Starting with Windows XP and Windows Server 2003, Microsoft changed the way access to shared resources is controlled. In the Local Security Policy (or in a domain Group Policy), the setting "Network access: Sharing and security model for local accounts" can take one of two values:
Classic - network logons that use a local account are authenticated as that account (local users authenticate as themselves).
Guest only - network logons that use a local account are always authenticated as Guest.
Guest only is useful on systems that share a large number of files: it gives every remote user the same level of access to all shared data. We recommend leaving the setting at Classic, because it is always better to know exactly who has access to which resources.
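The following PowerShell script is an added example and is not code from the book. It assumes the setting is stored, as documented by Microsoft, in the REG_DWORD value ForceGuest under HKLM\SYSTEM\CurrentControlSet\Control\Lsa (0 = Classic, 1 = Guest only); the function names are the author's own. It reports the model in force, cross-checks it against what secedit exports as the effective security policy, and switches the machine to Classic if it is running Guest only.

```powershell
# Added example: audit the "Network access: Sharing and security model for
# local accounts" policy and correct it to Classic.
# Assumption (documented registry location): REG_DWORD ForceGuest under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa, 0 = Classic, 1 = Guest only.
# The policy only affects network logons that use *local* accounts.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LocalAccountSharingModel {
    # Read ForceGuest; a missing value means the platform default applies.
    $value = (Get-ItemProperty -Path $lsaKey -Name ForceGuest -ErrorAction SilentlyContinue).ForceGuest
    switch ($value) {
        0       { 'Classic' }
        1       { 'Guest only' }
        default { 'Not set (platform default applies)' }
    }
}

function Set-LocalAccountSharingModelClassic {
    # Requires an elevated prompt. 0 = Classic: local users authenticate as themselves.
    Set-ItemProperty -Path $lsaKey -Name ForceGuest -Value 0 -Type DWord
}

function Get-ForceGuestFromSecedit {
    # Cross-check: secedit exports the same policy as the line
    #   MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest=4,<value>
    # in the [Registry Values] section of the exported template.
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas SECURITYPOLICY /quiet | Out-Null
    $line = Select-String -Path $cfg -Pattern 'Lsa\\ForceGuest=4,(\d)'
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if ($line) { [int]$line.Matches[0].Groups[1].Value } else { $null }
}

$model = Get-LocalAccountSharingModel
Write-Host "Registry says:        $model"
Write-Host "secedit export says:  ForceGuest = $(Get-ForceGuestFromSecedit)"

if ($model -eq 'Guest only') {
    Write-Warning 'Guest only: every network logon with a local account is mapped to Guest. Switching to Classic.'
    Set-LocalAccountSharingModelClassic
    Write-Host "Model is now: $(Get-LocalAccountSharingModel)"
}
```

Run it from an elevated prompt on the server you are auditing. A discrepancy between the registry value and the secedit export usually means a domain Group Policy is overriding the local setting; in that case, change it in the GPO rather than on the individual machine.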
Using .NET Passport Authentication Data
One of the most interesting features of the new Windows Server 2003 operating system is the ability to use .NET Passport credentials to authenticate to Active Directory accounts. Microsoft .NET Passport is a web-based authentication service operated by Microsoft. More information about the service can be found in the sources listed in the "References and Further Reading" section at the end of this chapter, and in Hacking Exposed: Web Applications by Joel Scambray, Mike Shema, Yen-Ming Chan and David Vaughn (Williams, 2003).
The main advantage of using Passport credentials for Active Directory accounts is that users can be given access to Windows resources without any of the Windows authentication protocols. Consider, for example, a business-to-consumer (B2C) Internet service built on Active Directory that does not want to expose NTLM authentication to remote users. Passport simplifies the task of authenticating users across the Internet, and the service is almost entirely operated by a third party (Microsoft).
Users need no special effort to take part in this kind of authentication; the work falls on the server side. Because the Passport service uses a key-based authentication method, the organization must become an official Passport partner, be added to the appropriate lists, and install the Passport SDK, together with the key issued to it, on its application servers. This allows the application to decrypt the authentication data returned by the Passport service and authenticate the user. In addition, the Passport service imposes a number of strict requirements and carries out thorough testing before an organization is allowed to deploy Passport authentication.
After registering with the Passport service, you configure the IIS resources. This is a simple process: at this point you select the AD domain whose users require .NET Passport authentication.
Once the Passport service has authenticated a user, the application can map that identity to an Active Directory account and use Active Directory to authorize the user.
Using Passport to authenticate users opens interesting prospects for companies that want to manage authorization for their web applications through their AD infrastructure, but do not forget the preparatory work. The presence of a simple .NET Passport Authentication check box in the Active Directory Users and Computers snap-in does not mean that you already have an application that successfully uses Passport authentication.
What effect does Passport authentication have on the security of the system? The security of the service is difficult to assess, because at the time of writing it is unique and competitors will not appear for some time. Not long ago, several serious security issues were identified in the service.