Chapter 16: Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI (4.0)




Overview

If you cannot correctly verify the identity of users on a network, there is no way to ensure that each user gets exactly the access they are entitled to, which is why authentication and authorization are among the most important steps in the security process. Authentication starts with the authentication protocol. By default, Microsoft Windows Server 2003 uses the Kerberos v5 authentication protocol. Kerberos is also supported by Windows 2000 Server and by clients running Microsoft Windows 2000 Professional and Windows XP Professional. Windows Server 2003 also supports both versions of NTLM (NTLM and NTLMv2), the protocol family used by Microsoft Windows NT 4.0 and earlier and by Windows 95, Windows 98, and Windows Millennium Edition. The protocol actually used is negotiated: Kerberos is attempted first, and NTLM is used if that fails. Which NTLM variant (LM, NTLM, or NTLMv2) the two sides will send and accept is governed by the LAN Manager authentication level security setting (the LmCompatibilityLevel registry value), so a fallback to NTLM is only as strong as that policy allows.
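Because the fallback is silent, the practical check is to audit the security log for which package each logon actually negotiated. The script below is an added example, not code from the training kit: it tallies logons by authentication package over a constructed sample patterned on the "Authentication Package" and "Package Name (NTLM only)" fields of a Windows logon success event (real events carry more fields and their layout varies by Windows version), and flags hosts that fell back to LM or NTLMv1.

```python
"""Tally which authentication package each network logon negotiated.

Added example, not from the training kit. SAMPLE_EVENTS is constructed
and only mimics the 'Authentication Package' / 'Package Name (NTLM only)'
fields of a Windows logon success event; real events have more fields.
"""
from collections import Counter

# Constructed sample: one event per blank-line-separated block, "Field: value" lines.
SAMPLE_EVENTS = """\
Logon Type: 3
Account Name: alice
Workstation Name: WKS01
Authentication Package: Kerberos
Source Network Address: 10.0.0.11

Logon Type: 3
Account Name: svc-backup
Workstation Name: SRV-NT4
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
Source Network Address: 10.0.0.50

Logon Type: 3
Account Name: bob
Workstation Name: WKS02
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
Source Network Address: 10.0.0.12

Logon Type: 3
Account Name: legacy
Workstation Name: WIN98-LAB
Authentication Package: NTLM
Package Name (NTLM only): LM
Source Network Address: 10.0.0.99
"""

# Variants that a LAN Manager authentication level of 3 or higher refuses to send.
WEAK_NTLM = {"LM", "NTLM V1"}


def parse_events(text):
    """Split the log text into events, each a dict mapping field name to value."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events


def classify(event):
    """Return the negotiated package: 'Kerberos', an NTLM variant name, or 'unknown'."""
    package = event.get("Authentication Package", "")
    if package == "Kerberos":
        return "Kerberos"
    if package == "NTLM":
        return event.get("Package Name (NTLM only)", "NTLM (version not recorded)")
    return "unknown"


def summarize(text):
    """Count logons per negotiated package and list (host, address, variant)
    for every logon that fell back to a weak NTLM variant."""
    events = parse_events(text)
    counts = Counter(classify(e) for e in events)
    weak = sorted(
        (e["Workstation Name"], e["Source Network Address"], classify(e))
        for e in events
        if classify(e) in WEAK_NTLM
    )
    return counts, weak


if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_EVENTS)
    for package, n in counts.most_common():
        print(f"{package:28s} {n}")
    for host, addr, variant in weak:
        print(f"WEAK: {host} ({addr}) authenticated with {variant}")
```

Hosts that show up in the weak list are the ones to fix before raising the LAN Manager authentication level domain-wide; otherwise they stop authenticating rather than silently becoming safer.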

Windows Server 2003 brings a large improvement to the configuration of trust relationships by introducing the forest trust. With a single forest trust, all domains in one forest trust all domains in another forest. This is vastly easier than it was in Windows NT 4.0, which had no forests at all, or in Windows 2000, where external trusts had to be created domain by domain. A forest trust requires both forests to be at the Windows Server 2003 forest functional level.

Now that cross-forest trusts are easier to configure, understanding group scopes is of greater importance. Domain local groups are used to assign permissions to resources within their own domain; they are also used to assign rights. Assigning permissions and rights to groups rather than to individual users simplifies administration. Global groups can be granted access throughout the forest, but they can only contain members from a single domain. Universal groups can contain members from any domain in the forest, including global groups and other universal groups, but not from other forests. When trust relationships exist, the only group scope that can contain users and groups from other forests is the domain local group.
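These nesting rules are easy to get wrong when a design spans a forest trust, so the following added example (not from the training kit) encodes them as a checker that lints a planned set of group memberships and reports each violation with its reason. It assumes every domain is at Windows 2000 native or Windows Server 2003 functional level, since universal groups and nesting of domain local groups need native mode; the forests, domains, and group names are invented.

```python
"""Lint planned group nestings against Windows Server 2003 group-scope rules.

Added example, not from the training kit. Assumes native-mode domains.
All principal, domain and forest names below are invented.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str    # "user" or "group"
    scope: str   # for groups: "domain local", "global" or "universal"; "" for users
    domain: str
    forest: str


def can_contain(group, member, trusted_forests):
    """Return (allowed, reason). trusted_forests are the forests the group's forest trusts."""
    if member.kind == "group" and member.scope == "domain local":
        if group.scope != "domain local":
            return False, "domain local groups cannot be members of global or universal groups"
        if member.domain != group.domain:
            return False, "a domain local group may only nest domain local groups from its own domain"
        return True, ""
    if group.scope == "global":
        if member.domain != group.domain:
            return False, "global groups accept members from their own domain only"
        if member.kind == "group" and member.scope != "global":
            return False, "global groups may nest other global groups only"
        return True, ""
    if group.scope == "universal":
        if member.forest != group.forest:
            return False, "universal groups accept members from their own forest only"
        return True, ""
    if group.scope == "domain local":
        if member.forest != group.forest and member.forest not in trusted_forests:
            return False, f"no trust to forest {member.forest}"
        return True, ""
    return False, f"unknown scope {group.scope!r}"


def check_plan(memberships, trusted_forests):
    """Return [(group name, member name, reason)] for every disallowed nesting."""
    violations = []
    for group, member in memberships:
        ok, why = can_contain(group, member, trusted_forests)
        if not ok:
            violations.append((group.name, member.name, why))
    return violations


# Constructed sample: forest contoso.com trusts forest fabrikam.com via a forest trust.
SALES_DL = Principal("Sales-Share-Modify", "group", "domain local", "corp.contoso.com", "contoso.com")
SALES_G = Principal("Sales-Staff", "group", "global", "corp.contoso.com", "contoso.com")
EU_G = Principal("EU-Sales", "group", "global", "eu.fabrikam.com", "fabrikam.com")
ALL_U = Principal("All-Sales", "group", "universal", "corp.contoso.com", "contoso.com")
ALICE = Principal("alice", "user", "", "eu.fabrikam.com", "fabrikam.com")

PLAN = [
    (SALES_DL, SALES_G),  # allowed: AGDLP inside one domain
    (SALES_DL, EU_G),     # allowed: global group from a trusted forest into a domain local group
    (ALL_U, EU_G),        # violation: universal groups stay within their own forest
    (SALES_G, ALICE),     # violation: global groups take members from their own domain only
    (SALES_G, ALL_U),     # violation: global groups nest only global groups
]

if __name__ == "__main__":
    for group, member, why in check_plan(PLAN, {"fabrikam.com"}):
        print(f"{group} <- {member}: {why}")
```

Run it against a proposed design before creating the groups; the three flagged rows are exactly the ones the directory would reject, and the two that pass are the AGDLP pattern the chapter recommends (accounts into global groups, global groups into domain local groups, permissions on the domain local group).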

Certification authorities (CAs) form the core of a public key infrastructure. Windows Server 2003 supports four CA configurations. For close integration of certificates with the Active Directory directory service, there are enterprise CAs, available in root and subordinate versions. When integration with Active Directory is not required, CAs can be configured as standalone; like the enterprise CA, the standalone CA is also available in root and subordinate versions. Best practice is to issue certificates from a subordinate CA and to use the root only to issue certificates to subordinate CAs, which also lets the root be kept offline. Understanding how all of these technologies interact forms a fundamental part of the knowledge required to pass the 70-299 exam.
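The root-signs-only-subordinates rule can be enforced in the certificates themselves through the basic constraints path length. The script below is an added example, not code from the training kit or from Windows Certificate Services: it builds a two-tier hierarchy with the third-party cryptography package (pip install cryptography), gives the root a path length of 1 and the subordinate a path length of 0, and checks that an end-entity certificate chains through the subordinate and that the subordinate cannot mint further CAs. Names and dates are invented.

```python
"""Two-tier CA hierarchy: a root that signs only a subordinate CA, and a
subordinate that issues end-entity certificates.

Added example, not from the training kit; uses the 'cryptography' package
(pip install cryptography) instead of Certificate Services. Names invented.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

NOT_BEFORE = datetime.datetime(2024, 1, 1)  # fixed so runs are reproducible


def new_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048, backend=default_backend())


def make_cert(subject, issuer_cert, issuer_key, public_key, ca, path_length, days):
    """Certificate for 'subject' signed by issuer_key; issuer_cert=None means self-signed."""
    subj = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)])
    issuer = issuer_cert.subject if issuer_cert is not None else subj
    builder = (
        x509.CertificateBuilder()
        .subject_name(subj)
        .issuer_name(issuer)
        .public_key(public_key)
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOT_BEFORE)
        .not_valid_after(NOT_BEFORE + datetime.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
    )
    return builder.sign(issuer_key, hashes.SHA256(), backend=default_backend())


def signed_by(cert, issuer_cert):
    """True if issuer_cert's public key verifies cert's signature (RSA PKCS#1 v1.5 as built above)."""
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def basic_constraints(cert):
    return cert.extensions.get_extension_for_class(x509.BasicConstraints).value


def may_issue_ca(cert):
    """Can this CA sign another CA? Only if it is a CA with path length left."""
    bc = basic_constraints(cert)
    return bc.ca and (bc.path_length is None or bc.path_length >= 1)


def build_hierarchy():
    root_key, sub_key, leaf_key = new_key(), new_key(), new_key()
    # Root: self-signed, long-lived, path_length=1 so exactly one tier of CAs may sit below it.
    root = make_cert("Contoso Root CA", None, root_key, root_key.public_key(), True, 1, 3650)
    # Subordinate: signed by the root, path_length=0 so it may issue end-entity certs only.
    sub = make_cert("Contoso Issuing CA", root, root_key, sub_key.public_key(), True, 0, 1825)
    # End-entity certificate comes from the subordinate, never from the root.
    leaf = make_cert("web01.contoso.com", sub, sub_key, leaf_key.public_key(), False, None, 365)
    return root, sub, leaf


def chain_is_valid(leaf, sub, root):
    """Leaf must chain to the root through the subordinate, with consistent CA flags."""
    return (signed_by(root, root) and signed_by(sub, root) and signed_by(leaf, sub)
            and may_issue_ca(root) and basic_constraints(sub).ca
            and not basic_constraints(leaf).ca)


if __name__ == "__main__":
    root, sub, leaf = build_hierarchy()
    print("chain valid:", chain_is_valid(leaf, sub, root))
    print("subordinate may issue further CAs:", may_issue_ca(sub))
```

The root's private key is touched only once here, to sign the subordinate; everything that handles day-to-day issuance holds the subordinate key, which is the property that makes an offline root practical.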






MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a Microsoft® Windows Server™ 2003 Network (Pro-Certification)
ISBN: 073562061X
Year: 2004
Pages: 217
