SAGE - Sage feature


Windows NT 5.0: Integration Friendly?

by Phil Cox

Phil is a member of the Computer Incident Advisory Capability (CIAC) for the Department of Energy. He also consults and writes on issues bridging the gap between UNIX and Windows NT.



I am on the plane home from the Microsoft Professional Developers Conference, and I am amazed at the effectiveness of Microsoft. Although I am a longtime UNIX supporter, I have to admit that this conference has made me much less skeptical about Microsoft's ability to embrace good technology solutions. I left feeling that the road to decent integration between NT and UNIX is a feasible thing, and with the next release of NT (version 5.0), that process has a good start.

Although NT 4.0 has good built-in security features, its integration with UNIX-based systems has left a lot to be desired, especially in the area of secure communications. Windows NT 5.0 starts to bridge the gap in this area. With the incorporation of Active Directory (AD), a Lightweight Directory Access Protocol (LDAP) compatible directory service, and Kerberos, a foundation for interoperability is being laid. Here is an overview of these two features and their use in integrating NT and UNIX.

Active Directory: Microsoft's Version of NIS+

Basics
For anyone familiar with Sun's NIS+, the Active Directory will seem very familiar. The parallels between NIS and NT 4.0 domains and NIS+ and Active Directory are remarkable.

The Windows NT Active Directory provides the store for all NT domain security policy and account information. It also provides replication and availability of account information to multiple Domain Controllers [1]. The AD supports LDAP, which enables you to link the Windows NT directory with other LDAP/X.500 directories. The AD also supports fine-grained access control. With this granularity, access rights can be granted down to individual properties on user objects (the NIS+ {row,entry} level). This enables a specific individual or group to have the right to reset passwords, but not to modify other account information. This new ability is unlike NT 4.0, which required Domain Admin permissions (i.e., total control) to modify any portion of the domain information.
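As an added illustration of the per-property access control described above (this code is not from the article or from Microsoft; the group names, attribute names and distinguished name are constructed for the example), here is a toy directory object whose ACL lets a Helpdesk group reset the password on a user object and nothing else, with default deny for anything no ACE grants:

```python
# Added example (not from the article): a toy model of per-property access
# control on a directory object. Groups, attribute names and the DN are
# constructed; they are not real Active Directory names.
from dataclasses import dataclass

READ, WRITE = "read", "write"
ALL = "*"  # wildcard meaning "every property on the object"


@dataclass(frozen=True)
class Ace:
    """One access control entry: `trustee` gets `right` on the named properties."""
    trustee: str
    right: str
    properties: frozenset


class DirectoryObject:
    def __init__(self, dn, acl, **properties):
        self.dn = dn
        self.acl = list(acl)
        self.properties = dict(properties)

    def is_allowed(self, subject, groups, right, prop):
        """Grant only if some ACE names the subject or one of its groups, the
        requested right, and the property (or the wildcard). Otherwise deny."""
        trustees = {subject, *groups}
        for ace in self.acl:
            if (ace.trustee in trustees and ace.right == right
                    and (ALL in ace.properties or prop in ace.properties)):
                return True
        return False

    def read(self, subject, groups, prop):
        if not self.is_allowed(subject, groups, READ, prop):
            raise PermissionError(f"{subject} may not read {prop} on {self.dn}")
        return self.properties[prop]

    def write(self, subject, groups, prop, value):
        if not self.is_allowed(subject, groups, WRITE, prop):
            raise PermissionError(f"{subject} may not write {prop} on {self.dn}")
        self.properties[prop] = value


def build_sample_account():
    """A user object whose ACL gives Domain Admins full control, gives the
    Helpdesk group write access to the password property only, and lets
    everyone read two harmless attributes."""
    acl = [
        Ace("Domain Admins", WRITE, frozenset({ALL})),
        Ace("Domain Admins", READ, frozenset({ALL})),
        Ace("Helpdesk", WRITE, frozenset({"password"})),
        Ace("Everyone", READ, frozenset({"displayName", "mail"})),
    ]
    return DirectoryObject("cn=jdoe,ou=users,dc=example,dc=com", acl,
                           displayName="Jane Doe", mail="jdoe@example.com",
                           password="old-secret", memberOf=["Users"])


def attempt(obj, subject, groups, right, prop, value=None):
    """Perform one access and report whether it was granted."""
    try:
        if right == READ:
            obj.read(subject, groups, prop)
        else:
            obj.write(subject, groups, prop, value)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    acct = build_sample_account()
    helpdesk = {"Helpdesk", "Everyone"}
    admins = {"Domain Admins", "Everyone"}
    print(attempt(acct, "bob", helpdesk, WRITE, "password", "new-secret"))     # True
    print(attempt(acct, "bob", helpdesk, WRITE, "memberOf", ["Domain Admins"]))  # False
    print(attempt(acct, "alice", admins, WRITE, "memberOf", ["Domain Admins"]))  # True
    print(attempt(acct, "bob", helpdesk, READ, "password"))                    # False
```

The point of the model is the third ACE: a password-reset right that carries no right to touch group membership or any other attribute, which is exactly the separation the article says NT 4.0 could not express.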

Another difference in NT 5.0 is that all Domain Controllers are considered equal, so updates made on any one of them modify the Active Directory. In NT 4.0, modifications were made only to the files on the Primary Domain Controller (PDC), then propagated. The NT 5.0 structure is called "multiple master." Like NIS+, you have a PDC (master in NIS+) and as many replicas (formerly Backup Domain Controllers) as needed. Because all are considered equal, updates made on one are made and synchronized to all others automatically (just like NIS+).

Structure Changes

The structure of the directory has changed as well. Like the transition from NIS, with its flat namespace, to NIS+ and its hierarchical namespace, the Windows NT domain model changed. NT 4.0 used a flat namespace and one-way trust relationships; NT 5.0 Active Directory uses a multilevel hierarchy tree of domains. Management of trust relationships between domains in the AD is simplified through treewide transitive trust throughout the domain tree.

Usage

Unlike NT 4.0, which uses account information maintained in a secure portion of the registry on the Domain Controller, the NT 5.0 distributed security services use the Active Directory as the repository for account information. The AD improves performance, scalability, and administration. The trust relationships are also much easier to manage. The NT 4.0 model of using domain trust and pass-through authentication was much more cumbersome than the transitive trust and Kerberos delegation that comes with NT 5.0.

Security

AD security is directly dependent upon physical security and the underlying NT 5.0 OS security, primarily the security features of Access Controls and NTFS.

Kerberos: A Move Toward Integration

Windows NT 5.0 has added support for more security protocols. Currently, NT 4.0 and earlier versions use the Windows NT LAN Manager (NTLM) protocol. This protocol is Microsoft-specific and does not integrate well in heterogeneous environments. Microsoft understood this and decided to support a protocol that is truly platform independent: Kerberos.

Kerberos Version 5 (RFC 1510) will replace NTLM as the primary security protocol for access to resources within or across Windows NT 5.0 domains. Kerberos is a standard that will provide for network authentication of heterogeneous machines. Some of the benefits of Kerberos are mutual authentication of both client and server, reduced load on the server during logon, and support for authorization delegation. Although Kerberos V5 will be the default authentication protocol, NTLM will continue [2] to be supported and used for pass-through network authentication, remote file access, and authenticated RPC connections to earlier versions of Windows NT.

NT 5.0 domains can be organized into a hierarchical domain tree. The trust relationships established between domains in the Active Directory allow users with accounts defined in one domain to be authenticated in another domain. Domain Trust relationships are established via Kerberos; thus the Kerberos transitive trust (delegation) model is in effect. This use of Kerberos will also allow the establishment of realm authentication between heterogeneous Kerberos realms.

Kerberos Highlights

Some of the NT 5.0 Kerberos highlights are:

  • Each Domain Controller will implement a Kerberos Key Distribution Center (KDC).
  • NT domains are equivalent to a Kerberos realm, but will still be called domains.
  • The KDC uses the Active Directory as the account database for users and groups.
  • Because each Domain Controller is a KDC, physical security is a high priority.
  • NT 5.0 domains use transitive trust relationships. Thus all NT domains contained within the AD will trust each other implicitly [3].
  • You can define trust relationships between existing Kerberos realms and NT 5.0 domains to generate ticket referral requests between realms and domains.
  • Microsoft plans to implement extensions [4] to support public-key authentication.

Heterogeneous "Realm Authentication"

This is a major win for those who want to be able to use a single login for integrated UNIX and NT 5.0 systems (caveat: Kerberos implementations must support the Interoperability Requirements defined in RFC 1510). Although ticket referrals are supported, non-Windows NT KDCs are not likely to contain the Authorization Data NT is expecting [5]. When this occurs, Windows NT will try to use the principal name in the ticket and create a security access token for a designated user account, or use a default account defined for this purpose. NT 5.0 will also integrate with DCE Security Services.
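To make the Kerberos flow in the highlights above and the authorization-data fallback in this paragraph concrete, here is an added example that is not from the article or from Microsoft. It models a KDC issuing a service ticket, a service in the NT realm verifying the ticket and the client's authenticator, the mutual-authentication reply, and the token-building step: SIDs are taken from the ticket's authorization data when an NT KDC issued it, and when a non-NT KDC issued it the principal name is mapped to a designated account or to a default account. Realm names, principals, SIDs and account names are constructed. Two simplifications are labelled in the code: tickets are integrity-protected with an HMAC as a stand-in for encryption, and cross-realm referral is collapsed into both KDCs knowing the service's key.

```python
# Added example, not from the article or from Microsoft: a toy of the Kerberos V5
# service-ticket flow. Tickets are HMAC-protected as a stand-in for encryption,
# and both KDCs share the service key (cross-realm referral collapsed). Realm,
# principal, account and SID strings are constructed.
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds of clock difference the verifier tolerates


def seal(key, payload):
    """Serialize payload and attach a keyed MAC under `key`."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def unseal(key, blob):
    """Verify the MAC and return the payload; raise on a wrong key or altered data."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("integrity check failed: wrong key or modified data")
    return json.loads(blob["body"])


class KDC:
    """One realm's KDC. `sids` is empty for a non-NT KDC, which has no Security
    IDs to place in the ticket's authorization data field."""
    def __init__(self, realm, service_keys, sids=None):
        self.realm, self.service_keys, self.sids = realm, service_keys, sids or {}

    def issue_ticket(self, cname, sname, lifetime=600, now=None):
        now = time.time() if now is None else now
        session_key = os.urandom(32)
        ticket = {"crealm": self.realm, "cname": cname, "sname": sname,
                  "session_key": session_key.hex(), "endtime": now + lifetime,
                  "authorization_data": self.sids.get(cname)}
        # Sealed under the service's long-term key, so the client cannot alter it.
        return seal(self.service_keys[sname], ticket), session_key


def make_authenticator(session_key, cname, now=None):
    """Client half of the AP-REQ: fresh proof of holding the session key."""
    return seal(session_key, {"cname": cname, "timestamp": time.time() if now is None else now})


class NTService:
    """Service in the NT realm: verifies the ticket, answers mutual auth, builds a token."""
    def __init__(self, service_key, designated_accounts, default_account, local_sids):
        self.key = service_key
        self.designated = designated_accounts  # "user@FOREIGN.REALM" -> NT account
        self.default_account = default_account
        self.local_sids = local_sids           # NT account -> SIDs for its token

    def accept(self, sealed_ticket, authenticator, now=None):
        now = time.time() if now is None else now
        ticket = unseal(self.key, sealed_ticket)
        if ticket["endtime"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(ticket["session_key"])
        auth = unseal(session_key, authenticator)
        if auth["cname"] != ticket["cname"] or abs(auth["timestamp"] - now) > CLOCK_SKEW:
            raise ValueError("authenticator does not match ticket or is stale")
        # AP-REP for mutual authentication: only a holder of the service key could
        # recover the session key, so echoing the timestamp under it proves the server.
        return seal(session_key, {"timestamp": auth["timestamp"]}), self.build_token(ticket)

    def build_token(self, ticket):
        principal = f'{ticket["cname"]}@{ticket["crealm"]}'
        if ticket["authorization_data"]:
            return {"principal": principal, "sids": ticket["authorization_data"],
                    "source": "authorization data"}
        # Foreign KDC without NT data: designated account if one exists, else default.
        account = self.designated.get(principal, self.default_account)
        return {"principal": principal, "account": account,
                "sids": self.local_sids[account], "source": "mapped account"}


def run_logon(kdc, service, cname):
    """Whole exchange for one principal; returns (server_authenticated, token)."""
    sealed, session_key = kdc.issue_ticket(cname, "host/fileserver")
    authenticator = make_authenticator(session_key, cname)
    ap_rep, token = service.accept(sealed, authenticator)
    # Client side of mutual auth: the server must echo the timestamp the client sent.
    sent = unseal(session_key, authenticator)["timestamp"]
    return unseal(session_key, ap_rep)["timestamp"] == sent, token


FS_KEY = os.urandom(32)  # long-term key of host/fileserver (constructed)
NT_KDC = KDC("NT.EXAMPLE", {"host/fileserver": FS_KEY},
             sids={"alice": ["S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-513"]})
UNIX_KDC = KDC("UNIX.EXAMPLE", {"host/fileserver": FS_KEY})  # issues no SIDs
FILESERVER = NTService(FS_KEY, designated_accounts={"bob@UNIX.EXAMPLE": "bob-nt"},
                       default_account="krb-guest",
                       local_sids={"bob-nt": ["S-1-5-21-1-1-1-1002"],
                                   "krb-guest": ["S-1-5-21-1-1-1-1999"]})

if __name__ == "__main__":
    print(run_logon(NT_KDC, FILESERVER, "alice"))    # SIDs straight from the ticket
    print(run_logon(UNIX_KDC, FILESERVER, "bob"))    # mapped to designated account bob-nt
    print(run_logon(UNIX_KDC, FILESERVER, "carol"))  # no mapping: default account
```

The third call shows the operational consequence of the fallback the article describes: any principal from the UNIX realm with no designated mapping ends up with the default account's SIDs, so what that default account can reach decides how much a foreign realm's users are trusted with.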

Authentication of External Users

NT 5.0 will provide support for public-key authentication on behalf of users who do not have a Windows NT domain account. Users will be authenticated by a public-key certificate and can be granted access to NT resources. NT 5.0 has the ability to associate one or more external users with an existing Windows NT account for access control. The subject name on the X.509 V3 certificate is used to identify the external user associated with the account. This many-to-one mapping provides a major benefit for external client integration.

Summary

Windows NT and UNIX integration is nowhere near seamless, but it is getting better. With the addition of Active Directory and Kerberos, the job is getting easier. This is moving in the right direction, and with it Windows NT 5.0 is a platform that can provide a good foundation for secure integration of heterogeneous platforms.

For more information, see <http://www.microsoft.com/ntserver> and <http://www.microsoft.com/security>.

Notes

[1] In NT 5.0, Domain Controllers are also Kerberos Key Distribution Centers. This has ramifications on trust relationships.

[2] Because Windows NT will continue to support NTLM authentication, you will still have to deal with the insecurities of NTLM.

[3] This is a feature of the Active Directory trust model. In NT 4.0 and earlier versions, interdomain trust relationships were established explicitly. They are defined by one-way trust relationships between Domain Controllers.

[4] A proposal to extend the Kerberos protocol specification to provide a method for using public-key cryptography for initial authentication has been submitted to the IETF working group for review.

[5] Kerberos V5 defines an encrypted field in session tickets to carry Authorization Data. NT 5.0 uses that field to hold Security IDs representing the user and group membership.


Last changed: 3rd December 1997 efc