Part II: Technologies and Trade-Offs
Technologies and Trade-Offs
[Previous] [Next]
Chapter 3
Windows 2000 Security Overview
Microsoft Windows 2000 was designed as an extremely secure
operating system and includes
In the following sections, as listed below, we'll give an
overview of the security technologies implemented in Windows 2000
and explain the terminology
- Authenticated logon
- Authentication
- Privileges
-
User accounts and groups - Domains and workgroups
-
DOMAIN/Account names and user principal
names - Managing accounts
- Security identifiers (SIDs)
- Tokens
- Access control lists (ACLs)
- Impersonation
- Delegation
- Miscellaneous Windows 2000 security features
However, before we get started, it's important to discuss the security implications of a significant technology included with Windows 2000: the Active Directory service. (For non-security-related information about the Active Directory, see this book's bibliography.)
What Is a Service?Services are processes that start up when Windows 2000 starts up or on demand and that do not require any user interaction. Examples include Microsoft SQL Server, Internet Information Services (IIS), and the print spooler. You can look at the currently available services on your system by opening the Services tool.
One of the important new capabilities in Windows 2000 is the ability to perform a task in the event that a service fails:
- Right-click the service in question (for example, the IIS Admin Service).
- Choose Properties from the context menu.
- Click the Recovery tab.
- Look at the First Failure, Second Failure, and Subsequent Failures options.
The Impact of Active Directory
Active Directory is both a database about resources on a network—such as computers, users, and printers—and a directory service that makes the information in the database available to users and applications. Active Directory provides
By default, a machine running Windows 2000 Server does not have Active Directory installed. To install it, you must run the Active Directory Installation wizard, either by using the Dcpromo.exe tool at the command line or like so:
- Click Start.
- Select Programs, Administrative Tools, and then Configure Your Server.
- Select Active Directory, and click Start to start the wizard.
Once Active Directory is installed, a world of security possibilities opens up, as described in Table 3-1.
Table 3-1. Some of the advantages of Active Directory.
| Feature | Benefits |
|---|---|
| Kerberos V5 authentication | Single sign-on to multiple Windows 2000-based servers and other operating systems running the MIT Kerberos V5 authentication protocol. (Kerberos V5 is a fast, secure authentication protocol.) |
| Account delegation |
Kerberos authentication allows Windows 2000 to delegate
|
| Extensive public key support | Windows 2000 supports certificates and other public key technologies, but it is much more scalable and flexible when Active Directory is used because certificates can be associated automatically with the user accounts and machine accounts in the directory. |
|
|
Windows 2000 can use smartcards as an authentication mechanism when used in conjunction with Active Directory. |
| Easier administration |
In addition, an entire domain can be managed from a small number of tools. |
| Scalability | Active Directory is designed to hold millions of objects, such as users, computers, and printers, stored across thousands of machines. |