Preparing Your Network Infrastructure for Windows 2000


Preparing Your Security Infrastructure

Microsoft Windows 2000 has been designed to provide very high levels of data security, while offering administrators the benefits of ease of implementation and administration. New features such as IPSec, Kerberos authentication, and public keys offer a higher level of security than previous versions of Windows NT.

Because Windows 2000 is designed to operate within an existing Windows NT domain structure, you can easily introduce Windows 2000–based servers into your existing network security structure. However, as you migrate or upgrade your existing Windows NT network to Windows 2000, your security strategy will be influenced by the security-specific features of Windows 2000 that you plan to deploy. For instance, if you are currently using Microsoft Proxy Server in your network, you will need to upgrade this product for Windows 2000, and install the proper client software to use the service.

Windows 2000 supports public key infrastructure (PKI), an authentication method employing digital certificates, certification authorities, and certificate management software. You can use certificate authentication to secure e-mail clients and Internet communication, to support smart card technology, and to secure communication (using IPSec) with non-Kerberos clients. For more information about planning and deploying a PKI, see "Planning Your Public Key Infrastructure" in this book. The details of how you deploy your PKI are determined by the specific certificate services you employ: you can use Microsoft Certificate Services or third-party certificate services.

Define your certificate requirements, practices, and strategies. If you are thinking of implementing a third-party PKI, make sure it is compatible with Windows 2000. In this case, compatibility means support of rooted certification hierarchies as implemented in Windows 2000. Note that the Windows 2000 PKI will not replace existing Windows domain trust and authorization mechanisms, such as the Kerberos protocol. The PKI features of Windows 2000 are integrated with the domain controller and Kerberos authentication services.

You can implement PKI in stages to support particular goals, such as securing e-mail or providing authentication to existing systems, depending on your priorities.

To implement PKI in stages

  1. Install root certification authorities in the parent domains for each Windows 2000 tree in your domain forest.
  2. Install intermediate certification authorities in the domains of each business unit.
  3. Install and configure issuing certification authorities and services in the domains for each user group, at each site as required.
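The three-tier rooted hierarchy described above (root, intermediate, issuing), modelled as an added example that is not part of this Resource Kit chapter: the script creates a test chain in the current user's personal certificate store and then verifies that an end-entity certificate chains back to the root. It assumes the Windows PKI PowerShell module (Windows 8 / Server 2012 or later); the Contoso names are constructed, and production CAs would run Certificate Services on separate servers rather than live in one store.

```powershell
# Added example: builds root -> intermediate -> issuing CA -> end-entity in one store
# and checks the resulting chain. Subject names are constructed placeholders.
$ErrorActionPreference = 'Stop'
$store = 'Cert:\CurrentUser\My'
$caExt = @('2.5.29.19={critical}{text}CA=true')   # Basic Constraints: this certificate is a CA

# Tier 1: root CA (parent domain of the tree), self-signed
$root = New-SelfSignedCertificate -Type Custom -Subject 'CN=Contoso Root CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -TextExtension $caExt `
    -KeyAlgorithm RSA -KeyLength 4096 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(10) -CertStoreLocation $store

# Tier 2: intermediate CA (business unit), signed by the root
$intermediate = New-SelfSignedCertificate -Type Custom -Subject 'CN=Contoso Finance Intermediate CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -TextExtension $caExt `
    -Signer $root -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(5) -CertStoreLocation $store

# Tier 3: issuing CA (site / user group), signed by the intermediate
$issuing = New-SelfSignedCertificate -Type Custom -Subject 'CN=Contoso Finance Seattle Issuing CA' `
    -KeyUsage CertSign, CRLSign, DigitalSignature -TextExtension $caExt `
    -Signer $intermediate -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(3) -CertStoreLocation $store

# End-entity certificate for a user, signed by the issuing CA; no CA flag
$user = New-SelfSignedCertificate -Type Custom -Subject 'CN=alice@contoso.example' `
    -KeyUsage DigitalSignature, KeyEncipherment -Signer $issuing `
    -HashAlgorithm SHA256 -NotAfter (Get-Date).AddYears(1) -CertStoreLocation $store

# Walk the chain from the user certificate up to the root. The test root is not in the
# Trusted Root store, so only that condition is tolerated; signatures, validity periods
# and CA flags are still checked. Test CAs publish no CRL, so revocation is skipped.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.ExtraStore.AddRange(@($root, $intermediate, $issuing))
$built = $chain.Build($user)

"Chain valid: $built"
# Print each tier with its Basic Constraints CA flag; the leaf should be the only CA=False entry
$chain.ChainElements | ForEach-Object {
    $bc = $_.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    $isCa = if ($bc) { $bc.CertificateAuthority } else { $false }
    '{0,-45} CA={1}' -f $_.Certificate.Subject, $isCa
}
```

Remove the four test certificates from `Cert:\CurrentUser\My` afterwards; a real root should be kept offline and the root certificate distributed to clients through Group Policy, not left in a user store.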

© 1985-2000 Microsoft Corporation. All rights reserved.