Before you start
Objectives: Learn the difference between authentication and authorization, and how are those two implemented in Windows operating systems.
Prerequisites: no prerequisites.
Key terms: authentication, Windows, user, smart card, rights, authorization, computer, groups, cards, biometric
Authentication vs Authorization
There are two key terms we need to be familiar with when it comes to security and restrictions. Those terms are Authentication and Authorization. In simple terms, authentication verifies our identity or proves that we are who we say you are. On the other hand, authorization determines if we have permissions or rights to access a resource, or in other words, if we are allowed to do something.
For example, we might be able to log on to the secure system (authenticate), but we might not have permissions to change system settings (not authorized). On the other hand, we can’t have authorization without authentication, or in other words, we can’t be authorized to do something if we are not authenticated (exception to this is anonymous access to resources).
In technical terms, authentication is the process of submitting and checking credentials to validate or prove user identity. This way we can allow only specific users to access protected systems. In Windows world, authentication is often performed using usernames and passwords. However, we can also apply newer authentication technologies such as smart cards and biometric scanners, which can strengthen the authentication process. Let’s take a look at some of existing and new authentication features in Windows operating systems.
- Kerberos (at the time of writing this article we use Kerberos version 5), is the main authentication (and also authorization) protocol used by clients and servers running Windows. Kerberos can authenticate both the user account as well as computer accounts. Kerberos grants tickets, also called security tokens, to authenticated users and to authorized resources. The process of using tickets to validate permissions is called delegated authentication. Components of Kerberos are Authentication Server or AS (accepts and processes authentication requests), Service Server or SS (provides or holds network resources), and a Ticket Granting Server or TGS (grants tickets that are valid for specific resources on specific servers).
- Windows NT LAN Manager or NTLM is used to provide backwards compatibility with pre-Windows 2000 machines, which don’t support Kerberos. NTLM is a challenge/response authentication protocol.
- Certificates are digital documents that identify specific user or computer. Certificates are obtained from a Public Key Infrastructure (PKI). A PKI is a system that provides for a trusted third party to vouch for user identities. To read more about PKI, go to Public Key Infrastructure section. Certificates can be saved on a computer, removable device such as USB, on a Smart Card, etc., and can be used as authentication credentials instead of or in addition to a username and password.
- Smart Card is a physical card that contains a memory chip. Authentication credentials, such as certificates, are embedded in that memory chip. Don’t mix a smart card with a swipe card. Swipe card contains information in a magnetic strip. A swipe card is technically not the same as a smart card. Contactless smart cards can be read without the card coming into contact with the reader. A smart card can store digital signatures, cryptography keys, and identification codes. Smart cards are often used in combination with a PIN for authentication. Administrators can revoke the digital signature stored on the smart card if it is lost or stolen. The Personal Identity Verification (PIV) standard allows the use of smart cards without requiring specific vendor software. By supporting PIV, Windows obtains drivers for smart cards from Windows Update or built-in PIV-compliant mini-drivers. Because of that, smart cards can be used as a form of authentication in newer versions of Windows such as Windows 7, and newer. Starting from Windows 7, Windows includes new features that make it possible to use smart cards for tasks other than just authentication. For example, we can use them to encrypt drives, use BitLocker, sign e-mails, etc. We can use Group Policy or Local Security Policy to set smart card settings in Windows environment.
- Biometric is a human characteristic that is unique between different people. Because of that, we can use biometric scanners or readers to measure specific body parts and compare them to the previously saved metric. For example, common attributes used for scanning are fingerprints, iris of an eye, blood vein pattern, facial scans, voice recognition, etc. Windows 7 introduced the Windows Biometric Framework or WBF which provides support for biometric device configuration on local computers or in a domain.
- Online Identity Integration feature was introduced with Windows 7 as well. It introduces a set of group policy settings that can be used to allow or prevent online IDs for authenticating to specific computers. Users can link their Windows user account with online ID to identify themselves for authentication.
Multifactor authentication is any combination of two or more authentication factors. The three common authentication factor types are Something You Know (such as a password), Something You Have (such as a smart card or a token device), Something You Are (such as a biometric quality like a fingerprint).
As we said, with authorization we can actually grant or deny access to a specific resource, based on the authentication. When talking about authorization we have to be familiar with three different terms. Those terms are Permissions, Policies, and Rights. Permissions are assigned to resources to control the user access. They usually contain an Allow or Deny statement. Policies are a set of restrictions and settings that can be enabled or disabled trough Group Policy in Windows, which apply to the user and/or computer. Rights contain certain actions that the user can perform on a computer. In Windows, a predefined set of rights are available under User Rights in the Computer Configuration node in Group Policy.
Different versions of Windows come with predefined set of rights applied to the built-in user groups. Those groups have been assigned different rights based on their needs. Most administrators will add users to user groups rather than modify the specific user rights. It is easier to track and maintain user rights by adding users to user groups then by manually setting rights for specific user accounts. We can modify the membership of groups in the Groups node in Computer Management. We should always verify user rights for the group before adding a user to it. If we don’t do this, we risk giving users more rights than they need. Built-in groups exist both on the local computer and in the Built-in container in Active Directory for a domain. To read more about built-in user groups in Windows, be sure to check out the article User Account in Windows.