Computer Security Information for Windows Systems Administrators


Organization's Environment. Study our discussion of authentication options to assess your environment and how you might authenticate.

The following server solutions comply with the Computer Security Policy. See below for info on how to configure PennKey authentication for your Windows 2000 domain.


Windows Version



Windows NT, 2000

HTTP can comply with the Critical Host Policy when sessions are protected with SSL. Options for how to support this include:

Set Up SSL Using IIS 5.0 and Certificate Server 2.0

Apache v. 2.0 with Apache module mod_ssl

Order Thawte SSL/TLS Server Certificates to take advantage of Penn's bulk-purchase agreements.


With Microsoft's custom versions for telnet from their product Services For Unix (SFU), NTLM authentication is used instead of cleartext passwords, OR

Windows NT 4.0 with current Service Patch and hotfixes, OR

Windows 2000 Server with current Service Patch and hotfixes

Win2000 Telnet Server Services (max: 2 connections) or the telnet server from Microsoft's Services for Unix (SFU) product. See MS notes: Q299942; Q226107 for registry entries; Q225233. Opens CMD.EXE or another configured shell for the user who is connecting.

Not kerb'ed. Choice of NTLM or plain text authentication or both. With NTLM, need SFU client. See this document. Unclear if it may be SSL-protected.

Alternative: Citrix Terminal Services, usually using Citrix Secure Gateway, which is an SSL deployment.



If Exchange Server was configured to provide POP mail service, then it can be additionally configured to use NTLM (???) authentication by editing the registry (......).

To understand authentication options, see our MS Authentication document and Microsoft's document Q272492. It explains the use of the LmCompatibilityLevel value under the Registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA, which can place limits on the allowed authentication methods for the domain.

IMAP and POP (?) related to the pine distribution, GSSAPI (win?), available here



See pop.


Windows NT 4.0 with current Service Patch and hotfixes, OR

Windows 2000 Server with current Service Patch and hotfixes

The standard IIS FTP has an SSL option. To enable it, see Microsoft's Knowledge Base article about using IIS 5.0 and Certificate Server 2.0 (Q299525). Other references: Installing a Secure Server Certificate on Microsoft IIS 5.0 from; Q290625 (same in a test environment).

FileZilla Server supports Kerberos authentication using GSSAPI. (But not SSL, as of 18 Jul 2002.)

Configuring Windows 2000 Realms to authenticate using PennKey



Windows 2000 Server when used exclusively with Win2K Workstation or WinXP Pro workstations.

Resource Kit, installed with these configuration instructions

Other links

Pennified kadmin available. This is the MIT package with configurations appropriate for Penn.