or more network segments with the collection of network hosts considered the domain. Security rules are associated with domains. Users on client computers that use AD for authentication request authentication from an AD server in a network login process that is generally similar to the standard Windows login (without AD). Later revisions of Windows have simplified administration of AD through security trust models which provide a hierarchy of trust relationships with the ability to inherit trust models.
Within Windows, domain security models from multiple domains can be combined to manage security across multiple servers and organizational departments connected over a network. In many cases, users who have authenticated in one domain need to use resources in another domain. This requires one domain to trust another domain's users, which is known as inter-domain trust. These trust relationships are transitive by default and are reflected through the hierarchy of the domain tree, thus simplifying administration. Trust relationships can be one-way or reciprocal, and hierarchies of trust can be established (NT Security, 2005).
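The one-way versus reciprocal and transitive versus non-transitive distinctions above can be checked mechanically. The following Python is an added example, not code from the book or from Microsoft. It models a constructed forest of made-up domain names and answers whether a user authenticated in one domain can be authorised in another, i.e. whether a trust path exists; it also lists every domain that would honour a credential from a given domain, which is the set an administrator wants to know when reviewing the blast radius of a compromised account. The rule it encodes is an assumption stated in the code: a single trust edge always suffices, while a path of two or more hops is only valid when every edge on it is transitive.

```python
from collections import deque

# Constructed sample forest (domain names are made up). Each entry is
# (trusting_domain, trusted_domain, transitive): the trusting domain
# honours users authenticated by the trusted domain. A reciprocal trust
# is recorded as two one-way entries; parent/child links are reciprocal
# and transitive, as the text describes for the domain tree.
TRUSTS = [
    ("corp.example", "sales.corp.example", True),
    ("sales.corp.example", "corp.example", True),
    ("corp.example", "eng.corp.example", True),
    ("eng.corp.example", "corp.example", True),
    ("eng.corp.example", "lab.eng.corp.example", True),
    ("lab.eng.corp.example", "eng.corp.example", True),
    # One-way, non-transitive trust to an external partner domain.
    ("corp.example", "partner.example", False),
]


def trust_path(resource_domain, user_domain, trusts=TRUSTS):
    """Return the chain of domains through which resource_domain ends up
    trusting users of user_domain, or None if no such chain exists.

    Rule assumed here: a direct trust edge always counts, while a path of
    two or more hops is only valid when every edge on it is transitive.
    """
    if resource_domain == user_domain:
        return [resource_domain]
    for a, b, _ in trusts:
        if (a, b) == (resource_domain, user_domain):
            return [resource_domain, user_domain]
    transitive = {}
    for a, b, is_transitive in trusts:
        if is_transitive:
            transitive.setdefault(a, []).append(b)
    # Breadth-first search over transitive edges only.
    parent = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for nxt in transitive.get(current, []):
            if nxt in parent:
                continue
            parent[nxt] = current
            if nxt == user_domain:
                path = [nxt]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def trusts_users_of(resource_domain, user_domain, trusts=TRUSTS):
    """True if a user authenticated in user_domain can be authorised in
    resource_domain."""
    return trust_path(resource_domain, user_domain, trusts) is not None


def domains_honouring(user_domain, trusts=TRUSTS):
    """All domains (including user_domain itself) in which a user_domain
    credential is accepted: the reach of a compromised account there."""
    domains = {d for edge in trusts for d in edge[:2]}
    return sorted(d for d in domains if trusts_users_of(d, user_domain, trusts))


if __name__ == "__main__":
    print(trust_path("sales.corp.example", "lab.eng.corp.example"))
    print(domains_honouring("partner.example"))
```

Running it shows the tree behaving as the text says: the sales domain reaches the lab domain through two transitive hops via the root, whereas the non-transitive partner trust stops at the root and is never extended to the child domains.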
Use of AD enhances Windows security by providing simplified administration of the complex security models of medium to large sized organizations. This improves the Windows implementation of the psychological acceptability security principle by making it easier, and thus more likely, to implement a consistent enterprise-wide security model. The secure login process also enhances accountability, since we are more certain that the user is who they say they are.
Windows authentication is started using a trusted path (Loscocco et al., 1998; Yee, 2002), a trusted communication channel between the user and the secure system which can only be initiated by the user. A user name and password prompt are displayed using the GINA (Graphical Identification and Authentication) facility. This is a replaceable DLL which can be substituted with another DLL to provide a different form of authentication (for example, smartcards or fingerprint readers) (MSDN Tech Report: GINA). The user then enters a user name and password, and the local security authority is asked to authenticate the user using the password provided. The local security authority then invokes the authentication package provided with Windows, or may invoke a custom package to provide authentication.
The password provided by the user is converted to a cryptographic hash. The plain text version of the password entered by the user is discarded, and this cryptographic hash is compared to the cryptographic hash stored in a user database for the user being authenticated. If the entries match, then the security access token for that user is returned, containing the security identifier (SID) for the user. The Windows security identifier uniquely identifies every user and group on the local host or in the domain and is used to determine authorization privileges throughout the system (NT Security, 2005).
Logging in to a Windows domain uses a slightly different approach to the authentication process. Since a domain login will most likely be performed over a network, a nonce (a unique number generated only once) is used to reduce the possibility of a replay attack to gain passwords for a system. This nonce is used to encrypt the password before sending it from the client to the domain server. As with the local login, if the encrypted password matches, the user is considered authenticated and the security access token for the user is returned.
An alternative network login facility known as LAN Manager (LM) is supported in Windows for backwards compatibility. This login facility has a number of well-known and significant security weaknesses, as revealed by applications which can crack these passwords within 5-15 minutes (Lemos, 2003). Despite these weaknesses, the storage of these weak passwords has persisted for some time as a default option on many desktop versions of Windows, though it is possible to turn the feature off in some versions.