Sunday, August 23, 2009

Windows Server 2008 - ADDS ADCS ADFS ADLDS ADRMS - is it really all AD?

As Microsoft has continued to promote Windows Server 2008, one of the challenges for me has been to wade through the hype in order to figure out why something that in Windows 2000 was cheerfully known as "Active Directory" is no longer what I thought it was. At its core, the term Active Directory still refers to the mainstay backbone of Microsoft-based security environments: "trust" and "secure logon authentication." In addition, it still refers to a searchable information store. But leave it to the marketing guys at M$ to realize that "Active Directory" has the connotation of being an indispensable part of a Windows network.
As Windows has matured, supplements to the core operating system have appeared over the last five years or so. These features, installable as additional features or available as free downloads, had various names, but all in some way dealt with the issues of "trust", "secure logon authentication", or "searchable information store". Let's examine them, and why they now bear the AD prefix, even if they are not a part of what we have traditionally referred to as Active Directory.
ADDS - Active Directory Directory Services. O.K., this one really is what you think it is. The database of users, computers, and groups, logically divided by Organizational Units, held in at least one domain, used to centrally manage a network.

ADLDS - Active Directory Lightweight Directory Services. This one, formerly known as ADAM (Active Directory Application Mode), is designed to be an information store that web applications can use for a database of user accounts and their properties, without having to actually connect to ADDS. Since multiple instances of this service can be installed on the same machine under different ports, it is an easy way to allow LDAP searching programs (again, usually web apps) to authenticate and determine user account capabilities, without mangling or compromising the security of the internal ADDS environment. Why prefix it with AD if it's not AD? Because it still deals with the core issues of a secure logon (for a user against the web app) and an information store.
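The pattern described above, a web application that searches an LDAP store for a user, verifies the password with a bind, and then reads group membership to decide what the user may do, as an added example that is not part of the original post. Host name, port number, base DN, service account and group-to-role mapping are all assumptions; the `ldap3` library is a third-party package and is only imported when a real connection is made, so the helper functions run offline.

```python
"""Authenticate a web-app user against an LDAP directory such as an AD LDS
instance listening on a non-default port.  Added example, not from the post.
All host/port/DN values are assumptions; no real directory is contacted unless
authenticate() is called."""
import ssl

# RFC 4515 requires these characters to be hex-escaped inside a filter value,
# otherwise user-supplied text such as "jdoe)(objectClass=*" could rewrite
# the structure of the search filter the application sends.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated purely as data inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, login_attr: str = "userPrincipalName") -> str:
    """Filter that matches a single user object by its login attribute."""
    return f"(&(objectClass=user)({login_attr}={escape_filter_value(username)}))"


def allowed_roles(member_of, role_map):
    """Map the group DNs returned in memberOf to application roles.

    Groups the application does not know about are ignored, so adding a user
    to an unrelated group in the directory grants nothing in the web app."""
    return sorted({role_map[dn] for dn in member_of if dn in role_map})


def authenticate(host, port, base_dn, svc_dn, svc_password,
                 username, password, role_map):
    """Two-step LDAP logon against an AD LDS instance (assumed layout).

    1. Bind as a low-privilege service account and locate the user's DN.
    2. Bind again as that DN with the supplied password to verify it.
    Returns a dict with the DN and roles, or None on any failure."""
    # An empty password turns a simple bind into an anonymous bind, which many
    # directories accept; reject it before it ever reaches the server.
    if not username or not password:
        return None

    from ldap3 import Connection, Server, Tls  # third-party package (assumption)

    tls = Tls(validate=ssl.CERT_REQUIRED)
    server = Server(host, port=port, use_ssl=True, tls=tls)

    svc = Connection(server, user=svc_dn, password=svc_password)
    if not svc.bind():
        return None
    try:
        svc.search(base_dn, build_user_filter(username), attributes=["memberOf"])
        if len(svc.entries) != 1:      # zero or ambiguous matches: fail closed
            return None
        entry = svc.entries[0]
        user_dn = entry.entry_dn
        groups = list(entry.memberOf.values)
    finally:
        svc.unbind()

    user_conn = Connection(server, user=user_dn, password=password)
    try:
        if not user_conn.bind():       # wrong password or disabled account
            return None
    finally:
        user_conn.unbind()

    return {"dn": user_dn, "roles": allowed_roles(groups, role_map)}


if __name__ == "__main__":
    # Constructed hostile input: without escaping it would match every user.
    print(build_user_filter("jdoe)(objectClass=*"))
    # Example call shape (constructed values; requires a reachable AD LDS host):
    # authenticate("ldap.example.test", 50001, "OU=Users,DC=webapp,DC=test",
    #              "CN=svc-web,OU=Service,DC=webapp,DC=test", "service-secret",
    #              "jdoe@webapp.test", "user-password",
    #              {"CN=WebAdmins,OU=Groups,DC=webapp,DC=test": "admin"})
```

The second bind is what actually proves the password; the service-account search only exists to turn a login name into a DN and to fetch `memberOf`. Keeping the role mapping in the application (rather than trusting every group the directory returns) is what lets a separate AD LDS instance per application isolate those applications from each other and from the production ADDS forest.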

ADFS - Active Directory Federation Services. This service is all about allowing a remote company to establish a non-ADDS trust with your company. What's wrong with using an ADDS trust? Nothing, in and of itself, but the process of allowing that access may open up ports and communication protocols over the internet that you do not want to allow. ADFS, which travels over standard HTTP ports, provides a secure means of Trust (Ah, the AD tie-in) between two ADDS (or other) environments, without having to weaken security.

ADRMS - Active Directory Rights Management Services. A service to lock down content (such as Word documents or emails) against misuse, for example by restricting printing or saving a copy of a document, or by preventing the forwarding of a confidential email. This Windows service requires the use of an Active Directory user account in order to be trusted to open the document. (Perhaps a better name would be AD-Integrated Rights Management Services.) Still, the key here is that documents can only be opened once a "secure logon authentication" has been established, and the document recognizes that it "trusts" the end user. What if the end user isn't in my company? Then my domain will need to trust theirs, either through a Windows domain trust, or a Federation trust (see ADFS above).

ADCS - Active Directory Certificate Services. This is the service that allows users, computers, and services to request and receive certificates that can be used for confidentiality (you know, encrypting stuff) and integrity (you know, digitally signing stuff). This service can run in a standalone mode in a workgroup, and never see a domain controller in its entire life! However, if it is installed in a domain and installed as an Enterprise Certificate Authority (read as: Active Directory-Integrated), then the server is automatically trusted by all members of the domain, and it becomes much easier to request certificates (perhaps through group policy), and they are automatically granted by the server to all domain members. Certificates are used for "Trust" and, in some cases, for "secure logon authentication".

I hope this brief overview of these topics has shed some light on why they all bear the AD prefix. Microsoft has their eyes on the prize when it comes to "trust", "secure logon authentication", and "searchable information store" through the Active Directory name. In our age where perimeter security is no longer considered secure and realms of trust guarded by the mechanisms of authentication are the true definitions of our security boundaries, these AD technologies are all designed to let you allow just enough access to get the job done, and no more.
