Sunday, August 23, 2009
Windows Server 2008 - ADDS ADCS ADFS ADLDS ADRMS - is it really all AD?
ADLDS - Active Directory Lightweight Directory Services. This one, formerly known as ADAM (Active Directory Application Mode), is designed to be an information store that web applications can use for a database of user accounts and their properties, without having to actually connect to ADDS. Since multiple instances of this service can be installed on the same machine under different ports, it is an easy way to allow LDAP searching programs (again, usually web apps) to authenticate and determine user account capabilities, without mangling or compromising the security of the internal ADDS environment. Why prefix it with AD if it's not AD? Because it still deals with the core issues of a secure logon (for a user against the web app) and an information store.
ADFS - Active Directory Federation Services. This service is all about allowing a remote company to establish a non-ADDS trust with your company. What's wrong with using an ADDS trust? Nothing, in and of itself, but the process of allowing that access may open up ports and communication protocols over the internet that you do not want to allow. ADFS, which travels over standard HTTP ports, provides a secure means of Trust (Ah, the AD tie in) between two ADDS (or other) environments, without having to weaken security.
ADRMS - Active Directory Rights Management Services. A service to lock down content (such as Word documents or Emails) so that it is not subject to misuse (such as restricting printing or saving a copy of a document, or preventing the forwarding of a confidential email). This Windows service requires the use of an Active Directory user account in order to be trusted to open the document. (Perhaps a better name would be AD-Integrated Rights Management Services). Still, the key here is that documents can only be opened once a "secure logon authentication" has been established, and the document recognizes that it "trusts" the end user. What if the end user isn't in my company? Then my domain will need to trust theirs, either through a Windows domain trust, or a Federation trust (see ADFS above).
ADCS - Active Directory Certificate Services. - This is the service that allows users, computers, and services to request and receive certificates that can be used for confidentiality (you know, encrypting stuff) and integrity (you know, digitally signing stuff). This service can run in a standalone mode in a workgroup, and never see a domain controller in its entire life! However, if it is installed in a domain and installed as an Enterprise Certificate Authority (Read as: Active Directory-Integrated) then the server is automatically trusted by all members of the domain, and it becomes much easier to request certificates (perhaps through group policy), and they are automatically granted by the server to all domain members. Certificates are used for "Trust" and, in some cases, for "secure logon authentication".
I hope this brief overview of these topics has shed some light on why they all bear the AD prefix. Microsoft has their eyes on the prize when it comes to "trust", "secure logon authentication", and "searchable information store" through the Active Directory name. In our age where perimeter security is no longer considered secure and realms of trust guarded by the mechanisms of authentication are the true definitions of our security boundaries, these AD technologies are all designed to let you allow just enough access to get the job done, and no more.