This book focuses on how Microsoft has provided built-in support for TSIs in the latest versions of its enterprise server operating system Windows Server 2003. These built-in TSI features are introduced in Section 1.6.1. We will also look at other Microsoft products that are not bundled with Windows Server 2003 and that can provide TSI services. These other Microsoft products will not be covered in detail in this book.
Table 1.6 shows the TSI building blocks that come bundled with the Windows Server 2003 server operating system. The table shows only the software that Microsoft sells as a product. It doesn’t show the free Microsoft tools—a good example is Microsoft Software Update Services (SUS).
Windows Feature | TSI Service | Discussed In |
---|---|---|
Kerberos authentication infrastructure | Authentication infrastructure | Chapter 5 |
Web server authentication infrastructure | Authentication infrastructure | Chapter 6 |
Passport authentication infrastructure | Authentication infrastructure | Chapter 7 |
Authorization manager and framework | Authorization infrastructure | Chapter 12 |
Malicious mobile code protection | Authorization and security administration infrastructure | Chapter 11 |
Public key infrastructure | Key management infrastructure | Chapters 13–16 |
Built-in auditing system | Auditing infrastructure | Chapter 18 |
Built-in Security Policy enforcement (using group policy objects) | Security administration infrastructure | Chapter 18 |
Security patch management | Security administration infrastructure | Chapter 18 |
Table 1.7 provides an overview of other Microsoft software products that can be used to provide TSI services. The Microsoft Identity Integration Server 2003 (MIIS), the Microsoft Operations Manager (MOM), the Microsoft Systems Management Server (SMS), the Microsoft Provisioning System (MPS), and Microsoft Services for UNIX are available now. TrustBridge is the name of a TSI product that will be released sometime near the end of 2003. TrustBridge will not be discussed in this chapter, but we will return to it in Chapter 9. The same is true for the Rights Management Service (RMS), which is discussed in Chapter 12, and Services for UNIX 3.0 (SFU 3.0), which is discussed in Chapter 8.
Microsoft Software | TSI Service | More Information At |
---|---|---|
Microsoft Identity Integration Server (MIIS)—formerly known as MMS | Identity, authentication and authorization data management—security management infrastructure | http://www.microsoft.com/windowsserver2003/technologies/directory/miis/default.mspx |
Microsoft Provisioning System (MPS) | Security management infrastructure—provisioning | http://www.microsoft.com/serviceproviders/mps |
Microsoft Operations Manager (MOM) | Security management and auditing infrastructure | http://www.microsoft.com/mom |
Microsoft Systems Management Server (SMS) | Security management and auditing infrastructure | http://www.microsoft.com/sms |
Microsoft Services for UNIX 3.0 (SFU 3.0) | Security management and authentication infrastructure | http://www.microsoft.com/windows/sfu |
TrustBridge (code name for product to be released in 2004) | Authentication and authorization infrastructure | http://www.microsoft.com/presspass/press/2002/jun02/06-06trustbridgepr.asp |
Rights Management Services | Authorization infrastructure | http://www.microsoft.com/windowsserver2003/technologies/rightsmgmt/default.mspx |
Microsoft Identity Integration Server 2003 (MIIS) is Microsoft’s metadirectory solution. MIIS was formerly called Microsoft Metadirectory Services (MMS). In the context of trusted security infrastructures, MIIS can be used as the central repository for security-related information such as identities and authorization data. Microsoft bought the core MIIS engine from a company called Zoomit back in 1999. MIIS stores and integrates information stored in different directories or data sources into a unified view called the metaverse. Figure 1.6 shows the MIIS architecture.
Figure 1.6: MIIS 3.0 architecture.
Besides the metaverse, you will notice two other typical MIIS terms in Figure 1.6: management agents and connector spaces. A connector space (CS) is a representation of the objects and their associated attributes from a connected system (an HR system, another directory, and so forth) in the MIIS data repository. A management agent (MA) is the mechanism that processes and replicates data between a connected system and its MIIS connector space. MIIS ships with the following MAs: Active Directory (AD), Active Directory Application Mode (ADAM), Attribute value pair text files, Delimited text files, Directory Services Markup Language (DSML), Fixed width text files, LDAP Directory Interchange Format (LDIF), Lotus Notes/Domino 4.6 and 5.0, Microsoft NT 4 Domains, Microsoft Exchange 5.5, 2000 and 2003, Microsoft SQL 7 and 2000, Novell eDirectory v8.6.2 and v8.7.
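To make the metaverse, connector space and management agent concepts concrete, here is a small added model of how a metadirectory joins identity data from two connected systems into one unified view. It is an illustration written for this chapter, not MIIS code: the HR and directory records, the attribute names, the join on an employee ID, the attribute precedence rule and the privileged-group list are all constructed assumptions. It also shows why a consolidated identity repository matters for a security infrastructure: once the data is joined, accounts with no owning HR record and privileged accounts of terminated employees fall out of a simple query.

```python
"""Toy metadirectory modelled on the MIIS concepts described above:
connected system -> management agent -> connector space -> metaverse.
Added illustration, not MIIS code; sample records, attribute names,
join rule and precedence are constructed assumptions.
"""
from dataclasses import dataclass, field

# Constructed sample data standing in for two connected systems.
HR_SYSTEM = [  # treated as the authoritative source for employment status
    {"employeeID": "1001", "givenName": "Ann", "sn": "Lee", "status": "active"},
    {"employeeID": "1002", "givenName": "Bob", "sn": "Ray", "status": "terminated"},
]
DIRECTORY = [  # an AD-like directory: account name, enabled flag, group membership
    {"employeeID": "1001", "sAMAccountName": "alee", "status": "enabled",
     "memberOf": ["Staff"]},
    {"employeeID": "1002", "sAMAccountName": "bray", "status": "enabled",
     "memberOf": ["Staff", "Domain Admins"]},
    {"employeeID": "9999", "sAMAccountName": "svc-old", "status": "enabled",
     "memberOf": ["Domain Admins"]},
]
PRIVILEGED_GROUPS = {"Domain Admins"}  # constructed for the example


@dataclass
class ManagementAgent:
    """Stages a connected system into its connector space (CS) and declares
    which CS attributes flow to which metaverse (MV) attributes."""
    name: str
    anchor: str            # CS attribute the join rule matches on
    flows: dict            # CS attribute -> MV attribute
    connector_space: list = field(default_factory=list)

    def import_from(self, records):
        # The connector space is a staged copy of the connected system's objects.
        self.connector_space = [dict(r) for r in records]


class Metaverse:
    """Unified view joined from several connector spaces."""

    def __init__(self, precedence):
        # precedence: MV attribute -> MA names, most authoritative first.
        self.precedence = precedence
        self.objects = {}

    def _rank(self, mv_attr, ma_name):
        order = self.precedence.get(mv_attr, [])
        return order.index(ma_name) if ma_name in order else len(order)

    def synchronize(self, agents):
        for ma in agents:
            for cs_obj in ma.connector_space:
                key = cs_obj[ma.anchor]
                # Join on the anchor; project a new MV object when none exists yet.
                mv = self.objects.setdefault(key, {"_sources": set(), "_contributor": {}})
                mv["_sources"].add(ma.name)
                for cs_attr, mv_attr in ma.flows.items():
                    if cs_attr not in cs_obj:
                        continue
                    # Attribute precedence: a less authoritative MA never
                    # overwrites a value supplied by a more authoritative one.
                    current = mv["_contributor"].get(mv_attr)
                    if current is None or self._rank(mv_attr, ma.name) < self._rank(mv_attr, current):
                        mv[mv_attr] = cs_obj[cs_attr]
                        mv["_contributor"][mv_attr] = ma.name
        return self.objects


def build_metaverse():
    hr_ma = ManagementAgent("HR", "employeeID",
                            {"givenName": "givenName", "sn": "sn", "status": "status"})
    ad_ma = ManagementAgent("AD", "employeeID",
                            {"sAMAccountName": "accountName", "status": "status",
                             "memberOf": "groups"})
    hr_ma.import_from(HR_SYSTEM)
    ad_ma.import_from(DIRECTORY)
    mv = Metaverse(precedence={"status": ["HR", "AD"]})
    # AD is processed first on purpose: HR still wins "status" through precedence.
    return mv.synchronize([ad_ma, hr_ma])


def find_anomalies(metaverse):
    """Checks a consolidated identity store makes cheap: directory accounts with
    no HR record, and privileged accounts belonging to terminated employees."""
    orphaned, terminated_privileged = [], []
    for obj in metaverse.values():
        if "AD" in obj["_sources"] and "HR" not in obj["_sources"]:
            orphaned.append(obj["accountName"])
        if obj.get("status") == "terminated" and PRIVILEGED_GROUPS & set(obj.get("groups", [])):
            terminated_privileged.append(obj["accountName"])
    return {"orphaned": orphaned, "terminated_privileged": terminated_privileged}


if __name__ == "__main__":
    mv = build_metaverse()
    for key, obj in sorted(mv.items()):
        print(key, obj.get("accountName"), obj.get("status"), sorted(obj["_sources"]))
    print(find_anomalies(mv))
```

The precedence rule is the part worth noticing: the directory reports every account as enabled, but because HR is declared authoritative for the status attribute the metaverse records employee 1002 as terminated, and the anomaly query then flags that account's Domain Admins membership. Account 9999 has no HR counterpart at all and is reported as orphaned.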
Microsoft also provides a free, reduced-functionality version of MIIS: the Identity Integration Feature Pack. This add-on package for Windows Server 2003 can synchronize identity information between AD, AD Application Mode (ADAM), Exchange 2000 Server and Exchange Server 2003. It can also automate the provisioning of identity data between these different data sources. You can download it from http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en.
Figure 1.7: MOM architecture.
Microsoft Operations Manager (MOM) is Microsoft’s solution for enterprise-wide event and performance management. In the context of trusted security infrastructures, MOM can be used to build a centralized auditing infrastructure. Microsoft licensed MOM’s core engine from NetIQ and rebranded it. MOM’s highly flexible and distributed architecture is illustrated in Figure 1.7.
Out-of-the-box, MOM includes agents for the following platforms, applications, and services (as part of the base management pack): Windows 2000, Active Directory, Internet Information Server, Windows 2000 Terminal Server, Distributed Transaction Coordinator, WINS, DHCP, RRAS, Transaction Server, Message Queue Server, DNS, MOM, and SMS. MS also provides optional agents (as part of application management packs) for the following MS applications: Exchange, SNA Server, ISA Server, Proxy Server, SQL Server, Commerce Server, Site Server, and BizTalk Server. Other agents covering many more applications and platforms (including non-Microsoft platforms and applications) are available from third-party software vendors.
The functionality of Microsoft’s Systems Management Server (SMS) is often confused with the functionality of Microsoft’s MOM. Although there are some small overlaps, the two products have different focus areas. Whereas MOM focuses on performance monitoring and log consolidation, SMS’s key strengths are in the areas of software distribution, hardware and software inventories, and help desk functions.
The latest SMS release is SMS 2003, which Microsoft released in late 2003. Many enterprises are still using SMS 2.0. In 2003 Microsoft released an interesting add-on called the Software Update Services (SUS) Feature Pack, which specifically extends SMS 2.0’s capabilities in the security patch management space for the Windows OSs and the MS Office applications. The SUS Feature Pack functionality is included out-of-the-box in SMS 2003.
Figure 1.8 gives an overview of the SMS architecture. As with MOM, this architecture is highly flexible and distributed. Figure 1.8 does not show SMS’s hierarchical site capabilities, which consist of primary and secondary sites.
Figure 1.8: SMS architecture.
The Microsoft Provisioning System (MPS) is Microsoft’s provisioning solution. It is built on Microsoft-centric XML technology and provides a provisioning solution for some of the core Microsoft applications such as Active Directory, Exchange, FrontPage, SharePoint Team Services, and IIS. MPS can be extended to cover other applications as well (by building custom MPS providers). Figure 1.9 gives an overview of the MPS architecture. MPS is not a true Microsoft product offering, but rather a collection of different Microsoft technologies. It is currently available only through specific Microsoft partners such as eQuest Technologies (more information is available at http://www.eqinc.com/Servs/Microsoft%20Provisioning%20System%20Development.htm).
Figure 1.9: MPS architecture.