How To Configure the Security for a Server That Uses Microsoft NNTP Service in Windows 2000

This article describes how to configure the security to control who has access to specific newsgroups and who can operate Microsoft Network News Transfer Protocol (NNTP) Service. You can also restrict access on the basis of the client computer Internet Protocol (IP) address. If users connect to Microsoft NNTP Service over a public network, you can encrypt that connection by using the Secure Sockets Layer (SSL) protocol so that others cannot intercept the articles that are sent and received.

NOTE: The security is based on Windows 2000 Server accounts and folder permissions. The access that users have to newsgroups is restricted on the basis of user name and password.

Setting Access to Newsgroups

You can control the access to individual newsgroups or sets of newsgroups by setting Windows 2000 Server permissions for the folders that contain those newsgroups. You can set permissions for an individual folder or for a set of folders. You can also limit access to all newsgroups according to the IP address of the client.

Restricting Access to Newsgroups

1. Create Windows 2000 Server accounts for users.
2. Define Windows 2000 Server permissions for the folder that contains the newsgroup. Ensure that you give the local System account full access to all newsgroup folders so that Microsoft NNTP Service has access to its files.
3. Set the authentication method that is used by Microsoft NNTP Service. Create user accounts by using User Manager in Windows 2000 Server. It is recommended that you organize users into groups, and then grant permissions by group to simplify your administrative responsibilities. If possible, you must use the accounts and groups that are already established in your organization.
   
   Microsoft NNTP Service supports two methods for user authentication:
   • Basic authentication
   • Windows Security Package

Setting Authentication Methods

If you do not want to restrict the access to a newsgroup, enable anonymous access and do not set any Windows 2000 Server folder permissions for the folder that contains the newsgroup. To enable anonymous access, on the Access tab, click Authentication under the Access control section, and then click to select the Allow anonymous check box:

1. Select the NNTP virtual server, and then click Properties on the Action menu.
2. On the Access tab, under the Access control section, click Authentication.
3. Click to select one or more of the following check boxes: Allow anonymous, Basic authentication, Windows Security Package, or Enable SSL client authentication.
4. To require SSL authentication, click to select the Require SSL client authentication check box. To associate client certificates with Windows user accounts, click to select the Enable client certificate mapping to Windows user accounts check box, and then click Client Mappings.

Limiting Access by IP Address

You can limit access to Microsoft NNTP Service by the IP address of the client. By default, all of the IP addresses have access to Microsoft NNTP Service.

You can either enable or deny access to a specific list of IP addresses. IP addresses can be specified individually or as a group by using a subnet mask. You can also specify IP addresses by using a domain name, but this specification adds the extra task of a DNS lookup for each connection:

1. In Microsoft Management Console (MMC), select the NNTP virtual server, and then click Properties on the Action menu.
2. On the Access tab, under the Connection control section, click Connection.
3. Click All except the list below to deny access to a list of IP addresses, or click Only the list below to enable access to a list of IP addresses.
4. Click Add for each IP address that you want to grant or deny access to the NNTP virtual server.
5. In the Computer dialog box, click one of these options: Single Computer, Group of computers, or Domain. Depending upon which option you selected, you can proceed as follows:
   • If you selected the Single Computer option: In IP address, enter the IP address of the computer. (If you do not know the IP address, click DNS Lookup.)
   • If you selected the Group of computers option: In Subnet address, enter the IP address. In Subnet mask, type the subnet mask for the group of computers.
   • If you selected the Domain option: In Name, enter the domain name of the computer.
6. Click OK.

Restricting Operator Access

The operators of Microsoft NNTP Service must be granted operator privileges. By default, everyone in the Administrators group in Windows 2000 Server is granted operator privileges.

To Add an Operator

1. In MMC, select the NNTP virtual server, and then click Properties on the Action menu.
2. On the Security tab, click Add. The Select Users or Groups dialog box opens.
3. On the Look in drop-down menu, select the domain of the operator that you want to add.
4. Under Name, click the Operator or Group, and then click Add.
5. When you have made all of your selections, click OK.

To Remove an Operator

1. In MMC, select the NNTP virtual server, and then click Properties on the Action menu.
2. On the Security tab, under the Operators section, click the operator.
3. Click Remove.
4. Click OK.

Securing Connections with SSL

SSL provides a secure, encrypted connection between Microsoft NNTP Service and the client. SSL can protect your private information when users connect across a public network, for example, by means of the Internet.

SSL support requires an SSL certificate, and this certificate has to be installed on the computer that is running Windows 2000 Server. SSL must also be supported by the client software. For example, Microsoft Outlook Express supports SSL.

If a server certificate is installed, Microsoft NNTP Service uses SSL whenever a client requests it. As an option, you can require SSL for all newsgroups or for newsgroups that are located in a virtual folder. You can also use SSL authentication of clients.

Enabling SSL

Obtain and install an SSL server certificate.

To require an SSL connection for access to newsgroups:

1. In MMC, click the Virtual Directories node under the NNTP virtual server.
2. In the details pane, select the virtual directory that you want to modify.
3. On the Action menu, click Properties.
4. In the Virtual Directory dialog box, under Secure Communications, click Secure.
5. In the Security dialog box, click to select the Require Secure Channel check box.

To enable SSL authentication for clients:

1. In MMC, select the NNTP virtual server, and then click Properties on the Action menu.
2. On the Access tab, under Access control, click Authentication, and then click to select the Enable SSL client authentication check box.