Windows 2000 Security Technologies

Windows 2000 includes a variety of distributed security technologies that make it possible for you to provide strong, scalable cryptography-based security for open networks or closed networks. One of the cornerstones of many modern electronic cryptographic technologies is public key technology. Many of the public key security functions of distributed security systems require a public key infrastructure (also known as a PKI). Windows 2000 includes a public key infrastructure that can support a wide range of public key information security solutions. You can use public key technology in conjunction with other security technologies to provide comprehensive protection for intranets, extranets, and the Internet.

The following Windows 2000 distributed security systems use public key technology:

• A network logon authentication that uses the Kerberos v5 authentication protocol, including logging on with smart cards (a permitted extension to the Kerberos protocol).
• A routing and remote access service that supports secure remote access to network resources. Routing and Remote Access supports the following:
  • Integration with Active Directory^™, the Windows 2000 directory service that makes it possible to manage remote user authentication through the use of domain network user accounts and Group Policy settings.
  • Remote Authentication Dial-in User Service (RADIUS), which makes it possible to manage remote user authentication through a variety of authentication protocols.
  • User authentication that is based on the Extensible Authentication Protocol and Transport Layer Security (EAP-TLS). Supports the authentication of users through public key certificates and the smart card logon process.
  • Confidential communication over public Internet lines by using the Layer 2 Tunneling Protocol (L2TP) and the Point-to-Point Tunneling Protocol (PPTP).
  • Remote network access and logging on through the virtual private networks and public Internet service providers.
• Microsoft® Internet Information Services, which supports Web site security through certificate mapping and secure channel communications with the Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, and Server Gated Cryptography (SGC) protocol.
• IP Security, which supports IP-level, end-to-end authentication, integrity, anti-replay, and encrypted communication over open IP networks, including the Internet.
• Encrypting File System (EFS), which makes it possible for a user to encrypt folders and files for safekeeping and allows an administrator to recover files when the user's private key is damaged or lost.

In addition, Windows 2000 distributed security technologies support a wide range of open standards for network and information security, as recommended by the Internet Engineering Task Force (IETF) and other standards bodies. For example, the Windows 2000 public key infrastructure is based on the open standards that are recommended by the Public Key Infrastructure (X.509) (PKIX) working group of the IETF. Because Windows 2000 security is based on open standards, the security solutions you implement can operate with many standards-compliant, third-party operating systems and security products.

Public key security in Windows 2000 is based on industry-standard public key technologies, such as the Diffie-Hellman (DH) algorithm, the RSA cryptographic algorithms developed by RSA Data Security, and the Digital Signature Algorithm. Windows 2000 security also makes use of the industry-standard, X.509 version 3 digital certificates that are issued by the certification authorities that you choose to trust. Many Windows 2000 security features use public key technology as well as certificates to provide authentication, integrity, confidentiality, and nonrepudiation for network and information security.

© 1985-2000 Microsoft Corporation. All rights reserved.