
InformationWeek Labs

November 2, 1998


NT5: Miles TO Go Before Win2000


To set up a tunnel in NT 4, you first go to Control Panel/Networks and add PPTP. You need to understand the fine distinctions between acronyms such as CHAP, MS-CHAP, PAP, and MLPP. After rebooting the server, it's off to RRAS Admin (once you've installed the update and hot fixes) for ongoing administration. Windows 2000, on the other hand, requires no reboots and replaces the alphabet soup with options to "Secure my data, password, or data and password."

When you install Windows 2000 and select the custom Networking option, it automatically installs the Routing and Remote Access Service and pre-configures five PPTP and five L2TP connections. PPTP continues to provide a simple VPN service based on MS-CHAP shared-secret security, while L2TP works with IPSec's public-key encryption service to give authenticated machines and users access to VPNs.

There are options to use the Extensible Authentication Protocol to add support for smart-card and biometric-security devices. IPSec includes extensions for hardware-accelerated encryption, enabling IT to provide enterprisewide VPN access with no apparent performance degradation.

Active Directory can be used to create customized profiles to assign IPSec policies to machines or groups of machines in the directory. These policies negotiate the level of encryption used between systems, enforcing mandatory security with some while relaxing it with others. You administer IPSec policies with the same tool you use to administer group policies for resources--files, printers, and other services.

Relationship Management
Navigating the MMC interfaces and understanding the relationship between Windows 2000's various policies takes some getting used to. In the beta, some were automatically installed on the Administrative Tools sub-menus, while others had to be configured by running the MMC wizard and adding snap-ins. You access the Group Policy Editor by right-clicking the domain or organizational unit in the Active Directory tree, choosing Task and then Manage Group Policy. Remote access policies are found in the RRAS snap-in.

The new operating system's remote access policies allow or disallow access based on the time of day, user, group, type of connection, authentication, encryption, or a combination of these properties. NT 4 requires setting the dial-in check box on each user's account individually, while the new version's policies let you manage by group. For example, we created a group of remote users called Suppliers in the Active Directory. Then we opened the Network Services Management snap-in and created a new policy that restricted access by members of the Suppliers group according to time of day and level of encryption and authentication.

When a Supplier dials or tunnels in to the network, they are granted access only if they meet the policy's conditions. Users can belong to multiple groups; the first policy that matches the user is applied. This lets you establish priority treatment, giving special groups additional bandwidth via ISDN or other high-speed links. You can move users in and out of groups to change rights and permissions, but you'll have to wait for the next beta to use drag-and-drop.
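The policy behaviour described above (match on group and time of day, first matching policy wins, access granted only if the caller meets that policy's encryption and authentication requirements) can be modelled in a few lines. This is an added example, not code from the article or from Windows 2000; the group names, policy names and sample connection are constructed here.

```python
# Added example, not from the article: a small model of Windows 2000 remote
# access policies as described above. A policy's conditions (group, time of
# day) decide whether it matches; the FIRST matching policy is applied and
# the caller is granted access only if it meets that policy's encryption and
# authentication requirements. Group and policy names are constructed here.
from dataclasses import dataclass, field
from datetime import time


@dataclass
class Policy:
    name: str
    groups: set                      # match condition: any of these groups
    start: time = time(0, 0)         # match condition: allowed window start
    end: time = time(23, 59)         # match condition: allowed window end
    min_encrypt: int = 0             # requirement: key length in bits (0 = none)
    auth: set = field(default_factory=set)  # requirement: allowed methods, empty = any


@dataclass
class Connection:
    user: str
    groups: set
    at: time
    encrypt: int
    auth: str


def in_window(p, at):
    if p.start <= p.end:
        return p.start <= at <= p.end
    return at >= p.start or at <= p.end   # window wraps past midnight


def evaluate(policies, c):
    """Return (policy name, granted). First matching policy wins; a match
    that fails its requirements denies access rather than falling through."""
    for p in policies:
        if p.groups & c.groups and in_window(p, c.at):
            ok = c.encrypt >= p.min_encrypt and (not p.auth or c.auth in p.auth)
            return p.name, ok
    return None, False


# Constructed policy set: Suppliers only in business hours with strong
# encryption and MS-CHAP or EAP; Staff at any time with at least 40-bit keys.
POLICIES = [
    Policy("Suppliers business hours", {"Suppliers"}, time(8, 0), time(18, 0),
           min_encrypt=128, auth={"MS-CHAP", "EAP"}),
    Policy("Staff any time", {"Staff"}, min_encrypt=40),
]

if __name__ == "__main__":
    c = Connection("acme-rep", {"Suppliers"}, time(10, 30), 128, "MS-CHAP")
    print(evaluate(POLICIES, c))   # ('Suppliers business hours', True)
```

A user in both Suppliers and Staff is handled by the Suppliers policy because it is listed first, which is the priority effect the article describes.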

Active Directory simplifies management of user accounts for customers and business partners. You can create an organizational unit to group accounts together according to business relationship, then delegate administration privileges to appropriate people within that group. Right-click the organizational unit and select Delegate Control: A wizard lets you choose whom you want to delegate to, and what control they have.

Windows 2000 provides security models for intrabusiness as well as interbusiness relationships. For intrabusiness needs, Kerberos version 5 is introduced as the primary security protocol for domains, enabling transitive trust relationships for interdomain authentication. Where NT 4 must set up one-way trusts between domains, any domain that is a member of an Active Directory tree automatically inherits trust.

Interbusiness communications take advantage of Windows 2000's enhanced X.509-based public-key infrastructure. Using IIS, you can map a single user's certificate, or the certificates of many users, to an NT account. Certificates are now stored in Active Directory; you can search to find issued and revoked certificates, or identify certificates from a specific Certificate Authority. You can set up a policy to trust all certificates from that authority, then add the appropriate users to a group that the policy applies to.

IIS 5 has been enhanced with new security and management features. Obtaining, configuring, and renewing Secure Sockets Layer server certificates is automated by the Certificate Wizard; the CTL Wizard configures certificate trust lists. The Permissions Wizard applies scenario-based Web and FTP permissions, NTFS access permissions, and authentication schemes for public access and secure Internet and Intranet sites.

Digest authentication provides a more secure way of transmitting authentication credentials than the current Basic authentication method, but it requires Internet Explorer 5. Another IIS 5 innovation, Distributed Authoring and Versioning, lets remote authors edit, move, search, or delete server files and directories over an HTTP connection.

Jim Drews is a contributing editor at Network Computing, a CMP Media Inc. magazine and sister publication to InformationWeek; he can be reached at jdrews@nwc.com. Mike Lee is manager of new product development for Network Computing; he can be reached at mlee@nwc.com. Steve Gillmor is director of Southern Digital Inc., a Charleston, S.C., IT consulting firm; he can be reached at sgillmor@southerndigital.com. Logan Harbaugh is a technology editor at InformationWeek.


Read sidebar story, "NDS Offers Stability And Maturity."
