Understanding Authentication and Authorization

After you have physically secured your environment, you then want to focus on the people who access your systems and network. The next step after implementing physical security is to ensure that persons who have entered your server room or have a connection to a network port are authorized to log on to the network. Logging onto the network is known as authentication.





For Dummies is a registered trademark of Wiley Publishing, Inc. in the United States and other countries. Used here by license.




Authentication

Authentication is the process of proving one’s identity to the network environment. Typically, authentication involves typing a username and password on a system before you are granted access, but you could also use biometrics to be authenticated. Biometrics is the use of one’s unique physical characteristics, such as a fingerprint or the blood vessels in one’s retina, to prove one’s identity.

Here’s a quick look at what happens when you log on to your system with a username and password. When you type a username and password to log on to a system, that username and password are verified against a database, known as the user account database, which has a list of the usernames and passwords that are allowed to access the system. If the username and password you type are in the user account database, you are allowed to access the system — otherwise, you get an error message and aren’t allowed to access the system.

The name of the account database that stores the usernames and passwords is different depending on the environment. In a Microsoft network, the account database is known as the Active Directory Database and resides on a server known as a domain controller.

Generating the access token

When you log on to a Microsoft network environment, the username and password you type are placed in a logon request message that is sent to the domain controller to be verified against the Active Directory Database. If the username and password that you have typed are correct, then an access token is generated for you. An access token is a piece of information that identifies you and is associated with everything you do on the computer and network. The access token contains your user account information and any groups you are a member of. When you try to access a resource on the network, the user account and group membership in the access token are compared against the permission list of the resource. If the user account in the access token or one of the groups contained in the access token is also contained in the permission list, then you are granted access to the resource — if not, you get an access denied message.

If you don’t have a server-based network environment and you are simply running Windows 2000 Professional or Windows XP, when you log on, the logon request is sent to the local computer — to an account database known as the Security Accounts Manager (SAM) database. When you log on to the SAM database, an access token is generated as well, and that helps the system determine what files you can access.

Smart card

Another type of logon supported by network environments today is the use of a smart card. A smart card is a small, ATM card–like device that contains your account information. You insert the smart card into a smart card reader that is connected to a computer, and then you enter the PIN (Personal Identification Number) associated with the smart card. This is an example of securing an environment by forcing someone to not only have the card but also know the PIN.

Strong passwords

It’s really hard to talk about authentication without talking about ensuring that users create strong passwords. A strong password is a password that is very difficult for hackers to guess or crack because it contains a mix of upper and lowercase characters, contains a mix of numbers and letters, and is a minimum of six characters long.

Authorization

After a user has logged on and an access token is created, the user may start trying to access resources such as files and printers. In order to access a file, folder, or printer on the network, the user must be authorized to access the resource. Authorization is the process of giving a user permission to access a resource. Do not confuse authentication and authorization — you must be first authenticated to the network, and once authenticated, you can then access the resources you have been authorized for.

In order to authorize access to a resource, you set permissions on the resource. For example, if you want to allow Jill to access the accounting folder, you need to give Jill permission to the accounting folder.

No one else is authorized to access the resource. You find out how to set permissions in the next chapter, but for now, make sure you understand the difference between authentication and authorization.
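The comparison of an access token against a resource's permission list, described under "Generating the access token" and in the Jill example above, can be sketched as follows. This is an added example, not code from the book or from Windows: it is a simplified model that goes one step further than the text by checking individual rights and honoring deny entries in list order, and every name in it other than Jill and the accounting folder (the groups, the other users, the right bits) is constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # constructed right bits, not real Windows access masks

@dataclass(frozen=True)
class AccessToken:
    """Built once at logon: the user account plus every group it belongs to."""
    user: str
    groups: frozenset

    def identities(self):
        return self.groups | {self.user}

@dataclass(frozen=True)
class Ace:
    """One entry in a resource's permission list."""
    kind: str      # "allow" or "deny"
    trustee: str   # user or group the entry applies to
    rights: int

def access_check(token, acl, wanted):
    """Walk the list in order; True only if every wanted right ends up granted."""
    granted = 0
    ids = token.identities()
    for ace in acl:
        if ace.trustee not in ids:
            continue  # entry names someone who is not in this token
        if ace.kind == "deny" and ace.rights & wanted & ~granted:
            return False  # a still-needed right is explicitly denied
        if ace.kind == "allow":
            granted |= ace.rights
        if granted & wanted == wanted:
            return True
    return False  # end of list: anything not explicitly granted is denied

# Constructed permission list for the accounting folder (deny entries first).
ACCOUNTING_ACL = [
    Ace("deny", "Contractors", WRITE),
    Ace("allow", "Jill", READ),
    Ace("allow", "Accounting", READ | WRITE),
]

# Constructed tokens, as they would look after a successful logon.
jill = AccessToken("Jill", frozenset({"Users"}))
bob = AccessToken("Bob", frozenset({"Users", "Accounting"}))
eve = AccessToken("Eve", frozenset({"Accounting", "Contractors"}))
mallory = AccessToken("Mallory", frozenset({"Users"}))

if __name__ == "__main__":
    for t in (jill, bob, eve, mallory):
        print(t.user, access_check(t, ACCOUNTING_ACL, READ),
              access_check(t, ACCOUNTING_ACL, WRITE))
```

Mallory authenticated successfully and holds a valid token, yet is refused because nothing in the list names her or her groups, which is the authentication versus authorization distinction in practice.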

