Chapter Summary

Authentication is the process of proving your identity. In Windows networks, users frequently authenticate themselves using a user name and password pair. How the user name and password are communicated across the network has changed with different versions of Windows.

Earlier versions of Windows use LM authentication, which is still supported by Windows Server 2003 for backward compatibility but carries with it potential security vulnerabilities. LM authentication should be disabled whenever compatibility with Windows 95 or Windows 98 is not required.

If LM authentication cannot be disabled, the storage of the LMHash can be avoided for specific user accounts by using passwords that have more than 14 characters or passwords that contain special ALT characters.

Newer versions of Windows use NTLMv1, NTLMv2, or Kerberos authentication. The Kerberos protocol is designed to be more secure and scalable than NTLM authentication.

Local passwords are stored and maintained by the Local Security Authority (LSA). The LSA is responsible for managing local security policies, authenticating users, creating access tokens, and controlling audit policies.

The Windows Server 2003 Resource Kit includes the Kerbtray.exe, Klist.exe, and CmdKey.exe tools for troubleshooting Kerberos authentication problems.

Use security policy settings to configure authentication requirements.

Implement a strong password policy in your organization to reduce the likelihood that your users’ credentials will be compromised.

Although you can enforce complex passwords by using security policy in Windows Server 2003 Active Directory, employee education is the only way to keep users from writing down passwords or using discoverable personal information in passwords.

An account lockout policy prevents malicious attackers from logging on by continually guessing passwords; however, it enables malicious attackers to perform denial-of-service attacks that deny valid users from successful authentication.

Kerberos ticket lifetimes must be short enough to prevent attackers from cracking the cryptography that protects the ticket’s stored credentials but long enough to minimize the number of tickets that clients request.

Use delegated authentication and constrained delegation as strategies for implementing supplemental authentication where required.

Any application that has the Certified for Windows Server 2003 logo has been tested to ensure that it will function in environments that require multifactor authentication.

Web users have special authentication considerations. Specifically, you must choose whether anonymous access will be allowed, and which account will be used to access resources on behalf of anonymous users. If anonymous access is not allowed, you will be using delegated authentication.

Web users have four choices for Web authentication methods: Basic Authentication, Digest Authentication For Windows Domain Servers, Integrated Windows Authentication, and .NET Passport Authentication.

Use delegated authentication, and the more granular constrained delegation, when front-end servers must access back-end services on behalf of authenticated users.

A trust is a relationship that is established between domains that enables security principals from one domain to be authenticated by domain controllers in another domain.

Use Active Directory Domains And Trusts to create trust relationships between forests or between domains in the same forest.

When all domain controllers within a domain are running Windows Server 2003, raise the domain functional level to Windows Server 2003.

The following are valid types of trusts:

• Parent/child

• Tree/root

• External

• Realm

• Forest

• Shortcut

The following are valid authentication protocols that can be used between trusts:

• NTLM

• Kerberos

You can use SID filtering to prevent SID spoofing. SID filtering enables administrators to discard credentials that use SIDs that are likely candidates for spoofing.