Unified Directory Policy

I. Preamble

Students and employees at the University of Alaska are a mobile group. Students may move from campus to campus and employees frequently move and travel between campuses during routine work. There is a need for a single set of electronic identity credentials (usernames and passwords) that work at all UA campuses and permit users to access local resources. The Unified Directory (UD) service provides a centralized Active Directory for the University of Alaska.

II. Executive Summary

The purpose of this policy is to provide requirements and specific recommendations for the successful operation of the Unified Directory.

III. Scope

This policy applies to computer support personnel across the University of Alaska Anchorage MAU. It covers information regarding the design and naming conventions for UD, responsibilities for computer support personnel and compliance guidelines.

This is in addition to the relevant policies and regulations that govern Information Technology at the University of Alaska such as, but not limited to, the following:

IV. Statement of Policy

  1. General

    1. UD Forest

      The AD.ALASKA.EDU forest is composed of the domains UA.AD.ALASKA.EDU and APPS.AD.ALASKA.EDU. The UA.AD.ALASKA.EDU domain will house all user and workstation accounts for the University. Organizational Units (OUs) will be created for each Major Academic Unit (MAU), and OUs for departments and departmental user groups will be created therein. OU administrators will be delegated full control over any child objects created within their OUs.

    2. Forest Schema & Data Visibility

      The schema is the definition of all object classes and their attributes contained within Active Directory. The schema may be dynamically extended through the approval of the UD Change Advisory Board (CAB) and acknowledgment of the MAU CABs. Any proposed schema modification will be evaluated for potential conflicts (data ownership, privacy, security, etc.). Once the UD CAB has approved changes to the schema, the MAU CABs will be notified. Schema testing in a staged environment will occur before and during the request for modifications. Changes will only be implemented after two weeks of successful testing with no major issues identified. The data populated in AD reflects a view of Banner. The Unified Directory is updated from Banner data on a daily refresh cycle. New accounts are updated nightly.

    3. Account Synchronization

      The UD will be regularly populated by a directory synchronization process using a tool that extracts data from Banner and populates the objects in UD. Employee accounts will be automatically disabled within 24 hours after they are terminated in Banner; student accounts will be disabled, during the next automated provisioning run, after three semesters without enrollment in at least one course.

    4. Account Creation & Password

      Accounts within UD are maintained centrally through an automated account management system. When a person becomes affiliated with the University of Alaska and is entered into Banner, an account will be automatically created for them in the Unified Directory. Similarly, when a person is no longer affiliated with the University, their account will be disabled within UD when their status is updated within Banner. Centrally maintained accounts follow the UA Username standard. Only centralized AD accounts are allowed to use the UA Username standard; departmental and service accounts should follow the recommended naming conventions for UD defined below.

      In cases where departmental accounts must be created, a service request should be submitted to the central MAU IT Services support desk.

      Account passwords must meet the requirements of the university password policy as defined in the Password Complexity Requirements knowledge base article.

    5. Account Roles

      There are seven identified roles applicable at the university. An individual may have one or more of these roles assigned to their identity at some time during their association with the University of Alaska system.

      • Student - A person who has been admitted, is currently enrolled, or has been enrolled within the past three semesters. Privileges are automatically created when a person is admitted/enrolled by Enrollment Services as a student in Banner. Privileges include:
        • UA identity credentials permitting electronic access to campus and university services that require access; Students "claim" their identities at UAA's self-service identity portal (https://me.uaa.alaska.edu)
        • UAA e-mail address
        • UAA student e-mail service
        • Student privileges are revoked upon graduation or after 3 consecutive semesters without enrollment
      • Employee - A person who currently holds a faculty or staff position at the University. Privileges are automatically created when a person receives employee status and a work assignment from HR Services is entered in Banner. Privileges include:
        • UA identity credentials permitting electronic access to campus and university services that require access; Employees "claim" their identities at UAA's self-service identity portal (https://me.uaa.alaska.edu)
        • UAA e-mail address
        • UAA employee Exchange™ service
        • UAA personal network file storage
        • Employee privileges are revoked within 24 hours of termination in Banner.
      • Alumni - A University graduate (baccalaureate, graduate degree) who has applied for Alumni privileges prior to graduation. Current students who are within 3 months of graduation may apply for Alumni privileges at Alumni Relations. Privileges include:
        • Retain their UA identity
        • UAA e-mail address. Alumni will lose access to UAA student e-mail service, but retain their e-mail address. This permits them to forward all e-mail sent to their UAA e-mail address to a personal 3rd party e-mail service.
        • Alumni privileges are granted for 5 years (renewable)
      • Retiree - A University employee who has applied for Retiree privileges prior to formal retirement. Current employees who are within 3 months of retirement may apply for Retiree privileges at HR Services. Privileges include:
        • Retain their UA identity
        • Retain their UAA e-mail address
        • Retain their UAA employee Exchange™ service
        • Retiree privileges are granted for 5 years (renewable)
      • Emeritus - A person who is awarded Emeritus status by the Chancellor's office. Emeritus status is exclusively granted by the Chancellor's office. Privileges include:
        • Retain their UA identity
        • Retain their UAA e-mail address
        • Retain their UAA employee Exchange™ service
        • Retain their UAA personal network storage (limited to 3GB)
        • Emeriti privileges are granted for 5 years (renewable)
      • Affiliate - A person who is working for a University department and is not an employee. This may include some forms of consultants as well as affiliate faculty (e.g. WWAMI faculty). Privileges are automatically created when an Affiliate is entered into Banner by HR Services. Privileges include:
        • UA identity credentials permitting electronic access to campus and university services that require access; Affiliates "claim" their identities at UAA's self-service Identity portal (https://me.uaa.alaska.edu)
        • UAA e-mail address
        • UAA employee Exchange™ service
        • UAA personal network file storage
        • Affiliate privileges are revoked within 24 hours of termination in Banner
      • Patron - A person who doesn't already hold Student, Employee, Alumni, Retiree, or Emeritus status, who is performing work for a UA-affiliated department and who is sponsored by a UA Department Manager. A sponsoring UA manager requests Patron status for a person who meets these criteria. Privileges are automatically created when a Patron is entered into Banner by the IT Call Center. Privileges include:
        • UA identity credentials permitting electronic access to campus and university services that require access; Patrons "claim" their identities at UAA's self-service identity portal (https://me.uaa.alaska.edu)
        • UAA e-mail address. They will be able to set a forward for this e-mail address to direct all messages received to a personal 3rd party e-mail service
        • Patron privileges are granted for 1 year (renewable)
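
The lifecycle rules in the role list above (disable within 24 hours of termination for employees and affiliates, three consecutive unenrolled semesters for students, 5-year and 1-year renewable grants for the remaining roles) can be checked against a directory export. The following is an added example written for this page, not UA's provisioning tool: the record fields, the treatment of a renewal as resetting the grant date, and the sample accounts are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
# Lifecycle rules from the Account Roles section; renewal is assumed to reset granted_at.
GRANT_YEARS = {"alumni": 5, "retiree": 5, "emeritus": 5, "patron": 1}
TERMINATION_SLA = timedelta(hours=24)   # employee/affiliate must be disabled within 24h
MAX_UNENROLLED_SEMESTERS = 3            # student limit: 3 consecutive semesters

@dataclass
class Affiliation:
    role: str
    terminated_at: Optional[datetime] = None  # employee / affiliate (from Banner)
    semesters_unenrolled: int = 0             # student
    graduated: bool = False                   # student
    granted_at: Optional[datetime] = None     # alumni / retiree / emeritus / patron

@dataclass
class Identity:
    username: str        # UA Username from Banner
    enabled: bool        # current state of the UD account
    affiliations: list = field(default_factory=list)

def add_years(d: datetime, years: int) -> datetime:
    try:
        return d.replace(year=d.year + years)
    except ValueError:   # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def affiliation_active(a: Affiliation, now: datetime) -> bool:
    """True if this single affiliation still confers privileges at `now`."""
    if a.role in ("employee", "affiliate"):
        return a.terminated_at is None or a.terminated_at > now
    if a.role == "student":
        return not a.graduated and a.semesters_unenrolled < MAX_UNENROLLED_SEMESTERS
    if a.role in GRANT_YEARS:
        return a.granted_at is not None and now < add_years(a.granted_at, GRANT_YEARS[a.role])
    raise ValueError(f"unknown role: {a.role!r}")

def expected_enabled(identity: Identity, now: datetime) -> bool:
    """An identity stays enabled while at least one of its roles is active."""
    return any(affiliation_active(a, now) for a in identity.affiliations)

def audit(identities, now: datetime) -> dict:
    """Compare UD state with the rules; return {username: finding} for mismatches."""
    findings = {}
    for ident in identities:
        should = expected_enabled(ident, now)
        if ident.enabled and not should:
            overdue = any(a.role in ("employee", "affiliate") and a.terminated_at
                          and now - a.terminated_at > TERMINATION_SLA
                          for a in ident.affiliations)
            findings[ident.username] = "disable overdue (24h SLA missed)" if overdue else "disable pending"
        elif not ident.enabled and should:
            findings[ident.username] = "enable"
    return findings

NOW = datetime(2024, 3, 1, 12, 0)   # evaluation time for the constructed export below (not real UA accounts)
SAMPLE = [
    Identity("jdoe1", True, [Affiliation("employee", terminated_at=datetime(2024, 2, 27, 9))]),
    Identity("asmith2", True, [Affiliation("employee", terminated_at=datetime(2024, 2, 27, 9)), Affiliation("student", semesters_unenrolled=1)]),
    Identity("bjones3", True, [Affiliation("student", semesters_unenrolled=3)]),
    Identity("clee4", False, [Affiliation("patron", granted_at=datetime(2023, 6, 1))]),
    Identity("dkim5", True, [Affiliation("alumni", granted_at=datetime(2019, 2, 28))]),
]
```

Running `audit(SAMPLE, NOW)` flags jdoe1 as overdue (terminated three days ago, still enabled), bjones3 and dkim5 as pending disables, and clee4 as an active patron that should be enabled; asmith2 stays enabled because the student role is still active.
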
    6. Forest Security

      The resources within UD are only accessible by domain members who have been specifically granted access to the resource by their administrators. By default, all enabled domain members have user access to resources when initially created. Administrators are encouraged to apply the appropriate ACLs and group permissions to objects they wish to secure from other users in UD. All domain controllers and servers maintained by MAU IT Services and OIT are routinely monitored for security vulnerabilities, and critical patches are immediately applied. UD requires all OU & Domain administrators to routinely evaluate their systems (both workstations & servers) for vulnerabilities and patch them in a timely fashion.

    7. AD DNS

      UD DNS services are centrally maintained by MAU IT departments. All computers participating in UD should utilize the UD DNS servers as their primary DNS servers.

    8. Support for OU Admins

      There will be several resources available to administrators for problem resolution. Administrators are required to attend a UD Active Directory course provided by MAU central IT departments. Administrators will be provided a mailing list which will be monitored by Enterprise Administrators. Employees and students should continue to use their local helpdesk or call center for support.

    9. Exchange E-mail

      The UD provides a global address list for the entire domain. UAA and UAS operate Exchange e-mail services for use by their respective staff and faculty.

    10. AD Communication

      Most communication will occur via the appropriate mailing list.

    11. Root Backup & Disaster Recovery Solution

      Each MAU is responsible for using disaster recovery strategies for maintaining business continuity.

    12. OU Design & Delegation

      Top-level OUs have been created for each MAU and will be maintained by the MAU central IT department. Additional OUs have been created for each Community Campus and major College/School/Organization. Administration can be delegated to an administrative security group which will hold access controls for administrators of the department identified by appropriate management. OU administrators have the ability to create child objects within their OUs. Everyone is required to adhere to the naming standard described below when creating objects within UD.

    13. Software License Compliance

      It is the responsibility of the department to ensure that all their desktops and servers are properly licensed. Although some CALs may be offered by MAU IT departments for specific Microsoft products, Administrators are strongly encouraged to stay abreast of all licensing needs within their environments.

  2. Role Types and Responsibilities

    1. Workstation Operator Responsibilities

      • Work closely with Organizational Unit Administrators, Domain Administrators, Enterprise Administrators, and MAU CABs.
      • Adhere to MAU device naming standards.
      • Unlimited workstation joins & disjoins from the domain.
    2. User Account Operator Responsibilities

      • Work closely with Organizational Unit Administrators, Domain Administrators, Enterprise Administrators, and MAU CABs.
      • Assist university patrons with identity password resets.
    3. Organizational Unit Administrator Responsibilities

      • Work closely with Domain Administrators, Enterprise Administrators, and MAU CABs.
      • Adhere to MAU device naming standards.
      • Provide UD support to their department.
      • Administer the writable attributes of the groups within their OU.
      • Add, Delete, & Maintain objects within their OU.
      • Add, Delete, Maintain & Troubleshoot GPOs.
      • Delegate administrative functions to authorized accounts & ensure policy compliance.
      • Maintain proper security groups and authorization policies.
      • Server licensing is required to be current.
      • Member server OS & hardware maintenance.
      • Keep workstations and member servers within their OUs secure.
      • Service packs & hotfixes should be kept up to date where applicable.
      • Servers should never be more than 1 service pack behind the current (except where required for business need).
      • Monitor member servers regularly.
      • Work with MAU IT to assure business continuity of member servers via monitoring, backups, and planning.
      • Follow all Workstation Operator responsibilities.
    4. Domain Administrator Responsibilities

      • Support staff are required to have working knowledge of Active Directory.
      • Maintain a well-documented infrastructure diagram of their respective environments, including descriptions of all services provided by servers participating in UD.
      • Must conform to and help evolve the DC standard build.
      • Abide by UD naming standards.
      • Maintain the appropriate level of security and patch revisions on their domain controllers.
      • Must coordinate any maintenance that may affect the UD (i.e. replication).
      • Keep current with proposed changes to the UD that are communicated by the UD CAB and other domain administrators.
      • Manage and maintain all local services, account creation and OU structures.
      • Keep a current contact list available for all OU Administrators.
      • Maintain internal change management procedures.
      • Keep highly available DCs, notifying the UD CAB when the server may become unavailable.
      • Must have a minimum of two (2) DCs. At least one of which must be a physical server.
      • DCs must be physically secured.
      • DCs should have a current hardware agreement with the vendor.
      • Adhere to secure account management process (disable/delete old accounts, automate process if applicable).
      • Must be on-call to resolve issues with your DCs after normal business hours.
      • Must have onsite support to resolve issues within your scope.
      • Must have a disaster recovery & backup/recovery solution for your DCs.
      • Coordinate with other domain administrators for unscheduled outages or major upgrades.
      • Utilize DC diagnostic tools such as DCDIAG.
      • Perform authoritative restore for AD objects in their domain.
      • Work closely with the Enterprise Administrators, and MAU CABs.
      • Follow all OU administrator responsibilities.
    5. Enterprise Administrator Responsibilities

      • Must participate in Schema update discussions & decisions.
      • Must participate in UD CAB.
      • Must train domain administrators in appropriate UD policies & procedures.
      • Follow all Domain Administrator responsibilities.
  3. Naming Conventions

    1. Purpose

      Provide a naming convention for all units within the University of Alaska Unified Directory that uniquely identifies workstations, servers, users, groups, OUs, GPOs and distribution lists in the NetBIOS, DNS, and LDAP name-spaces. The only way to ensure UD can be used effectively is to enforce naming standards. Aside from avoiding name collisions, naming standards allow users and administrators to efficiently search through thousands of objects and locate their resources and data.

    2. User Account Names

      UD user objects have account names and distinguished names that identify them within the Unified Directory. Most user accounts within the domain will be centrally managed and will have unique names. The user account name shall be identical to the UA Username already assigned to the person within Banner.

    3. Device Names

      UD workstations, servers, printers, network equipment and other objects should follow the recommended naming conventions of their MAU.

    4. Groups

      Unified Directory has two basic group types, security and distribution groups. Each group type has sub-categories that define the group's scope as domain local, global or universal. Follow the guidelines below when creating groups:

      • UAA - UD Group Naming Conventions knowledge base article
    5. Group Policy Objects

      When naming GPOs please use the following guidelines:

      mau_geo_dept_name

      • mau = The name of the major unit the department is associated with (e.g. UAA, UAS, UAF, SW)
      • geo = The geographical campus associated with the department (e.g. Anchorage, MatSu, etc.)
      • dept = the department, school, or college OU name
      • name = the name that identifies the purpose of the policy

      EXAMPLE: uaa_anc_it_OpenLabsIeSecuritySettings
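
An added example (not UA's own tooling) that parses and audits GPO names against the mau_geo_dept_name convention above; it assumes that mau, geo and dept are lowercase tokens, as in the example, that the MAU codes are the four the policy lists, and that the purpose name is alphanumeric.

```python
import re

# Component rules from the GPO naming guideline; the MAU codes are the ones the policy lists.
MAU_CODES = {"uaa", "uas", "uaf", "sw"}
TOKEN = re.compile(r"^[a-z0-9]+$")       # assumed: mau/geo/dept are lowercase tokens
PURPOSE = re.compile(r"^[A-Za-z0-9]+$")  # assumed: purpose name is CamelCase alphanumeric

def parse_gpo_name(gpo_name: str) -> dict:
    """Split mau_geo_dept_name into parts; raise ValueError naming the first violation."""
    parts = gpo_name.split("_", 3)       # purpose name keeps any later underscores
    if len(parts) != 4:
        raise ValueError("expected mau_geo_dept_name (4 underscore-separated components)")
    mau, geo, dept, name = parts
    if mau not in MAU_CODES:
        raise ValueError(f"unknown MAU code {mau!r}")
    for label, value in (("geo", geo), ("dept", dept)):
        if not TOKEN.match(value):
            raise ValueError(f"{label} must be a lowercase alphanumeric token")
    if not PURPOSE.match(name):
        raise ValueError("purpose name must be non-empty and alphanumeric")
    return {"mau": mau, "geo": geo, "dept": dept, "name": name}

def build_gpo_name(mau: str, geo: str, dept: str, name: str) -> str:
    """Assemble a compliant name from components, normalising prefix case and validating."""
    gpo_name = f"{mau.lower()}_{geo.lower()}_{dept.lower()}_{name}"
    parse_gpo_name(gpo_name)             # raises if the parts cannot form a compliant name
    return gpo_name

def audit_gpo_names(names) -> dict:
    """Return {gpo_name: problem} for every name in an exported list that breaks the convention."""
    problems = {}
    for n in names:
        try:
            parse_gpo_name(n)
        except ValueError as e:
            problems[n] = str(e)
    return problems

# Constructed GPO list (not a real export): one compliant name followed by four violations.
SAMPLE_GPOS = ["uaa_anc_it_OpenLabsIeSecuritySettings", "Default Domain Policy",
               "ucla_anc_it_LabLogon", "uaf_Fbx_cs_LabLogon", "uaa_anc_it_"]
```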

  4. Security Practices

    1. Types of Security

      The Unified Directory follows a Role Based Security Model (RBSM) as the guiding standard for access control.

      These are the security standards employed by the UD.

      • Physical Security - The physical location of the asset as well as measures taken to prevent unauthorized personnel from gaining access to the assets.
      • Directory Service Security - Security measures required to protect user and computer objects within directory services and the administration of directory services.
      • Application Security - Security measures required to protect access to or manipulation of application based assets and databases that they are tied to.
    2. Physical Security

      Physical security is concerned with the access control to sensitive facilities, or locations within a UA facility.

      • Visitors
        • Will need to check in upon arrival
        • Will need to have an IT escort while in any sensitive area
      • Assets: Inventory is kept in a secure location.
      • Access control lists and access codes will be maintained by the appropriate MAU operations and administrative teams.
      • Surveillance: Cameras are recommended in all sensitive areas and surveillance footage should be archived for a minimum of 60 days.
    3. Directory Service Security

      Directory Service Security: Access to the UA directory services is built on a Role Based Security Model (RBSM). All access by Domain Admins or higher will be documented. Any changes to the Enterprise Administrator group must be approved by the UASYS_CAB following the UD CAB process. There are seven main security groups within UA that are granted access to administer directory services:

      • Workstation Operators have access to join and disjoin an unlimited number of workstations to the UA domain.
      • User Account Operators have the permissions needed to create/manage/delete Users and Groups in the UA domain (except for the Domain Controllers OU, Administrators group, Domain Admins groups and their members) to assist university patrons with identity management.
      • OU Admins have the permissions needed to create/delete security groups and machine accounts based on the needs of the department. Assignment of this level of permission should follow the guidelines documented within this policy.
      • Domain Administrators in the UA domain have full control of the UA domain. Assignment of this level of permission should follow the guidelines documented within this policy.
      • Domain Administrators in the APPS domain have full control of the APPS domain. Assignment of this level of permission should follow the guidelines documented within this policy.
      • Enterprise Administrators have full control of the entire forest including AD, UA, and APPS domains. Assignment of this level of permission should follow guidelines documented within this policy. Each MAU is responsible for retaining one or more qualified EA.
    4. Application Security

      Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrades/patches, or maintenance of the application.

      1. Directory Enabled

        Application security will use one of the following three strategies, all with the goal of aligning with a centralized directory.

        • Best: Authentication is done against the directory. Authorization uses security groups from the directory.
        • Better: Authentication is done against the directory. Authorization uses application specific groups or roles.
        • Matched: Authentication and authorization are done using application users and groups. Usernames match directory usernames. Group names and roles match comparable directory groups.
      2. Encryption

        Applications will use SSL encryption for sensitive data that traverses outside of the CASE environments. Examples include HTTPS for web apps, VPN for data apps, LDAPS for Elmo, and sensitive communications like payroll or employee records.

      3. Service Accounts

        Wherever possible services/processes should run as domain user service accounts in the APPS domain to enforce a least privileged model and facilitate SSO. Domain user service accounts should follow the password policies.

  5. Compliance

    It is the responsibility of each UD administrator to maintain their UD environment as per the above specifications and guidelines. Department heads will be notified upon repeated violations by a UD administrator, and the impact on the entire University UD infrastructure will be explained to them. In cases of gross negligence or refusal to adhere to the agreed policy, MAU IT departments will take the necessary steps to ensure the integrity and ongoing operations of the Unified Directory.

    1. Enforcement

      Active monitoring and auditing will be done for policy compliance. Failure to comply with this policy can result in:

      • Notification of supervisor
      • Revocation of privileges
      • Disciplinary action
      • Legal action