Internet Security Professional Reference: Windows NT Internet Security


Directory services generally provide better organization of user accounts and system resources for an organization. This provision makes security much easier to manage at the same time. Any number of OUs can be created to represent workgroups, departments, divisions, or other entities in the organization. Administrators can then manage the security of each OU independently, allowing fine granular control of how resources are accessed in an organization.

The hierarchical directory tree can hold over a million objects and provide far better performance than the older Registry. This allows for very large and complex directory structures.

Directory Services Security Features

Windows NT Directory Services holds all Windows NT domain security information, including security policies and account information. It can replicate security information to other domain controllers for ease of access at remote locations and to provide backup. Additional new security features include the following:

  Trust relationships between domains are handled through tree-wide transitive trust.
  Kerberos version 5 for network authentication.
  Public-key certification to provide strong authentication. Certificate Services allow organizations to issue X.509 version 3 certificates to employees or business partners. Certificates from commercial Certificate Authorities (CAs) can also be used. Administrators choose which CAs are to be used to authenticate users.
  Secure Sockets Layer (SSL) provides strong client authentication. User credentials within a public-key certificate are mapped to Windows NT user accounts.
  CryptoAPI provides security protocols for building secure private networks across public networks.

An important feature is the capability to authenticate users who may be unknown to the organization but who can be verified through some other means. For example, an organization may want to provide secure access to its web site to users who do not have a Windows NT account. It can do so by first creating a generic/public account that defines the type of access allowed. Second, it allows Windows NT to authenticate users based on public-key certificates they hold that were issued by an external Certificate Authority.

This last option ties in well with Microsoft Internet Information Server. It provides a potentially more secure way of verifying Internet users, as well as your own company's remote and mobile users who attempt to access your web services over the Internet. Certificates backed by public certificate authorities are an ideal way to authenticate such users. Refer to Chapter 10 for more information about certificates.
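The generic/public account scheme described above is, at its core, a mapping policy: a certificate issued by a CA the administrator trusts is mapped either to a specific Windows NT account (when the organization knows the holder) or to a generic account whose rights define what outsiders may do. The following Python is an added illustration of that policy and is not code from the book, from IIS, or from Microsoft; the certificate fields, fingerprints, account names and the `ClientCert`/`MappingPolicy`/`map_certificate` names are constructed for the example, and it assumes the SSL layer has already verified the certificate's signature chain before the mapping runs.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Optional


# Constructed, simplified view of the fields a web server reads from a client's
# X.509 v3 certificate after the SSL handshake has verified the signature chain.
# Field names are hypothetical, not IIS's.
@dataclass(frozen=True)
class ClientCert:
    subject: str              # subject DN, e.g. "CN=alice,O=Example Corp"
    issuer_fingerprint: str   # fingerprint of the issuing CA cert (constructed value)
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class MappingPolicy:
    # CAs the administrator has chosen to trust for user authentication.
    trusted_cas: FrozenSet[str]
    # One-to-one mappings: exact subject DN -> named Windows NT account.
    one_to_one: Dict[str, str]
    # Many-to-one mappings: issuer fingerprint -> generic/public account whose
    # rights define what certificate holders from that CA are allowed to do.
    many_to_one: Dict[str, str]


def map_certificate(cert: ClientCert, policy: MappingPolicy, now: datetime) -> Optional[str]:
    """Return the NT account a certificate maps to, or None if it is rejected."""
    # 1. Only CAs the administrator explicitly trusts may vouch for users.
    if cert.issuer_fingerprint not in policy.trusted_cas:
        return None
    # 2. Reject certificates outside their validity period.
    if not (cert.not_before <= now <= cert.not_after):
        return None
    # 3. A specific user mapping takes precedence over the generic account.
    account = policy.one_to_one.get(cert.subject)
    if account is not None:
        return account
    # 4. Otherwise fall back to the generic/public account for this CA, if any.
    return policy.many_to_one.get(cert.issuer_fingerprint)


# Constructed sample policy and certificates (no real CAs or fingerprints).
EXTERNAL_CA = "sha1:EXTERNAL-CA-FINGERPRINT-CONSTRUCTED"
UNKNOWN_CA = "sha1:UNKNOWN-CA-FINGERPRINT-CONSTRUCTED"

POLICY = MappingPolicy(
    trusted_cas=frozenset({EXTERNAL_CA}),
    one_to_one={"CN=alice,O=Example Corp": "EXAMPLE\\alice"},
    many_to_one={EXTERNAL_CA: "EXAMPLE\\WebPublic"},
)

NOW = datetime(1998, 6, 1, tzinfo=timezone.utc)
VALID_FROM = datetime(1998, 1, 1, tzinfo=timezone.utc)
VALID_TO = datetime(1999, 1, 1, tzinfo=timezone.utc)


def demo() -> Dict[str, Optional[str]]:
    """Run the policy over constructed certificates; returns case -> account."""
    cases = {
        # Known employee with a specific one-to-one mapping.
        "employee": ClientCert("CN=alice,O=Example Corp", EXTERNAL_CA, VALID_FROM, VALID_TO),
        # Business partner the organization has never seen: generic account.
        "partner": ClientCert("CN=bob,O=Partner Ltd", EXTERNAL_CA, VALID_FROM, VALID_TO),
        # Certificate from a CA the administrator did not trust: rejected.
        "untrusted": ClientCert("CN=bob,O=Partner Ltd", UNKNOWN_CA, VALID_FROM, VALID_TO),
        # Trusted CA but the certificate has expired: rejected.
        "expired": ClientCert("CN=carol,O=Partner Ltd", EXTERNAL_CA,
                              datetime(1996, 1, 1, tzinfo=timezone.utc),
                              datetime(1997, 1, 1, tzinfo=timezone.utc)),
    }
    return {name: map_certificate(cert, POLICY, NOW) for name, cert in cases.items()}


if __name__ == "__main__":
    for name, account in demo().items():
        print(f"{name:10s} -> {account}")
```

The ordering matters: the trust and validity checks run before any lookup, so a certificate from an unlisted CA never reaches the generic account even if its subject DN happens to match a known user. The mapping is only the authorization half of the scheme; signature verification and revocation checking belong to the SSL layer that presents the certificate.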

Summary

The next version of Windows NT will include full support for directory services. With security services, the way you manage Windows NT security for internal networks and the Internet is sure to change.

After discussing some basics of the Windows NT operating system and architecture, this chapter covered much of what you need to know as an administrator of Windows NT: user access, trust relationships, rights and privileges, and so on. In addition, you learned about security on an intranet and about using IIS and Microsoft Proxy Server. Lastly, it discussed the new NT Directory Services model. Now that you have the basics of Windows NT down, you'll learn about Java security.
