In this chapter, we've given the vast topic of security a fair shake. We began by examining what security means in the intranet context. Narrowing it down to interactions between a web browser and a web server, we examined the specifics of where security measures should be implemented. We found that authentication of the client is a big and essential issue in intranet security. While simple on the surface, this is a complex task underneath and no standard implementation exists today. However, an all-Microsoft solution in an intranet environment can provide a secured environment with security features which can be transparent to an authorized end-user.
Laying the foundation for a more in-depth coverage of security, we examined all the fundamentals of Windows NT security. We covered the basic client/server security model, and stressed the importance of impersonation. We discovered the built-in and designed-in nature of Windows NT security and resolved the definitions of many security-specific terminologies.
We finally extend our discussion of security to the bigger picture of IIS, ISAPI Server Extensions, and DCOM distributed software components. Authentication is vital to proper IIS operations; we learnt about the anonymous user account created by IIS, and saw the importance of impersonation when accessing protected resources. ISAPI server extensions must work in harmony with the IIS and Windows NT security philosophy. This means the implementer must be careful not to grant the client process more access rights than it has. It also means a judicial use of impersonation wherever system resources are accessed.
In our DCOM security coverage, we examined the DCOM security blanket which significantly optimizes the security negotiation process. We discussed Access Security, Launch Security, and Call Security. The importance of fine-grain security control was stressed during our discussion, and we concluded with a comprehensive discussion of the APIs and COM interfaces available for both client and servers to set, discover, and manipulate security parameters.
The message is clear in this chapter. Security in the intranet context, or the distributed component computing context, is a nontrivial matter. A functional, secure computing environment requires careful planning and design. The Windows NT security model gives a solid and robust foundation upon which we can build more elaborate security schemes appropriate for our intranet project, using many of the new Win32 API and COM interfaces available.