
Enterprise Server Farm (ESF)

Active Directory [for Windows Server 2003]
Rules of Engagement

Application Management Team


Version 1.6
March 4, 2011

SECURITY WARNING
The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be
disclosed to unauthorized personnel. The recipient of this document, by its retention and use, agrees to
protect the information contained herein. Readers are advised that this document may be subject to the
terms of a non-disclosure agreement.
DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM
THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.

COMMONWEALTH OF PENNSYLVANIA

ENTERPRISE SERVER FARM

Version History

Date        Version  Modified By / Approved By  Section(s)  Comment
4/03/2007   1.0      K. Will                    All         Initial draft
5/24/2007            S. Sharma                              Incorporated S. Sharma comments: Replace Windows 2000 references with Windows 2003; move Total Cost of Ownership reference, add Maintenance and Backup sections
10/19/2007  1.1      C. Reber                   All         Updated format to new template design. Updated URLs.
02/25/2008  1.2      S. White                   1.2         Updates to flow in 1.2 per S. White.
11/14/2008  1.3      C Reber                    Cover Page  Insert new OA logo on cover page
03/17/2009  1.4      C Reber                    All         Update URLs
07/15/2009  1.5      C Reber                    1.1         Update ECSA to reflect new CA2 designation. Update URLs for the deployment process.
03/04/2011  1.6      C Reber                    3.6         Remove references to MOM
4.01/2009            C. Reber

ESF ACTIVE DIRECTORY RULES OF ENGAGEMENT

PAGE 2 OF 27


Table of Contents

1 ESF OVERVIEW & ESF INFRASTRUCTURE.............................................................................5
1.1 ESF OVERVIEW................................................................................................................................5
1.1.1 ESF Engagement Process......................................................................................................5
1.1.2 ESF Deployment Process.......................................................................................................5
1.1.3 Commonwealth Application Certification and Accreditation (CA 2).......................................5
1.2 ESF INFRASTRUCTURE.....................................................................................................................6
1.2.1 External DMZ Security Zone.................................................................................................6
1.2.2 Internal Services Security Zone.............................................................................................6
1.2.3 Internal DMZ Security Zone..................................................................................................6
2 ACTIVE DIRECTORY IMPLEMENTATION................................................................................7
2.1 PURPOSE / OVERVIEW......................................................................................................................7
2.1.1 Benefits..................................................................................................................................7
2.2 ASSUMPTIONS..................................................................................................................................7
2.3 SCHEMATIC DIAGRAM / DIAGRAM DESCRIPTION DETAILS.............................................................8
2.3.1 ESF LAN (Extranet)...............................................................................................................8
2.3.2 Internet Access.......................................................................................................................9
2.3.3 Business Logic Layer (BLL)...................................................................................................9
2.4 PREREQUISITES..............................................................................................................................10
2.5 IMPLEMENTATION DETAILS............................................................................................................11
2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams................................11
2.5.2 Location and Role of Domain Controllers...........................................................................11
2.5.3 APPS Domain......................................................................................................................12
2.5.4 USER Domain and MUSER Domain...................................................................................12
3 ACTIVE DIRECTORY RULES OF ENGAGEMENT.................................................................14
3.1 RULES OF ENGAGEMENT OVERVIEW.............................................................................................14
3.2 NAMING CONVENTIONS.................................................................................................................14
3.2.1 Server Names.......................................................................................................................14
3.2.2 Service Accounts..................................................................................................................14
3.2.3 User Accounts......................................................................................................................15
3.3 SERVICES........................................................................................................................................15
3.3.1 Applications Residing in Managed Services........................................................................15
3.3.2 Applications Residing in ESF Co-Location..........................................................................15
3.3.3 Applications Residing in Agency Location...........................................................................16
3.4 ESF GROUP POLICY OBJECTS (GPOS)..........................................................................................18
3.5 ROLES AND RESPONSIBILITIES.......................................................................................................21
3.6 MONITORING..................................................................................................................................22
3.7 SECURITY.......................................................................................................................................22
3.7.1 Windows 2003 Authentication Architecture.........................................................................22
3.7.2 Windows Methods of Authentication....................................................................................23
3.7.3 Certificate Authentication....................................................................................................23
3.7.4 Forms Authentication..........................................................................................................23
3.7.5 Recommended Authentication Methods...............................................................................23
3.7.6 Application Security.............................................................................................................24
3.8 BACKUP AND RECOVERY...............................................................................................................24
3.9 CHANGE MANAGEMENT................................................................................................................24
3.10 MAINTENANCE...........................................................................................................................24
4 ACTIVE DIRECTORY AND APPLICATION DEVELOPMENT RESOURCES......................25
4.1 ACTIVE DIRECTORY RESOURCES...................................................................................................25
4.2 APPLICATION DEVELOPMENT RESOURCES.....................................................................................26
5 APPENDIX A SCHEMA MANAGEMENT PROCESS.............................................................27

1 ESF Overview & ESF Infrastructure


This section contains standard information that is included in all ROE documents.

1.1 ESF OVERVIEW

The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides Hosting Services for
Agency Web-Based and Agency Specific applications. Its mission is to maintain a high level of security,
availability, reliability, and management of the Commonwealth of Pennsylvania's mission critical web
applications.
Refer to Enterprise Server Farm for a full description of the ESF and all hosting and service offerings.

1.1.1 ESF Engagement Process

If your agency is considering deploying applications in the ESF, examine the ESF web site to understand
the ESF Services Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between
agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to
ensure consistent communication on simple or complex projects.
Refer to ESF Getting Started for an overview of the benefits, services, and options for hosting your
application at the CTC ESF.
Refer to ESF Services Coordinator to identify your agency Service Coordinator.

1.1.2 ESF Deployment Process

The ESF follows a well-defined deployment process for all application deployments. Application
development is performed at the agency or contractor location while the ESF houses both a staging and a
production environment, which are mirror images of each other. This structured deployment and testing
process ensures a stable application in production. Prior to entering the ESF, every new application is
required to undergo a security assessment.
Refer to Deploying in Managed Services to review MS deployment process documents.
Refer to Deploying in Managed Services Lite to review MSL deployment process documents.

1.1.3 Commonwealth Application Certification and Accreditation (CA2)

Refer to Commonwealth Policy ITB-SEC005 regarding "Commonwealth Application Certification and
Accreditation".
Click https://www.sqca.state.pa.us to initiate the Commonwealth Application Certification and
Accreditation (CA2) Process.

1.2 ESF INFRASTRUCTURE

The ESF Web Farm architecture is segmented into security zones that are isolated from each other by
firewalls. The ESF Network contains the External DMZ security zone, the Internal Services security zone,
and the Internal DMZ security zone. These three primary networks are connected to one another either
physically or logically.

1.2.1 External DMZ Security Zone

The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise
DMZ. ESF-managed web servers (such as Managed Services) and Agency-managed servers (such as
Co-Location servers) both exist in the External DMZ Security zone. Managed Services and Co-Location
servers are on separate subnets secured by either firewalls or Access Control Lists (ACLs).

1.2.2 Internal Services Security Zone

The Internal Services security zone contains Managed Services database servers and other application
servers from which dynamic content is obtained by web servers.

1.2.3 Internal DMZ Security Zone

The Internal DMZ security zone contains the Managed Web and application servers that need to be
accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security Zone also
contains internal Co-Location databases and web and application servers that are isolated from the
Managed Services servers.
When ESF Domain Controllers intercommunicate in a security zone, all communications use standard
RPC and do not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller
communications between security zones only use IPSEC with Authentication Headers (AH).
Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server
Farm does not require IPSEC. However, IPSEC is required for all communications between entities
outside the Managed Services and ESF AD components.

2 Active Directory Implementation


2.1 PURPOSE / OVERVIEW

The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) uses the Windows Server 2003
Active Directory (AD) and server infrastructure to separate the Commonwealth's enterprise AD forest
applications from those applications that can be accessed internally and externally. The Applications
Management Team (AMT) manages the ESF Active Directory environment.

2.1.1 Benefits

Based on a study conducted by Gartner, the Total Cost of Ownership for the ESF AD is a fraction of an
in-agency Active Directory solution that includes hardware, software, operations, and facilities.
Your agency gains these benefits when you use ESF AD:
- OA provides a secure location to host the Active Directory and dependent functions (such as DNS).
- The application can use existing authentication and authorization data from either the APPS domain
  (ESF) or the internal PA.LCL domain (CWOPA), which provides the agency's internal users with
  single sign-on to its application.
- Windows 2003 Active Directory schema changes to accommodate applications can be made in the
  ESF AD forest, the PA.LCL forest, or both at the discretion of the Architectural Standards
  Committee and Schema Management Board. See Appendix A Schema Management Process for details.
- Internal IT staff is freed up to work on agency strategic initiatives.
- AMT will provide 24x7 monitoring, management, and support to provide increased reliability,
  availability, scalability, and security as well as improve application authentication through ESF
  Active Directory.
- ESF Active Directory is highly available with built-in redundancy, disaster recovery, and multiple
  locations for access.
- ESF has the knowledge and expertise to maintain and manage Active Directory and is fully
  engaged with Unisys and Microsoft to diagnose, troubleshoot, and resolve any issues or problems.

2.2 ASSUMPTIONS

This document assumes that the reader has a basic understanding of AD concepts including:
- Forests
- Domains
- Organization Units (OUs)
- Objects
- Schema
- DNS
- AD Management Principles
Note: Appendix B Active Directory and Application Development Resources contains references that
discuss each of these assumptions in depth.

2.3 SCHEMATIC DIAGRAM / DIAGRAM DESCRIPTION DETAILS

The network architecture is the key component of the functionality and security of the ESF LAN
(Extranet).
This diagram shows how ESF network deployment relates to Active Directory. Three primary networks
within the deployment are either logically or physically connected to one another to make up the ESF
network:
- ESF LAN (Extranet)
- Internet Access
- Business Logic Layer (BLL)

2.3.1 ESF LAN (Extranet)

The Extranet resides in the CTC Internet Zone (Demilitarized Zone or DMZ) and contains Internet
Information Services (IIS), domain controllers, and other AD infrastructure such as DNS and WINS.
Through router security permissions or the Access Control Lists (ACLs) on the router/firewall between
CWOPA and the Extranet, all traffic that originates from CWOPA is allowed into the Extranet. If a
resource on CWOPA is pushing data to a server on the Extranet, all communication is allowed.
In reverse, all traffic originating from the Extranet is blocked going back to CWOPA. If a batch job
attempts to run a process from an Extranet machine that initiates communication back into CWOPA, the
traffic is blocked by the ACLs on the router between CWOPA and the Extranet. Data on CWOPA servers
is either pushed to the Extranet from the CWOPA resource or the CWOPA resource must reside in the
Extranet. Within the Extranet, all servers are homed to the same network and are allowed to communicate
with one another assuming appropriate rights between resources.

The servers located in the Extranet communicate back to CWOPA through Internet Protocol Security
(IPSec). This table shows the approved ports and associated functions for Active Directory
communication that is allowed to traverse from the Extranet to internal Active Directory servers:
Ports and Protocols Accessible from DMZ to CWOPA Internal Network

Protocol  Description
50        Encapsulating Security Protocol (ESP) for IPSEC
51        Authentication Header (AH) for IPSEC

Port  Type         Description
53    TCP and UDP  DNS name resolution and zone transfers
88    TCP and UDP  Kerberos
389   TCP and UDP  LDAP
500   UDP          ISAKMP for IPSEC

2.3.2 Internet Access

The external firewall (Internet-facing) manages traffic between the Internet and the Extranet. Clients
accessing web sites in the Extranet are allowed to connect via the Internet once the proper credentials are
supplied to the Active Directory.

Ports Accessible from Internet to Extranet (DMZ) Network

Port       Type         Description
20 and 21  TCP and UDP  FTP
25         TCP and UDP  SMTP (outbound only)
80         TCP and UDP  http
443        UDP          SSL

2.3.3 Business Logic Layer (BLL)

The current design of the ESF DMZ allows only Internet services such as http, https, and other basic
services like FTP and SMTP through the Internet-facing side of the DMZ. All management and database
access to co-located servers is via an intranet-only routable back-end address through the Business Logic
Layer (BLL).
BLL ensures that agency traffic including management traffic such as FTP, web administration, backups,
terminal services, or other remote management software and back-end data traffic such as database traffic
between the co-located server and the agency have a secure, higher-speed path that is not available from
the Internet.
To facilitate this design, a network card is added to every co-located server and configured with an
intranet routable address. The default gateway is left blank for this interface, and persistent routes are
added for each agency server or management station that needs BLL access.
BLL security advantages are:
- Only http, https, FTP, and SMTP access are allowed from the Internet
- Separate paths exist for public and agency data
- BLL cannot be reached directly from the Internet

BLL performance advantages are:
- Separate NICs and ingress/egress paths for front and back end access provide more aggregate
  bandwidth via less congested facilities
- Fewer hops and higher speed links between web farm Co-Location area and the agencies
Because persistent routes need to be added to allow proper routing to agency systems across the BLL,
front-end access from these same systems can be problematic. Traffic that is sent to the front-end from
such a host may be routed back across the BLL, and the return traffic is sourced from the BLL address
rather than the co-located server's front-end address. When this traffic reaches the agency host
originating the traffic, it is dropped as invalid.
To improve security, ESF operating policy states that front-end access to a co-located server is not
supported for any system that accesses that same server via the BLL. However, we understand that in
some cases agencies may not be able to discontinue such front-end access from management stations or
servers.
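As an added example (not part of the ESF document), the following Python script turns the direction rules of section 2.3.1 (traffic originating from CWOPA is allowed into the Extranet; Extranet-originated traffic back to CWOPA is blocked unless it is in the AD/IPSEC table) and the two port tables of 2.3.1 and 2.3.2 into a checker that runs over firewall log lines and reports accepted flows the policy does not permit, as well as denied flows it does. The log line format, the zone names and the sample lines are constructed for the example; the allow-lists are transcribed from the tables as printed above, including the 443/UDP row.

```python
import re

# Allow-lists transcribed from the port tables in section 2.3 of the document.
# Keys are (destination port, transport). The 443 entry is UDP because the
# printed table lists it that way; HTTPS actually runs over TCP, so confirm the
# live ACL before relying on this row.
EXTRANET_TO_CWOPA_IP_PROTOCOLS = {50: "ESP for IPSEC", 51: "AH for IPSEC"}
EXTRANET_TO_CWOPA_PORTS = {
    (53, "tcp"): "DNS", (53, "udp"): "DNS",
    (88, "tcp"): "Kerberos", (88, "udp"): "Kerberos",
    (389, "tcp"): "LDAP", (389, "udp"): "LDAP",
    (500, "udp"): "ISAKMP for IPSEC",
}
INTERNET_TO_EXTRANET_PORTS = {
    (20, "tcp"): "FTP", (20, "udp"): "FTP", (21, "tcp"): "FTP", (21, "udp"): "FTP",
    (25, "tcp"): "SMTP (outbound only)", (25, "udp"): "SMTP (outbound only)",
    (80, "tcp"): "http", (80, "udp"): "http",
    (443, "udp"): "SSL",
}

# Constructed log line format for this example; real firewalls use their own syntax.
LINE_RE = re.compile(
    r"src=(?P<src>\w+)\s+dst=(?P<dst>\w+)\s+proto=(?P<proto>\w+)"
    r"(?:\s+dport=(?P<dport>\d+))?\s+action=(?P<action>\w+)"
)


def parse_line(line):
    """Return (src_zone, dst_zone, proto, dport, action).

    proto is 'tcp'/'udp', or an integer IP protocol number (50 = ESP, 51 = AH)
    for flows that carry no port.
    """
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    proto = m["proto"].lower()
    if proto.isdigit():
        proto = int(proto)
    dport = int(m["dport"]) if m["dport"] else None
    return m["src"].lower(), m["dst"].lower(), proto, dport, m["action"].lower()


def policy_allows(src, dst, proto, dport):
    """Apply section 2.3: returns (allowed, reason)."""
    if src == "cwopa" and dst == "extranet":
        # All traffic that originates from CWOPA is allowed into the Extranet.
        return True, "CWOPA-originated traffic into the Extranet is allowed"
    if src == "extranet" and dst == "cwopa":
        # Extranet-originated traffic is blocked except the listed AD/IPSEC entries.
        if proto in ("tcp", "udp"):
            name = EXTRANET_TO_CWOPA_PORTS.get((dport, proto))
        else:
            name = EXTRANET_TO_CWOPA_IP_PROTOCOLS.get(proto)
        if name:
            return True, f"Extranet to CWOPA: {name}"
        return False, "Extranet-originated traffic to CWOPA is blocked unless listed"
    if src == "internet" and dst == "extranet":
        name = None
        if proto in ("tcp", "udp"):
            name = INTERNET_TO_EXTRANET_PORTS.get((dport, proto))
        if name:
            return True, f"Internet to Extranet: {name}"
        return False, "not in the Internet-to-Extranet allow list"
    return False, f"no permitted path from {src} to {dst}"


def audit(lines):
    """Return (line number, finding, reason) wherever the logged action disagrees with policy."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        src, dst, proto, dport, action = parse_line(line)
        allowed, reason = policy_allows(src, dst, proto, dport)
        if action == "accept" and not allowed:
            findings.append((n, "ACCEPTED_BUT_NOT_PERMITTED", reason))
        elif action == "deny" and allowed:
            findings.append((n, "DENIED_BUT_PERMITTED", reason))
    return findings


# Constructed sample log for the example.
SAMPLE_LOG = """\
src=extranet dst=cwopa proto=tcp dport=389 action=accept
src=extranet dst=cwopa proto=tcp dport=445 action=accept
src=extranet dst=cwopa proto=50 action=accept
src=cwopa dst=extranet proto=tcp dport=3389 action=accept
src=internet dst=extranet proto=tcp dport=80 action=accept
src=internet dst=extranet proto=tcp dport=389 action=accept
src=internet dst=cwopa proto=tcp dport=80 action=deny
src=cwopa dst=extranet proto=tcp dport=1433 action=deny
"""

if __name__ == "__main__":
    for n, kind, reason in audit(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {kind} ({reason})")
```

Run against the sample, the script flags three lines: an Extranet-to-CWOPA connection on a port not in the AD/IPSEC table, an LDAP connection accepted from the Internet, and a CWOPA-originated connection that the firewall denied although the policy allows it. Because the tables are kept as data, a change to the approved ACL is a one-line edit; note again that 443 appears only as UDP because that is how the table is printed.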

2.4 PREREQUISITES

Applications must meet these requirements to use ESF AD in the ESF:
- The application must be integrated to run on the Windows 2003 Server family of operating
  systems and must be able to use integrated security (Active Directory Authentication).
- AMT has full administrative access over the Active Directory Forest.
- The ESF Forest trusts the CWOPA (PA.LCL) domain. This trust facilitates the Single Sign-On
  security model whereby user accounts in CWOPA can be used to grant access to the applications
  in the ESF.
- If you have a non-Windows based application or other situation not identified in this document
  that requires Active Directory or any directory service, engage the Architectural Standards
  Committee at ascmembers@state.pa.us to discuss business requirements, architecture, and
  possible solutions. See Appendix A Schema Management Process for details.

2.5 IMPLEMENTATION DETAILS

2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams

ESF implemented a single forest/multiple domain model for Active Directory. An empty root called
ROOT.STATE.PA.US resides within the forest. This domain houses the Enterprise Admins role, Schema
Admins role, and forest-wide FSMO roles. Applications reside in APPS.STATE.PA.US and user accounts
are divided among two domains: USER.APPS.STATE.PA (USER) and MUSER.APPS.STATE.PA.US
(MUSER).
USER houses non-managed users or self-registered users similar to a typical portal user with customized
content like PA PowerPort. USER domain security is commensurate with requirements for Internet
applications. MUSER houses managed users, constituents, and vendors that must access line-of-business
applications or other applications where authorization and security are critical. The sponsoring agency
performs user, group, and authorization management similar to the way CWOPA is managed.
This diagram shows a high-level view of the CWOPA and ESF Active Directory namespace as defined in
the functional specification.

2.5.2 Location and Role of Domain Controllers

Click this link to get the most up-to-date information about the domain controllers within this
environment: http://www.oaesf.state.pa.us/sites/esf/Services


ESF Active Directory Organization Units (OUs)


This diagram shows the Organization Units (OUs) for the ESF Active Directory namespace as defined in
the functional specification. Applications reside in APPS.STATE.PA.US (APPS) and user accounts reside
in USER.APPS.STATE.PA (USER) and MUSER.APPS.STATE.PA.US (MUSER).

2.5.3 APPS Domain

AMT controls and manages the APPS domain and defines and maintains all levels of OU structure. AMT
recommendations for OUs in the APPS domain are:
- OU depth should not exceed four levels
- The top level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the servers OU and service accounts OU
- Lower level OU recommendations are: 6 characters maximum length; optional if it applies to the
  agency's IT administration model
- Groups may be placed in all OUs starting from the Agency OU
OUs are locked down by default with changes initiated through the initial deployment process or a service
request (Remedy ticket). Currently, delegated permissions over OUs within the APPS domain are not
supported. Machine accounts are ONLY created by AMT through the initial deployment process or a
service request.
Delegated permission to the APPS domain is restricted to maintain stability and security for all agencies
and applications. ESF personnel handle all change requests including, but not limited to, server
creation/deletion, service account setup, and group policy placement. (GPO creation and management are
discussed in depth in a later section.)

2.5.4 USER Domain and MUSER Domain

All self-registered users are housed in the PALogin OU for the USER domain. AMT defines and
maintains the top three levels of the MUSER OU structure.
AMT recommendations for OUs in the MUSER domain are:
- OU depth should not exceed four levels
- The top level OU is the Agency OU and consists of the agency's 2-digit code
- The second level consists of the application name and user container
- AMT creates OUs below the application name but the agency administers them
- Lower level OU recommendations are: 6 characters maximum length if it applies to the agency's IT
  administration model
- Groups may be placed in all OUs starting from the Agency OU


AMT gives agencies delegated permissions over their OUs. An agency can administer only that portion of
the directory that pertains to them (their own OU). Since the MUSER.APPS.STATE.PA.US domain
enforces tighter security policies, ESF Tools is the only supported means of maintaining user accounts in
the MUSER domain. Submit a request for ESF personnel to configure ESF Tools access for the agency
application.
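As an added example (not from the ESF document), the following Python validator applies the OU recommendations of sections 2.5.3 and 2.5.4 above to a distinguished name: at most four OU levels, a two-character agency code at the top level, and names of at most six characters for the lower-level OUs, within the APPS or MUSER domain. The DN parsing is deliberately simple (escaped commas are not handled), and the sample DNs and OU names are invented for the example rather than taken from the ESF directory.

```python
# Limits from sections 2.5.3 and 2.5.4 of the document.
MAX_OU_DEPTH = 4
MAX_LOWER_OU_NAME = 6
AGENCY_CODE_LENGTH = 2

# Domain suffixes as written in section 2.5.1. The USER domain is left out
# because the document describes only its PALogin OU, not a layout to check.
KNOWN_DOMAINS = {
    "dc=apps,dc=state,dc=pa,dc=us": "APPS",
    "dc=muser,dc=apps,dc=state,dc=pa,dc=us": "MUSER",
}


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    Simplification for the example: escaped commas inside values are not handled.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def validate_ou_dn(dn):
    """Return the list of recommendation violations for an OU DN (empty when compliant)."""
    pairs = split_dn(dn)
    domain = ",".join(f"{a}={v.lower()}" for a, v in pairs if a == "dc")
    ous = [v for a, v in pairs if a == "ou"][::-1]  # top-level (agency) OU first
    if domain not in KNOWN_DOMAINS:
        return [f"domain {domain!r} is not APPS or MUSER"]
    if not ous:
        return ["no OU component in DN"]
    problems = []
    if len(ous) > MAX_OU_DEPTH:
        problems.append(f"OU depth {len(ous)} exceeds {MAX_OU_DEPTH} levels")
    if len(ous[0]) != AGENCY_CODE_LENGTH:
        problems.append(f"top-level OU {ous[0]!r} is not a 2-character agency code")
    # The 6-character limit applies to the lower levels (third and below);
    # the second level is the servers/service accounts OU or the application name.
    for level, name in enumerate(ous[2:], start=3):
        if len(name) > MAX_LOWER_OU_NAME:
            problems.append(f"level {level} OU {name!r} exceeds {MAX_LOWER_OU_NAME} characters")
    return problems


# Constructed DNs for the example (invented OU names, not ESF's).
SAMPLE_DNS = [
    "OU=WEB01,OU=Servers,OU=EN,DC=APPS,DC=STATE,DC=PA,DC=US",
    "OU=Accounting,OU=Users,OU=Payroll,OU=12,DC=MUSER,DC=APPS,DC=STATE,DC=PA,DC=US",
    "OU=a,OU=b,OU=c,OU=d,OU=Agency,DC=APPS,DC=STATE,DC=PA,DC=US",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(dn, "->", validate_ou_dn(dn) or "OK")
```

The checker reports every violation rather than stopping at the first, so a proposed OU tree can be reviewed in one pass before a service request is submitted.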
Within the MUSER.APPS.STATE.PA.US domain:
- Agency Administrators can create, delete, or modify user and group objects and apply OU group
  policies to users. The agency provides the policy and ESF provides installation assistance.
- Authorized MUSER OUAdmins can use the ESF Tools website: https://www.esftools.state.pa.us/
  to create, modify, and delete users within the agency's OUs; create Commonwealth employee
  accounts and vendor accounts; reset passwords; and unlock accounts. However, the ESF Tools
  cannot change incorrectly-entered employee IDs.
- OUAdmins can also use the Active Directory Users and Computers Management Console Snap-in
  to perform various tasks.
OUAdmins can perform these roles with the ESF Tool and Active Directory Users and Computers
Management Console Snap-in:

Role                                                                   ESF Tool  AD Users and Computers
Delegate OU-App-OUADMIN membership
Enable/disable an account                                              X         X
Create/delete/modify groups                                            X         X
Create/delete/modify users
Modify all properties of a user (reset password, group memberships,
and all other properties) except Employee ID, SamAccountName, and
FullName (CN)

3 Active Directory Rules of Engagement


3.1 RULES OF ENGAGEMENT OVERVIEW

This section discusses ESF Standards and aspects of services provided for the Active Directory.

3.2 NAMING CONVENTIONS

Naming conventions provide a standard approach to naming different objects within Active Directory and
help to troubleshoot and locate objects. All objects also need a detailed description of use. A description
field is available for all User, InetOrgPerson, Computer, Group, OU and Container objects within Active
Directory. Naming conventions are as follows:
3.2.1 Server Names

When a server name is based on location, browsing or searching by the first part of the server name
returns all servers from all agencies (for example, searching on HBG returns all HBG servers from all
agencies). Since multiple agencies exist in the same location, use the two-digit agency code at the front
of the server name to locate an agency's servers, rather than the location name.
As all new servers are built, the recommended naming standard is AALLLFFEXXX, where:
- AA = Agency code
- LLL = Location code; for example: CTC = Commonwealth Technology Center, WLO = Willow Oaks,
  CAM = Cameron Street
- FF = Function code; for example: BT = BizTalk, EX = Exchange Server, IS = Web Server, SQ =
  SQL Server, AP = Application
- E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production,
  R = Disaster Recovery
- XXX = Unique number that increments based on use
The recommended cluster naming standard is Server name\SC(E)(XXX), where:
- SC = Server Cluster
- E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production,
  R = Disaster Recovery
- XXX = Unique number; for example: 001 (should be the same as the server's name)
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.

3.2.2 Service Accounts

As an agency has more applications hosted in the Applications AD, more service accounts must be used
for applications. The recommended naming standard is AASRVFFEXXX, where:
- AA = Agency code
- SRV = Service account; for example: CTC = Commonwealth Technology Center, WLO = Willow
  Oaks, CAM = Cameron Street
- FF = Function code; for example: BT = BizTalk, EX = Exchange Server, IS = Web Server, SQ =
  SQL Server, AP = Application
- E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production
- XXX = Unique number that increments based on use
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.
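As an added example (not from the ESF document), the following Python code decodes and checks names against the server (AALLLFFEXXX), cluster (Server name\SC(E)(XXX)) and service account (AASRVFFEXXX) standards of sections 3.2.1 and 3.2.2. The code tables are the "for example" lists given above, so a code outside them is reported rather than rejected; the environment set for service accounts omits R because the service account standard does not list it. The sample names are constructed and do not refer to real ESF hosts.

```python
import re

# Code tables as listed in sections 3.2.1 and 3.2.2 (the document gives them
# as examples, so an unknown code is reported, not rejected).
LOCATION_CODES = {"CTC": "Commonwealth Technology Center", "WLO": "Willow Oaks",
                  "CAM": "Cameron Street"}
FUNCTION_CODES = {"BT": "BizTalk", "EX": "Exchange Server", "IS": "Web Server",
                  "SQ": "SQL Server", "AP": "Application"}
SERVER_ENVIRONMENTS = {"T": "Test lab", "S": "Staging", "D": "Development",
                       "P": "Production", "R": "Disaster Recovery"}
# The service-account standard lists no R (Disaster Recovery) environment.
SERVICE_ENVIRONMENTS = {k: v for k, v in SERVER_ENVIRONMENTS.items() if k != "R"}
ESF_MANAGED_AGENCY = "EN"  # predefined code for ESF-hosted and -managed applications

SERVER_RE = re.compile(r"^(?P<agency>[A-Z0-9]{2})(?P<location>[A-Z]{3})"
                       r"(?P<function>[A-Z]{2})(?P<env>[A-Z])(?P<seq>\d{3})$")
SERVICE_RE = re.compile(r"^(?P<agency>[A-Z0-9]{2})SRV(?P<function>[A-Z]{2})"
                        r"(?P<env>[A-Z])(?P<seq>\d{3})$")
CLUSTER_RE = re.compile(r"^SC(?P<env>[A-Z])(?P<seq>\d{3})$")


def _decode(m, environments, kind):
    """Fields shared by server and service account names."""
    env = m["env"]
    if env not in environments:
        raise ValueError(f"{m.string!r}: unknown environment code {env!r} for a {kind}")
    info = {
        "agency": m["agency"],
        "esf_managed": m["agency"] == ESF_MANAGED_AGENCY,
        "function": FUNCTION_CODES.get(m["function"]),
        "environment": environments[env],
        "sequence": int(m["seq"]),
        "unknown_codes": [],
    }
    if info["function"] is None:
        info["unknown_codes"].append(m["function"])
    return info


def parse_server_name(name):
    """Decode AALLLFFEXXX; raises ValueError if the shape or environment is wrong."""
    m = SERVER_RE.match(name.upper())
    if m is None:
        raise ValueError(f"{name!r} does not follow AALLLFFEXXX")
    info = _decode(m, SERVER_ENVIRONMENTS, "server")
    info["location"] = LOCATION_CODES.get(m["location"])
    if info["location"] is None:
        info["unknown_codes"].append(m["location"])
    return info


def parse_service_account(name):
    """Decode AASRVFFEXXX (the literal SRV marks a service account)."""
    m = SERVICE_RE.match(name.upper())
    if m is None:
        raise ValueError(f"{name!r} does not follow AASRVFFEXXX")
    return _decode(m, SERVICE_ENVIRONMENTS, "service account")


def check_cluster_name(cluster):
    """Validate 'ServerName\\SCEXXX': environment and number must match the host server."""
    host, sep, tail = cluster.partition("\\")
    m = CLUSTER_RE.match(tail.upper())
    if not sep or m is None:
        raise ValueError(f"{cluster!r} does not follow Server name\\SC(E)(XXX)")
    server = parse_server_name(host)
    problems = []
    if SERVER_ENVIRONMENTS.get(m["env"]) != server["environment"]:
        problems.append("cluster environment code differs from the server's")
    if int(m["seq"]) != server["sequence"]:
        problems.append("cluster number differs from the server's")
    return problems


if __name__ == "__main__":
    # Constructed sample names.
    print(parse_server_name("ENCTCISP001"))
    print(parse_service_account("ENSRVSQS003"))
    print(check_cluster_name("ENCTCSQP002\\SCS002"))
```

Decoding the name into its fields is what makes the standard useful operationally: an inventory script can group hosts by agency, environment and function without a separate asset list, and a cluster name whose environment or number disagrees with its host server is caught before it is created.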
3.2.3 User Accounts

The Enterprise Server team performs an initial bulk creation of user accounts based on an Excel
spreadsheet that the agency provides. Follow this naming standard for these accounts:
A user name has three parts: a first name, a last name, and a middle initial. Use these parts to construct a
user account name where the variables are FirstName, LastName and MiddleName and %n represents an
integer number of characters of the variable from the left. For example, %5Godzilla is equal to Godzi. If a
particular user account name already exists, follow this list until a unique user name is found:
1 - %1FirstName%9LastName
2 - %2FirstName%8LastName
10 - %1FirstName%1MiddleName%8LastName
11 - %2FirstName%1MiddleName%7LastName
18 - %1LastName%9FirstName
19 - %2LastName%8FirstName
27 - %1MiddleName%1FirstName%8LastName
28 - %1MiddleName%2FirstName%7LastName
35 - %1FirstName%8LastName%1MiddleName
36 - %2FirstName%7LastName%1MiddleName
43 - %1MiddleName%8LastName%1FirstName
44 - %1MiddleName%7LastName%2FirstName
If you exhaust all these options, use numbers from 01 to 99 as suffixes to these options in order based on
availability. User names should not exceed 12 characters (10 characters without numerals).
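As an added example (not from the ESF document), the following Python code implements the user name procedure above: the %n substitution, the candidate list walked in the order printed, the 01-99 suffixes once the list is exhausted, and the 12-character limit (10 without numerals). Only the twelve patterns shown in the document are encoded; the entries the document skips in its numbering are not reconstructed. Uniqueness is compared case-insensitively because sAMAccountName matching in Active Directory is case-insensitive, and a missing middle name makes several patterns collapse to the same string, so duplicates are removed before the walk. The names used in the usage are constructed.

```python
import re

# The candidate list exactly as printed in section 3.2.3. The document numbers
# the entries 1, 2, 10, 11, ... and shows only these twelve; the omitted
# numbers are not reconstructed here.
PATTERNS = [
    (1, "%1FirstName%9LastName"),
    (2, "%2FirstName%8LastName"),
    (10, "%1FirstName%1MiddleName%8LastName"),
    (11, "%2FirstName%1MiddleName%7LastName"),
    (18, "%1LastName%9FirstName"),
    (19, "%2LastName%8FirstName"),
    (27, "%1MiddleName%1FirstName%8LastName"),
    (28, "%1MiddleName%2FirstName%7LastName"),
    (35, "%1FirstName%8LastName%1MiddleName"),
    (36, "%2FirstName%7LastName%1MiddleName"),
    (43, "%1MiddleName%8LastName%1FirstName"),
    (44, "%1MiddleName%7LastName%2FirstName"),
]
MAX_WITHOUT_NUMERALS = 10
MAX_WITH_NUMERALS = 12

TOKEN_RE = re.compile(r"%(\d+)(FirstName|MiddleName|LastName)")


def expand(pattern, first, middle, last):
    """Replace each %n<Variable> with the leftmost n characters of that name part
    (%5 applied to Godzilla gives Godzi, as in the document's example)."""
    parts = {"FirstName": first, "MiddleName": middle, "LastName": last}
    return "".join(parts[var][: int(n)] for n, var in TOKEN_RE.findall(pattern))


def candidate_names(first, middle, last):
    """All candidates in list order with duplicates removed (an empty middle
    name makes several patterns produce the same string)."""
    seen, out = set(), []
    for _, pattern in PATTERNS:
        cand = expand(pattern, first, middle, last)
        if cand.lower() not in seen:
            seen.add(cand.lower())
            out.append(cand)
    return out


def propose_user_name(first, middle, last, existing):
    """Walk the list, then the 01-99 suffixes, until a name not in `existing` is found.
    Comparison is case-insensitive, as sAMAccountName matching is."""
    taken = {e.lower() for e in existing}
    candidates = candidate_names(first, middle, last)
    for cand in candidates:
        if len(cand) <= MAX_WITHOUT_NUMERALS and cand.lower() not in taken:
            return cand
    for suffix in range(1, 100):
        for cand in candidates:
            name = f"{cand}{suffix:02d}"
            if len(name) <= MAX_WITH_NUMERALS and name.lower() not in taken:
                return name
    raise ValueError("no unique user name available for this person")


if __name__ == "__main__":
    # Constructed names and an invented set of existing accounts.
    print(candidate_names("John", "Q", "Public"))
    print(propose_user_name("John", "Q", "Public", {"JPublic", "jopublic"}))
```

Building the bulk-creation spreadsheet through this function rather than by hand keeps the naming deterministic: the same person with the same set of existing accounts always gets the same name, and the length rule cannot be overlooked.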

3.3 SERVICES

The ESF AD is a critical part of the Enterprise Architecture for single sign-on, security, and identity
management. Applications can leverage the ESF Active Directory in three scenarios: as part of Managed
Services, as a Co-Location customer, or for Active Directory benefits only. Within this section, front-end
represents all servers and services such as the web servers, portal services, and applications, and back-end
represents servers and services whose resources the front-end servers use for information or data.
The ESF AD Forest is optimized for use in an Internet Data Center or hosting environment rather than a
distributed corporate-like or CWOPA environment. The ESF AD is optimized to rapidly replicate
directory data, handle a high volume of authentication requests per second, and facilitate tightly managed
services for high reliability, availability and security. The directory is deployed in a centralized model to
optimally accommodate these requirements.
3.3.1 Applications Residing in Managed Services

Managed Services is where ESF provides complete management for either or both front-end and back-end
servers and services located in the ESF. Managed Services uses the ESF Active Directory and is the
ideal way for an agency to leverage the full enterprise infrastructure of single sign-on, identity
management, security, and directory services. All servers, users, groups, and policies are maintained in
Active Directory similar to the way that Commonwealth employee user accounts and mailboxes are
maintained in CWOPA.
3.3.2 Applications Residing in ESF Co-Location

Co-Location hosting is for agencies that want to retain full management responsibility for day-to-day hosting within a secure and conditioned environment. The CTC ESF provides a highly secure and conditioned environment with access to high-bandwidth, security-enhanced Internet connectivity.
Co-Location services also provide the benefits of Active Directory to their customers. Co-Location customers can join their servers to Active Directory to leverage single sign-on, integrated security, added server management through group policy, and complete integration with the enterprise infrastructure. Directory-enabled applications should reside in Co-Location or Managed Services for optimal directory accessibility and performance.
Certain server or service configurations, such as IPSEC, are required for all communication with the domain. Contact your AAM for details.
3.3.3 Applications Residing in Agency Location

Some agencies choose to house all of their servers in a location outside the physical and logical locale of the ESF. Agencies that need to leverage the enterprise architecture and have identified requirements to use the ESF Active Directory can leverage the ESF AD services across the network. This configuration requires careful planning and analysis to avoid unexpected problems. Agencies in this situation should contact their AAM immediately for further assistance.
Another Active Directory option for remote use of directory services is to distribute a domain controller to a remote site (decentralized domain controllers). The ESF AD is deployed and optimized for a high-volume hosting environment and therefore requires architectural changes to accommodate a distributed architecture. Accommodating this requirement involves multiple design and facility considerations that an agency may or may not be able to fulfill. Some factors that affect the decision for decentralized domain controllers are:
- ESF AD design considerations for remote placement of domain controllers, such as site topology and GC placement, replication latency, and secure network transmission
- ESF or agency access to physical remote domain controllers adds cost and risk to managing and securing the Forest
- Post-deployment management and monitoring of ESF changes to domain controllers involves added complexity and cost
- ESF must actively manage the real available bandwidth, or bandwidth guarantees, from the agency to the ESF for Active Directory operations
This list demonstrates why decentralized domain controllers are the least preferred method and not a currently supported solution. However, the ESF is committed to addressing the emerging business needs of the Commonwealth.
If your agency requires a distributed domain controller or remote use of the ESF Active Directory, contact your AAM to request a consultation. Please include the nature of your request and all relevant information.

3.4 ESF GROUP POLICY OBJECTS (GPOs)

ESF implements domain policies that include password, machine account, and user account policies. In Co-Location, the agency maintains and applies group policy at the OU level. The current ESF domain policy for MUSER.APPS.STATE.PA.US is:
Policy | Default Setting | Setting | Configuration

Password Policy
Enforce password history | | | 24 is the maximum value
Maximum password age | 42 | 60 |
Minimum password age | | |
Minimum password length | | |
Passwords must meet complexity requirements | Disabled | Enabled |
Store passwords using reversible encryption | Disabled | Disabled |

Account Lockout Policy
Account lockout duration | Disabled | Account is locked out until an Administrator unlocks it | Not applied to APPS domain
Account lockout threshold | Disabled | 5 | Accounts locked out after 5 failed attempts
Reset account lockout counter after | Disabled | 720 | Failed attempt counter reset after 12 hours

Audit Policy
Audit account logon events | No auditing | Success, Failure |
Audit account management | No auditing | Success, Failure |
Audit directory service access | No auditing | No auditing |
Audit logon events | No auditing | Success, Failure |
Audit object access | No auditing | Failure |
Audit policy change | No auditing | Success, Failure |
Audit privilege use | No auditing | Failure |
Audit process tracking | No auditing | No auditing |
Audit system events | No auditing | Failure |

Security Options
Allow system to be shut down without having to log on | | Disabled |
Restrict CD-ROM access to locally logged-on user only | | Enabled | File servers may need to share CD-ROMs
Restrict floppy access to locally logged-on user only | | Enabled |
Smart card removal behavior | No action | Force logoff |

Event Log Policy
Maximum application log size | 512 kilobytes | 5056 kilobytes |
Maximum security log size | 512 kilobytes | 10240 kilobytes |
Maximum system log size | 512 kilobytes | 5056 kilobytes |
Prevent Local Guest group from accessing application log | Disabled | Enabled |
Prevent Local Guest group from accessing security log | Disabled | Enabled |
Prevent Local Guest group from accessing system log | Disabled | Enabled |
Retain application log | Not defined | |
Retain security log | Not defined | |
Retain system log | Not defined | |
Retention method for application log | As needed | |
Retention method for security log | As needed | |
Retention method for system log | As needed | |
Event Log ACL | Not configured | Enabled | Configure the Registry so that only domain administrators can clear event logs

System Services (startup type)
Automatic: Alerter, Computer Browser, DHCP Client, Distributed File System, Distributed Link Tracking Client, Distributed Transaction Coordinator, DNS Client, Event Log, IPSEC Services, License Logging, Local Disk Manager, Messenger, Net Logon, Plug and Play, Print Spooler, Protected Storage, Remote Procedure Call (RPC), Remote Registry, Removable Storage, Secondary Logon, Security Accounts Manager, Server, Smtpsvc, System Event Notification, Task Scheduler, TCP/IP NetBIOS Helper, Windows Time, Workstation
Manual: Application Management, ClipBook, Network DDE, Network DDE DSDM, Remote Access Connection Manager, Rsvp

File System Policy (path: principal, permission)
\Winnt and all subfolders: Administrators, Full Control; SYSTEM, Full Control; CREATOR/OWNER, Full Control; Domain Users, Read
\Winnt\Repair: Administrators, Full Control
\Winnt\System32\config: Administrators, Full Control; SYSTEM, Full Control; CREATOR/OWNER, Full Control; Domain Users, List
\Winnt\System32\spool: Administrators, Full Control; SYSTEM, Full Control; CREATOR/OWNER, Full Control; Power Users (workstations only), Full Control; Domain Users, Read
<log partition>: Administrators, Full Control; SYSTEM, Full Control; CREATOR/OWNER, Full Control; Everyone, None

Control Panel
Hide Screen Saver tab | Not configured | Not configured | Users should not be able to change the screen saver
Screen saver executable name | Not configured | Not configured | 32-bit logon screen saver
Password protect the screen saver | Not configured | Not configured | Password protection needed
Screen saver timeout | Not configured | Not configured |

Terminal Services
Set time limit for disconnected sessions | Not configured | Enabled | End a disconnected session: 1 day
Set time limit for active but idle Terminal Services sessions | Not configured | Enabled | Idle session limit: 1 day
Terminate session when time limits are reached | Not configured | Enabled |
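A practitioner inheriting this baseline usually wants to confirm that the live domain still matches it. As an added example that is not part of the original document, the Python script below parses a policy export produced with `secedit /export /cfg <file>` and reports every [System Access] and [Event Audit] value that deviates from the MUSER.APPS table above. The key names are the ones secedit writes; the sample export is constructed inline (it is not a real ESF export), and the baseline rows the table leaves blank (password history count, minimum password age and length) are deliberately not checked.

```python
"""Compare a `secedit /export /cfg` dump against the MUSER.APPS baseline table above (added example)."""
from typing import Dict, List, Tuple

# secedit key names. Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
# LockoutDuration = -1 is how secedit records "locked out until an administrator unlocks it".
BASELINE: Dict[str, Dict[str, int]] = {
    "System Access": {
        "MaximumPasswordAge": 60,
        "PasswordComplexity": 1,
        "ClearTextPassword": 0,    # "store passwords using reversible encryption" disabled
        "LockoutBadCount": 5,
        "ResetLockoutCount": 720,  # minutes (12 hours)
        "LockoutDuration": -1,
    },
    "Event Audit": {
        "AuditAccountLogon": 3,
        "AuditAccountManage": 3,
        "AuditDSAccess": 0,
        "AuditLogonEvents": 3,
        "AuditObjectAccess": 2,
        "AuditPolicyChange": 3,
        "AuditPrivilegeUse": 2,
        "AuditProcessTracking": 0,
        "AuditSystemEvents": 2,
    },
}

# Constructed sample export with two deviations: no lockout threshold and
# success-only logon auditing. Values not in the baseline are arbitrary.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 720
LockoutDuration = -1
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 1
AuditObjectAccess = 2
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

Finding = Tuple[str, str, str, str]  # (section, key, actual, expected)


def parse_secedit_inf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INF parser: [Section] headers and key = value lines; ';' starts a comment."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def read_export_file(path: str) -> Dict[str, Dict[str, str]]:
    """secedit writes the export as UTF-16, so decode it that way."""
    with open(path, encoding="utf-16") as fh:
        return parse_secedit_inf(fh.read())


def check_against_baseline(export, baseline=BASELINE) -> List[Finding]:
    """Return every (section, key, actual, expected) that deviates from or is missing in the export."""
    findings: List[Finding] = []
    for section, expected in baseline.items():
        actual = export.get(section, {})
        for key, want in expected.items():
            if key not in actual:
                findings.append((section, key, "missing", str(want)))
                continue
            got = actual[key]
            if got.lstrip("-").isdigit() and int(got) == want:
                continue
            findings.append((section, key, got, str(want)))
    return findings


if __name__ == "__main__":
    for section, key, got, want in check_against_baseline(parse_secedit_inf(SAMPLE_EXPORT)):
        print(f"[{section}] {key}: found {got}, baseline {want}")
```

For the USER.APPS domain, where the table says lockout is not applied, drop the three Lockout keys from the baseline before comparing rather than treating their absence as a finding.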

3.5 ROLES AND RESPONSIBILITIES

This table outlines the administrative and management task responsibilities for ESF, the Customer, and combined AMT and Customer. AMT has completed most of its responsibilities in setting up Active Directory.

Role/Responsibility | ESF Responsibility | Customer Responsibility

Domain Management | X |
  FSMO
  Replication
  Domain Policy
  Password Policy
  Schema Management
  Group Policy (Common)

Domain Controller | X |
  Maintain operating system
  Apply service packs/security rollup packages/patches
  Apply security templates
  Disaster recovery
  Deploy/Install DC

OU Management | | X (OU only for agency in Co-Location)
  Create top level (Agency OU)
  Permissions on top level
  Create Secondary/Tertiary
  Permissions on second and third level OU
  Create group policies

User Management | |
  Create users
  Create groups
  Modify users
  Modify groups
  Delete users
  Delete groups
  Create machine accounts
  Delete machine accounts
3.6 MONITORING

Because Active Directory is a critical component of the ESF infrastructure and of the applications running in this environment, monitoring and managing Active Directory is essential to ensure the availability and performance of agency business applications.
ESF operations deliver an enterprise-class solution for operations management and monitoring of Windows servers, Windows infrastructure including Active Directory, and .NET Enterprise Servers such as SQL Server.
ESF manages critical functions to ensure that Active Directory services are operational and performing with a high degree of reliability. The Active Directory health indicators that ESF considers critical are:
- Users can log on quickly and access network resources
- Quick responses to LDAP queries
- Consistent data on all domain controllers
- Replication occurs within expected timeframes
- Quick response in correcting outages
- All role masters up and running
- Stable CPU usage on domain controllers
- Reduced WAN traffic
To monitor these critical AD functions, ESF monitoring tracks these indicators of ESF AD health:
- No errors or warnings in relevant logs such as AD, FRS, LSASS, and many more
- Replication latency
- CPU utilization
- Free space
- Disk queue length
- LDAP ping/query times
- Cache hit rates
- Role holder priorities

3.7 SECURITY
3.7.1 Windows 2003 Authentication Architecture

Windows 2003 is built upon two basic authentication types: local (or interactive) authentication and network (or non-interactive) authentication. Each authentication type has a slightly different architecture.
A local authentication occurs when a user logs on through a user interface (for example, a user initiates a workstation logon sequence such as CTRL-ALT-DEL to authenticate to a Windows 2003 machine or domain). This type of authentication is not currently implemented or supported in the ESF infrastructure. However, to accommodate an agency's unique needs, this requirement involves decisions regarding:
- VPN access from the agency to the ESF Datacenter (changes to firewall rules)
- Terminal Server access to applications that reside in the ESF for interactive use (infrastructure considerations)
A network authentication occurs when a client application calls the Security Support Provider Interface (SSPI) to establish a secure network connection. This type of authentication is supported in ESF and is the primary focus for the guidance provided in this document. Windows 2003 authentication architecture updates include:
- Kerberos, the default authentication protocol, implemented as both an Authentication Package and a Security Support Provider (SSP)
- The Negotiate package, an SSP that permits two network entities to negotiate an authentication protocol
- Authentication credentials stored in the Active Directory, which replace the NT4 SAM on domain controllers
3.7.2 Windows Methods of Authentication

Windows methods of authentication through IIS are:

Method | Description
Anonymous | All users authenticate as the IUSR_machinename account. Use only for unrestricted parts of the site.
Basic | Basic authentication requests a user name and password for verification, but the credentials are sent to the server in clear text (Base64-encoded, which is a reversible encoding, not encryption). On its own it is weak because anyone who can intercept the request can recover the credentials. Security can be increased by using the Secure Sockets Layer (SSL), which provides a protected channel for the transfer of sensitive information.
Digest | Digest authentication requests a user name and password before allowing access to the restricted areas of a site. Unlike basic authentication it does not send the password in clear text; the client sends an MD5 hash computed over the user name, realm, password, server nonce, and request. This protects the password on the wire but does not encrypt the request or response, and a captured exchange can still be attacked offline by guessing passwords, so it should also be used over SSL.
Integrated | In integrated Windows authentication the user's NT domain or Active Directory account is used for authentication (Kerberos or NTLM through the Negotiate SSP). The password is never sent over the network, which makes it well suited to intranet solutions; note that it does not encrypt the transmitted page content.
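To make the Basic and Digest rows concrete, here is an added Python example that is not part of the original document. It decodes a captured Basic header (showing that Base64 is reversible), computes the RFC 2617 Digest response for qop=auth, and then shows why Digest is only a partial protection: given a captured exchange, the same cheap hash lets an attacker test password guesses offline. The header, realm, nonce, and password are constructed values, not captured traffic.

```python
import base64
import hashlib


def decode_basic(authorization: str):
    """Recover user name and password from a captured 'Authorization: Basic ...' header."""
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 Digest 'response' value for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def crack_digest(captured: dict, candidate_passwords):
    """Offline attack on a captured Digest exchange: return the guess that reproduces 'response'."""
    for guess in candidate_passwords:
        attempt = digest_response(captured["username"], captured["realm"], guess,
                                  captured["method"], captured["uri"], captured["nonce"],
                                  captured["nc"], captured["cnonce"], captured["qop"])
        if attempt == captured["response"]:
            return guess
    return None


# Constructed sample traffic (not a real capture).
SAMPLE_BASIC_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

SAMPLE_DIGEST = {
    "username": "alice", "realm": "esf-example", "method": "GET", "uri": "/app/index.aspx",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "nc": "00000001", "cnonce": "0a4f113b", "qop": "auth",
}
SAMPLE_DIGEST["response"] = digest_response(
    "alice", "esf-example", "s3cret", "GET", "/app/index.aspx",
    SAMPLE_DIGEST["nonce"], SAMPLE_DIGEST["nc"], SAMPLE_DIGEST["cnonce"])

if __name__ == "__main__":
    print(decode_basic(SAMPLE_BASIC_HEADER))                                   # credentials in the clear
    print(crack_digest(SAMPLE_DIGEST, ["password", "welcome1", "s3cret"]))    # password recovered offline
```

The take-away for the table above is that neither scheme is safe on its own over an untrusted network: Basic exposes the password directly, Digest exposes a fast, unsalted hash of it, and both leave the request body readable. SSL (and a strong password policy) is what actually protects them.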

3.7.3 Certificate Authentication

Certificate authentication uses a certificate (and its associated private key) stored on the client's computer to verify the user's identity. The certificate is automatically presented for authentication when a restricted resource is requested. If a certificate is not present, access is granted using the guest account. Certificates can be mapped to a single NT domain or Active Directory account (many-to-one mapping), or each certificate can be mapped to a separate account (one-to-one mapping).
3.7.4 Forms Authentication

Forms authentication uses a custom web page to request a user's logon credentials for restricted areas of a web site. The logon form does not perform user verification; it is solely for collecting authentication details. Custom code validates the user's credentials against a data store for authentication. After the user has been authenticated, a token is returned. The token verifies the user for each subsequent access to a restricted part of the web site.
Use cookies or a custom mechanism, such as a unique identifier in the URL query string or in hidden form fields, to identify users after they have logged on.
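The token step is where forms authentication is usually broken: a guessable or unsigned token lets anyone impersonate a logged-on user, and a token carried in the URL query string is written to web server logs and leaks to other sites through the Referer header, so a cookie is the safer carrier. As an added example that is not part of the original document, the Python below issues and verifies a signed, expiring token of the kind the paragraph describes; the server key and user names are constructed values.

```python
import base64
import binascii
import hashlib
import hmac
import time

# Assumption: one per-application secret, kept outside the web root and rotated; constructed here.
SERVER_KEY = b"constructed-example-key-replace-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, ttl_seconds: int, key: bytes = SERVER_KEY, now=None) -> str:
    """Return 'payload.signature' where payload = username|expiry and signature = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = f"{username}|{now + ttl_seconds}".encode("utf-8")
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the username if the token is well formed, untampered and unexpired; otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    username, _, expiry = payload.decode("utf-8", errors="replace").rpartition("|")
    if not username or not expiry.isdigit() or int(expiry) <= now:
        return None
    return username


if __name__ == "__main__":
    t = issue_token("alice", ttl_seconds=3600)
    print(t)
    print(verify_token(t))  # alice
```

The validating code never trusts anything in the token except the signature it can recompute; the user name and expiry are only honoured after the HMAC check passes. In a real deployment set the cookie with the Secure and HttpOnly flags and keep the signing key out of the data store that holds the credentials.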
3.7.5 Recommended Authentication Methods

We recommend these authentication methods:

Method | Description
Intranet site | We recommend Integrated Windows authentication if the web site meets these criteria:
- All users have an NT domain or Active Directory account.
- Access is exclusively through Internet Explorer.
- No unrestricted areas exist.
Any one of the other three forms of authentication (basic, certificate, or forms) is suitable if the web site meets these criteria:
- Users are from both internal and external sources.
- Some unrestricted areas exist.
Extranet site | Suitable authentications are:
- Basic authentication
- Certificate authentication
- Forms authentication
Certificate authentication provides seamless authentication by mapping certificates to NT domain or Active Directory accounts. Certificate authentication is a very secure solution for sensitive data stored on the web site.
Use forms authentication if you do not want to create NT domain or Active Directory accounts for your external users. We also prefer forms authentication if the cost of managing certificates outweighs the added security value.
Basic authentication requests a user name and password for verification. SSL provides a secure communications channel for the transfer of sensitive information.

After a user is authenticated, verify access rights for the requested resource. If the resource is a file
system resource such as a template file, check the ACL. If the user is:
Listed in the ACL and has sufficient privileges to perform the requested function, grant access.
Not listed in the ACL or does not have sufficient access privileges, deny access to the resource.
3.7.6 Application Security

PALogin Application
External constituents must have a PALogin account to access, with single sign-on, all ESF web sites. Accounts that use PALogin to log in to state web sites are housed within the USER.APPS.STATE.PA.US domain. This domain does not enforce account restrictions such as lockout, minimum password length, or password strength. The constituent manages these accounts (for example, changing a password). These Internet user accounts do not have any access to the internal PA.LCL environment.
SQL Authentication
Use digest authentication or integrated security for the SQL service. Do not use the built-in SA account or the account database. SQL can be either shared ESF SQL or agency-owned SQL (installed in the agency location or in ESF Co-Location). For ESF shared SQL, give owners SA-type rights on their own database but not on the entire server. For agency-owned SQL, use digest authentication or integrated security with Active Directory.
Application Authentication
Use digest authentication or integrated security for applications. Do not use built-in authentication/authorization.
Terminal Services Authentication
Use certificates or integrated security for Terminal Services. Do not use digest or basic authentication.

3.8 BACKUP AND RECOVERY

ESF performs a full backup of Managed Services servers nightly, Monday through Friday, and
incremental backups on Sundays. Tapes are sent to an off-site facility weekly. The ESF also maintains a
weekly, monthly, and yearly tape archive. Daily and weekly tapes are redeployed in the rotation scheme;
yearly backups are retained for seven years.
Refer to this site for an overview of ESF Managed Services Backup and Recovery policies, procedures,
and licensing: ESF BACKUP AND RECOVERY OVERVIEW

3.9 CHANGE MANAGEMENT

Refer to ESF CHANGE MANAGEMENT PROCESS AND PROCEDURES to review standard ESF
change management processes.

3.10 MAINTENANCE
The agency specifies available maintenance windows for the ESF to perform maintenance for each
application. The ESF performs Enterprise maintenance that affects a large number of applications during
the Enterprise maintenance window.

4 Active Directory and Application Development Resources

This appendix summarizes important references to Active Directory concepts and components.

4.1 ACTIVE DIRECTORY RESOURCES

Designing and Deploying Directory and Security Services
http://technet2.microsoft.com/windowsserver/en/library/d2ff1315-1712-48e4-acdc8cae1b593eb11033.mspx?mfr=true
Best Practice Guide for Securing Windows Server Active Directory Installations
http://technet.microsoft.com/en-us/library/cc773365.aspx
Windows Server 2003 Deployment Guide
http://technet2.microsoft.com/windowsserver/en/library/c283b699-6124-4c3a-87ef865443d7ea4b1033.mspx?mfr=true
Designing a Managed Environment
http://technet2.microsoft.com/windowsserver/en/library/3ddb5bec-a454-4e9b-a6e7397ee7c4ea3a1033.mspx?mfr=true
Deploying Domain Name System (DNS)
http://technet2.microsoft.com/WindowsServer/f/?en/library/5af19b48-61b9-4acf-899d18a9031a7d081033.mspx
Windows DNS Technical Reference
http://technet2.microsoft.com/windowsserver/en/library/99cffde7-11a5-4c01-9a032405c7ead7541033.mspx?mfr=true
Integrating Active Directory into an Existing DNS Infrastructure
http://technet2.microsoft.com/WindowsServer/f/?en/library/bd38fa48-8167-4af8-ba1fde3589a43c481033.mspx
FSMO Placement and Optimization on Active Directory Domain Controllers
http://support.microsoft.com/default.aspx?scid=KB;en-us;223346
For non-Microsoft-specific DNS information, see Albitz, Paul, and Cricket Liu. DNS and BIND. Sebastopol: O'Reilly & Associates, Inc., 2001.

4.2 APPLICATION DEVELOPMENT RESOURCES

The Active Directory provides rich support for locating and working with AD objects. Review these links to documents, sites, and sample code that help with the deployment, administration, and development of applications built upon Active Directory, Active Directory Services Interface (ADSI), and Directory Services.
Active Directory Schema http://msdn2.microsoft.com/en-us/library/ms674984.aspx
ADSI http://msdn2.microsoft.com/en-us/library/aa772170.aspx
Using Active Directory Roles Sample http://msdn2.microsoft.com/en-us/library/ms741720.aspx

5 Appendix A Schema Management Process


The ESF works closely with and participates in the Architectural Standards Committee (ASC). The ASC works with agencies to understand evolving business requirements and helps to leverage, protect, and extend the existing Commonwealth infrastructure. This document describes Active Directory as it exists today in ESF. The AD product, and AD in the Commonwealth (CWOPA), is vastly more complex and encompassing.
When you think about the schema, remember:
- Schema changes are global. An entire forest has a single schema that is globally replicated. A copy of the schema exists on every domain controller in the forest. When you extend the schema, you do so for the entire forest.
- Schema additions are not reversible. When a new class or attribute is added to the schema, it cannot be removed. An existing attribute or class can be disabled but not removed. See Disabling Existing Classes and Attributes at http://msdn2.microsoft.com/en-us/library/ms675903.aspx for more information.
- Disabling a class or attribute does not affect existing instances of the class or attribute, but it prevents new instances from being created. You cannot disable an attribute if it is included in any class that is not disabled.
Because the schema is a key part of the directory that affects the entire forest, special restrictions apply to schema extensions. To reduce the possibility of schema changes by one application breaking other applications, and to maintain schema consistency, the ESF enforces restrictions on the type of schema changes that an application or user is allowed to make.
To engage the ASC, an agency works through its AAM:
- Contact your AAM (see ESF Engagement Process).
- Create an e-mail addressed to your AAM and include as much of this information as possible:
  - Problem statement
  - Business case
  - Business impact
  - Requirements
  - Diagrams and functional specifications
  - Contact information
The Commonwealth's appointed technical representative (team technical lead), Microsoft Premier Support, and other appropriate individuals pre-screen the request to ensure that the object/attribute size, numbers, and rate of change do not exceed the recommended AD maximums. In addition, the technical representative identifies any currently unused attributes that might be adapted, or any Commonwealth-developed, currently used attributes that might fulfill the need.
If approved, the requested attributes and object classes are assigned new names and object identifiers (OIDs), which are documented by a Commonwealth-appointed technical representative.
To ensure that the modifications have been correctly inserted into the Active Directory, application developers load the schema modifications into a test forest and validate them with Microsoft, the operations team, and other members of the applicable team(s).
