Authentication Overview


Microsoft Windows XP Professional assures security by using the following processes:

  • Authentication, which verifies the identity of something or someone.

  • Authorization, which allows you to control access to all network resources, such as files and printers.

Authentication takes place all around us. For example, you are required to authenticate your identity and purpose when crossing international borders or completing business transactions. Similarly, in Windows, the identity of a user or computer must be authenticated before the user or computer has access to files, folders, and applications.

The following discussion provides detailed information about the configuration, management, and maintenance of authentication functions for Windows XP Professional based clients, whether they are stand-alone clients or members of an Active Directory or other network environment.

New in Windows XP Professional

If you are already familiar with the security model in Microsoft Windows NT version 4.0 and Microsoft Windows 2000, you will recognize many of the features in Windows XP Professional. At the same time, you will also find a number of familiar features that have changed significantly, and new features that will improve your ability to manage system security.

The following are among the changed security-related features in Windows XP Professional:

  • Everyone membership. The built-in Everyone group includes Authenticated Users and Guests, but no longer includes members of the Anonymous group.

  • Simple sharing. By default, on Windows XP Professional systems that are not connected to a domain, all attempts to log on from across the network will be forced to use the Guest account. In addition, on computers that are using the simple sharing security model, the Security Properties dialog box is replaced by a simplified Shared Documents Properties dialog box.

  • Administrative ownership. In Windows NT 4.0 and Windows 2000, all resources such as files and folders that are created by a member of the Administrators group belong to the group as a whole. In Windows XP Professional, these resources by default belong to the individual who creates them.

  • Encrypting File System (EFS) recovery agent. In a Windows 2000 environment, if you attempt to configure an EFS recovery policy with no recovery agent certificates, EFS is automatically disabled. In a Windows XP Professional environment, the same action enables users to encrypt files without a Data Recovery Agent (DRA). In an environment with computers running both Microsoft Windows XP and Windows 2000, an empty EFS recovery policy turns off EFS on Windows 2000 based computers, but eliminates the requirement for a DRA only on Windows XP Professional based computers.

  • Permissions for installing printers. In order to install a local printer in Windows XP Professional, you must belong to the Power Users or Administrators group and have the Load/Unload Device Driver privilege. Administrators have this privilege by default, but it must be granted to Power Users.

  • Blank password restriction. To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console.

The following are among the new security-related features in Windows XP Professional:

  • Restricted software policy. New security policy options allow you to prevent certain software applications from running based on a file path, Internet zone, certificate, or hashed file path.

  • Fast user switching. On computers running Windows XP Professional that are not connected to a domain, users can switch from one user account to another without logging off or closing their applications.

  • Stored user names and passwords. This utility provides secure storage for user names and credentials needed to access network or Internet resources.

  • New service accounts. Windows XP Professional includes two new service accounts, LocalService and NetworkService, to enable graduated levels of permissions on services. Services can run as LocalService on the local computer, as NetworkService on the network, or as part of the Local System. Any service not running as one of the three built-in service accounts must have its own account.

  • Password Reset Wizard. This wizard makes it possible for users to create a secure reset disk, which they can use at a later date in case they forget the password for their local account.

For more information about these features and changes, see the applicable discussions in this chapter, and see Authorization and Access Control and Encrypting File System in this book.

Credentials and Validation

The authentication process has two fundamental parts: credentials and validation.

Credentials

Credentials assert the identity of the applicant. A validating agent either confirms or denies the validity of the credentials, determining the level of trust granted the applicant. At an international border, for example, a passport issued by a recognized national government would be a traveler's credentials, and a crossing guard representing the government of the country/region one attempts to enter would be the validating agent. Typically, a passport is considered a strong guarantee of a bearer's identity. On the other hand, a business card is another kind of a credential or proof of identity that is validated with much less rigor.

In Windows 2000 and Windows XP Professional, a user's credentials can be supplied by a password, a Kerberos ticket, or a smart card if the computer is equipped to handle a smart card. For more information about smart cards, see Smart Cards later in this chapter.

Validation

Validation in Windows is performed by a protected subsystem called the Local Security Authority (LSA), which maintains information about all aspects of local operating system security. In addition to providing interactive user authentication services, the LSA does the following:

  • Manages local security policy.

  • Manages audit policy and settings.

  • Generates tokens that contain user and group information as well as information about the security permissions for the user.

The LSA validates your identity based on which entity issued your account. If it was issued by:

  • LSA. The LSA can validate your information by checking its own Security Accounts Manager (SAM) database. Any workstation or member server can store local user accounts and information about local groups. However, these accounts can only be used for accessing that workstation or computer.

  • Security authority for the local domain or for a trusted domain. The LSA contacts the entity that issued your account and asks it to verify that the account is valid and that you are the account holder.

Security Principals

In Windows XP Professional, any user, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or they can be domain-based. A local Security Accounts Manager (SAM) database manages local accounts on the computer. A domain-based SAM manages accounts in a Windows NT 4.0 domain. Active Directory manages domain accounts in Active Directory domains.

For example, Windows XP Professional computers participate in a network domain by communicating with a domain controller even when no human user is logged on. To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the LSA on the domain controller authenticates the computer's identity and then defines the computer's security context just as it would for a human security principal. This security context defines the identity and capabilities of a user or service on a particular computer or a user, service, or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, computer, or service on that resource.

The security context of a user or computer can vary from one computer to another, such as when a user logs on to a server or a workstation other than the user's own primary workstation. It can also vary from one session to another, such as when an administrator modifies the user's rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain. For more information about security principals and how the security context is created, see Authorization and Access Control in this book.

About Services

Even though most Windows applications run in the security context of the user who starts them, this is not true of services. Many Windows services, such as network and printing services, are launched by the service controller when you start your computer. Services continue to run after the last human user logs off. Services have to log on to accounts to access domain resources just as human users and Windows XP Professional based computers do.

Note 

Services normally run in security contexts known as Local System, Network Service, or Local Service.

Before starting a service, the service controller logs on to the account designated for the service and presents the service's credentials for authentication by the LSA. For example, when a Windows XP Professional computer joins a domain, the messenger service on the computer connects to a domain controller and opens a secure channel to it. To obtain an authenticated connection, messenger must have credentials that the remote computer's LSA trusts. The LSA uses the credentials for the local computer's domain account, as do all other services running in the security context of the Local System.

Security Identifiers

The rights and permissions for a user, computer, or group are determined by access control lists (ACLs), which contain security identifiers (SIDs) for a user, computer, or group. A security identifier (SID) is a unique value that identifies a user, group, or computer account within an enterprise. Every account is issued a SID when it is created. Access control mechanisms in Windows XP Professional identify security principals by SID instead of by name. Thus, even if the name of a security principal changes, the SID remains the same.

In addition to your own unique SID, you are identified by the SIDs of the groups to which you belong. This information is stored in an access token, which encapsulates all data that relates to your identity and security context during a given session.

Access Tokens

An access token is recreated every time a security principal logs on, and contains the following information:

A copy of the access token is attached to every thread and process that the user runs. The security reference monitor (SRM) then compares the security IDs in the token with the security IDs for every file, folder, printer, or application that the user attempts to access. In this way, the access token provides a security context for the security principal's actions on the computer.

For more information about ACLs and SIDs, see Authorization and Access Control in this book.
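The following is an added example, not code from the Resource Kit: it reads the current access token the way the SRM sees it, listing the user SID, the group SIDs, and whether the well-known Everyone (S-1-1-0) and Authenticated Users (S-1-5-11) SIDs are present. It assumes Windows PowerShell on a current Windows release; the token layout it inspects is the one described above.

```powershell
# Added example: inspect the access token of the current logon session.
# Assumes Windows PowerShell (the .NET WindowsIdentity class is used);
# the same user-SID + group-SID structure applies to the token described above.

$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()

# ACLs store the SID, not the name; the name is only resolved for display.
"User: {0}  SID: {1}" -f $identity.Name, $identity.User.Value

# Group SIDs carried in the token. A SID that no longer resolves to a name
# still matches an ACE that references it, so it is listed as unresolved, not skipped.
foreach ($groupSid in $identity.Groups) {
    try {
        $name = $groupSid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $name = '<unresolved>'
    }
    "{0,-45} {1}" -f $groupSid.Value, $name
}

# Well-known SIDs mentioned in the text: Everyone and Authenticated Users.
$everyone  = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
"Token contains Everyone: {0}; Authenticated Users: {1}" -f `
    ($identity.Groups -contains $everyone), ($identity.Groups -contains $authUsers)

# Does this token carry administrative rights? Compare with the RunAs section,
# which recommends doing routine work with a token that does not.
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
"Administrator: {0}" -f $principal.IsInRole(
    [System.Security.Principal.WindowsBuiltInRole]::Administrator)
```

On a system with User Account Control, an administrator's non-elevated session reports Administrator: False because the Administrators group SID is present in that token only as a deny-only entry.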

Security Groups

Organizing users and other objects into groups simplifies access administration. Security groups can be described according to their scope (such as Global or Universal) or according to their purpose, rights, and role (such as the Everyone, Administrators, Power Users, or Users groups).

Using Microsoft Windows 2000 Server and Windows XP Professional security groups, you can assign the same security permissions to many users. This ensures consistent security permissions across all members of a group. Using security groups to assign permissions means that access control of resources remains constant and easy to manage and audit. By adding and removing users who require access from the appropriate security groups as needed, you can minimize the frequency of changes to ACLs.

Types of Logon

There are four types of logon processes in Windows 2000 Server and Windows XP Professional:

An interactive logon process confirms the user's identification to either a domain account or a local computer. This process differs, depending on whether the user account is local to the computer or resides in Active Directory:

Windows XP Professional can use a user principal name (UPN) to identify users in an interactive logon process.

If you want to log on to a Windows 2000 domain, and Logon domain does not appear in the dialog box, click the Options button to open an expanded dialog box. Or, type your user name and the Windows 2000 domain name as follows:

Tip 

The suffix in the preceding example is a fully qualified DNS domain name. An administrator might create an alternative suffix to simplify the logon process. For example, by creating a user principal name suffix of microsoft, the same user can log on by using the simpler address, user@microsoft.com.

Components Used in Interactive Logon

The interactive logon process in Windows XP Professional involves a number of components and a sequence of events that are not visible to the user. The logon process involves the following components, whose relationship to each other is illustrated in Figure 15-1.

Using RunAs to Start a Program

Administrators require a greater range of permissions than other users to perform their tasks, such as accessing files, installing and running applications, or modifying systems. However, running Windows XP Professional all the time as an administrator or a member of an administrative group makes the network more vulnerable to viruses, Trojan horses, and other security risks. To reduce risk, it is recommended that you perform non-administrative tasks by using accounts that have only Users or Power Users rights and use your Administrator account only when you perform administrative tasks.

You can use administrative rights and privileges even while logged on as a member of the Users or Power Users group. The RunAs program and the RunAs Service let you log on by using one security context and then, within the initial logon session, authenticate and use a second account. Figure 15-2 illustrates the RunAs dialog box.

Figure 15-2: RunAs dialog box

The RunAs Service logs on an account with expanded permissions. For example, when you log on as a member of the Users group, you can perform routine tasks such as running programs and visiting Internet sites without exposing your computer to unnecessary risk. As a member of the Power Users group, you can perform routine tasks and install programs, add printers, and use most Control Panel items. Then, when you use the RunAs program to log on as an administrator, you can start a program in the Administrators group security context. You can use the RunAs program to start any program, program shortcut, saved MMC console, or Control Panel item if the following conditions exist:

Note 

Some applications are started indirectly by Windows XP Professional and therefore cannot be started by the RunAs program.

To use RunAs to start a program as an administrator

  1. In Windows Explorer, click the program you want to open, such as an MMC console or Control Panel.

  2. Press SHIFT, right-click the program, tool, or item, and then click Run As.

  3. In the Run As dialog box, click The following user.

  4. In the User name and Password boxes, type the user name and password for the administrator account you want to use.

  5. In the Domain box, do one of the following:

You can perform a secondary logon from a command prompt by using the following syntax:

runas /user:domain_name\administrator_account program_name

If the Administrator account in the microsoft.com domain is named Administrator, you can use the following command to start MMC as Administrator:

runas /user:microsoft\administrator mmc 

If you attempt to start a program, an MMC console, or a Control Panel item from a network location by using the RunAs dialog box or command, it might fail if the credentials used to connect to the network share are different from the credentials used to start the program.

Note 

If the RunAs program fails, the RunAs Service might not be running. You can set the RunAs Service to start when the system starts by using the Services MMC snap-in.
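The following is an added example, not code from the Resource Kit: from a standard-user session it confirms that the Secondary Logon service is available, refuses to launch from a network path (the failure case noted above), and then starts MMC under a second account, which is the PowerShell equivalent of the runas command shown earlier. It assumes Windows PowerShell 5.1 or later and uses the service name seclogon, which is the Secondary Logon (RunAs) service; the account name is a placeholder.

```powershell
# Added example: secondary logon from PowerShell (not the Resource Kit's own code).
# Assumes Windows PowerShell 5.1+; 'seclogon' is the Secondary Logon (RunAs) service.

$program = 'mmc.exe'   # the tool to start; the earlier runas example also starts MMC

# The text warns that a program started from a network share can fail when the
# share was connected with different credentials, so insist on a local path.
if ($program -like '\\*') {
    throw "Start '$program' from a local path, not a network share."
}

# The RunAs Service must be running for a secondary logon to succeed.
$svc = Get-Service -Name seclogon
if ($svc.StartType -eq 'Disabled') {
    # Changing the startup type needs administrative rights (one-time, elevated step).
    Set-Service -Name seclogon -StartupType Manual
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name seclogon
}

# Prompt for the administrative account; the password is read into a SecureString
# rather than appearing in the script or the command line.
# Placeholder account name: replace DOMAIN\admin-account with the real one.
$cred = Get-Credential -UserName 'DOMAIN\admin-account' `
                       -Message 'Administrative account for this task only'

# Start the program in the second account's security context. The new process gets
# its own access token, built from that account's SID and group SIDs, while the
# current logon session keeps its standard-user token.
Start-Process -FilePath $program -Credential $cred
```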




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338