Chapter 33. Study Guide

This chapter includes the following sections, which address various topics covered on the Designing a Microsoft Windows 2000 Network Infrastructure MCSE exam:

Planning Network Security

Discusses the basics of network security and the tasks you should perform to begin designing a secure network

Designing Basic Security

Introduces the basic security features of Windows 2000 and the process of creating a security baseline

Encrypted Filesystem (EFS)

Presents information about the Encrypted Filesystem, Windows 2000’s system for storing encrypted files within the NTFS

Designing Auditing

Discusses Windows 2000’s auditing features and how they can be used to monitor network security

Securing Network Services

Presents methods of adding security to Windows 2000’s network services, including DNS, RIS, and Terminal Services

Designing Secure Connectivity

Discusses methods of securing connectivity to public networks, VPNs, and SMB (file sharing)

Planning IP Security

Presents the details of how IPSec (IP Security) can create secure communication channels between Windows 2000 computers

Planning Network Security

Security is an important consideration in any network, whether it means keeping highly confidential files private or simply allowing users access to the files and other resources they need. Windows 2000 adds a number of security features to those of Windows NT:

  • Active Directory replaces the SAM database in NT 4.0 for domain-level security, but retains SAM for workstation security.

  • More sophisticated IP filtering allows any computer to receive only specific types of packets, or packets from trusted addresses.

  • IP Security (IPSec) uses encrypted network traffic to increase the security of TCP/IP networks.

The following sections explore the basics of Windows 2000 security and discuss the analysis and planning you should perform to begin designing a secure network.

Windows 2000 Security Overview

A secure network requires more than a secure operating system -- it requires a consistent design and plan followed by network administrators as well as other employees. The basic tasks involved in maintaining a secure network are discussed in the following sections.

Authentication

Authentication is what most users immediately recognize as a form of security -- the logon dialog box that is presented when Windows 2000 starts. This process involves verifying that the password and user account are correct and then allowing access to the network.

The authentication process is far more complex than it appears, because it provides security by not sending passwords directly across the network. The Windows 2000 authentication process uses Kerberos authentication, an Internet standard specified by RFC 1510. This is explained in detail later in this chapter.

Controlling access to resources

Although authentication identifies a specific, authorized user, this does not in itself provide security. The next key component of a security design is the control of user access to such resources as files, printers, and modems.

Using the NTFS, you can control a user’s ability to access files. Using Active Directory, you can control the user’s ability to access printers and other resources, referred to as objects, as well as access to the Active Directory itself.

Auditing resource access

A third component of a secure network is auditing. Windows 2000’s auditing features allow user actions (such as logon or file access) to be logged in whatever level of detail you desire.

Although a perfectly secure network would not require auditing, no network is perfectly secure. An audit trail and regular analysis allow you to determine whether unauthorized access is happening and to further analyze problems that do occur so as to prevent future problems.

Encryption

A network is only as secure as the wires its data is carried on, and in large networks, an immense amount of wire is involved -- from the local building’s cabling to WAN connections and modem lines. In many networks, this is complicated further by the use of VPNs (virtual private networks). These networks use the Internet -- which is inherently very insecure -- as their transport.

Encryption is a way to prevent unauthorized access to data in these networks. Although the cabling may be relatively insecure (and the Internet even more so), encrypted data is useless without the ability to decrypt it. Of course, the quality of the encryption scheme is critical. Windows 2000’s available encryption methods are explained later in this chapter.

Analyzing Business Requirements

Before you begin to configure Windows 2000 for a secure network, you should look at the company itself. To begin designing a secure network, analyze the company’s security needs -- which can vary widely within the company:

  • Users need to access their personal files and certain shared files.

  • Management needs to restrict access to certain areas.

  • The IS department needs simple methods of adding users to the network or changing privileges.

Your security design should begin with a list of requirements for all users, managers, and departments, from general items like those listed above to specific names of files, directories, and printers. The following sections discuss the information you should examine.

Company structure

The company’s organizational structure is an important element of a security design. It specifies which managers should assign the privileges to certain users and, ideally, describes the different departments and divisions that will require different security settings.

Size and locations

The scope of a company is a critical factor in a security design. For tiny companies, for example, a design may simply define three types of users and the resources they have access to. An example of this would be creating three user groups for customer service representatives, database programmers, and network administrators. Customer service employees may have Read access to billing information, the database programmers may have Read and Write access, and the network administrators might have full control over the customer database. For a company with multiple locations, each location may have a different organizational structure and different security requirements.

At the extreme, international companies may have different requirements for each location and for different organizations and may even have separate security administrators and IS departments to manage separate locations. With some companies, the locations can be treated similarly; with others, there is more similarity to a group of companies with certain communication channels than to a single, cohesive organization.

Analyzing Technical Requirements

Although business requirements are an essential part of a security design, technical requirements are also important. You should work with the IS department to determine technical needs and factor these into the design. The following sections describe typical technical considerations.

Connectivity and bandwidth

Although not strictly a security issue, the connectivity and bandwidth available between departments or locations is an important consideration. Methods of connectivity are part of the network infrastructure design, but they may also have an impact on security:

  • Some types of WAN links are more secure than others.

  • Internet links in particular require strong encryption to ensure security.

  • Several security methods (such as encryption) may have an impact on the bandwidth or response time available to users.

Performance requirements

Performance effects of security measures are another consideration. Although heavy use of IP filtering and encryption can provide strong security, they can also slow down the performance of servers and the network. You may need to plan to use faster machines or multiple servers to meet the performance and security needs of the company.

Mapping Company Information

To continue your security design, you should map the flow of information in the company. This includes information transmitted across the network, as well as information that travels through other channels. The following section describes aspects of information you should map.

Information flow

Whether or not the company currently uses the network for communication, you should map the flow of information in the company. This includes information sent through memos, email, or phone conversations.

This can facilitate setting up improved communication systems, and it is also important to security; for example, if several users work as a team at adjacent stations, it would be pointless to give them different access privileges. On the other hand, if a user has to repeatedly ask a supervisor to look up information, the user may need more privileges to be efficient.

Product life cycle

The life cycle of a company’s product can also affect information flow. For example, a company that produces physical products would have different communication needs during the processes of design, production, inventory management, sales, and service.

By contrast, a software company might divide its product life cycle into design, feasibility testing, programming, debugging, alpha testing, beta testing, production, sales, shipping, and support. During different phases, users may require different types of network access, and different aspects of security may be important.

In a well-organized company, its organizational chart may already divide the components of the product life cycle into departments: for example, the Testing department handles all testing, and the Sales department handles all sales. This makes it easy to assign security by department. On the other hand, in a smaller company these roles may be shared by one or more departments.

Decision-making structure

To complete your map of company information flow, you should document how decisions relating to security will be made. Will a single administrator have complete discretion to grant privileges to users? Will a single manager direct the IS department for all security needs? Or are several people or departments involved in the decision-making process?

Mapping Network Roles

Your security design should also include a list of network roles. These are the various types of users that will require network access. Rather than listing current users and their security needs, the design should focus on the roles the users hold, such as Payroll Administrator or Backup Administrator.

These roles can be given the appropriate privileges for their responsibilities, and the users who currently handle the job can be assigned to the roles. The following sections discuss different types of roles you may wish to include in your security design.

End-user roles

End-user roles are those that apply to a specific user or group of users, such as Payroll Administrator or Accounts Payable Manager. These roles should be based on the company’s organizational chart, and each should have specific needs.

Resource ownership

In the Windows 2000 security system, such resources as files are typically owned by a user. Your design should specify which user role owns each resource and thus has control over it.

Administrative roles

Administrative roles include tasks usually performed by the IS department: for example, Backup Administrator, Security Manager, or Internet Access Manager. You should define a list of roles and specify the resources that each will need to access.

Service roles

Service roles do not usually represent actual users. These represent user accounts that will be used by applications and network services: for example, IIS (Internet Information Server) uses a user account to define its access to files, and automated backup routines use a user role that has limited access to a large number of files.
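The role mapping described in this section and in the customer-database example under "Size and locations" can be written down as a checkable design document. The following Python model is an added example, not code from the book; the role names, resource name, user names and the design checks are constructed for illustration.

```python
"""Role-based security design: roles carry permissions, users carry roles.

Added example (not from the book). Resources, roles and users are
constructed to match the chapter's customer-database example.
"""
from enum import Flag

class Perm(Flag):
    READ = 1
    WRITE = 2
    CHANGE_PERMISSIONS = 4
    FULL_CONTROL = READ | WRITE | CHANGE_PERMISSIONS

# Design document: role -> {resource: permissions}. End-user, administrative
# and service roles all live in the same table.
ROLE_PERMISSIONS = {
    "Customer Service Rep": {"customer-db": Perm.READ},
    "Database Programmer": {"customer-db": Perm.READ | Perm.WRITE},
    "Network Administrator": {"customer-db": Perm.FULL_CONTROL},
    "Backup Service": {"customer-db": Perm.READ},  # service role, not a person
}
RESOURCE_OWNER = {"customer-db": "Network Administrator"}  # owning role
USER_ROLES = {  # constructed sample users; privileges come only via roles
    "alice": {"Customer Service Rep"},
    "bob": {"Database Programmer"},
    "carol": {"Network Administrator"},
    "svc_backup": {"Backup Service"},
}

def effective_permissions(user, resource, user_roles=USER_ROLES,
                          role_perms=ROLE_PERMISSIONS):
    """Union of the permissions of every role the user holds on the resource."""
    perms = Perm(0)
    for role in user_roles.get(user, ()):
        perms |= role_perms.get(role, {}).get(resource, Perm(0))
    return perms

def can(user, resource, perm):
    return perm in effective_permissions(user, resource)

def design_violations(role_perms, owners, user_roles):
    """Checks over the design: one owning role with full control per resource,
    no other role able to change permissions, no user in an undefined role."""
    problems = []
    resources = {r for perms in role_perms.values() for r in perms}
    for res in sorted(resources):
        owner = owners.get(res)
        if owner is None:
            problems.append(f"{res}: no owner role assigned")
            continue
        if role_perms.get(owner, {}).get(res, Perm(0)) != Perm.FULL_CONTROL:
            problems.append(f"{res}: owner role {owner} lacks Full Control")
        for role, perms in role_perms.items():
            if role != owner and Perm.CHANGE_PERMISSIONS in perms.get(res, Perm(0)):
                problems.append(f"{res}: non-owner role {role} can change permissions")
    for user, roles in user_roles.items():
        for role in sorted(roles - set(role_perms)):
            problems.append(f"{user}: assigned to undefined role {role}")
    return problems
```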

Analyzing Security Risks

Securing a network always involves some degree of risk: the chance that security will be compromised. No matter how secure the operating system or how secure your security policies, there is always a certain element of risk. The key to good security lies in determining the level of risk that is acceptable and eliminating unacceptable risks.

Finding current security risks

Whether you are dealing with a company currently running a previous version of Windows NT, a different operating system, or no computers at all, there is a potential for security risks. These range from the highly technical (OS bugs that allow a determined cracker to gain access) to the logistical (secure documents left in easily accessible or public locations).

A vital part of your security design is a list of current security risks and the ways your design can correct them. The following are typical examples of common security risks:

  • Employees using easy-to-guess passwords or keeping written notes of their passwords

  • Poorly managed file security allowing employees to read, modify, or delete (either deliberately or accidentally) inappropriate files

  • Physical security that makes network security useless: for example, an unlocked door to the room containing the file server or printouts of confidential information in trash cans

  • The potential for malicious attacks from crackers, current or former employees, or competitors

These are only a few examples. The best way to find security risks is to attempt to attack the network yourself, without using administrative passwords, and to see how easy or difficult this task is.

Determining acceptable risks

It’s impossible to eliminate all security risks. Rather than attempt to, you should determine the level of risk that is acceptable. This may vary wildly, depending on the type of company you are working with: a small company may tolerate a great number of unlikely risks, while a bank or government organization may need to guarantee that very few or no significant risks exist.

You may wish to deem a risk acceptable if it is difficult to prevent and has a relatively small risk of serious impact (for example, employees taking printouts of their own files home) or if the cost of preventing it is greater than the potential cost of the data lost or compromised due to the risk.

Analyzing new systems

Every new component you add to the network, or to the company’s infrastructure in general, adds new security risks. This includes major changes, such as a new operating system, as well as small changes, such as installing new software or creating new user accounts.

You should analyze your security design at every step to determine whether the added components will introduce new risks, and then decide on the best way to prevent those risks.

Planning for Change

Network security is an ongoing task, and your security design should include a plan to regularly reevaluate the security of the existing network, hardware, and software and make necessary changes. Security can also be affected by incidental changes to the network.

The following sections discuss these changes and other final issues you should consider when planning a secure network.

Identifying upgrades and patches

In most networks, upgrades are regularly performed. These may include any or all of the following:

  • New software versions

  • New operating system versions

  • New hardware

  • New WAN or LAN infrastructure equipment

Any of these upgrades may cause changes to the security of the network, and you should review the security design and assess the impact before making any changes. In particular, new versions of operating systems always create new security holes.

Another upgrade you should regularly perform is to check for updated security patches for operating systems (such as Windows 2000) and other software you may have on the network (web browsers, email programs, etc.).

Technical support

Supporting users with technical problems is necessary in all but the simplest networks, and your network design should include a plan for managing the technical support personnel with security in mind. If technical support personnel are not mindful of security, they can cause more harm to the network’s security than mere users.

System administration

Last but not least, your security design should consider the impact security will have on the system administrators. Here are some potential problems to watch out for:

  • If too many security measures are used, the administrative work to set up users, grant access, and perform other tasks becomes overwhelming.

  • If users are forced to deal with complicated security mechanisms, administrators and technical support personnel will have to spend time training users and correcting any problems they encounter.
