Microsoft Metadirectory Services

Microsoft provides an industry leading solution for the challenges of managing identity data in an enterprise. Complex challenges such as maintaining enterprise address books and hire/fire scenarios are solved with the flexible and powerful architecture of the Microsoft® Metadirectory Service (MMS), formerly named ZOOMIT VIA. MMS is a well-established product with an extensive customer base, including many large organizations throughout the world. This paper presents an overview of the capabilities and concepts behind MMS and its relationship to the concept of identity management.

Identity is the summary of information about people, applications, and resources scattered in directories and databases throughout most IT enterprises. This paper addresses solution requirements, using Microsoft® Windows® 2000 and the Active Directory™ service, for dealing with disparate identity information, including the sharing of identity information between different resources, the distribution of identity changes amongst various resources, and ensuring that related data remain consistent throughout the enterprise.

Security

Public-key cryptography is a key technology for e-commerce, intranets, extranets, and other web-enabled applications. However, to garner the benefits of public-key cryptography, a supporting infrastructure is needed. The Windows® 2000 operating system includes a native public-key infrastructure (PKI) that is designed from the ground up to take full advantage of the Windows 2000 security architecture. This paper describes the fundamentals of public-key security systems, including what benefits they offer and what components are required to implement them. It also describes how the Windows 2000 PKI components deliver needed services while providing interoperability, security, flexibility, and ease-of-use.

Cryptography protects users by providing functionality for the encryption of data and authentication of other users. This technology lets the receiver of an electronic message verify the sender, ensures that a message can be read only by the intended person, and assures the recipient that a message has not been altered in transit. This paper describes the cryptographic concepts of symmetric-key encryption, public-key encryption, hash algorithms, digital signatures, and key exchange.

This paper covers the procedures for successfully deploying a public key infrastructure (PKI) for Microsoft Exchange 5.5, using Certificate Server, in a Microsoft® Windows NT® 4.0 Advanced Server-based network. It also covers the upgrade process to Microsoft Windows® 2000, which is based on experience obtained from a Windows 2000-based pilot project performed for a Fortune 500 customer. Creating a PKI for this customer offered security support for digitally signed and encrypted messages and built a solid infrastructure for future security needs.

This white paper describes the default security settings for components of the Windows® 2000 operating system including the registry and file system, as well as user rights and group membership. Implications for developers and system administrators are discussed, and answers to frequently asked questions are provided.

The Encrypting File System (EFS) that is included with the Windows® 2000 operating system provides the core file encryption technology to store NTFS files encrypted on disk. EFS particularly addresses security concerns raised by tools available on other operating systems that allow users to physically access files from an NTFS volume without an access check. This document provides an executive summary and a technical overview of EFS and looks at the issues of data access scenarios and the limitations of the approaches that some products on the market have in trying to solve system, file, and data security problems.

The Windows® 2000 Server operating system includes an implementation of the Internet Engineering Task Force's IP Security Protocol. Windows IP Security provides network managers with a key line of defense in protecting their networks. Windows IP Security exists below the transport level, so its security services are transparently inherited by applications. This white paper outlines the reasons why upgrading to Windows 2000 Server provides the protections of integrity, authentication, and confidentiality without having to upgrade applications or train users.

Public key is an enabling technology for customers extending their business model to the Internet, where strong distributed authentication and secure communications are critical to facilitating business-to-business and business-to-consumer scenarios. Now that the Microsoft® Windows® 2000 operating system includes a standards-based public key infrastructure (PKI) that is interoperable with other PKI products, customers can deploy an integrated PKI as part of their server and desktop infrastructure and manage it in the same way they manage other Windows 2000 security features.

The Windows® 2000 operating system introduces a comprehensive public-key infrastructure (PKI) to the Windows platform. This infrastructure extends the Windows-based public-key (PK) cryptographic services introduced over the past few years, providing an integrated set of services and administrative tools for creating, deploying, and managing PK-based applications. This document explains how application developers can take advantage of the shared-secret security mechanisms or PK-based security mechanisms in the Windows operating system, addresses the reasons why enterprises also gain the advantage of being able to manage the environment and applications with consistent tools and policies, and provides an overview of the PKI in Windows 2000.

Today's Microsoft® Windows NT® Server operating system offers excellent security services for account management and enterprise-wide network authentication. Large organizations need flexibility to delegate account administration and manage complex domains. Internet security concerns are driving the development of public-key security technology that must be integrated with Windows security. To meet these expanding needs, Microsoft is developing Windows® 2000 Distributed Security Services. This paper examines the components of the Windows 2000 Distributed Security Services and provides details on their implementation.

This white paper describes the Microsoft® Security Configuration Tool Set, a set of Microsoft Management Console (MMC) snap-ins designed to reduce costs associated with security configuration and analysis of Windows NT® and Windows® 2000 operating system-based networks. The Security Configuration Tool Set allows you to configure security for a Windows NT- or Windows 2000-based system, and then perform periodic analysis of the system to ensure that the configuration remains intact or to make necessary changes over time. It is also integrated with Windows Administration Change and Configuration Management to configure policy automatically on a large number of systems in the enterprise.

Single Sign-on (SSO) allows enterprise network users to access all authorized network resources seamlessly, on the basis of a single authentication that is performed when they initially access the network. SSO can improve the productivity of network users, reduce the cost of network operations, and improve network security.

In today’s world of connected networks, the need for security, both on internal networks and the interface to the outside world, the Internet, is more crucial than ever. The Microsoft® Windows® 2000 platform gives you great flexibility and standards-based methods to achieve the highest level of security for user authentication as well as file, print and Web services. Windows 2000 introduces new authentication mechanisms like smart card and certificate-based logon. IP Security allows you to encrypt network communications between client and server or between your businesses over the Internet.

The Windows® 2000 operating system introduces smart card authentication as an alternative to passwords to achieve strong network authentication. A smart card can be used to authenticate to a Windows 2000 domain in three ways. The first is interactive logon involving the Active Directory™ service, the Kerberos version 5 protocol, and public key certificates. The second is remote logon that uses a public key certificate with the Extensible Authentication Protocol (EAP) and Transport Layer Security (TLS) to authenticate a remote user to an account stored in Active Directory. The third is client authentication where a user is authenticated using a public key certificate mapped to an account stored in Active Directory. By integrating public key technologies and smart cards with Windows 2000, Microsoft is helping customers to increase their level of security at a time when the convergence of the enterprise and Web computing models is driving companies to open up their corporate networks to stay competitive.

The Windows® operating system is smart card-enabled and is the best and most cost-effective computing platform for developing and deploying smart-card solutions. Smart-card requirements have been incorporated into the PC98 and Net PC design specifications and into future releases of the Windows operating system. Microsoft has released its implementation of the PC/SC 1.0 specifications for the Windows NT® 4.0, Windows 95, and Windows 98 operating systems. Future releases of the Windows platform will also contain smart card support as part of the base platform. This paper presents an overview of smart card technology including interoperability, software development, and deployment issues.

The Microsoft® Security Support Provider Interface (SSPI) is the well-defined common API for obtaining integrated security services for authentication, message integrity, message privacy, and security quality of service for any distributed application protocol. Application protocol designers can take advantage of this interface to obtain different security services without modification to the protocol itself.

The distributed security services of the Windows® 2000 Server operating system let organizations identify network users and control their access to resources. The operating system’s security model uses trusted domain controller authentication, delegation of trust between services, and object-based access control. Core features include integration with the Windows 2000 Active Directory™ service, support for the Kerberos version 5 authentication protocol for authenticating Windows 2000 users, authentication using public key certificates for external users, Encrypting File System (EFS) for protection of local data, and support for secure communication across public networks using Internet Protocol security (IPSec). In addition, developers can use Windows 2000 security elements in custom applications, and organizations can integrate Windows 2000 security with other operating systems that use Kerberos-based security.

The next generation of the Windows® operating system adopts Kerberos as the default protocol for network authentication. An emerging standard, Kerberos provides a foundation for interoperability while enhancing the security of enterprise-wide network authentication. Windows® 2000 implements Kerberos version 5 with extensions for public key authentication. The Kerberos client is implemented as a security provider through the Security Support Provider Interface. Initial authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows 2000 security services running on the domain controller and uses the domain’s Active Directory™ service as its security account database. This white paper examines components of the protocol and provides detail on its implementation.

The Windows® 2000 operating system implements the standard Kerberos network authentication protocol to improve security and interoperability. While new to Windows, the Kerberos protocol is not new and has been implemented on a number of operating system platforms. This paper describes common scenarios for interoperability between Windows 2000 and other Kerberos implementations.

Microsoft® Windows® 2000 Certificate Services offers customers an integrated public key infrastructure (PKI) that enables the secure exchange of information across the Internet, extranets, and intranets. Certificate Services verifies and authenticates the validity of each party involved in an electronic transaction and lets domain users log on to a domain using the additional security provided by smart cards. This paper introduces Windows 2000 Certificate Services and describes PKI deployment in a Windows 2000 network.

____________________________________________
For comments send an email to: SiteManager@comedition.com
Copyright © 2000-2002 EDA, Inc. All rights reserved.
Revised: August 13, 2006