Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM Authors: Howard M., Levy M., Waymire R. Published year: 1999 Pages: 26-28/138 |
Authentication is the process of verifying the identity of something or someone, otherwise known as a principal. Windows 2000 requires that all principals be authenticated before they can use services in the operating system. A principal can be authenticated in two ways: interactively and across the network.
An interactive logon is generated when a user is physically present at the computer and enters credentials, such as a username and password or a smartcard and personal identification number (PIN). The account logging on must have the Logon Locally logon right; if it does not, the account will fail to log on.
A network logon is generated when the user is connecting to a network computer. The account logging on must have the Access This Computer From The Network logon right or the logon will fail. For example, when a user accesses a resource, such as a printer, on a network computer running Windows 2000, the remote Windows 2000 operating system will automatically attempt a network logon.
Two other types of logon exist—batch logon and service logon—but users encounter them less often. Batch logon is usually reserved for applications that run as batch jobs, such as bank account reconciliation programs or very large print jobs; Windows itself seldom uses it. Service logon is required by accounts used to start a Windows service such as Microsoft SQL Server or the print spooler service. The appropriate logon right is required to log on as a batch job (Logon As A Batch Job) or as a service (Logon As A Service).
Windows 2000 supports many authentication protocols, including those used for dial-up authentication, Internet authentication, and network authentication. In the case of network authentication, Windows 2000 supports two protocols: Windows NT Challenge/Response (also called NTLM) and Kerberos V5.
NTLM is supported by Windows 95, Windows 98, Windows NT, and Windows 2000. In Windows 2000, it is the authentication mechanism used for computer communication between machines running Windows NT and Windows 2000. Kerberos V5 authentication is supported on Windows 2000 when Active Directory is installed, and it is the default authentication protocol.
For more information about NTLM, see "User Authentication with Windows NT" at http://support.microsoft.com/support/kb/articles/q102/7/16.asp . For an explanation of how Kerberos V5 works in Windows 2000, see Chapter 14, "An Introduction to Kerberos Authentication in Windows 2000."
Privileges, which, along with the logon rights mentioned in "Authenticated Logon," make up a general category called rights, relate to the authorization to perform an operation that affects an entire computer rather than specific objects only. (Access to specific objects is controlled by permissions.) Privileges are defined in a computer's security policy.
To view user privileges, log on using an account that has administrative authority and then open the Local Security Policy tool, which lets you view and edit security policies. Figure 3-1 shows this tool and the user rights assignment, or the granting of privileges, for the local computer.
Figure 3-1. User rights assignment in the Local Security Policy tool.
NOTE
You can grant and revoke user rights from the command line by using the NTRights.exe tool in the Microsoft Windows 2000 Server Resource Kit .
There are a number of user rights in Windows 2000 that are not available in Windows NT 4, including
These are the opposite of the normal logon rights discussed in "Authenticated Logon" and override those logon rights. If a user has both the Logon Locally right and the Deny Logon Locally right, he or she will not be able to log on locally. The main purpose of these privileges is to support the "allow everyone but x" type of scenario. If you wanted to support this scenario in Windows NT, you'd have to create a new group, add valid users and groups to the new group, and then apply the privileges to the group. This kind of situation is easier to implement with the new scheme of deny privileges in Windows 2000.
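The following script is an added example, not code from the book, that shows the four logon rights and the "deny wins" rule in action. It parses the [Privilege Rights] section of a policy export in the format that `secedit /export /cfg <file>` writes (right name, `=`, comma-separated SIDs prefixed with `*`), then evaluates which logon types a given token holds. The S-1-5-21-... account SIDs, the account names and the group memberships are constructed for the illustration; the S-1-5-32-* and S-1-1-0 SIDs are the well-known Administrators, Users, Backup Operators, Guests and Everyone.

```python
"""Evaluate effective Windows 2000 logon rights from a secedit-style export."""

# Logon-right constants as they appear in a secedit export, mapped to the
# names the book uses for them in the Local Security Policy tool.
LOGON_RIGHTS = {
    "SeInteractiveLogonRight": "Logon Locally",
    "SeNetworkLogonRight": "Access This Computer From The Network",
    "SeBatchLogonRight": "Logon As A Batch Job",
    "SeServiceLogonRight": "Logon As A Service",
}

# Each Windows 2000 deny right paired with the allow right it overrides.
DENY_OVERRIDES = {
    "SeDenyInteractiveLogonRight": "SeInteractiveLogonRight",
    "SeDenyNetworkLogonRight": "SeNetworkLogonRight",
    "SeDenyBatchLogonRight": "SeBatchLogonRight",
    "SeDenyServiceLogonRight": "SeServiceLogonRight",
}

# Constructed policy export imitating `secedit /export /cfg policy.inf`.
# The S-1-5-21-1000-2000-3000-* SIDs are invented for this example.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551
SeDenyInteractiveLogonRight = *S-1-5-21-1000-2000-3000-1105
SeNetworkLogonRight = *S-1-1-0
SeDenyNetworkLogonRight = *S-1-5-32-546
SeServiceLogonRight = *S-1-5-21-1000-2000-3000-1200
SeBatchLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_privilege_rights(inf_text):
    """Return {right_name: set(SIDs)} from the [Privilege Rights] section."""
    rights = {}
    in_section = False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # secedit prefixes SIDs with '*'; names it could not resolve appear bare.
        sids = {item.strip().lstrip("*") for item in value.split(",") if item.strip()}
        rights[name.strip()] = sids
    return rights


def effective_logon_rights(rights, token_sids):
    """Evaluate each logon type for a token (the user SID plus its group SIDs).

    A logon right is held only if some SID in the token is granted it AND no
    SID in the token appears in the matching deny right: the deny always wins.
    """
    token = set(token_sids)
    result = {}
    for deny_name, allow_name in DENY_OVERRIDES.items():
        allowed = bool(token & rights.get(allow_name, set()))
        denied = bool(token & rights.get(deny_name, set()))
        result[allow_name] = allowed and not denied
    return result


def explain(rights, label, token_sids):
    """Print a readable summary for one principal and return the evaluation."""
    outcome = effective_logon_rights(rights, token_sids)
    print(f"{label}:")
    for name, granted in outcome.items():
        print(f"  {LOGON_RIGHTS[name]:<40} {'granted' if granted else 'DENIED'}")
    return outcome


if __name__ == "__main__":
    policy = parse_privilege_rights(SAMPLE_INF)
    everyone = "S-1-1-0"
    # alice is a member of Users (allowed locally) but is explicitly denied: deny wins.
    explain(policy, "alice", ["S-1-5-21-1000-2000-3000-1105", "S-1-5-32-545", everyone])
    # bob is an ordinary member of Users and may log on locally.
    explain(policy, "bob", ["S-1-5-21-1000-2000-3000-1106", "S-1-5-32-545", everyone])
    # svc-sql holds only the service logon right, not an interactive one.
    explain(policy, "svc-sql", ["S-1-5-21-1000-2000-3000-1200", everyone])
```

The "allow everyone but x" scenario from the text is the alice case: Users keeps Logon Locally, and a single deny entry for her SID removes it without any extra group. Note that Everyone (S-1-1-0) is granted network logon, so a Guests member is kept off the network only because of the explicit SeDenyNetworkLogonRight entry.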