Mission-Critical Active Directory

In the following text we will focus on operating system security. Because many of the technologies explained in this section already existed in previous versions of the Windows NT operating system, we will focus on the differences in the way these technologies are implemented in the Windows 2000 operating system. Remember that operating system security is based upon three core services: authentication, authorization (or access control), and auditing. In this chapter we will focus on authorization and auditing; chapter 6 is dedicated to authentication.
Windows 2000 operating system security is (just like NT4) based upon the following core concepts: security principal, domain, SID, domain controller (DC), logon names, trust relationships, LSA, LSA policy, and secure channels.
In a Windows environment any entity that can be uniquely identified is a security principal. Users and machines are examples of security principals. Because security principals can be identified, they are unique within a certain environment and can be distinguished from one another. A new feature of Windows 2000 is that machines are now real security principals; they can identify themselves to any other principal; this was not the case in NT4.
As we explained previously, identification can use different identification methods (knowledge, biometric data, etc.). All of these methods use different credentials or things that uniquely identify an entity. Knowledge-based identification, for example, uses a user name and a password; biometric identification can use a fingerprint.
Besides credentials every security principal also...