The following excerpt is from Chapter 6 of the MCSE Exam Cram 2 book "Designing security for a
Microsoft Windows Server 2003 network" written by Ed Tittel, courtesy of Sams Publishing.
Designing an access control strategy for directory services
The design of each network is unique in regard to access control. Many factors can affect your decisions, such as whether you want to manage the entire network yourself or delegate some responsibility, how sensitive the information is, and how tightly you need to control access to it. Windows Server 2003 servers have some built-in standards that you can follow. You need to understand access control strategy in regard to the following concepts:
- Creating a delegation strategy
- Analyzing auditing requirements
- Designing an appropriate group strategy for accessing resources
- Designing a permission structure for directory service objects
Creating a delegation strategy
Your job as a network administrator is to control all aspects of the functionality and data on your network. This can be a monumental task on a large network. For example, your network might include many different geographical locations, making management by one person a difficult task. Also, a manager at a remote location might know better than you what type and level of network management is needed at that location. For these reasons, network administrators sometimes delegate the ability to manage certain aspects of a network to other managers.
NOTE: Delegation of control does not mean that you are shifting responsibility. You are still responsible for overall network management and need to follow up on any tasks that you delegate.
In Windows Server 2003, a user does not have to be a network administrator to handle some network management tasks. You can use the structure of the system to delegate the necessary control over only the appropriate objects and attributes for each user that you designate. Windows Server 2003 Active Directory provides the means to control every object's access to every other object. To create an effective delegation strategy, you need to understand the concept and the use of the following components of Active Directory:
- Organizational units (OUs)
- Discretionary access control lists (DACLs)
- Delegation of Control Wizard
Basically, everything in Active Directory is an object. This includes users, computers, resources, Group Policies and even connections. Each of these objects is fully controllable as to what it can do to other objects and what other objects can do to it. You can place objects into containers, such as domains, OUs and sites to better manage those objects. You can create new objects when needed to represent the physical or logical characteristics of your network. Each object is unique and is represented to your Active Directory with a security descriptor. Even if you were to delete an object and re-create an object with the same name, the new object would be totally new to your Active Directory.
An organizational unit (OU) is a container that is used to group objects into logical units. OUs have two primary purposes. First, OUs are used to control the distribution of Group Policies to groups of computers and users. Second, OUs are used to delegate administrative authority. You can delegate to a user the right to manage all of the objects that are in a certain OU. You can then determine which objects you place into the OU.
Discretionary access control lists
As we discussed previously, every object in Active Directory is fully controllable. The discretionary access control lists (DACLs) provide this control. Each object has its own DACL, and each DACL has a set of access control entries (ACEs) that can be set to allow or to deny permissions to another object in Active Directory. These permissions include full control, read, write, create all child objects, delete all child objects and many other special permissions. You can implicitly deny permissions by simply not allowing them, or you can explicitly deny permissions by selecting Deny. Figure 6.1 shows a DACL.
Figure 6.1 Each object in Active Directory has its own discretionary access control list.
ALERT: You need to be careful about explicitly denying any permissions because an explicit deny applied to a user or group overrides any other permissions that user might have had through another group membership.
Delegation of Control Wizard
As you might have noticed, the DACLs can be complex and confusing in regard to the correct settings to apply for a desired result. For this reason, the Delegation of Control Wizard focuses instead on the desired result. You simply select the tasks that you want the user to be allowed to perform, and the wizard changes the DACLs so that the user has the permissions to perform the selected tasks.
You access the Delegation of Control Wizard by right-clicking a selected container in Active Directory Users and Computers or Active Directory Sites and Services and then clicking Delegate Control. You can then choose the user or group to which you want to delegate control. Next, you choose tasks from a list or you can create a custom task. Figure 6.2 shows the Delegation of Control Wizard. You can only use the wizard to give additional permissions, not to take them away. To take away control, you need to modify the appropriate DACLs manually.
Figure 6.2 The Delegation of Control Wizard focuses on the tasks being delegated and sets the DACLs automatically.
ALERT: You can use the Delegation of Control Wizard to add tasks that a user is delegated to perform, not to take away control. To remove control, you need to modify the DACLs manually.
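Because the wizard only adds ACEs, reviewing and undoing a delegation means reading the container's DACL directly. The following PowerShell sketch is an added example, not part of the book excerpt: it lists the ACEs set directly on an OU, flags the explicit Deny entries that the earlier alert warns about, and stages removal of one delegate's entries. It assumes a management workstation with the ActiveDirectory PowerShell module; the OU and group names are hypothetical.

```powershell
# Added example. Requires the ActiveDirectory module, which provides the AD: drive.
Import-Module ActiveDirectory

# Hypothetical values: substitute your own OU and delegated group.
$ouDn     = 'OU=Sales,DC=example,DC=com'
$delegate = 'EXAMPLE\SalesHelpdesk'

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# 1. Review: ACEs set directly on this OU (not inherited from a parent).
#    A delegation made at this container shows up here as explicit entries.
$explicit = @($acl.Access | Where-Object { -not $_.IsInherited })
$explicit |
    Sort-Object { $_.IdentityReference.Value }, AccessControlType |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 ObjectType, InheritedObjectType, InheritanceType -AutoSize

# 2. Flag explicit Deny ACEs. These override permissions the same user
#    receives through any other group membership, so each one needs a reason.
$denies = @($explicit | Where-Object { $_.AccessControlType -eq 'Deny' })
foreach ($ace in $denies) {
    Write-Warning ("Explicit Deny for {0}: {1}" -f
        $ace.IdentityReference.Value, $ace.ActiveDirectoryRights)
}

# 3. Undo a delegation: remove only the delegate's explicit ACEs.
#    Inherited ACEs must be removed on the parent container where they are set.
$toRemove = @($explicit | Where-Object { $_.IdentityReference.Value -eq $delegate })
foreach ($ace in $toRemove) {
    $acl.RemoveAccessRuleSpecific($ace)
}

if ($toRemove.Count -gt 0) {
    # -WhatIf shows the pending change without writing it.
    # Remove -WhatIf after reviewing the list printed in step 1.
    Set-Acl -Path $path -AclObject $acl -WhatIf
} else {
    Write-Output "No explicit ACEs for $delegate on $ouDn."
}
```

In the step 1 table, the ObjectType and InheritedObjectType columns hold schema GUIDs; an all-zero GUID means the ACE is not limited to a specific attribute or object class.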