Using Windows 2000 Professional with Windows 2000 Server

When using Windows 2000 Professional in a Windows 2000 Server–based environment, you can take advantage of Windows 2000 Server distributed security features that provide you with flexibility to delegate account administration, strong authentication with the Kerberos v5 protocol, network security at the domain level with Internet Protocol security (IPSec), and public-key security technology.

Because security in Windows 2000 Server is integrated with Active Directory, administrators can administer the network precisely by granting specific rights to Active Directory containers. In Windows 2000 Server, the Kerberos v5 protocol is the default mechanism for authentication and access control. It provides a common protocol that enables a single-account database to access all services in a mixed environment. The Kerberos v5 protocol is an Internet security standard with mutual authentication of client and server and provides server load balancing during the authentication process. Kerberos v5 is implemented for a variety of systems and provides a single authentication service in a distributed network.

The Kerberos v5 protocol is a shared-secret authentication protocol in which the user and the authentication service both know the user's password or the one-way encrypted password. The Kerberos protocol defines the interactions between a client and a network authentication service known as a Key Distribution Center (KDC). Windows 2000 implements a KDC as the authentication service on each domain controller. The KDC uses Active Directory as the account database for users and groups. The initial Windows NT domain logon is provided by the WinLogon single sign-on architecture. Initial Kerberos-protocol authentication is integrated with WinLogon. Windows 2000 Server also provides other mechanisms for authentication, such as smart cards and NTLM for compatibility with other versions of Windows.
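The shared-secret idea described above, as an added example that is not part of the original text and is not the Kerberos v5 message format or its cryptography: a simplified model in which client and KDC each prove knowledge of a key derived one-way from the password, so the password never crosses the network. The class and function names, the HMAC/PBKDF2 construction, the 300-second skew window and the sample account are all assumptions made for illustration.

```python
import hashlib
import hmac

SKEW = 300  # assumed tolerance (seconds) between client and KDC clocks

def long_term_key(password, principal):
    # One-way derivation: the account database holds this, not the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _mac(key, role, principal, ts):
    # The role label keeps a client proof from being reflected back as a KDC reply.
    return hmac.new(key, b"|".join([role, principal.encode(), str(ts).encode()]),
                    hashlib.sha256).digest()

class KDC:  # hypothetical stand-in for the authentication service
    def __init__(self):
        self.accounts = {}  # stand-in for the account database
        self.seen = set()   # replay cache of accepted (principal, timestamp) pairs

    def add_account(self, principal, password):
        self.accounts[principal] = long_term_key(password, principal)

    def authenticate(self, principal, ts, proof, now):
        key = self.accounts.get(principal)
        if key is None or abs(now - ts) > SKEW:
            return None  # unknown account, or timestamp outside the skew window
        if not hmac.compare_digest(proof, _mac(key, b"client", principal, ts)):
            return None  # client does not hold the shared secret
        if (principal, ts) in self.seen:
            return None  # captured proof replayed
        self.seen.add((principal, ts))
        return _mac(key, b"kdc", principal, ts)  # KDC's proof to the client

def client_request(principal, password, ts):
    key = long_term_key(password, principal)
    return _mac(key, b"client", principal, ts), key

def client_verify_kdc(key, principal, ts, reply):
    # Mutual authentication: only a KDC holding the same key can produce this.
    return reply is not None and hmac.compare_digest(reply, _mac(key, b"kdc", principal, ts))

def demo():
    user, now = "alice@EXAMPLE.COM", 1_000_000  # constructed sample values
    kdc = KDC()
    kdc.add_account(user, "correct horse")
    proof, key = client_request(user, "correct horse", now)
    first = kdc.authenticate(user, now, proof, now)
    replay = kdc.authenticate(user, now, proof, now)
    return client_verify_kdc(key, user, now, first), replay is None

if __name__ == "__main__":
    print(demo())
```

In this model the timestamp bounds how long a captured proof is useful and the replay cache covers the remaining window, which is why client and server clocks must agree to within the skew tolerance.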

For more information about security at the domain level, see the Distributed Systems Guide. For more information about the security features available in Windows 2000 Professional, see Security in this book.

Many Windows 2000 Server security features use public key technology as well as certificates to provide authentication, integrity, confidentiality, and nonrepudiation for network and information security. Public key security in Windows 2000 is based on industry-standard public key technologies, such as the Diffie-Hellman Key Agreement algorithm, the RSA public key algorithms developed by RSA Data Security, and the Digital Signature Algorithm. Windows 2000 security also makes use of the industry-standard X.509 version 3 digital certificates that are issued by trusted certification authorities. For more information about the public key technologies used in Windows 2000, see the Distributed Systems Guide.

Windows 2000 incorporates Internet Protocol security (IPSec) for data protection of network traffic. IPSec is a suite of protocols that allow secure, encrypted communication between two computers over an insecure network. The encryption is applied at the IP network layer, so it is transparent to most applications that use specific protocols for network communication. IPSec provides end-to-end security, meaning that the IP packets are encrypted by the sending computer, are unreadable while they are being transmitted, and can be decrypted only by the recipient computer. For more information about IPSec, see Internet Protocol Security in the Microsoft Windows 2000 Server Resource Kit TCP/IP Core Networking Guide.