

Let me preface what will probably be a longish answer with "There is no simple solution". Solving this will take some strategic work (which is why I recommended not moving this to SF).

Windows, at its core, is mostly based on the DAC model of access control. Everything in the OS is securable with an ACL - files, folders, registry, named pipes, sockets, shares, etc etc. Using AD groups allows you to abstract that into an RBAC-type model, but internally it's still a DAC model.

(Though it is possible to specify a specific user to grant these privileges to, it is intended - and functions as - a RBAC model). However, this is usually an internal OS protection mechanism, and is usually not leveraged for real access control (other than the built-in UAC).

But wait, that's just in the OS itself. Windows, as a platform, allows and encourages applications (3rd party, MS products, and OS addons) to use AD group membership as an RBAC mechanism: 3rd party applications can verify group membership via a simple AD/LDAP lookup - these apps might be storing the group name and resolving on that, or saving the group's SID and querying directly for that.
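The two application lookup styles the answer contrasts (resolving a stored group name vs. querying for a stored SID), as an added example that is not part of the original answer: it packs a textual SID into AD's binary `objectSid` form, builds the escaped LDAP filter an app would send, and shows which lookup still finds the group after its name changes. The directory is a constructed in-memory stand-in for a real LDAP search; all names and SID values are made up.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Pack a textual SID (S-1-5-21-...-RID) into AD's binary objectSid layout:
    revision byte, sub-authority count, 48-bit big-endian identifier authority,
    then each 32-bit sub-authority little-endian."""
    parts = sid.split("-")
    assert parts[0] == "S", "not a SID"
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def ldap_sid_filter(sid: str) -> str:
    """LDAP search filter on objectSid; binary filter values are escaped as \\XX."""
    return "(objectSid=" + "".join(f"\\{b:02x}" for b in sid_to_bytes(sid)) + ")"

# Constructed directory: one group with its member list, holding both the
# attributes an application might have stored (name or SID) to find it later.
DIRECTORY = [{
    "sAMAccountName": "App-Admins",
    "objectSid": sid_to_bytes("S-1-5-21-1111-2222-3333-1105"),
    "member": ["CN=alice,OU=Staff,DC=example,DC=test"],
}]

def lookup_by_name(name: str):
    """The 'stored the group name' style: resolve the group by sAMAccountName."""
    return next((g for g in DIRECTORY if g["sAMAccountName"] == name), None)

def lookup_by_sid(sid: str):
    """The 'stored the SID' style: query directly on the binary objectSid."""
    raw = sid_to_bytes(sid)
    return next((g for g in DIRECTORY if g["objectSid"] == raw), None)

def is_member(group, user_dn: str) -> bool:
    """Membership check; a group that could not be resolved grants nothing."""
    return group is not None and user_dn in group["member"]

def rename_group(old_name: str, new_name: str) -> None:
    """Simulate an admin renaming the group: the SID is immutable, the name is not."""
    lookup_by_name(old_name)["sAMAccountName"] = new_name
```

After `rename_group("App-Admins", "Platform-Admins")`, `lookup_by_name("App-Admins")` returns `None` and the name-based check silently denies access, while `lookup_by_sid` still resolves the same group.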
