
  • Number of slides: 14

Secure Connected Infrastructure: Identity Management
Allan Hvass, Senior Consultant, Microsoft Services

Identity Management Challenges
  • Directories everywhere → Reduce costs through directory integration
  • Too many passwords → Increase productivity with single sign-on
  • Passwords are weak → Reduce risk through strong authentication
  • Unmanageable security → Strengthen security with centralized management
  • Allowing some outsiders access → Extend the trust model

Secure Connected Infrastructure
  • Secure Network Connectivity
      • Secure Internet connectivity (MSA & ISA)
      • Secure remote access (VPN, IAS)
      • Secure wireless networks (PKI + 802.1x)
  • Integrated Solution for Identity Management
      • Directory Services (AD & MMS)
      • Authentication (PKI, Kerberos, Passport)
      • Authorization (ACLs, Roles, Federation)
      • Policy-based management (GP and GPMC)
  • Comprehensive Security Management & Operations
      • Tools (MBSA, MSUS)
      • Guidance (MOC, PAGs, Security Best Practices)
      • Services (MSQS, PSS, & professional services)

Active Directory: Common Store for Identity Management
(Diagram: Active Directory as the identity repository connected to Wireless LAN, VPN Gateway, Exchange, File Sharing, LAN, SQL Server, UNIX, App and Web Services.)
  • Application and NOS identities
  • Repository for security principals
  • Integrated policy-based management
  • Scales to the Internet

Flexible Authentication Mechanisms
(Diagram: People, Devices and Computers authenticate to Windows 2000 Server, Applications, Files and Active Directory using Password, Biometrics, Smart Card, X.509 / SSL, or Internet Credentials.)
  • Many other authentication options than passwords

Authentication Services
(Diagram: Integrated Security Services and Authentication & Authorization Services, backed by Kerberos and Active Directory, serving Wireless LAN, VPN Gateway, Exchange, File Sharing, LAN, UNIX, App, SQL Server and Web.)
  • Integrated PKI for authentication and encryption
  • Interoperable with UNIX via Kerberos & SFU
  • Interoperable with mainframes via HIS
  • Interoperable with Netware via SFN
  • Kerberos

Options for Single Sign-on Experience
Strategy → Examples
  • Multiple Identities, client managed → Credential Manager (XP)
  • Single Identity, password synchronization → SfU (pSync, NIS)
  • True SSO, distributed authentication → short-lived, server side: NTLM; long-lived, client side: Kerberos, Certificates, SfN, Passport, HIS
  • True SSO, central authentication → extend to multiple directories with trusts
MMS can help keep multiple directories synchronized, easing the authorization process.

Directory Integration and Synchronization
(Diagram: Microsoft Metadirectory Services synchronizing Active Directory with a Non-AD Directory, UNIX, Application and Web directories that serve Wireless LAN, VPN Gateway, Exchange, File Sharing, SQL Server and LAN.)
Microsoft Metadirectory Services:
  • Reduces the cost of managing ids
  • Simplifies directory synchronization
  • Automates user account provisioning

Windows 2000 Authorization
  • Owners manage resources
      • Access control lists (ACLs): granular permissions & scope, inheritance
  • Admins manage users
      • Groups: indirection & nesting simplify ACL management
      • Privileges: system-wide operational permissions
  • System enforces access control
      • Impersonation & delegation
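The slide lists the mechanics of the model (granular ACL entries, group nesting so that one entry covers many users, inheritance from parent containers) without showing how they combine in an access decision. The following is an added illustration written for this page, not code from the presentation or from Microsoft: a deliberately simplified access check that evaluates ACEs in the canonical order Windows uses (explicit deny, explicit allow, inherited deny, inherited allow), expands nested group membership into the caller's token, and lets a deny win as soon as it touches a still-needed right. The permission bits, principal names and sample ACL are constructed, and the real Windows check has more rules than are modelled here.

```python
"""Simplified model of a Windows-style discretionary access check.

Added illustration for the Windows 2000 Authorization slide; not code from
the presentation. Permission bits, names and the sample directory are
constructed, and real Windows access checks have more rules than this.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Mapping, Set

# Constructed permission bits (not the real Windows access-mask values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    principal: str            # user or group the entry applies to
    rights: int               # bitmask of permissions the entry covers
    allow: bool               # True = access-allowed, False = access-denied
    inherited: bool = False   # True if inherited from a parent container


def expand_groups(user: str, members: Mapping[str, Set[str]]) -> FrozenSet[str]:
    """Return the user plus every group it belongs to, following nested groups.

    This is the 'indirection & nesting' point: granting a right to a group
    that contains other groups covers all of their members with one ACE.
    """
    result = {user}
    work = [user]
    while work:
        cur = work.pop()
        for group, mbrs in members.items():
            if cur in mbrs and group not in result:
                result.add(group)
                work.append(group)
    return frozenset(result)


def canonical_order(acl: Iterable[Ace]) -> List[Ace]:
    """Explicit deny, explicit allow, inherited deny, inherited allow.

    Because explicit allows precede inherited denies, an owner can grant
    access on a child object even when the parent denies it.
    """
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


def access_check(user: str, requested: int, acl: Iterable[Ace],
                 members: Mapping[str, Set[str]]) -> bool:
    """Return True if the user's effective token satisfies every requested bit."""
    token = expand_groups(user, members)
    remaining = requested
    for ace in canonical_order(acl):
        if ace.principal not in token:
            continue
        if not ace.allow and ace.rights & remaining:
            return False          # a matching deny on a still-needed right wins
        if ace.allow:
            remaining &= ~ace.rights
            if remaining == 0:
                return True       # every requested right has been granted
    return remaining == 0         # ACL exhausted; grant only if nothing is left


# Constructed sample directory: Marketing is nested inside AllStaff.
SAMPLE_MEMBERS = {
    "Marketing": {"alice", "bob"},
    "Finance": {"carol"},
    "AllStaff": {"Marketing", "Finance"},
}

# Constructed sample ACL on a shared folder.
SAMPLE_ACL = [
    Ace("AllStaff", READ, allow=True, inherited=True),     # from parent folder
    Ace("Finance", DELETE, allow=False, inherited=True),   # from parent folder
    Ace("Marketing", READ | WRITE, allow=True),            # explicit on this folder
    Ace("bob", WRITE, allow=False),                        # explicit per-user deny
    Ace("carol", DELETE, allow=True),                      # explicit allow beats inherited deny
]

if __name__ == "__main__":
    for user, rights in [("alice", READ | WRITE), ("bob", WRITE), ("bob", READ),
                         ("carol", DELETE), ("carol", WRITE), ("dave", READ)]:
        print(user, hex(rights), access_check(user, rights, SAMPLE_ACL, SAMPLE_MEMBERS))
```

Running the block shows the two cases worth remembering when reviewing effective permissions: bob is denied WRITE by a single explicit entry even though his group is allowed it, and carol keeps DELETE because her explicit allow is evaluated before the inherited deny on Finance.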

Integrated Management: Delegate Management Tasks to Office Admins
(Diagram: Company → Users (Marketing), Machines, Devices, Applications, Extranet, with policies such as "Use Standard Security Template", "Restrict Access to Color Printer" and "Must Use Smart Card".)
  • Integration with Active Directory provides a central, consistent place to manage user and resource security

Active Directory Security Administration
  • Forcing security settings to all users and systems with group policies
  • Delegation of administration
      • Grant permissions at organizational unit (OU) level
      • Who creates OUs, users, groups, etc.
  • Fine-grain access control
      • Grant or deny permissions on per-property level, or a group of properties

.NET Server Improvements
  • Directory Services
      • Kerberos transitive trusts with constraining
      • PKI cross-certification and qualified subordination
      • Metadirectory Services optimized for multiple forests
  • Authentication
      • Passport authentication
      • Smart Cards improvements
      • Protocol transition
      • Delegation improvements
  • Authorization
      • Authorization Manager (roles, tasks, rules, scope)
  • Management
      • Group Policy Management Console

Identity Management Challenges (summary)
  • Directories everywhere → Metadirectory Services, Authorization Manager
  • Too many passwords → AD (Kerberos, PKI), SfU, SfN, HIS, CredMan
  • Passwords are weak → Smart Cards, Biometrics, AD policies
  • Unmanageable security → Group Policies, AD delegation, GPMC
  • Allowing some outsiders access → Certificate or Passport based web client login

© 2001 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.