Showing posts with label Authorization. Show all posts

Wednesday, March 4, 2020

Windows Server: Active Directory and its Fundamentals

Active Directory
Active Directory is the directory service Microsoft developed for a Microsoft Domain network. It is included in most Windows Server operating systems as a set of processes and services.
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.


To understand the sentences above we need to know what a Directory Service, a Microsoft Domain and a Domain Controller are. Let's find out.

Directory Service
To administer, manage, locate and organize everyday items and network resources we require a shared information infrastructure. Everyday items and network resources can include any or all of files, folders, users, groups, printers, volumes, devices, telephone numbers and other objects.
A Directory Service is a service or infrastructure that maps the names of network resources to their respective network addresses. It is a critical component of a network operating system. The service is provided by a server known as a directory server. Each network resource is called an object.
A directory service defines a namespace for the network. The namespace assigns a name, called a unique identifier, to each of the objects mentioned above. Directories have a set of rules determining how network resources are named and identified; the basic requirement is that the identifiers are unique and unambiguous.
When a user uses a directory service there is no need to remember the physical address of a network resource; the user can locate the resource by name. However, some directory services may include an access control mechanism that limits the accessibility and availability of directory information to authorized users.
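A toy directory service illustrating the three points above (objects are found by name rather than address, names must be unique and unambiguous, and reads can be limited to authorized principals). This is an added example, not code from the original post; the LDAP-style distinguished names, addresses and principals are constructed sample data.

```python
"""Added example (not from the original post): a toy directory service.

Objects are addressed by LDAP-style distinguished names (DN), the form
Active Directory exposes. All objects and principals are constructed.
"""

def normalize_dn(dn: str) -> tuple:
    """Canonical form of a DN: split on ',' and case-fold each RDN.

    'CN=Print01,OU=Printers,DC=corp' and 'cn=print01, ou=printers, dc=corp'
    must resolve to the same object, otherwise the namespace is ambiguous.
    Simplification: escaped commas inside values (RFC 4514) are not handled.
    """
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in {dn!r}")
        parts.append((attr.casefold(), value.casefold()))
    return tuple(parts)

class Directory:
    def __init__(self):
        # normalized DN -> {"address": str, "readers": set of principals}
        self._objects = {}

    def add(self, dn: str, address: str, readers) -> None:
        key = normalize_dn(dn)
        if key in self._objects:
            # Uniqueness is enforced on the canonical form, not the spelling.
            raise ValueError(f"duplicate name: {dn}")
        self._objects[key] = {"address": address, "readers": set(readers)}

    def resolve(self, dn: str, requester: str):
        """Map a name to its address, or None when absent or not authorized."""
        obj = self._objects.get(normalize_dn(dn))
        if obj is None or requester not in obj["readers"]:
            return None  # deny by default; do not reveal whether the object exists
        return obj["address"]

def build_sample() -> Directory:
    """Constructed sample directory with two objects and per-object readers."""
    d = Directory()
    d.add("CN=Print01,OU=Printers,DC=corp,DC=example", "10.0.5.20", {"alice", "svc-print"})
    d.add("CN=Files01,OU=Servers,DC=corp,DC=example", "10.0.1.10", {"alice"})
    return d
```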


Microsoft Domain
A Microsoft domain is a computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as domain controllers. Authentication takes place on the domain controllers.
Each user who uses computers within a domain receives a unique user account that can be assigned access to resources within the domain. Active Directory is the Windows component in charge of maintaining that central database.

Domain Controller
On Microsoft servers, a domain controller (DC) is a server computer that responds to security authentication requests (logging in, checking permissions, etc.) within a Windows domain.
In other words, a server running Active Directory Domain Services (AD DS) is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software.


Example: 
When a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information at the admin level and provides authentication and authorization mechanisms.

Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.

Saturday, February 1, 2020

Windows Server: Active Directory and its Fundamentals

Thursday, January 9, 2020

CISSP: Other Security Concepts


Other Security Concepts

  • Identification: Claiming to be an identity when attempting to access a secured area or system. E.g. username
  • Authentication: Proving that you are that identity. E.g. password
  • Authorization: Defining the permissions (i.e., allow/grant and/or deny) of resource and object access for a specific identity
  • Auditing: Recording a log of the events and activities related to the system and subjects
  • Accounting (aka accountability): Reviewing log files to check for compliance and violations in order to hold subjects accountable for their actions. Human accountability is ultimately dependent on the strength of the authentication process.


Note: Identification, Authentication and Auditing are required to establish Accountability.

Tuesday, January 2, 2018

Cryptography: AAA - Authorization

The second A in the AAA model refers to authorization. All right, the user has gone through identification to say he is someone and authentication to prove it. Now what? Do we let him see anything he wants? Do we let him do anything he wants? Authorization means that based on the user's credentials, we let him do certain things and see certain things, but not others. This is tied to the principle of least privilege, which states that users, and even devices, programs and processes, should be granted enough permissions to do their required functions and not a single drop more. Any authorization beyond normal job functions opens the door to either accidental or malicious violations of confidentiality, integrity and availability. This is specifically why the recommendation is to never use an administrator or root account on a system, but rather an account with limited privileges. If your system gets infected with malware, it will run with the privileges of the user; an administrator account grants authorization beyond the principle of least privilege. Of course, you can escalate your privileges when necessary or even temporarily use an administrator account, but this way, at least, it is not constant.
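The AAA chain described in this post and in the "Other Security Concepts" list above (identification, authentication, deny-by-default authorization under least privilege, auditing, and accountability through log review), as an added example that is not part of the original posts. The users, passwords, salt and permission table are constructed sample data.

```python
"""Added example (not from the original posts): a minimal AAA flow.

Identification  -> the caller claims a username.
Authentication  -> the claim is proven with a password (salted PBKDF2 compare).
Authorization   -> a deny-by-default table grants only the actions each
                   identity needs (least privilege); no grant means denied.
Auditing        -> every decision is recorded with who, what and result.
Accountability  -> the audit log is reviewed to find violations.
All users, credentials and permissions below are constructed sample data.
"""
import hashlib
import hmac

SALT = b"constructed-salt"  # fixed only so the sample is reproducible

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

USERS = {  # identity -> stored credential (never the plaintext password)
    "alice": hash_password("correct horse", SALT),
    "bob": hash_password("battery staple", SALT),
}
# Least privilege: only the actions a role needs; anything absent is denied.
PERMISSIONS = {
    "alice": {"read:payroll"},
    "bob": {"read:payroll", "write:payroll"},
}
AUDIT_LOG = []

def authenticate(username: str, password: str) -> bool:
    stored = USERS.get(username)
    if stored is None:
        hash_password(password, SALT)  # same work for unknown users (timing)
        return False
    return hmac.compare_digest(stored, hash_password(password, SALT))

def authorize(username: str, action: str) -> bool:
    return action in PERMISSIONS.get(username, set())  # deny by default

def request(username: str, password: str, action: str) -> bool:
    """Identification -> authentication -> authorization, auditing each outcome."""
    if not authenticate(username, password):
        AUDIT_LOG.append({"user": username, "action": action, "result": "auth-failed"})
        return False
    allowed = authorize(username, action)
    AUDIT_LOG.append({"user": username, "action": action,
                      "result": "allowed" if allowed else "denied"})
    return allowed

def review_violations() -> list:
    """Accounting: pull failed and denied attempts from the log for follow-up."""
    return [e for e in AUDIT_LOG if e["result"] != "allowed"]
```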