Internet Security Professional Reference: Windows NT Internet Security


PART IV
Modern Concerns

11  Windows NT Internet Security
12  Java Security
13  CGI Security
14  Viruses

Chapter 12
Windows NT Internet Security

The goal of this chapter is to investigate the security aspects of Windows NT and how you can incorporate Windows NT into an Internet or intranet strategy. This chapter concentrates on using Windows NT as an Internet web server or as a proxy server gateway that allows internal users to access the Internet while blocking Internet users from accessing internal resources. Important topics include:
  General Windows NT features related to security.
  Windows NT architecture and security subsystem.
  Environmental features related to security including domains, trust relations, user accounts, groups, rights, and permissions.
  Logon and authentication in the Windows NT environment.
  Internet connections and the use of Windows NT as a public web server.
  Microsoft Internet Information Server (IIS), a web server included with Windows NT.
  Microsoft Proxy server, a firewall-like product for Windows NT.

Windows NT Overview

The first thing to know about Windows NT is that two versions exist, both of which have the same core features, security system, and networking support.

  Windows NT Workstation. This version is designed to run applications at high performance for an individual user. Basically, Microsoft licenses this version for a limited number of users.
  Windows NT Server. This is the network file and application server version of Windows NT. While it has performance-enhancement features that improve access by multiple network users, a significant feature is that its licensing structure is designed for multi-user networks.


Note:  This chapter will discuss Windows NT Server unless otherwise noted.

Windows NT is designed to provide file and print services and an architecture for running client/server applications. It also supports remote communication services and Internet services. NT Server is an ideal platform for providing web services on the Internet or for use as a proxy server. It can also operate as a firewall with additional third-party software.

Microsoft’s marketing strategy for Windows NT has been to build in as many networking and Internet features as possible. In fact, Windows NT Server comes with a full web server component called the Internet Information Server (IIS), and a free evaluation copy of Microsoft Proxy Server is available for download from Microsoft’s web site.

Some additional features of Windows NT are as follows:

  Includes interoperability support for most network operating systems and supports most clients.
  Supports all the major networking protocols without the need to purchase additional options.
  Supports the following file sharing protocols: NCP (NetWare Core Protocol), SMB (Server Message Block), and HTTP.
  Supports distributed processing of applications across the network and mechanisms for sharing resources across the network.
  Includes integrated security at the core of the operating system, as discussed in the next section. Supports secure logon and authentication.
  A new Windows NT Domain Services feature provides an integrated, enterprise-wide information store for user accounts, computer information, security information, and other information.
  Supports control of the user’s desktop (Windows clients) through custom configuration files.
  Includes secure dial-up connectivity support for mobile and remote users in the form of the Remote Access Server (RAS).

Of course, a Microsoft representative could probably add about 50 more items to this list. The main point is that Microsoft has bloated Windows NT with features that are normally purchased separately with other operating systems. You can view a complete product summary list at Microsoft’s web site (http://www.microsoft.com).

Windows NT networks are based on the workgroup model or the domain model. In the workgroup model, user accounts and access are handled individually at each Windows NT computer. A workgroup is usually a small departmental network. In contrast, a domain is a large collection of servers and users, often representing an entire company or division of a company. In the domain model, a domain-wide user account database holds user accounts and provides a place for administrators to control access to the network. Once you successfully log on to a domain account, there is usually no need to log on again when accessing other systems in the domain, assuming you are authorized to access those systems.

