Slide Master Layout Useful for revisions and projector test  First-level bullet  Second levels  Third level  Fourth level  Fifth level  Drop body text block to if more than two lines of text in title  Next horizontal guide set at  Left vertical guide set at -4.58

Colors In This Template Useful for testing projectors during setup

TNQ200-13

Deploying Windows® 2000 Security in Corporate Networks Brent Lane OakRidge Consulting Group

Session Prerequisites  Familiarity with Windows 2000, beta 3 or later  General knowledge of Windows security and administration principles

Topics Covered  Windows ® 2000 default security  Single Sign On  Network authentication  Kerberos v5  NTLM v2  Security Interoperability  Network data protection

Windows 2000 Default Security Settings

Administrators Versus Users  Administrators  Full control of the operating system  Install system components, drivers  Upgrade or repair the system  Users  Cannot compromise system integrity  Read-only access to system resources  Interactive and network logon rights  Can shutdown desktop system  Legacy application issues

Power Users  Have sufficient access to run legacy applications  Can add files to system directory  Cannot modify existing system files  Create, manage non-admin resources:  Users and groups, file and print shares

Default Group Membership Local GroupDefault Workstation Members Default Server Members AdministratorsAdministrator Power UsersInteractive Users UsersAuthenticated Users

Secondary Logon  Run commands as another user without logoff - logon  RunAs  Command line  runas /user:MyDomain\Admin cmd  Shell support  Optional support for user profile  Terminal Server – separate console for admin

Windows Single Sign On  Single account store in Active Directory  Easier to administer user accounts  Single user id and password  Application integration

Kerberos Basic Concepts  Authentication  Key Distribution  Session Tickets  Requested for each network connection  Contains authorization data  Ticket Granting Ticket  Protected by user’s secret key  Contains session key for KDC

Active Directory Key Distribution Center (KDC) Windows Domain Controller 1.Locate KDC for domain by DNS lookup for Active Directory service 2.Use hash(pwd) to sign pre-auth data in AS request 3.Group membership expanded by KDC, added to TGT auth data TGT Ticket - NTW 4.Send TGS request for service ticket to workstation Kerberos Authentication Interactive domain logon

Application Server (target) 3.Verifies session ticket issued by KDC Active Directory Key Distribution Center (KDC) Windows domain controller 1.Send TGT and request session ticket from KDC for target server TGT 2.Present session ticket at connection setup Target Kerberos Authentication Network server connection

Cross-realm Authorization Referral

Kerberos Authentication Use  LDAP to Active Directory  CIFS/SMB remote file access  Secure dynamic DNS update  Distributed file system management  Host-host authentication for IP security  Secure Intranet web services in IIS  Authenticate certificate request to Enterprise CA  DCOM/RPC security provider

Active Directory KDC Microsoft DNS Server DNS DHCP host.domain.company.com Secure Dynamic DNS Update

Cross-platform Interoperability  Based on Kerberos V5 Protocol  Windows 2000 hosts the KDC  UNIX clients to Unix Servers  UNIX clients to Windows Servers  Windows NT clients to UNIX Servers  Simple cross-realm authentication  UNIX realm to Windows domain

Cross-platform Strategy Common Kerberos Domain Windows Desktop SSPI Kerberos SSP Application protocol Windows KDC TICKET GSS-API Application protocol GSS Kerberos mechanism Unix Server

Windows 2000 Professional Smart Card Logon Windows 2000 Server Web Server Solaris UNIX Server Oracle Application IIS ISAPIExtension SSPI/Krb AppService GSS/Krb IE5 SSPI/Krb HTTPTCP Interoperability Cross platform secure 3-tier app

1.NTLM challenge/response Application server Windows NT domain controller MSV1_0 Netlogon 5. Server impersonates client 2.Uses LSA to log on to domain 3.Netlogon service returns user and group SIDs from domain controller Windows NT Directory Service 4. SP4 Netlogon secure channel is protected NTLM Authentication Version 2

NTLMv2  Unique session key per connection  Key exchange key protects session key  Generate unique keys for integrity and encryption of session data  Client -> Server, Server -> Client

NTLMv2 Deployment  LMCompatibilityLevel = {0..5}  Upgrade DCs for user account domains  Upgrade clients and servers  Use Level 1 to negotiate NTLMv2  Use Level 3 to eliminate LM support  If users never need to connect to pre-SP4 servers  Use Level 4 at the DC to refuse LM clients

Network Data Protection  Options to enable data integrity and privacy  File Protection  Protect systems and applications from network attacks  Strong network encryption available  56-bit encryption world-wide  IPSec

File Server Encryption  Changed through Browser  Can easily let Administrator lock files or folders with encryption

IP Security  Host-to-host authentication and encryption  Network layer  IP security policy with domain policy  Negotiation policies, IP filters

Summary  Windows ® 2000 default security  Single Sign On  Network authentication  Security Interoperability  Network data protection

For More Information  Refer to the TechNet website at  Web Pages  security/default.asp 

For More Information  security/default.asp    asp

Session Credits  Author: Brent Lane  Producer/Editor: Alan Maier