MCSE Training Kit (Exam 70-220): Designing Microsoft Windows 2000 Network Security, by Microsoft Corporation
Make the right design decisions to protect your business network—and prepare for the Microsoft® Certified Professional (MCP) exam—with this official Microsoft study guide. Work at your own pace through a system of case-study scenarios and tutorials to gain practical experience planning the security infrastructure for a Windows® 2000 network. As you build these real-world design skills, you’re also preparing for MCP Exam 70-220—a core credit on the Windows 2000 MCSE track.
HERE’S WHAT YOU’LL LEARN:
- Analyzing business requirements, including strategies, structures, and processes
- Evaluating your company’s existing and planned technical environment
- Identifying security risks and requirements and defining security baselines
- Planning an authentication strategy and Public Key Infrastructure
- Controlling access to resources using EFS, NTFS, security groups, and Group Policy
- Designing security for Windows 2000 network services: DNS, Remote Installation Services (RIS), SNMP, and Terminal Services
- Developing an IPSec data encryption scheme and management strategy
- Providing secure connections for users of remote access services, VPNs, extranets, or the Internet
HERE’S WHAT’S INSIDE:
- Comprehensive self-paced training manual that maps to MCP exam goals and objectives
- Case study-based exercises that help you apply what you learn to the job
- Summaries and end-of-chapter review questions to help gauge your progress
- 120-day evaluation version of Windows 2000 Advanced Server
- All the book’s content—plus supplemental materials—on CD-ROM
- NEW! Sample MCSE Readiness Review practice-test questions online. See "About This Book" for details.
For complete information on MCSE core and elective requirements, go to: http://www.microsoft.com/trainingandservices/default.asp
A Note Regarding the CD or DVD
The print version of this book ships with a CD or DVD. For those customers purchasing one of the digital formats in which this book is available, we are pleased to offer the CD/DVD content as a free download via O'Reilly Media's Digital Distribution services. To download this content, please visit O'Reilly's web site, search for the title of this book to find its catalog page, and click on the link below the cover image (Examples, Companion Content, or Practice Files). Note that while we provide as much of the media content as we are able via free download, we are sometimes limited by licensing restrictions. Please direct any questions or concerns to email@example.com.
Read an Excerpt
Chapter 3: Designing Authentication for a Microsoft Windows 2000 Network
About This Chapter
All access to Microsoft Windows 2000 resources is based on the credentials that users provide when they authenticate with the network. This chapter will examine the authentication protocols that are used in Windows 2000, the ways to authenticate down-level clients, and the optimum placement of domain controllers (DCs) to facilitate the authentication process.
Before You Begin
To complete this chapter, you must read the chapter scenario. This scenario is used throughout the chapter to apply the design decisions discussed in each lesson.
Chapter Scenario: Market Florist
Market Florist is an Internet-based floral delivery company that allows customers to purchase floral arrangements over the Internet and have them delivered anywhere in North America. You have been called in as a security consultant to design an authentication strategy for the Market Florist internal network that will ensure that user credentials are protected during the authentication process.
The Existing Network
Market Florist's head office is in Seattle, the Canadian office is in Winnipeg, and the Mexican office is in Monterrey. Market Florist's marketing department is in San Francisco.
Figure 3.1 shows the network links among Market Florist's four offices.
Figure 3.1 The Market Florist Wide Area Network
Market Florist Active Directory Design
Market Florist's Active Directory directory service design consists of three separate domains: marketflorist.tld, ca.marketflorist.tld, and mx.marketflorist.tld. The Seattle and San Francisco sites authenticate in the marketflorist.tld domain, and the Winnipeg and Monterrey sites authenticate with their country's subdomain, as shown in Figure 3.2.
Figure 3.2 The Market Florist Active Directory structure
Market Florist Server Configuration
Market Florist has Windows 2000 servers distributed across its network as shown in Table 3.1.
Table 3.1 Windows 2000 Servers in the Market Florist Network
| Location | Windows 2000 Servers |
|---|---|
| Seattle | Three Windows 2000 DCs for the marketflorist.tld domain. Two of the DCs are configured as Active Directory-integrated Windows 2000 DNS servers hosting the marketflorist.tld DNS zone. Two of the Windows 2000 DCs are configured as global catalog servers. One Windows 2000 member server configured as a WINS server. |
| San Francisco | Two Windows 2000 DCs for marketflorist.tld. One of the Windows 2000 DCs is configured as a global catalog server. |
| Winnipeg | Three Windows 2000 DCs for the ca.marketflorist.tld domain. One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the ca.marketflorist.tld zone. |
| Monterrey | Two Windows 2000 DCs for the mx.marketflorist.tld domain. One of the DCs is configured as an Active Directory-integrated Windows 2000 DNS server hosting the mx.marketflorist.tld zone. |
Market Florist Client Computers
The Market Florist network uses a mix of Microsoft Windows 95, Windows NT 4.0 Workstation, and Windows 2000 Professional client computers. All client computers were updated to the latest service pack version before January 1, 2000, to ensure that the Market Florist network was Year 2000 compliant.
Table 3.2 shows how the client computers are distributed across the network.
Table 3.2 Market Florist Client Computer Distribution
| Location | Client Computers |
|---|---|
| Seattle | 700 Windows 2000 Professional clients |
| San Francisco | 200 Windows 95 clients; 300 Windows NT 4.0 workstations; 100 Windows 2000 Professional clients |
| Winnipeg | 200 Windows NT 4.0 clients; 300 Windows 2000 Professional clients |
| Monterrey | 300 Windows 95 clients; 100 Windows 2000 Professional clients |
Lesson 1: Designing Authentication in a Microsoft Windows 2000 Network
Authentication allows network administrators to determine who is accessing the network and to design restrictions so that each authenticated user can access only the intended areas of the network. Without a good authentication design, trusted users might not always be able to access the network.
After this lesson, you will be able to
- Determine business and technical requirements that will affect your authentication design for a Windows 2000 network
Estimated lesson time: 20 minutes
Determining Business and Technical Requirements
When designing authentication for your Windows 2000 network, you must meet certain business and technical requirements. These requirements define how you can make sure that authentication mechanisms are secured within a Windows 2000 network. The business requirements include these areas:
- Many organizations require that all projects should ultimately reduce the company's total cost of ownership. You can do this by using Group Policy to enforce standardized security configurations. In a Windows NT 4.0 network, you had to edit the registry manually to apply many advanced security settings. This required an administrator either to connect to each computer in the domain or to configure each computer in the domain manually. With Group Policy, Windows 2000 can ensure that common registry modifications are enforced centrally using Active Directory.
- Identify security risks in the network. In a Windows NT network, many client computers were unable to use more secure methods of authentication. (Unless otherwise noted, "Windows NT" refers to versions 3.51 and 4.0.) For example, Windows 95 and Windows 98 clients used LAN Manager (LM) authentication. LM authentication gives attackers an easy way to crack passwords: the LM hash splits the password into two seven-character halves that can be attacked independently. With the installation of the Directory Services Client in a Windows 2000 network, Windows 95 and Windows 98 clients use the NTLMv2 authentication protocol, which provides stronger authentication security and reduces the risk of password cracking.
In addition to business requirements, technical requirements also play a part in the design of your network's authentication strategy. These technical requirements might include the following:
- Network authentication must be available even if WAN links are not. By deploying Domain Name System (DNS) servers, DCs, and global catalog servers at each remote site, you ensure that each site has the services needed to provide local authentication. While only Windows 2000 clients are site-aware by default, installing the Directory Services Client software on Windows 95, Windows 98, and Windows NT 4.0 clients makes these down-level client systems site-aware.
- Network authentication must occur quickly. When authentication takes place over WAN links, authentication performance suffers. By ensuring that all clients are site-aware, you ensure that the clients will attempt to find network services on their local segment of the network. This solution requires you to deploy the Directory Services Client software to all down-level clients and to deploy Active Directory sites correctly.
- DCs must not be overloaded with authentication requests. Microsoft provides a tool known as the Active Directory Sizer (ADSizer), which helps you plan the optimal number of DCs that you require for your network. This includes determining the ideal number of DCs and the processor and memory requirements for each one.
You can get the ADSizer tool by going to www.microsoft.com and searching for "ADSizer tool."
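The site-awareness point above (a site-aware client looks for a DC in its own site before falling back to any DC in the domain) can be shown with the DNS locator names Windows 2000 DCs register. The following is an added example written for this page, not code from the book or from Microsoft: it constructs sample SRV records for the Market Florist domains (the site names `Seattle`, `SanFrancisco` and `Winnipeg` and the host names are assumptions) and models a site-aware lookup next to a lookup without site awareness. The record names `_ldap._tcp.<Site>._sites.dc._msdcs.<Domain>` and `_ldap._tcp.dc._msdcs.<Domain>` are the real Windows 2000 DC locator names; the selection rule follows RFC 2782.

```python
"""Added example (not from the book): site-aware DC location via SRV records.

Windows 2000 DCs register site-specific SRV records named
_ldap._tcp.<Site>._sites.dc._msdcs.<Domain> and domain-wide ones named
_ldap._tcp.dc._msdcs.<Domain>. A site-aware client tries its own site first, so
it finds a local DC even when the WAN link is down or slow. The zone data below
is constructed for the Market Florist scenario; site and host names are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred (RFC 2782)
    weight: int     # relative share within one priority level
    port: int
    target: str


def site_srv_name(domain: str, site: str) -> str:
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"


def domain_srv_name(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain}"


# Constructed stand-ins for the records Net Logon would register, mirroring
# Table 3.1: three DCs in Seattle, two in San Francisco, three in Winnipeg.
SEA = [SrvRecord(0, 100, 389, f"sea-dc{i}.marketflorist.tld") for i in (1, 2, 3)]
SFO = [SrvRecord(0, 100, 389, f"sfo-dc{i}.marketflorist.tld") for i in (1, 2)]
WPG = [SrvRecord(0, 100, 389, f"wpg-dc{i}.ca.marketflorist.tld") for i in (1, 2, 3)]

SAMPLE_DNS = {
    site_srv_name("marketflorist.tld", "Seattle"): SEA,
    site_srv_name("marketflorist.tld", "SanFrancisco"): SFO,
    domain_srv_name("marketflorist.tld"): SEA + SFO,
    site_srv_name("ca.marketflorist.tld", "Winnipeg"): WPG,
    domain_srv_name("ca.marketflorist.tld"): WPG,
}


def choose_srv(records, rng=random):
    """RFC 2782 selection: lowest priority group, then a weighted random pick."""
    best = min(r.priority for r in records)
    group = [r for r in records if r.priority == best]
    total = sum(r.weight for r in group)
    if total == 0:
        return rng.choice(group)
    pick = rng.randrange(total)
    for r in group:
        pick -= r.weight
        if pick < 0:
            return r
    return group[-1]


def locate_dc(domain, site, dns=SAMPLE_DNS, rng=random):
    """Site-aware locator (Windows 2000 client, or a down-level client with the
    Directory Services Client installed): query the site record first, then the
    domain-wide record. Returns (query name that answered, record or None)."""
    for name in (site_srv_name(domain, site), domain_srv_name(domain)):
        records = dns.get(name)
        if records:
            return name, choose_srv(records, rng)
    return domain_srv_name(domain), None


def locate_dc_legacy(domain, dns=SAMPLE_DNS, rng=random):
    """Model of a client with no site awareness: it cannot prefer its own site,
    so it may be handed a DC across the WAN just as readily as a local one."""
    records = dns.get(domain_srv_name(domain))
    return domain_srv_name(domain), (choose_srv(records, rng) if records else None)


if __name__ == "__main__":
    print(locate_dc("marketflorist.tld", "SanFrancisco"))
    print(locate_dc("marketflorist.tld", "Portland"))   # unknown site: falls back
    print(locate_dc_legacy("marketflorist.tld"))
```

A San Francisco client that is site-aware always lands on an `sfo-dc` host, while the legacy lookup returns any of the five marketflorist.tld DCs; a client in a site with no DC of its own (the `Portland` case) falls back to the domain-wide record, which is the situation the lesson says to avoid by placing DCs at each remote site.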
You must design authentication for your network to meet all business and technical objectives defined by your organization. These objectives will provide the framework for your design. If you don't meet all objectives, it's quite possible that you will face a redesign in the near future. Ensure that you have collected all business and technical objectives before completing your authentication design.
Lesson 2: Designing Kerberos Authentication
Windows 2000 is designed to use Kerberos v5 as the default authentication protocol. Kerberos v5 provides more flexibility in authentication than the NTLM authentication protocol did.
After this lesson, you will be able to
- Design a network to support Kerberos authentication for Windows 2000–based clients
Estimated lesson time: 45 minutes
Reviewing Kerberos Components
This lesson examines in detail how Kerberos authentication is used as the default authentication mechanism for Windows 2000–based computers. Before we look at the design considerations, at how Kerberos authentication works, and at how you can optimize and secure it, let's review its core components. The components of the Kerberos v5 protocol include
- Key distribution center (KDC). A network service that supplies both ticket-granting tickets (TGTs) and service tickets to users and computers on the network. The KDC manages the exchange of shared secrets between a user and a server when they authenticate with each other. The KDC contains two services: the Authentication Service and the Ticket Granting Service. The Authentication Service provides the initial authentication of the user on the network and provides the user with a TGT. Whenever users request access to a network service, they supply their TGT to the Ticket Granting Service. The Ticket Granting Service then provides the user with a service ticket for authentication with the target network service. In a Windows 2000 network, the KDC service is run at all Windows 2000 DCs....
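The two KDC services described above, and the way a TGT from the Authentication Service is later exchanged for a service ticket from the Ticket Granting Service, are easier to follow as a running model. The following is an added example written for this page, not code from the book or from Microsoft. It is a toy: the keyed wrap (SHA-256 keystream plus HMAC tag) stands in for Kerberos encryption so the exchange runs offline, pre-authentication and message encoding are omitted, and the realm `MARKETFLORIST.TLD`, the principals `alice` and `cifs/sea-fs1`, the password and the timestamps are constructed values.

```python
"""Toy model (added example, not from the book) of the KDC's Authentication
Service and Ticket Granting Service and of a client using a TGT to get a
service ticket. The keyed wrap is a stand-in cipher (SHA-256 keystream + HMAC
tag) so the exchange runs offline; realm, principals, passwords and times are
constructed sample values. ASN.1, pre-authentication and enctypes are omitted."""
import hashlib, hmac, json, os, secrets

TICKET_LIFETIME = 600  # seconds (constructed; real defaults are hours)
CLOCK_SKEW = 300       # seconds; authenticators outside this window are rejected

def derive_key(password, realm, principal):
    # Stand-in for the Kerberos string-to-key function, salted with realm + principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def wrap(key, obj):
    """Encrypt-then-MAC a JSON payload under key (toy cipher, see module docstring)."""
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unwrap(key, blob):
    """Verify the tag, then decrypt; a wrong key or an altered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or altered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode())

class KDC:
    """Runs on every Windows 2000 DC; holds the long-term keys stored in Active Directory."""
    def __init__(self, realm, long_term_keys):
        self.realm, self.keys = realm, long_term_keys   # principal name -> key
        self.krbtgt_key = secrets.token_bytes(32)       # seals TGTs; never leaves the KDC

    def authentication_service(self, user, now):
        """AS exchange: issue a TGT plus session key, reply sealed under the user's key."""
        session_key = secrets.token_bytes(32)
        tgt = wrap(self.krbtgt_key, {"client": user, "key": session_key.hex(), "expires": now + TICKET_LIFETIME})
        return wrap(self.keys[user], {"key": session_key.hex(), "tgt": tgt.hex()})

    def ticket_granting_service(self, tgt_blob, authenticator, service, now):
        """TGS exchange: check the TGT and authenticator, then issue a ticket for service."""
        tgt = unwrap(self.krbtgt_key, tgt_blob)
        if tgt["expires"] < now:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(tgt["key"])
        auth = unwrap(session_key, authenticator)  # proves the caller holds the session key
        if auth["client"] != tgt["client"] or abs(auth["time"] - now) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match TGT or is stale")
        service_key = secrets.token_bytes(32)
        ticket = wrap(self.keys[service], {"client": tgt["client"], "key": service_key.hex(), "expires": now + TICKET_LIFETIME})
        return wrap(session_key, {"key": service_key.hex(), "ticket": ticket.hex()})

def client_logon(kdc, user, password, now):
    """Client side of the AS exchange; the password-derived key never leaves the client."""
    reply = unwrap(derive_key(password, kdc.realm, user), kdc.authentication_service(user, now))
    return bytes.fromhex(reply["key"]), bytes.fromhex(reply["tgt"])

def client_get_service_ticket(kdc, user, session_key, tgt, service, now):
    """Client side of the TGS exchange: present the TGT with a fresh authenticator."""
    reply = unwrap(session_key, kdc.ticket_granting_service(tgt, wrap(session_key, {"client": user, "time": now}), service, now))
    return bytes.fromhex(reply["key"]), bytes.fromhex(reply["ticket"])

def service_accept(service_key, ticket, authenticator, now):
    """The target service never contacts the KDC: it trusts a ticket sealed under its own key."""
    t = unwrap(service_key, ticket)
    if t["expires"] < now:
        raise PermissionError("service ticket expired")
    a = unwrap(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(a["time"] - now) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return t["client"]

def demo(now=1_000_000):
    """Logon, obtain a ticket for a file server, present it; returns the authenticated name."""
    realm = "MARKETFLORIST.TLD"
    keys = {"alice": derive_key("correct horse", realm, "alice"), "cifs/sea-fs1": secrets.token_bytes(32)}
    kdc = KDC(realm, keys)
    session_key, tgt = client_logon(kdc, "alice", "correct horse", now)
    svc_key, ticket = client_get_service_ticket(kdc, "alice", session_key, tgt, "cifs/sea-fs1", now + 1)
    return service_accept(keys["cifs/sea-fs1"], ticket, wrap(svc_key, {"client": "alice", "time": now + 2}), now + 2)
```

Two properties of the real protocol survive even in this toy: the user's password-derived key is used only on the client to open the AS reply (a wrong password simply fails the integrity check, so nothing password-equivalent crosses the network), and the file server validates the service ticket with its own long-term key without ever contacting a DC, which is why the lesson stresses that every Windows 2000 DC runs the KDC but the services themselves do not.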
Meet the Author
Developed by senior editors and content managers at Microsoft Corporation.