- Evolution of Directory Services
- Active Directory Development
- Active Directory Structure
- Active Directory Components
- Domain Trusts
- Organizational Units
- Groups in an Active Directory Environment
- Active Directory Replication
- DNS in Active Directory
- Active Directory Security
- Active Directory Changes in Windows .NET Server 2003
- Best Practices
Active Directory Security
The security built around Active Directory and Windows .NET Server 2003 was designed to protect valuable network assets and address many of the common security problems inherent in Windows NT 4.0. Windows .NET Server 2003 expands on these security capabilities and was specifically designed to address issues such as the problems in Internet Information Server (IIS) that were exploited by viruses such as Code Red and Nimbda.
Development of Windows .NET Server 2003 security has also been affected by a secured computing initiative by Microsoft to embed more security in its products. In a nutshell, Microsoft is more focused than ever before on the security of its products, and all new features must pass a security litmus test before they can be released. This initiative has affected the development of Windows .NET Server 2003 and is evident in the security features.
Kerberos was designed at M.I.T. as a secure method of authenticating users without actually sending a user password across the network, encrypted or not. Being able to send a password this way greatly reduces the threat of password theft because malicious users are no longer able to seize a copy of the password as it crosses the network and run brute-force attacks on the information to decrypt it.
The actual functionality of Kerberos is complicated, but essentially what happens is the computer sends an information packet to the client that requires authentication. This packet contains a "riddle" of sorts that can be answered only by the user's proper credentials. The user applies the "answer" to the riddle and sends it back to the server. If the proper password was applied to the answer, the user is authenticated. This form of authentication is not proprietary to Microsoft, and is available as an Internet standard. For a greater understanding of Kerberos security, see Chapter 12, "Server-Level Security."
Internet Information Server v6 Disabled by Default
One of the chief criticisms of Microsoft's Internet Information Server and Microsoft products in general, for that matter, is a lack of security built into the products, both right out of the box and during standard operations. Components of IIS, especially Index Server, have proven to be vulnerable to virus and hack techniques such as those demonstrated by the infamous Code Red and Nimbda viruses. For these reasons, Microsoft disabled the Internet Information Server component in Windows .NET Server 2003 by default. Turning on this component is straightforward enough, as covered in Chapter 11, "Internet Information Services."
Additional Security Considerations
Active Directory implementations are, in essence, as secure as the Windows .NET Server 2003 environment in which they run. The security of the Active Directory structure can be increased through the utilization of additional security precautions, such as secured server-to-server communications using IPSec or the use of smart cards or other encryption techniques. In addition, the user environment can be secured through the use of group policies that can set parameter changes such as user password restrictions, domain security, and logon access privileges.