Secure Authentication Features in Windows XP
- Secure Authentication Features in Windows XP
- Authentication Services and Components
- Logon Process
- Configuration and Recommended Practices
- Authentication Policies
Sometimes it is a good idea to be absolutely certain you know who you are dealing with. Authentication is the process by which the identity of a specific entitya person, a user, or a computeris verified. Authentication transactions happen in many places, many times a day. Using an ATM card and PIN to withdraw cash from an ATM, providing a driver's license when making a purchase at a home improvement store with a credit card, and presenting a passport when going through customs are common types of authentication. In each of these examples some sort of authority requests proof of identification. This ID verification indicates that the person requesting the transaction is who they say they are. This process is separate from authorization, whereby it is determined that an entity is granted specific rights or permissions. Simply proving identity does not guarantee the desired outcome of the transaction. Once the authority establishes that you are who you say you are, it then attempts to authorize you to complete that transaction: the ATM ensures that you have sufficient funds to cover the requested withdrawal; the cashier contacts the credit card issuer for purchase approval; and the customs agent checks that all necessary paperwork and visas are in place for a traveler to enter or exit a country.
Windows XP Professional, like Windows 2000, provides a sophisticated authentication system, which is examined in this chapter. Specific topics covered here include the mechanics of Windows XP authentication, the log-on process, configuration and management of authentication parameters, and best practices for secure authentication. We cover authorization in detail in Chapter 17, Authorization and Access Control.
Secure Authentication Features in Windows XP
Because Windows XP is built on a Windows 2000 base, you find that there are a number of familiar secure authentication features. Windows XP, however, goes beyond Windows NT 4.0 and Windows 2000 in a number of ways. Whether you are connected to a domain, configured as a part of a workgroup, or are using a stand-alone computer, you find that authentication is even more manageable than before. Here are some of the biggest changes and additions to authentication processes, management, and configuration:
Everyone Group. By default, the Everyone Group no longer includes the Anonymous Group. Previously, the Anonymous Group was granted access to any resource to which the Everyone Group was granted access, even though anonymous users are not required to supply usernames and passwords for authentication.
Guest Account. By default, Windows XP workstations not joined to a domain are configured to use Guest only network logons. All users, including anonymous users, accessing resources on a computer from over a network with this default setting, are forced to use the Guest Account for authentication and are subsequently given all the same access rights and privileges as the Guest Account.
Service Accounts. Two new service accounts have been added to Windows XP to enhance the granularity of service account access: LocalService for services that run locally, and NetworkService for services that run on the network. The LocalSystem account remains available as well, and is the only account that has Act as part of the operating system rights by default.
Blank Passwords. By default, Windows XP workstations that are not part of a domain prevent users with blank passwords from logging on over the network. This is especially helpful for preventing unauthorized access to home workstations connected to the Internet. All blank password access is restricted to local logons only.
Password Reset Wizard. Windows XP supplies a recovery mechanism for use in the event a user forgets his or her password. This Wizard creates a disk that can be used to reset a local account password (it cannot be used to reset a domain password). This disk is computer specific so it cannot be used on another workstation, even if the username and password are the same. Others can use this disk without proper authorization to access a local account, so it is a good idea to keep this disk in a safe location.
Stored User Names. Windows XP allows a user to store frequently used username and password combinations for access to other resources, such as secured Web sites or computers in an untrusted domain. This information becomes part of the user's profile and can travel around the network with the user if roaming profiles have been enabled.
Fast User Switching. Fast user switching allows multiple users of the same computer to log on without shutting down applications that may be in use by another user who is currently logged on to the system. Fast User Switching uses Terminal Services technology to provide this ability. This feature is only available on computers that are not connected to a domain.
As you see from this list, there are quite a few changes to the security and authentication strategy in previous Windows versions. However, Windows XP is interoperable with earlier versions of Windowsfrom Windows for Workgroups and Windows 9x on up to Windows NT 4.0 and Windows 2000. The management and configuration of secure authentication is covered later in this chapter, with attention given to interoperability issues where required. We now move into a discussion of credentials that Windows XP does support as the first step in gaining a full understanding of the Windows XP authentication process.