Securing Windows Server 2003 by Mike Danseglio

The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader.

Here's a key to the markup:

[page-number]: serious technical mistake
{page-number}: minor technical mistake
<page-number>: important language/formatting problem
(page-number): language change or minor formatting problem
?page-number?: reader question or request for clarification

This page was updated April 15, 2008.

UNCONFIRMED errors and comments from readers:

[22] 4th paragraph;
The description of the method that a web server uses to decrypt a session key reads "The server uses its public key to decrypt the session key, providing a shared key...". I believe the server uses its PRIVATE key to decrypt the session key because:
1) If the session key is initially encrypted with the server's PUBLIC key (earlier in the paragraph), then only the server's PRIVATE key can be used to decrypt the session key.
2) The author later says on the same page (next paragraph) "because only the intended server possesses the private key necessary to decrypt that inital session key".
So the author's understanding of public key cryptology is correct but his earlier description of it is not.

{137} 7.2.2.1.2 fig 7-9;
Figure 7-9 #2: The copy of the server A ticket encrypted by serverA's private key should contain a server A session key, not a TGT session key.