securely-deploy-kerberos)</div>|
|
||||
@ -346,8 +342,8 @@ Restrict Domain Admins accounts and other sensitive accounts to prevent them fro
|
||||
|
||||
- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights.
|
||||
|
||||
**Important**
|
||||
Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
|
||||
> [!IMPORTANT]
|
||||
> Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section.
|
||||
|
||||
|
||||
|
||||
@ -355,8 +351,8 @@ Ensure that sensitive administrator accounts cannot access email or browse the I
|
||||
|
||||
Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts).
|
||||
|
||||
**Note**
|
||||
If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
|
||||
> [!NOTE]
|
||||
> If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task.
|
||||
|
||||
|
||||
|
||||
@ -376,8 +372,8 @@ If the administrators in your environment can sign in locally to managed servers
|
||||
|
||||
The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings.
|
||||
|
||||
**Note**
|
||||
In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure.
|
||||
> [!NOTE]
|
||||
> In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure.
|
||||
|
||||
**To install administrative workstations in a domain and block Internet and email access (minimum)**
|
||||
|
||||
@ -385,7 +381,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
|
||||
2. Create computer accounts for the new workstations.
|
||||
|
||||
> **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
|
||||
> [!NOTE]
|
||||
> You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
|
||||
|
||||
|
||||
|
||||
@ -413,8 +410,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
|
||||
4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
|
||||
|
||||
**Important**
|
||||
These instructions assume that the workstation is to be dedicated to domain administrators.
|
||||
> [!IMPORTANT]
|
||||
> These instructions assume that the workstation is to be dedicated to domain administrators.
|
||||
|
||||
|
||||
|
||||
@ -449,12 +446,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
|Allow Automatic Updates immediate installation|Enabled|
|
||||
|Configure Automatic Updates|Enabled4 - Auto download and schedule the installation0 - Every day 03:00|
|
||||
|Enable Windows Update Power Management to automatically wake up the system to install scheduled updates|Enabled|
|
||||
|Specify intranet Microsoft Update service location|Enabled `http://<WSUSServername> http://<WSUSServername>` Where `>WSUSServername>` is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.|
|
||||
|Specify intranet Microsoft Update service location|Enabled `http://<WSUSServername> http://<WSUSServername>` Where `<WSUSServername>` is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.|
|
||||
|Automatic Updates detection frequency|6 hours|
|
||||
|Re-prompt for restart with scheduled installations|1 minute|
|
||||
|Delay restart for scheduled installations|5 minutes|
|
||||
|
||||
> **Note** This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates.
|
||||
> [!NOTE]
|
||||
> This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates.
|
||||
|
||||
12. Configure the inbound firewall to block all connections as follows:
|
||||
|
||||
@ -476,8 +474,8 @@ In this procedure, the workstations are dedicated to domain administrators. By s
|
||||
|
||||
It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer.
|
||||
|
||||
**Important**
|
||||
Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation.
|
||||
> [!IMPORTANT]
|
||||
> Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation.
|
||||
|
||||
|
||||
|
||||
@ -489,8 +487,8 @@ Restrict logon access to lower-trust servers and workstations by using the follo
|
||||
|
||||
- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators.
|
||||
|
||||
**Note**
|
||||
For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
|
||||
> [!NOTE]
|
||||
> For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations)
|
||||
|
||||
|
||||
|
||||
@ -498,7 +496,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
1. As a domain administrator, open the Group Policy Management Console (GPMC).
|
||||
|
||||
2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\*<domain>*, and then expand to **Group Policy Objects**.
|
||||
2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\`<domain>`, and then expand to **Group Policy Objects**.
|
||||
|
||||
3. Right-click **Group Policy Objects**, and > **New**.
|
||||
|
||||
@ -522,8 +520,8 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
|
||||
|
||||
**Note**
|
||||
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
> [!NOTE]
|
||||
> You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
|
||||
|
||||
|
||||
@ -531,8 +529,8 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
8. Configure the user rights to deny batch and service logon rights for domain administrators as follows:
|
||||
|
||||
**Note**
|
||||
Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.
|
||||
> [!NOTE]
|
||||
> Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services.
|
||||
|
||||
|
||||
|
||||
@ -544,8 +542,8 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
|
||||
|
||||
**Note**
|
||||
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
> [!NOTE]
|
||||
> You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
|
||||
|
||||
|
||||
@ -557,14 +555,14 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
|
||||
|
||||
**Note**
|
||||
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
> [!NOTE]
|
||||
> You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
|
||||
|
||||
|
||||
|
||||
9. Link the GPO to the first Workstations OU.
|
||||
|
||||
Navigate to the *<forest>*\\Domains\\*<domain>*\\OU Path, and then:
|
||||
Navigate to the *<forest>*\\Domains\\`<domain>`\\OU Path, and then:
|
||||
|
||||
1. Right-click the workstation OU, and then > **Link an Existing GPO**.
|
||||
|
||||
@ -580,8 +578,8 @@ For this procedure, do not link accounts to the OU that contain workstations for
|
||||
|
||||
However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations).
|
||||
|
||||
**Important**
|
||||
If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators.
|
||||
> [!IMPORTANT]
|
||||
> If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators.
|
||||
|
||||
|
||||
|
||||
@ -618,4 +616,4 @@ In addition, installed applications and management agents on domain controllers
|
||||
|
||||
- [Security Principals](security-principals.md)
|
||||
|
||||
- [Access Control Overview](access-control.md)
|
||||
- [Access Control Overview](access-control.md)
|
||||
|
||||
Reference in New Issue
Block a user