For all networks, systems administrators must keep track of who is accessing the network as well as control each user’s access to the various network resources. In most networks, information about users and their access rights are stored in a directory that provides user authentication and access control services.
A directory service typically contains sensitive information about the user and service accounts that have access to the enterprise network and information regarding directory-enabled applications and services as well as other network resources. This information is sensitive in that the unregulated disclosure and/or disruption in the provision of this information and related services can interfere with business operations.
Directory security is fundamentally focused on protecting information, service, and resource assets accessible through the enterprise network. In addition to protecting information stored within the directory, the authorization and access control mechanisms provided by the directory service protect the services and information stored within your network.
Implementing security for the information contained in and the resources protected by Microsoft’s directory service implementation----Active Directory (AD) ---- is not a simple task. Although AD provides powerful management capabilities, these features introduce complexities. You must understand AD, the network, the corporate environment, and the potential threats and vulnerabilities before you can effectively implement security.
In this chapter, we’ll explore directory security at a high level before moving onto an exploration of the possible threats and approaches to managing the directory service and information from a security perspective. In later chapters, we will delve into how the design of the directory impacts security and administration, then we will take an in depth look into Group Policies and delegation of directory administration.