2.11.1 Security Elements

Directory objects are protected by security descriptors that contain access control lists (ACLs). An ACL grants or denies permissions to security principals, either directly or through group membership, to read, update, or otherwise manipulate the object, as described in [MS-ADTS] section 5.1.3. However, each protocol decides which access checks to enforce when it accesses the directory. That is, while some protocols enforce the authorization checks described in [MS-ADTS], other protocols substitute their own access checks, as described in that individual protocol's Technical Document.

In the Active Directory system, the following protocols perform access checks, as described in [MS-ADTS] section 5.1.3:

The following protocols substitute, in full or in part, a different access check methodology, as described in the protocol's Technical Document:

When performing an access check, the identity of the requestor, represented as a security identifier (SID), is used to compare the permissions that are required to perform a given operation to the permissions that are granted to that identity, in accord with the access check rules of the protocol in use. Each protocol specifies a means by which a requestor can prove (authenticate) its identity to the directory service so that the identity can be used in subsequent access check decisions. Each protocol's means of authentication is described in the corresponding protocol document, except that for WS-Transfer, WS-Enumeration, and ADCAP, it is instead described in [MS-ADDM] section 2.1.
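The following Python model illustrates the access check described above: the requestor's identity is a set of SIDs (its own SID plus those of its groups), and the DACL is walked in order to decide whether the permissions required for an operation are all granted. This is an added illustration for this section, not code from [MS-ADOD], [MS-ADTS] or any Active Directory protocol; it models only the generic Windows DACL walk that [MS-ADTS] section 5.1.3 builds on and deliberately omits object-specific ACEs, owner rights and control access rights. The SIDs, group names and function names are constructed for the example; the ACE type, flag and access-mask constants are the documented Windows values.

```python
"""Simplified DACL access check for a directory object (added illustration,
not code from [MS-ADOD] or [MS-ADTS]).  Models the generic Windows DACL walk:
ACEs are evaluated in order, an ACCESS_DENIED ACE whose SID is in the
requestor's token and whose mask overlaps a still-ungranted bit denies the
request, ACCESS_ALLOWED ACEs accumulate granted bits, and the request succeeds
once every requested bit has been granted.  Object-specific ACEs, owner rights
and control access rights from [MS-ADTS] 5.1.3 are not modelled."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Sequence

# ACE types and flags ([MS-DTYP] 2.4.4.1)
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
INHERIT_ONLY_ACE = 0x08   # ACE exists only to be inherited; not effective on this object
INHERITED_ACE = 0x10      # ACE was inherited from the parent object

# Directory-specific access mask bits ([MS-ADTS] 5.1.3.2) and one standard right
RIGHT_DS_READ_PROPERTY = 0x00000010
RIGHT_DS_WRITE_PROPERTY = 0x00000020
RIGHT_WRITE_DAC = 0x00040000


@dataclass(frozen=True)
class Ace:
    ace_type: int
    flags: int
    mask: int
    sid: str


def access_check(dacl: Optional[Sequence[Ace]], token_sids: FrozenSet[str], requested: int) -> bool:
    """True if every bit in `requested` is granted to a requestor whose token
    carries `token_sids` (its own SID plus the SIDs of the groups it belongs to)."""
    if dacl is None:            # security descriptor with no DACL: everyone gets everything
        return True
    remaining = requested
    for ace in dacl:            # order matters: the first matching ACE for a bit decides it
        if remaining == 0:
            break
        if ace.flags & INHERIT_ONLY_ACE:
            continue            # present only for inheritance by children
        if ace.sid not in token_sids:
            continue            # ACE is for a principal the requestor is not
        if ace.ace_type == ACCESS_DENIED_ACE_TYPE:
            if ace.mask & remaining:
                return False    # a bit still needed is explicitly denied
        elif ace.ace_type == ACCESS_ALLOWED_ACE_TYPE:
            remaining &= ~ace.mask
    return remaining == 0       # hence an empty (non-None) DACL denies everything


def is_canonical(dacl: Sequence[Ace]) -> bool:
    """Canonical order: explicit denies, explicit allows, inherited denies,
    inherited allows.  A deny placed after an allow for the same bits is never
    reached by access_check and silently fails to protect the object."""
    def rank(ace: Ace) -> tuple:
        return (bool(ace.flags & INHERITED_ACE), ace.ace_type != ACCESS_DENIED_ACE_TYPE)
    ranks = [rank(a) for a in dacl]
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


# Constructed sample principals.  The domain SIDs are made up; S-1-5-11 is the
# well-known Authenticated Users SID.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
USER = DOMAIN + "-1105"            # an ordinary user
HELPDESK_USER = DOMAIN + "-1106"   # a member of the helpdesk group
DOMAIN_USERS = DOMAIN + "-513"
CONTRACTORS = DOMAIN + "-2101"
HELPDESK = DOMAIN + "-2201"
AUTHENTICATED_USERS = "S-1-5-11"

USER_TOKEN = frozenset({USER, DOMAIN_USERS, CONTRACTORS, AUTHENTICATED_USERS})
HELPDESK_TOKEN = frozenset({HELPDESK_USER, DOMAIN_USERS, HELPDESK, AUTHENTICATED_USERS})

# Canonically ordered DACL: deny first, then allows, plus an inherit-only ACE.
GOOD_DACL = (
    Ace(ACCESS_DENIED_ACE_TYPE, 0, RIGHT_DS_WRITE_PROPERTY, CONTRACTORS),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_DS_READ_PROPERTY | RIGHT_DS_WRITE_PROPERTY, AUTHENTICATED_USERS),
    Ace(ACCESS_ALLOWED_ACE_TYPE, 0, RIGHT_DS_WRITE_PROPERTY | RIGHT_WRITE_DAC, HELPDESK),
    Ace(ACCESS_ALLOWED_ACE_TYPE, INHERIT_ONLY_ACE, RIGHT_DS_WRITE_PROPERTY, DOMAIN_USERS),
)

# Same ACEs with the deny placed after the allow: the deny is never consulted.
MISORDERED_DACL = (GOOD_DACL[1], GOOD_DACL[0], GOOD_DACL[2], GOOD_DACL[3])


if __name__ == "__main__":
    print("user read      :", access_check(GOOD_DACL, USER_TOKEN, RIGHT_DS_READ_PROPERTY))
    print("user write     :", access_check(GOOD_DACL, USER_TOKEN, RIGHT_DS_WRITE_PROPERTY))
    print("helpdesk write :", access_check(GOOD_DACL, HELPDESK_TOKEN, RIGHT_DS_WRITE_PROPERTY))
    print("misordered deny:", access_check(MISORDERED_DACL, USER_TOKEN, RIGHT_DS_WRITE_PROPERTY))
    print("canonical?     :", is_canonical(GOOD_DACL), is_canonical(MISORDERED_DACL))
```

The contractor's write request is refused by the first DACL because the deny ACE is reached while the write bit is still outstanding, whereas the helpdesk member, who is not in the denied group, is granted write through group membership alone. With the same ACEs in non-canonical order the allow ACE satisfies the request first and the deny is never evaluated, which is why a practitioner auditing directory permissions checks ACE ordering and not just ACE presence.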

The protocols provide mechanisms to digitally sign requests and responses to protect them from tampering while they are transferred over the network and to encrypt the traffic to prevent eavesdropping. For more information, see section 2.11.2.