The Book

This book’s goal is to bridge the gap between THE WHAT of Active Directory (i.e. explaining what features are there and how they work) and THE HOW of day-to-day Active Directory management (i.e. providing recipes or scripts to solve certain atomic challenges within an overarching management paradigm) by exploring THE WHY and, more importantly, THE WHY NOT of various design options, management processes and features.

In almost every AD redesign, security audit or other AD-related engagement I was part of during the 25 years of my career spent working with AD, I wished the customers and other parties “on the other side of the table” had read a book like this before sitting down with me. In a way, this book is my belated present to my previous clients, colleagues and maybe even competitors.

You can get the book from your favourite bookseller, and I strongly encourage you to do so – just give them the ISBN 979-8-8688-0940-8. If you prefer to order online, the book is available there, too:

(these are NOT affiliate links 🙂 )

Table of Contents:
Introduction

Chapter 1: Problems with AD
1.1 Structural Challenges
1.2 Questionable Defaults
1.3 The Misunderstood AD
1.4 Patterns and Anti-patterns

Chapter 2: A Modern AD
2.1 Modern Work Requirements
2.2 Directory Security
2.3 Modern AD Tenets
2.4 Lookup, Authentication, Authorization, and Configuration
2.5 A Modern AD Is Hybrid – Cloud Integration

Chapter 3: Engineering Topology
3.1 Site Autonomy – If a WAN Link Goes Down
3.2 Forest and Domain Topologies
3.3 Naming Conventions for Domains
3.4 Sites and Subnets
3.5 AD Distribution and Placement
3.6 Read-Only Domain Controllers
3.7 Administration (Red) Forest
3.8 Modern Design Defaults

Chapter 4: Engineering Lookup
4.1 Disclosing Information vs. Preventing Reconnaissance
4.2 Structures, Permissions, and Defaults
4.3 Defining Visibility and Hiding the Crown Jewels in Plain Sight
4.4 Name Resolution and Service Location
4.5 Lookup in Perimeter Networks
4.6 Modern Defaults

Chapter 5: Engineering Authentication
5.1 Authentication Protocols in AD
5.2 Engineering Kerberos for Security and Usability
5.3 Getting Rid of NTLM
5.4 Service and Task Accounts
5.5 Computer Accounts
5.6 From Domain Join to Domain Takeover
5.7 Tickets from the Cloud
5.8 Certificate-Based Authentication
5.9 Engineering Trusts
5.10 Authentication in Perimeter Networks

Chapter 6: Engineering Authorization
6.1 Working with Groups and Object Hierarchies
6.2 Role-Based Access Control (RBAC) Models
6.3 Delegating Administrative Tasks
6.4 Modern Defaults

Chapter 7: Engineering Configuration
7.1 AD and Configuration Management
7.2 Engineering Group Policy
7.3 Advanced Group Policy Techniques
7.4 Engineering Domain Controllers
7.5 Securing Domain Controllers
7.6 Domain Join as Priority One Design Area
7.7 Default Containers

Chapter 8: Engineering Administration
8.1 Privileged Access
8.2 Delegation of Privileges While Reducing the Attack Surface
8.3 Using Automation
8.4 Using Desired State

Chapter 9: Building a Modern AD
9.1 Fast-Tracking Design
9.2 Secure from the Beginning
9.3 Creating Prerequisites
9.4 Preparing for Change
9.5 Preparing for Disaster
9.6 Deploying a Modern AD in a Secure Manner
9.7 Putting AD into Production

Chapter 10: Operating a Modern AD
10.1 Day-to-Day Operations
10.2 Incorporating New Technology
10.3 Security Operations
10.4 Backup and Restore
10.5 Disaster Recovery
10.6 Functional Monitoring
10.7 Security Monitoring

Chapter 11: Transitioning to a Modern AD
11.1 In Situ Modernization vs. Migration
11.2 In Situ Modernization
11.3 “Rejuvenation Migration”
11.4 Mergers and Acquisitions – Migrating into Existing Infrastructure
11.5 Migrating People and Processes Along with Systems

Chapter 12: Conclusion