

Lesson 1: Understanding the New Authentication Protocols in Windows 2000

Microsoft Windows NT 4.0 included support for several protocols used to verify the credentials of users connecting to the network over a remote access link, plus one tunneling protocol that carries those connections. These protocols included the following:

  • Password Authentication Protocol (PAP), which sends the password in clear text
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)
  • Shiva Password Authentication Protocol (SPAP), which uses Shiva's reversible password encryption and is little stronger than PAP
  • Point-to-Point Tunneling Protocol (PPTP), a tunneling rather than an authentication protocol; it carries a PPP session, and that PPP session is authenticated with one of the methods above

Windows 2000 includes support for these and several additional protocols that significantly increase your authentication, encryption, and multilinking options. The new protocols supported by Windows 2000 are Extensible Authentication Protocol (EAP), Remote Authentication Dial-In User Service (RADIUS), Internet Protocol Security (IPSec), Layer-Two Tunneling Protocol (L2TP), Bandwidth Allocation Protocol (BAP), and Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). Only EAP and MS-CHAP v2 are authentication protocols in the strict sense; RADIUS moves authentication and accounting to a central server, IPSec and L2TP provide tunneling and encryption, and BAP manages multilink bandwidth. MS-CHAP v2, which this lesson does not cover further, differs from MS-CHAP in that the server also proves knowledge of the user's password to the client (mutual authentication) and in that separate encryption keys are derived for each direction of the link.

Extensible Authentication Protocol (EAP)

EAP is an extension to PPP that lets an arbitrary authentication mechanism validate a dial-in or VPN connection. The exact authentication method is negotiated by the dial-in client and the remote access server within the PPP link; the server offers only the methods an administrator has enabled, so the set of acceptable methods is controlled on the server, not by the client. EAP supports authentication by using the following schemes:

  • Generic token cards. These are physical devices that produce passwords. Token cards can use several authentication methods, such as one-time codes that change with each use.
  • Message Digest 5 Challenge Handshake Authentication Protocol (MD5-CHAP). This is CHAP carried inside EAP. The server sends a random challenge; the client returns the MD5 hash of the challenge identifier, the user's password, and the challenge, so the password itself never crosses the link. The hash is not encryption: the server must hold the password in clear text or reversibly encrypted form to verify it, the exchange does not authenticate the server to the client, and anyone who captures the challenge and response can test password guesses offline. MD5-CHAP also produces no session keys, so a connection authenticated this way cannot use MPPE data encryption.
  • Transport Layer Security (TLS), used by EAP as EAP-TLS. TLS is used for smart card support or other certificates. Smart cards require a card and a reader. The smart card stores the user's certificate and private key, and the private key never leaves the card; the client proves possession of it by signing during the TLS handshake, and the server presents its own certificate, so authentication is mutual.

Through the use of the EAP application programming interfaces (APIs), independent software vendors can supply new client and server authentication modules for technologies such as token cards, smart cards, biometric hardware such as retina scanners, or one-time password systems. EAP allows for the support of authentication technologies that are not yet developed. EAP authentication methods are added on the Security tab of the remote access server's Properties dialog box.
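
To make the MD5-CHAP point concrete, here is the challenge-response computation of RFC 1994 (which EAP's MD5-Challenge method reuses) with both sides of the exchange, followed by the offline guessing an eavesdropper can do with one captured exchange. This is an added example, not code from the training kit; the identifier, the secret, and the word list are constructed for the demonstration.

```python
"""CHAP / EAP-MD5 challenge-response (RFC 1994; the MD5-Challenge method of RFC 2284).
Added illustration, not code from the training kit.  The secret, identifier and
word list used below are constructed for the example."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response = MD5(Identifier || secret || Challenge), RFC 1994 section 4.1.
    The secret is mixed into the hash but is never sent on the link."""
    if not 0 <= identifier <= 255:
        raise ValueError("the CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def new_challenge(length: int = 16) -> bytes:
    """Authenticator side: the challenge must be unpredictable and never reused,
    otherwise a captured response can simply be replayed."""
    return os.urandom(length)


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side.  Note what this needs: the clear-text secret.  A server
    that stores only one-way password hashes cannot verify CHAP or MD5-CHAP."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, candidates):
    """What an eavesdropper can do with one captured exchange: identifier, challenge
    and response all travel in clear, so each password guess costs one MD5.
    Returns the matching candidate, or None."""
    for guess in candidates:
        if hmac.compare_digest(chap_response(identifier, guess, challenge), response):
            return guess
    return None


def run_exchange(secret: bytes, client_secret: bytes, identifier: int = 1):
    """Drive one exchange: server challenges, client answers with its copy of the
    secret, server verifies with the stored copy.  Returns (accepted, challenge, response)."""
    challenge = new_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return chap_verify(identifier, secret, challenge, response), challenge, response


if __name__ == "__main__":
    stored = b"Winter2000"                      # constructed: the server's stored secret
    ok, ch, resp = run_exchange(stored, stored)
    print("correct password accepted:", ok)
    ok, _, _ = run_exchange(stored, b"Summer2000")
    print("wrong password accepted:", ok)
    # An eavesdropper replays the captured (id, challenge, response) against a word list.
    wordlist = [b"password", b"Summer2000", b"Winter2000"]   # constructed
    print("recovered offline:", offline_guess(1, ch, resp, wordlist))
```

The same shape applies to MS-CHAP, which replaces MD5 with DES operations on the NT password hash but keeps the one-way, password-equivalent challenge-response; the offline-guessing exposure is why the choice of authentication protocol matters even when the link itself is encrypted.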

NOTE
For more information on EAP, see RFC 2284, the EAP specification current when Windows 2000 shipped (it has since been obsoleted by RFC 3748).

Remote Authentication Dial-In User Service (RADIUS)

The diversity of hardware and operating systems in today's enterprise networks requires remote user authentication to be vendor-independent and scalable. RADIUS support in Windows 2000 provides this kind of user authentication, and it allows scalable designs (many access servers sharing one authentication service) and fault-tolerant designs (an access server configured with more than one RADIUS server).

RADIUS provides authentication and accounting services for distributed dial-up networking. Windows 2000 can act as a RADIUS client, a RADIUS server, or both. A RADIUS client is a network access server, typically an Internet service provider (ISP) dial-up server or a Windows 2000 remote access server, that receives the user's connection request and forwards the credentials to a RADIUS server for an accept-or-reject decision. As a RADIUS client, Windows 2000 can also forward accounting information to a RADIUS accounting server. You make a Windows 2000 remote access server a RADIUS client on the Security tab of its Properties dialog box by selecting RADIUS as the authentication (and optionally the accounting) provider and listing the RADIUS servers with the shared secret for each. The shared secret is the only thing that authenticates the exchange: the client uses it to hide the user's password in the request, and the server uses it to sign its reply. It should therefore be long, random, and different for each client, and because RADIUS runs over UDP with no other integrity protection, the traffic should stay on a trusted network or be carried over IPSec.

A RADIUS server validates the request from the RADIUS client: it recovers the hidden password with the shared secret configured for that client (a mismatched secret yields garbage and a rejection), authenticates the user, evaluates the applicable remote access policy, and returns an Access-Accept or Access-Reject. In Windows 2000 the RADIUS server is Internet Authentication Service (IAS), which authenticates against Active Directory or the local account database. As a RADIUS server, IAS stores RADIUS accounting information from RADIUS clients in log files. IAS is one of the optional components that can be installed during Windows 2000 installation or at a later time through Add/Remove Programs in Control Panel. IAS can then be found in Administrative Tools on the Programs menu (via the Start menu).
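
The shared-secret mechanics described above, as an added example that is not part of the training kit or of IAS: a minimal RFC 2138 Access-Request built by a RADIUS client, the User-Password hiding keyed by the shared secret, the server's accept-or-reject decision, and the Response Authenticator the client checks before trusting a reply. The user name, password, secret, and the fixed Request Authenticator in the test are constructed for the demonstration; a real client generates a fresh random one per request, which the code does when none is supplied.

```python
"""RADIUS Access-Request / Access-Accept exchange per RFC 2138, showing what the
shared secret does.  Added illustration, not code from the training kit or from
IAS; names, password, secret and Request Authenticator are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RADIUS Code values
USER_NAME, USER_PASSWORD = 1, 2                          # attribute Type values


def _attr(attr_type: int, value: bytes) -> bytes:
    """Attribute TLV: Type, Length (counting this two-octet header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2138 section 5.2: NUL-pad to a multiple of 16 octets, then XOR each block
    with MD5(secret || previous ciphertext block), the first block using the Request
    Authenticator.  Keyed obfuscation, not authenticated encryption."""
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: the same chain in reverse.  A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """RADIUS client (NAS) side.  The Request Authenticator must be fresh and
    unpredictable for every request; it seeds the password hiding."""
    request_auth = request_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs


def parse_packet(data: bytes):
    """Parse Code, Identifier, Length, Authenticator and the attribute list,
    rejecting packets whose declared lengths do not fit the data."""
    if len(data) < 20:
        raise ValueError("shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if not 20 <= length <= len(data):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute Length")
        attrs.append((attr_type, data[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, data[4:20], attrs


def server_handle(packet: bytes, secret: bytes, users: dict) -> bytes:
    """RADIUS server side: recover the password with this client's shared secret,
    check it, and sign the reply with Response Authenticator =
    MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    code, identifier, request_auth, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    fields = dict(attrs)
    hidden = fields.get(USER_PASSWORD)
    stored = users.get(fields.get(USER_NAME, b""))      # constructed user store
    ok = (hidden is not None and len(hidden) % 16 == 0 and stored is not None
          and hmac.compare_digest(reveal_password(hidden, secret, request_auth), stored))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, identifier, 20)
    response_auth = hashlib.md5(header + request_auth + secret).digest()   # no attributes
    return header + response_auth


def client_verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """RADIUS client side: trust a reply only if its Response Authenticator matches,
    which proves the sender knew the shared secret and saw our Request Authenticator."""
    _, _, response_auth, _ = parse_packet(response)
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    return hmac.compare_digest(expected, response_auth)
```

Two things the code makes visible that the prose only states: nothing in an Access-Request proves the client's identity beyond its ability to hide the password with the right secret, and a forged Access-Accept is detected only because the client checks the Response Authenticator, so a client that skips that check can be fed accepts by anyone who can spoof the server's UDP address.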

NOTE
For additional information on RADIUS, see RFC 2138 (authentication) and RFC 2139 (accounting); both have since been replaced by RFC 2865 and RFC 2866.

Internet Protocol Security (IPSec)

IPSec is a framework of open standards for ensuring secure private communications over Internet Protocol (IP) networks by using cryptographic security services. It protects IP packets against eavesdropping, modification, and replay on private networks and the Internet, and it does so below the application layer, so applications need no changes. Before protected traffic flows, the two endpoints negotiate a security association (SA): an agreement on the algorithms, keys, lifetimes, and other parameters used to protect traffic in one direction, identified on the wire by a Security Parameter Index (SPI). The SA is not itself a key; the keys are derived during the Internet Key Exchange (IKE) negotiation and are never sent across the network.

Your network security administrator can use IPSec policies, rather than applications or operating systems, to configure IPSec security services. The policies provide variable levels of protection for most traffic types, in most existing networks. Your network security administrator can configure IPSec policies to meet the security requirements of a user, group, application, domain, site, or global enterprise.

Windows 2000 provides an administrative interface, IP Security Management, to create and manage IPSec policies (centrally at the group policy level for domain members, or locally on a nondomain computer). IP Security Management is a snap-in that you can add to any Microsoft Management Console (MMC). Configuring IPSec policies is beyond the scope of this course.

NOTE
For additional information on security mechanisms for IP, see RFC 1825 (since obsoleted by RFC 2401).

Layer-Two Tunneling Protocol (L2TP)

L2TP is very similar to PPTP in that its primary purpose is to carry PPP frames through a tunnel across an untrusted network. L2TP differs from PPTP in that it provides only the tunnel and no encryption of its own. L2TP provides a secure tunnel by cooperating with other encryption technologies such as IPSec; in Windows 2000 an L2TP VPN connection is protected by IPSec, a combination usually written L2TP/IPSec. IPSec does not require L2TP, but its encryption functions complement L2TP to create a secure virtual private network (VPN) solution.

Both PPTP and L2TP use PPP to provide an initial envelope for the data and then append additional headers for transport through the transit internetwork. Some of the key differences between PPTP and L2TP are as follows:

  • PPTP requires an IP-based transit internetwork. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity, so it can be carried over User Datagram Protocol (UDP) on an IP network or directly over frame relay permanent virtual circuits (PVCs), X.25 virtual circuits (VCs), or Asynchronous Transfer Mode (ATM) VCs. Windows 2000 implements L2TP over UDP/IP.
  • L2TP supports header compression; PPTP does not. When header compression is enabled, L2TP operates with four bytes of overhead, compared to six bytes for PPTP.
  • L2TP supports tunnel authentication, while PPTP does not. However, when either PPTP or L2TP is used in conjunction with IPSec, IPSec authenticates the tunnel endpoints, so layer-two tunnel authentication is not necessary.
  • PPTP uses PPP encryption (Microsoft Point-to-Point Encryption, MPPE), whose key is derived from the MS-CHAP, MS-CHAP v2, or EAP-TLS exchange, so the confidentiality of a PPTP tunnel is only as strong as the authentication protocol chosen and, with MS-CHAP, the user's password. L2TP relies on IPSec for encryption, with keys negotiated by IKE independently of the user's password.

The creation of L2TP ports for VPNs is discussed later in this chapter.

Bandwidth Allocation Protocol (BAP)

In Windows NT 4.0, Remote Access Service (RAS) supports basic multilink capabilities. It allows the combining of multiple physical links into one logical link. Typically, two or more Integrated Services Digital Network (ISDN) lines or modem links are bundled together for greater bandwidth.

In Windows 2000, BAP and Bandwidth Allocation Control Protocol (BACP) enhance multilink by dynamically adding or dropping links on demand. BAP is especially valuable to operations that have carrier charges based on bandwidth utilization. BAP and BACP are sometimes used interchangeably to refer to bandwidth-on-demand functionality, but they have distinct roles: BACP is the PPP control protocol that negotiates, when the bundle is established, that BAP may be used; BAP then carries the requests to add or drop links while the bundle is up. Together they let you control connection costs while providing the bandwidth the traffic actually requires.

You can enable multilink and BAP protocols on a serverwide basis from the PPP tab of each remote access server's Properties dialog box. You configure BAP settings through remote access policies. Using these policies, you can specify that an extra line is dropped if link utilization drops below 75 percent for one group and below 25 percent for another group. Remote access policies are described later in this chapter.

NOTE
For more information on PPP multilink, see RFC 1990. For more information on BAP/BACP, see RFC 2125.

Lesson Summary

Windows NT 4.0 included support for several protocols used to verify the credentials of users connecting to the network, plus one tunneling protocol. These included the following: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), Shiva Password Authentication Protocol (SPAP), and Point-to-Point Tunneling Protocol (PPTP), which carries an authenticated PPP session rather than performing authentication itself.

Windows 2000 includes support for these and several additional protocols that significantly increase your authentication, encryption, and multilinking options including the following:

  • Extensible Authentication Protocol (EAP). EAP is an extension to the Point-to-Point Protocol (PPP) that works with dial-up, PPTP, and L2TP clients. EAP allows for an arbitrary authentication mechanism to validate a dial-in connection. The exact authentication method to be used is negotiated by the dial-in client and the remote access server.
  • Remote Authentication Dial-In User Service (RADIUS). Windows 2000 RADIUS support allows user authentication to be vendor-independent and provides highly scalable authentication designs for performance and fault-tolerant designs for reliability.
  • Internet Protocol Security (IPSec). IPSec is a framework of open standards for ensuring secure private communications over IP networks by using cryptographic security services. It protects IP traffic against eavesdropping, modification, and replay on private networks and the Internet, transparently to applications. The two endpoints negotiate a security association (SA), the set of algorithms, keys, and parameters used to protect traffic in one direction; the keys themselves are derived during IKE negotiation and never cross the network.
  • Layer-Two Tunneling Protocol (L2TP). L2TP is very similar to PPTP in that its primary purpose is to carry PPP frames through a tunnel across an untrusted network. L2TP differs from PPTP in that it provides tunneling but not encryption. L2TP provides a secure tunnel by cooperating with other encryption technologies such as IPSec (L2TP/IPSec). IPSec does not require L2TP, but its encryption functions complement L2TP to create a secure virtual private network (VPN) solution.
  • Bandwidth Allocation Protocol (BAP). BAP and Bandwidth Allocation Control Protocol (BACP) enhance multilink by dynamically adding or dropping links on demand. BAP is especially valuable to operations that have carrier charges based on bandwidth utilization. BAP and BACP are sometimes used interchangeably to refer to bandwidth-on-demand functionality. BAP provides a very efficient mechanism for controlling connection costs while dynamically providing optimum bandwidth.