Name: Hatem elbuhaisi
Name no: 120100071
University of Palestine
Miss: yasmen elboboo
Chairing Information Technology
Hands-On Microsoft Windows Server 2003 Active Directory
Explain basic security concepts in an Active Directory computer network, including discretionary access control lists (DACLs), system access control lists (SACLs), and security principals
Demonstrate the use of DACLs to control access to objects in Active Directory
Demonstrate the use of DACLs to control access to network resources
Describe the user authentication process in an Active Directory domain
Security principals can be given permissions to access a resource
Groups can also be granted permissions
A security principal can be a user, an InetOrgPerson object, a computer, or a security group
A contact is not a security principal
Unique binary value
Often expressed in Security Descriptor Definition Language (SDDL) format
S-1-identifier authority-subauthority identifier-domain identifier-relative identifier
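The layout above is that of a security identifier (SID). As an added example (not part of the original slides), this Python code converts a SID between its binary value and its S-1-... string form and splits off the relative identifier. The function names and the sample domain SID are constructed for illustration.

```python
import struct

# Constructed sample: authority 5, subauthority 21, a made-up three-part
# domain identifier, and relative identifier (RID) 1105.
SAMPLE_SID = "S-1-5-21-1004336348-1177238915-682003330-1105"

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID: 1-byte revision, 1-byte subauthority count,
    6-byte big-endian identifier authority, then 4-byte little-endian
    subauthorities (the last one is the RID for domain accounts)."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("a SID holds at most 15 subauthorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the subauthority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack(f"<{count}I", raw[8:])
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def string_to_sid(text: str) -> bytes:
    """Encode the S-1-... string form back into the binary value."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or len(subs) > 15:
        raise ValueError("unsupported revision or too many subauthorities")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)

def split_domain_sid(text: str):
    """Return (domain SID, RID): everything before the last dash
    identifies the issuing domain, the final number the account."""
    domain, _, rid = text.rpartition("-")
    return domain, int(rid)

if __name__ == "__main__":
    raw = string_to_sid(SAMPLE_SID)
    print(raw.hex(), sid_to_string(raw), split_domain_sid(SAMPLE_SID))
```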
Same structure as a DACL
Determines if the access is audited
Can track changes and logons
“Implicit deny” occurs when no ACE is found
ACEs are normally used to grant access
Deny is used to override an allow granted as a member of a group
Owners always have access
Permissions can be inherited from parent objects such as OUs
Each ACE is marked to indicate whether it was directly applied or inherited
There is no good reason to grant permissions explicitly to individual users
In a single-domain forest, use global groups
If using machine local accounts, use machine local groups
If using a small number of domains and one site:
Assign users to global groups
Assign global groups to domain local groups
Grant permissions to the domain local groups
Using only universal groups works well in single-domain environments, but not in a large forest
Using domain local, global, and universal groups is the best approach for the same group to access resources in different domains
Control can be delegated with precision using Active Directory
The exact and granular permissions available
Protecting objects is essential
Most protected resources use a DACL similar in format to Active Directory objects
Three possible identification factors for authentication:
Something you know
Something you have
Something you are
Two-factor authentication uses a password and an additional factor to increase security, such as:
SecurID
Biometric devices
Smart cards