A fundamental relationship exists between the Directory and Security Services integrated into the Windows NT operating system. The Directory Service stores domain security policy information, such as domain-wide password restrictions and system access privileges that have direct bearing on the use of the system. The security-related objects in the Directory must be securely managed to avoid unauthorized changes that affect overall system security. The Windows NT operating system implements the object-based security model and access control for all objects in the Directory. Every object in the Directory Service has a unique security descriptor that defines access permissions required to read or update the object properties.
The diagram below shows the fundamental relationship between Directory and operating system Security services.
Figure 2: Relationship between Directory and Security Services
The Directory Service uses impersonation and Windows NT access verification to determine if a Directory Service client request can read or update the desired object. This means LDAP client requests to the directory require the operating system to enforce access control, rather than having the Directory Service itself make the access control decisions.
The Windows NT security model provides a unified and consistent implementation of access control to all domain resources based on group membership. Windows NT security components can trust the security-related information stored in the directory. For example, the Windows NT authentication service stores encrypted password information in the secure portion of the directory user objects. The operating system trusts that security policy information is stored securely and that account restrictions and group memberships are not changed by anyone without authorized access. In addition, security policy information for overall domain management is kept in the directory.
This fundamental relationship of Security and Directory Services is only achieved by complete integration of the Directory Service with the Windows NT operating system, and is not otherwise available.
In the next version of Windows NT, domains will be organized into a hierarchical domain tree. The trust relationships between domains allow users with accounts defined in one domain to be authenticated by resource servers in another domain. In Windows NT 4.0 and earlier versions, interdomain trust relationships are defined by one-way Trusted Domain accounts between Domain Controllers. Management of the trust relationships between account domains and resource domains on a large network is a complex task.
The next generation Windows NT Directory Service supports two forms of trust relationships:
The diagram below shows the two styles of trust relationship.
Figure 3: Domain Trust Relationships
Transitive trust between domains simplifies the management of interdomain trust accounts. Domains that are members of the domain tree define a two-way trust relationship with the parent domain in the tree. All domains implicitly trust other domains in the tree. If there are specific domains that do not want two-way trust, explicit one-way trust accounts can be defined. For organizations with multiple domains, the overall number of explicit one-way trust relationships is significantly reduced.
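The following Python sketch is an added illustration, not part of the original paper: it models a small constructed domain tree in which every child has a two-way, transitive trust with its parent, resolves the chain of domains an authentication request traverses between two tree members, and contrasts the count of explicit one-way trust accounts a full mesh would need. The domain names are constructed, and treating explicit one-way trusts as non-transitive is an assumption.

```python
# Constructed domain tree: each child domain has a two-way, transitive trust
# with its parent (maps child -> parent; the root has no entry).
TREE = {"sales.corp": "corp", "eu.sales.corp": "sales.corp", "eng.corp": "corp"}
# Constructed explicit one-way trusts: (trusting resource domain, trusted account
# domain). Assumed non-transitive, as NT 4.0 Trusted Domain accounts are.
EXPLICIT_ONE_WAY = {("lab", "eng.corp")}

def lineage(domain):
    """The domain followed by its parents up to the tree root."""
    chain = [domain]
    while chain[-1] in TREE:
        chain.append(TREE[chain[-1]])
    return chain

def trust_path(resource_domain, account_domain):
    """Domains an authentication request traverses, or None if no trust exists.
    Same-tree pairs are joined through their nearest common ancestor; otherwise
    only an explicit one-way trust from resource to account domain counts."""
    up, down = lineage(resource_domain), lineage(account_domain)
    if up[-1] == down[-1]:  # same tree root: implicit transitive trust
        common = next(d for d in up if d in down)
        return up[:up.index(common)] + [common] + down[:down.index(common)][::-1]
    if (resource_domain, account_domain) in EXPLICIT_ONE_WAY:
        return [resource_domain, account_domain]
    return None

def explicit_trusts_needed(domains, as_tree):
    """Trust relationships needed so every domain can authenticate users from
    every other: a full mesh of one-way trusts versus one two-way trust per child."""
    n = len(domains)
    return n - 1 if as_tree else n * (n - 1)
```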
Delegation of administration is a valuable tool for organizations to confine security administration to defined subsets of the organization's domain. The important requirement is to grant rights to manage a small set of users or groups within an administrator's area of responsibility while not granting permission to manage accounts in other parts of the organization.
Delegation of responsibility to create new users or groups is defined at the level of an Organizational Unit (OU), or container, where the accounts are created. Group administrators for one Organizational Unit will not necessarily have the ability to create and manage accounts for another Organizational Unit within a Domain. However, domain-wide policy settings and access rights defined at higher levels in the Directory tree can apply throughout the tree using inheritance of access rights.
There are three ways to define the delegation of administration responsibilities:
The Directory Service Administration user interface makes it easy to view the delegation information defined for containers. Adding a new delegation of permissions is also easy: select the user or group to delegate to and choose the permissions they need.
Integrating the security account repository with the Windows NT Directory Service provides real benefits for managing the enterprise: performance, ease of administration, and scalability for large organizations are the direct result. Internet-based enterprises can use domain trees and hierarchical OUs to organize accounts for business partners, frequent customers, or suppliers with specific access rights to their systems.
Large organizations typically depend on many individuals or groups to secure and manage the network account infrastructure. They need the ability to grant access rights for specific operations, such as resetting user passwords, or disabling accounts, to specific groups without also granting the permission to create new accounts or change other properties of user accounts.
The security architecture for Directory Service objects uses Windows NT security descriptors to control object access. Every object in the Directory has a unique security descriptor. The Access Control List (ACL) in the security descriptor is a list of entries that grant or deny specific access rights to individuals or groups. Access rights can be granted or denied with different levels of scope on the object. Access rights can be defined on any of the following levels:
The user that creates an object is granted the default access permissions for read/write access to all properties. Granting or denying object access permissions to a property set is a convenient way to define permissions for a group of related properties. The grouping of properties is defined by the property set attribute of a property in the schema. The property set relationship can be customized by changing the schema. Finally, the definition of access rights on a per-property level provides the highest level of granularity of permissions. Definition of per-property access is available on all objects in the Windows NT Directory Service.
Container objects in the directory also support fine-grained access control with respect to who has permission to create child objects, and what type of child objects they may create. For example, the access control defined on an Organizational Unit (OU) can define who is allowed to create user objects (accounts) in this container. Another entry in the access control for the OU might define who is allowed to create printer objects. Fine-grained access control on directory containers is an effective way to maintain organization of the directory name space.
A new implementation of the "ACL Editor," the common dialog control for viewing or changing object security permissions, provides an easy-to-use interface for defining access rights to Directory Service objects by property set or individual properties. The ACL Editor also supports defining "inherited" access rights on container objects that flow down to all subobjects in that portion of the directory tree.
Inheritance of access rights refers to how access control information defined at higher level containers of the Directory flows down to sub-containers and leaf objects. There are generally two models for implementing inherited access rights: dynamic and static inheritance. Dynamic inheritance determines the effective access rights to an object by evaluating the permissions defined explicitly on the object, and those defined for all parent objects in the directory. This allows flexibility to change access control on portions of the directory tree by making changes to a specific container that automatically affects all subcontainers and leaf objects. The trade-off to this flexibility is the performance cost to evaluate effective access rights at the time a client requests a read/write to a specific directory object.
Windows NT implements a static form of inheritance of access rights, referred to as "Create Time" inheritance, as is discussed in the OLE DS documentation. Access control information can be defined on containers that will flow down to the child objects of the container. When the child object is created, the inherited rights from the container are merged with default access rights on the new object. Any future changes to inherited access rights at higher levels in the tree must be propagated down to all affected child objects. New inherited access rights are propagated by the Directory Service to the object for which they apply, based on options for how the new rights are defined.
Access control verification is very fast under the static model of inheritance of access rights. Access checks are a frequent and necessary operation that the operating system is designed to optimize, not just for directory object access, but for the file system and all other Windows NT system objects.
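As an added illustration, not code from the original paper or from Windows NT, the following Python model ties together the access-control scheme described above: ACEs scoped to the whole object, a property set, or a single property; deny entries overriding allows; create-child rights on a container; and create-time (static) inheritance, where a later change to a container's inheritable entries reaches existing children only when propagated. The property-set schema fragment, the OU, and the group names are constructed for the example.

```python
from dataclasses import dataclass

READ, WRITE, CREATE_CHILD = "read", "write", "create_child"
# Constructed schema fragment: a property's set is an attribute in the schema.
PROPERTY_SET = {"telephoneNumber": "Personal Information", "streetAddress": "Personal Information",
                "userPassword": "Account Restrictions", "accountDisabled": "Account Restrictions"}
@dataclass(frozen=True)
class ACE:
    trustee: str             # user or group the entry applies to
    allow: bool              # True grants the rights, False denies them
    rights: frozenset        # subset of {READ, WRITE, CREATE_CHILD}
    scope: str = "*"         # "*" object | "set:<name>" | "prop:<name>" | "child:<class>"
    inherit: bool = False    # container entry that flows to newly created children
    inherited: bool = False  # copied from the parent container at create time

@dataclass
class DirObject:
    name: str
    dacl: list  # discretionary ACL of the object's security descriptor

def access_check(obj, groups, right, prop=None, child_class=None):
    """An ACE applies when its trustee is one of the caller's groups and its scope
    covers the target (object, property set or property); any deny overrides allows."""
    scopes = {"*"} if child_class is None else {f"child:{child_class}"}
    if prop is not None:
        scopes |= {f"prop:{prop}", f"set:{PROPERTY_SET.get(prop)}"}
    hits = [a for a in obj.dacl if a.trustee in groups and a.scope in scopes and right in a.rights]
    return bool(hits) and all(a.allow for a in hits)

def inherited_copies(container):
    return [ACE(a.trustee, a.allow, a.rights, a.scope, inherited=True) for a in container.dacl if a.inherit]
def create_child(container, creator, groups, name, obj_class):
    """Create-time (static) inheritance: the creator's default read/write on all
    properties is merged with the container's inheritable entries."""
    if not access_check(container, groups, CREATE_CHILD, child_class=obj_class):
        raise PermissionError(f"{creator} may not create {obj_class} in {container.name}")
    return DirObject(name, [ACE(creator, True, frozenset({READ, WRITE}))] + inherited_copies(container))

def propagate(container, children):
    """Later changes to inheritable entries reach existing children only when pushed down."""
    for child in children:
        child.dacl = [a for a in child.dacl if not a.inherited] + inherited_copies(container)
def build_sales_ou():
    """Constructed OU: Sales Admins create users (not printers); Help Desk writes only
    the Account Restrictions set; Domain Users read everything except passwords."""
    return DirObject("OU=Sales", [
        ACE("Sales Admins", True, frozenset({CREATE_CHILD}), "child:user"),
        ACE("Help Desk", True, frozenset({WRITE}), "set:Account Restrictions", inherit=True),
        ACE("Domain Users", True, frozenset({READ}), "*", inherit=True),
        ACE("Domain Users", False, frozenset({READ}), "prop:userPassword", inherit=True)])
```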