Example: Supplementary Authentication Strategies

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

An organization chose to extend its authentication framework by enabling delegation and constrained delegation. To achieve this, it assigned the right to enable delegated authentication to specific user accounts, identified the computer accounts to be trusted for delegation, and established who is responsible for applying these policies. This allowed the organization to strengthen the security of its system by limiting the resources that computers trusted for delegation can access. For example, it enabled the Web interface for the human resources database to access confidential data stored in databases on other servers, assigned the trusted for delegation right to workstations, and restricted delegation on the domain administrator user account.

Figure 14.10 shows the worksheet that the organization created to document its supplementary authentication strategies.

Figure 14.10   Example of a Supplementary Authentication Strategies Worksheet
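A worksheet like this can be checked against what the directory actually holds. The following is an added example, not part of the original page or of any Microsoft tool: it compares a constructed worksheet with constructed account records and reports deviations. The account names, service principal names, and the worksheet layout are assumptions; the userAccountControl bit values and the msDS-AllowedToDelegateTo attribute are the standard Active Directory ones.

```python
# Added example: all account names, SPNs and records below are constructed.
TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl: unconstrained delegation
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"

# Hypothetical worksheet: what the organization decided to allow.
WORKSHEET = {
    "HR-WEB01$": {"delegation": "constrained",
                  "targets": ["MSSQLSvc/hr-db01.example.test:1433"]},
    "WKS-017$": {"delegation": "unconstrained", "targets": []},
    "Administrator": {"delegation": "none", "targets": [], "sensitive": True},
}

# Constructed directory export (for example, the result of an LDAP query).
DIRECTORY = {
    "HR-WEB01$": {"userAccountControl": 0x1000,
                  "msDS-AllowedToDelegateTo": ["MSSQLSvc/hr-db01.example.test:1433",
                                               "cifs/files01.example.test"]},
    "WKS-017$": {"userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    "Administrator": {"userAccountControl": 0x200},
    "APP-SRV09$": {"userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
}

def posture(entry):
    """Derive the delegation settings of one account from its attributes."""
    uac = entry["userAccountControl"]
    targets = sorted(entry.get("msDS-AllowedToDelegateTo", []))
    if uac & TRUSTED_FOR_DELEGATION:
        mode = "unconstrained"
    elif targets:
        mode = "constrained"
    else:
        mode = "none"
    return {"delegation": mode, "targets": targets,
            "sensitive": bool(uac & NOT_DELEGATED)}

def audit(directory, worksheet):
    """Return (account, issue) pairs where the directory departs from the worksheet."""
    findings = []
    for name, entry in sorted(directory.items()):
        actual = posture(entry)
        # Accounts absent from the worksheet are expected to have no delegation.
        planned = worksheet.get(name, {"delegation": "none", "targets": []})
        if actual["delegation"] != planned["delegation"]:
            findings.append((name, f"delegation is {actual['delegation']}, "
                                   f"worksheet says {planned['delegation']}"))
        extra = sorted(set(actual["targets"]) - set(planned["targets"]))
        if actual["delegation"] == "constrained" and extra:
            findings.append((name, "undocumented targets: " + ", ".join(extra)))
        if planned.get("sensitive") and not actual["sensitive"]:
            findings.append((name, "not marked sensitive (NOT_DELEGATED unset)"))
    return findings

if __name__ == "__main__":
    for account, issue in audit(DIRECTORY, WORKSHEET):
        print(f"{account}: {issue}")
```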
