

Exploring 2000 -
Windows 2000 Group Policies PT2 (July 1999)
John Savill explores Windows 2000 Group Policies

This article is based on Windows 2000 (NT 5.0) Beta 3.

Security is a key part of any enterprise Operating System, and Microsoft has striven in the past – not always successfully it might be said – to make NT Server as secure as it can possibly be. With the release of Windows 2000 Server comes a whole raft of new security-related technologies building on the foundation provided by NT 4.0. Some of these are encompassed within the Distributed Security Services (DSS) which include many new features to simplify domain administration, improve performance, and integrate Internet security technology based on public-key cryptography.

The main new feature, of course, is integration of the OS security with Active Directory to provide scalable, flexible account management for large domains with fine-grain access control and delegation of administration.

Active Directory

Windows 2000 distributed security services use Active Directory as the repository for account information. It is a significant improvement over the registry-based SAM database of earlier NT versions in both performance and scalability, and offers a feature-rich administrative environment. Active Directory is the store for all domain security policy and account information, and replicates it to every Domain Controller in the domain so that it remains available if one of them fails. It supports a hierarchical name space for user, group and machine accounts, so that accounts can be grouped into Organisational Units rather than living in the flat domain account name space of earlier versions of Windows NT.

It also supports a multilevel tree of domains, should an organisation wish to use domains as trust boundaries. Trust relationships between domains in the tree need no manual management: each domain trusts its parent and its children automatically, and those trusts are transitive, so any domain in the tree trusts any other. Most organisations will be able to dispense with multiple domains altogether, relying instead on sites and organisational units to partition their Active Directory tree physically and logically.

Authentication products

Windows 2000 includes new authentication methods based on Internet-standard security protocols, Kerberos version 5 and Transport Layer Security (TLS), and keeps the Windows NT LAN Manager (NTLM) protocol for backwards compatibility with older clients and servers. After a successful logon Windows 2000 manages the user’s network credentials transparently, giving single sign-on: from the user’s perspective they have logged on once and now have access to a wide variety of network services, however many discrete components make up that system, without being asked for the password again.
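The single sign-on just described is the Kerberos ticket flow, modelled end to end below as an added example (this is not Microsoft's code and nothing from the Beta 3 bits). One logon buys a ticket-granting ticket; every later service access spends that TGT for a service ticket and the password is never used again. Assumptions: a toy SHA-256/HMAC construction stands in for a Kerberos encryption type, the realm `CORP.EXAMPLE`, the principals and the passwords are invented, and the KDC and services are Python objects rather than network peers. The model also includes the encrypted-timestamp pre-authentication that Windows 2000 requires by default, so the KDC issues nothing to a client that cannot prove it knows the password.

```python
"""Kerberos-style single sign-on end to end: AS exchange (logon), TGS exchange
(service ticket) and AP exchange (the service checks the ticket).  Added example,
not Microsoft's code: a toy SHA-256/HMAC cipher stands in for a Kerberos
encryption type, and the realm, principals and passwords are invented."""
import hashlib
import hmac
import json
import os
import time

def string_to_key(password, realm, principal):
    """Long-term key derived from the password and a salt (realm + principal)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)

def _keystream(key, nonce, length):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(length // 32 + 1))[:length]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: nonce || ciphertext || tag."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The domain controller's KDC: every principal's long-term key plus the TGT key."""
    def __init__(self, realm):
        self.realm, self.keys, self.tgt_key = realm, {}, os.urandom(32)
    def register(self, principal, password):
        self.keys[principal] = string_to_key(password, self.realm, principal)
    def as_exchange(self, client, preauth):
        """AS-REQ -> AS-REP; the encrypted-timestamp pre-authentication proves the
        client knows the password before any reply is issued."""
        key = self.keys[client]
        if abs(unseal(key, preauth)["time"] - time.time()) > 300:
            raise ValueError("pre-authentication failed")
        session = os.urandom(32).hex()
        tgt = seal(self.tgt_key, {"client": client, "key": session, "exp": time.time() + 600})
        return seal(key, {"key": session, "tgt": tgt.hex()})   # readable only with the user's key
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP; the ticket is sealed under the service's own key, so
        the client can carry it but neither read nor forge it."""
        t = unseal(self.tgt_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        if unseal(bytes.fromhex(t["key"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session})
        return seal(bytes.fromhex(t["key"]), {"key": svc_session, "ticket": ticket.hex()})

class Client:
    def __init__(self, kdc, principal):
        self.kdc, self.principal, self.tgt, self.tgt_key = kdc, principal, None, None
    def logon(self, password):
        """The password is used exactly once, to derive the key for the AS exchange."""
        key = string_to_key(password, self.kdc.realm, self.principal)
        rep = unseal(key, self.kdc.as_exchange(self.principal, seal(key, {"time": time.time()})))
        self.tgt_key, self.tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    def ap_request(self, service):
        """Every later service access reuses the cached TGT: no second password prompt."""
        auth = seal(self.tgt_key, {"client": self.principal, "time": time.time()})
        rep = unseal(self.tgt_key, self.kdc.tgs_exchange(self.tgt, auth, service))
        return bytes.fromhex(rep["ticket"]), seal(bytes.fromhex(rep["key"]), {"client": self.principal})

def service_accept(service_key, ap_req):
    """AP-REQ check: open the ticket with the service's own key, then confirm the
    authenticator was made with the session key found inside that ticket."""
    ticket, authenticator = ap_req
    try:
        t = unseal(service_key, ticket)
        return unseal(bytes.fromhex(t["key"]), authenticator)["client"] == t["client"]
    except ValueError:
        return False

def demo():
    kdc = KDC("CORP.EXAMPLE")
    kdc.register("alice", "correct horse battery staple")
    for svc in ("cifs/fileserver", "http/intranet"):
        kdc.register(svc, os.urandom(16).hex())     # service accounts get random passwords
    alice, out = Client(kdc, "alice"), {}
    try:
        alice.logon("wrong password")
        out["wrong_password_accepted"] = True
    except ValueError:
        out["wrong_password_accepted"] = False
    alice.logon("correct horse battery staple")     # one logon ...
    out["file_share"] = service_accept(kdc.keys["cifs/fileserver"], alice.ap_request("cifs/fileserver"))
    out["intranet"] = service_accept(kdc.keys["http/intranet"], alice.ap_request("http/intranet"))
    stolen = alice.ap_request("cifs/fileserver")    # ... and a ticket is bound to one service
    out["ticket_reused_elsewhere"] = service_accept(kdc.keys["http/intranet"], stolen)
    return out
```

Running `demo()` shows the three properties worth remembering: a wrong password is rejected at the KDC before anything is issued, one logon is enough for any number of services, and a ticket taken for the file server is useless against the intranet server because only the file server's key can open it.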

The secure channel implementation (SSL 3.0/TLS) supports strong client authentication by mapping user credentials presented as public-key certificates to existing Windows 2000 accounts. The same administration tools manage account information and access control whether authentication uses shared secrets or public keys.

Public Key Infrastructure (PKI)

With Windows 2000 comes a comprehensive public key infrastructure (PKI) for the Windows platform: an integrated set of services and administrative tools for creating, deploying and managing public key-based applications, letting developers use Windows NT’s shared-secret security mechanisms or public-key mechanisms as appropriate.

An important element in the PKI is Microsoft Certificate Services, which provide the means to deploy one or more enterprise Certification Authorities (CAs). These CAs support certificate generation and revocation, and are fully integrated with Active Directory, which provides CA location information and CA policy and allows certificates and revocation information to be published. The PKI does not replace the existing Windows NT domain trust and authorisation mechanisms, however, which are based on the domain controller (DC) and Kerberos Key Distribution Centre (KDC). Rather, the PKI works with these services and provides enhancements allowing applications to address extranet and Internet requirements. In particular, PKI addresses the need for scalable and distributed identification and authentication, integrity, and confidentiality.

Layered on the cryptographic services is a set of certificate management services. These support X.509 v3 standard certificates providing persistent storage, enumeration services, and decoding support. There are also services for dealing with industry-standard message formats. Primarily, these support the PKCS standards and evolving IETF (Internet Engineering Task Force) PKIX (Public Key Infrastructure, X.509) draft standards.

The Microsoft Certificate Server

The Microsoft Certificate Server allows organisations to issue standard X.509 Version 3 certificates to their employees or business partners. The CryptoAPI certificate management APIs and modules provide the means to handle all standards-based public-key certificates, whether they are issued by a commercial CA or the Microsoft Certificate Server included in the OS. System administrators define which CAs are trusted in their environment and, therefore, which certificates are accepted for client authentication and access to resources.

Certificate Services includes a default policy module suitable for issuing certificates to enterprise entities (users, machines, or services). This includes identification of the requesting entity and validation that the certificate requested is allowed under the domain PK security policy. This may be easily modified or enhanced to address other policy considerations or to extend CA support for various extranet or Internet scenarios. Since Certificate Services is standards-based, it provides broad support for PK-enabled applications in heterogeneous environments. Within the PKI, you can easily support both enterprise CAs as well as external CAs such as those associated with other organisations or commercial service providers. This allows an enterprise to tailor its environment in response to business requirements.

External users who do not have Windows 2000 accounts can be authenticated with public-key certificates issued by a Certification Authority the administrator has chosen to trust, and mapped to an existing user account; the access rights of that account then determine which resources the external user can use. The mapping is only as strong as the CA trust list: any CA on that list can issue a certificate for any name, so the list should be kept short and reviewed.
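The trust decisions spelt out in the last few paragraphs (a CA that issues and revokes certificates, a relying party that accepts only certificates from CAs the administrator trusts, and a certificate mapped to an account whose access rights then apply) are worked through below as an added example. It is not Microsoft's Certificate Services code: signatures are textbook RSA with a 512-bit modulus and no padding, enough to show the logic and unusable as real cryptography, and the CA names, subjects and `CORP\` accounts are invented. The example also covers the two failure cases a practitioner wants to see: a rogue CA minting a certificate with a trusted user's name, and a certificate whose subject has been edited after signing.

```python
"""Toy PKI after the page's trust model: a CA issues and revokes certificates, a
relying party accepts only certificates from an administrator-chosen trusted CA,
and an external user's certificate is mapped to a local account.  Added example,
not Microsoft's code: textbook RSA (512-bit modulus, no padding) over a SHA-256
digest shows the trust decisions but is unusable as real cryptography."""
import hashlib
import json
import random

def is_probable_prime(n, rounds=16):
    """Miller-Rabin with `rounds` random bases (after trial division)."""
    if n < 2 or any(n % p == 0 for p in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits=256):
    """Return ((n, e), (n, d)) with n the product of two `bits`-bit primes."""
    def prime():
        while True:
            c = random.getrandbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(tbs):   # canonical encoding of the to-be-signed fields, as a 256-bit int (< n)
    return int.from_bytes(hashlib.sha256(json.dumps(tbs, sort_keys=True).encode()).digest(), "big")

def sign(tbs, priv):
    return pow(_digest(tbs), priv[1], priv[0])
def verify(tbs, sig, pub):
    return pow(sig, pub[1], pub[0]) == _digest(tbs)

class CA:
    """Certification authority: issues certificates and publishes a signed CRL."""
    def __init__(self, name):
        self.name, self.revoked, self._serial = name, set(), 0
        self.pub, self._priv = gen_keypair()
    def issue(self, subject, subject_pub):
        self._serial += 1
        tbs = {"serial": self._serial, "subject": subject, "issuer": self.name, "pub": list(subject_pub)}
        return {"tbs": tbs, "sig": sign(tbs, self._priv)}
    def revoke(self, cert):
        self.revoked.add(cert["tbs"]["serial"])
    def crl(self):
        tbs = {"issuer": self.name, "revoked": sorted(self.revoked)}
        return {"tbs": tbs, "sig": sign(tbs, self._priv)}

def validate(cert, trusted, crls):
    """Relying party: trusted issuer, valid signature, issuer's CRL present and not listing it."""
    issuer = cert["tbs"]["issuer"]
    if issuer not in trusted:
        return "issuer not trusted"             # a rogue CA can mint any name it likes
    if not verify(cert["tbs"], cert["sig"], trusted[issuer]):
        return "bad signature"
    crl = crls.get(issuer)
    if crl is None or not verify(crl["tbs"], crl["sig"], trusted[issuer]):
        return "no valid CRL"
    if cert["tbs"]["serial"] in crl["tbs"]["revoked"]:
        return "revoked"
    return "ok"

def map_to_account(cert, trusted, crls, mapping):
    """Certificate -> local account; that account's access rights then apply."""
    status = validate(cert, trusted, crls)
    key = (cert["tbs"]["issuer"], cert["tbs"]["subject"])
    return (mapping.get(key) if status == "ok" else None), status

def demo():
    random.seed(1)                               # reproducible demo keys only
    enterprise, partner, rogue = CA("Enterprise CA"), CA("Partner CA"), CA("Rogue CA")
    alice_pub = gen_keypair()[0]
    alice = enterprise.issue("alice", alice_pub)
    bob = partner.issue("bob", gen_keypair()[0])
    lookalike = rogue.issue("alice", alice_pub)  # same name and key, untrusted issuer
    trusted = {enterprise.name: enterprise.pub, partner.name: partner.pub}   # the admin's trust list
    crls = {enterprise.name: enterprise.crl(), partner.name: partner.crl()}
    mapping = {(enterprise.name, "alice"): "CORP\\alice", (partner.name, "bob"): "CORP\\partner-guest"}
    out = {name: map_to_account(c, trusted, crls, mapping)
           for name, c in (("alice", alice), ("bob", bob), ("lookalike", lookalike))}
    forged = {"tbs": dict(alice["tbs"], subject="administrator"), "sig": alice["sig"]}
    out["forged"] = map_to_account(forged, trusted, crls, mapping)
    partner.revoke(bob)
    crls[partner.name] = partner.crl()           # relying party fetches the fresh CRL
    out["bob_after_revocation"] = map_to_account(bob, trusted, crls, mapping)
    return out
```

Note that the relying party never consults the CA at validation time; it needs only the CA's public key from the trust list and a CRL it has fetched. That is why the page stresses publishing CA policy and revocation information in Active Directory: a client that cannot obtain a current CRL has no way to tell a revoked certificate from a good one.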

Windows 2000 users will have easy-to-use tools and common interface dialogues for managing the private key/public key pairs and the certificates they use to access Internet-based resources. Support for creating, deploying, and managing PK-based applications is provided uniformly on workstations and application servers running Windows 2000 as well as workstations running Windows 95 and Windows 98.

Microsoft CryptoAPI

Microsoft CryptoAPI is the cornerstone of these services. It provides a standard interface to cryptographic functionality supplied by installable cryptographic service providers (CSPs), which may be software-based or use cryptographic hardware, and which can support a variety of algorithms and key strengths. Personal security credentials are kept in protected disk-based storage and can be moved between machines in Microsoft’s Personal Information Exchange (PFX) format, which had been put forward to the standards bodies at the time of writing. The operating system also has integrated support for smart card devices. Digital signatures are used throughout the operating system to provide authenticated data streams: in addition to signed ActiveX controls and Java classes for Internet Explorer 3.0, Windows 2000 will use digital signatures to check the integrity of a variety of program components.

Other services build on CryptoAPI. Developers can sign software for distribution, so that any tampering with it (by a virus, for example) is detectable before it runs. Secure Channel (schannel) supports network authentication and encryption with the industry-standard TLS and SSL protocols; it is reached through Microsoft’s WinInet interface for HTTP (HTTPS) and through the SSPI interface for other protocols. Authenticode supports object signing and verification, and is used principally to determine the origin and integrity of components downloaded over the Internet, though it can be used in other environments. Finally, general-purpose smart card interfaces integrate cryptographic smart cards in an application-independent manner and are the basis for the smart card logon support built into Windows 2000.

Smart Cards

The big problem with passwords is that they are easy to forget and even easier to compromise. Storing the user’s credentials in a hardware token makes things very much more secure: with Windows 2000 the user needs something physical (the card) as well as a secret (the PIN) to authenticate to the network, and the private key never leaves the card. Smart cards support cryptography and secure storage for private keys and certificates, enabling strong authentication from the desktop to the Windows NT domain, and they enhance software-only solutions such as client authentication, logon and secure email. They are a natural convergence point for public-key certificates and their associated keys because they provide tamper-resistant storage for private keys and other personal information. They also isolate the security-critical computations (authentication, digital signatures and key exchange) from parts of the system that have no need to know, and they make credentials portable between computers at work, at home or on the road.

IP Security

The final piece of the Windows 2000 security jigsaw is secure communication for mobile users and branch offices, provided by VPN support built on an implementation of the IP Security protocol (IPSec), dubbed Windows 2000 IP Security. In today’s massively interconnected world of the Internet, intranets, branch offices and remote access, sensitive information constantly crosses networks, and the challenge for network administrators and other IS professionals is to ensure that this traffic is safe from modification en route, from interception, viewing or copying, and from access by unauthenticated parties. Designed by the Internet Engineering Task Force (IETF) for the Internet Protocol, IPSec provides network-level authentication, data integrity and encryption, and it integrates with the security of the Windows 2000 operating system to safeguard intranet and Internet communications.

Windows IP Security uses industry-standard encryption algorithms and a policy-based management approach to protect TCP/IP communications on both sides of an organisation’s firewall, giving an end-to-end strategy that defends against internal as well as external attacks. Because it sits below the transport layer, network managers and software vendors are spared the expense of deploying and coordinating security one application at a time: once an IPSec policy is assigned, applications inherit its protection automatically without being changed. Protection exists only where both ends of a conversation negotiate IPSec, however; traffic to a peer that cannot is sent in the clear or blocked, depending on how the policy is written, so simply installing Windows 2000 protects nothing until policies are assigned and the peers support them. The encryption support of Windows IP Security extends to Virtual Private Networks (VPNs) as well.

Whether setting security profiles for key workgroups or the entire network, the encryption support of Windows IP Security can provide network managers with the peace of mind that comes from protecting an enterprise’s communications.
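What "below the transport layer" buys an application is easiest to see on the wire. The added example below (not Microsoft's IPSec stack, and no real network I/O) builds an IPv4 packet carrying a TCP segment, protects it with an IPSec Authentication Header (RFC 2402) whose integrity check value covers everything except the fields routers legitimately change, and checks it on the receiving side with the RFC 2401 anti-replay window. Assumptions: the SA key, SPI and addresses are constructed for the demo rather than negotiated by IKE, the IP header checksum is left at zero, and HMAC-SHA256 truncated to 128 bits stands in for the HMAC-MD5/SHA-1 transforms of the era. The TCP segment inside is untouched, which is the point: the application wrote it and gained modification and replay protection without knowing.

```python
"""IPSec-style packet integrity below the transport layer: an AH header (RFC 2402)
carrying an HMAC over the IP packet, and a receiver with the RFC 2401 anti-replay
window.  Added example, not Microsoft's code: packets, SPI and key are constructed
for the demo, there is no network I/O, and truncated HMAC-SHA256 stands in for the
HMAC-MD5/SHA-1 transforms of the era."""
import hashlib
import hmac
import struct

AH = 51               # IP protocol number for the Authentication Header
ICV_LEN = 16          # truncated HMAC length in bytes
AH_LEN = 12 + ICV_LEN

def build_ip(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 header (checksum left zero: it is a mutable field the AH ignores)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000,
                       ttl, proto, 0, src, dst) + payload

def icv(key, pkt):
    """HMAC over the packet with mutable fields and the ICV itself zeroed, per RFC 2402."""
    buf = bytearray(pkt)
    buf[1] = 0                      # TOS
    buf[6:8] = b"\0\0"              # flags / fragment offset
    buf[8] = 0                      # TTL: routers decrement it in transit
    buf[10:12] = b"\0\0"            # header checksum
    buf[32:20 + AH_LEN] = bytes(ICV_LEN)
    return hmac.new(key, bytes(buf), hashlib.sha256).digest()[:ICV_LEN]

def ah_wrap(key, spi, seq, src, dst, proto, payload, ttl=64):
    """Sender: IP | AH(next=proto, spi, seq, icv) | original payload."""
    ah = struct.pack("!BBHLL", proto, AH_LEN // 4 - 2, 0, spi, seq) + bytes(ICV_LEN)
    pkt = build_ip(src, dst, AH, ah + payload, ttl)
    return pkt[:32] + icv(key, pkt) + pkt[32 + ICV_LEN:]

class ReplayWindow:
    """Sliding bitmap of the last `size` sequence numbers seen on this SA."""
    def __init__(self, size=64):
        self.size, self.last, self.bitmap = size, 0, 0
    def accept(self, seq):
        if seq == 0:
            return False                           # 0 is never a valid AH sequence number
        if seq > self.last:                        # newer than anything seen: slide window
            shift = seq - self.last
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.last = seq
            return True
        behind = self.last - seq
        if behind >= self.size or (self.bitmap >> behind) & 1:
            return False                           # too old, or already received
        self.bitmap |= 1 << behind                 # late but fresh: mark and accept
        return True

class AHReceiver:
    def __init__(self, spi, key):
        self.spi, self.key, self.window = spi, key, ReplayWindow()
    def receive(self, pkt):
        """Return (accepted, reason, inner payload).  The ICV is checked before the
        window is updated, so a forged packet cannot advance it."""
        if pkt[9] != AH:
            return False, "not AH", None
        _next, _len, _, spi, seq = struct.unpack("!BBHLL", pkt[20:32])
        if spi != self.spi:
            return False, "unknown SA", None
        if not hmac.compare_digest(pkt[32:32 + ICV_LEN], icv(self.key, pkt)):
            return False, "bad ICV", None
        if not self.window.accept(seq):
            return False, "replay", None
        return True, "ok", pkt[20 + AH_LEN:]

def demo():
    key = hashlib.sha256(b"constructed demo SA key").digest()   # would come from IKE
    spi, src, dst = 0x1001, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    def mk(seq, ttl=64):
        return ah_wrap(key, spi, seq, src, dst, 6, b"TCP segment %d" % seq, ttl)
    rx, out = AHReceiver(spi, key), {}
    out["fresh"] = rx.receive(mk(1))[1]                       # "ok"
    out["replayed"] = rx.receive(mk(1))[1]                    # "replay": same seq twice
    out["reordered"] = (rx.receive(mk(3))[1], rx.receive(mk(2))[1])   # both "ok": 2 is inside the window
    tampered = bytearray(mk(4)); tampered[-1] ^= 0x01         # one payload bit flipped en route
    out["tampered"] = rx.receive(bytes(tampered))[1]          # "bad ICV"
    hop = bytearray(mk(5)); hop[8] -= 1                       # a router decremented TTL
    out["ttl_decremented"] = rx.receive(bytes(hop))[1]        # "ok": TTL excluded from the ICV
    old = mk(6)
    for seq in range(7, 80):
        rx.receive(mk(seq))                                   # window slides far past 6
    out["too_old"] = rx.receive(old)[1]                       # "replay": outside the window
    return out
```

AH gives integrity and replay protection only; the page's confidentiality claim comes from ESP, which additionally encrypts the payload. The window logic and the rule that the ICV is verified before the window moves are the same for both.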

