When designing access to Windows 2000 networks by heterogeneous, or non-Microsoft clients, you must ensure the integrity of the authentication process. Authentication associates users with a security principal within Active Directory. The credentials provided by the user authenticate the user with the network. Once the user is authenticated, authorization can take place to limit access to specific authorized resources.
After this lesson, you will be able to
Estimated lesson time: 30 minutes
File Services for Macintosh supports users authenticating with Active Directory from Macintosh client computers. File Services for Macintosh requires that Macintosh clients authenticate using accounts stored in Active Directory.
When authenticating with the Windows 2000 network, Macintosh users can use any of the following authentication methods:
NOTE
This process requires the password to be stored in reversibly encrypted format at the server.
NOTE
If your Windows 2000 network has multiple domains, users should supply their account name in the format domain\username, where domain is the domain that holds the user's account, so that the logon request is forwarded to the correct domain. Omitting the domain prefix can produce unpredictable results when the same user name exists in more than one domain.
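The following is an added example (not code from the training kit) showing how a logon-name resolver should treat the domain\username convention described in the note: a qualified name is forwarded to the named domain only, and an unqualified name that matches accounts in several domains is refused rather than silently resolved to whichever domain answered first. The directory contents, account names and SIDs are constructed for the example.

```python
# Added example (not from the Windows 2000 training kit): resolve a logon name
# against a multi-domain directory and fail closed on ambiguous bare user names.
from __future__ import annotations

# Constructed sample directory: two domains that both contain a "jsmith" with
# different SIDs. Domain names, user names and SIDs are made up.
DIRECTORY = {
    "BLUEYONDER": {"jsmith": "S-1-5-21-1111-1111-1111-1001",
                   "amartin": "S-1-5-21-1111-1111-1111-1002"},
    "CONSOLIDATED": {"jsmith": "S-1-5-21-2222-2222-2222-1001"},
}


class AmbiguousLogonName(ValueError):
    """Raised when an unqualified user name exists in more than one domain."""


def parse_logon_name(logon: str) -> tuple[str | None, str]:
    """Split 'DOMAIN\\user' into (DOMAIN, user); a bare name yields (None, user)."""
    if "\\" in logon:
        domain, _, user = logon.partition("\\")
        if not domain or not user:
            raise ValueError(f"malformed logon name: {logon!r}")
        return domain.upper(), user
    return None, logon


def resolve_principal(logon: str, directory=DIRECTORY) -> str | None:
    """Return the SID for a logon name, or None if no account matches."""
    domain, user = parse_logon_name(logon)
    if domain is not None:
        # Qualified name: consult only the named domain.
        accounts = directory.get(domain)
        if accounts is None:
            raise LookupError(f"unknown domain: {domain}")
        return accounts.get(user)
    # Unqualified name: search every domain and accept only a unique match.
    matches = [(d, accts[user]) for d, accts in directory.items() if user in accts]
    if len(matches) > 1:
        domains = [d for d, _ in matches]
        raise AmbiguousLogonName(f"{user!r} exists in {domains}; use DOMAIN\\{user}")
    return matches[0][1] if matches else None


if __name__ == "__main__":
    for name in ("BLUEYONDER\\jsmith", "amartin", "jsmith"):
        try:
            print(name, "->", resolve_principal(name))
        except AmbiguousLogonName as exc:
            print(name, "-> refused:", exc)
```

Refusing the ambiguous case is the safer design choice: resolving "jsmith" to the first domain found would authenticate the user against an account the person may not own.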
To maintain a minimum security level in your network, configure the File Server for Macintosh properties to limit authentication to specific methods. For example, you could limit authentication to MS-UAM.
You can also configure Macintosh-accessible volumes with a volume password that forces Macintosh users to provide the associated password before accessing the volume.
Use Table 16.2 when designing authentication for Macintosh clients in a Windows 2000 network.
Table 16.2 Securing Macintosh User Authentication
| To | Include the Following in Your Security Plan |
|---|---|
| Allow unauthenticated access to Macintosh users | Enable the Guest account at the server hosting File Services for Macintosh. Enable Guest access for the Macintosh-accessible volume. Have Macintosh users connect to the volume as a guest. |
| Allow all Macintosh clients to connect to the Windows 2000 server | Configure File Server for Macintosh properties to accept Apple Clear Text authentication or Apple Clear Text Or Microsoft authentication. |
| Require encrypted authentication | Configure all user accounts for Macintosh users to store passwords in reversibly encrypted format. Configure File Server for Macintosh properties to require Apple Encrypted authentication or Microsoft authentication. |
| Restrict supported authentication methods | Configure File Server for Macintosh properties to accept only authentication requests that use authorized methods. |
| Limit access to a volume | Create a volume password that must be provided in addition to user credentials to gain access to the volume. |
Blue Yonder Airlines requires that Macintosh user authentication not allow interception of user passwords. To enforce this, configure File Services for Macintosh to allow only Apple Standard Encryption or the MS-UAM, as shown in Figure 16.1.
Figure 16.1 Configuring File Server for Macintosh to require encrypted authentication
The MS-UAM provides support for 14-character passwords but requires the installation of the MS-UAM at each Macintosh computer. Because all Macintosh computers are located in the same department, this shouldn't be difficult.
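To make the design decisions in Table 16.2 and the Blue Yonder requirement concrete, here is an added example (not code from the training kit or from File Services for Macintosh itself) that models the server's allowed-method setting, the per-account reversible-encryption flag, the client's installed methods and the volume password, and then audits a configuration against the "no password interception" requirement. The method names, the strongest-first negotiation order and the configuration classes are assumptions of this model.

```python
# Added example (not from the training kit): a model of the File Server for
# Macintosh authentication decisions in Table 16.2. Method names, negotiation
# order and the configuration classes are assumptions of this model.
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class AuthMethod(Enum):
    GUEST = "Guest"
    APPLE_CLEAR_TEXT = "Apple Clear Text"
    APPLE_ENCRYPTED = "Apple Standard Encryption"
    MS_UAM = "Microsoft (MS-UAM)"


# From the lesson: clear text puts the password on the wire; Apple Standard
# Encryption needs the account password stored with reversible encryption.
EXPOSES_PASSWORD = {AuthMethod.APPLE_CLEAR_TEXT}
NEEDS_REVERSIBLE_STORAGE = {AuthMethod.APPLE_ENCRYPTED}
# Strongest first; the model assumes the server offers methods in this order.
PREFERENCE = (AuthMethod.MS_UAM, AuthMethod.APPLE_ENCRYPTED, AuthMethod.APPLE_CLEAR_TEXT)


@dataclass
class ServerConfig:
    allowed: frozenset            # methods enabled in File Server for Macintosh properties
    guest_enabled: bool = False   # Guest account enabled and guest access on the volume
    volume_password: str | None = None


@dataclass
class Account:
    name: str
    reversible_storage: bool      # "Store password using reversible encryption"


@dataclass
class MacClient:
    supports: frozenset           # MS-UAM only if the UAM is installed on the Mac
    volume_password: str | None = None


def negotiate(server, client, account):
    """Return (method, reason); method is None when the logon is refused."""
    if account is None:
        if server.guest_enabled:
            return AuthMethod.GUEST, "unauthenticated guest access"
        return None, "no credentials and guest access is disabled"
    for method in PREFERENCE:
        if method not in server.allowed or method not in client.supports:
            continue
        if method in NEEDS_REVERSIBLE_STORAGE and not account.reversible_storage:
            # The server cannot verify this exchange. If a weaker method is also
            # enabled the client falls back to it; audit_no_cleartext() reports that.
            continue
        return method, f"{method.value} accepted for {account.name}"
    return None, f"no usable authentication method for {account.name}"


def connect(server, client, account):
    """Authentication followed by the optional volume password check."""
    method, reason = negotiate(server, client, account)
    if method is None:
        return False, reason
    if server.volume_password and client.volume_password != server.volume_password:
        return False, "volume password required"
    return True, reason


def audit_no_cleartext(server):
    """Findings against the requirement that passwords cannot be intercepted."""
    findings = [f"{m.value} enabled: password crosses the wire in clear text"
                for m in server.allowed & EXPOSES_PASSWORD]
    if server.guest_enabled:
        findings.append("guest access enabled: unauthenticated connections possible")
    return findings


if __name__ == "__main__":
    byda = ServerConfig(allowed=frozenset({AuthMethod.APPLE_ENCRYPTED, AuthMethod.MS_UAM}))
    mac = MacClient(supports=frozenset({AuthMethod.APPLE_CLEAR_TEXT, AuthMethod.APPLE_ENCRYPTED}))
    print(connect(byda, mac, Account("jsmith", reversible_storage=True)))
    print(connect(byda, mac, Account("amartin", reversible_storage=False)))
    print(audit_no_cleartext(byda))
```

The second `connect` call in the usage section shows the caveat from the note above: with Apple Clear Text disabled, an account that does not store its password with reversible encryption cannot log on at all, so the account setting has to be deployed before the server is locked down.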
A Windows 2000 Server running FPNW emulates a NetWare 3.x server and allows NetWare clients to authenticate with the Windows 2000 server. NetWare clients can access file and print services hosted by the Windows 2000 server using native NetWare commands and utilities.
NOTE
FPNW requires that the NetWare clients connect to the FPNW server using IPX/SPX protocols. Configure the FPNW server to use the same frame type and internal network number as the NetWare clients to ensure connectivity. Failure to do so can result in the FPNW server being unavailable to NetWare clients.
To allow users to authenticate with Active Directory by using a NetWare client, configure user accounts as NetWare-enabled accounts in Active Directory Users And Computers. A NetWare-enabled account allows you to define NetWare-specific properties, such as the NetWare logon script for the user. You can limit which user accounts can authenticate using NetWare clients by enabling only the required accounts to Maintain NetWare Compatible Login in Active Directory Users And Computers. By configuring the Concurrent Connections option for a user account, you can also limit the number of sessions that a NetWare client can establish.
Table 16.3 lists the design decisions you need to make when securing NetWare client authentication with a Windows 2000 network.
Table 16.3 Securing NetWare User Authentication
| To | Do the Following |
|---|---|
| Allow NetWare clients to authenticate with a Windows 2000 Server | Install FPNW on a Windows 2000 server. Enable each required user account to maintain NetWare compatible login. Install the IPX/SPX Compatible transport on the Windows 2000 server running FPNW. |
| Limit the number of simultaneous connections by a single user account | Limit the number of concurrent connections in the NW Compatible tab of the Properties dialog box of a user account. |
| Allow authentication by Windows for Workgroups 3.11, Windows 95, Windows 98, or Windows NT client computers | Windows for Workgroups 3.11, Windows 95, Windows 98, and Windows NT clients allow the installation of multiple network clients. Rather than install FPNW, consider deploying the Microsoft and NetWare clients to all client computers. |
Blue Yonder Airlines must install FPNW on the BYDATA server to allow NetWare clients to connect to the file server using native NetWare clients. Before installing FPNW, Blue Yonder Airlines should determine what operating systems are in use for the client computers at the Consolidated Messenger office. If the client computers are running Windows 95 or later, consider installing both Microsoft and NetWare clients on the computers. This would allow file access and authentication to both the Windows 2000 and NetWare networks. You could remove the NetWare client software once the NetWare server data is migrated to Windows 2000.
UNIX clients can use several methods to authenticate with a Windows 2000 network. The choice will depend primarily on the application that's used to access data on the Windows 2000 server.
NOTE
These applications can use either Secure Sockets Layer (SSL) or Internet Protocol Security (IPSec) to encrypt transmissions between the client and the server and protect clear text authentication.
WARNING
To allow access to UNIX Samba servers, you must configure Group Policy to enable the Send Unencrypted Password To Connect To Third-Party SMB Servers setting. Consider this setting carefully before implementing it, because it results in passwords being passed over the network in clear text.
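A practitioner will want to verify where that setting is actually enabled. The Group Policy setting above is backed by the REG_DWORD value EnablePlainTextPassword under HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters, and a template exported with secedit /export lists it in the [Registry Values] section as path=type,value (type code 4 is REG_DWORD). The following added example (not code from the training kit) parses such a template and reports the state of the value; the sample template text is constructed, and the sample also carries a second registry value only to show that unrelated entries are ignored.

```python
# Added example (not from the training kit): scan a security template exported
# with "secedit /export /cfg <file>" for the LanmanWorkstation value behind the
# "Send unencrypted password to connect to third-party SMB servers" policy.
import configparser

PLAINTEXT_VALUE = (r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation"
                   r"\Parameters\EnablePlainTextPassword")

# Constructed sample template with the setting enabled. Real exports carry
# more sections; only [Registry Values] matters here.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\RequireSecuritySignature=4,0
"""


def parse_registry_values(template_text):
    """Return {registry path: (type code, raw value)} from [Registry Values]."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str            # keep registry paths exactly as written
    cp.read_string(template_text)
    values = {}
    if not cp.has_section("Registry Values"):
        return values
    for path, spec in cp.items("Registry Values"):
        type_code, _, raw = spec.partition(",")
        values[path] = (int(type_code), raw.strip())
    return values


def plaintext_smb_allowed(template_text):
    """True if the template enables clear-text SMB passwords, False if it
    disables them, None if the template does not define the value at all."""
    entry = parse_registry_values(template_text).get(PLAINTEXT_VALUE)
    if entry is None:
        return None
    type_code, raw = entry
    return type_code == 4 and raw == "1"


def check_template(template_text):
    """One-line verdict suitable for a compliance report."""
    state = plaintext_smb_allowed(template_text)
    if state is True:
        return "FAIL: clear-text SMB passwords enabled; confirm a Samba requirement exists"
    if state is False:
        return "OK: clear-text SMB passwords disabled"
    return "OK: value not set; the Windows 2000 default is disabled"


if __name__ == "__main__":
    print(check_template(SAMPLE_TEMPLATE))
```

Run it against templates exported from the machines that are supposed to need Samba access and from those that are not; any FAIL on the second group is a policy that has leaked beyond the UNIX-access scope the lesson describes.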
When you design secure authentication for UNIX clients, you should include the following in your security plan:
Blue Yonder Airlines must use NIS authentication to provide NFS access to UNIX users connecting to the BYDATA server. The NFS Server software requires you to configure Active Directory to act as an NIS server by using Server for NIS. You can import the existing NIS source files from the UNIX NIS servers by using the NIS To Active Directory Migration Wizard. Finally, configure User Name Mapping so that the UID provided by a UNIX client when accessing the resources on the BYDATA server is translated to a Windows 2000 security principal. Use Two-Way Password Synchronization to synchronize the passwords used for UNIX and Windows 2000 so that users won't have to reenter credentials.
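The User Name Mapping step is where a UID from a UNIX client becomes a Windows 2000 security principal, so it deserves a check before it goes live. The following added example (not code from the training kit, and not the file format used by the User Name Mapping service) derives a UID-to-SID map from passwd entries and an Active Directory account list, and leaves anything that is not a clean one-to-one match unmapped. The passwd lines, account names and SIDs are constructed.

```python
# Added example (not part of the lesson): derive a UNIX UID -> Windows security
# principal map from passwd entries and an Active Directory account list,
# refusing anything that is not one-to-one. The output dictionary is this
# example's own format, not the User Name Mapping service's file format.
PASSWD_LINES = """\
root:x:0:0:root:/root:/bin/sh
jsmith:x:1001:100:J Smith:/home/jsmith:/bin/sh
amartin:x:1002:100:A Martin:/home/amartin:/bin/sh
backup:x:1002:100:shares amartin's uid:/home/backup:/bin/sh
rchen:x:1003:100:R Chen:/home/rchen:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
""".splitlines()

# Constructed: sAMAccountName -> SID for accounts in the blueyonder.tld domain.
AD_ACCOUNTS = {
    "jsmith":  "S-1-5-21-1111-1111-1111-1001",
    "amartin": "S-1-5-21-1111-1111-1111-1002",
    "rchen":   "S-1-5-21-1111-1111-1111-1003",
}


def parse_passwd(lines):
    """Return {unix user: uid} from passwd-format lines; malformed lines raise."""
    users = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd entry: {line!r}")
        users[fields[0]] = int(fields[2])
    return users


def build_uid_map(unix_users, ad_accounts, renames=None):
    """Map each UID to exactly one SID. Returns (mapping, problems).

    renames: optional {unix user: windows account} for names that differ.
    A UID shared by two UNIX users, a UNIX user without a Windows account, or
    two UIDs resolving to the same SID is reported and left unmapped."""
    renames = renames or {}
    by_uid = {}
    for name, uid in unix_users.items():
        by_uid.setdefault(uid, []).append(name)
    mapping, problems, used_sids = {}, [], {}
    for uid, names in sorted(by_uid.items()):
        if len(names) > 1:
            problems.append(f"uid {uid} shared by {names}: not mapped")
            continue
        name = names[0]
        win_name = renames.get(name, name)
        sid = ad_accounts.get(win_name)
        if sid is None:
            problems.append(f"uid {uid} ({name}): no Windows account {win_name!r}")
            continue
        if sid in used_sids:
            problems.append(f"uid {uid} ({name}) and uid {used_sids[sid]} both map to {sid}")
            continue
        used_sids[sid] = uid
        mapping[uid] = sid
    return mapping, problems


if __name__ == "__main__":
    uid_map, issues = build_uid_map(parse_passwd(PASSWD_LINES), AD_ACCOUNTS)
    for uid, sid in uid_map.items():
        print(f"{uid} -> {sid}")
    for issue in issues:
        print("PROBLEM:", issue)
```

Leaving root (uid 0) and nobody unmapped is the intended outcome: an unmapped UID gets no Windows identity and therefore no access, which is the failure mode you want when the two directories disagree.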
Blue Yonder Airlines must establish a Kerberos inter-realm trust between the blueyonder.tld domain and the UNIX Kerberos realm to allow Active Directory users to authenticate with the UNIX database. Only an inter-realm trust allows the UNIX KDC to recognize user credentials from Active Directory.
Until a non-Microsoft user authenticates with the Windows 2000 network, there's no way to apply the Windows 2000 security model to the heterogeneous client sessions. You must ensure that your design doesn't weaken Windows 2000 security by allowing heterogeneous clients to authenticate using clear text. By using Windows 2000 add-on services, you can ensure that authentication is encrypted to protect the Windows 2000 user credentials.