Activity Frequency: Daily

Administrative accounts are high-priced commodities in every network. Gone are the days when they had to be handed out generally to almost anyone who complained loud enough. In today’s Windows Server 2003 network, you can and should define just the right amount of access rights for each and every one who interacts with your system. Therefore, you should have very few administrative accounts at the domain or forest level and have many more specialty administrative accounts that focus on granting just the right amount of access to do a specific job. These accounts and the accesses they grant should be managed or at least reviewed on a daily basis.
Several procedures support the assignment of appropriate rights and permissions to administrative accounts. Some are assigned through the integration of built-in security groups such as Server or Backup Operators, while others are assigned through the association of User Rights Assignment policies with the accounts, or rather the groups that contain these accounts. Three tools support the assignment of appropriate rights:
• Active Directory Users and Computers to create the accounts and assign them to either built-in or custom administrative groups
• Group Policy Management Console to locate and edit the appropriate GPO
• Group Policy Editor to actually assign the user rights

In addition, you might use the Computer Management console to assign local rights to domain groups and accounts.
To modify user rights, use Procedure DC-16 to edit the appropriate GPO, usually one that will affect all of the objects you want to modify. Locate the User Rights Assignment setting (Computer Policy | Security Settings | Local Policies | User Rights Assignment) and assign appropriate settings to administrative accounts. Remember, it is always easier to assign rights to a group than to individual objects, thus it is a good idea to regroup administrative accounts into administrative groups. Use Procedure DC-16 again to ensure proper use of these accounts.
In addition, in today’s enterprise network, you must also manage service accounts—accounts that are granted enough administrative privilege to support the operation of specific services in your network. For example, you might use service accounts to run antivirus engines or scheduled tasks (see Procedure GS-19). The advantage of using a service account to operate a given service or automated task is that you can also use the Security Event Log to review the proper operation of the service. A success event is written in this log each time the service uses its privileged access or logs on.
Service accounts in particular must have specific settings and properties:
• Account must have a complex name
• Account must have a complex password at least 15 characters long
• Password never expires
• User cannot change password
• Act as part of the operating system right
• Log on as a service
SECURITY SCAN The last two settings should be applied with alacrity, especially Act as part of the operating system, because they grant extremely high access levels to the service.
The last two settings must be set in a GPO under the User Rights Assignment settings. Remember to regroup service accounts into service groups as well.
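Added example (not from the book or its companion scripts): a PowerShell audit of the service-account checklist above. It assumes the ActiveDirectory module (RSAT) is installed, that service accounts are collected in a group named Service Accounts, and a 90-day rotation threshold; none of these come from the book. The second half exports the effective User Rights Assignment on the local machine with secedit so you can see who actually holds Act as part of the operating system (SeTcbPrivilege) and Log on as a service (SeServiceLogonRight) once the GPO has applied.

```powershell
# Added example (not from the book). Audits service accounts in an AD group
# against the checklist, then reads the effective User Rights Assignment on
# this computer. Group name and rotation interval below are assumptions.
Import-Module ActiveDirectory

$serviceGroup = 'Service Accounts'   # assumed group name
$maxAgeDays   = 90                   # assumed rotation interval
$findings     = @()

# --- 1. Account flags stored in Active Directory ---------------------------
# Password length and complexity cannot be read back from AD, so only the
# flags, the name and the password age are checked here.
$members = Get-ADGroupMember -Identity $serviceGroup | Where-Object { $_.objectClass -eq 'user' }
foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
            -Properties PasswordNeverExpires, CannotChangePassword, PasswordLastSet
    $n = $u.SamAccountName
    if ($n.Length -lt 8)              { $findings += "${n}: short name (crude proxy for 'complex name')" }
    if (-not $u.PasswordNeverExpires) { $findings += "${n}: 'Password never expires' is not set" }
    if (-not $u.CannotChangePassword) { $findings += "${n}: 'User cannot change password' is not set" }
    if ($u.PasswordLastSet -lt (Get-Date).AddDays(-$maxAgeDays)) {
        $findings += "${n}: password last set $($u.PasswordLastSet), older than $maxAgeDays days"
    }
}

# --- 2. User Rights Assignment as applied on this computer ----------------
# secedit exports the effective policy; in its [Privilege Rights] section each
# right lists its holders, SIDs prefixed with '*'.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rights = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $right   = $Matches[1]
        $holders = foreach ($h in ($Matches[2] -split ',')) {
            $h = $h.Trim()
            if (-not $h) { continue }
            if ($h.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($h.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $h }   # unresolvable SIDs (e.g. deleted accounts) stay as-is
            } else { $h }
        }
        $rights[$right] = @($holders)
    }
}
Remove-Item $cfg

# SeTcbPrivilege is "Act as part of the operating system";
# SeServiceLogonRight is "Log on as a service".
foreach ($r in 'SeTcbPrivilege', 'SeServiceLogonRight') {
    "$r is held by: " + ($rights[$r] -join ', ')
}
# Any holder of SeTcbPrivilege outside the service group deserves a look.
foreach ($h in $rights['SeTcbPrivilege']) {
    if ($h -notlike "*\$serviceGroup") { $findings += "Unexpected holder of SeTcbPrivilege: $h" }
}

$findings
```

Run it on a member server that receives the GPO, not only on a domain controller, since the exported rights are the ones in force on the machine where the services actually run; an unresolved SID left in SeTcbPrivilege usually means an account was deleted without its rights being cleaned up.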
Service accounts present the additional operational overhead of requiring regular password changes. This cannot be limited to simply changing the password in Active Directory Users and Computers because when service accounts are assigned to services, you must give them the account’s password for the service to work properly. This means you also need to modify the password in the service Properties dialog box. Use Procedure GS-02 to do so.
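Added example (not from the book or the TechNet script it refers to): a PowerShell rotation that performs both halves of the change the paragraph describes, the Active Directory password and the password stored with each service definition (what the Log On tab of the service Properties dialog holds). The account name CORP\svc-backup and the server list are placeholders; Win32_Service.Change is the WMI method the script uses to update the stored credential.

```powershell
# Added example (not from the book). Rotates a service account's password in
# AD and in every service that runs as it, then restarts those services.
# $account and $servers are assumed placeholders.
Import-Module ActiveDirectory

$account = 'CORP\svc-backup'        # assumed service account (DOMAIN\name)
$servers = 'SRV01', 'SRV02'          # assumed servers that may run services as it

# 1. Find every service that runs as the account BEFORE touching AD: resetting
#    the password invalidates the old one at once, so every instance must be
#    updated. WQL needs backslashes doubled inside string literals.
$filter  = "StartName='" + $account.Replace('\', '\\') + "'"
$targets = foreach ($s in $servers) {
    Get-WmiObject -Class Win32_Service -ComputerName $s -Filter $filter
}
if (-not $targets) { throw "No services found running as $account on $($servers -join ', ')" }

# 2. Generate a 33-character password from 24 random bytes: base64 yields upper
#    case, lower case and digits, and the trailing '!' guarantees a symbol, so
#    it clears the 15-character complex-password requirement.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes) + '!'

# 3. Reset the password in Active Directory.
$sam = $account.Split('\')[1]
Set-ADAccountPassword -Identity $sam -Reset `
    -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# 4. Store the new password with each service (Win32_Service.Change, 7th and
#    8th arguments are StartName and StartPassword) and restart it so it logs
#    on with the new credential; that logon is the success audit the Security
#    log records for the account.
foreach ($svc in $targets) {
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $account, $newPassword)
    if ($r.ReturnValue -ne 0) {
        Write-Warning "$($svc.__SERVER)\$($svc.Name): Change() returned $($r.ReturnValue); service not restarted"
        continue
    }
    [void]$svc.StopService()
    Start-Sleep -Seconds 5
    [void]$svc.StartService()
    "$($svc.__SERVER)\$($svc.Name): password updated, service restarted"
}
Remove-Variable newPassword
```

Treat every warning as unfinished work: a service whose Change() call failed still holds the old password and will fail its next logon, which is exactly the failure event you would otherwise be chasing in the Security log. Scheduled tasks that run as the same account are not covered by Win32_Service and need their stored password updated separately (Procedure GS-19).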
SCRIPT CENTER
The Microsoft TechNet Script Center includes a WSH sample script that lets you change service account passwords. This script can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/services/scrsvc01.asp?frame=true. It also lets you change administrative user account passwords. A series of scripts affecting user accounts can be found at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/user/default.asp?frame=true.

GS-06: Activity Log Maintenance
Activity Frequency: Daily

Part of your job is also to record both what you do and what you need to do to maintain or repair the network on an ongoing basis. This is the reason why you should keep a Daily Activity Log. Ideally, this log will be electronic and transportable so that you can make annotations whenever you need to. It can be stored in either a Tablet PC or a Pocket PC that you carry with you at all times. The Tablet PC is more useful because it supports a fully working version of Windows and allows you both to run the Windows Server 2003 help files (see Procedure GS-21) and to run virtual machines to simulate problematic situations. In addition, Microsoft OneNote is ideally suited to logging daily activities.
If both devices are unattainable, you should at least use a paper logbook that you carry at all times. You can maintain this log as best suits you, but it is sometimes better to note activities as you perform them than to wait for a specific time of day.
TIP
A sample Daily Activity Log can be found on the companion web site at www.Reso-net.com/PocketAdmin.

GS-07: Uptime Report Management
Activity Frequency: Weekly

Once a week, you’ll need to produce an uptime report for all servers. This helps you track the status of various servers and identify which configurations are best in your environment. There are several tools you can use to produce these reports.
The last line in the report generated by the srvinfo command used in Procedure GS-02 identifies how long a server has been in operation. A second command, systeminfo, gives you information on the server you are examining as well as how long it has been running. A third tool, uptime, is designed specifically to report on server uptime. This tool is available as a download only. Search for uptime at www.microsoft.com/download. Using the last tool and a little ingenuity, you can produce your uptime reports automatically:
1. Download and install uptime.exe into the C:\Toolkit folder.
2. Create a command file that contains the following code line, one for each server in your network:
uptime \\servername
3. Save the command file when done.
4. Use Procedure GS-19 to assign the command file to a weekly scheduled task.
5. In the scheduled task, use the following command to assign output to a text file:
commandfile.cmd >filename.txt
The uptime command will thus create the report for you every week. All you have to do is locate the output file and review the results.
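Added example (not from the book): the same weekly report produced in PowerShell from Win32_OperatingSystem.LastBootUpTime over WMI, so no uptime.exe download is needed and an unreachable server still gets a row instead of silently dropping out of the report. The server names and the C:\Toolkit output path are assumptions; the schtasks line at the end is the scheduling step that Procedure GS-19 covers.

```powershell
# Added example (not from the book). Weekly uptime report over WMI; the
# server list and the report path are assumed placeholders.
$servers = 'DC01', 'SRV01', 'SRV02'
$report  = "C:\Toolkit\Uptime-$(Get-Date -Format yyyyMMdd).txt"

function Get-ServerUptime {
    param([string]$ComputerName)
    try {
        $os   = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $boot = $os.ConvertToDateTime($os.LastBootUpTime)   # WMI DMTF timestamp -> DateTime
        New-Object PSObject -Property @{
            Server     = $ComputerName
            LastBoot   = $boot
            UptimeDays = [math]::Round(((Get-Date) - $boot).TotalDays, 2)
            Status     = 'OK'
        }
    } catch {
        # An unreachable server still gets a row, so the gap is visible in the report.
        New-Object PSObject -Property @{
            Server = $ComputerName; LastBoot = $null; UptimeDays = $null
            Status = "Unreachable: $($_.Exception.Message)"
        }
    }
}

$rows = foreach ($s in $servers) { Get-ServerUptime -ComputerName $s }
$rows | Sort-Object UptimeDays |
    Format-Table Server, LastBoot, UptimeDays, Status -AutoSize |
    Out-String | Set-Content -Path $report

# Rows to follow up on when reviewing: servers rebooted inside the last week
# (an unplanned restart) and servers that could not be reached at all.
$rows | Where-Object { $_.Status -ne 'OK' -or $_.UptimeDays -lt 7 }

# To schedule the script weekly (run once, as the account the task should use):
# schtasks /create /tn "Uptime Report" /sc weekly /d MON /st 07:00 `
#   /tr "powershell.exe -ExecutionPolicy Bypass -File C:\Toolkit\Get-Uptime.ps1"
```

Keep the dated report files: comparing this week's LastBoot column with last week's is the quickest way to spot a server that rebooted without a change record.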