The default Windows 2000 Active Directory installation was not as secure as it could have been. It allowed anonymous queries to be executed, which could take up valuable processing resources, and it did not place any requirements on encrypting or signing traffic between clients and domain controllers. As a result, usernames, passwords, and search results could be sent over the network in clear text. Fortunately, with Windows Server 2003, things have been tightened up significantly. LDAP traffic is signed by default and anonymous queries are disabled by default. Additionally, Transport Layer Security (TLS), the more flexible cousin of Secure Sockets Layer (SSL), is supported in Windows Server 2003, which allows for end-to-end encryption of traffic between domain controllers and clients.
Active Directory's Access Control List (ACL) model provides ultimate flexibility for securing objects throughout a forest. You can restrict access down to the attribute level if you need to. With this flexibility also comes increased complexity. An object's ACL is initially generated from the default ACL for the object's class, inherited permissions, and permissions directly applied on the object.
An ACL is a collection of ACE entries (Access Control Entry), which defines the permission and properties that a security principal can use on the object on which the ACL is applied. Defining these entries and populating the ACL is the foundation of Active Directory security and delegation.
In this chapter, I will explore some of the common tasks around managing permissions in Active Directory. If you are looking for a detailed guide to Active Directory permissions, I suggest reading Chapter 11 in Active Directory, Second Edition (O'Reilly).
In order for ACLs to be of use, a user has to authenticate to Active Directory. Kerberos is the primary network authentication system used by Active Directory. Kerberos is a standards-based system that was originally developed at MIT, and has been widely implemented at universities. I will also be covering some Kerberos-related tasks that you likely to encounter in this chapter. For a complete review of Kerberos, I recommend Kerberos: The Definitive Guide (O'Reilly).