Security Enhancements

In the Windows Server 2003 family, Active Directory has been enhanced with some additional security features that make it easier to manage multiple forests and cross-domain trusts. In addition, the new Credential Manager provides a secure store of user credentials and X.509 certificates.

Forest Trust Management

Forest trust is a new type of Windows trust for managing the security relationship between two forests. This feature vastly simplifies cross-forest security administration and enables the trusting forest to enforce constraints on which security principal names it trusts other forests to authenticate. This feature includes the following:

  • A new trust type that allows all domains in one forest to (transitively) trust all domains in another forest, via a single trust link between the two forest root domains.

  • Forest trust is not transitive at the forest level across three or more forests. If Forest A trusts Forest B, and Forest B trusts Forest C, this does not create any trust relationship between Forest A and Forest C.

  • Forest trusts can be one-way or two-way.

  • A new wizard simplifies creating all types of trust links, especially forest trust.

  • A new property page lets you manage the trusted namespaces associated with forest trusts.

  • Trusted namespaces are used to route authentication and authorization requests for security principals whose accounts are maintained in a trusted forest.

  • The domain (DNS and NetBIOS), user principal name (UPN) suffix, service principal name (SPN), and security identifier (SID) namespaces that a forest publishes are collected from the trusted forest when the forest trust is created and can be refreshed later from the Active Directory Domains and Trusts snap-in.

  • A forest is trusted to be authoritative for the namespaces it publishes on a first-come, first-served basis, as long as they do not collide with namespaces already trusted through an existing forest trust relationship.

  • Overlapping trusted namespaces are automatically prevented. Administrators can also manually disable individual trusted namespaces.
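The following model, added here as an illustration rather than code from the book or from Windows, shows how the trusting forest's namespace table behaves: namespaces are accepted first come, first served, a later forest trust that publishes an overlapping name gets that entry disabled, an administrator can disable an entry by hand, and a principal name (UPN, SPN, NetBIOS name or SID) is matched against the enabled entries to produce the routing hint that the cross-forest authentication section below relies on. The forest names, SIDs and the exact overlap rule (either direction counts as a collision) are assumptions chosen for the example.

```python
"""Added illustration, not Windows code: a trusting forest's trusted-namespace
table built from forest trusts, and the name-matching step that turns a
principal name into a routing hint. Forest names, SIDs and the exact collision
rule are assumptions chosen for the example."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Namespace:
    kind: str       # "dns", "netbios", "upn" or "sid"
    value: str      # "fabrikam.com", "FABRIKAM", "S-1-5-21-1111-2222-3333", ...
    forest: str     # trusted forest that published it
    enabled: bool = True


def _within(name: str, ns: str) -> bool:
    """True if DNS-style `name` equals `ns` or lies beneath it."""
    name, ns = name.lower().strip("."), ns.lower().strip(".")
    return name == ns or name.endswith("." + ns)


class TrustedNamespaces:
    """Namespaces the trusting forest routes to other forests."""

    def __init__(self) -> None:
        self.entries: list[Namespace] = []

    def _claimed_by_other(self, kind: str, value: str, forest: str) -> bool:
        for e in self.entries:
            if e.forest == forest or e.kind != kind:
                continue
            if kind in ("dns", "upn"):
                # Overlap in either direction counts as a collision (assumption).
                if _within(value, e.value) or _within(e.value, value):
                    return True
            elif e.value.lower() == value.lower():
                return True
        return False

    def add_forest_trust(self, forest: str, published: list[tuple[str, str]]) -> list[str]:
        """Record what a newly trusted forest publishes; first come, first served.

        A namespace already claimed through an earlier forest trust is kept in
        the table but disabled, so it never produces a routing hint.
        Returns the rejected values.
        """
        rejected: list[str] = []
        for kind, value in published:
            ok = not self._claimed_by_other(kind, value, forest)
            self.entries.append(Namespace(kind, value, forest, enabled=ok))
            if not ok:
                rejected.append(value)
        return rejected

    def disable(self, kind: str, value: str) -> None:
        """Administrator manually disables one trusted namespace."""
        for e in self.entries:
            if e.kind == kind and e.value.lower() == value.lower():
                e.enabled = False

    def _match(self, kind: str, value: str) -> str | None:
        best: Namespace | None = None
        for e in self.entries:
            if not e.enabled or e.kind != kind:
                continue
            if kind in ("dns", "upn"):
                if _within(value, e.value) and (best is None or len(e.value) > len(best.value)):
                    best = e            # most specific published name wins
            elif e.value.lower() == value.lower():
                best = e
        return best.forest if best else None

    def route(self, principal: str) -> str | None:
        """Routing hint: the trusted forest that should authenticate `principal`,
        or None when no enabled trusted namespace matches (resolve locally)."""
        if principal.upper().startswith("S-1-5-21-"):            # SID -> its domain SID
            return self._match("sid", principal.rsplit("-", 1)[0])
        if "\\" in principal:                                      # DOMAIN\user
            return self._match("netbios", principal.split("\\", 1)[0])
        if "@" in principal:                                       # user@upn-suffix
            suffix = principal.rsplit("@", 1)[1]
            return self._match("upn", suffix) or self._match("dns", suffix)
        if "/" in principal:                                       # SPN: class/host[:port]
            host = principal.split("/", 2)[1].split(":", 1)[0]
            return self._match("dns", host)
        return None


def demo() -> dict[str, object]:
    """Constructed sample: two forest trusts created in this order."""
    table = TrustedNamespaces()
    table.add_forest_trust("fabrikam.com", [
        ("dns", "fabrikam.com"), ("netbios", "FABRIKAM"),
        ("upn", "fabrikam.com"), ("sid", "S-1-5-21-1111-2222-3333"),
    ])
    rejected = table.add_forest_trust("tailspintoys.com", [
        ("dns", "tailspintoys.com"), ("netbios", "TAILSPIN"),
        ("upn", "fabrikam.com"),       # already claimed by fabrikam.com
        ("dns", "eu.fabrikam.com"),    # child of a claimed name
        ("sid", "S-1-5-21-4444-5555-6666"),
    ])
    before = table.route("HOST/web01.tailspintoys.com")
    table.disable("dns", "tailspintoys.com")   # manual administrative override
    return {
        "rejected": rejected,
        "upn": table.route("alice@sales.fabrikam.com"),
        "netbios": table.route("TAILSPIN\\bob"),
        "sid": table.route("S-1-5-21-4444-5555-6666-500"),
        "unknown": table.route("carol@contoso.com"),
        "spn_before_disable": before,
        "spn_after_disable": table.route("HOST/web01.tailspintoys.com"),
    }


if __name__ == "__main__":
    for key, hint in demo().items():
        print(f"{key:20} {hint}")
```

On a real forest trust this table lives in the msDS-TrustForestTrustInfo attribute of the trustedDomain object, which is what the Domains and Trusts property page edits; the point the model makes is that a disabled or colliding entry silently stops routing, so a user whose UPN suffix lost the first-come race will fail to authenticate across the trust until the conflict is resolved.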

More Security Enhancements

Additional security enhancements to Active Directory include the following:

  • Cross-forest authentication.

    Cross-forest authentication enables secure access to resources when the user account is in one forest and the computer account is in another forest. This feature allows users to securely access resources in other forests, using either Kerberos or NTLM, without sacrificing the single-sign-on and administrative benefits of having only one user ID and password maintained in the user's home forest. Cross-forest authentication includes:

    • Name resolution.

      When the local domain controller cannot resolve a principal name for a Kerberos or NTLM request, it queries a global catalog. When the global catalog cannot resolve the name either, it calls a new cross-forest name matching function, which compares the security principal name with the trusted namespaces of all trusted forests. If a match is found, it returns the name of the trusted forest as a routing hint.

    • Request routing.

      Kerberos and NTLM use routing hints to route authentication requests along the trust path from the originating domain to the probable target domain. For Kerberos, Key Distribution Centers (KDCs) generate referrals that follow the trust path, and the client chases them in standard Kerberos fashion. For NTLM, domain controllers chain the request across secure channels that follow the trust path, using pass-through authentication.

    • Authentication supported.

      Supported authentication methods include Kerberos and NTLM network logon for remote access to a server in another forest, Kerberos and NTLM interactive logon for physical logon outside the user's home forest, and Kerberos delegation to N-tier applications in another forest. UPN credentials are fully supported.

  • Cross-forest authorization.

    Cross-forest authorization makes it easy for administrators to select users and groups from trusted forests for inclusion in local groups or ACLs. This feature maintains the integrity of the forest security boundary while allowing trust between forests. It enables the trusting forest to enforce constraints on which security identifiers (SIDs) it will accept when users from trusted forests attempt to access protected resources. Here's more information about authorization:

    • Group membership and ACL management.

      The object picker has been enhanced to support selection of user or group names from a trusted forest. Names must be typed in completely. Enumeration and wildcard searches are not supported.

    • Name-SID translation.

      The object picker and the ACL editor use system APIs to store SIDs in group-member and ACL entries and to translate them back to friendly names for display purposes. Name-SID translation APIs are enhanced to use cross-forest routing hints, and they leverage NTLM's secure channels between domain controllers along the trust path to resolve security principal names or SIDs from trusted forests.

    • SID filtering.

      SIDs are filtered when authorization data passes from the root domain of the trusted forest to the root domain of the trusting forest. The trusting forest accepts only SIDs that are relative to domains it trusts the other forest to manage; any other SID, including one carried in SIDHistory, is discarded. SID filtering is enforced automatically for Kerberos and NTLM authentication and for name-SID translation. It is on by default for forest trusts and should stay on: turning it off lets the trusted forest assert SIDs from the trusting forest's own domains, such as its Enterprise Admins group.

  • Cross-certification enhancements.

    Client-side cross-certification in Windows Server 2003 is enhanced to support both department-level and global-level cross-certifications. For example, WinLogon can now query for cross-certificates and download them into the Enterprise Trust store; as a certificate chain is built, all cross-certificates along it are downloaded.

  • IAS and cross-forest authentication.

    When Active Directory forests are joined by a two-way forest trust, an Internet Authentication Service (IAS, the Windows RADIUS server) can authenticate user accounts that live in the other forest. This lets administrators integrate new forests with the IAS/RADIUS services that already exist in their own forest.

  • Credential management.

    The Credential Manager feature provides a secure store of user credentials, including passwords and X.509 certificates. This will provide a consistent single-sign-on experience for users, including roaming users. For example, when a user accesses a line-of-business application within his or her company's network, the first attempt to access this application requires authentication and the user is prompted to supply a credential. After the user provides this credential, it is associated with the requesting application. In future access to this application, the saved credential is reused without user prompting.
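The SID filtering rule stated under cross-forest authorization above (accept only SIDs relative to domains the trusted forest is trusted to manage, discard everything else) is shown below as an added example; it is not code from the book or from Windows, and the forest names, domain SIDs and the incoming SID list are constructed for the example. The sample deliberately includes the two cases a practitioner cares about: a SIDHistory entry that claims membership in the trusting forest's own Enterprise Admins group, and a SID from a third forest that the trusted forest trusts but the trusting forest does not (forest trusts are not transitive across three forests).

```python
"""Added illustration, not Windows code: forest-trust SID filtering as applied
by the trusting forest's root domain controller. The domain SIDs, account SIDs
and forest names are constructed for the example."""
from __future__ import annotations
from dataclasses import dataclass


def domain_sid(sid: str) -> str | None:
    """S-1-5-21-A-B-C-RID -> S-1-5-21-A-B-C; None for anything else."""
    parts = sid.upper().split("-")
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    return "-".join(parts[:7])


@dataclass(frozen=True)
class ForestTrust:
    trusted_forest: str
    domain_sids: frozenset[str]     # collected from the trusted forest at trust creation
    sid_filtering: bool = True      # on by default for a forest trust


def filter_authorization_data(trust: ForestTrust, sids: list[str]) -> tuple[list[str], list[str]]:
    """Keep only SIDs relative to domains the trusted forest is trusted to
    manage; everything else is discarded. Returns (accepted, discarded)."""
    if not trust.sid_filtering:
        return list(sids), []           # filtering disabled: every SID is honoured
    accepted: list[str] = []
    discarded: list[str] = []
    for sid in sids:
        if domain_sid(sid) in trust.domain_sids:
            accepted.append(sid)
        else:
            discarded.append(sid)
    return accepted, discarded


# Constructed sample SIDs.
CONTOSO_ROOT = "S-1-5-21-100-200-300"         # trusting forest (local) root domain
FABRIKAM_ROOT = "S-1-5-21-1111-2222-3333"     # trusted forest root domain
FABRIKAM_SALES = "S-1-5-21-1111-2222-4444"    # child domain sales.fabrikam.com
TAILSPIN_ROOT = "S-1-5-21-7777-8888-9999"     # forest trusted by fabrikam, not by contoso

TRUST = ForestTrust("fabrikam.com", frozenset({FABRIKAM_ROOT, FABRIKAM_SALES}))

# What fabrikam's root DC hands over for alice@sales.fabrikam.com, including
# three SIDs that must not be honoured: the trusting forest's own Enterprise
# Admins (RID 519) carried in SIDHistory, a group from a third forest that
# fabrikam trusts but contoso does not, and a domain fabrikam never published.
INCOMING = [
    FABRIKAM_SALES + "-1105",          # alice
    FABRIKAM_SALES + "-513",           # Domain Users of sales.fabrikam.com
    FABRIKAM_ROOT + "-1200",           # universal group in the fabrikam root domain
    CONTOSO_ROOT + "-519",             # contoso Enterprise Admins via SIDHistory -> drop
    TAILSPIN_ROOT + "-1300",           # tailspintoys.com group -> drop (not transitive)
    "S-1-5-21-1111-2222-5555-1400",    # unpublished domain -> drop
]


def demo(sid_filtering: bool = True) -> tuple[list[str], list[str]]:
    """Run the constructed PAC through the trust with filtering on or off."""
    trust = ForestTrust(TRUST.trusted_forest, TRUST.domain_sids, sid_filtering)
    return filter_authorization_data(trust, INCOMING)


if __name__ == "__main__":
    accepted, discarded = demo()
    print("accepted :", accepted)
    print("discarded:", discarded)
```

The state that the `sid_filtering` flag stands for is per trust: on a real forest trust, `netdom trust <trusting-root> /domain:<trusted-root> /enablesidhistory:Yes` switches filtering off (and `/enablesidhistory:No` restores the default); with it off, the CONTOSO_ROOT-519 entry in the sample would survive and the caller would be treated as an Enterprise Admin of the trusting forest.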




Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153
