Security Identifiers and Access Control Entries

Each time that a computer or user account is created in a domain or on a local
computer, it is assigned a unique security identifier (SID). In networks running
Windows XP Professional and Windows 2000, operating system internal
processes refer to an account's SID rather than to the account's user or group
name.

Each directory object, or resource, is protected by access control entries
(ACEs) that identify which users or groups can gain access to that object. An
ACE is created for an object by granting permissions to a shared resource. Each
ACE contains the SID of each user or group who has permission to gain access
to that object and defines what level of access is allowed. For example, a user
might have read-only access to one set of files, Read and Write access to
another set of files, and no access to still another set of files.

When a user who has a valid user name and password logs on locally, the user
account's credentials are checked against the local SAM, and the account is
authenticated and receives an access token. When a user on the same computer
logs on to a domain, the user's credentials are authenticated through Active
Directory. When the user then attempts to gain access to any resource, the user
account's SID is used to verify permissions.

A computer account's SID is verified when the computer attempts to establish a
connection with a domain resource.

A user could possibly have a local user account and a domain user account that
have the same user names and passwords. However, because a SID is created
for each account, the SIDs for the two accounts would be different.

Users who log on to the local computer may still gain access to domain
resources, but each time they try to gain access to a domain resource, they will
be prompted for a valid domain user name and password. Entering this
information does not enable users to log on to the domain, but instead
establishes a session with the server on which the resource resides. Users will
then be able to gain access to resources on that particular server, but must
reenter their user names and passwords if they try to gain access to resources on
another server.
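
The SID-based permission check and the same-name local and domain accounts described above, as an added example that is not part of the original notes: a simplified Python model (not Windows code) of ACEs being matched against the SIDs in an access token. The SIDs, access bits, file-set names, and the helpers `issuer` and `access_check` are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access bits for this model, not Windows mask values

@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str    # the account or group this entry applies to
    mask: int   # access bits the entry allows or denies

@dataclass(frozen=True)
class Token:
    name: str        # display name; the check below never looks at it
    sids: frozenset  # user SID plus the SIDs of the user's groups

def issuer(sid: str) -> str:
    """Return the SID without its final RID: the machine or domain that issued it."""
    return sid.rsplit("-", 1)[0]

def access_check(token: Token, acl: list, desired: int) -> bool:
    """Walk the ACEs in order, matching on SID only; grant when every desired bit is allowed."""
    remaining = desired
    for ace in acl:
        if ace.sid not in token.sids:
            continue                      # entry names someone else
        if ace.kind == "deny" and ace.mask & remaining:
            return False                  # explicit deny on a bit still needed
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if not remaining:
                return True
    return False                          # nothing granted the rest: no access

# Constructed SIDs: same user name "alice", one local account, one domain account.
LOCAL_ALICE = "S-1-5-21-1000000001-1000000002-1000000003-1001"
DOMAIN_ALICE = "S-1-5-21-2000000001-2000000002-2000000003-1105"
DOMAIN_USERS = "S-1-5-21-2000000001-2000000002-2000000003-513"  # RID 513: Domain Users

local_token = Token("alice", frozenset({LOCAL_ALICE}))
domain_token = Token("alice", frozenset({DOMAIN_ALICE, DOMAIN_USERS}))

# Constructed ACLs for the three sets of files in the text's example.
REPORTS = [Ace("allow", DOMAIN_USERS, READ)]            # read-only
DRAFTS = [Ace("allow", DOMAIN_ALICE, READ | WRITE)]     # Read and Write
PAYROLL = [Ace("deny", DOMAIN_ALICE, READ | WRITE),
           Ace("allow", DOMAIN_USERS, READ)]            # no access
```

Both tokens carry the name "alice", yet only the domain token matches any ACE, because the entries are keyed on SIDs issued by the domain and the local account's SID comes from a different issuer.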