1
00:00:06,350 --> 00:00:14,510
Having a secure authentication process is one of the most important security components of your domain

2
00:00:14,510 --> 00:00:22,000
environment, and you should consider the following factors when implementing secure authentication.

3
00:00:22,250 --> 00:00:31,640
You have to consider securing user accounts and passwords, securing groups with elevated permissions,

4
00:00:31,850 --> 00:00:40,580
auditing critical object changes, deploying secure authentication and securing network activity,

5
00:00:40,820 --> 00:00:45,710
establishing deprovisioning and cleanup processes.

6
00:00:45,890 --> 00:00:49,840
Now, let's talk about each of these aspects in more detail.

7
00:00:50,090 --> 00:00:53,120
Secure user accounts and passwords.

8
00:00:53,240 --> 00:00:58,010
It is very important to secure user accounts and passwords.

9
00:00:58,160 --> 00:01:07,280
And you do this by configuring and utilizing technical components such as configuring passwords and

10
00:01:07,280 --> 00:01:17,780
account policies, and also by educating your users about how to create and use complex and lengthy

11
00:01:17,780 --> 00:01:18,680
passwords.

12
00:01:18,840 --> 00:01:28,410
If you support lengthy passwords, teach your users how to use passphrases to replace passwords.

13
00:01:28,610 --> 00:01:33,320
The next aspect is to secure groups with elevated permissions.

14
00:01:33,470 --> 00:01:37,550
Every organization has groups with elevated permissions.

15
00:01:37,820 --> 00:01:44,600
These groups include the Domain Admins, Schema Admins and Enterprise Admins groups.

16
00:01:44,810 --> 00:01:50,480
Implementing secure management processes for these groups is important.

17
00:01:50,750 --> 00:01:59,750
For example, you might limit who knows the passwords for members of these groups and ensure that all

18
00:01:59,750 --> 00:02:07,520
administrators have special administrative accounts and that they are signing in only with those accounts

19
00:02:07,520 --> 00:02:11,780
when performing administrative tasks for these groups.

20
00:02:11,960 --> 00:02:17,400
You can also use the Restricted Groups settings in Group Policy.

21
00:02:17,660 --> 00:02:21,800
The next aspect is to deploy secure authentication.

22
00:02:22,040 --> 00:02:31,460
Two-factor authentication is the key to achieve heightened security beyond regular username and password

23
00:02:31,460 --> 00:02:32,450
credentials.

24
00:02:32,600 --> 00:02:42,500
It is common to use smart cards to secure authentication or implement multifactor authentication with

25
00:02:42,500 --> 00:02:43,760
mobile phones.

26
00:02:43,910 --> 00:02:53,180
Smart cards have a stored certificate that acts as a user's credentials to sign in rather than a username

27
00:02:53,180 --> 00:02:55,460
and password to authenticate.

28
00:02:55,460 --> 00:03:06,500
By using a smart card, you must possess the card and you must have the personal ID number, or PIN, or

29
00:03:06,650 --> 00:03:09,170
password to unlock the private key.

30
00:03:09,470 --> 00:03:17,480
The combination of the public key known to the domain controller and the private key on the smart card

31
00:03:17,720 --> 00:03:22,460
enables the domain controller to authenticate the user.

32
00:03:22,670 --> 00:03:30,950
You also can enforce the use of smart cards if users want to access additional apps

33
00:03:31,190 --> 00:03:36,010
and resources. If you use smartphones

34
00:03:36,080 --> 00:03:44,780
as the second factor for authentication, you can require users to use the application, text message or

35
00:03:44,960 --> 00:03:47,610
phone to prove their identity.

36
00:03:47,900 --> 00:03:51,770
Next one is to secure network activity.

37
00:03:52,010 --> 00:03:59,470
Securing your network is necessary when trying to achieve a secure client-server infrastructure.

38
00:03:59,690 --> 00:04:08,840
If your organization supports wireless networks, ensure that all networks with access to your organization's

39
00:04:09,080 --> 00:04:18,440
servers are secure, preferably by using certificates. If required, provide public or guest networks

40
00:04:18,440 --> 00:04:27,410
to allow customers, partners or other non-employees to have Internet access rather than allowing them

41
00:04:27,620 --> 00:04:28,360
access

42
00:04:28,370 --> 00:04:32,510
to the corporate network. For your wired networks,

43
00:04:32,660 --> 00:04:41,540
consider device health attestation to prevent unknown devices from connecting to your network. For

44
00:04:41,540 --> 00:04:45,950
critical servers that host highly confidential information,

45
00:04:46,190 --> 00:04:56,250
consider enforcing Internet Protocol security, or IPsec, signatures or encryption to secure network communication.

46
00:04:56,510 --> 00:05:05,450
The next aspect is to establish deprovisioning and cleanup processes, basically provisioning in.

47
00:05:06,070 --> 00:05:16,300
As a new employee, by creating their account, group memberships, mailbox and other components that

48
00:05:16,300 --> 00:05:23,500
they need to work in your organization. Although provisioning is important, you should remember that

49
00:05:23,710 --> 00:05:32,230
the often forgotten deprovisioning is even more important. You must define and establish processes for

50
00:05:32,380 --> 00:05:34,460
employees who resigned.

51
00:05:34,720 --> 00:05:43,240
Also, consider other reasons an employee might take leave, such as parental leave. Define what type

52
00:05:43,240 --> 00:05:46,240
of access, if any, is necessary.

53
00:05:46,480 --> 00:05:53,560
Additionally, you should decide whether to deactivate accounts, delete accounts or remove accounts

54
00:05:53,560 --> 00:06:02,770
from certain groups such as general distribution lists or critical human resources apps, and decide

55
00:06:02,950 --> 00:06:10,360
whether to allow or prevent access by users who are outside your organization's network.

56
00:06:10,780 --> 00:06:19,630
A cleanup process is also necessary for domain members, such as for client computers, because they

57
00:06:19,630 --> 00:06:28,810
also are allowed to authenticate against the domain and a malicious user may utilize their credentials

58
00:06:28,810 --> 00:06:30,760
to compromise their network.

59
00:06:30,910 --> 00:06:40,090
Furthermore, ensure that there are no client computers or users that were created, but which have

60
00:06:40,090 --> 00:06:47,080
not been used to connect to the domain leaders because their passwords are default,

61
00:06:47,350 --> 00:06:55,870
well-known passwords which a malicious user might discover and utilize. And last but not least aspect is

62
00:06:55,870 --> 00:06:58,420
to secure client computers.

63
00:06:58,610 --> 00:07:06,580
If you want to secure your AD DS and Active Directory domain controllers, you must secure your client

64
00:07:06,580 --> 00:07:12,660
computers. Client computers cache the last ten logons by default.

65
00:07:12,910 --> 00:07:20,650
Therefore, if a computer, if a client computer is lost, you need to have a process by which you track

66
00:07:20,650 --> 00:07:29,530
accounts that signed in to them within the password change interval and you need to know how to reset passwords

67
00:07:29,680 --> 00:07:31,710
after a loss is reported.

68
00:07:31,900 --> 00:07:40,000
You also need to protect your internal network from client computers that connect from wired or wireless

69
00:07:40,000 --> 00:07:45,820
networks from homes, hotels and airports. To protect client computers,

70
00:07:45,820 --> 00:07:54,160
ensure that client computers have all security updates installed, that they have current antivirus protection

71
00:07:54,160 --> 00:08:03,340
and a host-based firewall, and consider using drive encryption such as BitLocker Drive Encryption.