Active Directory Security
The following components are used to implement Active Directory security:
- Security Descriptors - Every object has a security descriptor which:
  - Defines the permissions that apply to the object (and, on a container, to the objects created beneath it).
  - Contains the security identifier (SID) of the object's owner, a security principal. The owner can always read and rewrite the object's permissions, whatever the DACL says.
  - Contains the primary group SID, kept for compatibility with POSIX and other non-Microsoft systems.
  - Contains the Discretionary Access Control List (DACL), which lists the SIDs of security principals together with the access each one is allowed or denied on the object.
  - Contains the System Access Control List (SACL), which defines which access attempts on the object generate audit events.
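The following PowerShell is an added example, not code from the original page: it reads all four parts of an AD object's security descriptor through the AD: drive. It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined; the distinguished name is a placeholder, and reading the SACL needs the "Manage auditing and security log" privilege.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module (which provides the AD: drive); the DN below is a placeholder.
Import-Module ActiveDirectory

function Get-AdSecurityDescriptor {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    # -Audit also reads the SACL; that requires SeSecurityPrivilege.
    $sd = Get-Acl -Path "AD:\$DistinguishedName" -Audit

    [pscustomobject]@{
        Object             = $DistinguishedName
        Owner              = $sd.Owner                    # owner SID, resolved to DOMAIN\name
        PrimaryGroup       = $sd.Group                    # primary group SID (POSIX compatibility)
        InheritanceBlocked = $sd.AreAccessRulesProtected  # true when the DACL is protected
        # DACL: one ActiveDirectoryAccessRule per ACE. ObjectType limits the ACE to one
        # property, property set or extended right; InheritedObjectType to one child class.
        Dacl = @($sd.Access | Select-Object IdentityReference, ActiveDirectoryRights,
                     AccessControlType, IsInherited, InheritanceType, ObjectType, InheritedObjectType)
        # SACL: one ActiveDirectoryAuditRule per ACE; AuditFlags says Success, Failure or both.
        Sacl = @($sd.Audit | Select-Object IdentityReference, ActiveDirectoryRights,
                     AuditFlags, IsInherited)
    }
}

$sd = Get-AdSecurityDescriptor -DistinguishedName 'OU=Workstations,DC=corp,DC=example'
$sd | Select-Object Object, Owner, PrimaryGroup, InheritanceBlocked | Format-List
"DACL ({0} ACEs):" -f $sd.Dacl.Count
$sd.Dacl | Format-Table -AutoSize
"SACL ({0} ACEs):" -f $sd.Sacl.Count
$sd.Sacl | Format-Table -AutoSize
```

An empty SACL on a sensitive container means no audit events are generated for it, however good the DACL is; checking both lists together is the point of reading the whole descriptor.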
- Security Identifiers (SIDs) - A SID is a unique number that identifies a security principal; no two principals in a forest share one, and a SID is not reused after its principal is deleted. A domain SID has two parts:
  - Domain - The domain identifier (S-1-5-21 followed by three 32-bit sub-authorities), shared by every principal created in that domain.
  - Relative Identifier (RID) - The final sub-authority, unique within the domain, which identifies the individual principal. Some RIDs are fixed and well known, for example 500 for the built-in Administrator account and 512 for Domain Admins.
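As an added example (not part of the original page), the PowerShell below splits a SID into its domain identifier and RID using the .NET SecurityIdentifier class, and flags well-known RIDs. It runs offline; the sample SIDs are constructed for illustration and the well-known RID table is a subset.

```powershell
# Added example (not from the original page). Runs offline; the SIDs in $samples
# are constructed, and $knownRids lists only a few of the well-known RIDs.
function Split-Sid {
    param([Parameter(Mandatory)] [string] $Sid)

    $id = [System.Security.Principal.SecurityIdentifier] $Sid

    # RIDs that mean the same thing in every domain.
    $knownRids = @{
        500 = 'Administrator'; 502 = 'krbtgt';           512 = 'Domain Admins'
        513 = 'Domain Users';  516 = 'Domain Controllers'; 519 = 'Enterprise Admins'
    }

    # Only account SIDs (S-1-5-21-...) have a domain part and a RID; well-known
    # SIDs such as S-1-5-18 (LocalSystem) do not.
    $isAccount = $id.IsAccountSid()
    $rid = if ($isAccount) { [int] $Sid.Split('-')[-1] } else { $null }

    [pscustomobject]@{
        Sid         = $Sid
        IsDomainSid = $isAccount
        DomainSid   = if ($isAccount) { $id.AccountDomainSid.Value } else { $null }
        Rid         = $rid
        WellKnown   = if ($null -ne $rid -and $knownRids.ContainsKey($rid)) { $knownRids[$rid] } else { $null }
    }
}

$samples = @(
    'S-1-5-21-1004336348-1177238915-682003330-512',   # constructed: Domain Admins of a fictitious domain
    'S-1-5-21-1004336348-1177238915-682003330-1105',  # constructed: an ordinary principal, RID 1105
    'S-1-5-18'                                        # LocalSystem, no domain part
)
$samples | ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
```

Comparing the DomainSid of two principals is the reliable way to tell whether they belong to the same domain; the RID alone is only meaningful together with its domain identifier.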
- Security Principals - Objects that can be granted permissions; each has a SID. User accounts, computer accounts and groups are security principals.
Objects inherit the permissions of the container (usually an organizational unit) they are created in. Permissions set on a container object can be scoped so that they apply to:
- Only the object itself.
- The object and all of its descendants.
- Only the descendant objects.
- Only descendants of a specific object class, such as user or computer objects.
When inheritance is blocked on an object, one of two things happens: the previously inherited permissions are copied onto the object as explicit permissions, or they are removed, in which case the object's permissions must be set manually.
If an object is moved to another container, the permissions directly assigned to it remain. Any inherited permissions are lost and the object inherits permissions from its new container, unless inheritance is blocked on the moved object.
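The PowerShell below is an added example, not code from the original page. It reports the scope of every ACE on an object (which of the cases above each entry covers) and blocks inheritance on a container with either the copy or the remove behaviour. It assumes the RSAT ActiveDirectory module and a placeholder distinguished name; nothing is written unless -Commit is given.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module; the OU below is a placeholder. Writes only when -Commit is passed.
Import-Module ActiveDirectory

function Get-AdAceScope {
    param([Parameter(Mandatory)] [string] $DistinguishedName)

    $sd = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $sd.Access) {
        # ActiveDirectorySecurityInheritance values map onto the scopes described above.
        $scope = switch ($ace.InheritanceType) {
            'None'            { 'this object only' }
            'All'             { 'this object and all descendants' }
            'Descendents'     { 'descendants only' }
            'Children'        { 'immediate children only' }
            'SelfAndChildren' { 'this object and immediate children' }
        }
        # A non-empty InheritedObjectType restricts the ACE to one child class; the
        # GUID is the class's schemaIDGUID (e.g. the user or computer class).
        if ($ace.InheritedObjectType -ne [guid]::Empty) {
            $scope += " of class $($ace.InheritedObjectType)"
        }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference
            Rights    = $ace.ActiveDirectoryRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
            AppliesTo = $scope
        }
    }
}

function Block-AdInheritance {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [switch] $CopyInherited,   # keep inherited ACEs as explicit copies instead of dropping them
        [switch] $Commit
    )
    $path = "AD:\$DistinguishedName"
    $sd = Get-Acl -Path $path
    # First argument: protect the DACL (block inheritance).
    # Second argument: preserve the currently inherited ACEs as explicit ACEs (copy) or not (remove).
    $sd.SetAccessRuleProtection($true, [bool] $CopyInherited)
    if ($Commit) {
        Set-Acl -Path $path -AclObject $sd
    } else {
        Write-Host "Dry run: would block inheritance on $DistinguishedName (copy inherited ACEs: $CopyInherited)"
    }
}

$ou = 'OU=Servers,DC=corp,DC=example'
Get-AdAceScope -DistinguishedName $ou | Format-Table -AutoSize
Block-AdInheritance -DistinguishedName $ou -CopyInherited
```

Blocking without -CopyInherited leaves the container with only its explicit ACEs, so an administrator who then cannot reach the object has to be repaired through the owner or a parent; copying first and pruning afterwards is the safer order.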
Since Windows 2000, every domain controller hosts the SYSVOL share, which holds Group Policy templates and logon scripts and is replicated to all domain controllers in the domain. It plays no part in authenticating users, but because its scripts and policy templates are applied by every domain member, write access to SYSVOL is as sensitive as write access to the directory itself.
Access Control Lists
Every Active Directory object has a security descriptor holding its access control lists (ACLs). An ACL is an ordered list of access control entries (ACEs). Each ACE names one security principal (a user, group or computer) by SID, the rights it is allowed or denied, and the scope over which the entry applies. In the canonical order, explicit ACEs come before inherited ones and deny ACEs before allow ACEs at the same level, so an explicit deny takes precedence over an allow for the same principal.
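As an added example (not from the original page), the PowerShell below walks the DACL of an object and reports allow ACEs that give a principal outside a trusted list the ability to take the object over (GenericAll, WriteDacl or WriteOwner). It assumes the RSAT ActiveDirectory module; the distinguished name and the trusted principal names are placeholders for the target domain.

```powershell
# Added example (not from the original page). Assumes the RSAT ActiveDirectory
# module; the DN and the trusted principal names are placeholders.
Import-Module ActiveDirectory

function Find-RiskyAce {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Principals expected to hold full control; adjust for the domain being audited.
        [string[]] $TrustedPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                                          'CORP\Domain Admins', 'CORP\Enterprise Admins')
    )
    $sd = Get-Acl -Path "AD:\$DistinguishedName"

    # Rights that let the holder take over the object: full control, or the ability
    # to rewrite the DACL or the owner (either of which leads to full control).
    $takeover = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll, WriteDacl, WriteOwner'

    foreach ($ace in $sd.Access) {
        # Deny ACEs restrict rather than grant; skip them.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }

        # Bitwise test: does this ACE carry any of the takeover bits?
        if (([int] ($ace.ActiveDirectoryRights -band $takeover)) -ne 0) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited          # inherited ACEs point back at a parent container
                Scope     = $ace.InheritanceType
            }
        }
    }
}

Find-RiskyAce -DistinguishedName 'CN=AdminSDHolder,CN=System,DC=corp,DC=example' | Format-Table -AutoSize
```

An inherited hit means the real problem sits on a parent container, so the same check is worth running up the OU chain rather than on one object at a time.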