Chapter 10: Windows Server 2003 Authorization
Once an entity has been authenticated, we need some way to restrict its access to the resources that are available on a computer or in a domain. In most environments, not just anyone can access every computer or domain resource. This is the goal of an authorization service: It protects against unauthorized use and provides an answer to the questions: What can an entity do with a resource and how can it interact with the resource?
10.1 Authorization basics
Authorization always deals with two entities (illustrated in Figure 10.1): a subject that wants to access an object. Authorization is typically executed and enforced by a third entity that is generally referred to as the reference monitor. In a Windows environment, this third entity is known as the Security Reference Monitor (SRM). The SRM is the only key security component of the Windows OS that is running in the highly privileged OS kernel mode. It checks all access to resources as requested by code that is running in user mode.
Figure 10.1: Generic authorization model.
Authorization not only deals with access to visible Windows objects such as files, printers, registry keys, and AD objects. It also deals with access to less visible objects such as system processes and threads. Authorization also controls the ability to perform system-related tasks, such as changing the system time or the ability to shut down the system. Microsoft calls these system-related tasks user rights.
EAN: 2147483647
Pages: 137
- Challenging the Unpredictable: Changeable Order Management Systems
- Enterprise Application Integration: New Solutions for a Solved Problem or a Challenging Research Field?
- Context Management of ERP Processes in Virtual Communities
- Intrinsic and Contextual Data Quality: The Effect of Media and Personal Involvement
- A Hybrid Clustering Technique to Improve Patient Data Quality