Imagine your infrastructure now contains several OUs of computers and users and you want to delegate them to different admin groups, including the rights to set their own group policies. How do you do this?
Launch "Active Directory Users and Computers". Right-click the OU that you want to delegate and select "Delegate Control". Select the delegated groups and tasks. For full delegation, select "Create a custom task to delegate" and then select all permissions, as follows:
To assign the right to create Group Policy Objects, launch the "Group Policy Management Console" and click "Group Policy Objects". Open the "Delegation" tab in the right pane and add the delegated groups, as follows:
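Once control has been delegated through the GUI it is worth verifying exactly what was granted, because "Create a custom task" with all permissions writes a GenericAll entry on the OU. The following PowerShell audit is an added example, not part of the original post; it assumes the RSAT ActiveDirectory and GroupPolicy modules are installed, and the OU path and group name are placeholders.

```powershell
# Added example: audit the delegation on an OU and the GPO rights of the
# delegated group. Assumes RSAT (ActiveDirectory + GroupPolicy modules).
Import-Module ActiveDirectory
Import-Module GroupPolicy

$OuDn      = 'OU=Branch,DC=corp,DC=example'   # placeholder OU
$GroupName = 'Branch-Admins'                  # placeholder delegated group (sAMAccountName)

# 1. Explicit (non-inherited) ACEs on the OU. These are the entries that
#    "Delegate Control" wrote; inherited ones come from the domain head.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  @{ n = 'AppliesTo'; e = { $_.InheritanceType } } |
    Format-Table -AutoSize

# 2. Flag full-control or ACL-changing rights held by anyone other than the
#    group you intended to delegate to (WriteDacl/WriteOwner let a holder
#    regrant themselves anything later).
$unexpected = $acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner' -and
    $_.IdentityReference.Value -notlike "*\$GroupName"
}
if ($unexpected) {
    $who = ($unexpected.IdentityReference.Value | Sort-Object -Unique) -join ', '
    Write-Warning "Full-control or ACL-changing rights on $OuDn also held by: $who"
}

# 3. GPO side: which existing GPOs in the domain can the delegated group
#    edit, delete or re-secure? Get-GPPermission throws when the trustee
#    has no entry, so those GPOs are simply skipped.
Get-GPO -All | ForEach-Object {
    $perm = Get-GPPermission -Guid $_.Id -TargetName $GroupName -TargetType Group `
                             -ErrorAction SilentlyContinue
    if ($perm) {
        [pscustomobject]@{ GPO = $_.DisplayName; Permission = $perm.Permission }
    }
} | Format-Table -AutoSize
```

Run it after each delegation change and keep the output with the change record; a GPO showing GpoEditDeleteModifySecurity for the branch group means that group can change who else can edit the policy.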
I have a wide scope of interests in IT, which includes Hyper-V private cloud, Remote Desktop Services, server clustering, PKI, network security, routing & switching, enterprise network management, MPLS VPN on enterprise networks, etc. I started this blog for my quick reference and to share technical knowledge with our team members.
Friday, October 30, 2009
Friday, October 23, 2009
Native VHD mount in W2K8 R2
Another new feature in W2K8 R2 - you can now create and mount Virtual Hard Disk (VHD). Go to Server Manager -> Storage. Expand into Disk Management, mouse over to More Actions. Create & mount VHD just like what you do for a new physical hard disk.
What about turning on BitLocker to encrypt the virtual volume? Add the "BitLocker" feature in Server Manager. After a reboot, go to Control Panel -> BitLocker Drive Encryption. Hey, the VHD is ready for you to encrypt (see picture below). Next, instead of storing the key on the TPM, we will enrol a smart card to encrypt this virtual volume. We will update again when we are ready.
Labels:
hyper-v,
virtualization
Sunday, October 11, 2009
TrueCrypt on Present-V
While office applications (e.g. MS Office 07) can be easily delivered remotely via RDP, we wondered whether we could have a secure vault for confidential document processing. The free, open-source TrueCrypt came to mind. You can create an encrypted Virtual Hard Disk (VHD) and mount it on a logical drive. As these VHDs are file-based, they can be easily moved around and are easy to back up.
We have tested that TrueCrypt works perfectly well on Present-V and we even managed to place its symmetric keyfile into a PKCS#11 smart token for enhanced security. For quicker startup, we wrote a script (see command-line usage) that can auto-mount the VHD on the first available drive.
As the process runs on the terminal server, only one drive letter can be mounted per process on each server, i.e. you can't mount two VHDs on the same E: drive on the same host. That places a logical limit of 26 (letters) - 3 (reserved A, B, C) = 23 users (assuming 1 user = 1 process) on each terminal server. Thanks to the free Hyper-V in Windows 2008, this constraint can be easily worked around. With the built-in Session Broker, the load can be balanced among a pool of several Virtual Machines (VMs) in DNS round-robin style.
Labels:
virtualization,
windows 2008
Present-V's stumbling block
Our team has succeeded in setting up a full-fledged Present-V POC, which is somewhat similar to this Microsoft IT POC, albeit on a smaller scale. We have also implemented smart cards for both authentication and secure email.
During the process, we learnt that the biggest stumbling block is the applications to be delivered. Besides running on a Windows Server 08 platform, the application must be able to support multiple users and multiple sessions. We found out that virtualizing those ancient legacy applications (which were built for Win9x, single user and single computer) is near impossible when the application developers are either already gone or near retirement!
Labels:
virtualization,
windows 2008
Friday, October 2, 2009
Read-Only Domain Controller for Remote Sites
A typical enterprise is characterized by an HQ hub site and several remote branch offices. Should a domain controller (DC) be placed in the branch office?
- Yes, it should. If not, all authentication and Kerberos ticketing activities will be directed to HQ, which might choke a slow and unreliable WAN link. In the event of a WAN link failure, all activities will come to a halt.
- No, it shouldn't. It poses serious security challenges. A DC contains the entire domain schema, including all object attributes, such as user secrets and confidential information. If the DC is accessed or stolen, the integrity of the entire AD is compromised. Furthermore, if the data on the remote DC is corrupted or outdated from a backup restore, it will be replicated to the entire domain.
Labels:
active directory,
windows 2008