This article gives an overview of the key concepts used in Active Directory. In simple terms, Active Directory (AD) is about managing resources.

AD can be understood as having a logical model and a physical model. The logical model represents an organisation and its computer resources, while the physical model is used to implement an Active Directory deployment that meets functional and non-functional requirements, such as performance. This information is stored hierarchically.

Logical model

Objects

The Active Directory logical model is based around objects; in particular users, printers, groups, and computers. These are examples of object classes. Each object holds attributes, such as a user's name.

Organisational units

Organisational units (OUs) are logical containers used to store resources (users, computers, groups, and other OUs). Administrative authority can be delegated to OUs. OUs are typically mapped against business departments, functions or geographic locations.

Domains

A domain is a logical grouping of network elements (computers, users, printers, etc.). It serves as an administrative and security scope within which groups and users can be controlled.

Each domain has its own security policy, which can be derived from higher-level domains. Group policies can be defined at the domain level; examples include password policies and access to resources.

Domains can have relationships with other domains, and are arranged in a parent-child hierarchy called a domain tree.

Trust relationships can be established so that users in a trusted domain can use resources in the trusting domain.

Domains also form a scope for replication, allowing for decentralisation of administration and management of network traffic.

Forests

A forest is used to group domain trees. Within a forest, every tree shares the same schema, global catalog, and configuration information. Trusts are established between the top-level domains of the trees in the forest.

So the Active Directory logical model nests like this: objects into OUs, OUs into domains, domains into trees, and trees into forests.

Schemas

Active Directory provides a schema for its objects, which can be extended to meet business needs. The schema defines the object classes (such as User) and the attributes that can be used.

It also provides an access control list (ACL) based security mechanism for controlling access to, and use of, resources.

Physical model

Active Directory topology design is based on organisational needs and technical constraints, especially those around network capacity.

Sites

Sites are groupings of IP subnets. Typically, the site topology is designed around the geographic location of the subnets in a domain, with the type of network link between sites being a configuration element.

Sites are used to store topology information, expressed as computer and connection objects.

Domain controllers

Domain controllers hold the directory and send and receive replication traffic.

LDAP defines the naming standard used to identify objects in the directory.
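The nesting described above (object inside OUs inside a domain) is exactly what an LDAP distinguished name (DN) spells out. The parser below is an added example, not code from the original article; it assumes RFC 4514-style DNs with backslash escapes, and the sample names are constructed for illustration.

```python
# Added example: map LDAP distinguished names onto the AD logical model.
# Sample DNs are constructed and do not belong to any real forest.

def split_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes
    so a comma inside a value (e.g. 'Smith\\, Alice') is not a separator."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escaped char literally
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    pairs = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def describe_dn(dn):
    """Return the object name (leftmost CN), the OU path from the domain root
    down to the object, and the DNS name of the domain (the DC components).
    Default containers such as CN=Users or CN=Computers are not OUs, so they
    are reported separately under 'containers'."""
    pairs = split_dn(dn)
    cns = [v for a, v in pairs if a == "CN"]
    return {
        "object": cns[0] if cns else None,
        # DNs list the most specific OU first; reverse for root-to-leaf order
        "ou_path": [v for a, v in pairs if a == "OU"][::-1],
        "containers": cns[1:][::-1],
        "domain": ".".join(v for a, v in pairs if a == "DC"),
    }

# Constructed sample: a user two OUs deep in the corp.example.com domain
SAMPLE_USER_DN = "CN=Smith\\, Alice,OU=Sales,OU=EMEA,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(describe_dn(SAMPLE_USER_DN))
```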

Replication

Domain controller replication

Active Directory copies updates between the domain controllers in a forest through a replication service.

File Replication

Active Directory provides a file replication service (FRS), used to replicate files between domain controllers. The files it replicates are those in the SYSVOL folder, and also Distributed File System (DFS) shared folders. FRS replicates files using the same replication topology as standard AD replication.




Governance is fundamentally about making and enforcing decisions - ensuring they are made by the right people, and then put into practice. Good governance is informed by risk management and compliance concerns.

SharePoint governance centers around ensuring the success and continuity of business operations around a SharePoint deployment. The kinds of questions raised in considering SharePoint governance include:

  • How do we ensure that we get business value from our SharePoint deployment?
  • Who should be granted access to what?
  • Who pays for configuration changes to SharePoint?
  • How do we ensure that key records are properly treated?
  • How do we ensure that resources are properly allocated and managed?
  • How do we ensure that security threats and vulnerabilities are properly treated?

These questions are answered by making decisions about responsibilities and the use of controls, and by ensuring that mechanisms exist to see that these decisions are acted upon.

A SharePoint deployment typically crosses several business units, and encompasses existing and new relationships between these units.

The interfaces between business units should be based on exchange of value. "We'll do something for you if you do something for us". A key challenge in IT governance is building an appropriate exchange model - such as cost chargeback - to ensure that the IT department receives value in exchange for services offered. What makes this difficult is that different exchange models have different side-effects, and do not necessarily result in the kinds of behaviours desirable to align with broader corporate goals and strategies.

Metrics are used to measure things. The problem they attempt to address is that of aligning organizational behavior with business goals. Good metrics provide visibility into performance, allowing for better informed decision-making, and can be used for forecasting and planning for future readiness and preparedness.

A key challenge in using metrics is determining appropriate metrics. One must determine what is important to a business, and then how to quantify it. In many cases it is not easy, or even possible, to measure what is important, especially when 'soft' concepts like "market reputation" or "information security" are involved.

Metric framework

A generic framework for establishing metrics starts by identifying and assessing business goals, then assesses the business activities that support those goals, and finally identifies measurable components of those activities.

Types of metrics

Predictive metrics - used to predict future performance or outcomes.

Situational metrics - used to provide visibility of the current situation.

Security metrics

Security, being an intangible concept, is difficult to measure. Different organizations have different views regarding what constitutes an appropriate metric. A selection of views is summarised below.

Standard metrics

  • Return on Investment (ROI) indicates the change in finances that has resulted from an investment. If the investment made (or saved) more money than it cost to acquire and implement, then the investment has a positive ROI. Determining how much something cost to acquire is relatively easy; the difficulty in ROI analysis is quantifying the return.
  • Return on Security Investment (ROSI) is based around comparing the cost of a security solution against the impact of a risk occurring (Risk Exposure × Percentage of Risk Mitigation).

Jaquith's view on ROI

In "Security Metrics", Andrew Jaquith argues that return on investment (ROI) is not an appropriate metric for security effectiveness: "Analytical rigor receives little attention, while nebulous, nonquantitative mantras rule: 'defense in depth,' 'security is a process,' and 'there is no security by obscurity,' to name a few."

He recommends that risks be quantified in terms of the value of the assets they apply to. One metric he proposes is "level of effort to subvert", in contrast to a metric along the lines of "number of possible vulnerabilities".

A guide to the SharePoint SSO service. TBD.