Deploying Strategies for Users

Some users might want to access secured company applications when they are away from their offices. Some of these applications are relatively simple, such as time management, company benefits registration, or similar programs. Others are complex, such as accounting systems and line-of-business applications. Make sure that you secure these applications so that only authorized users can access the data and that they can only make authorized changes. This also provides accountability, because use of the applications can be tracked to specific users.

Windows 2000 includes a variety of security technologies that provide application developers with options for including network security. The choice of technologies depends on:

  • The application's security requirements

  • Integration issues

  • The developer's degree of familiarity with the technology

  • Network and application performance impact

  • Administration complexity

The application-oriented network security technologies include:

  • Security Support Provider Interface (SSPI) — a general-purpose security API through which an application obtains authentication, message integrity, and message privacy services from whichever security package is installed (NTLM, Kerberos, or Schannel for SSL/TLS) without coding to a specific protocol.

  • Windows NTLM security, also known as Windows NT domain-level security. Windows 2000 keeps NTLM for compatibility with Windows NT 4.0 and earlier clients and servers, and for logons where Kerberos cannot be used (for example, to a stand-alone server or to a server addressed by IP address rather than by name); Kerberos is the default for Windows 2000 domain members.

  • Kerberos v5 authentication protocol. For more information about this, see "Planning Distributed Security" in this book.

  • Secure Sockets Layer (SSL). SSL has been enhanced and standardized by the Internet Engineering Task Force (IETF) as Transport Layer Security (TLS, RFC 2246). On Windows 2000 both are implemented by the Schannel security package, which applications reach through SSPI.

  • Certificates, as discussed earlier in this chapter.
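Choosing between NTLM and Kerberos is only half the job; you also want to confirm which package your applications actually end up using, because an application that falls back to NTLM keeps Windows NT-era weaknesses in the deployment. The following Python script is an added example (not part of this guide) that triages exported Security-log logon events by authentication package. The event descriptions are constructed to follow the layout of Windows 2000 events 540 (successful network logon) and 528 (successful logon) as this example assumes it; verify the field names against a real export before relying on it. The allowlist of accounts permitted to use NTLM is hypothetical.

```python
"""Triage Windows 2000 Security-log logon events by authentication package.

Added example, not code from the deployment guide. The event text in
SAMPLE_EVENTS is constructed; it follows the assumed layout of Windows 2000
event 540/528 descriptions (tab-separated "Field:\tvalue" lines under a
title line). Real exports may differ in whitespace, so parsing is tolerant.
"""
import re
from collections import Counter

# Constructed sample: (event ID, description) pairs as exported from Event Viewer.
SAMPLE_EVENTS = [
    (540, "Successful Network Logon:\n"
          "\tUser Name:\tjdoe\n"
          "\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x1A2B3C)\n"
          "\tLogon Type:\t3\n"
          "\tLogon Process:\tKerberos\n"
          "\tAuthentication Package:\tKerberos\n"
          "\tWorkstation Name:\t\n"),
    (540, "Successful Network Logon:\n"
          "\tUser Name:\tpayroll-svc\n"
          "\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x1B4D22)\n"
          "\tLogon Type:\t3\n"
          "\tLogon Process:\tNtLmSsp \n"
          "\tAuthentication Package:\tNTLM\n"
          "\tWorkstation Name:\tAPP01\n"),
    (528, "Successful Logon:\n"
          "\tUser Name:\tasmith\n"
          "\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x2C0011)\n"
          "\tLogon Type:\t2\n"
          "\tLogon Process:\tUser32  \n"
          "\tAuthentication Package:\tNegotiate\n"
          "\tWorkstation Name:\tWS17\n"),
    (540, "Successful Network Logon:\n"
          "\tUser Name:\tlegacy-fax\n"
          "\tDomain:\tCORP\n"
          "\tLogon ID:\t(0x0,0x2D9A01)\n"
          "\tLogon Type:\t3\n"
          "\tLogon Process:\tNtLmSsp \n"
          "\tAuthentication Package:\tNTLM\n"
          "\tWorkstation Name:\tFAXGW\n"),
]

# One "Field name:<whitespace>value" line; trailing whitespace is discarded.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")


def parse_event(event_id, description):
    """Return the description's fields as a dict, plus the numeric EventID."""
    fields = {"EventID": event_id}
    for line in description.splitlines()[1:]:  # line 0 is the event title
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("val")
    return fields


def package_counts(events):
    """Count logons per authentication package ("?" if the field is missing)."""
    return Counter(parse_event(i, d).get("Authentication Package", "?")
                   for i, d in events)


def ntlm_logons(events, allowlist=frozenset()):
    """Return (DOMAIN\\user, workstation) for NTLM logons by accounts not on
    the allowlist of accounts that are known to still need NTLM."""
    hits = []
    for event_id, desc in events:
        f = parse_event(event_id, desc)
        if f.get("Authentication Package") != "NTLM":
            continue
        account = f"{f.get('Domain', '')}\\{f.get('User Name', '')}"
        if account not in allowlist:
            hits.append((account, f.get("Workstation Name", "")))
    return hits


def undetermined_logons(events):
    """Logons recorded under the Negotiate package. The package name alone does
    not say whether Negotiate settled on Kerberos or fell back to NTLM, so
    these need a second look (for example, a matching ticket-granting event)."""
    return [f"{f.get('Domain', '')}\\{f.get('User Name', '')}"
            for f in (parse_event(i, d) for i, d in events)
            if f.get("Authentication Package") == "Negotiate"]


if __name__ == "__main__":
    print("Logons by package:", dict(package_counts(SAMPLE_EVENTS)))
    print("Unexpected NTLM:", ntlm_logons(SAMPLE_EVENTS, {"CORP\\legacy-fax"}))
    print("Negotiate (undetermined):", undetermined_logons(SAMPLE_EVENTS))
```

Run against a real export, the NTLM list tells you which applications or hosts to take back to their developers or vendors; entries in the Negotiate list are not evidence either way until correlated with Kerberos ticket events.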

These network security technologies, and the network technologies that access them, relate to each other as indicated in Figure 17.6. Note that SSP in the figure stands for Security Support Provider: the package (such as the NTLM, Kerberos, or Schannel package) that implements a security protocol behind the SSPI interface. Remote Procedure Call (RPC), Microsoft® Distributed Component Object Model (DCOM), and Windows Sockets (Winsock) are process-to-process communication methods. WinInet (Windows Internet API) is a programming interface that client programs use to access Internet protocols such as HTTP and FTP.

The network security technologies are in the lower half of the diagram, starting at the SSPI. The network technologies are in the upper half of the diagram and are located underneath the application box that uses them.


Figure 17.6 Relationships of Sample Network Application Security Technologies

Work with your corporate application developers and vendors to determine which application-oriented network security technologies you need to deploy. Beyond the domain (Kerberos) and certificate (SSL/TLS, smart card) infrastructure already planned in this chapter, these technologies do not require further infrastructure planning; however, you do need to determine how your developers can benefit from the more powerful network security that Windows 2000 provides. For example, they might consider using smart cards to ensure secure user authentication when the Routing and Remote Access or VPN links are set up; note that smart card logon is a Kerberos logon and requires certificates issued by an enterprise certification authority.