Securing Server Data in Windows 2000
From Windows 2000 Server Professional Reference, by Karanjit S. Siyan, PhD., New Riders.
Data security is increasingly important in today's interconnected world. This tip discusses how such security can be accomplished with Windows 2000.
How do you secure data on the file server? One way is to use the security provisions of the network operating system (NOS). The network administrator with Supervisor or Full Access privileges, however, can read all files and directories on the server. That becomes a problem if you are dealing with sensitive information you do not want other users, including the Supervisor, to see.
One way of handling this problem is to encrypt databases and files that contain sensitive information. The file is decrypted when it is opened, and is encrypted when it is closed. As you can imagine, however, performance suffers because of the encryption and decryption operations. Windows 2000 NTFS version 5 supports file encryption.
A number of encryption programs are available. Some encryption programs are bundled with software tools. Many use the Data Encryption Standard (DES) algorithm to encrypt data, or MD5 (Message Digest 5) to provide a one-way checksum that detects alteration of data.
Encryption also can be performed in hardware at the NIC level before transmitting packets across the LAN media. When LAN packets are being encrypted, only the data portion of the packet is encrypted. Because the network address and control fields in the packets usually are not encrypted, devices such as bridges and routers can interpret the network address and control fields.
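The following sketch is an added example, not code from the book. It shows payload-only encryption on an Ethernet-style frame and what a forwarding device or passive observer can still read. The 14-byte header layout, the 8-byte nonce prefix, the hash-based keystream (a stand-in for a vetted cipher) and all sample values are assumptions made for illustration.

```python
import hashlib
import os
import struct

ETH_HEADER = struct.Struct("!6s6sH")  # destination MAC, source MAC, EtherType
NONCE_LEN = 8

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher (SHA-256 in counter mode) so the example needs
    # only the standard library; it is an assumption, not a vetted cipher.
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + struct.pack("!Q", counter)).digest()
    return out[:length]

def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def encrypt_frame(frame: bytes, key: bytes, nonce: bytes) -> bytes:
    # Only the data portion is encrypted; the 14-byte header stays in the clear.
    header, payload = frame[:ETH_HEADER.size], frame[ETH_HEADER.size:]
    return header + nonce + _xor(key, nonce, payload)

def decrypt_frame(frame: bytes, key: bytes) -> bytes:
    body = ETH_HEADER.size + NONCE_LEN
    header, nonce = frame[:ETH_HEADER.size], frame[ETH_HEADER.size:body]
    return header + _xor(key, nonce, frame[body:])

def bridge_view(frame: bytes) -> dict:
    # What a bridge, router or passive observer reads without the key.
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    mac = lambda raw: ":".join(f"{b:02x}" for b in raw)
    return {"dst": mac(dst), "src": mac(src), "ethertype": f"0x{ethertype:04x}"}

# Constructed sample frame: made-up MAC addresses, IPv4 EtherType, dummy payload.
PAYLOAD = b"constructed sample: payroll record 0001"
FRAME = ETH_HEADER.pack(bytes.fromhex("001122334455"),
                        bytes.fromhex("66778899aabb"), 0x0800) + PAYLOAD
KEY = b"constructed-demo-key"

if __name__ == "__main__":
    wire = encrypt_frame(FRAME, KEY, os.urandom(NONCE_LEN))
    print("forwarding device sees:", bridge_view(wire))
    print("payload visible on wire:", PAYLOAD in wire)
    print("receiver recovers frame:", decrypt_frame(wire, KEY) == FRAME)
```

The addresses and protocol type survive encryption unchanged, so forwarding keeps working, but the same fields tell anyone on the segment who is talking to whom.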
Windows 2000 introduces IPSec, used to provide secure channels over the TCP/IP protocol, and the Kerberos protocol for transparent but secure authentication of services.
This was first published in September 2000