Introduction
Just a few short years ago, no one could have foreseen the huge impact that the personal computer would have on the working lives of so many people. Idling on the desk of millions of office workers around the world is a tireless instrument that extends and facilitates our ability to deliver work. Today, the personal computer and the operating systems that run it are as ubiquitous as the car, with which it shares several powerful characteristics.
The modern car comes with a surfeit of features—sleek lines, aggressive low-cut features, and a powerful engine—all intended to tempt the buyer. But it is the road that the car travels along that makes it truly productive. Without the road, the modern car would be sleek, beautiful, and useless. Windows 2000 Professional and most other modern personal operating systems are armed with the same sleek lines, powerful engines, and aggressive features as the modern car. To guide operating systems such as Windows 2000 Professional down the road of increased productivity, flexibility, and reliability, a robust and mission-critical server operating system infrastructure is required—an operating system infrastructure like Windows 2000 Server.
A significant portion of the design objectives for the Windows 2000 development team was to ensure that Windows 2000 Server was the most efficient, scalable, and reliable Microsoft operating system for the enterprise. Complex decision-making issues that arose during the design of Windows 2000 Server were handled with ruthless efficiency. If a choice arose between compatibility and stability, it was ruled as no competition—stability won every time. That has left us with an operating system that has gone through one of the most rigorous testing cycles in operating system history. Compound this with the involvement of some of the best minds in the computing business, and you have a network operating system that can only be described as a winner.
What does Windows 2000 Server signify to information technology professionals? It means an exciting opportunity to learn new skills, provide better services, and enhance productivity (and to use cool-sounding words like ADSI and Kerberos). Windows 2000 Server ushers in a bevy of features that leverage best-of-breed technology sets. This is not technology for technology’s sake, but a technical architecture geared toward providing an infrastructure based on delivery.
Even on first appearances, it is obvious that Windows 2000 Server is a vastly complex operating system. With functionality literally bursting from the seams, it creates the dual opportunity for success and failure. The correctly prepared professional who understands the nature and complexities of Windows 2000 Server can provide an outstanding infrastructure based on its reliable, extensible, and flexible feature set. Those unprepared for managing and working with a product as far-reaching and complex as Windows 2000 Server should prepare for a good deal of confusion and reactive problem solving.
Windows 2000 Server is the next-generation operating system from Microsoft that not only replaces, but also revolutionizes the network operating system product space that Windows NT 4 Server occupied. With adequate preparation, appreciable benefits can be realized by all information technology professionals, from the Dilbert-style network manager, to the technical developer who sits in a lotus position chanting C++ mantras. But, more importantly, your clients—the users—will be able to reap the rewards that go hand in hand with Windows 2000 Server.
Mission-Critical Windows—A Contradiction in Terms?
Rightly or wrongly, Microsoft has been soundly chastised on more than one occasion for supplying server-based operating systems that fail ungracefully under pressure. Mention Windows and Mission Critical in the same sentence, and most people are likely to choke on their coffee. In the last 10 years, mainframes and several flavors of UNIX have been the first choice for providing mission-critical services, and for very good reasons. The message chanted by hardware and software vendors alike was, “Don’t use Microsoft for anything that just can’t go down”—a statement that most times I would have agreed with. Windows 2000 Server has changed all of that.
www.syngress.com
The Windows 2000 product group represents the largest and most technically advanced body of work undertaken by the most successful software company in the world. It is considered by many to be the single most important milestone in the evolutionary development of the Windows family. By providing a computing platform that offers stability, high productivity, and compatibility, Microsoft is extending its software presence even further into the server space.
The deluge of complaints that Microsoft has received (not to mention the battering suffered at the hands of the press) regarding its server-based operating systems has ensured that the Windows 2000 core services are built around a reliable and scalable architecture. Don’t get me wrong: blue screens of death are not a thing of the past, nor have required reboots been relegated to the dust pile of Windows anachronisms. What has changed is the refocus on stability and on user requirements.
I am not alone in wanting 99.999% uptime, scalable directory services, and a secure computing platform. Windows NT went some way to addressing all of those concerns, but not nearly far enough. Mission critical means different things to different organizations—to supermarkets, point-of-sale systems are mission critical; to e-businesses, Web farms are mission critical. The common thread that runs through these disparate businesses is the requirement to provide a stable, supporting infrastructure that technologically enables mission-critical business services—a requirement to which Windows 2000 Server provides an almost unbeatable solution. That’s the good news. The bad news is that you need more than a superficial level of understanding of your network operating system; you need to get your hands dirty with the real technical nuts and bolts.
This book is aimed at ensuring that your hands never look the same again!
Who Should Read This Book?
If you work with Windows 2000 Server, or are planning to, then this book will be of use to you. It is not meant to be light bedtime reading, but an exploration of the more technical issues of Windows 2000 Server. I recommend that you gain some familiarity with Windows 2000 Server concepts before reading this book (though it is not entirely necessary, since most chapters have introductory material), and that you understand general networking and operating system concepts. Don’t let that scare you though—you don’t need a degree in Quantum Physics, or need to own a personalized pocket protector to derive value from this book. What you do need is a will to get involved with the most exciting development in operating systems in the new millennium.
Windows 2000 Server is not a lightweight operating system. As users have become more demanding, there has been an associated increase in the complexity of the supporting technical infrastructure. But even among scary-sounding Windows 2000 Server acronyms like FSMO, SDOU, and LDAP, you will find concepts such as ease of use, security, and decreased support overhead. These are certainly concepts that most people can identify with, and if you do, then you want to understand the contents of this book.
How This Book Is Organized
When I was initially putting together the outline for this book, I realized that it would be impossible to cover all the technology sets in as great a detail as I would have liked—not unless I was prepared to have a book published that no one was physically able to pick up! As a result, certain features of Windows 2000 Server have received greater coverage than others. Core Windows 2000 Server features like Active Directory, IntelliMirror, network services, and security rightfully receive the lion’s share of the coverage.
For relative newcomers to Windows 2000 Server, I recommend that you read the chapters in the order presented in the book. Not all chapters are freestanding, and certain chapters should be grouped together around the core Windows 2000 Server features I have mentioned. For those of you looking for particular technical information, or those who need no introduction to Windows 2000 Server, feel free to page through and use this book as a technical reference. Hopefully, within no time your copy of Mission-Critical Windows 2000 Server will take on the appearance of a truly useful book—in other words dog-eared and discolored, with a fair amount of pencil work in the margins!
Acknowledgments
There are a number of people I must thank; some of them provided invaluable help in writing this book, while others taught me many of the things worth knowing in life. Thanks go to Sonia Barrett, for teaching me to laugh, to smile, and to appreciate real music. To Ray Walshaw, for gifting me with confidence and teaching me the courage of my convictions. Martin Walshaw—big brothers just don’t come any better. Costas Kellas, for starting me down the road. The lads from the valley—Uruman Gwuafi, Alex Harris, David Ker, Sean Disney—thanks for teaching me that no mountain is too high—literally. Andrew Williams and Syngress, for being all the things a good publisher should be. D. Lynn White, for a great job of technical editing this back breaker.
My last and most important acknowledgment goes to the person who brings the light into my life. Natalie—thank you for helping me climb mountains, write books, sleep late, and most of all for being my wife—this book is yours as much as mine. Just you know why.
Chapter 1
Introduction to Windows 2000 Server
Solutions in this chapter:
- What’s New in Windows 2000 Server?
- What’s Not New in Windows 2000 Server?
- Windows 2000 Challenges
Introduction
Significant changes in the way that computers are used in the workplace have heralded an increased focus on issues such as security, manageability, scalability, and reliability. The use of information technology has ushered in an era characterized by high availability, high productivity, and increased support levels. Unfortunately, the burden of responsibility rests squarely on the shoulders of the IT professional to ensure that the infrastructure meets the requirements of the modern demanding user.
It is no great secret, or surprise, that legacy technologies are beginning to creak under the strain of ever-increasing user requirements, stability initiatives, and management drives to lower the cost of ownership. A new technology set was needed to provide services that existing operating systems could not. Microsoft itself was guilty of a lack of technical delivery with glaring omissions in the Windows NT 4 technical strategy that included the lack of a perceived stable mission-critical server platform and the absence of a cohesive infrastructure to manage configuration changes.
With a vision of providing an operating system for the future, Microsoft began development on its most ambitious project to date: Windows 2000. The aims of the design team, though simple in theory, proved to be much more difficult to achieve in reality. They had to provide scalable answers to the deficiencies in Windows NT 4, and satisfy design objectives that included:
- Increasing reliability, availability, and scalability
- Reducing costs through simplified management
- Providing a powerful and robust Internet and application server
Much has been said about the complexity and size of this new brainchild. The modern-day software malady of ever-increasing size and complexity has certainly directly affected Windows 2000 Server, but not necessarily in the manner that many people perceive.
There is no doubting that Windows 2000 Server is a mammoth exercise in coding complexity. Can a software project so large and intricate escape its unwieldy foundation to provide a truly stable computing platform? I can cite a classic modern example in defense of Windows 2000: its older sibling, Windows NT 4. Comparatively speaking, Windows NT 4 included a veritable minefield of code and feature changes over the ground-breaking Windows 3.x. The new operating system was to support memory protection, preemptive multitasking, and a limited directory service in a time when DOS and Windows 3.1 ruled the roost. Is the difference between Windows 2000 and Windows NT so substantial that we cannot draw confidence from the benefits gained during the migration from the venerable Windows 3.1 to the (then) cutting-edge 32-bit Windows NT platform?
Whether you plan to deploy it or are already using it, a lasting first impression of Windows 2000 Server is the vast array of integrated functionality. Casual inspection reveals a hauntingly familiar interface—is it just Windows NT 4 with a slick version of the Windows 98 GUI? Actually, nothing could be further from the truth. By probing a little deeper it soon becomes apparent that Windows 2000 Server combines an evolutionary upgrade path with a revolutionary feature set.
This chapter touches on the powerful features of Windows 2000 Server, and its effect on the organization and Administrators. Windows 2000 Server presents a radical change from its predecessor, and knowledge of its myriad of features is required to leverage its true power.
What’s New in Windows 2000 Server?
When confronted by the sea of features and changes that accompany Windows 2000 Server, it is easy to understand the need to address some of the new features in detail, while touching on others in no more than a cursory fashion. Microsoft supplies a “feature highlight” that includes almost 80 major features—enough to make the eyes water!
Microsoft, to its credit, has learned that it is not possible to satisfy the diverse set of server requirements with a “one package fits all” strategy. To allow Windows 2000 Server to scale from the small business right into the multinational corporate server farm, it has been divided into a family of server operating systems (Table 1.1).
Each of the various flavors supports the much-touted Active Directory, which is probably the most critical element of the Windows 2000 Server family. Active Directory simplifies management, extends interoperability with applications and devices, and improves security.
The entry-level and most commonly used edition is Windows 2000 Server Standard Edition. The nomenclature for Windows 2000 Advanced Server hearkens back to the early days of Windows NT, when the name Advanced Server made its debut. Aside from its nostalgic name, Advanced Server maps most closely to Windows NT Server Enterprise Edition. It contains all the features and benefits of Windows 2000 Standard Edition, but includes support for larger deployments. The inclusion of support for network load balancing, clustering, and a more scalable memory and CPU architecture makes Advanced Server an excellent candidate for large SQL Server databases, for high-end Web servers, and for meeting the demands of high-end, critical file and application services.
Windows 2000 DataCenter is Microsoft’s top-of-the-line model. In addition to having all the features of the Standard Edition and Advanced Server, DataCenter supports more processors and larger amounts of memory. Windows 2000 DataCenter Server is ideal for extremely large-scale deployments with the most demanding needs, such as high-end clustering, data warehousing, and Internet Service Providers (ISPs).

Table 1.1 Windows 2000 Server Family

Windows 2000 Server
  Description: Designed to be a powerful multipurpose server. Ideal for workgroup and departmental servers.
  Features:
  - During upgrade, four-way SMP support. Fresh install supports two-way SMP.
  - Supports 4GB of memory.
  - Active Directory.
  - Kerberos security.
  - Enhanced Internet and Web services.

Windows 2000 Advanced Server
  Description: Designed for intensive enterprise applications. Provides further availability and scalability enhancements.
  Features:
  - All Windows 2000 Server features.
  - Up to eight-way SMP support.
  - Supports up to 8GB of memory.
  - 32-node network load balancing.
  - Two-node clustering.

Windows 2000 DataCenter
  Description: Designed for massive enterprise solutions providing maximum levels of scalability and availability.
  Features:
  - All Windows 2000 Advanced Server features.
  - Up to 32-way SMP support.
  - Supports up to 64GB of memory.
  - Four-node clustering.
As usual, Microsoft has published a minimum hardware specification for the Windows 2000 Server family (Table 1.2)—and also, as usual, you can totally disregard them. I would be sorely taxed to think of anything as mind-numbingly boring as watching Windows 2000 Server run on a Pentium 133MHz. That said, the recommendations should be read carefully, and then thrown away. Hardware specifications are very much dependent on the type and volume of usage, but to provide a decent level of performance for the base operating system (but without leaving too much room for applications), I would recommend at a minimum a Pentium II 500MHz, 256MB of RAM, and a 100MB network interface card (NIC). The same rule that applies to luck also applies to RAM in the context of Windows 2000 Server: There is no such thing as too much of it!

Table 1.2 Minimum Hardware Requirements for Windows 2000
Microsoft published minimum requirements for Windows 2000 Server and Windows 2000 Advanced Server:
- 133MHz or higher Pentium-compatible CPU
- 256MB RAM (128MB minimum supported)
- 2GB hard disk with a minimum of 1GB free hard disk space
The Key to Unlocking Your Network: Active Directory
The success or failure of a Windows 2000-enabled network will, in the majority of cases, hinge on the implementation of Microsoft’s directory service, Active Directory. It is a fundamental change that affects the Windows operating system and Windows networking from top to bottom, and provides a structure for other applications to integrate more tightly into your Windows network than ever before.
“What exactly is a directory service?” you ask. A directory is a place to store interesting (and sometimes not-so-interesting) information (Figure 1.1). A directory service includes both the entire directory and the method of storing it on the network so that it is available to any client or server.

Figure 1.1 Directory service structure. (Diagram not reproduced; the labels shown are Address and Hostname.)
The type of information that is stored in a directory falls into three basic categories:

Resources: Resources are the items attached to the network and made available to users. A resource can be a server’s hard drive, an IP address, an application, a fax modem, a scanner, a printer, or any “thing” that can be used by a client workstation.

Services: A service is a function on the network that makes resources shareable. Most services are simply network applications. These two categories are typically related. For most services, there is an analogous resource, and for most resources, there is an analogous service. Sometimes, however, a resource or a service stands alone.

Accounts: The final category in a directory is an account. An account is usually a logon ID and associated password used for access to the network. It is used to grant the right to use a service or a resource.
Now that we know what a directory service is, we need to find out how the Active Directory fits into the picture. Active Directory offers a nearly ideal set of directory characteristics so that a single directory and logon is available to all users. It also allows administration to be centralized or distributed according to requirements. The directory and its inherent security can be extended and scaled from small to large enterprises. Simply put, the Active Directory allows your users to find the resources they need on the network, while simultaneously facilitating administration, flexibility, and scalability.
Why Should I Use the Active Directory?
At first, it can be difficult to see the need for a directory service when, on first inspection, your current infrastructure suffices. This is abetted by the fact that many IT professionals live by the tried and tested maxim “if it ain’t broke, don’t fix it.” Active Directory should only be implemented if it meets well-defined business requirements, and if it satisfies carefully thought-out technical considerations. Once it is implemented, though, you will wonder how you ever lived without it. Some of the advantages of Active Directory include:
Inherent scalability: Active Directory has been designed to provide reliable services that scale from the small office to the multinational corporation. Multiple indexes of the directory provide swift information retrieval even in large distributed environments.

Enhanced security: Active Directory integrates with a number of security mechanisms. It includes support for Kerberos, Secure Sockets Layer (SSL), smart cards, and X.509 certificates.

Standards based: In a move away from proprietary architecture, Active Directory supports LDAP access, and uses TCP/IP with DNS as a namespace. This also implies that Active Directory can be easily integrated into an Internet or intranet environment.

Extensibility: Active Directory provides a host of built-in functionality, including an inherent extensibility supplied through a definable schema and the Active Directory Services Interface (ADSI). Active Directory also provides tools for synchronizing with other directory services and managing identity information stored in multiple directory services.

Ease of administration: Active Directory acts as a publishing service for resources, allowing for centralized administration. The hierarchical directory structure simplifies administrative tasks and allows for the delegation of authority.

Inherent flexibility and scalability provide almost limitless applications for Active Directory, whether it is as the backbone of your distributed security environment or as a framework for client management and support. With the adoption of Active Directory by software vendors, the benefits of the Windows 2000 directory services will not only be available to the supporting infrastructure, but to applications themselves.
Change and Configuration Management
A great deal of attention has been focused on the cost of owning computing platforms; in particular, client workstations. Microsoft has aggressively addressed this issue by providing a series of technologies for Windows 2000 that support change and configuration management (Figure 1.2). The term change and configuration management encompasses all of the corrective, configurative, and preventative tasks that an Administrator must perform to keep his user base productive, including the deployment of software to the desktop. As is typical in the computing world, fancy multibarreled words can be boiled down to very basic principles: Change and configuration management is quite simply desktop and user management and configuration.
Figure 1.2 Change and configuration management in Windows 2000.
After consulting customers and the IT sector, Microsoft realized that its change and configuration management feature set needed to meet at least the following requirements:
- The ability to store user data centrally.
- Support of a personalized computing environment; data and applications should follow the users as they roam around the network.
- The ability to work on or offline.
- Reduction of administrative overhead by providing the ability to centrally configure clients by policy, including software deployment by policy.
- Self-healing desktops that reduce support call incidents.
- The ability to add/replace desktops without prestaging.
A number of factors have contributed to the increased costs associated with managing and owning a network and its infrastructure; more demanding users, increasingly complex products, and a growing user base are just a few of them. Windows 2000 certainly does not break the mold when it comes to developing complex products, but it does provide an infrastructure to lower the cost of owning a Windows-based infrastructure.
Change and configuration management centers on the continuing requirement for Administrators to manage the change and configuration issues that arise during the support of their user base. Two main concepts that support the new change and configuration management techniques are IntelliMirror and remote operating system installation. IntelliMirror is a set of tools and technologies that increase availability, reduce support costs, and allow the users’ software, settings, and data to follow them.
Three pillars support the IntelliMirror technology:

User data management: Users can have access to their data whether they are online or offline. This feature leverages the Active Directory, Group Policy, folder redirection, disk quotas, and file synchronization—technologies that increase data availability. In Microsoft parlance: “My data and documents follow me.”

User settings management: Allows preferences to follow the user. The user’s personalized settings such as desktop arrangements and software and operating system settings follow the user. This feature includes the Active Directory, Group Policy, roaming profiles, and particular shell enhancements—technologies that increase computer availability. In Microsoft parlance: “My preferences follow me.”

Software installation and maintenance: Ensures that users have access to their required software. Software can be advertised to install on demand, or be installed by default. This feature includes the Active Directory, Group Policy, self-repairing software, and application deployment—technologies that increase application availability. In Microsoft parlance: “My software follows me.”
NOTE: A word of caution: do not tell friends or family that your software, data, and preferences are following you. They could take it upon themselves to retire you to a room with soft padded walls.
The second concept, remote operating system installation, allows Administrators to build a functional, standardized workstation remotely. Providing a solid and flexible infrastructure for operating system deployment is imperative for a successful operating system installation strategy.
A brief summary of some of the technologies used with IntelliMirror includes (Figure 1.3):

Active Directory: A scalable directory service that stores information about the network that can be accessed by users and Administrators alike. It can act as both an information source and a centralized administrative tool.

Group Policy: A technology that enables Administrators to precisely define the configuration of the users’ computing environment. It can satisfy requirements as diverse as security settings and application deployment. Group Policy can control both user- and machine-based configuration settings.

Offline Files and Folders: A technology that allows users to access defined files and folders while offline. Entire mapped drives can even be accessed while offline. The Synchronization Manager can be used to synchronize offline resources.

Folder Redirection: The ability to point a folder, such as My Documents, to another (network) location.

Distributed File System (DFS): This service can build a single namespace consisting of multiple shares on different servers. DFS provides the ability to load share and increase data availability.

Roaming User Profiles: A centrally stored user profile that follows the user around the network.

Windows Installer: A standardized, scalable installation service that is customizable, consistent, and provides diagnosis and self-repair functionality.

Disk Quotas: A technology that enables Administrators to monitor and limit disk space usage on a per-volume per-user basis.
Figure 1.3 IntelliMirror and associated technologies.
Group Policies
At times, it seems that as soon as your back is turned, more clients attach themselves to the network. The growing hunger of businesses to technologically enable their workforce is creating a mounting headache for the Administrator of today’s networks. Maintaining and enforcing a standardized configuration while allowing the users freedom to work unhindered is a juggling act that sometimes requires the Administrator to have too many balls in the air at once. The only way to ensure that the configuration of possibly thousands of workstations is maintained in a consistent manner is by allowing the network to enforce the rules for software deployment and other change and configuration issues. Policy-based management is one answer to Windows 2000 change and configuration management challenges.
Group policies can be used throughout Windows 2000 to define user and computer configuration settings such as scripts, software policies, security settings, application deployment, user settings, and document options. Using group policies, these settings can be controlled centrally and applied across the business. Group Policy leverages the Active Directory and supports the IntelliMirror technology to control the scope and granularity of changes in configuration. By providing a well-managed desktop environment through group policies, Windows 2000 eases the resolution and elimination of change and configuration management issues.
The ability to control and manage the network in a scalable environment ensures that small, medium, and large businesses have the tools to lower the cost of owning PCs and supporting users. The vast array of configurable settings ensures that there is a wealth of usage scenarios for Group Policy, with just a few of those possible being:
- Install the accounting package on all computers in Finance.
- Run acclogon.cmd when users in the Accounts department log on.
- Do not save settings on exit for all consultants.
- Disable the RunAs service for the whole organization except Administrators.
- Launch this Web page at user logon.
Windows 2000 Security
Windows 2000 Server serves up a great number of security enhancements compared to what was available in previous incarnations of the operating system. These enhancements include Public Key Infrastructure capabilities, the Kerberos v5 authentication protocol, smart card support, the Encrypted File System (EFS), and IPSec. These new additions to security are necessary to protect data as more organizations come to the realization that their information technology infrastructure is business critical. It can be very hard to quantify the benefits of an enhanced security infrastructure—that is, until it’s too late. Legacy security infrastructure and exploitable vulnerabilities have the potential to leave the doors in your network invitingly ajar, allowing havoc to be wreaked on mission-critical systems.
In today’s ever-changing global environment, the more security that can be provided by a network operating system, the better off the organizations that use it will be. Security for Microsoft’s network operating system has undergone major surgery with the arrival of Windows 2000 Server. What has emerged from the operating theatre is a product family that includes extensible, standards-based, mission-critical security. Some of the new features include:
• Multiple methods of authenticating internal and external users
• Protection of data stored on disk drives using encryption
• Protection of data transmitted across the network using encryption
www.syngress.com
- 12 Chapter 1 • Introduction to Windows 2000 Server
• Per-property access control for objects
• Smart card support for securing user credentials
• Transitive trust relationships between domains
• Public Key Infrastructure (PKI)
Why the Change?
The change in security in Windows 2000 Server is necessary as more organizations use the operating system for mission-critical applications. The more widely an operating system is used in industry, the more likely it is to become a target. The weaknesses of Windows NT came under constant attack as it gained popularity. One group, L0pht Heavy Industries, harshly highlighted the frailties of Windows NT’s password encryption for the LAN Manager hash. Because the LAN Manager hash was always sent (by default) when a user logged in, L0pht produced a tool to crack the password. Microsoft made provisions for fixing the problem in a Service Pack release, but in Windows 2000 Server, it has replaced the default authentication with Kerberos v5 for an all-Windows 2000 domain controller based network—a system where passwords are never transmitted along the network.
Alarming figures based on intrusion detection statistics indicate that the majority of security violations occur inside the corporate network. Accordingly, emphasis has moved from protecting against “black hat” external hackers to securing the corporate network as a whole.
Differences in Windows 2000 Server Security
One of the enhancements to the security in Windows 2000 Server is the support for two authentication protocols, Kerberos v5 and NTLM (NT LAN Manager). Kerberos v5 is the default authentication method for Windows 2000 domains, and NTLM is provided for backward compatibility with Windows NT 4.0 and earlier operating systems. Transitive trust relationships—a feature of Kerberos v5—are established and maintained automatically. Transitive trusts rely on Kerberos v5, so they are applicable only to Windows 2000 Server-only domains.
Another security enhancement is the addition of the Encrypted File
System (EFS). EFS allows users to encrypt and decrypt files on their
system on the fly. This provides an even higher degree of protection for files
than was previously available using NTFS (NT File System) only.
The inclusion of IPSec (IP Security) in Windows 2000 Server enhances
security by protecting the integrity and confidentiality of data as it travels
over the network. It’s easy to see why IPSec is important; today’s networks
consist of not only intranets, but also branch offices, remote access for
travelers, and, of course (fade in scary music), the Internet.
Each object in the Active Directory can have its permissions controlled
with a high level of granularity. This per-property level of permissioning is
available at all levels of the Active Directory. Smart cards are supported in Windows 2000 Server to provide an additional layer of protection for client authentication, as well as providing secure e-mail. The extra protection is derived from adversaries needing not only the smart card, but also the Personal Identification Number (PIN) of the user to activate the card—a feature called two-factor authentication. Windows 2000 Server depends heavily on Public Key Infrastructure (PKI). PKI consists of several components: public keys, private keys, certificates, and certificate authorities (CAs).
Windows 2000 Network Services
The cliché that the world is getting smaller is used and derided on a daily
basis, but that does not detract from the fact that it has become a truism.
Communications, both data- and voice-based, have reduced the world to a
global village. One of the factors that have hastened the arrival of the global
village is the drive to well-connected networks. Operating systems such as
Windows 2000 Server provide a number of advanced network services that
facilitate reliable and scalable communication and connectivity. A few of
the network services Windows 2000 offers include:
Certificate Services Several of the services available in the Windows NT 4.0 Option Pack are now included in Windows 2000 Server, including Certificate Services. Certificates are used most commonly to implement Secure Sockets Layer communications on Web servers for the transmission of private information—your credit card number, for example. Certificate Services can also be used to make e-mail secure, provide digital signatures, and set up certification authorities that issue and revoke certificates.
DHCP Dynamic Host Configuration Protocol (DHCP) is certainly not new, but now interfaces with DNS and Active Directory. This feature illustrates an important point: Active Directory integration is pervasive throughout Windows 2000, and you’ll find it in the most unlikely places!
DNS Domain Name Services (DNS) have been included with Windows 2000
as the default namespace provider. Additional benefits include the adoption
of Dynamic Domain Name Service (DDNS), allowing clients to update
details in DNS automatically.
Internet Authentication Service Internet Authentication Service (IAS)
brings the ability to manage the authentication, accounting, authorization,
and auditing of dial-up or virtual private network (VPN) clients. IAS uses
the Remote Authentication Dial-In User Service (RADIUS). Setting up a VPN
will allow you to provide secure network connections to users over the
Internet, and IAS is a service used to manage these types of connections.
Internet Connection Sharing Many homes and small offices have a need
for sharing an Internet connection, and there are a number of third-party
products on the market that have filled this need. Windows 2000 can now