Open Enterprise Networks Demand the Security Enhancements in Windows 2000 - Product Information

ENT, May 24, 2000 by Thomas Sullivan, Stephen Swoyer

Windows 2000 was built with a number of new security features and functions designed to help companies open up their networks.

More enterprises are opening their networks to customers, partners, and suppliers every day. In fact, companies are making their networks resemble the Internet rather than private networks. The advantages of extranets and intranets are endless, but with the benefits of sharing internal resources to a growing number of users comes the challenge of making networks secure, without becoming impossible to manage.

Microsoft Corp. built its Windows 2000 operating system with a number of new security features and functions designed to help companies open up their networks, yet centralize network management and make them more secure.

"Windows 2000 adds a lot of great things to security; primarily because 73 percent of the code is new," says Avi Fogel, president and CEO of Network-1 Security Solutions Inc. work-1.com), a manufacturer of distributed intrusion prevention solutions for e-business networks.

The highlights of the Windows 2000 Distributed Security Services include integration with Windows 2000 Active Directory services; the Kerberos 5 authentication protocol, which is implemented as the default protocol for network authentication; and strong authentication using public key certificates.

Active Directory's Role

As with most aspects of Windows 2000, Active Directory is the key to centralizing management, and security is no exception.

"We tried to make it easier to manage security; and a lot of that has to do with centralizing it," says Shanen Boettcher, product manager for Windows 2000 security services at Microsoft.

Rick Camp, product manager for EcoTools at Compuware Corp. (www.compuware.com), which makes tools to help developers work on Windows operating systems, says integration with Active Directory represents a philosophical change in security.

"Microsoft is simplifying things, but they're also making IT think about how they set up domains," he says.

In Windows 2000, centralized security management means Active Directory. Active Directory uses containers and objects to organize network resources in a logical hierarchy, storing all the information about users, groups, machines, and applications in one location and then giving network administrators a way to update that information. Users seeking access to network resources only have to pass through a single checkpoint.

With Active Directory, administrators can delegate selected privileges to users; implement policy-based management that allows them to assign specific security controls to classes of machines or to Internet or extranet users, applications, or servers; control access to resources; and assign different sets of authentication procedures for different groups of users.

Further, Active Directory serves as the foundation for security services that authenticate users as they enter the system, while protecting the integrity of data and applications that reside within and safeguarding data as it moves between systems. The Security Configuration Manager, for instance, allows administrators to put security configurations into a template and apply it to selected computers in a single operation.

Microsoft says IP Security (IPSec) provides encryption of network traffic between systems, safeguarding internal networks and providing secure virtual private networking (VPN) over the Internet to a company's internal network.

Kerberos

Another security service included in Windows 2000 is version 5 of the Kerberos authentication protocol. An open-standards protocol, Kerberos provides authenticity, confidentiality, and integrity of network communications. Kerberos is a shared-secret protocol that authenticates the user and the network, protecting against hackers who attempt to impersonate a server to enter the network.

Kerberos replaces Windows NT LAN Manager (NTLM) as the primary protocol for network authentication and access to resources in Windows 2000. It offers a number of important security enhancements, including improved authentication, which Microsoft says results in faster overall network performance.

Not everybody thinks Kerberos is all good, though.

Windows 2000 includes its share of interoperability curveballs, especially in the areas of Unix and Linux integration. The operating system's Kerberos-based security model, for example, is proprietary, differing from the open Kerberos standard that was originally developed at the Massachusetts Institute of Technology.

"Basically what Microsoft did was they overloaded an application-specific field that is a maximum of 64 KB long with a user profile that exceeds this maximum," explains Luke Kenneth Casson Leighton, a programmer at Internet Security Systems Inc.'s (ISS, www.iss.net) export research services. He is also a member of the Samba development effort.

Leighton says Microsoft could just as easily have implemented its own proprietary protocol without "hijacking" the open Kerberos standard.

"It's not reasonable at all. They could have used their own proprietary protocol to obtain their own information. There's absolutely no technical reason to do what they did," he maintains.
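The two Kerberos points the article makes, the shared-secret mutual authentication of user and server, and the ticket's authorization-data field whose 64 KB limit Leighton describes, modelled end to end as an added Python example that is not part of the original article. The toy sealing function, the principal names and passwords, the JSON ticket layout and the MAX_AUTHZ constant are assumptions standing in for real Kerberos encryption types and ASN.1 structures.

```python
import hashlib, hmac, json, os, struct, time
MAX_AUTHZ = 65535  # assumed cap on the ticket's authorization-data field (Leighton's "64 KB")

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest() for i in range((n + 31) // 32))[:n]

def seal(key, data):
    """Toy authenticated encryption standing in for Kerberos enctypes: nonce || ct || HMAC tag."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def long_term_key(password):
    return hashlib.sha256(password.encode()).digest()  # the shared secret held by principal and KDC

def kdc_issue(keys, client, service, authz):
    """KDC reply: ticket sealed under the service key, session key sealed under the client's key."""
    if len(authz) > MAX_AUTHZ:
        raise ValueError("authorization-data exceeds the 64 KB field")
    sk = os.urandom(32)
    ticket = seal(keys[service], json.dumps({"c": client, "sk": sk.hex(), "az": authz.hex()}).encode())
    return seal(keys[client], sk), ticket

def client_ap_req(password, enc_sk, ticket, client):
    sk = unseal(long_term_key(password), enc_sk)  # only the real user's password opens the session key
    t = int(time.time())
    return sk, t, ticket, seal(sk, json.dumps({"c": client, "t": t}).encode())  # AP-REQ authenticator

def server_ap_rep(service_key, ticket, auth):
    tk = json.loads(unseal(service_key, ticket))  # only the real server can open the ticket
    sk = bytes.fromhex(tk["sk"])
    a = json.loads(unseal(sk, auth))
    if a["c"] != tk["c"] or abs(time.time() - a["t"]) > 300:
        raise ValueError("authenticator name mismatch or outside the replay window")
    # AP-REP: echoing the client's timestamp under the session key proves the server holds the service key
    return bytes.fromhex(tk["az"]), seal(sk, json.dumps({"t": a["t"]}).encode())

def demo(authz=b"groups=Domain Users"):
    keys = {"alice": long_term_key("hunter2"), "host/fs1": long_term_key("svc-secret")}  # constructed principals
    enc_sk, ticket = kdc_issue(keys, "alice", "host/fs1", authz)
    sk, t, ticket, auth = client_ap_req("hunter2", enc_sk, ticket, "alice")
    az, rep = server_ap_rep(keys["host/fs1"], ticket, auth)
    return az, json.loads(unseal(sk, rep))["t"] == t  # (authorization data seen by server, mutual auth held)
```

Because the authorization data rides inside the ticket sealed under the service key, the server can trust it without a second lookup, which is exactly why a profile larger than the field's limit is a problem for implementations that enforce it.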
