Large Numbers of ACEs in ACLs Impair Directory Service Performance (271876)

MORE INFORMATION

ACLs on directory service objects allow very granular access control by supporting the following access control features:

• Property Permissions: Read and Write permission on property sets and individual properties of an object.
• Child Create and Delete Permissions: Create Child and Delete Child permission for each type of child object.
• Extended Rights: Permissions for individual special operations, known collectively as Extended Rights, on an object
• Validated Writes: Permission to perform validated writes to properties that support validated writes (such as, semantic value checking enforced during updates, and so forth).

Although complex access control is sometimes required to support business security policy, use of complex access control may result in ACLs with very large numbers of permission entries. To illustrate, an individual permission entry is created for each of the following types of permissions:

• Read <PropertySetName> or Write <PropertySetName>
• Read <PropertyName> or Write <PropertyName>
• Create <ChildObjectType> Objects or Delete <ChildObjectType> Objects
• <SpecificExtendedRight>
• Validated write to <ValidatableProperty> or <SpecificValidatedOperation>

The cost in computing resources (the hard disk and the CPU) of performing an access check on an object is directly proportional to the number of ACEs in the ACL on that object. Because a search typically must perform access checks against a number of objects, the total cost of access checking during a search rises very quickly with the number of ACEs on each object searched. When the number of ACEs is very large, the performance of access checks may be reduced to an undesirable level.

A second, less obvious problem occurs with caching. Parts of the Active Directory database are cached in physical memory. When objects are cached, their security descriptors are cached as well. If the security descriptors on many objects in the database are large, fewer objects will be cached, and overall directory performance may suffer as a result of fewer cache hits.

Use the following guidelines, listed in order of importance, to minimize the number of permission entries on a Directory Service object ACL:

• Allow Full Control, rather than individual permissions, if the intention is to grant full access to the object.
• Allow Read All Properties or Write All Properties if fine-grained access to properties is not required.
• Allow Read or Write access to Property Sets, rather than individual Properties, when access to a subset of all properties is required.
• Allow Create All Child Objects or Delete All Child Objects if there is no need to grant, create, or delete child permission to a subset of child object types.
• Allow All Extended Rights permission if fine-grained access to individual Extended Rights is not required.
• Allow All Validated Writes permission if fine-grained access to individual Validated Writes is not required.

The above recommendations apply to Deny ACEs as well as Allow ACEs. The guidelines associated with property permissions are the most critical, because the potential number of individual property permissions is much greater than the potential number of child object types, extended rights, and validated rights.

Other Best Practices:

• Minimize the number of inheritable ACEs that apply to child objects, so that excessive numbers of ACEs are not propagated to a whole subtree of objects.
• Use groups to delegate authority over the directory using ACLs. If one set of users needs read permissions, and another set of users needs change permissions, then create one group for each set of users, and use the groups in the ACL. If multiple global groups need the same access, create a local group containing the global groups, and assign permissions to the local group.