Windows Server 2003 Security Infrastructures: Core Security Features (HP Technologies)

The key Windows enablers for account management and authentication interoperability in a mixed UNIX and AD-centric Windows environment are AD’s support for the LDAP directory access protocol and for the Kerberos distributed authentication protocol. Both protocols were shipped for the first time with Windows 2000. Microsoft’s adoption of both protocols for Windows 2000 and later operating systems is largely driven by the fact that they are both based on open standards.

8.2.1 LDAP

The Lightweight Directory Integration Protocol (LDAP) defines a set of protocols to access X.500-based directories. LDAP version 3 is the latest version. LDAP v3 has been standardized by the IETF in RFCs 2251 through 2256 and 2829 through 2831. In Windows 2000 Microsoft adopted LDAP as the default protocol to access the information stored in their Active Directory.

• AD uses MS-specific schema extensions: They use MS-specific OIDs for certain schema elements, added MS-specific attributes to the top object class, and by default AD does not support the inetOrgPerson object class. Microsoft has, however, provided an add-on software kit to support the inetOrgPerson class in Windows 2000. The class is also supported out of the box in the Windows Server 2003 AD release.

• AD cannot be deployed as a stand-alone LDAP directory. Using AD as an LDAP repository requires the deployment of a complete Windows 2000 or later infrastructure. This will change with the release of ADAM (AD Application Mode) in 2003.

8.2.2 Kerberos

Over the years the Kerberos authentication protocol has proven itself to be a secure and efficient authentication protocol in a distributed client-server environment. Kerberos version 5 (the version used in Windows 2000 and later) has been standardized in RFC 1510.

• MS Kerberos supports the 128-bit RC4-HMAC encryption algorithm as its default encryption type. It also supports 56-bit DESCBC-CRC and DES-CDB-MD5 for interoperability with MIT Kerberos.

• MS Kerberos does not support postdated and forwarded Kerberos tickets.

• MS Kerberos uses case-insensitive Kerberos principal names.

• MS includes user authorization data (user group memberships and so forth) in Kerberos tickets in the Privilege Attribute Certificate (PAC) field.