Exam 70-414 Implementing an Advanced Server Infrastructure

Manage and maintain a server infrastructure
The 70-414 exam looks to stretch your understanding of planning, implementation, and management of an advanced Microsoft-based infrastructure. The tools and products included in the exam are used in enterprise-level networks and emphasize automation, high availability, and self-service. The first chapter of this book discusses objectives surrounding server infrastructure management. Within this chapter and indeed the entire book, you’ll find hands-on examples that directly tie to the exam objectives, and you’ll find numerous links to more information on TechNet.

Objectives in this chapter:
  • Objective 1.1: Design an administrative model
  • Objective 1.2: Design a monitoring strategy
  • Objective 1.3: Plan and implement automated remediation

Objective 1.1: Design an administrative model
Designing an administrative model for an enterprise network involves a large amount of planning, especially in complex or highly structured enterprises. A good administrative model will enable delegation of authority while also enforcing the principle of least privilege. Many organizations have unique needs, but the overall administrative model can follow a common pattern. For example, an organization that’s geographically dispersed may allow personnel at remote locations to change passwords for users at that remote site.


Understanding administrative model design considerations
Typical enterprise administrative and privilege models use groups to assign and delegate permissions. Groups save time and administration overhead by combining similar users and computers into one entity that can then be assigned permissions.


Groups can have users and computers and are created as a security group or a distribution group. The security group type is covered in this chapter; distribution groups are typically used to create email distribution lists and aren’t covered in this book. Groups are also scoped, which means that they can apply locally to a computer, to a domain, or to an entire forest. Table 1-1 describes the three types of group scopes available in AD DS.

TABLE 1-1 Active Directory Domain Services group scope


User rights
Before looking at user rights, it’s important to agree on the definition of a user right. You can find a definition all the way back to Windows NT Server 4.0 in the “NT Server 4.0 Concepts and Planning Manual” on TechNet, where a right is defined as something that “authorized a user to perform certain actions on a computer system.” See http://technet.microsoft.com/enus/library/cc751446.aspx for more discussion on the definition.

What’s important to realize is the distinction between a right and a permission. A right defines what a user can do on a computer system, whereas permissions apply to objects. Rights can override permissions in certain instances. For example, if a user is a member of a group that has the right to back up a computer or has the Back Up Files and Directories right, that user inherently has read access to the files on the computer, even if permissions would normally deny such access.

More specifically, the Back Up Files and Directories right has the following permissions:
  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Extended Attributes
  • Read Permissions
The Back Up Files and Directories right is just one example of this concept. Table 1-2 shows several other security-related user rights available with Windows Server 2012. An abbreviated constant name applies to each of the rights described in Table 1-2. The constant names are used for logging and can also be used for Windows PowerShell, as discussed later in this section.

TABLE 1-2 Additional security-related user rights

The constant name described in Table 1-2 can be used with Windows PowerShell cmdlets related to privileges:
  • Get-Privilege
  • Grant-Privilege
  • Revoke-Privilege
  • Test-Privilege
As described in Table 1-2, user rights generally shouldn’t be applied to accounts directly, but rather should be granted through the use of groups.


Built-in groups
Built-in groups, also called default groups, are added with the operating system. Many of the default groups have user rights assigned already. Certain rights also apply depending on the type of computer on which the right is being exercised. For example, the Allow Logon Locally right is granted to the following groups for logging on to workstations and servers:
  • Administrators
  • Backup Operators
  • Users
By contrast, the following groups have the Allow Logon Locally right for domain controllers:
  • Account Operators
  • Administrators
  • Backup Operators
  • Print Operators
  • Server Operators
Table 1-3 shows the local groups for a computer and the user rights granted to them by default.
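The checks the text describes can be scripted from a defender's side. The following PowerShell is an added example written for this page, not code from the book, from Microsoft or from any PowerShell privilege module: it parses the [Privilege Rights] section of a secedit export, resolves each principal, reports any right granted directly to a user account instead of through a group, and compares the holders of Allow Logon Locally against the default groups listed above for workstations and servers versus domain controllers. It assumes an elevated session on Windows with secedit.exe available, that SeBackupPrivilege and SeInteractiveLogonRight are the constant names for Back Up Files and Directories and Allow Logon Locally, and that the sample INF text (including its domain SID) is constructed for illustration.

```powershell
# Added example, not from the book: audit the local User Rights Assignment against the
# group-based model described above. Assumes an elevated Windows session with secedit.exe;
# SeBackupPrivilege / SeInteractiveLogonRight are the constants for "Back Up Files and
# Directories" / "Allow log on locally"; the sample INF below (and its domain SID) is made up.

function Get-UserRightsAssignment {
    # Parse the [Privilege Rights] section of a secedit INF export.
    # Returns a hashtable: constant name -> array of principals (SIDs without the '*' prefix).
    param([string]$InfText)   # INF text; exported from the live machine when omitted
    if (-not $InfText) {
        $tmp = Join-Path $env:TEMP 'user-rights.inf'
        & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
        $InfText = Get-Content -Path $tmp -Raw
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    $rights = @{}
    $inSection = $false
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $principals = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
        $rights[$name] = @($principals)
    }
    return $rights
}

function Resolve-Principal {
    # Map a SID or account name to its name and type via Win32_Account.
    # SIDType: 1 = user, 2 = domain group, 4 = alias (local/builtin group), 5 = well-known group.
    param([string]$Principal)
    $filter = if ($Principal -like 'S-1-*') { "SID='$Principal'" } else { "Name='$Principal'" }
    $acct = Get-CimInstance -ClassName Win32_Account -Filter $filter -ErrorAction SilentlyContinue |
            Select-Object -First 1
    if ($acct) { return [pscustomobject]@{ Name = $acct.Name; Type = [int]$acct.SIDType } }
    # Unresolvable SIDs (deleted accounts, foreign domains) are findings in their own right.
    return [pscustomobject]@{ Name = $Principal; Type = -1 }
}

function Test-UserRightsModel {
    # Report deviations from the group-based model. Returns one string per finding.
    param([hashtable]$Rights, [switch]$DomainController)
    $findings = @()
    foreach ($right in $Rights.Keys) {
        foreach ($p in $Rights[$right]) {
            $info = Resolve-Principal $p
            if ($info.Type -eq 1) {
                $findings += "$right is granted directly to user '$($info.Name)'; grant it through a group instead"
            } elseif ($info.Type -eq -1) {
                $findings += "$right is granted to unresolvable principal '$p'"
            }
        }
    }
    # Default "Allow log on locally" holders differ between member machines and domain controllers.
    $expected = if ($DomainController) {
        'Account Operators', 'Administrators', 'Backup Operators', 'Print Operators', 'Server Operators'
    } else {
        'Administrators', 'Backup Operators', 'Users'
    }
    $actual = @($Rights['SeInteractiveLogonRight'] | ForEach-Object { (Resolve-Principal $_).Name })
    foreach ($extra in ($actual | Where-Object { $_ -notin $expected })) {
        $findings += "SeInteractiveLogonRight is held by '$extra', which is not in the default set for this role"
    }
    return $findings
}

# Constructed sample export (not from a real system): Administrators and Backup Operators hold
# the backup right as expected, plus one assignment to a made-up domain SID that should be flagged.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
'@

$rights = Get-UserRightsAssignment -InfText $sampleInf
Test-UserRightsModel -Rights $rights
# Against the live machine (on a DC): Test-UserRightsModel -Rights (Get-UserRightsAssignment) -DomainController
```

The parser works on the INF text alone, so the sample can be checked without touching the local policy; calling Get-UserRightsAssignment with no argument exports the real assignment with secedit. Because secedit writes principals as SIDs, the resolution step is what turns a finding into something an administrator can act on, and a SID that no longer resolves is itself worth reporting, since the right remains granted to whatever account that SID once identified.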


AD DS also contains default groups. These groups are placed into either the Builtin or Users container.
Table 1-4 describes the groups in the Builtin container.

Table 1-5 describes the groups in the Users container.
TABLE 1-5 Groups in the Users container

Built-in groups are different from special identities. A special identity is a group for which membership cannot be modified, such as the Everyone group. Special identities include those in Table 1-6.
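Because the default groups carry these rights, their membership is what an administrative model actually rests on. The following PowerShell is an added example for this page, not code from the book or from Microsoft: it records the recursive membership of every group in the Builtin and Users containers and reports any drift from a saved baseline. It assumes the ActiveDirectory module is available for live collection; the baseline and "current" hashtables at the end are constructed for illustration, so the comparison logic runs without a domain.

```powershell
# Added example, not from the book: compare the membership of the AD DS default groups in the
# Builtin and Users containers against a recorded baseline. Assumes the ActiveDirectory module;
# the baseline and current data at the bottom are constructed for illustration.

function Get-DefaultGroupMembership {
    # Live collection: group name -> sorted array of member SamAccountNames (nested groups expanded).
    $dn = (Get-ADDomain).DistinguishedName
    $result = @{}
    foreach ($container in 'CN=Builtin', 'CN=Users') {
        foreach ($group in Get-ADGroup -Filter * -SearchBase "$container,$dn") {
            $members = Get-ADGroupMember -Identity $group -Recursive |
                       Select-Object -ExpandProperty SamAccountName
            $result[$group.Name] = @($members | Sort-Object)
        }
    }
    return $result
}

function Compare-GroupBaseline {
    # Returns one string per member that was added to or removed from a group since the baseline.
    param([hashtable]$Baseline, [hashtable]$Current)
    $findings = @()
    $groups = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($group in $groups) {
        $was = @($Baseline[$group])
        $now = @($Current[$group])
        foreach ($m in ($now | Where-Object { $_ -notin $was })) { $findings += "$group gained member $m" }
        foreach ($m in ($was | Where-Object { $_ -notin $now })) { $findings += "$group lost member $m" }
    }
    return $findings
}

# Constructed data (not from a real domain): the baseline has the operator groups empty, and the
# "current" snapshot shows a service account added to Account Operators.
$baseline = @{
    'Account Operators' = @()
    'Server Operators'  = @()
    'Domain Admins'     = @('Administrator')
}
$current = @{
    'Account Operators' = @('helpdesk-svc')
    'Server Operators'  = @()
    'Domain Admins'     = @('Administrator')
}
Compare-GroupBaseline -Baseline $baseline -Current $current

# Live use: save Get-DefaultGroupMembership once as the baseline (Export-Clixml), then compare on a schedule.
```

Recursive expansion matters here: a user nested through an intermediate group still gains the operator group's rights, and a non-recursive listing would miss that. Special identities such as Everyone are not covered by this check, since their membership is not stored in the directory and cannot be changed.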

TABLE 1-6 Special identities
