Everywhere you look, you see the Internet. Electronic commerce, or e-commerce—doing business on the World Wide Web—is the latest and greatest thing in the corporate world. Many large and small companies are already conducting business with their customers and business partners over the Internet. More and more, employees in the field use local access to public networks, such as an Internet service provider (ISP), and then connect to remote corporate networks via virtual private networking (VPN). Windows 2000 is designed to support this growing and ever-changing area of distributed partnership and interbusiness access.
Security technologies are changing all the time as well. Windows 2000 supports multiple security protocols and provides for a migration path to new technologies as they become available.
By integrating Windows 2000’s security subsystem with Active Directory, Microsoft makes administration of external users easier. For instance, OUs can be created for users outside the organization who need access.
You can establish VPNs, using Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP), both supported by Windows 2000, through which users can establish a secure connection to your company LAN from a remote location.
Active Directory’s domain trust model is another mechanism that is useful in setting up interbusiness relationships. The hierarchical structure of the Active Directory domain tree and the namespace integration with DNS make it easier to route information between separate domains in an enterprise network.
Finally, Windows 2000’s support of industrywide security protocol standards such as Kerberos, SSL, and X.509v3 certificates simplifies the establishment of interbusiness communications over the Internet.
Summary
Computer security is of major concern to organizations today due to many factors; greater levels of accessibility and connectivity make companies vulnerable to attacks from outsiders or even ill-intentioned insiders. This vulnerability is exacerbated by an increasing number of people who have a combination of the technical knowledge, the motive, and the opportunity to hack into corporate networks. In response, the security services in the new Windows 2000 operating system have been drastically revamped and include many significant improvements over those of Windows NT.
The foundation of Windows 2000’s security subsystem is its role as one of many distributed services and its interaction and integration with directory services. By storing security information and policies in Active Directory, Microsoft has made them more granular, easier to manage, and more fault tolerant through AD replication.
Windows 2000, unlike NT, supports a multiplicity of security protocols. These include Microsoft’s proprietary NTLM for backward compatibility as well as industry-standard specifications such as the popular Kerberos protocol and Public Key Infrastructure with X.509v3 certificates. Microsoft has provided many security-related services and components with Windows 2000 Server, such as Microsoft Certificate Server and the CryptoAPI. Finally, because security threats can come from either within the organization or across the global Internet to which most modern corporations are connected, Microsoft has designed Windows 2000 with a dual focus to withstand both internal and external attacks. The growing phenomenon of interbusiness computer communications has also been taken into account and provisions made for creating an environment that allows remote access that is both convenient and safe.
The goals of high security—to protect against unauthorized access and to provide easy accessibility for those who are authorized—will always be at odds. In designing Windows 2000, Microsoft has attempted to balance these two conflicting needs in a way that will provide companies with options that can be easily customized to fit their individual situations and desires.
As networks grow, the role of security in the enterprise will become an even bigger issue. Windows 2000’s modular design is intended to allow for adaptation in an ever-changing and increasingly connected world.
Solutions Fast Track
Windows 2000 Distributed Security Services
✓ The following security features make up distributed security services:
■ Active Directory security provides two-way transitive trusts, the granular assignment of access rights, and the ability to delegate administration.
■ Multiple security protocols, such as Kerberos and NTLM, are supported in Windows 2000.
■ The Security Support Provider Interface reduces the amount of code needed at the application level to support multiple security protocols.
■ Secure Sockets Layer provides secure communications over the Internet. SSL utilizes a combination of public and secret key technology.
■ Microsoft Certificate Server (MCS) is built into Windows 2000 Server. MCS issues and manages the certificates for your company and trusted partners.
■ CryptoAPI is an application programming interface that allows applications to encrypt data using cryptographic service providers. CryptoAPI protects the user’s private key data during this process.
■ Single sign-on allows a user to log on to the domain just once and authenticate to any computer in the domain.
Active Directory and Security
✓ Active Directory uses the transitive trust model within the forest.
✓ Active Directory replicates all Active Directory objects to every domain controller in a domain. This allows accessibility to the objects at the closest domain controller.
✓ Active Directory supports the delegation of administrative responsibilities to users or groups.
✓ Active Directory is made up of the Forest, Trees, Domains, Organizational Units, Sites, and Leaf objects.
Security Protocols
✓ NTLM authentication is slower than Kerberos authentication.
✓ NTLM performs one-way authentication. Kerberos provides mutual (two-way) authentication.
✓ NTLM trusts are one-way and nontransitive. Kerberos trusts are two-way and transitive.
✓ NTLM is proprietary and not compatible with non-Microsoft networks.
✓ Kerberos is a secret key (symmetric) encryption protocol.
✓ Windows 2000 domain controllers run the Kerberos server service, which allows Kerberos passwords and identities to be stored in Active Directory.
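The mutual authentication contrast above (NTLM one-way, Kerberos two-way, built on shared secret keys held by the KDC), as an added example that is not from the book: a simplified Python model of the Kerberos ticket exchange in which the client checks the server's reply and rejects a server that never held the service key. The principals alice@CORP and host/fs1@CORP, the key table, and the toy cipher are constructed placeholders for this illustration, not Windows 2000 code.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for the Kerberos enctypes; NOT real Kerberos crypto.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

# Constructed KDC key table (the book says these identities live in Active Directory); placeholder principals.
KEYS = {"alice@CORP": os.urandom(32), "host/fs1@CORP": os.urandom(32)}

def kdc_issue_ticket(client, service):
    # TGS reply: a fresh session key for the client plus a ticket that only the service can open.
    session = os.urandom(32)
    ticket = seal(KEYS[service], {"client": client, "session": session.hex()})
    return seal(KEYS[client], {"session": session.hex(), "ticket": ticket.hex()})

def client_ap_req(client, reply):
    # AP_REQ: the ticket plus an authenticator (client name and timestamp) sealed under the session key.
    cred = unseal(KEYS[client], reply)
    session, ts = bytes.fromhex(cred["session"]), int(time.time())
    return session, ts, bytes.fromhex(cred["ticket"]), seal(session, {"client": client, "ts": ts})

def service_ap_rep(service_key, ticket, authenticator):
    # Server side: open the ticket with its own long-term key, then check the authenticator against it.
    t = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return seal(bytes.fromhex(t["session"]), {"ts": auth["ts"]})  # AP_REP echoes the client's timestamp

def run(impostor=False):
    # Returns True when the client accepts the server; an impostor without the service key cannot open the ticket.
    service_key = os.urandom(32) if impostor else KEYS["host/fs1@CORP"]
    session, ts, ticket, auth = client_ap_req("alice@CORP", kdc_issue_ticket("alice@CORP", "host/fs1@CORP"))
    try:  # mutual authentication: only a server that opened the ticket can echo ts under the session key
        return unseal(session, service_ap_rep(service_key, ticket, auth))["ts"] == ts
    except ValueError:
        return False
```

An NTLM-style one-way exchange has no step corresponding to the AP_REP check in run(), which is why the client there has no way to detect a rogue server.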
Internet Single Sign-On
✓ Single sign-on (SSO) allows a user to log on once and access multiple computers, decreasing the amount of administrative support required.
✓ There are two parts to the single sign-on process in a Windows 2000 domain: interactive logon and network authentication.
✓ Interactive logon requires that users log on with a username and a password or a smart card. Kerberos is the default authentication used for an interactive logon.
✓ Kerberos v5, Secure Sockets Layer/Transport Layer Security, and NTLM can all be used for network authentication.