The default Windows 2000 Active Directory installation was not as secure as it could have been. It allowed anonymous queries to be executed, which could take up valuable processing resources, and it did not place any requirements on encrypting or signing traffic between clients and domain controllers. As a result, usernames, passwords, and search results could be sent over the network in clear text. Fortunately, with Windows Server 2003, things have been tightened up significantly. LDAP traffic is signed by default, and anonymous queries are disabled by default. Additionally, Transport Layer Security ( TLS), the more flexible cousin of Secure Sockets Layer ( SSL), is supported in Windows Server 2003, which allows for end-to-end encryption of traffic between domain controllers and clients.
Active Directory's ACL model provides ultimate flexibility for securing objects throughout a forest; you can restrict access down to the attribute level if you need to. With this flexibility comes increased complexity. An object's ACL is initially generated from the default ACL for the object's class, inherited permissions, and permissions directly applied on the object.
An ACL is a collection of ACEs, which defines the permission and properties that a security principal can use on the object to which the ACL is applied. Defining these entries and populating the ACL is the foundation of Active Directory security and delegation.
In this chapter, we will explore some of the common tasks of managing permissions in Active Directory. If you are looking for a detailed guide to Active Directory permissions, we suggest reading Chapter 11 in Active Directory, Third Edition, by Joe Richards et al. (O'Reilly).
In order for ACLs to be of use, a user must first authenticate to Active Directory. Kerberos is the primary network authentication system used by Active Directory. Kerberos is a standards-based system originally developed at MIT that has been widely implemented at universities. We will also be covering some Kerberos-related tasks in this chapter that you will be likely to encounter in an Active Directory environment. For a complete review of Kerberos, we recommend Kerberos: The Definitive Guide by Jason Garman (O'Reilly).