Penn Computing


Critical Host Compliance Information for Windows Systems Administrators

Organization's Environment. Study our discussion of authentication options to assess your environment and how you might authenticate.

The following server solutions comply with the Critical Host policy. Jump below for info on how to configure PennKey authentication for your Windows 2000 domain.

Service

Windows Version

Software

https

Windows NT, 2000

HTTP can comply with the Critical Host Policy when sessions are protected with SSL. Options for how to support this include:

Set Up SSL Using IIS 5.0 and Certificate Server 2.0

Apache v. 2.0 with Apache module mod_ssl

Order Thawte SSL/TLS Server Certificates to take advantage of Penn's bulk-purchase agreements.

telnet

With Microsoft's custom versions for telnet from their product Services For Unix (SFU), NTLM authentication is used instead of cleartext passwords, OR

Windows NT 4.0 with current Service Patch and hotfixes, OR

Windows 2000 Server with current Service Patch and hotfixes

Win2000 Telnet Server Services (max: 2 connections) or the telnet server from Microsoft's Services for Unix (SFU) product. See MS notes: Q299942; Q226107 for registry entries; Q225233. Opens CMD.EXE or another configured shell for the user who is connecting.

Not Kerberized. Choice of NTLM or plain-text authentication, or both. NTLM requires the SFU client. See this document. Unclear whether it can be SSL-protected.

Alternative: Citrix Terminal Services, usually using Citrix Secure Gateway, which is an SSL deployment.

pop

 

If Exchange Server was configured to provide POP mail service, then it can be additionally configured to use NTLM (???) authentication by editing the registry (......).

To understand authentication options, see our MS Authentication document and Microsoft's document Q272492. It explains the use of the registry value LmCompatibilityLevel under the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA, which can place limits on the allowed authentication methods for the domain.

IMAP and POP (?) related to the pine distribution, GSSAPI (win?), available here

imap

 

See pop.

ftp

Windows NT 4.0 with current Service Patch and hotfixes, OR

Windows 2000 Server with current Service Patch and hotfixes

The standard IIS FTP has an SSL option. To enable it, see Microsoft's Knowledge Base article about using IIS 5.0 and Certificate Server 2.0 (Q299525). Other references: Installing a Secure Server Certificate on Microsoft IIS 5.0 from trustwise.com; Q290625 (same in a test environment).

FileZilla Server supports Kerberos authentication using GSSAPI. (But not SSL, as of 18 Jul 2002.)

Configuring Windows 2000 Realms to authenticate using PennKey

Service

Software

Windows 2000 Server when used exclusively with Win2K Workstation or WinXP Pro workstations.

Resource Kit, installed with these configuration instructions

Other links

Pennified kadmin available. This is the MIT package with configurations appropriate for Penn.

IIS FAQ on SSL


Information Systems and Computing
University of Pennsylvania