
Active Directory Governance and Policies


Committee Members:
• John Salguero, PMP, IT Program Manager
• Jonathan Hardy, Franklin College, Senior Manager
• James Brannon, Franklin College, Systems Administrator
• Jim Metcalf, Terry College, IT Manager
• Chris Balthrop, College of Environment & Design, Systems Administrator
• Doug Lloyd, EITS, Systems Administrator
• Stephanie Ayers, EITS, Systems Administrator
• Wayne Crotts, College of Public Health, Systems Administrator
• Michael Jacobson, Office of VP for Research, Systems Administrator
• Seth Filkins, Undergraduate Admissions, Systems Administrator

This Committee recommends that the person accountable for the acceptance or rejection of proposals and recommendations will be Dr. Tim Chester, CIO.

Overall Challenges or Drivers
• Most of the challenges are organizational rather than technical
• Difficulty enforcing campus policies and procedures
• Competing/Higher IT priorities
• Lack of ownership of identity management by a central group
• Lack of institutional senior management’s support and enforcement
• Problems with our institution’s technologies/infrastructure


Active Directory Governance Model Oversight Policies
Governance Committee’s Charter
• An honest and thorough job of formulating/writing the policies.
• Enforcement is out of scope for this committee in this phase.
• Support and direction from upper management will be required for enforcement to be successful.
• Consider this a living document comprised of a sub-set of Active Directory Policies. The document will grow as Active Directory is refined at UGA, and more scenarios are discovered by the Colleges/Departments.
• Main focus of this committee is to engage a cross-section of UGA departments and colleges in refining the Active Directory

Membership
• Committee composition will be dependent on the participation in the EITS managed Active Directory.
  o Chair
    - Holds voting rights
    - This person's role is that of a facilitator
    - Should be appointed by the Office of the CIO
    - Should represent the interests of the UGA campuses as a whole
    - Communicate with Office of the CIO
  o Secretary
    - Holds voting rights
    - Communications, specifically
    - Dissemination of proposed policy changes (a week before the vote)
    - Meeting summary to be uploaded to a wiki page
    - Calendaring and scheduling
    - Voting request (call for votes) will go to UGANET, ITMF
  o Remedy queue point person/coordinator
    - Holds voting rights
    - Disseminate policy change requests to the committee from the Remedy queue
  o Members/college reps
    - Hold voting rights
    - Tenants of EITS managed Active Directory
    - Those with a trust in EITS managed Active Directory
  o Advisors/consultants – UGA, and/or EITS
    - Do not hold voting rights
    - People with expertise
    - Managing an AD domain or their own OU
    - Future participants

ENTERPRISE INFORMATION TECHNOLOGY SERVICES 2/28/2012 Page 2 of 9

• Accountable parties for accepting, rejecting, and enforcing proposals from the committee will be:
  o Office of the CIO
    - Dr. Tim Chester, CIO
    - Danna Gianforte, Associate CIO
• Representation expectations
  o A cross-section of UGA is required
  o College/Department and Administrative level representative required
• Meetings
  o Types of meetings
    - General Meeting
      Frequency – every Thursday at 10:00 until March 8th, 2012.
      Purpose – administrative planning and changes for the committee
    - Voting meeting
      Frequency – once a month, dates TBD after March 8th, 2012
      Purpose – discuss, plan, and vote on implementation of policy changes and Active Directory enhancements

Policy acceptance
• Submission guidelines
  o Deadlines a week before scheduled vote
  o Submit ticket/document to Help Desk and attach document
  o The Remedy point person will disseminate these submissions to the rest of the committee
• Voting structure, Percentage required
  o Tabled – require more participation
• Policy must be represented to the committee at the voting meeting
  o No-shows will be tabled for a maximum of 2 months before voting
• Voting
  o Any unrepresented motions/tickets will be denied and closed

Change Management Process
• Use Remedy as a central repository for tickets submitted to the EITS Help Desk
• Change/amendment of policies
  o Proposals submitted to accountable person – submit a ticket to the Help Desk
  o If it is denied – explanation is required
• Proposals/tickets accepted 1 week before deadline
• Schedule for implementation will be decided at the time of vote

As part of our charter, the creation of policies will take the following format:
• Policy #
• Background – why policy is put in place
• Definition – explanation of how the policy is implemented and what the policy controls are.
• Guidelines – rules of implementation.

Revision: 2.8
Date: Thursday February 23, 2012
Approvals: Office of the CIO, TBD

1. Requirements for z-acct.
Background: The z-account is provided to the OU admin and allows them to create child objects within their local OU. Once the z-acct is provided to the local OU Admin, he/she can perform changes without coordinating with EITS Admins. If an OU admin does not have the appropriate level of expertise, the following risks could materialize: deletion of own OU, loss of authentication, accidental deletion of OU objects. Keep in mind that OU admin accounts can be compromised as well.
Definition: Local admin account for College/Department level.
Guidelines: requirements for AD OU Admin account:
  i. 12 months of Active Directory experience, or
  ii. MS Certified Professional 2003 Server or later, or
  iii. MS IT Academy training suggested:
     1. Fundamentals of Windows Server 2008 Active Directory
     2. Configuring Windows Server 2008 AD Domain Services
     3. Installing and Configuring Windows 7 Client
     4. Planning and Managing Windows 7 Desktop Environments

2. Roaming Profiles
Background: Risk: if clients use roaming profiles, as they are stored in the Domain Controller, they could fill up the hard drive space for the domain controllers. More research to be done by EITS. Considering the size of today’s profiles, large profiles require a large amount of bandwidth, thus degrading network performance across the University.
Definition: Roaming profiles are not allowed. Is this currently being enforced?
Guidelines: a suitable alternative to roaming profiles would be re-directed folders.

3. Allowable accounts in MSMYID
Background: the following user account policy for MSMYID is being implemented to reduce conflicts with the centralized identity management solution.
Definition: only three types of accounts are allowed in MSMYID: a z-account, an s-account, and user accounts that are synced via edir. (Need to add/evaluate definitions for additional managed accounts. Review current limitations on naming conventions to help avoid conflicts with z- and s- accounts. Coordinate with identity management.) Pending review from INFOSEC/ID Management (Kristi Wall resend meeting invite).
  i. A z- account is used for OU Administrators and is a protected naming convention.
  ii. An s- account is used for Services that need to authenticate to the directory, and is a protected naming convention.
Guidelines: an EITS administrator will create the root z-account for an OU. After that, the OU administrator is allowed to create additional z-admin accounts for additional OU administrators and s-accounts for service applications such as backup products, anti-virus products, and management products.
  i. z-accounts belonging to OU admins shall not be used to create any other type of user accounts in the domain, with the exception of the above noted z- and s- admin accounts.
  ii. Z- and s- admin accounts shall not be used as generic, common user accounts.
  iii. EITS reserves the right to monitor and/or edit accounts not meeting the above criteria without prior notice to the OU administrator. (Change management process to be developed and applied here. Repercussions: deletion causes disruption of services provided by colleges/units IT staff; creation of duplicate accounts, creation of additional work for Sys admins, recursive loop error, ability to properly manage permissions.)

I don’t understand what the question is here. This is not optional nor negotiable. Accounts have to be protected in the directory at all costs. UGA has a central ID management system and it must be used/followed. If an account is created and it is outside the parameters listed above it will be disabled/deleted without prejudice.

Finished editing: Thursday Feb. 23

4. Trusts only 1 per college or 1 per top level department

5. Joining msmyid mandates that the organization (College/Department) has an OU in the domain
Background: An OU is used as a boundary and to keep computers and objects grouped together in an Active Directory (AD). One per college or department is needed so that OU admins may administer the computers, servers and objects for which they are responsible.
Definition: An OU or Organizational Unit is a container in AD that allows Enterprise or Domain Administrators to delegate rights and permissions to the appropriate OU administrator. The OU may contain computers, servers, printers, objects and in some domains user accounts.
Guidelines:
  i. Once the OU is created for the College or Department it is up to the department to manage the OU and its contents.
  ii. EITS’s CTS may be engaged for departments that do not have a full time System Administrator or IT professional who meets all the requirements for a Z admin account.
  iii. EITS may have policies at the root of the domain that cannot be blocked at the OU level.
  iv. Review Better Business Practices document (recommendations) and create new guidelines as appropriate/necessary.
  v. Create a template of recommended default container (OU) structure.
  vi. Allow exceptions process to let colleges/departments/support groups make their own determinations.

6. User access from off-campus to on-campus resources – follow INFOSEC guidelines. Available via VPN only.

7. EITS AD full-time staff members will be the only Enterprise Admin accounts and Domain Accounts.

8. Domain controller policies:
  a. OU admin should not have access to the enterprise Active Directory Domain Controllers
  b. OU Admin should not have access to change the configuration of the enterprise AD domain. They should have read only access to the sysvol. (requires more review/analysis)
  c. An OU Admin should not have remote access to the enterprise AD domain hardware.

Mon. Feb. 20 – review after this point

9. Domain controller recommendations:
  d. No physical or remote access to the DC

10. Configuration specific policies
  e. OU admins will not be able to override enforced enterprise GPOs created at the domain level. For example, GPOs used to apply password and security settings, as well as those used to enforce federal regulations and UGA policies, such as FERPA, HIPAA, etc.
  f. How are enterprise GPOs governed? This committee will formulate the policies and submit them for approval. More analysis required.
  g. If (GPO) is a centralized resource run by EITS, then (GPO) will be an enterprise GPO. (GPO exists or is managed at the Domain Controller level)
  h. Need representation from INFOSEC. Submit this document to INFOSEC.
  i. Require a definition for overrides to GPOs. Enforce GPOs blocking. They cannot be blocked. Examples:
     i. WSUS – is it going to be enforced in the future?
        1. Issues after enforcement (elaborate)
     ii. JAVA and Flash – deployments to be handled at the departmental level.
        1. Issues after enforcement (elaborate)
  j. Exceptions granted to departments who show a valid business need.

11. Group policies should be closely managed, otherwise, this could become uncontrollable.
  k. Risk: admin z-accts could create a GPO that could cause a load into the DC.
  l. Repercussion: MSmyID performance degradation, crash the directory,
  m. Scripts put in the SYSVOL (loading up SYSVOL): how large will SYSVOL be?

12. Naming conventions – Guideline – refer to AD Best Practices document

13. Scan machines before joining AD (for SSNs, and any other sensitive material/information, or financial information; plus FERPA and/or HIPAA). Reference UGA-INFOSEC policy regarding use of assets database.
• Is there a guideline on how this should be done? Checklist, procedures, tools (INFOSEC will provide)

14. Immediate/timely disablement of appropriate accounts on user’s departure is the responsibility of the OU admin.
  a. The OU Admin is responsible for securing accounts and objects within their OU.
  b. For MYID accounts OU Admin can only make a request.
     i. To EITS Help Desk
  c. Scenarios to be determined based on user’s privilege level
     i. Regular user
     ii. Admin user
     iii. OU admin user
        1. Need to research the impact of removing the account.
        2. (z-acct) must be done ASAP
  d. Moves to different department within UGA
  e. Promotions, changes in user’s role and scope, job function, etc.

15. Appropriate guest access. Requires more analysis from the ID Management perspective.
  f. Wireless guest access, call the help desk to get a temporary account
  g. To Active Directory, call the help desk to get a temporary MYID account.
  h. Temporary access. Definition of temporary required. (INFOSEC) see UGA Policy already in place. Link to be included, for any policy

16. Non-institutional user access to our resources for outside collaborations. Further analysis required. Requires more analysis from the ID Management perspective. (INFOSEC)
  i. Call the help desk to get a temporary MYID account.
  j. Temporary access. Definition of temporary required.
  k. When does it become permanent?
  l. A review of this process is required. (INFOSEC) LINK OF EXISTING POLICY?
