While Routing and Remote Access (RRAS) security is sufficient for small networks, larger companies often need a dedicated infrastructure for authentication. RADIUS is a standard for dedicated authentication servers.
Windows 2000 Server and Windows Server 2003 include the Internet Authentication Service (IAS), an implementation of a RADIUS server. IAS supports authentication for Windows-based clients, as well as for third-party clients that adhere to the RADIUS standard. IAS stores its authentication information in Active Directory, and can be managed with Remote Access Policies. IAS first appeared for Windows NT 4.0 in the Windows NT 4.0 Option Pack and in Microsoft Commercial Internet System (MCIS) 2.0 and 2.5.
While IAS requires the use of an additional server component, it provides a number of advantages over the standard methods of RRAS authentication. These advantages include centralized authentication for users, auditing and accounting features, scalability, and seamless integration with the existing features of RRAS.
In Windows Server 2008, Network Policy Server (NPS) replaces the Internet Authentication Service (IAS). NPS performs all of the functions of IAS in Windows Server 2003 for VPN and 802.1X-based wireless and wired connections and performs health evaluation and the granting of either unlimited or limited access for Network Access Protection clients.
Logging
By default, IAS logs to local files (%systemroot%\LogFiles\IAS\*) though it can be configured to log to SQL as well (or in place of).
When logging to SQL, IAS appears to wrap the record data in XML and then call the stored procedure report_event, passing the XML as text; the stored procedure can then unwrap the XML and save the data as desired by the user.
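To make the report_event step concrete, here is an added example (not IAS code and not Microsoft's stored procedure) that does in Python with SQLite what a site-written report_event would do in SQL: take the XML text handed over for one event, unwrap it into named attributes, and insert only the fields the administrator wants to keep. The sample record and its element names are constructed for illustration and are an assumption, not the exact schema IAS emits; the point is the unwrap-then-store pattern, including rejecting a document that is not a single event.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample of one logged event: an XML wrapper around a flat set
# of attribute elements. Element names are assumptions for illustration,
# not a claim about the exact schema IAS produces.
SAMPLE_EVENT_XML = """<Event>
  <Timestamp>05/10/2005 14:23:01.000</Timestamp>
  <Computer-Name>IAS01</Computer-Name>
  <User-Name>DOMAIN\\alice</User-Name>
  <Client-IP-Address>192.0.2.10</Client-IP-Address>
  <Packet-Type>1</Packet-Type>
  <Reason-Code>0</Reason-Code>
</Event>"""

# The columns this illustrative report_event keeps. Anything else in the
# record is dropped, which is the "save data as desired" part.
COLUMNS = ("Timestamp", "Computer-Name", "User-Name",
           "Client-IP-Address", "Packet-Type", "Reason-Code")


def unwrap_event(doc_text):
    """Parse the XML text for one event into a dict of attribute -> value."""
    root = ET.fromstring(doc_text)
    if root.tag != "Event":
        raise ValueError("expected <Event> root, got <%s>" % root.tag)
    # Each child element is one attribute; a missing text node becomes "".
    return {child.tag: (child.text or "").strip() for child in root}


def open_log_db(path=":memory:"):
    """Create the destination table. Column names are quoted because the
    attribute names contain hyphens."""
    conn = sqlite3.connect(path)
    cols = ", ".join('"%s" TEXT' % c for c in COLUMNS)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS ias_events (id INTEGER PRIMARY KEY, %s)" % cols
    )
    return conn


def report_event(conn, doc_text):
    """Python stand-in for the report_event stored procedure: unwrap the XML
    and insert the selected fields as one row. Returns the new row id."""
    fields = unwrap_event(doc_text)
    names = ", ".join('"%s"' % c for c in COLUMNS)
    placeholders = ", ".join("?" for _ in COLUMNS)
    cur = conn.execute(
        "INSERT INTO ias_events (%s) VALUES (%s)" % (names, placeholders),
        [fields.get(c) for c in COLUMNS],
    )
    conn.commit()
    return cur.lastrowid


def count_events(conn):
    """Number of rows stored so far."""
    return conn.execute("SELECT COUNT(*) FROM ias_events").fetchone()[0]


if __name__ == "__main__":
    db = open_log_db()
    report_event(db, SAMPLE_EVENT_XML)
    print(db.execute("SELECT * FROM ias_events").fetchall())
```

Because the server only passes text, the stored procedure is the one place where the record is interpreted; parsing it strictly (one <Event> root, known attribute names) is what keeps a malformed or unexpected record from silently landing in the audit table.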
History
The initial version of Internet Authentication Service was included with the Windows NT 4.0 Option Pack.
Windows 2000 Server's implementation added support for more intelligent resolution of user names that are part of a Windows Server domain, support for UTF-8 logging, and improved security.[1] It also added support for EAP authentication on IEEE 802.1X networks; PEAP support was added later (with Service Pack 4).
Windows Server 2003's implementation introduces support for logging to a Microsoft SQL Server database, cross-forest authentication (for Active Directory user accounts in other Forests that the IAS server's Forest has a cross-forest trust relationship with, not to be confused with Domain trust which has been a feature in IAS since NT4), support for IEEE 802.1X port-based authentication, and other features.[2]
All versions of IAS support multi-domain setups; only Windows Server 2003 supports cross-forest authentication. While the NT 4.0 version included a RADIUS proxy, Windows 2000 did not have such a feature. Windows Server 2003 reintroduced it and can intelligently proxy requests, load-balance across back-end servers, and tolerate faulty or unreachable back-end servers.
Introduction
The current system for securing end-user transactions over the Internet consists of information transfer via HTTP over SSL, with trust established using server-based certificates. The components of this system need re-examining in the light of the current threats to Internet-based commerce.
Threat Analysis
There are three classes of threat to secure transactions over the internet, which are within the domain of this paper. (Threats such as server compromise, company employee dishonesty, trojaned clients and so on are outside its scope.) They are:
- Eavesdropping (someone is listening to my conversation)
- Impersonation (I'm not conversing with who I think I am)
- Scamming (I'm conversing with who I think I am, but they are dishonest)
The difference between impersonation and scamming is as follows. Impersonation is where I think I'm conversing with Barclays Bank, but actually I'm knowingly conversing with www.secure-barclays.co.uk, whom I assume to be Barclays but who are not. Scamming is where I am conversing with what appears to be a legitimate organisation such as a business, but they misuse the information I give them.
Is "scamming" the best word here? It needs to be specific enough not to include those items covered under impersonation, so words like "dishonesty", "fraud" and so on don't work. "Misrepresentation"? "False pretences"?
Current Threats
If we look at which of the threats is most prevalent in May 2005, the answer is clearly impersonation, in the form of "phishing". Phishing is the setting-up of fake websites purporting to be those of existing well-known entities, with the aim of harvesting valuable information such as bank login details or credit card numbers. The existence of the 300-member Anti-Phishing Working Group is evidence of industry concern over this issue.
No-one is cracking the encryption on secure connections because the value of the data secured by a single transaction is generally far too low. This is unlikely to change; as cracking hardware gets cheaper, key lengths get longer and cracking gets harder. But the reason that there are not so many complex scamming attacks is not technical but pragmatic - impersonation works, and it is so much easier and cheaper. As impersonation gets harder, scamming will rise.
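The impersonation threat described above (the Barclays versus www.secure-barclays.co.uk distinction, and phishing sites in general) comes down to one question a server certificate does not answer: the certificate proves the connection is to the hostname shown, not that the hostname belongs to the organisation the user has in mind. The following added example, which is not part of the paper, shows the defender-side check that closes that gap: reduce whatever a link points at to its registrable domain and compare it against the organisation's own domains, flagging hostnames that carry the brand name but sit under some other registrable domain. The allow-list, the brand string and the tiny public-suffix table are constructed assumptions for illustration; a real deployment would use the organisation's actual domains and the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the registrable domains a customer should expect
# for the organisation. An assumption for this example only.
LEGITIMATE_DOMAINS = {"barclays.co.uk", "barclays.com"}

# Tiny stand-in for the Public Suffix List, also an assumption; the real
# list is far larger. Needed so that "co.uk" is not treated as a domain
# anyone owns.
PUBLIC_SUFFIXES = {"co.uk", "org.uk", "uk", "com", "net", "org"}


def registrable_domain(host):
    """Return the registrable domain of a hostname: the longest matching
    public suffix plus one label to its left, e.g.
    www.secure-barclays.co.uk -> secure-barclays.co.uk. None if the host is
    itself a public suffix or has no known suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # first hit is the longest suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None                # the host *is* a public suffix
            return ".".join(labels[i - 1:])
    return None


def classify(link, brand="barclays"):
    """Classify where a link or bare hostname actually leads, relative to the
    organisation's legitimate domains:
      'legitimate' - registrable domain is on the allow-list
      'lookalike'  - brand name appears but the registrable domain is not ours
      'unrelated'  - some other domain with no brand reference
      'invalid'    - no usable hostname"""
    # urlsplit only recognises a host when a scheme or leading "//" is present.
    target = link if "://" in link else "//" + link
    host = urlsplit(target).hostname
    if not host:
        return "invalid"
    reg = registrable_domain(host)
    if reg is None:
        return "invalid"
    if reg in LEGITIMATE_DOMAINS:
        return "legitimate"
    # Checking the whole link, not just the host, also catches the brand name
    # placed in the userinfo part (https://brand.example@other.example/).
    if brand in link.lower():
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, not observed data.
    for sample in ("https://www.barclays.co.uk/login",
                   "www.secure-barclays.co.uk",
                   "https://www.barclays.co.uk@example.com/",
                   "https://example.org/"):
        print("%-45s %s" % (sample, classify(sample)))
```

The heuristic deliberately says nothing about encryption: a lookalike site can present a perfectly valid certificate for its own hostname, which is exactly why the paper places phishing under impersonation rather than eavesdropping.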
ENVIRONMENT
Spiceworks authentication in a Windows Workgroup Environment is relatively simple once all of the variables are clarified.
Spiceworks depends on remote administrative privileges to gather useful, detailed information about your network. If Spiceworks cannot connect to a device with the account and password you provided, it will place that device in the Unknowns category, in the Scan Errors tab on the Inventory page, and in the Scan Errors tab on the Devices page.
Spiceworks uses the WMI, SSH, and SNMP protocols to gather information from the devices on your network. If the login accounts you provided do not have the right WMI, SSH, or SNMP privileges, Spiceworks will not be able to gather any useful information.
Windows Authentication
Spiceworks uses Windows Management Instrumentation (WMI) to gather detailed information from Windows computers. By default, WMI only allows remote logon by accounts that are members of the Local Administrators group on the computer being accessed, and WMI also requires a password for authentication. By default, only the built-in Windows Administrator account is a member of the Local Administrators group. This is why it is necessary to use an account with Local Administrator credentials when setting up the Windows accounts on the Network Scan page in Spiceworks.
Note: Windows XP Home does not support remote access using Windows Management Instrumentation (WMI). This limitation was implemented by Microsoft, and the only way to retrieve information from Windows XP Home computers in Spiceworks is to set up Spiceworks as a Remote Collector on the XP Home computers and send the information to the central Spiceworks installation.
Note: Windows XP Professional computers in a workgroup environment need the following steps performed before any remote WMI authentication will succeed.
- Click Start → Control Panel → Folder Options.
- Select the View tab and scroll to the bottom of the Advanced Settings: section.
- Uncheck the Use simple file sharing (Recommended) to disable the option and click the OK button.