System and Network Security


Security is available in Windows 2000 for every configuration, from a simple workgroup to enterprise server systems. The emphasis on security and the fact that security mechanisms permeate every corner of Windows 2000 should not come as a surprise. Security is an increasingly critical issue in virtually every enterprise. Intranets, extranets, and dial-in access, not to mention casual user malfeasance, are all threats to both data and infrastructure. At the same time, an overly complex security apparatus tries the patience of administrators and users alike. Windows 2000 attempts to resolve these conflicting needs with a security system that is genuinely secure yet easy to administer and transparent to the user.

The Security Configuration Manager is a one-stop tool that lets an administrator configure security-sensitive registry settings and the access controls on files and registry keys, all in one location. These settings can be saved as a security template that can then be applied to multiple computers in a single operation.
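As an added illustration (not from the book), this is the shape of a security template that the Security Configuration Manager and the secedit tool consume: registry values, registry-key ACLs and file ACLs in one file. The paths, values and SDDL strings are example settings chosen for this illustration, not a recommended baseline.

```ini
; Example security template (constructed for this illustration)
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
; Format: path=type,value  (type 4 = REG_DWORD, 1 = REG_SZ)
; RestrictAnonymous=1 limits what an unauthenticated session can enumerate
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; LmCompatibilityLevel controls which LAN Manager / NTLM variants the host uses
; 3 = send NTLMv2 only, still accept LM/NTLM from older clients
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3

[Registry Keys]
; Format: "key",inheritance mode,"SDDL"   (mode 0 = propagate inheritable ACEs)
; Administrators and SYSTEM get full key access (KA); Users get read only (KR)
"MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

[File Security]
; Format: "path",inheritance mode,"SDDL"
; Restrict the repair directory (contains SAM/registry backups) to Administrators and SYSTEM
"%SystemRoot%\repair",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)"
```

Before applying it, compare a machine against the template with `secedit /analyze /db baseline.sdb /cfg baseline.inf /log analyze.log` and review the log; `secedit /configure` with the same arguments then applies it.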

Windows 2000 Server includes full support for the MIT Kerberos version 5 security protocol, providing a single logon to Windows 2000 Server-based enterprise resources. Kerberos replaces NT LAN Manager (NTLM), which is used in Windows NT 4 as the primary security protocol. For smooth integration, Windows 2000 supports both methods of authentication—NTLM when either the client or the server is running a previous version of Windows, and Kerberos for Windows 2000 servers and clients. In addition, there is built-in support for Secure Socket Layer/Transport Layer Security (SSL/TLS) for users logging on to a secure Web server.

Other security enhancements include

  • An X.509-based public-key certificate server integrated with Active Directory, allowing the use of public-key certificates for authentication.
  • Support for tamper-resistant smart cards to store passwords, private keys, account numbers, and other security information.
  • Microsoft IP Security Management (IPSec), which governs end-to-end secure communication. Once IPSec is implemented, communications are secured transparently; no user training or interaction is required.

Many of the security functions in Windows 2000 are innate in Active Directory, and full implementation is available only when Active Directory is used. In addition, some security functions cannot be fully realized in a mixed environment of server domains. For example, Windows 2000 includes support for transitive trusts, which means that when a Windows 2000 domain is joined to a Windows 2000 domain forest, a two-way, transitive trust relationship is established automatically. No administrative tasks are required to establish this trust relationship. To set up a trust relationship between a Windows 2000 domain and a Windows NT domain, however, you must explicitly establish it.

Security is so firmly integrated into all aspects of Windows 2000 that it can't really be quarantined into a single section; hence you'll find security material throughout this book. However, basic security concepts are described in Chapter 17. Implementation is delineated in Chapters 18 and 19.



Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
ISBN: 1572318198
Year: 2000
Pages: 366
