White Paper - File Sharing Security

Copyright © 2000 Hewlett-Packard Company Page 12 of 28
All Rights Reserved
Every NT workstation and server on a network must have a machine account in order to participate in a
domain. The domain administrator creates the machine account when the system is configured and added to an
NT domain. The NT system then uses that account to log on to the network (the NT domain) every time it
boots. In the Master Domain architectures discussed above, the machine accounts reside in one of the
resource domains.
Windows NT systems use the NetLogon service to log the computer on to its domain, using the machine
account. NetLogon establishes a secure communications channel with a domain controller of that domain. The
security of that channel rests on special internal trust accounts: the machine account for a computer, and
interdomain trust accounts for trust relationships between domains.
Because the NetLogon service handles every logon to the computer, whether interactive or remote, each user is
authenticated through the domain that holds the computer's machine account. In many cases, such as in the
Master Domain model, the user account does not reside in that domain. The domain controller then examines the
domain name to which the account belongs (the account's domain is supplied with the rest of the logon
credentials) and checks whether its own domain trusts that domain. If such a trust relationship exists, the
authentication request is passed on to a domain controller of the account's domain, and the response comes back
through the domain controller where the request originated. Note that NT trust relationships are one-way and
non-transitive: the request is forwarded only if the computer's domain directly trusts the account's domain, and
the trusted domain answers for its own accounts only.
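The routing just described, as an added example that is not code from the white paper: a small Python model of
NT-style pass-through authentication. It also includes the local account check that precedes the NetLogon hand-off
(the first step of the logon sequence in 3.3.2). The class names, the domain names CORP, SALES and ENG, the
accounts and the password hash function are all constructed for illustration; the hash is a stand-in, not the real
NT password hash. One-way, non-transitive trusts fall out of the routing: a DC forwards a request only for a
domain it trusts directly, and the domain that receives a forwarded request verifies only its own accounts.

```python
"""Model of NT4 pass-through authentication routing (added example, not from the paper)."""
import hashlib
from dataclasses import dataclass, field


def password_hash(password: str) -> str:
    """Stand-in for the stored password hash (assumption: NOT the real NT hash)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class Sam:
    """Security Accounts Manager database: account name -> password hash."""
    accounts: dict = field(default_factory=dict)

    def add_user(self, user: str, password: str) -> None:
        self.accounts[user.lower()] = password_hash(password)

    def verify(self, user: str, password: str) -> bool:
        stored = self.accounts.get(user.lower())
        return stored is not None and stored == password_hash(password)


@dataclass
class DomainController:
    domain: str
    sam: Sam = field(default_factory=Sam)
    # One-way trusts: domains whose accounts THIS domain accepts (it is the trusting side).
    trusts: set = field(default_factory=set)


@dataclass
class LogonResult:
    success: bool
    reason: str
    path: list  # hops the request took, in order


class Network:
    """One DC per domain; forwards pass-through requests between them."""

    def __init__(self):
        self.dcs = {}

    def add_dc(self, dc: DomainController) -> None:
        self.dcs[dc.domain] = dc

    def authenticate(self, dc_domain, account_domain, user, password, path) -> LogonResult:
        """What the DC of dc_domain does with a request for account_domain\\user."""
        dc = self.dcs[dc_domain]
        path.append(f"{dc.domain}-DC")
        if account_domain == dc.domain:  # account lives here: check our own SAM
            ok = dc.sam.verify(user, password)
            return LogonResult(ok, "verified by account's home domain" if ok else "bad credentials", path)
        if account_domain not in dc.trusts:  # no direct trust: refuse, never forward
            return LogonResult(False, f"{dc.domain} has no trust with {account_domain}", path)
        if account_domain not in self.dcs:
            return LogonResult(False, f"no DC reachable for {account_domain}", path)
        # Forward to the trusted domain; its DC only ever verifies its own accounts,
        # so trust cannot chain through it (non-transitive). The answer returns via this DC.
        return self.authenticate(account_domain, account_domain, user, password, path)


class Workstation:
    def __init__(self, name: str, machine_domain: str, network: Network):
        self.name = name
        self.machine_domain = machine_domain  # domain holding this computer's machine account
        self.network = network
        self.local_sam = Sam()

    def logon(self, domain: str, user: str, password: str) -> LogonResult:
        path = [f"{self.name}:local-SAM"]
        # Step 1: a local account (domain field is the machine's own name) is checked locally.
        if not domain or domain.lower() == self.name.lower():
            ok = self.local_sam.verify(user, password)
            return LogonResult(ok, "verified by local SAM" if ok else "bad local credentials", path)
        # Step 2: NetLogon hands the request to a DC of the machine account's domain.
        path.append("NetLogon")
        return self.network.authenticate(self.machine_domain, domain, user, password, path)


def build_master_domain_network() -> Workstation:
    """Constructed Master Domain layout: CORP holds users, SALES (resources) trusts CORP."""
    net = Network()
    corp = DomainController("CORP")
    corp.sam.add_user("alice", "Correct-Horse-7")
    sales = DomainController("SALES", trusts={"CORP"})   # resource domain, machine accounts here
    eng = DomainController("ENG")                        # SALES does not trust ENG
    eng.sam.add_user("bob", "Battery-Staple-9")
    for dc in (corp, sales, eng):
        net.add_dc(dc)
    ws = Workstation("WS1", "SALES", net)
    ws.local_sam.add_user("localadmin", "Local-Only-1")
    return ws


if __name__ == "__main__":
    ws = build_master_domain_network()
    for creds in (("CORP", "alice", "Correct-Horse-7"), ("ENG", "bob", "Battery-Staple-9"),
                  ("WS1", "localadmin", "Local-Only-1"), ("WS1", "alice", "Correct-Horse-7")):
        r = ws.logon(*creds)
        print(f"{creds[0]}\\{creds[1]}: {'OK' if r.success else 'DENIED'} ({r.reason}) via {' -> '.join(r.path)}")
```

Running it shows CORP\alice travelling WS1 -> NetLogon -> SALES-DC -> CORP-DC and succeeding, ENG\bob stopping at
SALES-DC because SALES has no trust with ENG, and the domain account alice being rejected when presented as a local
WS1 account, since the workstation's SAM knows nothing about it.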
3.3.2 User Authentication
Whenever a user accesses the resources of a computer on a Windows network, the user must first be
authenticated. User authentication is the process of matching credentials provided by the user against an
equivalent entry in an account database. In the case of Windows, the credentials of the user are the account
name and password.
User accounts may be stored locally on the machine performing the authentication, or remotely on a server
dedicated to managing accounts and authenticating users. Windows supports both mechanisms, but authentication
using locally stored accounts is very limiting on a network, because a local account is known only to the machine
that holds it. Another computer has no way to verify credentials for an account stored in a different machine's
local database, so such an account cannot be used to log on to that computer remotely.
On most Windows networks, user accounts are managed centrally on one or more Domain Controllers, which store
them in the Security Accounts Manager (SAM) database. Whenever a computer on the network needs to authenticate
a user, it contacts a Domain Controller and asks it to authenticate the user.
When a user logs on to a machine, either interactively or remotely, the machine first challenges the user. The
user responds with an account name and password (in remote logons this is usually supplied automatically by the
client). The response is then authenticated as follows:
1) The machine examines the credentials offered by the user to see whether the account is a local account on the
machine. If it is, the authentication is processed locally against the machine's own SAM.
2) If the account is not a local account, the request is passed on to the NetLogon service, which in turn
passes it along to the domain controller where the computer's own machine account resides (domain A).