Services Overview
How are security services integrated into the Windows Server architecture?
[Diagram: Windows Server architecture. User mode: Win32 application, Win32 subsystem, Security subsystem. Kernel mode: Executive services (Security Reference Monitor, I/O Manager, IPC Manager, Memory Manager, Plug and Play Manager, Power Manager, Process Manager, Window Manager), File System, Object Manager, Device Drivers, Microkernel, Graphics Device Driver.]
Active Directory
Definition: It is a hierarchical, tree-like structure.
Information about network resources is stored in the Active Directory database, which is a centralized database.
Forest
Domain Tree
Domain
Organizational Unit (OU)
Sites
[Diagram: a forest with two domain trees. Tree 1: ids.com with child domains ce.ids.com and it.ids.com. Tree 2: it.com with child domains ce.it.com and it.it.com.]
Designing a Forest (cont.)
The domains within a forest are joined together by Kerberos v5 transitive trusts.
Trust relationship: an agreement between two domains so that one domain can access the resources of the other. It is mainly established to manage the interaction between multiple domains.
(cont.)
Making the decision
The same software is used across the organization.
Using a single forest minimizes the number of administrative tasks globally.
Within a forest, transitive trust relationships are maintained automatically, so there is no need to maintain relationships manually.
[Diagram: the Security Subsystem passes the request for authorization to the Security Reference Monitor, which evaluates the object's DACL (Discretionary Access Control List) and its ACEs (Access Control Entries).]
Security Subsystem Components
The security subsystem components run within the Local Security Authority process, which includes:
Netlogon service (Netlogon.dll)
NTLM authentication protocol (Msv1_0.dll)
SSL authentication protocol (Schannel.dll)
Kerberos v5 authentication protocol (Kerberos.dll)
Kerberos Key Distribution Center (KDC) service (Kdcsvc.dll)
LSA server service (Lsasrv.dll)
Security Accounts Manager (SAM) (Samsrv.dll)
Directory Service module (Ntdsa.dll)
Multiple Authentication Provider (Secur32.dll)
Netlogon service (Netlogon.dll)
It maintains the computer's secure channel to a domain controller in its domain.
It passes credentials to the domain controller through the secure channel and returns an access token containing security identifiers and user rights.
It is also responsible for replication of Active Directory data to Windows NT backup domain controllers (in mixed mode only).
Kerberos v5 authentication protocol (Kerberos.dll)
Default authentication protocol used by Windows Server.
It is based on TGTs (ticket-granting tickets) and service tickets.
Security Accounts Manager (SAM) (Samsrv.dll)
It is used on non-domain controllers for storage of local security accounts.
It also enforces all locally stored policies.
Multiple Authentication Provider (Secur32.dll)
This SSP (Security Support Provider) supports all security packages available on the system.
Security packages include Kerberos, NT LAN Manager (NTLM), Secure Channel and Distributed Password Authentication.
LSA Functionality
Maintains all local security information for a Windows Server based computer.
It allows users to authenticate interactively with a Windows Server based computer.
It generates the access token, which contains the security identifiers (SIDs) for the user and all of the user's groups.
It manages local policy, which is overridden if a domain-, OU- or forest-level policy is defined in Active Directory.
It maintains the audit policy (logs and alerts for security references by the kernel).
It builds the list of trusted domains shown at the interactive logon screen.
It determines which users have been assigned privileges.
It manages memory quotas for usage.
It reads the System Access Control List (SACL) of each object to determine what security auditing has been defined for the object.
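The authorization path in the security subsystem diagram (request passed to the Security Reference Monitor, which walks the object's DACL and its ACEs) and the LSA's access token of user and group SIDs come together in one algorithm. The model below is an added example, not code from the original slides or from Windows itself: it reproduces how the monitor grants or denies a requested access mask against an ordered DACL. The right-bit values and the account SIDs in the comments are constructed for the example; the well-known group SIDs are the real Administrators (S-1-5-32-544) and Users (S-1-5-32-545) groups.

```python
"""
Simplified model of the Security Reference Monitor's DACL check.

The token carries the user's SID plus its group SIDs (built by the LSA).
The object's DACL is an ordered list of ACEs. The monitor walks the ACEs
in order: a matching access-denied ACE that overlaps the rights still
being requested denies immediately; matching access-allowed ACEs add
rights until everything requested has been granted. In canonical order
deny ACEs precede allow ACEs, which is why the first match decides.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Generic access-right bits (constructed values for this model, not the
# real Win32 constants).
READ = 0x1
WRITE = 0x2
EXECUTE = 0x4


@dataclass
class ACE:
    sid: str       # trustee SID this entry applies to
    rights: int    # access mask
    allow: bool    # True = access-allowed ACE, False = access-denied ACE


@dataclass
class Token:
    user_sid: str
    group_sids: Set[str] = field(default_factory=set)

    def sids(self) -> Set[str]:
        return {self.user_sid} | self.group_sids


def access_check(token: Token, dacl: Optional[List[ACE]], desired: int) -> bool:
    """Return True if the token is granted every bit in `desired`."""
    if dacl is None:        # NULL DACL: object is unprotected, everyone gets access
        return True
    if not dacl:            # empty DACL: nobody gets access
        return False
    remaining = desired
    for ace in dacl:
        if ace.sid not in token.sids():
            continue        # ACE is for some other trustee
        if not ace.allow and (ace.rights & remaining):
            return False    # a matching deny ACE wins immediately
        if ace.allow:
            remaining &= ~ace.rights
        if remaining == 0:
            return True     # all requested rights accumulated
    return False            # DACL exhausted before every right was granted
```

Note that an empty DACL and a NULL DACL give opposite results, which is why a check for "no ACEs" must distinguish the two.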
[Diagram: directory-enabled applications, mail, chat and news applications, IE, IIS, POP3 and other applications call the Security Support Provider Interface (SSPI); behind it sit the security protocols NTLM, Kerberos, SChannel (SSL/TLS) and Distributed Password Authentication.]
Windows NT LAN Manager (NTLM)
Used for pass-through network authentication and for local account authentication on Windows 2000 Professional and member servers.
Used to authenticate clients that are unable to use Kerberos authentication; this includes the Windows 95, Windows 98 and Windows NT operating systems.
Kerberos
Default authentication protocol used by Windows Server.
It provides mutual authentication of client and server, and better performance.
It is based on TGTs (ticket-granting tickets) and service tickets.
The Kerberos security provider uses the KDC service on a domain controller, together with Active Directory, to obtain TGTs and service tickets.
Distributed Password Authentication (DPA)
Shared-secret authentication protocol used by MSN.
DPA is a part of MCIS services.
It lets you use a single account and password to connect to all Internet sites that are members of the same Internet membership organization.