Authentication allows network administrators to establish who is accessing the network and to design restrictions so that each authenticated user can reach only the areas of the network intended for them. A poor authentication design cuts both ways: legitimate users might be unable to log on when they need to (for example, when the only domain controller they can find is across a failed WAN link), while weak authentication protocols leave credentials exposed to attackers who can capture and crack them.
After this lesson, you will be able to
- Determine business and technical requirements that will affect your authentication design for a Windows 2000 network
Estimated lesson time: 20 minutes
Determining Business and Technical Requirements
When designing authentication for your Windows 2000 network, you must meet certain business and technical requirements. These requirements define how you can make sure that authentication mechanisms are secured within a Windows 2000 network. The business requirements include these areas:
- Many organizations require that all projects should ultimately reduce the company's total cost of ownership. You can do this by using Group Policy to enforce standardized security configurations. In a Windows NT 4.0 network, you had to edit the registry manually to apply many advanced security settings, which meant an administrator either connected to each computer's registry remotely or visited and configured each computer in the domain by hand, and nothing corrected a setting that was later changed. With Group Policy, Windows 2000 ensures that common registry modifications are enforced centrally from Active Directory and reapplied at every policy refresh.
- Identify security risks in the network. In a Windows NT network, many client computers were unable to use more secure methods of authentication. (Unless otherwise noted, "Windows NT" refers to versions 3.51 and 4.0.) For example, Windows 95 and Windows 98 clients use LAN Manager (LM) authentication. LM authentication gives attackers an easy way to crack passwords because the LM hash is weak by construction: the password is converted to uppercase, padded with nulls to 14 characters, and split into two 7-character halves, each of which is used separately as a DES key to encrypt a fixed string. An attacker who captures the hash can therefore crack each half on its own, so the work is roughly twice that of searching a 7-character space rather than that of searching a 14-character space, case carries no entropy, and a password of 7 characters or fewer shows a recognizable constant as its second half. With the Directory Services Client installed, Windows 95 and Windows 98 clients can use the NTLMv2 authentication protocol, which gives higher authentication security and reduces the risk of password cracking. Installing the client only adds the capability, however: the client must also be configured to send NTLMv2 responses (the LMCompatibility registry value on Windows 95 and Windows 98), and DCs must be configured to refuse LM responses; otherwise clients continue to send the weaker LM response alongside the stronger one.
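The registry settings that the Group Policy and NTLMv2 points above come down to, shown here as an added example in .reg file form for machines that Group Policy cannot reach (Windows NT 4.0 SP4 or later and Windows 95/98 with the Directory Services Client). On Windows 2000 the same server-side value is set through the Group Policy security option "LAN Manager Authentication Level". The value names and paths are Microsoft's; the levels chosen and the decision to refuse LM and NTLM outright are assumptions about an environment in which every client already sends NTLMv2, and should be verified against Microsoft's NTLMv2 documentation before deployment:

```reg
Windows Registry Editor Version 5.00

; Weak default on a Windows NT 4.0 / Windows 2000 domain controller:
; level 0 sends and accepts LM and NTLM responses, so captured LM hashes
; can be cracked half by half as described above.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000

; Corrected setting for the same domain controller (example choice):
; 3 = send only NTLMv2; 4 = additionally refuse LM; 5 = refuse LM and NTLM.
; Level 5 is only safe once every client has been confirmed to send NTLMv2.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000005

; Windows 95/98 client with the Directory Services Client installed:
; the client keeps sending LM until this value is set to 3 (NTLMv2 only).
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA]
"LMCompatibility"=dword:00000003
```

Import each fragment only on the machine type it is written for; the Windows 95/98 value name differs from the Windows NT one and takes only the values 0 and 3. Raise the domain controller level in steps (3, then 4, then 5) and check for logon failures from remaining down-level clients between steps.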
In addition to business requirements, technical requirements also play a part in the design of your network's authentication strategy. These technical requirements might include the following:
- Network authentication must be available even if WAN links are not. By deploying Domain Name System (DNS) servers, domain controllers (DCs), and global catalog servers at each remote site, you ensure that each site has the services needed to provide local authentication. All three matter: clients locate DCs through DNS service (SRV) records, so a site whose only DNS server sits across a failed WAN link cannot find its local DC, and in a native-mode forest with more than one domain, a DC must contact a global catalog to evaluate universal group membership at logon. While only Windows 2000 clients are site-aware by default, installing the Directory Services Client software on Windows 95, Windows 98, and Windows NT 4.0 clients makes these down-level client systems site-aware.
- Network authentication must occur quickly. When authentication takes place over WAN links, authentication performance suffers. By ensuring that all clients are site-aware, you ensure that the clients will attempt to find network services on their local segment of the network. This solution requires you to deploy the Directory Services Client software to all down-level clients and to deploy Active Directory sites correctly.
- DCs must not be overloaded with authentication requests. Microsoft provides a tool known as the Active Directory Sizer (ADSizer), which helps you plan the number of DCs your network requires and the processor and memory each one needs, based on the number of users, their logon patterns, and the sites you define.
You can get the ADSizer tool by going to www.microsoft.com and searching for "ADSizer tool."
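The site-aware lookup described in the two requirements above works through DNS SRV records: a site-aware client first queries a site-specific name and falls back to the domain-wide name only if that query returns nothing, whereas a client that does not know its site goes straight to the domain-wide name and may be handed a DC across the WAN. The following is an added example that models that behavior; it is not code from the training kit or from Windows. The record names follow the Windows 2000 DC locator's naming scheme, but the domain, site and host names and the SRV answers are constructed for the example, and the selection among equal-priority records follows the standard SRV weighting rule:

```python
"""Model of how a Windows 2000 client locates a domain controller through DNS.

Added example (not from the training kit). corp.example.com, the sites
Seattle and London, and the host names are invented; SRV_RECORDS stands in
for the answers a real DNS server would return.
"""
import random

# Constructed SRV answers: query name -> list of (priority, weight, port, target).
SRV_RECORDS = {
    "_ldap._tcp.Seattle._sites.dc._msdcs.corp.example.com": [
        (0, 100, 389, "sea-dc1.corp.example.com"),
        (0, 100, 389, "sea-dc2.corp.example.com"),
    ],
    "_ldap._tcp.London._sites.dc._msdcs.corp.example.com": [
        (0, 100, 389, "lon-dc1.corp.example.com"),
    ],
    # Domain-wide record: every DC in the domain, regardless of site.
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        (0, 100, 389, "sea-dc1.corp.example.com"),
        (0, 100, 389, "sea-dc2.corp.example.com"),
        (0, 100, 389, "lon-dc1.corp.example.com"),
    ],
}


def query_names(domain, site=None):
    """Names the locator tries, in order.

    A site-aware client (Windows 2000, or a down-level client with the
    Directory Services Client) knows its site and asks for that site's DCs
    first; a client without site awareness only has the domain-wide name.
    """
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    return names


def select_target(records, rng=random.random):
    """Pick one SRV target: lowest priority wins, weight decides among equals."""
    lowest = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == lowest]
    total = sum(r[1] for r in candidates)
    pick = rng() * total
    running = 0
    for _priority, weight, _port, target in candidates:
        running += weight
        if pick < running:
            return target
    return candidates[-1][3]  # all weights zero, or rng returned exactly 1.0


def locate_dc(domain, site=None, records=SRV_RECORDS, rng=random.random):
    """Return (query name that answered, chosen DC), or (None, None)."""
    for name in query_names(domain, site):
        answers = records.get(name)
        if answers:
            return name, select_target(answers, rng)
    return None, None


if __name__ == "__main__":
    # A London client with site awareness stays local; without it, the same
    # client may be sent to a Seattle DC over the WAN.
    print("site-aware London client:", locate_dc("corp.example.com", "London"))
    print("site-unaware London client:", locate_dc("corp.example.com"))
    # A site that has no DCs of its own falls through to the domain-wide record.
    print("client in a site without DCs:", locate_dc("corp.example.com", "Paris"))
```

Running the block several times shows the site-unaware client bouncing between DCs in both sites, which is the WAN-crossing behavior the Directory Services Client is deployed to remove. A site with no DCs of its own still resolves, but to a remote DC, which is why the first requirement pairs site awareness with placing DCs, DNS and global catalog servers in each site.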
You must design authentication for your network to meet all business and technical objectives defined by your organization. These objectives provide the framework for your design. If you don't meet all of them, it's quite possible that you will face a redesign in the near future, so make sure you have collected every business and technical objective before completing your authentication design.