AGDLP

AGDLP (an abbreviation of "account, global, domain local, permission") briefly summarizes Microsoft's recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments. AGUDLP (for "account, global, universal, domain local, permission") and AGLP (for "account, global, local, permission") summarize similar RBAC implementation schemes in Active Directory forests and in Windows NT domains, respectively.

Details

Role-based access controls (RBAC) simplify routine account management operations and facilitate security audits.[1] System administrators do not assign permissions directly to individual user accounts. Instead, individuals acquire access through their roles within an organization, which eliminates the need to edit a potentially large (and frequently changing) number of resource permissions and user rights assignments when creating, modifying, or deleting user accounts. Unlike traditional access control lists, permissions in RBAC describe meaningful operations within a particular application or system instead of the underlying low-level data object access methods. Storing roles and permissions in a centralized database or directory service simplifies the process of ascertaining and controlling role memberships and role permissions.[2] Auditors can analyze permission assignments from a single location without having to understand the resource-specific implementation details of a particular access control.

RBAC in a single AD domain

Microsoft's implementation of RBAC leverages the different security group scopes featured in Active Directory: [3] [4]

Global security groups
Domain security groups with global scope represent business roles or job functions within the domain. These groups may contain accounts and other global groups from the same domain, and they can be used by resources in any domain in the forest. They can be changed frequently without causing global catalog replication.
Domain local security groups
Domain security groups with domain local scope describe the low-level permissions or user rights to which they are assigned. These groups can only be used by systems in the same domain. Domain local groups may contain accounts, global groups, and universal groups from any domain, as well as domain local groups from the same domain.

Global groups that represent business roles should contain only user or computer accounts. Likewise, domain local groups that describe resource permissions or user rights should contain only global groups that represent business roles. Accounts or business roles should never be granted permissions or rights directly, as this complicates subsequent rights analysis.
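The three nesting rules above are easy to state and easy to drift from in a live domain, and an auditor checking them by hand soon runs into the "single location" argument from the Details section: the directory is where the role and permission structure lives, so it is where a check belongs. The script below is an added example, not part of the article and not a Microsoft tool. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, and read access to the folder ACL being checked; the function names and the optional search base are my own. It reports direct violations of the AGDLP rules: a domain local group whose members are not global groups, a global group whose members are not user or computer accounts, and a folder ACE granted to something other than a domain local group.

```powershell
# Added AGDLP audit (example code, not from the article). Assumes the RSAT
# ActiveDirectory module; Get-AgdlpGroupViolations and
# Get-AgdlpAceViolations are hypothetical names chosen for this example.
Import-Module ActiveDirectory

function Get-AgdlpGroupViolations {
    param(
        # Optional: restrict the audit to one OU; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $violations = New-Object System.Collections.Generic.List[object]

    # Rule 1: a domain local (permission) group contains only global (role) groups.
    $dlGroups = Get-ADGroup -Filter 'GroupScope -eq "DomainLocal" -and GroupCategory -eq "Security"' -SearchBase $SearchBase
    foreach ($dl in $dlGroups) {
        # The Builtin container (Administrators, Users, ...) is managed by Windows
        # itself and legitimately mixes scopes, so it is excluded from the rule.
        if ($dl.DistinguishedName -like '*,CN=Builtin,*') { continue }
        foreach ($m in (Get-ADGroupMember -Identity $dl)) {
            $ok = $false
            if ($m.objectClass -eq 'group') {
                $ok = ((Get-ADGroup -Identity $m.DistinguishedName).GroupScope -eq 'Global')
            }
            if (-not $ok) {
                $violations.Add([pscustomobject]@{
                    Rule   = 'DomainLocal group may contain only Global groups'
                    Group  = $dl.SamAccountName
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                })
            }
        }
    }

    # Rule 2: a global (role) group contains only user and computer accounts.
    $globalGroups = Get-ADGroup -Filter 'GroupScope -eq "Global" -and GroupCategory -eq "Security"' -SearchBase $SearchBase
    foreach ($g in $globalGroups) {
        foreach ($m in (Get-ADGroupMember -Identity $g)) {
            if ($m.objectClass -notin @('user', 'computer')) {
                $violations.Add([pscustomobject]@{
                    Rule   = 'Global group may contain only user and computer accounts'
                    Group  = $g.SamAccountName
                    Member = $m.SamAccountName
                    Class  = $m.objectClass
                })
            }
        }
    }
    return $violations
}

function Get-AgdlpAceViolations {
    param([Parameter(Mandatory)][string]$Path)
    $violations = New-Object System.Collections.Generic.List[object]

    # Rule 3: explicit ACEs on the resource go only to domain local groups.
    # Inherited ACEs are skipped; they are audited where they are defined.
    $acl = Get-Acl -Path $Path
    foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
        $id = $ace.IdentityReference.Value
        # Well-known principals such as "CREATOR OWNER" or "NT AUTHORITY\SYSTEM"
        # are not AD groups and are left out of the AGDLP rule here.
        if ($id -notmatch '\\' -or $id -like 'NT AUTHORITY\*' -or $id -like 'BUILTIN\*') { continue }
        $name = $id.Split('\')[1]
        $grp  = Get-ADGroup -Filter "SamAccountName -eq '$name'"
        if (-not $grp -or $grp.GroupScope -ne 'DomainLocal') {
            $violations.Add([pscustomobject]@{
                Rule      = 'Resource ACE must reference a DomainLocal group'
                Path      = $Path
                Principal = $id
                Rights    = $ace.FileSystemRights.ToString()
            })
        }
    }
    return $violations
}

# Usage (folder path from the article's example):
Get-AgdlpGroupViolations | Format-Table -AutoSize
Get-AgdlpAceViolations -Path '\\nyc-ex-svr-01\groups\bizdev' | Format-Table -AutoSize
```

Only direct membership is examined, which is exactly what AGDLP constrains; a transitive listing would hide which link in the chain is wrong. Get-ADGroupMember fails on groups above the domain's result-size limit, so very large role groups need to be enumerated through the group's member attribute instead.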

RBAC in AD forests

In multi-domain environments, the different domains within an AD forest may only be connected by WAN links or VPN connections, so special domain controllers called global catalog servers cache certain directory object classes and attribute types in order to reduce costly or slow inter-domain directory lookups. [5] Objects cached by the global catalog servers include universal groups but not global groups, making membership look-ups of universal groups much faster than similar queries of global groups. However, any change to a universal group triggers (potentially expensive) global catalog replication, and changes to universal groups require forest-wide security rights inappropriate in most large enterprises. These two limitations prevent universal security groups from completely replacing global security groups as the sole representatives of an enterprise's business roles. Instead, RBAC implementations in these environments use universal security groups to represent roles across the enterprise while retaining domain-specific global security groups, as illustrated by the abbreviation AGUDLP.

RBAC in non-AD domains

Domains in Windows NT 4.0 and earlier only have global (domain-level) and local (non-domain) groups and do not support group nesting at the domain level. [6] The abbreviation AGLP refers to these limitations as applied to RBAC implementations in older domains: Global groups represent business roles, while local groups (created on the domain member servers themselves) represent permissions or user rights.

Example

Given a shared folder, \\nyc-ex-svr-01\groups\bizdev; a business development group within the organization's marketing department, represented in Active Directory as the (existing) global security group "Business Development Team Member"; and a requirement that the entire group have read/write access to the shared folder, an administrator following AGDLP might implement the access control as follows:

  1. Create a new domain local security group in Active Directory named "Modify permission on \\nyc-ex-svr-01\groups\bizdev".
  2. Grant that domain local group the NTFS "Modify" permission set (read, write, execute/modify, delete) on the "bizdev" folder. (Note that NTFS permissions are different from share permissions.)
  3. Make the global group "Business Development Team Member" a member of the domain local group "Modify permission on \\nyc-ex-svr-01\groups\bizdev".
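The same three steps as a script, added here as an example and not taken from the article or from Microsoft documentation. It assumes the RSAT ActiveDirectory module, rights to create groups in the chosen OU, and rights to change the NTFS ACL on the folder. The OU path and the group's sAMAccountName are assumptions: a sAMAccountName cannot contain a backslash, so the descriptive name used in the article is stored in the group's description instead, and the ACE is written with the new group's SID rather than its name so that it does not depend on the file server having already seen the new group replicate.

```powershell
# Added example (not the article's own procedure text): AGDLP steps 1-3 in PowerShell.
Import-Module ActiveDirectory

$ResourceOU  = 'OU=Resource Groups,DC=example,DC=com'      # assumed OU for permission groups
$SharePath   = '\\nyc-ex-svr-01\groups\bizdev'              # folder from the article
$RoleGroup   = 'Business Development Team Member'           # existing global group (article)
$PermGroup   = 'ACL_nyc-ex-svr-01_groups_bizdev_Modify'     # assumed sAMAccountName
$Description = "Modify permission on $SharePath"            # the name used in the article

# Step 1: one domain local security group per (resource, permission) pair.
$perm = New-ADGroup -Name $PermGroup -SamAccountName $PermGroup `
                    -GroupScope DomainLocal -GroupCategory Security `
                    -Path $ResourceOU -Description $Description -PassThru

# Step 2: grant the NTFS "Modify" right set to that group on the folder.
# This edits the NTFS ACL, not the share permissions, as the article points out.
# Using the SID avoids a name lookup that can fail before the new group has replicated.
$acl  = Get-Acl -Path $SharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $perm.SID,
            [System.Security.AccessControl.FileSystemRights]::Modify,
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AccessControlType]::Allow)
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Step 3: nest the role (global group) in the permission (domain local group).
# No user account is touched: membership in the role already exists.
$role = Get-ADGroup -Filter "Name -eq '$RoleGroup' -and GroupScope -eq 'Global'"
Add-ADGroupMember -Identity $perm -Members $role
```

Group membership is evaluated into a user's access token at logon, so team members who are already logged on do not gain the new access until they log off and on again. Granting an additional right later means changing the one ACE on the folder or adding a second permission group beside it; the role group and its member accounts stay as they are.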

To highlight the advantages of RBAC using this example, if the Business Development Team required additional permissions on the "bizdev" folder, a system administrator would only need to edit a single access control entry (ACE) instead of, in the worst case, editing as many ACEs as there are users with access to the folder.

References

  1. Ferraiolo, D.F.; Kuhn, D.R. (October 1992). "Role Based Access Control" (PDF). 15th National Computer Security Conference. pp. 554–563.
  2. Sandhu, R.; Coyne, E.J.; Feinstein, H.L.; Youman, C.E. (August 1996). "Role-Based Access Control Models" (PDF). IEEE Computer. 29 (2): 38–47. CiteSeerX 10.1.1.50.7649. doi:10.1109/2.485845. S2CID 1958270.
  3. Microsoft Corporation (2007-03-16). "Group Scopes: Active Directory". Microsoft TechNet. Archived from the original on 14 March 2009. Retrieved 2009-04-28.
  4. Melber, Derek (2006-05-18). "How to Nest Users and Groups for Permissions". WindowsSecurity.com. Retrieved 2009-04-28.
  5. Microsoft Corporation (2005-01-21). "Understanding the Global Catalog: Active Directory". Microsoft TechNet. Retrieved 2005-10-21.
  6. Stanek, William R. "Understanding User and Group Accounts". Microsoft TechNet. Archived from the original on 27 April 2009. Retrieved 2009-04-28.