1.6 Microsoft and the challenge of TSIs


This book focuses on how Microsoft has provided built-in support for TSIs in the latest versions of its enterprise server operating system Windows Server 2003. These built-in TSI features are introduced in Section 1.6.1. We will also look at other Microsoft products that are not bundled with Windows Server 2003 and that can provide TSI services. These other Microsoft products will not be covered in detail in this book.

1.6.1 Windows Server 2003 as a TSI security building block

Table 1.6 shows the TSI building blocks that come bundled with the Windows Server 2003 server operating system. The table shows only the software that Microsoft sells as a product. It doesn’t show the free Microsoft tools—a good example is Microsoft Software Update Services (SUS).

Table 1.6: Microsoft TSI Services Built into Windows Server 2003

Windows Feature                                                   | TSI Service                                              | Discussed In
------------------------------------------------------------------|----------------------------------------------------------|---------------
Kerberos authentication infrastructure                            | Authentication infrastructure                            | Chapter 5
Web server authentication infrastructure                          | Authentication infrastructure                            | Chapter 6
Passport authentication infrastructure                            | Authentication infrastructure                            | Chapter 7
Authorization manager and framework                               | Authorization infrastructure                             | Chapter 12
Malicious mobile code protection                                  | Authorization and security administration infrastructure | Chapter 11
Public key infrastructure                                         | Key management infrastructure                            | Chapters 13–16
Built-in auditing system                                          | Auditing infrastructure                                  | Chapter 18
Built-in Security Policy enforcement (using group policy objects) | Security administration infrastructure                   | Chapter 18
Security patch management                                         | Security administration infrastructure                   | Chapter 18

1.6.2 Other Microsoft TSI building blocks

Table 1.7 provides an overview of other Microsoft software products that can be used to provide TSI services. Microsoft Identity Integration Server 2003 (MIIS), Microsoft Operations Manager (MOM), Microsoft Systems Management Server (SMS), the Microsoft Provisioning System (MPS), and Microsoft Services for UNIX are available now. TrustBridge is the name of a TSI product that will be released sometime near the end of 2003. TrustBridge will not be discussed in this chapter, but we will return to it in Chapter 9. The same is true for the Rights Management Service (RMS), which is discussed in Chapter 12, and Services for UNIX 3.0 (SFU 3.0), which is discussed in Chapter 8.

Table 1.7: Other Microsoft Software Providing TSI Services

Microsoft Software                                                 | TSI Service                                                                                 | More Information At
-------------------------------------------------------------------|---------------------------------------------------------------------------------------------|--------------------
Microsoft Identity Integration Server (MIIS)—formerly known as MMS | Identity, authentication and authorization data management—security management infrastructure | http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx
Microsoft Provisioning System (MPS)                                | Security management infrastructure—provisioning                                             | http://www.microsoft.com/serviceproviders/mps
Microsoft Operations Manager (MOM)                                 | Security management and auditing infrastructure                                             | http://www.microsoft.com/mom
Microsoft Systems Management Server (SMS)                          | Security management and auditing infrastructure and                                         | http://www.microsoft.com/sms
Microsoft Services for UNIX 3.0 (SFU 3.0)                          | Security management and authentication infrastructure                                       | http://www.microsoft.com/windows/sfu
TrustBridge (code name for product to be released in 2004)         | Authentication and authorization infrastructure                                             | http://www.microsoft.com/presspass/press/2002/jun02/06-06trustbridgepr.asp
Rights Management Services                                         | Authorization infrastructure                                                                | http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx

Microsoft Identity Integration Server

Microsoft Identity Integration Server 2003 (MIIS) is Microsoft’s metadirectory solution. MIIS was formerly called Microsoft Metadirectory Services (MMS). In the context of trusted security infrastructures, MIIS can be used as the central repository for security-related information such as identities and authorization data. Microsoft bought the core MIIS engine from a company called Zoomit back in 1999. MIIS stores and integrates information held in different directories or data sources into a unified view called the metaverse. Figure 1.6 shows the MIIS architecture.

Figure 1.6: MIIS 3.0 architecture.

Besides the metaverse, you will notice two other typical MIIS terms in Figure 1.6: management agents and connector spaces. A connector space (CS) is a representation of the objects and their associated attributes from a connected system (an HR system, another directory, and so forth) in the MIIS data repository. A management agent (MA) is the mechanism that processes and replicates data between a connected system and its MIIS connector space. MIIS ships with the following MAs: Active Directory (AD), Active Directory Application Mode (ADAM), Attribute value pair text files, Delimited text files, Directory Services Markup Language (DSML), Fixed width text files, LDAP Directory Interchange Format (LDIF), Lotus Notes/Domino 4.6 and 5.0, Microsoft NT 4 Domains, Microsoft Exchange 5.5, 2000 and 2003, Microsoft SQL 7 and 2000, Novell eDirectory v8.6.2 and v8.7.
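As an added illustration (not from the book and not MIIS code), the following toy Python metadirectory uses the same terms: one management agent per connected system imports objects into its connector space, objects sharing a join anchor are merged into a metaverse object, and objects without an anchor remain disconnectors. The HR and AD records, the attribute names and the join-on-employee-ID rule are constructed assumptions.

```python
# Constructed sample data standing in for two connected systems.
HR_RECORDS = [  # HR database, authoritative for employee status
    {"emp_id": "1001", "givenName": "Ann", "sn": "Lee", "status": "active"},
    {"emp_id": "1002", "givenName": "Bob", "sn": "Ray", "status": "terminated"},
]
AD_RECORDS = [  # Active Directory user objects
    {"sAMAccountName": "alee", "employeeID": "1001", "mail": "ann.lee@example.test"},
    {"sAMAccountName": "bray", "employeeID": "1002", "mail": "bob.ray@example.test"},
    {"sAMAccountName": "svc-backup", "employeeID": "", "mail": ""},
]

def management_agent(records, anchor_attr, attr_flow):
    """Import one connected system into its connector space (CS).
    attr_flow maps source attribute -> metaverse attribute. Objects without
    a join anchor cannot be linked and are returned as disconnectors."""
    cs, disconnectors = {}, []
    for rec in records:
        anchor = rec.get(anchor_attr)
        if not anchor:
            disconnectors.append(rec)
            continue
        cs[anchor] = {mv: rec[src] for src, mv in attr_flow.items() if src in rec}
    return cs, disconnectors

def build_metaverse(*connector_spaces):
    """Join CS objects sharing an anchor into a single metaverse object."""
    metaverse = {}
    for cs in connector_spaces:
        for anchor, attrs in cs.items():
            metaverse.setdefault(anchor, {}).update(attrs)
    return metaverse

def stale_accounts(metaverse):
    """Anchors whose HR status is 'terminated' but that still own an AD account:
    the unified view exposes what neither source shows on its own."""
    return sorted(a for a, o in metaverse.items()
                  if o.get("status") == "terminated" and "account" in o)

def run_sync():
    """Run both MAs and return (metaverse, AD disconnectors)."""
    hr_cs, _ = management_agent(
        HR_RECORDS, "emp_id", {"givenName": "givenName", "sn": "sn", "status": "status"})
    ad_cs, ad_disc = management_agent(
        AD_RECORDS, "employeeID", {"sAMAccountName": "account", "mail": "mail"})
    return build_metaverse(hr_cs, ad_cs), ad_disc

if __name__ == "__main__":
    mv, disc = run_sync()
    print("stale:", stale_accounts(mv), "unjoined:", [d["sAMAccountName"] for d in disc])
```

The disconnector list (here the service account with no employee ID) is the set of objects the metadirectory cannot attribute to any identity and that therefore needs its own review.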

Microsoft also provides a free, reduced-functionality version of MIIS: the Identity Integration Feature Pack. This add-on package for Windows Server 2003 can synchronize identity information between AD, AD Application Mode (ADAM), Exchange 2000 Server and Exchange Server 2003. It can also automate the provisioning of identity data between these different data sources. You can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en.

Microsoft Operations Manager

Microsoft Operations Manager (MOM) is Microsoft’s solution for enterprise-wide event and performance management. In the context of trusted security infrastructures, MOM can be used to build a centralized auditing infrastructure. Microsoft licensed MOM’s core engine from NetIQ and rebranded it. MOM’s highly flexible and distributed architecture is illustrated in Figure 1.7.

Figure 1.7: MOM architecture.

Out of the box, MOM includes agents for the following platforms, applications, and services (as part of the base management pack): Windows 2000, Active Directory, Internet Information Server, Windows 2000 Terminal Server, Distributed Transaction Coordinator, WINS, DHCP, RRAS, Transaction Server, Message Queue Server, DNS, MOM, and SMS. MS also provides optional agents (as part of application management packs) for the following MS applications: Exchange, SNA Server, ISA Server, Proxy Server, SQL Server, Commerce Server, Site Server, and BizTalk Server. Other agents covering many more applications and platforms (including non-Microsoft platforms and applications) are available from third-party software vendors.

Microsoft Systems Management Server

The functionality of Microsoft’s Systems Management Server (SMS) is often confused with the functionality of Microsoft’s MOM. Although there are some small overlaps, the two products have different focus areas. Whereas MOM focuses on performance monitoring and log consolidation, SMS’s key strengths are in the areas of software distribution, hardware and software inventories, and help desk functions.

The latest SMS release is SMS 2003, which Microsoft released in late 2003. Many enterprises are still using SMS 2.0. In 2003 Microsoft released an interesting add-on called the Software Update Services (SUS) Feature Pack that specifically extends SMS 2.0’s capabilities in the security patch management space for the Windows OSs and the MS Office applications. The SUS Feature Pack functionality is included out of the box in SMS 2003.

Figure 1.8 gives an overview of the SMS architecture. As for MOM, this architecture is highly flexible and distributed. Figure 1.8 does not show SMS’s hierarchical site capabilities consisting of primary and secondary sites.

Figure 1.8: SMS architecture.

Provisioning system

The Microsoft Provisioning System (MPS) is Microsoft’s provisioning solution. It is built on Microsoft-centric XML technology and provides a provisioning solution for some of the core Microsoft applications such as Active Directory, Exchange, FrontPage, SharePoint Team Services, and IIS. MPS can be extended to cover other applications as well (by building custom MPS providers). Figure 1.9 gives an overview of the MPS architecture. MPS is not a true Microsoft product offering, but rather a collection of different Microsoft technologies. It is currently available only through specific Microsoft partners such as eQuest Technologies (more information is available at http://www.eqinc.com/Servs/Microsoft%20Provisioning%20System%20Development.htm).

Figure 1.9: MPS architecture.


Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)
ISBN: 1555582834
Year: 2003
Pages: 137
Authors: Jan De Clercq