Overcome the Decentralized Nature of Windows Security

Security is probably one of the things I see companies spend the most time and effort on. Except, of course, for those companies who just don’t care (and yes, they’re out there), or who can’t spare the time that security requires. Why do Microsoft’s products have such complicated security? How does it work, and how can we leverage that architecture to make it better, more automated, and easier to control? I’ll focus on the file system for this article, but the same substantial truths apply to Active Directory, Exchange, services, SQL Server, the registry, SharePoint, and much more.


The problem with the base security architecture (the one used by Windows, Active Directory, and some other products) is that it is complex. It is also highly distributed: every object carries its own access control list, which gives end users better performance but makes it impossible to centrally report on permissions and difficult to report on auditing activity. It’s impractical, using only the native OS, to determine what resources a given user has access to. Yet that’s one of the most important questions we’re often called on to answer in the event of a security audit, a security breach, or other events. In this video I demonstrate the decentralized nature of Windows.
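To make the "what does this user have access to?" question concrete, here is an added example (not code from the original article or its author) that walks one directory tree with the built-in Get-Acl cmdlet and reports every ACE naming a given identity. The root path and the account name are assumed placeholders; because it matches only the literal identity string and not the groups the user belongs to, it is an inventory of explicit entries, not a true effective-access report, which is exactly the gap the paragraph above describes.

```powershell
# Added example, not part of the original article.
# Lists every ACE on a directory tree that names a given identity.
# $Root and $Identity are assumed values; replace them for your environment.
param(
    [string]$Root     = 'C:\Shares\Finance',   # assumed path
    [string]$Identity = 'CONTOSO\jdoe'         # assumed account (groups are not expanded)
)

$report = Get-ChildItem -Path $Root -Recurse -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try {
            $acl = Get-Acl -Path $path -ErrorAction Stop
        } catch {
            # Folders the reporting account cannot read are blind spots in any
            # per-object survey; record them instead of silently skipping them.
            [pscustomobject]@{
                Path = $path; Identity = '<access denied>'; Rights = ''; Type = ''; Inherited = ''
            }
            return   # move on to the next folder
        }
        foreach ($ace in $acl.Access) {
            # Compare against the literal identity string only; access granted
            # through group membership will NOT show up here.
            if ($ace.IdentityReference.Value -eq $Identity) {
                [pscustomobject]@{
                    Path      = $path
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                    Type      = $ace.AccessControlType.ToString()   # Allow or Deny
                    Inherited = $ace.IsInherited                    # explicit vs. inherited entry
                }
            }
        }
    }

$report | Sort-Object Path | Format-Table -AutoSize

# Keep a copy as audit evidence for the tree that was surveyed.
$report | Export-Csv -Path '.\acl-report.csv' -NoTypeInformation
```

Run it from an account that can read the ACLs of the whole tree, and expect it to take a while on large shares, since each folder is queried individually. To get closer to effective access you would need to expand the user's group memberships (for domain accounts, the ActiveDirectory module's Get-ADPrincipalGroupMembership is one way to obtain them) and match every ACE against that list, and you would still need to repeat the exercise for every server and share, which is the central reporting problem the article is about.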


Microsoft is focusing on improving the situation over the long term, using new security mechanisms such as claims-based authentication. Until that happens and is fully integrated across the OS (and we all manage to migrate to it), we’re stuck with a security architecture that, frankly, few companies manage very well without outside help. What, then, are some best practices we can adopt to make security management more effective? What capabilities need to be added to our environment to enable better security controls, reporting, and auditing? The article that explains the 5 best practices for centralizing security explores some of those details and offers some answers.