Hack Proofing Windows 2000 Server

Kerberos version 5 is the default network authentication protocol for Windows 2000. Kerberos is not a new protocol that Microsoft invented; it has been used in the UNIX world for several years. Microsoft has chosen to implement Kerberos network authentication in Windows 2000 to enhance security, because network servers and services need to know that the client requesting access is actually a valid client. Kerberos is based on tickets containing client credentials encrypted with shared keys. Kerberos v5 provides the following enhancements over previous versions of Kerberos:
Authentication forwarding Allows the forwarding of service requests on behalf of a user to another trusted service provider.
Replaceable encryption systems Supports multiple encryption methods. Previous versions of Kerberos support only DES encryption.
Subsession keys Allows a client and server to negotiate a secured short-lived subsession key to be used once for session exchanges.
Longer ticket time to lives The maximum ticket time in Kerberos v4 was 21.25 hours. Kerberos v5 allows a ticket to last for months at a time.
Windows 2000 supports five methods of authenticating user identity:
Windows NT LAN Manager (NTLM)
Kerberos v5
Distributed Password Authentication (DPA)
Extensible Authentication Protocol (EAP)
Secure Channel (Schannel)
Windows 2000 uses only NTLM and Kerberos for network authentication. The other three protocols are used for authentication over dial-up connections or the Internet.
Windows NT 4.0 uses Windows NT LAN Manager (NTLM) as the default network authentication protocol. For that reason, NTLM is still available in Windows 2000 to...