Summary


  • Windows 2000 builds on the core security principles in Windows NT.
  • All accounts in Windows 2000, often referred to as principals, must be authenticated by the operating system. An account is allowed to log on if its credentials are valid and it has been granted the right to log on to that computer.
  • Windows 95, Windows 98, Windows NT, and Windows 2000 all support the Windows NT Challenge/Response authentication protocol, also known as NTLM.
  • Windows 2000 supports the Kerberos V5 authentication protocol if Active Directory is installed.
  • Windows NT 4, Windows 2000 Professional, and Windows 2000 Server or Windows 2000 Advanced Server without Active Directory installed store user and group account information in the Security Accounts Manager database, the SAM. When Active Directory is installed, user and group information is stored as objects in Active Directory.
  • When Active Directory is installed, user accounts can be known by their SAM name in the form DOMAIN\Name or by their user principal name (UPN) in the form name@DNSName.
  • All user accounts and groups are represented internally as security identifiers, or SIDs. SIDs have the form S-R-A-S-S-S-S, where R is the revision, A is the identifier authority, and each S is a subauthority value; for a domain account the last subauthority is the relative identifier (RID) that distinguishes the account within its domain. For example, S-1-5-21-397661181-626881882-18441761-1009 is an account with RID 1009 in the domain S-1-5-21-397661181-626881882-18441761.
  • Some SIDs are well-known SIDs; in other words, they are common to all instances of Windows 2000. An example is the SID of the Everyone group, S-1-1-0, which is the same on every computer running Windows NT or Windows 2000.
  • When a user logs on, Windows 2000 creates a token to represent that logon. A token contains the user's SID, the SIDs of the groups to which the user belongs, the user's privileges, and so on.
  • Authorization in Windows 2000 is governed by access control lists (ACLs), which are attached to securable objects such as files. An ACL contains access control entries (ACEs); each ACE grants or denies a set of access rights to one principal, identified by its SID. ACEs are evaluated in order, so a canonically ordered ACL lists explicit deny ACEs ahead of allow ACEs.
  • Windows 2000 helps support the concept of least privilege by providing restricted tokens and secondary logon. A restricted token is a copy of a normal token from which privileges have been removed, in which group SIDs have been marked deny-only (so they can match only deny ACEs), or to which restricting SIDs have been added. Secondary logon allows a user to log on normally as a low-privilege account yet carry out high-privilege actions by authenticating as a more privileged account before invoking the program. The RunAs command is one way to use secondary logon. You can also hold down the Shift key, right-click a shortcut on the desktop, and choose Run As from the context menu.
  • Never log on to Windows 2000 as an administrator or as a member of the local administrators group unless you absolutely must do so. Instead, log on as a lower privilege account and use the secondary logon facility when you must run programs requiring higher privileges.
  • Windows 2000 supports impersonation, a program's ability to act on behalf of a user when accessing local resources. Impersonation is usually found in a server with a pool of worker threads: when the server receives a client request, it takes a thread from the pool, authenticates the client, impersonates the client on that thread, accesses the resources on the client's behalf, and then reverts to the security context of the server. Because the access checks see the client's token rather than the server's, all ACLs are honored appropriately.
  • Windows 2000 can also delegate the client's identity to remote computers. Whereas impersonation covers only local resources, delegation allows a server to access resources on other computers on behalf of the client. Delegation is supported only on Windows 2000 and only when using the Kerberos authentication protocol, which requires Active Directory. The key to delegation is forwardable (delegatable) tickets.
  • For delegation to work, the user account in question must not be marked as sensitive (the "Account is sensitive and cannot be delegated" option), every server in the chain must be marked as trusted for delegation, and every process handling the client request must run under an account trusted for delegation.
  • Encrypting File System (EFS) is a new feature in Windows 2000; it encrypts and decrypts files and directories transparently for the user who protected them. Designated recovery agents can recover protected files if required.
  • IP Security (IPSec) is a new, open-standards-based feature of Windows 2000 for authenticating and encrypting traffic between computers. It can also be used as a simple packet filter to block IP protocols and ports.
  • The Security Configuration Editor toolset alleviates many administrative errors by providing an easy-to-use, consistent set of tools. It can deploy a security policy and audit a system against that policy.
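
The SID notation in the items above maps onto a fixed binary layout, which is the form SIDs take inside tokens, ACLs and Active Directory's objectSid attribute: one revision byte, one subauthority-count byte, a 6-byte big-endian identifier authority, then each subauthority as a 32-bit little-endian integer. The following Python is an added example, not code from the book: it converts between the string and binary forms, extracts the RID and domain SID from the book's sample SID, and names a few well-known SIDs. The WELL_KNOWN table is deliberately short, and the class and method names are the example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# A few well-known SIDs; these are identical on every Windows NT/2000 system.
WELL_KNOWN = {
    "S-1-1-0": "Everyone",
    "S-1-3-0": "Creator Owner",
    "S-1-5-7": "Anonymous Logon",
    "S-1-5-11": "Authenticated Users",
    "S-1-5-18": "Local System",
    "S-1-5-32-544": "BUILTIN\\Administrators",
}

SID_MAX_SUB_AUTHORITIES = 15  # limit imposed by the SID structure


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int                    # 48-bit identifier authority (5 = NT Authority)
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the S-R-A-S-S... string form, validating every field."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a SID string: {text!r}")
        revision, authority = int(parts[1]), int(parts[2])
        subs = tuple(int(p) for p in parts[3:])
        if revision != 1:
            raise ValueError(f"unsupported SID revision {revision}")
        if authority >= 1 << 48:
            raise ValueError("identifier authority does not fit in 48 bits")
        if len(subs) > SID_MAX_SUB_AUTHORITIES or any(s >= 1 << 32 for s in subs):
            raise ValueError("too many or too large sub-authorities")
        return cls(revision, authority, subs)

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.sub_authorities)])

    def to_bytes(self) -> bytes:
        """Binary SID: Revision(1) SubAuthorityCount(1) IdentifierAuthority(6, big-endian)
        SubAuthority[count] (4 bytes each, little-endian)."""
        return (struct.pack("<BB", self.revision, len(self.sub_authorities))
                + self.authority.to_bytes(6, "big")
                + struct.pack("<%dI" % len(self.sub_authorities), *self.sub_authorities))

    @classmethod
    def from_bytes(cls, data: bytes) -> "Sid":
        """Inverse of to_bytes; rejects truncated or over-long buffers."""
        if len(data) < 8:
            raise ValueError("binary SID shorter than its 8-byte header")
        revision, count = struct.unpack_from("<BB", data, 0)
        if count > SID_MAX_SUB_AUTHORITIES or len(data) != 8 + 4 * count:
            raise ValueError("sub-authority count does not match data length")
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<%dI" % count, data, 8)
        return cls(revision, authority, tuple(subs))

    @property
    def rid(self) -> Optional[int]:
        """Relative identifier: the last sub-authority (1009 in the book's example)."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self) -> Optional["Sid"]:
        """For S-1-5-21-X-Y-Z-RID account SIDs, the S-1-5-21-X-Y-Z part that identifies
        the domain or machine the account belongs to; None for any other SID."""
        if self.authority == 5 and len(self.sub_authorities) == 5 and self.sub_authorities[0] == 21:
            return Sid(self.revision, self.authority, self.sub_authorities[:-1])
        return None

    def well_known_name(self) -> Optional[str]:
        return WELL_KNOWN.get(str(self))
```

Sid.parse("S-1-5-21-397661181-626881882-18441761-1009").to_bytes() yields 28 bytes beginning 01 05 00 00 00 00 00 05, which is the byte string you would see in a raw objectSid value or inside an ACE; the length and count checks in from_bytes are what stop a malformed buffer from being read past its end.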

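The token, ACL and restricted-token items above describe the access check in words. The following Python model is an added example, not code from the book or from Windows itself: it walks a DACL the way the operating system does (the first deny ACE that covers a still-wanted right denies, allow ACEs accumulate rights until the request is covered, and reaching the end with rights outstanding denies), then applies the two restricted-token rules, deny-only SIDs matching deny ACEs only and restricting SIDs forcing a second pass that must also succeed. Owner and privilege shortcuts and NULL DACLs are left out. The payroll DACL, the Alice and Finance SIDs, and the tokens are constructed sample data; the access-right values are the real Win32 file rights and the three well-known SIDs are real.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Access-right bits; these are the real Win32 file-object rights.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
DELETE = 0x00010000

# Well-known SIDs, identical on every Windows NT/2000 system.
EVERYONE = "S-1-1-0"
AUTHENTICATED_USERS = "S-1-5-11"
ADMINISTRATORS = "S-1-5-32-544"
# Constructed domain SIDs for the sample (RID 500 is the built-in Administrator).
ALICE = "S-1-5-21-397661181-626881882-18441761-1009"
FINANCE = "S-1-5-21-397661181-626881882-18441761-1103"
ADMIN = "S-1-5-21-397661181-626881882-18441761-500"

@dataclass(frozen=True)
class Ace:
    allow: bool  # True: ACCESS_ALLOWED_ACE, False: ACCESS_DENIED_ACE
    sid: str
    mask: int

@dataclass
class Token:
    user: str
    groups: Set[str]
    privileges: Set[str] = field(default_factory=set)
    deny_only: Set[str] = field(default_factory=set)  # SIDs that may match deny ACEs only
    restricting: Optional[Set[str]] = None            # present only on a restricted token

    def enabled_sids(self) -> Set[str]:
        return ({self.user} | self.groups) - self.deny_only

def restrict(token: Token, drop_privileges=(), deny_only=(), restricting=None) -> Token:
    """Model of CreateRestrictedToken: strip privileges, mark SIDs deny-only,
    and optionally attach a list of restricting SIDs."""
    return Token(user=token.user, groups=set(token.groups),
                 privileges=token.privileges - set(drop_privileges),
                 deny_only=token.deny_only | set(deny_only),
                 restricting=set(restricting) if restricting is not None else token.restricting)

def canonical_order(dacl: List[Ace]) -> List[Ace]:
    """Canonical order: explicit deny ACEs ahead of explicit allow ACEs (stable otherwise)."""
    return sorted(dacl, key=lambda ace: ace.allow)  # False (deny) sorts before True

def _walk(dacl: List[Ace], desired: int, allow_sids: Set[str], deny_sids: Set[str]) -> bool:
    """One pass over the DACL: the first deny ACE covering a still-wanted right denies;
    allow ACEs accumulate rights until the request is fully covered."""
    granted = 0
    for ace in dacl:
        remaining = desired & ~granted
        if not ace.allow:
            if ace.sid in deny_sids and ace.mask & remaining:
                return False
        elif ace.sid in allow_sids:
            granted |= ace.mask & desired
            if desired & ~granted == 0:
                return True
    return desired & ~granted == 0  # end of list with rights outstanding: denied

def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    """Simplified access check for an object whose DACL is present (an empty DACL
    grants nothing). NULL DACLs, owner and privilege shortcuts are not modelled."""
    if desired == 0:
        raise ValueError("desired access mask must not be empty")
    enabled = token.enabled_sids()
    # Pass 1: enabled SIDs match any ACE; deny-only SIDs match deny ACEs only.
    if not _walk(dacl, desired, enabled, enabled | token.deny_only):
        return False
    # Pass 2, restricted tokens only: the restricting SIDs alone must also grant access.
    if token.restricting is not None:
        return _walk(dacl, desired, token.restricting, token.restricting)
    return True

# Constructed DACL for a payroll file: nobody may delete it, Finance may read and write,
# any authenticated user may read, Administrators may read, write and delete.
PAYROLL_DACL = canonical_order([
    Ace(True, FINANCE, FILE_READ_DATA | FILE_WRITE_DATA),
    Ace(True, AUTHENTICATED_USERS, FILE_READ_DATA),
    Ace(True, ADMINISTRATORS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
    Ace(False, EVERYONE, DELETE),
])
# The same intent written allow-first: the deny ACE never gets a chance to fire.
NON_CANONICAL_DACL = [
    Ace(True, ADMINISTRATORS, FILE_READ_DATA | FILE_WRITE_DATA | DELETE),
    Ace(False, EVERYONE, DELETE),
]

ALICE_TOKEN = Token(ALICE, {EVERYONE, AUTHENTICATED_USERS, FINANCE}, {"SeShutdownPrivilege"})
ADMIN_TOKEN = Token(ADMIN, {EVERYONE, AUTHENTICATED_USERS, ADMINISTRATORS})
# Two least-privilege variants of Alice's token: Finance marked deny-only, or Authenticated
# Users as the sole restricting SID. Either one can still read payroll but can no longer write it.
ALICE_DENY_ONLY = restrict(ALICE_TOKEN, drop_privileges={"SeShutdownPrivilege"}, deny_only={FINANCE})
ALICE_RESTRICTED = restrict(ALICE_TOKEN, restricting={AUTHENTICATED_USERS})
```

Compare access_check(ADMIN_TOKEN, PAYROLL_DACL, DELETE) with the same call against NON_CANONICAL_DACL: the ACEs are identical in intent, but only the canonically ordered list actually enforces the deny, which is why the ACL editor always writes deny ACEs first. The two restricted tokens show the two mechanisms the restricted-token item describes, and the deny-only variant also has its privilege stripped.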

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138
