Authentication


Authentication is the process of verifying that a person, an entity, or an object is who or what he, she, or it claims to be. Examples include confirming the source and integrity of information, such as verifying a digital signature or verifying the identity of a user or computer.

Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Windows Server 2003 family authentication enables single sign-on to all network resources. With single sign-on, a user can log on to the domain once, using a single password or smart card, and authenticate to any computer in the domain.

Authentication Types

In attempting to authenticate a user, several industry-standard types of authentication can be used, depending on a variety of factors. The types of authentication that the Windows Server 2003 family supports are as follows:

  • Kerberos V5 authentication.

    This protocol is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services.

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication.

    This protocol is used when a user attempts to access a secure Web server.

  • NTLM authentication.

    This protocol is used when either the client or the server uses a previous version of Windows.

  • Digest authentication.

    Digest authentication transmits credentials across the network as an MD5 hash or message digest.

  • Passport authentication.

    Passport authentication is a user-authentication service that offers single-sign-on service.
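As an added illustration of the Digest mechanism listed above (this is example code, not from the book and not Microsoft's implementation), the following models the RFC 2617 qop="auth" exchange: the server stores only HA1 = MD5(user:realm:password), the client sends an MD5 digest bound to a server nonce instead of the password, and the server treats each nonce as single use so a captured response cannot be replayed. The realm, user name, password and client nonce are constructed sample values.

```python
import hashlib
import secrets

REALM = "example.corp"  # constructed realm name


def _md5(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """Password-derived secret shared by client and server (RFC 2617 HA1)."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """Client-side qop="auth" response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{h2}")


class DigestServer:
    def __init__(self, users: dict):
        # users maps username -> plaintext password; only HA1 is retained.
        self._ha1 = {u: ha1(u, REALM, p) for u, p in users.items()}
        self._issued = set()  # nonces handed out and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued.add(nonce)
        return nonce

    def verify(self, username, method, uri, nonce, nc, cnonce, response) -> bool:
        # Reject unknown users and nonces the server never issued or already consumed.
        if username not in self._ha1 or nonce not in self._issued:
            return False
        expected = digest_response(self._ha1[username], method, uri, nonce, nc, cnonce)
        ok = secrets.compare_digest(expected, response)
        if ok:
            self._issued.discard(nonce)  # single use: a replayed response fails
        return ok


def demo(password: str = "S3cret!", attempt: str = None):
    """One exchange; returns (server accepted?, plaintext password seen on the wire?)."""
    server = DigestServer({"alice": password})
    nonce = server.challenge()
    cnonce = "0a4f113b"  # constructed client nonce
    h1 = ha1("alice", REALM, attempt if attempt is not None else password)
    resp = digest_response(h1, "GET", "/secure/", nonce, "00000001", cnonce)
    wire = f'username="alice", uri="/secure/", nonce="{nonce}", response="{resp}"'
    return server.verify("alice", "GET", "/secure/", nonce, "00000001", cnonce, resp), password in wire
```

Because verification needs HA1, the server's credential store is still a high-value target even though the password itself never crosses the network.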

Internet Information Services Security

When you use Internet Information Services (IIS), authentication is critical to security. IIS 6.0 is a full-featured Web server that provides the foundation for the Microsoft .NET Framework and existing Web applications and Web services. IIS 6.0 has been optimized to run Web applications and Web services in a hosting environment. Many new features have been included in IIS to enhance security, reliability, manageability, and performance.

Using IIS, you can isolate an individual Web application or multiple sites into a self-contained Web service process that communicates directly with the kernel. These self-contained Web service processes prevent one application or site from disrupting the Web services of other Web applications on the server. IIS also provides health monitoring capabilities to discover, recover, and prevent Web application failures.

Because security is an important consideration for a Web server, you can use IIS to protect your Web server from real-world attacks. IIS is a robust platform that provides the tools and features necessary to easily manage a secure server. For more information about security features in IIS 6.0, see Chapter 8, "Internet Information Services."

Interactive Logon

Interactive logon confirms the user's identification to the user's local computer or Active Directory account. For more information about Active Directory and security, see Chapter 3, "Active Directory."

Network Authentication

Network authentication confirms the user's identification to any network service that the user is attempting to access. To provide this type of authentication, the security system includes these authentication mechanisms:

  • Kerberos V5

  • Public key certificates

  • Secure Sockets Layer/Transport Layer Security (SSL/TLS)

  • Digest

  • NTLM (for compatibility with Windows NT 4.0-based systems)

Single Sign-On

Single sign-on makes it possible for users to access resources over the network without having to repeatedly supply their credentials. For the Windows Server 2003 family, users need to authenticate only once to access network resources; subsequent authentication is transparent to the user.

Two-Factor Authentication

Authentication in the Windows Server 2003 family also includes two-factor authentication, such as smart cards. Smart cards are a tamper-resistant and portable way to provide security solutions for tasks such as client authentication, logging on to a Windows Server 2003 family domain, code signing, and securing e-mail. Support for cryptographic smart cards is a key feature of the public key infrastructure (PKI) that Microsoft has integrated into Windows XP and the Windows Server 2003 family. Smart cards provide the following:

  • Tamper-resistant storage for protecting private keys and other forms of personal information.

  • Isolation of security-critical computations involving authentication, digital signatures, and key exchange from other parts of the computer that do not have a need to know. These operations are all performed on the smart card.

  • Portability of credentials and other private information between computers at work, at home, or on the road.

Logging on to a network with a smart card provides a strong form of authentication because it uses cryptography-based identification and proof of possession when authenticating a user to a domain. For example, if a malicious person obtains a user's password, that person can assume the user's identity on the network simply through use of the password. Many people choose passwords they can remember easily, which makes passwords inherently weak and open to attack.

In the case of smart cards, that same malicious person would have to obtain both the user's smart card and the personal identification number (PIN) to impersonate the user. This combination is obviously more difficult to attack because an additional layer of information is needed to impersonate a user. An additional benefit is that, after a small number of unsuccessful PIN inputs occur consecutively, a smart card is locked, making a dictionary attack against a smart card extremely difficult. (Note that a PIN does not have to be a series of numbers; it can also use other alphanumeric characters.) Smart cards are also resistant to undetected attacks because the malicious person must physically obtain the card, and a missing card is something the user is likely to notice quickly.

To log on to a domain with a smart card, users do not need to press Ctrl+Alt+Del. They simply insert the smart card into the smart card reader, and the computer prompts them for their personal identification number (PIN) instead of their user name and password.

Introducing Microsoft Windows Server 2003
ISBN: 0735615705
Year: 2005
Pages: 153