Tip 1. Create Your Own Delegatable Administrative Tasks.
One of the wonderful things about Windows 2000 and Windows Server
2003 is that you can delegate administrative tasks in your domains.
You no longer have to give full administrative privileges to help
desk employees, for example, when you just want them to be able
to reset passwords. You can delegate authority at many levels of
your Active Directory hierarchy and so limit authority in that manner
too. When you start the Delegation of Authority wizard, you're offered
some sample tasks that you can assign to groups, but the best value
comes from creating a custom task. It takes some research and testing
but in the end often just requires you to make a dozen or so extra
mouse clicks to select the different items and complete the definition.
Therein lies the problem. If you want to repeat the assignment,
say in another OU or domain, to a different group, you must repeat
the mouse clicks again. This is not only annoying, it can result
in error. The solution is obvious: Create your own delegatable tasks
and add them to the wizard. Once defined, you can simply click on
your custom task, and the wizard does the rest of the work. How,
you ask? Go grab a copy of Knowledge Base article 308404, "How to
customize the task list in the Delegation Wizard." You'll find it
here:
http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B308404
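As an added illustration (not part of the original tip or of the KB article), here is a help desk task written in the layout of the wizard's task file, delegwiz.inf, with a small Python check that catches the typing mistakes and over-broad grants that creep in when the file is edited by hand. The template names, descriptions and lint rules are assumptions made for this example, and the sample file content is constructed.

```python
import configparser

# Constructed sample in the delegwiz.inf layout; template90/91 are placeholder names.
SAMPLE_INF = """
[DelegationTemplates]
Templates = template90, template91
[template90]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Help desk: reset passwords and unlock accounts"
ObjectTypes = user
[template90.user]
CONTROLRIGHT = "Reset Password"
pwdLastSet = RP,WP
lockoutTime = RP,WP
[template91]
AppliesToClasses = organizationalUnit
Description = "Manage computers (deliberately flawed)"
ObjectTypes = SCOPE, computer
[template91.computer]
@ = GA
"""

REQUIRED = ("AppliesToClasses", "Description", "ObjectTypes")

def lint_templates(inf_text):
    """Return a list of problems in the task templates of a delegwiz.inf text."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(inf_text)
    problems = []
    for name in cp.get("DelegationTemplates", "Templates").split(","):
        name = name.strip()
        if not cp.has_section(name):
            problems.append(f"{name}: listed in Templates but not defined")
            continue
        problems += [f"{name}: missing {k}" for k in REQUIRED if not cp.has_option(name, k)]
        for obj in filter(None, (o.strip() for o in cp.get(name, "ObjectTypes", fallback="").split(","))):
            section = f"{name}.{obj}"
            if not cp.has_section(section):
                problems.append(f"{section}: object type has no permission section")
            elif cp.get(section, "@", fallback="").strip().upper() == "GA":
                problems.append(f"{section}: grants full control (@=GA)")
    return problems

if __name__ == "__main__":
    for problem in lint_templates(SAMPLE_INF):
        print(problem)
```

The first template is the narrowly scoped help desk task and passes cleanly; the second is flagged twice, once for the missing SCOPE section and once for granting full control.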
Tip 2. Use Selective Authentication.
With Windows Server 2003 you can create a forest trust. This is
most helpful if you have multiple forests in your organization and
need to provide access to resources between the forests. You might
also wish to create a forest trust to share resources with trusted
partners. It's also a useful tool when companies with pre-existing
forests merge. Forest trusts provide the opportunity to have Kerberos-style
one- or two-way trusts between every domain in both forests. However,
that's perhaps not the best way to go. No problem. Windows Server
2003 offers the opportunity to turn on or off selective authentication.
You can set up a forest trust but selectively enable access to each
domain within the forest. If your goal is to empower users to share
most resources between forests, but you need to protect some sensitive
data, use selective authentication to turn off access to those sensitive
domains. And that's not all. Selective authentication is also available
for external trusts. You can limit access to each and every server
in the trusting Windows Server 2003 domain.
Tip 3. Get Well Trained Before You Do Anything Else.
To build survivable networks for a hostile world, you must examine
every aspect of your computing environment. Join me for my 2-day
Windows Security Academy workshop at the MCP Magazine's TechMentor
Conference, September 2-6, in San Diego. Security isn't just about
what choices to make during installation or how to implement features
to patch your systems. You must develop a holistic approach to get
your Windows 2000 and Windows Server 2003 network secure and keep
it that way. This workshop will delve into all of the areas necessary
to do so.
-- Roberta Bragg
Founder, Have Computer Will Travel, Inc.
"Security Advisor" and "Security Watch" columnist for Microsoft
Certified Professional Magazine
Trainer, MCP Magazine's TechMentor Conference & Expo