Windows 2000 Security

Authentication is performed by the system to be sure the user is really who they claim to be. Authentication may be done at and for a local computer or at a global level for a domain using domain controllers across the network. Windows 2000 supports the following types of authentication:

  • Kerberos V5 (RFC 1510) - An Internet-standard authentication protocol and the default protocol for Windows 2000 computers within a domain. It is not used between computers in different forests.
  • Windows NT LAN Manager (NTLM) - Used to authenticate users from Windows 95, 98, and NT systems. Windows 2000 Active Directory must be operating in mixed mode to use this authentication method.
  • Secure Sockets Layer/Transport Layer Security (SSL/TLS) - Requires certificate servers and is used to authenticate users that are logging onto secure web sites.
  • Smart card

Authentication uses the X.509 certificate standard and Kerberos.

Additional security features include IPSec for Virtual Private Networking (VPN) encryption, and Encrypting File System (EFS) to encrypt file contents.


Kerberos was developed at the Massachusetts Institute of Technology (MIT). Kerberos uses a Kerberos Domain Controller (KDC). The Kerberos ticket is the client's proof that it has permission to access the resource.

NTLanman Authentication

NT 4.0 uses NTLanman (NTLM) authentication, in which a domain controller authenticates clients and passes back a token. The server holding the resource contacts the domain controller to find out whether the client has access permission.

Encrypting File System (EFS)

EFS runs as a service and uses a public and private key system to control the encryption and decryption of files. The encryption process breaks a file into blocks and encrypts each block with one of several symmetric keys. These keys are stored in the file header in a Data Decryption Field (DDF) and a Data Recovery Field (DRF). The header is itself encrypted and can only be decrypted by a recovery agent or with the user's private key. The key used to encrypt the file is encrypted with the public key from the user account's X.509 certificate and stored in the file. Different keys are used for different files, so a key obtained from one file cannot be used to decrypt another. The encryption keys are never written to the memory paging file.

Files or directories may be encrypted; when a directory is encrypted, its contents are encrypted together. EFS cannot encrypt files across the network. Files that are moved stay encrypted, but they must be moved to another NTFS volume. Files moved into an encrypted folder are encrypted as they are moved. If an application stores its temporary files in an encrypted directory, those temporary files are encrypted as well.

To perform EFS recovery, the user must be designated an EFS recovery agent in Group Policy and hold an EFS Recovery Agent certificate. When a recovery agent recovers files, the keys themselves are not recovered and cannot be copied. To decrypt files, the recovery agent unlocks the Data Recovery Field (DRF) using the public key. A recovery key can only decrypt files that were encrypted after that recovery key was created.
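An added illustration, written for this page in Go (not Microsoft's code), of the DDF/DRF key-wrapping model described in the two paragraphs above: a fresh per-file key is wrapped once for the user and once for the recovery agent, so the agent can decrypt without the user's private key, while an agent key created after the file was encrypted cannot. RSA-OAEP, AES-GCM and the "DDF"/"DRF" labels are assumptions for this example, not the Windows 2000 algorithms or on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// EncryptedFile is a constructed model of the header the page describes (DDF, DRF) plus the ciphertext.
type EncryptedFile struct {
	DDF, DRF    []byte // file key wrapped under the user's / agent's public key
	Nonce, Data []byte
}

// Encrypt draws a fresh symmetric key for every file, so a key taken from one file
// cannot open another, and stores it twice in the header. RSA-OAEP and AES-GCM are
// stand-ins for the Windows 2000 CSP algorithms, which the page does not name.
func Encrypt(plain []byte, user, agent *rsa.PublicKey) (*EncryptedFile, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	fek, nonce := buf[:32], buf[32:]
	ddf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, user, fek, []byte("DDF"))
	if err != nil {
		return nil, err
	}
	drf, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, agent, fek, []byte("DRF"))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek) // fixed 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return &EncryptedFile{DDF: ddf, DRF: drf, Nonce: nonce, Data: gcm.Seal(nil, nonce, plain, nil)}, nil
}

// Decrypt unwraps the file key from one header field with the matching private key:
// the user opens the DDF, the recovery agent the DRF; neither needs the other's key.
// An agent key created after encryption was never wrapped in, so DecryptOAEP fails.
func Decrypt(f *EncryptedFile, field []byte, label string, priv *rsa.PrivateKey) ([]byte, error) {
	fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, field, []byte(label))
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(fek)
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, f.Nonce, f.Data, nil)
}
```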

The cipher.exe command line program can be used to perform encryption and decryption. Command line options:

  • /d - Decrypt files or folders.
  • /e - Encrypt files or folders.
  • /f - Force encryption or decryption of all specified files and folders, regardless of their current state.
  • /I - Ignore errors.
  • /q - Only report essential information.
  • /s - Encrypt all subdirectories and files in a directory.

A filename parameter is required on the command line to specify the name of a file or directory.


Secure Sockets Layer (SSL) is used to encrypt data going across the network.