MCSA/MCSE Self-Paced Training Kit (Exam 70-214): Implementing and Administering Security in a Microsoft Windows 2000 Network (Pro-Certification)

Lesson 2: Supporting Macintosh Clients

Windows 2000 includes strong support for Macintosh clients: Services for Macintosh implements the Apple Filing Protocol (AFP), the file sharing protocol used by Apple products, as a native networking protocol. Installing Services for Macintosh on a Windows 2000 server lets it share files seamlessly with Macintosh clients.

Apple's native authentication methods are weak by default, but authentication can be strengthened to NTLM version 2 by installing the Microsoft User Authentication Module (UAM) on the Macintosh clients.


To complete this lesson, you will need

Estimated lesson time: 20 minutes


Supporting Macintosh Computers Securely

Because Macintosh clients present their passwords in clear text by default, a malicious user can easily sniff them on the network. Apple's own encrypted method (random-number exchange) avoids the clear-text exposure, but it requires the domain controller to store passwords using reversible encryption, which puts every password at risk of decryption if the server is physically compromised.

In Windows 2000, AFP can be used with TCP/IP as well as AppleTalk, so AppleTalk is not necessary if all Macintosh clients are TCP/IP capable.

Both of these problems can be solved by installing the Microsoft User Authentication Module (UAM) on Macintosh clients that need to attach to the domain. The UAM implements NTLM version 2 with 128-bit encryption, and eliminates the requirement for storing passwords using reversible encryption. To provide secure Macintosh service, install the latest UAM on every Macintosh client and configure servers to require NTLM version 2 authentication.
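To see which method a Macintosh client actually negotiated, capture its AFP-over-TCP session (port 548) and look at the UAM name in the FPLogin request. The following Python script is an added example, not part of the original lesson or of Microsoft's UAM: it parses a DSI/FPLogin request, classifies the UAM, and, for the clear-text UAM, recovers the user name and password exactly as a sniffer would. The two packets it inspects are constructed inside the script. The Apple UAM names come from the AFP specification; "MS2.0" as the name the Microsoft NTLM version 2 UAM sends on the wire is an assumption that you should verify against your own capture.

```python
"""Classify the authentication method in a captured AFP-over-TCP login (DSI/FPLogin)."""
import struct

DSI_HEADER = struct.Struct(">BBHIII")   # flags, command, request id, error/offset, length, reserved
DSI_COMMAND = 2                          # DSICommand: the payload is an AFP request
AFP_LOGIN = 18                           # FPLogin command code

# UAM names as sent on the wire. The Apple names come from the AFP specification.
# "MS2.0" is ASSUMED to be the name advertised by the Microsoft NTLMv2 UAM; verify it.
CLEARTEXT_UAMS = {"No User Authent", "Cleartxt Passwrd"}
LEGACY_CHALLENGE_UAMS = {"Randnum Exchange", "2-Way Randnum"}   # need reversible storage on the server
STRONG_UAMS = {"DHCAST128", "MS2.0"}


def _pascal(data, off):
    """Read a Pascal (length-prefixed) string at `off`; return (text, next offset)."""
    n = data[off]
    return data[off + 1:off + 1 + n].decode("ascii", "replace"), off + 1 + n


def build_fplogin(afp_version, uam, user, password=None, request_id=1):
    """Build a DSICommand/FPLogin request. Used only to construct sample traffic;
    for non-cleartext UAMs the key-exchange material is omitted because the
    parser below never reads it."""
    body = bytes([AFP_LOGIN])
    body += bytes([len(afp_version)]) + afp_version.encode()
    body += bytes([len(uam)]) + uam.encode()
    body += bytes([len(user)]) + user.encode()
    if uam == "Cleartxt Passwrd":
        if len(body) % 2:              # AFP pads the user name to an even boundary
            body += b"\0"
        body += password.encode().ljust(8, b"\0")[:8]   # 8-byte, null-padded password
    return DSI_HEADER.pack(0, DSI_COMMAND, request_id, 0, len(body), 0) + body


def parse_fplogin(packet):
    """Return a dict describing an FPLogin request, or None if `packet` is not one."""
    if len(packet) < DSI_HEADER.size:
        return None
    flags, cmd, _req, _err, length, _reserved = DSI_HEADER.unpack_from(packet)
    body = packet[DSI_HEADER.size:DSI_HEADER.size + length]
    if flags != 0 or cmd != DSI_COMMAND or not body or body[0] != AFP_LOGIN:
        return None                    # a reply, a non-AFP DSI message, or another AFP call
    afp_version, off = _pascal(body, 1)
    uam, off = _pascal(body, off)
    login = {"afp_version": afp_version, "uam": uam, "user": None, "password": None}
    if uam != "No User Authent":
        login["user"], off = _pascal(body, off)
    if uam == "Cleartxt Passwrd":      # the password itself is right there on the wire
        if off % 2:
            off += 1
        login["password"] = body[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
    return login


def classify(login):
    """Map a parsed login to CLEARTEXT / LEGACY_CHALLENGE / STRONG / UNKNOWN."""
    uam = login["uam"]
    if uam in CLEARTEXT_UAMS:
        return "CLEARTEXT"
    if uam in LEGACY_CHALLENGE_UAMS:
        return "LEGACY_CHALLENGE"
    if uam in STRONG_UAMS:
        return "STRONG"
    return "UNKNOWN"


def audit(packets):
    """Return (uam, verdict, user, password) for every FPLogin request in `packets`."""
    findings = []
    for pkt in packets:
        login = parse_fplogin(pkt)
        if login:
            findings.append((login["uam"], classify(login), login["user"], login["password"]))
    return findings


# Constructed sample traffic (not from a real capture): a default clear-text login
# and a login that negotiated a strong UAM.
SAMPLE_CLEARTEXT = build_fplogin("AFP2.2", "Cleartxt Passwrd", "Administrator", "secret")
SAMPLE_STRONG = build_fplogin("AFPX03", "DHCAST128", "Administrator")

if __name__ == "__main__":
    for uam, verdict, user, pw in audit([SAMPLE_CLEARTEXT, SAMPLE_STRONG]):
        print(f"{verdict:16} uam={uam!r} user={user!r} password={pw!r}")
```

Feed it real traffic by extracting the TCP payloads sent to port 548 from a capture. A STRONG verdict with no recovered password is what you want to see after the UAM is deployed; any CLEARTEXT or LEGACY_CHALLENGE verdict identifies a client that still needs it.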

When you install Services for Macintosh, the installer creates a Macintosh-compatible share called the Microsoft UAM Volume. An earlier version of the UAM is installed in this share, which allows Mac OS 8 and 9 computers to connect to the server and download the UAM easily. The current UAM, which is compatible with NTLM version 2, is not installed by default.

Servers that are already secured to require NTLM version 2 authentication will not allow Macintosh clients to connect to this share to obtain the UAM. Rather than reducing server security to deploy the UAM, solve this problem by downloading the UAM client directly from Microsoft through the client's Web browser. Automate the deployment by e-mailing Macintosh users a link to the file and letting them install it themselves.

The current version of the UAM provides NTLM version 2 128-bit encryption for Macintosh clients. There are two versions of the UAM:

The NTLM version 2 compatible UAM does not require passwords to be stored using reversible encryption, and you should not enable reversible encryption to support Macintosh clients that use this UAM.
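Once the NTLM version 2 UAM is deployed, confirm that no account is still flagged for reversible password storage. The following Python script is an added example, not part of the original lesson: it reads an LDIF export of the domain (for example the output of ldifde -f users.ldf -r "(objectClass=user)" -l sAMAccountName,userAccountControl on the domain controller) and reports every account whose userAccountControl has the ENCRYPTED_TEXT_PASSWORD_ALLOWED bit (0x80) set; it also checks the domain object's pwdProperties for the domain-wide setting. The sample export embedded in the script is constructed, and the example.local domain is hypothetical.

```python
"""Audit an LDIF export for reversible password storage (per-account and domain-wide)."""

# userAccountControl bits (ADS_USER_FLAG enumeration)
UF_ACCOUNTDISABLE = 0x0002
UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED = 0x0080   # per-account "Store password using reversible encryption"
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000
# pwdProperties bit on the domain object: the domain-wide reversible-encryption policy
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10

# Constructed sample in the shape of an ldifde export; example.local is hypothetical.
SAMPLE_LDIF = """\
dn: DC=example,DC=local
objectClass: domainDNS
pwdProperties: 1

dn: CN=Administrator,CN=Users,DC=example,DC=local
sAMAccountName: Administrator
userAccountControl: 66048

dn: CN=Mac User One,CN=Users,DC=example,DC=local
sAMAccountName: macuser1
userAccountControl: 640

dn: CN=Old Mac Account,CN=Users,DC=example,DC=local
sAMAccountName: oldmac
userAccountControl: 642
"""


def parse_ldif(text):
    """Return a list of {attribute: value} dicts, one per LDIF record.

    Handles folded continuation lines (leading space) and comments. For a
    multi-valued attribute only the last value is kept, which is enough for
    the single-valued attributes inspected here; base64 (::) values are not decoded.
    """
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:      # folded continuation line
            current[last] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:                                       # blank line ends a record
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()                        # LDIF attribute names are case-insensitive
        current[last] = value.strip()
    if current:
        records.append(current)
    return records


def _int_attr(record, name):
    """Integer value of an attribute, or 0 if absent or not decimal."""
    try:
        return int(record.get(name, "0"))
    except ValueError:
        return 0


def reversible_encryption_accounts(text, include_disabled=False):
    """Names of accounts whose per-account flag allows reversible storage."""
    hits = []
    for rec in parse_ldif(text):
        uac = _int_attr(rec, "useraccountcontrol")
        if not uac & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED:
            continue
        if uac & UF_ACCOUNTDISABLE and not include_disabled:
            continue
        hits.append(rec.get("samaccountname", rec.get("dn", "?")))
    return hits


def domain_stores_cleartext(text):
    """True if the domain object's pwdProperties enables reversible storage domain-wide."""
    return any(_int_attr(rec, "pwdproperties") & DOMAIN_PASSWORD_STORE_CLEARTEXT
               for rec in parse_ldif(text) if "pwdproperties" in rec)


if __name__ == "__main__":
    print("domain-wide reversible encryption:", domain_stores_cleartext(SAMPLE_LDIF))
    for name in reversible_encryption_accounts(SAMPLE_LDIF, include_disabled=True):
        print("reversible encryption allowed on account:", name)
```

Both checks matter: the Group Policy setting is domain-wide, but the per-account check box in Active Directory Users and Computers sets the userAccountControl bit independently, so an account enabled for an old Macintosh client can keep reversible storage after the policy is turned off.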

Mac OS X 10.1 clients can connect natively to Server Message Block (SMB) shares on workstation computers, but they cannot authenticate to domains.

Practice: Enabling Macintosh Clients to Access Windows 2000 Servers

In this practice, you configure the domain controller to serve Macintosh clients, and you configure a Macintosh client to connect to the server using NTLM version 2 authentication.

Exercise 1: Preparing a Windows 2000 Server to Support Macintosh Clients

In this exercise, you prepare a Windows 2000 server to serve Macintosh clients. Perform these procedures on a domain controller.

To install Services for Macintosh

  1. Log on as Administrator.

  2. Click Start, point to Settings, and then click Control Panel.

  3. In Control Panel, double-click Add/Remove Programs. The Add/Remove Programs window appears.

  4. Click Add/Remove Windows Components. The Windows Components Wizard appears.

  5. In the wizard, double-click (do not select) Other Network File And Print Services. The Other Network File And Print Services dialog box appears.

  6. Select File Services For Macintosh and Print Services For Macintosh, as shown in Figure 7-6.

    Figure 7-6. Installing File Services and Print Services for Macintosh

  7. Click OK, and click Next. The Configuring Components window appears with a progress indicator.

  8. When the configuration completes, click Finish.

  9. Click Close to close the Add/Remove Programs window.

  10. Close the Control Panel window.

To create a Macintosh-compatible file share

  1. Log on as the Administrator.

  2. On the desktop, right-click My Computer, and click Manage. The Computer Management console appears.

  3. Expand Shared Folders, and then click Shares. Your screen should look like Figure 7-7.

    Figure 7-7. Shared folders in the Computer Management console

  4. Right-click in a blank area of the rightmost pane, and click New File Share. The Create Shared Folder Wizard (Figure 7-8) appears.

    Figure 7-8. Creating a Macintosh-compatible shared folder

  5. Type C:\Departments (or use the browse button to browse to that location).

  6. Type Departments as the Share Name.

  7. Type Macintosh Accessible Share in the Share Description box.

  8. Select the Apple Macintosh check box in the Accessible From The Following Clients group, and verify that Microsoft Windows is selected.

  9. Click Next to open the share permissions page.

  10. For this practice, leave the All Users Have Full Control option set, and click Finish. (On a production server, grant only the share permissions the users actually need.) A message box will appear asking if you want to create another shared folder.

  11. Click No, and close the Computer Management console.

Exercise 2: Connecting to Windows 2000 from a Macintosh

In this exercise, you connect a Mac OS X 10.1 client computer to a Windows 2000 server using AFP. The process for Mac OS 8.5 through 9.2 clients is very similar.

In this exercise, the UAM is downloaded directly from the Microsoft Web site because the version created automatically in the Microsoft UAM share on the Windows 2000 server is not compatible with Mac OS X. Perform this exercise from a Macintosh client running Mac OS X 10.1 or higher.

Adopt the habit of acquiring the latest revision of any security-related software that you use on your network. Vulnerabilities are routinely patched in security-related software, so installing the latest version helps ensure that your systems are as secure as possible.

To install the Microsoft UAM

  1. Open Internet Explorer and browse to the following address: www.microsoft.com/mac/products/win2ksfm/.

    The Mactopia Services For Macintosh Web page appears.

  2. Click the download link for the Microsoft User Authentication Module (UAM) appropriate for your version of Mac OS.

    The download manager appears, then an MSUAM installation package icon appears on the desktop, and finally an MSUAM folder appears on the desktop.

  3. Double-click the MSUAM folder on the desktop.

  4. Double-click the Install MSUAM icon within the folder.

    The Macintosh installer appears. In Mac OS X, an authorization dialog box appears requesting the Administrator password.

  5. Click the lock icon. An Authenticate dialog box appears.

  6. Type the administrator's password, and click OK. The Authenticate dialog box closes, returning the installer to the front.

  7. Click Continue. The MS UAM Read Me document appears, as shown in Figure 7-9.

    Figure 7-9. Installing the Microsoft User Authentication Module on a Macintosh

  8. Click Continue to open the Select A Destination dialog box.

  9. Click the icon representing your internal hard disk, and then click Continue.

  10. Click Install. The Macintosh installer will inform you that the installation was successful.

  11. Click Close.

  12. Close the open window on your desktop, and delete the installation package file and folder left by the installation process.

To connect securely to a Windows share from a Macintosh client

  1. In the Mac Finder (the desktop), click the Go menu, and then click Connect To Server.

    Use the Connect To Server dialog box, shown in Figure 7-10, to create the shared drive mappings.

    Figure 7-10. The Macintosh Connect To Server dialog box

  2. Type afp://192.168.241.10/departments/ in the Address box, substituting your own server's IP address (or its DNS name, if the Macintosh client is configured to use the domain controller for DNS), and click Connect.

    A UAM authentication dialog box appears, as shown in Figure 7-11, that you can use to ensure the authentication process is secure.

    Figure 7-11. The Macintosh UAM authentication dialog box

  3. Verify that Registered User is selected, type Administrator in the Name box, and then type the administrator's password in the Password box.

  4. Ensure that the Require Strong Authentication check box is selected, and click Connect. A Departments icon appears on the desktop representing the network share.

  5. Double-click the Departments icon to view the contents of the Departments share, as shown in Figure 7-12.

    Figure 7-12. A Windows 2000 share as viewed from a Macintosh client

Lesson Review

The following questions are intended to reinforce key information in this lesson. If you are unable to answer a question, review the lesson and try the question again. Answers to the questions can be found in the appendix.

  1. What server component is used to provide the Apple File Service?

  2. Is AppleTalk required to provide service to Macintosh clients?

  3. What client component provides NTLM version 2 authentication for Macintosh computers?

  4. Does the NTLM version 2 compatible Microsoft UAM require reversible encryption to support Macintosh clients?

Lesson Summary
