Presentation is loading. Please wait.

Presentation is loading. Please wait.

Autonomy of User Groups in Microsoft Windows Matthieu-P. Schapranow André Wendt.

Published byElaine McCarthy Modified over 8 years ago

Similar presentations

Presentation on theme: "Autonomy of User Groups in Microsoft Windows Matthieu-P. Schapranow André Wendt."— Presentation transcript:

1 Autonomy of User Groups in Microsoft Windows Matthieu-P. Schapranow André Wendt

2  Matthieu-P. Schapranow, André Wendt, June 2oo5 2 Agenda Delegation Concepts Windows Authentication Access Control Lists and Entries Demonstration on demand (HPI Interaction example) Further possible solutions Why delegate control?

3  Matthieu-P. Schapranow, André Wendt, June 2oo5 3 Delegation Concepts  Reasons for task delegation Organizational structure Operational requirements Legal requirements …  Autonomy (manage independently) service autonomy data autonomy  Isolation (prevent others from) service isolation data isolation Which object control can be delegated?

4  Matthieu-P. Schapranow, André Wendt, June 2oo5 4 Delegation Concepts (contd.)  Abstract structures to delegate Organizational unit (OU) Domain Forest Organizational Unit Root and Child Domains (Child) DomainForest Where to start delegation of control?

5  Matthieu-P. Schapranow, André Wendt, June 2oo5 5 Delegation Concepts (contd.) Staff OU  OU per faculty Students OU  OU per year Extern OU  Multiple Sub-OUs

6  Matthieu-P. Schapranow, André Wendt, June 2oo5 6 Windows Authentication  Static access control once a user is logged-on, the Access Token is not changed whether access is granted is not determined at the time of access KDC

7  Matthieu-P. Schapranow, André Wendt, June 2oo5 7 Access Control Lists  Active Directory (AD) object permissions Windows in general: an attempt to access a securable object is subject to an access check same applies to AD objects – AD permissions control who can do what on those objects the three default permissions are read, write, and full control every AD object has these permissions some may have more (depending on object class)  Some directory service access rights are: read/modify permissions read/write all properties create/delete all child objects

8  Matthieu-P. Schapranow, André Wendt, June 2oo5 8 Access Control Lists (contd.)  Those permissions can be categorized into standard and special permissions  validated writes (validate a property value before writing it)  “extended rights” (sets of properties)  Group object comes with particular permissions: read/write group name read/write groupType read/write groupAttributes read/write members

9  Matthieu-P. Schapranow, André Wendt, June 2oo5 9 Access Control Entries for Groups

10  Matthieu-P. Schapranow, André Wendt, June 2oo5 10 Demonstration on demand (HPI Interaction example)

11  Matthieu-P. Schapranow, André Wendt, June 2oo5 11 Demonstration on demand (contd.)

12  Matthieu-P. Schapranow, André Wendt, June 2oo5 12 Demonstration on demand (contd.)

13  Matthieu-P. Schapranow, André Wendt, June 2oo5 13 Further ways to access the AD access and administration of groups via webserver  PHP-/ASP scripts  Requires access to AD for webserver process  Poses high security risk application programs written for that particular task  More effort  Security issues  Batch scripts  VB scripts VB scripts

14  Matthieu-P. Schapranow, André Wendt, June 2oo5 14 Pros vs. Cons  Pros: Fine granular (more than rwx) Simple way to delegate control Transparent and scalable  Cons: Single-sign-on credential Replicas need time (transitional trusts) Abandoned Groups ( Large Numbers of ACEs in ACLs Impair Directory Service Performance )

15  Matthieu-P. Schapranow, André Wendt, June 2oo5 15 Thank you for the attention! AAny questions?

16  Matthieu-P. Schapranow, André Wendt, June 2oo5 16 Literature Addison-Wesley, Inside Active Directory, 2002 Arkills, Brian and Wilper, Ross. Overview of Active Directory Security. June 4, 2002. (http://windows.stanford.edu/Public/Security/ADSecurityOverview.htm) Baur, Ralph. Windows 2000 – Active Directory. Microsoft GmbH. November 8, 1999. Hillman, Mary. Best Practices for Delegating Active Directory Administration. Microsoft Corporation, November 24, 2003. Meyer, Karl-Heinz et al. Securing the Windows Plattform. Presentation, Microsoft Corporation & HP Services, March 29, 2004 Microsoft Corperation, Windows NT 5.0 Operating System – Using the Delegation of Control Wizard, Beta 2 Technical Walkthrough, July 1998 Microsoft GmbH, Microsoft Windows Server 2003, Active Directory – technische Übersicht, July 2002 Microsoft Technet, Design Considerations for Delegation of Administration in Active Directory, June 2005. (http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/plan/addeladm.mspx)

Download ppt "Autonomy of User Groups in Microsoft Windows Matthieu-P. Schapranow André Wendt."

Similar presentations

Active Directory: Beyond The Basics

Active Directory: Beyond The Basics
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
COMP091 OS1 Active Directory. Some History Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over netbios (tcp/ip still.

COMP091 OS1 Active Directory. Some History Early 1990s Windows for Workgroups introduced peer-to-peer networking based on SMB over netbios (tcp/ip still.
By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.

By Rashid Khan Lesson 5-Directory Assistance: Administration Using Active Directory Users and Computers.
Windows Server 2003 使用者群組管理 林寶森

Windows Server 2003 使用者群組管理 林寶森
1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.

1 Chapter Overview Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Chapter 4 Chapter 4: Planning the Active Directory and Security.

Chapter 4 Chapter 4: Planning the Active Directory and Security.
Introduction to Active Directory

Introduction to Active Directory
11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.

11 WORKING WITH GROUPS Chapter 7. Chapter 7: WORKING WITH GROUPS2 CHAPTER OVERVIEW  Understand the functions of groups and how to use them.  Understand.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
CS603 Active Directory February 1, 2001.

CS603 Active Directory February 1, 2001.
Administering Active Directory

Administering Active Directory
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
3.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.

3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
Making Identity and Access Management Real – The Early Days Brian Lauge Pedersen Senior Technology Specialist.

Making Identity and Access Management Real – The Early Days Brian Lauge Pedersen Senior Technology Specialist.
7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.

7-Access Control Fundamentals Dr. John P. Abraham Professor UTPA.
1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.

1 Securing Network Resources Understanding NTFS Permissions Assigning NTFS Permissions Assigning Special Permissions Copying and Moving Files and Folders.
Understanding Active Directory

Understanding Active Directory

Similar presentations

Ads by Google