Designing Access Control for Active Directory

Access control, as mentioned previously, is used to manage access to resources for security purposes. In Active Directory, specifically, access control is administered at the object level: each object carries its own set of permissions, which may be as coarse as Full Control or as fine as Read or Write on a single attribute. Granting or denying these permissions to users and groups is how access to directory objects is controlled.

Access control for Active Directory objects relies on the Windows access control model, which is made up of two basic components:

Access tokens: An access token contains the information about a logged-on user that the system uses to decide what that user may do.

Security descriptors: A security descriptor contains the security information that protects an object.

When a user logs on successfully, the system produces an access token that describes the identity and privileges of the user's account. The system then uses this token to identify the user whenever a process or thread running on the user's behalf interacts with a securable object or attempts an action that requires a privilege. The following is a partial list of the elements contained in an access token:

  • The security identifier (SID) of the user's account

  • The SIDs of the groups of which the user is a member, including nested groups and well-known groups such as Authenticated Users

  • A logon SID, which identifies the current logon session and persists only until the user logs off

  • The list of privileges held by the user or by the groups to which the user belongs (SeBackupPrivilege, for example)

  • An owner SID, which becomes the default owner of objects the user creates

  • The SID of the user's primary group

  • The default DACL, which includes the creator/owner permissions, applied to securable objects the user creates when no other security descriptor is specified

  • The source of the access token (the component that created it)

  • A value that indicates whether the token is a primary token or an impersonation token

Because this information is gathered once, at logon, some changes take effect only after the user has logged off and back on. For example, suppose a user is added to a security group while logged on. The access token that the user's processes already hold does not contain the SID of the new group, so those processes are not treated as members of it and no permission granted to the group applies to them. Locking and unlocking the workstation does not help, since that reuses the existing token. To obtain a token that includes the new group, the user must start a new logon session, most simply by logging off and logging back on (a process started with runas also performs a fresh logon and receives a new token).
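The token elements listed above can be inspected from inside the logged-on session. The following PowerShell script is an added example, not part of the study guide: it reads the current token through the .NET WindowsIdentity class, lists privileges with whoami, and, when the ActiveDirectory module (RSAT) is available on a domain-joined host, compares the token's group SIDs with the user's current group membership in the directory to surface the stale-token condition described above. The domain-joined host and the RSAT module are assumptions.

```powershell
# Added example, not from the study guide. Inspects the access token of the
# current logon session and, optionally, compares its group SIDs with the
# directory to spot groups the user was added to after logging on.
# Assumes Windows PowerShell on a domain-joined host; the comparison step
# needs the ActiveDirectory module (RSAT) and a domain user account.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

"User SID            : $($identity.User.Value)"
"Owner SID           : $($identity.Owner.Value)"
"Authentication type : $($identity.AuthenticationType)"   # Kerberos, NTLM, ...
"Impersonation level : $($identity.ImpersonationLevel)"   # None means a primary token

# Group SIDs carried in the token. The logon SID (S-1-5-5-X-Y) appears here
# and usually does not translate to an account name.
"Groups in token:"
$tokenGroupSids = @($identity.Groups | ForEach-Object { $_.Value })
foreach ($sid in $identity.Groups) {
    $name = '(no name)'
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    "  {0,-48} {1}" -f $sid.Value, $name
}

# Privileges are not exposed by WindowsIdentity; whoami reads them from the token.
whoami /priv

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $sam = $identity.Name.Split('\')[-1]
    # Direct group memberships currently recorded in the directory
    $adGroups = Get-ADPrincipalGroupMembership -Identity $sam
    $stale = $adGroups | Where-Object { $tokenGroupSids -notcontains $_.SID.Value }
    if ($stale) {
        "Groups in AD but missing from this token (a new logon session is needed):"
        $stale | ForEach-Object { "  $($_.Name)" }
    } else {
        "Every direct AD group membership is present in the current token."
    }
}
```

Run it, add the account to a group from another session, and run it again without logging off: the directory reports the new group while the token list does not change, which is exactly why the permission does not apply until the user obtains a new token. The token contains more SIDs than the directory query returns (nested and well-known groups), so the comparison is deliberately one-directional.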

Table 5.1 shows the basic outline of the Windows (NT-based) access control model.

Table 5.1: Windows Access Control Model

Element: Security descriptor
Description: Every object in Active Directory has its own security descriptor, which holds the security information that governs access to the object: the owner SID, the primary group SID, a discretionary access control list (DACL) made up of access control entries (ACEs) that allow or deny rights to specific security principals, and optionally a system access control list (SACL) that specifies which accesses are audited. ACEs in the DACL may be set directly on the object or inherited from its parent containers.

Element: Security context
Description: When an attempt to access an object is made, the application supplies the credentials of the security principal making the request. Once those credentials are authenticated, they determine the security context in which the request runs: the principal's SID, group memberships, and privileges, as carried in the access token.

Element: Access check
Description: The system permits access only if the DACL in the object's security descriptor grants the requested rights to the requesting security principal or to a group whose SID is in the principal's token. ACEs are evaluated in order, with explicit ACEs before inherited ones and Deny ACEs before Allow ACEs at each level; a Deny that covers a requested right not already granted stops the check, and if no ACE grants all of the requested rights the request is refused.

Simply stated, the Windows access control model denies any access that has not been explicitly granted.
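To make the three rows of Table 5.1 concrete, the following PowerShell script is an added example, not code from the study guide. It constructs an in-memory Active Directory security descriptor with invented SIDs and ACEs, prints its owner and DACL, and then runs a simplified access check that walks the DACL in the same order the system does, for tokens represented as sets of SIDs. The SIDs, the group names in the comments, and the distinguished name shown for reading a real object are all hypothetical.

```powershell
# Added example, not from the study guide. Builds a security descriptor for a
# directory object in memory (so it runs offline) and performs a simplified
# access check against it. To evaluate a real object instead, read its
# descriptor with Get-Acl after Import-Module ActiveDirectory, for example
#   $sd = Get-Acl -Path 'AD:\OU=Sales,DC=example,DC=com'   (hypothetical DN)
Add-Type -AssemblyName System.DirectoryServices

$Rights = [System.DirectoryServices.ActiveDirectoryRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow
$Deny   = [System.Security.AccessControl.AccessControlType]::Deny

function New-Sid([string] $Sddl) { New-Object System.Security.Principal.SecurityIdentifier $Sddl }

# Hypothetical SIDs, invented for this example
$helpdeskSid = New-Sid 'S-1-5-21-1000-2000-3000-1101'   # "Helpdesk" group
$internsSid  = New-Sid 'S-1-5-21-1000-2000-3000-1102'   # "Interns" group
$aliceSid    = New-Sid 'S-1-5-21-1000-2000-3000-1105'   # a user account
$authUsers   = New-Sid 'S-1-5-11'                       # well-known Authenticated Users

# Security descriptor: owner SID, primary group SID and a DACL of three ACEs
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetOwner($helpdeskSid)
$sd.SetGroup($helpdeskSid)
foreach ($spec in @(
        @($authUsers,   $Rights::GenericRead,   $Allow),
        @($helpdeskSid, $Rights::WriteProperty, $Allow),
        @($internsSid,  $Rights::WriteProperty, $Deny))) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $spec
    $sd.AddAccessRule($rule)   # the DACL is kept canonical: Deny ACEs sort before Allow ACEs
}

"Owner: $($sd.GetOwner([System.Security.Principal.SecurityIdentifier]))"
"DACL, in the order the access check walks it:"
$sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Format-Table AccessControlType, IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize

function Test-SimplifiedAccess {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity] $Descriptor,
        [string[]] $TokenSids,   # user SID plus group SIDs, as carried in the access token
        [System.DirectoryServices.ActiveDirectoryRights] $Requested
    )
    $want    = [int]$Requested
    $granted = 0
    $rules = $Descriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        # ACEs whose trustee is not in the token do not apply to this principal
        if ($TokenSids -notcontains $ace.IdentityReference.Value) { continue }
        $aceRights = [int]$ace.ActiveDirectoryRights
        if ($ace.AccessControlType -eq $Deny) {
            # A Deny ACE covering any requested right not yet granted ends the check
            if (($aceRights -band ($want -band -bnot $granted)) -ne 0) { return $false }
        } else {
            $granted = $granted -bor $aceRights
            if (($granted -band $want) -eq $want) { return $true }
        }
    }
    return $false   # nothing in the DACL granted all requested rights: implicit deny
}

# Tokens as sets of SIDs (what the access check actually matches against)
$plainUser    = @($aliceSid.Value, $authUsers.Value)
$helpdeskUser = $plainUser + $helpdeskSid.Value
$internHelper = $helpdeskUser + $internsSid.Value

"Read property, plain user            : " + (Test-SimplifiedAccess $sd $plainUser    ($Rights::ReadProperty))
"Write property, plain user           : " + (Test-SimplifiedAccess $sd $plainUser    ($Rights::WriteProperty))
"Write property, helpdesk member      : " + (Test-SimplifiedAccess $sd $helpdeskUser ($Rights::WriteProperty))
"Write property, helpdesk and interns : " + (Test-SimplifiedAccess $sd $internHelper ($Rights::WriteProperty))
```

The four cases show the model from the table: the plain user gets ReadProperty because GenericRead for Authenticated Users includes it, gets no WriteProperty because no ACE grants it (implicit deny), the helpdesk member gets WriteProperty from the explicit Allow, and a user who is in both Helpdesk and Interns is refused because the Deny ACE sits ahead of the Allow ACE in the canonical DACL. The check is simplified on purpose: the real AccessCheck also grants the owner READ_CONTROL and WRITE_DAC implicitly, handles object-type ACEs that scope rights to a property, property set or extended right, and honours the SACL for auditing.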

In the next sections, we will introduce to you the different types of permissions that are available for Active Directory objects. You will learn the best practices for assigning them and how to make dealing with assigned and inherited permissions more manageable.



MCSE: Windows Server 2003 Network Security Design Study Guide (Exam 70-298)
ISBN: 0782143296
Year: 2004
Pages: 168
