The next feature that this domain functional level offers is constrained delegation. To understand this concept, you first need to know what delegation is. Consider an example where delegation comes into play. An administrator wants to install an application on a user's computer. He sends his username and password to the client's computer, which grants him access. The administrator then sends a command to the client's computer telling it to connect to a file server to get the install files.
In order for the client's computer to do this, it needs a username and password to access the file server. To protect the install files, you would want to make them available only to an administrator. This is where the problem comes in: for the client's computer to access the shared files, it needs to pass on the administrator's credentials to the file server. When this occurs, it is called delegation.
The problem with delegation is that a virus on the client's computer could get the administrator's username and password and use it to access any computer on the network. This is why delegation in this form is disabled by default.
With the Windows Server 2003 domain functional level, you can enable delegation but restrict it to particular services. This provides a safer way to use delegation than before. To illustrate this, I will open Active Directory Users and Computers from the Start menu.
I will navigate to the organizational unit containing the computer accounts and open the properties of one of them. Once I select the Delegation tab, I can see that delegation is currently set to off, which is the default. The next option is to trust the computer for delegation, but only when using Kerberos.
Kerberos is a great security protocol, but a problem could occur if the administrator's computer were compromised and that computer was trusted for delegation. This computer could then be used as a stepping stone to access any computer on the network.
The next option is added by the Windows Server 2003 domain functional level. This allows you to trust the computer for delegation but to specify which services are allowed. If hackers were to take advantage of delegation, they would be limited to the services listed, and thus the possible damage they could do is reduced.
By default, Kerberos will be used, but if you need to, you can change the option to accept any valid authentication protocol. If I now select "Add", I can select the users or computers running the services that this computer account will be trusted to delegate to.
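Everything the Delegation tab sets is stored on the computer object in Active Directory, so you can audit it across the whole domain rather than opening each account. The script below is an added example, not part of the original video; it assumes a domain-joined Windows machine with PowerShell and read access to computer objects, and it uses plain ADSI rather than the ActiveDirectory module so it works against older domain controllers. It reports each computer's delegation mode: off, unconstrained (the option to any service), or constrained with Kerberos only or with any protocol, plus the service list.

```powershell
# Added audit example (assumed environment: domain-joined host, read access to AD).
# The Delegation tab maps onto three LDAP attributes/bits:
#   userAccountControl bit 0x80000   -> "Trust this computer for delegation to any service"
#   msDS-AllowedToDelegateTo         -> service list for constrained delegation
#   userAccountControl bit 0x1000000 -> "Use any authentication protocol" (vs Kerberos only)
$TRUSTED_FOR_DELEGATION         = 0x80000
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) lets us test a single UAC bit.
# Match computers that are either unconstrained or have a constrained service list.
$filter = "(&(objectCategory=computer)" +
          "(|(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
          "(msDS-AllowedToDelegateTo=*)))"

$searcher = [adsisearcher]$filter          # searches the current domain by default
$searcher.PageSize = 1000                  # page results so large domains are fully returned
[void]$searcher.PropertiesToLoad.AddRange(@('name', 'userAccountControl', 'msDS-AllowedToDelegateTo'))

foreach ($result in $searcher.FindAll()) {
    # ADSI returns property names in lower case
    $uac      = [int]$result.Properties['useraccountcontrol'][0]
    $services = @($result.Properties['msds-allowedtodelegateto'])

    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        # Any service: the "stepping stone" case described above; review these first
        $mode = 'Unconstrained (any service) - REVIEW'
    } elseif ($services.Count -gt 0) {
        $mode = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            'Constrained - any authentication protocol'
        } else {
            'Constrained - Kerberos only'
        }
    } else {
        $mode = 'Off'
    }

    [pscustomobject]@{
        Computer   = $result.Properties['name'][0]
        Delegation = $mode
        Services   = ($services -join '; ')
    }
}
```

Accounts reported as unconstrained are the ones the video warns about; the expected end state after applying this feature is that every computer needing delegation appears as constrained with a short, reviewed service list.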
The remaining features will be discussed in Windows Server 2003 (Part 2).