Learning the Right Lingo


Before I dive into a discussion of Windows 2000 security features, a little vocabulary-building is in order. Perhaps more than any other part of Windows, the security subsystem is rife with acronyms and subtle, difficult-to-grasp concepts. To help get you started, here’s a quick tour of some of the important objects and principles you’re going to meet in this chapter; they’re covered in more detail later in the chapter, but this primer helps set the stage:

  • Many Windows objects, including user and computer accounts and some types of groups, have security identifiers (SIDs). The SID is a unique, never-reused code that identifies an account for access control purposes; permissions are always attached to SIDs, not to account names, which is why renaming an account does not change what it can access.

  • Any object that has a SID can be named in access control decisions. SID-carrying objects that can log on (user and computer accounts again) are known as security principals.

  • When a principal attempts to log on, its credentials are authenticated by the Windows Local Security Authority (LSA) service. The LSA can authenticate a principal against the local account database or a remote domain controller using a variety of authentication protocols. On success it builds an access token for the principal that carries the principal’s own SID plus the SIDs of all the groups it belongs to; that token is what later access checks examine.

  • Windows is responsible for providing access control services to Exchange. To do so, the Windows 2000 Security Reference Monitor (SRM) compares the SIDs in a requestor’s access token (the account’s own SID and those of its groups) against the entries in an object’s permission list. This permission list is known as a discretionary access control list (DACL), and each entry in it is an access control entry (ACE): a SID, a set of permissions, and a flag saying whether those permissions are allowed or denied. The SRM walks the ACEs in order; a deny ACE that matches the requestor blocks the request, and the request is granted only if the matching allow ACEs together cover every permission asked for.

  • The DACL is contained in an object called the security descriptor (SD). Every securable object in a Windows 2000 system has an SD; along with the DACL, the SD records the object’s owner (who can always read and change the DACL), optionally a system ACL (SACL) that controls auditing, and flags that indicate whether the DACL was inherited from a parent object or set explicitly. Exchange-specific objects like administrative groups and mailbox stores have a second SD, called the Admin SD, that contains Exchange-specific administrative permissions.

  • Windows objects can be grouped together in various types of groups. Security groups carry SIDs and can be granted or denied permissions in a DACL; distribution groups exist only for addressing e-mail and cannot be used in access control.
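To make the access-check description above concrete, here is a small Python model of the algorithm the SRM applies: a token’s SIDs are matched against the ACEs of a DACL in order, deny ACEs stop the request, allow ACEs accumulate granted rights, and the owner is implicitly allowed to read and change the DACL. This is an added illustration, not code from the book or from Windows; the SIDs (other than the well-known Everyone, Authenticated Users and Administrators SIDs), the object, and the helper names `access_check` and `canonical_order` are constructed for the example.

```python
"""Model of the access check the Windows Security Reference Monitor (SRM)
performs when a security principal requests access to an object: the SIDs in
the requestor's access token are compared against the access control entries
(ACEs) in the object's discretionary ACL (DACL).

Added illustration; it follows the documented algorithm but is not Windows
code. Object, rights and the domain SIDs below are constructed examples."""
from dataclasses import dataclass, field
from typing import Optional

# Access-right bits (the standard-rights values match the Win32 constants).
FILE_READ      = 0x0001
FILE_WRITE     = 0x0002
DELETE         = 0x00010000
READ_CONTROL   = 0x00020000   # read the security descriptor
WRITE_DAC      = 0x00040000   # modify the DACL

# Well-known SIDs plus constructed domain SIDs for two accounts.
EVERYONE       = "S-1-1-0"
AUTH_USERS     = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
ALICE          = "S-1-5-21-100-200-300-1105"   # constructed example user
DOMAIN_ADMIN   = "S-1-5-21-100-200-300-500"    # constructed example admin


@dataclass
class Ace:
    """One access control entry: allow or deny `mask` to `sid`."""
    allow: bool
    sid: str
    mask: int
    inherited: bool = False      # set on ACEs propagated from a parent object


@dataclass
class SecurityDescriptor:
    owner: str
    dacl: Optional[list] = field(default_factory=list)   # None = no DACL at all


@dataclass
class Token:
    """The part of an access token the SRM consults: user SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset = frozenset()

    def sids(self) -> frozenset:
        return self.group_sids | {self.user_sid}


def canonical_order(dacl):
    """Sort ACEs the way Windows tools write them: explicit before inherited,
    and within each of those, deny before allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Return True if every bit in `desired` is granted to `token` by `sd`."""
    # A NULL DACL (not the same as an empty one) means no protection at all.
    if sd.dacl is None:
        return True
    sids = token.sids()
    granted = 0
    # The owner may always read and change its own object's DACL.
    if sd.owner in sids:
        granted |= desired & (READ_CONTROL | WRITE_DAC)
    # Walk the DACL in order; the first ACE to decide a right wins, which is
    # why a deny ACE placed after a matching allow ACE has no effect.
    for ace in sd.dacl:
        if granted == desired:
            break
        if ace.sid not in sids:
            continue
        if ace.allow:
            granted |= ace.mask & desired
        elif ace.mask & desired & ~granted:
            return False           # a still-needed right is explicitly denied
    return granted == desired      # an empty DACL grants nothing


def demo():
    alice = Token(ALICE, frozenset({EVERYONE, AUTH_USERS}))
    admin = Token(DOMAIN_ADMIN, frozenset({EVERYONE, ADMINISTRATORS}))

    # Constructed object: Everyone may read and write, Alice is explicitly
    # denied write, Administrators (the owner) get everything.
    store = SecurityDescriptor(owner=ADMINISTRATORS, dacl=canonical_order([
        Ace(True,  EVERYONE, FILE_READ | FILE_WRITE, inherited=True),
        Ace(False, ALICE,    FILE_WRITE),
        Ace(True,  ADMINISTRATORS, FILE_READ | FILE_WRITE | DELETE | WRITE_DAC),
    ]))
    empty = SecurityDescriptor(owner=ADMINISTRATORS, dacl=[])
    null  = SecurityDescriptor(owner=ADMINISTRATORS, dacl=None)
    # Same ACEs with the deny placed *after* the allow: the deny never fires.
    misordered = SecurityDescriptor(owner=ADMINISTRATORS, dacl=[
        Ace(True,  EVERYONE, FILE_READ | FILE_WRITE),
        Ace(False, ALICE,    FILE_WRITE),
    ])
    return {
        "alice_read":               access_check(store, alice, FILE_READ),
        "alice_write":              access_check(store, alice, FILE_WRITE),
        "admin_delete":             access_check(store, admin, DELETE),
        "admin_write_dac_as_owner": access_check(empty, admin, WRITE_DAC),
        "alice_on_empty_dacl":      access_check(empty, alice, FILE_READ),
        "alice_on_null_dacl":       access_check(null,  alice, DELETE),
        "alice_write_misordered":   access_check(misordered, alice, FILE_WRITE),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:26s} {'granted' if ok else 'denied'}")
```

Two things the model makes visible that the prose glosses over: an empty DACL denies everyone except the owner’s implicit rights, while a missing (NULL) DACL grants everyone everything, and ACE order matters, which is why administrative tools always write explicit deny ACEs ahead of allow ACEs.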

With these concepts firmly in mind, let’s see how Windows 2000 provides the foundation services on which Exchange depends.




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
Year: 2003
Pages: 169