Howdy folks – I am the publisher for this 70-282 exam cram book and I like to hold virtual book readings by posting up passages. And did you know that my SBS 2008 book is now here at www.smbnation.com. 🙂
Windows Server 2003 Security
When we talk about Windows Server 2003 Security we are also talking about SBS 2003 Security. For instance, when you manage resources through the SBS wizards for network users, you are effectively using Windows Server 2003 components to assign permissions and privileges to user and group accounts, determining which actions can be performed by users and which resources they can access. So please follow me for a little stroll into the Windows Server 2003 Security Model.
Windows Server 2003 supports several network authentication protocols, and together they deliver a key feature, Single Sign-On (SSO). With SSO a domain user logs on to the domain once, either with user account credentials (username and password) or with a smart card and its PIN. The credentials are authenticated against Active Directory on a domain controller, and from then on the user can reach network resources (computers, shares) without being prompted to authenticate again; the follow-on authentications to each resource happen automatically. The primary authentication protocols used by Windows Server 2003 are:
· Kerberos v5 – This is the primary authentication mechanism in Windows Server 2003 and a standard Internet protocol used for authenticating users and systems.
· NT LAN Manager (NTLM) – Kept for backward compatibility with Windows NT 4.0 domains and for logons that Kerberos cannot handle, such as local (non-domain) accounts or a server addressed by IP address instead of by name.
· Secure Sockets Layer/Transport Layer Security (SSL/TLS) – A certificate-based authentication mechanism primarily used when clients access secure (HTTPS) web servers.
· .NET Passport Authentication – Allows Active Directory information to be used to authenticate Internet, intranet and external users; it is enabled through Internet Information Services (IIS).
Chapter 6 Securing Windows Small Business Server 2003
Every time an administrator creates a new user account, group account or shared resource, Active Directory (or the file system, in the case of a share) represents it as an object. Each object carries a security descriptor, and the security descriptor is where the object's Access Control Entries (ACEs) live. A security descriptor:
· Specifies the permissions that have been assigned to each user or group (the discretionary ACL, or DACL).
· Defines the owner of the object; the owner can always read and change the object's permissions.
· Lists the users and groups that are granted, or explicitly denied, access to the object.
· Specifies which access attempts on the object are to be audited (the system ACL, or SACL); the resulting audit events are written to the Security log.
Then there are the Access Control Lists (ACLs), which are made up of ACEs. Every object in Active Directory is protected by an ACL; the ACL determines which objects a user or group is allowed to see and which actions can be performed on them. And while we are at it, let's throw the Security Identifier (SID) into the mix to make this story whole. The SID is a unique identifier generated when the user or group account is created; it consists of a domain security ID prefix, shared by every account in the domain, and a relative ID (RID) that is unique within that domain. (Discussing these further is beyond the scope of this book; see http://www.microsoft.com/reskit.) ACEs refer to accounts by SID, never by name, so even if a user account is renamed, every ACE that applied to it before still applies to it afterwards.
The way this plays out in terms of security on the Windows Server (or SBS) is that when a user logs on to the domain, the system builds an access token for that logon session (valid until logoff). The token holds the user's SID, the SIDs of every group the user belongs to, and the user's privileges. When the user tries to access a securable object (a computer, share, printer, file or Active Directory object), the SIDs in the token are compared with the ACEs in the object's ACL, in order, and that comparison determines whether the user has access and what the user can do with the object. An ACE that denies access to one of the SIDs in the token takes effect before a later ACE that allows it, which is why a single deny entry can lock out a member of an otherwise permitted group.
IMPORTANT: Two different mechanisms are easy to confuse here. ACEs can be inherited from parent objects in Active Directory (and in the file system), meaning that a child object takes on the permissions set on its parent container unless inheritance is blocked. Group membership works differently: when a user account is made a member of the Domain Admins group, the group's SID is added to the user's access token at the next logon, so every ACE that grants Domain Admins access now applies to that user. Nothing is copied onto the user account itself; remove the membership and the access is gone at the next logon.
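The access check the preceding paragraphs describe, as an added example that is not from the book: a small Python model that parses a security descriptor written in SDDL (the string form Windows uses in security templates and accepts through the ConvertStringSecurityDescriptorToSecurityDescriptor API) and evaluates a logon token's SIDs against the DACL in order, deny before allow, which is the comparison the text describes. The domain SID, the accounts Bob and Alice and the share descriptor are constructed for this example; the well-known SIDs and the access-mask values are the real Windows constants.

```python
# Added example (not from the book): model of the Windows access check.
# All SIDs and the share descriptor below are constructed for the example.
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed domain SID; a real one is generated when the domain is created.
DOMAIN_SID = "S-1-5-21-1000000001-2000000002-3000000003"

# Subset of the SDDL account aliases (well-known SIDs).
SID_ALIASES = {
    "BA": "S-1-5-32-544",        # BUILTIN\Administrators
    "SY": "S-1-5-18",            # NT AUTHORITY\SYSTEM
    "AU": "S-1-5-11",            # Authenticated Users
    "WD": "S-1-1-0",             # Everyone
    "DA": DOMAIN_SID + "-512",   # Domain Admins (domain SID prefix + RID 512)
    "DU": DOMAIN_SID + "-513",   # Domain Users  (domain SID prefix + RID 513)
}

# Subset of the SDDL rights aliases (file-object access masks).
RIGHTS_ALIASES = {
    "FA": 0x1F01FF,   # FILE_ALL_ACCESS
    "FR": 0x120089,   # FILE_GENERIC_READ
    "FW": 0x120116,   # FILE_GENERIC_WRITE
    "FX": 0x1200A0,   # FILE_GENERIC_EXECUTE
}
READ_CONTROL, WRITE_DAC = 0x20000, 0x40000   # rights the owner always holds


@dataclass
class Ace:
    ace_type: str     # "A" = access allowed, "D" = access denied
    flags: Set[str]   # e.g. {"CI", "OI"} inheritable, {"ID"} inherited, {"IO"} inherit-only
    mask: int
    sid: str


@dataclass
class SecurityDescriptor:
    owner: str
    group: str
    dacl: Optional[List[Ace]]   # None models a NULL DACL: no protection at all


def _sid(tok: str) -> str:
    return SID_ALIASES.get(tok, tok)


def _mask(tok: str) -> int:
    if tok.startswith("0x"):
        return int(tok, 16)
    mask = 0
    for i in range(0, len(tok), 2):   # aliases are two letters and may be concatenated
        mask |= RIGHTS_ALIASES[tok[i:i + 2]]
    return mask


def parse_sddl(sddl: str) -> SecurityDescriptor:
    """Parse 'O:..G:..D:(ace)(ace)..'; the S: (SACL) section is ignored here."""
    parts = dict(re.findall(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl))
    dacl = None
    if "D" in parts:   # a D: section with no ACEs is an empty DACL: deny everyone
        dacl = [
            Ace(t, {f[i:i + 2] for i in range(0, len(f), 2)}, _mask(m), _sid(s))
            for t, f, m, s in re.findall(r"\((\w);(\w*);(\w+);;;([^)]+)\)", parts["D"])
        ]
    return SecurityDescriptor(_sid(parts["O"]), _sid(parts["G"]), dacl)


def build_token(user_sid: str, group_sids: Iterable[str]) -> Set[str]:
    """Model the access token built at logon: the user SID plus every group SID.
    Account names never appear in it, which is why renaming an account changes nothing."""
    return {user_sid, *group_sids, SID_ALIASES["AU"], SID_ALIASES["WD"]}


def access_check(sd: SecurityDescriptor, token: Set[str], requested: int) -> bool:
    """True if the token is granted every bit in `requested`."""
    if sd.dacl is None:
        return True                                     # NULL DACL: anyone, anything
    granted = (READ_CONTROL | WRITE_DAC) & requested if sd.owner in token else 0
    for ace in sd.dacl:
        if ace.sid not in token or "IO" in ace.flags:   # inherit-only ACEs do not apply
            continue
        remaining = requested & ~granted
        if ace.ace_type == "D" and ace.mask & remaining:
            return False        # a deny on any still-ungranted bit ends the check
        if ace.ace_type == "A":
            granted |= ace.mask & requested
        if granted == requested:
            return True         # stop as soon as everything requested is granted
    return granted == requested


# Constructed share descriptor: Bob is denied the write bits, Administrators get
# full control, Authenticated Users may read. 0x116 is the mask behind the ACL
# editor's "Write" permission (write data, append, write EA, write attributes).
BOB, ALICE = DOMAIN_SID + "-1105", DOMAIN_SID + "-1106"
SHARE_SDDL = "O:BAG:DAD:(D;;0x116;;;" + BOB + ")(A;;FA;;;BA)(A;;FR;;;AU)"


def demo() -> dict:
    sd = parse_sddl(SHARE_SDDL)
    bob = build_token(BOB, [SID_ALIASES["DU"]])
    # Domain Admins is nested in BUILTIN\Administrators on domain machines, so
    # Alice's logon token carries both SIDs and the (A;;FA;;;BA) ACE matches her.
    alice = build_token(ALICE, [SID_ALIASES["DU"], SID_ALIASES["DA"], SID_ALIASES["BA"]])
    # Same deny written with the FW alias: FW also contains READ_CONTROL and
    # SYNCHRONIZE, which FR needs, so that deny blocks Bob's reads as well.
    sd_deny_fw = parse_sddl(SHARE_SDDL.replace("0x116", "FW"))
    return {
        "bob_read": access_check(sd, bob, RIGHTS_ALIASES["FR"]),
        "bob_write": access_check(sd, bob, RIGHTS_ALIASES["FW"]),
        "alice_full": access_check(sd, alice, RIGHTS_ALIASES["FA"]),
        "bob_read_deny_fw": access_check(sd_deny_fw, bob, RIGHTS_ALIASES["FR"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'DENIED'}")
```

Run it and the four checks print granted, DENIED, granted, DENIED. The last case is the caveat to remember when writing deny ACEs by hand: the FW alias carries READ_CONTROL and SYNCHRONIZE, which every read also needs, so a deny written with FW locks the account out of reading too, and the deny-before-allow ordering means no later allow entry can rescue it. The ACL editor's basic "Write" permission corresponds to the 0x116 bits alone for exactly that reason.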
Harry Brelsford, CEO at SMB Nation (www.smbnation.com)
MBA, MCSE, CNE, CLSE, CNP, MCP, MCT, SBSC (Microsoft Small Business Specialist)
PS – did you know my Windows Small Business Server 2008 (SBS 2008) book is almost here? Yes!