Windows Server 2003 (Part 2)

The next feature that this domain level offers is constrained delegation. To understand this concept, first you will need to know about delegation. Consider this example where delegation would come into play. An administrator wants to install an application on a user’s computer. He sends his username and password to the client’s computer which allows him access. The administrator then sends a command to the client’s computer telling the client to connect a file server to get the install files.

In order for the client’s computer to do this, it needs a username and password to access the file server. In order to protect the install files, you would want to make them available only to an administrator. This is where the problem comes in. In order for the client’s computer to access the shared file, it needs to pass on the administrator’s credentials to the file server. When this occurs, it is called delegation.

The problem with delegation is that a virus on the client’s computer could get the administrator’s username and password and use it to access any computer on the network. This is why delegation in this form is disabled by default.

With the Windows-Server-2003 domain functional level, you can enable delegation but may restrict it to particular services to be accessed. This provides a safer way to use delegation than previously. To illustrate this, I will open Active Directory users and computers from the start menu.

I will navigate to the computer’s organizational units and select the properties for one of the computer accounts. Once I select the delegation tab, I can see the current delegation is set to off, which is the default. The next option is to trust delegation but only when using Kerberos.

Kerberos is a great security protocol but a problem could occur if the administrator’s computer was to become compromised and thus computer was trusted for delegation. This computer could then be used as a stepping stone to access any computer on the network.

The next option is added by the Windows-Server-2003 domain functional level. This allows you to trust the computer for delegation but to specify which services are allowed. If hackers were to take advantage of delegation, they would be limited to the services listed and thus the possible damage they could do is reduced.

By default Kerberos will be used, but if you need to, you can change the option to accept any valid protocol. If I now select “add”, I can select the users or computers that I want this computer account to be trusted to use.

If I only wanted the computer account to be trusted to read install media stored on DC1 (domain Controller), I would select CIFS, a protocol used by Windows File Sharing. What this means is that an administrator could send their username and password to this computer telling it to install an application. The application install files are located on DC1. In order to access these files, DC1 will need a username and password. Since the work station is trusted for delegation for file sharing only and only to DC1, it can pass the administrator’s username and password to DC1 to access the files. For ultimate security you could make the file share on DC1 read only. 

Other remaining features will be discussed in Windows Server 2003 (Part 2) Windows Server 2003 (Part 2).