Chapter 8: Configuring Secure Network and Internet Authentication Methods

Introduction

Previous chapters of this book examined ways to keep networks and systems secure from a variety of threats by implementing security configurations aimed at protecting traffic on a network. This chapter examines the concept of authentication: ensuring that users and servers are who they claim to be.

When Windows NT 4.0 and Windows 95 still had a major share of corporate networks, security analysts used NT LAN Manager (NTLM) for authentication and hoped it worked. Truth be told, there were not many other easily implemented or understood solutions. With Windows 2000, this no longer holds true. Windows 2000 provides fully integrated Kerberos authentication support natively in all Windows 2000 Active Directory organizations. Although NTLM and NTLMv2 can still be used, they are not necessary in a purely Windows 2000 network. Networks containing legacy clients such as Windows NT or Windows 9x computers, however, are forced to utilize NTLMv2 for authenticating these clients.

Likewise, when it came time to authenticate users who were accessing Web sites, security analysts often relied on anonymous authentication and basic authentication. Anonymous authentication simply directs all user access attempts at a Web site towards one specially configured domain user account that has limited permissions. Basic authentication provides more control, such as over what Web site users can and cannot do, but transmits credentials across the Internet as encoded, unencrypted plaintext. Windows 2000 provides fairly robust Web authentication methods, including anonymous and basic authentication as well as more advanced methods such as digest authentication, integrated Windows authentication, and client certificate mapping. Each of these Web authentication methods is described in detail in this chapter, which discusses the strengths and weaknesses of each as well as how to configure and implement them.
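The difference between "encoded" and "encrypted" credentials can be checked from the defender's side. The following Python sketch is an added example, not code from the book: it classifies the `Authorization` header of a captured HTTP request and reports whether the password is readable by anyone on the network path. The function name `audit_authorization`, the host `intranet.example`, and all sample requests and credentials are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample requests (not from the book); credentials are made up.
BASIC = ("GET /reports HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
         + base64.b64encode(b"alice:Spring:2003").decode() + "\r\n\r\n")
DIGEST = ('GET /reports HTTP/1.1\r\nHost: intranet.example\r\n'
          'Authorization: Digest username="alice", realm="example", '
          'nonce="abc123", uri="/reports", response="0f1e2d3c"\r\n\r\n')
ANONYMOUS = "GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
MALFORMED = "GET / HTTP/1.1\r\nAuthorization: Basic !!!not-base64\r\n\r\n"


def audit_authorization(raw_request: str, over_tls: bool) -> dict:
    """Report which scheme a request used and what an on-path observer learns."""
    result = {"scheme": "anonymous", "user": None, "password_exposed_on_wire": False}
    header = re.search(r"^Authorization:[ \t]*(\S+)[ \t]*(.*)$", raw_request,
                       re.IGNORECASE | re.MULTILINE)
    if not header:
        return result  # no credentials sent: the server's anonymous account applies
    scheme, params = header.group(1).lower(), header.group(2).strip()
    result["scheme"] = scheme
    if scheme == "basic":
        try:
            # Base64 is an encoding, not encryption: decoding needs no key.
            decoded = base64.b64decode(params, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = ""
        # Split on the first colon only; a password may itself contain colons.
        user, colon, _password = decoded.partition(":")
        if not colon:
            result["scheme"] = "basic-malformed"
            return result
        result["user"] = user
        result["password_exposed_on_wire"] = not over_tls
    elif scheme == "digest":
        # Digest sends the user name and a hash response, never the password.
        name = re.search(r'username="([^"]*)"', params)
        result["user"] = name.group(1) if name else None
    return result


if __name__ == "__main__":
    for label, request in [("basic", BASIC), ("digest", DIGEST),
                           ("anonymous", ANONYMOUS), ("malformed", MALFORMED)]:
        print(label, audit_authorization(request, over_tls=False))
```

Other schemes, such as the `Negotiate` and `NTLM` headers used by integrated Windows authentication, are reported by name only, since this sketch does not parse their tokens.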

The last item examined in this chapter is the concept of Kerberos trusts and how they are implemented between domains in Windows 2000. You will see that Kerberos provides a more secure and robust solution for creating trusts between domains with its default of two-way transitive trusts. Thanks to this feature, it is easier than ever before to share resources between domains.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
