Access control
policy, 423
role-based (RBAC), 417–28
Access control entries (ACEs), 332
inherited, 340
object type-based, 345–54
property-based, 349–50
Access control lists (ACLs)
in canonical order, 356–57
content, 332
discretionary, 333
elements, 332
inheritance, 337
in noncanonical order, 357
system, 333
types of, 333
version 4, 335
See also ACL editor; ACL evaluation
Access tokens
checking, 330
content, viewing, 331
Accinfo.dll, 65
Account lockouts, 60–67
defined, 60–61
disabling accounts and, 61
management tools, 64–67
policy, 63–64
policy settings, 63
process, 61–63
suggested policy settings, 64
ACL editor, 336–37
AD authorization information display, 348
GUI, 337
inheritance in, 339, 340
object independency, 336
object type-based ACEs in, 347
permissions display, 337
property-based ACEs in, 350, 351
setting inheritance in, 344
warning message, 343
See also Access control lists (ACLs)
ACL evaluation, 354–58
basic process, 354–55
canonical order, 355–56
example 1, 356
example 2, 357
missing DACLs and, 358
rules, 354
rules and order, 355–58
See also Access control lists (ACLs)
Active Directory (AD), 452–59
creation of PKI-related information in, 455
default, security descriptor changes, 361–63
domains, 33
functions, 34
link value replication, 363–64
LSA subprocess, 30–31
NTAUTH store, 520
object quotas, 364–67
permissions, 345
PKI integration, 453
PKI-related entries, 453–57
property sets, 350
querying, for PKI-related information, 458–59
security-specific replication mechanisms, 67–68
Windows Server 2003 PKI information, 453–55
AD4Unix AD schema, 272
AD-based mapping, 230–31
AD Domains and Trusts MMC snap-in, 72, 83
AD/LDAP repositories, 286–96
Administrative delegation, 381–90
defined, 381
examples, 387–90
guidelines, 386
help-desk scenario, 387
necessity, 382
networking service management delegation scenario, 388–90
organizational units (OUs), 382–83
setting up, 383–86
third-party AD delegation tools, 390
user self-management scenario, 387–88
Administrative templates, 692
Administrator groups, 374–77
Administrators, 377
Domain Admins, 375–76
on domain controllers, 375
Enterprise Admins, 376
list of, 375
on member servers, 375
See also Groups
Administrator pyramid, 374
Administrators group, 377
AdminSDHolder, 377–78
ADSIEdit tool, 458
Alockout.dll, 65
Aloinfo.exe, 65–66
Anonymous access, 123–24
enabling auditing for, 124
security options, 123
Application policies, 508–11
defined, 508
in end-entity/CA certificates, 510
example, 511
predefined, 509–10
Application programming interfaces (APIs), 317
authentication, 318
cloneprincipal, 358
CryptoAPI, 459–63
DPAPI, 487–89
Auditing, 712–20
enabling, for anonymous access, 124
enabling, for event categories, 126
Event Logs, 712–16
Event Viewer, 712–16
object-level, 718
setting up, 716–19
systems, 5
Audit policies
categories, 717
recommended for domain controllers, 718
Authenticating domain controller, 115
Authentication
APIs, 318
authorities, 102
basic, 214–18
certificate-based, 223–39
common protocols, 104
database, 108
delegation, 135–36, 164–74
digest, 218–21
event logging, 126–30
HTTP, 211–21
IIS, 207–40
integrated Windows, 221–23
interactive, 107–8
Kerberos, 113
methods overview, 105
multifactor, 103–4
mutual, 135
noninteractive, 108–11
NTLM-based, 116–20
packages, 107, 108
Passport-based, 223
process, 102
qualifying, 103–6
selective, 88–90
servers, 7, 158
strong, 105
troubleshooting, 125–32
Windows, 101–32
Windows and UNIX comparison, 261–62
Authentication architecture, 106–11
for interactive authentication, 107–8
for noninteractive authentication, 108–11
terminology, 106–7
Authentication infrastructures, 5, 7–9
authentication servers, 7
defined, 7, 102
software products, 7–8
terminology, 101–3
Web, 7
See also Trusted security infrastructures (TSIs)
Authenticators
content, 184
ticket relationship, 179
See also Kerberos
Authority Information Access (AIA)
configuring, from CA properties, 625
method, 584–85
settings, 618, 624–25
storage location, 625
Authorization, 329–91
basics, 329–30
decentralization to centralization shift, 12
decision making, 11
enforcement, 11
generic model, 329
intermediaries, 367–79
policy authorities, 13
policy management, 11
restrictive, settings, 359–60
scripts, 424
setting, based on object type, 346
setting, based on property, 346–50
setting, with extended rights, 350–54
tools, 390–91
Windows 2000 changes, 335–59
Windows 2003 changes, 359–67
Windows model, 330–34
Authorization infrastructures, 5
authorization policy authorities, 13
scope, 11
See also Trusted security infrastructures (TSIs)
Authorization Manager, 417
administration interface to, 423
architecture overview, 422
Authorization Policy Store, 424
authorization script support, 424
centralized access policy database, 422
concept illustration, 425
concepts, 424–26
deployment scenarios, 426–28
dynamic group support, 424
features, 424
hierarchical role model, 426
integrating, into trusted application model, 427
querying, 422
role-based access model, 417
Automatic Certificate Request Setup Wizard, 548, 549
Automatic key archival/recovery, 570–73
configuring, 573–74
process, 570–72
Automatic updates, 707
configuring, with GPO, 708
dialog box, 709
registry keys, 708