Peter T. Brundrett

Improving the granularity of access control in Windows NT

This paper presents the access control mechanisms in Windows 2000 that enable fine-grained protection and centralized management. These mechanisms were added during the transition from Windows NT 4.0 to support the Active Directory, a new feature in Windows 2000. We first extended entries in access control lists to allow rights to apply to just a portion of an object. The second extension allows centralized management of object hierarchies by specifying more precisely how access control lists are inherited. The final extension allows users to limit the rights of executing programs by restricting the set of objects they may access. These changes have the combined effect of allowing centralized management of access control while precisely specifying which accesses are granted to which programs.

Kerberos authentication in Windows NT 5.0 domains

Abstract Enterprise networks using Windows NT are growing in size and complexity. Windows NT 5.0 uses the Kerberos Version 5 authentication protocol and the Active Directory for network security in Windows NT domains. The Windows NT implementation of the Kerberos Version 5 protocol is based on RFC 1510, which has gone through a wide industry review and is well known in the security community [1]. Kerberos authentication provides many features that support performance and security objectives for Enterprise networks. Microsofts implementation will support any RFC 1510-compliant clients, but will be required for full support of Windows NT networks because the Microsoft version includes permitted extensions to the standard. Windows NT 5.0 integrates the Kerberos protocol into the existing Windows NT distributed security model. Windows NT uses the extensibility features of the protocol, as have other security architectures, such as DCE and SESAME [2]. The Kerberos protocol is just one of the security protocols supported in Windows NT 5.0. Others include NTLM for backward compatibility, SSL and the IETF standard Transport Layer Security (TLS) for public-key authentication, Simple Protected Negotiation (SPNEGO) of security mechanisms, and IP security (IPsec) for network layer security using either shared-key or public-key authentication.