SECURITY WARNING
The information contained herein is proprietary to the Commonwealth of Pennsylvania and must not be
disclosed to unauthorized personnel. The recipient of this document, by its retention and use, agrees to
protect the information contained herein. Readers are advised that this document may be subject to the
terms of a non-disclosure agreement.
DO NOT DISCLOSE ANY OF THIS INFORMATION WITHOUT OBTAINING PERMISSION FROM
THE MANAGEMENT RESPONSIBLE FOR THIS DOCUMENT.
COMMONWEALTH OF PENNSYLVANIA
Version History
Date
Version
Modified By / Approved By
Section(s)
Comment
4/03/2007
1.0
K. Will
All
Initial draft
5/24/2007
S. Sharma
10/19/2007
1.1
02/25/2008
1.2
11/14/2008
1.3
03/17/2009
C. Reber
All
S. White
1.2
C Reber
Cover Page
1.4
C Reber
All
Update URLs
07/15/2009
1.5
C Reber
1.1
03/04/2011
1.6
C Reber
3.6
C. Reber
4.01/2009
PAGE 2 OF 27
1.1 ESF OVERVIEW
The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) provides Hosting Services for
Agency Web-Based and Agency Specific applications. Its mission is to maintain a high level of security,
availability, reliability, and management of the Commonwealth of Pennsylvania's mission critical web
applications.
Refer to Enterprise Server Farm for a full description of the ESF and all hosting and service offerings.
1.1.1
If your agency is considering deploying applications in the ESF, examine the ESF web site to understand
the ESF Services Portfolio, and then contact your Service Coordinator (SC). SCs are liaisons between
agencies and the ESF. They answer preliminary questions and coordinate meetings with ESF personnel to
ensure consistent communication on simple or complex projects.
Refer to ESF Getting Started for an overview of the benefits, services, and options for hosting your
application at the CTC ESF.
Refer to ESF Services Coordinator to identify your agency Service Coordinator.
1.1.2
The ESF follows a well-defined deployment process for all application deployments. Application
development is performed at the agency or contractor location while the ESF houses both a staging and a
production environment, which are mirror images of each other. This structured deployment and testing
process ensures a stable application in production. Prior to entering the ESF, every new application is
required to undergo a security assessment.
Refer to Deploying in Managed Services to review MS deployment process documents.
Refer to Deploying in Managed Services Lite to review MSL deployment process documents.
1.1.3
1.2 ESF INFRASTRUCTURE
The ESF Web Farm architecture is segmented into security zones that are isolated from each other via
firewalls. The ESF Network contains the External DMZ security zone, the Internal Services security zone,
and the Internal DMZ security zone. These three primary networks are connected to one another either
physically or logically.
1.2.1
The External DMZ security zone contains Internet-facing servers that are connected to the Enterprise
DMZ. ESF-managed web servers (such as Managed Services) and Agency-managed servers (such as
Co-Location servers) both exist in the External DMZ Security zone. Managed Services and Co-Location
servers are on separate subnets secured by either firewalls or Access Control Lists (ACLs).
1.2.2
The Internal Services security zone contains Managed Services database servers and other application
servers from which dynamic content is obtained by web servers.
1.2.3
The Internal DMZ security zone contains the Managed Web and application servers that need to be
accessible only from the Commonwealth Metropolitan Area Network (MAN). This Security Zone also
contains internal Co-Location databases and web and application servers that are isolated from the
Managed Services servers.
When ESF Domain Controllers intercommunicate in a security zone, all communications use standard
RPC and do not require IPSEC encryption or authentication. Domain Controller-to-Domain Controller
communications between security zones only use IPSEC with Authentication Headers (AH).
Other host-to-AD Component communication in the Managed Services portion of the Enterprise Server
Farm does not require IPSEC. However, IPSEC is required for all communications between entities
outside the Managed Services and ESF AD components.
ESF ACTIVE DIRECTORY RULES OF ENGAGEMENT
PURPOSE / OVERVIEW
The Commonwealth of Pennsylvania's Enterprise Server Farm (ESF) uses the Windows Server 2003
Active Directory (AD) and server infrastructure to separate the Commonwealth's enterprise AD forest
applications from those applications that can be accessed internally and externally. The Applications
Management Team (AMT) manages the ESF Active Directory environment.
2.1.1 Benefits
Based on a study conducted by Gartner, the Total Cost of Ownership for the ESF AD is a fraction of an
in-agency Active Directory solution that includes hardware, software, operations, and facilities.
Your agency gains these benefits when you use ESF AD:
OA provides a secure location to host the Active Directory and dependent functions (such as
DNS).
The application can use existing authentication and authorization data from either the APPS
domain (ESF) or the internal PA.LCL domain (CWOPA), which provides the agency's internal
users with single sign-on to its application.
Windows 2003 Active Directory schema changes to accommodate applications can be made in the
ESF AD forest, the PA.LCL forest, or both at the discretion of the Architectural Standards
Committee and Schema Management Board. See Appendix A Schema Management Process for
details.
Internal IT staff is freed up to work on agency strategic initiatives.
AMT will provide 24x7 monitoring, management, and support to provide increased reliability,
availability, scalability, and security as well as improve application authentication through ESF
Active Directory.
ESF Active Directory is highly available with built-in redundancy, disaster recovery, and multiple
locations for access.
ESF has the knowledge and expertise to maintain and manage Active Directory and is fully
engaged with Unisys and Microsoft to diagnose, troubleshoot, and resolve any issues or problems.
2.2 ASSUMPTIONS
This document assumes that the reader has a basic understanding of AD concepts including:
Forests
Domains
Organization Units (OUs)
Objects
Schema
DNS
AD Management Principles
Note: Appendix B Active Directory and Application Development Resources contains references that
discuss each of these assumptions in depth.
2.3
The network architecture is the key component of the functionality and security of the ESF LAN
(Extranet).
This diagram shows how ESF network deployment relates to Active Directory. Three primary networks
within the deployment are either logically or physically connected to one another to make up the ESF
network:
2.3.1
The Extranet resides in the CTC Internet Zone (Demilitarized Zone or DMZ) and contains Internet
Information Services (IIS), domain controllers, and other AD infrastructure such as DNS and WINS.
Through router security permissions or the Access Control Lists (ACLs) on the router/firewall between
CWOPA and the Extranet, all traffic that originates from CWOPA is allowed into the Extranet. If a
resource on CWOPA is pushing data to a server on the Extranet, all communication is allowed.
In reverse, all traffic originating from the Extranet is blocked going back to CWOPA. If a batch job
attempts to run a process from an Extranet machine that initiates communication back into CWOPA, the
traffic is blocked by the ACLs on the router between CWOPA and the Extranet. Data on CWOPA servers
is either pushed to the Extranet from the CWOPA resource or the CWOPA resource must reside in the
Extranet. Within the Extranet, all servers are homed to the same network and are allowed to communicate
with one another assuming appropriate rights between resources.
The servers located in the Extranet communicate back to CWOPA through Internet Protocol Security
(IPSec). This table shows the approved ports and associated functions for Active Directory
communication that is allowed to traverse from the Extranet to internal Active Directory servers:
Ports and Protocols Accessible from DMZ to CWOPA Internal Network
Protocol     Description
50           (description not recoverable from the extracted text)
51           (description not recoverable from the extracted text)

Port         Type    Description
20 and 21            FTP
25
80                   http
443          UDP     SSL
2.3.2 Internet Access
The external firewall (Internet-facing) manages traffic between the Internet and the Extranet. Clients
accessing web sites in the Extranet are allowed to connect via the Internet once the proper credentials are
supplied to the Active Directory.
Ports Accessible from Internet to Extranet (DMZ) Network
Port         Type    Description
53
88                   Kerberos
389                  LDAP
500          UDP
2.3.3
The current design of the ESF DMZ allows only Internet services such as http, https, and other basic
services like FTP and SMTP through the Internet-facing side of the DMZ. All management and database
access to co-located servers is via an intranet-only routable back-end address through the Business Logic
Layer (BLL).
BLL ensures that agency traffic including management traffic such as FTP, web administration, backups,
terminal services, or other remote management software and back-end data traffic such as database traffic
between the co-located server and the agency have a secure, higher-speed path that is not available from
the Internet.
To facilitate this design, a network card is added to every co-located server and configured with an
intranet routable address. The default gateway is left blank for this interface, and persistent routes are
added for each agency server or management station that needs BLL access.
BLL security advantages are:
Only http, https, FTP, and SMTP access are allowed from the Internet
Separate paths exist for public and agency data
BLL cannot be reached directly from the Internet
2.4 PREREQUISITES
The application must be integrated to run on the Windows 2003 Server family of operating
systems and must be able to use integrated security (Active Directory Authentication).
AMT has full administrative access over the Active Directory Forest.
The ESF Forest trusts the CWOPA (PA.LCL) domain. This trust facilitates the Single Sign-On
security model whereby user accounts in CWOPA can be used to grant access to the applications
in the ESF.
If you have a non-Windows based application or other situation not identified in this document
that requires Active Directory or any directory service, engage the Architectural Standards
Committee at ascmembers@state.pa.us to discuss business requirements, architecture, and
possible solutions. See Appendix A Schema Management Process for details.
2.5 IMPLEMENTATION DETAILS
2.5.1 ESF Active Directory Implementation Details & Schematic Diagrams
ESF implemented a single forest/multiple domain model for Active Directory. An empty root called
ROOT.STATE.PA.US resides within the forest. This domain houses the Enterprise Admins role, Schema
Admins role, and forest-wide FSMO roles. Applications reside in APPS.STATE.PA.US and user accounts
are divided among two domains: USER.APPS.STATE.PA.US (USER) and MUSER.APPS.STATE.PA.US
(MUSER).
USER houses non-managed users or self-registered users similar to a typical portal user with customized
content like PA PowerPort. USER domain security is commensurate with requirements for Internet
applications. MUSER houses managed users, constituents, and vendors that must access line-of-business
applications or other applications where authorization and security are critical. The sponsoring agency
performs user, group, and authorization management similar to the way CWOPA is managed.
This diagram shows a high-level view of the CWOPA and ESF Active Directory namespace as defined in
the functional specification.
2.5.2
Click this link to get the most up-to-date information about the domain controllers within this
environment: http://www.oaesf.state.pa.us/sites/esf/Services
2.5.3 APPS Domain
AMT controls and manages the APPS domain and defines and maintains all levels of OU structure. AMT
recommendations for OUs in the APPS domain are:
OU depth should not exceed four levels
The top level OU is the Agency OU and consists of the agency's 2-digit code
The second level consists of the servers OU and service accounts OU
Lower level OU recommendations are:
6 characters maximum length; optional if it applies to the agency's IT administration model
Groups may be placed in all OUs starting from the Agency OU
OUs are locked down by default with changes initiated through the initial deployment process or a service
request (Remedy ticket). Currently, delegated permissions over OUs within the APPS domain are not
supported. Machine accounts are ONLY created by AMT through the initial deployment process or a
service request.
Delegated permission to the APPS domain is restricted to maintain stability and security for all agencies
and applications. ESF personnel handle all change requests including, but not limited to, server
creation/deletion, service account setup, and group policy placement. (GPO creation and management are
discussed in depth in a later section.)
2.5.4
All self-registered users are housed in the PALogin OU for the USER domain. AMT defines and
maintains the top three levels of the MUSER OU structure.
AMT recommendations for OUs in the MUSER domain are:
OU depth should not exceed four levels
The top level OU is the Agency OU and consists of the agency's 2-digit code
The second level consists of the application name and user container
AMT creates OUs below the application name but the agency administers them
Lower level OU recommendations are:
6 characters maximum length if it applies to the agency's IT administration model
Groups may be placed in all OUs starting from the Agency OU
AMT gives agencies delegated permissions over their OUs. An agency can administer only that portion of
the directory that pertains to them (their own OU). Since the MUSER.APPS.STATE.PA.US domain
enforces tighter security policies, ESF Tools is the only supported means of maintaining user accounts in
the MUSER domain. Submit a request for ESF personnel to configure ESF Tools access for the agency
application.
Within the MUSER.APPS.STATE.PA.US domain:
Agency Administrators can create, delete, or modify user and group objects and apply OU group
policies to users. The agency provides the policy and ESF provides installation assistance.
Authorized MUSER OUAdmins can use the ESF Tools website: https://www.esftools.state.pa.us/
to create, modify, and delete users within the agency's OUs; create Commonwealth employee
accounts and vendor accounts; reset passwords; and unlock accounts. However, the ESF Tools
cannot change incorrectly-entered employee IDs.
OUAdmins can also use the Active Directory Users and Computers Management Console Snap-in
to perform various tasks.
OUAdmins can perform these roles with the ESF Tool and the Active Directory Users and Computers
Management Console Snap-in:
Role                                                        ESF Tool    AD Users and Computers Snap-in
Create/delete/modify groups                                 X           X
Create/delete/modify users                                  X           X
Modify all properties of a user (reset password, group
memberships, and all other properties) except Employee ID,
SamAccountName, and FullName (CN)                           (marks for this row not recoverable from the extracted text)
This section discusses ESF Standards and aspects of services provided for the Active Directory.
3.2 NAMING CONVENTIONS
Naming conventions provide a standard approach to naming different objects within Active Directory and
help to troubleshoot and locate objects. All objects also need a detailed description of use. A description
field is available for all User, InetOrgPerson, Computer, Group, OU and Container objects within Active
Directory. Naming conventions are as follows:
3.2.1 Server Names
When a server name is based on location, browsing or searching by the first part of the server name
returns all servers from all agencies (for example, searching on HBG returns all HBG servers from all
agencies). Since multiple agencies exist in the same location, use the two-digit agency code at the front
of the server name to locate an agency's servers, rather than the location name.
As all new servers are built, the recommended naming standard is AALLLFFEXXX, where:
AA = Agency code
LLL = Location code; for example: CTC = Commonwealth Technology Center, WLO = Willow
Oaks, CAM = Cameron Street
FF = Function code; for example: BT = BizTalk, EX = Exchange Server, IS = Web Server, SQ =
SQL Server, AP = Application
E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production,
R = Disaster Recovery
XXX = Unique number that increments based on use
The recommended cluster naming standard is Server name\SC(E)(XXX), where:
SC = Server Cluster
E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production,
R = Disaster Recovery
XXX = Unique number; for example: 001 (should be the same as the server's name)
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.
3.2.2 Service Accounts
As an agency has more applications hosted in the Applications AD, more service accounts must be used
for applications. The recommended naming standard is AASRVFFEXXX, where:
AA = Agency code
SRV = Service account; for example: CTC = Commonwealth Technology Center, WLO = Willow
Oaks, CAM = Cameron Street
FF = Function code; for example: BT = BizTalk, EX = Exchange Server, IS = Web Server, SQ =
SQL Server, AP = Application
E = Environment; for example: T = Test lab, S = Staging, D = Development, P = Production
XXX = Unique number that increments based on use
If the application is hosted and managed by ESF, the predefined two-digit code is EN for Enterprise.
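As an added illustration of the two naming standards above (example code, not part of the ESF document or its tooling), the following Python splits a server or service-account name into its fields and flags any code that is not in the lists given here, so an inventory export can be checked for conformance before it is trusted in reports. The code tables, the two-character agency pattern, the cluster-name check, and the sample names are assumptions taken from sections 3.2.1 and 3.2.2.

```python
import re

# Code tables transcribed from sections 3.2.1 and 3.2.2. The document gives them
# "for example", so an unlisted code yields a warning rather than a hard failure.
LOCATION_CODES = {"CTC": "Commonwealth Technology Center", "WLO": "Willow Oaks", "CAM": "Cameron Street"}
FUNCTION_CODES = {"BT": "BizTalk", "EX": "Exchange Server", "IS": "Web Server", "SQ": "SQL Server", "AP": "Application"}
ENV_CODES = {"T": "Test lab", "S": "Staging", "D": "Development", "P": "Production", "R": "Disaster Recovery"}
ENTERPRISE_AGENCY = "EN"   # predefined code for applications hosted and managed by ESF

# AALLLFFEXXX (server) and AASRVFFEXXX (service account) are both 11 characters;
# the literal SRV in the location slot tells the two apart. Assumption: the
# two-character agency code may be letters or digits (the document's example is EN).
NAME_RE = re.compile(r"^(?P<agency>[A-Z0-9]{2})(?P<site>[A-Z]{3})(?P<func>[A-Z]{2})(?P<env>[A-Z])(?P<seq>[0-9]{3})$")
# Cluster names: <server name>\SC<E><XXX>
CLUSTER_RE = re.compile(r"^(?P<server>[A-Z0-9]{11})\\SC(?P<env>[A-Z])(?P<seq>[0-9]{3})$")


def parse_name(name):
    """Split a server or service-account name into its fields.

    Returns (fields, warnings); fields is None when the name does not fit the standard.
    """
    m = NAME_RE.match(name.upper())
    if not m:
        return None, [f"{name}: does not match AALLLFFEXXX / AASRVFFEXXX"]
    f = m.groupdict()
    f["kind"] = "service account" if f["site"] == "SRV" else "server"
    f["enterprise_hosted"] = f["agency"] == ENTERPRISE_AGENCY
    warnings = []
    if f["kind"] == "server" and f["site"] not in LOCATION_CODES:
        warnings.append(f"{name}: location code {f['site']} is not in the documented list")
    if f["func"] not in FUNCTION_CODES:
        warnings.append(f"{name}: function code {f['func']} is not in the documented list")
    if f["env"] not in ENV_CODES:
        warnings.append(f"{name}: environment code {f['env']} is not in the documented list")
    elif f["kind"] == "service account" and f["env"] == "R":
        # Section 3.2.2 lists no Disaster Recovery environment for service accounts.
        warnings.append(f"{name}: R is not a listed environment for service accounts")
    return f, warnings


def parse_cluster_name(name):
    """Check a cluster name against its server name: environment and number should match (3.2.1)."""
    m = CLUSTER_RE.match(name.upper())
    if not m:
        return None, [f"{name}: does not match <server name>\\SC(E)(XXX)"]
    server, warnings = parse_name(m["server"])
    if server is None:
        return None, warnings
    if m["env"] != server["env"]:
        warnings.append(f"{name}: cluster environment {m['env']} differs from the server's {server['env']}")
    if m["seq"] != server["seq"]:
        warnings.append(f"{name}: cluster number {m['seq']} should equal the server's {server['seq']}")
    return {"server": server, "cluster_env": m["env"], "cluster_seq": m["seq"]}, warnings


def audit_names(names):
    """Conformance pass over an inventory list: returns {name: notes} for every non-conforming entry."""
    report = {}
    for n in names:
        fields, notes = parse_name(n)
        if fields is None or notes:
            report[n] = notes
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real Commonwealth host names.
    for name, notes in audit_names(["ENCTCISP001", "ENSRVSQP002", "HBGWEB01", "ENXYZAPT003"]).items():
        print(name, "->", "; ".join(notes))
```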
3.2.3 User Accounts
The Enterprise Server team performs an initial bulk creation of user accounts based on an Excel
spreadsheet that the agency provides. Follow this naming standard for these accounts:
A user name has three parts: a first name, a last name, and a middle initial. Use these parts to construct a
user account name where the variables are FirstName, LastName and MiddleName and %n represents an
integer number of characters of the variable from the left. For example, %5Godzilla is equal to Godzi. If a
particular user account name already exists, follow this list until a unique user name is found:
1 - %1FirstName%9LastName
2 - %2FirstName%8LastName
10 - %1FirstName%1MiddleName%8LastName
11 - %2FirstName%1MiddleName%7LastName
18 - %1LastName%9FirstName
19 - %2LastName%8FirstName
27 - %1MiddleName%1FirstName%8LastName
28 - %1MiddleName%2FirstName%7LastName
35 - %1FirstName%8LastName%1MiddleName
36 - %2FirstName%7LastName%1MiddleName
43 - %1MiddleName%8LastName%1FirstName
44 - %1MiddleName%7LastName%2FirstName
If you exhaust all these options, use numbers from 01 to 99 as suffixes to these options in order based on
availability. User names should not exceed 12 characters (10 characters without numerals).
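An added worked example of the selection procedure above (example code, not from the original document): it expands each listed %n option for a given name, drops options that collapse to the same string, enforces the 12-character limit, and falls back to the 01 to 99 suffixes. Lower-casing, letters-only normalization of the name parts, and retrying the suffixes option by option are assumptions not stated in the document.

```python
import re

# The options printed in section 3.2.3, in the order the document tries them.
# The document numbers them 1, 2, 10, 11, ... so it shows a selection; only
# the printed options are implemented here.
OPTIONS = [
    (1, "%1FirstName%9LastName"),
    (2, "%2FirstName%8LastName"),
    (10, "%1FirstName%1MiddleName%8LastName"),
    (11, "%2FirstName%1MiddleName%7LastName"),
    (18, "%1LastName%9FirstName"),
    (19, "%2LastName%8FirstName"),
    (27, "%1MiddleName%1FirstName%8LastName"),
    (28, "%1MiddleName%2FirstName%7LastName"),
    (35, "%1FirstName%8LastName%1MiddleName"),
    (36, "%2FirstName%7LastName%1MiddleName"),
    (43, "%1MiddleName%8LastName%1FirstName"),
    (44, "%1MiddleName%7LastName%2FirstName"),
]
TOKEN = re.compile(r"%(\d+)(FirstName|MiddleName|LastName)")
MAX_LEN, MAX_LETTERS = 12, 10   # limits stated in section 3.2.3


def take(value, n):
    """%nValue: the first n characters of value (the document's example: %5Godzilla -> Godzi)."""
    return value[:n]


def normalize(part):
    # Assumption (not stated in the document): keep letters only and lower-case them,
    # so names such as O'Neil or Smith-Jones still produce a plain account name.
    return re.sub(r"[^a-z]", "", part.lower())


def expand(pattern, first, last, middle):
    """Replace every %nVariable token in a pattern with the first n characters of that part."""
    parts = {"FirstName": normalize(first), "LastName": normalize(last), "MiddleName": normalize(middle)}
    return "".join(take(parts[var], int(n)) for n, var in TOKEN.findall(pattern))


def candidates(first, last, middle):
    """Distinct base names in document order (an empty middle name makes several options collapse)."""
    seen = []
    for _, pattern in OPTIONS:
        name = expand(pattern, first, last, middle)
        if name and name not in seen:
            seen.append(name)
    return seen


def conforms(name):
    """At most 12 characters overall and at most 10 without the numeric suffix."""
    return len(name) <= MAX_LEN and len(re.sub(r"\d", "", name)) <= MAX_LETTERS


def choose_username(first, last, middle, existing):
    """Return the first free, conforming name; None only if every option and suffix is taken.

    Assumption: once the plain options are exhausted, each option is retried with
    suffixes 01..99 before moving on to the next option.
    """
    taken = {u.lower() for u in existing}
    bases = candidates(first, last, middle)
    for base in bases:
        if base not in taken and conforms(base):
            return base
    for base in bases:
        for n in range(1, 100):
            name = f"{base}{n:02d}"
            if name not in taken and conforms(name):
                return name
    return None


if __name__ == "__main__":
    # Constructed sample directory contents, not real accounts.
    directory = {"jsmith", "josmith"}
    print(choose_username("John", "Smith", "Q", directory))   # jqsmith
```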
3.3 SERVICES
The ESF AD is a critical part of the Enterprise Architecture for single sign-on, security, and identity
management. Applications can leverage the ESF Active Directory in three scenarios: as part of Managed
Services, as a Co-Location customer, or for Active Directory benefits only. Within this section, front-end
represents all servers and services such as the web servers, portal services, and applications, and back-end
represents servers and services whose resources the front-end servers use for information or data.
The ESF AD Forest is optimized for use in an Internet Data Center or hosting environment rather than a
distributed corporate-like or CWOPA environment. The ESF AD is optimized to rapidly replicate
directory data, handle a high volume of authentication requests per second, and facilitate tightly managed
services for high reliability, availability and security. The directory is deployed in a centralized model to
optimally accommodate these requirements.
3.3.1
Managed Services is where ESF provides complete management for either or both front-end and back-end
servers and services located in the ESF. Managed Services uses the ESF Active Directory and is the
ideal way for an agency to leverage the full enterprise infrastructure of single sign-on, identity
management, security, and directory services. All servers, users, groups, and policies are maintained in
Active Directory similar to the way that Commonwealth employee user accounts and mailboxes are
maintained in CWOPA.
3.3.2
Co-Location hosting is for agencies that want to retain full management responsibility for day-to-day
hosting within a secure and conditioned environment. The CTC ESF provides a highly secure and
conditioned environment with access to high bandwidth and security-enhanced Internet connectivity.
Co-Location services also provide the benefits of Active Directory for its customers. Co-Location
customers can add their servers into Active Directory to leverage single sign-on, integrated security,
added server management through group policy, and complete integration with the enterprise
3.3.3
Some agencies choose to house all of their servers in a location outside the physical and logical locale of
the ESF. Agencies that need to leverage the enterprise architecture and have identified requirements to
use the ESF Active Directory can leverage the ESF AD services across the network. This configuration
requires careful planning and analysis to avoid unexpected problems. Agencies in this situation should
contact their AAM immediately for further assistance.
Another Active Directory option for remote use of directory services is to distribute a domain controller
to a remote site (decentralized domain controllers). The ESF AD is deployed and optimized for a high
volume hosting environment and therefore requires architectural changes to accommodate a distributed
architecture. Accommodating this requirement involves multiple design and facility considerations that an
agency may or may not be able to fulfill. Some factors that affect the decision for decentralized domain
controllers are:
ESF AD design considerations for remote placement of domain controllers such as site
topology/GC placement, replication latency, and secure network transmissions
ESF or agency access to physical remote domain controllers adds cost and risk to managing and
securing the Forest
Post-deployment management and monitoring of ESF changes to domain controllers involves
added complexity and cost
ESF must actively manage the real available bandwidth or bandwidth guarantees from agency to
ESF for Active Directory operations
This list demonstrates why decentralized domain controllers are the least preferred method and not a
currently supported solution. However, the ESF is committed to addressing the emerging business needs
of the Commonwealth.
If your agency requires a distributed domain controller or remote use of the ESF Active Directory, contact
your AAM to request a consultation. Please include the nature of your request and all relevant
information.
3.4
ESF implements domain policies that include password, machine account, and user account policies. The
agency maintains and applies group policy at the OU level in Co-Location. The current ESF domain
policy for MUSER.APPS.STATE.PA.US is:
Policy                                                   Default Setting    ESF Setting

Password Policy
Enforce password history
[The remaining Password Policy rows did not survive extraction; the values that remain are 42, 60, a series of Disabled/Enabled settings, and 720.]

Audit Policy
Audit account logon events                               No auditing        Success, Failure
[The remaining Audit Policy rows did not survive extraction; each shows a default of No auditing and an ESF setting of Success, Failure; Failure; or No auditing.]

Security Options
Allow system to be shut down without having to log on    Disabled
[The remaining Security Options rows did not survive extraction; surviving values include Enable, No action, Force logoff, and three size settings with a default of 512 kilobytes and ESF settings of 5056, 10240, and 5056 kilobytes.]

System Services (startup type)
Alerter                     Automatic
Computer Browser            Automatic
DHCP Client                 Automatic
DNS Client                  Automatic
Event Log                   Automatic
IPSEC Services              Automatic
License Logging             Automatic
Messenger                   Automatic
Net Logon                   Automatic
Print Spooler               Automatic
Protected Storage           Automatic
Remote Registry             Automatic
Removable Storage           Automatic
Secondary Logon             Automatic
Server                      Automatic
Smptsvc                     Automatic
Task Scheduler              Automatic
Windows Time                Automatic
Workstation                 Automatic
Application Management      Manual
ClipBook                    Manual
Network DDE                 Manual
Rsvp                        Manual
[Several further service rows (Automatic and Manual) lost their service names in extraction.]

File System
\Winnt\Repair
\Winnt\System32\config
\Winnt\System32\spool
<log partition>
Permission entries in this group: Administrators Full Control; SYSTEM Full Control; CREATOR/OWNER Full Control; Domain Users Read or List; Everyone None. [The assignment of entries to paths is not recoverable from the extracted text.]

Control Panel
Hide Screen Saver tab                                    Not configured     Not configured

Terminal Services
Set time limit for disconnected sessions                 Not configured     Enabled
[Two further Terminal Services rows (Not configured to Enabled) lost their names in extraction.]
3.5
This table outlines the administrative and management task responsibilities for ESF, Customer, and
combined AMT and Customer. AMT has completed most of its responsibilities in setting up Active
Directory.
Role/Responsibility                ESF Responsibility    Customer Responsibility
Domain Management
  FSMO
  Replication
  Domain Policy
  Password Policy
  Schema Management
Domain Controller
  Disaster recovery
  Deploy/Install DC
OU Management
  Create Secondary/Tertiary
User Management
  Create users
  Create groups
  Modify users
  Modify groups
  Delete users
  Delete groups
[The X marks assigning each task to ESF or Customer did not survive extraction.]
3.6 MONITORING
Since Active Directory is such a critical component of the ESF infrastructure and the applications running
in this environment, monitoring and managing Active Directory is essential to ensure the availability and
performance of agency business applications.
ESF operations deliver an enterprise-class solution for operations management and monitoring of
Windows servers, Windows infrastructure including Active Directory, and .NET Enterprise Servers such
as SQL Server.
ESF manages critical functions to ensure that Active Directory services are operational and performing at
a high degree of reliability. The Active Directory Health Indicators that ESF considers critical are:
Ability for users to log on quickly to access network resources
Quick responses to LDAP queries
Consistent data on all domain controllers
Replication occurs within expected timeframes
Quick response to correcting outages
All role masters up and running
Stable CPU usage on domain controllers
Reduced WAN traffic
To monitor these AD critical functions, MOM uses these indicators to ensure ESF AD health:
No errors or warnings in relevant logs such as AD, FRS, LSASS, and many more
Replication latency
CPU utilization
Free space
Disk queue length
LDAP ping/Query times
Cache hit rates
Role holder priorities
3.7 SECURITY
3.7.1 Windows 2003 Authentication Architecture
Windows 2003 is built upon two basic authentication types: local (or interactive) authentication and
network (or non-interactive) authentication. Each authentication type has a slightly different architecture.
A local authentication occurs when a user logs on through a user interface. (For example, a user initiates a
workstation logon sequence such as CTRL-ALT-DEL to authenticate to a Windows 2003 machine or
domain.) This type of authentication is not currently implemented or supported in the ESF infrastructure.
However, to accommodate an agency's unique needs, this requirement involves decisions regarding:
VPN access from the agency to the ESF Datacenter (changes to firewall rules)
Terminal Server access to applications that reside in the ESF for interactive use (infrastructure
considerations)
A network authentication occurs when a client application calls the Security Support Provider Interface
(SSPI) to establish a secure network connection. This type of authentication is supported in ESF and is the
primary focus for the guidance provided in this document. Windows 2003 authentication architecture
updates include:
Kerberos: the new default authentication protocol that is implemented as both an Authentication
Package and a Security Support Provider (SSP)
The Negotiate package: an SSP that permits two network entities to negotiate an authentication
protocol
Authentication credentials stored in the Active Directory that replace the NT4 SAM on domain
controllers
3.7.2
Anonymous
Basic
Basic authentication requests a user name and password for verification, but the user's details are transmitted to the server in
clear text. Security is not very good because the packets can be intercepted and credentials stolen.
Security can be increased by using the Secure Sockets Layer (SSL), which provides a secure communications channel for the
transfer of sensitive information.
Digest
Digest authentication requests a user name and password before allowing access to the restricted areas of a site. Digest
authentication does not send the credentials using clear text as basic authentication does; instead it uses a hashing mechanism to
encrypt the data before transmission.
Integrated
In integrated Windows authentication the user's NT domain or Active Directory service account is used for authentication. Since
integrated Windows encrypts transmitted data, it is ideal for intranet solutions.
3.7.3 Certificate Authentication
Certificate authentication uses a certificate, or key, stored on the client's computer to verify the user's
identification. The certificate is automatically presented for authentication when a restricted resource is
requested. If a certificate is not present, access is granted using the guest account. Certificates can be
mapped to a single NT domain or Active Directory account (many-to-one mapping) or each certificate
can be mapped to a separate account (one-to-one mapping).
3.7.4 Forms Authentication
Forms authentication uses a custom web page to request a user's logon credentials for restricted areas of a
web site. The logon form does not perform user verification; it is solely for collecting authentication
details. Custom code validates the user's credentials against a data store for authentication. After the user
has been authenticated, a token is returned. The token verifies the user for each subsequent access to a
restricted part of a web site.
Use cookies or a custom mechanism such as a unique identifier in the URL query string or hidden fields
to identify users after they have logged on.
3.7.5
Intranet site
We recommend Integrated Windows authentication if the web site meets these criteria:
All users have an NT domain or Active Directory account.
Access is exclusively through Internet Explorer.
No unrestricted areas exist.
Extranet site
Any one of the three forms of authentication is suitable if the web site meets these criteria:
Users are from both internal and external sources.
Some unrestricted areas exist.
After a user is authenticated, verify access rights for the requested resource. If the resource is a file
system resource such as a template file, check the ACL. If the user is:
Listed in the ACL and has sufficient privileges to perform the requested function, grant access.
Not listed in the ACL or does not have sufficient access privileges, deny access to the resource.
3.7.6 Application Security
PALogin Application
External constituents must have a PALogin account to have access and single sign-on to all ESF web
sites. Accounts that use PALogin to log in to the state websites are housed within the
USER.APPS.STATE.PA.US domain. This domain does not have any account restrictions such as
lockout, minimum password length, or password strength. The constituent manages these accounts (for
example, changing a password). These Internet user accounts do not have any access to the internal
PA.LCL environment.
SQL Authentication
Use digest authentication or integrated security for SQL service. Do not use built-in SA account or
account database. SQL security can be shared ESF SQL or agency-owned SQL (installed in the agency
location or ESF Co-Location). For ESF shared SQL, give owners permissions for SA type rights to
their database but not the entire server. For agency-owned SQL, use digest authentication or integrated
security with Active Directory.
Application Authentication
Use digest authentication or integrated security for applications. Do not use built-in authentication /
authorization.
Terminal Services Authentication
Use certificates or integrated security for Terminal Services. Do not use digest or basic model
authentication.
3.8
ESF performs a full backup of Managed Services servers nightly, Monday through Friday, and
incremental backups on Sundays. Tapes are sent to an off-site facility weekly. The ESF also maintains a
weekly, monthly, and yearly tape archive. Daily and weekly tapes are redeployed in the rotation scheme;
yearly backups are retained for seven years.
Refer to this site for an overview of ESF Managed Services Backup and Recovery policies, procedures,
and licensing: ESF BACKUP AND RECOVERY OVERVIEW
3.9 CHANGE MANAGEMENT
Refer to ESF CHANGE MANAGEMENT PROCESS AND PROCEDURES to review standard ESF
change management processes.
3.10 MAINTENANCE
The agency specifies available maintenance windows for the ESF to perform maintenance for each
application. The ESF performs Enterprise maintenance that affects a large number of applications during
the Enterprise maintenance window.
4.1
4.2
The Active Directory provides rich support for locating and working with AD objects. Review these links
to documents, sites, and sample code that help with the deployment, administration, and development of
applications built upon Active Directory, Active Directory Services Interface (ADSI), and Directory
Services.
Active Directory Schema http://msdn2.microsoft.com/en-us/library/ms674984.aspx
ADSI http://msdn2.microsoft.com/en-us/library/aa772170.aspx
Using Active Directory Roles Sample http://msdn2.microsoft.com/en-us/library/ms741720.aspx