Chapter 16: Planning, Configuring, and Troubleshooting Authentication, Authorization, and PKI (4.0)

 < Day Day Up > 



Overview

If you don’t have the ability to correctly verify the identity of users on a network, there is no way to ensure that users get the specific type of access that they are entitled to. This is why authentication and authorization are some of the most important steps in the security process. The authorization process starts with the authorization protocol. By default, Microsoft Windows Server 2003 uses the Kerberos v5 authentication protocol. This protocol is supported by Windows 2000 Server and clients running Microsoft Windows 2000 Professional and Windows XP Professional. Windows Server 2003 also supports both versions of NTLM, which is the authentication protocol used by Microsoft Windows NT 4.0 and earlier, in addition to Windows 95, Windows 98, and Windows Millennium Edition. The authentication protocol that is used is negotiated: Kerberos is attempted first, and NTLMv2 is attempted if that fails.

Windows Server 2003 brings a large improvement to the configuration of trust relationships by introducing the forest trust. In Windows Server 2003, with the configuration of a single trust, all domains in one forest can be configured to trust all domains in another forest. This is vastly easier than it was in Windows NT 4.0 or Windows 2000, in which trusts were configured on a domain-by-domain basis.

Now that cross-forest trusts are easier to configure, understanding group scopes is of greater importance. Domain local groups are used to assign permissions to resources within a domain. They are also used to assign rights. Assigning permissions and rights to groups rather than individual users simplifies the administration process. Global groups can be used throughout the forest, but they can only contain members from a single domain. Universal groups can contain members from any domain in the forest, including global groups and other universal groups. When trust relationships exist, however, the only group type that can have member groups from other forests is the domain local group.

Certification authorities (CAs) form the core of public key infrastructure. Windows Server 2003 supports four types of CAs. For close integration of certificates with Active Directory directory service, there are enterprise CAs. These are available in the root and subordinate versions. When integration with Active Directory is not required, CAs can be configured as standalone. Like the enterprise CA, the standalone also is also available in the root and subordinate versions. Best practice is to issue certificates from the subordinate and only use the root to issue certificates to subordinate CAs. Understanding how all of these technologies interact forms a fundamental part of the knowledge required to pass the 70-299 exam.



 < Day Day Up > 



MCSA(s)MCSE Self-Paced Training Kit Exam 70-299 (c) Implementing and Administering Security in a M[.  .. ]twork
MCSA/MCSE Self-Paced Training Kit (Exam 70-299): Implementing and Administering Security in a MicrosoftВ® Windows Server(TM) 2003 Network (Pro-Certification)
ISBN: 073562061X
EAN: 2147483647
Year: 2004
Pages: 217

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net