Let’s start with a quick review of the basics to set
the foundation for this discussion of network access and
authentication. Windows Server 2008 authentication is a two-part
process involving authentication of the user (interactive login) and
access control to network resources. When a user logs in, their
identity is verified through Active Directory (AD) Domain Services and
this provides controlled access to Active Directory objects. As the
user attempts to access various network resources, their network
authentication credentials are used to determine whether or not the
user has permission to access those resources. User accounts and groups,
which also affect network access, are part of AD as well. Authentication can also
occur through a public key infrastructure (PKI), which uses digital
certificates and certification authorities to verify and authenticate
entities including users, computers, and services. Group Policy is used
to manage configuration settings for servers, clients, and users.
Remote Authentication Dial-In User Service (RADIUS) is a protocol that
was originally created to provide authentication and authorization for
dial-in access. Its role has since expanded to include wireless access
points, authenticating Ethernet switches, virtual private network
servers, and more. In Windows Server 2008, the RADIUS function is
handled by the Network Policy and Access Services role.
As you can see from Figure 1,
the Network Policy and Access Services role installs Network Policy
Server (NPS) and Routing and Remote Access (RRAS). Under the NPS node,
you’ll find RADIUS Clients and Servers, Policies, Network Access
Protection (NAP) and Accounting. Under the Routing and Remote Access
node, you’ll find Network Interfaces, Remote Access Logging &
Policies, IPv4 and IPv6.
Back
to NPS: NPS allows you to configure and manage network policies from a
centralized location. You can configure and manage RADIUS server,
RADIUS proxy, and Network Access Protection (NAP) policy server from
within this role. With NPS, you can authorize and authenticate network
connections through different access servers such as 802.1x
authenticating switches, wireless access points (WAP), virtual private
network (VPN) servers, dial-up servers, and computers running Windows
Server 2008 with Terminal Services Gateway (TS Gateway).
Network
Policy Server creates and enforces organization-wide access policies for
clients. These services include client health, connection request
authentication, and connection request authorization. You can also use
NPS as a RADIUS proxy to forward connection requests for authentication
and authorization to NPS or other RADIUS servers. As part of NPS,
routing and remote access services can also be installed. These give
remote users access to resources through VPN or dial-up connections.
RRAS can also be used to provide routing services on small networks or
to connect two private networks across the Internet.
To
summarize, authentication in Windows Server 2008 is provided by
numerous infrastructure components including Active Directory Domain
Services, Group Policy, Public Key Infrastructure, and RADIUS. These
interact with Network Policy Server (NPS). For example, in Active
Directory, you can configure user or computer accounts to either Allow Access or Control Access Through NPS Network Policy (recommended). In Windows Server 2008, the Control Access Through NPS Network Policy (recommended)
is selected by default. When using groups to manage access, you can
then use your existing groups and create network policies in NPS that
either allow access (with or without restrictions) or deny access based
on existing groups. For example, you can configure a policy in NPS that
specifies that the Marketing group has unrestricted VPN access. You might
also configure another NPS policy that specifies that Vendors can never
have VPN access.
Tip
Numerous
authentication and communication-based protocols are no longer
supported in Windows Server 2008 (and Windows Vista). We’ve listed a
few here, but for the full list (and subject to change until the final
version of Windows Server 2008 is released), refer to the Microsoft Web
site. Support has been removed for:
X.25
SLIP-based connections (automatically updated to PPP-based connections)
ATM
NWLinkIPX/SPX/NetBIOS Compatible Transport Protocol
Service for Macintosh
OSPF
SPAP, EAP-MD5-CHAP and MS-CHAPv1 authentication protocols

NTLMv2 and Kerberos Authentication
Starting
with Windows 2000, Kerberos Version 5 (Kerberos) was supported as the
default authentication protocol in Active Directory. The NT LAN Manager
(NTLM) protocol is still supported for authentication with clients that
require NTLM (i.e., for backward compatibility only). You can control
how NTLM is used through Group Policy. The default authentication level
in most cases is “Send NTLMv2 Response Only.” At this level, clients
use only NTLMv2 authentication, and they use NTLMv2 session security
only if the server supports it.
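The authentication level the text refers to is set through Group Policy, but it can be audited directly on a server or client. The following PowerShell script is an added example, not code from the book: it reads the registry value that backs the “Network security: LAN Manager authentication level” policy (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel, 0 to 5), maps it to the policy’s own descriptions, and reports whether the computer meets the “Send NTLMv2 Response Only” baseline. Treating an absent value as level 3 is an assumption made here to match the default described above; the script requires Windows PowerShell 2.0 or later.

```powershell
# Added example, not from the book: audit the local "LAN Manager authentication level".
# The Group Policy setting "Network security: LAN Manager authentication level" is backed by
# the registry value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel (0-5);
# the level-to-description table below is the standard one used by that policy.
# Requires Windows PowerShell 2.0 or later.

$LmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name 'LmCompatibilityLevel' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value not set: the operating-system default applies. Assumption: treat it as level 3,
        # which matches the "Send NTLMv2 Response Only" default described in the text.
        return 3
    }
    return [int]$item.LmCompatibilityLevel
}

function Test-NtlmHardening {
    param([int]$Level = (Get-LmCompatibilityLevel))
    New-Object PSObject -Property @{
        Level           = $Level
        Description     = $LmLevels[$Level]
        ClientSendsLm   = ($Level -le 1)   # the weak LM response is still sent at levels 0-1
        ServerAcceptsLm = ($Level -le 3)   # a server or DC at levels 0-3 still accepts LM and NTLM
        MeetsBaseline   = ($Level -ge 3)   # baseline from the text: send NTLMv2 response only
    }
}

# Reading the value needs no elevation; changing it belongs in Group Policy, not here.
Test-NtlmHardening | Format-List Level, Description, ClientSendsLm, ServerAcceptsLm, MeetsBaseline
```

Note that levels 3 and above only govern what the computer sends; a server at level 3 still accepts LM and NTLM responses from down-level clients, which is why the `ServerAcceptsLm` flag is reported separately from `MeetsBaseline`.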
You
can configure Kerberos to utilize different methods of authentication,
and these can be set via NPS for the network as well as in the IPsec
Settings tab of the Windows Firewall with Advanced Security Properties,
which we’ll discuss a bit later in this chapter.
To
begin, install this role on your Windows Server 2008 computer if it’s
not already installed. To do so, open Server Manager, choose Add Roles, then select Network Policy and Access Services. Follow the on-screen prompts, which are self-explanatory, to complete the configuration. To install Health Registration Authority (HRA) and Host Credential Authorization Protocol
(HCAP), you also need Web Server (IIS) installed. For our
purposes, we will disregard these two options and focus just on network
access. Once Network Policy and Access Services is installed, you can
access the services through the Server Manager interface. As shown in Figure 10.15,
you can start, stop, or check the status of a service as well as set
Preferences. Note that you can deploy NPS in a number of ways at
various points in your forest or domain. It is beyond the scope of this
chapter to discuss these options in detail.
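The Add Roles wizard has a command-line counterpart in Windows Server 2008, ServerManagerCmd.exe, which is useful when the role has to be installed on several servers or verified by a script. The following PowerShell script is an added example and not code from the book: it checks whether the Network Policy Server and Routing and Remote Access role services are installed, installs any that are missing, and then reports the state of the services behind the role. The role-service identifiers NPAS-Policy-Server and NPAS-RRAS-Services and the service names IAS and RemoteAccess are real Windows Server 2008 names; the assumption about how `ServerManagerCmd -query` formats its output is noted in the code.

```powershell
# Added example, not from the book: the command-line counterpart of the Server Manager
# "Add Roles" wizard described above. ServerManagerCmd.exe ships with Windows Server 2008
# (it was deprecated in later versions). Run from an elevated PowerShell 2.0 (or later) session.

function Test-RoleServiceInstalled {
    param([string]$Id)
    # Assumption about the -query output format: installed items are printed as
    # "[X] <display name>  [<Id>]" and uninstalled ones as "[ ] <display name>  [<Id>]".
    $pattern = '^\s*\[X\].*\[' + [regex]::Escape($Id) + '\]\s*$'
    foreach ($line in (ServerManagerCmd.exe -query)) {
        if ($line -match $pattern) { return $true }
    }
    return $false
}

function Install-NpsRoleServices {
    # NPAS-Policy-Server = Network Policy Server, NPAS-RRAS-Services = Routing and Remote Access.
    # HRA and HCAP are left out here, as in the text, because they also require IIS.
    param([string[]]$Ids = @('NPAS-Policy-Server', 'NPAS-RRAS-Services'))
    foreach ($id in $Ids) {
        if (Test-RoleServiceInstalled -Id $id) {
            Write-Host "$id is already installed."
            continue
        }
        # -install also adds the parent Network Policy and Access Services role if needed.
        ServerManagerCmd.exe -install $id
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "ServerManagerCmd -install $id returned exit code $LASTEXITCODE; check its output (a restart may be required)."
        }
    }
}

function Get-NpasServiceStatus {
    # Windows service names behind the role: IAS = Network Policy Server,
    # RemoteAccess = Routing and Remote Access.
    Get-Service -Name 'IAS', 'RemoteAccess' -ErrorAction SilentlyContinue |
        Select-Object Name, DisplayName, Status
}

Install-NpsRoleServices
Get-NpasServiceStatus | Format-Table -AutoSize
```

After the role services are installed, the same ServerManagerCmd query can be reused in a compliance check to confirm that only the intended role services (and not HRA or HCAP, which bring IIS with them) are present on the server.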
WLAN Authentication Using 802.1x and 802.3
NPS
is responsible for network access security and is used to provide secure
wireless access. Windows Server 2008 also provides features
that enable you to deploy 802.1x-authenticated wired service for IEEE
802.3 Ethernet network clients. In conjunction with 802.1x-capable
switches and other Windows Server 2008 features, you can control
network access through Wired Network Policies in Windows Server 2008
Group Policies. Recall that NPS is used to configure remote
connections. The 802.3 wired network specification allows you to use
the 802.1x specification to provide wired networking access. This is
configured via NPS and uses Protected Extensible Authentication
Protocol (PEAP) authentication. It is outside the scope of this book to
discuss how to plan, configure, and deploy a WLAN authentication
method, but we will discuss these concepts to the extent you need to
understand the changes in the Windows Server 2008 environment.
Tip
Group
Policy and Network Policy Server are two Windows Server 2008 areas with
which you should be familiar. Understand the role of Group Policy
versus the role of Network Policy Server in securing the network. Be
able to explain in your own words what these two features do in Windows
Server 2008. If you can describe them in your own words, there’s a good
chance you understand their functionality and will be able to
distinguish right and wrong answers on the exam.
Let’s
start with some definitions as a review. The 802.11 standard defined
the shared key authentication method for authentication and Wired
Equivalent Privacy (WEP) for encryption for wireless communications.
802.11 ultimately ended up being a relatively weak standard and newer
security standards are available and recommended for use. The 802.1x
standard that existed for Ethernet switches was adapted to the 802.11
wireless LANs to provide stronger authentication than the original
standard. 802.1x is designed for medium to large wireless LANs that
have an authentication infrastructure, such as AD and RADIUS in the
Windows environment. With such an infrastructure in place, the 802.1x
standard supports dynamic WEP, in which the keys are mutually determined
and negotiated by the wireless client and the RADIUS server. However, the
802.1x standard also supports the stronger Wi-Fi Protected
Access (WPA) encryption method. The 802.11i standard formally replaces
WEP with WPA2, an enhancement to the original WPA method.
Wireless and Wired Authentication Technologies
Windows
Server 2008 supports several authentication methods for authenticating
a computer or user that is attempting to connect via a protected
wireless connection. These same technologies support 802.1x
authenticated wired networks as well. These Extensible Authentication
Protocol (EAP) methods are:
EAP–TLS
PEAP–TLS
PEAP–MS–CHAPv2
Extensible
Authentication Protocol–Transport Layer Security (EAP–TLS) and
Protected Extensible Authentication Protocol–Transport Layer Security
(PEAP–TLS) are used in conjunction with Public Key Infrastructure (PKI)
and computer certificates, user certificates, or smart cards. Using
EAP–TLS, a wireless client sends its certificate (computer, user, or
smart card) for authentication and the RADIUS server sends its computer
certificate for authentication. By default, the wireless client
authenticates the server’s certificate. With PEAP–TLS, the server and
client create an encrypted session before certificates are exchanged.
Clearly, PEAP–TLS is a stronger authentication method because the
authentication session data is encrypted.
If
there are no computer, user, or smart card certificates available, you
can use PEAP-Microsoft Challenge Handshake Authentication Protocol
version 2 (PEAP-MS-CHAPv2). This is a password-based authentication
method in which the exchange of the authentication traffic is encrypted
(using TLS), making it difficult for hackers to intercept and use an
offline dictionary attack to access authentication exchange data. That
said, it’s the weakest of these three options for authentication
because it relies on the use of a password.
A Windows-based client running Windows Vista or Windows Server 2008 can be configured in the following ways:
Group Policy
Command line
Wired XML profiles
Using
Group Policy, you can configure the Wired Network (IEEE 802.3) Policies
Group Policy extension, which is part of the Computer Configuration node of
Group Policy and can specify wired network settings in the AD environment.
The Group Policy extension applies only to Windows Server 2008 and
Windows Vista computers. The command line can be used within the netsh context using the lan command (netsh lan). You can explore the available commands by typing netsh lan /?
at the command line prompt. Wired XML profiles are XML files that
contain wired network settings. These can be imported and exported to
Windows Server 2008 and Windows Vista clients using the netsh context as well. You can use netsh lan export profile or netsh lan add profile to export or import a wired profile using the command line.
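The netsh lan export and add profile commands above can be scripted so that a wired profile configured on one reference client is captured, inspected, and then applied to other Windows Vista or Windows Server 2008 clients. The following PowerShell script is an added example, not code from the book: it exports the wired profile of every LAN interface, summarises whether 802.1x is enabled and which of the EAP methods discussed earlier (EAP-TLS or PEAP) each profile uses, and provides the matching import function. The assumptions it makes, none of which are stated on the page, are that `netsh lan show interfaces` prints a “Name : <adapter>” line per wired adapter, that the exported XML uses the OneXEnabled and EapMethod/Type elements of the Microsoft LAN profile schema, and that EAP method numbers follow the IANA registry (13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2). The export folder under %TEMP% is a constructed path for the example.

```powershell
# Added example, not from the book: round-trips wired (IEEE 802.3) profiles with the netsh lan
# commands mentioned above and summarises the 802.1x settings in each exported XML file.
# Assumptions not stated on the page: "netsh lan show interfaces" prints a "Name : <adapter>"
# line per wired adapter; the exported profile uses the OneXEnabled and EapMethod/Type
# elements of the Microsoft LAN profile schema; EAP method numbers follow the IANA registry
# (13 = EAP-TLS, 25 = PEAP, 26 = EAP-MSCHAPv2). Requires Windows PowerShell 2.0 or later.

$ExportFolder = Join-Path $env:TEMP 'wired-profiles'   # constructed path for this example
$EapTypeNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2' }

function Get-WiredInterfaceNames {
    foreach ($line in (netsh lan show interfaces)) {
        if ($line -match '^\s*Name\s*:\s*(.+?)\s*$') { $Matches[1] }
    }
}

function Export-WiredProfiles {
    param([string]$Folder)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    foreach ($name in Get-WiredInterfaceNames) {
        # netsh writes one XML file per interface into the folder= location
        netsh lan export profile folder="$Folder" interface="$name" | Out-Null
    }
    Get-ChildItem -Path $Folder -Filter '*.xml'
}

function Import-WiredProfile {
    param([string]$Path, [string]$Interface)
    # Counterpart of the export: applies a saved profile to the named adapter on another client.
    netsh lan add profile filename="$Path" interface="$Interface"
}

function Get-WiredProfileSummary {
    param([System.IO.FileInfo]$File)
    $xml = [xml](Get-Content -Path $File.FullName)
    # local-name() keeps the XPath independent of the schema namespaces.
    $oneX   = $xml.SelectSingleNode("//*[local-name()='OneXEnabled']")
    $method = $xml.SelectSingleNode("//*[local-name()='EapMethod']/*[local-name()='Type']")
    $type = $null
    if ($method -ne $null) { $type = [int]$method.InnerText }
    $eapName = 'none/unknown'
    if ($type -ne $null -and $EapTypeNames.ContainsKey($type)) { $eapName = $EapTypeNames[$type] }
    New-Object PSObject -Property @{
        Profile     = $File.BaseName
        OneXEnabled = ($oneX -ne $null -and $oneX.InnerText -eq 'true')
        EapType     = $type
        EapName     = $eapName
    }
}

Export-WiredProfiles -Folder $ExportFolder |
    ForEach-Object { Get-WiredProfileSummary -File $_ } |
    Format-Table Profile, OneXEnabled, EapType, EapName -AutoSize
```

A profile that reports `OneXEnabled` as false, or an unexpected EAP method, is the kind of drift that the Wired Network (IEEE 802.3) Policies Group Policy extension is meant to prevent on domain-joined clients; the export is also a convenient way to archive the reference configuration before rolling it out with `Import-WiredProfile`.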
For
Windows XP SP2 or Windows Server 2003-based computers, you can manually
configure wired clients by configuring 802.1x authentication settings
from the Authentication tab of the properties dialog box of a LAN
connection in the Network Connections folder, as shown in Figure 2, which shows the Network Connections Properties dialog box from a Windows XP Pro SP2 computer.