Lesson 2: Supporting Macintosh Clients
Windows 2000 includes strong support for Macintosh clients by supporting the Apple File Protocol (AFP) as a native networking protocol. AFP is the file sharing protocol used by Apple products. Installing Services for Macintosh on Windows 2000 servers allows them to share files seamlessly with Macintosh clients.
Apple authentication is weak by default, but can be strengthened to NTLM version 2 by installing the Microsoft User Authentication Module (UAM).
A Macintosh client
Supporting Macintosh Computers Securely
Because Macintosh computers present their passwords without encryption by default, a malicious user can easily sniff them on the network. In addition, to validate plaintext passwords, you must enable password storage using reversible encryption on domain controllers, which puts passwords at risk of decryption if the server is physically compromised.
In Windows 2000, AFP can be used with TCP/IP as well as AppleTalk, so AppleTalk is not necessary if all Macintosh clients are TCP/IP capable.
Both of these problems can be solved by installing the Microsoft User Authentication Module (UAM) on Macintosh clients that need to attach to the domain. The UAM implements NTLM version 2 with 128-bit encryption, and eliminates the requirement for storing passwords using reversible encryption. To provide secure Macintosh service, install the latest UAM on every Macintosh client and configure servers to require NTLM version 2 authentication.
When you install Services for Macintosh, the installer creates a Macintosh-compatible share called the Microsoft UAM Volume. An earlier version of the UAM is installed in this share, which allows Mac OS 8 and 9 computers to connect to the server and download the UAM easily. The current UAM, which is compatible with NTLM version 2, is not installed by default.
Servers that are already secured to require NTLM version 2 authentication will not allow Macintosh clients to connect to this share to obtain the UAM. Rather than reducing server security to deploy the UAM, solve this problem by downloading the UAM client directly from Microsoft through the client's Web browser. Automate the deployment by e-mailing Macintosh users a link to the file and letting them install it themselves.
The current version of the UAM provides NTLM version 2 128-bit encryption for Macintosh clients. There are two versions of the UAM:
UAM for Mac OS 8.5 through 9.2
UAM for Mac OS X 10.1 and later
Mac OS X is entirely different from earlier versions of the Mac OS and requires a different version of the UAM to be compatible with NTLM version 2.
The NTLM version 2 compatible UAM does not require passwords to be stored using reversible encryption, and you should not enable reversible encryption to support Macintosh clients that use this UAM.
Macintosh OS X 10.1 clients can connect natively to Server Message Block (SMB) shares on workstation computers, but they cannot authenticate with domains.
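As an added example (not code from the lesson or from Microsoft), the following Python parses the AFP FPGetSrvrInfo reply that an AFP server returns before any logon, and lists which user authentication methods (UAMs) the server still advertises. An administrator can use such a check to confirm that a server configured for Microsoft-only authentication no longer offers the Apple cleartext logon method discussed above. The sample replies are constructed inline, and the name "MS2.0" for the NTLM version 2 UAM is an assumption.

```python
import struct

# Apple's AFP UAM names; the first two send no credential or a plaintext
# password. "MS2.0" is assumed to be the name the Microsoft NTLM v2 UAM uses.
WEAK_UAMS = {"No User Authent", "Cleartxt Passwrd"}

def pstr(s):
    """AFP Pascal string: one length byte followed by the text."""
    b = s.encode("ascii")
    return bytes([len(b)]) + b

def read_pstr(buf, off):
    """Decode the Pascal string at buf[off]; returns (text, offset after it)."""
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("ascii"), off + 1 + n

def read_list(buf, off):
    """Decode a count byte followed by that many Pascal strings."""
    items, count, off = [], buf[off], off + 1
    for _ in range(count):
        s, off = read_pstr(buf, off)
        items.append(s)
    return items

def build_srvr_info(server_name, versions, uams):
    """Build a sample FPGetSrvrInfo reply body: five big-endian 16-bit fields
    (offsets of machine type, AFP versions, UAMs, volume icon, then flags),
    the server name, then the lists. Constructed data, not a capture."""
    name = pstr(server_name)
    machine = pstr("Windows NT")                      # constructed machine type
    ver_b = bytes([len(versions)]) + b"".join(pstr(v) for v in versions)
    uam_b = bytes([len(uams)]) + b"".join(pstr(u) for u in uams)
    machine_off = 10 + len(name)
    ver_off = machine_off + len(machine)
    uam_off = ver_off + len(ver_b)
    head = struct.pack(">HHHHH", machine_off, ver_off, uam_off, 0, 0)
    return head + name + machine + ver_b + uam_b

def parse_srvr_info(body):
    """Parse a reply body into server name, AFP versions and advertised UAMs."""
    machine_off, ver_off, uam_off, _icon, _flags = struct.unpack(">HHHHH", body[:10])
    return {"server": read_pstr(body, 10)[0], "machine": read_pstr(body, machine_off)[0],
            "versions": read_list(body, ver_off), "uams": read_list(body, uam_off)}

def weak_uams(body):
    """Return the cleartext / no-auth UAMs a server still advertises."""
    return [u for u in parse_srvr_info(body)["uams"] if u in WEAK_UAMS]

# Constructed samples: a server at the Apple default (cleartext allowed) and
# one configured to accept only the Microsoft UAM.
DEFAULT_SERVER = build_srvr_info("W2KDC", ["AFP2.2"], ["Cleartxt Passwrd", "Randnum Exchange", "MS2.0"])
HARDENED_SERVER = build_srvr_info("W2KDC", ["AFP2.2"], ["MS2.0"])
```

Against a live server the same body arrives inside a DSIGetStatus reply on TCP port 548; an empty result from weak_uams means no plaintext logon path is offered.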
Practice: Enabling Macintosh Clients to Access Windows 2000 Servers
In this practice, you configure the domain controller to serve Macintosh clients, and you configure a Macintosh client to connect to the server using NTLM version 2 authentication.
Exercise 1: Preparing a Windows 2000 Server to Support Macintosh Clients
In this exercise, you prepare a Windows 2000 server to serve Macintosh clients. Perform these procedures on a domain controller.
To install Services for Macintosh
Log on as Administrator.
Click Start, point to Settings, and then click Control Panel.
In Control Panel, double-click Add/Remove Programs. The Add/Remove Programs window appears.
Click Add/Remove Windows Components. The Windows Components Wizard appears.
In the wizard, double-click (do not select) Other Network File And Print Services. The Other Network File And Print Services dialog box appears.
Select File Services For Macintosh and Print Services For Macintosh, as shown in Figure 7-6.
Figure 7-6. Installing File Services and Print Services for Macintosh
Click OK, and click Next. The Configuring Components window appears with a progress indicator.
When the configuration completes, click Finish.
Click Close to close the Add/Remove Programs window.
Close the Control Panel window.
To create a Macintosh-compatible file share
Log on as the Administrator.
On the desktop, right-click My Computer, and click Manage. The Computer Management console appears.
Expand Shared Folders, and then click Shares. Your screen should look like Figure 7-7.
Figure 7-7. Shared folders in the Computer Management console
Right-click in a blank area of the rightmost pane, and click New File Share. The Create Shared Folder Wizard (Figure 7-8) appears.
Figure 7-8. Creating a Macintosh-compatible shared folder
Type C:\Departments (or use the browse button to browse to that location).
Type Departments as the Share Name.
Type Macintosh Accessible Share in the Share Description box.
Select the Apple Macintosh check box in the Accessible From The Following Clients group, and verify that Microsoft Windows is selected.
Click Next to open the share permissions page.
Leave the All Users Have Full Control option set, and click Finish. A message box will appear asking if you want to create another shared folder.
Click No, and close the Computer Management console.
Exercise 2: Connecting to Windows 2000 from a Macintosh
In this exercise, you connect a Macintosh OS X 10.1 client computer to a Windows 2000 server using AFP. The process for Macintosh OS 8.5-9.2 clients is very similar.
In this exercise, the UAM is downloaded directly from the Microsoft Web site because the version created automatically in the Microsoft UAM share on the Windows 2000 server is not compatible with Mac OS X. Perform this exercise from a Macintosh client running Mac OS X 10.1 or higher.
Adopt a habit of acquiring the latest revision of any security-related software that you use on your network. Vulnerabilities are routinely patched in security-related software, so installing the latest version ensures that your system is as secure as possible.
To install the Microsoft UAM
Open Internet Explorer and browse to the following address: www.microsoft.com/mac/products/win2ksfm/.
The Mactopia Services For Macintosh Web page appears.
Click the download link for the Microsoft User Authentication Module (UAM) appropriate for your version of Mac OS.
The download manager appears, then an MSUAM installation package icon appears on the desktop, and finally an MSUAM folder appears on the desktop.
Double-click the UAM folder on the desktop.
Double-click the Install MSUAM icon within the folder.
The Macintosh installer appears. In Mac OS X, an authorization dialog box appears requesting the Administrator password.
Click the lock icon. An Authenticate dialog box appears.
Type the administrator's password, and click OK. The Authenticate dialog box closes, returning the installer to the front.
Click Continue. The MS UAM Read Me document appears, as shown in Figure 7-9.
Figure 7-9. Installing the Microsoft User Authentication Module on a Macintosh
Click Continue to open the Select A Destination dialog box.
Click the icon representing your internal hard disk, and then click Continue.
Click Install. The Macintosh installer will inform you that the installation was successful.
Click Close.
Close the open window on your desktop, and delete the installation package file and folder left by the installation process.
To connect securely to a Windows share from a Macintosh client
In the Mac Finder (the desktop), click the Go menu, and then click Connect To Server.
Use the Connect To Server dialog box, shown in Figure 7-10, to create the shared drive mappings.
Figure 7-10. The Macintosh Connect To Server dialog box
Type afp://192.168.241.10/departments/ in the Address box, and click Connect.
Use the IP address for your server, or its domain name if your Macintosh client has been configured to receive DNS service from the domain controller.
A UAM authentication dialog box appears, as shown in Figure 7-11, that you can use to ensure the authentication process is secure.
Figure 7-11. The Macintosh UAM authentication dialog box
Verify that Registered User is selected, type Administrator in the Name box, and then type the administrator's password in the Password box.
Ensure that the Require Strong Authentication check box is selected, and click Connect. A Departments icon appears on the desktop representing the network share.
Double-click the Departments icon to view the contents of the Departments share, as shown in Figure 7-12.
Figure 7-12. A Windows 2000 share as viewed from a Macintosh client
Lesson Review
The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.
What server component is used to provide the Apple File Service?
Is AppleTalk required to provide service to Macintosh clients?
What client component provides NTLM version 2 authentication for Macintosh computers?
Does the NTLM version 2 compatible Microsoft UAM require reversible encryption to support Macintosh clients?
Lesson Summary
Windows 2000 Server provides strong support for Macintosh computers through Services for Macintosh and the AppleTalk protocol. Installing these services and enabling password storage with reversible encryption will allow access by Macintosh computers using non-secure plaintext authentication.
You can secure Macintosh client access by requiring NTLM version 2 on servers and installing the Microsoft User Authentication Module (UAM). The UAM enables Macintosh clients to authenticate securely using NTLM version 2, and eliminates the requirement for reversible password encryption on servers.
The UAM client for earlier versions of Mac OS is installed by default in the Microsoft UAM volume that is created when Services for Macintosh is installed. You must download the UAM for Mac OS X clients from Microsoft.