Planning Distributed Security |
To provide security for your Windows 2000 network, you must provide access for legitimate users but screen out intruders who are trying to break in. This means you must set up your security features to authenticate all user access to system resources. Authentication strategies set the level of protection against intruders trying to steal identities or impersonate users.
In Windows 2000, authentication for domain users is based on user accounts in Active Directory. Administrators manage these accounts using the Active Directory Users and Computers snap-in to the Microsoft Management Console (MMC). User accounts can be organized into containers called "organization units" that reflect the design of your Active Directory namespace. The default location for user accounts is the Users folder of this snap-in.
When a new user joins the organization, the administrator creates only a single account for that user rather than having to create half a dozen or more separate accounts on different servers and application databases. With the domain authentication service integrated with the enterprise directory, the single user account is also a directory entry for global address book information, as well as providing access to all network services. The user can log on at different client computers or laptops in the domain using only one password.
Windows 2000 automatically supports single sign-on for users within a domain forest. Domain trust relationships in the forest are bidirectional by default, so authentication in one domain is sufficient for referral or pass-through authentication to resources in other domains in the forest. The user logs on interactively at the beginning of a session, after which network security protocols (Kerberos v5 protocol, NTLM, and Secure Sockets Layer/Transport Layer Security) transparently prove the user's identity to all requested network services.
Windows 2000 optionally supports logging on with smart cards for strong authentication. The smart card is an identification card carried by the user that is used for interactive logon instead of a password. It can also be used for remote dial-up network connections and as a place to store public key certificates used for Secure Sockets Layer (SSL) client authentication or secure e-mail.
Authentication is not limited to users. Computers and services are also authenticated when they make network connections to other servers. For example, Windows 2000–based servers and client computers connect to their domain's Active Directory for policy information during startup. They authenticate to Active Directory and download computer policy from Active Directory before any user can log on to that computer. Computers and services also prove their identity to clients that request mutual authentication. Mutual authentication prevents an intruder from adding another computer as an imposter between the client and the real network server.
Computers and services can be "trusted for delegation," which means services can make other network connections "on behalf of" a user without knowing the user's password. The user must already have a mutually authenticated network connection to the service before the service can make a new network connection to another computer for that user. This is useful for multitier applications designed to use single sign-on capabilities across multiple computers. This feature is particularly useful in the context of an Encrypting File System (EFS) running on a file server. To use a service to delegate a network connection, use the Active Directory Users and Computers MMC snap-in. Then select the Trust computer for delegation check box on the property sheet.