
DFSR Security Model

The Distributed File System Replication (DFSR) service provides two types of security:

  • Active Directory security
  • WMI security

During startup and each polling cycle, DFSR downloads its configuration from Active Directory, creates the corresponding registry keys if they do not already exist, and maintains the access-control lists (ACLs) on those keys. The security and delegation model is therefore managed through Active Directory security, cached locally in the registry, and enforced by the WMI interfaces.

Active Directory Security

Every object and every attribute in the Active Directory can have an associated security descriptor. DFSR simplifies security delegation by taking advantage of the Active Directory security model as well as ACL inheritance. Each class of DFSR objects in the Active Directory is grouped under a container object.

The default Active Directory object allows the following access.

User                                     Access
Authenticated users                      ADS_RIGHT_DS_READ_PROP
                                         ADS_RIGHT_ACTRL_DS_LIST
                                         ADS_RIGHT_DS_LIST_OBJECT
                                         ADS_RIGHT_READ_CONTROL
Domain administrators,                   ADS_RIGHT_DS_READ_PROP
Creator/owner,                           ADS_RIGHT_DS_WRITE_PROP
LocalSystem account                      ADS_RIGHT_DS_CONTROL_ACCESS
                                         ADS_RIGHT_ACTRL_DS_LIST
                                         ADS_RIGHT_DS_LIST_OBJECT
                                         ADS_RIGHT_DS_CREATE_CHILD
                                         ADS_RIGHT_DS_DELETE_CHILD
                                         ADS_RIGHT_DS_READ_CONTROL
                                         ADS_RIGHT_DS_WRITE_DAC
                                         ADS_RIGHT_DS_WRITE_OWNER
                                         ADS_RIGHT_DS_DELETE_TREE
                                         ADS_RIGHT_DS_SELF


WMI Security

The WMI interface provides security through the registry. Any operation on a replication group or on one of its replicated folders is verified with an access check on the corresponding registry key.

The following table summarizes the categories of operations provided by the DFSR WMI classes and the permission that must be granted on the corresponding registry key for each of them.

Operation                    Permissions
Read configuration data      READ
Write configuration data     WRITE
Read monitoring data         SPECIAL
Write monitoring data        WRITE


The following table summarizes the relationship between each DFSR permission, the registry key access mask it maps to, and the corresponding Active Directory access right.

DFSR access    Key access    Active Directory access
READ           KEY_READ      ADS_RIGHT_DS_READ_PROP
WRITE          KEY_WRITE     ADS_RIGHT_DS_WRITE_PROP
SPECIAL        KEY_NOTIFY    ADS_RIGHT_DS_CONTROL_ACCESS
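The two tables above describe a mapping rather than an implementation: a DFSR WMI call in a given operation category is allowed only if the caller holds, on the replication group's or replicated folder's registry key, the access mask that the category's DFSR permission maps to. The following Python model is an added example (not Microsoft's code and not what the DFSR service executes) of that check run over a constructed DACL. It uses the access-mask values from winreg.h, constructed placeholder SIDs, and a simplified form of the Windows DACL evaluation order: ACEs are walked in order, a deny ACE blocks the request only if it overlaps bits not yet granted, allow ACEs accumulate bits, and an empty DACL grants nothing. It does not read the real registry.

```python
"""Model of the DFSR WMI access check: operation category -> DFSR permission
-> registry key access mask -> DACL evaluation.  Added example, not DFSR code."""
from dataclasses import dataclass
from typing import Iterable, Sequence

# Registry access masks (values from winreg.h).
KEY_QUERY_VALUE        = 0x0001
KEY_SET_VALUE          = 0x0002
KEY_CREATE_SUB_KEY     = 0x0004
KEY_ENUMERATE_SUB_KEYS = 0x0008
KEY_NOTIFY             = 0x0010
READ_CONTROL           = 0x00020000
KEY_READ       = READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS | KEY_NOTIFY  # 0x20019
KEY_WRITE      = READ_CONTROL | KEY_SET_VALUE | KEY_CREATE_SUB_KEY                     # 0x20006
KEY_ALL_ACCESS = 0x000F003F

# DFSR permission -> registry key access mask (second table on this page).
DFSR_TO_KEY_MASK = {"READ": KEY_READ, "WRITE": KEY_WRITE, "SPECIAL": KEY_NOTIFY}

# DFSR WMI operation category -> required DFSR permission (first table on this page).
OPERATION_PERMISSION = {
    "read configuration data":  "READ",
    "write configuration data": "WRITE",
    "read monitoring data":     "SPECIAL",
    "write monitoring data":    "WRITE",
}


@dataclass(frozen=True)
class Ace:
    """One entry of a registry key DACL."""
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    sid: str      # principal the ACE applies to
    mask: int     # access bits the ACE allows or denies


def access_check(dacl: Sequence[Ace], token_sids: Iterable[str], desired: int) -> bool:
    """Simplified Windows DACL evaluation for a desired access mask.

    ACEs are evaluated in order.  A deny ACE for one of the caller's SIDs that
    overlaps any still-ungranted desired bit denies the request; allow ACEs
    accumulate granted bits; evaluation stops as soon as every desired bit is
    granted.  An empty DACL (no ACEs) grants nothing, as on Windows."""
    sids = set(token_sids)
    granted = 0
    for ace in dacl:
        if ace.sid not in sids:
            continue
        remaining = desired & ~granted
        if not ace.allow:
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def dfsr_operation_allowed(operation: str, dacl: Sequence[Ace], token_sids: Iterable[str]) -> bool:
    """Resolve an operation category to its DFSR permission, then to the key
    access mask, and run the access check on the key's DACL."""
    perm = OPERATION_PERMISSION[operation.lower()]
    return access_check(dacl, token_sids, DFSR_TO_KEY_MASK[perm])


# Constructed sample DACL for one replication group's registry key.  The SIDs
# are placeholders, not real domain SIDs.  The deny ACE is deliberately placed
# first, which is where Windows orders explicit deny ACEs.
SID_CONTRACTORS = "S-1-5-21-EXAMPLE-2001"
SID_OPERATORS   = "S-1-5-21-EXAMPLE-1105"
SID_MONITORING  = "S-1-5-21-EXAMPLE-1200"
SID_DOMAIN_ADMINS = "S-1-5-21-EXAMPLE-512"

SAMPLE_DACL = (
    Ace(False, SID_CONTRACTORS, KEY_SET_VALUE),   # contractors may never set values
    Ace(True,  SID_CONTRACTORS, KEY_ALL_ACCESS),  # ... even though a later ACE is broad
    Ace(True,  SID_OPERATORS,   KEY_READ),        # operators: DFSR READ only
    Ace(True,  SID_MONITORING,  KEY_NOTIFY),      # monitoring: DFSR SPECIAL only
    Ace(True,  SID_DOMAIN_ADMINS, KEY_ALL_ACCESS),
)


if __name__ == "__main__":
    for sid, op in [(SID_OPERATORS, "write configuration data"),
                    (SID_MONITORING, "read monitoring data"),
                    (SID_MONITORING, "read configuration data"),
                    (SID_CONTRACTORS, "write configuration data")]:
        verdict = dfsr_operation_allowed(op, SAMPLE_DACL, {sid})
        print(f"{sid:26} {op:26} -> {'allowed' if verdict else 'denied'}")
```

The monitoring case is the one worth noting when delegating: KEY_NOTIFY on its own satisfies DFSR SPECIAL but not DFSR READ, because KEY_READ also requires READ_CONTROL, KEY_QUERY_VALUE and KEY_ENUMERATE_SUB_KEYS. Conversely, a principal granted KEY_READ can read monitoring data as well, since KEY_NOTIFY is part of KEY_READ. The contractor case shows why a deny ACE on KEY_SET_VALUE alone is enough to block every WRITE-category operation.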

© 2014 Microsoft. All rights reserved.