PKI Blog

Reference Attributes, Group Membership and Shifting Authoritative Sources

Posted by Sami Van Vliet on May 14, 2012 4:43:32 AM

A recent requirement for a project was to have users and groups provisioned from Domain B to Domain A. Simple enough, but there was a catch: as applications were migrated to Domain A, their groups would be "owned" by Domain A, which would then become the authoritative source for all group attributes. In this case, the authoritative source is determined by the OU the group is in within Domain B; the name of this OU is stored in the rules extension configuration file.

A custom rules extension is used to determine which management agent is authoritative, and to be sure the user objects being added to the member attribute are from the appropriate domain.


Topics: IT Security, Microsoft Security Partner, FIM, Reference Attributes, Group Membership, Forefront Identity Manager (FIM), Identity Management, Microsoft Forefront Identity Manager, Microsoft FIM, Blog

Determining Access in a Microsoft Network

Posted by CSS Technical Team on Apr 28, 2011 10:26:09 AM

Determining a comprehensive view of access rights in a Microsoft network can be a difficult task – as anyone who has undergone a recent audit can attest. Collecting and organizing security data into detailed reports can take significant time and effort. There are multiple reasons why gathering the data is difficult and time consuming, but the common factor is that security information is dispersed across multiple security stores.

In a Windows environment, security store information is dispersed in the following ways:

  • Security principals (users and groups) are dispersed across Active Directory and member server security databases (SAM)
  • Groups can be deeply nested (e.g. group A is in group B is in group C is in ....)
  • Group membership can span security databases (e.g. domain\domain admins is in server\Administrators)
  • A Windows domain can trust other Windows domains and external Kerberos realms
  • Access Control Lists (ACLs) exist on each object being secured

Topics: Microsoft Active Directory AD, Microsoft Security Partner, Security Audit, Auditors, Audit tool, Group Membership, Windows security, Distributed Authorization Reporting Tool, Group Nesting, Regulatory Compliance, Audit, Blog, DART, ACE, ACL, Security Tool
