DFSR Security Model

The Distributed File System Replication (DFSR) service provides two types of security:

  • Active Directory security
  • WMI security

During startup and polling cycles, DFSR downloads configuration information from Active Directory, creates the corresponding registry keys (if they do not already exist), and maintains the access-control lists (ACLs) on those registry keys. The security and delegation model is therefore managed through Active Directory security and cached locally, where the WMI interfaces enforce it.

Active Directory Security

Every object and every attribute in the Active Directory can have an associated security descriptor. DFSR simplifies security delegation by taking advantage of the Active Directory security model as well as ACL inheritance. Each class of DFSR objects in the Active Directory is grouped under a container object.

The default Active Directory object allows the following access.

User                       Access
-------------------------  ----------------------------
Authenticated users        ADS_RIGHT_DS_READ_PROP
                           ADS_RIGHT_ACTRL_DS_LIST
                           ADS_RIGHT_DS_LIST_OBJECT
                           ADS_RIGHT_READ_CONTROL

Domain administrators,     ADS_RIGHT_DS_READ_PROP
Creator/owner,             ADS_RIGHT_DS_WRITE_PROP
LocalSystem account        ADS_RIGHT_DS_CONTROL_ACCESS
                           ADS_RIGHT_ACTRL_DS_LIST
                           ADS_RIGHT_DS_LIST_OBJECT
                           ADS_RIGHT_DS_CREATE_CHILD
                           ADS_RIGHT_DS_DELETE_CHILD
                           ADS_RIGHT_DS_READ_CONTROL
                           ADS_RIGHT_DS_WRITE_DAC
                           ADS_RIGHT_DS_WRITE_OWNER
                           ADS_RIGHT_DS_DELETE_TREE
                           ADS_RIGHT_DS_SELF

WMI Security

The WMI interface provides security through the registry interface. Any operation on a replication group or one of its replicated folders is verified with an access check on the corresponding registry key.

The following table summarizes the categories of operations provided by the DFSR WMI classes and the required permissions that must be granted to the registry key.

Operation                  Permissions
-------------------------  -----------
Read configuration data    READ
Write configuration data   WRITE
Read monitoring data       SPECIAL
Write monitoring data      WRITE

The following table summarizes the relationship between the DFSR permissions, the registry key access masks, and the corresponding access rights on Active Directory objects.

DFSR access  Key access  Active Directory access
-----------  ----------  ---------------------------
READ         KEY_READ    ADS_RIGHT_DS_READ_PROP
WRITE        KEY_WRITE   ADS_RIGHT_DS_WRITE_PROP
SPECIAL      KEY_NOTIFY  ADS_RIGHT_DS_CONTROL_ACCESS
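
The two WMI tables above can be turned into an audit of the locally cached ACL. The following PowerShell function is an added example, not code from the original page or from the DFSR product: it reads the ACL of a registry key and reports, for each Allow entry, which DFSR access levels and operation categories it grants. The function name Get-DfsrKeyAccess is hypothetical, and the key path is supplied by the caller because the page does not name the key location.

```powershell
# Added example: map the Allow ACEs on a registry key to DFSR access levels.
# Get-DfsrKeyAccess is a hypothetical name; $KeyPath comes from the caller.
function Get-DfsrKeyAccess {
    param([Parameter(Mandatory)][string]$KeyPath)

    # Registry access masks named in the page's mapping table (winnt.h values).
    $levels = [ordered]@{
        READ    = 0x20019   # KEY_READ
        WRITE   = 0x20006   # KEY_WRITE
        SPECIAL = 0x0010    # KEY_NOTIFY
    }
    # Operation categories and the DFSR access each requires (from the page).
    $operations = [ordered]@{
        'Read configuration data'  = 'READ'
        'Write configuration data' = 'WRITE'
        'Read monitoring data'     = 'SPECIAL'
        'Write monitoring data'    = 'WRITE'
    }

    # Only Allow ACEs are listed. Deny ACEs and group membership are not
    # evaluated, so this shows what is granted, not a user's effective access.
    $allow = (Get-Acl -Path $KeyPath).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' }

    foreach ($ace in $allow) {
        $mask = [int]$ace.RegistryRights
        # Inheritable ACEs can carry generic rights; expand them to key rights.
        if ($mask -band 0x10000000) { $mask = $mask -bor 0xF003F }  # GENERIC_ALL
        if ($mask -band 0x80000000) { $mask = $mask -bor 0x20019 }  # GENERIC_READ
        if ($mask -band 0x40000000) { $mask = $mask -bor 0x20006 }  # GENERIC_WRITE

        # A level is granted only when every bit of its mask is present.
        $granted = @($levels.Keys | Where-Object {
            ($mask -band $levels[$_]) -eq $levels[$_]
        })
        [pscustomobject]@{
            Identity   = $ace.IdentityReference.Value
            Inherited  = $ace.IsInherited
            DfsrAccess = $granted -join ','
            Operations = @($operations.Keys | Where-Object {
                $granted -contains $operations[$_] }) -join '; '
        }
    }
}

# Usage (placeholder path): list every Allow ACE that grants WRITE.
# Get-DfsrKeyAccess -KeyPath 'HKLM:\<replication group key>' |
#     Where-Object { $_.DfsrAccess -match 'WRITE' }
```

Entries that grant WRITE to identities other than the administrative accounts listed in the Active Directory table are the ones to compare against the delegation configured in Active Directory.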