Windows Small Business Server 2011 : Understanding Windows SBS Security Principles

- Free product key for windows 10
- Free Product Key for Microsoft office 365
- Malwarebytes Premium 3.7.1 Serial Keys (LifeTime) 2019

Security is essentially a matter of controlling access to network resources. In theory, one can create a perfectly secure system simply by denying everyone access to it, but this is hardly a feasible solution for a data network. Some of the basic security principles for the small business network administrator to consider are as follows:

  • Allow users to access the network resources they need to perform their jobs.

  • Prevent unauthorized network users from accessing administrative tools and settings.

  • Allow network users to access the Internet without providing Internet users unrestricted access to the network.

The following sections examine the primary mechanisms and design decisions in Windows SBS 2011 that enable administrators to realize these goals.

Authenticating Users

Authentication, one of the two fundamental security functions, is the process of verifying a user’s identity in preparation for granting that user access to a protected resource. To authenticate a user, a system requires at least one of the following:

  • Something the user knows The most common form of authentication requires users to supply a piece of information, such as a password, which the system already possesses. The complicating factor in this type of authentication is the security of the passwords, which can conceivably be intercepted during transmission or compromised by the user. Windows SBS 2011 uses password-based authentication by default, with authentication protocols that protect the passwords from capture during network transmission.

  • Something the user has Some security systems require users to possess a smart card or other identifying device that they must supply to the computer before they can access protected resources. Windows SBS 2011 supports smart card authentication, but it is not configured to do so by default. The main drawback of this authentication method is the additional cost for the cards and the card reader hardware. Smart cards can also be easily lost or stolen, so users are nearly always required to provide a password as well.

  • Something the user is Some security systems require users to confirm their identities by scanning physiological characteristics, such as fingerprints. This technology is known as biometrics. Biometrical authentication is one of the most secure systems available because fingerprints and other physiological characteristics are difficult to spoof or steal. Windows Server 2008 R2 does not include direct support for biometrical authentication (although Windows 7 now does, in the form of the Windows Biometric framework), but it does support modular authentication protocols that enable the system to interact with third-party hardware and software authentication solutions.

Active Directory Domain Services (AD DS) is responsible for authenticating network users in Windows SBS 2011. When you create user accounts, you specify passwords for them, which AD DS stores in its database. When users log on from their workstations, they type their passwords as part of the authentication process.

The biggest problem with password-based authentication is the tendency of the passwords to be compromised. There are two potential avenues of compromise: the network and the users themselves. If client applications transmit passwords over the network in clear text, it is possible for someone to capture the network packets and read the passwords inside them. Even if a client application encrypts the passwords before transmitting them, a potential intruder can often identify the data string that contains the encrypted password and use it to create an illicit logon by replaying it back to a server, still in its encrypted form.

To protect the user passwords, AD DS uses Kerberos, an advanced authentication protocol that enables clients to log on without transmitting passwords over the network in any form, clear or encrypted. Named for the three-headed dog of Greek mythology that guards the entrance to Hades, Kerberos is a highly complex protocol that requires three elements to function: the client attempting to access a protected resource, the server hosting the protected resource, and an authentication provider. In Windows SBS 2011, the AD DS domain controller is the authentication provider, and it is involved in every security transaction, even when a user accesses a resource on another server. To avoid transmitting passwords over the network, Kerberos uses cryptographic values derived from the passwords to create unique tickets that clients and servers exchange to gain access to protected resources. Because the tickets are generated for a specific use at a specific time, intruders capturing the packets cannot replay them or derive user passwords from them.

Passwords are also vulnerable to low-tech forms of compromise, typically resulting from users’ sloppy or naive security habits. Users often write passwords down, give them to coworkers for the sake of convenience, or are duped into supplying them through social engineering. To address these problems, Windows SBS 2011 uses Group Policy settings to compel users to change their passwords at regular intervals. You can modify these settings to suit the security needs of your organization.


Social engineering is the term used to define the process by which intruders gain access to protected resources by manipulating users into providing their credentials or other information. For example, a friendly stranger claiming to be from the company’s IT department calls a user on the phone and says that he has been instructed to upgrade the user’s account, but he needs the user’s password to do so. The user, without verifying the caller’s identity, supplies the password and thinks no more of it. In many cases, social engineering is a far easier and more effective tactic for penetrating a network’s security than other high-tech alternatives.

Authorizing Users

The other fundamental security function is authorization, which is defined as the process of specifying which protected resources an authenticated user is permitted to access. Authentication confirms the user’s identity, but authorization actually provides access to the network resources. In Windows SBS 2011, various permission systems authorize users to access protected resources.

Although they function in much the same way, Windows SBS 2011 has separate permission systems for each of the following resources:

  • NTFS files and folders

  • Folder shares

  • Printer shares

  • AD DS objects

  • Registry keys

Permissions are flags that enable a particular user or group of users to perform specific actions on a specific resource. For example, a user who possesses the Read permission for an NTFS file is allowed to read the contents of the file, but the user cannot modify the file nor do anything other than read it without additional permissions.

Windows stores permissions as a part of the objects they protect. Each protected element has an access control list (ACL) that consists of individual access control entries (ACEs). Each ACE consists of a security principal (the user, group, or computer receiving access) and the permissions assigned to that security principal. In Windows SBS 2011, when you open the Properties sheet for a file, the Security tab contains the interface you can use to modify the file’s ACL, as shown in Figure 1. Other elements, such as folder and printer shares, AD DS objects, and registry keys, have different types of permissions, but you use the same interface to manage them.

The Security tab on a file’s Properties sheet.

Figure 1. The Security tab on a file’s Properties sheet.

In Windows SBS 2011, as with all the other Windows operating systems, permissions are always a part of the protected element, not the entity receiving access to that element. Each file on an NTFS volume, for example, has an ACL specifying the users and groups that can access it. If you move the file to another NTFS drive, the ACL goes with it. However, user and group objects in the AD DS database do not have a list of the files and other resources they are permitted to access.

Combining Permissions

Access control—the process of regulating who can use specific system resources—is one of the fundamental tasks of the network administrator. Windows SBS 2011, like all of the Windows operating systems, uses permissions to control access to shares, file systems, printers, and many other resources.

Shared folders have their own independent set of permissions, completely separate from the other Windows permission systems, such as the NTFS permissions you use to control access to files and folders. The main difference between share permissions and NTFS permissions is that share permissions apply only when a user attempts to access a protected resource over the network. NTFS permissions apply both over the network and on the local console.

For example, users who have the NTFS permissions needed to access a server folder, but who lack share permissions for that same folder, can access it from the server console, but not over the network. Users that have share permissions but lack NTFS permissions cannot access the folder at all.


The FAT file systems that Windows Server 2008 R2 supports have no built-in access control capabilities. Therefore, a computer with FAT volumes must rely on share permissions, as they are the only form of access control available. However, in today’s computing environment, there are few—if any—compelling reasons to use the FAT file systems, so the need to rely on share permissions for access control is now a rarity.

Because users must have both share and NTFS permissions to access a particular resource from the network, many administrators choose to avoid confusion by using only one of the available permission systems. NTFS permissions are the logical choice because they provide more comprehensive and flexible protection. In fact, this is the approach that Windows SBS 2011 takes in its default shares. All three of the default shares that Windows SBS 2011 creates for user access have the Allow Full Control permission assigned to the Everyone special identity, which means that all network users can connect to them without restriction. To control access to the shares on a granular level, Windows SBS 2011 assigns NTFS permissions.


A special identity is a Windows element that stands for all objects sharing a specific trait or condition. For example, assigning permissions to the Authenticated Users special identity causes all users that are logged on to the domain to receive those permissions.

Establishing Permission Policies

One of the key elements of network administration is making sure that all the people sharing responsibility for a specific function are on the same page with regard to how they should use that function. In small businesses, this is sometimes not a big problem because there are only a few administrators (or maybe only one) who need to receive the word. On the other hand, administration on small business networks is often more informal than it is on larger ones, and administrators are less likely to establish policies and see to it that everyone follows them.

With regard to share and NTFS permission systems, it is important for someone to decide early on how administrators should use them on this particular network and see to it that those decisions are enforced. In some cases, this might simply be a matter of one person declaring that administrators should leave all share permissions wide open and use only NTFS permissions to secure resources. Other permission policies might dictate that administrators use Allow permissions, but not Deny permissions, and specify when and if administrators can block or otherwise control permission inheritance.

It is certainly not required that administrators of small business networks avoid using share permissions for access control, but it is recommended. Using share permissions and NTFS permissions is like having two locked doors that require two different keys to get into your house. Sure, it’s safer, but consider carefully whether it is really necessary.

Whichever combination of permissions you choose to employ on your network, failure to create explicit policies in these matters can lead to chaos in the future when a user cannot gain access to a resource. If one administrator prefers to use share instead of NTFS permissions, or Deny instead of Allow permissions, or explicit permissions on every folder instead of inherited ones, troubleshooting becomes a nightmare, with everyone trying to maintain their own standards at the same time.
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 11) - Region and Language, System
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 10) - Programs and Features
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 9) - Notification Area Icons, Performance Information and Tools
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 8) - Fonts
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 7) - Ease of Access Center
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 6) - Devices and Printers
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 5) - AutoPlay
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 4) - AutoPlay
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 3) - Action Center
  •  Windows Management and Maintenance : The Windows 7 Control Panel (part 2)
    Top 10
    Free Mobile And Desktop Apps For Accessing Restricted Websites
    MASERATI QUATTROPORTE; DIESEL : Lure of Italian limos
    TOYOTA CAMRY 2; 2.5 : Camry now more comely
    KIA SORENTO 2.2CRDi : Fuel-sipping slugger
    How To Setup, Password Protect & Encrypt Wireless Internet Connection
    Emulate And Run iPad Apps On Windows, Mac OS X & Linux With iPadian
    Backup & Restore Game Progress From Any Game With SaveGameProgress
    Generate A Facebook Timeline Cover Using A Free App
    New App for Women ‘Remix’ Offers Fashion Advice & Style Tips
    SG50 Ferrari F12berlinetta : Prancing Horse for Lion City's 50th
    - Messages forwarded by Outlook rule go nowhere
    - Create and Deploy Windows 7 Image
    - How do I check to see if my exchange 2003 is an open relay? (not using a open relay tester tool online, but on the console)
    - Creating and using an unencrypted cookie in ASP.NET
    - Directories
    - Poor Performance on Sharepoint 2010 Server
    - SBS 2008 ~ The e-mail alias already exists...
    - Public to Private IP - DNS Changes
    - Send Email from Winform application
    - How to create a .mdb file from ms sql server database.......
    programming4us programming4us