Security information for Active Directory

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Active Directory® provides a secure directory environment for your organization using built-in logon authentication and user authorization, which are core features of the Local Security Authority (LSA). Logon authentication and user authorization are available by default and provide immediate protection for network access and network resources.

For information about additional security tools and features that you can use to further secure Active Directory, see Securing Active Directory and Active Directory Best practices.

Protecting access to the network

Active Directory requires confirmation of the identity of a user before allowing access to the network, a process known as authentication. Users only need to provide a single sign-on to the domain (or to trusted domains) to gain access to the network. Once Active Directory confirms the identity of the user, the LSA on the authenticating domain controller generates an access token that determines what level of access that user has on network resources. For more information about the authentication process, see Access control in Active Directory and Certificates and Authentication.

Active Directory supports a number of secure Internet-standard protocols and authentication mechanisms used to prove identity upon logon, including Kerberos V5, X.509 v3 certificates, smart cards, public key infrastructure (PKI) and Lightweight Directory Access Protocol (LDAP) using Secure Sockets Layer (SSL).

Authentication between domains occurs through trusts. A trust is a relationship established between two or more domains to allow users in one domain to be authenticated by a domain controller in another domain.

Trust relationships can be transitive or nontransitive but must always be present in order for users in one domain to access shared resources in another domain. For more information, see Trusts.

In addition to securing network access through authentication, Active Directory helps to protect shared resources by facilitating user authorization. Once a user's logon has been authenticated by Active Directory, the user rights assigned to the user through security groups and the permissions assigned on the shared resource determine whether the user is authorized to access that resource. This authorization process protects shared resources from unauthorized access and permits access only to authorized users or groups.
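As an added illustration (not Microsoft's code or the LSA's actual implementation), the following Python models how an access token built from the user's SID and group SIDs is evaluated against a resource's DACL: deny entries that overlap a still-wanted right fail the check, allow entries accumulate rights. All SIDs, rights and ACEs are constructed for the example.

```python
from dataclasses import dataclass

# Access-mask bits: a constructed subset standing in for Windows generic rights.
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass
class Ace:
    """One access control entry: allow or deny `mask` to the trustee `sid`."""
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass
class Token:
    """Simplified access token: the user's SID plus the SIDs of its groups."""
    user_sid: str
    group_sids: frozenset

    def sids(self):
        return {self.user_sid} | set(self.group_sids)


def access_check(token, dacl, desired):
    """Evaluate a DACL in order against a token, following the Windows rule:
    a matching deny ACE that overlaps any still-wanted right fails the check,
    matching allow ACEs accumulate rights, and the walk stops as soon as every
    desired right is granted. A None DACL grants everything; an empty one nothing."""
    if dacl is None:
        return True
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids():
            continue                      # ACE is for a different trustee
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False              # explicit deny wins
        elif ace.kind == "allow":
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False


# Constructed SIDs (not real objects); the share's DACL is in canonical order:
# explicit denies first, then allows.
DOMAIN_USERS, FINANCE, CONTRACTORS = "S-1-5-21-EX-513", "S-1-5-21-EX-1201", "S-1-5-21-EX-1202"
SHARE_DACL = [
    Ace("deny", CONTRACTORS, WRITE),
    Ace("allow", DOMAIN_USERS, READ),
    Ace("allow", FINANCE, READ | WRITE),
]
alice = Token("S-1-5-21-EX-1105", frozenset({DOMAIN_USERS, FINANCE}))
bob = Token("S-1-5-21-EX-1106", frozenset({DOMAIN_USERS, FINANCE, CONTRACTORS}))
```

Bob is in the Finance group that is allowed to write, yet the earlier deny entry for Contractors still blocks his write access, which is why group membership on its own never settles an authorization question.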

For more information about user rights and security groups, see Group types. For more information about the user rights assigned to default groups, see Default groups. For more information about authorization, see "Designing an Authorization Strategy" at the Microsoft Windows Resource Kits Web site.

For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site. For more information about authorization and access control, see "Authorization and Access Control" at the Microsoft Windows Resource Kits Web site.