Windows 2003 Security Services Reference
Windows 2003 Security Services
Interactive Logon Technical Reference - Security Services: Windows Server 2003
Introduces interactive logon and how users log on to a computer using either a local user account or a
domain user account. Explains typical interactive logon scenarios for Windows Server 2003 and client computers.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_intlg_intro.asp

IPSec Technical Reference - Security Services: Windows Server 2003
Internet Protocol security (IPSec) in the Microsoft Windows Server 2003 operating system helps protect networks
from active and passive attacks by securing IP packets through the use of packet filtering, cryptographic security
services, and the enforcement of trusted communications.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_ipsec_intro.asp

Domain and Forest Trusts Technical Reference - Security Services: Windows Server 2003
Introduces the trust technology that makes it possible to share resources across domains or forests that use the
Active Directory directory service.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_trust_intro.asp

Kerberos Authentication Technical Reference - Security Services: Windows Server 2003
Introduces the Windows Server 2003 implementation of the Kerberos protocol, including extensions for public key
authentication, and concepts such as SSPI, Kerberos SSP, and KDC.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_kerb_intro.asp

Permissions Technical Reference - Security Services: Windows Server 2003
Introduces how permissions allow the owner of a securable object, such as a file,
Active Directory object, or registry key, to control who can access the object.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_randp_intro.asp

Security Identifiers Technical Reference - Security Services: Windows Server 2003
Introduces where Security Identifiers (SIDs) fit in authentication and authorization processes.
Outlines how user and group SIDs are built into the access token. Introduces how the system
grants access to resources.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_sids_intro.asp

Security Principals Technical Reference - Security Services: Windows Server 2003
Introduces where security principals fit in the process of authorizing access to resources.
Describes the differences between security principals created in an Active Directory domain
and those created on a local computer.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_princ_intro.asp

Security Descriptors and Access Control Lists Technical Reference - Security Services: Windows Server 2003
Introduces where security descriptors and access control lists (ACLs) fit in the authorization process.
Outlines the information that is contained in the security descriptor of an object, including ACLs and
ownership and auditing information.
http://www.microsoft.com/resources/documentation/windowsserv/2003/all/techref/en-us/w2k3tr_acls_intro.asp


Thanks a lot for this set of links. That might be very useful in any production that needs to be kept secured. By the way, a nice article about ACLs and their meaning for enterprise networking. Some people forget to remember that, as the article says, “all securable objects on the network, have security descriptors to help control access to the objects”. Generally, you find people ready to control general file system access but not ready to control directory services access, when the latter could be no less important for keeping the enterprise secure. It becomes clear when you think about it in general that having bad protection for Active Directory data access can lead to disruptive processes within the data management. Any person who gained unlimited access to your Active Directory database can ruin all the protection system built within the domain, as seizing the system administrator account SID sure allows doing anything after that. But having such a complicated object structure, it is simply impossible to control access to Active Directory objects when it comes to practice. When the Active Directory service access procedure described, say, in this document http://www.microsoft.com/technet/security/guidance/serversecurity/tcg/tcgch03n.mspx within the security guide represents a working way to get some information about changes made to AD security and objects and properties as a whole, then I hardly find the default approach reliable. Mostly it’s because of the time and overheads that arise when you start working with auditing policies. At first sight, it should be very simple, as you might think. You just set an applicable type of auditing (I usually select Failure auditing to filter the excess reporting data, as I can tolerate it) and that’s it. But when it comes to real life, not all the pictures and plots you drew in your mind become applicable.
I tried working with policy logging, filtering and extracting logs with Eventcombmt and so forth, and then I said to myself, “Stop! I need to spend my time on more useful things.” Thanks to the web, I quickly found that there are several products that can do auditing automatically and deliver the status. I liked ScriptLogic’s solution because its Active Administrator tool supports Active Directory reporting http://www.scriptlogic.com/products/activeadmin/auditing/active-directory-reporting.asp, which allows generating reports and getting them delivered to the mailbox. Now when some of our IT team change some AD attributes, we always have a chance to track the changes in real time.