The next generation of the Microsoft®
Windows® operating system will adopt Kerberos as the default
protocol for network authentication. An emerging standard,
Kerberos provides a foundation for interoperability while
enhancing the security of enterprise-wide network authentication.
Windows 2000 implements Kerberos version 5 with extensions
for public key authentication. The Kerberos client is implemented
as a security provider through the Security Support Provider
Interface. Initial authentication is integrated with the Winlogon
single sign-on architecture. The Kerberos Key Distribution Center
(KDC) is integrated with other Windows 2000 security
services running on the domain controller and uses the domain's
Active Directory™ directory
service as its security account database. This white paper
examines components of the protocol and provides detail on its
implementation.
This paper provides a technical
introduction to how the Microsoft® Windows®
2000 operating system implements the Kerberos version 5
authentication protocol. The paper includes detailed explanations
of important concepts, architectural elements, and features of
Kerberos authentication. The first section, "Overview of the
Kerberos Protocol," is for anyone unfamiliar with Kerberos
authentication. Following this introduction to the protocol are
several sections with details of Microsoft's implementation in
Windows 2000. The paper concludes with a brief discussion of
requirements for interoperability with other implementations.
Windows 2000 supports several
protocols for verifying the identities of users who claim to have
accounts on the system, including protocols for authenticating
dial-up connections and protocols for authenticating external
users who access the network over the Internet. But there are
only two choices for network authentication within Windows 2000
domains:
Computers with Windows 3.11, Windows 95,
Windows 98, or Windows NT 4.0 will use the NTLM protocol for
network authentication in Windows 2000 domains. Computers
running Windows 2000 will use NTLM when authenticating to
servers with Windows NT 4.0 and when accessing resources in
Windows NT 4.0 domains. But the protocol of choice in
Windows 2000, when there is a choice, is Kerberos version 5.
The Kerberos protocol is more flexible and
efficient than NTLM, and more secure. The benefits gained by
using Kerberos authentication are:
- More efficient authentication
to servers. With NTLM authentication, an
application server must connect to a domain controller in
order to authenticate each client. With Kerberos
authentication, the server does not need to go to a
domain controller. It can authenticate the client by
examining credentials presented by the client. Clients
can obtain credentials for a particular server once and
reuse them throughout a network logon session.
- Mutual authentication.
NTLM allows servers to verify the identities of their
clients. It does not allow clients to verify a server's
identity, or one server to verify the identity of
another. NTLM authentication was designed for a network
environment in which servers were assumed to be genuine.
The Kerberos protocol makes no such assumption. Parties
at both ends of a network connection can know that the
party on the other end is who it claims to be.
- Delegated authentication.
Windows services impersonate clients when accessing
resources on their behalf. In many cases, a service can
complete its work for the client by accessing resources
on the local computer. Both NTLM and Kerberos provide the
information that a service needs to impersonate its
client locally. However, some distributed applications
are designed so that a front-end service must impersonate
clients when connecting to back-end services on other
computers. The Kerberos protocol has a proxy mechanism
that allows a service to impersonate its client when
connecting to other services. No equivalent is available
with NTLM.
- Simplified trust management.
One of the benefits of mutual authentication in the
Kerberos protocol is that trust between the security
authorities for Windows 2000 domains is by default
two-way and transitive. Networks with multiple domains no
longer require a complex web of explicit, point-to-point
trust relationships. Instead, the many domains of a large
network can be organized in a tree of transitive, mutual
trust. Credentials issued by the security authority for
any domain are accepted everywhere in the tree. If the
network includes more than one tree, credentials issued
by a domain in any tree are accepted throughout the
forest.
- Interoperability.
Microsoft's implementation of the Kerberos protocol is
based on standards-track specifications recommended to
the Internet Engineering Task Force (IETF). As a result,
the implementation of the protocol in Windows 2000
lays a foundation for interoperability with other
networks where Kerberos version 5 is used for
authentication.
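The ticket exchange behind the first two benefits above (a server verifying a client without contacting the KDC, and the client verifying the server in return), as an added illustration that is not Microsoft's code. It assumes the client has already obtained a service ticket and session key from the KDC in a prior exchange, modelled here by `kdc_issue_ticket`; the principal names, keys and the SHA-256/HMAC "encryption" are constructed stand-ins for real Kerberos encryption types.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    """Keystream for the toy cipher (constructed, not a Kerberos etype)."""
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key: nonce || ciphertext || tag."""
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Reverse seal(); a wrong key or modified blob fails the tag check."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Long-term keys the KDC shares with each principal (constructed sample values).
KDC = {"keys": {"alice": os.urandom(32), "fileserver": os.urandom(32)}, "calls": 0}

def kdc_issue_ticket(client, server, lifetime=600):
    """TGS reply: a ticket only the server can open, plus the session key for the client."""
    KDC["calls"] += 1
    skey = os.urandom(32).hex()
    ticket = seal(KDC["keys"][server], {"client": client, "skey": skey,
                                        "expires": time.time() + lifetime})
    return ticket, skey

def client_request(ticket, skey):
    """AP_REQ: the cached ticket is reused; the authenticator is fresh each time."""
    auth = {"client": "alice", "ts": time.time(), "usec": os.urandom(4).hex()}
    return ticket, seal(bytes.fromhex(skey), auth), auth["ts"]

def server_accept(server, ticket, authenticator, seen, skew=300):
    """Verify the client locally, with no KDC contact, and return the AP_REP."""
    t = unseal(KDC["keys"][server], ticket)              # only the KDC could have sealed this
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)  # proves possession of session key
    if a["client"] != t["client"] or abs(a["ts"] - time.time()) > skew:
        raise ValueError("authenticator does not match ticket or is stale")
    if (a["client"], a["ts"], a["usec"]) in seen:        # replay cache
        raise ValueError("replayed authenticator")
    seen.add((a["client"], a["ts"], a["usec"]))
    return seal(bytes.fromhex(t["skey"]), {"ts": a["ts"]})   # mutual authentication

def client_verify_server(skey, ap_rep, sent_ts):
    """Only a server holding the KDC-issued key could have recovered the session key."""
    return unseal(bytes.fromhex(skey), ap_rep)["ts"] == sent_ts

def session_demo(rounds=3):
    """Authenticate to the server `rounds` times; returns how often the KDC was contacted."""
    before, seen = KDC["calls"], set()
    ticket, skey = kdc_issue_ticket("alice", "fileserver")
    for _ in range(rounds):
        tk, auth, ts = client_request(ticket, skey)
        assert client_verify_server(skey, server_accept("fileserver", tk, auth, seen), ts)
    return KDC["calls"] - before
```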
The Microsoft® Windows® operating
system is smart card-enabled and is the best and most
cost-effective computing platform for developing and deploying
smart-card solutions. Smart-card requirements have been
incorporated into the PC98 and Net PC design specifications and
into future releases of the Windows operating system. Microsoft
has released its implementation of the PC/SC 1.0 specifications
for the Windows NT® 4.0, Windows 95, and Windows 98
operating systems. Future releases of the Windows platform will
also contain smart-card support as part of the base platform.
This paper presents an overview of Smart Card technology
including interoperability, software development, and deployment
issues.
The need for security and enhanced
privacy is increasing as electronic forms of identification
replace face-to-face and paper-based ones. The emergence of the
global Internet and the expansion of the corporate network to
include access by customers and suppliers from outside the
firewall have accelerated the demand for solutions based on
public-key technology. A few examples of the kinds of services
that public-key technology enables are secure channel
communications over a public network, digital signatures to
ensure image integrity and confidentiality, and authentication of
a client to a server (and vice-versa).
Smart cards are a key component of the
public-key infrastructure that Microsoft is integrating into the
Windows® operating system because smart cards
enhance software-only solutions, such as client authentication,
logon, and secure e-mail. Smart cards are essentially a point of
convergence for public-key certificates and associated keys
because they:
The smart card will become an integral
part of the Windows platform because smart cards provide new and
desirable features as revolutionary to the computer industry as
the introduction of the mouse or compact disc.
The Encrypting File System (EFS) that is
included with the Microsoft® Windows® 2000 operating
system provides the core file encryption technology to store NTFS
files encrypted on disk. EFS particularly addresses security
concerns raised by tools available on other operating systems
that allow users to physically access files from an NTFS volume
without an access check.
This document provides an executive summary and a technical
overview of EFS and looks at the issues of data access scenarios
and the limitations of the approaches that some products on the
market have in trying to solve system, file, and data security
problems.
A standard safety measure on a personal
computer system is to attempt to boot from a floppy disk before
trying to boot from the hard disk. This guards users against hard
drive failures and corrupted boot partitions. It also adds the
convenience of booting different operating systems.
Unfortunately, this can mean someone with physical access to a
system can bypass the file system access control built into the
Windows® 2000 operating system by using a tool
to read Windows NTFS on-disk structures. Many hardware
configurations provide features like a boot password to restrict
this kind of access. Such features are not in widespread use, and
in a typical environment, where multiple users are sharing a
workstation, they do not work very well. Even if these features
were universal, the protection provided by a password is not very
strong.
The root of these security concerns is
sensitive information, which typically exists as unprotected
files on your hard drive. You can restrict access to sensitive
information that is stored on an NTFS partition only if Windows 2000
is the only operating system that can be run and the hard
drive cannot be physically removed. If someone really wants to
get at the information, it is not difficult if they can gain
physical access to the computer or hard drive. Availability of
tools that allow access to NTFS files from MS-DOS®
and UNIX operating systems makes bypassing NTFS security even
easier.
Data encryption is the only solution to
this problem. With EFS, data in NTFS files is encrypted on disk.
The encryption technology used is public key-based and runs as an
integrated system service, making it easy to manage, difficult to
attack, and transparent to the user. If a user attempting to
access an encrypted NTFS file has the private key to that file,
the user is able to open the file and work with it transparently
as a normal document. A user without the private key to the file
is denied access.
Gaining an understanding of the Active
Directory™ directory service is
the first step in understanding how the Windows®
2000 operating system functions and what it can do to help you
meet your enterprise goals. This paper looks at Active Directory
from the following three perspectives:
- Store. Active Directory, the
Windows 2000 Server directory service, hierarchically
stores information about network objects and makes this
information available to administrators, users, and
applications. The first section of this paper explains
what a directory service is, the integration of Active
Directory service with the Internet's Domain Name
System (DNS), and how Active Directory is actualized when
you designate a server as a domain controller.
- Structure. Using Active
Directory, the network and its objects are organized by
constructs such as domains, trees, forests, trust
relationships, organizational units (OUs), and sites. The
next section in this paper describes the structure and
function of these Active Directory components, and how
this architecture lets administrators manage the network
so that users can accomplish business objectives.
- Inter-communicate. Because
Active Directory is based on standard directory access
protocols, it can interoperate with other directory
services and can be accessed by third-party applications
that follow these protocols. The final section describes
how Active Directory can communicate with a wide variety
of other technologies.
The introduction of Active Directory in
the Windows 2000 operating system provides the following
benefits:
- Integration with DNS. Active
Directory uses the Domain Name System (DNS). DNS is an
Internet standard service that translates human-readable
computer names (such as mycomputer.microsoft.com) to
computer-readable numeric Internet Protocol (IP)
addresses (four numbers separated by periods). This lets
processes running on computers in TCP/IP networks
identify and connect to one another.
- Flexible querying. Users and
administrators can use the Search command on the Start
menu, the My Network Places icon on the desktop,
or the Active Directory Users and Computers snap-in to
quickly find an object on the network using object
properties. For example, you can find a user by first
name, last name, e-mail name, office location, or other
properties of that person's user account. Finding
information is optimized by use of the global catalog.
- Extensibility. Active
Directory is extensible, which means that administrators
can add new classes of objects to the schema and can add
new attributes to existing classes of objects. The schema
contains a definition of each object class, and each
object class's attributes, that can be stored in the
directory. For example, you could add a Purchase
Authority attribute to the User object and then store
each user's purchase authority limit as part of the
user's account.
- Policy-based administration.
Group Policies are configuration settings applied to
computers or users as they are initialized. All Group
Policy settings are contained in Group Policy Objects
(GPOs) applied to Active Directory sites, domains, or
organizational units. GPO settings determine access to
directory objects and domain resources, what domain
resources (such as applications) are available to users,
and how these domain resources are configured for use.
- Scalability. Active Directory
includes one or more domains, each with one or more
domain controllers, enabling you to scale the directory
to meet any network requirements. Multiple domains can be
combined into a domain tree and multiple domain trees can
be combined into a forest. In the simplest structure, a
single-domain network is simultaneously a single tree and
a single forest.
- Information Replication.
Active Directory uses multimaster replication, which lets
you update the directory at any domain controller.
Deploying multiple domain controllers in one domain
provides fault tolerance and load balancing. If one
domain controller within a domain slows, stops, or fails,
other domain controllers within the same domain can
provide necessary directory access, since they contain
the same directory data.
- Information security.
User authentication and access control,
both fully integrated with Active Directory, are key
security features in the Windows 2000 operating system.
Active Directory centralizes authentication. Access
control can be defined not only on each object in the
directory, but also on each property of each object. In
addition, Active Directory provides both the store and
the scope of application for security policies. (For more
about Active Directory logon authentication and access
control, see the "For More Information" section at
the end of this paper.)
- Interoperability. Because
Active Directory is based on standard directory access
protocols, such as Lightweight Directory Access Protocol
(LDAP), it can interoperate with other directory services
employing these protocols. Several application
programming interfaces (APIs), such as Active Directory
Service Interfaces (ADSI), give developers access to
these protocols.
At the end of this document, "Appendix
A: Tools" provides a brief overview of the software tools you
use to perform the tasks associated with Active Directory.
The IntelliMirror™
management technologies are a set of powerful features built into
the Microsoft® Windows® 2000 operating system and
designed to increase availability and reduce the overall cost of
supporting users of Windows. IntelliMirror uses policy-based Change
and Configuration Management to enable users' data, software,
and settings to follow them throughout a distributed computing
environment, whether they are on- or off-line.
The IntelliMirror™
management technologies are a set of powerful features built into
the Microsoft® Windows® 2000 operating system, designed
for desktop Change and Configuration Management. IntelliMirror
uses features in both Windows 2000 Server and Windows 2000
Professional to allow users' data, software, and settings to
follow them.
The features of IntelliMirror increase
the availability of a user's data, personal computer settings,
and computing environment by intelligently managing information,
settings, and software. Based on policy definitions,
IntelliMirror is able to deploy, recover, restore or replace a user's
data, software, and personal settings in a Windows 2000-based
environment.
Essentially, IntelliMirror provides
users with follow-me functionality for their personal computing
environment. Users have constant access to all of their
information and software, whether or not they are connected to
the network, with the assurance that their data is safely
maintained and available.
IntelliMirror is an addition to the
Zero Administration initiative for Windows (ZAW). IntelliMirror
allows an administrator to set policy definitions once and be
confident that the policy will be applied without further
administrative intervention.
At the core of IntelliMirror are three
features:
IntelliMirror features can be used
separately or all together, depending on the business or
organizational requirements.
This paper defines and explains
IntelliMirror and its features and presents practical
applications of IntelliMirror to show the overall benefit
achieved by combining these features.
This white paper describes Microsoft®
Windows® 2000 operating system Transmission Control
Protocol/Internet Protocol (TCP/IP) implementation details and is
a supplement to the Microsoft Windows 2000 TCP/IP manuals. This
paper examines the Microsoft TCP/IP protocol suite from the
bottom up. Throughout the paper, network traces are used to
illustrate key concepts. These traces were gathered and formatted
using Microsoft Network Monitor, a software-based protocol
tracing and analysis tool included in the Microsoft Systems
Management Server product. This paper is intended for network
engineers and support professionals who are already familiar with
TCP/IP.
Microsoft has adopted TCP/IP as the strategic
enterprise network transport for its platforms. In the early
1990s, Microsoft started an ambitious project to create a TCP/IP
stack and services that would greatly improve the scalability of
Microsoft networking. With the release of the Microsoft®
Windows NT® 3.5 operating system, Microsoft introduced a
completely rewritten TCP/IP stack. This new stack was designed to
incorporate many of the advances in performance and ease of
administration that were developed over the past decade. The
stack is a high-performance, portable 32-bit implementation of
the industry-standard TCP/IP protocol. It has evolved with each
version of Windows NT to include new features and services and to
enhance performance and reliability.
The goals in designing the TCP/IP stack were
to make it:
The TCP/IP suite for Windows 2000 was designed
to make it easy to integrate Microsoft systems into large-scale
corporate, government, and public networks and to provide the
ability to operate over those networks in a secure manner.
Windows 2000 is an Internet-ready operating system.