More about Objects, Rights, and Permissions


Before you can revel in the details of the rights and permissions that apply to Windows 2003, you should ponder some technical terminology. That's why we take a brief detour to dictionary-ville - right here, right now.

An object lesson

KEY CONCEPT 

Windows 2003 treats all user-accessible system resources - including users, groups, files, directories, printers, and processes - as objects. The term object has special meaning to programmers and tech-heads: This term refers to a named collection of attributes and values, plus a named collection of methods, which Microsoft calls services.

For example, a file object has a variety of attributes that you already know about if you've spent any time at all around computers: Files have names, types, lengths, owners, plus creation and modification dates. For an object, each attribute also has an associated value; therefore, the attributes and values of an object that is a file might be as follows:

  • Name: BOOT.INI.

  • Type: Configuration settings.

  • Contents: Information on how to boot Windows 2003. (Windows 2003 can locate and read the contents using the drive's file directory.)

  • Size: About 1KB.

Attributes identify individual objects of some specific type - in this case, a type of file - and define what they contain, where they're located, and so on.

On the other hand, it may not be so readily apparent why methods or services are important for objects. If you examine a file object, you can see that its methods describe operations that you would want to apply to a file. Therefore, the methods or services that apply to file objects include things such as read, write, execute, delete, rename, and other typical file operations. In short, methods define the operations that can be applied to a particular object. Among other things, this makes objects pretty much self-defining because they include in their attributes complete descriptions of themselves and include in their methods or services complete descriptions of what you can do to them. Other object types have different associated methods or services that reflect the objects' capabilities and the data that the objects contain.

KEY CONCEPT 

When you examine the attributes for specific objects in Windows 2003, things start getting pretty interesting. Every single attribute of every single object has an ACL, or access control list (this is sometimes pronounced ackle, to rhyme with cackle). ACLs identify those individual user accounts or groups that may access a particular object (or one of its attributes) and also indicate which services each user or group may apply to that object (or one of its attributes). Administrators use ACLs to control access to objects (and, logically, their attributes), giving themselves free rein to troubleshoot objects while limiting ordinary users' abilities to accidentally (or purposefully) harm the system.

When is a file not an object?

KEY CONCEPT 

Windows 2003 uses objects for just about anything in its operating environment that users can access. In fact, NTFS volumes, directories, and files are Windows 2003 objects with associated attributes and a set of well-defined services that may be applied to those objects. However, because older FAT file systems (and the newer Windows 98 FAT32) do not include built-in support for ACLs, FAT and FAT32 files are not objects. Therefore, even though FAT and FAT32 volumes, directories, and files still have attributes similar to those for NTFS files (namely, name, type, creation date, modification date, and so forth), FAT and FAT32 volumes, directories, and files are not Windows 2003 objects, per se. The lack of built-in support for ACLs explains why FAT volumes and their contents are inherently insecure (because normal permissions don't apply to them).

More importantly, this also explains why the default logon behavior for Windows Server 2003 is to deny everyone but administrators, server operators, backup operators, and printer operators the right to log on locally. That's because anyone who can access a FAT or FAT32 volume can do anything they want to it. By denying ordinary users the right to log on to a Windows Server 2003 at its keyboard and requiring them to log on only through the network, Windows 2003 can control access to FAT and FAT32 volumes through shares. Shares function as Windows 2003 objects and therefore have built-in access controls.

Users have rights; objects have permissions

REMEMBER 

In Windows 2003, the standard terminology is to refer to user rights and object permissions. Because object permissions is rather vague, you usually hear permissions used in reference to a specific class of object, such as file permissions and printer permissions.

A user's rights define what he or she can do to objects (or their attributes) in the Windows 2003 environment. A user obtains rights to objects in one of three ways:

  • The rights are explicitly assigned to an individual user account.

  • The rights are assigned to the groups to which the user belongs. This is where users can be granted privileges to perform specific tasks, such as backing up files and directories.

  • The rights are assigned through the Group Policy window. To access that window, open one of the Active Directory Administrative tools and right-click a site, an organizational unit, a domain, or a local computer. Choose Properties, click the Group Policy tab, and then click Edit. You edit user rights in the Group Policy window under Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.

When a user logs on to a Windows 2003 domain (or a stand-alone system), a special key called an access token is generated. The access token represents the user's explicit individual rights and the groups to which the user belongs. It takes some time to generate an access token, which is one reason why logging on to Windows 2003 isn't instantaneous.

Every object (and its attributes) in the Windows 2003 environment includes an attribute called permissions (which is found on the Security tab of each object). This permissions attribute includes an ACL that identifies all the users and groups allowed to access the object's attributes as well as the services that each user or group may apply to the object's attributes. Each time a user requests an object, Windows 2003 uses a built-in facility called the Security Reference Monitor (SRM) to check the user's access token against the permissions for that object. If the SRM finds that the user has permission, Windows 2003 fulfills the request; otherwise, the user is out of luck. It's possible for users to have access to specific attributes of objects, but not other attributes. For example, Nancy may be granted access to view part of JoAnne's account information, such as her telephone number, but not JoAnne's street address.
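As an added illustration (not from the book), here is a simplified model of the check described above: the access token built at logon (the user plus his or her groups) is compared, entry by entry, against the object's ACL, following the Windows rule that entries are evaluated in order, a matching deny entry refuses the request at once, and the request is granted only when allow entries cover every requested service. The names, service flags, and attribute-scoped entries (the Nancy/JoAnne case) are constructed for the example; real Windows ACLs hold SIDs and GUIDs rather than names.

```python
from dataclasses import dataclass, field

READ, WRITE, DELETE = 1, 2, 4          # constructed bit flags for "services"

@dataclass
class AccessToken:                     # built at logon: user plus group membership
    user: str
    groups: frozenset = frozenset()

    def sids(self):
        return {self.user} | set(self.groups)

@dataclass
class ACE:                             # one entry in an object's ACL
    trustee: str                       # user or group name
    allow: bool                        # True = allow entry, False = deny entry
    mask: int                          # services this entry covers
    attribute: str = None              # None = whole object; else one attribute

@dataclass
class SecuredObject:
    name: str
    acl: list = field(default_factory=list)   # the object's "permissions" attribute

def access_check(token, obj, requested, attribute=None):
    """Simplified SRM check: does the token hold every requested service on the object/attribute?"""
    granted = 0
    for ace in obj.acl:                                    # ACEs evaluated in order
        if ace.trustee not in token.sids():
            continue
        if ace.attribute is not None and ace.attribute != attribute:
            continue                                       # scoped to another attribute
        if not ace.allow:
            if ace.mask & requested:                       # matching deny wins at once
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:                       # all requested services allowed
                return True
    return False                                           # ACL exhausted: implicit deny

# Constructed sample: JoAnne's account object. Nancy may read the telephone
# number but is denied the street address; Domain Admins may do anything.
joanne = SecuredObject("CN=JoAnne", acl=[
    ACE("Nancy", False, READ, attribute="streetAddress"),
    ACE("Nancy", True, READ, attribute="telephoneNumber"),
    ACE("Domain Admins", True, READ | WRITE | DELETE),
])
nancy = AccessToken("Nancy", frozenset({"Domain Users"}))
ed = AccessToken("Ed", frozenset({"Domain Users", "Domain Admins"}))
```

Note that Nancy's two entries say nothing about the object as a whole, so a request for the whole object (attribute left as None) falls through to the implicit deny at the end of the ACL.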



Windows Server 2003 for Dummies
ISBN: 0764516337
Year: 2003
Pages: 195
