Designing a User and Computer Authentication Strategy

Authentication is the process of verifying one's identity. Designing an authentication strategy prevents unauthorized users and computers from gaining access to a private network, accessing sensitive information, consuming network resources, and impersonating other users.

Designing a computer and user authentication strategy entails creating user accounts, establishing secure authentication methods, and establishing network authentication standards.

Identifying Common Authentication Requirements

Before you can implement an authentication strategy, you must first identify the authentication requirements for an organization. Consider the following points when assessing the current environment:

  • The number of domain controllers and where they are located: ensure that the current environment has enough domain controllers to service all authentication requests. Also consider where the domain controllers are located and the network connectivity between sites; slow network connections can create a need for additional domain controllers.

  • The number of users and computers on the network: this determines the volume of authentication requests and therefore the number of domain controllers required.

  • The operating systems and applications in use: these affect the authentication methods available. Some operating systems and applications do not support Kerberos, so other authentication methods will be required.

  • If a public key infrastructure is being used, the number of certification authorities (CAs): ensure that enough CAs are available to handle the volume of client requests.

Selecting Authentication Methods

Before a user can gain access to resources within a domain, he must first be authenticated by Active Directory. After he has been authenticated, a user can access resources on the network for which he has been granted permissions. In terms of authentication, Windows Server 2003 provides support for a number of different authentication methods, including

  • Kerberos

  • Public Key Infrastructure (PKI)

  • Smart Cards


The operating systems and applications running on a network influence the authentication methods used. For example, pre-Windows 2000 and non-Windows operating systems might not support the Kerberos authentication protocol, so another mechanism must be deployed as well.


Kerberos

The Kerberos version 5 protocol is responsible for authentication within and between domains. This means users need to provide only a single username and password at logon to gain access to resources throughout the forest.

Before a user is granted access to resources in another domain, the key distribution center (KDC) from each domain in the trust path must first authenticate the user.


The KDC has two roles: authenticating users and issuing session tickets to users so that they can identify themselves to other domains.


  1. When a user attempts to access a resource in another domain, the KDC within the user's own domain issues the user a session ticket. The session ticket simply identifies the user to other servers in the forest.

  2. Following the trust path, the user presents his session ticket to the KDC in the parent or child domain.

  3. The user is then issued another session ticket from the KDC in this domain that identifies the user to the next domain in the trust path.

  4. The user presents the session ticket to the KDC in the next domain in the trust path and is issued a session ticket for the server that contains the resource.

  5. When the user presents this session ticket to the server with the desired resource, the user is granted the appropriate access to that resource.

PKI Infrastructure

A public key certificate is the most secure authentication method and is ideal for nontrusted environments, remote access, access involving the Internet, and those computers that do not support Kerberos V5. This method requires a public key infrastructure (PKI) because each computer requires two keys: a public key and a private key.

Smart Cards

Windows Server 2003 supports smart cards for authentication. With this type of authentication, a user's credentials are stored on a card that is inserted into a smart card reader. To access the information stored on the card, the user must provide the correct PIN. After the user has provided the correct PIN, she can use the certificate stored on the smart card to authenticate to Active Directory. This method of authentication is more secure than Kerberos alone because both the smart card and its certificate are required to log on to the network.

LAN Manager Authentication

To remain backward compatible with earlier Windows operating systems, Windows Server 2003 supports LAN Manager authentication. However, because LAN Manager is highly susceptible to attack, it should be enabled only when necessary.

Optimizing Authentication Using Shortcut Trust Relationships

When a user attempts to access a resource in another domain within the forest, the trust path must be followed. Depending on the structure of the Active Directory hierarchy, the trust path between two separate domains can be long.

In such cases, creating a shortcut trust can shorten the trust path. A shortcut trust is a transitive (two-way) trust like the parent/child trusts in the forest; the difference is that it must be explicitly created. Creating a shortcut trust between two separate domains within a forest can therefore reduce the number of KDCs involved and speed up the authentication process.
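The referral steps above and the effect of a shortcut trust can be made concrete with a small model. The following Python is an added example, not code from the Exam Cram text: it represents a forest as parent/child domains (each pair being one two-way transitive trust), optionally adds shortcut trusts, finds the trust path between two domains, and lists the session tickets each KDC on the path would issue as described in steps 1 to 5. The domain names and the service principal name are constructed for the example.

```python
from collections import deque

# Constructed sample forest: a forest root, two child domains and one
# grandchild under each. Names are made up for this example.
PARENT_OF = {
    "na.corp.example": "corp.example",
    "eu.corp.example": "corp.example",
    "sales.na.corp.example": "na.corp.example",
    "dev.eu.corp.example": "eu.corp.example",
}


def build_trust_graph(parent_of, shortcut_trusts=()):
    """Return an undirected adjacency map of domains.

    Every parent/child pair is a two-way transitive trust, so it is one
    edge. Shortcut trusts are extra two-way edges between domains that
    are not parent and child.
    """
    graph = {}
    for child, parent in parent_of.items():
        graph.setdefault(child, set()).add(parent)
        graph.setdefault(parent, set()).add(child)
    for a, b in shortcut_trusts:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def trust_path(graph, src, dst):
    """Shortest list of domains from src to dst, inclusive (BFS).

    Raises KeyError for an unknown domain and ValueError when no chain
    of trusts connects the two domains.
    """
    if src not in graph or dst not in graph:
        raise KeyError("unknown domain")
    prev = {src: None}
    queue = deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in sorted(graph[cur]):  # sorted so the path is deterministic
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no trust path from {src} to {dst}")
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def referral_walk(graph, user_domain, resource_domain, service_spn):
    """Tickets issued as the user follows the trust path.

    Each KDC before the last issues a referral session ticket naming the
    next domain (steps 1 to 4); the KDC of the resource domain issues the
    ticket for the server holding the resource (step 4 to 5).
    """
    path = trust_path(graph, user_domain, resource_domain)
    tickets = []
    for here, there in zip(path, path[1:]):
        tickets.append({"issued_by": f"KDC@{here}", "kind": "referral",
                        "for_domain": there})
    tickets.append({"issued_by": f"KDC@{path[-1]}", "kind": "service",
                    "for": service_spn})
    return tickets


def compare_with_shortcut(user_domain, resource_domain, service_spn):
    """Ticket counts without and with a shortcut trust between the two domains."""
    plain = build_trust_graph(PARENT_OF)
    shortcut = build_trust_graph(PARENT_OF, [(user_domain, resource_domain)])
    return (len(referral_walk(plain, user_domain, resource_domain, service_spn)),
            len(referral_walk(shortcut, user_domain, resource_domain, service_spn)))


if __name__ == "__main__":
    user, resource = "sales.na.corp.example", "dev.eu.corp.example"
    spn = "cifs/files.dev.eu.corp.example"  # constructed service principal name
    for ticket in referral_walk(build_trust_graph(PARENT_OF), user, resource, spn):
        print(ticket)
    print("tickets without / with shortcut trust:",
          compare_with_shortcut(user, resource, spn))
```

Run as a script, the walk from the sales domain to the dev domain visits five KDCs (four referrals plus the service ticket); adding a shortcut trust between the two grandchild domains cuts this to one referral and the service ticket, which is the improvement the section describes.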

Source: MCSE Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure Exam Cram 2 (Exam Cram 70-297), ISBN 0789730154, 2003, 152 pages.