The following table shows all these elements fit together in a typical security implementation.
| Security Issue | Security mechanism |
| Controlled access | Access rights, identities |
| Right for privacy | Encryption |
| Integrity | Authentication |
In the following pages, we'll be examining the security implementation of Windows NT and Windows 95 in the context of ActiveX components and distributed computing in an intranet environment. We'll be revisiting each of the above security elements as appropriate and showing how you can implement and reuse them.
Thankfully, when dealing with ActiveX based technology in a Windows NT Server network, there is a lot that can be done. The Windows NT Server product is designed from the conceptual stage to provide a secure computing environment.
Security isn't something that can be added to an operating system as an afterthought. It has to be designed into the core of the system from day one. In particular, it was designed to meet the so-called C2 security guidelines set out by the U.S. government. Even though being certified for compliance with the C2 guidelines may be required only for deployment in government organizations, the enhanced security that compliant systems offer is very important for businesses at large as well.
The main requirements for C2 compliance are:
The C2 guidelines refer to standalone systems only, and are published in an orange book aptly called the Orange Book. Guidelines for networking aspects of security are covered in the Red Book.
NT 3.51 received C2 certification in September 1996. NT 4.0 is undergoing networking and C2 certification at the time of writing.
With such robust security support in place, network software, application software, and distributed components (really networked application software pieces) can leverage off these system features to extend the secure computing environment. We'll see how this is done throughout the rest of the chapter.