Authorization Strategies

Authorization Strategies

Authorization controls user access to resources. Using access control lists (ACLs), security groups, and NTFS file permissions, you can make sure that users have access only to needed resources, such as files, drives, network shares, printers, and applications.

Security Groups

Security groups, user rights, and permissions can be used to manage security for numerous resources while maintaining fine-grained control of files and folders and user rights. The four main security groups include:

  • Domain local groups
  • Global groups
  • Universal groups
  • Computer local groups

Using security groups can streamline the process of managing access to resources. You can assign users to security groups, and then grant permissions to those groups. You can add and remove users in security groups according to their need for access to new resources. To create local users and place them within local security groups, use the Computer Management snap-in of MMC or the User Accounts option in Control Panel.

Within the domain local and computer local security groups there are preconfigured security groups to which you can assign users.

Administrators

Members of this group have total control of the local computer and have permissions to complete all tasks. A built-in account called Administrator is created and assigned to this group when Windows Vista is installed. When a computer is joined to a domain, the Domain Administrators group is added to the local Administrators group by default.

Power Users

Members of this group have read/write permissions to other parts of the system in addition to their own profile folders, can install applications, and can perform many administrative tasks. Members of this group have the same level of permissions as Users and Power Users in Windows XP Professional.

Users

Members of this group are authenticated users with read-only permissions for most parts of the system. They have read/write access only within their own profile folders. Users cannot read other users' data (unless it is in a shared folder), install applications that require modifying system directories or the registry, or perform administrative tasks.

Guests

Members of this group can log on using the built-in Guest account to perform limited tasks, including shutting down the computer. Users who do not have an account on the computer or whose account has been disabled (but not deleted) can log on using the Guest account. You can set rights and permissions for this account, which is a member of the built-in Guests group by default. The Guest account is enabled by default.

You can configure access control lists (ACLs) for resource groups or security groups and add or remove users or resources from these groups as needed. The ability to add and remove users makes user permissions easier to control and audit. It also reduces the need to change ACLs.

You can grant users permissions to access files and folders, and specify what tasks users can perform on them. You can also allow permissions to be inherited, so that permissions for a folder apply to all its subfolders and the files in them.

Group Policy

You can use Group Policy settings to assign permissions to resources and grant rights to users as follows:

  • To restrict which types of users can run certain applications. This reduces the risk of exposing the computer to unwanted applications, such as viruses.
  • To configure many rights and permissions for client computers. You can also configure rights and permissions on an individual computer to be used as the base image for desktop installations, to ensure standardized security management even if you do not use Active Directory.

Auditing features allow you to detect attempts to disable or circumvent protections on resources.

You can use preconfigured security templates that meet the security requirements for a given workstation or network. Security templates are files with preset security settings that can be applied to a local computer or to client computers in a domain by using Active Directory.

Community Additions

ADD
Show: