Abstract

This chapter focuses on the authorization service that protects against unauthorized use and explains the interaction between an entity and a resource. The discussion begins with authorization basics and later explains the Windows authorization model. Authorization always deals with two entities: a subject and an object that the subject wants to access. In Active Directory, a subject can be a security principal such as a user. The object can be file resources hosted on a file server or e-mails on a mailbox server. Authorization between the subject and the object is typically executed and enforced by a third entity that is generally referred to as the reference monitor. In a Windows environment, this third entity is known as the Security Reference Monitor (SRM). The SRM runs in the highly privileged OS kernel mode and checks all access to resources requested by code running in user mode. To ease access control management in large distributed computing environments, Windows includes authorization intermediaries, namely groups and user rights. Groups provide a way to collect entities with similar capabilities, whereas user rights define the capabilities of subjects to manage system resources and to perform system-related tasks. The chapter also provides an overview of the Windows 2000 authorization changes and the Windows 2003 authorization changes. The former include the new ACL editor, ACL inheritance, controlling inheritance, object type-based ACEs, and the ACL evaluation process. The latter comprise more restrictive authorization settings, effective permissions, default AD security descriptor changes, AD link value replication and group membership updates, quotas for AD objects, hiding data in the file systems and shares, and the confidential bit for AD attributes. The chapter concludes with a discussion of Authorization Manager, the Windows Server 2003 RBAC architecture and its major components, and a list of authorization tools.
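As an added illustration of the ACL evaluation process and effective permissions the abstract lists (example code, not from the chapter), the following simplified Python model walks a DACL the way the Security Reference Monitor does, with deny ACEs short-circuiting and allow ACEs accumulating rights; the mask bits, SIDs, tokens and the two DACLs are constructed for the example.

```python
from dataclasses import dataclass

# Constructed access-mask bits and SIDs; real Windows masks and SIDs differ.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
STAFF_SID = "S-1-5-21-0-0-0-1101"        # constructed group SID
CONTRACTORS_SID = "S-1-5-21-0-0-0-1102"  # constructed group SID

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # trustee: user or group SID the ACE applies to
    mask: int   # access rights covered by this ACE

def check_access(token_sids, dacl, requested):
    """Simplified SRM walk over a DACL for one access request.

    Returns (granted, reason). ACEs are visited in list order; a matching deny
    ACE covering any requested right ends the walk with a denial, allow ACEs
    accumulate rights until every requested bit is covered."""
    if dacl is None:   # NULL DACL: object is unprotected, everything is allowed
        return True, "NULL DACL grants all access"
    if not dacl:       # empty DACL: no ACE can grant anything
        return False, "empty DACL denies all access"
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False, f"denied by ACE for {ace.sid}"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "no ACE granted the remaining rights"

def effective_rights(token_sids, dacl, rights=(READ, WRITE, EXECUTE)):
    """Effective permissions: the set of single rights the token would get."""
    return {r for r in rights if check_access(token_sids, dacl, r)[0]}

# Canonical order: explicit deny ACEs precede allow ACEs.
CANONICAL_DACL = [Ace("deny", CONTRACTORS_SID, WRITE),
                  Ace("allow", STAFF_SID, READ | WRITE)]
# Same ACEs, non-canonical order: the allow is reached before the deny.
NONCANONICAL_DACL = list(reversed(CANONICAL_DACL))

EMPLOYEE_TOKEN = {"S-1-5-21-0-0-0-2001", STAFF_SID}                     # constructed
CONTRACTOR_TOKEN = {"S-1-5-21-0-0-0-2002", STAFF_SID, CONTRACTORS_SID}  # constructed
```

The non-canonical DACL shows why ACE ordering matters: the same deny ACE no longer blocks the contractor's write once an allow ACE precedes it, which is what the ACL editor's canonical ordering prevents.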
