Permissions in Software

Creation GS1 - 13 in Software Permissions

13

Discretionary Access Control List (DACL) This specifies the permissions assigned for the object to different users and groups The DACL is a data structure containing Access Control Entries (ACEs) Each ACE specifies the permission assigned for the object to a specific user or group, and whether that permission is allowed or denied

When a security principal (a user, group, computer, or service) wants to access an object within AD, it must first be authenticated For example, let s say a user wants to access an object within AD to view or modify the values of its attributes by using some tool When the user logs on to some domain, a domain controller authenticates the user s credentials and grants the user an access token An access token is a data structure associated with a security principal and contains the following information (we ll use the example of a user account as our security principal):

User SID This uniquely identifies the user within the enterprise Group SID This uniquely identifies the groups to which the user belongs User Rights This is a list of the privileges that the user has on the local machine

Once the security principal (that is, user) has an access token, he can try to access objects within AD To determine whether the user can access the object and the level of access it has, the user s access token is compared with the security descriptor attached to the object This matching process is done by the Windows 2000 security subsystem, of which AD itself is only a part In this matching process, the user SID from the user s access token is compared with each ACE within the DACL of the object s security descriptor (Figure 131) First the user SID is compared with each DenyACE in the DACL; if a match is found, then the user is denied access to the object and the matching process stops If no match is found in the DenyACE, the user SID is compared with each AllowACE in the DACL; if matches are found, the effective (cumulative) permission for the user to access the object is determined and access is granted; if no matches are found for the AllowACEs, then the user is denied access to the object What gives the Windows 2000 permissions model its real power is inheritance Inheritance is the process by which permissions assigned to a parent object are copied to a child object By default, all permissions assigned to parent objects (such as organizational units and other containers) in AD are copied to all child objects beneath that parent In

other words, you can apply permissions to an entire subtree of objects within the AD hierarchy at a single stroke You can also choose to override inheritance, if you like, as we will see later Inheritance simplifies the application of permissions in AD and makes them easier to manage This information is probably more than you ever wanted to know about the innards of Windows 2000 (and there s even deeper stuff we haven t covered), but it s important to understand the Windows 2000 permissions model because Exchange 2000 permissions are based on the same underlying mechanism

Windows 2000 controls access to objects in AD through permissions, and there are several different categories of permissions:

Standard permissions These permissions generally apply to all (or almost all) classes of objects within AD Object-specific permissions These permissions apply only to objects in certain classes Extended permissions These permissions apply only to objects managed by applications like Exchange, which extend the AD schema when installed

13

We won t cover all the possible permissions available for securing AD; instead, Table 131 presents a summary of the most common AD permissions that apply to a wide range of different objects (excluding those managed by Exchange, which are covered in the next section) Each of these permissions may be allowed or denied access by a specific security principal for different objects Some of these permissions are easy to understand, whereas others are a bit esoteric The table is provided for informational purposes only we don t want to get sidetracked in too much detail