Windows 2000
Security
This chapter starts you off with a discussion on the need
for powerful distributed security before introducing you
to the specifics of Windows 2000 distributed security services.
It also reviews the new Windows 2000 security protocols, and
protection of services and data.
Windows 2000 Security
While the new era of computing and Windows 2000 will bring
forth many benefits, it will also herald dastardly attempts to
rob you, beat you up, and shut you down. There are many
forces out there that have only one thing on their evil minds,
and that is to find any way to break into your network to plunder
and pillage.
Before you start building your new corporate infrastructure
around Windows 2000, it will pay for you to become thoroughly
versed in the security mechanisms the operating system offers
and how to go about locking down your assets.
Without a doubt, it is probably the most secure operating system
available today. Not only has it inherited the Windows NT
C2 security compliance, which was a ton of work for Microsoft
and set the stage for a secure Windows 2000, but also, if there
were showbiz awards for security, Windows 2000 would clean
up at the Oscars, the Golden Globes, the Grammys, and more.
But before we get into Windows 2000 security specifics, let’s
look at the problem holistically so that you can evaluate your
current security status before devising a security plan.
CHAPTER 3
In This Chapter
✦ Encryption
✦ Kerberos
✦ IPSec
✦ Microsoft Certificate Services
✦ Logon and Authentication
4667-8 ch03.f.qc 5/15/00 1:57 PM Page 65
Part I ✦ Windows 2000 Server Architecture
You have probably heard the term everywhere, so what does
C2 security mean to you, the network or server administrator?
Absolutely nothing. C2 security is nothing more than a U.S.
government sanction. The United States keeps a series of
“books” that grade the security levels of operating systems.
Windows NT passed with distinction because it was able to
demonstrate compliance with the C2 specifications. These specifications include
object ownership, object protection, audit trail, memory protection, and user
identification, all of which are discussed in various places in this book.
Note: C2 is defined in the so-called “Orange Book,” which is really titled the Trusted
System Evaluation Criteria. C2 evaluation checks to see how secure a computer
really is. However, C2 only applies to standalone computers. Microsoft is also
testing to the specifications for network computers (Red Book and Blue Book).
Microsoft has gone above and beyond C2 with Windows 2000. So the term is
really meaningless.
The operating system is not C2 out of the box. Everyone has access to everything.
A vendor or security service provider has to set up a machine and the OS to be
C2-compliant. This means locking down objects, setting up audit trails, creating user
accounts with secure password philosophy, and so on. Only when a machine has
been fully locked down can it be rated as C2-compliant . . . no matter if it’s a
washing machine or a file server.
C2 security meant a lot to Windows NT, and whatever hoops and hurdles Microsoft
went through and over to gain C2 security is not lost in Windows 2000. However,
we are now playing away from home . . . the field is the Internet, and the game is
e-commerce. You have high-powered security protocols to configure, and you
have lots more room to drop the ball.
Another reason that C2 is not important to you is that, as mentioned earlier, out of
the box Windows 2000 is as locked down as the space above your head. You have
to lock down every aspect of it; the network is only as secure as you make it. If
Windows 2000 is not properly configured, claiming awards like C2 will not get you
out of a jam when a hacker pulls your pants down on the Internet. We know we are
being blunt, but security is part of the day-to-day life of a network administrator. If
you don’t have a security problem, you don’t have a network.
The Need for Security
If you are new to network administration in general and Windows 2000 (and NT) in
particular, then before you devise a security plan, you need to understand the risks
to your network and yourself. Unless you plan to hire a security expert, you will
probably have to come up with a plan yourself. Chances are your company will ask
this of you . . . your superior will assume that you are well versed in the subject. If
you are well versed in the security threat, you can skip this part and go directly to
the section titled “Rising to the Challenge.”
A company’s data is its lifeblood, and it needs to be vigorously protected. As the
network administrator, you will be required to ensure that data is kept confidential
and that it can be relied upon. There are numerous mechanisms in place to assist
you with respect to data integrity and confidentiality, and they range from sensible
access control policy to encryption, backup, and availability.
Chapter 3 ✦ Windows 2000 Security
Data Input
Data is vulnerable to attack and capture from the moment a person types in a user
ID and password. How often have you had to enter a password while someone was
standing over your shoulder? You try to type as quickly as you can, but spies will
watch you typing and pick up your passwords quicker than you think. Then, when
you are not at your desk, they will get your user ID from the memo field at the
sign-in screen and masquerade as you from any computer, anywhere.
The new smart card technology has been introduced in Windows 2000 and is
discussed later in this chapter. With a smart card, the user is authenticated without
risking being compromised because the thief needs the card to complete the hack.
Smart card readers offer one of the most sophisticated domain authentication
solutions available to Windows 2000.
Data Transport
The PC’s or input device’s operating system must transport the information down
the network stack to the transport, all the way to the domain controller’s (DC’s)
network interface and up the DC’s respective stack. All along this route, the data is
vulnerable to interception. If the data is not encrypted, or is encrypted very lightly,
there is a risk that a person tapping the network will be able to pick up
conversations between your input device and the domain controller, or any other partner
for that matter.
To counter this, Windows 2000 employs extensive encryption technology both in
data and network communications, and in file storage and protection.
Why the Threat Exists
There are many reasons people threaten your security. Let’s look at a short list of
threats that you are most likely to encounter during your life as a Windows 2000
Server administrator:
1. Espionage: People need to break into your communications realm to learn
company secrets, employee secrets, product plans, financial situation, strategy, and
so forth. This level of threat is the most virulent. The attackers have strong
motives to get the attack under way and to ensure they succeed. The attackers
do not want to be discovered and will continue to hide in your environment as
long as they need to. The damage is often irreparable if the attackers are
undiscovered. This is the most difficult form of attack to counter because, for the
most part, you do not know where they are hitting you or why.
While bugging devices and spying are not usually the responsibility of the
network or server administrator, espionage via the network is becoming more
probable every day because it is so easy and it is where all the jewels are
located.
Over the network, hackers will read files and e-mail, and try to log in to
databases wherever they can to steal credit card numbers, bank account numbers,
and so forth. An attacker can, for example, find out the password of your
voice mail system and then listen to your messages.
2. Denial of Service (DoS): These attackers are intent on destroying you. They
can attack your physical premises or locations, which is becoming harder to
do all the time, or they can target your network, which is becoming easier to
do because you are connected to the Internet or because you provide users
with remote access. This is fast becoming the favored means of attack for
stopping your work: firstly, because of the dependency your company has on
the network, and secondly, because the attacker does not need to be
physically present for the attack.
DoS attacks are made by flooding your network portal (targeting your gateway
to the Internet) with massive floods of e-mail, or with SYN attacks, which are
the low-level communication barrages that suck up all the server’s resources,
finally causing it to crash. Sometimes the objective is to crash the server just
to trigger backdoor code that spawns a process. There could be a million
places on a network to hide a sliver of code that gets executed when certain
files are loaded. Good examples are the boot files and startup files like
AUTOEXEC.BAT.
3. Hostile Applications: Hostile applications are placed on the Internet for
unwary surfers to download. Upon execution of the code on your internal
network, the application can begin its dirty work, which for a while might be
to do nothing that can cause it to be detected, but rather to find information
that would be valuable to the attacker. Such applications are also called
Trojan horses.
4. Virus Attacks: By far, the most visible attack on the network comes in the
form of viruses. Contrary to the claims that there are tens of thousands of
viruses, only a handful of virus writers can actually claim to have invented
one from start to finish. Most virus authors are not as brilliant as you may
have been led to believe; they are just copycats. However, this information
does not provide any relief.
A lot of virus code is available on the Internet to be freely downloaded,
manipulated, and enhanced or packed with a payload. This is the reason we see so
many variations of viruses every month. Some can be detected by anti-virus
software such as NetShield and cleaned up; others are more sinister, such as
Backdoor-G, which can only be picked up by the anti-virus software after it
has delivered its payload. Not only does it wreck your PC before it can be
detected, but it also first attacks the anti-virus software.
Threats emanate from two locales: the external environment and the internal envi-
ronment. These two environments can be easily defined as follows:
✦ The external environment: The threat comes from people who have no
contractual status with the enterprise. They are complete strangers. The attack
comes from the outside.
✦ The internal environment: The threat comes from people who have a
relationship with the company, from employees to contractors to customers.
The attack usually comes from the inside. In some cases, it comes from the
outside, with inside information. Other times, the threat is not born out of
revenge or criminal intent, but ignorance.
The External Environment
Not too long ago, the only way to threaten or attack an organization, its people,
or its business was through some sort of physical act. This is no longer the case.
It costs far less money and is much safer for a hacker to stay in a safe haven and
attempt to break into a network through a RAS portal or connection to the Internet.
For many, it means the possibility of financial reward; for others, it has to do with
some form of demented feeling of achievement.
Now that many small companies can afford dedicated connections to the Internet,
the pickings have become very attractive. While we have not yet realized the paper-
less office, almost all data is placed on the network in share-points and databases.
The network and server storage silos are thus loaded with valuable information.
Attackers also no longer need to proactively choose their targets. They create
hostile code that gets inadvertently downloaded from the Internet and gets executed
by a number of mechanisms, from rebooting to the mere act of unzipping a file.
The code then can gather intelligence and send it to its master. It is therefore
essential that you establish policy to ensure that code downloaded from the Internet is
authenticated and signed with the digital signature of a trusted software
publisher, a signature that is checked against the publisher’s public key.
E-mail is now very much tangible property, and it can be used in court cases as
evidence and as a source of information that can be used to plan an attack on a person
or an organization. We all communicate more by e-mail than we do by snail mail, yet
e-mail is treated like a postcard. We do not enclose our messages in an envelope
and seal it. We just put it in the mail for anyone to look at.
E-mail needs to be secured on two levels. We need to be sure that the people with
whom we communicate are really who they say they are. And we need to be sure
that our e-mail is not being read or changed as it traverses the net. It is very easy
to trace the route a message takes over the Internet and penetrate e-mail systems.
Securing e-mail is becoming essential and falls under the auspices of public key
encryption, discussed shortly.
The Internal Environment
The internal environment threat comprises employees who are either malicious,
stupid, or who make honest mistakes. Threats range from outright misuse
of privileges to total ignorance or stupidity. For example: The perpetrator of
outright misuse of privileges has administrative rights on the network and provides
himself or herself access to sensitive data.
The ignorance factor often involves users failing to keep anti-virus software current,
or downloading all forms of rubbish from the Internet, thereby introducing
malicious content to the network from the external environment.
Outright stupidity and honest mistakes that often cause headaches for
administrators are usually deleted files, corrupted databases, deleted mailbox folders, and the
like. Deleted data can usually be recovered from backups, as long as the backup
regimen is well practiced in your company. Most of the time, recovering deleted
files is just a waste of time spent doing administrative work to have to keep
recovering files. Often, the problems are not user-related issues at all, but just bad
management on the part of a lazy network or server administrator.
Rising to the Challenge
Over the years, there has been a lot of discussion about the security capabilities of
Windows NT. Microsoft has often been criticized for not delivering a more secure
operating system when, in fact, the opposite is the case. But it has not been all
Microsoft’s fault. For starters, the U.S. government has for years not allowed the
export of 128K-bit encryption algorithms . . . although that did not deter many
organizations from smuggling out the software.
And as for the comparison with UNIX, UNIX systems are more at risk today than
Windows 2000. Since the UNIX source code is open for all to see, many hackers can
read the code to look for weak points and plot their attacks. Server for server, there
are still more UNIX machines on the Internet than Windows NT or Windows 2000
machines. On Windows NT, hackers resort to scanning network communications to
look for information with which to replay attacks. Data interception was and still is
a common form of attack against an NT network.
For Windows 2000 to compete and even excel over the competition in the risky and
exposed world of e-commerce, it needed to be the most secure operating system.
The following sections explore the standard Windows 2000 security mechanisms
Microsoft has implemented in Windows 2000:
✦ Kerberos
✦ IPSec
✦ PKI
✦ NT LAN Manager (NTLM)
Note: All the fancy encryption algorithms you use will be useless if your server stands in
the middle of an open-plan office for anyone to plunder or sneak out. Unless a
server or key systems and data storage are locked up behind secured barriers, you
might as well forget the rest of this chapter.
Before you tackle the protocols, you need to get up to speed on the
cloak-and-dagger stuff.
Encryption 101
This is a true story. A man walked into a diner one morning and ordered fried eggs.
When the eggs were delivered, he changed his mind and advised the waitress that
he had ordered scrambled eggs. The waitress, peeved at the cheek of the client,
picked up a fork and with a quick whipping movement rendered the eggs into an
unrecognizable heap. “There, now they are scrambled,” she said, and stormed off.
The action of rendering the eggs into an unintelligible mess is known as scrambling.
Data is scrambled in similar fashion; we call it encryption. At first, the data is in
whole recognizable form, often called plain text, like the fried eggs. The motion to
scramble them is known as the algorithm . . . and the result is often termed cipher
text. In the anecdote, the algorithm is the technique, style, or “recipe” by which
the waitress used her wrist and fork to turn a perfect pair of sunny-side-ups into a
mound of yolk and white. If she only took a few stabs at the eggs, the patron might
be able to claim he still had fried eggs (not a strong encryption algorithm).
Knowing the key that reverses the process is vital to the recovery of the data, but
that is the only difference between egg scrambling and data scrambling. If we knew
how to unscramble eggs, Humpty Dumpty might still be alive, and our world would
be very different.
In computer science, the standard that governs the techniques and recipes for
encryption of data is known as the Data Encryption Standard (DES). DES data
encryption algorithms (DEAs) specify how to encrypt data and how to decrypt
that data. A number of important bodies, such as ANSI and the National Institute
of Standards and Technology (NIST), govern the specifications for DES. Each
algorithm is rated according to the strength of its encryption ability (and its
resistance to duplication of, or attack on, the encryption/decryption key).
DES, actually the DEAs, needs to be continuously improved because the codes are
often cracked by encryption experts (for science and crime). New standards are on
the horizon, and soon the Advanced Encryption Standard (AES) will replace DES.
Other standards governed by these bodies include the Digital Signature Standard
(DSS) and the Digital Signature Algorithm (DSA). Incidentally, the U.S. government
does not regulate encryption.
Note: For more information on encryption standards, see the RSA Laboratories Web site
at www.rsasecurity.com.
Cryptography
Cryptography dates back more than 4,000 years. Over the past millennia, it has
protected many a culture’s communications and has brought them through wars,
treaties with neighbors, and more.
In recent years, electronic data communications have escalated to such volume and
importance in our lives that without electronic or digital cryptography we would
not be able to continue on our logical course.
In fact, we owe our computerized environment to cryptography. If you have time
during the locking down of your networks, you should read the biography of Alan
Turing, who directed the British to build the first digital computers to break the
Germans’ Enigma code.
Pretty Good Privacy (PGP) is a software program written originally and distributed
illegally for no financial gain by Phil Zimmermann, who believed that the cryptography
algorithms that were being protected by patents should be made public property . . .
worldwide. He created PGP back in 1991, and over the years, it was disseminated
around the world on the “undernet.” Even though its export was expressly forbidden
by the U.S. government’s International Traffic in Arms Regulations, which classified
his software as a munition, it became available everywhere on bulletin board systems
and the first pioneer sites of the World Wide Web. In the last decade, PGP was pretty
much the only means of securing data and communications on the Internet and
corporate networks of the world.
But encrypting data always required a user to make an effort to secure
communications. Lethargy and lack of knowledge have always left room for error and holes.
Only with the incorporation of the encryption algorithms in the very core of the
operating systems and standards-based network protocols would encryption
become as pervasive and as transparent as air.
We have come a long way since Phil Zimmermann risked detention to make the
slogan “encryption for everyone” a reality. Today, Windows 2000 incorporates it
extensively. Only you, the administrator, need to ensure that it is configured correctly,
through security policy, and everyone on the network will be able to use it, without
even knowing it exists. Before we look at this native support for cryptography in
Windows 2000 and how it is used, here is some cryptography 101.
Keys
Cryptography is a lock, a means of securing information by rendering it
undecipherable without a key. The key, or cryptographic key, is held closely by people
sending and receiving the communication. The following is the simplest example
of cryptography:
The communication: Package color baby burger
The Key:
Package = meet
color = same
baby = grand central station
burger = 14:00 hours
Deciphered: meet me at the same place at Grand Central station at 2 p.m.
Obviously, if you have the key, you can unlock the code and decipher the message.
Private Keys
Private key encryption is also known as Symmetric Key Encryption or just
conventional cryptography. This encryption uses the same key to decrypt and encrypt the
data. In other words, the key you use to lock the door is the same key you use to
unlock the door. In the previous example, both the sender of the message and the
receiver share a common codebook or key. The sender encodes the message with
the key, and the receiver decodes the message with the same key. This form of
encryption is not the most secure in the public domain, because for widespread
communications, numerous parties must hold the key. As soon as the key falls into
the wrong hands, then all bets are off. But it can be used in network authentication
where the compromising of a key is highly unlikely.
Public Keys
Public key encryption uses two keys. One key is public, and the other is private.
Both keys can encrypt data, but only the private key can decrypt the data. To be
pervasive, the technology depends on a public key infrastructure (PKI), which
Windows 2000 now supports (more about PKI later).
A mathematical process is used to generate the two keys, and the keys are related to
each other by the product of that mathematical process. So the message encrypted
with one key can be decrypted only with the other. This is how it works:
You want to send an encrypted message. The receiver has a public key, which he
or she makes publicly available for encrypting messages. You encrypt the message
using the public key and send it. When the receiver gets your message, he or she
can decrypt it using the private key, which is mathematically related to the public
key. No one, including you, can decrypt the message with the public key.
It goes without saying that the private key must be closely held or your messages
will be compromised.
Session Keys
The chief problem in making public keys widely available is that the encryption
algorithms used to generate public keys are too slow for the majority of just-in-time
communications (there are numerous algorithms used to create the keys, but the
technology is beyond the scope of this book). For this reason, a simpler session key
is generated, and it in turn holds the “key” to the encrypted data.
1. A session key is randomly generated for every communication that requires
encryption. A key distribution authority (or the originator of the
communication, or a vouchsafe process) creates the session key for the communication
or message.
2. The data is encrypted with the session key.
3. The session key is then encrypted with the recipient’s public key. The
encryption of the data by the session key is a thousand times faster than
the encryption of the data by the public key.
4. The encrypted data and the encrypted session key are then sent to the
receiver, who can decrypt both by first decrypting the session key with
his or her private key and then decrypting the data with the session key.
Key Certificates
Key certificates are containers for public keys. Key certificates usually contain the
public key of the recipient, the identity of the creator of the public key, the date
the key was created, and a list of digital signatures.
Digital Signatures
We sign most things we do in the material world, so why not in the digital world?
Most of us spend our working lives in cyberspace. Our customers deal with us on
the net, they buy from us on the net, and they expect that when they send us
confidential communications, they are sending it to the right people. We also want to
know that when someone sends us a message, hits our Web site, or connects to our
computers that they are who they say they are. We also need to use digital
signatures to prevent repudiation. In other words, if someone places an order with you
over the World Wide Web or via e-mail, or enters into some form of contract with
you, they should sign the document so that they cannot turn around later and
repudiate the transaction.
It is also not always necessary to encrypt a message, which taxes computer
resources. Sometimes, the message or data content or information is not sensitive.
Sending someone a publicly available encrypted price list would be an absurd idea.
But what if someone intercepted that message and changed the content, which
would affect the relationship? What if someone sent you a message saying, “Mary
just had a little lamb,” and a jokester intercepted the message and changed the
content to read, “Mary just ate her little lamb?” The effects could be devastating.
Digital signatures are thus used to authenticate the sender, to legally bind parties
in digital transactions, to authenticate content, and to be sure that content has not
been changed or tampered with in any way.
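The four session-key steps and the signed-but-unencrypted message described above, worked through in JavaScript (Node.js). This is an added example, not code from the book or from Windows 2000. It assumes RSA-2048 with OAEP for the public-key step, AES-256-GCM for the session-key step, and RSA with SHA-256 for signatures; the function names and sample messages are constructed for the illustration.

```javascript
const {
  generateKeyPairSync, randomBytes, publicEncrypt, privateDecrypt,
  createCipheriv, createDecipheriv, sign, verify, constants,
} = require('node:crypto');

// Constructed RSA key pairs for the two parties, generated fresh on each run.
const receiver = generateKeyPairSync('rsa', { modulusLength: 2048 });
const sender = generateKeyPairSync('rsa', { modulusLength: 2048 });

// Padding used to wrap the session key (assumption: the text names no scheme).
const OAEP = { padding: constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Steps 1-3: create a random session key, encrypt the data with it, then
// encrypt ("wrap") the session key with the recipient's public key.
function sealMessage(plaintext, recipientPublicKey) {
  const sessionKey = randomBytes(32);                      // step 1
  const iv = randomBytes(12);                              // fresh nonce per message
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]); // step 2
  const wrappedKey = publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);   // step 3
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Step 4: the receiver unwraps the session key with the private key, then
// decrypts the data with the session key. GCM rejects altered ciphertext.
function openMessage(msg, recipientPrivateKey) {
  const sessionKey = privateDecrypt({ key: recipientPrivateKey, ...OAEP }, msg.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag);
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// A message that is not secret but must not be altered: sign it, leave it readable.
function signMessage(text, signerPrivateKey) {
  return { text, signature: sign('sha256', Buffer.from(text, 'utf8'), signerPrivateKey) };
}

// Anyone holding the signer's public key can check sender and content together.
function verifyMessage(signed, signerPublicKey) {
  return verify('sha256', Buffer.from(signed.text, 'utf8'), signerPublicKey, signed.signature);
}

// Runs both cases on constructed messages and returns the outcomes.
function demo() {
  const sealed = sealMessage('PO 1187: 40 units, net 30', receiver.publicKey);
  const signed = signMessage('Mary just had a little lamb', sender.privateKey);
  const tampered = { ...signed, text: 'Mary just ate her little lamb' };
  return {
    recovered: openMessage(sealed, receiver.privateKey),
    wrappedKeyBytes: sealed.wrappedKey.length,   // one RSA block, whatever the data size
    genuineOk: verifyMessage(signed, sender.publicKey),
    tamperedOk: verifyMessage(tampered, sender.publicKey),
  };
}
```

Only the 32-byte session key passes through the slow public-key operation; the message body, however large, is handled by the symmetric cipher.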
Windows 2000 makes wide use of the encryption mechanics described above. One
of the most important implementations is in the use of the Kerberos protocol,
which is now the most important means of authentication and protection of data
in not only Windows 2000, but also all major operating systems.
Kerberos
What if we told you that every time you come to work you have to go to a certain
security officer who signs you in and issues you a clip-on tag that allows you to
enter the building and go to your desk, but do nothing else? And that you had to
check in with the officer every hour to renew your tag?
What if you then needed to go to this person for a new tag every time you needed
to access a resource in the company, such as the file room or the copier machine?
And then what would you think if we told you that you have to present this tag to
guards that protect each resource so that they can verify that you are legitimate?
You’d say, “Wow, this is overkill. Why is security so tight here?” It would probably
be hard to work in such an environment. But what if several companies, or a whole
city, adopted such stringent security practices? Life in the city would be so secure
that companies would be able to trust each other enough to share resources. But
for all intents and purposes, it would still be hard to work in such an environment.
Yet, this is precisely how Kerberos works. The only difference is that the security
check-ins and tag issues are handled transparently by the underlying protocols,
and everything takes place in network transmissions. The user is oblivious to what
is going on under the network hood.
Kerberos is based on a system of tickets, which are packets of encrypted data that
are issued by a Key Distribution Center (KDC), the security officer we just
mentioned. This ticket is your “passport” and carries with it a myriad of security
information. Each KDC is responsible for a realm, and in Windows 2000 every domain is
also a Kerberos realm. Also, every Active Directory domain controller (DC) is a KDC.
When you log on to Windows, WinLogon and LSA kick in to first authenticate you
to the KDC (see Chapter 2), which provides you an initial ticket called the Ticket
Granting Ticket (TGT), which is akin to a right-of-way coupon at the fairground, or
a passport. Then, when you need to access resources on the network, you present
the TGT to the DC and request a ticket for a resource. This resource ticket is known
as a Service Ticket (ST). When you need access to a resource, your processing
environment presents the ST to the resource. You are then granted access in
accordance with the ACL protecting the resource.
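The logon, TGT, Service Ticket, and ACL sequence just described, as a simplified model in JavaScript (Node.js). This is an added example, not code from the book and not the Windows 2000 implementation. AES-256-GCM stands in for the Kerberos encryption types, long-term keys are random rather than password-derived, and the principal names, one-hour lifetime, five-minute freshness window, and all function names are assumptions made for the illustration.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const HOUR = 60 * 60 * 1000;     // ticket lifetime (assumption, after the hourly-tag analogy)
const MAX_SKEW = 5 * 60 * 1000;  // how old an authenticator may be (assumption)

// Authenticated encryption of a small JSON record under a shared key.
function seal(key, obj) {
  const iv = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(JSON.stringify(obj), 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), body]);
}
function open(key, blob) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  const body = Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  return JSON.parse(body.toString('utf8'));   // reached only if the key was right
}
const toKey = (b64) => Buffer.from(b64, 'base64');

// A ticket is honoured only together with a fresh authenticator sealed under
// the session key inside that ticket, so a copied ticket alone proves nothing.
function checkAuthenticator(ticket, authenticator, now) {
  if (now > ticket.expires) throw new Error('ticket expired');
  const auth = open(toKey(ticket.sessionKey), authenticator);
  if (auth.client !== ticket.client) throw new Error('client mismatch');
  if (Math.abs(now - auth.time) > MAX_SKEW) throw new Error('stale authenticator');
}
const makeAuthenticator = (client, sessionKey, now) =>
  seal(toKey(sessionKey), { client, time: now });

class Kdc {
  constructor() {
    this.tgsKey = randomBytes(32);  // known only to the KDC; protects every TGT
    this.keys = new Map();          // principal name -> long-term key
  }
  register(principal) {
    const key = randomBytes(32);
    this.keys.set(principal, key);
    return key;
  }
  // Logon: the TGT is sealed for the KDC itself; the session key that goes
  // with it is sealed under the user's long-term key.
  issueTgt(client, now) {
    const userKey = this.keys.get(client);
    if (!userKey) throw new Error('unknown principal');
    const sessionKey = randomBytes(32).toString('base64');
    const expires = now + HOUR;
    return {
      tgt: seal(this.tgsKey, { client, sessionKey, expires }),
      forClient: seal(userKey, { sessionKey, expires }),
    };
  }
  // Resource request: TGT plus authenticator in, Service Ticket out. The ST
  // is sealed under the service's key, so only that service can read it.
  issueServiceTicket(tgt, authenticator, service, now) {
    const t = open(this.tgsKey, tgt);
    checkAuthenticator(t, authenticator, now);
    const serviceKey = this.keys.get(service);
    if (!serviceKey) throw new Error('unknown service');
    const sessionKey = randomBytes(32).toString('base64');
    const expires = Math.min(t.expires, now + HOUR);
    return {
      ticket: seal(serviceKey, { client: t.client, sessionKey, expires }),
      forClient: seal(toKey(t.sessionKey), { sessionKey, expires }),
    };
  }
}

// The resource validates the ST, then applies its own ACL to the client name.
function serviceGrants(serviceKey, acl, ticket, authenticator, now) {
  const t = open(serviceKey, ticket);
  checkAuthenticator(t, authenticator, now);
  return acl.includes(t.client);
}

// The whole sequence from the client's side: logon, ticket request, access.
function logonAndAccess(kdc, client, userKey, service, serviceKey, acl, now) {
  const as = kdc.issueTgt(client, now);
  const tgtKey = open(userKey, as.forClient).sessionKey;
  const tgs = kdc.issueServiceTicket(as.tgt, makeAuthenticator(client, tgtKey, now), service, now);
  const svcKey = open(toKey(tgtKey), tgs.forClient).sessionKey;
  return serviceGrants(serviceKey, acl, tgs.ticket, makeAuthenticator(client, svcKey, now), now);
}
```

The user's long-term key is used once, at logon; after that the client proves itself with session keys, and the resource never contacts the KDC to validate a ticket.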
The implementation of Kerberos in Windows 2000 is fully compliant with the
Internet Engineering Task Force’s (IETF) Kerberos v5, which was originally
developed by MIT. This specification is supported by many, which means that tickets
issued in a Windows 2000 domain (now also known as a Kerberos realm) can be
passed to other realms, such as networks running Mac OS, Novell NetWare, UNIX,
AIX, IRIX, and so forth.
Trusts can therefore be established between the Key Distribution Centers
(KDCs) in the respective realms. The KDC trusts, for all intents and purposes, work
just like trusts for Windows NT systems, which are set up between the primary
domain controller (PDC) in each domain. And because Windows 2000 still speaks
NT LAN Manager (NTLM), trusts are maintained to legacy Windows domains.
Kerberos, however, does require more tweaking and administration than you may
be used to on Windows NT domains using NTLM. That’s because users have to
check in with the KDC several times a day. For example, if you are logged on for
12 hours straight, you will probably have to check in with the KDC about 12 to 15
times in that period. If the domain supports 1,200 users, that will result in about
18,000 hits to the KDC.
Also, trusts between heterogeneous networks are not as transparent as the trusts
between Active Directory domains, in which the domain controllers can explicitly
vouch for the users. Trusts between Windows 2000 forests, Windows 2000 and
Windows NT, and Windows 2000 and other realms involve manual setup between
each domain’s or realm’s respective administrator. The process that takes place in
the UNIX or IRIX realm may be very different to the setup that takes place between
Windows 2000 realms.
When planning the physical layout of the network, if you have multiple domains that
communicate across a WAN, you will need to establish shortcuts or the best
possible routes that ticket transmission can use to move from realm to realm. Shortcuts
may be required so that authentication does not become bogged down in network
traffic over a small pipe.
Note: If authentication is slow due to slow links between networks, you may have a
good reason to establish the site as a new domain. For more information on
deciding when to create a new domain, check out Chapter 7.
Kerberos is, however, a very fast protocol and is an ideal environment for
implementing the Single Sign-On paradigm in network authentication.
Kerberos and the Single Sign-On Initiative
Single Sign-On is long overdue. From a security angle, it provides tremendous
benefits. If a user has six or seven passwords, it means he or she has six or seven more
opportunities to compromise security. Many people are so sick of the different
passwords they have to deal with that they would rather not have a password. This is a
problem in systems where the password creation and application is in the hands