Windows 2000 offers IT organizations a completely new security model and many new security technologies. In this book, two leading information security experts present hands-on projects and techniques for leveraging Windows 2000 security in any network environment -- intranet, extranet, Internet, VPN, or e-Commerce. The book offers detailed, practical coverage of securing sensitive resources using Kerberos, Public Key Infrastructure (PKI) technology, IPSec, Active Directory, and other Windows 2000 security technologies. Leading security professionals Jalal and Jalil Fegghi present each key Windows 2000 security protocol, review the tradeoffs associated with each approach, and guide network administrators to make the most appropriate choices for their environments. The book also includes detailed techniques for building secure Virtual Private Networks and e-Commerce sites and applications. For all Windows 2000 network/system administrators, IT executives and professionals, and power users concerned with security. The CD-ROM contains useful programs and code.

Table of Contents:
(Each chapter concludes with a “Summary” and with “References.”) Preface I. THE KERBEROS NETWORK AUTHENTICATION SERVICE. 1. The Kerberos Network Authentication Service. Basic Concepts of Kerberos. Passwords. Symmetric Keys. Key Distribution and Management. Single Sign-On. Kerberos Architecture. Time Stamps for Nonces. Preauthentication. Security Services. Different Views of Kerberos. Cross-Realm Authentication. Policy Configuration Options. Public Key Extensions. Initial Authentication. Cross-Realm Authentication. Limitations of Kerberos. Kerberos Tickets. Ticket Contents. Ticket Flags. Delegation of Authentication. Ticket-Granting Tickets. The Use of Network Addresses in Tickets. Authenticators for Tickets. The Kerberos Protocol. Authentication Service Exchange. Ticket-Granting Service Exchange. Client/Server Exchange. Summary. References. 2. Kerberos in Windows 2000. Authentication: Kerberos versus NTLM. Scalability. Mutual Authentication. Support for Multitier Applications. Simplified Trust Management. Interoperability with Existing Trust Infrastructures. Smart Card Support. Windows 2000 Implementation of Kerberos. Key Distribution Center (KDC). Account Database. Kerberos Policy. Kerberos Security Support Provider. Credentials Cache. IP Transport. Authorization in Windows 2000. Access-Control Model. Preparation of Authorization Data by the KDC. Interactive Log-On in Windows 2000. Using a Password. Using a Smart Card. Summary. References. II. PUBLIC KEY TECHNOLOGY. 3. Public Key Technology. Overview of Cryptography. Symmetric Key Cryptography. Public Key Cryptography. Public Key Cryptography Schemes. Message Digest Algorithms. Digital Signatures. RSA Digital Signatures. DSS Digital Signatures. Elliptic Curve Digital Signatures. Key Length. Considerations for Symmetric Key Cryptosystems. Considerations for Public Key Cryptosystems. Digital Certificates. Cryptographic Authentication. Secure, Scalable Key Distribution. Client-Centric Processing. X.509 Digital Certificates. Encoding of Certificates. Certificate Revocation Lists (CRLs). Methods for Propagating CRL Information. X.509 CRLs. Certification Authorities. Certificate Enrollment. Subject Authentication. Certificate Generation, Distribution, and Revocation. Data Repositories. Public Key Infrastructures (PKIs). Structures among Multiple Certification Authorities. Certification Path Discovery and Validation. Summary. References. 4. Public Key Technology in Windows 2000. Public Key Security. Secure E-Commerce: TLS/SSL. Supporting Distributed Business Partners: TLS/SSL Client-Side Authentication. Strong Network Authentication: Smart Cards. Distributing Authenticated Code: Authenticode 2.0. Laptop and Desktop File System Security: EFS. Secure E-Mail: S/MIME. Network-Level Secure Communications: IPsec. Public Key Security Architecture. CryptoAPI. Cryptographic Service Providers. Certificate Services. Public Key Infrastructure. Trust Models. Certificate Chain Building. Revocation Status Checking. Cryptographic Algorithms and Key Lengths. Hardware Support. Certificate Trust Lists. Public Key Infrastructure Standards. Interoperability with Third-Party PKIs. PKI to PKI. PKI to Application. Application to Application. Summary. References. 5. Using Public Key Technology in Windows 2000. Designing a Certification Authority Structure. Factors Influencing the Design of a CA Structure. Models for Operating a Certification Authority. Models for CA Structures. Using Certificate Services. Enterprise versus Standalone Certification Authorities. Installing Certificate Services. Administering the Certificate Services CA. Certificate Enrollment for Users and Computers. Certificate Stores. Enrollment Using the Certificate Request Wizard. Web-Based Enrollment. Distribution of Root CA Certificates to Computers. Summary. References. III. IP SECURITY AND VIRTUAL PRIVATE NETWORKS. 6. IP Security (IPsec). IPsec Concepts. Security Protocols. Security Associations. Models for Combining AH and ESP Protocols. Points of Implementation. Limitations of IPsec and Performance Considerations. Key Management in IPsec. Internet Security Association and Key-Management Protocol (ISAKMP). Internet Key Exchange. Summary. References. 7. Virtual Private Networks (VPNs). Basic Concepts. VPN Scenarios. Tunneling. Authentication, Authorization, Accounting, Auditing, and Alarming. Remote-Access Virtual Interfaces and Routing Considerations. Virtual Private Networking with L2TP/IPsec. L2TP/IPsec Two-Level Authentication. IPsec Confidentiality, Data Origin Authentication, and Integrity Services. L2TP/IPsec Packet Encapsulation. Remote-Access Authentication Protocols in Windows 2000. VPNs and Firewalls. VPN Server behind the Firewall. VPN Server in front of the Firewall. VPN Interoperability. Summary. References. 8. Using IPsec and VPNs in Windows 2000. Using IPsec. IPsec Policies. Predefined IPsec Policies. Custom IPsec Policies. Using VPNs. Network Configuration. Domain Configuration. Security Configuration. Remote-Access Policy Configuration. Remote-Access Policies. Remote-Access Policy Conditions. Remote-Access Policy Permission. Remote-Access Policy Profile. Setting up VPNs. Remote-Access VPN Server Setup. VPN Client Setup. Router-to-Router VPN Connections. Summary. References. IV. TRUST BEYOND THE ENTERPRISE. 9. Extending Trust beyond the Enterprise. Local Registration Authorities. The LRA Model. LRA Deployment Models. VeriSign OnSite Service. Certificate Enrollment and Distribution. Certificate Management. Authentication Models. Controlling Access to the LRAA Web Site. Public versus Private Certification. Local Hosting. VerSign OnSite Automated Authentication Service. Networking of Local Trust Networks. VeriSign Gateway Service. VeriSign Go Secure! for Microsoft Exchange. Summary. References. 10. Trust in Business-to-Business Marketplaces. B2B Net Marketplaces. Trust. Distributed Trust Management. Verifiable Trust. B2B Trust Services. Authentication. Payment. Validation. Summary. References. V. SECURE NETWORK PROGRAMMING IN WINDOWS 2000. 11. Kerberizing Applications Using Security Support Provider Interface. SSPI and Windows 2000 Security Architecture. SSPI Functions. Using SSPI. Impersonation and Delegation. Sample Project: Using SSPI to Kerberize Applications. Summary. References. 12. Service Publication in Windows 2000 Active Directory. Service Publication and Connection Points. Service Connection Point (SCP). Host-Based Services. Replicable Services. Service Publication and Security. Service Principal Names. Sample Project: Using Connection Points for Service Publication. Summary. References. Appendix A. Glossary. Appendix B. Acronyms. Index. CD-Rom Warranty. 0201657783T04062001