Windows NT Distributed Security Services Technology Preview
There are many areas where Windows NT security changes to support the Internet-based Enterprise. Some of the changes reflect advances in supporting large organizations through the use of the hierarchical Windows NT Directory Services. Other changes take advantage of the flexibility of the Windows NT security architecture to integrate authentication using Internet public-key certificates.
The list below introduces the new Windows NT security features:
- The Windows NT Directory Service provides the store for all domain security policy and account information. The Directory Service provides replication and availability of account information to multiple Domain Controllers and is available for remote administration.
- The Windows NT Directory Service supports a hierarchical name space for user, group, and machine account information. Accounts can be grouped by Organizational Units rather than the flat domain account name space provided by earlier versions of Windows NT.
- Administrator rights to create and manage user or group accounts can be delegated at the level of Organizational Units. Access rights can be granted on individual properties of user objects, so that, for example, a specific individual or group holds only the right to reset passwords and cannot modify other account information.
- Windows NT Directory Service replication allows account updates to be made at any Domain Controller and not just the Primary Domain Controller (PDC). Directory Service replicas at other Domain Controllers, what used to be known as Backup Domain Controllers (BDCs), are updated and synchronized automatically.
- The Windows NT domain model changes, using the Windows NT Directory Service, to support a multilevel hierarchical tree of domains. Management of trust relationships between domains is simplified through transitive trust throughout the domain tree.
- New authentication protocols based on Kerberos Version 5 and on Secure channel using public-key certificates (Secure Sockets Layer 3.0 and Private Communications Technology [PCT] 1.0) become the primary distributed security protocols, while the Windows NT LAN Manager authentication protocols continue to be supported for compatibility.
- The implementation of the Secure channel security protocols (SSL 3.0/PCT) supports strong client authentication by mapping user credentials, in the form of public-key certificates, to existing Windows NT accounts. The same administration tools are used to manage account information and access control whether shared-secret authentication or public-key security is in use.
- Windows NT provides Certificate Services so that organizations can issue X.509 Version 3 certificates to their employees or business partners. The CryptoAPI Version 2 certificate library APIs and modules that handle public-key certificates can use standard-format certificates issued by a commercial Certificate Authority (CA), a third-party CA, or the Windows NT Certificate Server.
- System administrators define which CAs are trusted in their environment and therefore which certificates are accepted for client authentication and access to resources.
- External users who do not have Windows NT accounts can be authenticated using public-key certificates and mapped to an existing Windows NT account. The access rights defined for that Windows NT account determine which resources the external users may use on the system. Client authentication using public-key certificates allows Windows NT to authenticate external users based on certificates issued by trusted Certificate Authorities.
- Windows NT users have easy-to-use tools and common interface dialogs for managing the personal private/public key pairs and certificates they use to access Internet-based resources. Personal security credentials are kept in secure disk-based storage and are easily transported using Microsoft's proposed industry-standard protocol, Personal Information Exchange. The operating system also has integrated support for smart card devices.
- Encryption technology is engineered into the operating system in many ways to take advantage of digital signatures for providing authenticated data streams. In addition to signed ActiveX™ controls and Java classes for Microsoft Internet Explorer 3.0, Windows NT will use digital signatures to verify the image integrity of a variety of program components. In-house developers can also create signed software for distribution and virus protection.
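The Organizational Unit delegation and property-level access rights listed above can be illustrated with a small model. The following Python is an added example written for this page, not Windows NT's own access-check logic or ACL format; the OU paths, group names and operation names are constructed, and the rule that a right granted at an OU flows down to every object and sub-OU beneath it is a modelling assumption.

```python
# Simplified model of OU-scoped, property-level delegation, constructed for
# this page (not Windows NT's own ACL format): a right granted at an OU applies
# to every object and sub-OU beneath it, a grant names one property or all
# properties ("*"), and anything not explicitly granted is denied.
from dataclasses import dataclass

ALL_PROPERTIES = "*"

@dataclass(frozen=True)
class Grant:
    trustee: str                 # user or group receiving the right
    ou: str                      # OU path where it is granted, e.g. "corp/sales"
    operation: str               # e.g. "write" or "create-account"
    prop: str = ALL_PROPERTIES   # one property such as "password", or "*"

def ou_chain(ou_path):
    """Return the OU itself followed by each of its ancestors up to the root."""
    parts = ou_path.split("/")
    return ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]

def is_allowed(grants, groups, trustee, ou_path, operation, prop=ALL_PROPERTIES):
    """True if the trustee, or a group it belongs to, holds a matching grant
    at the object's OU or at any ancestor OU (rights inherit down the tree)."""
    principals = {trustee, *groups.get(trustee, ())}
    scopes = set(ou_chain(ou_path))
    return any(
        g.trustee in principals
        and g.ou in scopes
        and g.operation == operation
        and g.prop in (ALL_PROPERTIES, prop)
        for g in grants
    )

# Constructed sample policy: helpdesk may only reset passwords under corp/sales,
# sales-admins may change any property and create accounts there, and nothing
# at all has been delegated under corp/finance.
GROUPS = {"alice": {"helpdesk"}, "bob": {"sales-admins"}}
GRANTS = [
    Grant("helpdesk", "corp/sales", "write", "password"),
    Grant("sales-admins", "corp/sales", "write"),
    Grant("sales-admins", "corp/sales", "create-account"),
]

def check(trustee, ou_path, operation, prop=ALL_PROPERTIES):
    return is_allowed(GRANTS, GROUPS, trustee, ou_path, operation, prop)

if __name__ == "__main__":
    print(check("alice", "corp/sales/east", "write", "password"))  # True: inherited
    print(check("alice", "corp/sales", "write", "title"))           # False: only password
```

The last call shows the least-privilege point of the list item: the helpdesk delegation reaches sub-OUs of corp/sales but covers no property other than the password.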
In addition to these changes, we expect third parties to host dynamic password authentication services on Windows NT Server and integrate dynamic passwords with Windows NT Domain authentication. The APIs and documentation to support these third-party products are available in the Win32® SDK for Windows NT 4.0.
Each of the above new features of Windows NT security is described in more detail in the following sections.