ADS Active Directory Service (Farsi User Guide)
Resource: Windows 2000 Server Resource Kit, Distributed Systems Guide

> Part2 > ADS > Part 1 > Active Directory Data Storage > ADS Architecture > Security Subsystem

Security Subsystem Architecture

To secure itself, Windows 2000 implements a security model called the Windows Security Model.

This model, or component, ensures that no program is accessible to a user who has not been authenticated.

This component runs as the Lsass.exe process, which hosts the following:

  • Local Security Authority (LSA)
  • Net Logon service
  • Security Accounts Manager service
  • LSA Server service
  • Secure Sockets Layer
  • Kerberos v5 authentication protocol and NTLM authentication protocol

The Security Subsystem maintains the security services listed above together with the security policies, and enforces those policies on the accounts that exist on the system.

The same applies at the domain level: every domain in a forest follows this rule and procedure.

This information is stored in ADS.

Local Security Authority (LSA)

This component protects the subsystem and maintains the complete security information of the system, that is, the local security information of each individual computer.

Here this means the Local Security Policy.

In essence, the LSA service has the following responsibilities:

  • Manages local security policy.
  • Provides interactive user authentication services.
  • Generates tokens, which contain user and group information as well as information about the security privileges for that user. After the initial logon process is complete, all users are identified by their security identifier (SID) and the associated access tokens.
  • Manages the Audit policy and settings. When an audit alert is generated by the Security Reference Monitor, the LSA is charged with writing that alert to the appropriate system log.

Local Security Policy

This important component defines the following:

  • The domains that are trusted to authenticate logon attempts.
  • Who can have access to the system and in what way (for example, interactively, over the network, or as a service).
  • Who is assigned privileges.
  • What security auditing is to be performed.
  • Default memory quotas (paged and nonpaged memory pool usage).
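The logon-rights and auditing items above are exactly the settings a defender reviews when checking a host's local security policy. The following PowerShell script is an added example, not part of the Resource Kit text: it exports the local policy with secedit, parses the [Privilege Rights] section for the interactive, network and service logon rights (and their Deny counterparts), resolves the SIDs to account names, and prints the legacy [Event Audit] categories. It assumes an elevated session and that secedit.exe writes its usual Unicode INF format; the Right and Meaning labels are the script's own.

```powershell
# Added example (not from the Resource Kit guide): review the logon rights and
# audit settings of the local security policy. Requires an elevated session.

$inf = Join-Path $env:TEMP 'local-policy.inf'
# USER_RIGHTS gives [Privilege Rights]; SECURITYPOLICY gives [Event Audit] among others.
secedit.exe /export /cfg $inf /areas USER_RIGHTS SECURITYPOLICY /quiet | Out-Null

# Minimal INF parser: section name -> hashtable of key = value pairs.
$sections = @{}
$current  = $null
foreach ($line in Get-Content -Path $inf) {
    if ($line -match '^\s*\[(.+?)\]\s*$') { $current = $Matches[1]; $sections[$current] = @{}; continue }
    if ($current -and $line -match '^\s*([^=]+?)\s*=\s*(.*?)\s*$') { $sections[$current][$Matches[1]] = $Matches[2] }
}

function Resolve-PolicyPrincipal {
    # secedit writes SIDs with a leading '*'; anything else is already a name.
    param([string]$Entry)
    if (-not $Entry.StartsWith('*')) { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($Entry.Substring(1))
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return $Entry   # unresolvable SID (for example a deleted account): keep the raw value
    }
}

# The rights that answer "who can access the system and in what way".
$logonRights = [ordered]@{
    'SeInteractiveLogonRight'     = 'Log on locally (interactive)'
    'SeNetworkLogonRight'         = 'Access this computer from the network'
    'SeServiceLogonRight'         = 'Log on as a service'
    'SeDenyInteractiveLogonRight' = 'Deny log on locally'
    'SeDenyNetworkLogonRight'     = 'Deny access from the network'
    'SeDenyServiceLogonRight'     = 'Deny log on as a service'
}

$rights = $sections['Privilege Rights']
foreach ($name in $logonRights.Keys) {
    # A right absent from the INF is held by nobody.
    $holders = @()
    if ($rights -and $rights.ContainsKey($name)) {
        $holders = ($rights[$name] -split ',' | Where-Object { $_ -ne '' } |
                    ForEach-Object { Resolve-PolicyPrincipal $_.Trim() })
    }
    [PSCustomObject]@{ Right = $name; Meaning = $logonRights[$name]; Principals = ($holders -join '; ') }
}

# Legacy audit categories: 0 = none, 1 = success, 2 = failure, 3 = both.
$auditMeaning = @{ '0' = 'No auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success and Failure' }
$audit = $sections['Event Audit']
if ($audit) {
    foreach ($key in ($audit.Keys | Sort-Object)) {
        [PSCustomObject]@{ Category = $key; Setting = $auditMeaning[$audit[$key]] }
    }
}

Remove-Item -Path $inf -ErrorAction SilentlyContinue
```

On Windows Vista and later the effective audit configuration is the advanced (subcategory) policy, so the [Event Audit] values above may not reflect what is actually audited; `auditpol /get /category:*` shows the effective settings there. The logon-rights part applies unchanged.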

Figure 2.2 below shows the functional components of the LSA security subsystem (Lsass.exe).

The Security Subsystem operates in both kernel mode and user mode to secure access to every object in ADS.

Figure 2.2 Active Directory Within the Local Security Authority (Lsass.exe)

The LSA has the following components:

Netlogon.dll. The Net Logon service. Net Logon maintains the computer's secure channel to a domain controller. It passes the user's credentials through a secure channel to the domain controller and returns the domain security identifiers and user rights for the user. In Windows 2000, the Net Logon service uses DNS to resolve names to the Internet Protocol (IP) addresses of domain controllers. Net Logon is the replication protocol for Microsoft® Windows NT® version 4.0 primary domain controllers and backup domain controllers.

Msv1_0.dll. The NTLM authentication protocol. This protocol authenticates clients that do not use Kerberos authentication.

Schannel.dll. The Secure Sockets Layer (SSL) authentication protocol. This protocol provides authentication over an encrypted channel instead of a less-secure clear channel.

Kerberos.dll. The Kerberos v5 authentication protocol.

Kdcsvc.dll. The Kerberos Key Distribution Center (KDC) service, which is responsible for granting ticket-granting tickets to clients.

Lsasrv.dll. The LSA server service, which enforces security policies.

Samsrv.dll. The Security Accounts Manager (SAM), which stores local security accounts, enforces locally stored policies, and supports APIs.

Ntdsa.dll. The directory service module, which supports the Windows 2000 replication protocol and Lightweight Directory Access Protocol (LDAP), and manages partitions of data.

Secur32.dll. The multiple authentication provider that holds all of the components together.
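Because every component above is a DLL loaded into Lsass.exe, a defender can check a running system against this list. The following PowerShell script is an added example, not part of the Resource Kit text: it enumerates the modules loaded in the lsass process, marks which ones are the documented LSA components, checks their location and Authenticode status, and reads the authentication and security package lists LSA is configured to load from the registry. It assumes an elevated 64-bit PowerShell session; where LSASS runs as a protected process, module enumeration may be denied. Kdcsvc.dll and Ntdsa.dll are only expected on a domain controller, and the report fields and function names are the script's own.

```powershell
# Added example (not from the Resource Kit guide): compare what is loaded into
# Lsass.exe with the documented LSA components. Requires an elevated session.

# The nine components named in the text, compared case-insensitively.
$documented = @('netlogon.dll', 'msv1_0.dll', 'schannel.dll', 'kerberos.dll',
                'kdcsvc.dll', 'lsasrv.dll', 'samsrv.dll', 'ntdsa.dll', 'secur32.dll')

function Get-LsassModuleReport {
    $lsass = Get-Process -Name lsass -ErrorAction Stop
    foreach ($m in $lsass.Modules) {
        $path = $m.FileName
        $name = [System.IO.Path]::GetFileName($path).ToLowerInvariant()
        $sig  = Get-AuthenticodeSignature -FilePath $path
        [PSCustomObject]@{
            Module        = $name
            DocumentedLsa = ($documented -contains $name)
            InSystem32    = ($path -like (Join-Path $env:SystemRoot 'System32\*'))
            Signature     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Path          = $path
        }
    }
}

function Get-LsaPackageConfig {
    # Both values are REG_MULTI_SZ lists of package DLL base names.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # Later Windows versions keep the effective list under the OSConfig subkey.
    $os  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        AuthenticationPackages   = @($lsa.'Authentication Packages')
        SecurityPackages         = @($lsa.'Security Packages')
        OSConfigSecurityPackages = if ($os) { @($os.'Security Packages') } else { @() }
    }
}

$report = Get-LsassModuleReport

# Which of the documented components are present on this host.
$report | Where-Object { $_.DocumentedLsa } |
    Format-Table Module, InSystem32, Signature -AutoSize

# Modules that deserve a closer look: outside System32 or without a valid signature.
$report | Where-Object { -not $_.InSystem32 -or $_.Signature -ne 'Valid' } |
    Format-Table Module, Path, Signature, Signer -AutoSize

# Packages LSA is configured to load at startup.
Get-LsaPackageConfig | Format-List
```

Most Windows system DLLs are catalog-signed rather than carrying an embedded signature; recent PowerShell versions verify them against the catalog, while older versions may report them as NotSigned, so treat that column as a pointer for review rather than a verdict. Anything loaded into lsass that is neither a documented component nor a Microsoft-signed file from System32, or any package name in the registry lists that you did not configure, is worth investigating.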
