Object-Based Access Control


In addition to authenticating users, administrators control access to resources, or objects, on the network. To do this, they assign a security descriptor to each securable object, including the objects stored in Active Directory. A security descriptor records the object's owner, lists the users and groups that are granted or denied access to the object together with the specific permissions assigned to each (the discretionary access control list, or DACL), and specifies which access events are to be audited for the object (the system access control list, or SACL). Examples of Active Directory objects include users, computers, and organizational units (OUs). By managing these properties on objects, administrators can set permissions, assign ownership, and monitor user access.

Administrators can control access not only to a specific object but also to a specific attribute of that object. For example, through proper configuration of an object's security descriptor, a user can be allowed to read only a subset of the information it holds, such as employees' names and telephone numbers but not their home addresses. To secure a computer and its resources, you must take into consideration the rights that users will have:

  • You can secure a computer or multiple computers by granting users or groups specific user rights.

  • You can secure an object, such as a file or folder, by assigning permissions to allow users or groups to perform specific actions on that object.

Access Control Concepts

Permissions define the type of access granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat. Permissions are applied to any securable object, such as a file, an Active Directory object, or a registry key. Permissions can be granted to any user, group, or computer. (It is good practice to assign permissions to groups rather than to individual users, so that membership changes do not require editing every object.) The permissions available for an object depend on the type of object. For example, the permissions that can be attached to a file are different from those that can be attached to a registry key. You can assign permissions for objects to the following:

  • Groups, users, and special identities in the domain

  • Groups and users in that domain and any trusted domains

  • Local groups and users on the computer where the object resides

When you set up permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print from it. If you need to change the permissions on an individual object, you can start the appropriate tool and change the properties for that object. For example, to change the permissions on a file, you can run Windows Explorer, right-click the filename, and click Properties. On the Security tab, you can change permissions on the file.

An owner is assigned to an object when that object is created. By default, the owner is the creator of the object (when the creator is a member of the local Administrators group, the Administrators group becomes the owner by default). No matter which permissions are set on an object, the owner can always change the permissions on it, because ownership implicitly carries the Read Permissions and Change Permissions rights. A user who holds the Take Ownership permission on the object, or the Take Ownership privilege on the computer, can make himself or herself the owner and thereby gain the same control.

Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, files created within a folder inherit the permissions of the folder. Only permissions marked as inheritable are inherited, and inheritance can be blocked on a child object, in which case the child keeps only its explicitly assigned permissions.
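The three points above (assigning permissions to a group, ownership, and inheritance from a folder to the files created in it) can be exercised from PowerShell, which exposes the same security descriptors that the Security tab in Windows Explorer edits. The script below is an added example and is not part of the book; it assumes an elevated session on a current version of Windows, a group named Finance that already exists, and a made-up path under C:\Data.

```powershell
# Added example (not from the book). Grants the Finance group Read and Write on a
# payroll folder, creates a file inside it, and shows that the file inherited the
# entry and who owns it. Assumes an elevated session, an existing "Finance" group,
# and the constructed path below.
$folder = 'C:\Data\Payroll'
$group  = 'Finance'

New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Build an access control entry (ACE): Allow Read + Write, and mark it inheritable
# by both subfolders (ContainerInherit) and files (ObjectInherit).
$rights      = [System.Security.AccessControl.FileSystemRights]'Read, Write'
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$ace = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $group, $rights, $inherit, $propagation,
    [System.Security.AccessControl.AccessControlType]::Allow)

# Read the folder's current DACL, add the entry, and write it back.
$acl = Get-Acl -Path $folder
$acl.AddAccessRule($ace)
Set-Acl -Path $folder -AclObject $acl

# A file created inside the folder picks up the inheritable entry automatically.
$file = Join-Path $folder 'Payroll.dat'
Set-Content -Path $file -Value 'constructed sample content'

$fileAcl = Get-Acl -Path $file
"Owner of {0}: {1}" -f $file, $fileAcl.Owner

# The Finance entry on the file is flagged IsInherited = True; no permission was
# set on the file itself.
$fileAcl.Access |
    Where-Object { $_.IdentityReference.Value -like "*\$group" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

If the Finance entry does not show up on the file, check whether inheritance has been disabled on the file (the Advanced view of the Security tab, or `$fileAcl.AreAccessRulesProtected`), since a protected object ignores inheritable entries from its container.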

Effective Permissions

The Effective Permissions tab is a new, advanced option in Windows Server 2003. It lets you see all of the permissions that apply to a security principal for a given object, including the permissions derived from memberships in security groups. The Effective Permissions tab is shown in Figure 5-1.

Figure 5-1. The Effective Permissions tab is new with Windows Server 2003.


To view the effective permissions for a user or group, perform the following steps:

  1. On the Effective Permissions tab, click the Select button to open the Select User Or Group dialog box.

  2. In the Name box, type the name of the built-in security principal, group, or user for which you would like to view Effective Permissions.

  3. Optionally, click the Object Types button, and then select Built-In Security Principals, Groups, or Users.

  4. Click OK.

Note

If the security principal is network based, you can click Locations and select a target, or you can type in the domain name together with the group name, such as reskit\users. It's important to specify the correct object types and the locations for your search. Failure to do so will result in an error message and the suggestion that you refine your search before searching again.
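The Effective Permissions tab combines every access control entry that applies to the principal, whether it names the user directly or one of the groups the user belongs to, and lets Deny entries override Allow entries. The following script is an added example, not from the book, that reproduces that calculation for the currently logged-on user on a single file by walking the DACL and matching each entry's SID against the SIDs in the user's logon token. It is deliberately narrower than the tab: it ignores the implicit rights of the owner and of privileges such as Back up files and directories, and it looks only at NTFS permissions, not share permissions. The path is assumed.

```powershell
# Added example (not from the book). Approximates the Effective Permissions tab for
# the current user on one file: Allow entries that match the user's SID or any of
# the user's group SIDs are accumulated, and Deny entries matched the same way are
# subtracted. Owner-implicit rights and privileges are not modelled. Path is assumed.
$Path = 'C:\Data\Payroll\Payroll.dat'

# The logon token already contains nested group memberships, so reading the SIDs
# from it is the same membership expansion the tab performs for the current user.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids   = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

$acl     = Get-Acl -Path $Path
$allowed = 0
$denied  = 0

foreach ($ace in $acl.Access) {
    # Compare SIDs, not display names, so renamed accounts still match.
    try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { continue }   # unresolvable (for example, deleted) account: cannot apply to this user
    if ($mySids -notcontains $sid) { continue }

    if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow) {
        $allowed = $allowed -bor [int]$ace.FileSystemRights
    } else {
        $denied  = $denied  -bor [int]$ace.FileSystemRights
    }
}

# Effective access = union of matching Allow bits, minus any bit a matching Deny sets.
$effective = $allowed -band (-bnot $denied)

[pscustomobject]@{
    Principal = $identity.Name
    Object    = $Path
    Allowed   = [System.Security.AccessControl.FileSystemRights]$allowed
    Denied    = [System.Security.AccessControl.FileSystemRights]$denied
    Effective = [System.Security.AccessControl.FileSystemRights]$effective
}
```

Because the script reads group membership from the current logon token, it reflects the groups the user had at logon, which is also what the operating system enforces; a group the user was added to after logging on will not count until the next logon, on the command line and in the real access check alike.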


User Rights

User rights grant specific privileges (for example, Back up files and directories) and logon rights (for example, Allow log on locally) to users and groups in your computing environment. Unlike permissions, which are attached to an individual object, user rights apply to the computer as a whole and are assigned through security policy (Local Security Policy or Group Policy) rather than through an object's security descriptor.

Object Auditing

You can audit users' access to objects. Auditing requires two settings: an audit policy that enables object-access auditing on the computer, and audit entries (the SACL) on the object itself that name the principals and the access types to record. You can then view these security-related events in the security log with the Event Viewer.
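Putting both halves of that together, the script below is an added example (not from the book) that enables file-system object-access auditing, adds a success-and-failure audit entry for the Finance group to the payroll file, and then reads back the resulting events from the security log. It uses auditpol and Get-WinEvent, which are tools of current Windows versions rather than of Windows Server 2003, and it assumes an elevated session (writing a SACL needs the Manage auditing and security log privilege), an existing Finance group, and the same constructed path as above.

```powershell
# Added example (not from the book). Turns on "File System" object-access auditing,
# adds a SACL entry for the Finance group on the payroll file, and lists the access
# events that auditing produced. Requires an elevated session; the group and path
# are assumed.
$file  = 'C:\Data\Payroll\Payroll.dat'
$group = 'Finance'

# 1. Audit policy: record both successful and failed file-system object access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Object SACL: audit Read and Write attempts by the group, success and failure.
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $group,
    [System.Security.AccessControl.FileSystemRights]'Read, Write',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

$acl = Get-Acl -Path $file -Audit      # -Audit is needed to read and write the SACL
$acl.AddAuditRule($auditRule)
Set-Acl -Path $file -AclObject $acl

# 3. Read the events back. Event ID 4663 is "An attempt was made to access an object";
#    in its event data, field 1 is SubjectUserName, field 6 is ObjectName and field 8
#    is the list of accesses requested.
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -eq $file } |
    Select-Object TimeCreated, Id,
        @{ n = 'Account';  e = { $_.Properties[1].Value } },
        @{ n = 'Accesses'; e = { $_.Properties[8].Value.Trim() } } |
    Format-Table -AutoSize
```

Events appear only for principals that match an audit entry on the object, so a member of Finance opening the file with Notepad (a Read) produces a 4663 entry while a user outside the group, with no matching SACL entry, does not; enabling the policy without adding SACL entries records nothing for this file.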

Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153