In this lesson we're going to discuss: what is authorization? The objectives of this lesson are to define what authorization is, explain some scenarios where authorization is used and why it's extremely important in the Windows realm, and discuss why it's important to Windows security.

What is authorization? Authorization is allowing or denying permissions based on who or what you are. "Who" meaning a user, for example. We've talked about Windows principals before, and that's the A-L-S at the end, not the L-E-S. Windows principals are going to be a user, or a security token, or even a system. Also, "what" you are: what about a computer system, or a file folder, or really biometrics, for example? Those are all things that can authenticate or authorize somebody to access systems.

It is really important in a practical business realm. Let's say we're trying to protect our users, or we're trying to protect user data inside of our data center. Yes, we may have door swipes that allow us to get through the door, and we are authorizing certain people to walk through that door to get access to that data center.

Let's talk about another scenario real quick. You invite me over, and once I'm there I knock on the door and you let me in, so now you've authenticated me. You invite me in, and I start to dig through your trash or your refrigerator, and I start eating your food and drinking Coke out of the fridge. Or what if I decide to knock over your TV? Did you authorize me to do any of that? You knew who I was through authentication: biometrics, you saw my face, okay? But did you authorize me to destroy something? Probably not. It's the same thing within computer systems. When we provide access to our systems, we are providing authorization and authentication. We talked about authentication in the previous lesson. Authorization allows us to get permissions based, again, on who or what we are.
So think about it in terms of somebody stealing information from an entity. Name one from the past several years that has been all over the news; I don't care what country you're watching this from. Edward Snowden, okay? He was authorized to get information; however, we need to lock that information down. He was not authorized to steal information. He was just authorized to look at information and make decisions as his job required. So we can't afford the luxury of taking somebody's code of ethics into account when we have computer systems. We need to ensure that authorization is always intact, especially on Windows systems, which provide a wealth of information on users, on company documents, all kinds of stuff that could really be damaging to our organization. So a code of ethics plays a huge role in how we authorize users to do what.

If you look at any government agency, again it doesn't matter what country you're from, we have different levels of authorization. Here in the US we have Secret, Top Secret, even SCI, that allow us to do different things with different documents. And through that authorization process, the level of security, the level of protection, goes up at every level. We'll be talking about some of this authorization in the next lesson, and how it's applied in Windows.

But regardless of a code of ethics, what about accidental exposure? Can we afford to accidentally press the delete button on a file that's really important? If we weren't authorized to delete something or to view something, can we do it? No. That's why we put that kind of authorization in place: to prevent not only the intentional but the accidental. Enterprise users have access to many types of tools and data. Organizational data security must remain intact through a comprehensive plan that ensures authorization is enforced inside of Windows. Users in general rely on organizations to provide them access to data.
However, it's users who generally cause instabilities in that authorization, or in security in general. So we have to make sure we are technically preventing users from themselves, essentially. The biggest threat to an organization is its users. So if we start out with least privilege and build up from there, we can guarantee, or somewhat guarantee, that only a certain amount of damage can be done if something happens to a user. The way Windows authenticates users is through Kerberos, and we already talked about this in a previous lesson. It is an essential part of protecting users' access.

So in conclusion, over the next few lessons we're going to focus on how we actually provide authentication and authorization inside of Windows to groups and, more specifically, to users. But the users are an issue. So we have to focus on how we authorize users, and authenticate them, to do certain things to certain files and systems.
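The following PowerShell script is an added example, not part of the lesson's material, showing the "start from least privilege and build up" idea and the "prevent the accidental delete" idea applied to a Windows folder through its NTFS ACL. It assumes an elevated PowerShell session on a Windows host and a local user account named 'alice' (a hypothetical name chosen for this example); the folder it creates under $env:TEMP is constructed for the demonstration.

```powershell
# Added example (not from the lesson): least-privilege NTFS authorization on a folder.
# Assumptions: run as an administrator in an elevated PowerShell session on Windows,
# and a local user named 'alice' exists (hypothetical account name for this example).
$Path = Join-Path $env:TEMP 'authz-demo'
New-Item -ItemType Directory -Path $Path -Force | Out-Null
Set-Content -Path (Join-Path $Path 'important.txt') -Value 'do not delete'

$acl = Get-Acl -Path $Path

# Start from least privilege: stop inheriting permissions from the parent folder and
# discard the inherited entries ($true = protect from inheritance, $false = do not keep them).
$acl.SetAccessRuleProtection($true, $false)

# Build back up: Administrators and SYSTEM keep full control so the folder stays manageable.
$inherit   = 'ContainerInherit,ObjectInherit'   # apply to the folder, its files and subfolders
$propagate = 'None'
foreach ($admin in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $admin, 'FullControl', $inherit, $propagate, 'Allow')
    $acl.AddAccessRule($rule)
}

# Authorize 'alice' to read and list only: she can look at the data, not change it.
$aliceRead = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'alice', 'ReadAndExecute', $inherit, $propagate, 'Allow')
$acl.AddAccessRule($aliceRead)

# Cover the accidental case with an explicit Deny on delete. Windows evaluates explicit
# Deny entries before explicit Allow entries, so even if someone later grants her
# Modify on this folder, the delete button still does nothing for her.
$aliceNoDelete = [System.Security.AccessControl.FileSystemAccessRule]::new(
    'alice', 'Delete,DeleteSubdirectoriesAndFiles', $inherit, $propagate, 'Deny')
$acl.AddAccessRule($aliceNoDelete)

Set-Acl -Path $Path -AclObject $acl

# Check the result: list who is authorized to do what on the folder.
(Get-Acl -Path $Path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize
```

The final Get-Acl listing is the check a practitioner would want: every entry should show IsInherited as False (the folder no longer picks up permissions from its parent), 'alice' should appear with an Allow for ReadAndExecute and a Deny for Delete, and nothing else should grant her write or delete rights. Running `icacls $Path` gives the same view from the command line. One caveat: the owner of an object can always rewrite its ACL, so least privilege also depends on who owns the folder, which is a separate right from the ones set here.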