Security

Many Windows 2000 distributed security systems use public key technology. You can deploy a wide variety of security solutions that take advantage of the benefits of public key technology.

Security Technologies That Use Public Key Technology

The following Windows 2000 distributed security systems use public key technology:

  • A network logon authentication that uses the Kerberos v5 authentication protocol, including logging on with smart cards (a permitted extension to the Kerberos protocol).

  • A Routing and Remote Access service that supports secure remote access to network resources. Routing and Remote Access supports the following:

    • Integration with Active Directory, the Windows 2000 directory service that makes it possible to manage remote user authentication through the use of domain network user accounts and Group Policy settings.

    • Remote Authentication Dial-In User Service (RADIUS), which makes it possible to manage remote user authentication through a variety of authentication protocols.

    • User authentication that is based on the Extensible Authentication Protocol and Transport Layer Security (EAP-TLS). Supports the authentication of users through public key certificates and the smart card logon process.

    • Confidential communication over public Internet lines by using the Layer 2 Tunneling Protocol (L2TP) and the Point-to-Point Tunneling Protocol (PPTP).

    • Remote network access and logging on through the virtual private networks and public Internet service providers.

  • Microsoft Internet Information Services, which supports Web site security through certificate mapping and secure channel communications with the Secure Sockets Layer (SSL) protocol, Transport Layer Security (TLS) protocol, and Server Gated Cryptography (SGC) protocol.

  • IPSec, which supports IP-level, end-to-end authentication, integrity, anti-replay, and encrypted communication over open IP networks, including the Internet.

  • Encrypting File System, which makes it possible for a user to encrypt folders and files for safekeeping and allows an administrator to recover files when the users private key is damaged or lost.

Public key security in Windows 2000 is based on industry-standard public key technologies, such as the Diffie-Hellman Key Agreement algorithm, the RSA public key algorithms developed by RSA Data Security, and the Digital Signature Algorithm. Windows 2000 security also makes use of the industry-standard, X.509 version 3 digital certificates that are issued by the certification authorities that you choose to trust. Many Windows 2000 security features use public key technology as well as certificates to provide authentication, integrity, confidentiality, and nonrepudiation for network and information security.

Public Key Security Benefits

The Windows 2000 public key infrastructure enables you to deploy strong security solutions that use digital certificates and public key technology. Security solutions can include the following:

  • Secure mail, which uses certificates and the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol to ensure the integrity, origin, and confidentiality of e-mail messages.

  • Secure Web sites, which use certificates and certificate mapping to map certificates to network user accounts for controlling user rights and permissions for Web resources.

  • Secure Web communications, which use certificates and the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to authenticate servers, to optionally authenticate clients, and to provide confidential communications between servers and clients.

  • Software code signing, which uses certificates and digital signing technology (such as Microsoft Authenticode) to ensure the integrity and authorship of software that is developed for distribution on an intranet or on the Internet.

  • Smart card logon process, which uses certificates and private keys stored on smart cards to authenticate local and remote access network users.

  • Internet Protocol security (IPSec) client authentication, which has the option to use certificates to authenticate clients for IPSec communications.

  • Encrypting File System (EFS), which uses certificates for both EFS user and EFS recovery agent operations.

  • Custom security solutions, which use certificates to provide confidentiality, integrity, authentication, or nonrepudiation.