This article is based on NT 5.0, Beta 3.
Active Directory
Authentication products
Public Key Infrastructure (PKI)
The Microsoft Certificate Server
Microsoft CryptoAPI
Smart Cards
IP Security
Security is a key part of any enterprise Operating System, and
Microsoft has striven in the past (not always successfully, it might be said)
to make NT Server as secure as it can possibly be. With the release of Windows 2000 Server
comes a whole raft of new security-related technologies building on the foundation
provided by NT 4.0. Some of these are encompassed within the Distributed Security Services
(DSS) which include many new features to simplify domain administration, improve
performance, and integrate Internet security technology based on public-key cryptography.
The main new feature, of course, is integration of the OS security with Active Directory
to provide scalable, flexible account management for large domains with fine-grain access
control and delegation of administration.
Active Directory
Windows 2000 distributed security services use Windows NT Active Directory as
the repository for account information. It provides a significant improvement over the
registry-based implementation in the areas of performance and scalability, and offers a
feature-rich administrative environment. Active Directory provides the store for all domain
security policy and account information, providing replication and availability of account
information to multiple Domain Controllers. It supports a hierarchical name space for
user, group, and machine account information, so that accounts can be grouped by
Organisational Units, rather than the flat domain account name space provided by earlier
versions of Windows NT.
It also supports a multilevel hierarchy tree of domains should organisations wish to
utilise domains to create trust boundaries. Management of trust relationships between
domains is simplified, however, through automatic and transparent transitive trust
throughout the domain tree. Most organisations will be able to dispense with multiple
domains altogether, relying instead on the concept of sites and organisational units to
partition their Active Directory tree both physically and logically.
Authentication products
Windows 2000 security includes new authentication methods based on Internet standard
security protocols, including Kerberos Version 5 and Transport Layer Security (TLS) for
distributed security protocols, in addition to supporting Windows NT LAN Manager
authentication protocols for backwards compatibility. Windows 2000 manages the user's
network security credentials transparently after a successful logon, providing a single
sign-on capability. From the user's perspective, they have logged on to the system
and now have access to a wide variety of network services, no matter how many discrete
components make up that system.
The implementation of secure channel security protocols (SSL 3.0/TLS) supports strong
client authentication by mapping user credentials, in the form of public-key certificates,
to existing Windows 2000 accounts. Common administration tools are used to manage
account information and access control, whether using shared secret authentication or
public-key security.
Public Key Infrastructure (PKI)
With Windows 2000 we see the introduction of a comprehensive public key infrastructure
(PKI) to the Windows platform. This infrastructure provides an integrated set of services
and administrative tools for creating, deploying, and managing Public Key
based-applications, allowing application developers to take advantage of
Windows NT's shared-secret security mechanisms or PK-based security mechanisms as
appropriate.
An important element in the PKI is Microsoft Certificate Services, which provide the means
to deploy one or more enterprise Certification Authorities (CAs). These CAs support
certificate generation and revocation, and are fully integrated with Active Directory,
which provides CA location information and CA policy and allows certificates and
revocation information to be published. The PKI does not replace the existing
Windows NT domain trust and authorisation mechanisms, however, which are based on the
domain controller (DC) and Kerberos Key Distribution Centre (KDC). Rather, the PKI works
with these services and provides enhancements allowing applications to address extranet
and Internet requirements. In particular, PKI addresses the need for scalable and
distributed identification and authentication, integrity, and confidentiality.
Layered on the cryptographic services is a set of certificate management services. These
support X.509 v3 standard certificates providing persistent storage, enumeration services,
and decoding support. There are also services for dealing with industry-standard message
formats. Primarily, these support the PKCS standards and evolving IETF (Internet
Engineering Task Force) PKIX (Public Key Infrastructure, X.509) draft standards.
The Microsoft Certificate Server
The Microsoft Certificate Server allows organisations to issue standard X.509 Version 3
certificates to their employees or business partners. The CryptoAPI certificate management
APIs and modules provide the means to handle all standards-based public-key certificates,
whether they are issued by a commercial CA or the Microsoft Certificate Server included in
the OS. System administrators define which CAs are trusted in their environment and,
therefore, which certificates are accepted for client authentication and access to
resources.
Certificate Services includes a default policy module suitable for issuing certificates to
enterprise entities (users, machines, or services). This includes identification of the
requesting entity and validation that the certificate requested is allowed under the
domain PK security policy. This may be easily modified or enhanced to address other policy
considerations or to extend CA support for various extranet or Internet scenarios. Since
Certificate Services is standards-based, it provides broad support for PK-enabled
applications in heterogeneous environments. Within the PKI, you can easily support both
enterprise CAs as well as external CAs such as those associated with other organisations
or commercial service providers. This allows an enterprise to tailor its environment in
response to business requirements.
External users who do not have Windows 2000 accounts can be authenticated using
public-key certificates and mapped to an existing user account. Access rights defined for
the Windows 2000 account determine the resources the external users can use on the
system. Client authentication using public-key certificates allows Windows 2000 to
authenticate external users based on certificates issued by trusted Certificate
Authorities.
Windows 2000 users will have easy-to-use tools and common interface dialogues for
managing the private key/public key pairs and the certificates they use to access
Internet-based resources. Support for creating, deploying, and managing PK-based
applications is provided uniformly on workstations and application servers running
Windows 2000 as well as workstations running Windows 95 and Windows 98.
Microsoft CryptoAPI
Microsoft CryptoAPI is the cornerstone for these services. It provides a standard
interface to cryptographic functionality supplied by installable cryptographic service
providers (CSPs), which may be software-based or take advantage of cryptographic hardware
devices, and can support a variety of algorithms and key strengths. Storage of personal
security credentials, which uses secure disk-based storage, is easily transported with
Microsoft's protocol (put forward to the standards bodies at the time of writing),
Personal Information Exchange. The operating system also has integrated support for smart
card devices. Encryption technology is engineered into the operating system in many ways
to take advantage of the use of digital signatures for providing authenticated data
streams. In addition to signed ActiveX controls and Java Classes for
Internet Explorer 3.0, Windows 2000 will use digital signatures for image
integrity of a variety of program components.
Other services take advantage of CryptoAPI to provide additional functionality for
application developers who can create signed software for distribution and virus
protection. Secure Channel (schannel) supports network authentication and encryption using
the industry standard TLS and SSL protocols. These may be accessed using Microsoft's
WinInet interface for use with the HTTP protocol (HTTPS) and used with other protocols
through the SSPI interface. Authenticode supports object signing and verification, and
this has been used principally for determining origin and integrity of components
downloaded over the Internet, though it may be used in other environments. Finally,
general-purpose smart card interfaces are supported. These have been used to integrate
cryptographic smart cards in an application-independent manner and are the basis for smart
card logon support integrated with Windows 2000.
Smart Cards
The big problem with passwords is they are easy to forget, and even easier to compromise.
If you can store the user credentials in a hardware token then you make things very much
more secure. With Windows 2000 the user needs something physical (the card) as well as a
logical access token (the PIN) in order to authenticate to the network. Smart cards
support cryptography and secure storage for private keys and certificates, enabling strong
authentication from the desktop to the Windows NT domain. Smart cards enhance
software-only solutions such as client authentication, logon, and secure email. They are
essentially a convergence point for public key certificates and associated keys because
they provide tamper-resistant storage for protecting private keys and other forms of
personal information. They also isolate security-critical computations involving
authentication, digital signatures, and key exchange from other parts of the system that
do not have a "need to know", and enable portability of credentials and other
private information between computers at work, home, or on the road.
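The two-factor logon described above, together with the earlier mapping of a certificate issued by an administrator-trusted CA onto a Windows 2000 account, as an added Python model (not Microsoft's code, and not how CryptoAPI or the domain logon is actually implemented): the card releases a signature only after a PIN check, the private exponent never leaves the card object, and the domain side checks the issuer against the trust set before mapping the subject to an account. The RSA key, PIN, CA name, account names and share path are constructed toy values.

```python
import hashlib
import secrets

# Constructed toy RSA key (p=61, q=53) standing in for the card's CSP key;
# real cards hold 1024-bit or larger keys that never leave the chip.
TOY_N, TOY_E, TOY_D = 3233, 17, 2753

class SmartCard:
    """Models the tamper-resistant token: the private key is held only here."""
    def __init__(self, pin, cert, max_tries=3):
        self._pin, self._d, self._tries = pin, TOY_D, max_tries
        self.cert = cert            # public part: subject, issuer, public key
        self._unlocked = False

    def verify_pin(self, pin):
        if self._tries == 0:
            return False            # card blocked: guessing further is useless
        if secrets.compare_digest(pin, self._pin):
            self._unlocked = True
            return True
        self._tries -= 1            # retry counter enforced on the card itself
        return False

    def sign(self, challenge):
        if not self._unlocked:
            raise PermissionError("PIN required before the card will sign")
        h = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % TOY_N
        return pow(h, self._d, TOY_N)   # signing happens inside the card

TRUSTED_CAS = {"CN=Corp Enterprise CA"}          # CAs the administrator trusts
ACCOUNT_MAP = {"CN=alice": "CORP\\alice"}        # certificate subject -> account
ACCOUNT_ACL = {"CORP\\alice": {"\\\\fs1\\projects": "read"}}

def domain_logon(card, pin, resource):
    """Domain side: trusted issuer, PIN, proof of key possession, then ACL."""
    if card.cert["issuer"] not in TRUSTED_CAS:
        return None                              # untrusted CA: reject outright
    if not card.verify_pin(pin):
        return None                              # second factor failed
    challenge = secrets.token_bytes(16)          # fresh nonce defeats replay
    sig = card.sign(challenge)
    expected = int.from_bytes(hashlib.sha256(challenge).digest(), "big") % TOY_N
    if pow(sig, card.cert["e"], card.cert["n"]) != expected:
        return None                              # signature does not verify
    account = ACCOUNT_MAP.get(card.cert["subject"])
    if account is None:
        return None                              # valid cert but no mapping
    return ACCOUNT_ACL.get(account, {}).get(resource)
```

Access to the share is decided purely by the mapped account's rights, which is the point the article makes about external users.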
IP Security
The final piece to the Windows 2000 security jigsaw is secure communications for mobile
users and branch offices. This is achieved by VPN support using a robust implementation of
the IP Security Protocol (IPSec) dubbed Windows 2000 IP Security. In today's
massively interconnected business world of the Internet, intranets, branch offices, and
remote access, sensitive information constantly crosses the networks. The challenge for
network administrators and other IS professionals is to ensure that this traffic is safe
from data modification while en route; safe from interception, viewing or copying; and
safe from being accessed by unauthenticated parties. Designed by the Internet Engineering
Task Force (IETF) for the Internet Protocol, IPSec supports network-level authentication,
data integrity and encryption. IPSec integrates with the inherent security of the
Windows 2000 operating system to provide the ideal platform for safeguarding intranet
and Internet communications.
Microsoft Windows IP Security uses industry-standard encryption algorithms and a
comprehensive security management approach to provide security for all TCP/IP
communications on both sides of an organisation's firewall. The result is an
end-to-end security strategy that defends against both external and internal attacks. And
because Windows IP Security is deployed below the transport level, network managers (and
software vendors) are spared the hassle and expense of trying to deploy and coordinate
security one application at a time. By simply deploying Windows 2000, network
managers provide a strong layer of protection for the entire network, with applications
automatically inheriting the safeguards of the built-in IP Security. The encryption
support of Windows IP Security extends to Virtual Private Networks (VPNs) as well.
Whether setting security profiles for key workgroups or the entire network, the encryption
support of Windows IP Security can provide network managers with the peace of mind that
comes from protecting an enterprise's communications.