CHAPTER 16
SECURING ACCESS IN A HETEROGENEOUS NETWORK
ENVIRONMENT
Definition: Heterogeneous clients are non-Microsoft clients that require access to resources in a Microsoft
Windows 2000 network.
======================================================================
winsec16.html PAGE
2 2002/05/04
Lesson 1:
Providing Interoperability Between Windows 2000 and
Heterogeneous Networks
Microsoft offers three services that allow Windows 2000 to provide both authentication
and resource access capabilities to heterogeneous networks. They are the following:
AppleTalk Network Integration Services
You can use AppleTalk Network Integration Services to allow Macintosh client computers to securely
access resources in a Windows 2000 network.
NOTE: File Services for Macintosh and Print Services for Macintosh were formerly known as Services
for Macintosh. File Services for Macintosh allow Macintosh users to authenticate with the network and
access file resources by creating Macintosh-accessible volumes. Print Services for Macintosh allow
Macintosh users to access print servers in a Windows 2000 network.
Microsoft Services for NetWare 5.0
Microsoft Services for NetWare 5.0 is an add-on product that allows integration of Windows 2000 and
Novell NetWare networks through the following utilities:
Microsoft Directory Synchronization Services (MSDSS). Allows directory synchronization
between Active Directory and Novell Directory Services (NDS).
File and Print Services for NetWare (FPNW). Allows a Windows 2000 server to
emulate a NetWare 3.x server and provide file and print services to NetWare clients.
Microsoft Services for UNIX 2.0
Microsoft Services for UNIX version 2.0 is an add-on product that allows the integration of
Windows 2000 and UNIX clients in a single network. Services for UNIX 2.0 include the following
components:
NFS software. Includes an NFS client, NFS server, and NFS gateway. The NFS gateway allows
a Windows 2000 server to publish UNIX NFS data as a Windows 2000 share so that Microsoft
clients can connect to NFS resources without installing NFS client software.
Telnet services. Includes a Telnet server that allows up to 64 connections and a Telnet client for
connecting to a Telnet service on a UNIX computer.
Management tools. Includes the Services for UNIX MMC console for managing the various Services
for UNIX utilities and the ActivePerl script engine.
Network Information Service (NIS). Includes the Server for NIS, which integrates NIS with Active
Directory to provide a single directory service.
Two-Way Password Synchronization. Provides the ability to synchronize passwords between Active
Directory and UNIX systems.
User Name Mapping. Allows Windows 2000 account names to be mapped to UNIX User
Identifiers (UIDs) so that a user connecting to an NFS resource doesn’t have to provide alternate
credentials for the UNIX systems.
*** See the chart on page 659 ***
Lesson Summary:
networks in a secure manner.
heterogeneous clients use the same security model as Windows 2000 clients.
Lesson 2:
Securing Authentication in a Heterogeneous Network
When designing access to Windows 2000 networks by heterogeneous (non-Microsoft) clients,
you must ensure the integrity of the authentication process.
Authentication associates a user with a security principal within Active Directory.
Securing Authentication for Macintosh Clients
File Services for Macintosh supports users authenticating with Active Directory from Macintosh
client computers. File Services for Macintosh requires that Macintosh clients authenticate using
accounts stored in Active Directory.
When authenticating with the Windows 2000 network, Macintosh users can use any of the
following authentication methods:
No authentication. If guest access is enabled on the Windows 2000 server, a Macintosh
user can connect by using the Guest account.
Apple Clear Text. Passwords are passed in clear text from the Macintosh client to the
Windows 2000 server. Clear text authentication is available for Macintosh users who use
the standard AppleShare client software or System 7 File Sharing.
Apple Standard Encryption. Allows encrypted passwords up to 8 characters in length. The
password isn't transmitted on the network. Instead, a hash algorithm is executed
against a random number using the user's password. At the server, the same password is
used to perform the hash algorithm against the same random number, and the results are compared.
NOTE: This process requires the password to be stored in reversibly encrypted format at the
server.
Microsoft User Authentication Module (MS-UAM). Allows encrypted passwords up to 14
characters in length. MS-UAM also requires the password to be stored in reversibly encrypted format.
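The trade-off described above (a random-number challenge keeps the password off the wire, but the server can only verify the reply if it holds the password in reversibly encrypted form) as a runnable model. This is an added example, not code from the course notes and not Apple's actual algorithm: the HMAC-SHA256 keyed hash, the MacFileServer class and the account mmartin are stand-ins.

```python
import hashlib
import hmac
import os


def make_response(password, challenge):
    """Client side of the challenge/response methods: a keyed hash of the server's
    random number, keyed with the password (HMAC-SHA256 stands in for Apple's)."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class MacFileServer:
    """Toy stand-in for File Services for Macintosh. reversible=True models an
    account stored with reversible encryption (kept in the clear here);
    reversible=False models the usual one-way salted hash."""

    def __init__(self, reversible):
        self.reversible = reversible
        self.accounts = {}

    def add_user(self, user, password):
        if self.reversible:
            self.accounts[user] = ("plain", password)
        else:
            salt = os.urandom(8)
            digest = hashlib.sha256(salt + password.encode()).digest()
            self.accounts[user] = ("hash", salt, digest)

    def login_clear_text(self, user, password):
        """Apple Clear Text: the password itself is on the wire, so the server
        can check it against either storage form (and so can any sniffer)."""
        rec = self.accounts.get(user)
        if rec is None:
            return False
        if rec[0] == "plain":
            return hmac.compare_digest(rec[1].encode(), password.encode())
        _, salt, digest = rec
        return hmac.compare_digest(digest, hashlib.sha256(salt + password.encode()).digest())

    def login_challenge(self, user, challenge, response):
        """Apple Standard Encryption / MS-UAM style: only the response crosses
        the network. Verifying it means recomputing it, which needs the password."""
        rec = self.accounts.get(user)
        if rec is None or rec[0] != "plain":
            return False  # a one-way hash cannot be turned back into the key
        return hmac.compare_digest(make_response(rec[1], challenge), response)


def demo():
    """Run both methods against constructed sample data; returns a result map."""
    pw = "s3cret!pw"  # constructed sample account
    reversible, one_way = MacFileServer(True), MacFileServer(False)
    reversible.add_user("mmartin", pw)
    one_way.add_user("mmartin", pw)
    # Fixed challenges stand in for the server's os.urandom() random numbers.
    c1, c2 = bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")
    r1 = make_response(pw, c1)  # what a sniffer would capture for challenge c1
    return {
        "clear_text_either_storage": reversible.login_clear_text("mmartin", pw) and one_way.login_clear_text("mmartin", pw),
        "challenge_with_reversible_storage": reversible.login_challenge("mmartin", c1, r1),
        "challenge_with_one_way_hash": one_way.login_challenge("mmartin", c1, r1),
        "captured_r1_replayed_against_c2": reversible.login_challenge("mmartin", c2, r1),
        "wrong_password": reversible.login_challenge("mmartin", c1, make_response("guess", c1)),
    }
```

The model shows the cost on each side: clear text works with any storage form but exposes the password in transit, while the challenge method exposes nothing useful to a sniffer (a captured reply does not validate against a fresh challenge) at the price of keeping the password recoverable on the server.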
Making the Decision
*** See the table on page 662 ***
Securing Authentication for Novell Clients
A Windows 2000 Server running FPNW emulates a NetWare 3.x server and allows NetWare
clients to authenticate with the Windows 2000 server. NetWare clients can access file and print
services hosted by the Windows 2000 server using native NetWare commands and utilities.
NOTE: FPNW requires that the NetWare clients connect to the FPNW server using IPX/SPX
protocols. Configure the FPNW server to use the same frame type and internal network to
ensure connectivity by NetWare clients. Failure to do so can result in the FPNW server being
unavailable to NetWare clients.
To allow users to authenticate with Active Directory by using a NetWare client, configure user
accounts as NetWare-enabled accounts in Active Directory Users And Computers.
Securing Authentication for UNIX clients
UNIX clients can use several methods to authenticate with a Windows 2000 network. The
choice will depend primarily on the application that’s used to access data on the Windows 2000
server.
Clear Text. Several Windows Sockets (WinSock) applications can use clear text authentication
when authenticating with a Windows 2000 domain controller. Among the common applications,
Telnet, POP3, FTP and IMAP4 all use clear text authentication.
NOTE: These applications can use either SSL or IPSec to encrypt transmissions between the
client and the server and so protect the clear text authentication.
Network Information Service (NIS). Server for NIS allows UNIX clients to authenticate against a NIS
database that is integrated with Active Directory.
NT LAN Manager (NTLM). Samba, a NetBIOS server for UNIX workstations, allows file
access using Server Message Blocks (SMBs). If the UNIX clients are running Samba version
2.0.6 and later, NTLM authentication can be used for authenticating the user accounts.
Kerberos. Used to authenticate UNIX users by using accounts in Active Directory. To use
Kerberos, you must either configure the UNIX clients to use Active Directory domain controllers
as their Kerberos Key Distribution Center (KDC) or implement inter-realm trust relationships
between the Kerberos realm and the Windows 2000 domain.
Making the Decision
When you design secure authentication for UNIX clients, you should include the following in
your security plan:
Identify the application that UNIX clients will use for accessing resources on the Windows
2000 network. Each application will have a specific form of required authentication.
Design an authentication infrastructure to support the deployed applications. The
infrastructure you design will vary based on the required authentication mechanisms.
Create accounts in Active Directory where necessary. Kerberos authentication and
authentication associate UNIX UIDs with Active Directory user accounts.
Lesson Summary:
Until a non-Microsoft user authenticates with the Windows 2000 network, there’s no way to
apply the Windows 2000 security model to the heterogeneous client sessions.
By using Windows 2000 add-on services, you can ensure that authentication is encrypted to
protect the Windows 2000 user credentials.
Lesson 3:
Designing Directory Synchronization and Integration
When designing a secure network that includes multiple directories, consider how the directories
will integrate. The goal is to allow a user to authenticate to the heterogeneous network using a
single user account and password. All network operating systems and services should recognize
the single set of credentials.
You also must plan directory integration to prevent changes in one directory service from
overwriting directory modifications in another directory service. By defining which directory
service is authoritative for specific attributes, you can decentralize the management of directory
data to specific departments.
Kerberos v5 is used by both Active Directory and several UNIX deployments.
Synchronizing Active Directory with a Novell Directory
User accounts in a NetWare environment can synchronize their passwords with an Active
Directory user account by using the MSDSS application included in Windows Services for
NetWare 5.0. The MSDSS application allows passwords to be synchronized between
Novell Directory Services (NDS) user accounts and Active Directory user accounts based
on mappings configured in MSDSS.
Securely Synchronizing Multiple Directories
Microsoft Metadirectory Services (MMS) 2.2 allows integration of identity information from
multiple directory services. By using MMS, you ensure that the organization has a single
authoritative directory store that collects all of its information from multiple existing directories.
MMS establishes a single directory by deploying a metadirectory. It is a combination of Active
Directory, LDAP directory, NDS Directory, and E-Mail Service.
The metadirectory not only merges information from multiple directories into a single source, but it
can also synchronize those changes to all directory services in an organization.
A metadirectory allows you to define ownership rules. You can designate which directory is
authoritative for each attribute.
Management agents maintain synchronization between the metadirectory and the source directories.
Management agents import data into the metadirectory and export metadirectory data to the
correct directory assigned to the management agent.
*** See the Making the Decision section on page 671 ***
Applying the Decision
While MSDSS allows password synchronization between NetWare NDS directories and
Active Directory, MMS provides greater flexibility when deciding how attribute
control is delegated. For example, imagine that user modifications performed in NDS are
being overwritten with previous data stored in Active Directory during the migration from
NetWare to Windows 2000.
The management agent also prevents any attempts by Active Directory to update objects
stored in the OU. Because of the ability of MMS to delegate management of specific attributes,
it may be desirable for Blue Yonder Airlines to use MMS instead of MSDSS.
Integrating Active Directory with Kerberos Realms
Windows 2000 uses Kerberos v5 authentication as the default authentication mechanism.
Kerberos allows Windows 2000 and UNIX clients to interoperate and authenticate with
each other.
Using Active Directory as the Kerberos realm. Configure UNIX clients to use
Windows 2000 domain controllers as their Kerberos KDCs. All authentication of UNIX Kerberos clients
is performed using accounts stored in Active Directory.
Using Windows 2000 Professional in an existing Kerberos realm. Configure
Windows 2000 Professional client computers to authenticate with a UNIX KDC in a
Kerberos realm. If this is required, configure the Windows 2000 Professional computer
to be a member of a workgroup.
Creating a Kerberos inter-realm trust. This trust relationship allows ticket granting
tickets (TGTs) to be issued for resources located in another Kerberos realm or Windows
2000 domain.
NOTE: This process requires the passwords in the UNIX realm and Windows 2000
domain to be synchronized.
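The three options above, expressed as the client-side Kerberos configuration (krb5.conf) a UNIX administrator would write for options 1 and 3. This is an added example, not from the course notes; the realm names CORP.EXAMPLE.COM and UNIX.EXAMPLE.COM, the host names and the enctype list are assumptions.

```ini
# Added example (not from the course notes). Assumed names: Windows 2000 domain
# corp.example.com (Kerberos realm CORP.EXAMPLE.COM, domain controllers dc1 and
# dc2) and an existing UNIX realm UNIX.EXAMPLE.COM whose KDC is kdc1.
[libdefaults]
    # Option 1 above: Active Directory is the client's own realm, so the
    # domain controllers are listed as its KDCs in [realms].
    default_realm = CORP.EXAMPLE.COM
    dns_lookup_kdc = false
    forwardable = true
    # A Windows 2000 KDC issues RC4-HMAC or single-DES tickets. Current MIT
    # clients treat DES as weak and refuse it unless allow_weak_crypto = true;
    # list only rc4-hmac once the domain no longer needs DES.
    default_tkt_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = rc4-hmac des-cbc-md5 des-cbc-crc

[realms]
    CORP.EXAMPLE.COM = {
        kdc = dc1.corp.example.com:88
        kdc = dc2.corp.example.com:88
        admin_server = dc1.corp.example.com
        default_domain = corp.example.com
    }
    # Option 3: the pre-existing UNIX realm that the Windows 2000 domain trusts.
    UNIX.EXAMPLE.COM = {
        kdc = kdc1.unix.example.com:88
        admin_server = kdc1.unix.example.com:749
    }

[domain_realm]
    .corp.example.com = CORP.EXAMPLE.COM
    corp.example.com = CORP.EXAMPLE.COM
    .unix.example.com = UNIX.EXAMPLE.COM
    unix.example.com = UNIX.EXAMPLE.COM

[capaths]
    # Direct inter-realm path in each direction ("." means no intermediate
    # realm). Each direction needs a cross-realm principal, for example
    # krbtgt/CORP.EXAMPLE.COM@UNIX.EXAMPLE.COM, whose key is identical on both
    # KDCs; that shared key is the "synchronized password" the note above means.
    UNIX.EXAMPLE.COM = {
        CORP.EXAMPLE.COM = .
    }
    CORP.EXAMPLE.COM = {
        UNIX.EXAMPLE.COM = .
    }
```

Option 2 is configured on the Windows 2000 Professional computer itself with the Ksetup tool (ksetup /setrealm, ksetup /addkdc) rather than with a krb5.conf, and that computer must be a workgroup member as the notes say.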
Making the Decision
When determining what form of Kerberos interoperability to use in a mixed network,
consider the following design issues:
Lesson Summary:
organization. The implementation of a uniform directory requires planning to ensure that
attributes modified in one directory aren’t changed by entries in another directory.
the authentication or whether the directories must coexist and allow the forwarding of
authentication requests between the multiple directories.
Lesson 4:
Securing Access to Windows 2000 Resources
To make Windows 2000 network resources available to heterogeneous clients, you must be
sure that only authorized users access those resources.
Securing Macintosh Access to Windows 2000 Resources
Windows 2000 supports resource access for Macintosh clients through Microsoft’s File
Service for Macintosh and Print Services for Macintosh.
Securing File Access
Macintosh clients are able to connect to the Windows 2000-based server using either the
AppleTalk phase 2 protocol or, if AppleShare client version 3.7 or later is installed on
the Macintosh clients, Apple Filing Protocol (AFP) over TCP/IP.
Windows 2000 allows the Macintosh clients to access the server by using Mac-accessible
volumes that are predefined at the Windows 2000 server.
A Mac-accessible volume is an entry point to an NTFS volume on a Windows 2000-
based server.
Macintosh permissions are assigned to three categories of users for all folders: Owner (the
user who creates the folder), Primary Group (each folder is associated with a specific
Macintosh group, which can be any global group in the domain), and Everyone (all
other users who have permissions to access the folder, including users connecting with
Guest credentials).
Securing Print Access
AppleTalk provides no native mechanisms for securing printer access in a Macintosh network.
You can implement print security by changing the service account associated with the MacPrint
service to a specific user account rather than the default of the System Account. You can then
restrict access to specific printers by assigning the new service account Print permissions only
to the printers accessible to Macintosh users.
Securing NetWare Access to Windows 2000 Resources
FPNW allows a Windows 2000-based server to provide secure access to file and print
resources to NetWare clients using NetWare Core Protocol (NCP).
Securing File Access
You can provide file access to NetWare clients by defining Novell volumes in the Computer
Management console. Setting permissions on the NetWare volumes can restrict access to
authorized users. Defining NTFS permissions on folders and files within the NetWare volume
also affects effective permissions.
NOTE: The user account named FPNW Service Account must have Read permissions for
the directory that’s the root of a NetWare volume.
Securing Print Access
All shared printers hosted by the Windows 2000-based server running FPNW are accessible
to both Windows and NetWare client computers. NetWare clients use the share name defined
for the printer as the queue name for the printer. You can control printer access by assigning
Print permissions to groups that contain the NetWare-enabled user accounts.
NOTE: Within File and Print Services for NetWare, you can define a default queue to which
NetWare clients will connect for printing.
Securing UNIX Access to Windows 2000 Resources
UNIX clients can use several methods to access resources stored in a Windows network.
UNIX clients can use NFS, WINSock applications, and SMB clients to access file resources
on a Windows 2000-based server.
Securing File Access
Services for UNIX 2.0 provides an NFS Server service that allows UNIX clients using
NFS client software to access file resources.
The UNIX client doesn’t have to provide alternate credentials when connecting to Server for
NFS. Instead, Services for UNIX uses the User Name Mapping console to map UNIX UIDs
and GIDs to Windows 2000 user accounts and group accounts.
Once the Windows 2000 user account is identified, access to the NFS data is determined
using the DACLs defined for the NFS folders.
NOTE: You can protect authentication by using either SSL (if supported by the application)
or IPSec to encrypt all the data that’s transmitted.
NOTE: If a mapping can't be found, the UNIX UID is mapped to the anonymous logon
account. This account has very limited privileges.
Alternatively, you can use a WinSock application such as FTP or Telnet to access file resources.
Finally, Samba and other SMB clients for UNIX allow Server Message Block (SMB) access
to Windows 2000 resources. SMB clients authenticate by submitting user accounts and
passwords that exist in Active Directory. Depending on the version of the SMB client software,
the authentication is presented as either a clear text or an NTLM transmission.
NOTE: The LPD service isn’t set to start automatically. You must configure the startup option
to start automatically to ensure that UNIX clients are still able to submit print jobs if the Windows
2000-based server hosting the LPD service is restarted.
Securing Print Access
You can support print access by UNIX clients by installing Microsoft Print Services for UNIX.
Print Services for UNIX installs a Line Printer Daemon (LPD) service on the Windows 2000-
based server that allows UNIX clients running the LPR service to send documents to the LPD
service.
*** See the Making the Decision section on page 681 ***
Lesson Summary:
Windows 2000 provides several services that allow heterogeneous clients to authenticate and
access resources stored on a Windows 2000-based server.
Although different protocols are used, you can implement standard Windows 2000 security
once the heterogeneous client user authenticates with the Windows 2000-based server.
Lesson 5:
Securing Windows 2000 User Access to Heterogeneous
Networks
When designing access to resources stored in heterogeneous networks by Microsoft clients,
you can provide secure access by using one of two methods: native clients or gateway services
(CSNW and GSNW).
The native clients method requires that additional client software be loaded at the Microsoft
clients.
The gateway services method runs a gateway on a Windows 2000-based server; the gateway
publishes resources from the heterogeneous network so that Microsoft clients can access the
data through the gateway.
Securing Access to NetWare Resources
Many networks use NetWare servers for file and print services. You can provide Windows
2000 Professional-based computers with access to NetWare resources by installing Client
Services for NetWare (CSNW) or by installing Novell Client v4.8 for Windows NT/2000
from Novell NetWare.
Both clients require a user account in the NetWare environment that allows the user to
authenticate with the NetWare environment.
NOTE: CSNW requires the installation of the NWLink IPX/SPX Compatible Transport.
Providing Access to NetWare Resources by Using a Native
Client
Windows 2000 Professional-based computers can access NetWare resources by installing
either CSNW or the NetWare Client v4.28 for Windows NT/2000.
To use the native NetWare clients, include the following in your network security deployment
plan:
Providing Access to NetWare Resources by Using a Gateway
If you plan to use GSNW to provide access to NetWare resources, consider the following
items when designing your security plan:
The gateway account must be a member of the Ntgateway group on the NetWare server.
All users share the gateway account when accessing NetWare resources
through GSNW. Individual users aren't identified when accessing NetWare resources
through the GSNW gateway.
NetWare permissions are assigned to the gateway account on the NetWare server. IPX/SPX must
be run in the NetWare environment.
Available drive letters limit the number of GSNW shares. You can connect to NetWare servers
only if available drive letters exist at the GSNW server. If no drive letters are available, you
can't establish future connections.
*** Review the decision chart on page 688 ***
Securing Access to UNIX Resources
In some mixed networks Windows 2000 users have to access resources stored on UNIX
servers. As with NetWare resources, you can provide access either directly to users or
through a gateway service.
Providing Access to UNIX Resources with UNIX client software
To allow Windows-based computers to connect to NFS resources in a UNIX environment,
Services for UNIX 2.0 provides the Client for NFS. A Windows 2000-based computer
with the Client for NFS installed is able to connect to NFS shares on UNIX servers by
using the same methods used to connect to Windows 2000 shares.
User Name Mapping sends the associated UID and GID to Client for NFS, which submits
the account information to the NFS server for authentication and authorization.
When planning to provide secure Windows 2000 client access to NFS shares on UNIX
server, include the following tasks in your design:
Providing Access to UNIX Resources by Using a Gateway
Gateway for NFS allows Windows 2000 users to connect to UNIX NFS shares without
installing NFS client software at each Windows 2000-based client computer.
When planning a Gateway for NFS deployment to allow access to UNIX NFS shares,
address the following issues in your design:
Lesson Summary:
servers, you must decide whether to provide individual access or collective access.
UNIX UIDs and GIDs so that the connecting user doesn't have to provide additional credentials.
IN CLASSROOM: