Chapter 3. AuthorizationLimiting System Access and Controlling User Behavior
Imagine you've come to my house for a visit. We've met and talked before, worked on a project together, or perhaps we know each other from church or because our boys attend the same high school. At the door, I greet you and invite you inside. What is it that keeps you from immediately going wherever you want? What prevents you from grabbing a beer from my refrigerator, knocking over the china cabinet, and kicking my dog?Surely you're grinning now; you've recognized my ployyou've equated my recognition of you as authentication and the use of biometrics (I recognize you by your appearance). And you've recognized my inviting you inside as authorization to enter the house, and the other activities as things you are not authorized to do. But I repeat: What prevents you from doing those things?I suspect that you won't have to think very long before you respond that our common cultural background instilled in us a set of common beliefs that tells us what is acceptable behavior when visiting someone for the first time.When we provide access to our information systems, computers, and networks to others, we cannot afford the luxury of making assumptions about their code of ethics or their understanding of what's considered appropriate. Instead, we must develop access control systems that prevent unwanted behavior. Our access control systems should transparently determine user behavior on the system or systems in our networks. Access controls define what someone is authorized to do after he has been authenticated. Windows Server 2003 authorization is determined by the evaluation of assigned rights, permissions, and restrictions. This chapter introduces the authorization process and defines users, groups, rights, permissions, and restrictions that determine access on a standalone Windows Server 2003 server. Later chapters expand on this introduction to provide the detail behind complex object permission structures and the options available within a Windows Server 2003 domain.
The access control systems available in Windows Server 2003 allow you to develop a granular system of control that enforces your organization's policy. You need to consider the access control mechanisms that are used, the rights and permissions that can be assigned, the types of security principals that can be granted to them, and the tools that are used to manage access. The time you spend exploring this information will depend on your experience with Windows.If you are new to Windows, then there is a wide range of information to learn and consider. Access control mechanisms are extremely important security controls, and you will want to dedicate a significant amount of time to understanding them. Your ability to understand advanced security paradigms such as Group Policy, IPSec, and certificate services will depend upon how well you grasp the basics developed here and in the next few chapters.If you are familiar with rights and permissions as used in Windows NT 4.0, you will find some subtle yet significant differences. There are new default groups and user rights. Areas to study include a new model of permission inheritance, the effective permissions model, and new tools for managing access control. You will also need time to adjust to object permissions as they apply to objects in the Active Directory.If you have been working with Windows 2000, you should be familiar with most of the processes, groups, user rights, and permissions in Windows Server 2003; however, you will find new groups, rights, and a few new concepts such as the ability of Windows Server 2003 domains to cache Universal Group membership and avoid the need to access Global Catalog Servers before authenticating users. Use the basic information presented here to ensure that your knowledge is complete.
Wherever you are in your understanding, take some time to ensure that you are aware of how these controls work in Windows Server 2003. |
|
لطفا منتظر باشید ...
Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
