Security Framework
Security Principals and Identifiers
Security Principals:
Users, groups, computers, and service accounts: any object that can be authenticated and appear as the subject of an access check
Each principal is identified by a Security Identifier (SID). ACLs and access tokens reference SIDs, not names; names are only resolved for display
A SID is assigned when the principal is created and does not change when the object is renamed or moved between OUs in the same domain. Moving a principal to another domain gives it a new SID from that domain; migration tools preserve the old value in the sIDHistory attribute so that existing ACEs keep working
SID Structure:
Format: S-R-I-S-S-S-RID (the literal S, a revision, an identifier authority, then up to fifteen 32-bit sub-authorities, the last of which is the Relative Identifier)
Example: S-1-5-21-1234567890-1234567890-1234567890-1001
Components: Revision (always 1), Identifier Authority (5 = NT Authority), Domain Identifier (sub-authority 21 followed by three 32-bit values that are unique to the domain), Relative Identifier (RID, unique within that domain). RIDs below 1000 are reserved for well-known accounts and groups; ordinary principals are allocated RIDs from 1000 upward
Well-Known SIDs:
Everyone: S-1-1-0
Authenticated Users: S-1-5-11
Local System: S-1-5-18
Administrator: S-1-5-21-{domain}-500 (the built-in account keeps RID 500 even after it is renamed)
Domain Admins: S-1-5-21-{domain}-512
Domain Users: S-1-5-21-{domain}-513
Enterprise Admins: S-1-5-21-{domain}-519 (exists only in the forest root domain, so {domain} is the root domain identifier)
Because these RIDs are fixed, the groups can be recognised in logs and ACLs regardless of display name or language
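The following parser, added here as an example rather than code from the original page, implements the SID structure described above in both its string form and the binary form stored in tokens, security descriptors and the objectSid attribute. The well-known lookup tables and the domain identifier in the tests are constructed for the example; the binary layout (revision byte, sub-authority count byte, 6-byte big-endian identifier authority, little-endian 32-bit sub-authorities) and the RID values are the real Windows ones.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed lookup tables covering the well-known SIDs named in this section.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
}
# Domain-relative RIDs: the same value under any S-1-5-21-<domain> prefix.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    @classmethod
    def from_string(cls, text: str) -> "Sid":
        """Parse the S-R-I-S... string form, rejecting out-of-range components."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1 or authority >= 2**48 or len(subs) > 15 or any(s >= 2**32 for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    @classmethod
    def from_bytes(cls, raw: bytes) -> "Sid":
        """Parse the binary form: Revision (1 byte), SubAuthorityCount (1 byte),
        IdentifierAuthority (6 bytes, big-endian), then SubAuthorityCount
        little-endian 32-bit sub-authorities."""
        if len(raw) < 8:
            raise ValueError("binary SID too short")
        revision, count = raw[0], raw[1]
        if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
            raise ValueError("malformed binary SID")
        authority = int.from_bytes(raw[2:8], "big")
        subs = struct.unpack_from(f"<{count}I", raw, 8)
        return cls(revision, authority, tuple(subs))

    def to_bytes(self) -> bytes:
        count = len(self.sub_authorities)
        return (bytes([self.revision, count])
                + self.identifier_authority.to_bytes(6, "big")
                + struct.pack(f"<{count}I", *self.sub_authorities))

    def __str__(self) -> str:
        return "-".join(str(x) for x in ("S", self.revision, self.identifier_authority,
                                         *self.sub_authorities))

    @property
    def is_domain_relative(self) -> bool:
        # S-1-5-21-<a>-<b>-<c>[-RID]: NT Authority with the "non-unique" sub-authority 21.
        return (self.identifier_authority == 5 and len(self.sub_authorities) in (4, 5)
                and self.sub_authorities[0] == 21)

    @property
    def domain_identifier(self) -> Optional[str]:
        if not self.is_domain_relative:
            return None
        return "S-1-5-21-" + "-".join(str(x) for x in self.sub_authorities[1:4])

    @property
    def rid(self) -> Optional[int]:
        # Only the fifth sub-authority is a RID; a bare domain SID has none.
        if self.is_domain_relative and len(self.sub_authorities) == 5:
            return self.sub_authorities[4]
        return None


def describe(text: str) -> str:
    """Name a SID the way an analyst reads one out of a log line or an ACE."""
    sid = Sid.from_string(text)
    if str(sid) in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[str(sid)]
    if sid.rid is not None:
        name = WELL_KNOWN_RIDS.get(sid.rid)
        if name:
            return f"{name} of domain {sid.domain_identifier}"
        if sid.rid >= 1000:
            return f"ordinary principal RID {sid.rid} of domain {sid.domain_identifier}"
        return f"reserved RID {sid.rid} of domain {sid.domain_identifier}"
    return "unrecognised SID"
```

The binary parser is the one you need when reading objectSid from LDAP or SIDs out of a raw security descriptor; the string parser covers event logs and SDDL. Both reject the malformed inputs (wrong revision, too many sub-authorities, length mismatch) that a fuzzer would feed them.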
Access Control Model
Discretionary Access Control:
The owner of an object controls access to it. The owner is implicitly granted READ_CONTROL and WRITE_DAC, so an owner can always rewrite the object's permissions even when the DACL does not list them
Permissions are granted or denied through Access Control Lists (ACLs) stored in the object's security descriptor
Flexible, but because any owner can grant rights to anyone, it leads to permission sprawl unless delegated permissions are audited
Access Control Lists (ACLs):
Discretionary Access Control List (DACL):
Contains Access Control Entries (ACEs) that grant or deny rights to specific SIDs
Processed in stored order: each ACE whose SID is in the caller's token is applied until every requested right has been granted (access allowed) or a deny ACE covers a right that is still outstanding (access denied); later ACEs are not examined. Canonical order is explicit deny, explicit allow, inherited deny, inherited allow. A non-canonical DACL is still evaluated in stored order, so an allow placed before a deny silently wins
Empty DACL (present but containing no ACEs) denies all access apart from the owner's implicit rights. This is not the same as a NULL DACL (no DACL at all), which grants everyone full access
System Access Control List (SACL):
Contains ACEs that specify which access attempts are audited rather than who may access the object
Defines which principals' successful and/or failed access attempts generate Security log events (4663 for object access, 4662 for directory service objects) when the matching audit policy subcategory is enabled
Reading or writing the SACL requires the "Manage auditing and security log" user right (SeSecurityPrivilege); the ACCESS_SYSTEM_SECURITY right is granted by that privilege, never by the DACL
Access Control Entries (ACEs):
Access Allowed ACE: Grants the rights in its access mask to the SID it names
Access Denied ACE: Explicitly denies those rights; placed first in canonical order so that it is evaluated before any allow
System Audit ACE: Specifies which access attempts to audit; appears only in the SACL
Object-specific ACEs (ACCESS_ALLOWED_OBJECT_ACE and its denied and audit variants) carry two extra GUIDs: the property, property set or extended right the ACE applies to, and the object class that inherits it. Active Directory delegation is built on these, for example granting the "Reset Password" extended right on user objects only
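The evaluation rules above, written out as an added example that is not part of the original page: walk the DACL in stored order, clear requested rights as allow ACEs grant them, stop at the first deny that covers an outstanding right, and treat an empty DACL and a NULL DACL differently. The access-mask constants are the real Windows values; the token, the SIDs and both DACLs are constructed for the example, and the second DACL deliberately breaks canonical order to show why ordering matters.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Standard access-mask bits (real Windows values); the object is file-like.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
DELETE = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC = 0x00040000
OWNER_IMPLICIT = READ_CONTROL | WRITE_DAC  # an owner always holds these


@dataclass
class Ace:
    kind: str                # "allow" or "deny"
    sid: str                 # trustee SID string
    mask: int                # rights this ACE grants or denies
    inherited: bool = False  # INHERITED_ACE: came from a parent container


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str]

    def holds(self, sid: str) -> bool:
        return sid == self.user_sid or sid in self.group_sids


def access_check(dacl: Optional[List[Ace]], token: Token, desired: int,
                 owner_sid: Optional[str] = None) -> Tuple[bool, str]:
    """Evaluate a DACL in stored order: accumulate granted rights and stop at
    the first ACE that decides the request. Returns (granted, reason)."""
    if dacl is None:
        return True, "NULL DACL: object is unprotected, everyone gets everything"
    remaining = desired
    if owner_sid is not None and token.holds(owner_sid):
        remaining &= ~OWNER_IMPLICIT  # implicit owner rights, independent of the ACEs
    if remaining == 0:
        return True, "granted by implicit owner rights"
    for index, ace in enumerate(dacl):
        if not token.holds(ace.sid):
            continue  # ACE is for a SID the caller does not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"denied by ACE {index} ({ace.sid})"
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, f"granted by ACE {index} together with earlier allows"
    return False, "no ACE grants the outstanding rights (an empty DACL denies everything)"


def is_canonical(dacl: List[Ace]) -> bool:
    """Explicit deny, explicit allow, inherited deny, inherited allow. Anything
    else lets an earlier allow pre-empt a later deny during evaluation."""
    ranks = [(ace.inherited, ace.kind == "allow") for ace in dacl]
    return ranks == sorted(ranks)


# Constructed principals: Alice is a contractor who is also an authenticated user.
DOMAIN = "S-1-5-21-1234567890-1234567890-1234567890"
ALICE = f"{DOMAIN}-1105"
CONTRACTORS = f"{DOMAIN}-1201"
DOMAIN_ADMINS = f"{DOMAIN}-512"
AUTHENTICATED_USERS = "S-1-5-11"
alice = Token(ALICE, {AUTHENTICATED_USERS, CONTRACTORS})
admin = Token(f"{DOMAIN}-500", {AUTHENTICATED_USERS, DOMAIN_ADMINS})

# Canonical DACL: the explicit deny comes first, so contractors can never delete.
CANONICAL_DACL = [
    Ace("deny", CONTRACTORS, DELETE),
    Ace("allow", AUTHENTICATED_USERS, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace("allow", DOMAIN_ADMINS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE | WRITE_DAC),
]
# Same intent, wrong order: the allow that covers DELETE is reached before the deny.
NON_CANONICAL_DACL = [
    Ace("allow", AUTHENTICATED_USERS, FILE_READ_DATA | DELETE),
    Ace("deny", CONTRACTORS, DELETE),
]

if __name__ == "__main__":
    for name, dacl in (("canonical", CANONICAL_DACL), ("non-canonical", NON_CANONICAL_DACL)):
        print(name, "DELETE for Alice:", access_check(dacl, alice, DELETE))
    print("empty DACL, read:", access_check([], alice, FILE_READ_DATA))
    print("empty DACL, owner WRITE_DAC:", access_check([], alice, WRITE_DAC, owner_sid=ALICE))
    print("NULL DACL:", access_check(None, alice, DELETE))
```

The non-canonical case is the one to remember: the deny ACE is present and correct, yet Alice deletes the object because the allow before it already satisfied the request. Tools that write DACLs through the Windows APIs keep canonical order for you; code that builds security descriptors by hand does not.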
Delegation of Control
Benefits of Delegation:
Implements the principle of least privilege: each administrator receives only the rights a task needs, on the OU that holds the objects they manage
Reduces administrative overhead by letting routine tasks be handled without involving domain administrators
Distributes administrative responsibilities along organisational lines
Shrinks the set of accounts that need Domain Admins membership, which limits what a compromised administrative credential can reach
Delegation Scenarios:
Help desk password reset permissions (the "Reset Password" extended right on user objects in an OU)
Department-specific user management (create and delete user objects, and write their properties, within that department's OU)
Computer account management for technicians (create and delete computer objects, and write their properties, in a workstation OU)
Group membership management for managers (write access to the member attribute of specific groups)
Delegation Best Practices:
Create custom OUs for delegated administration so that inherited ACEs have a clear scope and never reach privileged accounts or groups
Use role-based security groups as the trustee of every delegated ACE, never individual user accounts
Regularly audit delegated permissions: dump the nTSecurityDescriptor of each OU and compare the non-default ACEs against the documented baseline, looking especially for GenericAll, WriteDacl and WriteOwner granted to ordinary groups
Document delegation assignments so that the audit has a baseline to compare against and stale delegations can be removed
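An added example (not code from the original page) covering the help-desk scenario and the audit step above: it builds the object-specific ACE that delegates "Reset Password" on user objects, then parses an OU's security descriptor in SDDL form (the string form that Get-Acl and ldap tooling expose) and lists the ACEs that hand powerful rights to principals outside a baseline of built-in administrative groups. The extended-right, attribute and class GUIDs and the SDDL right tokens are the real Active Directory values; the baseline set, the sample descriptor and the group SIDs are constructed for the example, and conditional ACEs with nested conditions are not handled.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Schema and extended-right GUIDs the findings are resolved against (real AD values).
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
MEMBER_ATTR = "bf9679c0-0de6-11d0-a285-00aa003049e2"     # member attribute
USER_CLASS = "bf967aba-0de6-11d0-a285-00aa003049e2"      # user object class
GROUP_CLASS = "bf967a9c-0de6-11d0-a285-00aa003049e2"     # group object class
GUID_NAMES = {RESET_PASSWORD: "Reset Password", MEMBER_ATTR: "member attribute",
              USER_CLASS: "user objects", GROUP_CLASS: "group objects"}

# SDDL right tokens with their AD access-mask bits, so hex masks decode to the same names.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
              "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
              "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GX": 0x20000000,
              "GW": 0x40000000, "GR": 0x80000000}
# Rights that hand the object over outright, whoever holds them.
CONTROL_RIGHTS = {"GA": "GenericAll (full control)", "GW": "GenericWrite",
                  "WD": "WriteDacl", "WO": "WriteOwner"}
# Constructed baseline: SDDL aliases of principals expected to hold powerful rights.
BASELINE_TRUSTEES = {"DA", "EA", "BA", "SY", "AO", "ED", "CO", "PS"}


@dataclass
class Ace:
    ace_type: str      # A, D, OA, OD, AU, ...
    flags: Set[str]    # CI, OI, IO, NP, ID, ...
    rights: Set[str]
    object_guid: str   # property or extended right the ACE covers ("" = all)
    inherit_guid: str  # object class that inherits the ACE ("" = every class)
    trustee: str       # SID string or two-letter SDDL alias


@dataclass
class Finding:
    trustee: str
    right: str
    applies_to: str


def _pairs(text: str) -> Set[str]:
    return {text[i:i + 2] for i in range(0, len(text), 2)}


def parse_rights(text: str) -> Set[str]:
    if text.lower().startswith("0x"):
        mask = int(text, 16)
        return {name for name, bit in RIGHT_BITS.items() if mask & bit}
    return _pairs(text)


def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the D: section of an SDDL descriptor in stored order."""
    marks = [(m.group(1), m.start()) for m in re.finditer(r"([OGDS]):", sddl)]
    dacl_text = ""
    for i, (name, start) in enumerate(marks):
        end = marks[i + 1][1] if i + 1 < len(marks) else len(sddl)
        if name == "D":
            dacl_text = sddl[start + 2:end]  # DACL flags such as AI/P precede the ACEs
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl_text):
        fields = body.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj, inh, trustee = fields[:6]
        aces.append(Ace(ace_type, _pairs(flags), parse_rights(rights),
                        obj.lower(), inh.lower(), trustee))
    return aces


def _name(guid: str, default: str) -> str:
    return GUID_NAMES.get(guid) or guid or default


def _scope(ace: Ace) -> str:
    target = GUID_NAMES.get(ace.inherit_guid, "objects")
    if "IO" in ace.flags:
        return f"descendant {target} only"  # inherit-only: not the OU itself
    if "CI" in ace.flags:
        return f"this object and descendant {target}"
    return "this object only"


def find_delegations(sddl: str, baseline: Set[str] = BASELINE_TRUSTEES) -> List[Finding]:
    """List allow ACEs that give non-baseline principals a right worth reviewing."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace.ace_type not in ("A", "OA") or ace.trustee in baseline:
            continue
        labels = [name for tok, name in CONTROL_RIGHTS.items() if tok in ace.rights]
        if "CR" in ace.rights:  # extended right; an empty GUID means all of them
            labels.append("extended right " + _name(ace.object_guid, "(all)"))
        if "WP" in ace.rights:
            labels.append("write property " + _name(ace.object_guid, "(all)"))
        findings.extend(Finding(ace.trustee, label, _scope(ace)) for label in labels)
    return findings


def reset_password_ace(group_sid: str) -> str:
    """Help-desk delegation: Reset Password on user objects below the OU, inherit-only."""
    return f"(OA;CIIO;CR;{RESET_PASSWORD};{USER_CLASS};{group_sid})"


# Constructed descriptor of a delegated OU, in the form Get-Acl would print as .Sddl.
DOMAIN = "S-1-5-21-1234567890-1234567890-1234567890"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    + "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"                      # Domain Admins: baseline
    + "(A;;RPLCLORC;;;AU)"                                        # Authenticated Users: read
    + reset_password_ace(f"{DOMAIN}-1105")                        # help-desk group
    + f"(OA;CIIO;WP;{MEMBER_ATTR};{GROUP_CLASS};{DOMAIN}-1106)"  # managers edit members
    + f"(A;CI;GA;;;{DOMAIN}-1301)"                                # full control: review this
)

if __name__ == "__main__":
    for f in find_delegations(SAMPLE_SDDL):
        print(f"{f.trustee}: {f.right} on {f.applies_to}")
```

The first two findings are the documented delegations (password reset on users, member edits on groups); the third, GenericAll on the OU and everything under it for an ordinary group, is exactly the kind of entry the audit is meant to surface. Feed the function the SDDL of every OU and diff the output against the documented assignments.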