5.1 Security Considerations for Implementers

Active Directory requires authentication to access the directory via LDAP. This authentication is performed via SASL, using the GSS-SPNEGO protocol as described in [MS-ADTS] section 5.1.1.

Active Directory performs authorization on each access to each object in the directory, as described in [MS-ADTS] section 5.1.3. The discretionary access control list (DACL), if any, found in the nTSecurityDescriptor attribute ([MS-ADA3] section 2.37) of the object is used in this process. This algorithm specifies the contents of that DACL only for the mSMQConfiguration ([MS-ADSC] section 2.163), mSMQQueue ([MS-ADSC] section 2.166), site ([MS-ADSC] section 2.258), and mSMQEnterpriseSettings ([MS-ADSC] section 2.164) objects; for all of the other Active Directory objects listed in section 2.2.1, the default security descriptors supplied by Active Directory are used.

The following sections describe, for each combination of object and operation, the requested access mask that is compared to the granted rights in the DACL evaluation process used by Active Directory and described in [MS-ADTS] section 5.1.3.3.2. If the required access is not granted, Active Directory returns a failure.
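The comparison of a requested access mask against the ACEs of a DACL can be illustrated with a simplified access check. This is an added example, not part of this specification and not Active Directory's implementation; the SIDs, ACE order and token memberships are constructed, and object-specific (per-attribute) ACEs, inheritance and MAXIMUM_ALLOWED, which the real [MS-ADTS] evaluation handles, are omitted.

```python
from dataclasses import dataclass

# Access-mask bits as defined in the Windows SDK (directory-service rights
# plus the standard rights used in the later sections of this document).
DS_CREATE_CHILD = 0x0001
DS_DELETE_CHILD = 0x0002
DS_READ_PROP    = 0x0010
DS_WRITE_PROP   = 0x0020
DS_CONTROL_ACCESS = 0x0100
DELETE       = 0x00010000
READ_CONTROL = 0x00020000
WRITE_DAC    = 0x00040000

@dataclass(frozen=True)
class Ace:
    ace_type: str   # "ALLOW" (ACCESS_ALLOWED_ACE) or "DENY" (ACCESS_DENIED_ACE)
    sid: str        # SID string; values below are constructed for the example
    mask: int       # ACCESS_MASK granted or denied by this ACE

def access_check(dacl, token_sids, requested):
    """Walk the DACL in order and decide whether every bit of `requested`
    is granted (simplified model of the evaluation in [MS-ADTS] 5.1.3.3.2).
    An absent DACL (None) protects nothing, so any request is granted;
    an empty DACL grants nothing."""
    if dacl is None:
        return True
    remaining = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                       # ACE does not apply to this token
        if ace.ace_type == "DENY" and ace.mask & remaining:
            return False                   # a still-needed bit is explicitly denied
        if ace.ace_type == "ALLOW":
            remaining &= ~ace.mask         # these bits are now satisfied
        if remaining == 0:
            return True                    # later ACEs (even denies) no longer matter
    return remaining == 0

# Constructed DACL for an mSMQQueue-like object: a deny ACE for a guest SID
# first (canonical order), read for Everyone, then write rights for an admin group.
EVERYONE, GUEST, ADMINS = "S-1-1-0", "S-1-5-21-1-2-3-501", "S-1-5-21-1-2-3-1108"
SAMPLE_DACL = [
    Ace("DENY",  GUEST,    DS_WRITE_PROP),
    Ace("ALLOW", EVERYONE, READ_CONTROL | DS_READ_PROP),
    Ace("ALLOW", ADMINS,   WRITE_DAC | DS_WRITE_PROP | DELETE),
]

if __name__ == "__main__":
    print(access_check(SAMPLE_DACL, {EVERYONE, ADMINS}, DS_WRITE_PROP | DELETE))  # True
    print(access_check(SAMPLE_DACL, {EVERYONE, GUEST, ADMINS}, DS_WRITE_PROP))    # False
```

Because the walk stops as soon as the requested bits are satisfied, a deny ACE placed after a matching allow ACE is never consulted; this is why the ACE order the later sections prescribe matters when implementing the DACL.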