Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The primary features of the Microsoft® Windows Server 2003 family security model are user authentication and access control. The Active Directory® directory service ensures that administrators can manage these features easily and efficiently. The following sections describe these features of the security model.
Interactive logon confirms the user's identification to the user's local computer or Active Directory account.
Network authentication confirms the user's identification to any network service that the user is attempting to access. To provide this type of authentication, the security system includes these authentication mechanisms: Kerberos V5, public key certificates, Secure Sockets Layer/Transport Layer Security (SSL/TLS), Digest, and NTLM (for compatibility with Windows NT® 4.0 systems).
Single sign-on makes it possible for users to access resources over the network without having to repeatedly supply their credentials. For the Windows Server 2003 family, users need only authenticate once to access network resources; subsequent authentication is transparent to the user.
Authentication in the Windows Server 2003 family also includes two-factor authentication, such as smart cards. For more information, see Smart Cards.
For more information, see Authentication protocols overview.
Object-based access control
Along with user authentication, administrators are allowed to control access to resources or objects on the network. To do this, administrators assign security descriptors to objects that are stored in Active Directory. A security descriptor lists the users and groups that are granted access to an object and the specific permissions assigned to those users and groups. A security descriptor also specifies the various access events to be audited for an object. Examples of objects include files, printers, and services. By managing properties on objects, administrators can set permissions, assign ownership, and monitor user access.
Not only can administrators control access to a specific object, they can also control access to a specific attribute of that object. For example, through proper configuration of an object's security descriptor, a user could be allowed to access a subset of information, such as employees' names and phone numbers but not their home addresses. For more information, see Access Control.
For more information, see "Authorization and access control" at the Microsoft Windows Resource Kits Web site.
You can control security on your local computer or on multiple computers by controlling password policies, account lockout policies, Kerberos policies, auditing policies, user rights, and other policies. To create a systemwide policy, you can use security templates, apply templates using Security Configuration and Analysis, or edit policies on the local computer, organizational unit, or domain. For more information, see Security Configuration Manager.
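The following is an added example, not part of the original page: it writes a security template covering the password, lockout, Kerberos, auditing and user-rights areas named above and compares the local computer against it with secedit, the command-line counterpart of the Security Configuration and Analysis snap-in. The template path, database path and the policy values chosen are assumptions.

```powershell
# Added example (not from the original page). Paths and values are assumptions.
$template = "$env:TEMP\baseline.inf"
$database = "$env:TEMP\baseline.sdb"
$log      = "$env:TEMP\baseline-analysis.log"

# Single-quoted here-string: "$CHICAGO$" is written literally, not expanded.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
MaxClockSkew = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
[Privilege Rights]
SeRemoteShutdownPrivilege = *S-1-5-32-544
'@ | Set-Content -Path $template -Encoding Unicode

# Analyze only: records mismatches in the log and changes nothing.
# (Kerberos Policy settings only take effect when applied through domain policy;
# on a member server the analysis simply reports how they compare.)
secedit /analyze /db $database /cfg $template /log $log /quiet

# Settings where the computer differs from the template are logged as "Mismatch".
Select-String -Path $log -Pattern 'Mismatch'

# To enforce the template instead of just comparing, run:
#   secedit /configure /db $database /cfg $template /overwrite /log $log
```

Audit values in the [Event Audit] section are 0 = none, 1 = success, 2 = failure, 3 = both; the SID *S-1-5-32-544 is the built-in Administrators group.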
Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach. For more information, see Auditing overview.
Active Directory and security
Active Directory provides protected storage of user account and group information by using access control on objects and user credentials. Because Active Directory stores not only user credentials but also access control information, users who log on to the network obtain both authentication and authorization to access system resources. For example, when a user logs on to the network, the security system authenticates the user with information stored in Active Directory. Then, when the user attempts to access a service on the network, the system checks the properties defined in the discretionary access control list (DACL) for that service.
Because Active Directory allows administrators to create group accounts, administrators can manage system security more efficiently. For example, by adjusting a file's properties, an administrator can permit all users in a group to read that file. In this way, access to objects in Active Directory is based on group membership.
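The following added example (not code from the original page) ties together the security descriptor described under Object-based access control and the group-based file permission just mentioned: it reads a file's owner, DACL and SACL, grants read access to a group so that membership changes in Active Directory are all that is needed to change who can read it, and adds an audit entry for failed write and delete attempts. The file path and the CONTOSO group names are assumptions.

```powershell
# Added example (not from the original page). Path and group names are assumptions.
# Reading the SACL (-Audit) requires the "Manage auditing and security log" right.
$path = 'C:\HR\phonebook.xlsx'
$acl  = Get-Acl -Path $path -Audit

"Owner: $($acl.Owner)"
"DACL (who may do what):"
$acl.Access | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
"SACL (which access attempts are audited):"
$acl.Audit  | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# The access check walks the DACL in order: a Deny ACE that matches one of the
# caller's SIDs and one of the requested rights is final; Allow ACEs accumulate
# until every requested right is granted. Explicit ACEs precede inherited ones.

# Grant read to a group, not to individual users: adding someone to
# CONTOSO\HR-Staff in Active Directory is then the only change required.
$allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\HR-Staff', 'ReadAndExecute', 'Allow'
$acl.SetAccessRule($allow)

# An explicit Deny for contractors wins even for a contractor who is also in HR-Staff.
$deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList 'CONTOSO\Contractors', 'Read', 'Deny'
$acl.SetAccessRule($deny)

# Audit failed write/delete attempts by anyone. Entries are only generated once
# the "Audit object access" policy is enabled for failures on this computer.
$audit = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList 'Everyone', 'Write, Delete', 'Failure'
$acl.AddAuditRule($audit)

# Write the modified descriptor (DACL and SACL) back to the object.
Set-Acl -Path $path -AclObject $acl
```

The same descriptor structure (owner, DACL, SACL) applies to Active Directory objects, where an ACE can additionally be scoped to a single attribute, which is how the phone-number-but-not-home-address case described above is configured.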
Stored data (online or offline) can be protected using:
Network data protection
Network data within your site (local network and subnets) is secured by the authentication protocol. For an additional level of security, you can also choose to encrypt network data within a site. Using Internet Protocol security, you can encrypt all network communication for specific clients, or for all clients in a domain.
Network data passing in and out of your site (across intranets, extranets, or an Internet gateway) can be secured using the following utilities:
Internet Protocol Security (IPSec) Encryption. A suite of cryptography-based protection services and security protocols.
Routing and Remote Access. Configures remote access protocols and routing. For more information, see Routing Overview.
Internet Authentication Service (IAS). Provides security and authentication for dial-in users. For more information, see Internet Authentication Service.
Public key infrastructure
Public key encryption is an important aspect of security. For more information, see Deploying a Public Key Infrastructure.
The Windows Server 2003 family supports domain trusts and forest trusts.
Domain trust allows a user to authenticate to resources in another domain. For more information on establishing and managing domain trust relationships, see Trust direction.
In a Windows Server 2003 forest, administrators can create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second Windows Server 2003 forest. For more information, see Forest trusts.
For more information about authorization and access control, see "Domain Trust" at the Microsoft Windows Resource Kits Web site.