DFSR Security Model
The Distributed File System Replication (DFSR) service provides two types of security:
- Active Directory security
- WMI security
During startup and at each polling cycle, DFSR downloads its configuration from Active Directory, creates the corresponding registry keys (if they do not already exist), and maintains the access-control lists (ACLs) on those keys. The security and delegation model is therefore managed through Active Directory security and cached locally in the registry, where it is enforced by the WMI interfaces.
Active Directory Security
Every object and every attribute in the Active Directory can have an associated security descriptor. DFSR simplifies security delegation by taking advantage of the Active Directory security model as well as ACL inheritance. Each class of DFSR objects in the Active Directory is grouped under a container object.
The default Active Directory object allows the following access.
| User | Access |
|---|---|
| Authenticated users | |
| Domain administrators, Creator/owner, LocalSystem account | |
WMI Security
The WMI interface provides security through the registry interface. Any operation on a replication group or one of its replicated folders is verified with an access check on the corresponding registry key.
The following table summarizes the categories of operations provided by the DFSR WMI classes and the required permissions that must be granted to the registry key.
| Operation | Permissions |
|---|---|
| Read configuration data | READ |
| Write configuration data | WRITE |
| Read monitoring data | SPECIAL |
| Write monitoring data | WRITE |
The following table summarizes how each DFSR permission maps to the corresponding registry key access mask and to the Active Directory access right on the DFSR object.
| DFSR access | Key access | Active directory access |
|---|---|---|
| READ | KEY_READ | ADS_RIGHT_DS_READ_PROP |
| WRITE | KEY_WRITE | ADS_RIGHT_DS_WRITE_PROP |
| SPECIAL | KEY_NOTIFY | ADS_RIGHT_DS_CONTROL_ACCESS |
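The two tables above describe one access check applied at two places: the registry key that DFSR caches locally (checked by the WMI interface) and the Active Directory object it was generated from. The following PowerShell script is an added example, not code from the Microsoft page or from DFSR itself; it reports which principals hold each DFSR access level on both sides using the mapping in the table. The registry key path and the AD distinguished name are placeholders to be replaced with the key and object of the replication group or replicated folder under review, and the `Get-AccessReport` function name is this example's own.

```powershell
# Added example (not from the Microsoft page or DFSR): audit which principals hold
# the READ / WRITE / SPECIAL access levels on a DFSR registry key and on the
# Active Directory object it is cached from. Both paths below are placeholders.
Import-Module ActiveDirectory   # supplies the AD: drive that Get-Acl reads below

$RegistryKey = 'HKLM:\PLACEHOLDER\DFSR\ReplicationGroup'        # placeholder key path
$AdObject    = 'AD:\CN=PLACEHOLDER,DC=example,DC=com'          # placeholder DN

# DFSR access -> registry access mask, as in the table (.NET RegistryRights names).
$RegistryMask = @{
    READ    = [System.Security.AccessControl.RegistryRights]::ReadKey    # KEY_READ
    WRITE   = [System.Security.AccessControl.RegistryRights]::WriteKey   # KEY_WRITE
    SPECIAL = [System.Security.AccessControl.RegistryRights]::Notify     # KEY_NOTIFY
}

# DFSR access -> Active Directory right, as in the table (.NET ActiveDirectoryRights names).
$AdRight = @{
    READ    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty   # ADS_RIGHT_DS_READ_PROP
    WRITE   = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty  # ADS_RIGHT_DS_WRITE_PROP
    SPECIAL = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight  # ADS_RIGHT_DS_CONTROL_ACCESS
}

function Get-AccessReport {
    # Lists every ACE on $Path whose rights contain all bits required for a DFSR access level.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Mask,          # DFSR access name -> required rights
        [Parameter(Mandatory)][string]$RightsProperty    # 'RegistryRights' or 'ActiveDirectoryRights'
    )
    $acl = Get-Acl -Path $Path
    foreach ($level in 'READ', 'WRITE', 'SPECIAL') {
        $required = $Mask[$level]
        foreach ($ace in $acl.Access) {
            $granted = $ace.$RightsProperty
            # An ACE is relevant when it carries every bit of the required mask;
            # FullControl / GenericAll therefore appears under all three levels.
            if (($granted -band $required) -eq $required) {
                [pscustomobject]@{
                    Path       = $Path
                    DfsrAccess = $level
                    Type       = $ace.AccessControlType    # Allow or Deny
                    Principal  = $ace.IdentityReference.Value
                    Inherited  = $ace.IsInherited
                }
            }
        }
    }
}

$report = @()
$report += Get-AccessReport -Path $RegistryKey -Mask $RegistryMask -RightsProperty 'RegistryRights'
$report += Get-AccessReport -Path $AdObject    -Mask $AdRight      -RightsProperty 'ActiveDirectoryRights'

# WRITE is the level that permits changing replication configuration, so review
# those grants first. A principal that appears on one side but not the other means
# the local cache and the directory have diverged since the last polling cycle.
$report | Sort-Object DfsrAccess, Type, Principal | Format-Table -AutoSize
```

Run the script from an elevated session on the DFSR member with the RSAT Active Directory module installed. Two limitations to keep in mind when reading the output: the report compares rights masks only and ignores the ObjectType of object-specific AD ACEs, so a WriteProperty grant scoped to a single attribute is still listed as WRITE; and it lists Allow and Deny entries side by side rather than evaluating ACE order, so a principal shown under both needs the DACL inspected directly to know the effective result.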
Build date: 10/26/2012