An Overview on Authorization

Authentication is the first step in implementing a security strategy to protect your network resources and elements from unauthorized users, because it is the process that distinguishes valid, authorized network users from unauthorized users. Authentication therefore verifies the identity of users. The next step in securing your network resources and elements from unauthorized access is authorization. Authorization is the process that controls which objects an authenticated network user can access. Just because a user is authenticated does not necessarily mean that the user is permitted to access all network resources. Authorization determines whether the user can indeed access, and perform the requested actions on, the network resources which the user is attempting to access.

Access to network resources is controlled by setting permissions for objects, and assigning rights to users. Permissions define the users, or groups which are permitted to access the network resource. Permissions also detail the type of access permitted to a particular network resource. Access to a network resource is controlled by the owner of that particular resource or object.

An effective authorization strategy should limit a user's access to only those network resources which the particular user needs in order to perform his or her daily duties. You can therefore also think of authorization as the process of differentiating between standard users, administrators, and guests. Individually assigning rights to users could become impractical in a large organization. Implementing groups and then assigning rights to groups is a more feasible solution. Groups facilitate simpler access management processes.

Planning and Implementing an Authorization Solution

Authorization occurs each time that a user who has passed authentication attempts to access the following objects or network resources:

  • Active Directory directory service objects

  • Files and folders

  • Shared folders

  • Network services

  • Windows Management Interface objects

  • Registry keys and values

  • Terminal Services connections

Because of the diverse number of object types that typically exist in a network environment, assigning permissions to each particular object type could become a cumbersome task. Windows Server 2003 attempts to simplify authorization management by utilizing a standard authorization model for all types of network objects. The interface used to configure permissions for each type of object is very much the same as well. The standard authorization model utilizes the following components to implement authorization:

  • Access Control Lists (ACLs)

  • Inherited permissions

  • Standard Permissions

  • Special Permissions

Understanding Access Control Lists (ACLs)

ACLs hold information on the users or groups which are allowed or denied access to a particular object. What this means is that the ACL identifies those users who can access a particular resource. The ACL of an object is managed by the owner or creator of that particular object. An ACL contains access control entries (ACEs). An ACE is an entry in the ACL of an object which grants or denies permissions to users/groups to access the object. A user is granted access to an object if an ACE explicitly identifies the particular user, or if it explicitly identifies a group of which the particular user is a member. Similarly, the user is denied access to the object when the ACL does not explicitly identify the user, or any group of which the user is a member.

Access control lists (ACLs) consist of the following sets of permissions:

  • NTFS Permissions: These permissions are applied on files and folders. It is generally recommended to utilize NTFS permissions to control user access to files and folders.

  • Share Permissions: Share permissions are applied for users who connect to an object over the network. It is recommended to keep share permissions at their default settings and to use NTFS permissions to control user access to files and folders. This is because of the disadvantages associated with share permissions, including the following:

    • You cannot back up share permissions.

    • Any specified share permissions are no longer valid if the particular folder is unshared.

    • Share permissions cannot be inherited, or audited.

Understanding Standard Permissions and Special Permissions

When you configure the access control lists for the different object types, you can use standard permissions and special permissions.

  • Standard Permissions: Standard object permissions include the following permissions:

    • Reading the object

    • Reading the permissions of the object

    • Modifying the object

    • Modifying the permissions of the object

    • Deleting the object

    • Changing the owner of the object

  • Special permissions: When you specify a standard permission, a set of special permissions associated with the particular standard permission become available, and enable you to more finely manage the access which the user has to the object.

The standard and special permissions which can be applied to files and folders are listed in the following section.

  • Standard Permissions for files and folders:

    • Full Control; users can create and delete files and folders, and change the permissions on files and folders.

    • Modify; users can read, change, and delete files and folders.

    • Read & Execute; users can read files, and execute applications attached to files.

    • List Folder Contents; users can list the contents of a folder.

    • Write; users can create files and folders.

    • Read; users can read files, and view the contents of a folder.

  • Special Permissions for files and folders:

    • Traverse Folder/Execute File; Traverse Folder enables a user to traverse folders, and Execute File enables users to run application files.

    • List Folder/Read Data; List Folder permits/denies users to view the names of subfolders and files, and Read Data allows users to read the file's content.

    • Read Attributes; permits/denies users to read the file/folder's attributes.

    • Read Extended Attributes; permits users to read the file/folder's extended attributes.

    • Create Files/Write Data; Create Files allows users to create files in folders, and Write Data permits users to change the current content of a file.

    • Create Folders/Append Data; Create Folders allows users to create folders in other folders, and Append Data allows users to implement changes at the end of a file. Existing file content cannot however be overwritten.

    • Write Attributes; allows/denies users to change the file/folder's attributes.

    • Write Extended Attributes; allows/denies users to change the file/folder's extended attributes.

    • Delete Subfolders and Files; enables users to delete subfolders and files.

    • Delete; enables users to delete files and folders.

    • Take Ownership; allows for the taking of ownership of the file/folder.

    • Read Permissions; allows the user to view the file/folder's permissions.

    • Change Permissions; allows the user to change the file/folder's permissions.

How to view, configure, or change special permissions for files and folders

  1. Open Windows Explorer.

  2. Locate and right-click the file or folder, and then select Properties from the shortcut menu.

  3. When the Properties dialog box of the file or folder opens, click the Security tab.

  4. Click the Advanced button.

    • If you want to configure a special permission for a user/group, click Add, and then enter the name of the user/group in the Name box. Click OK.

    • If you want to view or change the special permissions for a user/group, select the user/group, and then click View or Edit.

    • If you want to remove a user/group, and any associated special permissions, simply select the user/group, and then click Remove.

  5. If you are working with a folder, specify where the permission should be applied in Apply Onto, on the Permission Entry dialog box.

  6. Specify Allow or Deny for each particular permission.

  7. Click OK.

The standard permissions which can be applied to shares are summarized below.

  • Full Control; allows the user to read, write and change permissions on files and folders included in the share.

  • Change; allows users to read and write to files/folders contained by the share.

  • Read; allows users to read the files/folders contained by the share.

How to set share permissions

  1. Open the File Server Management console.

  2. Select Shared Folder, and then access the Shares subfolder.

  3. Locate and right-click the shared folder that you want to set permissions for, and select Properties from the shortcut menu.

  4. Click the Share Permissions tab.

  5. Specify the appropriate share permissions.

  6. Click OK.

The standard and special permissions which can be applied to Active Directory objects are listed in the following section.

  • Standard Permissions for Active Directory objects:

    • Full Control; users can perform all actions (read, write, change permissions, and so forth) on the particular Active Directory object.

    • Read; users can read or view the permissions, properties and contents of the Active Directory object.

    • Write; users can change the properties of the Active Directory object.

    • Create All Child Objects; users can create child objects in the container, if the particular object is a container (organizational unit).

    • Delete All Child Objects; users can delete child objects in the container, if the particular object is a container (organizational unit).

  • Special Permissions for Active Directory objects: There are a few special permissions which you can specify for Active Directory objects on the Advanced Security Settings dialog box for the object using the Active Directory Users and Computers console. For instance, for the Create All Child Objects, and Delete All Child Objects standard permission, you use special permissions to restrict the types of objects which the user can create or delete.

How to assign standard permissions for an Active Directory object

  1. Click Start, Administrative Tools, and Active Directory Users And Computers.

  2. Advanced Features should be enabled. Verify this on the View menu.

  3. Locate and right-click the Active Directory object which you want to assign permissions for, and click Properties on the shortcut menu.

  4. When the Properties dialog box of the object opens, click the Security tab.

  5. Click Add.

  6. When the Select Users, Computers, Or Groups dialog box opens, enter the name of the user/group for which you want to configure permissions. Click OK.

  7. Use the Allow and Deny checkboxes to add, change or deny permissions.

  8. Click OK.

The standard and special permissions which can be applied to printers are summarized below.

  • Standard Permissions for printers:

    • Print; enables users to connect to a printer, and to transmit documents to the printer for printing.

    • Manage Printers; users can perform all administrative tasks on the printer. This includes among other tasks, pausing and restarting the printer, changing printer permissions, and changing the properties of the printer.

    • Manage Documents; permits users to restart, cancel, pause, and rearrange the order of documents submitted by other users to the printer.

  • Special Permissions for printers: There are about 6 special permissions which can be assigned to users for printers.

How to change the standard permissions configured on a printer

  1. On the Start menu, access the Printers and Faxes folder.

  2. Right-click the printer for which you want to change standard permissions, and click Properties from the shortcut menu.

  3. In the Properties dialog box of the printer, click the Security tab.

    • If you want to add a user/group to the list of users assigned permissions to the printer, click Add, and enter the name of the user/group.

    • If you want to modify the current permissions for a user/group, select the user/group, and then specify the permissions for the particular user/group.

    • If you want to remove a user/group, select the user/group, and then click Remove.

  4. Click OK.

The standard and special permissions which can be applied to services are summarized below.

  • Standard Permissions for services:

    • Full Control; enables users to perform all functions on the particular service. This includes among other activities, changing the permissions of the service, and starting/stopping the service.

    • Read; users are only permitted to view the permissions, status, and dependencies of the service.

    • Start, Stop, And Pause; enables a user to start, pause, or stop the service.

    • Write; users are permitted to set whether the service should be started manually or automatically when the server reboots.

    • Delete; enables the user to delete the service.

  • Special Permissions for services: As is the case with the other object types, there are over 10 special permissions which you can assign to users, for a service.

The standard and special permissions which can be applied to registry keys and values are summarized below.

  • Standard Permissions for registry keys and values:

    • Full Control; enables users to create new registry keys or values, and to edit and delete existing registry keys or values.

    • Read; users can only view registry subkeys and values.

  • Special Permissions for registry keys and values: There are over 10 special permissions for registry keys and values which you can assign to users.

Understanding Explicit Permissions, Inherited Permissions and Effective Permissions

Permissions that are set directly on an object, such as a folder, file, or Active Directory object, are called explicit permissions. In an effort to ease the administrative tasks necessary to assign permissions, inherited permissions are used. Inherited permissions enable permissions to be propagated from a parent object to child objects. The default configuration for inherited permissions is that all newly created child objects automatically obtain the permissions specified on their parent object. You can stop a child object from inheriting the permissions of a parent object by clearing the Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects checkbox.

Because users can be assigned permissions from different sources, the actual permission effect is cumulative: the permissions which are granted to a user or group through all of these sources are added together. Individual user permissions can be either allowed or denied for resource access. In addition, a user can be a member of many different groups, and groups can be nested within other groups. When determining the effective permissions of a user, all of the above has to be considered, while bearing in mind that any denied permission always overrides allowed permissions. This includes inherited permissions.
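As an added example (not code from the original article), the following Python models the evaluation rule just described: allows accumulate across the user's nested group memberships, any matching Deny removes the right regardless of its source, and a standard permission is evaluated as the set of special permissions it is made of (the standard Windows mapping, with the Synchronize right omitted because the article does not list it). The users, groups and ACL are constructed sample data.

```python
from dataclasses import dataclass

# Special permissions that make up each standard permission for files and folders
# (standard Windows mapping; Synchronize is omitted because the text does not list it).
READ = {"List Folder/Read Data", "Read Attributes", "Read Extended Attributes", "Read Permissions"}
WRITE = {"Create Files/Write Data", "Create Folders/Append Data", "Write Attributes",
         "Write Extended Attributes", "Read Permissions"}
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Delete Subfolders and Files", "Change Permissions", "Take Ownership"}
STANDARD = {"Read": READ, "Write": WRITE, "Read & Execute": READ_EXECUTE,
            "List Folder Contents": READ_EXECUTE, "Modify": MODIFY, "Full Control": FULL_CONTROL}


@dataclass(frozen=True)
class ACE:
    """One access control entry in an object's ACL."""
    trustee: str              # user or group the entry applies to
    access: str               # "Allow" or "Deny"
    right: str                # a standard permission name or a single special permission
    inherited: bool = False   # propagated from the parent object rather than set explicitly


# Constructed directory: each principal mapped to the groups it is a direct member of.
MEMBER_OF = {
    "alice": {"Finance Users"},
    "bob": {"Finance Users", "Auditors"},
    "Finance Users": {"Domain Users"},
    "Auditors": {"Domain Users"},
}

# Constructed ACL on a folder: Read is inherited from the parent, the rest is explicit.
FOLDER_ACL = [
    ACE("Domain Users", "Allow", "Read", inherited=True),
    ACE("Finance Users", "Allow", "Modify"),
    ACE("Auditors", "Deny", "Delete"),
]


def security_tokens(principal, member_of=MEMBER_OF):
    """The principal plus every group reached through nested membership."""
    seen, todo = set(), [principal]
    while todo:
        name = todo.pop()
        if name not in seen:
            seen.add(name)
            todo.extend(member_of.get(name, ()))
    return seen


def effective_permissions(user, acl, member_of=MEMBER_OF):
    """Special permissions the user ends up with, as the Effective Permissions tab would show."""
    tokens = security_tokens(user, member_of)
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in tokens:
            continue
        rights = STANDARD.get(ace.right, {ace.right})
        (denied if ace.access == "Deny" else allowed).update(rights)
    # Allows are cumulative; a Deny from any source, explicit or inherited, overrides them.
    return frozenset(allowed - denied)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, sorted(effective_permissions(user, FOLDER_ACL)))
```

Running it shows that bob, who reaches the same Allow Modify entry as alice through Finance Users, loses only Delete because of the Deny entry on Auditors.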

Deciding on the appropriate ACL access method to implement for controlling access to resources

If you are dealing with a small organization that has roughly ten users or less, you can implement the User/ACL method to control access to resources. This method only tends to work optimally in small organizations that only need a small number of groups to manage resource access. In large organizations, the User/ACL method has the following shortcomings:

  • The ACLs would grow into unmanageable sizes, which would eventually lead to degraded performance.

  • Managing the User/ACL method in large organizations tends to lead to increased administrative costs.

  • Monitoring and troubleshooting user permissions to resources would be a time consuming task.

  • In large organizations, where user access requirements typically differ, an Administrator would have to manually manage and change the rights for users who need additional access to resources.

With the Account Group/ACL method for controlling access to resources, the global group in which users are placed is added to the ACL. What this means is that permissions to resources are assigned on a per-group basis. Using groups, you can configure the same permissions for all users in the group that need to access the resources. This in turn leads to simpler management. Global groups can also be added to the ACLs of any trusted domains. The Account Group/ACL method also has a few limitations. These are detailed below.

  • The more account groups that are added to a particular resource, the more complicated administrative tasks become.

  • Deciding on the proper permissions needed for each group can be an intricate task.

With the Account Group/Resource Group method of controlling access to resources, users which have similar access requirements to resources are added to an account group. The Account Group/Resource Group method is the most feasible method to control access to resources in large organizations. The Account Group/Resource Group method has the following benefits:

  • To provide groups with access to the required resources, you merely have to add the necessary account groups into resource groups.

  • You no longer need to change permissions for each group individually. All you have to do is add the account group to the particular resource group which has desired permissions.

  • Account groups can be added to ACLs in trusted domains.

  • The Account Group/Resource Group method provides improved flexibility over the Account Group/ACL method and User/ACL method.

  • The Account Group/Resource Group method also simplifies administration typically needed to control access to resources.

Deciding on the appropriate Group strategy to implement for accessing resources

Groups assist in managing users, computers, and other objects; and in controlling access to network objects or resources. The group scopes available in Windows Server 2003 are briefly listed below.

  • Global Groups are used to group users or computers which belong to the same domain.

  • Domain Local groups can include users from any domain in the forest, and are used to control access to resources which reside in the same domain as the particular Domain Local group.

  • Universal groups can include users and groups from any domain in the forest. Universal groups can be used to control access to resources that reside in any domain.

The strategy which Microsoft recommends for implementing a permission structure to control access to resources is called AGDLP. This consists of the following steps:

  1. Add domain users to global groups.

  2. Add global groups to domain local groups.

  3. Assign the domain local groups the permissions on the particular resource(s).

When including Universal groups, the permission structure is known as AGUDLP.

  1. Add domain users to global groups.

  2. Add global groups to universal groups.

  3. Add universal groups to domain local groups.

  4. Assign the domain local groups the permissions on the particular resource(s).

A few key factors to remember when nesting or combining groups are summarized below. While nesting or combining groups can indeed significantly reduce network traffic and the administrative overhead necessary to manage access to resources, you have to take time to plan the group nesting strategy which you want to implement in your environment.

  • When planning your group nesting strategy, remember the following:

    • You can nest Domain local groups in other Domain Local groups.

    • You cannot however nest Domain local groups in Global groups or Universal groups.

    • You can nest Global groups in Domain Local groups, Universal groups and in other Global groups.

    • Universal groups can be nested in other Universal groups.

    • You can add Global groups to Universal groups.

    • You cannot add Universal groups to Global groups.

  • You should record or document the description of each group, and the functionality of each group, so that you can readily access this information if you need to troubleshoot permission issues.

  • You should always strive to reduce the level of nesting required. Having the number of nested groups at a maximum of two levels or three levels is ideal.
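As an added example (not code from the original article), this Python encodes the nesting rules listed above and the AGDLP steps from the previous section: a group is only accepted as a member where its scope allows, a global group only holds principals from its own domain, the permission is granted to the domain local group alone, and a depth check reports how many nesting levels a resource group ends up with. All user, group and domain names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Principal:
    """A user (scope "User") or a group with one of the three Windows Server 2003 scopes."""
    name: str
    domain: str
    scope: str = "User"                        # "User", "Global", "Domain Local" or "Universal"
    members: set = field(default_factory=set)  # names of direct members


# Container scopes each kind of principal may be nested in, taken from the rules listed above.
NESTING_RULES = {
    "User": {"Global", "Domain Local", "Universal"},
    "Global": {"Global", "Domain Local", "Universal"},
    "Universal": {"Universal", "Domain Local"},
    "Domain Local": {"Domain Local"},
}


def nesting_error(member, container):
    """Reason the nesting is not allowed, or None when it is."""
    if container.scope == "User":
        return f"{container.name} is a user, not a group"
    if container.scope not in NESTING_RULES[member.scope]:
        return f"{member.scope} cannot be nested in {container.scope} groups"
    # Global groups only hold users and groups from their own domain.
    if container.scope == "Global" and member.domain != container.domain:
        return f"{container.name} is a global group of {container.domain}, not {member.domain}"
    return None


def add_member(member, container):
    """Nest member in container, rejecting combinations the rules forbid."""
    error = nesting_error(member, container)
    if error:
        raise ValueError(f"cannot add {member.name} to {container.name}: {error}")
    container.members.add(member.name)
    return container


def nesting_depth(group, registry):
    """Number of group levels below `group`; the text advises keeping this at two or three."""
    depth = 0
    for name in group.members:
        child = registry[name]
        if child.scope != "User":
            depth = max(depth, 1 + nesting_depth(child, registry))
    return depth


def agdlp(users, global_name, local_name, resource_domain, acl):
    """Build the AGDLP chain: Accounts -> Global group -> Domain Local group -> Permission."""
    global_group = Principal(global_name, users[0].domain, "Global")
    local_group = Principal(local_name, resource_domain, "Domain Local")
    for user in users:
        add_member(user, global_group)
    # A domain local group accepts global groups from any trusted domain, so this may cross domains.
    add_member(global_group, local_group)
    # Only the domain local group appears in the ACL; users and global groups never do.
    acl.append((local_group.name, "Allow", "Modify"))
    return global_group, local_group


if __name__ == "__main__":
    acl = []
    staff = [Principal("alice", "corp.example"), Principal("bob", "corp.example")]  # constructed
    g, dl = agdlp(staff, "Finance Users", "Finance Share Modify", "corp.example", acl)
    print(acl, "nesting depth:", nesting_depth(dl, {p.name: p for p in staff + [g, dl]}))
```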

How to troubleshoot authorization problems

Troubleshooting simple authorization issues typically involves the following process.

  1. Determine the effective permissions of the user for the particular object.

  2. Examine the effective permissions, and then assign the user, or the group to which the user belongs, the necessary permissions to perform the required tasks.

To determine the effective permissions of a user,

  1. Examine the permissions of the particular object.

  2. Select the Advanced button.

  3. When the Advanced Security Settings dialog box opens, click the Effective Permissions tab.

  4. Click Select, and in the Select User, Computer, Or Group dialog box, enter the user's name for which you want to determine effective permissions. Click OK.

  5. Proceed to examine the permissions that the user has, and compare these to the permissions that the user requires. Click OK.

  6. You can now assign any other necessary permission to the user.

For complex authorization problems, where it is more complicated to determine whether an application is attempting to access an Active Directory object, service, file, or registry value, you can enable and use failure auditing to determine which objects the application or user is unsuccessfully trying to access.

To enable failure auditing,

  1. Log on to the appropriate system or domain controller.

  2. Click Start, Administrative Tools.

  3. If you are logged on to a member server, or standalone server, click Local Security Policy.

  4. If you are logged on to a domain controller, click Domain Controller Security Policy.

  5. Proceed to expand Local Policies. Click Audit Policy.

  6. For Active Directory object access problems, double-click Audit Directory Service Access.

  7. For other object types, double-click Audit Object Access.

  8. Record the existing settings so that you can restore them after you have resolved the authorization problem at hand.

  9. Select Define These Policy Settings, and select Failure.

  10. Click OK.

Now that you have enabled failure auditing for either the Audit Directory Service Access policy or the Audit Object Access policy, the next step in troubleshooting the authorization problem is to enable auditing for the particular resource(s).

You can enable auditing for the files and folders object type by using the following steps:

  1. Open Windows Explorer.

  2. Locate and right-click the file or folder which you want to enable auditing for, and then select Properties from the shortcut menu.

  3. When the Properties dialog box of the file/folder opens, click the Security tab, and then click Advanced.

  4. Click the Auditing tab.

  5. Record the current auditing settings, so that you can reconfigure them after you have completed troubleshooting the authorization problem.

  6. Click Add.

  7. Enter the name of the particular user experiencing the problem in the Select User Or Group dialog box. Click OK.

  8. When the Auditing Entry dialog box appears, click the Failed checkbox for Full Control. This automatically checks all other Failed checkboxes. Click OK.

  9. An event will now be logged in the Security event log whenever the particular user is denied access to the resource.

  10. You can analyze these failure events using Event Viewer.
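As an added example (not code from the original article), the following Python performs the analysis step above on a constructed, simplified CSV export of Security log entries: it keeps only the failure audits of Event ID 560 (Object Open, the Windows Server 2003 object-access audit event) and reports, per user, which objects and access types were denied. The column layout, account names and object paths are constructed for the example and are not the native event log format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed, simplified export of Security log entries (not the native event format).
# Event ID 560 ("Object Open") is the object-access audit event; "Failure Audit" rows are
# the ones produced once Failure auditing is enabled in the policy and on the object.
SAMPLE_EXPORT = """\
Type,EventID,User,ObjectName,Accesses
Failure Audit,560,CORP\\alice,C:\\Finance\\Budget.xlsx,WriteData (or AddFile)
Success Audit,560,CORP\\alice,C:\\Finance\\Budget.xlsx,ReadData (or ListDirectory)
Failure Audit,560,CORP\\alice,C:\\Finance\\Archive,DELETE
Failure Audit,560,CORP\\bob,HKLM\\SOFTWARE\\App\\Settings,WriteData (or AddFile)
Success Audit,528,CORP\\bob,,
Failure Audit,560,CORP\\alice,C:\\Finance\\Budget.xlsx,WriteData (or AddFile)
"""


def denied_access(export_text, user=None):
    """Map each user to the objects and access types they were denied (560 failure audits).

    Returns {user: {object_name: [sorted access types]}}; `user` narrows the report to one
    account (case-insensitive), which is the usual case when troubleshooting a single report.
    """
    denied = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(StringIO(export_text)):
        if row["Type"] != "Failure Audit" or row["EventID"] != "560":
            continue  # successful opens and unrelated events (e.g. logons) are not of interest
        if user is not None and row["User"].lower() != user.lower():
            continue
        denied[row["User"]][row["ObjectName"]].add(row["Accesses"])
    return {u: {obj: sorted(acc) for obj, acc in objs.items()} for u, objs in denied.items()}


def denied_attempt_counts(export_text):
    """How many times each (user, object) pair was denied; repeated failures point at the
    object whose permissions need attention first."""
    counts = defaultdict(int)
    for row in csv.DictReader(StringIO(export_text)):
        if row["Type"] == "Failure Audit" and row["EventID"] == "560":
            counts[(row["User"], row["ObjectName"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for account, objects in denied_access(SAMPLE_EXPORT).items():
        for obj, accesses in objects.items():
            print(f"{account} denied {', '.join(accesses)} on {obj}")
    print(denied_attempt_counts(SAMPLE_EXPORT))
```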