UVM Active Directory Policies

Version 0.4

Updated: 12/14/2005

1. Introduction
2. How to Join the UVM Active Directory Forest
3. Joining as an Organizational Unit (OU)
4. Joining as a Domain
5. Computer Accounts
6. User Accounts
7. Group Policy Objects (GPOs)
   7.1 GPO Naming Conventions
   7.2 GPO Processing
   7.3 GPO Delegation
   7.4 GPO Security
8. Authentication
9. Passwords
10. Software License Compliance
11. Network Services
12. Microsoft Exchange Servers
13. Internet Information Server IIS
14. Distributed File System (DFS)
15. Encrypted File System (EFS)
16. Security Policies and Windows Update Services
17. Enterprise Administration Responsibilities
18. Local Administration Responsibilities
 

1. Introduction

We anticipate that many departments and units, large and small, on the UVM Campus will elect to join the UVM Active Directory forest.  Most of the administrative responsibilities in the forest will be delegated to local administrators in these departments and units. Being a local administrator in the UVM Active Directory forest carries certain responsibilities and expectations. These policies are meant to delineate appropriate standards within the UVM Active Directory forest.

All local administrators in the UVM Active Directory forest must read and agree to the following policies, prior to being given an administrative account. Any local administrator who creates an administrative account for another local administrator must make sure the new administrator has read and agreed to these policies.

All UVM Active Directory local administrators (or their proxy) are expected to participate in the UVM Active Directory Planning Committee and attend its meetings.

2. How to Join the UVM Active Directory Forest

  1. Familarize yourself with:
    - Policies for UVM Active Directory OU Administrators, (this document)
    - UVM Active Directory Naming Standards,
    - Frequently Asked Questions,
    - UVM Active Directory design.

  2. Schedule a meeting with the UVM Active Directory project team by using the sign-on form. The UVM Active Directory team will discuss your requirements with you.  You will be required to:

3. Joining as an Organizational Unit (OU)

Departments with special workstation administration needs or departments that need to run their own Windows-based application servers are encouraged to join the UVM Active Directory as an Organizational Unit (OU). OUs are directory containers for directory objects (i.e., user, computer, and policy objects). The primary purpose of an OU is to make administration easier in terms of management and delegation. Control of an OU in the UVM Active Directory forest will be delegated to an OU "administrator group" object.  This group shall have the ability to manage computers, local security groups, and Group Policy Objects (GPOs) in their OU and sub-OUs.  (GPOs are sets of common configuration settings (such as software distribution settings, user environment settings, or workstation security policies).  GPOs assist in the management of directory objects such as computers and users.)  OU administrators will be allowed to apply GPOs for their OU only.

The UVM Active Directory Design calls for all general-use user accounts to be present the "People" OU.  This OU is populated and maintained by CIT.  Under no circumstances will "People" accounts be moved to departmental OUs.  User-level GPOs can be applied against computer objects in the departmental OU through the use of loopback policy processing.  For more on Group Policy processing, see "7. Group Policy Objects", below.

4. Joining as a Domain

Joining as a domain will not be allowed in most cases. Special circumstances may require this option, but in general it leads to no significant advantage for the joining group. Joining as a domain requires agreement to the policies contained in this document as well as to the additional responsibilities and limitations contained in Policies for UVM Active Directory Domain Administrators.

5. Computer Accounts

UVM Active Directory naming standards are recommended for computer account names. Naming conflicts are left to local administrators to resolve. Priority will go the OU original owner of the computer name.

Workstations must adhere to the UVM Active Directory DNS policy.  Workstations in the forest must be configured to turn off DDNS registration. This is enforced by a site GPO which should not be blocked.

6. User Accounts

UVM Active Directory naming standards are recommended for you local-OU administrative account names.  Creation of general-use accounts in local OUs should be avoided as the centrally maintained "People" OU will provide up-to-date accounts for all University affiliates.  Exceptions may be made for "temporary" accounts, such as accounts for short-term consultants and contractors.

Local OU administrators are responsible for the support of any accounts which they create. As a local administrator, it is up to you to educate your users on a regular basis so as to avoid common problems. The majority of issues you deal with will probably concern failed logins and security in the distributed Windows environment. For example, remembering to specify the correct domain during login (or the full UPN, "UVM NetID@uvm.edu", on the user field) is not something with which most people will be familiar.

Data replicated into the UVM Active Directory campus domain from the UVM LDAP Directory (e.g., name fields, address fields, phone numbers, etc.) will be subject to automatic updating and cannot be altered by OU administrators.  However, account attributes in the People OU must be modified for compatibility with various AD-integrated applications (such as Microsoft Exchange).  When necessary, the local administrators group will be granted access to these attributes.

Local administrators should make every effort to delete expired or unused administrative accounts in their OUs.

7. Group Policy Objects (GPOs)

Group Policy Objects are directory objects used to apply common configuration settings on computers and user objects. GPOs are associated with directory containers, and are thus applied indirectly to all user or computer objects within that container. Using GPOs, local administrators can perform tasks such as assigning a particular software installation to a set of computers, enforce security settings, or assign configuration options.

7.1 GPO Naming Conventions

UVM Active Directory naming standards are required for OU Administrator-generated GPOs.

7.2 GPO Processing

7.3 GPO Delegation

7.4 GPO Security

8. Authentication

Use of Kerberos v5 authentication protocol is encouraged for all applications in the UVM Active Directory.  Where Kerberos cannot be used, NTLMv2 authentication is allowed.

Use of legacy authentication protocols (all protocols prior to NTLMv2) is considered dangerous.  As technologies mature, use if pre-NTLMv2 authentication protocols will be disabled by Domain-level Group Policy as soon as this becomes technically feasible.

Clear-text authentication is not allowed in the UVM Active Directory infrastructure. Clear-text authentication will be turned off on all domain controllers. Administrative policies will disable clear-text authentication on all services with which it is commonly used ( IIS, Mac File and Print Services, FTP, Telnet).

9. Passwords

At this time, no password strength requirements are enforced.  However, CIT strongly recommends the use of password of at least eight characters in length, which contain a mix of alpha, numeric, and special (i.e. !@#$%^&*) characters.  Passwords should not contain ANY dictionary words.  Password changes can be initiated from the UVM Change Passphrase web page.

10. Software License Compliance

Participation in the UVM Active Directory forest does not entitle departments to licenses for operating systems or other software for departmental systems. The UVM Active Directory service includes only licenses for software required to operate the UVM Active Directory forest and Domain Controllers. Computer Client Access Licenses (CALs) for connecting to the AD service will be provided free-of-charge participating departments.  However, departments administrators should ensure that their workstations and servers are properly licensed for.  Required licenses include including workstation and server operating systems, server software, and any Client Access Licenses (CALs) required for server applications.

11. Network Services

Windows DNS Server Services must NOT be installed on any computer within the UVM Active Directory forest without prior consultation with CIT Network Services and the UVM Active Directory Enterprise Administrators. Windows workstations using central DNS services must be configured to turn off DDNS registration.  A site-wide GPO automatically disables DDNS registration for workstations in the forest. This policy should not be blocked. All UC Berkeley computers in the UVM Active Directory forest must have their primary DNS suffix correctly entered, and must be registered in DNS to communicate properly outside of the forest.

DHCP services must be coordinated with CIT Network Services and the UVM Active Directory Enterprise Administrators before joining the forest.

12. Microsoft Exchange Servers

Use of Microsoft Exchange version 2000 (or higher) is supported in the UVM Active Directory.  All Exchange instances will use the "UVM" Exchange organization name.  The ability to modify Exchange-specific user object attributes in the "People" OU will be delegated to container administrators in departments which run Exchange.

Exchange 2003 or higher is recommended as Kerberos authentication from Exchange clients is not supported prior to this version.

13. Internet Information Server (IIS)

By default, workstation IIS services are turned off through UVM Active Directory Group Policy. This helps to ensure that local workstations cannot start 'rogue' IIS web servers. Local administrators can override the UVM Active Directory GPOs governing IIS in order to implement a well-managed IIS web service or IIS test environment. "Well-managed" means that all security patches and fixes have been applied; all unnecessary IIS services have been turned off; and IIS is configured to not allow clear-text authentication.

14. Distributed File System (DFS)

Domain-rooted DFS is supported in the UVM Active Directory forest. Please contact the UVM Active Directory Enterprise Administrators if you wish to integrate with the domain-root DFS.

15. Encrypted File Services (EFS)

By default, EFS services are not enabled. Please be sure you understand the risks relating to lost encryption keys if you choose to override this policy.  The Enterprise Administrators will not provide assistance with recovery of encrypted files.

16.  Security Policies and Windows Server Update Services

By default, all workstations joined to the domain will receive a default set of required security policies.  The policies may not be overridden without the consent of the Enterprise Administrators.  Additionally, all workstations will receive automated critical updates from a centrally managed "Windows Server Update Server" (WSUS).  This policy may not be overridden unless the local OU administrator intends to run a service which accomplishes the same task.

17. Enterprise Administration Responsibilities

The UVM Active Directory Infrastructure is composed of many different computing, administrative and consulting services. This section provides a brief description of these services and specific contact information for each. In general, people who experience problems with a particular service should speak to their local UVM Active Directory administrator first. If the issue canít be resolved, then the local administrator raise the issue to the appropriate support group.

The CIT Client Services Group installs and maintains the server and support machines which run Active Directory for the AD and CAMPUS domains. A group within Client Services serve as Enterprise Administrators (EA). They install, configure, and maintain the Active Directory domain controllers for the AD and CAMPUS domains that support the UVM Active Directory infrastructure. The CIT Technical Support Group maintain the "uvm.edu" Kerberos Authentication servers (the UVM NetID authentication service), and the UVM LDAP Directory which feeds account information to the Active Directory.  Urgent problems related to domain controllers or infrastructure services should be reported by calling the CIT Helpdesk. For general discussion, this group can be contacted via e-mail.

The responsibilities of the Enterprise Administrators are to:

18. Local Administration Responsibilities

The responsibilities of local administrators are: