DCOM Explained
by Rosemary Rock-Evans
Digital Press
ISBN: 1555582168   Pub Date: 09/01/98



Microsoft’s Products and Services

As we saw in Chapter 10, Microsoft’s own security services are currently provided primarily by Windows NT, although this may change in the future. In the following paragraphs I describe each of these services in relation to the security functions we looked at earlier in this chapter.

Authentication

User ID. Authentication in Windows NT is based on a user ID and a password. The password is encrypted. A user can be an individual or a group, and roles and aliases are also supported.

The table of users, passwords, and public keys is stored with the Registry on each host and so must be set up on every machine; each table holds only host-specific information, namely the users allowed to access that host. This is likely to change with the introduction of the Active Directory, a service I describe in the next chapter, since the Active Directory is to hold the security data as a central store of information replicated around the network.

When a client calls a method or creates an instance of a component, DCOM obtains the client’s username and checks to see if the username is valid and the password correct. Only if the username is authentic is the name passed to the machine or process where the component is actually running. DCOM on the component’s machine then checks the authorization.

Microsoft Certificate Server. Microsoft Certificate Server is a service used to manage digital certificates conforming to the X.509 standard. Microsoft has thus provided the software for a company to set itself up as a TTP (Trusted Third Party), or digital certificate authority.

It, too, runs as a Windows NT service and handles certificate requests, the issue of certificates, and revocation lists. It also logs all transactions for auditing purposes.

The Server consists of four main components:

  The Entry Module. Handles requests for certificates. It can be customized to accept client requests in a number of different formats. Once a request has been handled it is sent to the Certificate Server Policy Module for processing.
  The Policy Module. Decides whether to grant a certificate according to its trust policy. The module can be adapted to add user policies and can also look up information in external databases as part of checking identity. Where manual checks are required, an alert is sent to the appropriate personnel.
  The Certificate Engine. Responsible for creating digital certificates, storing published certificates, generating the key pair, and logging. The log tracks all requests and their status and stores published certificates and certificate revocation lists for auditing purposes.
  The Exit Module. Packages certificates in the format required by the application. The module can send certificates by e-mail or publish them in either an LDAP-compliant directory service or an ODBC-compliant database. It is also responsible for delivering Certificate Revocation Lists.
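As an added illustration of the four-module pipeline just described (example code written for this page, not Microsoft's; the X.509 encoding, key generation and CA signature are replaced by stand-ins, and the identity database, trust policy and delivery format are constructed):

```python
import hashlib, hmac, json, secrets

CA_SIGNING_KEY = b"constructed-ca-key"                      # stand-in for the CA's private key
IDENTITY_DB = {"alice": "Engineering", "bob": "Finance"}   # constructed "external database"

def entry_module(raw_request):
    """Accept a request as JSON bytes or a dict and normalise it for the policy module."""
    req = json.loads(raw_request) if isinstance(raw_request, bytes) else raw_request
    return {"subject": req["subject"].lower(), "usage": req.get("usage", "email")}

def policy_module(request, manual_queue):   # grant, deny, or escalate per the trust policy
    if request["subject"] not in IDENTITY_DB:   # identity check against the external database
        return "deny"
    if request["usage"] == "code-signing":      # high-risk usage: alert a person instead
        manual_queue.append(request)
        return "manual"
    return "grant"

def sign(fields):   # stand-in for the CA signature: HMAC over the canonical JSON of the fields
    return hmac.new(CA_SIGNING_KEY, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()
class CertificateEngine:
    def __init__(self):
        self.log, self.issued, self.crl = [], {}, set()   # audit log, published certs, revocations
    def issue(self, request):
        cert = {"serial": secrets.token_hex(8), "subject": request["subject"],
                "usage": request["usage"], "public_key": secrets.token_hex(16)}  # key pair stand-in
        cert["signature"] = sign(cert)
        self.issued[cert["serial"]] = cert
        self.log.append(("issued", cert["serial"]))
        return cert
    def revoke(self, serial):
        self.crl.add(serial)
        self.log.append(("revoked", serial))

def exit_module(engine, cert):   # package cert plus the current CRL in the delivery format (JSON)
    return json.dumps({"certificate": cert, "crl": sorted(engine.crl)})

def process(engine, raw_request, manual_queue):
    req = entry_module(raw_request)
    decision = policy_module(req, manual_queue)
    engine.log.append(("request", req["subject"], decision))   # every request is logged
    return decision, exit_module(engine, engine.issue(req)) if decision == "grant" else None

def verify_delivery(package):   # relying party: check the CA signature, then the delivered CRL
    pkg = json.loads(package)
    cert = dict(pkg["certificate"])
    sig = cert.pop("signature")
    if not hmac.compare_digest(sig, sign(cert)):
        return "bad-signature"
    return "revoked" if cert["serial"] in pkg["crl"] else "valid"
```

Note that a package delivered before a revocation still carries the old CRL, which is why the Exit Module's CRL delivery is a separate, ongoing duty rather than a one-off.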

Smart cards. Microsoft has decided that smart cards are a critical component of its security strategy, particularly its public key infrastructure. It intends to use the cards to store private keys, account names, passwords, and other forms of personal information, so that the card provides access not only via public key authentication and encryption but also, for example, via user name/password authentication. The card is intended to provide a form of “single sign-on” mechanism.

Microsoft is also adding smart card support to its development tools, including Visual C++, Visual Basic, and Visual J++, in addition to integrating it with Windows NT and other Windows platforms. Smart card support has been added to the NetPC and PC98 design specifications. Microsoft has also produced an implementation of the PC/SC specifications for Windows NT 4, which has been released to Workgroup members and a limited number of third-party smart card providers.

