Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Professional Windows Server 1002003 Security A Technical Reference [Electronic resources] - نسخه متنی

Roberta Bragg

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

اذهب
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Windows Server 2003 Security: A Technical Reference

By Table of Contents | Index

If you''''re a working Windows administrator, security is your #1 challenge. Now there''''s a single-source reference you can rely on for authoritative, independent help with every Windows Server security feature, tool, and option: Windows Server 2003 SecurityRenowned Windows security expert Roberta Bragg has brought together information that was formerly scattered through dozens of books and hundreds of online sources. She goes beyond facts and procedures, sharing powerful insights drawn from decades in IT administration and security. You''''ll find expert implementation tips and realistic best practices for every Windows environment, from workgroup servers to global domain architectures. Learn how to: Reflect the core principles of information security throughout your plans and processes Establish effective authentication and passwords Restrict access to servers, application software, and data Make the most of the Encrypting File System (EFS) Use Active Directory''''s security features and secure Active Directory itself Develop, implement, and troubleshoot group policies Deploy a secure Public Key Infrastructure (PKI) Secure remote access using VPNs via IPSec, SSL, SMB signing, LDAP signing, and more Audit and monitor your systems, detect intrusions, and respond appropriately Maintain security and protect business continuity on an ongoing basis"Once again, Roberta Bragg proves why she is a leading authority in the security field! It''''s clear that Roberta has had a great deal of experience in real-world security design and implementation. I''''m grateful that this book provides clarity on what is often a baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical Hacker James@accusource.net"Full of relevant and insightful information. Certain to be a staple reference book for anyone dealing with Windows Server 2003 security. Roberta Bragg''''s Windows Server 2003 Security is a MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation phil.cox@systemexperts.com"Few people in the security world understand and appreciate every aspect of network security like Roberta Bragg. She is as formidable a security mind as I have ever met, and this is augmented by her ability to communicate the concepts clearly, concisely, and with a rapier wit. I have enjoyed working with Roberta more than I have on any of the other 20 some odd books to which I have contributed. She is a giant in the field of network security."Bob Reinsch bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do things and then tells you how to do it! It is a comprehensive guide to Windows security that provides the information you need to secure your systems. Read it and apply the information."Richard Siddaway, MCSE rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically accurate. It will be a valuable resource for network administrators and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg writes and I have ''''always'''' found her writing to be perfectly focused on issues I ''''need'''' to know in my workplace when dealing with my users. Her concise writing style and simple solutions bring me back to her columns time after time. When I heard she had written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding common pitfalls, and her easy to follow guidelines on how to lock down my network and user environments (those darned users!) has me (and my clients) much more comfortable with our Win2k3 Server deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra Vista AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows Security Information Technology Consultant harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more than just lucid coverage of how things work, but also offers sound advice on how to make them work better."Chris Quirk; MVP Windows shell/user cquirke@mvps.org"This book is an invaluable resource for anyone concerned about the security of Windows Server 2003. Despite the amount and complexity of the material presented, Roberta delivers very readable and clear coverage on most of the security-related aspects of Microsoft''''s flagship operative system. Highly recommended reading!"Valery Pryamikov, Security MVP, Harper Security Consulting valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel Corp. bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for administrators who manage Microsoft Windows 2003 servers in their organizations. The best practices for strengthening security controls are well organized, with practical examples shared throughout the book. If you work with Windows 2003, you need this great resource."Harry L. Waldron CPCU, CCP, AAI Microsoft MVPWindows Security Information Technology Consultant
توضیحات
افزودن یادداشت جدید







Authorization Manager Framework


The Authorization Manager Framework enables the development and administration of Role-Based Access Control (RBAC) programs. Developers use the Authorization Manager Framework's Authorization Manager RBAC application programming interface (API) to develop the application, including the definition of user roles. Administrators use the Authorization Manager Microsoft Management Console snap-in to manage the applications by assigning user groups to role definitions.

Before you can administer these applications, you must understand how they are developed and how they work. The secret to understanding and championing Authorization Manager is to understand that it moves the responsibility for partitioning access to information resources from the administrator to the application.

The Authorization Manager application is pre-programmed to respond to the role of the user interacting with the program. The role, defined as part of the application, is explicitly designed to provide rights and permissions that allow the role holder to do her job and no more. The role might be allowed, for example, to run only certain parts of the program and only read some data while having permission to write, delete, or otherwise manipulate other data. At first glance, this may appear to provide control over computer system resources to the developer. However, in a properly managed development environment, developers work from and are held accountable to specifications developed by the data owners. An application developed to print payroll checks, for example, might have roles such as payroll clerk and payroll manager. Payroll department staff must develop the specifications that define what each role is allowed to do within the program and what files and printers role users may access. Payroll management approves the design and tells IT which employees should be assigned which roll. The system administrator maintains application control by assigning the correct users to the application roles.

The ordinary application, by comparison, does a poor job of granting and denying access to resources. The ordinary application sees data storage as a gray landscape of objects that it can or cannot manipulate depending primarily on the security context of the user. If it needs to interact with the internal processes of the computer, the ordinary application switches context and operates as programmed in ignorance of the security context of the user. Thus, management of the ordinary application is fractured. Authorization to run the application is separate from the right to access resources. To manage ordinary applications, the system administrator must only decide who is authorized to run the application. She manages resources that the application might use separately. The administrator protects resources by determining what rights a user should be granted or denied and which objects a user should have permission to access. Application authorization and resource authorization are disconnected. In addition, while the administrator may grant a user permission to execute a specific program, she may not grant the user the right to run some part of the application while denying the user access to other parts of the application. There are exceptions to this. Both database applications and COM+ applications may have roles defined within their structure. Database administrators assign users to database roles.

In a well-defined and relatively static environment, the system administrator can manage the ordinary application and the burden of assigning rights and permissions. In the well-managed environment, data owners define who should do what with their data, and the administrator can mold the operating system authorization design to fit these requirements. In a relatively static environment, change is slow, so there is time to make these decisions for new applications and weigh the impact on older ones. Many organizations do not provide a well-defined or relatively static environment, though. Change often occurs rapidly, data owners and administrators sometimes don't communicate well, and applications are often adopted that require elevated privileges to run, not because of the way they must function, but because they were poorly written.

The secret to successfully adopting Authorization Manager is to realize that it will not solve the problems created by the past. It cannot be put to use to manage wayward applications or magically relieve the administrator of the burden of assigning rights and permissions. What Authorization Manager can do is provide the infrastructure for which applications can be developed to change the paradigm for the system administrator. For all Authorization Manager applications, the administrator does not need to assign individual users or groups access to objects; she merely has to respond to application owners' identification of which users should play what role in the application.

If this concept appeals to you, you will need to work with data owners and application developers to produce applications that can be managed by Authorization Manager. Writing applications that support RBAC is not within the scope of this book; however, managing such applications with Authorization Manager is. You may be asked to administer such an application, or you may be key in recommending that applications be written that are Authorization Manager-enabled and thus can provide RBAC.

NOTE: Authorization Manager on Other Platforms

The Authorization Manager RBAC API can be obtained for Windows 2000 from http://www.microsoft.com/downloads/details.aspx?FamilyID=7edde11f-bcea-4773-a292-84525f23baf7&displaylang=en and can be used to develop Authorization Manager applications. Authorization Manager applications can only be administered using the Authorization Manager snap-in from a Windows Server 2003 server or a Windows XP Professional computer on which the Windows Server 2003 Administration Pack for XP has been installed. However, to create Authorization Manager stores in the Active Directory, the domain must be in Windows Server 2003 functional mode.

The following information can help you understand the basics of Authorization Manager and the steps that will need to be taken to use it.


Role-Based Access Control in Windows


Role-based access control is available without Authorization Manager for Windows systems based on NT technologies. Implementing RBAC in previous versions of Windows required administrators to develop roles by doing the following:

Creating Windows groups.

Assigning appropriate user rights to these groups.

ACLing resources such as files, folders, registry keys, and Active Directory objects.

Adding Windows accounts into and removing them from these Windows groups as individuals joined or left the company or changed roles within the company.

Working with developers to introduce custom roles into applications. This includes working with .NET applications, COM+ applications, and applications based on prior programming paradigms.


There is nothing wrong with this model. However, much of its success relied upon the administration of permissions on a large number of objects. Get it right, and people can do their jobs, nothing more. Get it wrong, and the wrong people often have access they shouldn't, and those who officially require rights and permissions may be blocked from doing their work. Frustration becomes part of every administrator's and user's day. Eventually, wide holes in security may be created just so that users can do their jobs. It's especially difficult to scale this model when there is high turnover in personnel and rapidly changing job functions. In addition, although the model is highly flexible and offers granular control when it comes to object permissions, it cannot manage the use of software at a granular level.

The issue has not been that a way was needed to do RBAC control, but rather how the following details should be handled:

Defining the roles. Who does what on which computer systems with what applications? What do people do?

Translating the job into a set of object permissions. For each role, what programs do they need access to? Which files? Printers? Registry keys?

Assigning the responsibility for creating the job/rights/permissions mapping. Who should be figuring all this out?

Determining responsibility for implementation, maintenance, and audit of roles and role assignment. Who should actually configure the computer, make sure it's working the way it's supposed to, and audit the role and role assignments? Are the right people in the right roles? Are the roles defined correctly?


Authorization Manager removes the granular details of role development from the system administrator. Developers create the applications that define the roles based on specifications provided by those who know how the new applications should run. Developers assign object permissions and rights of code execution within the role definition in their application. Once a role is defined, it can be assigned to a group. Administrators simply add Windows users or groups to these groups to allow users or group members to perform the role. Administrators and data owners can participate in the design of the application and its roles. Data owners determine which individuals within the organization should play which role.

By comparison, ACLs attempt to manage software restrictions by setting permissions such as "execute" or "deny execute," and software restriction policies are based on the use of special designations that prevent or allow software to run. Authorization Manager-enabled applications define roles, which are then limited to certain operations within the application. With authorization, you define not only who can run an application, but also what role they can play within that software. This means that users are not only restricted to using only specific applications, but also to only executing some of the code within an application. Roles can also be confined to the use of a subset of the resources used by the application and limited with permissions as to what they can do with the resource. Authorization Manager is the administrative tool used to expose the underlying application, role, and resource partitions, and to assign users to roles. The use of well-defined roles to control system access is known as role-based security.

Authorization Manager Basics


Authorization Manager provides a single interface that administrators can use to manage multiple applications. Authorization Manager-enabled applications, however, must be written to contain the necessary components to provide a deeper level of access control.

Application developers define the components that define the roles within the application. The application installation program populates the authorization policy, a set of rules that define the application roles. The authorization policy is stored in the authorization store and exposed in the Authorization Manager snap-in for use by the administrator. If the installation program does not deliver the authorization policy, components can be created directly in the Authorization Manager.

NOTE: Administrator's Role

The administrator's main responsibility is to assign Application Groups, Windows Groups, and Users to roles and to add users to groups, thus conferring upon them the appropriate role. However, administrators should understand how the process works so that they may understand the rights and permissions granted on their systems when a user is given a role.

To aid your understanding of how Authorization Manager applications work, the sections that follow both define the components and provide instructions on how they can be created in Authorization Manager. To perform many of these operations, you will need to change the operation mode of the Authorization Store from Administrator mode to Developer mode. Administrators cannot create applications, authorization stores, or operations and cannot change application names or version numbers. To change to Developer mode, add the Authorization Manager to an MMC console, and then do this:


1.

Right-click on the Authorization Manager node and select Options.

2.

Select Developer mode, as shown in Figure 4-1.

Figure 4-1. The operations available in Authorization Manager depend on the mode that is set.

3.

Click OK.


A complete Authorization Manager application requires the development of the following components:

Authorization Store
The repository for the security policy.

Groups
Entities that can be assigned roles.

Application
Defines the relationship between the applications written to be managed by Authorization Manager and the authorization store.

Scope
A file folder or other resource used by an application.

Roles
A collection of related tasks that must be accomplished.

Tasks
A collection of operations.

Authorization Scripts
Scripts that check a user's authorization to perform a task.

Operations
Lower-level operating system.


Authorization Store

An Authorization Manager-based application reads its security policy from its Authorization Store during startup. The security policy consists of rules that indicate what a specific role can do. There is no default Authorization Store; instead, an Authorization Store is created for a specific purpose. Authorization Stores can reside in the Active Directory or in the NTFS file system (local or remote) in an XML file. Secure the file using ACLs. Table 4-1 illustrates the differences between the two types of stores.

Table 4-1. Authorization Store Definition

Active Directory

XML

Delegation support

At the Authorization Store, application, and scope level

Not supported. Secured by its ACEs.

Authorization specification

URL with the prefix MMSLDAP:// or LDAP distinguished name (DN) like CN=store, CN=data, DN=mycompany, or DN=com

URL with the prefix MSXML:// or path such as C:\stores\thisstore.xml or \\servera\sharea\thisstore.xml

Windows Support

Windows Server 2003 domain functional level only

NTFS partition (including one on Windows 2000 servers)

Audit Support for Runtime auditing

Authorization Store level and application level

Authorization Store level and application level

Audit Support for Authorization Store change auditing

Authorization Store, application, and scope

Authorization Store level only

An Authorization Store can be created programmatically, or manually in the Authorization Manager. When items such as groups, roles, operations tasks, and so forth are created in the Authorization Manager console, their information is added to the Authorization Store. To create a store, follow these steps:


1.

Open Authorization Manager.

2.

Right-click on the computer container and select Create New Authorization Store.

3.

Select XML or Active Directory for the store location and enter the name and location of the store.

4.

Enter a description, as shown in Figure 4-2.

Figure 4-2. The Authorization Store is created by specifying a name and location for its storage.

5.

Click OK to add the store. Figure 4-3 shows the store added to the Authorization Manager console.

Figure 4-3. After creation, the store is displayed in the Authorization Manager console.

[View full size image]


NOTE: Delegation

Delegation in the Active Directory is a way of assigning administrative responsibility to users who are not members of the Administrators group. Delegation is accomplished by assigning user group permissions on Active Directory objects. Because an Authorization Store that is stored in the Active Directory is an object, you can delegate authority over the store and the objects within it. XML-based Authorization Stores are not in the Active Directory and do not support delegation.

Groups

Groups are used to assign roles to users. Roles are assigned to groups, and administrators place user accounts in groups. Special groups can be created in Authorization Manager, or Windows groups can be used. If Authorization Manager groups are used, they can be created just for use by an application or even a scope within the application. The group nomenclature is as follows:

Application Groups
A group of users in an Authorization Manager application. They can be created at all three levels in the console: Authorization Store, Application, and Scope. A group created in an upper level can be used at a lower level, but a group created at a lower level cannot be used at an upper level. Application groups are either Application Basic Groups or LDAP Query Groups.

Application Basic Group
Includes a list of members and a list of non-_members. A list of non-members is used to deny access to some subset of the larger, allowed access group. A group, therefore, might be provided access to the application but denied access to some subset of the application. Non-membership takes precedence over membership. Basic groups can be Windows Users and Groups or LDAP Query Groups.

Lightweight Directory Access Protocol (LDAP) Query Groups
This is a dynamic group defined by an LDAP query. Any user attribute can be part of the LDAP query. For example, a query group could consist of all those users who live within the city limits of Chicago. Over time, this group might change. Other groups may be more volatile. An example would be all those users who had a birthday during the current month.

Windows Users and Groups
These are standard user accounts and groups, either default or custom. When a role is assigned to a group, you can choose Windows Users and Groups or an Application Group.


To add a group:


1.

Right-click the Groups node of the Authorization Store, Application, or Scope and select New Application Group.

2.

Enter a name and description for the Application Group.

3.

Select either LDAP query or Basic group type, as shown in Figure 4-4.

Figure 4-4. The group type is selected during group creation.

4.

Click OK and view the created group, as shown in Figure 4-5.

Figure 4-5. Groups live within the Groups container.

[View full size image]


Application

The development of each Authorization Manager-based application determines how roles will function within the application. The assignment of roles and users to groups defines who can perform which roles. The application object in Authorization Manager is created within its Authorization Store and contains the objects that define the RBAC present in the application. An application can exist in only one Authorization Store, but an Authorization Store can contain multiple applications. Table 4-2 lists common tasks the Authorization Manager application supports and compares them to the processing within an ordinary application.

Table 4-2. Application Tasks Comparison

Authorization Management

Ordinary Application

1

During application development: define roles, implement operations, and roll operations into tasks.

May define roles, but typically does not. Role definition may mean that administrators can run some applications or operations while both users and administrators can run others.

2

The installation process creates the Authorization Store, operations, tasks, and application-based roles, in addition to defining files or databases used for application data.

The installation process defines files or databases to hold application data and places configuration data in the registry or in a file.

3

At runtime, the application uses the Authorization Manager to connect to the Authorization Store and read the security policy.

At runtime, the application may check configuration information in files or registry hives. During processing, authorization for access to objects is determined by user rights and permissions assigned by administrators.

4

When clients connect to an application, an application context is created.

When a user starts an application, the application runs in the user's security context.

5

Before a client uses an application, custom application behavior is developed based on roles. During operation, each user role may present a different UI based on his role.

Before a client can use the application, custom behavior is defined primarily by the user's rights and permissions on objects. The user interface may show error messages if a user's rights and permissions do not match those required to run the application.

6

When a client attempts to perform an operation, an access check is performed to see if the user's role includes the right to perform the operation.

When the application attempts to perform an operation, an access check is performed to see if the user has the right or permission needed to perform the operation.

When you manage or participate in the development of an Authorization Manager application, you can manage roles in a different and very natural way. To create an Application object in the Authorization Manager, follow these steps:


1.

Right-click on the Authorization Store node and select Create New Application.

2.

Enter a name, description, and version number for the application, as shown in Figure 4-6.

Figure 4-6. Applications are containers created to hold the security policy as defined in roles, groups, operations, and tasks.

3.

Click OK and view the application in Authorization Manager, as shown in Figure 4-7.

Figure 4-7. Applications are created within their Authorization Store.

[View full size image]


Scope

Scopes are created within each application to restrict access to resources. A scope specifies resources such as file system folders, Active Directory containers, types of files (such as all *.doc files), URLs, and registry hives. You create Authorization Manager groups, role assignments, role definitions, or task definitions and assign them to the application scope rather than the application. (Operations, however, cannot be defined at the scope level.)

The groups created within the scope have access to the resources they define, while groups created in the application can be assigned access to resources in the entire application including the scope. Using scopes is a good way to restrict the access of some users while empowering others.

A scope can be an NTFS folder, an Active Directory container, a collection of files identified by a mask such as *.doc (a file-masked collection), a URL, and so on. These containers are identified in the Authorization Manager within the Application container.

To create a scope:


1.

Right-click on the Application node and select New Scope.

2.

Enter a name and description for the scope, as shown in Fig- ure 4-8. Note that the name is a folder path. Names must represent real locations.

3.

Click OK.


Figure 4-8. Scope names must represent real locations.

You must be careful when creating scopes to make sure they identify resources in a manner that the application can understand. Two things are important here. First, the resource should be identified by location, such as by using file paths, registry hives, or complete URLs, or by identifying existing Active Directory Organizational Units. Second, the application itself must be able to understand the resource. Web-based applications might have URLs as scope identifiers, while file-based applications might use file paths.

To effectively limit access to resources by using their location, follow these steps:


1.

Create scopes for resources that need more granular protection.

2.

Create application groups in these scopes. Figure 4-9 shows the C:\IT Files scope created within the Itmgmt application. Note how group containers are created at the Authorization Store, Application, and Scope level and how definitions and role assignments are created at both the Scope and Application level. In the figure, any groups created in the Groups container of the C:\IT Files scope can only be granted access to files at that level. Groups created at the Application level may be granted access to all resources in the application, and groups created in the Authorization Store can be granted access to resources in all applications defined in the Authorization Store.

Figure 4-9. The group location determines the resources that may be accessed by its members.

[View full size image]

3.

Assign users to these groups who should have access to these resources.

4.

Create groups at the Application level.

5.

Assign users to Application-level groups that should have access to all resources in the application.

6.

Create groups at the Authorization Store level. Assign users to these groups who need access to all applications in the Authorization Store.


NOTE: Reasons to Use Authorization Manager Groups

You should use Authorization Manager groups for two reasons. First, using these groups provides more control over object access. Second, when Authorization Manager groups are used, the application may be more easily used in both workgroup and domain situations. This is because workgroup machines have different Windows groups from those that are available in the Active Directory. An application designed using Active Directory-based groups could not be used in a workgroup. Note, however, that an application developed specifically for an Active Directory environment may have no useful purpose in a workgroup. You should make your decisions on the types of groups to use based on the application requirements.

Roles, Tasks, Authorization Scripts, and Operations

In an Authorization Manager application, tasks, operations, and authorization scripts define roles. Tasks are composed of lower-level tasks, operations, and authorization scripts. Operations are single units of lower-level operating system functionality. For example, a Help Desk task might be "reset password" for users within a specific organizational unit (OU). A task created within the application might be named ResetPassword. An operation, also created in the application, includes a reference to a number identifying the actual code within the application that allows the user to reset passwords for users within his assigned OU. The operation is assigned to the task, and the task is assigned to the help desk role. Finally, when the role definition is complete, it is assigned to the group created to identify users who will be assigned the help desk role.

When the application is written, operations are programmed. During the development of an Authorization Manager application, the elements for each role are written. During the application's installation, the tasks and operations that define the role populate the Authorization Manager, along with the groups and other application components.

You may have to manually add roles, authorization scripts, tasks, and operations to the Authorization Manager. Just remember that they must correspond to the programmed application, and the numbers defined in the operations forge the links between the Authorization Manager and the application code.

Roles

Before you can control authorization by using roles, the roles must be defined. You do this by adding defined tasks and operations to the roles. Roles can be defined across multiple applications but managed from a single location. Roles can also be confined to specific applications and even to limited resources within the application.

The first step is to identify the roles required. To define roles, think of each one as an abstraction that corresponds to real-world operations and tasks. Help desk operator and systems administrator are roles that might be defined if the application were built to control systems operations. Payroll clerk, accountant, and accounting manager are roles that might be defined for an accounting application. During the development process, a specification based on the real-world tasks of each type of employee is identified. Each task is further broken down into smaller steps or operations.

A well-designed role is one that maps to a job category or responsibility. You can easily find loose role definitions in job titles, but you will need to search beyond the title to determine what it is that the individual actually does. Remember that many employees participate in discrete business functions, and job titles do not always map to specific roles within an application. The process of building a role within an application consists of the following tasks:

Selecting a name

Providing a definition

Specifying lower-level tasks, roles, and operations that are part of the new role. Authorization rules may be written in scripts such as VBScript. Tasks become part of a role definition and can be added or viewed in the Role Definition container.


While the approval for membership in a specific application role is not an administrative task, the actual assignment of a user account to a role is. As usual, understanding what access and rights you are conferring with this assignment is critical. You need to know when a user's access or activity is normal and approved, and when it might represent a breach of conduct, such as an attack upon the system.

NOTE: There's More Than One Way to Create the Role

You can, of course, create all operations first, and then create each task and assign operations to the tasks as you create them. You'd follow this operation by creating roles and adding tasks to them as you create them.

To create and define a role in Authorization Manager, you must create tasks and operations and assign them appropriately. The first step in creating a role in the Authorization Manager is to create the role definition. To do so, follow these steps:


1.

Expand the Application container, and then expand the Definitions container.

2.

Right-click Role Definitions and select New Role Definition.

3.

Enter a name and description for the role, as displayed in Figure 4-10.

Figure 4-10. Roles are defined by the tasks defined for them and the authorization scripts written for them.

4.

If lower-level roles, tasks, or authorization scripts have been defined for this role, add them to the role definitions using the Add button.

5.

Click OK.


Tasks

Roles are composed of tasks. Tasks are collections of operations, authorization scripts, and possible other tasks. Tasks must be well defined and must be associated with roles. Well-designed tasks represent recognizable work items. Examples of well-defined tasks are as follows:

Change password

Enable an account

Create a user

Submit an expense

Approve an expense

Sign a check


Examples of tasks that are not well defined are:

Manage employees

Supervise the accounting department

Help users with their computers


To determine which tasks should be defined for a specific role, you will need to identify the things that might define what a person performing a role does. For example, a network administrator might change the ACLs on a router. A help desk person might change passwords or reset locked out accounts. Like roles, tasks are defined in the Authorization Manager by identifying a name and description. A task consists of lower-level tasks or operations and authorization scripts.

To create a task, perform the following steps:


1.

Right-click the Task Definitions container and select New Task Definition.

2.

Enter a name and description for the task, as displayed in Figure 4-11.

Figure 4-11. Tasks are defined by operations and authorization scripts.

3.

If lower-level tasks, operations, or authorization scripts have been built for this role, then they can be added using the Add button.

4.

Click OK.


Operations

Operations are a set of permissions associated with system-level or API-level security procedures. Examples would be WriteAttributes or ReadAttributes. Operations are building blocks for tasks. Operations are set only at the application level, not at the Authorization Store or scope level. The definition of an operation includes a name, description, and an operation number. The operation number is used within the application to identify the operation. The operation number is critical because it ties all actions between the Authorization Manager and the application. Because tasks include operations, roles specify the tasks that can be accomplished, and groups are assigned roles, when you add a user to a group, you are giving the user whatever low-level operations make up the tasks assigned to the role.

WARNING: Prevent Operations Number Errors

The number must be an integer from zero to 2147483647. If you must manually enter the number, be sure that it is correct; an incorrect number will cause a bug in the application.

For example, if a number of operations defines the lower-level actions necessary to format the hard drive, and the operations make up the "format disk" task, which in turn is assigned to the Server Manager role, which is assigned to the Application Group ServerManager, then by putting a user in the ServerManager Application Group, you have given her the right to format the hard drive.

To create an operation, do the following:


1.

Right-click the Operation Definitions container and select New Operation Definition.

2.

Enter a name, description, and operation number, as displayed in Figure 4-12. The operation number must exist within the application code.

Figure 4-12. Operations are defined by an operation number.

3.

Click OK.


Create Authorization Scripts

Authorization scripts are created to implement authorization rules. An authorization rule tests conditions to determine if a user has the right or permission required to perform a specific task. For example, users may belong to a group that has been assigned a role. The role is defined by tasks that empower a role member to complete some task, such as reading a file. An authorization rule can be used to take into consideration the operating systems rights and object permissions assigned to the user. If the file permissions do not allow the user to read the file, then he will not be allowed to, even though the members of his Application Manager Application group may normally do so. Scripts can be written in VBScript or Jscript and are usually written by programmers.

Define Tasks

Define the task by assigning operations:


1.

Double-click the task you want to define.

2.

Select the Operations tab.

3.

Click to select the operations necessary to define this task, as shown in Figure 4-13.

Figure 4-13. Operations are added to tasks.

4.

Click OK.


Define Roles

Finally, you must define the role by assigning it a list of tasks it may perform:


1.

Double-click on the role you want to define.

2.

Click on the Definitions page.

3.

Select the tasks that define the role, as shown in Figure 4-14.

Figure 4-14. Tasks are added to roles.

4.

If there are authorization scripts that should be added, click the Authorization Scripts button. Enter the script or a path to its location and then click OK.

5.

Click OK.


Assign Roles to Groups

Finally, assign roles to groups:


1.

Right-click the Role Assignments container and select Assign Roles.

2.

Select roles from the Add Role dialogbox, as shown in Figure 4-15, and then click OK.

Figure 4-15. Add defined roles to the Roles Assignment container.

3.

The role(s) will be added to the Role Assignments container. Right-click on the role you wish to assign and select Assign Groups or Assign Windows Users and Groups.

4.

If Assign Groups is selected, select the application group, as shown in Figure 4-16.

Figure 4-16. Assign the appropriate groups to each role.

5.

If Assign Windows Users and Groups is selected, use the object picker to select the group or users to be given this role.

6.

Click OK.


Authorization Manager Basics Summary

Within Authorization Manager and within specific applications, each role is assigned the right to exercise tasks and operations. The role is assigned to a group, and the group becomes the interface that you, as administrator, will use to assign Windows accounts or groups authorization to use an application and work with resources. Instead of managing resources for the application, you will manage actions and workflow. For example, instead of using the Delegation of Control wizard or directly assigning a user account or group the reset password permission on the OU, you will simply add the user's account to the group in Authorization Manager that has been assigned the help desk role.

If access to objects and the rights to run parts of the application are defined, then the administrative role is simple. Instead of hundreds of discrete actions in which you create Windows groups and assign them rights, permissionss on Active Directory objects, file objects, registry hives, and other resources, you simply place user accounts or Windows groups into the groups that define the roles.

NOTE: Administrators Need to Know

Administrators are not responsible for building Authorization Manager applications, defining roles, scripting tasks, or authorizing operations. These are developer functions and can be carried out programmatically or by using the Authorization Manager in Developer mode. The administrator's main responsibility is to assign Application groups and Windows groups and users to roles and to add users to groups, thus conferring upon them the appropriate role. However, administrators should understand how the process works so that they may understand the rights and permissions granted on their systems when a user is given a role.

The Authorization Store contains the information required to build the security policy for the application and physically represent it in the Authorization Manager. When the Authorization Store is located in the NTFS file system, it is represented in an XML file. Figure 4-17 is the XML file created by adding the objects defined in the exercises in this section.

Figure 4-17. The Authorization Store XML file holds the security policy for the application.

[View full size image]

Auditing Authorization Manager


Event auditing for Authorization Manager Applications can be configured and events will be recorded in the Security event log. Two types of auditing of Authorization Manager are possible:

Runtime Auditing
Audits are generated when policy defined in the Authorization Store is used. Auditing can report success, failure, or both. Client context and access checks are audited. Runtime auditing can be defined for the Authorization Store and the application. It cannot be defined at the scope level.

Authorization Store change auditing
Audit records are generated when the Authorization Store is modified, regardless of location. Active Directory-based Authorization Store change auditing can be defined for Authorization Store, application, and scope. XML Authorization Store change auditing can only be defined at the Authorization Store level.


To turn on auditing, use the check boxes on the Auditing tab, as displayed in Figure 4-18. If auditing of a specific type is not available, the check box will not appear. If the success and failure boxes do not appear, auditing is being managed at a higher level. To change it, you will have to find where it is being managed (locally or Group Policy at the domain or OU level) and modify it there first. All applicable object auditing will be inherited. For example, object access auditing specified on a file in the file system that is a resource in an Authorization Store is inherited. To define auditing the following must apply:

You must have the Generate security audits privilege.

You must have the Manage auditing and security log privilege.

Object access auditing must be turned on either using Group Policy or Local Security Policy as appropriate.


Figure 4-18. Auditing is defined in the properties of the Authorization Store and the application.

Authorization Manager Administration


The administration of Authorization Manager-enabled applications is an easy task if administrators understand how it works and how Authorization Manager applications work. The primary task is to assign users to the groups used in the roles. The administrator may have to participate in the assignment of groups to roles and other tasks if the applications do not programmatically do so. However, like most administrative tasks, simple actions disguise complex operations. The knowledgeable administrator will understand these consequences, audit the activity, and restrain from duplicating or obviating the results by using her power to distribute access to resources and rights that should be left managed by the application.

It may be prudent to limit the number of administrators who can work with Authorization Manager. You can do so by defining the groups and users that may have Administrative access to Authorization Manager. Add or remove groups and users from the Security tab of the Authorization Store properties, as shown in Figure 4-19.

Figure 4-19. Adjust the number of administrators who can administer Authorization Manager applications.


/ 194