2823B

Module 1: Planning and Configuring an Authentication and Authorization Strategy

Overview
- Components of an Authentication Model
- Planning and Implementing an Authentication Strategy
- Groups and Basic Group Strategy in Windows Server 2003
- Creating Trusts in Windows Server 2003
- Planning, Implementing, and Maintaining an Authorization Strategy Using Groups
Lesson: Components of an Authentication Model
- Authentication, Authorization, and Least Privilege
- Authentication Protocols in Windows Server 2003
- How NTLM Authentication Works
- How Kerberos Authentication Works
- Windows Server 2003 Authentication Methods for Earlier Operating Systems
- Windows Server 2003 Storage of Secrets
- Tools for Troubleshooting Authentication Problems
- Practice: Configuring Secure Authentication
Authentication, Authorization, and Least Privilege
- Authentication: the process of verifying the identity of something or someone (for example, establishing that the user is really Ben Smith)
- Authorization: the process of determining whether something or someone has permission to access a resource (for example, establishing that Ben Smith has permission to access this resource)
- Least privilege: provide users with the minimum privileges needed to accomplish the tasks they are authorized to perform
Authentication Protocols in Windows Server 2003
Protocol: Example
NTLM family:
- LM: Used in OS/2 and Windows for Workgroups, Windows 95, Windows 98, and Windows Me. Least secure protocol.
- NTLMv1: Used for connecting to servers running Windows NT Service Pack 3 or earlier
- NTLMv2: Used for connecting to servers running Windows 2000, Windows XP, and Windows NT Service Pack 4 or higher
Kerberos:
- Default authentication protocol for Windows Server 2003, Windows 2000, and Windows XP Professional. Most secure.
How NTLM Authentication Works
(Diagram: Client, Domain Controller, Security Accounts Database; reconstructed here from its numbered labels.)
1. The client sends the user name and domain to the domain controller.
2. The domain controller returns a nonce to the client.
3. The client combines the user password hash with the nonce and sends the result to the domain controller.
4. The domain controller retrieves the user password hash from the security accounts database.
5. The domain controller combines the stored user password hash with the nonce and compares the result with what the client sent; the logon succeeds if the two are equal.
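The exchange in the diagram above, modelled as an added Python example (not code from the course or from Microsoft). The primitives are toy stand-ins chosen for readability: SHA-256 of the UTF-16LE password in place of NTLM's MD4 hash, and HMAC-SHA256 over the nonce in place of NTLMv2's HMAC-MD5 response. The CONTOSO account and the `wire` transcript are constructed; the transcript exists only to show what actually crosses the network, which is the security point of steps 2 through 5.

```python
import hashlib
import hmac
import secrets


def password_hash(password: str) -> bytes:
    """The secret both sides hold: a hash of the password, never the password.
    Toy choice (SHA-256 of UTF-16LE); real NTLM uses MD4, but the flow is the same."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def response_for(key: bytes, nonce: bytes) -> bytes:
    """Steps 3 and 5: combine the hash with the nonce. Toy HMAC-SHA256;
    NTLMv2 uses HMAC-MD5 over the challenge plus a client blob."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class DomainController:
    def __init__(self):
        self.accounts = {}   # security accounts database: (domain, user) -> hash
        self.pending = {}    # nonces issued and not yet answered
        self.wire = []       # constructed transcript of everything sent over the network

    def add_account(self, domain, user, password):
        self.accounts[(domain, user)] = password_hash(password)

    def challenge(self, domain, user):
        """Steps 1 and 2: receive user name and domain, hand back a fresh nonce."""
        self.wire.append(("client->dc", f"{domain}\\{user}".encode()))
        nonce = secrets.token_bytes(8)
        self.pending[(domain, user)] = nonce
        self.wire.append(("dc->client", nonce))
        return nonce

    def verify(self, domain, user, response):
        """Steps 4 and 5: fetch the stored hash, recompute, compare in constant time."""
        self.wire.append(("client->dc", response))
        nonce = self.pending.pop((domain, user), None)
        stored = self.accounts.get((domain, user))
        if nonce is None or stored is None:
            return False
        return hmac.compare_digest(response_for(stored, nonce), response)


class Client:
    def __init__(self, domain, user, password):
        self.domain, self.user = domain, user
        self.key = password_hash(password)   # stays on the client
        self.last_response = None

    def logon(self, dc):
        nonce = dc.challenge(self.domain, self.user)
        self.last_response = response_for(self.key, nonce)   # step 3
        return dc.verify(self.domain, self.user, self.last_response)


def run_demo():
    """Constructed scenario: one account, a good logon, a bad password, a replay."""
    dc = DomainController()
    dc.add_account("CONTOSO", "bsmith", "correct horse battery")
    good = Client("CONTOSO", "bsmith", "correct horse battery")
    ok = good.logon(dc)
    bad = Client("CONTOSO", "bsmith", "wrong password").logon(dc)
    # Replaying a captured response fails because the DC issues a new nonce each time.
    dc.challenge("CONTOSO", "bsmith")
    replay = dc.verify("CONTOSO", "bsmith", good.last_response)
    # The hash itself never crosses the wire; only the nonce and the keyed response do.
    leaked = password_hash("correct horse battery") in [m for _, m in dc.wire]
    return {"ok": ok, "bad_password": bad, "replay": replay, "hash_on_wire": leaked}
```

The nonce is what turns a static secret into a one-time proof: the same account, the same hash, but a different challenge on every logon, so a captured response is useless afterwards and the hash itself is never transmitted.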
How Kerberos Authentication Works
(Diagram: User, KDC, Target Server; messages shown are Logon credentials, TGT+SA, TGT+Timestamp, and KAB.)
1. When a user enters a user name and password, the computer sends the logon credentials to the Key Distribution Center (KDC).
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC creates two items, a session key (SA) to share with the user, and a Ticket Granting Ticket (TGT), and returns them to the user (TGT+SA).
3. To access a resource, the client presents its TGT and a timestamp encrypted with the session key (TGT+Timestamp).
4. The KDC creates a pair of tickets, one for the client and one for the server the client wants to access resources on. Both tickets also contain a new key (KAB); the diagram shows KAB delivered to both the user and the target server.
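The three exchanges above (logon credentials to TGT+SA, TGT+Timestamp to a ticket pair carrying KAB, and the client proving KAB to the target server), modelled as an added Python example. This is not the course's code or the real Kerberos message format: the cipher is a deliberately simple SHA-256 keystream with an HMAC tag so the key flow stays readable, the 600-second ticket lifetime and the 300-second clock-skew tolerance are constructed values, the `bsmith` account and `cifs/fileserver` service are constructed, and the timestamp the client encrypts under KA in the first exchange is an assumption standing in for Kerberos pre-authentication.

```python
import hashlib
import hmac
import json
import secrets
import time

SKEW = 300      # seconds of clock skew tolerated on timestamps (constructed value)
LIFETIME = 600  # seconds a ticket stays valid in this toy (constructed value)


def key_from_password(password):
    """KA in the slide: the user's master key is derived from the password."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def enc(key, obj):
    """Toy authenticated encryption of a JSON-serialisable object. Not Kerberos crypto."""
    pt, nonce = json.dumps(obj).encode(), secrets.token_bytes(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def dec(key, blob):
    """Inverse of enc; raises if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))


class KDC:
    def __init__(self):
        self.kdc_key = secrets.token_bytes(32)   # protects TGTs; only the KDC has it
        self.users, self.services = {}, {}        # principal name -> long-term key

    def as_exchange(self, user, proof, now):
        """Logon credentials in, TGT + SA out. The TGT is sealed with the KDC's own key,
        SA is sealed with KA, so only the real password holder can read SA."""
        ka = self.users[user]
        if abs(dec(ka, proof)["ts"] - now) > SKEW:
            raise ValueError("stale pre-authentication")
        sa = secrets.token_bytes(32).hex()
        tgt = enc(self.kdc_key, {"user": user, "sa": sa, "exp": now + LIFETIME})
        return tgt, enc(ka, {"sa": sa})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGT + timestamp in, ticket pair out; both halves carry the new key KAB."""
        t = dec(self.kdc_key, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        sa = bytes.fromhex(t["sa"])
        if abs(dec(sa, authenticator)["ts"] - now) > SKEW:
            raise ValueError("stale authenticator")
        kab = secrets.token_bytes(32).hex()
        server_ticket = enc(self.services[service],
                            {"user": t["user"], "kab": kab, "exp": now + LIFETIME})
        client_part = enc(sa, {"kab": kab, "service": service})
        return server_ticket, client_part


def target_server_accept(kb, server_ticket, authenticator, now):
    """Target server: open the ticket with its own key KB, recover KAB, check the
    authenticator. It never contacts the KDC and never sees the user's password."""
    t = dec(kb, server_ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    if abs(dec(bytes.fromhex(t["kab"]), authenticator)["ts"] - now) > SKEW:
        raise ValueError("stale authenticator")
    return t["user"]


def client_session(kdc, user, password, service, now=None):
    """Run all three exchanges for one client; returns the user name the server accepted."""
    now = time.time() if now is None else now
    ka = key_from_password(password)
    tgt, reply = kdc.as_exchange(user, enc(ka, {"ts": now}), now)
    sa = bytes.fromhex(dec(ka, reply)["sa"])   # fails if the password was wrong
    server_ticket, client_part = kdc.tgs_exchange(tgt, enc(sa, {"ts": now}), service, now)
    kab = bytes.fromhex(dec(sa, client_part)["kab"])
    return target_server_accept(kdc.services[service], server_ticket, enc(kab, {"ts": now}), now)


def demo():
    """Constructed realm: one user account and one service key KB."""
    kdc = KDC()
    kdc.users["bsmith"] = key_from_password("correct horse battery")
    kdc.services["cifs/fileserver"] = secrets.token_bytes(32)
    return kdc
```

Two properties worth noticing in the flow: the password-derived key KA is used exactly once, to open the first reply, and every later step runs on short-lived keys (SA, then KAB) carried inside tickets the client cannot read or alter; and the target server validates the ticket purely with its own key KB, which is why the expiry and timestamp checks have to live on the server as well as on the KDC.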
Windows Server 2003 Authentication Methods for Earlier Operating Systems
Compatibility levels (client behaviour and domain controller behaviour):
Level 0
  Client: Use LM and NTLM but never use NTLMv2
  Domain Controller: Use LM, NTLM, and NTLMv2
Level 1
  Client: Use LM and NTLM; will use NTLMv2 if supported
  Domain Controller: Use LM, NTLM, and NTLMv2
Level 2
  Client: Only use NTLM; will use NTLMv2 if supported
  Domain Controller: Use LM, NTLM, and NTLMv2
Level 3
  Client: Use only NTLMv2
  Domain Controller: Use LM, NTLM, and NTLMv2
Level 4
  Client: Use NTLM and NTLMv2
  Domain Controller: Use only NTLM and NTLMv2
Level 5
  Client: Use NTLMv2
  Domain Controller: Use only NTLMv2
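A negotiation check built from the table above, added as an example (not course material): given a client at one compatibility level and a domain controller at another, which protocol the pair ends up using, or `None` where the domain controller accepts nothing the client will send. The level semantics are exactly the table's; the only assumption beyond it is that when a client could send more than one protocol it prefers the stronger one.

```python
# Preferred order when more than one protocol is possible (assumption, not in the table).
PREFERENCE = ("NTLMv2", "NTLM", "LM")

# Client column of the table: (protocols it will send, whether it upgrades to
# NTLMv2 when the domain controller supports it).
CLIENT = {
    0: ({"LM", "NTLM"}, False),
    1: ({"LM", "NTLM"}, True),
    2: ({"NTLM"}, True),
    3: ({"NTLMv2"}, False),
    4: ({"NTLM", "NTLMv2"}, False),
    5: ({"NTLMv2"}, False),
}

# Domain controller column of the table: protocols it accepts.
DC = {
    0: {"LM", "NTLM", "NTLMv2"},
    1: {"LM", "NTLM", "NTLMv2"},
    2: {"LM", "NTLM", "NTLMv2"},
    3: {"LM", "NTLM", "NTLMv2"},
    4: {"NTLM", "NTLMv2"},
    5: {"NTLMv2"},
}


def negotiate(client_level, dc_level):
    """Protocol actually used for this client/DC pairing, or None if they cannot agree."""
    sends, upgrades = CLIENT[client_level]
    accepts = DC[dc_level]
    offered = set(sends)
    if upgrades and "NTLMv2" in accepts:
        offered.add("NTLMv2")
    for proto in PREFERENCE:
        if proto in offered and proto in accepts:
            return proto
    return None


def broken_clients(dc_level):
    """Client levels that can no longer authenticate once every DC runs at dc_level.
    Useful before raising the DC setting: these are the machines to fix first."""
    return [lvl for lvl in CLIENT if negotiate(lvl, dc_level) is None]


def matrix():
    """Full (client level, DC level) -> protocol table for review."""
    return {(c, d): negotiate(c, d) for c in CLIENT for d in DC}


if __name__ == "__main__":
    for (c, d), proto in sorted(matrix().items()):
        print(f"client level {c} vs DC level {d}: {proto}")
```

The practical reading of the result: raising domain controllers to level 4 still lets every client level in the table authenticate, because level 0 clients fall back to NTLM; only level 5 on the domain controllers locks out the level 0 clients that never send NTLMv2.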
Windows Server 2003 Storage of Secrets
Local passwords are stored in the LSA. The LSA stores:
- Trust relationship passwords
- User names
- Passwords
- Service account passwords
- Service account names
Tools for Troubleshooting Authentication Problems
Tool: Function
- Kerbtray.exe: Displays Kerberos ticket information; allows you to view and purge the ticket cache
- Klist.exe: Lets you view and delete Kerberos tickets granted to the current logon session
- CmdKey.exe: Creates, lists, and deletes stored user names and passwords or credentials
Practice: Configuring Secure Authentication
In this practice, you will:
- Secure authentication on a Windows Server 2003 computer by using Group Policy
Lesson: Planning and Implementing an Authentication Strategy
- Guidelines for Creating a Strong Password Policy
- Options for Account Lockout Policies and Logon Restrictions
- Options for Creating a Kerberos Ticket Policy
- Guidelines for Setting Security for Administrator Accounts
- Strategies for Supplemental Authentication
- Group Policy Settings to Control Authorization to Computers
- Practice: Configuring Delegated Authentication
Guidelines for Creating a Strong Password Policy
When implementing a password policy:
- Educate users about password requirements
- Consider the use of pass phrases rather than passwords
When enforcing a password policy:
- Use password complexity
- Use Group Policy to control:
  - Maximum password age
  - Password history
  - Minimum password age
  - Password length
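A checker for the five controls listed above (complexity, length, history, minimum age, maximum age), added as a Python example rather than the course's or Windows' own implementation. It models the Windows complexity requirement as commonly documented, that is at least three of four character classes and no part of the account name longer than two characters appearing in the password; the policy values, the `bsmith` account and the unsalted SHA-256 used to store history entries are constructed simplifications. Ages are counted in whole days.

```python
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    min_length: int = 8        # "Password length"
    complexity: bool = True    # "Use password complexity"
    history: int = 24          # "Password history": previous passwords remembered
    min_age_days: int = 1      # "Minimum password age": stops cycling through history
    max_age_days: int = 90     # "Maximum password age"


@dataclass
class Account:
    name: str
    history: list = field(default_factory=list)   # hashes of past passwords, newest last
    last_set_day: int = 0


def _hash(pw):
    # Toy, unsalted hash for the history list; a real store must use a proper scheme.
    return hashlib.sha256(pw.encode()).hexdigest()


def meets_complexity(account_name, pw):
    """Three of four character classes, and no 3+ character piece of the account name."""
    classes = [re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    if sum(1 for c in classes if c) < 3:
        return False
    low_name, low_pw = account_name.lower(), pw.lower()
    for i in range(len(low_name) - 2):
        if low_name[i:i + 3] in low_pw:
            return False
    return True


def change_password(policy, account, new_pw, today):
    """Apply every control in order; returns (accepted, reason) and records the change."""
    if account.history and today - account.last_set_day < policy.min_age_days:
        return False, "minimum password age not reached"
    if len(new_pw) < policy.min_length:
        return False, "shorter than minimum length"
    if policy.complexity and not meets_complexity(account.name, new_pw):
        return False, "complexity requirements not met"
    if _hash(new_pw) in account.history[-policy.history:]:
        return False, "password found in history"
    account.history.append(_hash(new_pw))
    account.last_set_day = today
    return True, "ok"


def must_change(policy, account, today):
    """Maximum password age: true once the current password is older than allowed."""
    return today - account.last_set_day >= policy.max_age_days
```

The ordering matters for one subtle interaction the slide's list does not spell out: history enforcement is only meaningful together with a non-zero minimum age, otherwise a user can change the password twenty-five times in a minute and return to the original.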
Options for Account Lockout Policies and Logon Restrictions
Group Policy Setting: Description
- Account lockout threshold: The number of logon attempts that can be made before the account is locked out
- Account lockout duration: The number of minutes a locked out account will remain disabled before being automatically enabled
- Reset account lockout counter after: The number of minutes that must elapse after a failed logon attempt before the counter is reset to 0 bad logon attempts
- Enforce user account logon restrictions: Ensures that the requesting account is still valid and was not disabled since the Kerberos ticket was issued
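A simulation of how the first three settings in the table interact, added as a Python example (not the course's code and not Windows' own logic). Times are in minutes on a constructed timeline; the policy values are constructed, not a recommendation. The fourth row, the Kerberos logon restriction check, is a KDC-side check and is not modelled here.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 5          # bad logons before lockout; 0 means never lock out
    duration_min: int = 30      # minutes locked; 0 means locked until an administrator unlocks
    reset_after_min: int = 30   # quiet minutes after a failure before the counter returns to 0


class AccountState:
    def __init__(self, policy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None
        self.locked_at = None

    def is_locked(self, now):
        """Lockout duration: automatic unlock once the configured minutes have passed."""
        if self.locked_at is None:
            return False
        if self.policy.duration_min == 0:
            return True   # stays locked until admin_unlock()
        if now - self.locked_at >= self.policy.duration_min:
            self.locked_at, self.bad_count = None, 0
            return False
        return True

    def attempt(self, password_ok, now):
        """One logon attempt; returns 'ok', 'bad_password' or 'locked'."""
        if self.is_locked(now):
            return "locked"          # even a correct password is refused while locked
        # Reset counter after: forget old failures once the quiet period has elapsed.
        if self.last_bad is not None and now - self.last_bad >= self.policy.reset_after_min:
            self.bad_count = 0
        if password_ok:
            self.bad_count = 0
            return "ok"
        self.bad_count += 1
        self.last_bad = now
        # Lockout threshold: lock on the Nth consecutive failure within the window.
        if self.policy.threshold and self.bad_count >= self.policy.threshold:
            self.locked_at = now
        return "bad_password"

    def admin_unlock(self):
        self.locked_at, self.bad_count = None, 0
```

Two consequences fall out of the model that are easy to miss when reading the three rows separately: a threshold with a short reset window only counts failures that arrive faster than the window, and a duration of 0 turns every lockout into a help-desk ticket, which is why the two values are usually tuned together.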
Options for Creating a Kerberos Ticket Policy
Default Domain Policy Setting: Description
- Maximum lifetime for user ticket: Determines the amount of time a user ticket is available before it expires
- Maximum lifetime for service ticket: Determines the amount of time a service ticket is available before it expires
- Maximum lifetime for user ticket renewal: Determines the number of days for which a user's TGT can be renewed
Guidelines for Setting Security for Administrator Accounts
Methods to increase the security of administrative accounts include:
- Limiting the number of administrator accounts to highly trusted personnel
- Separating user and administrative accounts
- Using the secondary logon service
- Disabling the built-in administrator account
- Enforcing strong passwords
- Implementing two-factor authentication
Strategies for Supplemental Authentication
Delegated authentication—Windows services impersonate clients
when accessing resources on clients’ behalf
Constrained delegation—Computer account is configured so it is
delegated for only specific services on the network
Group Policy Settings to Control Authorization to Computers
Group Policy Setting: Description
- Access this computer from the network: The user and group accounts that are allowed to connect to the computer over the network
- Log on locally: The user accounts that can interactively log on to the computer
- Deny logon locally: The user accounts that are prevented from logging on at the computer
- Deny logon as batch job: The user accounts that are prevented from being able to log on as a batch job
- Deny access to this computer over the network: The user accounts that are prevented from accessing the computer over the network
- Remove computer from docking station: Determines the ability to undock a portable computer from its docking station without logging on
Practice: Configuring Delegated Authentication
In this practice, you will:
- Configure delegated authentication for user accounts and for computer accounts
Lesson: Groups and Basic Group Strategy in Windows Server 2003
Windows Server 2003 Group Types and Scopes
Built-in Groups
Special Groups
Tools for Administering Security Groups
What Is a Restricted Group Policy?
Practice: Creating and Managing Groups
Windows Server 2003 Group Types and Scopes
Distribution groups
- Used only with e-mail applications
- Not security-enabled
Security groups
- Used to assign rights and permissions to groups of users and computers
- Used most effectively when nested
Group scopes
- Local
- Global
- Universal
- Domain local
Built-in Groups
Built-in groups are designed to manage shared resources and delegate specific domain-wide administrative roles:
- Account Operators
- Administrators
- Backup Operators
- Incoming Forest Trust Builders
- Network Configuration Operators
- Performance Log Users
- Performance Monitor Users
- Pre-Windows 2000 Compatible Access
- Print Operators
- Remote Desktop Users
- Replicator
- Server Operators
- Users
Special Groups
Designed to provide access to resources without administrative or user interaction:
- Anonymous Logon
- Authenticated Users
- Batch
- Creator Group
- Creator Owner
- Dialup
- Everyone
- Interactive
- Local System
- Network
- Self
- Service
- Terminal Server Users
- Other Organization
- This Organization
Tools for Administering Security Groups
Tool: Function
- AD Users and Computers: Enables you to administer users and groups in Active Directory
- ACL Editor: Enables you to administer users and groups on a resource
- Whoami: Displays the complete contents of the access token in the command window
- Dsadd: Creates groups and manipulates membership from the command line
- Ifmember: Enumerates all groups the current member belongs to
- Getsid: Compares the SIDs of two user accounts
What Is a Restricted Group Policy?
Use restricted group policy to control membership:
- Specify members of a group
- Members that are not specified in the policy are removed during configuration or refresh
To apply restricted group policy:
- Define the policy using the local computer security policy
- Define the policy in a GPO that is linked to an organizational unit that contains computer accounts to manage local groups
- Define the policy in a GPO that is linked to the Domain Controllers OU to manage domain groups
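The enforcement behaviour the slide describes (the policy names the members; anyone not named is removed at configuration or refresh), modelled as an added Python example on constructed membership lists. It is not the course's code and does not touch a real system; the group name, account names and the refresh timeline are constructed, and the audit trail is included only to show the defender's angle, which is that a removal performed by policy is the trace of a change someone made outside it.

```python
class LocalGroup:
    """Constructed stand-in for a local security group with a simple audit trail."""

    def __init__(self, name, members):
        self.name = name
        self.members = {m.lower() for m in members}   # SAM names are case-insensitive
        self.audit = []                                # (time, action, member)

    def add(self, member, now, source):
        self.members.add(member.lower())
        self.audit.append((now, f"add:{source}", member.lower()))

    def remove(self, member, now, source):
        self.members.discard(member.lower())
        self.audit.append((now, f"remove:{source}", member.lower()))


def refresh(group, policy_members, now):
    """One Group Policy refresh: the group ends up equal to the policy's member list.
    Missing members are added; members the policy does not name are removed."""
    policy = {m.lower() for m in policy_members}
    for m in sorted(policy - group.members):
        group.add(m, now, "policy")
    for m in sorted(group.members - policy):
        group.remove(m, now, "policy")
    return sorted(group.members)


def drift_events(group):
    """Removals carried out by policy: each one marks a member added outside the policy."""
    return [(t, m) for t, action, m in group.audit if action == "remove:policy"]


def demo():
    """Constructed timeline: an out-of-band addition is reverted at the next refresh."""
    policy = ["BUILTIN\\Administrator", "CONTOSO\\Server Admins"]
    g = LocalGroup("Administrators", ["BUILTIN\\Administrator", "CONTOSO\\Server Admins"])
    refresh(g, policy, 0)                         # initial configuration: nothing to do
    g.add("CONTOSO\\contractor", 10, "manual")    # someone adds a member by hand
    members_after = refresh(g, policy, 90)        # next refresh (time value constructed)
    return members_after, drift_events(g)
```

Because the policy is authoritative, there is no need to reconcile against what the group looked like before: the refresh computes the difference between the policy and the current membership and applies it, so a manual change survives only until the next refresh, and the recorded removal is what to alert on.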