Identity and Access
In this module and this lesson, Active Directory is introduced as the foundation for identity and access (IDA) on enterprise networks running Windows. IDA is concerned with the security of enterprise resources such as files, email, and databases.
BETA COURSEWARE EXPIRES 4/18/2011
An IDA infrastructure should do the following:
• Store information about users, groups, computers and other identities. An identity is, as you've learned, a representation of an entity that will perform actions on the enterprise network. For example, a user will open documents from a shared folder on a server. You know that the document will be secured with permissions on an access control list (ACL). Access to the document is managed by the security subsystem of the server, which compares the identity of the user with the identities on the ACL to determine whether the user's request for access will be granted or denied. Computers, groups, services, and other objects also perform actions on the network; they must be represented by identities.
Among the information stored about an identity are properties that uniquely identify the object, such as a user name or a security identifier (SID), and a verifier for the identity's secret (in AD DS, the password hash and the Kerberos keys derived from the password, not the password itself). The identity store is therefore one component of an IDA infrastructure. The Active Directory data store, also known as the directory, is an identity store. The directory itself is hosted on and managed by a domain controller, a server performing the AD DS role.
• Authenticate an identity. The server will not grant access to the user unless it verifies that the identity presented in the access request is valid. To validate the identity, the user provides secrets known only to the user and the IDA infrastructure. Those secrets are compared with the information in the identity store in a process called authentication.
In an Active Directory domain, the Kerberos protocol is used to authenticate identities. When a user or a computer logs on to the domain, a domain controller (acting as the Kerberos Key Distribution Center, or KDC) authenticates the credentials and issues an information package called a ticket-granting ticket (TGT). Before the user connects to the server to request the document, the client sends a Kerberos request to a domain controller along with the TGT, which identifies the already authenticated user. The domain controller issues another information package, a service ticket, that identifies the authenticated user to that specific server; the service ticket is encrypted with a key known only to the domain controller and the server. The user presents the service ticket to the server, which decrypts it with its own key and accepts it as proof that the domain controller authenticated the user. The server does not need to contact the domain controller to do so.
These Kerberos transactions result in a single network logon, or single sign-on (SSO). After the user or computer has initially logged on and been granted a TGT, the user is authenticated within the entire domain and can be granted service tickets that identify the user to any service without entering credentials again. All of this ticket activity is managed by the Kerberos clients and services built into Windows and is transparent to the user.
• Control access. The IDA infrastructure is responsible for protecting confidential information, such as the information stored in the document. Access to confidential information must be managed according to the enterprise's policies. The ACL on the document reflects a security policy that contains permissions specifying access levels for particular identities. In this example, the security subsystem of the server performs the access control function of the IDA infrastructure.
• Provide an audit trail. An enterprise may want to monitor changes to, and activities within, the IDA infrastructure, so the infrastructure must provide a mechanism to manage auditing. In Windows, that mechanism is the audit policy together with the Security event log on domain controllers and servers.
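The flow the four bullets describe, as an added example in Python that is not part of the course material: a domain controller (KDC), a client and a file server are modelled as plain objects, and a toy seal/unseal pair (SHA-256 keystream with an HMAC tag) stands in for the Kerberos AES encryption types. Every name, SID and password in it is constructed for the example. It also shows two failure modes a practitioner should expect: a wrong password fails at pre-authentication on the domain controller, and a ticket that was not sealed with the file server's own key is rejected by the server without any call to the domain controller.

```python
# Toy model of the IDA flow above (added example, not course code): KDC issues TGT and service
# ticket; the file server verifies, checks the ACL, audits. seal/unseal are NOT real cryptography.
import hashlib, hmac, json, secrets, time

def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()  # stand-in for Kerberos string-to-key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key: bytes, obj: dict) -> bytes:  # encrypt-then-MAC a small JSON message
    plain, nonce = json.dumps(obj, sort_keys=True).encode(), secrets.token_bytes(8)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:  # fails unless sealed under exactly this key
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed: wrong key, forgery or tampering")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

def check_acl(acl, token_sids, wanted) -> bool:
    """Windows DACL walk: a Deny touching an outstanding right denies; Allows accumulate
    until every requested right is granted; if nothing matches, access is denied."""
    remaining = set(wanted)
    for ace_type, sid, rights in acl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and remaining & rights:
            return False
        if ace_type == "allow":
            remaining -= rights
            if not remaining:
                return True
    return False

class KDC:  # domain controller; its identity store maps each principal to (password, SIDs)
    def __init__(self, principals: dict):
        self.keys = {n: derive_key(pw) for n, (pw, _) in principals.items()}
        self.sids = {n: sids for n, (_, sids) in principals.items()}
    def as_exchange(self, user: str, preauth: bytes):
        unseal(self.keys[user], preauth)  # pre-authentication: client must hold the user's key
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "session": session, "exp": time.time() + 36000})
        return tgt, seal(self.keys[user], {"session": session})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can read or mint a TGT
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["user"] != t["user"] or time.time() > t["exp"]:
            raise PermissionError("bad TGT or authenticator")
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sids": self.sids[t["user"]],
                                           "session": svc_session, "exp": time.time() + 36000})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})

def logon(kdc: KDC, user: str, password: str):  # AS exchange; the password never leaves the client
    key = derive_key(password)
    tgt, rep = kdc.as_exchange(user, seal(key, {"ts": time.time()}))
    return tgt, bytes.fromhex(unseal(key, rep)["session"])

def ticket_for(kdc: KDC, user: str, tgt: bytes, session: bytes, service: str):
    # TGS exchange reusing the TGT, so no password is re-entered: this is the single sign-on.
    ticket, rep = kdc.tgs_exchange(tgt, seal(session, {"user": user, "ts": time.time()}), service)
    return ticket, seal(bytes.fromhex(unseal(session, rep)["session"]), {"user": user, "ts": time.time()})

class FileServer:
    def __init__(self, password: str, acls: dict):
        self.key, self.acls, self.audit = derive_key(password), acls, []
    def open_document(self, doc: str, ticket: bytes, authenticator: bytes) -> bool:
        t = unseal(self.key, ticket)  # checked with the server's own key; no call to the DC
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["user"] != t["user"] or time.time() > t["exp"]:
            raise PermissionError("bad ticket or authenticator")
        granted = check_acl(self.acls[doc], t["sids"], {"read"})
        self.audit.append((t["user"], doc, "granted" if granted else "denied"))
        return granted

def rejected(action) -> bool:  # True when the action is refused, which is what each check must do
    try:
        action()
    except PermissionError:
        return True
    return False

def demo() -> dict:
    # Constructed sample domain: names, SIDs and passwords are made up for this example.
    finance, bob_sid = "S-1-5-21-7-1105", "S-1-5-21-7-1202"
    kdc = KDC({"krbtgt": ("krbtgt-secret", []), "alice": ("Pa55w.rd", ["S-1-5-21-7-1201", finance]),
               "bob": ("Summer2011", [bob_sid]), "fs01$": ("m4ch1ne", [])})
    fs01 = FileServer("m4ch1ne", {"budget.xlsx": [("deny", bob_sid, {"read", "write"}),
                                                  ("allow", finance, {"read", "write"})]})
    alice, bob = logon(kdc, "alice", "Pa55w.rd"), logon(kdc, "bob", "Summer2011")
    forged = seal(derive_key("attacker-guess"), {"user": "alice", "sids": [finance],
                                                 "session": "00" * 32, "exp": time.time() + 36000})
    return {"alice_read": fs01.open_document("budget.xlsx", *ticket_for(kdc, "alice", *alice, "fs01$")),
            "bob_read": fs01.open_document("budget.xlsx", *ticket_for(kdc, "bob", *bob, "fs01$")),
            "wrong_password": rejected(lambda: logon(kdc, "alice", "wrong-password")),
            "forged_ticket": rejected(lambda: fs01.open_document("budget.xlsx", forged, b"")),
            "audit": fs01.audit}
```

Calling demo() runs the whole scenario: alice (a member of the constructed Finance group) reads the document, bob is refused by an explicit Deny ACE even though the Allow ACE that follows would otherwise match him, the wrong password never gets past pre-authentication, and the forged ticket fails the server's integrity check. The ACE ordering in check_acl is the reason Windows writes explicit Deny entries before Allow entries: with the order reversed, an Allow that satisfies every requested right wins before the Deny is reached.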
Active Directory IDA Services
Key Points
Active Directory Domain Services (AD DS) is the most prominent component of an IDA infrastructure, but it is not the only component of IDA that is supported by Windows Server 2008 R2. With the release of Windows Server 2008, Microsoft consolidated a number of previously separate components into an integrated IDA platform. These services include Active Directory Lightweight Directory Services (AD LDS), Active Directory Certificate Services (AD CS), Active Directory Rights Management Services (AD RMS), and Active Directory Federation Services (AD FS). Each of these services plays a role in extending IDA to support more complex configurations and scenarios.
AD LDS
AD LDS is essentially a stand-alone version of Active Directory that applications access by using the Lightweight Directory Access Protocol (LDAP). AD LDS is the replacement for Active Directory Application Mode (ADAM). The previous name indicates its purpose: AD LDS is designed to support directory-enabled applications. It can be used for applications that require a directory store but do not require the type of infrastructure provided by an Active Directory domain.
Each instance of AD LDS can have its own schema, configuration, and application partitions. This allows you to create a highly customized directory store without affecting your production IDA infrastructure, which is based on AD DS. Although AD LDS is not dependent on AD DS, in a domain environment an AD LDS instance can rely on AD DS to authenticate Windows security principals such as users, computers, and groups.
AD LDS can be configured in a domain or non-domain environment, and it is even possible to run multiple instances on a single system, each listening on its own unique LDAP and LDAPS (SSL/TLS) ports so that clients can connect securely to each instance.
AD CS
AD CS extends the concept of trust so that a user, computer, organization, or service can prove its identity inside or outside the boundary of your Active Directory forest.
Certificates are issued by a certification authority (CA). When a user, computer, or service uses a certificate to prove its identity, the relying party in the transaction must trust the issuing CA, either directly or through a chain that ends at a trusted root CA. A list of trusted root CAs, which includes commercial CAs such as VeriSign and Thawte, is maintained by Windows and updated as part of Windows Update.
The certificates can be used for numerous purposes in an enterprise network, including the creation of secure channels such as the SSL example mentioned in the AD LDS section. Additionally, the certificates can be used for virtual private networks (VPNs), wireless security, and authentication, such as smart card logon.
AD CS provides technologies and tools that help create and manage a public key infrastructure (PKI). Although AD CS can be run on a stand-alone server, it is much more common and much more powerful to run AD CS integrated with AD DS, which can act as a certificate store and provide a framework to manage the lifetime of certificates—how they are obtained, renewed, and revoked.
AD RMS
AD RMS creates a framework with which you can protect information and control how it is used, both within and outside your organization.
In a traditional model of information protection, ACLs are used to define how information can be accessed. For example, a user may be given the Read permission to a document. However, there is nothing to prevent that user from performing any number of actions after that document is opened. The user can make changes to the document and save it in any location, print the document, or forward the document by email to a user who otherwise does not have Read permission to the document.
AD RMS addresses these and other such scenarios by enforcing information use policies. AD RMS accomplishes this by using licenses and encryption to protect information and by having rights management–enabled applications that can consume the licenses, create usage policies, open protected content, and enforce usage policies.
AD FS
AD FS allows an organization to extend the authority of its directory service for authenticating users across multiple organizations, platforms, and network environments. A traditional Windows domain trust relationship creates a trust in which the trusting domain allows the trusted domain to authenticate users, but the result is that all users in the trusted domain are trusted. Moreover, to maintain such a trust, several firewall exceptions must be made that many organizations find unacceptable and that are certainly not suitable for supporting Web-facing applications. To overcome this problem, AD FS maintains federation trusts over common Web ports such as 80 and 443, exchanging signed security tokens (claims) about a user rather than exposing domain authentication traffic to the partner.
AD FS is extremely useful for extending a directory's authority in business-to-business and partnership scenarios, as well as for supporting single sign-on web applications.