The Windows Server 2003 Security Model


You control access to network resources with the components of the Windows Server 2003 security model. The key components you need to know about are the ones used for authentication and access controls.

Authentication Protocols

Windows Server 2003 authentication is implemented as a two-part process. That process consists of interactive logon and network authentication. When a user logs on to a computer, the interactive logon process authenticates the user's logon, which confirms the user's identity to the local computer and grants access to Active Directory directory service. Afterward, whenever the user accesses network resources, network authentication is used to determine whether the user has permission to do so.

Windows Server 2003 supports many network authentication protocols. The key protocols are:

  • Kerberos v5

    A standard Internet protocol for authenticating users and systems. It's the primary authentication mechanism for Windows Server 2003.

  • NT LAN Manager (NTLM)

    The primary Microsoft Windows NT authentication protocol. It's used to authenticate computers in a Windows NT domain.

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)

    The primary authentication mechanism used when accessing secure Web servers.

  • .NET Passport Authentication

    Passport authentication can be enabled for Microsoft Internet Information Services (IIS) 6.0. This enables you to use Active Directory information to authenticate Internet, intranet, and extranet users. For details, see Chapter 7, "Enhancing Web Server Security," of the Microsoft IIS 6.0 Administrator's Pocket Consultant (Microsoft Press, 2003).

A key feature of the Windows Server 2003 authentication model is that it supports Single Sign-On. Single Sign-On works in the following way:

  1. A user logs on to the domain by using a logon name and password or by swiping a smart card into a card reader.

  2. The interactive logon process authenticates the user's access. With a local account, the credentials are authenticated locally and the user is granted access to the local computer. With a domain account, the credentials are authenticated in Active Directory and the user has access to network resources.

  3. Now the user can authenticate to any computer in the domain through the network authentication process. With domain accounts, the network authentication process is automatic (through Single Sign-On). With local accounts, on the other hand, users must provide a user name and password every time they access a network resource.

Access Controls

Active Directory is object-based. Users, computers, groups, shared resources, and many other entities are all defined as objects. Access controls are applied to these objects with security descriptors. Security descriptors do the following:

  • List the users and groups that are granted access to objects

  • Specify permissions the users and groups have been assigned

  • Track events that should be audited for objects

  • Define ownership of objects

Individual entries in the security descriptor are referred to as access control entries (ACEs). Active Directory objects can inherit ACEs from their parent objects. This means that permissions for a parent object can be applied to a child object. For example, all members of the Domain Admins group inherit permissions granted to this group.

When working with ACEs, keep the following points in mind:

  • ACEs are created with inheritance enabled by default.

  • Inheritance takes place immediately after the ACE is written.

  • All ACEs contain information specifying whether the permission is inherited or explicitly assigned to the related object.
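The following Python script is an added example, not code from the book. It shows the pieces a security descriptor carries (owner, group, DACL, SACL) and the inherited-versus-explicit marking on each ACE by parsing a descriptor written in Windows' Security Descriptor Definition Language (SDDL), then running a simplified version of the Windows access check against it. The descriptor, the SID alias table (a small subset of the real one) and the token SIDs are constructed for the demonstration; the expansion of GENERIC_ALL into the other rights is a simplification that stands in for the object-type-specific generic mapping Windows would apply.

```python
"""Parse an SDDL security descriptor and run a simplified DACL access check.

Added example, not from the book. The sample descriptor, alias table and
token SIDs below are constructed for the demonstration.
"""
import re
from dataclasses import dataclass

# A few well-known SID aliases used in SDDL (subset of the full Windows list).
SID_ALIASES = {
    "BA": "S-1-5-32-544",  # BUILTIN\Administrators
    "BU": "S-1-5-32-545",  # BUILTIN\Users
    "SY": "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "AU": "S-1-5-11",      # Authenticated Users
    "WD": "S-1-1-0",       # Everyone (in the SID field; "WD" is WRITE_DAC in the rights field)
}

# Access-right abbreviations and their bit masks (generic and standard rights).
RIGHTS = {
    "GR": 0x80000000,  # GENERIC_READ
    "GW": 0x40000000,  # GENERIC_WRITE
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GA": 0x10000000,  # GENERIC_ALL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
}
ALL_KNOWN_RIGHTS = 0
for _mask in RIGHTS.values():
    ALL_KNOWN_RIGHTS |= _mask


@dataclass
class Ace:
    ace_type: str   # "A" = access allowed, "D" = access denied, "AU" = system audit
    flags: set      # ACE flags, e.g. {"OI", "CI", "ID"}
    rights: int     # access mask
    sid: str        # trustee SID

    @property
    def inherited(self):
        # The ID flag marks an ACE inherited from the parent rather than set explicitly.
        return "ID" in self.flags


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str   # DACL control flags, e.g. "P" (protected) or "AI" (auto-inherited)
    dacl: list        # DACL ACEs; None means the descriptor has no DACL at all
    sacl: list        # audit ACEs


def _two_char_tokens(text):
    return {text[i:i + 2] for i in range(0, len(text), 2)}


def parse_rights(text):
    """Rights are written as a hex mask or as concatenated two-letter codes."""
    if text.startswith("0x"):
        mask = int(text, 16)
    else:
        mask = 0
        for token in _two_char_tokens(text):
            mask |= RIGHTS[token]
    if mask & RIGHTS["GA"]:
        # Simplification (assumption): expand GENERIC_ALL to every right known here.
        mask |= ALL_KNOWN_RIGHTS
    return mask


def parse_ace(text):
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = text.split(";")
    return Ace(ace_type, _two_char_tokens(flags), parse_rights(rights),
               SID_ALIASES.get(sid, sid))


def parse_acl(text):
    """'AI(A;;GR;;;AU)(...)' -> (control flags, [Ace, ...])."""
    flags = text.split("(", 1)[0]
    aces = [parse_ace(body) for body in re.findall(r"\(([^)]*)\)", text)]
    return flags, aces


def parse_sddl(sddl):
    # Sections are introduced by O: G: D: S:; ACE bodies never contain ':'.
    parts = re.split(r"([OGDS]):", sddl)
    sections = dict(zip(parts[1::2], parts[2::2]))
    owner = SID_ALIASES.get(sections.get("O"), sections.get("O"))
    group = SID_ALIASES.get(sections.get("G"), sections.get("G"))
    dacl_flags, dacl = parse_acl(sections["D"]) if "D" in sections else ("", None)
    _, sacl = parse_acl(sections["S"]) if "S" in sections else ("", [])
    return SecurityDescriptor(owner, group, dacl_flags, dacl, sacl)


def canonical_order(aces):
    """Canonical DACL order: explicit ACEs before inherited, deny before allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.ace_type != "D"))


def check_access(sd, token_sids, desired):
    """Simplified AccessCheck: walk the DACL in order; the first decision wins."""
    if sd.dacl is None:
        return True            # no DACL at all means no protection
    remaining = desired
    for ace in sd.dacl:
        if ace.sid not in token_sids:
            continue
        if ace.ace_type == "D" and ace.rights & remaining:
            return False       # a still-needed right is explicitly denied
        if ace.ace_type == "A":
            remaining &= ~ace.rights
            if remaining == 0:
                return True    # every requested right has been granted
    return False               # rights left over at the end of the DACL: denied


# Constructed descriptor: explicit deny of WRITE_DAC to Users, explicit read for
# Authenticated Users, then two ACEs inherited from the parent object (full
# control for Administrators, read for Users), plus an audit ACE for Everyone.
SAMPLE_SDDL = ("O:BAG:SYD:AI(D;;WD;;;BU)(A;;GR;;;AU)"
               "(A;ID;GA;;;BA)(A;OICIID;GR;;;BU)S:(AU;SAFA;GA;;;WD)")

if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    user = {SID_ALIASES["BU"], SID_ALIASES["AU"]}
    for ace in sd.dacl:
        print("inherited" if ace.inherited else "explicit ", ace.ace_type, ace.sid)
    print("user read:", check_access(sd, user, RIGHTS["GR"]))
    print("user WRITE_DAC:", check_access(sd, user, RIGHTS["WD"]))
```

Running the script lists each DACL entry as explicit or inherited and shows that the explicit deny is honoured even though an inherited allow later in the list grants the same trustee read access; `canonical_order` is the ordering Windows expects when ACEs are written, which is what makes "deny before allow, explicit before inherited" hold during the walk.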



Microsoft Windows Server 2003 Administrator's Pocket Consultant
ISBN: 735622450
EAN: N/A
Year: 2003
Pages: 141
