Published by Junior Armstrong. Modified over 9 years ago.
Slide 1. Module 2: Introducing Windows 2000 Security
Slide 2. Overview
- Introducing Security Features in Active Directory
- Authenticating User Accounts
- Securing Access to Resources
- Introducing Encryption Technologies
- Encrypting Stored and Transmitted Data
- Introducing Public Key Infrastructure Technology
Slide 3. Introducing Security Features in Active Directory
- Active Directory Hierarchical Structure
- Trust Relationships
- Administration Using Group Policy
Slide 4. Active Directory Hierarchical Structure
Diagram: Forest > Tree > Domains > OUs > Objects.
- Defining Security Boundaries Using Domains
- Supporting Security Settings Using OUs
- Providing Delegation of Administration
Slide 5. Trust Relationships
Diagram: Forest 1 and Forest 2, with trusts labelled Transitive (Two Way), Shortcut (Two Way) and External (One Way).
Slide 6. Administration Using Group Policy
Diagram: Group Policy applied at the domain and at OUs.
- Security Policies with Domain-wide Scope
- Security Policies with OU-wide Scope
Slide 7. Authenticating User Accounts
- Using Kerberos V5 Authentication
- Using Certificate-based Authentication
- Using NTLM Protocol for Authentication
Slide 8. Using Kerberos V5 Authentication
Diagram (Windows 2000-based computer, KDC, target server):
1. Initial logon: the computer authenticates to the KDC.
2. The KDC issues a Ticket-Granting Ticket (TGT), which is cached locally.
3. Service request: the TGT is presented to the KDC, which issues a Service Ticket (ST).
4. The ST is presented to the target server and the session is established.
Slide 9. Using Certificate-based Authentication
Diagram: a user presents a certificate issued by a Certification Authority to a Windows 2000-based server (configured for client certificate authentication) over the SSL protocol.
- Map Certificates to Active Directory Accounts
- Implement Smart Card Authentication
Slide 10. Using NTLM Protocol for Authentication
Diagram labels (cases where NTLM is used instead of Kerberos): Windows 2000 stand-alone server, Windows 2000-based computer, Windows NT-based server, Windows 2000 domain controller, Directory Services Client.
Slide 11. Securing Access to Resources
- Describing Security Identifiers
- Controlling Access to Resources
- Defining Security Groups for Resource Access
- Discussion: Authentication and Access Control
Slide 12. Describing Security Identifiers
Example SID: S-1-5-21-212721301…
- Automatically Created When an Object Is Added
- Identify Users, Groups, or Computers
- Used to Grant Access Rights and Permissions to Resources
Diagram: Users, Groups and Computers each carry a SID.
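To make the S-1-5-21-... notation on the slide concrete, the following Go program is an added example, not part of the course material: it parses a SID string into revision, identifier authority and sub-authorities, extracts the RID and the domain SID, and names a few well-known values. The SID it parses is constructed; the slide's own SID is truncated and is not used.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// SID is a parsed security identifier in the S-R-I-S... text form from the slide.
type SID struct {
	Revision       uint8
	Authority      uint64   // 48-bit identifier authority; 5 is NT Authority
	SubAuthorities []uint32 // at most 15; the last one is the RID
}

// ParseSID parses the text form and rejects anything that is not well formed.
func ParseSID(s string) (SID, error) {
	parts := strings.Split(s, "-")
	if len(parts) < 3 || parts[0] != "S" {
		return SID{}, errors.New("a SID is written S-<revision>-<authority>[-<sub-authority>...]")
	}
	rev, err := strconv.ParseUint(parts[1], 10, 8)
	if err != nil || rev != 1 {
		return SID{}, fmt.Errorf("unsupported SID revision %q", parts[1])
	}
	auth, err := strconv.ParseUint(parts[2], 10, 64)
	if err != nil || auth >= 1<<48 {
		return SID{}, fmt.Errorf("identifier authority %q is not a 48-bit number", parts[2])
	}
	if len(parts)-3 > 15 {
		return SID{}, errors.New("a SID carries at most 15 sub-authorities")
	}
	subs := make([]uint32, 0, len(parts)-3)
	for _, p := range parts[3:] {
		v, err := strconv.ParseUint(p, 10, 32)
		if err != nil {
			return SID{}, fmt.Errorf("sub-authority %q is not a 32-bit number", p)
		}
		subs = append(subs, uint32(v))
	}
	return SID{Revision: uint8(rev), Authority: auth, SubAuthorities: subs}, nil
}

// String renders the canonical text form again.
func (s SID) String() string {
	out := fmt.Sprintf("S-%d-%d", s.Revision, s.Authority)
	for _, sub := range s.SubAuthorities {
		out += fmt.Sprintf("-%d", sub)
	}
	return out
}

// RID is the relative identifier (last sub-authority) that makes the SID
// unique within its domain; ok is false if there are no sub-authorities.
func (s SID) RID() (rid uint32, ok bool) {
	if len(s.SubAuthorities) == 0 {
		return 0, false
	}
	return s.SubAuthorities[len(s.SubAuthorities)-1], true
}

// IsDomainAccount reports the S-1-5-21-<domain>-<RID> shape that Windows gives
// accounts and groups created in a domain (or on a stand-alone machine).
func (s SID) IsDomainAccount() bool {
	return s.Revision == 1 && s.Authority == 5 && len(s.SubAuthorities) == 5 && s.SubAuthorities[0] == 21
}

// DomainSID strips the RID from a domain account SID, giving the domain's own SID.
func (s SID) DomainSID() (string, bool) {
	if !s.IsDomainAccount() {
		return "", false
	}
	return SID{Revision: s.Revision, Authority: s.Authority, SubAuthorities: s.SubAuthorities[:4]}.String(), true
}

// A few identifiers that are fixed on every Windows installation.
var wellKnownSIDs = map[string]string{"S-1-1-0": "Everyone", "S-1-5-18": "Local System", "S-1-5-32-544": "BUILTIN\\Administrators"}
var wellKnownRIDs = map[uint32]string{500: "Administrator", 501: "Guest", 512: "Domain Admins", 513: "Domain Users"}

// WellKnownName labels well-known SIDs and well-known domain RIDs, else "".
func WellKnownName(s SID) string {
	if name, ok := wellKnownSIDs[s.String()]; ok {
		return name
	}
	if rid, ok := s.RID(); ok && s.IsDomainAccount() {
		return wellKnownRIDs[rid]
	}
	return ""
}

func main() {
	sid, err := ParseSID("S-1-5-21-1111111111-2222222222-3333333333-512") // constructed, not the slide's SID
	if err != nil {
		panic(err)
	}
	fmt.Println(sid, "is", WellKnownName(sid))
}
```

The first four sub-authorities identify the domain (or machine) and the RID identifies the principal within it, which is why the same RID in two domains names two different principals, and why a parser should refuse sub-authorities that do not fit in 32 bits rather than silently truncating them.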
Slide 13. Controlling Access to Resources
- DACL: Specifies Access Permissions for a Resource
  - ACEs List Actions That Users or Groups Can Perform
- SACL: Specifies Users or Groups to Be Audited
  - ACEs List Events to Be Audited Based on Successes or Failures
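An added Go model, not course code, of how the DACL and SACL on this slide are evaluated against a caller's token. The SIDs and the access mask are constructed for the example; the rules it encodes are the real Windows ones: ACEs are walked in order, an explicit deny covering any still-outstanding right wins immediately, a null DACL means no protection, and an empty DACL grants nothing.

```go
package main

import "fmt"

// Access mask bits, a constructed subset of the real Windows file rights.
const (
	FileRead   uint32 = 1 << 0
	FileWrite  uint32 = 1 << 1
	FileDelete uint32 = 1 << 2
)

// ACEType: allow/deny entries live in the DACL, audit entries in the SACL.
type ACEType int

const (
	AccessAllowed ACEType = iota
	AccessDenied
	SystemAudit
)

// ACE names a trustee (a SID string) and the rights it covers; audit entries
// also say whether successful or failed attempts are logged.
type ACE struct {
	Type                       ACEType
	Trustee                    string
	Mask                       uint32
	AuditSuccess, AuditFailure bool
}

// A nil DACL means unprotected (everyone gets everything); an empty non-nil
// DACL grants nothing. Both are real Windows rules.
type SecurityDescriptor struct{ DACL, SACL []ACE }

// Token is the set of SIDs the caller holds: its own plus its groups'.
type Token map[string]bool

// AccessCheck walks the DACL in order. A deny ACE naming the caller that covers
// any still-outstanding right refuses access at once; allow ACEs clear
// outstanding rights; the walk ends when nothing is outstanding.
func AccessCheck(sd SecurityDescriptor, tok Token, requested uint32) bool {
	if sd.DACL == nil {
		return true
	}
	remaining := requested
	for _, ace := range sd.DACL {
		if remaining == 0 {
			break
		}
		if !tok[ace.Trustee] {
			continue
		}
		if ace.Type == AccessDenied && ace.Mask&remaining != 0 {
			return false
		}
		if ace.Type == AccessAllowed {
			remaining &^= ace.Mask
		}
	}
	return remaining == 0
}

// AuditEvents returns the SACL entries that fire for this attempt: success
// entries when granted, failure entries when denied, for entries that name
// the caller and overlap the requested rights.
func AuditEvents(sd SecurityDescriptor, tok Token, requested uint32, granted bool) []ACE {
	var fired []ACE
	for _, ace := range sd.SACL {
		if ace.Type != SystemAudit || !tok[ace.Trustee] || ace.Mask&requested == 0 {
			continue
		}
		if (granted && ace.AuditSuccess) || (!granted && ace.AuditFailure) {
			fired = append(fired, ace)
		}
	}
	return fired
}

// Constructed SIDs in the S-1-5-21-... shape shown on the SID slide.
const (
	DomainUsers = "S-1-5-21-1111111111-2222222222-3333333333-513"
	Contractors = "S-1-5-21-1111111111-2222222222-3333333333-1105"
	Alice       = "S-1-5-21-1111111111-2222222222-3333333333-1001"
	Everyone    = "S-1-1-0"
)

// ExampleDescriptor: Contractors are explicitly denied write (listed first, the
// order Windows writes), Domain Users may read and write, failed write or
// delete attempts by anyone are audited.
func ExampleDescriptor() SecurityDescriptor {
	return SecurityDescriptor{
		DACL: []ACE{
			{Type: AccessDenied, Trustee: Contractors, Mask: FileWrite},
			{Type: AccessAllowed, Trustee: DomainUsers, Mask: FileRead | FileWrite}},
		SACL: []ACE{{Type: SystemAudit, Trustee: Everyone, Mask: FileWrite | FileDelete, AuditFailure: true}},
	}
}

// AliceToken: Alice is a Domain User who is also a Contractor.
func AliceToken() Token { return Token{Alice: true, DomainUsers: true, Contractors: true, Everyone: true} }

func main() {
	sd, tok := ExampleDescriptor(), AliceToken()
	fmt.Println("read:", AccessCheck(sd, tok, FileRead), "read+write:", AccessCheck(sd, tok, FileRead|FileWrite),
		"audit entries on failed write:", len(AuditEvents(sd, tok, FileWrite, false)))
}
```

Because evaluation stops at the first decisive ACE, order matters: swapping the two DACL entries in ExampleDescriptor would let the allow for Domain Users satisfy a read-plus-write request before the deny for Contractors is ever seen. The Windows tools write explicit denies before allows (the canonical order); descriptors assembled by hand without that order are a classic source of unintended access, and a defender reviewing an ACL should check the order as well as the entries.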
Slide 14. Defining Security Groups for Resource Access
Diagram: Domain Local Groups, Global Groups and Universal Groups across a tree of domains and OUs, granting access to resources.
Slide 15. Discussion: Authentication and Access Control
Diagram: Houston with Windows 2000 domain controllers; New York with a Windows NT 4.0 domain; clients running Windows NT and Windows 98.
Slide 16. Introducing Encryption Technologies
- Using Symmetric Key Encryption
- Using Public Key Encryption
- Using Digital Signatures
Slide 17. Using Symmetric Key Encryption
- Encrypting Application Data: EFS, S/MIME
- Encrypting Communication Protocols: IPSec, TLS
Diagram: User1 encrypts with the shared secret key and the encryption algorithm; User2 decrypts with the same shared secret key and the decryption algorithm.
Slide 18. Using Public Key Encryption
Diagram: User1 obtains User2's public key from the Certification Authority and turns the plaintext into ciphertext; User2 turns the ciphertext back into plaintext with User2's private key.
Slide 19. Using Digital Signatures
Diagram:
User1 (Sender): 1. Run the plaintext through the digest function. 2. Obtain the digest. 3. Encrypt the digest with User1's private key; send the encrypted digest with the plaintext.
User2 (Receiver): 4. Run the received plaintext through the digest function. 5. Decrypt the encrypted digest with User1's public key. 6. Compare the two digests.
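The six steps above, as an added Go example that is not course code. The slides name no algorithm, so this assumes SHA-256 as the digest function and RSA-2048 with PKCS#1 v1.5 signatures; the message is constructed. The receiver's check fails both when the plaintext was altered after signing and when the verifier holds a public key other than User1's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Signer holds User1's key pair (assumed RSA-2048).
type Signer struct{ priv *rsa.PrivateKey }

func NewSigner() (*Signer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public is the key User1 publishes (on the slide, what User2 obtains via the CA).
func (s *Signer) Public() *rsa.PublicKey { return &s.priv.PublicKey }

// Sign is steps 1-3: digest the plaintext, then "encrypt" the digest with the
// private key, which in RSA terms is a signature over the digest.
func (s *Signer) Sign(plaintext []byte) ([]byte, error) {
	digest := sha256.Sum256(plaintext)
	return rsa.SignPKCS1v15(rand.Reader, s.priv, crypto.SHA256, digest[:])
}

// Verify is steps 4-6: recompute the digest over the received plaintext,
// recover the sender's digest with the public key, and compare the two.
func Verify(pub *rsa.PublicKey, plaintext, signature []byte) bool {
	digest := sha256.Sum256(plaintext)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], signature) == nil
}

// Outcome collects the three checks Demo runs; only Genuine should be true.
type Outcome struct {
	Genuine  bool // original message, User1's public key
	Tampered bool // message altered after signing
	WrongKey bool // verified with someone else's public key
}

// Demo signs a constructed message and reports what verification says when the
// message is intact, when it was altered in transit, and when the verifier uses
// a key that is not User1's.
func Demo() (Outcome, error) {
	user1, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	other, err := NewSigner()
	if err != nil {
		return Outcome{}, err
	}
	msg := []byte("Approve purchase order 1042 for 200 units") // constructed
	sig, err := user1.Sign(msg)
	if err != nil {
		return Outcome{}, err
	}
	altered := []byte("Approve purchase order 1042 for 900 units")
	return Outcome{
		Genuine:  Verify(user1.Public(), msg, sig),
		Tampered: Verify(user1.Public(), altered, sig),
		WrongKey: Verify(other.Public(), msg, sig),
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", out.Genuine, out.Tampered, out.WrongKey)
}
```

Note what the comparison in step 6 does and does not establish: a matching digest shows the plaintext is the one User1 signed, but only if User2 is sure the public key really belongs to User1, which is the job of the certificate and the Certification Authority on the later slides.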
Slide 20. Encrypting Stored and Transmitted Data
- Encrypting Stored Data Using EFS
- Encrypting Transmitted Data
- Discussion: Encrypting Data
Slide 21. Encrypting Stored Data Using EFS
- EFS Protects Stored Data
- The File Encryption Key Encrypts the Data
- The File Encryption Key Is Encrypted By:
  - The user's public key
  - The EFS recovery agent's public key
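An added Go example, not course code, of the key structure described on this slide and on the public key encryption slide: a random file encryption key (FEK) encrypts the data, and the FEK itself is stored encrypted under each authorised public key, here the user's and the recovery agent's. AES-256-GCM and RSA-OAEP are this example's choices, the file contents are constructed, and the real EFS on-disk format and cipher choices differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile: data under a random FEK, and the FEK wrapped for each holder
// (illustrative structure only; real EFS has its own on-disk layout).
type EncryptedFile struct {
	Nonce, Ciphertext []byte
	WrappedFEK        map[string][]byte // holder name -> FEK encrypted with that holder's public key
}

var oaepLabel = []byte("efs-example-fek") // constructed OAEP label

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt draws a fresh FEK and nonce, encrypts the data, and wraps the FEK for every recipient.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*EncryptedFile, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no recipients: the file could never be read back")
	}
	buf := make([]byte, 32+12) // 256-bit FEK followed by a 96-bit GCM nonce
	if _, err := io.ReadFull(rand.Reader, buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	f := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedFEK: map[string][]byte{}}
	for name, pub := range recipients {
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, oaepLabel)
		if err != nil {
			return nil, err
		}
		f.WrappedFEK[name] = w
	}
	return f, nil
}

// Decrypt unwraps the FEK entry stored for holder with that holder's private key, then decrypts the data.
func Decrypt(f *EncryptedFile, holder string, priv *rsa.PrivateKey) ([]byte, error) {
	w, ok := f.WrappedFEK[holder]
	if !ok {
		return nil, fmt.Errorf("no FEK entry for %q", holder)
	}
	fek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, w, oaepLabel)
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap FEK for %q: %w", holder, err)
	}
	gcm, err := newGCM(fek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, f.Nonce, f.Ciphertext, nil)
}

type Outcome struct{ User, RecoveryAgent, Stranger bool }

// Demo encrypts a constructed file for a user and a recovery agent, then reads
// it back as each of them and as a third party who holds neither key.
func Demo() (Outcome, error) {
	keys := map[string]*rsa.PrivateKey{}
	for _, who := range []string{"user", "recovery-agent", "stranger"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return Outcome{}, err
		}
		keys[who] = k
	}
	plain := []byte("Q3 salary review - confidential") // constructed contents
	f, err := Encrypt(plain, map[string]*rsa.PublicKey{
		"user": &keys["user"].PublicKey, "recovery-agent": &keys["recovery-agent"].PublicKey})
	if err != nil {
		return Outcome{}, err
	}
	reads := func(entry, withKey string) bool {
		got, err := Decrypt(f, entry, keys[withKey])
		return err == nil && string(got) == string(plain)
	}
	return Outcome{
		User:          reads("user", "user"),
		RecoveryAgent: reads("recovery-agent", "recovery-agent"),
		Stranger:      reads("stranger", "stranger") || reads("user", "stranger"), // no entry; wrong key
	}, nil
}

func main() {
	out, err := Demo()
	fmt.Println(out, err)
}
```

The design point the slide is making is visible in the structure: the data is encrypted once, and adding a recovery agent costs one more wrapped copy of the FEK rather than a second copy of the file. It also shows where the risk lives: whoever holds the recovery agent's private key can read every file that names that agent, so that key deserves the same protection as the data itself.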
Slide 22. Encrypting Transmitted Data
- IPSec Encrypts Data at the IP Layer
- SSL Encrypts Data at the Application Layer
- TLS Encrypts Data at the Application Layer
Diagram: Encrypted IP Packet
Slide 23. Discussion: Encrypting Data
Diagram: Windows 2000 Professional clients; Houston with Windows 2000 domain controllers; New York with a Windows NT 4.0 domain; clients running Windows 2000, Windows NT and Windows 95.
Slide 24. Introducing Public Key Infrastructure Technology
- Describing PKI Components
- Using Digital Certificates for Authentication
- Describing Certification Authorities
Slide 25. Describing PKI Components
- Key and Certificate Management Tools
- Certification Authority
- Certificate Publication Point
- Digital Certificate
- Public Key-Enabled Applications and Services
- Certificate Revocation List
Slide 26. Using Digital Certificates for Authentication
Sample certificate (callouts in parentheses):
  Subject: Scott Culp                    (subject's identity)
  Issuer: CA1                            (issuer's identity)
  Subject's Public Key:                  (subject's public key value)
  Serial Number: 29483756                (CA-issued ID number)
  Not Before: 6/18/99                    (validity period)
  Not After: 6/18/06
  Secure E-mail, Client Authentication   (extensions)
  Signed: Cg6&^78                        (CA's digital signature)
Slide 27. Describing Certification Authorities
Diagram: a Root CA issues to Intermediate CAs, which issue certificates to Public Key-enabled Applications and Services.
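An added Go example, not course code, that builds the hierarchy on this slide (a Root CA issuing to an intermediate CA named CA1, which issues the end-entity certificate with the fields from the certificate slide: subject, issuer, serial 29483756, validity 6/18/99 to 6/18/06, Secure E-mail and Client Authentication) and then verifies the chain the way a relying party does. The key sizes, the CA validity dates and the leaf's key usage bits are assumptions, and the keys are generated fresh on each run.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is the slide's hierarchy: Root CA, intermediate CA (CA1), end-entity certificate.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue signs tmpl with the signer's key; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Date(1999, 1, 1, 0, 0, 0, 0, time.UTC), // assumed CA validity
		NotAfter:              time.Date(2010, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain generates three key pairs and issues root, intermediate and leaf.
// The leaf carries the fields shown on the certificate slide.
func BuildChain() (*Chain, error) {
	var keys [3]*rsa.PrivateKey
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	rootKey, interKey, leafKey := keys[0], keys[1], keys[2]
	root, err := issue(caTemplate("Root CA", 1), nil, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	inter, err := issue(caTemplate("CA1", 2), root, &interKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(29483756),
		Subject:      pkix.Name{CommonName: "Scott Culp"},
		NotBefore:    time.Date(1999, 6, 18, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2006, 6, 18, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection, x509.ExtKeyUsageClientAuth},
	}
	leaf, err := issue(leafTmpl, inter, &leafKey.PublicKey, interKey)
	if err != nil {
		return nil, err
	}
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}, nil
}

// VerifyAt builds a path from the leaf through the intermediate to the trusted
// root for client authentication as of the given time; it fails outside the
// validity period or when the intermediate is not available.
func (c *Chain) VerifyAt(at time.Time, withIntermediate bool) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(c.Root)
	if withIntermediate {
		inters.AddCert(c.Intermediate)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		CurrentTime:   at,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	c, err := BuildChain()
	if err != nil {
		panic(err)
	}
	fmt.Println("in 2003:", c.VerifyAt(time.Date(2003, 1, 1, 0, 0, 0, 0, time.UTC), true))
	fmt.Println("in 2007:", c.VerifyAt(time.Date(2007, 1, 1, 0, 0, 0, 0, time.UTC), true))
}
```

Only the Root CA is placed in the trust store; CA1 is trusted solely because the root signed its certificate, which is the point of the hierarchy on the slide. The same verification call is where a relying party would also consult the Certificate Revocation List from the PKI components slide, a check this example does not perform.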
Slide 28. Review
- Introducing Security Features in Active Directory
- Authenticating User Accounts
- Securing Access to Resources
- Introducing Encryption Technologies
- Encrypting Stored and Transmitted Data
- Introducing Public Key Infrastructure Technology