<TITLE>Introduction to Windows 2000 Security Services : [Microsoft Windows 2000 Server, security, Active Directory, Kerberos, PKI, smart cards, x.509]</TITLE>
<META NAME="KEYWORDS" CONTENT="Microsoft Windows 2000 Server, security, Active Directory, Kerberos, PKI, smart cards, x.509 ">
<META NAME="DESCRIPTION" CONTENT="This page introduces security services in Windows 2000
It outlines the key business and technical benefits your company can gain from deploying Windows 2000. ">
<!--mstheme--></font></TD>
</TR>
</TABLE><!--mstheme--><font face="Times New Roman">
<p>Today, businesses use networks consisting of intranets, extranets and Internet sites, all of which extend the traditional local area network (LAN) and require increased system security. Therefore, understanding security services and the role they play in your network infrastructure is important to understanding the overall value of the Windows&reg; 2000 operating system. This introduction provides an overview of how Windows 2000 security services work. It outlines the key business and technical benefits your company can gain from deploying Windows 2000. And it describes how Windows 2000 security services can help your business by:</p>
<ul>
<li>Cutting costs with simplified security management.</li>
<li>Providing consistent and reliable security.</li>
<li>Supporting open standards to Internet-enable your business.</li>
<li>Protecting mobile users and new devices.</li>
</ul>
<!--msthemelist--></table><!--mstheme--><font face="Times New Roman">
<br>
<!--mstheme--></font><table CELLPADDING="0" CELLSPACING="0" BORDER="0" WIDTH="100%"><!--Start of 'back to top' heading-->
<tr valign="bottom">
<td><!--mstheme--><font face="Times New Roman"><a NAME="heading1"></a><h2><!--mstheme--><font color="#400040">What Are Windows 2000 Security Services?<!--mstheme--></font></h2><!--mstheme--></font></td>
<td align="right"><!--mstheme--><font face="Times New Roman"><A class=finePrint href="#top">Back to Top</A><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="Times New Roman">
<p>Security services are an essential part of a modern network operating system. Your network infrastructure, system administration practices, and your end users' experiences depend on the management, flexibility, and enforcement of security services. Windows 2000 enables you to extend your enterprise in an increasingly inter-networked world without compromising security. It provides an integrated set of security services employing such features as Kerberos, Public Key Infrastructure, smart card infrastructure, certificate services, Encrypted File System (EFS), the Security Configuration Toolset, Group Policy and delegated administration.</p>
<p>These services are based on three fundamental design principles:</p>
<ul>
<li><b>Central administration.</b> Security requires simplicity. As networks become larger and more complex, more powerful security management tools are required. The Active Directory<SUP><FONT SIZE=1>TM</FONT></SUP> service in Windows 2000 simplifies security management. Administrators can manage user accounts and access rights from a central location, and delegate security administration tasks.</li>
<li><b>Flexible deployment.</b> Security requires flexibility. In the past, companies could make assumptions about their network users because all users were employees. As companies extend business to the Internet, they can no longer make assumptions about the identity, integrity and desktop platform of their end users. For this reason, Windows 2000 delivers interoperable, flexible authentication mechanisms that verify identity and securely map external users to the company's internal systems.</li>
</ul>
<p>Active Directory provides a single, consistent point of security management for users, devices and applications. Active Directory enables new, powerful security management capabilities such as delegated administration, Group Policy, and configuration management.</p>
<p>Active Directory organizes information as a hierarchy to simplify the process of locating, using, and managing the security of network resources. Within the Active Directory tree, companies can store a wide range of information and tightly control access to it. Such information is organized as objects in containers known as organizational units (OUs) as shown in Figure 1 below. Active Directory acts as the single point of authentication for users seeking access to the network. It enables the operating system to represent network resources and make them available to end users -- this is essential to basic application, file and print services. </p>
<p>Active Directory is tightly integrated with Windows 2000 security services such as Kerberos, Public Key Infrastructure, Encrypted File System (EFS), the Security Configuration Manager, Group Policy and delegated administration.</p>
<p><b>Figure 1.</b> Active Directory Security Integration.</p>
<p> Active Directory uses containers and objects to organize network resources much like Windows uses folders and files to organize information on your PC. It stores information about users and groups, machines, devices and applications and manages the relationships between them to provide a comprehensive view of a distributed network. The Active Directory hierarchy is flexible. It allows you to organize resources based on your business processes and organization rather than on geography alone.</p>
<P><b>Flexible Authentication Mechanisms</b><br>
Windows 2000 supports multiple authentication mechanisms for proving the identity of users as they enter your network. For example, you can authenticate your customers over the Internet with standard X.509 certificates and authenticate internal users with the familiar username/password. For two-factor authentication, you can use smart cards and PINs, or passwords combined with biometric credentials, as shown in Figure 2 below.</P>
<p>Windows 2000 employs a consistent authorization model based on a tried-and-true distributed security model. Microsoft has used the same model since the introduction of Windows 3.1. Each resource in the network has an associated Access Control List (ACL). The ACL is stored with the resource and determines which users and groups have access to it. For example, files carry their ACLs with them as they are moved around the file system. Similarly, objects in the directory, such as users, have ACLs stored with them in the directory. As shown in Figure 3 below, when a user requests a file, the operating system compares the user's "ticket" with the file's ACL and grants the appropriate access.</P>
<p>Each resource has its own security barrier. An intruder must break into each resource separately rather than gaining carte blanche access by impersonating a system superuser, which is a common tactic for breaking into UNIX systems.</p>
<p>This consistent authorization method is integrated with the standard Kerberos network authentication protocol to deliver a more efficient, higher level of security for network traffic. Kerberos is based on "tickets" and greatly reduces the need for repeated authentication at each network resource. Kerberos authenticates both the client and the server it connects to (mutual authentication), protecting against the possibility of an attacker impersonating a server to enter the network.</p>
<p><STRONG>Figure 3. </STRONG> Windows 2000 Server Authorization Model.</p>
<p>Take a common File | Open operation. In Windows Explorer, a user finds a file share. Active Directory directs the user to the location of the share. Next, the user finds an individual file and opens it. The client sends a request to the server that contains a Kerberos ticket with the user's credential information included. The server receives the ticket and examines the credentials. The operating system compares the credential information with the ACL on the file to determine whether the user has access.</p>
<p> If the user has access rights, the file is returned to the user. Because a consistent access model is implemented in Windows 2000, these same credentials are used to access everything from applications and file services to printers and network devices. This means that access to all network resources is managed in the same way using the same tools. The result is simplified management and more accurate security configuration.</p>
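<p>The access check described in the walkthrough above, as an added illustration in Python that is not code from the original article or from Windows itself. A token carries the user's SID and group SIDs (the credential information in the Kerberos ticket), the file's ACL is a list of allow and deny entries (ACEs), and the check walks the entries in canonical order, deny entries first, accumulating granted rights until every requested right is covered. It goes slightly beyond the text by also showing the difference between an object with no ACL (everyone has access) and an object with an empty ACL (nobody has access). The SIDs, group names and the three-bit rights mask are constructed for the example.</p>

```python
"""Model of the Windows access check: token (user + groups) against a file's DACL.
Added illustration only; SIDs, group names and the rights bits are constructed."""
from dataclasses import dataclass

# Constructed subset of the access-rights mask (the real mask has many more bits).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
ALL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Ace:
    kind: str      # "allow" or "deny"
    trustee: str   # SID of a user or group
    mask: int      # rights this entry allows or denies


@dataclass(frozen=True)
class Token:
    """The identity a Kerberos ticket carries to the server: user SID plus group SIDs."""
    user_sid: str
    group_sids: frozenset

    def holds(self, sid):
        return sid == self.user_sid or sid in self.group_sids


def canonicalize(dacl):
    """Canonical order: explicit deny ACEs ahead of explicit allow ACEs, so a deny is
    always seen before an allow that would otherwise grant the same right."""
    return [a for a in dacl if a.kind == "deny"] + [a for a in dacl if a.kind == "allow"]


def access_check(token, dacl, requested):
    """Walk the DACL and decide. Returns (granted, reason).
    A DACL of None (object has no DACL) grants everyone full access; an empty list grants nobody."""
    if dacl is None:
        return True, "object has no DACL: full access to everyone"
    if not dacl:
        return False, "empty DACL: access to nobody"
    remaining = requested                      # rights still to be granted
    for ace in canonicalize(dacl):
        if not token.holds(ace.trustee):
            continue                           # entry does not apply to this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False, f"explicitly denied by ACE for {ace.trustee}"
        if ace.kind == "allow":
            remaining &= ~ace.mask             # accumulate granted rights
            if remaining == 0:
                return True, "all requested rights granted"
    return False, "no ACE grants the remaining rights"


# Constructed SIDs for the walkthrough.
SID_ALICE = "S-1-5-21-1000-1001"
SID_BOB = "S-1-5-21-1000-1002"
SID_MARKETING = "S-1-5-21-1000-2001"
SID_CONTRACTORS = "S-1-5-21-1000-2002"
SID_ADMINS = "S-1-5-32-544"

# The ACL travels with the file: Marketing may read/write, contractors may not write,
# administrators get everything. The deny entry is listed second on purpose; canonicalize()
# moves it ahead of the allows before evaluation.
FILE_DACL = [
    Ace("allow", SID_MARKETING, READ | WRITE),
    Ace("deny", SID_CONTRACTORS, WRITE),
    Ace("allow", SID_ADMINS, ALL),
]

ALICE = Token(SID_ALICE, frozenset({SID_MARKETING, SID_CONTRACTORS}))  # marketing contractor
BOB = Token(SID_BOB, frozenset({SID_MARKETING}))                       # marketing employee


def demo():
    """Run the File | Open scenario for two users and return the decisions."""
    return {
        "alice_read": access_check(ALICE, FILE_DACL, READ)[0],
        "alice_write": access_check(ALICE, FILE_DACL, READ | WRITE)[0],
        "bob_write": access_check(BOB, FILE_DACL, READ | WRITE)[0],
        "bob_execute": access_check(BOB, FILE_DACL, EXECUTE)[0],
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {'granted' if decision else 'denied'}")
```

<p>Alice is both a Marketing member and a contractor, so she can read the file but the deny entry stops her writing it even though the Marketing allow entry would grant write; Bob, who is only in Marketing, can write but cannot execute because no entry grants that right to any SID in his token.</p>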
<br>
<!--mstheme--></font><table CELLPADDING="0" CELLSPACING="0" BORDER="0" WIDTH="100%"><!--Start of 'back to top' heading-->
<tr valign="bottom">
<td><!--mstheme--><font face="Times New Roman"><a NAME="heading3"></a><h2><!--mstheme--><font color="#400040">Benefits of Security Services <!--mstheme--></font></h2><!--mstheme--></font></td>
<td align="right"><!--mstheme--><font face="Times New Roman"><A class=finePrint href="#top">Back to Top</A><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="Times New Roman">
<p>Windows 2000 delivers comprehensive, manageable and interoperable security services that extend your systems to partners, suppliers and customers.</p>
<p>As shown in Figure 4 below, integration with Active Directory provides a central, consistent place to manage user and resource security. Policies may be applied to a group, such as the Marketing Department, or to an object, such as a client on the extranet.</p>
<IMG alt="Integrated Management with Active Directory" border =0 height=227 src="/windows2000/images/4adss4.gif" width=390 >
<P><STRONG>Figure 4.</STRONG> Integrated Management with Active Directory.</P>
<br>
<P><b>Integrated Management</b><br>
The integrated Active Directory of Windows 2000 enables companies to significantly lower management costs with a simpler way to manage security for users, groups and network resources, as well as certificates and security configurations. For example, Active Directory makes it easier to manage and use encrypted e-mail in Exchange 6.0 by publishing user public key certificates in the directory. Integrated security management provides the following benefits:</P>
<ul>
<li><b>Delegation of administration.</b> Active Directory enables you to delegate specific administrative privileges and tasks to individual users and groups to leverage your system administration resources.</li>
<li><b>Policy-based management.</b> Windows 2000 provides tools that allow administrators to develop standard secure configurations for machines and to use Group Policy in Active Directory to update them. This saves time on initial configuration and avoids configuration "drift" that could create security holes. Security policies can be assigned to specific classes of machines, Internet or extranet users, applications, or servers using Active Directory containers.</li>
<li><b>Access control.</b> In Windows 2000, printers, users, shared folders, groups, and computer objects are located in the directory. Their ACLs are stored with those objects in the Active Directory, where access can be centrally controlled.</li>
</ul>
<p>Security requires end-to-end protection. For example, support for multiple authentication mechanisms such as Kerberos, X.509 certificates and smart cards, combined with a flexible access control model, enables powerful and consistent security services for internal desktop users, remote dial-up users and e-commerce customers. Windows 2000 security services were built with business applications in mind.</p>
<p>Consider some of the scenarios addressed by the security services infrastructure of Windows 2000 - the uses, risks and the technology solutions.</p>
<p><b>Securely Internet-enable Your Business</b></p>
<ul>
<li><b>E-commerce.</b> Companies doing business on the Internet must be concerned with proving the identity of customers. Windows 2000 provides a fully featured public key infrastructure, including a Certificate Authority for issuing X.509 certificates and validating identity. The Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols confirm the user's identity and protect data on the wire across the Internet.</li>
<li><b>Extranets.</b> Support for open PKI standards and secure protocols, such as IPSec, L2TP, SSL/TLS, and S/MIME, enables you to extend your network to suppliers and partners more quickly, while protecting against impostors, data theft, and malicious hackers.</li>
</ul>
<!--msthemelist--></table><!--mstheme--><font face="Times New Roman">
<p><b>Cut Costs with Improved Security Management</b></p>
<ul>
<li><b>Centralized management.</b> The integration of security in Active Directory prevents security holes caused by scattered security configuration management. It prevents confusion over employee roles, prevents configuration drift and improves auditing capabilities. Windows 2000 provides delegated administration in Group Policy to leverage management resources and easily change security rights.</li>
<li><b>Enterprise interoperability.</b> With support for the Kerberos and NTLM v2 authentication protocols, Windows 2000 provides secure interoperability with legacy systems. It supports smart cards and biometrics to protect against password sharing or guessing. In addition, Windows 2000 security services are also available to application developers via open APIs such as the Security Support Provider Interface (SSPI) and the Crypto API (CAPI). This allows applications to leverage the integrated Kerberos single sign-on capabilities and PKI of Windows 2000.</li>
</ul>
<!--msthemelist--></table><!--mstheme--><font face="Times New Roman">
<ul>
<li><b>Mobile users.</b> By design, laptops and many new devices are portable and lend themselves to theft. These machines often hold important company data and represent a security risk if stolen. Windows 2000 offers Encrypted File System functionality that encrypts data on the hard drive, rendering it useless to anyone who does not hold the encryption key or the recovery key.</li>
</ul>
<p>Many companies have diverse collections of technologies that must work together. Windows 2000 security services are built on open standards that provide powerful interfaces for application integration and for interoperability with a wide variety of applications and platforms. For example, native support for standard PKI and Kerberos enables cross-platform single-sign on across the enterprise.</p>
<p>Consider a company that has an existing "Kerberized" database application running on a UNIX server. The company wants to securely expose the application to a partner over an extranet as illustrated in Figure 5 below.</p>
<p><b>Figure 5.</b> Cross Platform Interoperability Using Kerberos.</p>
<p>The partner connects over the Internet and requests a URL that is part of the database application. The partner uses a standard Web browser and connects via an SSL or TLS session to Internet Information Server (IIS) running on a Windows 2000 machine. The first step is authenticating the partner's identity using SSL or TLS authentication; IIS confirms that identity against Active Directory, and Windows 2000 Server then looks up the user's account in Active Directory.</p>
<p>If the user's account is found, a credentials package is assembled and a Kerberos ticket is granted to the IIS server on behalf of the user; from this point on, Kerberos is in use. Next, the server impersonates the partner and requests access to the database application by passing the identity information in the Kerberos ticket. Finally, the database server verifies the identity information in the Kerberos ticket and determines whether to grant or deny access. This is the standard request/response process for a "Kerberized" application.</p>
<p>This example assumes a well-established Kerberos environment that a customer wants to maintain. Alternatively, Windows 2000 can register foreign services. With an account in Active Directory, the database application can take part in the Windows 2000 authorization model. It appears the same as any other Windows-based resource - eliminating the need for maintenance of a user database on both platforms.</p>
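<p>The Kerberos exchange that underlies both the mutual authentication described in the authorization section and the "Kerberized" application flow above, as an added toy model in Python; it is not code from the original article, from Windows 2000 or from any Kerberos implementation. A KDC holding every principal's long-term key issues a ticket sealed under the service's key together with a session key sealed for the client; the client presents the ticket with a fresh authenticator; the server verifies ticket, authenticator, clock skew and a replay cache, then proves its own identity by returning the client's timestamp under the session key. The seal/unseal primitive is a constructed HMAC-SHA256 stand-in for Kerberos encryption types, the AS and TGS exchanges are collapsed into one ticket-issuing step, and the principal names and keys are constructed.</p>

```python
"""Toy Kerberos exchange: ticket issue, AP-REQ with authenticator, AP-REP (mutual auth).
Added illustration only; seal()/unseal() is a constructed stand-in for real Kerberos crypto."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated (Kerberos' customary 5 minutes)


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (constructed toy primitive)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key (in Windows 2000 these live in Active Directory)."""
    def __init__(self, keys):
        self.keys = dict(keys)

    def issue_ticket(self, client, service, now, lifetime=8 * 3600):
        """Simplified AS/TGS step: the ticket is sealed under the service key and is opaque
        to the client; the client receives the session key sealed under its own key."""
        session_key = os.urandom(32).hex()
        ticket = {"client": client, "service": service, "key": session_key, "expires": now + lifetime}
        for_client = {"service": service, "key": session_key, "expires": now + lifetime}
        return seal(self.keys[service], ticket), seal(self.keys[client], for_client)


class Server:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen = replay cache

    def accept(self, ticket_blob, authenticator_blob, now):
        """AP-REQ handling: verify ticket, authenticator and freshness; return (client, AP-REP)."""
        ticket = unseal(self.key, ticket_blob)              # only the real server can open it
        if ticket["service"] != self.name or ticket["expires"] < now:
            raise ValueError("ticket not for this service or expired")
        key = bytes.fromhex(ticket["key"])
        auth = unseal(key, authenticator_blob)              # proves the client knows the session key
        if auth["client"] != ticket["client"] or abs(auth["ts"] - now) > SKEW:
            raise ValueError("authenticator does not match ticket or is stale")
        if (auth["client"], auth["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return ticket["client"], seal(key, {"ts": auth["ts"]})  # AP-REP: server knows the key too


def client_ap_req(client_key, kdc_reply, client, now):
    """Client side: recover the session key and build the authenticator."""
    info = unseal(client_key, kdc_reply)
    key = bytes.fromhex(info["key"])
    return key, seal(key, {"client": client, "ts": now})


def client_verify_ap_rep(session_key, ap_rep, sent_ts):
    """Mutual authentication: only a server holding the session key can echo our timestamp."""
    return unseal(session_key, ap_rep)["ts"] == sent_ts


def demo():
    keys = {"alice@CORP": hashlib.sha256(b"alice-password").digest(),   # constructed principals
            "host/files.corp": os.urandom(32)}
    kdc, server = KDC(keys), Server("host/files.corp", keys["host/files.corp"])
    now = int(time.time())
    ticket, reply = kdc.issue_ticket("alice@CORP", "host/files.corp", now)
    skey, ap_req = client_ap_req(keys["alice@CORP"], reply, "alice@CORP", now)
    who, ap_rep = server.accept(ticket, ap_req, now)
    mutual = client_verify_ap_rep(skey, ap_rep, now)
    try:                                   # the same authenticator is rejected a second time
        server.accept(ticket, ap_req, now)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:                                   # a host without the service key cannot open the ticket
        Server("host/files.corp", os.urandom(32)).accept(ticket, ap_req, now)
        impostor_rejected = False
    except ValueError:
        impostor_rejected = True
    return {"client": who, "mutual": mutual,
            "replay_rejected": replay_rejected, "impostor_rejected": impostor_rejected}


if __name__ == "__main__":
    print(demo())
```

<p>The client never learns the service's long-term key and the server never learns the user's, which is why the same ticket can be reused for its lifetime without re-authenticating to the KDC; the replay cache and clock-skew check are what make the authenticator safe to send over an untrusted network.</p>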
<p>In this way, Windows 2000 provides flexible authentication for intranets and extranets, and interoperates with existing systems. Deploying extranets is faster and easier because special-purpose/add-on security infrastructures are unnecessary. There is no need for specialized client plug-ins and directory services that add management complexity. You can extend existing technologies to the Internet and e-commerce, using a powerful and consistent management and security model. This combination of open standards support, flexibility and manageability makes Windows 2000 the ideal platform for extending your enterprise to your partners, suppliers and customers.</p>
<br>
<!--mstheme--></font><table CELLPADDING="0" CELLSPACING="0" BORDER="0" WIDTH="100%"><!--Start of 'back to top' heading-->
<tr valign="bottom">
<td><!--mstheme--><font face="Times New Roman"><a NAME="heading6"></a><h2><!--mstheme--><font color="#400040">Conclusion<!--mstheme--></font></h2><!--mstheme--></font></td>
<td align="right"><!--mstheme--><font face="Times New Roman"><A class=finePrint href="#top">Back to Top</A><!--mstheme--></font></td>
</tr>
</table><!--mstheme--><font face="Times New Roman">
<p>Networked computing is more important than ever for a business to remain competitive. Windows 2000 Server has been designed to leverage existing investments in systems and extend them to partners, customers, and suppliers. Windows 2000 security services provide an integrated, comprehensive, and interoperable security solution for extending your enterprise. Figure 6 below illustrates how all the components of a modern network can work securely together around the Windows 2000 platform.</p>