Security Basics

In Windows NT4 the authentication system is a development of the original Microsoft LAN Manager: the NTLM challenge/response protocol. In NT5 the default authentication protocol changes to Kerberos, a standard originally developed at MIT and since adopted by many other software vendors (NTLM remains available for older clients). NT5 also gains a new directory for storing account, security and other information, called Active Directory.

However, the way the security features are implemented underneath does not concern us in this book. What we are interested in is what we ought to consider when we build DNA applications. This includes understanding how NT organizes the details it holds about each user, and the ways in which it can control access to resources.

Domains And WorkGroups

Traditional PC networks were organized as workgroups. In a workgroup each machine keeps its own account database: it authenticates each user who logs on to it, and controls access only to the resources it holds itself. The major problem is that, for a new user to be able to access resources on several machines, you had to create that user's account (and keep the password in step) on every one of those machines.

This is unlike the more usual client/server, mainframe or minicomputer environment, where details of all users are kept on the server and each client logs on to the server itself. To achieve the same thing in a networked PC environment, one computer has to be designated the controller, and it stores all the security information.

In Windows NT, this is the Primary Domain Controller (PDC). Every other machine on the network still keeps its own local account database, used for local accounts and for the resources that machine itself contains, but the PDC holds the master copy of the domain database: the accounts, groups and passwords for all domain users. Note that the domain supplies the identities; the permissions on a particular file or share are still stored with that resource on the machine that holds it. One or more Backup Domain Controllers (BDCs) can keep a read-only replica of the domain database, to validate logons and spread the load during busy periods, or to be promoted to Primary Domain Controller if the existing one fails. Because the replica is read-only, every change to an account goes to the PDC and is then replicated to the BDCs.

For information about planning domains, trust relationships, and the other issues that are involved, see the Help file for User Manager, and the Books Online on the Windows NT Server CD-ROM. Alternatively, look out for one of the many books on the market that cover this topic in depth.

Network Protocols, Firewalls and Proxy Servers

If your network is connected to the Internet or another external network, you will also need to consider a gateway machine with two network cards (one on each network) running firewall or proxy server software. The gateway hides the internal network from the outside world, which sees only the gateway's external address, while still allowing internal users to reach the external network. Two things to check when you set this up: the gateway must be the only route between the two networks (no other dual-homed machine and no modem on an internal PC), and the gateway's own interfaces should accept no inbound connections except the services you deliberately intend to offer.
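The following is an added example, not code from the book, that models the gateway behaviour described above as a small stateful packet filter with address translation: internal hosts can open connections outwards, the outside sees only the gateway's external address, and only replies to connections the inside originated are let back in. A proxy server achieves the same hiding effect by originating the outbound connection itself; the translation table here stands in for that. All addresses (the 10.0.0.0/24 LAN, the gateway's 203.0.113.5 external address, the external hosts) are constructed assumptions drawn from the reserved documentation ranges, and the packets are made up.

```python
"""Toy dual-homed gateway: default-deny inbound, stateful replies, NAT-style hiding.

Added example; the addresses and packets below are constructed, not real traffic.
"""
from dataclasses import dataclass
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")        # assumption: the LAN behind the gateway
GATEWAY_EXTERNAL = ipaddress.ip_address("203.0.113.5")    # assumption: the gateway's outside NIC


@dataclass(frozen=True)
class Packet:
    iface: str          # NIC the packet is on: "inside" or "outside"
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Gateway:
    def __init__(self):
        # (internal host, internal port, external host, external port, proto) -> gateway port
        self.state = {}
        self.next_port = 40000

    def handle(self, pkt):
        """Return ("forward", packet as re-emitted on the other NIC) or ("drop", reason)."""
        src = ipaddress.ip_address(pkt.src)
        dst = ipaddress.ip_address(pkt.dst)

        if pkt.iface == "inside":
            if src not in INTERNAL_NET:
                return ("drop", "source on inside interface is not an internal address")
            if dst in INTERNAL_NET:
                return ("drop", "internal-to-internal traffic should not cross the gateway")
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if key not in self.state:
                self.state[key] = self.next_port   # record the connection the inside opened
                self.next_port += 1
            gw_port = self.state[key]
            # The outside world sees the gateway's address and port, never the internal host.
            return ("forward", Packet("outside", str(GATEWAY_EXTERNAL), gw_port,
                                      pkt.dst, pkt.dport, pkt.proto))

        if pkt.iface == "outside":
            if src in INTERNAL_NET:
                return ("drop", "internal address arriving on the outside interface (spoof)")
            if dst != GATEWAY_EXTERNAL:
                return ("drop", "destination is not the gateway; internal hosts are unreachable")
            # Only a reply to a connection the inside originated is translated back and let in.
            for (in_host, in_port, ext_host, ext_port, proto), gw_port in self.state.items():
                if (gw_port == pkt.dport and ext_host == pkt.src
                        and ext_port == pkt.sport and proto == pkt.proto):
                    return ("forward", Packet("inside", pkt.src, pkt.sport,
                                              in_host, in_port, proto))
            return ("drop", "unsolicited inbound connection")

        return ("drop", "unknown interface")


def run_demo():
    """Drive the gateway with constructed packets; returns the list of decisions."""
    gw = Gateway()
    results = []
    # 1. an internal client opens a connection to an external web server
    out = gw.handle(Packet("inside", "10.0.0.20", 1234, "198.51.100.80", 80))
    results.append(out)
    translated = out[1]
    # 2. the server's reply, addressed to the gateway's translated port, is forwarded inwards
    results.append(gw.handle(Packet("outside", "198.51.100.80", 80,
                                    str(GATEWAY_EXTERNAL), translated.sport)))
    # 3. an unsolicited probe at the gateway (e.g. NetBIOS session port) is dropped
    results.append(gw.handle(Packet("outside", "192.0.2.99", 5555, str(GATEWAY_EXTERNAL), 139)))
    # 4. an outsider addressing an internal host directly is dropped
    results.append(gw.handle(Packet("outside", "192.0.2.99", 5555, "10.0.0.20", 139)))
    # 5. a packet on the outside NIC claiming an internal source address is dropped
    results.append(gw.handle(Packet("outside", "10.0.0.7", 5555, str(GATEWAY_EXTERNAL), 40000)))
    return results


if __name__ == "__main__":
    for verdict, detail in run_demo():
        print(verdict, detail)
```

The point to take from cases 3 to 5 is that the internal addresses never appear on the outside interface in either direction: they are rewritten on the way out, unreachable as destinations from outside, and rejected as sources from outside. Real firewall products add timeouts to the connection table and per-service rules for anything you deliberately publish; this model has neither.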

There are whole books about network and Internet security, and if you are responsible for setting up the interface between your network and the outside world you should read up on these important topics. Look out for Professional Web Security (ISBN 1-861-00182-7) from Wrox Press, or visit Microsoft's Web site at http://www.microsoft.com/proxy/guide/firewall.asp.

© 1998 by Wrox Press. All rights reserved.