The default Windows 2000 Active Directory installation was not as secure as it could have been. It allowed anonymous queries to be executed, which could take up valuable processing resources, and it did not place any requirements on encrypting or signing traffic between clients and domain controllers. As a result, usernames, passwords, and search results could be sent over the network in clear text. Fortunately, with Windows Server 2003, things have been tightened up significantly. LDAP traffic is signed by default and anonymous queries are disabled by default. Additionally, Transport Layer Security (TLS), the more flexible cousin of Secure Sockets Layer (SSL), is supported in Windows Server 2003, which allows for end-to-end encryption of traffic between domain controllers and clients.

Active Directory’s Access Control List (ACL) model provides ultimate flexibility for securing objects throughout a forest. You can restrict access down to the attribute level if you need to. With this flexibility also comes increased complexity. An object’s ACL is initially generated from the default ACL for the object’s class, inherited permissions, and permissions directly applied on the object.

An ACL is a collection of ACE entries (Access Control Entry), which defines the permission and properties that a security principal can use on the object on which the ACL is applied. Defining these entries and populating the ACL is the foundation of Active ...