User Accounts, Group Accounts, and Access Control Lists

by Derek Melber [Published on 15 Aug. 2012 / Last Updated on 15 Aug. 2012]

This article looks at the importance of properly configuring access control lists (ACLs).
Introduction

A wise man once taught me how to properly configure access control lists (ACLs), which I still preach today. However, I find that after so many years of network administration being so straightforward, many don’t follow this easy and best security practice. If users and groups are not handled correctly when granting access to resources via ACLs, disaster is just waiting to occur on your networks. Think about it this way: if you just casually give out keys to your house without keeping track of them, how will you know in a year or two who has a key to your house? The answer is you won’t. The same sort of issue occurs on your networks. If you grant the wrong permissions to the wrong objects, you are going to end up not knowing who has access to what in a year or two. The damage this can do to your corporate data is nearly as bad as not knowing who has a key to your house.

First Things First

We need to understand what I mean by Access Control List (ACL). An ACL is a list of “who” has “what” access to a resource. We also need to understand what the definition of a resource in a Windows environment is. Let’s assume that we have an Active Directory domain, which will expand our definition of resource. First, a resource is anything with an ACL. I know, you are never supposed to define one term with another that is unknown. However, in this case there is not much other option. Here is a full list of objects in a Windows Active Directory enterprise with an ACL:

Files
Folders
Printers
Registry Keys
Services
Active Directory objects

Now, what is an ACL? An ACL is a list of users, groups, and computers with some level of access permission to the object. In order to access the ACL for an object, you need to first get to the object properties. This is typically a right-click away. Just right-click on the object, then select Properties from the menu. For example, an ACL for the System32 folder on my laptop is shown in Figure 1.


Figure 1: ACL for the System32 folder.

Note:
There are also permissions associated with shared folders, which are on the Sharing tab, next to the Security tab of the Properties dialog box for an object. The permissions for shared folders are not the same as the permissions on the Security tab. They might seem similar, but they are dramatically different.
Next, Scope of Users

There are two different types of user accounts in an Active Directory domain. There are local user accounts, which reside in the local security accounts manager (SAM) of every desktop and server (non-domain controller) in the entire domain. These users can only be located on ACLs on resources that are on the computer where the user is stored.

There are also domain user accounts, which are located on the domain controllers for the domain. The domain controllers house the Active Directory database, which is where these users are defined and stored. These user accounts can be placed on any ACL on any resource on any computer in the entire domain.
Next, Scope of Groups

There are two different types of group accounts in an Active Directory domain. There are local group accounts, which reside in the local security accounts manager (SAM) of every desktop and server (non-domain controller) in the entire domain. These groups can only be located on ACLs on resources that are on the computer where the group is stored.

There are also domain group accounts, which are located on the domain controllers for the domain. The domain controllers house the Active Directory database, which is where these groups are defined and stored. These group accounts can be placed on any ACL on any resource on any computer in the entire domain.

There are six different groups that can be created in Active Directory. The groups are defined as follows:

Universal Distribution Group –
Universal Security Group –
Global Distribution Group –
Global Security Group –
Domain Local Distribution Group –
Domain Local Security Group –

Any and all of the security groups that can be defined in Active Directory might show up on an ACL for a resource in the domain.
Correct User, Group, and ACL Usage

Now, we go back to my mentor who called the use of user accounts, group accounts, and ACLs a “mantra”. He was pretty clear about his use of the users, groups, and ACLs, as his main goals were ease of administration and security.

For a single domain, the ideal way to organize users, groups and ACLs is as follows:

Domain user accounts should be placed in global security groups
Global security groups should be placed into domain local groups (or local groups)
Domain local groups (or local groups) should be located on the ACL

Global security groups should be defined and used to organize users based on who they are. For example, you might have groups named Managers, Engineers, Accounts Payable, etc. Domain local groups (or local groups) should be defined and used to organize the global groups based on access to the resource. These groups might be named Full Control to DB, Read access to Intranet, Modify of Documents, etc.

The reason for the mantra is that I can determine who has access to any resource by looking at the resource, then enumerating the groups that are listed on the ACL and stored in AD.
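The following is an added example, not code from the article, that models the mantra with constructed sample data (the names are made up). It resolves who can reach a resource by walking the ACL through the domain local and global groups, and flags ACL entries that break the user > global group > domain local group > ACL ordering:

```python
"""Model of the mantra: domain users -> global groups -> domain local groups -> ACL.
Constructed directory data; not real Active Directory queries."""

# Constructed principals: name -> kind ("user", "global", "domainlocal").
DIRECTORY = {
    "alice": "user", "bob": "user", "carol": "user",
    "Engineers": "global", "Managers": "global",
    "Modify of Documents": "domainlocal",
    "Read access to Intranet": "domainlocal",
    "Full Control to DB": "domainlocal",
}
# Constructed group membership: group -> set of member principal names.
MEMBERS = {
    "Engineers": {"alice", "bob"},
    "Managers": {"carol"},
    "Modify of Documents": {"Engineers", "Managers"},   # follows the mantra
    "Read access to Intranet": {"Engineers"},           # follows the mantra
    "Full Control to DB": {"carol"},                    # user nested directly: violation
}

def who_has_access(acl):
    """Expand every principal on an ACL down to user accounts.
    acl is a list of (principal, permission); returns {user: set(permissions)}."""
    result = {}
    for principal, perm in acl:
        stack, seen = [principal], set()
        while stack:                      # depth-first walk through nested groups
            p = stack.pop()
            if p in seen:                 # guards against circular nesting
                continue
            seen.add(p)
            if DIRECTORY.get(p) == "user":
                result.setdefault(p, set()).add(perm)
            else:
                stack.extend(MEMBERS.get(p, ()))
    return result

def mantra_violations(acl):
    """Report entries that break the mantra: only domain local groups belong on
    the ACL, and a domain local group should contain only global groups."""
    problems = []
    for principal, perm in acl:
        kind = DIRECTORY.get(principal, "unknown")
        if kind != "domainlocal":
            problems.append(f"{kind} '{principal}' placed directly on ACL ({perm})")
            continue
        for m in MEMBERS.get(principal, ()):
            if DIRECTORY.get(m) != "global":
                problems.append(f"{DIRECTORY.get(m)} '{m}' nested directly in '{principal}'")
    return problems
```

Running `mantra_violations` over a resource's ACL is the check the mantra makes cheap: a clean result means the ACL can be audited by reading group membership alone.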