Let me preface what will probably be a longish answer with "There is no simple solution". Solving this will take some strategic work (which is why I recommended not moving this to SF).

Windows, at its core, is mostly based on the DAC model of access control. Everything in the OS is securable with an ACL - files, folders, registry, named pipes, sockets, shares, etc etc. Using AD groups allows you to abstract that into an RBAC-type model, but internally it's still a DAC model. (What I mean is, you can create an ACE (access control entry) for a group (i.e. role), but you're still creating an ACE - and that is what will be verified on access).

There are a few distinct exceptions to this:

- There is some implementation of MAC - i.e. However, this is usually an internal OS protection mechanism, and is usually not leveraged for real access control (other than the built-in UAC).
- (Though it is possible to specify a specific user to grant these privileges to, it is intended - and functions as - a RBAC model).

But wait, that's just in the OS itself. Windows, as a platform, allows and encourages applications (3rd party, MS products, and OS addons) to use AD group membership as an RBAC mechanism:

- 3rd party applications can verify group membership via a simple AD/LDAP lookup - these apps might be storing the group name and resolving on that, or saving the group's SID and querying directly for that.