Windows Server\SBS Security [Microsoft Small Business Specialist Primer]

Howdy folks – I am the publisher for this 70-282 exam cram book and I like to hold virtual book readings by posting up passages. And did you know that my SBS 2008 book is now here at 🙂

Windows Server 2003 Security

When we talk about Windows Server 2003 Security we are also talking about SBS 2003 Security. For instance, when you manage resources through the SBS wizards for network users, you are effectively using Windows Server 2003 components to assign permissions and privileges to user and group accounts, determining which actions can be performed by users and which resources they can access. So please follow me for a little stroll into the Windows Server 2003 Security Model.

Authentication Protocols

Windows Server 2003 supports several network authentication protocols, all of which support a key feature: Single Sign-On. Single Sign-On allows a domain user to log on to the domain by using the user account credentials (username and password), or by swiping a smart card through the reader. The credentials are then authenticated in Active Directory (on a Domain Controller), and the user has access to network resources. From this point on the user can access any resource (computers, shares) without having to authenticate again; the Single Sign-On authentication process is automatic. The primary authentication protocols used by Windows Server 2003 are:

· Kerberos v5 – This is the primary authentication mechanism in Windows Server 2003 and a standard Internet protocol used for authenticating users and systems.

· NT LAN Manager (NTLM) – Used to authenticate computers on a Windows NT domain.

· Secure Sockets Layer/Transport Layer Security (SSL/TLS) – An authentication mechanism primarily used to access secure web servers.

· .Net Passport Authentication – Used to enable Active Directory information to authenticate Internet, intranet and external users, and is enabled through Internet Information Services (IIS).

Chapter 6: Securing Windows Small Business Server 2003

Access Controls

Every time an administrator creates a new user account, group account or a shared resource, Active Directory defines this as an Object. Each object in Active Directory receives Access Control Entries (ACEs) by way of security descriptors. A security descriptor:

· Specifies the permissions that have been assigned to a user or a group.

· Defines ownership of an object.

· Lists users and groups that are granted access to objects.

· Tracks events for auditing of objects.

Then there are the Access Control Lists (ACLs) which are made up of ACEs. All objects in Active Directory are protected by an ACL; the ACL determines what objects a user or group is allowed to see, and what actions can be performed on the object. And while we are at it, let’s throw the Security Identifier (SID) into the mix to make this story whole. The SID is a unique identifier that is also generated when the user or group account is created, containing a unique domain security ID prefix and a unique relative ID. (Discussing these further is beyond the scope of this book and should be researched at http:\\ com\reskit.) This means that even if the name is changed on a user account, the SID will still be able to track the user account and apply the ACE to it.

The way this plays out in terms of security on the Windows Server (or SBS), is that at the time a user logs on to the domain, the server will create a security token that specifies the SID and ACE for the particular account for this session (until logoff). When the user tries to access another Active Directory object (computer, share, printer, etc.), the ACEs in the token will be compared to the ACL of the object which will then determine if the user has access to it and what functions the user can perform with the object.

IMPORTANT: ACEs can be inherited from their parent objects in Active Directory, meaning that child objects have the same permissions as their parent. Hence, if a user account is made a member of the Domain Admin group, the user account inherits all the permissions granted to the Domain Admin group.
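To make the token-versus-ACL comparison above concrete, here is an added worked model of the Windows access check in Python. It is not code from the book or from Microsoft; it is a deliberately simplified model in which the logon token carries the user's SID and group SIDs, the object's security descriptor carries the ACEs, the DACL is evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow), and child objects receive copies of their parent's inheritable ACEs. The SIDs, the four-bit access mask and the share/folder layout are constructed for illustration only; the names `access_check`, `inherit_dacl` and `token_for` are this example's own.

```python
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed, simplified access mask (real Windows masks have many more bits).
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class Principal:
    """A user or group. The display name can change; the SID is fixed at creation."""
    sid: str
    name: str


@dataclass
class ACE:
    """One Access Control Entry in a DACL, keyed on the trustee's SID, never its name."""
    sid: str
    mask: int
    allow: bool = True          # False makes this a deny entry
    inheritable: bool = True    # copied onto child objects
    inherited: bool = False     # True when the entry was copied from a parent


@dataclass
class SecurityDescriptor:
    owner_sid: str
    dacl: List[ACE] = field(default_factory=list)


@dataclass
class Token:
    """Built at logon: the user's own SID plus every group SID it belongs to."""
    user_sid: str
    group_sids: frozenset

    def sids(self) -> frozenset:
        return self.group_sids | {self.user_sid}


def token_for(user: Principal, groups: Iterable[Principal]) -> Token:
    return Token(user.sid, frozenset(g.sid for g in groups))


def canonical(dacl: List[ACE]) -> List[ACE]:
    """Canonical DACL order: explicit denies, explicit allows, inherited denies, inherited allows."""
    by_deny_first = lambda ace: ace.allow   # False (deny) sorts before True (allow); sort is stable
    explicit = sorted((a for a in dacl if not a.inherited), key=by_deny_first)
    inherited = sorted((a for a in dacl if a.inherited), key=by_deny_first)
    return explicit + inherited


def inherit_dacl(parent: SecurityDescriptor, child: SecurityDescriptor) -> SecurityDescriptor:
    """Give the child copies of the parent's inheritable ACEs, flagged as inherited."""
    copied = [ACE(a.sid, a.mask, a.allow, a.inheritable, inherited=True)
              for a in parent.dacl if a.inheritable]
    explicit = [a for a in child.dacl if not a.inherited]
    return SecurityDescriptor(child.owner_sid, canonical(explicit + copied))


def access_check(token: Token, sd: SecurityDescriptor, desired: int) -> bool:
    """Walk the DACL in order. An ACE is only considered if its SID is in the token.
    A deny ACE covering any still-ungranted desired bit fails the check immediately;
    allow ACEs accumulate until every desired bit has been granted."""
    if desired == 0:
        return True
    held = token.sids()
    granted = 0
    for ace in sd.dacl:
        if ace.sid not in held:
            continue
        remaining = desired & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return False   # no ACE granted the last bits: implicit deny


# Constructed domain: one SID prefix, well-known RIDs for the built-in groups.
DOMAIN = "S-1-5-21-1000-2000-3000"
DOMAIN_ADMINS = Principal(f"{DOMAIN}-512", "Domain Admins")
DOMAIN_USERS = Principal(f"{DOMAIN}-513", "Domain Users")
STAFF = Principal(f"{DOMAIN}-1105", "Staff")
ALICE = Principal(f"{DOMAIN}-1104", "alice")
BOB = Principal(f"{DOMAIN}-1106", "bob")

# Parent share: admins get everything, every domain user may read; both entries inheritable.
SHARE = SecurityDescriptor(DOMAIN_ADMINS.sid, [
    ACE(DOMAIN_ADMINS.sid, FULL),
    ACE(DOMAIN_USERS.sid, READ),
])
# Child folder: Staff may additionally write but are explicitly denied delete.
PAYROLL = inherit_dacl(SHARE, SecurityDescriptor(DOMAIN_ADMINS.sid, [
    ACE(STAFF.sid, WRITE, inheritable=False),
    ACE(STAFF.sid, DELETE, allow=False, inheritable=False),
]))

ALICE_TOKEN = token_for(ALICE, [DOMAIN_USERS, STAFF])
BOB_TOKEN = token_for(BOB, [DOMAIN_USERS, DOMAIN_ADMINS])
# Alice added to Domain Admins but still a member of Staff: the explicit deny still wins.
ALICE_PROMOTED = token_for(ALICE, [DOMAIN_USERS, STAFF, DOMAIN_ADMINS])
# Renaming the account changes the name only; the SID, and therefore the token, is unchanged.
ALICE_RENAMED_TOKEN = token_for(Principal(ALICE.sid, "alice.smith"), [DOMAIN_USERS, STAFF])

if __name__ == "__main__":
    for who, tok in (("alice", ALICE_TOKEN), ("bob", BOB_TOKEN), ("alice (promoted)", ALICE_PROMOTED)):
        print(who, "read:", access_check(tok, PAYROLL, READ),
              "write:", access_check(tok, PAYROLL, WRITE),
              "delete:", access_check(tok, PAYROLL, DELETE))
```

The two points worth noticing are that the deny entry on the Payroll folder keeps blocking delete even after alice is placed in Domain Admins, because denies are evaluated before the inherited allow, and that the renamed account produces an identical token, which is exactly why the book says a renamed user keeps its ACEs.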


Harry Brelsford, CEO at SMB Nation (

MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)

PS – did you know my Windows Small Business Server 2008 (SBS 2008) book is almost here? Yes!

