Exam Objectives Fast Track

Network Authentication in Windows 2000

  • Windows 2000 supports five methods of authenticating user identity:

    • Windows NTLM

    • Kerberos v5

    • Distributed Password Authentication (DPA)

    • Extensible Authentication Protocol (EAP)

    • Secure Channel (Schannel)

  • Windows 2000 uses only NTLM and Kerberos for network authentication. DPA, EAP, and Schannel are for authentication over dial-up connections or the Internet.

  • Windows NT 4.0 uses Windows NTLM as the default network authentication protocol. For that reason, NTLM is still available in Windows 2000 to maintain backward compatibility with previous versions of Microsoft operating systems. It is also used to authenticate logons to Windows 2000 standalone computers.

  • Kerberos is the default network authentication protocol for Windows 2000. Kerberos is a widely used authentication protocol based on an open standard. All Windows 2000 computers use Kerberos v5 in the network environment, except in these situations:

    • Windows 2000 computers use NTLM when they authenticate to Windows NT 4.0 servers

    • Windows 2000 computers use NTLM when they access resources in Windows NT 4.0 domains

    • Windows 2000 domain controllers use NTLM when authenticating Windows NT 4.0 clients

    • Logging in locally to a Windows 2000 domain controller

  • NTLM suffers in comparison to Kerberos for several reasons:

    • Authentication with NTLM is slower than with Kerberos

    • NTLM performs one-way authentication only, which allows server spoofing

    • NTLM trusts are one-way and non-transitive and thus harder to manage

    • NTLM is proprietary and not compatible with non-Microsoft networks

Kerberos Overview

  • Kerberos operates on the assumption that the initial transactions between clients and servers are done on an unsecured network.

  • Kerberos depends on shared secrets to perform its authentication.

  • An authenticator is unique information encrypted in the shared secret.

  • The KDC, the trusted authority used in Kerberos, maintains a database with all account information for principals in the Kerberos realm. A principal is a uniquely named entity that participates in network communication; a realm is an organization that has a Kerberos server.

  • Another key used with the KDC is the session key, which the KDC issues when one principal wants to communicate with another principal. For example, if a client wants to communicate with a server, the client sends the request to the KDC, and the KDC in turn issues a session key so that the client and server can authenticate with each other. Each portion of the session key is encrypted in the respective portion of the long-term key for both the client and server.
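The KDC, long-term keys, session key and authenticator described above, as an added simulation that is not part of the study guide or of Windows 2000: a toy authenticated cipher stands in for the real Kerberos encryption types, the principal names, passwords and SID are constructed, and the ticket also carries authorization data (SIDs) as the Microsoft ticket does. The final step shows the mutual authentication that NTLM lacks: the server proves knowledge of the session key, which it can only obtain by decrypting the ticket with its own long-term key.

```python
import hashlib, hmac, json, os, time

def ltk(password: str) -> bytes:  # long-term key = the principal's shared secret
    return hashlib.sha256(password.encode()).digest()

def _ks(key, iv, n):  # SHA-256 counter keystream of at least n bytes
    return b"".join(hashlib.sha256(key + iv + bytes([i])).digest() for i in range(n // 32 + 1))

def enc(key: bytes, obj) -> bytes:
    # Toy authenticated cipher (constructed here, not a real Kerberos etype):
    # keystream XOR plus an HMAC tag so a wrong key is detected, not ignored.
    pt, iv = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, iv, len(pt))))
    return iv + ct + hmac.new(key, iv + ct, hashlib.sha256).digest()

def dec(key: bytes, blob: bytes):
    iv, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, iv, len(ct)))))

def kdc_issue(db, client, server, sids):
    # One session key, encrypted twice: under the client's long-term key and,
    # inside the ticket, under the server's. The ticket also carries the SIDs.
    sk = os.urandom(32).hex()
    return (enc(db[client], {"sk": sk, "server": server}),
            enc(db[server], {"sk": sk, "client": client, "sids": sids}))

def client_request(client_key, for_client, ticket, client):
    sk = bytes.fromhex(dec(client_key, for_client)["sk"])
    # Authenticator: unique data (name + timestamp) encrypted in the session key.
    return sk, ticket, enc(sk, {"client": client, "ts": time.time()})

def server_accept(server_key, ticket, authenticator, skew=300):
    t = dec(server_key, ticket)  # only the genuine server can open the ticket
    sk = bytes.fromhex(t["sk"])
    a = dec(sk, authenticator)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > skew:
        raise ValueError("authenticator mismatch or outside clock skew")
    # Mutual authentication: prove knowledge of the session key to the client.
    return t["sids"], enc(sk, {"ts": a["ts"]})

def run_exchange(db, client, server, sids=("S-1-5-21-EXAMPLE-513",)):
    for_client, ticket = kdc_issue(db, client, server, list(sids))
    sk, ticket, auth = client_request(db[client], for_client, ticket, client)
    seen, proof = server_accept(db[server], ticket, auth)
    return {"server_sids": seen, "mutual": "ts" in dec(sk, proof)}

DB = {"alice": ltk("alice-pw"), "fileserver": ltk("svc-pw")}  # constructed KDC database
```

A host that does not hold the server's long-term key cannot open the ticket, so `server_accept` raises instead of accepting the client; that is the server-spoofing case the NTLM comparison refers to.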

Kerberos in Windows 2000

  • The KDC service runs on every Windows 2000 domain controller. This eliminates a single point of failure for the KDC service (unless, of course, you only have one domain controller).

  • Policy for Kerberos in Windows 2000 is set at the domain level through the Default Domain Policy group policy object.

  • Unlike standard Kerberos, which supports two methods of delegation (proxiable tickets and forwardable tickets), Microsoft Kerberos supports forwardable tickets only.

  • Kerberos verifies users' identities, but does not authorize which resources they can use.

  • The authorization data field in a Microsoft Kerberos ticket contains a list of user SIDs and group SIDs for the user.

  • An access token is created after the credentials in a session ticket have been verified. This information is used to construct an impersonation token for accessing services on the server. The impersonation token is presented to the service, and as long as the information presented matches the ACL for the service, access is granted.

Configuring Kerberos Trusts

  • In order for users in one Windows NT domain to access resources in another, administrators of the two domains had to set up an explicit trust relationship. These trusts were one-way; if the administrators wanted a reciprocal relationship, two separate trusts had to be created because these trusts were based on the NTLM security protocol, which does not include mutual authentication.

  • In Windows 2000 networks, with the Kerberos protocol, all trust relationships are two-way and transitive, and an implicit, automatic trust exists between every parent and child domain; it is not necessary for administrators to create these trusts. This transitive state comes about through the use of the Kerberos referral; as a result, every domain in a tree implicitly trusts every other domain in that tree.

  • Shortcut trusts are two-way transitive trusts that allow you to shorten the path in a complex forest. Administrators must explicitly create these trusts to establish a direct trust relationship between Windows 2000 domains in the same forest. A shortcut trust is used to optimize performance and shorten the trust path that Windows 2000 security must take for authentication purposes. The most effective use of shortcut trusts is between two domain trees in a forest.

  • Shortcut trusts are one of the two types of explicit domain trusts that can be established in Windows 2000; the other is the external trust used to establish a trust relationship with domains that are not part of the forest. The external trust is one-way and non-transitive, as in NT 4.0 domain models. However, as with NT, two one-way trusts can be established if a two-way relationship is desired.

  • Active Directory automatically creates the parent/child and tree root trusts. You must manually create all shortcut and external trusts.

  • Trusts can be created from the command prompt using Netdom or from the GUI using the Active Directory Domains and Trusts snap-in.
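The trust-path rules from this section, as an added model that is not from the study guide or from Windows: a constructed two-tree forest with automatic parent/child and tree-root trusts, a one-way non-transitive external trust to an NT 4.0 domain, and an optional shortcut trust between the two trees. The search walks from the resource domain toward the account domain and treats a non-transitive trust as usable only as a direct, single hop, so it shows both why the shortcut trust shortens the referral path and why the external trust cannot be chained.

```python
from collections import deque

def add_trust(trusts, trusting, trusted, two_way=True, transitive=True):
    # Edge direction: 'trusting' accepts authentication from 'trusted'.
    trusts.setdefault(trusting, []).append((trusted, transitive))
    if two_way:
        trusts.setdefault(trusted, []).append((trusting, transitive))

def trust_path(trusts, resource_domain, account_domain):
    # Breadth-first search over trust edges from the resource domain toward
    # the account domain; returns the referral path or None if no trust exists.
    if resource_domain == account_domain:
        return [resource_domain]
    # A non-transitive (external) trust works only as a direct, single hop.
    for nxt, _transitive in trusts.get(resource_domain, []):
        if nxt == account_domain:
            return [resource_domain, nxt]
    queue, seen = deque([[resource_domain]]), {resource_domain}
    while queue:
        path = queue.popleft()
        for nxt, transitive in trusts.get(path[-1], []):
            if not transitive or nxt in seen:
                continue  # cannot extend a path through a non-transitive trust
            seen.add(nxt)
            if nxt == account_domain:
                return path + [nxt]
            queue.append(path + [nxt])
    return None

def build_forest(shortcut=False):
    # Constructed forest: tree 1 rooted at corp.example, tree 2 at partner.example.
    t = {}
    add_trust(t, "corp.example", "sales.corp.example")        # parent/child
    add_trust(t, "corp.example", "eng.corp.example")          # parent/child
    add_trust(t, "eng.corp.example", "dev.eng.corp.example")  # parent/child
    add_trust(t, "corp.example", "partner.example")           # tree-root trust
    # External trust to an NT 4.0 domain: one-way and non-transitive.
    add_trust(t, "corp.example", "NT4DOM", two_way=False, transitive=False)
    if shortcut:  # explicit shortcut trust between the two trees
        add_trust(t, "dev.eng.corp.example", "partner.example")
    return t

def hops(trusts, resource_domain, account_domain):
    p = trust_path(trusts, resource_domain, account_domain)
    return None if p is None else len(p) - 1
```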

Configuring User Authentication

  • LM authentication is the least secure Windows 2000 authentication model. It is the default for Windows 95 and Windows 98 clients.

  • NTLM version 1 is the default authentication method for Windows NT 4.0. It is more secure than LM but less secure than Kerberos, and it authenticates only the client, not the server. Kerberos is the default authentication method for Windows 2000.

  • NTLM version 2 is more secure than NTLM version 1 or LM. Windows 9.x and Windows NT 4.0 clients can be configured to use NTLMv2. We have to make a registry change to both platforms in order for them to use NTLMv2. Windows 9.x clients also need the directory services clients installed, whereas NT 4.0 clients must have SP 4 or above installed.

  • NTLM authentication is slower than Kerberos authentication.

  • NTLM performs one-way authentication. Kerberos provides mutual (two-way) authentication.

  • NTLM trusts are one-way and nontransitive. Kerberos trusts are two-way and transitive.

  • NTLM is proprietary and not compatible with non-Microsoft networks.

  • Kerberos is a private (shared secret) key encryption protocol.

  • Windows 2000 domain controllers run the Kerberos server service, which allows Kerberos passwords and identities to be stored in Active Directory.

Configuring Web Authentication

  • Web authentication can be provided by many mechanisms, including:

    • Anonymous authentication

    • Digest authentication

    • Integrated Windows authentication

    • Certificate mapping

    • SSL

  • SSL and TLS are public key-based security protocols. If supported by your Web browser and server, SSL and TLS provide mutual authentication, message integrity, and confidentiality.

  • Most Web authentication problems can be traced to incorrectly configured (or missing) user accounts or to a lack of required client credentials.



MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
Year: 2003
Pages: 162
