Installing, Configuring, and Administering Microsoft Windows XP

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399
Copyright © 2005 by Microsoft Corporation
All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means
without the written permission of the publisher.
Library of Congress Control Number 2004117425
Printed and bound in the United States of America.
1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5 4
Distributed in Canada by H.B. Fenn and Company Ltd.
A CIP catalogue record for this book is available from the British Library.
Microsoft Press books are available through booksellers and distributors worldwide. For further information about
international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at
fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to [email protected]
Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, IntelliMirror, MSDN, MS-DOS, MSN, NetMeeting,
Outlook, PowerPoint, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either
registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person,
place, or event is intended or should be inferred.
Acquisitions Editor: Lori Oviatt
Project Editor: Denise Bankaitis
Technical Editor: James Causey
Copy Editor: Ina Chang
Production: Elizabeth Hansford
Indexer: Julie Kawabata
SubAssy Part No. X11-03252
Body Part No. X11-03253
CONTENTS AT A GLANCE
CHAPTER 1:
Introducing Windows XP Professional . . . . . . . . . . . 1
CHAPTER 2:
Installing Windows XP Professional . . . . . . . . . . . .25
CHAPTER 3:
Managing Disks and File Systems . . . . . . . . . . . . . .75
CHAPTER 4:
Managing Devices and Peripherals. . . . . . . . . . . .119
CHAPTER 5:
Configuring and Managing the User Experience . . . . . . . . . . . . . . . . . .147
CHAPTER 6:
Configuring and Managing Printers and Fax Devices . . . . . . . . . . . . . .183
CHAPTER 7:
Configuring and Managing NTFS Security . . . . .219
CHAPTER 8:
Configuring and Managing Shared Folder Security . . . . . . . . . . . . . . . .253
CHAPTER 9:
Supporting Applications in Windows XP Professional . . . . . . . . . . . . .295
CHAPTER 10:
Connecting Windows XP Professional to a Network . . . . . . . . . . . . . . .317
CHAPTER 11:
Configuring TCP/IP Addressing and Security . . . . . . . . . . . . . . . . . . . .353
CHAPTER 12:
Managing Internet Explorer Connections and Security . . . . . . . . . . . .381
CHAPTER 13:
Managing Users and Groups . . . . . . . . . . . . . . . . .419
CHAPTER 14:
Configuring and Managing Computer Security . . . . . . . . . . . . . . . . . . .461
CHAPTER 15:
Backing Up and Restoring Systems and Data . . . . . . . . . . . . . . . . . . . .491
CHAPTER 16:
Managing Performance . . . . . . . . . . . . . . . . . . . . .521
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
iii
CONTENTS
About This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi
Target Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
The Textbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
The Supplemental Course Materials CD-ROM . . . . . . . . . . . . . . . . . . . . . xix
Readiness Review Suite Setup Instructions . . . . . . . . . . . . . . . . . . . . xix
eBook Setup Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
The Lab Manual. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx
Notational Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Keyboard Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Coverage of Exam Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
The Microsoft Certified Professional Program . . . . . . . . . . . . . . . . . . . xxvii
Certifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
MCP Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxviii
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
For Microsoft Official Academic Course Support . . . . . . . . . . . . . . . . . xxix
Evaluation Edition Software Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxx
CHAPTER 1:
Introducing Windows XP Professional . . . . . . . . . . . 1
Overview of Windows XP Professional . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Windows XP Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Intelligent User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Hardware Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Comprehensive Help and Support Options . . . . . . . . . . . . . . . . . . . . . . . . 8
Pick a Help Topic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Ask for Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Pick a Task . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Searching and Printing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Windows XP Security Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Windows Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Security Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Attachment Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Encrypting File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Security Management Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Windows XP Organizational Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Workgroup Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Domain Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Logging On and Off Windows XP Professional . . . . . . . . . . . . . . . . 19
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Scenario 1.1: Securing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Scenario 1.2: Assisting Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . 24
CHAPTER 2:
Installing Windows XP Professional . . . . . . . . . . . .25
Preinstallation Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Verifying Hardware Compatibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Storage Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
File Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Domain or Workgroup Membership . . . . . . . . . . . . . . . . . . . . . . . . . 31
Performing an Attended Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Windows XP Professional Setup Program . . . . . . . . . . . . . . . . . . . . . 33
Running the Setup Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Running the Setup Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Completing the Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Installing over the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Preparing for a Network Installation . . . . . . . . . . . . . . . . . . . . . . . . . 38
Modifying the Setup Process Using Winnt.exe . . . . . . . . . . . . . . . . . 41
Modifying the Setup Process Using Winnt32.exe. . . . . . . . . . . . . . . 42
Automating Installations Using Windows Setup Manager. . . . . . . . . . . 44
Installing Setup Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Using Setup Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Upgrading to Windows XP Professional . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Identifying Client Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Generating a Hardware Compatibility Report. . . . . . . . . . . . . . . . . . 48
Upgrading Compatible Windows 98 Computers . . . . . . . . . . . . . . . 49
Upgrading a Windows 2000 Professional Computer. . . . . . . . . . . . 50
Migrating User Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding Remote Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
Installing and Configuring RIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Client Requirements for Remote Installation. . . . . . . . . . . . . . . . . . . 55
Creating Boot Floppies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Installing Windows XP Using RIS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Using Disk Duplication to Deploy Windows XP Professional. . . . . . . . . 58
Using the System Preparation Tool to Prepare the Master Image . . . . 58
Installing Windows XP Professional from a Master Disk Image . . . 60
Applying System Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Windows Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Slipstreaming Service Packs and Updates . . . . . . . . . . . . . . . . . . . . . . . . . 65
Slipstreaming Service Packs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Slipstreaming Windows Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Using Windows Product Activation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
How Windows Product Activation Works . . . . . . . . . . . . . . . . . . . . . 66
Activating Windows XP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Automating Windows Product Activation . . . . . . . . . . . . . . . . . . . . . 67
Troubleshooting Windows XP Professional Setup . . . . . . . . . . . . . . . . . . 68
Resolving Common Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Setup Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Scenario 2-1: Dual-Booting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Scenario 2-2: Automatic Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
CHAPTER 3:
Managing Disks and File Systems . . . . . . . . . . . . . .75
Understanding Disk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Understanding Basic Storage. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Understanding Dynamic Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Working with Simple Volumes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Working with Spanned Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Working with Striped Volumes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Adding Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Changing the Storage Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Using Refresh and Rescan Disks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Managing Disks on a Remote Computer. . . . . . . . . . . . . . . . . . . . . . 84
Managing Removable Storage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Using the Removable Storage Manager . . . . . . . . . . . . . . . . . . . . . . 85
Managing Compression. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Using Compressed Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Using NTFS Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Increasing Security with the EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Understanding the EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Using the Cipher Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Using a Recovery Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Managing Recovery Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Disabling the EFS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
EFS Best Practices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Managing Disk Quotas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Understanding Disk Quota Management . . . . . . . . . . . . . . . . . . . . 102
Setting Disk Quotas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Determining the Status of Disk Quotas . . . . . . . . . . . . . . . . . . . . . . 105
Monitoring Disk Quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Best Uses for Disk Quotas. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Using Disk Defragmenter, Chkdsk, and Disk Cleanup. . . . . . . . . . . . . . 106
Defragmenting Disks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Using Disk Defragmenter Effectively . . . . . . . . . . . . . . . . . . . . . . . . 108
Using Chkdsk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Using Disk Cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Scenario 3-1: Storage Choices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Scenario 3-2: Disk Quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
CHAPTER 4:
Managing Devices and Peripherals. . . . . . . . . . . .119
Using Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configuring and Troubleshooting Devices . . . . . . . . . . . . . . . . . . . 120
Viewing Hidden and Phantom Devices . . . . . . . . . . . . . . . . . . . . . . 122
Managing and Troubleshooting I/O Devices . . . . . . . . . . . . . . . . . . . . . 123
Scanners and Cameras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Mouse Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Game Controllers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
IrDA and Wireless Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Keyboards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Understanding Automatic and Manual Hardware Installation . . . . . . 128
Confirming Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Troubleshooting Device Installation . . . . . . . . . . . . . . . . . . . . . . . . . 131
Installing Hardware Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
Viewing and Configuring Hardware Profiles . . . . . . . . . . . . . . . . . . . . . 134
Understanding Hardware Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Creating or Modifying a Hardware Profile. . . . . . . . . . . . . . . . . . . . 135
Activating a Hardware Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
Viewing Hardware Profile Properties . . . . . . . . . . . . . . . . . . . . . . . . 136
Driver Signing and File Signature Verification . . . . . . . . . . . . . . . . . . . . 136
Configuring Driver Signing Requirements. . . . . . . . . . . . . . . . . . . . 137
Checking System File Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
Using the File Signature Verification Tool . . . . . . . . . . . . . . . . . . . . 138
Configuring Computers with Multiple Processors . . . . . . . . . . . . . . . . . 139
Multiprocessor Scaling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Managing ACPI Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Forcing Installation of a Specific HAL . . . . . . . . . . . . . . . . . . . . . . . . 141
Troubleshooting ACPI. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Scenario 4-1: Managing a Hardware Upgrade . . . . . . . . . . . . . . . . 144
Scenario 4-2: Troubleshooting Problems with the HAL. . . . . . . . . 145
CHAPTER 5:
Configuring and Managing the User Experience . . . . . . . . . . . . . . . . . .147
Configuring and Managing Desktop Components . . . . . . . . . . . . . . . . 148
Configuring Display Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
Using Multiple Displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
The Taskbar and Start Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configuring Power Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Selecting a Power Scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Configuring Advanced Power Options. . . . . . . . . . . . . . . . . . . . . . . 166
Enabling Hibernate Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
Configuring Advanced Power Management. . . . . . . . . . . . . . . . . . 168
Advanced Configuration and Power Interface (ACPI) . . . . . . . . . . 168
Configuring an Uninterruptible Power Supply . . . . . . . . . . . . . . . . 168
Configuring User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
Local and Roaming User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
User Profile Storage Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Configuring Multiple Languages and Locations . . . . . . . . . . . . . . . . . . 172
Configuring Accessibility Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring Keyboard Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Configuring Sound Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Configuring Display Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring Mouse Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Configuring General Tab Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
Other Accessibility Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
The Magnifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
The Narrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
Scenario 5-1: Time for Hibernation . . . . . . . . . . . . . . . . . . . . . . . . . 182
Scenario 5-2: Power Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
CHAPTER 6:
Configuring and Managing Printers and Fax Devices . . . . . . . . . . . . . .183
Introduction to Windows XP Professional Printing . . . . . . . . . . . . . . . . 184
Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Adding a Local Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Adding a Printer Connected to a Print Server . . . . . . . . . . . . . . . . . . . . 188
Types of Print Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Connecting to a Printer on a Windows Print Server . . . . . . . . . . . 190
Using the Search Assistant to Find a Printer . . . . . . . . . . . . . . . . . . 191
Adding a Network Interface Printer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Standard TCP/IP Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
LPR Port. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Connecting to an Internet Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
How Internet Printing Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Using Windows XP as a Print Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
Requirements for Network Print Services . . . . . . . . . . . . . . . . . . . . 198
Sharing Printers During Installation . . . . . . . . . . . . . . . . . . . . . . . . . 199
Sharing an Existing Printer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Installing Additional Print Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Creating Printer Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Managing Printer Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Managing Printer Priority. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
Scheduling Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Managing Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Assigning Forms to Paper Trays. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Setting a Separator Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Administering Printers with a Web Browser . . . . . . . . . . . . . . . . . . 209
Managing Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Pausing, Restarting, and Canceling a Document . . . . . . . . . . . . . . 210
Troubleshooting Common Printing Problems . . . . . . . . . . . . . . . . . . . . 211
Examining the Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Common Troubleshooting Scenarios . . . . . . . . . . . . . . . . . . . . . . . . 212
Printing Troubleshooters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Additional Troubleshooting Options . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring and Managing Windows XP Fax Support . . . . . . . . . . . . . 214
The Fax Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Fax Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Scenario 6-1: Printing in a Small Office . . . . . . . . . . . . . . . . . . . . . . 218
Scenario 6-2: Printer Wars . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
CHAPTER 7:
Configuring and Managing NTFS Security . . . . .219
Understanding the NTFS File System. . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
Understanding NTFS Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
Components of NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . 222
NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
NTFS Permissions Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Managing NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Best Practices for Assigning Permissions . . . . . . . . . . . . . . . . . . . . . 230
Setting NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Using Command-Line Tools to View and Modify Permissions . . . 236
Assigning Multiple NTFS Permissions. . . . . . . . . . . . . . . . . . . . . . . . 239
Auditing NTFS Object Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Enabling Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
Monitoring Security Event Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Troubleshooting NTFS Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
Problems with Effective Permissions. . . . . . . . . . . . . . . . . . . . . . . . . 244
Problems with Denied Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . 245
Problems with Permission Inheritance . . . . . . . . . . . . . . . . . . . . . . . 245
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
CHAPTER 8:
Configuring and Managing Shared Folder Security . . . . . . . . . . . . . . . .253
Understanding Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Shared Folder Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Guidelines for Shared Folder Permissions . . . . . . . . . . . . . . . . . . . . 255
How Shared Folder Permissions Are Applied . . . . . . . . . . . . . . . . . 256
Planning Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Requirements for Sharing Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Shared Application Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Shared Data Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Administrative Shared Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Sharing a Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Sharing Folders in Computer Management . . . . . . . . . . . . . . . . . . 261
Sharing Folders in Windows Explorer. . . . . . . . . . . . . . . . . . . . . . . . 264
Using the NET Command to Share Folders . . . . . . . . . . . . . . . . . . . 265
Sharing a Folder on a Remote Computer . . . . . . . . . . . . . . . . . . . . 268
Managing Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Assigning Shared Folder Permissions . . . . . . . . . . . . . . . . . . . . . . . . 268
Creating Multiple Share Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Modifying Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Connecting to Shared Folders. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Combining Shared Folder Permissions and NTFS Permissions . . . . . . 273
Monitoring Access to Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
Reasons for Monitoring Network Resources . . . . . . . . . . . . . . . . . . 275
Requirements for Monitoring Network Resources . . . . . . . . . . . . . 275
Monitoring Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Using Offline Folders and Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Understanding Offline Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Configuring Your Computer to Use Offline Folders and Files . . . 280
Managing Internet Information Services . . . . . . . . . . . . . . . . . . . . . . . . 283
Installing IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Using IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Sharing Web Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
NTFS Permissions and Web Folders . . . . . . . . . . . . . . . . . . . . . . . . . 287
Using Web Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Scenario 8-1: Shared Folder Tree. . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Scenario 8-2: Command-Line Nirvana . . . . . . . . . . . . . . . . . . . . . . . 292
CHAPTER 9: Supporting Applications in Windows XP Professional . . . . . . . . . . . . . . . . . . . . . 295
Understanding Windows Installer Technologies . . . . . . . . . . . . . . . . . . 296
Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Windows Installer Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Deploying Software Using Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . 302
Overview of Group Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Software Installation Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Removing Software Installation Policy . . . . . . . . . . . . . . . . . . . . . . . 304
Understanding Application Compatibility . . . . . . . . . . . . . . . . . . . . . . . 305
Windows Logo Program. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Causes of Application Incompatibility . . . . . . . . . . . . . . . . . . . . . . . 306
Application Compatibility Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Advanced Compatibility Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Troubleshooting Application Compatibility Issues . . . . . . . . . . . . . 310
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Scenario 9-1: Windows Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Scenario 9-2: Irreconcilable Differences? . . . . . . . . . . . . . . . . . . . . . 315
CHAPTER 10: Connecting Windows XP Professional to a Network . . . . . . . . . . . . . . . . . . . . . 317
Configuring TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
The OSI Reference Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
The DARPA Reference Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
The TCP/IP Protocol Suite. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Understanding IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Managing Network Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
Troubleshooting TCP/IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Connecting to a Wireless Ethernet Network. . . . . . . . . . . . . . . . . . . . . . 335
Understanding Wireless Specifications. . . . . . . . . . . . . . . . . . . . . . . 335
Connecting Windows XP to a Wireless Network . . . . . . . . . . . . . . 336
Configuring Other Network Connections . . . . . . . . . . . . . . . . . . . . . . . . 337
Client Service for NetWare. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Installing the NWLink Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Installing Third-Party Clients and Protocols . . . . . . . . . . . . . . . . . . 339
Connecting to Computers Using Dial-Up Networking . . . . . . . . . . . . . 340
Connecting to the Internet Using Dial-Up Networking . . . . . . . . 340
Connecting to a Network at Your Workplace . . . . . . . . . . . . . . . . . 341
Configuring and Troubleshooting Internet Connection Sharing (ICS) . . . . . . . . . . . . . . . . . . . 342
Using Remote Desktop and Remote Assistance. . . . . . . . . . . . . . . . . . . 344
Remote Desktop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Remote Assistance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Scenario 10-1: Small Office Networking . . . . . . . . . . . . . . . . . . . . . 351
Scenario 10-2: Help! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
CHAPTER 11: Configuring TCP/IP Addressing and Security . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Understanding IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Binary Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
Decoding IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Local vs. Remote Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Using Subnet Masks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Subnetting and Supernetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Securing IP Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Internet Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Protective Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Monitoring Internet Communications Security . . . . . . . . . . . . . . . 375
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 380
Case Scenario 11-1: A Growing Enterprise . . . . . . . . . . . . . . . . . . . 380
Case Scenario 11-2: Security on a Shoestring . . . . . . . . . . . . . . . . . 380
CHAPTER 12: Managing Internet Explorer Connections and Security . . . . . . . . . . . . . . . . . . . 381
Managing Internet Explorer Connections . . . . . . . . . . . . . . . . . . . . . . . . 382
Using the New Connection Wizard. . . . . . . . . . . . . . . . . . . . . . . . . . 382
Managing Connection Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Connecting to Resources Using Internet Explorer . . . . . . . . . . . . . . . . . 387
Uniform Resource Locators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Connecting to Web Site Resources . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Accessing FTP Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Accessing Web Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Connecting to Web Server–Based Applications . . . . . . . . . . . . . . . 391
Managing Internet Explorer Security Settings . . . . . . . . . . . . . . . . . . . . 391
Overview of Internet Explorer Security Features. . . . . . . . . . . . . . . 391
Managing URL Actions for Web Content Zones. . . . . . . . . . . . . . . 393
Web Content Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Advanced Internet Security Options. . . . . . . . . . . . . . . . . . . . . . . . . 402
Managing Internet Explorer Privacy Settings . . . . . . . . . . . . . . . . . . . . . 404
Cookies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Pop-Up Blocker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Managing Internet Cache and History Data . . . . . . . . . . . . . . . . . . 408
AutoComplete and Internet Explorer Password Caching . . . . . . . 411
Using Add-On Manager to Control Add-On Programs . . . . . . . . . . . . 412
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Scenario 12-1: Getting Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Scenario 12-2: Managing Internet Explorer Security and Privacy . . . . . . . . . . . . . . . . . . . . . 417
CHAPTER 13: Managing Users and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Overview of User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Users and Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
User and Group Account Permissions . . . . . . . . . . . . . . . . . . . . . . . 420
User Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Built-In User Accounts and Groups. . . . . . . . . . . . . . . . . . . . . . . . . . 421
Implicit Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Service Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Domain User Accounts and Groups . . . . . . . . . . . . . . . . . . . . . . . . . 424
Tools for Managing Users and Groups . . . . . . . . . . . . . . . . . . . . . . . 425
Planning User Accounts and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Mapping Out a User and Group Strategy . . . . . . . . . . . . . . . . . . . . 429
User Account Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 430
Setting Requirements for Complex Passwords . . . . . . . . . . . . . . . . 431
Changing the Way Users Log On or Log Off. . . . . . . . . . . . . . . . . . 432
Creating and Managing User Accounts with Local Users and Groups . . . . . . . . . . . . . . . . . . 434
Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
Managing User Account Properties . . . . . . . . . . . . . . . . . . . . . . . . . 434
Managing User Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 436
Managing User Rights Assignment. . . . . . . . . . . . . . . . . . . . . . . . . . 437
Creating and Managing Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 438
Creating and Managing Groups Using Local Users and Groups . . . . . . . . . . . . . . . . . . . . . 438
Managing Groups Using Command-Line Tools . . . . . . . . . . . . . . . 441
Creating and Managing User Accounts with the User Accounts Tool . . . . . . . . . . . . . . . . . . 442
User Account Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
Creating a New User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 443
Changing an Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Best Practices for User Account Management . . . . . . . . . . . . . . . . . . . . 446
Managing User Account–Related System Policies . . . . . . . . . . . . . . . . . 447
Managing User Rights with Group Policy . . . . . . . . . . . . . . . . . . . . 447
Managing User Account Settings with Group Policy . . . . . . . . . . . 451
Using Cached Credentials in Windows XP . . . . . . . . . . . . . . . . . . . . . . . 454
Understanding Cached Credentials . . . . . . . . . . . . . . . . . . . . . . . . . 454
Managing Cached Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
Troubleshooting Cached Credentials . . . . . . . . . . . . . . . . . . . . . . . . 455
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Scenario 13-1: Designing Accounts for a Field Office . . . . . . . . . . 458
Scenario 13-2: Protecting Files on a Military System . . . . . . . . . . . 459
CHAPTER 14: Configuring and Managing Computer Security . . . . . . . . . . . . . . . . . . . . . . . . 461
Understanding Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Local Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
Domain Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
Managing Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Predefined Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
Creating a Custom Security Policy Management Console . . . . . . 468
Viewing, Modifying, and Creating a Security Template. . . . . . . . . 470
Analyzing and Configuring Security Settings . . . . . . . . . . . . . . . . . 472
Exporting Security Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Managing Security Policy with Secedit.exe . . . . . . . . . . . . . . . . . . . 475
Managing Security Audit Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Actions That Can Be Audited . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
Planning an Audit Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
Implementing and Managing an Audit Policy . . . . . . . . . . . . . . . . 479
Monitoring Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Scenario 14-1: Designing a Security Policy . . . . . . . . . . . . . . . . . . . 487
Scenario 14-2: Security Auditing. . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
CHAPTER 15: Backing Up and Restoring Systems and Data . . . . . . . . . . . . . . . . . . . . . . . . . 491
Understanding the Windows Backup Utility. . . . . . . . . . . . . . . . . . . . . . 492
Features of the Backup Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Planning a Backup and Recovery Strategy . . . . . . . . . . . . . . . . . . . . . . . 494
Choosing a Backup Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
Determining What to Back Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Selecting Backup Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Choosing a Backup Schedule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
Planning for Disaster Recovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
Backing Up the System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Creating a New Backup Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
Modifying a Backup Job. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Executing a Backup Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Performing an ASR Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Restoring a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Determining Which Backups to Restore . . . . . . . . . . . . . . . . . . . . . 504
Creating a Restore Job . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504
Using ASR to Recover a System . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505
Using System Restore to Recover Data and Settings. . . . . . . . . . . . . . . 507
Configuring System Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Creating a Restore Point Manually . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Restoring Settings and Data from a Restore Point . . . . . . . . . . . . . 510
Using Startup and Recovery Tools to Recover a System . . . . . . . . . . . . 511
Using the Recovery Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511
Using the Last Known Good Configuration. . . . . . . . . . . . . . . . . . . 513
Starting a System in Safe Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Scenario 15-1: Backup Planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Scenario 15-2: Power Problems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
CHAPTER 16: Managing Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Designing a System for Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Factors Leading to Poor Performance . . . . . . . . . . . . . . . . . . . . . . . 522
Determining Resource Requirements . . . . . . . . . . . . . . . . . . . . . . . . 523
Monitoring Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
The Performance Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Viewing Performance Charts with System Monitor . . . . . . . . . . . . 526
Using Histograms and Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Using Performance Logs to Spot Trends . . . . . . . . . . . . . . . . . . . . . 532
Using Performance Alerts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Monitoring Performance with Task Manager . . . . . . . . . . . . . . . . . 536
Improving Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
Memory Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Disk Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
Adding CPUs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
Mobile System Performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Review Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 547
Case Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Scenario 16-1: A Slow Application . . . . . . . . . . . . . . . . . . . . . . . . . . 548
Scenario 16-2: Spotting the Cause of Performance Issues . . . . . . 549
Glossary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .551
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .565
ABOUT THIS BOOK
Welcome to Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270), Second Edition, a part of the Microsoft Official Academic Course
(MOAC) series. Through lectures, discussions, demonstrations, textbook exercises, and classroom labs, this course teaches the skills and knowledge necessary
to plan, install, configure, and support Windows XP in standalone, small network, and corporate network environments. In 16 chapters, students will learn
how to install Windows XP Professional, connect to and share network resources,
configure Internet services and applications, manage security settings and auditing, and evaluate system performance.
TARGET AUDIENCE
This textbook was developed for beginning information technology students
who want to learn to configure and manage Windows XP in a variety of environments so that they can provide corporate support and implementation of
Windows XP on a direct-hire or consulting basis. Students who continue to study
Microsoft server operating systems can go on to earn the Microsoft Certified
System Administrator (MCSA) or Microsoft Certified Systems Engineer (MCSE)
credential.
PREREQUISITES
The prerequisites for taking this course are:
■ Familiarity with the use of Windows XP, including navigation and operation of major features.
■ A fundamental knowledge of computer hardware, network construction, and operating systems.
■ Prerequisite knowledge and course work as defined by the learning institution and the instructor. Completion of the Supporting Users and Troubleshooting Microsoft Windows XP (Microsoft Learning) course or equivalent experience is recommended.
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
THE TEXTBOOK
The textbook content has been crafted to provide a meaningful learning experience to students in an academic classroom setting.
Key features of the Microsoft Official Academic Course textbooks include the
following:
■ Learning objectives for each chapter that prepare the student for the topic areas covered in that chapter.
■ Chapter introductions that explain why the information is important.
■ An inviting design with screen shots, diagrams, tables, bulleted lists, and other graphical formats that makes the book easy to comprehend and supports a number of different learning styles.
■ Clear explanations of concepts and principles, and frequent exposition of step-by-step procedures.
■ A variety of reader aids that highlight a wealth of additional information, including:
❑ Note: real-world application tips and alternative procedures, and explanations of complex procedures and concepts
❑ Caution: warnings about mistakes that can result in loss of data or that are difficult to resolve
❑ Important: explanations of essential setup steps before a procedure and other instructions
❑ More Info: cross-references and additional resources for students
■ End-of-chapter review questions that assess knowledge and can serve as homework, quizzes, and review activities before or after lectures. (Answers to the textbook questions are available from your instructor.)
■ Chapter summaries that distill the main ideas in a chapter and reinforce learning.
■ Case scenarios, approximately two per chapter, that provide students with an opportunity to evaluate, analyze, synthesize, and apply information learned during the chapter.
■ Comprehensive glossary that defines key terms introduced in the book.
THE SUPPLEMENTAL COURSE MATERIALS CD-ROM
This book comes with a Supplemental Course Materials CD-ROM, which contains a variety of informational aids to complement the book content:
■ An electronic version of this textbook (eBook). For information about using the eBook, see the section titled “eBook Setup Instructions” later in this introduction.
■ The Microsoft Learning Readiness Review Suite built by MeasureUp. This suite of practice tests and objective reviews contains questions of varying complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.
■ An eBook of the Microsoft Encyclopedia of Networking, Second Edition.
■ Microsoft PowerPoint slides based on textbook chapters, for notetaking.
■ Microsoft Word Viewer and Microsoft PowerPoint Viewer.
A second CD contains a 120-day evaluation edition of Windows XP Professional with Service Pack 2.
NOTE The 120-day evaluation edition of Windows XP Professional provided with this book is not the full retail product; it is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support evaluation editions.
Readiness Review Suite Setup Instructions
The Readiness Review Suite includes a practice test of 300 sample exam questions and an objective review with an additional 125 questions. Use these tools to
reinforce your learning and to identify areas in which you need to gain more experience before taking your final exam for the course, or the certification exam if
you choose to do so.
Installing the Practice Test
1. Insert the Supplemental Course Materials CD into your CD-ROM drive.
NOTE If AutoRun is disabled on your machine, refer to the Readme.txt file on the Supplemental Course Materials CD.
2. On the user interface menu, select Readiness Review Suite and follow the prompts.
eBook Setup Instructions
The eBook is in Portable Document Format (PDF) and must be viewed using
Adobe Acrobat Reader.
Using the eBooks
1. Insert the Supplemental Course Materials CD into your CD-ROM drive.
NOTE If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD.
2. On the user interface menu, select Textbook eBook and follow the prompts. You also can review any of the other eBooks provided for your use.
NOTE You must have the Supplemental Course Materials CD in your CD-ROM drive to run the eBook.
THE LAB MANUAL
The Lab Manual is designed for use in either a combined lecture and lab situation, or in a separate lecture and lab arrangement. The exercises in the Lab Manual correspond to textbook chapters and are for use in a classroom setting
supervised by an instructor.
The Lab Manual presents a rich, hands-on learning experience that encourages
practical solutions and strengthens critical problem-solving skills:
■ Lab Exercises teach procedures by using a step-by-step format. Questions interspersed throughout Lab Exercises encourage reflection and critical thinking about the lab activity.
■ Lab Review Questions appear at the end of each lab and ask questions about the lab. They are designed to promote critical reflection.
■ Lab Challenges are review activities that either cover material in the text or ask students to perform a variation on a task they performed in the Lab Exercises, but without detailed instructions.
■ Troubleshooting Labs appear after a number of regular labs; they consist of medium-length review projects and are based on true-to-life scenarios. These labs challenge students to “think like an expert” to solve complex problems.
■ Labs are based on realistic business settings and include an opening scenario and a list of learning objectives.
Students who successfully complete the Lab Exercises, Lab Review Questions,
Lab Challenges, and Troubleshooting Labs in the Lab Manual will have a richer
learning experience and deeper understanding of the concepts and methods covered in the course. They will be better able to answer and understand the test
bank questions, especially the knowledge application and knowledge synthesis
questions. They will also be much better prepared to pass the associated certification exams if they choose to take them.
NOTATIONAL CONVENTIONS
The following conventions are used throughout this textbook and the Lab
Manual:
■ Characters or commands that you type appear in bold type.
■ Terms that appear in the glossary also appear in bold type.
■ Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles and terms defined in the text.
■ Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a filename in a dialog box or at a command prompt.
■ Filename extensions appear in all lowercase.
■ Acronyms appear in all uppercase.
■ Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.
■ Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can type a filename with the command. Type only the information within the brackets, not the brackets themselves.
■ Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.
KEYBOARD CONVENTIONS
■ A plus sign (+) between two key names means that you must press those keys at the same time. For example, “Press Alt+Tab” means that you hold down Alt while you press Tab.
■ A comma (,) between two or more key names means that you must press the keys consecutively, not at the same time. For example, “Press Alt, F, X” means that you press and release each key in sequence. “Press Alt+W, L” means that you first press Alt and W at the same time, and then you release them and press L.
COVERAGE OF EXAM OBJECTIVES
This book is intended to support a course that is structured around concepts and
practical knowledge fundamental to this topic area, as well as the tasks that are
covered in the objectives for the MCSE 70-270 exam. The following table correlates
the exam objectives with the textbook chapters and Lab Manual lab exercises. You
might also find this table useful if you decide to take the certification exam.
NOTE The Microsoft Learning Web site describes the various MCP certification exams and their corresponding courses. It provides up-to-date certification information and explains the certification process and the course options. See http://www.microsoft.com/learning/ for up-to-date information about MCP exam credentials for other certification programs offered by Microsoft.
Textbook and Lab Manual Coverage of Exam Objectives for MCSE Exam 70-270
(Columns: Objective; Textbook Chapter; Lab Manual Content)

Installing Windows XP Professional
Perform and troubleshoot an attended installation of Windows XP Professional.
Perform and troubleshoot an unattended installation of Windows XP Professional.
■ Install Windows XP Professional by using Remote Installation Services (RIS).
■ Install Windows XP Professional by using the System Preparation Tool.
■ Create unattended answer files by using Setup Manager to automate the installation of Windows XP Professional.
Upgrade from a previous version of Windows to Windows XP Professional.
■ Prepare a computer to meet upgrade requirements.
■ Migrate existing user environments to a new installation.
Perform post-installation updates and product activation.
Troubleshoot failed installations.
Textbook Chapter: Chapter 2. Lab Manual Content: Labs 1 and 2; some items Not Covered.

Implementing and Conducting Administration of Resources
Monitor, manage, and troubleshoot access to files and folders.
■ Configure, manage, and troubleshoot file compression.
■ Control access to files and folders by using permissions.
■ Optimize access to files and folders.
Manage and troubleshoot access to shared folders.
■ Create and remove shared folders.
■ Control access to shared folders by using permissions.
■ Manage and troubleshoot Web server resources.
Connect to local and network print devices.
■ Manage printers and print jobs.
■ Control access to printers by using permissions.
■ Connect to an Internet printer.
■ Connect to a local print device.
Configure and manage file systems.
■ Convert from one file system to another file system.
■ Configure NTFS, FAT32, or FAT file systems.
Manage and troubleshoot access to and synchronization of offline files.
Textbook Chapters: 3, 6, 7, and 8. Lab Manual Content: Labs 3, 6, 7, and 8.

Implementing, Managing, Monitoring, and Troubleshooting Hardware Devices and Drivers
Implement, manage, and troubleshoot disk devices.
■ Install, configure, and manage DVD and CD-ROM devices.
■ Monitor and configure disks.
■ Monitor, configure, and troubleshoot volumes.
■ Monitor and configure removable media, such as tape devices.
Implement, manage, and troubleshoot display devices.
■ Configure multiple-display support.
■ Install, configure, and troubleshoot a video adapter.
Configure Advanced Configuration and Power Interface (ACPI).
Implement, manage, and troubleshoot input and output (I/O) devices.
■ Monitor, configure, and troubleshoot I/O devices, such as printers, scanners, multimedia devices, mice, keyboards, and smart card readers.
■ Monitor, configure, and troubleshoot multimedia hardware, such as cameras.
■ Install, configure, and manage modems.
■ Install, configure, and manage Infrared Data Association (IrDA) devices.
■ Install, configure, and manage wireless devices.
■ Install, configure, and manage USB devices.
■ Install, configure, and manage handheld devices.
■ Install, configure, and manage network adapters.
Manage and troubleshoot drivers and driver signing.
Monitor and configure multiprocessor computers.
Textbook Chapters: 3, 4, 5, 10, and 11. Lab Manual Content: Labs 3, 4, 5, 10, and 11; some items Not Covered.

Monitoring and Optimizing System Performance and Reliability
Monitor, optimize, and troubleshoot performance of the Windows XP Professional desktop.
■ Optimize and troubleshoot memory performance.
■ Optimize and troubleshoot processor utilization.
■ Optimize and troubleshoot disk performance.
■ Optimize and troubleshoot application performance.
Configure, manage, and troubleshoot scheduled tasks.
Manage, monitor, and optimize system performance for mobile users.
Restore and back up the operating system, System State data, and user data.
■ Recover System State data and user data by using Windows Backup.
■ Troubleshoot system restoration by starting in Safe Mode.
■ Recover System State data and user data by using the Recovery Console.
Textbook Chapters: 15 and 16. Lab Manual Content: Labs 15 and 16.

Configuring and Troubleshooting the Desktop Environment
Configure and manage user profiles and desktop settings.
Configure support for multiple languages or multiple locations.
■ Enable multiple-language support.
■ Configure multiple-language support for users.
■ Configure local settings.
■ Configure Windows XP Professional for multiple locations.
Manage applications by using Windows Installer packages.
Textbook Chapters: 5, 9, and 13. Lab Manual Content: Labs 5, 9, and 13.

Implementing, Managing, and Troubleshooting Network Protocols and Services
Configure and troubleshoot the TCP/IP protocol.
Connect to computers by using dial-up networking.
■ Connect to computers by using a virtual private network (VPN) connection.
■ Create a dial-up connection to connect to a remote access server.
■ Connect to the Internet by using dial-up networking.
■ Configure and troubleshoot Internet Connection Sharing (ICS).
Connect to resources by using Internet Explorer.
Configure, manage, and implement Internet Information Services (IIS).
Configure, manage, and troubleshoot Remote Desktop and Remote Assistance.
Configure, manage, and troubleshoot an Internet Connection Firewall (ICF).
Textbook Chapters: 3, 10, 11, 12, and 14. Lab Manual Content: Labs 3, 6, 8, 10, 11, 12, and 14.

Configuring, Managing, and Troubleshooting Security
Configure, manage, and troubleshoot the Encrypting File System (EFS).
Configure, manage, and troubleshoot a security configuration and local security policy.
Configure, manage, and troubleshoot local user and group accounts.
■ Configure, manage, and troubleshoot auditing.
■ Configure, manage, and troubleshoot account settings.
■ Configure, manage, and troubleshoot account policy.
■ Configure, manage, and troubleshoot user and group rights.
■ Troubleshoot cached credentials.
Configure, manage, and troubleshoot Internet Explorer security settings.
Textbook Chapters: 12 and 13. Lab Manual Content: Labs 12 and 13; some items Not Covered.
THE MICROSOFT CERTIFIED PROFESSIONAL PROGRAM
The MCP program is one way to prove your proficiency with current Microsoft
products and technologies. These exams and corresponding certifications are
developed to validate your mastery of critical competencies as you design and
develop, or implement and support, solutions using Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized
as experts and are sought after industry-wide. Certification brings a variety of
benefits to the individual and to employers and organizations.
MORE INFO For a full list of MCP benefits, go to http://www.microsoft.com/learning/itpro/default.asp.
Certifications
The MCP program offers multiple certifications, based on specific areas of technical expertise:
■ Microsoft Certified Professional (MCP) In-depth knowledge of at least one Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.
■ Microsoft Certified Systems Engineer (MCSE) Qualified to effectively analyze the business requirements for business solutions and design and implement the infrastructure based on the Windows and Windows Server 2003 operating systems.
■ Microsoft Certified Systems Administrator (MCSA) Qualified to manage and troubleshoot existing network and system environments based on the Windows and Windows Server 2003 operating systems.
■ Microsoft Certified Database Administrator (MCDBA) Qualified to design, implement, and administer Microsoft SQL Server databases.
■ Microsoft Certified Desktop Support Technician (MCDST) Qualified to support end users and to troubleshoot desktop environments on the Microsoft Windows operating system.
MCP Requirements
Requirements differ for each certification and are specific to the products and job
functions addressed by the certification. To become an MCP, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise. These exams are designed to test your expertise and ability
to perform a role or task with a product, and they are developed with the input of
industry professionals. Exam questions reflect how Microsoft products are used
in actual organizations, giving them real-world relevance.
■ Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to validate their skills with other Microsoft products, development tools, or desktop applications.
■ Microsoft Certified Systems Engineer (MCSE) candidates are required to pass five core exams and two elective exams.
■ Microsoft Certified Systems Administrator (MCSA) candidates are required to pass three core exams and one elective exam.
■ Microsoft Certified Database Administrator (MCDBA) candidates are required to pass three core exams and one elective exam.
■ Microsoft Certified Desktop Support Technician (MCDST) candidates are required to pass two core exams.
ABOUT THE AUTHORS
The textbook, Lab Manual, pretest, testbank, and PowerPoint slides were developed exclusively for an instructor-led classroom environment by two authors,
Dave Field and Owen Fowler.
Dave Field is an author, trainer, and presenter. An MCSE on Windows NT 4, Windows 2000, and Windows 2003, Dave is an expert on networking technologies
and support desk topics. He has written consumer computer books such as How
To Do Everything with Windows XP Home Networking (Osborne/McGraw-Hill) and
has designed courses for Microsoft and Osborne/McGraw-Hill for the Microsoft
MCSE, MCSA, and MCDST certifications.
Dave is also the systems engineer at Camp Snoopy, a theme park in the Mall of
America in Bloomington, Minnesota. In this role, he has directed the installation
of entire network infrastructures using technologies such as Active Directory,
Microsoft Exchange, and Microsoft SQL Server. He has been the principal architect of point-of-sale implementations, ERP rollouts, and e-commerce initiatives.
Owen Fowler has worked as a Tier II Support Agent for one of the largest electronic tax filing centers in the United States. He has also run his own computer
consulting business, covering networking and operating system issues, in Colorado and Washington. In 2003, he assisted Verizon Wireless in consolidating its
nationwide network into a single domain. Owen has been an author, technical
editor, and development editor on many titles for Microsoft Learning.
FOR MICROSOFT OFFICIAL ACADEMIC COURSE SUPPORT
Every effort has been made to ensure the accuracy of the material in this book
and the contents of the CD-ROM. Microsoft Learning provides corrections for
books through the World Wide Web at the following address:
http://www.microsoft.com/learning/support/
If you have comments, questions, or ideas regarding this book or the companion
CD-ROM, please send them to Microsoft Learning using either of the following
methods:
Postal Mail:
Microsoft Learning
Attn: Installing, Configuring, and Administering Microsoft Windows XP Professional
(70-270), Second Edition, Editor
One Microsoft Way
Redmond, WA 98052-6399
E-mail: [email protected]
Please note that product support is not offered through the above addresses.
EVALUATION EDITION SOFTWARE SUPPORT
A 120-day software evaluation edition of Windows XP Professional with Service
Pack 2 is provided with this textbook. This is not the full retail product and is provided only for training and evaluation purposes. Microsoft and Microsoft Technical Support do not support this evaluation edition. It differs from the retail
version only in that Microsoft and Microsoft Technical Support do not support it,
and it expires after 120 days. For information about issues relating to the use of
evaluation editions, go to the Support section of the Microsoft Learning Web site
(http://www.microsoft.com/learning/support/).
For online support information relating to the full version of Windows XP
Professional that might also apply to the evaluation edition, go to
http://support.microsoft.com. For information about ordering the full version
of any Microsoft software, call Microsoft Sales at (800) 426-9400 or visit
http://www.microsoft.com.
CHAPTER 1
INTRODUCING WINDOWS XP PROFESSIONAL
Upon completion of this chapter, you will be able to:
■ Describe the support features of Windows XP Professional
■ Identify security technologies in Windows XP Professional
■ Identify the role of Windows XP Professional in the enterprise
■ Log on to a Windows XP Professional computer
In this course, we introduce you to the installation, configuration, and management of Windows XP Professional. Students in this course are expected to come
from all backgrounds and have varying levels of experience with Windows XP
Professional. That said, you will get the most from this course if you have a good
understanding of the Windows graphical environment. Those who have completed “Supporting Users and Troubleshooting Microsoft Windows XP”
(Microsoft Official Academic Curriculum Course 70-271) will have a firm basis
for understanding this material.
We have a lot of information to cover, but plenty of excellent resources are available to help you understand this technology. Many will be provided with this
textbook, and many more are available from your instructor or at Microsoft’s
Windows XP Web site at www.microsoft.com/windowsxp.
OVERVIEW OF WINDOWS XP PROFESSIONAL
Windows XP Professional is the Microsoft business-class desktop operating system. It is intended for those who require high performance, security, and reliable
computer resources. It differs from the consumer-level Windows XP Home Edition in its support for enterprise computing architectures, multiple processors,
advanced security, and manageability. It is found in business, desktop publishing,
banking and finance, and manufacturing environments, as well as other areas
that require reliable and secure computer performance. In this section, we will
examine the features of Windows XP Professional and describe many of the elements of this operating system.
Windows XP Architecture
The Windows XP line of operating systems is based on the Windows NT kernel
architecture. This architecture was designed to allow the central processes—those
processes requiring the most privilege—to operate in a privileged environment,
often referred to as the kernel (shown in Figure 1-1). This environment is insulated from direct manipulation by users or hardware resources. The kernel is also
separated from the actual system hardware by the hardware abstraction layer
(HAL). The HAL is a layer of code designed to interface the specific hardware
with the more generic operating system. At one time, HALs existed for PowerPC
and DEC Alpha processors, but today HALs mainly exist to support differing
power management versions or multiple processors.
User-mode applications run with less privilege, protecting the kernel from instabilities caused by failing or faulty applications. This separation of the critical processes allows the operating system to continue operating even when applications or noncritical hardware devices fail. Critical devices—such as disk drives or motherboard components—can still bring a system down, but the failure of a noncritical device (for example, a USB peripheral) most likely will not.
In addition, each application can be run in a protected memory space. This prevents a failing application from affecting other applications and the operating
system itself.
Figure 1-1 The Windows XP architecture. User mode: 32-bit applications, 16-bit applications running under NTVDM, the Logon Process, the Security Subsystem, and the Win32 Subsystem. Kernel mode: the Executive (I/O Manager, IPC Manager, Memory Manager, Process Manager, Plug and Play, File Systems, Security Reference Monitor, Window Manager, Power Manager, Graphics Device Drivers, Object Manager) above the Microkernel, Device Drivers, the Hardware Abstraction Layer (HAL), and the Hardware.
Intelligent User Interface
Windows XP represents Microsoft’s most advanced user interface. Building on
the desktop metaphor of earlier Windows operating systems, Windows XP
brings together the latest research in intuitive user interface design with new,
attractive visual styles.
The Start menu
The Windows XP Start button (first seen in Windows 95) has been linked to an
all-new Start menu that displays a great variety of options within a single space
(as shown in Figure 1-2). Users can access frequently used applications, recent
documents, favorite applications, system settings, help, and much more within
the same menu.
Figure 1-2 Windows XP Professional Start menu
The left column in the figure is divided into the pinned items list above and the frequently used programs list below. Initially these lists have a few default programs
listed, but as users work with the computer, the frequently used programs list
begins to learn which programs are used most frequently and ranks them for
quick access. Users also have the option of pinning any program or document to
the pinned items list.
The right column of the Start menu contains a list of special purpose folders, the
Help and Support area, and configuration tools. This list can be customized to
hide or expose folders such as My Documents, My Music, and My Recent Documents. The system configuration items can also be customized to show or
hide configuration tools, depending on the role of the user who is logged on to
the system.
Designated administrators can configure and lock down all Start menu settings
by using the Group Policy management tools built into Windows XP and Windows Server products.
The taskbar
The Windows XP taskbar has the ability to group similar applications to reduce
clutter. You can then manage these groups together to maximize, minimize, or
even close all applications in the group at once. Figure 1-3 shows a user closing a
group of Microsoft Office Word 2003 documents.
Figure 1-3 Closing a group of Microsoft Office Word 2003 documents
The taskbar can also hold toolbars such as Quick Launch or Media Player to provide quick access to these useful tools. You can copy icons to the Quick Launch
bar so you can quickly launch applications or documents without having to open
the Start menu. The Media Player toolbar activates a small Media Player control
panel when Windows Media Player is minimized. Figure 1-4 shows the Quick
Launch toolbar and the Media Player toolbar in use.
Figure 1-4 Quick Launch and Media Player toolbars (labeled in the figure as Quick Launch Toolbar and Media Player Toolbar)
The right side of the taskbar is known as the notification area. This area—called the
system tray in earlier versions of Windows—contains icons that represent operating system alerts, applications, or services that are running in the background on
the system. Examples of these include an alert when operating system updates
are available from Microsoft or an icon that represents a running antivirus application. Figure 1-5 shows the notification area with several icons displayed.
Figure 1-5 The notification area
The desktop
Many people who are familiar with the previous versions of Microsoft desktop
operating systems have found the default Windows XP desktop (the area above
the taskbar in Figure 1-6) surprisingly bare.
Figure 1-6 Windows XP “Bliss” desktop with a lone Recycle Bin icon
Desktops in previous versions of Windows featured icons for My Computer, My
Network Places, Internet Explorer, and other applications. Each application that
users installed also offered to add its own icons to the desktop. The result was a
desktop with dozens of icons. Windows XP, by default, does not place any icon
other than the Recycle Bin on the desktop. You can put your icons back on the
desktop by customizing the desktop settings.
The Windows Classic desktop
When Windows XP was first released, many users were uncomfortable with the
new desktop technology (code-named Luna). To accommodate these users,
Microsoft created a desktop theme that mimics many of the features of the earlier
Windows interfaces. In this way, those who can’t get a handle on the new interface can actually reinstate the entire Windows Classic theme. You get an interface
similar to that of Windows 2000 Professional with all the colors and controls
familiar to users of the older operating system (Figure 1-7).
NOTE We will discuss desktop themes and how to configure them in Chapter 5.
Figure 1-7 Selecting the Windows Classic theme
Hardware Support
Windows XP has better hardware installation and configuration support than
previous Windows versions. Microsoft has combined the scalability, reliability,
and performance of the corporate family of operating systems with the ease of
configuration for many tasks of the consumer family of operating systems and
formed a comprehensive driver model with the best traits of each.
Enhanced device driver support
Windows XP fully implements Microsoft’s Plug and Play technology to allow simple configuration of supported hardware devices.
Driver signing Windows XP can be configured to require device drivers for
new hardware to contain a digital signature from Microsoft’s Windows Hardware
Quality Laboratory (WHQL). This ensures that devices and their drivers are
tested and approved by an authoritative third party (in this case, Microsoft)
before use.
Device driver rollback If a driver is installed that causes a problem with the
operating system or other hardware, it can be rolled back, effectively uninstalling
it and returning the previous driver. This speeds recovery from incorrect driver
installation.
CD and DVD recording
Windows XP natively supports reading and writing to CD-R and CD-RW media.
Files and video can be written directly to these media without any third-party
burning tools. For example, users can select a folder of images from a digital camera, drag it to the icon representing their CD-R drive, and then create a CD. They
can also transfer more and larger files to a single CD instead of copying them to
several smaller-capacity floppy disks.
This feature also provides options for original equipment manufacturers (OEMs)
and independent software vendors (ISVs). OEMs can create branded applications that generate emergency boot CDs instead of emergency boot floppy disks
and, by using function calls to the CD-ROM-burning features of the operating system, software vendors can offer a “burn to CD” option on their Windows applications. This can be a great feature, for example, in a graphics program that writes
many large files to disk.
Auto-Configuration for Multiple Network Connectivity
The Auto-Configuration for Multiple Network Connectivity feature provides easy
access to network devices and the Internet. It also allows a mobile computer user
to seamlessly operate both office and home networks without manually reconfiguring Transmission Control Protocol/Internet Protocol (TCP/IP) settings.
You can use this feature to specify an alternative configuration for TCP/IP that is applied if a Dynamic Host Configuration Protocol (DHCP) server is not found. The alternative configuration is useful when a computer is used on multiple networks, one of which has no DHCP server and on which Automatic Private IP Addressing (APIPA) is not used.
COMPREHENSIVE HELP AND SUPPORT OPTIONS
Windows XP has an extensive collection of user assistance features. Among these
are a new Help and Support Center found on the Start menu, Remote Assistance,
and support Troubleshooters. Figure 1-8 shows the user assistance items we will
introduce next.
Figure 1-8 Help and Support Center
Microsoft also allows manufacturers of computer systems to create their own custom-branded versions of the Help and Support Center (Figure 1-9). This helps
them to promote their brand identity while providing their customers with integrated support options.
Figure 1-9 Custom-branded Help and Support
Pick a Help Topic
This area of Help and Support contains topical advice on system usage, configuration, and troubleshooting issues. Users are directed to information on system
features, instructions on setting up system components, and wizards to guide
more advanced processes.
Ask for Assistance
The Ask for Assistance feature allows users to ask another user for help via the
Remote Assistance feature or to communicate directly with Microsoft Product
Support Services to resolve an issue.
Remote Assistance
The Remote Assistance feature allows a helper to remotely view and control a
computer for any support task. It also enables chat and file transfers. If a user has
a computer problem, another person can be invited to help over the Internet. The
remote assistant can accept the invitation, chat with the user about the problem,
and view the desktop. With permission, the remote assistant can also get full control of the computer to perform any complex steps needed to fix the problem.
The remote assistant can also transfer any files required to fix the problem.
IMPORTANT Do not confuse Remote Assistance with Remote Desktop. Remote Desktop allows one to connect to, and control, a computer remotely. It does not allow the user at the computer being controlled to see what is happening on the screen. We will present more information on Remote Desktop in Chapter 10.
Microsoft Incident Submission and Management
The Microsoft Incident Submission and Management feature allows a user to submit electronic support incidents to Microsoft, collaborate with support engineers,
and manage submitted incidents.
Pick a Task
This area of Help and Support contains links to Windows Updates, links for
locating compatible hardware and recovering from system problems with System
Restore, and a menu of system support tools.
Windows Update
Microsoft maintains a collection of patches and updates for each recent Windows
operating system on the Windows Update Web site. This option connects the
user to this site to scan for available updates.
Compatible Hardware and Software
The Compatible Hardware and Software feature provides up-to-date, comprehensive, user-friendly hardware and software compatibility information to aid users
in upgrading equipment, making purchasing decisions, and troubleshooting
problems. For example, if you purchase an application that requires a 3-D accelerator card, you might not know which cards are compatible with your computer.
You can use Help and Support to run a comprehensive query and find compatible 3-D accelerator cards. You can run queries based on manufacturer, product
type, software, or hardware. The Microsoft compatibility teams use data from user
interactions, independent hardware vendors (IHVs), and ISVs to improve their
products.
My Computer Information
My Computer Information provides an easily understood, highly accessible view
of personalized software and hardware information about your computer or
another computer for which you have administrative permissions.
You can view information in five categories, as described in the following sections.
View General System Information About This Computer The My Computer
Information – General category allows you to view information about your computer such as the computer manufacturer, model, basic input/output system
(BIOS) version, processor version and speed, operating system, amount of memory, and amount of available disk space.
View The Status Of My System Hardware And Software The My Computer
Information – Status category allows you to examine diagnostic information
about your computer, including the following:
■ Obsolete applications and device drivers
■ System software
■ Hardware: video card, network card, sound card, and universal serial bus (USB) controller
■ Hard disks
■ Random access memory (RAM)
Find Information About The Hardware Installed On This Computer The
Computer Information – Hardware category allows you to examine descriptive
information about your computer’s hardware, including the local disk, display,
video card, modem, sound card, USB controller, network cards, CD-ROM drives,
floppy drives, memory, and printers.
View A List Of Microsoft Software Installed On This Computer The Software category allows you to view a list of Microsoft products that are installed and
registered by product identification (PID) number on your computer, including
products that run automatically from Startup. It also shows you the Windows Dr.
Watson Crash Information about any software that crashed while running on
your computer.
View Advanced System Information Advanced System Information allows
you to choose from the following options:
■ View Detailed System Information (MSINFO32.exe) This option allows you to view detailed information about hardware resources, components (multimedia, input, network, ports, and storage), software environment, and Internet settings, as shown in Figure 1-10.
Figure 1-10 The System Information window
■ View Running Services This option lets you view the system service processes running on your computer.
■ View Group Policy Settings Applied This option lets you view which settings on your computer are the result of Group Policy control.
■ View The Error Log View errors and messages from the operating system, its services, and installed applications.
■ View Information For Another Computer If you have administrative permissions on a remote computer, you can view My Computer Information on that remote computer. If you click View Computer Information For Another Computer, the Web Page dialog box appears, prompting you to enter the name of the remote computer you want to view. Enter the remote computer name, and then click Open to view the remote computer information.
Searching and Printing Options
Help and Support also supports a full-text search function and gives users the
ability to print applicable sections for offline reference.
Full-Text Search
The Windows Help system uses Hypertext Markup Language (HTML) to format and display information. If you have an Internet connection, you can search
for every occurrence of a word or phrase across all Windows-compiled HTML
Help files. Because the Windows Help System is also extensible, multiple search
engines can plug into the Help and Support Center application using a set of
standard interfaces. Users can search for content across multiple remote and
online providers. For example, you can search for information resident on your
computer or located remotely in the Microsoft Knowledge Base or in a participating OEM’s knowledge base.
NOTE The Microsoft Knowledge Base is a comprehensive database containing detailed articles with technical information about Microsoft products, fix lists, documentation errors, and answers to commonly asked technical support questions. To access the Knowledge Base directly, instead of using the Help And Support application, go to http://search.support.microsoft.com/kb/c.asp.
Printing
The Help and Support Center application allows you to print an entire chapter of
Help content with one print command—that is, it can iteratively print all available
topics in a specified node. If some topics are not available because of network
connection problems, Windows XP Professional prints only the available content. After you have located the information you want to print, click Print.
WINDOWS XP SECURITY TECHNOLOGIES
Windows XP supports many technologies for securing communications and
data. Among these are the Windows Firewall, Security Center, Attachment Manager, Encrypting File System, and policy-based security management.
Windows Firewall
Windows XP Service Pack 2 (SP2) replaced the Internet Connection Firewall (ICF) of earlier releases with the improved Windows Firewall and enables it by default on every network connection, to protect Internet-connected computers from malicious access. Windows Firewall is a stateful host firewall: it blocks unsolicited inbound TCP/IP traffic, and when a local application opens an outbound connection it temporarily permits the return traffic for that connection from the remote host only. When the connection is dropped, the port is closed to outside traffic again. Unless a user or administrator configures an exception (a program or port opening), the firewall does not respond to any outside connection attempt, so a system on the Internet cannot reach a service that has not been deliberately exposed. Keep in mind that it filters inbound traffic only; it does not restrict outbound connections made by programs already running on the computer.
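The following script is an added example, not code from the book: it inspects and hardens the XP SP2 firewall with the XP-era netsh firewall context, which is what an administrator actually types on these systems. It runs in Windows PowerShell 2.0 (a separate download for Windows XP SP3) as a member of Administrators. The management subnet 192.168.1.0/24 and the decision to expose Remote Desktop to that subnet are illustrative assumptions.

```powershell
# Added example (not from the book): inspect and harden the Windows XP SP2
# firewall with "netsh firewall". PowerShell 2.0 on XP SP3, run as Administrator.
# 192.168.1.0/24 and the Remote Desktop exception are assumptions.

function Get-XpFirewallState {
    # "show state" reports the operational mode and the ports currently open;
    # "show config" reports the saved per-profile configuration.
    $state  = & netsh firewall show state
    $config = & netsh firewall show config
    New-Object PSObject -Property @{
        Enabled = [bool]($state | Select-String 'Operational mode\s*=\s*Enable')
        State   = $state
        Config  = $config
    }
}

function Set-XpFirewallBaseline {
    param([string]$MgmtSubnet = '192.168.1.0/24')   # assumed management subnet

    # 1. Return to the SP2 defaults so forgotten program/port openings do not survive.
    & netsh firewall reset

    # 2. Firewall on for both the Domain and the Standard profile; switch off every
    #    built-in service exception (file/print sharing, remote admin, RDP, UPnP).
    & netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL
    & netsh firewall set service type=ALL mode=DISABLE profile=ALL
    # Remote Assistance is a program exception, not a service, so it is disabled separately.
    & netsh firewall set allowedprogram program="$env:SystemRoot\system32\sessmgr.exe" name="Remote Assistance" mode=DISABLE profile=ALL

    # 3. Re-open only what is needed, and only for the management subnet. Unsolicited
    #    inbound traffic to anything else is still dropped; replies to connections the
    #    computer itself opened are allowed by the stateful filter.
    & netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=$MgmtSubnet profile=ALL

    # 4. Do not answer echo requests (ICMP type 8) from outside.
    & netsh firewall set icmpsetting type=8 mode=DISABLE profile=ALL

    # 5. Log dropped packets and allowed connections for later review.
    & netsh firewall set logging filelocation="$env:SystemRoot\pfirewall.log" maxfilesize=4096 droppedpackets=ENABLE connections=ENABLE
}

Set-XpFirewallBaseline
Get-XpFirewallState | Select-Object Enabled
```

Run Get-XpFirewallState on its own first to record the current configuration; the reset step discards every existing exception, so anything that must stay open has to be re-added in step 3.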
Security Center
Released with SP2, the Security Center (Figure 1-11) is a central place to check the status of the computer's Internet protections. It reports whether the firewall is on, whether antivirus software is installed and up to date, and whether Automatic Updates is enabled, and it links to the maintenance and configuration activities for each.
Figure 1-11 Windows XP Security Center
NOTE The Security Center will be discussed in more depth in
Chapter 14.
Attachment Manager
The Attachment Manager, also introduced in SP2, classifies files received as e-mail attachments or as Internet downloads by the risk of their file type (executable types are high risk) and either blocks them or warns the user before they are opened from within e-mail clients and other participating programs. Files saved from the Internet are tagged with their zone of origin, so the warning persists when the file is opened later.
Encrypting File System
The Encrypting File System (EFS) stores folders and files on NTFS volumes in encrypted form. EFS generates a random file encryption key for each encrypted file and then encrypts that key with the public key of the file's owner and, if one is configured, with the public key of a designated recovery agent. Without the owner's private key or the recovery agent's private key, the data is inaccessible to all other users, including someone who removes the disk or boots the computer from another operating system. EFS protects data at rest only: the owner's private key is itself protected by the account password, so a weak password, or a logged-on session that an attacker can use, exposes the encrypted files as well.
NOTE We will discuss EFS in more depth in Chapter 3 and Chapter 14.
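The following is an added example, not code from the book: it encrypts a folder with EFS from the command line, verifies that every file in it actually carries the Encrypted attribute, and wipes the plaintext left in free space by in-place encryption. It runs in Windows PowerShell 2.0 on Windows XP Professional; the folder must be on an NTFS volume, and the path C:\Research is an assumption.

```powershell
# Added example (not from the book): encrypt a folder with EFS and verify it.
# PowerShell 2.0 on Windows XP Professional, NTFS volume. C:\Research is assumed.

$folder = 'C:\Research'   # assumed location of the data to protect

function Protect-FolderWithEfs([string]$Path) {
    # /E marks the folder so files created later are encrypted automatically,
    # /S:<dir> applies the operation to the whole tree, and /A includes the
    # files themselves (without /A only the directory flags change).
    & cipher /E /S:"$Path" /A | Out-Null
}

function Get-EfsStatus([string]$Path) {
    # One object per file. A file without the Encrypted flag is still plaintext;
    # cipher skips files that were in use when it ran.
    Get-ChildItem -Path $Path -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Encrypted = (($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0)
            }
        }
}

function Clear-PlaintextRemnants([string]$Path) {
    # Encrypting in place leaves the old plaintext clusters in free space until they
    # are overwritten; /W overwrites the free space of the volume that holds $Path.
    & cipher /W:"$Path"
}

Protect-FolderWithEfs $folder
Get-EfsStatus $folder | Where-Object { -not $_.Encrypted }   # files still in plaintext, if any
Clear-PlaintextRemnants $folder
```

Before relying on EFS on a laptop, export the user's EFS certificate and private key from the Certificates console to removable media kept elsewhere; if the profile is lost or the password is reset by an administrator, that backup is the only way to recover the files.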
Security Management Policies
Windows XP uses security management policies to define security settings on the local computer: account and password policies, audit policy, user rights assignments, and security options. You can apply these settings directly on the computer with the Local Security Policy console (as shown in Figure 1-12) or deliver them from Active Directory with Group Policy, in which case the domain settings override conflicting local ones.
Figure 1-12 The Local Security Policy console
Using policies, you can devise a standard group of security settings and apply
them to multiple computers at once, ensuring consistent security settings
throughout the enterprise.
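The following is an added example, not code from the book: it expresses a local password and account-lockout baseline as a security template (the INF format read by secedit.exe and the Security Templates snap-in), checks the computer against it, and then applies it. It runs in Windows PowerShell 2.0 on Windows XP Professional as a member of Administrators. The threshold values are assumptions; on a domain member, Group Policy settings take precedence over anything set this way.

```powershell
# Added example (not from the book): enforce a local security baseline with a
# security template and secedit.exe. PowerShell 2.0 on XP Pro, run as Administrator.
# Threshold values are assumptions.

$template = Join-Path $env:TEMP 'baseline.inf'
$database = Join-Path $env:TEMP 'baseline.sdb'
$log      = Join-Path $env:TEMP 'baseline.log'

# Single-quoted here-string so that "$CHICAGO$" is kept literally.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 10
PasswordComplexity = 1
PasswordHistorySize = 12
MaximumPasswordAge = 90
MinimumPasswordAge = 1
LockoutBadCount = 5
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
'@

function Test-SecurityBaseline {
    # Compare the current settings with the template. secedit exits 0 even when
    # settings differ, so the mismatches are read back from the log it writes.
    $inf | Out-File -FilePath $template -Encoding Unicode
    if (Test-Path $log) { Remove-Item $log }
    & secedit /analyze /db $database /cfg $template /overwrite /log $log
    Get-Content $log | Select-String -Pattern 'Mismatch'
}

function Set-SecurityBaseline {
    # Import the template into the database and apply it. /areas SECURITYPOLICY
    # limits the change to account, audit and security-option settings, leaving
    # file and registry ACLs untouched.
    $inf | Out-File -FilePath $template -Encoding Unicode
    & secedit /configure /db $database /cfg $template /overwrite /areas SECURITYPOLICY /log $log
}

Test-SecurityBaseline    # lists the settings that differ from the template
Set-SecurityBaseline
Test-SecurityBaseline    # re-check after applying
```

The same template can be imported into the Security Configuration And Analysis snap-in for a graphical comparison, or into a Group Policy object so that every computer in an OU receives the identical settings.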
WINDOWS XP ORGANIZATIONAL ROLES
Windows XP Professional is at home both in small offices and international enterprises. With its enormously flexible configuration options, Windows XP can be
configured for standalone use, for sharing files with a small network workgroup,
or for working in a large network in which files are accessed from servers in a faroff datacenter.
Workgroup Networks
A workgroup is a logical collection of computers that share resources with each
other, as shown in Figure 1-13. These resources might be files, printers, or applications. A workgroup is also called a peer-to-peer network because all computers in
the workgroup can share resources as equals (peers) without a dedicated server.
Security in a workgroup is defined by a series of local security databases residing
on each of the computers that are sharing resources.
Figure 1-13 A workgroup network: Windows XP Professional, Windows 2000 Server, and Windows Server 2003 computers, each with its own local accounts database, and a shared printer
NOTE Logical vs. Physical Network Structures A logical network
structure such as a workgroup or a domain is basically a management
tool used by administrators to classify, configure, and support the computers in that network.
A physical network structure is the actual hardware design, including
such items as routers, switches, cables, and connectors that make up
the actual network.
Users of computers in workgroups are given access to resources on each computer by the person in charge of that computer. They have a username and a password for each computer on which they access resources. It is not uncommon for
a user to have to keep track of several different usernames and passwords.
A workgroup provides the following advantages:
■ It does not require inclusion of a domain controller in the configuration to hold centralized security information.
■ It is simple to design and implement. It does not require the extensive planning and administration that a domain requires.
■ It is a convenient networking environment for a limited number of computers in close proximity.
Some disadvantages of workgroups include:
■ A workgroup becomes impractical in environments with more than 10 computers because each computer has its own security authority and must maintain its own set of usernames and passwords. This greatly increases administrative overhead as the workgroup grows.
■ Workgroups do not provide for centralized management of systems or resources.
■ Workgroups require users to remember and use different usernames and passwords for each resource they need to access.
■ Workgroups usually struggle with computer name resolution across IP subnets and switched networks.
Domain Networks
A domain is a logical grouping of network computers that share a central directory
database (as shown in Figure 1-14). A directory database contains user accounts
and security information for the domain. This database is known as the directory
and is a major portion of Active Directory, the Windows 2000 and Windows
Server 2003 directory service.
Active Directory can manage much more than just user security, however. It can
publish shared data folders, printers, applications, and other resources for ease of
location and configuration. Users can be consolidated into organizational units
(OUs) based on their roles within the organization. Management responsibilities
can be delegated to junior administrators without compromising the security of
the entire directory.
Figure 1-14 A domain network: two Windows 2000 Server domain controllers replicating Active Directory, Windows XP Professional clients, a Windows Server 2003 member server, and a shared printer
In a domain, the directory resides on computers that are configured as domain
controllers. A domain controller is a server that manages all security-related aspects
of user and domain interactions, centralizing security and administration.
NOTE You can designate only a computer running one of the Microsoft Windows Server products as a domain controller. If all computers on the network are running Windows XP Professional, the only type of network available is a workgroup.
Users of computers in domains are given access to resources on each computer
by a central administration team. Each user has only one username and password
to access resources throughout the domain. This method of control greatly simplifies management of user accounts.
The benefits of a domain include the following:
■ Centralized administration, because all user information is stored centrally.
■ A single logon process for users to gain access to network resources (such as file, print, and application resources) for which they have permissions. In other words, you can log on to one computer and use resources on another computer in the network as long as you have appropriate permissions to access the resource.
■ Scalability, so that you can create very large networks.
A typical Windows domain includes the following types of computers:
■ Domain controllers running Windows 2000 Server or Windows Server 2003. Each domain controller stores and maintains a copy of the directory. In a domain, you create a user account once, which is recorded in the directory. When a user logs on to a computer in the domain, a domain controller authenticates the user by checking the directory for the username, password, and logon restrictions. When there are multiple domain controllers in a domain, they periodically replicate their directory information.
■ Member servers running Windows 2000 Server or Windows Server 2003. A member server is a server that is not configured as a domain controller. A member server does not store directory information and cannot authenticate users. Member servers provide shared resources such as shared folders or printers.
■ Client computers running Windows XP Professional, Windows 2000 Professional, or another Windows client operating system. Client computers run a user's desktop environment and allow the user to gain access to resources in the domain.
Logging On and Off Windows XP Professional
The procedure used to log on to Windows XP differs depending on the operating
system’s role in the network. Users in a workgroup environment might use the
Welcome screen or the Log On To Windows dialog box. Domain users are
restricted to the Log On To Windows dialog box.
The Welcome screen
By default, Windows XP Professional uses the Welcome screen to allow users to log on locally (as shown in Figure 1-15). To log on, click the icon for the user account you want to use. If the account requires a password, you are prompted to enter it. If the account is not password protected, you are logged on to the computer immediately, which is why every account shown on the Welcome screen should have a password. In addition to the Welcome screen, you can also use Fast User Switching (which is on by default). This feature allows another user to log on quickly while the original user's session remains logged on in the background; the original user's applications keep running, and they return to the screen when you switch back to that user.
Figure 1-15 Windows XP Welcome screen
NOTE If your computer is a member of a domain, the Welcome screen
and Fast User Switching will not be available.
You can also use Ctrl+Alt+Delete at the Welcome screen to get the Log On To
Windows dialog box. This enables you to log on to the Administrator account,
which is not displayed on the Welcome screen when other user accounts have
been created. To use Ctrl+Alt+Delete, you must enter the sequence twice to get
the logon prompt.
A user can log on locally to either of the following:
■ A computer that is a member of a workgroup
■ A computer that is a member of a domain but is not a domain controller
The User Accounts program in Control Panel includes a Change The Way Users
Log On Or Off task, which allows you to configure Windows XP Professional to
use the Log On To Windows dialog box instead of the Welcome screen.
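The following is an added example, not code from the book: it makes the switch from the Welcome screen to the Log On To Windows dialog box from a script rather than through the User Accounts program, and tightens the logon prompt at the same time. It edits the Winlogon and Policies\System registry keys that the User Accounts program and Local Security Policy write to, runs in Windows PowerShell 2.0 on a workgroup Windows XP Professional computer as a member of Administrators, and takes effect at the next logon. The banner text and the account name svc_backup are illustrative assumptions.

```powershell
# Added example (not from the book): switch to the classic logon dialog box and
# harden the logon prompt. PowerShell 2.0 on XP Pro (workgroup), run as Administrator.
# Banner text and the account name are assumptions.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$policies = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Set-ClassicLogon {
    # LogonType 1 = Welcome screen, 0 = Log On To Windows dialog box.
    Set-ItemProperty -Path $winlogon -Name LogonType -Value 0 -Type DWord
    # Fast User Switching depends on the Welcome screen; turn it off as well.
    Set-ItemProperty -Path $winlogon -Name AllowMultipleTSSessions -Value 0 -Type DWord
    # Require Ctrl+Alt+Delete (the secure attention sequence) before the prompt,
    # so a program imitating the logon dialog box cannot collect passwords.
    Set-ItemProperty -Path $policies -Name DisableCAD -Value 0 -Type DWord
    # Do not pre-fill the name of the last user who logged on.
    Set-ItemProperty -Path $policies -Name DontDisplayLastUserName -Value 1 -Type DWord
    # Warning banner shown before the credential prompt (assumed wording).
    Set-ItemProperty -Path $policies -Name LegalNoticeCaption -Value 'Authorized use only' -Type String
    Set-ItemProperty -Path $policies -Name LegalNoticeText -Value 'Use of this computer is restricted to authorized personnel. Activity may be monitored.' -Type String
}

function Hide-AccountFromWelcomeScreen([string]$UserName) {
    # Hiding only removes the icon from the Welcome screen; the account can still
    # be used by pressing Ctrl+Alt+Delete twice. Accounts that must not log on
    # should be disabled instead (net user <name> /active:no).
    $userList = Join-Path $winlogon 'SpecialAccounts\UserList'
    if (-not (Test-Path $userList)) { New-Item -Path $userList -Force | Out-Null }
    Set-ItemProperty -Path $userList -Name $UserName -Value 0 -Type DWord
}

function Get-LogonConfiguration {
    # Read back what is in effect, for a before/after check or an audit script.
    $w = Get-ItemProperty -Path $winlogon
    $p = Get-ItemProperty -Path $policies
    New-Object PSObject -Property @{
        WelcomeScreen      = ($w.LogonType -eq 1)
        FastUserSwitching  = ($w.AllowMultipleTSSessions -eq 1)
        CtrlAltDelRequired = ($p.DisableCAD -eq 0)
        LastUserNameHidden = ($p.DontDisplayLastUserName -eq 1)
    }
}

Set-ClassicLogon
Hide-AccountFromWelcomeScreen 'svc_backup'
Get-LogonConfiguration
```

On a domain member these values come from Group Policy and are overwritten at the next policy refresh, so set them in a Group Policy object rather than in the local registry.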
The Log On To Windows dialog box
To use the Log On To Windows dialog box (shown in Figure 1-16) to log on locally to a computer running Windows XP Professional, you must supply a valid username; if the account is password protected, you must also supply the password. Windows XP Professional authenticates the user's identity during the logon process, and only authenticated users can access resources and data on the computer or the network. For a local logon, the computer at which the user is seated checks the credentials against its own local accounts database; for a domain logon, one of the domain controllers in a Windows 2000 or Windows Server 2003 domain authenticates the user.
Figure 1-16 Windows XP Log On To Windows dialog box
When a user starts a computer running Windows XP Professional that is configured to use the Log On To Windows dialog box, an Options button also appears.
This allows the user to expose or hide options such as logging on to a domain
instead of the local system, or connecting to the network using dial-up networking.
NOTE If your computer is not part of a domain, you will not get the Log On To option.
SUMMARY
■ Windows XP includes the most advanced Microsoft user interface to date. It uses an intuitive user interface and high-resolution graphics to present users with an attractive and useful environment.
■ Windows XP has many hardware interface design features that make using peripheral devices easier; among these are driver signing and device driver rollback.
■ Help and Support is a comprehensive collection of support tools and technologies that make it easier to locate help and assistance.
■ Windows XP supports many security technologies to protect users and their data from malicious programs and network attacks.
■ Windows XP supports a wide range of uses, including standalone, workgroup, and domain environments.
■ Windows XP provides logon security to ensure that access to the desktop is authenticated.
REVIEW QUESTIONS
1. Which feature of Windows XP Professional allows you to prevent people who gain access to a computer’s files from reading the contents of
the files? (Choose all that apply.)
a. Windows Firewall
b. Encrypting File System (EFS)
c. Group Policy
d. Local Security Policy
2. Which feature of Windows XP Professional allows you to recover from
installing the incorrect driver for a device? (Choose all that apply.)
a. Driver Signing
b. Driver Rollback
c. Plug and Play
d. Windows Hardware Quality Laboratory (WHQL)
3. Which feature in Help and Support allows a user to receive help from
another user over a network connection? (Choose all that apply.)
a. System Restore
b. Microsoft Incident Submission
c. Remote Assistance
d. Remote Desktop
4. Which of the following statements best describes Windows Firewall?
(Choose all that apply.)
a. Windows Firewall prevents unauthorized users from accessing
system files.
b. Windows Firewall protects a computer from high temperatures
by shutting it down when it gets too warm.
c. Windows Firewall protects a computer from attacks by malicious
users or programs on the Internet.
d. Windows Firewall encrypts data files on a computer’s disk drives.
5. Which of the following scenarios depict a workgroup network?
(Choose all that apply.)
a. A small collection of computers that share files with each other.
Each computer has a list of authorized users.
b. A large corporate network with hundreds of computers and a central accounts database.
c. One computer connected to the Internet via modem.
d. A laptop on the hood of a car on a construction site.
CASE SCENARIOS
Scenario 1.1: Securing Data
You have been hired by a large pharmaceutical company to support its research
department. Many of the users in the department use laptop computers and
travel extensively. The company wants to prevent unauthorized access to the contents of the disk on each laptop and is concerned about what will happen to the
company’s trade secrets if a laptop is stolen. What feature of Windows XP helps
you address these two concerns?
1. Encrypting File System (EFS)
2. Remote Assistance
3. User accounts
4. Windows Firewall
Scenario 1.2: Assisting Remote Users
Your boss is staying in a hotel while at a conference. He is logged on to your
domain over an Internet connection and is having a problem with his e-mail
configuration. You have tried to visualize the error message he is describing,
but it would be much simpler to troubleshoot the problem if you could just see
his screen. How can you get a view of his screen to help him troubleshoot his
problem?
CHAPTER 2
INSTALLING WINDOWS XP PROFESSIONAL
Upon completion of this chapter, you will be able to:
■ Perform and troubleshoot an unattended installation of Windows XP
Professional
■ Install Windows XP Professional by using Remote Installation Services (RIS)
■ Install Windows XP Professional by using the System Preparation tool
■ Create unattended answer files by using Setup Manager to automate the
installation of Windows XP Professional
■ Upgrade from a previous version of Windows to Windows XP Professional
■ Prepare a computer to meet upgrade requirements
■ Migrate existing user environments to a new installation
■ Perform post-installation updates and product activation
■ Troubleshoot failed installations
In this chapter we will discuss the installation of Microsoft Windows XP Professional. We’ll present the hardware requirements for supporting Windows XP Professional, how to verify hardware compatibility, and how to test your hardware for
compatibility before installation. You will learn how to perform attended and
unattended installations. We will introduce advanced installation techniques
such as Remote Installation Services (RIS) and the System Preparation tool
(Sysprep). Finally, you’ll learn critical post-installation steps such as activation
and applying operating system updates.
PREINSTALLATION TASKS
Before you install Windows XP Professional on a computer, you must perform
several steps to ensure a successful installation. Among these are verifying that
your hardware will be compatible with the operating system, determining how
the system will be configured, and deciding which installation method to use.
Verifying Hardware Compatibility
Although the Windows XP Professional Setup Wizard checks your hardware and
software for potential conflicts, before you install Windows XP Professional you
should verify that your hardware is listed in the Windows Catalog. Microsoft provides tested drivers for the listed devices only. Using hardware not listed in the
catalog can cause problems during and after installation. The most recent version
of the Windows Catalog for released operating systems is on the Microsoft Web
site at http://www.microsoft.com/windows/catalog.
NOTE The Windows Catalog includes only hardware that has been tested and certified by the Windows Hardware Quality Laboratory (WHQL). Your hardware might support Windows XP but not be WHQL certified. If this is the case, Windows XP will not include device drivers for your device, but drivers and support should be available directly from the manufacturer, usually on its Web site. This might be necessary if you want to use the latest hardware, but such drivers bypass an important quality-control certification step; because drivers run in kernel mode, a faulty one can destabilize or compromise the whole system, which is why the driver signing feature warns you before an unsigned driver is installed.
Hardware Requirements
You must determine whether your hardware meets or exceeds the minimum
requirements for installing and operating Windows XP Professional, as shown in
Table 2-1.
Table 2-1 Windows XP Professional Hardware Requirements

Component                      Minimum Requirements
Central processing unit (CPU)  Pentium (or compatible) 233-megahertz (MHz) or higher; a Pentium II (or compatible) 300-MHz or higher processor is recommended
Memory                         64 megabytes (MB) minimum; 128 MB recommended; 4 gigabytes (GB) of random access memory (RAM) maximum
Hard disk space                650 MB free space on a 2-GB hard disk; 2-GB free disk space is recommended
Networking                     Network adapter card and related cable
Display                        Video display adapter and monitor with Video Graphics Adapter (VGA) resolution or higher; Super VGA and a Plug and Play monitor are recommended
Other drives                   CD-ROM drive, 12X or faster recommended (not required for installing Windows XP Professional over a network), or DVD drive; a high-density 3.5-inch disk drive as drive A, unless the computer supports starting the Setup program from a CD-ROM or DVD drive
Accessories                    Keyboard and mouse or other pointing device
NOTE Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available.
Storage Requirements
The Windows XP Professional Setup program examines the hard disk to determine
its existing configuration. Setup then allows you to install Windows XP Professional on an existing partition or to create a new partition on which to install it.
New Partition or Existing Partition
Depending on the hard disk configuration, you might need to do one of the following during installation:
■ If the hard disk is new or has not previously stored data, you can create a new, appropriately sized partition for Windows XP Professional.
■ If the hard disk is already partitioned and contains enough unpartitioned disk space, you can use the unpartitioned space to create a Windows XP Professional partition.
■ If an existing partition is large enough, you can install Windows XP Professional on that partition. Installing on an existing partition might require you to reformat the partition to create sufficient clean space for the installation.
■ If an existing partition is not large enough, you can delete it to provide more unpartitioned disk space for the creation of the Windows XP Professional partition.
CAUTION Reformatting or deleting a disk partition destroys the data contained on the partition. Be sure you have backed up any data in the partition before performing either of these two actions.
Microsoft recommends installing Windows XP Professional on a 2-GB or larger
partition. Although Windows XP Professional does not require that much disk
space for installation, using a larger installation partition provides the flexibility
to install Windows XP Professional updates, operating system tools, or other necessary files in the future.
Remaining Free Hard Disk Space
Although you can use Setup to create other partitions, you should create and size
only the partition on which you will install Windows XP Professional. After you
install Windows XP Professional, you can use more advanced tools such as the
Disk Management administrative tool to partition any remaining space on the
hard disk.
NOTE Managing disks and partitions is discussed in more detail in Chapter 3.
File Systems
After you create the installation partition, Setup prompts you to select the file
system with which to format the partition. Like Microsoft Windows NT and
Microsoft Windows 2000 Professional, Windows XP Professional supports both
the NT file system (NTFS) and the file allocation table (FAT) file system. Both
Windows 2000 Professional and Windows XP Professional also support FAT32.
Figure 2-1 summarizes some of the features of these file systems.
NOTE We will examine the differences between NTFS and FAT file systems more closely in Chapter 3.
Figure 2-1 A file system comparison

FAT    DOS and Windows; 2 or 4 GB maximum volume size (depending on OS version); no file- or folder-level security
FAT32  Windows 95 OSR2 and later; 32 GB maximum volume size (a format-time limit imposed by the operating system); no file- or folder-level security
NTFS   Windows NT 4.0 and later (Windows NT family operating systems); 16 EB maximum volume size; file- and folder-level security; compression; encryption; disk quotas; mounted volumes
NTFS supports the following features:
■ File- and folder-level security NTFS allows you to control access to files and folders.
NOTE There are many reasons to choose NTFS over FAT for Windows XP installations, but security is by far the most important. Chapter 7 is dedicated to understanding and managing NTFS security.
■ Disk compression NTFS compresses files to store more data on the partition.
■ Disk quotas NTFS allows you to control disk usage on a per-user basis.
■ Encryption NTFS allows you to encrypt file data on the physical hard disk, using the Microsoft Encrypting File System (EFS). See Chapter 14 for additional information about EFS.
The version of NTFS (NTFS 5) in Windows XP Professional supports remote storage, dynamic volumes, and mounting volumes to folders. Windows Server 2003, Windows XP, and Windows 2000 are the only operating systems that natively support all NTFS 5 features on a local hard disk; Windows NT 4.0 with Service Pack 4 or later can read and write NTFS 5 volumes but cannot use the newer features such as encryption, quotas, and mounted volumes.
FAT and FAT32
FAT and FAT32 file systems offer backward compatibility with older Windows
operating systems. If you plan to dual boot between Windows XP Professional
and another operating system that requires FAT or FAT32, you must format the
system partition with FAT or FAT32.
NOTE The terms system partition and boot partition might appear to be switched at birth. After all, the computer boots from the system partition and loads the operating system from the boot partition. You can think of the terms in this way: When a system starts, it makes its operating system selection from configuration files in the system partition. As the chosen operating system loads (boots), it loads from the boot partition.
The FAT and FAT32 file systems do not offer many of the features (for example, file-level security, compression, and encryption) that NTFS supports. Therefore, in most situations, you should format the hard disk with NTFS. The only reason to use FAT or FAT32 is to support dual booting with another operating system that does not support NTFS. If you are setting up a computer for dual booting, only the system partition (and any partition the other operating system must read) needs to be FAT or FAT32. For example, if drive C is the system partition, you can format it as FAT or FAT32 and format drive D, which holds Windows XP Professional, as NTFS.
CAUTION Formatting a drive with NTFS makes the data it contains inaccessible to operating systems that are not NTFS compatible. Conversely, anything left on a FAT or FAT32 partition has no access control at all: any operating system booted on the computer can read it.
Converting a FAT or FAT32 Volume to NTFS
Windows XP Professional provides the Convert command for converting a FAT or FAT32 partition to NTFS without reformatting the partition and losing the information on it. The Convert command runs from the Windows XP command prompt (you must be a member of the Administrators group) and manages the file system conversion.
The following example demonstrates the syntax for the Convert command:
Convert volume /FS:NTFS [/V] [/CvtArea:filename] [/NoSecurity] [/X]
Unless you specify /NoSecurity, Convert applies a default set of NTFS permissions to the converted files and folders; with /NoSecurity they are left accessible to Everyone, so review the permissions after any conversion.
IMPORTANT After a partition has been converted to NTFS, you cannot convert the partition back to a FAT partition without reformatting it (erasing all data from the partition). After reformatting with FAT, data must be restored from backup.
Table 2-2 describes the options available with the Convert command.
Table 2-2 Convert Command Options

Switch             Function                                                                   Required
volume             Specifies the drive letter (followed by a colon), volume mount point,      Yes
                   or volume name that you want to convert
/FS:NTFS           Specifies converting the volume to NTFS                                    Yes
/V                 Runs the Convert command in verbose mode                                   No
/CvtArea:filename  Specifies a contiguous file in the root directory to be the placeholder    No
                   for NTFS system files
/NoSecurity        Sets the security settings to make converted files and directories         No
                   accessible to everyone
/X                 Forces the volume to dismount first if necessary; all open handles to      No
                   the volume are thereby invalid
NOTE For help with any command-line program, at the command prompt type the command followed by /? and press ENTER. For example, to receive help on the Convert command, type Convert /? and press ENTER.
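The following is an added example, not code from the book: it converts a FAT32 data volume to NTFS, confirms the resulting file system with fsutil, and then lists the permissions the conversion applied at the root of the volume so they can be reviewed. It runs in Windows PowerShell 2.0 on Windows XP Professional as a member of Administrators; drive D: is an assumption, and the volume should be backed up first because the conversion cannot be reversed.

```powershell
# Added example (not from the book): convert a FAT32 volume to NTFS, then verify
# the file system and review root permissions. PowerShell 2.0 on XP Pro, run as
# Administrator. Drive D: is an assumption; back the volume up first.

function Convert-VolumeToNtfs([string]$Drive = 'D:') {
    # /X dismounts the volume first (open handles become invalid). /NoSecurity is
    # deliberately not used: it would leave every converted file accessible to
    # Everyone, undoing the main reason for moving to NTFS.
    & convert $Drive /FS:NTFS /X
}

function Get-VolumeFileSystem([string]$Drive = 'D:') {
    # fsutil reports a line such as "File System Name : NTFS" once the conversion is done.
    $line = & fsutil fsinfo volumeinfo $Drive | Select-String 'File System Name'
    ($line -replace '^.*:\s*', '').Trim()
}

function Get-RootPermissions([string]$Drive = 'D:') {
    # Who can do what at the root of the converted volume. Entries granting
    # Everyone or Users more than read and execute deserve a second look.
    (Get-Acl -Path "$Drive\").Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Convert-VolumeToNtfs 'D:'
Get-VolumeFileSystem 'D:'
Get-RootPermissions 'D:' | Format-Table -AutoSize
```

If the volume holds the running operating system, Convert cannot dismount it and instead schedules the conversion for the next restart; run the two verification functions after the computer has rebooted.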
Domain or Workgroup Membership
During installation, you must choose whether the computer will join a domain or
a workgroup. Figure 2-2 shows the requirements for joining a domain or a workgroup.
Figure 2-2 Domain or workgroup membership requirements
Joining a domain (for example, tailspintoys.com) requires: a domain name; a computer account; an available domain controller and a DNS server.
Joining a workgroup requires: a new or an existing workgroup name.
Joining a Domain
When you install Windows XP Professional on a computer, you can add that computer to an existing domain. This process is referred to as joining a domain. A computer can join a domain during or after installation.
Joining a domain during installation requires the following:
■ A domain name Ask the domain administrator for the Domain Name System (DNS) name of the domain that the computer will join. An example of a DNS-compatible domain name is microsoft.com, in which microsoft is the name of the organization's DNS identity.
NOTE You can also join a domain using its NetBIOS name, such as MICROSOFT or CONTOSO, if your network still supports NetBIOS name resolution. Ask your administrator to make sure.
■ A computer account Before a computer can join a domain, a computer account for it must exist in the domain. If you create the computer account during installation, Setup prompts you for the name and password of a user account with authority to add computer accounts to the domain. You can ask a domain administrator to create the computer account before installation or, if you have been given permission, create it yourself during installation. Least privilege applies here: the account you supply needs only permission to create computer objects in the domain (or to join the computer to a pre-created account), not Domain Admins membership.
■ An available domain controller and a server running the DNS service (called the DNS server) At least one domain controller in the domain that you are joining and one Active Directory–compatible DNS server must be online when you install a computer in the domain.
Joining a Workgroup
When you install Windows XP Professional on a computer, you can add that computer to an existing workgroup or create a new workgroup. This process is
referred to as joining a workgroup.
If you are not using the default workgroup name WORKGROUP during installation, you must assign a workgroup name to the computer. The workgroup name
you assign can be the name of an existing workgroup or the name of a new workgroup that you create during installation.
The act of assigning a workgroup name that did not previously exist on the network is all that is required to create a new workgroup. The computer browser service that maintains lists of computers in My Network Places will group computers
by their workgroup affiliations.
NOTE Being in a workgroup does not confer any security or administrative control to a computer that joins. Workgroups are merely collections of computers. Chapter 1 discusses the difference between domains and workgroups in more detail.
PERFORMING AN ATTENDED INSTALLATION
In this section we will examine attended installations using the Windows XP Professional product CD-ROM and also installing from a network location. You will
learn the steps in the installation process and ways to control the eventual configuration of the system.
Windows XP Professional Setup Program
The installation process for Windows XP Professional combines the Setup program with wizards and informational screens. Installing Windows XP Professional from a CD-ROM to a clean hard disk consists of four stages:
■ Running the Setup program. Setup prepares the hard disk for the later installation stages and copies the files necessary to run the Setup Wizard.
■ Running the Setup Wizard. The Setup Wizard requests setup information about the computer, such as names and passwords.
■ Installing Windows XP Professional networking components. After gathering information about the computer, the Setup Wizard prompts you for networking information and then installs the networking components that allow the computer to communicate with other computers on the network.
■ Completing the installation. Setup copies files to the hard disk and configures the computer. It also cleans up installation files not required to operate the computer. The system restarts after installation is complete.
The following sections cover the four stages in more detail.
Running the Setup Program
To start the Setup program, insert the Windows XP Professional installation CD-ROM in your CD-ROM drive and start your computer.
NOTE If your system cannot boot from the CD-ROM, you can make setup boot disks. Microsoft Knowledge Base article 310994 describes how to download and use a program that is used to create these disks.
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
Figure 2-3 shows the six steps involved in running the Setup program.
Figure 2-3 Steps in running the Setup program: boot; (1) load the Setup program into memory; (2) start the text-based Setup program; (3) create the Windows XP Professional partition; (4) format the Windows XP Professional partition; (5) copy setup files to the hard disk; (6) restart the computer, after which the Setup Wizard runs.
After the computer starts, a minimal version of Windows XP Professional is copied into memory. This version of Windows XP Professional starts the text-mode
portion of the setup process. You are then prompted by the Setup program to perform the following steps:
■ Read and accept a licensing agreement.
■ Select the partition on which to install Windows XP Professional. You can select an existing partition, delete an existing partition on the hard disk, or create a new partition by using unpartitioned space on the hard disk.
■ Select a file system for the new partition. The Setup program then formats the partition with the selected file system.
NOTE Setup provides the option to perform a “quick” format of the partition. A quick format is essentially a standard format that does not scan the disk for bad sectors. If you are certain the disk is not damaged, you can speed your installation using this option. If the disk has never been formatted or if you want to be sure the scan for bad sectors is performed, use the standard NTFS format option.
Setup copies files to the hard disk and saves configuration information. After that,
Setup restarts the computer. Following the restart, the Windows XP Professional
Setup Wizard is launched and installation continues.
Running the Setup Wizard
The GUI-based Windows XP Professional Setup Wizard leads you through the
next stage of the installation process. It gathers data about you, your organization,
and your computer, including the following information:
■ Regional settings. Customize language, locale, and keyboard settings. You can configure Windows XP Professional to use multiple languages and regional settings.
MORE INFO You can add another language or change the locale and keyboard settings after installation is complete. See Chapter 5 for more information.
■ Name and organization. Enter the name of the person and the organization to which this copy of Windows XP Professional is licensed.
■ Computer name. Enter a computer name of up to 15 characters. The computer name must be different from all other computer, workgroup, or domain names on the network. The Setup Wizard displays a default name (a hash of the organization name you entered earlier in the process).
NOTE To change the computer name after installation is complete, right-click My Computer and select Properties. In the System Properties dialog box, select the Computer Name tab, and then click Change. Take care when changing a computer name. Changing the name creates a new computer account in the domain with that name, possibly requiring an administrator to manage permissions that were previously given to the original computer name.
■ Product key. You will be prompted to enter the product key from the Windows XP packaging.
■ Password for Administrator account. Specify a password for the Administrator user account, which the Setup Wizard creates during installation. The Administrator account provides the administrative privileges required to manage the computer.
IMPORTANT Be sure to choose a complex password for the Administrator account. Using combinations of letters, numbers, and special symbols and making the password long can defeat attempts to guess the password.
■ Time and date. Select the time zone, adjust the date and time settings if necessary, and determine whether you want Windows XP Professional to automatically adjust for daylight savings time.
Installing Windows XP Professional Networking Components
After gathering information about your computer, the Setup Wizard guides you
through installing the Windows XP Professional networking components
(Figure 2-4).
Figure 2-4 Installing Windows networking components: (1) detect network adapter cards; (2) select networking components; (3) join a workgroup or domain; (4) install components; then complete setup.
■ Detect network adapter cards. The Windows XP Professional Setup Wizard detects and configures any network adapter cards installed on the computer.
■ Select networking components. The Setup Wizard prompts you to choose typical or customized settings for the networking components it installs. Custom allows you to specify any settings and optional clients or protocols you desire. You can install other clients, services, and network protocols at this time, or you can wait until after the installation has completed.
The typical installation includes the following options:
❑ Client For Microsoft Networks. Allows your computer to access network resources such as shared folders and printers on a Microsoft Windows network.
❑ File And Printer Sharing For Microsoft Networks. Allows other computers to access file and print resources on your computer.
❑ QoS Packet Scheduler. QoS Packet Scheduler manages bandwidth usage on the network, giving priority to traffic requiring constant bandwidth.
❑ Internet Protocol (TCP/IP). Allows your computer to communicate over local area networks (LANs) and wide area networks (WANs). Transmission Control Protocol/Internet Protocol (TCP/IP) is the default networking protocol used in Windows networking.
■ Join a workgroup or domain. If you choose to join a domain for which you have administrative privileges, you can create the computer account during installation. The Setup Wizard prompts you for the name and password of a user account with authority to add domain computer accounts.
■ Install components. The Setup Wizard installs and configures the Windows networking components you selected.
Completing the Installation
After installing the networking components, the Setup Wizard starts the final
step in the installation process (Figure 2-5).
Figure 2-5 The final steps to complete the installation: (1) copy files; (2) configure the computer; (3) save the configuration; (4) remove temporary files; (5) restart the computer; setup complete.
To complete the installation, the Setup Wizard performs the following tasks:
■ Installs Start Menu items. The Setup Wizard sets up shortcuts that will appear on the Start Menu.
■ Registers components. The Setup Wizard applies the configuration settings that you specified earlier.
■ Saves configuration settings. The Setup Wizard saves your configuration settings to the local hard disk. The next time you start Windows XP Professional, the computer uses this configuration automatically.
■ Removes temporary files. To save hard disk space, the Setup Wizard deletes any files used for installation only.
■ Restarts the computer. The Setup Wizard restarts the computer. This finishes the installation.
IMPORTANT After the installation has completed, be sure to apply any system updates currently available. This is critical for system security because unpatched systems contain known security vulnerabilities and can be exploited by hackers. Unpatched systems should not be connected to any public networks until they have been patched. See the section titled “Applying System Updates” later in this chapter.
INSTALLING OVER THE NETWORK
In this section, you will learn how to install Windows XP Professional across a
network connection. This process is similar to the CD-ROM installation, except
that the installation media is located on a networked computer and must be
accessed over the network. This means you must have some level of connectivity
between the computer installing Windows XP and the server hosting the installation files.
Preparing for a Network Installation
In a network installation, the Windows XP Professional installation files are
found in a shared location on a network file server called a distribution server.
From the computer on which you want to install Windows XP Professional
(the target computer), connect to the distribution server and then run the
Setup program.
Figure 2-6 shows the requirements for a network installation.
Figure 2-6 Requirements for a network installation: a distribution server holding the installation files, a FAT partition on the target computer, and a network client.
Performing a Windows XP Professional network installation requires you to do
the following:
■ Locate a distribution server. The distribution server contains the installation files from the i386 folder on the Windows XP Professional CD-ROM. These files reside in a common network location in a shared folder that allows computers on the network to access the installation files. Contact a network administrator to obtain the path to the installation files on the distribution server.
NOTE After you have created or located a distribution server, you can use the over-the-network method to concurrently install Windows XP Professional on multiple computers.
■ Create a FAT partition on the target computer. The target computer requires a formatted partition to which to copy the installation files. Create a partition containing at least 1.5 GB of disk space, and format it with the FAT file system.
■ Install a network client. A network client is software that allows the target computer to connect to the distribution server. On a computer without an operating system, you must boot from a client disk that includes a network client that enables the target computer to connect to the distribution server.
Installing Windows XP Professional over the network differs from a CD-ROM
installation in that the Setup program copies the installation files to the target
computer and begins to run the installation. From this point, you install Windows XP Professional as you would from a CD-ROM. The process for installing
Windows XP Professional over the network (shown in Figure 2-7) is as follows:
Figure 2-7 Installing Windows XP Professional over the network: boot; (1) boot the network client; (2) connect to the distribution server; (3) run Winnt.exe or Winnt32.exe; (4) install Windows XP Professional (Setup).
1. Boot the network client. On the target computer, boot from a
floppy disk that includes a network client or start another operating
system that can be used to connect to the distribution server.
NOTE Network boot disks are complex to create and require the use of real-mode network card drivers. Windows NT 4 includes a utility for creating client boot disks, but no utility currently exists for this purpose in Windows XP Professional. Other third-party utilities exist for boot disk creation, but they are not supported by Microsoft for creating network installation boot disks. Microsoft Enterprise customers can make use of the Windows Preinstallation Environment (WinPE) to manage network installations, but WinPE is available only to subscribers of the Select or OEM licensing programs. Many organizations, preferring to use network installation points for upgrades, use Windows Server Remote Installation Services (RIS), other deployment tools such as Altiris’s Deployment Solution, or disk imaging tools such as Ghost or DriveImage to perform installations.
2. Connect to the distribution server. After you start the network client on the target computer, connect to the shared folder on the distribution server that contains the Windows XP Professional installation files.
3. Run Winnt.exe or Winnt32.exe to start the Setup. Winnt.exe
and Winnt32.exe reside in the shared folder on the distribution server.
❑ Use Winnt.exe for an installation using MS-DOS or Windows 3 or later versions on the source system.
❑ Use Winnt32.exe when upgrading from Windows 95, Windows 98, Windows Me, Windows NT 4, or Windows 2000 Professional.
NOTE Winnt32.exe is a 32-bit Windows application. As such, it makes full use of 32-bit multithreading and multitasking. This allows it to both copy and execute setup tasks simultaneously. The end result is a quicker installation than can be achieved using Winnt.exe.
Running Winnt.exe or Winnt32.exe from the shared folder does the following:
❑ Creates the $Win_nt$.~ls temporary folder on the target computer
❑ Copies the Windows XP Professional installation files from the shared folder on the distribution server to the $Win_nt$.~ls folder on the target computer
4. Install Windows XP Professional. Setup restarts the local computer and begins the actual process of installing Windows XP Professional. The rest of the installation progresses in the same way as the
attended installation discussed earlier.
IMPORTANT After the installation is complete, be sure to apply any available system updates. See the section titled “Applying System Updates” later in this chapter.
Modifying the Setup Process Using Winnt.exe
You can modify an over-the-network installation by changing how Winnt.exe
runs Setup. Table 2-3 describes the switches you can use with Winnt.exe.
Table 2-3 Winnt.exe Switches

Switch / Function

/a
    Causes Winnt.exe to install accessibility options.
/r[:folder]
    Specifies an optional folder to be copied and saved. The folder remains after Setup finishes.
/rx[:folder]
    Specifies an optional folder to be copied. This folder can be used to deliver other applications or data to the system for use during the installation. The folder is deleted after Setup finishes.
/s[:sourcepath]
    Specifies the source location of Windows XP Professional files. This must be a full path in the form x:\[path] or \\server\share\[path]. The default is the current folder location.
/t[:tempdrive]
    Specifies a drive to contain temporary setup files and directs Setup to install Windows XP Professional on that drive. If you do not specify a drive, Setup attempts to locate the drive with the most available space.
/u[:script_file]
    Performs an unattended installation by using an optional script file. Unattended installations also require using the /s switch. The answer file provides answers to some or all of the prompts that the end user normally responds to during Setup.
/udf:id[,UDF_file]
    Indicates an identifier (id) that Setup uses to specify how a Uniqueness Database File (UDF) modifies an answer file. The /udf parameter overrides values in the answer file, and the identifier determines which values in the UDF are used. If you do not specify a UDF_file, Setup prompts you to insert a disk that contains the $UNIQUE$.UDB file. UDFs are used only during an unattended installation.
Modifying the Setup Process Using Winnt32.exe
You can modify an over-the-network installation by changing how Winnt32.exe
runs Setup. Table 2-4 describes the switches you can use with Winnt32.exe.
Table 2-4 Winnt32.exe Switches

Switch / Function

/checkupgradeonly
    ■ Checks your computer for upgrade compatibility with Windows XP Professional. If you use this option with the /unattend option, no user input is required. Otherwise, the results are displayed on the screen and you can save them under the file name you specify.
    ■ For Windows 98 or Windows Me upgrades, the default report file name is Upgrade.txt in the %systemroot% folder (the folder that contains the Windows XP Professional system files).
    ■ For Windows NT 4 or Windows 2000 upgrades, the default report file name is Ntcompat.txt in the %systemroot% folder.
    ■ For more information about generating a compatibility report, see “Upgrading to Windows XP Professional” later in this chapter.
/cmd:command_line
    Specifies a specific command that Setup is to run. This command is run after the computer restarts and after Setup collects the necessary configuration information. This option is useful for running a configuration script or other command as part of the installation.
/cmdcons
    Copies to the hard disk the additional files necessary to load a command-line interface, the Recovery console, which is used for repair and recovery. The Recovery console is installed as a Startup option. You can use the Recovery console to stop and start services and to access the local drive, including drives formatted with NTFS. You can use this option only after you install Windows XP Professional.
/copydir:foldername
    Creates an additional folder within the %systemroot% folder, which contains the Windows XP Professional system files. For example, if your source folder contains a folder called My_drivers, type /copydir:My_drivers to copy the My_drivers folder to your system folder. You can use the /copydir switch to create as many additional folders as you want.
/copysource:foldername
    Creates an additional folder within the %systemroot% folder. Setup deletes folders created with /copysource after installation is complete.
/debug[level][:file_name]
    Creates a debug log at the specified level. The log includes the following levels: 4 (detailed information for debugging), 3 (information), 2 (warnings), 1 (errors), 0 (severe errors only). Each level includes the level below it. By default, the debug log file is C:\Winnt32.log and the default level is 2.
/dudisable
    Prevents Dynamic Update from running. Without Dynamic Update, Setup runs only with the original Setup files. This option disables Dynamic Update even if you use an answer file and specify Dynamic Update options in that file.
/dushare:pathname
    Specifies a share on which you previously downloaded Dynamic Update files (updated files for use with Setup) from the Windows Update Web site. When run from your installation share and used with /duprepare, it prepares the updated files for use in network-based client installations. When used without /duprepare and run on a client, it specifies that the client installation will use the updated files on the share specified in pathname.
/duprepare:pathname
    Prepares an installation share for use with Dynamic Update files that you downloaded from the Windows Update Web site. You can use this share for installing Windows XP Professional for multiple clients (used only with /dushare).
/m:foldername
    Instructs Setup to copy replacement files from an alternative location. Directs Setup to look in the alternative location first and, if files are present, to use them instead of the files from the default location.
/makelocalsource
    Instructs Setup to copy all installation source files to the local hard disk. Use this switch when installing from a CD-ROM to provide installation files when the CD-ROM is not available later in the installation.
/noreboot
    Prevents Setup from restarting the computer after completing the file-copy phase. This allows you to execute another command.
/s:sourcepath
    Specifies the source location of Windows XP Professional installation files. To simultaneously copy files from multiple paths, use a separate /s switch for each source path. If you type multiple /s switches, the first location specified must be available or the installation will fail. You can use a maximum of eight /s switches.
/syspart:[drive_letter]
    Copies Setup startup files to a hard disk and marks the drive as active. You can then install the drive in another computer. When you start that computer, Setup starts at the next phase. Using /syspart requires the /tempdrive switch. You can use /syspart on computers running Windows NT 4, Windows 2000, Windows XP Professional, or Windows 2000 Server. You cannot use it on computers running Windows 95, Windows 98, or Windows Me.
/tempdrive:drive_letter
    Places temporary files on the specified drive and installs Windows XP Professional on that drive.
/unattend[number]:[answer_file]
    Performs an unattended installation. The answer file provides your custom specifications to Setup. If you don’t specify an answer file, all user settings are taken from the previous installation if you are performing a reinstallation. You can specify the number of seconds between the time that Setup finishes copying the files and when it restarts with number. You can specify the number of seconds only on computers running Windows 98, Windows Me, Windows NT 4, or Windows 2000 that are upgrading to a newer version of Windows XP Professional.
/udf:id[,udb_file]
    Indicates an identifier (id) that Setup uses to specify how a UDF modifies an answer file. The UDF overrides values in the answer file, and the identifier determines which values in the UDF are used. For example, /udf:RAS_user, OUR_COMPANY.UDF overrides settings that are specified for the RAS_user identifier in the OUR_COMPANY.UDF file. If you do not specify a UDF, Setup prompts you to insert a disk that contains the $UNIQUE$.UDF file.
AUTOMATING INSTALLATIONS USING WINDOWS
SETUP MANAGER
Businesses and other organizations that maintain dozens, hundreds, or even
thousands of computers need a way to automate the Windows XP installation
process to save time and expense. One way to do this is by creating an answer file
to provide the answers to the installation dialog boxes. The setup process is run—
specifying the answer file—and the installation process continues unattended by
reading the answers from the file. Using answer files also allows the organization to
send installations out to remote offices to be installed by less experienced personnel, eliminating travel expenses and giving senior IT staff time for other projects.
Windows Setup Manager allows you to quickly create a script for a customized
installation of Windows XP Professional without concern for cryptic text file syntax. Windows Setup Manager enables you to create scripts to perform customized
installations on workstations and servers that meet the specific hardware and network requirements of your organization.
MORE INFO Answer files and UDFs use a special syntax to direct the
unattended installation process. Examples of this are displayed in the
slides accompanying this chapter, and an example Unattend.txt file can
be found in the i386 folder on the Windows XP CD-ROM. A more complete
reference to the Unattend.txt syntax is available in the Windows XP preinstallation reference (ref.chm) located in the Windows XP deployment tools
package (described in the next section).
Installing Setup Manager
Windows Setup Manager is part of the deployment tools package that ships with Windows XP. This toolkit assists with corporate deployment issues such as large-scale deployment and mass configuration. You use it as follows:
1. Start Windows Explorer, and create the folder C:\Deploy.
NOTE The C:\Deploy folder is used to contain the files extracted from DEPLOY.CAB on the Windows XP Professional CD-ROM.
2. Navigate to the Support\Tools\Deploy folder on the Windows XP
CD-ROM. Windows XP Professional displays the contents of
DEPLOY.CAB.
3. Select all of the files listed in DEPLOY.CAB by selecting any file in the
window and pressing CTRL+A.
4. Choose Extract from the shortcut menu. The Select A Destination dialog box appears.
5. Go to My Computer, select Local Disk (C:), select Deploy, and then
click the Extract button.
6. Select C:\Deploy to view its contents. The files in C:\Deploy should
include the following:
❑ Deploy.chm. Compiled Hypertext Markup Language (HTML) help file containing the Microsoft Windows Corporate Deployment Tools User’s Guide.
❑ Readme.txt. Text document containing late-breaking information about the deployment tools.
❑ Ref.chm. Compiled HTML help file containing the Windows XP preinstallation reference. This is an excellent resource for understanding unattended installations.
❑ Setupmgr.exe. Microsoft Setup Manager Wizard.
❑ Sysprep.exe. The Sysprep tool (discussed later in this chapter).
7. Double-click Readme. Take a moment to view the topics covered in the
Readme.txt file, and then close Notepad.
Using Setup Manager
You can create or modify an answer file, typically named Unattend.txt, by using
Windows Setup Manager. You could create Unattend.txt files with a simple text
editor such as Notepad, but using Setup Manager reduces errors in syntax.
Setup Manager does the following:
■ Provides a wizard with an easy-to-use graphical interface with which you can create and modify answer files (Unattend.txt).
■ Makes it easy to create UDFs (Unattend.udb).
NOTE A UDF contains the configuration settings that make each computer installation unique. The UDF modifies a standard answer file by overriding values in the answer file. When you run Setup with Winnt.exe or Winnt32.exe, you use the /udf:id[,UDB_file] switch. Entries in the UDF override values in the answer file, and the identifier (id) determines which values in the UDF are used.
■ Makes it easy to specify computer-specific or user-specific information.
■ Simplifies the inclusion of application setup scripts in the answer file.
■ Creates the distribution folder that you use for the installation files.
NOTE If you are upgrading systems to Windows XP Professional, you can add any application upgrades or update packs to the distribution folder and enter the appropriate commands in the Additional Commands page of the Windows Setup Manager Wizard. These upgrades or update packs are then applied to the application as part of the upgrade.
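The override rule that the UDF note above and the /udf entries in Tables 2-3 and 2-4 describe can be modelled directly. The following Python script is an added example, not part of the book or of Windows Setup; it assumes the UDF layout of a [UniqueIds] section mapping each id to the sections it overrides, followed by [id:Section] sections, and works on constructed sample files.

```python
# Added example (not from the book): how the /udf:id[,UDF_file] switch of
# Winnt.exe and Winnt32.exe combines an answer file with a Uniqueness
# Database File (UDF). The answer file holds settings shared by every
# computer, the UDF holds per-computer overrides, and the id names the
# computer being installed. Assumed UDF layout: a [UniqueIds] section
# mapping each id to the sections it overrides, then [id:Section] sections.
from collections import OrderedDict

# Constructed sample answer file (Unattend.txt style, not from the book).
UNATTEND_TXT = """\
[Unattended]
UnattendMode=FullUnattended
[GuiUnattended]
; AdminPassword sits in clear text in the answer file, so restrict
; read access to the distribution share that holds it.
AdminPassword=*
TimeZone=004
[UserData]
FullName=Example User
OrgName=Example Corp
ComputerName=*
[Identification]
JoinDomain=CORP
"""

# Constructed sample UDF (the file named by /udf:id[,UDF_file]).
UNIQUE_UDF = """\
[UniqueIds]
ws01=UserData,Identification
ws02=UserData
[ws01:UserData]
ComputerName=WS01
[ws01:Identification]
JoinDomain=LAB
[ws02:UserData]
ComputerName=WS02
FullName=Second User
"""


def parse_ini(text):
    """Parse the INI-style syntax that answer files and UDFs share.

    Returns an ordered {section: {key: value}} mapping. Blank lines and
    ';' comments are skipped; any other line outside a section is an
    error. Names are matched exactly here; real Setup is case-insensitive.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, OrderedDict())
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
        else:
            raise ValueError("unparseable line: %r" % raw)
    return sections


def apply_udf(answer, udf, uid):
    """Return a copy of `answer` with the UDF entries for `uid` applied.

    Only the sections listed for `uid` in [UniqueIds] are consulted; every
    key in them overrides (or adds to) the answer-file value.
    """
    ids = udf.get("UniqueIds", {})
    if uid not in ids:
        raise KeyError("id %r is not listed in [UniqueIds]" % uid)
    merged = OrderedDict((name, OrderedDict(kv)) for name, kv in answer.items())
    for section in (s.strip() for s in ids[uid].split(",") if s.strip()):
        overrides = udf.get("%s:%s" % (uid, section))
        if overrides is None:
            raise KeyError("UDF lacks section [%s:%s]" % (uid, section))
        merged.setdefault(section, OrderedDict()).update(overrides)
    return merged


def render_ini(sections):
    """Serialise a parsed mapping back into answer-file text."""
    out = []
    for name, kv in sections.items():
        out.append("[%s]" % name)
        out.extend("%s=%s" % (k, v) for k, v in kv.items())
    return "\n".join(out) + "\n"


def effective_answer_file(uid, unattend=UNATTEND_TXT, udf=UNIQUE_UDF):
    """The answer file Setup would effectively use for computer `uid`."""
    return apply_udf(parse_ini(unattend), parse_ini(udf), uid)


if __name__ == "__main__":
    print(render_ini(effective_answer_file("ws01")))
```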
When you start Setup Manager, it displays the Welcome To The Windows Setup
Manager Wizard page. When you click Next, you are presented with two options:
■ Create A New Answer File. Build a new unattended installation answer file based on settings you provide. This creates a new Unattend.txt file.
■ Modify An Existing Answer File. Edit the contents of an existing answer file.
If you select Create A New Answer File, you then must choose the type of answer file
you want to create. Setup Manager can create the following types of answer files:
■ Windows Unattended Installation. Builds an unattended installation package consisting of an Unattend.txt file and possibly a UDF.
■ Sysprep Install. Builds a file that controls the mini-installation that follows the installation of Windows XP Professional from a Sysprep disk image.
■ Remote Installation Services (RIS). Provides a way to automate the answer file for completing an installation using Remote Installation Services (RIS) with Windows 2000 Server or Windows Server 2003 to install Windows XP Professional.
NOTE Sysprep is discussed in more detail in the section titled “Using Disk Duplication to Deploy Windows XP Professional” later in this chapter. RIS is discussed later in this chapter in the section titled “Understanding Remote Installation.”
The remaining steps of the Windows Setup Manager Wizard allow you to specify
the level of user interaction with the Setup program and to enter all the information required to complete the setup.
UPGRADING TO WINDOWS XP PROFESSIONAL
You can upgrade many earlier versions of Windows operating systems directly to
Windows XP Professional. Before upgrading, however, you must ensure that the
computer hardware meets the minimum Windows XP Professional hardware
requirements. Check the Windows Catalog or test the computer for hardware
compatibility using the Windows XP Professional Compatibility tool. Using compatible hardware prevents problems with driver incompatibility and results in a
more stable system.
NOTE Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available for your system.
Identifying Client Upgrade Paths
You can upgrade most client computers running earlier versions of Windows
directly to Windows XP Professional. However, computers running some earlier
versions of Windows (including Windows 95, Microsoft Windows NT 3.1, and
Microsoft Windows NT 3.5) require an additional step. Table 2-5 lists the Windows XP Professional upgrade paths for various client operating systems.
Table 2-5 Upgrade Paths for Client Operating Systems

Upgrade from / Upgrade to

Windows 98
    Windows XP Professional
Windows Me
    Windows XP Professional
Windows NT Workstation 4
    Windows XP Professional
Windows 2000 Professional
    Windows XP Professional
Windows 95
    Windows 98 and then Windows XP Professional
Windows NT 3.1, 3.5, or 3.51
    Windows NT 4 Workstation and then Windows XP Professional
Generating a Hardware Compatibility Report
Before you upgrade a client computer to Windows XP Professional, make sure
that it meets the minimum hardware requirements by using the Windows XP
Compatibility tool to generate a hardware and software compatibility report. This
tool runs automatically during system upgrades, but running it before beginning
the upgrade should identify any hardware and software problems and allow you
to fix compatibility problems ahead of time.
To run the Windows XP Compatibility tool and generate a compatibility report,
perform the following steps:
1. Insert the Windows XP Professional CD-ROM into the CD-ROM drive.
2. At the command prompt, type d:\i386\winnt32 /checkupgradeonly.
NOTE d:\ represents the drive letter of the CD-ROM drive. If your drive letter differs, use that letter instead.
3. Press ENTER.
NOTE Generating the upgrade report can take several minutes. The tool checks only for compatible hardware and software and generates a report that you can analyze to determine the system components that are compatible with Windows XP Professional.
Reviewing the Report
Winnt32 /checkupgradeonly generates a report that appears as a text document,
which you can view in the tool or save as a text file. The report documents the system hardware and software that are incompatible with Windows XP Professional.
It also specifies whether you need to obtain an upgrade pack for software
installed on the system and recommends additional system changes or modifications to maintain functionality in Windows XP Professional.
Upgrading Compatible Windows 98 Computers
For client systems that test as compatible with Windows XP Professional, run
Winnt32.exe to complete the upgrade. To upgrade a Windows 98 computer,
complete the following procedure:
1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive.
2. The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.
NOTE To customize how the installation runs, exit the Welcome screen and run the Winnt32.exe Setup program (discussed earlier) with any appropriate switches.
3. Click Install Windows XP.
4. Accept the license agreement.
5. Enter your 25-character product key, which is located on the back of
the Windows XP Professional CD-ROM case.
6. If the computer is to be a member of a domain, create a computer
account in that domain.
7. Provide upgrade packs for applications that need them. (Upgrade
packs update the software to work with Windows XP Professional;
they are available from the software vendor and would be identified as
a result of the compatibility check.)
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
8. Upgrade to NTFS when prompted. Select the upgrade if you do not
plan to set up the client computer to dual boot.
9. Continue with the upgrade if the Windows XP Professional Compatibility tool generates a report showing that the computer is compatible
with Windows XP Professional. The upgrade finishes without further
intervention and adds your computer to a domain or workgroup.
IMPORTANT After the installation, be sure to apply any currently available system updates. See the section titled “Applying System Updates” later in this chapter.
Upgrading a Windows 2000 Professional Computer
The upgrade process for computers running Windows 2000 Professional is similar to the upgrade process for computers running Windows 98, except that the
computers should already be members of a domain.
Before you perform the upgrade, use the Windows XP Professional Compatibility
tool to verify that the system is compatible with Windows XP Professional and to
identify any potential problems.
Windows 2000 Professional computers that meet the hardware compatibility
requirements can upgrade directly to Windows XP Professional. To start the
upgrade process, complete the following procedure.
1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive.
The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.
NOTE If you do not want to use any switches with Winnt32.exe, click Install Windows XP and follow the prompts on your screen. These steps are the same as for Windows 98, skipping the computer account creation.
2. Click Exit to close the Welcome To Microsoft Windows XP screen.
3. Click Start, and then click Run.
4. Type d:\i386\winnt32 /switch (where d is the drive letter for your
CD-ROM and /switch represents one or more switches that you want to
use with the Winnt32 command), and then press ENTER. The Welcome To Windows page appears.
5. In the Installation Type drop-down list, select Upgrade, and then click
Next. The License Agreement page is displayed.
6. Read the license agreement, click I Accept This Agreement, and then
click Next. Setup displays the Product Key page.
7. Enter your 25-character product key, which is located on the back of
the Windows XP Professional CD-ROM case.
8. After copying installation files, the Restarting The Computer page
appears and the computer restarts. The upgrade finishes without further intervention.
IMPORTANT After the installation, be sure to apply any currently available system updates. See the section titled “Applying System Updates” later in this chapter.
Migrating User Settings
Windows XP Professional provides the Files And Settings Transfer Wizard to simplify the task of moving data files and personal settings from your old computer
to your new one. You don’t have to configure all of your personal settings on your
new computer because you can move your old settings—including display settings, Microsoft Internet Explorer and Microsoft Outlook Express options, dialup connections, and your folder and taskbar options—to your new computer. The
wizard also helps you move specific files and folders to your new computer.
The Files And Settings Transfer Wizard has three options for transferring files
and/or settings. They are listed in Table 2-6.
Table 2-6 Files And Settings Wizard Transfer Options

Option: Settings Only
Files and settings that will be transferred: Settings: Accessibility, Command Prompt Settings, Display Properties, Internet Explorer Settings, Microsoft Messenger, Microsoft NetMeeting, Mouse And Keyboard, MSN Explorer, Network Printer And Drives, Outlook Express, Regional Settings, Sounds And Multimedia, Taskbar Options, Windows Media Player, Windows Movie Maker

Option: Files Only
Files and settings that will be transferred:
Folders: Desktop, Fonts, My Documents, My Pictures, Shared Desktop, Shared Documents
Files: Media and document files with the following extensions will be migrated:
.asf (Windows Media Audio/Video file)
.asx (Windows Media Audio/Video shortcut)
.au (AU format sound)
.avi (video clip)
.cov (fax cover page file)
.cpe (fax cover page file)
.doc (WordPad document)
.eml (Internet e-mail message)
.m3u (M3U file)
.mid (MIDI sequence)
.midi (MIDI sequence)
.mp2 (Movie File MPEG)
.mp3 (MP3 Format Sound)
.mpa (Movie File MPEG)
.mpeg (Movie File MPEG)
.mswmm (Windows Movie Maker Project)
.nws (Internet News Message)
.rtf (Rich Text Format)
.snd (AU Sound Format)
.wav (Wave Sound)
.wm (Windows Media Audio/Video file)
.wma (Windows Media Audio file)
.wri (Write document)

Option: Both Files And Settings
Files and settings that will be transferred: You can select the Let Me Select A Custom List Of Files And Settings When I Click Next check box if you don’t want all the default folders, file types, and settings to be transferred.
UNDERSTANDING REMOTE INSTALLATION
Remote installation is the process of connecting to a server running Remote
Installation Services (RIS), called the RIS server, and starting an automated
installation of Windows XP Professional on a local computer. Remote installation
enables administrators to install Windows XP Professional on client computers
throughout a network from a central location. This reduces the time spent by
administrators visiting all the computers in a network, thereby reducing the cost
of deploying Windows XP Professional.
RIS provides several benefits:
■ It enables remote installation of Windows XP Professional. An installation image is placed on the RIS server and is provided to clients that connect to the server using the Preboot Execution Environment (PXE) boot process supported by certain network adapters. The server is able to recognize clients by their globally unique identifier (GUID), which is unique to each computer, can be preset for certain configurations in the Active Directory, and can be configured to provide additional configuration information (such as computer name) to the client during the installation process. Clients that are not PXE-compatible can be started with boot disks that include the necessary programs and settings to locate the server and begin the installation.
■ It simplifies system image management. This is accomplished by eliminating hardware-specific images and by detecting Plug and Play hardware during setup. After the installation of the client, it performs a full Plug and Play analysis of its hardware, installing the appropriate drivers.
■ It supports recovery of the operating system and computer in the event of computer failure. A failed client can boot from the RIS server again and restore the exact installation image it received the first time.
■ It reduces total cost of ownership (TCO). It accomplishes this by allowing either users or technical staff to install the operating system on individual computers. The PXE boot process and subsequent installation of Windows XP Professional is scripted and requires no direct intervention.
Installing and Configuring RIS
Before beginning a rollout of Windows XP Professional using RIS, you should
become familiar with the prerequisites for the service and you must install the
service using the Remote Installation Services Setup Wizard.
Examining the Prerequisites
The ability to act as a RIS server is available only on computers running Windows
2000 Server or Windows Server 2003. The RIS server can be a domain controller
or a member server. Table 2-7 lists the network services required for RIS and their
RIS function. These network services do not have to be installed on the same
computer as RIS, but they must be available somewhere on the network.
Table 2-7 Network Services Requirements for RIS

Network Service: DNS service
RIS Function: RIS relies on the DNS server for locating the directory service (for the purpose of looking up client computer accounts).

Network Service: DHCP service
RIS Function: Client computers that can perform a network boot receive an IP address from the DHCP server.

Network Service: Active Directory
RIS Function: RIS relies on the Active Directory service in Windows XP Professional for locating existing client computers as well as existing RIS servers.
Remote installation requires that RIS (included on the Windows 2000 Server or
Windows Server 2003 CD-ROM) be installed on a volume that is shared over the
network. This shared volume must meet the following criteria:
■ It cannot be on the same drive that is running Windows Server. RIS installs its installation images in a Single Instance Store (SIS) on an NTFS partition. This formatting is not compatible with other types of storage and therefore cannot be used on a partition containing any other data.
■ It must be large enough to hold the RIS software and the various Windows XP Professional images. The space required by several different installation images can be considerable. Some care must be taken to ensure sufficient disk space for all the images that are planned for deployment.
■ It must be formatted with the Windows NTFS file system version 5 or later. Only NTFS version 5 or later supports SIS data structures.
Using the Remote Installation Services Setup Wizard
When your network meets the prerequisites for RIS, you can run the Remote
Installation Services Setup Wizard, which does the following:
■ Installs the RIS software
■ Creates the remote installation folder and copies the Windows XP Professional installation files to the server
■ Adds .sif files, which are a variation of an Unattend.txt file
■ Configures the Client Installation Wizard screens that appear during a remote installation
■ Updates the registry
■ Creates the SIS volume
■ Starts the required RIS services
MORE INFO Managing RIS on a server is beyond the scope of this
course. More information on installing and managing RIS is available in
the Microsoft Windows Server 2003 Resource Kit (ISBN 0-7356-1471-7)
from Microsoft Learning.
Client Requirements for Remote Installation
Client computers that support remote installation must have one of the following
configurations:
■ A configuration meeting the Net PC or PC98 specification. These configurations are specified by Intel and Microsoft for their “Wired for Management” initiative and are designed to simplify the installation and management of business desktop computers.
■ A network adapter card with a PXE boot ROM. This is the configuration that allows the computer to start without an operating system by retrieving a basic operating system from the RIS server. The computer’s motherboard and BIOS must also support starting from the PXE boot ROM.
■ A supported network adapter card and a remote installation boot disk. As a last resort, you can create a boot disk for certain supported network adapters that will locate the RIS server and begin the installation. These disks are created by the Remote Boot Disk Generator (covered later in this chapter).
Net PCs
The Net PC is a highly manageable platform with the ability to perform a network
boot, manage upgrades, and prevent users from changing the hardware or operating system configuration. Additional requirements for the Net PC are as follows:
■ The network adapter must be set as the primary boot device within the system BIOS.
■ The user account that will be used to perform the installation must be assigned the user right Log On As A Batch Job. See Chapter 13 for more information on assigning user rights.
■ Users must be assigned permission to create computer accounts in the domain they are joining.

NOTE Even the Administrator group does not have the right to log on to a batch job by default; it must be assigned this right before attempting a remote installation. Best practices for security dictate that you set up an installation user account to manage installations. This prevents the need to give regular user accounts privileges that they do not require for daily use. These user account requirements apply to any RIS installation, including those using the non–Net PC and boot disk installation methods detailed in the next section.
Computers That Do Not Meet the Net PC Specification
Computers that do not directly meet the Net PC specification can still interact
with the RIS server. To enable remote installation on a computer that does not
meet the Net PC specification, perform the following steps:
1. Install a network adapter card with a PXE boot ROM.
2. Set the motherboard’s BIOS to start from the PXE boot ROM.
Creating Boot Floppies
If the network adapter card in a client is not equipped with a PXE boot ROM or
the BIOS does not allow starting from the network adapter card, create a remote
installation boot disk. The boot disk simulates the PXE boot process. Windows
2000 and Windows Server 2003 ship with the Remote Boot Disk Generator (Figure 2-8), which allows you to create a boot disk easily.
Figure 2-8 Windows Server Remote Boot Disk Generator
Run Rbfg.exe to start the Windows 2000 Remote Boot Disk Generator. The
Rbfg.exe file is located in the \RemoteInstall\Admin\i386 folder on the RIS
server. These boot floppies support only the Peripheral Component Interconnect
(PCI)-based network adapters listed in the Adapter List. To see the list of the
supported network adapters, select Adapter List, as shown earlier in Figure 2-8.
Installing Windows XP Using RIS
RIS pre-setup is accomplished in advance by a network administrator and might
include a standard operating system (OS) image or a specific system image created using the Riprep.exe utility included with RIS to copy the configuration of a
fully customized system.
The steps at the client-level include:
■ PXE boot. The target system is booted using the PXE boot features of the system BIOS or by using the remote boot disks generated with Rbfg.exe.
■ System installation. RIS automatically installs the operating system according to the setup requirements stored in the RIS server for the client system. Two options are available:
❑ Risetup. Installs the client as an unattended installation using an answer file created using Setup Manager
❑ Riprep. Installs a system image created using the Riprep.exe utility
USING DISK DUPLICATION TO DEPLOY WINDOWS XP PROFESSIONAL
When you install Windows XP Professional on several computers with identical
hardware configurations, the most efficient installation method to use is disk
duplication. By creating a disk image of a Windows XP Professional installation
and copying that image onto multiple destination computers, you save time in the
rollout of Windows XP Professional. This method also creates a convenient baseline that you can easily recopy onto a computer that is experiencing significant
problems.
One tool you will use for disk duplication is the System Preparation tool (Sysprep.exe). This utility is part of the deployment tools that ship with Windows XP Professional. Knowing how to use the System Preparation tool can help you prepare master disk images for efficient mass installations. A number of third-party disk-imaging tools are available for copying the image to other computers.
In this section, you will learn how to use the System Preparation tool to prepare
the master image.
To install Windows XP Professional using disk duplication, you first need to
install and configure Windows XP Professional on a test computer. You must
then install and configure any applications and application update packs on the
test computer. Finally, you use the System Preparation tool to prepare the master
image for copying.
Using the System Preparation Tool to Prepare the Master Image
The System Preparation tool (Sysprep) was developed to eliminate problems
encountered in disk copying. To support unique permission structures and computer identification in Active Directory, every computer in a domain network
must have a unique security identifier (SID). If you were to copy an existing disk
image to other computers, all of those computers would have the same SID. To
prevent this problem, Sysprep adds a system service to the master image that creates a unique local domain SID the first time the computer to which the master
image is copied is started.
Sysprep also allows you to add a Mini-Setup Wizard to the master copy. This wizard runs the first time the computer to which the master image is copied is
started. The wizard guides the user through entering the user-specific information such as the following:
■ End-user license agreement
■ Product ID
■ Regional settings
■ User name
■ Company name
■ Network configuration
■ Whether the computer is joining a workgroup or domain
■ Time zone selection

NOTE The Mini-Setup Wizard can be scripted using Windows Setup Manager (discussed earlier) so this user-specific information can be entered automatically.
The hard drive controller device driver and the hardware abstraction layer (HAL)
on the computer on which the disk image was generated and on the computer to
which the disk image was copied must be identical. The other peripherals, such
as the network adapter, the video adapter, and sound cards on the computer on
which the disk image was copied, need not be identical to the ones on the computer on which the image was generated.
NOTE Any other variations between systems, beyond which disk controller driver and HAL to use, will be discovered and configured during the Plug and Play phase of the installation.
Sysprep can also be customized. Table 2-8 describes some of the switches you can use to customize Sysprep.exe.

Table 2-8 Switches for Sysprep.exe

Switch: /quiet
Description: Runs with no user interaction because it does not show the user confirmation dialog boxes.

Switch: /nosidgen
Description: Does not regenerate SID on reboot. Use this when you want to run Sysprep without removing the original SID (useful when packaging a system with a mini-setup to allow customization by an end user but retaining the existing SID for security settings already in place on the domain).

Switch: /pnp
Description: Forces Setup to detect Plug and Play devices on the destination computers on the next reboot.

Switch: /reboot
Description: Restarts the source computer after Sysprep.exe has completed.

Switch: /noreboot
Description: Shuts down without a reboot.

Switch: /forceshutdown
Description: Forces a shutdown instead of powering off.

NOTE For a complete list of the switches for Sysprep.exe, start a command prompt, change to the Deploy folder or the folder where you installed Sysprep.exe, type sysprep.exe /?, and press ENTER.
Installing Windows XP Professional from a Master Disk Image
After running Sysprep on your test computer, you are ready to run a third-party
disk image copying tool to create a master disk image. Save the new disk image on
a shared folder or CD-ROM, and then copy this image to the multiple destination
computers.
End users can then start the destination computers. The Mini-Setup Wizard
prompts the user for computer-specific variables, such as the administrator password for the computer and the computer name. If a Sysprep.inf file was provided,
the Mini-Setup Wizard is bypassed and the system loads Windows XP Professional without user intervention.
APPLYING SYSTEM UPDATES
The first step to be accomplished after initial installation of Windows XP is the application of system updates and patches. The vast majority of these updates and patches relate to security vulnerabilities discovered in the system or its associated applications. Systems being connected to the Internet without first being patched can be penetrated and infected or controlled by malicious users and applications within minutes. Make sure these updates are applied before you connect the system to any public network. System updates are supplied in two ways: updates and service packs.
Windows Updates
Updates to the operating system and its associated applications are made available to Microsoft customers for free via the Windows Update service. This is a
browser-based scanning and delivery system designed to scan a system for uninstalled updates and make them available for download. Figure 2-9 shows the
Windows Update Welcome screen.
Figure 2-9 Windows Update Web site
Users can connect to Windows Update in one of three ways:
■ From the Start menu, choose All Programs, and then click Windows Update from near the top of the list of available applications.
■ In Internet Explorer, choose Windows Update from the Tools menu.
■ Navigate to www.windowsupdate.com or windowsupdate.microsoft.com.

NOTE Windows Update undergoes continuous improvements and might appear different from the screens depicted in this book. The basic design and functionality remain unchanged.
Using Windows Update
When you connect to Windows Update, an ActiveX control is loaded by Internet
Explorer. This control scans the system and reports on the available patches.
Users can then choose which patches to install. Figure 2-10 shows an Optional
Software Update selected for installation.
Figure 2-10 Windows Update with an Optional Software Update selected for installation
Patches come in three types:
■ High Priority Updates. Security updates and patches for critical system components
■ Optional Software Updates. Recommended updates for Windows and associated applications
■ Optional Hardware Updates. Updated drivers for hardware detected by the system

IMPORTANT Installing updates from Windows Update requires the user to have permission to install software on the local machine. This typically requires the user to be a member of the Administrators or Power Users local security group.
After scanning the computer, Windows Update displays the available updates.
Critical fixes are preselected for installation and should be installed first. The
Windows Update application manages the download and application of the fixes
and might ask to restart the computer when the application is complete.
Figure 2-11 shows a download in progress.
Figure 2-11 Windows Update download in progress
Following any restart, you can return to the Windows Update site and scan for
Windows XP or Driver Updates. These are not as critical and can be installed at
your leisure. They usually offer enhanced functionality or stability.
Service Packs
Service packs are available from Windows Update or via CD-ROM from
Microsoft’s Web site. Installing a service pack is akin to installing a cumulative
collection of all updates and patches released for the operating system to date.
Service packs should be installed at your earliest convenience. Their effect on
your systems and applications should be tested on a representative computer
and, when found to be safe, rolled out to the rest of your computers.
NOTE Subscribers to Microsoft’s TechNet CD-ROM or DVD-ROM subscription service receive these disks as part of their subscription.
Applying a Service Pack from Download or CD-ROM
Applying a service pack takes some time. Plan for at least an hour. If you are
downloading it, you will have an express installation option. This downloads
only the parts needed to update your system.
1. After identifying an available service pack, either download it or obtain
the CD-ROM.
2. Execute the downloaded service pack file to run the extraction and
installation program.
NOTE CD-ROM versions have an Autorun program that guides you through the service pack installation.
3. Choose whether to create an uninstallation folder. If you have a concern about the stability of the service pack, you can choose to retain the
ability to uninstall it.
4. The service pack will install and restart the computer.
Installing a Service Pack from Windows Update
Downloading a service pack from Windows Update works in much the same way
as installing a Windows Update patch. Much of the procedure is automated, as
with Windows fixes. The downloaded file launches the Service Pack Installation
Wizard, which queries the system. It then downloads the files required to update
the system.
NOTE Microsoft made a change to service pack distribution with Windows XP Service Pack 2, allowing the entire service pack to be downloaded via Automatic Updates and applied after the download is complete.
Automatic Updates
Automatic Updates are configured in the System Properties dialog box. From the
Start menu, right-click on My Computer and select Properties. Select the Automatic Updates tab to display the Configuration dialog box (Figure 2-12).
Figure 2-12 Configuring automatic updates in Windows XP
NOTE If your Automatic Updates settings appear different, you most likely do not have Windows XP Service Pack 2 (SP2) installed. This update includes several improvements to Automatic Updates and other security-related technologies. Installing SP2 at your earliest opportunity will help protect your computer and make this material more understandable.
1. After locating System Properties, locate and select the Automatic
Updates tab. Note that Automatic Updates should already be activated.
(This is new with SP2.)
2. Select from the options displayed in Table 2-9.
Table 2-9 Automatic Update Options

Option: Automatic (recommended)
Setting: This setting uses the Background Intelligent Transfer Service (BITS) to download the updates using your unused Internet bandwidth. You will be notified when they are available. If you choose not to install them at that time, they will be applied at the time you specify in the dialog box.

Option: Download updates for me, but let me choose when to install them
Setting: This setting downloads the updates using BITS. When they are downloaded, you will receive a notification bubble telling you they are ready. You can install, defer, or reject them at that time.

Option: Notify me but don’t automatically download or install them
Setting: This setting causes Automatic Updates to notify you only of the existence of updates. When you choose to install them, they will be downloaded and installed in the foreground.

Option: Turn off Automatic Updates
Setting: Disables Automatic Updates.
SLIPSTREAMING SERVICE PACKS AND UPDATES
Organizations that use a network installation process for Windows XP can apply
updates and service packs to their network installation point to reduce the
amount of time it takes to update clients after they are installed. This is accomplished through a process called slipstreaming.
Slipstreaming Service Packs
Service packs can be slipstreamed into an installation point. This is accomplished in two steps. First the service pack is extracted to a temporary folder, and then the Update.exe program within the service pack folder is run to update the installation point.
After downloading the service pack, execute it with the /x command-line switch.
C:\WindowsXP-KB835935-SP2-ENU.exe /x:c:\<temporary folder>
After the files are extracted, use the update.exe command with the /s switch. (c:\i386 is the folder containing the Windows XP installation files.) This updates the installation files.
C:\<temporary folder>\update\update.exe /s:c:\i386
Slipstreaming Windows Updates
Many Windows updates can be slipstreamed into an installation point using a
command-line switch. The /integrate switch causes the update to integrate with
the installation point. (c:\i386 is the folder containing the Windows XP installation files.)
KB123456.EXE /integrate:C:\i386
MORE INFO For more information on slipstreaming updates, see
Microsoft Knowledge Base article 828930, “How to Integrate Software
Updates into Your Windows Installation Source Files.”
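The two slipstreaming procedures in this section (extract and apply the service pack, then integrate individual updates) combined into one batch script that checks each step's result and records what was integrated. This is an added example, not the book's own; the service pack file name is the one quoted above, while the folders C:\i386, C:\sp_extract, C:\downloads and C:\hotfixes, the KB*.exe naming of the update packages and the log file are assumptions.

```batch
@echo off
setlocal EnableDelayedExpansion

REM Slipstream a service pack and a folder of hotfixes into a Windows XP
REM installation point, following the two procedures described above.
REM Added example, not from the book. Every path and file name below is an
REM assumption for illustration; use paths without spaces and adjust them.

REM Folder containing the Windows XP installation files (c:\i386 in the text).
set "INSTALL_POINT=C:\i386"
REM Temporary folder the service pack is extracted into.
set "SP_TEMP=C:\sp_extract"
REM Service pack package; the file name is the one quoted in the text above.
set "SP_FILE=C:\downloads\WindowsXP-KB835935-SP2-ENU.exe"
REM Folder holding downloaded hotfix packages named KB<number>.exe (assumed).
set "HOTFIX_DIR=C:\hotfixes"
REM Log of what was integrated, and what failed (assumed location).
set "LOG=C:\slipstream.log"

REM Sanity check: refuse to run against a folder that is not an i386 source.
if not exist "%INSTALL_POINT%\winnt32.exe" (
    echo %INSTALL_POINT% does not contain winnt32.exe; not an installation point.
    exit /b 1
)

REM Step 1: extract the service pack to the temporary folder with /x.
if exist "%SP_FILE%" (
    if not exist "%SP_TEMP%" mkdir "%SP_TEMP%"
    echo Extracting %SP_FILE% to %SP_TEMP%
    "%SP_FILE%" /x:%SP_TEMP%
    if errorlevel 1 (
        echo Service pack extraction failed with errorlevel !errorlevel!.
        exit /b 1
    )

    REM Step 2: run update.exe from the extracted folder with /s to update
    REM the installation point. Stop here if it fails, so hotfixes are not
    REM layered onto a half-updated source.
    echo Integrating service pack into %INSTALL_POINT%
    "%SP_TEMP%\update\update.exe" /s:%INSTALL_POINT%
    if errorlevel 1 (
        echo Service pack integration failed with errorlevel !errorlevel!.
        exit /b 1
    )
    echo %date% %time% integrated service pack %SP_FILE%>>"%LOG%"
) else (
    echo No service pack found at %SP_FILE%; skipping steps 1 and 2.
)

REM Step 3: integrate each hotfix with the /integrate switch. /quiet is the
REM usual Update.exe switch that suppresses the package's dialog boxes; it
REM is not mentioned in the text above. Failures are counted, not fatal,
REM so the log shows exactly which packages still need attention.
set /a OK=0
set /a FAILED=0
for %%F in ("%HOTFIX_DIR%\KB*.exe") do (
    echo Integrating %%~nxF
    "%%~fF" /integrate:%INSTALL_POINT% /quiet
    if errorlevel 1 (
        echo %date% %time% errorlevel !errorlevel! FAILED %%~nxF>>"%LOG%"
        set /a FAILED+=1
    ) else (
        echo %date% %time% integrated %%~nxF>>"%LOG%"
        set /a OK+=1
    )
)

echo Hotfixes integrated: !OK!, failed: !FAILED! (details in %LOG%)
if !FAILED! gtr 0 exit /b 1
exit /b 0
```

Run it from an administrative command prompt against a copy of the installation point, and check the log before pointing network installs at the updated source.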
USING WINDOWS PRODUCT ACTIVATION
Microsoft Windows Product Activation is an anti-piracy technology designed to
prevent copying and hard-disk loading of Windows XP. It applies to all retail versions of Windows XP. OEM and volume-licensed versions of Windows XP are
either preactivated (OEM) or do not require activation (volume).
How Windows Product Activation Works
Users must activate Windows XP with their unique product keys within the
defined grace period. For the retail version, this is 30 days from the time the system is installed. After expiration, Windows does not allow interactive logons until
the system is activated. The activation program, however, still functions so that
the activation can be performed. After activation, the system is returned to interactive status.
During activation, Windows XP scans the system’s hardware and uses the results of the scan to create a hash value. This scan is repeated during each system startup after activation. Each hardware component that is replaced changes the hash, some (motherboards, for example) more than others (mice). If excessive changes are made to the hardware configuration of the computer, the hash value falls outside the allowable limits and Windows Product Activation requires you to reactivate your system. This prevents people from making copies of a Windows XP installation and giving or selling them to others for use with different system hardware.
Activating Windows XP
Windows XP can be activated in two ways. It can be activated online over the
Internet, and it can be activated via telephone. Both methods use the same application. Telephone activation is provided as a fallback for online activation or
when the user prefers for privacy reasons to conduct the activation offline.
The Windows Product Activation Wizard launches when you click on the activation reminder balloon that pops up every few days or when you click Activate
Windows at the top of All Programs on the Start menu.
Online Activation
Within 30 days of installation, you can activate Windows XP using the Internet.
Windows XP combines your product key with an arithmetic hash created from
the results of a hardware scan to create an Installation ID. This is sent to
Microsoft, and Windows XP is activated.
Telephone Activation
If you cannot access the Internet or do not wish to transmit the product information over the Internet, you can use telephone activation. Windows XP provides
you with a telephone number to dial and shows the Installation ID on the screen.
After providing the Installation ID to the Microsoft activation line, you receive a
confirmation ID. Key this into the Activation dialog box, and click Next. Windows
XP is activated.
Automating Windows Product Activation
Most mass installations of Windows XP use volume or OEM licensing and do not
require activation. However, for retail versions, activation can be automated as a
step in the unattended installation answer file. The unattended installation file
can cause the system to launch the Activation Wizard and perform an online activation. Settings for an Internet proxy can be configured into this file as well.
TROUBLESHOOTING WINDOWS XP PROFESSIONAL SETUP
Your installation of Windows XP Professional should complete without any problems. However, this section covers some common issues you might encounter
during installation.
Resolving Common Problems
Table 2-10 lists some common installation problems and offers solutions.
Table 2-10 Troubleshooting Tips

Problem: CD-ROM drive is not supported
Solution: Replace the CD-ROM drive with a supported drive. If replacement is impossible, try another installation method, such as installing over the network. After you complete the installation, add the adapter card driver for the CD-ROM drive, if it is available.

Problem: Insufficient disk space
Solution: You can do one of the following:
■ Use the Setup program to create a partition by using existing free space on the hard disk.
■ Delete and create partitions as needed to create a partition that is large enough for installation.
■ Reformat an existing partition to create more space or install a larger hard drive.

Problem: Dependency service fails to start
Solution: In the Windows XP Professional Setup Wizard, return to the Network Settings dialog box and verify that you installed the correct protocol and network adapter. Verify that the network adapter has the proper configuration settings, such as transceiver type, and that the local computer name is unique on the network.

Problem: Setup cannot connect to the domain controller
Solution: Do the following:
■ Verify that the domain name is correct.
■ Verify that the server running the DNS service and the domain controller are both running and online. If you cannot locate a domain controller, install Windows XP Professional into a workgroup and then join the domain after installation.
■ Verify that the network adapter card and protocol settings are set correctly.
■ Verify that there is a computer account on the domain.
■ If you are reinstalling Windows XP Professional and are using the same computer name, delete the computer account and re-create it.
■ Make sure you are using an account with rights to add computer accounts to the domain.

Problem: Windows XP Professional fails to install or start
Solution: Verify the following:
■ Windows XP Professional is detecting all of the hardware.
■ All of the hardware is in the Windows Catalog.
If upgrading, try running Winnt32 /checkupgradeonly to verify that the hardware is compatible with Windows XP Professional.

Problem: Computer is unable to copy files from the CD-ROM (media errors occur)
Solution: Test the CD-ROM on another computer. If you can copy the files using a different CD-ROM drive on a different computer, use the CD-ROM to copy the files to a network share or to the hard drive of the computer on which you want to install Windows XP Professional.
Setup Logs
During Setup, Windows XP Professional generates a number of log files containing installation information that can help you resolve any problems that occur
after setup is completed. The action log and the error log are especially useful for
troubleshooting.
Action Log
The action log records in chronological order the actions that the Setup program
performs. It includes actions such as copying files and creating registry entries. It
also contains entries that are written to the Setup error log. The action log is
stored in Setupact.log. This file is placed in the %Windir% folder (usually
C:\Windows).
Error Log
The error log describes errors that occur during setup and their severity. If errors
occur, the log viewer displays the error log at the end of setup. The error log is
stored in Setuperr.log. This file is placed in the %Windir% folder (usually
C:\Windows).
Additional Logs
Setup creates a number of additional logs, including the following:
■ %windir%\comsetup.log Outlines installation for Optional Component Manager and COM+ components.
■ %windir%\setupapi.log Receives an entry each time a line from an .inf file is implemented. If an error occurs, this log describes the failure.
■ %windir%\debug\NetSetup.log Logs activity when computers join domains or workgroups.
■ %windir%\repair\setup.log Provides information that is used by the Recovery console. (In Windows NT 4, this is used by the Emergency Repair Process.) For more information about the Recovery console, see Chapter 15.
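As an added example (not from the book and not a Microsoft tool), the following Python script shows how a practitioner might triage the action log and error log described above after a failed setup. The file names Setupact.log and Setuperr.log and the %Windir% location come from the text; the line format of those logs is not given here, so the sample log contents are constructed and the parser relies only on a leading Error or Warning word, which is an assumption. It also uses the stated fact that the action log contains the entries written to the error log to cross-check the two.

```python
import os
import re
from collections import Counter

# Constructed sample logs. The real Setupact.log / Setuperr.log line format is
# not specified in the text, so the entries below are invented for the example
# and the parser only relies on a leading "Error"/"Warning" word.
SAMPLE_ACTION_LOG = """\
Copying file ntoskrnl.exe to C:\\WINDOWS\\system32
Creating registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip
Error: Setup was unable to copy file example1.sys
Warning: No driver was found for device PCI\\VEN_0000&DEV_0000
Copying file hal.dll to C:\\WINDOWS\\system32
Error: Setup was unable to copy file example2.dll
"""

SAMPLE_ERROR_LOG = """\
Error: Setup was unable to copy file example1.sys
Error: Setup was unable to copy file example2.dll
"""

SEVERITY_RE = re.compile(r"^(error|warning|fatal)\b[:\s]*(.*)$", re.IGNORECASE)
COPY_FAILURE_RE = re.compile(r"unable to copy file\s+(\S+)", re.IGNORECASE)


def parse_setup_log(text):
    """Return the flagged entries of a log as dicts with line number, severity
    and message. Plain action lines (file copies, registry writes) are skipped."""
    entries = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = SEVERITY_RE.match(line.strip())
        if match:
            entries.append({"line": number,
                            "severity": match.group(1).capitalize(),
                            "message": match.group(2).strip()})
    return entries


def severity_counts(entries):
    """How many errors versus warnings: a quick measure of how badly setup went."""
    return Counter(entry["severity"] for entry in entries)


def files_that_failed_to_copy(entries):
    """File names cited in copy-failure errors, the usual sign of bad media
    (compare the last row of Table 2-10)."""
    names = []
    for entry in entries:
        match = COPY_FAILURE_RE.search(entry["message"])
        if entry["severity"] == "Error" and match:
            names.append(match.group(1))
    return names


def errors_missing_from_action_log(action_entries, error_entries):
    """The action log also records what is written to the error log, so an error
    log message absent from the action log points at a truncated or mismatched log."""
    action_messages = {e["message"] for e in action_entries if e["severity"] == "Error"}
    return [e["message"] for e in error_entries if e["message"] not in action_messages]


def triage_windir(windir=None):
    """Read the real logs from %Windir% (default C:\\Windows) when they exist;
    on a host without them this simply returns an empty dict."""
    windir = windir or os.environ.get("WINDIR", r"C:\Windows")
    results = {}
    for name in ("setupact.log", "setuperr.log"):
        path = os.path.join(windir, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as handle:
                results[name] = parse_setup_log(handle.read())
    return results
```

Run triage_windir() on the installed system to parse the real files, or feed the two sample strings to parse_setup_log to see the error count, the failed file names and the cross-check between the logs.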
SUMMARY
■ Preinstallation tasks include verifying hardware requirements and compatibility, determining file system type and partition size, and domain or workgroup membership. The Windows Catalog lists all systems and hardware that have been certified to be compatible with Windows XP.
■ Methods to set up Windows XP include CD-ROM, network-based, Remote Installation Services (RIS), and installation from disk images. Disk image installations are accomplished with the help of the Sysprep utility, which prepares a system for imaging. Installation via CD-ROM and RIS can be automated to reduce administration costs. This automation is accomplished through the use of answer files and Uniqueness Database Files (UDFs) that control the installation process.
■ Most configuration settings can be reconfigured after setup is completed.
■ Several switches for Winnt.exe and Winnt32.exe allow you to modify the installation process. Some of these control unattended setup or the inclusion of additional folders to be copied to the system during the installation.
■ Before you upgrade a client computer to Windows XP Professional, you should ensure that it meets the minimum hardware requirements.
■ User settings and files can be migrated to a new system by using the Files And Settings Transfer Wizard. This tool copies files and settings into a file for transport to a new system.
■ Updates to Windows XP can be installed manually via Windows Update, slipstreamed into a network installation point, or installed by Automatic Updates.
■ Use setup logs to determine the cause of installation failures.
REVIEW QUESTIONS
1. List the client requirements for using Remote Installation Services
(RIS), and explain why they are important.
2. Which of the following statements about file systems are correct?
(Choose all that apply.)
a. File- and folder-level security are available only with NTFS.
b. Disk compression is available with FAT, FAT32, and NTFS.
c. Dual-booting between Windows 98 and Windows XP Professional is available only with NTFS.
d. Encryption is available only with NTFS.
3. Which of the following statements about joining a workgroup or a
domain are correct? (Choose all that apply.)
a. You can add your computer to a workgroup or a domain only during installation.
b. If you add your computer to a workgroup during installation, you
can join the computer to a domain later.
c. If you add your computer to a domain during installation, you
can join the computer to a workgroup later.
d. You cannot add your computer to a workgroup or a domain during installation.
4. Which of the following configurations can you change after installing
Windows XP Professional? (Choose all that apply.)
a. Language
b. Locale
c. Keyboard settings
d. All of the above
5. Describe how the /unattend and /UDF command-line switches for
Winnt32.exe work together to automate an installation.
6. Which of the following operating systems can be upgraded directly to
Windows XP Professional? (Choose all that apply.)
a. Windows NT Workstation 4
b. Windows NT 3.51
c. Windows 2000 Professional
d. Windows NT Server 4
7. Automatic Updates are used to apply which of the following types of
updates?
a. Optional Hardware Updates
b. Optional Software Updates
c. High Priority Updates
d. Application Updates
8. If you encounter an error during setup, which of the following log files
should you check, and why? (Choose all that apply.)
a. Setuperr.log
b. W3svc.log
c. Setup.log
d. Setupact.log
CASE SCENARIOS
Scenario 2-1: Dual-Booting
You are planning to dual-boot a computer with Windows 2000 Professional and
Windows XP Professional. You have determined that there is plenty of disk space
for a partition for each operating system. You are running the setup program and
deciding which file system to use to format the partitions. Answer the following
questions regarding this dual-boot setup:
1. Which of the following file systems can you use for the system partition of this computer?
a. CDFS
b. NTFS
c. FAT32
d. UFS
2. Which file system is the best choice for a secure installation?
a. CDFS
b. NTFS
c. FAT32
d. UFS
Scenario 2-2: Automatic Updates
You are setting up Automatic Updates for a computer that will run unattended for
long periods of time. You are concerned that no users will be around to manually
install updates. Which of the available options for applying automatic updates is
the best choice for this scenario, and how can you manage the application of service packs to this system?
CHAPTER 3
MANAGING DISKS AND FILE SYSTEMS
Upon completion of this chapter, you will be able to:
■ Monitor and configure disks
■ Monitor, configure, and troubleshoot volumes
■ Monitor and configure removable media such as tape devices
■ Install, configure, and manage DVD and CD-ROM devices
■ Configure NTFS, FAT, and FAT32 file systems
■ Convert from one file system to another
■ Use disk optimization utilities: Disk Defragmenter, Chkdsk, and Disk Cleanup
This chapter deals with management and operation of storage technologies in
Microsoft Windows XP. You will learn about installation and management of
disks and removable media devices such as CD-ROMs, DVD-ROMs, and tape
drives. We will explore management of basic and dynamic disks, volume management, and configuration and management of file systems. You will also use
Disk Management to manage partitions and volumes on hard disks, mount volumes to NTFS folders, and manage remote systems. This chapter also shows you
other disk management tools such as Disk Defragmenter and Chkdsk. You will
learn how to use Disk Cleanup to reclaim disk space and learn best practices for
disk management and optimization of storage.
UNDERSTANDING DISK MANAGEMENT
Whether you are setting up unused free space on a hard disk on which you
installed Windows XP Professional or configuring a new hard disk, you must perform certain tasks. Before you can store data on a new hard disk, you must perform the following tasks to prepare the disk:
■ Initialize the disk with a storage type. Initialization defines the fundamental structure of a hard disk. Windows XP Professional supports basic storage and dynamic storage. A physical disk can be either basic or dynamic; you can't use both storage types on one disk.
■ Divide the disk into partitions or volumes. Basic disks are divided into partitions, or discrete storage sections. Similar divisions of dynamic disks are called volumes.
■ Format the disk. After you create a partition or volume, you must format it with a file system, either file allocation table (FAT), FAT32, or NTFS.
Understanding Basic Storage
The traditional industry standard is basic storage. All versions of MS-DOS, Windows, Windows NT, Windows 2000, and Windows XP support basic storage. For
Windows XP Professional, basic storage is the default storage type.
Basic storage dictates the division of a hard disk into partitions. A partition is a
portion of the disk that functions as a physically separate unit of storage. Windows XP Professional recognizes primary and extended partitions. A disk that is
initialized for basic storage is called a basic disk. A basic disk can contain primary
partitions, extended partitions, and logical drives (as shown in Figure 3-1).
Figure 3-1 Basic and dynamic storage types (diagram: primary partitions C:, D:, E:, and F:, and an extended partition divided into logical drives F:, G:, and H:)
Table 3-1 compares some of the characteristics of primary partitions and
extended partitions.
Table 3-1 Primary and Extended Partitions

Primary Partitions:
■ A basic disk can contain a maximum of four primary partitions, or up to three primary partitions if there is also an extended partition.
■ Can be marked as the active partition. The system BIOS looks to the active partition for the boot files to start the operating system (only one active partition per hard disk).
■ Each primary partition can be formatted and assigned a drive letter.

Extended Partitions:
■ A basic disk can contain only one extended partition.
■ An extended partition can't be marked as the active partition.
■ Divided into logical drives, each of which can be formatted and assigned a drive letter.
NOTE The Windows XP Professional system partition is the active partition that contains the hardware-specific files required to load the operating system. The Windows XP Professional boot partition is the primary partition or logical drive where the operating system files are installed. The boot partition and the system partition can be the same partition. However, the system partition must be on the active partition, typically drive C, whereas the boot partition can be on another primary partition or an extended partition.
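The rules in Table 3-1 and the note above are simple enough to check mechanically. The following added example (written for this page, not code from the book or from Windows) validates a proposed basic-disk layout against them: at most four primary partitions, or three when an extended partition is present; only one extended partition; only one active partition, which must be a primary partition because it is where the BIOS looks for the boot files; and logical drives only inside the extended partition. The Partition class, the size fields, and the sample layouts are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Limits taken from Table 3-1: four primaries, or three plus one extended
# partition; only one extended partition; one active partition per disk.
MAX_PRIMARIES = 4
MAX_PRIMARIES_WITH_EXTENDED = 3


@dataclass
class Partition:
    kind: str                  # "primary" or "extended"
    size_mb: int
    active: bool = False
    # sizes (MB) of the logical drives carved out of an extended partition
    logical_drives_mb: list = field(default_factory=list)


def validate_basic_disk(partitions, disk_size_mb):
    """Return a list of rule violations (an empty list means the layout is legal)."""
    problems = []
    primaries = [p for p in partitions if p.kind == "primary"]
    extendeds = [p for p in partitions if p.kind == "extended"]
    if any(p.kind not in ("primary", "extended") for p in partitions):
        problems.append("unknown partition kind on a basic disk")
    if len(extendeds) > 1:
        problems.append("a basic disk can contain only one extended partition")
    limit = MAX_PRIMARIES_WITH_EXTENDED if extendeds else MAX_PRIMARIES
    if len(primaries) > limit:
        problems.append(f"{len(primaries)} primary partitions, but at most {limit} are allowed here")
    if sum(1 for p in partitions if p.active) > 1:
        problems.append("only one partition per disk can be active")
    for p in extendeds:
        if p.active:
            problems.append("an extended partition cannot be the active partition")
        if sum(p.logical_drives_mb) > p.size_mb:
            problems.append("logical drives do not fit in the extended partition")
    for p in primaries:
        if p.logical_drives_mb:
            problems.append("a primary partition is not divided into logical drives")
    if sum(p.size_mb for p in partitions) > disk_size_mb:
        problems.append("partitions exceed the disk size")
    return problems


def bootable_layout(partitions):
    """True when exactly one primary partition is active, so the BIOS has a
    system partition to read the boot files from."""
    active = [p for p in partitions if p.active]
    return len(active) == 1 and active[0].kind == "primary"


def count_drive_letters(partitions):
    """Every primary partition and every logical drive can carry a drive letter."""
    return sum(1 if p.kind == "primary" else len(p.logical_drives_mb) for p in partitions)
```

A layout of three primary partitions plus one extended partition with three logical drives passes and yields six lettered volumes less one, that is five, while adding a fourth primary partition beside the extended partition, or marking the extended partition active, is reported as a violation.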
Understanding Dynamic Storage
Windows 2000 and Windows XP Professional support dynamic storage, which is a
standard that creates a single partition encompassing the entire disk. A disk that
you initialize for dynamic storage is a dynamic disk. You divide dynamic disks into
volumes, which can consist of a portion, or portions, of one or more physical disks.
When you have converted a basic disk to dynamic storage, you can create Windows XP Professional volumes. Consider which of the following volume types
(Figure 3-2) best suit your needs for efficient use of disk space and performance.
■ Simple volume Contains disk space from a single disk and is not fault tolerant.
■ Spanned volume Includes disk space from multiple disks (up to 32). Windows XP Professional writes data to a spanned volume on the first disk, completely filling the space, and continues in this manner through each disk that you include in the spanned volume. These volumes are not fault tolerant. If any disk in a spanned volume fails, the data in the entire volume is lost.
Figure 3-2 Dynamic disks in Windows XP (diagram: a single hard disk holding multiple simple volumes C:, D:, and E:; a spanned volume (C:) across 2–32 hard disks or portions of disks; a striped volume (C:) across 2–32 disks or portions of disks)
■ Striped volume Combines areas of free space from multiple hard disks (up to 32) into one logical volume. In a striped volume, Windows XP Professional optimizes performance by adding data to all disks at the same rate. If a disk in a striped volume fails, the data in the entire volume is lost.
NOTE Windows 2000 Server and Windows Server 2003 provide fault tolerance on dynamic disks. Fault tolerance is the ability of a computer or an operating system to respond to some catastrophic events without loss of data. The server products provide mirrored volumes and RAID-5 volumes that are fault tolerant. Windows XP Professional does not provide fault tolerance.
Creating multiple volumes on a single hard disk allows you to efficiently organize
data for such tasks as backing up data. For example, you can create a volume for
the operating system, one for applications, and one for data. When you back up
your data, you can back up the entire data volume on a daily basis and back up
the application and operating system volumes on only a monthly or quarterly
basis.
Working with Simple Volumes
A simple volume contains disk space from a single disk. You can extend a simple
volume to include unallocated space on the same disk. You can create a simple
volume and format it with NTFS, FAT, or FAT32. You can extend a simple volume
only if it is formatted with NTFS.
Simple volumes can be designated with a drive letter, left disconnected, or
mounted as a folder on any existing NTFS volume. Mounting makes the volume’s
space available as part of the normal file system. You can disconnect the mounted
volume at any time and reconnect it elsewhere, all without losing the data on the
mounted volume.
NOTE A volume mounted to an NTFS folder must itself be formatted as NTFS.
Working with Spanned Volumes
A spanned volume consists of disk space from multiple dynamic disks. Spanned
volumes enable you to combine the available free space on these disks. They can’t
be part of a striped volume and are not fault tolerant. Only NTFS-spanned volumes can be extended, and deleting any part of a spanned volume deletes the
entire volume.
You can combine various-sized areas of free space from 2 to 32 dynamic disks
into one large logical volume. Windows XP Professional organizes spanned volumes so data is stored in the space on one disk until it is full, and then, starting
at the beginning of the next disk, data is stored in the space on the second disk,
and so forth.
You can extend existing spanned volumes formatted with NTFS by adding free
space. Disk Management formats the new area without affecting any existing files
on the original volume. You can’t extend volumes formatted with FAT or FAT32,
and you can’t extend the system volume or a boot volume.
NOTE Windows NT and Windows 2000 support a technology similar to XP spanned volumes called volume sets. You cannot import volume sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP. Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.
Working with Striped Volumes
Striped volumes offer the best performance of all the Windows XP Professional
disk management strategies. In a striped volume, data is written evenly across all
physical disks in 64-KB units. Because all the hard disks that belong to the striped
volume perform the same functions as a single hard disk, Windows XP can issue
and process concurrent I/O commands simultaneously on all hard disks. In this
way, striped volumes can increase system I/O speed.
You create striped volumes by combining areas of free space from multiple disks
(from 2 to 32) into one logical volume. With a striped volume, Windows writes
data to multiple disks, similar to spanned volumes. However, on a striped volume, Windows XP writes files across all disks so data is added to all disks at the
same rate. Like spanned volumes, striped volumes don’t provide fault tolerance.
If a disk in a striped volume fails, the data in the entire volume is lost. You cannot
extend striped volumes.
NOTE Windows NT and Windows 2000, which use basic disks, support an equivalent technology called stripe sets. You cannot import stripe sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP. Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.
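The sections on spanned and striped volumes above describe two different ways of placing data over the same set of disks: fill one disk completely before moving to the next, versus write 64-KB units round-robin across all disks. The following added example (written for this page, not code from the book or from Windows) simulates both placements over constructed free-space areas so the difference in which disks a write touches, and the shared lack of fault tolerance, can be seen. Treating a striped volume's capacity as the smallest area times the number of disks is an assumption of the model; everything else follows the text.

```python
STRIPE_UNIT_KB = 64  # the stripe size stated for Windows XP striped volumes


def volume_capacity_kb(disk_areas_kb, kind):
    """Usable size of a volume built from the given free areas (KB per disk).
    A spanned volume uses every KB; for a striped volume the smallest area
    is assumed to bound what each disk contributes."""
    if not 2 <= len(disk_areas_kb) <= 32:
        raise ValueError("spanned and striped volumes use 2 to 32 disks")
    if kind == "spanned":
        return sum(disk_areas_kb)
    if kind == "striped":
        return min(disk_areas_kb) * len(disk_areas_kb)
    raise ValueError(f"unknown volume kind {kind!r}")


def fits(disk_areas_kb, data_kb, kind):
    """Whether data_kb of data can be placed on a volume of the given kind."""
    return data_kb <= volume_capacity_kb(disk_areas_kb, kind)


def spanned_layout(disk_areas_kb, data_kb):
    """Fill the first disk's area completely before moving to the next.
    Returns KB used on each disk."""
    if not fits(disk_areas_kb, data_kb, "spanned"):
        raise ValueError("data does not fit on the spanned volume")
    used = []
    remaining = data_kb
    for area in disk_areas_kb:
        take = min(area, remaining)
        used.append(take)
        remaining -= take
    return used


def striped_layout(disk_areas_kb, data_kb, unit_kb=STRIPE_UNIT_KB):
    """Write the data in stripe units round-robin across all disks.
    Returns KB used on each disk."""
    if not fits(disk_areas_kb, data_kb, "striped"):
        raise ValueError("data does not fit on the striped volume")
    used = [0] * len(disk_areas_kb)
    remaining = data_kb
    disk = 0
    while remaining > 0:
        take = min(unit_kb, remaining)
        used[disk] += take
        remaining -= take
        disk = (disk + 1) % len(disk_areas_kb)
    return used


def disks_busy_for_write(layout):
    """How many disks took part in the write: striping spreads it over all of
    them (hence the concurrent I/O), spanning only over the disks reached so far."""
    return sum(1 for kb in layout if kb > 0)


def data_lost_on_failure(layout, failed_disk):
    """Neither kind is fault tolerant: losing any member disk loses the whole
    volume, even a member that has not yet received any data."""
    return 0 <= failed_disk < len(layout)
```

With free areas of 100, 200 and 300 KB, 250 KB written to a spanned volume lands as 100, 150 and 0 KB, touching two disks, while the same data on a striped volume lands as 122, 64 and 64 KB, touching all three; and the failure of the untouched third disk still loses the spanned volume.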
Adding Disks
When you install new disks in a computer running Windows XP Professional,
they are added as basic storage. To add a new disk, install or attach the new physical disk (or disks), and then choose Rescan Disks from the Action menu of the
Disk Management snap-in in Computer Management (Figure 3-3). You must use
Rescan Disks every time you remove or add a disk to a computer. You shouldn’t
need to restart the computer when you add a new disk. However, you might need
to restart the computer if Disk Management doesn’t detect the new disk after you
run Rescan Disks.
Viewing Disk Properties
By right-clicking the physical disk in the lower pane of Disk Management and
selecting Properties, you can view and configure properties and settings for the
physical disk.
Figure 3-3 The Disk Management snap-in in Computer Management
These are the tabs of the disk Properties dialog box:
■ General Lists the device type, manufacturer, and physical location of the device, including the bus number or the Small Computer System Interface (SCSI) identifier. Lists the device status and provides access to the troubleshooter for the device.
■ Policies Allows you to set the following options for write caching and safe removal:
❑ Optimize For Quick Removal Disables write caching on the disk and in Windows
❑ Optimize For Performance Enables write caching in Windows to improve disk performance
❑ Enable Write Caching On This Disk Enables write caching to improve disk performance, but a power outage or equipment failure might result in data loss or corruption
■ Volumes Lists the volumes contained in this disk.
■ Driver Allows you to get detailed information about the driver, update the driver, roll back the driver, and uninstall the driver.
Disks are separated into partitions (basic disks) or volumes (dynamic disks). You
can view or configure properties for a volume or partition by right-clicking the
volume or partition in Disk Management and selecting Properties.
Viewing Volume or Partition Properties
By right-clicking the partition or volume (sometimes called the logical disk) in the
upper pane of Disk Management and selecting Properties, you can view and configure properties and settings for the volume or partition.
The tabs of the volume Properties dialog box are:
■ General Lists the volume label, type, file system, used space, free space, and total disk capacity. It also allows you to run Disk Cleanup, and on NTFS volumes it allows you to compress the drive and choose to have the Indexing Service index the disk for fast file searching.
■ Tools Allows you to check the partition or volume for errors, defragment it, and back it up.
■ Hardware Shows you all drives on the computer and allows you to view the properties of each device, including the manufacturer, location, and status of the device. It also allows you to access the troubleshooter for the device.
■ Sharing Allows you to share the drive, set permissions on the share, and determine the type of caching for the share.
■ Security Allows you to set the NTFS permissions. This tab is available only if the partition or volume is formatted with the NTFS file system.
■ Quota Allows you to enable and configure quota management. This tab is available only if the partition or volume is formatted with the NTFS file system.
NOTE Dynamic disks store information about their configuration in a small space at the end of the disk. As a result, you can take a disk that might be part of a spanned volume and import it into another system. Disk Management on the new system will actually recognize the imported disk as part of a spanned volume and ask for the rest of the disks! Users can thus move storage from one system to another system without losing their data.
Changing the Storage Type
You can upgrade a disk from basic storage to dynamic storage at any time without
loss of data. However, any disk to be upgraded must contain at least 1 MB of unallocated space for the upgrade to succeed. Before you upgrade disks, close any
programs that are running on those disks.
IMPORTANT Always back up the data on a disk before converting the storage type.
Table 3-2 shows the results of converting a disk from basic storage to dynamic
storage. Partitions and volumes are converted to their equivalent under the
dynamic storage architecture.
Table 3-2 Basic Disk and Dynamic Disk Organization

Basic Disk Organization: Dynamic Disk Organization
System partition: Simple volume
Boot partition: Simple volume
Primary partition: Simple volume
Extended partition: Simple volume for each logical drive and an additional simple volume for remaining unallocated space
Logical drive: Simple volume
Volume set: Spanned volume
Stripe set: Striped volume
To upgrade a basic disk to a dynamic disk, in the Disk Management snap-in,
right-click the basic disk that you want to upgrade, and then choose Upgrade To
Dynamic Disk (Figure 3-4). The system will verify your intentions and begin
the upgrade. The upgrade process requires that you restart your computer
afterward.
Figure 3-4 Initiating an upgrade from basic to dynamic disk
If you find it necessary to convert a dynamic disk to a basic disk, you must remove
all volumes from the dynamic disk before you can change it to a basic disk. To
convert a dynamic disk to a basic disk, right-click the dynamic disk, and then
choose Revert To Basic Disk.
CAUTION All data on a dynamic disk will be lost when you revert it to a basic disk.
Using Refresh and Rescan Disks
If you need to update the information displayed in Disk Management, you can
use the Refresh and Rescan commands. The Refresh command updates the drive
letter, file system, volume, and removable media information, and it determines
whether unreadable volumes are now readable. It does not scan for new disk
hardware. To refresh disk information, choose Refresh from the Action menu.
Rescan Disks updates hardware information. When Disk Management rescans
disks, it scans all attached disks for disk configuration changes. It then performs
the Refresh command. Rescanning disks can take several minutes, depending on
the number of hardware devices installed. To rescan disks, choose Rescan Disks
from the Action menu.
Managing Disks on a Remote Computer
In a domain environment, users with local administrator privileges, such as members of the Domain Admins group or the Server Operators group, can manage
disks on remote computers.
In a workgroup environment, you can manage disks on a remote computer running Windows XP Professional if you have an account with the same username
and password set up on both the local and remote computer (as shown in
Figure 3-5).
Figure 3-5 The Computer Management console connecting to a remote computer
To manage disks on a remote computer, take the following steps:
1. Open Computer Management and focus it on the remote computer by
right-clicking Computer Management (Local) and selecting Connect
To Another Computer.
2. Type the name of the other computer, and click OK.
If you have permissions to manage the remote system, you can use
Computer Management to manage it. If you do not, you can view only
limited information.
3. Locate Disk Management under the Storage section.
MANAGING REMOVABLE STORAGE
Removable Storage is a simple way to manage and access all removable storage
media on a system. It is a set of device and media management application programming interfaces (APIs) that together form a structure for managing media
allocation, tracking, and utilization.
Some functions that are supported by removable storage are:
■ Injecting and ejecting media
■ Maintaining media pools and media libraries to consolidate media tracking
■ Brokering application access to media
■ Providing a storage management interface for administrators
Using the Removable Storage Manager
The Removable Storage Manager (RSM) interface is located inside the Computer
Management console. In this application, an administrator or operator can view
media pools, media allocation, and work queues. Figure 3-6 shows a CD-ROM
and a smart media card mounted in the RSM.
Figure 3-6 The RSM showing a CD-ROM and a smart media card
Managing Media Pools
A media pool manages a collection of media. The media in the pool must be of the
same type and configuration. An example of a media pool is a collection of tapes
used for a backup rotation, which are assigned on successive days to back up system files. By organizing them into pools, you can protect them from use by other
applications. This protects their data from accidental deletion.
Media pools can be created and managed in the RSM. A media pool serves as a
container for the media allocated to a specific application. It is not available for
another application until it is released to the Free media pool or moved to the
media pool belonging to the other application.
There are four default media pool types:
■ Free Contains all media that have been detected by the system but not allocated to any application.
■ Import Contains media that are recognized but known to contain data from another application. They are placed here for protection until they can be placed in an appropriate media pool.
■ Unrecognized Contains media that the system does not recognize. Typically these are media of a type not known to the system, but they can also be corrupted media of a known type.
■ Application-Specific Applications such as Backup create media pools to manage their own media.
NOTE If you open the RSM and do not see your media pools, select Removable Storage and, from the View menu, select Full. This provides the full view of all removable storage resources.
Managing the Work Queue
During a backup it might be necessary to insert additional media or respond to
media errors to allow a backup to be completed. When this happens, you may
receive a message to check the RSM console. Figure 3-7 shows Removable
Storage displaying work queues.
If you select Work Queue in the RSM, you will see a list of completed, active,
and pending requests. If you are having problems with media allocation or are
troubleshooting a failure of your CD-ROM to eject, check here to see if there is
an active request on your media.
Working with Mounted Media
When you are using the RSM, you can find your mounted media by clicking the
library that contains the media or by selecting the media folder. Once your media
is selected, if it supports Eject commands you can eject it right from the RSM. This
comes in handy when you must eject media on a remote system.
Figure 3-7 Removable Storage Manager displaying work queues
Working with Media on a Remote Computer
To work with media on a remote computer, right-click the root folder in Computer Management and choose to connect to a remote computer.
Working with Libraries
All media devices are classified as libraries in the RSM. This allows all applications
on the system that communicate with the removable storage APIs to access data
on any media that is visible to Removable Storage. The APIs built into Removable
Storage make device differences transparent to the applications. All the application has to know is how to work with Removable Storage. Removable Storage
then manages the device and media, providing data storage to the application
(as shown in Figure 3-8).
Figure 3-8 Removable Storage service providing access to data on various
media types (diagram: applications such as Backup, Windows Explorer, Media
Player, and a photo editing application reach Tape, USB, DVD, and Diskette
media through the Removable Storage service)
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
MANAGING COMPRESSION
Windows XP Professional supports two types of compression: NTFS compression and compressed folders. NTFS compression enables you to compress files,
folders, or an entire drive. NTFS compressed files and folders occupy less space
on an NTFS-formatted volume, which enables you to store more data. Each
file and folder on an NTFS volume has a compression state, which is either
compressed or uncompressed. The Compressed Folders feature allows you
to create a compressed folder so that all files you store in that folder are automatically compressed.
Using Compressed Folders
The Compressed Folders feature, which is new in Windows XP Professional,
allows you to create compressed folders and view their contents. It also allows
you to compress large files so that you can store more files on a floppy disk
or a hard drive. The compressed “folders” are in reality Zip-compatible
archives and can be read by any operating system or application that can
read .zip files.
To create a compressed folder, start Windows Explorer and then choose File |
New | Compressed Folder. This creates a compressed folder in the current folder.
You can drag and drop files into the compressed folder, and the files will be compressed automatically. If you copy a file from the compressed folder to another
folder that is not compressed, that file will no longer be compressed. A zipper
icon denotes a compressed folder (as shown in Figure 3-9), and these
folders are labeled Compressed Folder.
Figure 3-9 A compressed folder showing the zipper icon
Benefits of using compressed folders generated with the Compressed Folders
feature include the following:
■ You can create and use compressed files and folders on both FAT and
NTFS volumes.
■ You can open files directly from the compressed folders, and you can
run some programs directly from compressed folders.
■ You can move these compressed files and folders to any drive or folder
on your computer, the Internet, or your network, and they will be compatible with any program that can read Zip archives.
■ You can encrypt compressed folders that you created using this feature.
NOTE You can compress individual files only by storing them in a compressed folder. If you move or extract the files into an uncompressed
folder, they will be uncompressed.
Using NTFS Compression
NTFS compressed files can be read and written to by any application. When an application (such as Microsoft Word or Excel) or an operating system command (such as
Copy) requests access to a compressed file, NTFS uncompresses the file before making it available. When you close or explicitly save a file, NTFS compresses it again.
Some benefits of NTFS compression include:
■ You can open files and run applications directly from the compressed
folders.
■ NTFS compression is integrated directly with NTFS and can be applied
by modifying the compression attribute on files and folders.
■ NTFS handles all compression and decompression “on the fly.”
■ NTFS compressed files can be made to appear in an alternative text
color to indicate their compressed status.
NTFS allocates disk space based on uncompressed file size. If you copy a compressed file to an NTFS volume with enough space for the compressed file but
not enough space for the uncompressed file, you might get an error message stating that there is not enough disk space for the file, and the file will not be copied
to the volume.
Compressing Files and Folders Using NTFS Compression
You can set the compression state of folders and files, and you can change the
color that is used to display compressed files and folders in Windows Explorer.
If you want to set the compression state of a folder or file, right-click the folder or
file in Windows Explorer, choose Properties, and then click Advanced. In the
Advanced Attributes dialog box, shown in Figure 3-10, select the Compress Contents To Save Disk Space check box. Click OK, and then, in the Properties dialog
box, click Apply.
NOTE NTFS encryption and compression are mutually exclusive. For
that reason, if you select the Encrypt Contents To Secure Data check
box, you cannot compress the folder or file.
Figure 3-10 The Advanced Attributes dialog box
IMPORTANT To change the compression state for a file or a folder, you
must have Write permission for that file or folder.
The compression state for a folder does not reflect the compression state of the
files and subfolders in that folder. A folder can be compressed while all of the files
in that folder are uncompressed. Alternatively, an uncompressed folder can contain compressed files. When you compress a folder that contains one or more
files, folders, or both, Windows XP Professional displays the Confirm Attribute
Changes dialog box, shown in Figure 3-11.
Figure 3-11 The Confirm Attribute Changes dialog box
The Confirm Attribute Changes dialog box has two additional options:
■ Apply Changes To This Folder Only Compresses only the folder
that you have selected
■ Apply Changes To This Folder, Subfolders, And Files Compresses
the folder and all subfolders and files that are contained within it and
are subsequently added to it
Compressing a Drive or Volume Using NTFS Compression
You can set the compression state of an entire NTFS drive or volume. To do so, in
Windows Explorer, right-click the drive or volume, and then choose Properties.
In the Properties dialog box, select the Compress Drive To Save Disk Space check
box, as shown in Figure 3-12, and then click OK.
Figure 3-12 The Local Disk (C:) Properties dialog box
Displaying NTFS Compressed Files and Folders in a Different Color
Windows Explorer makes it easy for you to quickly determine whether a file or
folder is compressed. By default, it displays the names of compressed files and
folders in a different color to distinguish them from those that are uncompressed.
To display compressed files and folders in a different color:
1. In Windows Explorer, choose Tools | Folder Options.
2. On the View tab, clear the Show Encrypted Or Compressed Files In Color
check box to turn off displaying the names of compressed files and folders
in a different color or select it to display the names in a different color.
Copying and Moving NTFS Compressed Files and Folders
There are rules that determine whether the compression state of files and folders
is retained when you copy or move them within and between NTFS and FAT
volumes. The following list describes how Windows XP Professional treats the
compression state of a file or folder when you copy or move a compressed file or
folder within or between NTFS volumes or between NTFS and FAT volumes.
■ Copying a file within an NTFS volume When you copy a file
within an NTFS volume (shown as A in Figure 3-13), the file inherits
the compression state of the target folder. For example, if you copy a
compressed file to an uncompressed folder, the file is uncompressed.
■ Moving a file or folder within an NTFS volume When you move
a file or folder within an NTFS volume (shown as B in Figure 3-13), the
file or folder retains its original compression state. For example, if you
move a compressed file to an uncompressed folder, the file remains
compressed.
■ Copying a file or folder between NTFS volumes When you copy
a file or folder between NTFS volumes (shown as C in Figure 3-13), the
file or folder inherits the compression state of the target folder.
■ Moving a file or folder between NTFS volumes When you move
a file or folder between NTFS volumes (shown as C in Figure 3-13), the
file or folder inherits the compression state of the target folder. Because
Windows XP Professional treats a move as a copy and a delete, the files
inherit the compression state of the target folder.
■ Moving or copying a file or folder to a FAT volume Windows XP
Professional supports compression only for NTFS files. When you
move or copy a compressed NTFS file or folder to a FAT volume, Windows XP Professional uncompresses the file or folder.
■ Moving or copying a compressed file or folder to a floppy
disk When you move or copy a compressed NTFS file or folder to a
floppy disk, Windows XP Professional uncompresses the file or folder.
Figure 3-13 The effects of copying and moving compressed folders and files
(diagram: A, copy within an NTFS volume, inherits; B, move within an NTFS
volume, retains; C, move or copy between NTFS volumes, inherits)
NOTE When you copy a compressed NTFS file, Windows XP Professional
uncompresses the file, copies the file, and then compresses the file again
as a new file. This might cause performance degradation when many large
files are copied at once.
NTFS Compression Guidelines
The following list provides best practices for using compression on NTFS volumes:
■ Because some file types compress more than others, select file types to
compress based on the anticipated resulting file size. For example,
because Windows bitmap files contain more redundant data than
application executable files, this file type compresses to a smaller size.
Bitmaps often compress to less than 50 percent of the original file size,
whereas application files rarely compress to less than 75 percent of the
original size.
■ Do not store compressed files, such as PKZip files, in a compressed
folder. Windows XP Professional will attempt to compress the file,
wasting system time and yielding no additional disk space.
■ Compress static data rather than data that changes frequently. Compressing and uncompressing files incurs some system overhead.
By choosing to compress files that are infrequently accessed, you
minimize the amount of system time dedicated to compression and
uncompression activities.
■ NTFS compression can cause performance degradation when you
copy and move files. When a compressed file is copied, it is uncompressed, copied, and then compressed again as a new file. You should
compress data that is not copied or moved frequently.
INCREASING SECURITY WITH THE EFS
Encryption is the process of making information indecipherable to protect it from
unauthorized viewing or use. The Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. This encryption is public key–based
and runs as an integrated system service, making it easy to manage, difficult to
attack, and transparent to the file owner. If a user who attempts to access an
encrypted NTFS file has the private key to that file, the file can be decrypted so
that the user can open the file and work with it transparently as a normal document. A user without the private key is denied access.
Windows XP Professional also includes the Cipher command, which provides
the ability to encrypt and decrypt files and folders from a command prompt.
Windows XP Professional also lets you specify a recovery agent. If the owner loses
the private key, the person designated as the recovery agent can still recover the
encrypted file.
Understanding the EFS
The EFS allows users to encrypt NTFS files by using a strong public key–based
cryptographic scheme that encrypts all files in a folder. Users with roaming profiles can use the same key with trusted remote systems. No administrative effort is
needed to begin, and most operations are transparent. Backups and copies of
encrypted files are also encrypted if they are in NTFS volumes. Files remain
encrypted if you move or rename them, and temporary files created during editing and left unencrypted in the paging file or in a temporary file do not defeat
encryption.
You can set policies to recover EFS-encrypted data when necessary. The recovery
policy is integrated with overall Windows XP Professional security policy. Control
of this policy can be delegated to individuals with recovery authority, and you can
configure different recovery policies for different parts of the enterprise. Data
recovery discloses only the recovered data, not the key that was used to encrypt
the file. Several protections ensure that data recovery is possible and that no data
is lost in the case of total system failure.
The EFS is implemented from Windows Explorer or from the command line. You
can enable or disable it for a computer, domain, or organizational unit (OU) by
setting recovery policy in the Group Policy console in the Microsoft Management
Console (MMC).
NOTE To be subject to Group Policy for the domain or for an OU, your
computer must be part of an Active Directory domain.
You can use EFS to encrypt and decrypt files on remote file servers but not to
encrypt data that is transferred over the network. Windows XP Professional supports secure network protocols, such as Internet Protocol Security (IPSec), to
encrypt data over the network.
Here are the key features provided by the EFS:
■ Transparent encryption In the EFS, file encryption does not
require the file owner to decrypt and re-encrypt the file on each use.
Decryption and encryption happen transparently on file reads and
writes to disk.
■ Strong protection of encryption keys Public key encryption
resists all but the most sophisticated methods of attack. Therefore, in
the EFS, the file encryption keys are encrypted using a public key from
the user’s certificate (X.509 v3 certificates in the case of Windows XP
Professional and Windows 2000). The list of encrypted file encryption
keys is stored with the encrypted file and is unique to it. To decrypt the
file encryption keys, the file owner supplies a private key, which only
he or she has.
■ Integral data-recovery system If the owner’s private key is unavailable, the recovery agent can open the file using the agent’s private key.
You can have more than one recovery agent, each with a different public key, but at least one public recovery key must be present on the
system to encrypt a file.
■ Secure temporary and paging files Many applications create temporary files while you edit a document, and these temporary files can
be left unencrypted on the disk. On computers running Windows XP
Professional, the EFS can be implemented at the folder level, so any
temporary copies of an encrypted file are also encrypted, provided that
all files are on NTFS volumes. The EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption
keys, ensuring that they are never copied to the paging file.
Encrypting
The recommended method for encrypting files is to create an NTFS folder and
then encrypt the folder. To encrypt a folder, in the Properties dialog box for the
folder, click the General tab. On the General tab, click Advanced, and then select
the Encrypt Contents To Secure Data check box (Figure 3-14). All files placed in
the folder are encrypted, and the folder is marked for encryption. Folders that are
marked for encryption are not actually encrypted; only the files within the folder
are encrypted.
NOTE Compressed files cannot be encrypted, and encrypted files cannot be compressed with NTFS compression.
Figure 3-14 Encrypting files
After you encrypt the folder, when you save a file in that folder, the file is
encrypted using file encryption keys, which are fast symmetric keys designed for
bulk encryption. The file is encrypted in blocks, with a different file encryption
key for each block. All of the file encryption keys are stored and encrypted in the
Data Decryption Field (DDF) and the Data Recovery Field (DRF) in the file
header.
CAUTION If an administrator removes the password on a user account,
the user account loses all EFS-encrypted files, personal certificates, and
stored passwords for Web sites or network resources. Each user should
make a password reset disk to avoid this situation. To create a password
floppy disk, open User Accounts and, under Related Tasks, click Prevent A
Forgotten Password. The Forgotten Password Wizard steps you through
creating the password reset disk. Store the password reset disk in a
secure location to prevent fraudulent use.
Decrypting
To decrypt a folder or file, you clear the Encrypt Contents To Secure Data check
box in a folder or file’s Advanced Attributes dialog box, which you access from
that folder or file’s Properties dialog box. Once decrypted, the file remains
unencrypted until you select the Encrypt Contents To Secure Data check box
(Figure 3-15).
Figure 3-15 Decrypting files
Using the Cipher Command
The Cipher command lets you encrypt and decrypt files and folders from a
command prompt. The following example shows the available switches for the
Cipher command, described in Table 3-3:
cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]
Table 3-3 Cipher Command Options
Switch     Description
/e         Encrypts the specified folders. Folders are marked so any files
           that are added later are encrypted.
/d         Decrypts the specified folders. Folders are marked so any files
           that are added later are not encrypted.
/s         Performs the specified operation on files in the given folder and
           all subfolders.
/a         Performs the specified operation on files as well as folders.
           Encrypted files can be decrypted when modified, if the parent
           folder is not encrypted. To avoid this, encrypt the file and the
           parent folder.
/i         Continues performing the specified operation even after errors
           have occurred. By default, Cipher stops when an error is
           encountered.
/f         Forces the encryption operation on all specified files, even those
           that are already encrypted. Files that are already encrypted are
           skipped by default.
/q         Reports only the most essential information.
/h         Displays files with the hidden or system attributes, which are not
           shown by default.
/k         Creates a new file encryption key for the user running the Cipher
           command. Using this option causes the Cipher command to
           ignore all other options.
file_name  Specifies a pattern, file, or folder.
If you run the Cipher command without parameters, it displays the encryption
state of the current folder and any files that it contains. You can specify
multiple file names and use wildcards. You must put spaces between multiple
parameters.
Using a Recovery Agent
If you lose your file encryption certificate and associated private key through disk
failure or any other reason, a person designated as the recovery agent can open
the file using her own certificate and associated private key. If the recovery agent
is on another computer in the network, send the file to her for recovery on her
system. She can bring her private key to the owner’s computer, but it is not good
security practice to copy a private key onto another computer.
NOTE The default recovery agent is the administrator of the local computer, unless the computer is part of a domain. In a domain, the domain
administrator is the default recovery agent. You can designate alternative EFS recovery accounts for computers grouped by OUs. Before you
can designate accounts to other recovery agents in a Windows 2000 or
Windows Server 2003 domain, you must deploy Certificate Services to
issue recovery agent certificates. For more information about Certificate
Services, see Chapter 16 in the Microsoft Windows 2000 Server Resource
Kit Distributed System Guide.
It is good security practice to rotate recovery agents. However, if the agent designation changes and the original agent’s recovery keys are deleted without files
having been decrypted and then re-encrypted with the new keys, access to the
files is denied to all users. For this reason, you should keep the recovery agent’s
certificates and private keys until all files that are encrypted with them have been
decrypted and re-encrypted with the new recovery agent’s keys.
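The key-features list under Understanding the EFS and the DDF/DRF description under Encrypting describe one structure: a symmetric file encryption key (FEK) that is wrapped once under the owner's public key and once under each recovery agent's public key and stored in the file header, and the guidance just above about keeping an outgoing agent's keys until every file has been re-encrypted follows from that same structure. The Go program below is an added model of that scheme, written for this page; it is not Windows code and does not reproduce the EFS on-disk format or algorithms. It assumes RSA-OAEP for key wrapping and AES-GCM for the data, uses one FEK for the whole file rather than one per block, and the names EncryptedFile, EncryptFile, DecryptFile and Rotate are its own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// EncryptedFile models the layout the text describes: the encrypted data plus a
// header holding the Data Decryption Field (the FEK wrapped for the owner) and
// the Data Recovery Field (the FEK wrapped once per recovery agent).
type EncryptedFile struct {
	DDF, DRF          [][]byte
	Nonce, Ciphertext []byte
}

var oaepLabel = []byte("efs-model-fek") // constructed label, not an EFS value

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return b
}

func aesGCM(fek []byte) cipher.AEAD {
	block, _ := aes.NewCipher(fek) // fek is always 32 bytes, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapFEK encrypts the FEK under one holder's public key (in EFS, the key from
// the holder's X.509 certificate). Writing a file needs only public keys.
func wrapFEK(fek []byte, pub *rsa.PublicKey) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, fek, oaepLabel)
}

// EncryptFile draws a random symmetric FEK, encrypts the data with it, and wraps
// the FEK for the owner (DDF) and for every recovery agent (DRF). Like EFS, it
// refuses to encrypt unless at least one recovery agent key is present.
func EncryptFile(plaintext []byte, owner *rsa.PublicKey, agents []*rsa.PublicKey) (*EncryptedFile, error) {
	if len(agents) == 0 {
		return nil, errors.New("at least one recovery agent public key is required")
	}
	fek := randomBytes(32) // AES-256 key for the bulk data
	gcm := aesGCM(fek)
	nonce := randomBytes(gcm.NonceSize())
	ef := &EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	for i, pub := range append([]*rsa.PublicKey{owner}, agents...) {
		w, err := wrapFEK(fek, pub)
		if err != nil {
			return nil, err
		}
		if i == 0 {
			ef.DDF = append(ef.DDF, w)
		} else {
			ef.DRF = append(ef.DRF, w)
		}
	}
	return ef, nil
}

// DecryptFile tries one private key against every DDF and DRF entry. Only a key
// the FEK was wrapped for recovers it; any other key gets an error, not data.
func DecryptFile(ef *EncryptedFile, priv *rsa.PrivateKey) ([]byte, error) {
	for _, w := range append(append([][]byte{}, ef.DDF...), ef.DRF...) {
		fek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, w, oaepLabel)
		if err != nil {
			continue // this entry was not wrapped for this key
		}
		return aesGCM(fek).Open(nil, ef.Nonce, ef.Ciphertext, nil)
	}
	return nil, errors.New("no DDF or DRF entry matches this private key")
}

// Rotate is the re-encryption step the text calls for when recovery agents
// change: a holder who can still open the file (the owner or the outgoing
// agent) rewrites it with a fresh FEK wrapped for the new agent set.
func Rotate(ef *EncryptedFile, with *rsa.PrivateKey, owner *rsa.PublicKey, agents []*rsa.PublicKey) (*EncryptedFile, error) {
	pt, err := DecryptFile(ef, with)
	if err != nil {
		return nil, err
	}
	return EncryptFile(pt, owner, agents)
}

func main() {
	owner, _ := rsa.GenerateKey(rand.Reader, 2048)
	agent, _ := rsa.GenerateKey(rand.Reader, 2048)
	ef, _ := EncryptFile([]byte("constructed sample document"), &owner.PublicKey, []*rsa.PublicKey{&agent.PublicKey})
	pt, err := DecryptFile(ef, agent) // recovery path: the owner's private key is not needed
	fmt.Println(string(pt), err)
}
```

Two properties of the model are the ones the text relies on. A file written before a new agent was designated carries no DRF entry for that agent, so the new agent cannot open it until someone who still holds a working key runs Rotate; and once the file has been rewritten the outgoing agent's key no longer opens it. Deleting the outgoing agent's private key before every file has been through that step therefore leaves those files recoverable by nobody but the owner.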
To recover an encrypted file:
1. If the file was lost due to disk failure, use Backup or another backup
tool to restore a backup version of the encrypted file or folder to the
computer where the recovery agent’s file recovery certificate is located.
If the user key was lost due to the user clearing his password but the
file is otherwise intact, proceed to step 2.
2. The recovery agent should log on to the system and locate the restored
file.
3. In Windows Explorer, the recovery agent should open the Properties
dialog box for the file or folder. On the General tab, click Advanced.
4. Clear the Encrypt Contents To Secure Data check box.
5. Return the decrypted file or folder to the user.
Managing Recovery Agents
To ensure that an agent is available to decrypt files when the user’s key is lost, you
must designate a recovery agent before using EFS. This involves generating the
recovery agent’s key and importing it into her certificate store. After designating a
recovery agent, you have other management tasks to perform. This section lists a
series of procedures you can use to manage recovery agents and recovery keys.
To generate a recovery agent certificate:
1. Log on as an administrator.
2. At a command prompt, type cipher /r:filename. This creates a recovery
agent certificate and decryption key.
To designate a recovery agent:
1. Log on as the person who will be the recovery agent.
2. Open an empty Microsoft Management Console (MMC) session by
typing mmc at a command prompt.
3. On the File menu, choose Add/Remove Snap-in to open the Add/
Remove Snap-in dialog box (Figure 3-16).
Figure 3-16 Adding a snap-in to an empty MMC session.
4. Click Add to open the Add Standalone Snap-in dialog box.
5. Select the Certificates snap-in, and click Add.
6. When you are asked to specify which account this snap-in will manage,
select My User Account.
7. Close the Add Standalone Snap-in dialog box, and click OK to close
the Add/Remove Snap-in dialog box.
8. Right-click the Personal folder in the Certificates snap-in, and choose
Import from the All Tasks menu. This starts the Certificate Import
Wizard. (You can also start the Certificate Import Wizard by double-clicking a certificate file.)
9. Enter the name of your certificate file (generated earlier with Cipher), and complete the wizard to import the .cer file containing the recovery agent certificate.
1. Log on as a local administrator, and launch the Group Policy console
by typing gpedit.msc at a command prompt.
2. Expand Computer Configuration, Windows Settings, Security Settings,
and Public Key Policies.
3. Right-click Encrypting File System, select Add Data Recovery Agent
(Figure 3-17), and complete the Add Data Recovery Agent Wizard,
selecting the new recovery agent.
Figure 3-17 Adding a data recovery agent
To remove a recovery agent:
1. In the Group Policy console, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and Encrypting
File System.
2. Select the recovery agent to remove and delete the certificate.
Managing Recovery Keys
You can use the Certificate Export Wizard to export the recovery agent’s
certificate and recovery key to a disk.
To export a certificate:
1. Open the Certificates snap-in, and then expand the Personal folder.
2. Double-click Certificates, and then right-click the recovery agent’s
certificate.
3. Select All Tasks, and then select Export.
4. Select Yes, Export The Private Key.
You have the option of exporting and then deleting the recovery key; if
you delete it, you will be required to import it to decrypt any files that
require the recovery agent’s services.
5. Select an option, and then click Next.
6. Enter a strong password to protect your exported key.
7. Click Next, and enter a file name for the exported certificate and
private key.
8. Click Next, review the final information, and then click Finish. The
exported key will have a .pfx extension.
To import recovery certificates and keys:
1. Start the Certificate Import Wizard by double-clicking a certificate file.
2. Enter the password that protects the private key.
3. Designate a location for the certificate. The default location is the personal certificate store.
Disabling the EFS
You can disable EFS for a domain, OU, or computer by applying an empty
Encrypted Data Recovery Agent policy setting. Until Encrypted Data Recovery
Agent settings are configured and applied through Group Policy, there is no policy, so the EFS uses the default recovery agents. Once the settings have been
configured and applied, the EFS must use the recovery agents listed in the Encrypted Data Recovery Agents Group Policy setting. If the policy that is applied is empty, the
EFS does not operate.
EFS Best Practices
■ Teach users to export their certificates and private keys to removable
media and store the media securely when it is not in use. This protects
against attackers who physically obtain the computer and try to access
the private key.
■ Teach users to encrypt folders rather than files. Encrypting files at the
folder level helps ensure that files are not unexpectedly decrypted.
■ The private keys that are associated with recovery certificates are
extremely sensitive. These keys must be exported and stored in a
secure location when they are not in use.
■ Do not destroy recovery keys when recovery agents are changed. Keep
them until all files that might have been encrypted with them have
been encrypted with new keys.
■ Designate two or more recovery agents. This provides redundancy for
file recovery.
MANAGING DISK QUOTAS
You use disk quotas to manage storage growth in distributed environments. Disk
quotas allow you to allocate disk space to users based on the files and folders they
own. You can set disk quotas, quota thresholds, and quota limits for all users and
for individual users. You can also monitor the amount of hard disk space that
users have used and the amount that they have left against their quota.
Understanding Disk Quota Management
Windows XP Professional disk quotas track and control disk usage on a per-user,
per-volume basis. Windows XP Professional tracks disk quotas for each volume,
even if the volumes are on the same hard disk. Because quotas are tracked on a
per-user basis, every user’s disk space is tracked regardless of the folder in which
he stores files.
Some characteristics of disk quotas:
■ Disk usage is based on file and folder ownership. Windows XP
Professional calculates disk space usage for users based on the files
and folders they own. When a user copies or saves a new file to an
NTFS volume or takes ownership of a file on an NTFS volume, Windows XP Professional charges the disk space for the file against the
user’s quota limit.
■ Disk quotas do not use compression. Windows XP Professional
ignores compression when it calculates hard disk space usage. Users
are charged for each uncompressed byte, regardless of how much hard
disk space is actually used. This is done partially because file compression produces different degrees of compression for different types of
files. Different uncompressed file types that are the same size might
end up being very different sizes when they are compressed.
■ Free space for applications is based on a quota limit. When
you enable disk quotas, the free space that Windows XP Professional
reports to applications for the volume is the amount of space remaining within the user’s disk quota limit.
NOTE Disk quotas can be applied only to NTFS 5 volumes (Windows 2000,
Windows XP, and Windows Server 2003).
You use disk quotas to monitor and control hard disk space usage. System administrators can do the following:
■ Set a disk quota limit to specify the amount of disk space for each user.
■ Set a disk quota warning to specify when Windows XP Professional
should log an event, indicating that the user is nearing his limit.
■ Enforce disk quota limits and deny users access if they exceed their
limit, or allow them continued access.
■ Log an event when a user exceeds a specified disk space threshold. The
threshold can be when the user exceeds his quota limit or when he
exceeds his warning level.
After you enable disk quotas for a volume, Windows XP Professional collects disk
usage data for all users who own files and folders on the volume. This allows you
to monitor volume usage on a per-user basis. By default, only members of the
Administrators group can view and change quota settings. However, you can
allow users to view quota settings.
Setting Disk Quotas
You can enable disk quotas and enforce disk quota warnings and limits for all
users or for individual users.
To enable disk quotas, in Disk Management open the Properties dialog box for
a partition or volume, click the Quota tab, and configure the options that are
described in the following list and displayed in Figure 3-18:
■ Enable Quota Management Select this check box to enable disk
quota management.
■ Deny Disk Space To Users Exceeding Quota Limit Select this check
box so that when users exceed their hard disk space allocation, they
receive an “out of disk space” message and cannot write to the volume.
■ Do Not Limit Disk Usage Select this option when you do not want
to limit the amount of hard disk space for users.
■ Limit Disk Space To Configures the amount of disk space that
users can use.
■ Set Warning Level To Configures the amount of disk space that
users can fill before Windows XP Professional logs an event, indicating
that a user is nearing his limit.
■ Log Event When A User Exceeds Their Quota Limit Select this
option if you want Windows XP Professional to log an event in the
Security log every time a user exceeds his quota limit.
■ Log Event When A User Exceeds Their Warning Level Select this
option if you want Windows XP Professional to log an event in the
Security log every time a user exceeds the warning level.
■ Quota Entries Click this button to open the Quota Entries For dialog box, where you can add a new entry, delete an entry, and view the
per-user quota information.
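The characteristics listed under Understanding Disk Quota Management (usage charged to the owner in uncompressed bytes, free space reported to applications against the remaining quota) and the Quota tab options just listed can be exercised together in the following Go program. It is an added model written for this page, not Windows code: the FileRecord, QuotaSettings and QuotaEntry types, the ChargeUsage, Entries, FreeSpaceReported and TryWrite functions, and the sample volume contents are all constructed for the example, and its rule that a write refused by the deny setting still logs the limit event is the example's own choice, since the text does not say which way Windows handles that case.

```go
package main

import (
	"fmt"
	"sort"
)

const MB = int64(1 << 20)

// FileRecord is a constructed stand-in for an NTFS file: its owner, its logical
// size, and the smaller size it occupies on disk when NTFS compression is on.
type FileRecord struct {
	Owner      string
	Size       int64 // uncompressed bytes: what the quota charges
	SizeOnDisk int64 // bytes after compression: ignored by the quota
}

// QuotaSettings mirrors the options on the Quota tab.
type QuotaSettings struct {
	Enabled       bool  // Enable Quota Management
	DenyOverLimit bool  // Deny Disk Space To Users Exceeding Quota Limit
	Limit         int64 // Limit Disk Space To; 0 means Do Not Limit Disk Usage
	WarningLevel  int64 // Set Warning Level To
	LogLimit      bool  // Log Event When A User Exceeds Their Quota Limit
	LogWarning    bool  // Log Event When A User Exceeds Their Warning Level
}

// QuotaEntry is one row of the Quota Entries dialog box.
type QuotaEntry struct {
	User        string
	Used        int64
	OverWarning bool // the yellow triangle
	OverLimit   bool // the red circle
}

// ChargeUsage totals each owner's logical file sizes. Compression savings never
// reduce the charge: users pay for every uncompressed byte.
func ChargeUsage(files []FileRecord) map[string]int64 {
	used := map[string]int64{}
	for _, f := range files {
		used[f.Owner] += f.Size
	}
	return used
}

// Entries builds the Quota Entries rows, sorted by user name.
func Entries(files []FileRecord, q QuotaSettings) []QuotaEntry {
	var rows []QuotaEntry
	for user, used := range ChargeUsage(files) {
		rows = append(rows, QuotaEntry{User: user, Used: used,
			OverWarning: q.Enabled && q.WarningLevel > 0 && used > q.WarningLevel,
			OverLimit:   q.Enabled && q.Limit > 0 && used > q.Limit})
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].User < rows[j].User })
	return rows
}

// FreeSpaceReported is what an application is told is free: with a limit in
// force it is the smaller of the volume's free space and the remaining quota.
func FreeSpaceReported(volumeFree, used int64, q QuotaSettings) int64 {
	if !q.Enabled || q.Limit == 0 || q.Limit-used >= volumeFree {
		return volumeFree
	}
	if used >= q.Limit {
		return 0
	}
	return q.Limit - used
}

// TryWrite decides whether user may add n bytes and lists the quota events the
// write triggers. An event fires when the write carries the user across a
// threshold; a write refused by the deny setting still logs the limit event.
func TryWrite(user string, n int64, files []FileRecord, q QuotaSettings) (bool, []string) {
	if !q.Enabled {
		return true, nil
	}
	before := ChargeUsage(files)[user]
	after := before + n
	var events []string
	if q.Limit > 0 && after > q.Limit {
		if q.LogLimit && before <= q.Limit {
			events = append(events, fmt.Sprintf("%s exceeded quota limit: %d MB of %d MB", user, after/MB, q.Limit/MB))
		}
		if q.DenyOverLimit {
			return false, events // "out of disk space": nothing is written
		}
	}
	if q.LogWarning && q.WarningLevel > 0 && before <= q.WarningLevel && after > q.WarningLevel {
		events = append(events, fmt.Sprintf("%s exceeded warning level: %d MB of %d MB", user, after/MB, q.WarningLevel/MB))
	}
	return true, events
}

func main() {
	files := []FileRecord{{Owner: "alice", Size: 60 * MB, SizeOnDisk: 20 * MB}, {Owner: "bob", Size: 10 * MB, SizeOnDisk: 5 * MB}}
	q := QuotaSettings{Enabled: true, DenyOverLimit: true, Limit: 100 * MB, WarningLevel: 80 * MB, LogLimit: true, LogWarning: true}
	fmt.Println(Entries(files, q))
	ok, events := TryWrite("alice", 45*MB, files, q)
	fmt.Println("alice writes 45 MB: allowed =", ok, events)
}
```

Clearing DenyOverLimit turns the model into the monitor-only mode the text describes under Best Uses for Disk Quotas: TryWrite then allows every write but still reports the threshold events, which is what you want when you are sizing limits before enforcing them.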
Figure 3-18 The Quota tab of the Properties dialog box for a disk
To enforce identical quota limits for all users:
1. In the Limit Disk Space To text box and the Set Warning Level To text
box, enter the values for the limit and warning levels, respectively, that
you want to set.
2. Select the Deny Disk Space To Users Exceeding Quota Limit check box.
Windows XP Professional will monitor usage and will not allow users to create
files or folders on the volume when they exceed the limit.
To enforce different quota limits for one or more specific users:
1. In Computer Management, open the Properties dialog box for a volume or partition, click the Quota tab, and then click Quota Entries.
2. In the Quota Entries dialog box, shown in Figure 3-19, double-click the
user account for which you want to set a disk quota limit or create an
entry by choosing New Quota Entry from the Quota menu.
Figure 3-19 The Quota Entries dialog box
3. Configure the disk space limit and the warning level for each individual user.
Determining the Status of Disk Quotas
You can determine the status of disk quotas in the Quota Entries dialog box for a
disk by checking the traffic-light icon and reading the status message to its right
(Figure 3-19). The color shown on the traffic light icon indicates the status of
disk quotas:
■
A red traffic light indicates that disk quotas are disabled.
■
A yellow traffic light indicates that Windows XP Professional is rebuilding disk quota information.
■
A green traffic light indicates that the disk quota system is active.
Monitoring Disk Quotas
You use the Quota Entries dialog box (shown earlier in Figure 3-19) to monitor
usage for all users who have copied, saved, or taken ownership of files and folders
on the volume. Windows XP Professional scans the volume and monitors the
amount of disk space in use by each user. You can use the Quota Entries dialog
box to view the following:
■
The amount of hard disk space that each user uses
■
Users who are over their quota warning threshold, signified by a
yellow triangle
■
Users who are over their quota limit, signified by a red circle
■
The warning threshold and the disk quota limit for each user
Best Uses for Disk Quotas
Use the following guidelines for using disk quotas:
■
If you enable disk quota settings on the volume where Windows XP
Professional is installed and your user account has a disk quota limit,
log on as Administrator to install additional Windows XP Professional
components and applications. In this way, Windows XP Professional
will not charge the disk space that you use to install applications
against the disk quota allowance for your user account.
■
You can monitor hard disk usage and generate hard disk usage information without preventing users from saving data. To do so, clear the
Deny Disk Space To Users Exceeding Quota Limit check box when
you enable disk quotas.
■
Set more restrictive default limits for all user accounts, and then modify
the limits to allow more disk space to users who work with large files.
■
If multiple users share computers running Windows XP Professional,
set disk quota limits on computer volumes so that disk space is shared
by all users who share the computer.
■
Generally, you should set disk quotas on shared volumes to limit storage for users. Set disk quotas on public folders and network servers to
ensure that users share hard disk space appropriately. When storage
resources are scarce, you might want to set disk quotas on all shared
hard disk space.
■
Delete disk quota entries for users who no longer store files on a volume. You can delete quota entries for a user account only after all files
that the user owns have been removed from the volume or another
user has taken ownership of the files.
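The Quota Entries dialog box charges space to whoever owns a file, not to the folder the file sits in, which is why transferring ownership is the only way to move a charge between accounts. The PowerShell script below is an added example, not code from the book: it approximates the per-owner view of Quota Entries by summing file sizes by NTFS owner, reports each owner's status against a limit and warning level, and lists the files one account owns outside its personal folder. The root path, limit, warning level, account name, and home folder at the bottom are placeholders.

```powershell
# Added example (not from the book). Approximates what the Quota Entries dialog
# box shows: bytes charged to each NTFS file owner under a root path, each
# owner's status against the quota limit and warning level, and the files one
# account owns outside its personal folder (the situation that pushes an
# account over its limit when it owns shared or community files).
# Assumptions: the root path, limit, warning level, account name and home
# folder used at the bottom are placeholders. Run from an elevated prompt so
# every file is readable. Sizes are logical file lengths, so they only
# approximate the kernel's quota charge, which uses uncompressed size and
# counts every data stream; the Quota Entries dialog box remains authoritative.

function Get-OwnerUsage {
    param([string]$Root)
    $usage = @{}                      # owner name -> bytes charged
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
            if ($acl -and $acl.Owner) {
                # A missing key reads as $null, which [long] turns into 0.
                $usage[$acl.Owner] = [long]$usage[$acl.Owner] + $_.Length
            }
        }
    return $usage
}

function Get-QuotaStatus {
    param([hashtable]$Usage, [long]$LimitBytes, [long]$WarningBytes)
    foreach ($owner in ($Usage.Keys | Sort-Object)) {
        $bytes = $Usage[$owner]
        if ($bytes -gt $LimitBytes) {
            $status = 'OVER LIMIT (new writes denied when the Deny option is set)'
        } elseif ($bytes -gt $WarningBytes) {
            $status = 'OVER WARNING LEVEL'
        } else {
            $status = 'OK'
        }
        New-Object PSObject -Property @{
            Owner  = $owner
            UsedMB = [math]::Round($bytes / 1MB, 2)
            Status = $status
        }
    }
}

function Get-FilesOwnedOutsideHome {
    param([string]$Root, [string]$Owner, [string]$HomeFolder)
    # Normalise the home folder so the prefix test cannot match a sibling
    # folder that merely starts with the same name (D:\Users\jsmith2).
    $homePrefix = $HomeFolder.TrimEnd('\') + '\'
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object {
            -not $_.FullName.StartsWith($homePrefix,
                    [System.StringComparison]::OrdinalIgnoreCase) -and
            (Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue).Owner -eq $Owner
        } |
        Select-Object FullName, Length
}

# Placeholder values: volume root, a 1 GB limit with a 900 MB warning level,
# and one account whose personal folder lives under D:\Users.
$usage = Get-OwnerUsage -Root 'D:\'
Get-QuotaStatus -Usage $usage -LimitBytes 1GB -WarningBytes 900MB |
    Format-Table Owner, UsedMB, Status -AutoSize
Get-FilesOwnedOutsideHome -Root 'D:\' -Owner 'CORP\jsmith' -HomeFolder 'D:\Users\jsmith' |
    Format-Table FullName, Length -AutoSize
```

The second table is the list to review before deciding whether to raise a single user's quota or to have another account take ownership of shared files.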
USING DISK DEFRAGMENTER, CHKDSK,
AND DISK CLEANUP
Windows XP Professional saves files and folders in the first available space on a
hard disk and not necessarily in an area of contiguous space. The parts of the files
and folders are scattered over the hard disk rather than being in a contiguous
area. This scattering of files and folders across a hard disk is known as fragmentation. When your hard disk contains numerous fragmented files and folders, your
computer takes longer to access them because it requires several additional reads
to collect the various pieces. Creating new files and folders also takes longer
because the available free space on the hard disk is scattered. Your computer
must save a new file or folder in various locations on the hard disk.
Temporary files, Internet cache files, and unnecessary programs also take up
space on your computer’s hard drive. Sometimes file system errors occur, and
sometimes sectors on your hard disk go bad; these events can cause you to lose
data stored on your hard disk. This section introduces three Windows XP Professional tools—Disk Defragmenter, Chkdsk, and Disk Cleanup—that help you organize your hard disks, recover readable information from damaged areas on your
hard disk, mark bad sectors to prevent future data loss, and clean up any temporary files and unnecessary programs that are taking up space on your hard drive.
Defragmenting Disks
The process of finding and consolidating fragmented files and folders is called defragmenting. Disk Defragmenter locates fragmented files and folders and defragments
them by moving the pieces of each file or folder to one location so they occupy a single, contiguous space on the hard disk. Your system can thus access and save files
and folders more efficiently. By consolidating files and folders, Disk Defragmenter
also consolidates free space, making it less likely that new files will be fragmented.
Disk Defragmenter can defragment FAT, FAT32, and NTFS volumes.
You access Disk Defragmenter by choosing Start | All Programs | Accessories |
System Tools | Disk Defragmenter. The Disk Defragmenter window has three
areas, as shown in Figure 3-20.
Figure 3-20 The Disk Defragmenter window
The upper pane of the window lists the volumes that you can analyze and defragment. The middle pane provides a graphic representation of how fragmented the
selected volume is. The lower pane provides a dynamic representation of the
volume that continuously updates during defragmentation. The display colors
indicate the condition of the volume:
■
Red indicates fragmented files.
■
Blue indicates contiguous (nonfragmented) files.
■
Green indicates system files, which Disk Defragmenter cannot move.
■
White indicates free space on the volume.
By comparing the Analysis Display band to the Defragmentation Display band during and after defragmentation, you can easily see the improvement in the volume.
You can also open Disk Defragmenter by selecting a drive you want to defragment
in Windows Explorer or My Computer. Choose File | Properties, click the Tools
tab, and click Defragment Now. Then select one of these options:
■
Analyze Analyzes the disk for fragmentation. After the analysis, the
Analysis Display band provides a graphic representation of how fragmented the volume is.
■
Defragment Defragments the disk. After defragmentation, the
Defragmentation Display band provides a graphic representation of
the defragmented volume.
Figure 3-21 shows the Disk Defragmenter window after you have analyzed drive
C. Windows XP Professional displays a message dialog box indicating that you
need to defragment the volume. You can view a report showing more details
about the fragmentation on your volume, close the dialog box and run the defragmenter at a later time, or defragment the volume right then.
Figure 3-21 The Disk Defragmenter window showing a completed analysis
If there is not enough fragmentation to require you to defragment the volume,
Windows XP Professional displays a Disk Defragmenter dialog box indicating
that there is currently no need to defragment the volume.
Using Disk Defragmenter Effectively
The following list provides some guidelines for using Disk Defragmenter:
■
Run Disk Defragmenter when the computer will receive the least
usage. During defragmentation, data is moved around on the hard
disk, and that process is disk intensive. The defragmentation process
adversely affects access time to other disk-based resources.
■
Educate users to defragment their local hard disks at least once a
month to prevent accumulation of fragmented files. Third-party disk
defragmenter tools allow remote management and scheduling to
ensure that monthly defragmentation takes place.
■
Analyze the target volume before you install large applications, and
defragment the volume if necessary. Installations complete more
quickly when the target volume has adequate contiguous free space.
Also, accessing the application after installation is faster.
■
When you delete a large number of files or folders, your hard disk
might become excessively fragmented; be sure to analyze it afterward.
Using Chkdsk
Chkdsk attempts to repair file system errors, locate bad sectors, and recover readable information from those bad sectors and mark them to prevent their future
use. All files on the volume or partition must be closed for this program to run. To
access Chkdsk, select the drive you want to check in Windows Explorer or My
Computer. Choose File | Properties, click the Tools tab, and click Check Now.
Select one of the options in the Chkdsk dialog box (shown in Figure 3-22).
Figure 3-22 The Chkdsk dialog box
Here are the execution options for Chkdsk:
■
Automatically Fix File System Errors Select this check box to
have Windows XP Professional attempt to repair file system errors
found during disk checking. All files must be closed for this program to
run. If the drive is currently in use, a message asks if you would like to
reschedule the disk checking for the next time you restart your computer. Your drive is not available to run other tasks while the disk is
being checked.
■
Scan For And Attempt Recovery Of Bad Sectors Select this check
box to have Windows XP Professional attempt to repair file system
errors found during disk checking, locate bad sectors, and recover any
readable information located in those bad sectors. All files must be
closed for this program to run. If the drive is currently in use, a message asks if you would like to reschedule the disk checking for the next
time you restart your computer. Your drive is not available to run other
tasks while the disk is being checked. If you select this check box, you
do not need to select Automatically Fix File System Errors because
Windows XP Professional attempts to fix any errors on the disk.
NOTE
Chkdsk runs in five phases: file verification, index verification,
security descriptor verification, file data verification, and free space
verification.
You can also use the command-line version of Chkdsk. The command-line syntax
for Chkdsk is as follows:
Chkdsk [volume[[path]filename]] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]
The switches used by Chkdsk are described in Table 3-4.
Table 3-4 Chkdsk Options
Switch  Description
filename  Specifies the file or set of files to check for fragmentation. You can use the wildcards * and ?. This switch is valid only on volumes formatted with FAT12, FAT16, and FAT32 file systems.
path  Specifies the location of a file or set of files within the folder structure of the volume. This switch is valid only on volumes formatted with FAT12, FAT16, and FAT32 file systems.
size  Changes the log file size. You must use the /l switch with this switch. This switch is valid only on volumes formatted with NTFS.
volume  Specifies the drive letter (followed by a colon), mount point, or volume name. This switch is valid only on volumes formatted with FAT12, FAT16, and FAT32 file systems.
/c  Skips the checking of cycles within the folder structure. This switch is valid only on volumes formatted with NTFS.
/f  Fixes errors on the volume. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.
/i  Performs a less vigorous check of index entries. This switch is valid only on volumes formatted with NTFS.
/l  Displays the current size of the log file. This switch is valid only on volumes formatted with NTFS.
/r  Locates bad sectors and recovers readable information. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.
/v  On volumes formatted with FAT12, FAT16, or FAT32, displays the full path and name of every file on the volume. On volumes formatted with NTFS, displays any cleanup messages.
/x  Forces the volume to dismount first, if necessary.
/?  Displays this list of switches.
Used without parameters, Chkdsk displays the status of the disk in the current
volume.
Using Disk Cleanup
You can use Disk Cleanup to free up disk space by deleting temporary files and
uninstalling programs. Disk Cleanup lists the temporary files, Internet cache files,
and unnecessary programs that you can safely delete. To access Disk Cleanup,
select the drive you want to check in Windows Explorer or My Computer.
Choose File | Properties, click the General tab, and click Disk Cleanup. The Disk
Cleanup dialog box (shown in Figure 3-23) has the following options.
Figure 3-23 The Disk Cleanup dialog box
■
Downloaded Program Files Select this check box to delete the
ActiveX controls and Java applets that were downloaded automatically
from the Internet when users viewed certain pages. These files are
temporarily stored in the Downloaded Program Files folder on the
computer’s hard disk.
■
Temporary Internet Files Select this check box to delete the files in
the Temporary Internet Files folder on the computer’s hard drive.
These files are Web pages stored on the hard disk for quick viewing.
Users’ personalized settings for Web pages are not deleted.
■
Recycle Bin Select this check box to delete the files in the Recycle
Bin. When you delete a file from your computer, it is not permanently
removed from the computer until the Recycle Bin is emptied (when the
files in the Recycle Bin are deleted).
■
Temporary Files Select this check box to delete any Temporary files
on this volume. Programs sometimes store temporary information in a
Temp folder. Before a program closes, it usually deletes this information. You can safely delete temporary files that have not been modified
in more than a week.
■
WebClient/Publisher Temporary Files Select this check box
to delete any temporary WebClient/Publisher files. The WebClient/
Publisher service maintains a cache of accessed files on this disk. These
files are kept locally for performance reasons only and can be safely
deleted.
■
Compress Old Files Select this check box to compress files that
have not been accessed in a while. No files are deleted, and all files
are still accessible. Because files compress at different rates, the
value displayed for the amount of space you will recover is an
approximation.
■
Catalog Files For The Content Indexer Select this check box to
delete any old catalog files left over from previous indexing operations.
The Indexing Service speeds up and enriches file searches by maintaining an index of the files on this disk.
For additional ways to free up space on your hard disk using Disk Cleanup, click
the More Options tab in the Disk Cleanup dialog box (shown in Figure 3-24).
Figure 3-24 The More Options tab of the Disk Cleanup dialog box
The other options for Disk Cleanup are:
■
Windows Components Click Clean Up under Windows Components to launch the Windows Components Wizard, which allows
you to add and remove Windows components from your installation.
These components include Accessories and Utilities, Fax Services,
Indexing Services, Microsoft Internet Explorer, Internet Information
Services (IIS), Management and Monitoring Tools, Message Queuing,
MSN Explorer, Networking Services, Other Network File and Print
Services, and Update Root Certificates.
■
Installed Programs Click Clean Up under Installed Programs to
launch Add Or Remove Programs, which allows you to install programs and to uninstall programs that are no longer in use. The list of
programs available to be uninstalled depends on what programs are
installed on your computer.
■
System Restore Click Clean Up under System Restore to delete all
but the most recent restore points. For more information about restore
points and System Restore, see Chapter 15.
SUMMARY
■
The Disk Management snap-in provides a central location for disk
information and management tasks, such as creating and deleting partitions and volumes; formatting them with the FAT, FAT32, or NTFS
file systems; and assigning them drive letters.
■
The Disk Management snap-in provides a way to manage disks locally
and on remote computers.
■
A disk that is initialized for basic storage is called a basic disk; it can contain primary partitions, extended partitions, and logical drives.
■
A disk that is initialized for dynamic storage is called a dynamic disk;
dynamic storage allows for greater flexibility with regard to configuration. It can be divided into volumes, which can consist of a portion, or
portions, of one or more physical disks.
■
In Windows XP Professional, NTFS compression allows you to compress files, folders, or an entire volume.
■
NTFS encryption and compression are mutually exclusive.
■
To create a compressed folder using the Compressed Folders feature,
start Windows Explorer, choose File | New, and then click Compressed Folder.
■
Use Windows XP Professional disk quotas to allocate disk space usage
to users.
■
You can set disk quotas, quota thresholds, and quota limits for all
users and for individual users.
■
You can apply disk quotas only to NTFS 5 volumes.
■
The EFS allows users to encrypt NTFS files by using a strong public
key–based cryptographic scheme that encrypts all files in a folder.
■
Disk Defragmenter, a Windows XP Professional system tool, locates
fragmented files and folders and defragments them, enabling your system to access and save files and folders more efficiently.
■
Chkdsk attempts to repair file system errors, locate bad sectors, and
recover readable information from those bad sectors.
■
Disk Cleanup frees up disk space by locating temporary files, Internet
cache files, and unnecessary programs that you can safely delete, and it
also deletes temporary files and uninstalls programs.
REVIEW QUESTIONS
1. Which of the following statements are true for a disk that uses dynamic
storage? (Choose all correct answers.)
a. The system partition for Windows NT is never on a dynamic disk.
b. A dynamic disk can be partitioned into four primary partitions or
three primary partitions and one extended partition.
c. The Convert command allows you to convert a basic disk into a
dynamic disk.
d. A dynamic disk has a single partition that includes the entire disk.
2. Which of the following does Windows XP Professional allow you to
compress using NTFS compression? (Choose all correct answers.)
a. A FAT volume
b. An NTFS volume
c. A bitmap stored on a floppy disk
d. A folder on an NTFS volume
3. Which of the following types of files or data are good candidates
for NTFS compression? (Choose all correct answers.)
a. Encrypted data
b. Frequently updated data
c. Bitmaps
d. Static data
4. Which of the following statements about disk quotas in Windows XP
Professional is correct?
a. Disk quotas track and control disk usage on a per-user, per-disk
basis.
b. Disk quotas track and control disk usage on a per-group,
per-volume basis.
c. Disk quotas track and control disk usage on a per-user,
per-volume basis.
d. Disk quotas track and control disk usage on a per-group,
per-disk basis.
5. Which of the following files and folders does Windows XP Professional
allow you to encrypt? (Choose all correct answers.)
a. A file on an NTFS volume
b. A folder on a FAT volume
c. A file stored on a floppy disk
d. A folder on an NTFS volume
6. Which of the following functions does Chkdsk perform? (Choose all
correct answers.)
a. Locate fragmented files and folders and arrange them
contiguously.
b. Locate and attempt to repair file system errors.
c. Locate bad sectors and recover readable information from those
bad sectors.
d. Delete temporary files and offline files.
CASE SCENARIOS
Scenario 3-1: Storage Choices
You are configuring a computer that will be used as a graphics workstation. You
have specified the fastest processor available, 4 GB of RAM, a top-of-the-line
graphics processor, and a very fast network adapter. You are deciding what disk
configuration to specify for data storage. Of the following available configurations, which offers the fastest read/write performance with this computer?
a. Four disks using dynamic storage, configured as a spanned volume
b. Four disks using basic storage, configured as separate volumes
c. Four disks using dynamic storage, configured as a striped volume
d. Four disks using dynamic storage, configured as separate volumes
Scenario 3-2: Disk Quotas
You have configured a computer for your accounting department with the following settings:
■
Two NTFS volumes (one system, one data).
■
Disk quotas on the data volume permit 1 GB per user.
■
Users each have a personal folder for their own files, and all users share
a folder for community projects.
A user reports that she cannot save a file to her disk and that she received an
insufficient disk space error. She is puzzled by this because she has only 457 MB
used in her My Documents folder. After investigating, you learn that she is also
responsible for maintaining the community files and that several are owned by
her user account. The total files under her ownership, according to the Quota
Entries dialog box, is 998.57 MB.
What is the best way to allow her to continue saving files on this system?
a. Tell her to delete some files to make more space available.
b. Increase the disk quota available to her account.
c. Take ownership of some files yourself to give her more free quota
space.
d. Increase the disk quota available to all users of this computer.
CHAPTER 4
MANAGING DEVICES AND
PERIPHERALS
Upon completion of this chapter, you will be able to:
■ Implement, manage, and troubleshoot input and output (I/O) devices
■ Manage and troubleshoot drivers and driver signing
■ Configure and monitor multiprocessor computers
■ Configure Advanced Configuration and Power Interface (ACPI) settings
and support
In this chapter, we begin to work with system hardware and how to install, configure, and troubleshoot it. We will discuss many types of I/O devices, configure
settings for driver signing, and cover multiprocessor and ACPI configuration.
To get the most from this chapter, you should be familiar enough with PC hardware to be able to identify different types of hardware and perform basic installation of I/O cards and peripherals.
USING DEVICE MANAGER
Device Manager provides you with a graphical view of the hardware installed on
your computer and helps you manage and troubleshoot it. You can use Device
Manager to disable, uninstall, and update device drivers. Device Manager also
helps you determine whether the hardware on your computer is working properly. It lists devices with problems, and each device that is flagged is displayed
with the corresponding status information.
NOTE
Windows XP Professional also provides the Hardware Troubleshooter to troubleshoot hardware problems. To access the Hardware
Troubleshooter, choose Start | Help And Support. In the Help and Support Center, under Pick A Help Topic, click Hardware. In the Hardware list,
click Fixing A Hardware Problem. Under Fixing A Hardware Problem, click
Hardware Troubleshooter.
Configuring and Troubleshooting Devices
When you change device configurations manually, Device Manager can help you
avoid problems by allowing you to identify free resources and assign a device to
that resource, disable devices to free resources, and reallocate resources used by
devices to free a required resource.
You must be logged on as a member of the Administrators group to change
resource settings. Even if you are logged on as Administrator, if your computer is
connected to a network, policy settings on the network might prevent you from
changing resources.
CAUTION
Improperly changing resource settings on devices can disable
your hardware and cause your computer to stop working.
The Plug and Play (PnP) basic input/output system (BIOS) automatically identifies PnP devices and arbitrates their resource requests. However, the resource
allocation among PnP devices is not permanent. If another PnP device requests a
resource that has already been allocated, the BIOS again arbitrates the requests to
satisfy all of them. After startup, Windows XP takes over management of devices
and might again change one or more assignments to suit its own requirements.
You should not manually change resource settings for a PnP device because
Windows XP Professional will then be unable to arbitrate the assigned resources
if they are requested by another PnP device. In Device Manager, PnP devices have
a Resources tab in their Properties dialog box. To free the resource settings you
manually assigned and allow Windows XP Professional to again arbitrate the
resources, select the Use Automatic Settings check box on the Resources tab.
NOTE
Devices supported by Windows NT 4 have fixed resource settings.
These are usually defined during an upgrade from Windows NT 4 to Windows XP Professional, but you can also define them by using the Add New
Hardware Wizard in Control Panel.
To configure or troubleshoot a device using Device Manager:
1. Click Start, right-click My Computer, and then click Manage. The
Computer Management console opens (Figure 4-1).
Figure 4-1 The Computer Management console
2. Under System Tools, click Device Manager.
3. In the Details pane, double-click the device type, and then double-click
the device you want to configure. A Properties dialog box for the device
appears (Figure 4-2).
Figure 4-2 A Properties dialog box for the Netelligent 10/100TX PCI UTP
Controller
4. To configure a device, click the appropriate tab. To troubleshoot, on
the General tab, click the Troubleshoot button.
The tabs in the Properties dialog box will vary depending on the device selected,
but they should include some of the ones listed here:
■
Advanced or Advanced Properties The properties listed vary depending on
the device selected.
■
General Displays the device type, manufacturer, and location. It
also displays the device status and provides a troubleshooter to help
you troubleshoot any problems you are having with the device. The
troubleshooter steps you through a series of questions to determine
the problem and provide a solution.
■
Device Properties The properties listed vary depending on the
device selected.
■
Driver Displays the driver provider, driver date, driver version, and
digital signer. This tab also provides the Driver Details, Uninstall, and
Driver Update buttons, which allow you to get additional information
on the driver, uninstall the driver, or update the driver with a newer
version, respectively.
■
Port Settings Available in a communications port (COM1) Properties dialog box, this tab allows you to configure settings for bits per second, data bits, parity, stop bits, and flow control.
■
Properties Determines how Windows uses the device. For example,
for a CD-ROM, these settings determine how Windows uses the CD-ROM for playing CD music (for example, volume and enabling digital
CD playback instead of analog playback).
■
Resources Displays the resource type and setting, whether there are
any resource conflicts, and whether you can change the resource settings.
Viewing Hidden and Phantom Devices
By default, Device Manager does not display all devices. The devices that are not
displayed include hidden (non-PnP) devices and phantom (disconnected) devices.
Non-PnP devices are fixed system devices that have drivers installed; they typically
are not managed—they are permanently installed as part of the system’s hardware.
To display hidden devices:
1. In Device Manager, choose View | Show Hidden Devices.
Phantom devices are devices that have been installed but are not currently connected. Examples of phantom devices are disconnected USB keychain drives, PC
Card devices, and Bluetooth peripherals. When these devices are disconnected,
they usually disappear from Device Manager.
To display phantom devices:
1. Click Start | Run. In the Open text box, type cmd, and click OK.
2. At the command prompt, type set DEVMGR_SHOW_NONPRESENT_DEVICES=1.
3. Press ENTER.
4. Open Device Manager. It will display phantom devices.
NOTE
The command set DEVMGR_SHOW_NONPRESENT_DEVICES=1
is an example of an environment variable. You can set an environment
variable for the active session by using this command, or you can set it
globally by using the Environment Variables dialog box (accessed via the
Advanced tab of the System Properties dialog box). We will expand on the
discussion of environment variables in Chapter 13.
MANAGING AND TROUBLESHOOTING I/O DEVICES
The list of devices that can be installed is too long to include here. This section
describes some of the most common devices and how they are installed, configured, and managed.
Scanners and Cameras
Most digital cameras, scanners, and other imaging devices are PnP devices that Windows XP Professional installs automatically when you connect them to your computer. If your imaging device is not installed automatically when you connect it, or if
it does not support PnP, use the Scanner and Camera Installation Wizard to install it.
To manually install a scanner or camera or other imaging device:
1. In Control Panel, click Printers And Other Hardware, and then click
Scanners And Cameras.
2. In the Scanners And Cameras window, double-click Add An Imaging
Device to start the Scanner and Camera Installation Wizard.
3. Click Next, and follow the on-screen instructions to install your imaging device.
4. In Device Manager, select the appropriate device, and then click Properties.
The standard color profile for Image Color Management (ICM 2.0) is
sRGB, but you can add, remove, or select a different color profile for a
device. To change the color profile, click the Color Management tab of
the device’s Properties dialog box.
NOTE
Image Color Management (ICM) is a framework that allows scanners, cameras, printers, and monitors to share data about color values.
This ensures the colors scanned by the scanner are reliably displayed on
the monitor and properly depicted when printed. ICM uses color space
profiles to control its color management functions. Examples of color
space profiles are sRGB (Red, Green, and Blue), and CMYK (Cyan,
Magenta, Yellow, and Black). The profile you choose depends on the type
of devices you are using and the type of output you are generating. More
information on color space profiles is available from the International
Color Consortium at http://www.color.org.
5. If you have any problems with your scanner or camera, click Troubleshoot in the Scanners And Cameras Properties dialog box.
Mouse Devices
Click the Mouse icon in the Printers And Other Hardware window of Control
Panel to configure and troubleshoot your mouse. The following list describes the
options available:
■
Buttons Allows you to configure your mouse for a left-handed or right-handed user. It also allows you to set a single mouse click to select or
open, and it allows you to control the double-click speed. (See Figure 4-3.)
Figure 4-3 The Buttons tab of the Mouse Properties dialog box
■
Pointers Allows you to select or create a custom scheme for your
pointer. You can adjust the speed and acceleration of your pointer and
set the Snap To Default option, which moves the pointer to the default
button in dialog boxes.
■ Hardware Allows you to access the Troubleshooter if you are having problems with your mouse. This tab also has a Properties button that allows you to perform advanced configuration of your mouse. This includes uninstalling or updating your mouse driver, viewing or changing the resources allocated to your mouse, and increasing or decreasing the sensitivity of your mouse by varying the sample rate, which defines how often Windows XP Professional determines the position of your mouse.
Modems
Click Phone And Modem Options in the Printers And Other Hardware window
of Control Panel to install, configure, or troubleshoot your modem.
To install a new modem:
1. Click Add on the Modems tab. The Add Hardware Wizard steps you
through the installation process.
2. To configure an installed modem, click the Modems tab, select the
modem from the list of installed modems, and click Properties.
3. Click the appropriate tab for the configuration changes you want to
make. For example:
a. Click the Modem tab (Figure 4-4) to set the maximum port speed
and whether to wait for a dial tone before dialing.
b. The Diagnostics tab allows you to query the modem and to view
the modem log.
c. If you need additional help in troubleshooting the modem, you
can use the General tab to access the Troubleshooter.
Figure 4-4 Configuring modem settings
The Phone and Modem Options dialog box has two other tabs:
■ Dialing Rules tab Lists all the locations you have configured on the computer. Click Add on this tab to add a new location, or click Edit to edit an existing location.
■ Advanced tab Shows the telephony providers installed on this computer (Figure 4-5). It also allows you to add or remove telephony providers and to configure those already installed.
Figure 4-5 Configuring modem settings
MORE INFO We will cover modem configuration as it pertains to dialing and communications in Chapter 10.
Game Controllers
Click Game Controllers in the Printers And Other Hardware window of Control
Panel to install, configure, or troubleshoot your game controller.
To install a game controller:
1. Attach the game controller to the computer (for example, if it is a
universal serial bus [USB] game controller, attach it to a USB port).
2. If the game controller does not install properly, in Device Manager,
look under Human Interface Devices. If you do not see an icon for your
game controller, check to make sure your system has detected its USB
controllers and root hubs (Figure 4-6).
3. Missing USB controllers may be an indication that your USB ports are
not activated in the BIOS. If the USB host controller is not listed, check
to make sure USB is enabled in the BIOS. When prompted during
system startup, enter BIOS setup and enable USB.
4. If USB is enabled in the BIOS, contact the manufacturer or vendor for
your computer and obtain the current version of the BIOS.
Figure 4-6 Viewing installed USB controllers and root hubs
IrDA and Wireless Devices
Most internal Infrared Data Association (IrDA) devices should be installed during
Windows XP Professional setup or when you start Windows XP Professional after
adding one of these devices. If you attach an IrDA transceiver to a serial port, you
must install it using the Add Hardware Wizard.
To configure an IrDA device:
1. In Control Panel, click Wireless Link.
2. On the Hardware tab, click the device you want to configure, and then
click Properties. The Properties dialog box (Figure 4-7) shows the
status of the device, driver files, and any power management settings.
Figure 4-7 Configuring IrDA device settings
NOTE The Wireless Link icon appears in Control Panel only if you have already installed an infrared device on your computer.
Keyboards
Click Keyboard in the Printers And Other Hardware window of Control Panel to
configure or troubleshoot a keyboard.
■ On the Speed tab (Figure 4-8), you can configure the character repeat delay and the character repeat rate. You can also control the cursor blink rate.
■ The Hardware tab shows you the device properties for the installed keyboard and allows you to access the Troubleshooter if you are having problems with your keyboard. You can also install a device driver, roll back to a previous device driver, or uninstall a device driver.
Figure 4-8 Configuring keyboard speed settings
UNDERSTANDING AUTOMATIC AND MANUAL HARDWARE INSTALLATION
Windows XP Professional supports PnP devices. For most devices that are
PnP-compliant, if the appropriate driver is available and the BIOS on the computer
is a PnP BIOS or an ACPI BIOS, Windows XP Professional automatically detects,
installs, and configures the device. When Windows XP Professional detects a new
piece of hardware that cannot be installed automatically, it displays the Found
New Hardware Wizard (Figure 4-9).
When a hardware device is not detected, you must initiate installation manually.
You can also use the Add Hardware Wizard to do this.
Figure 4-9 The Found New Hardware Wizard
To install hardware using the Add Hardware Wizard:
1. Click Start | Control Panel | Printers And Other Hardware.
2. Click Add Hardware to start the Add Hardware Wizard.
3. On the Welcome To The Add Hardware Wizard page, click Next.
Windows XP Professional searches for new devices and does one of
the following:
❑ If it detects any new PnP hardware, it installs the new hardware.
❑ If it detects new hardware but cannot locate the correct drivers, it starts the Found New Hardware Wizard (Figure 4-9).
❑ If it cannot find a new device, you’ll see the wizard’s Is The Hardware Connected? page. If you have already connected the new device, click Yes, I Have Already Connected The Hardware, and then click Next. The wizard displays the The Following Hardware Is Already Installed On Your Computer page (Figure 4-10). To add hardware that is not in the list, click Add A New Hardware Device.
NOTE To use the Add Hardware Wizard to troubleshoot a hardware device, click the device in the list of installed hardware devices, and then click Next. The Completing The Add Hardware Wizard page appears. Click Finish to launch a troubleshooter to help solve any problems you might be having with that hardware device. For more on troubleshooting devices, see the “Troubleshooting Device Installation” section later in this chapter.
Figure 4-10 Adding hardware or troubleshooting with the Add Hardware Wizard
Confirming Hardware Installation
After installing hardware, you should confirm the installation using Device
Manager.
To start Device Manager, do the following:
1. Right-click My Computer, and select Properties.
2. Click the Hardware tab, and then click Device Manager, where you can
view the installed hardware (Figure 4-11).
NOTE You can also launch Device Manager from the Computer Management console. It is a snap-in located under System Tools.
Figure 4-11 Device Manager, showing devices listed by type
Windows XP Professional uses icons in the Device Manager window to identify
each installed hardware device. If Windows XP Professional does not have
an icon for the device type or cannot identify a device, it displays a question
mark.
Expand the device tree to locate the newly installed hardware device. The device
icon indicates whether the hardware device is operating properly.
Three icons display the hardware status:
■ Normal Hardware is operating properly.
■ Stop sign Windows XP Professional disabled the hardware device because of hardware conflicts. To correct this, right-click the device icon and then choose Properties. Research the actual settings configured on the device and set the hardware resources in the system manually to match the actual device settings.
NOTE To get the actual device settings, you might need to physically view the device and look at its settings, or review its configuration in your system BIOS. This may involve examining switches or jumpers (groups of pins that can be electrically connected to alter hardware configuration).
■ Exclamation point The hardware device is configured incorrectly or its drivers are missing.
Troubleshooting Device Installation
Plenty of things can go wrong when you install a hardware device. Be sure to carefully follow the manufacturer’s instructions to ensure a trouble-free installation.
If you do see any of the icons that indicate an abnormally functioning hardware
device, try the following:
■ Open the Properties dialog box for the device. The General tab lists the status of the device and lets you launch a device troubleshooter.
■ Consult the manufacturer’s instructions to verify that you have performed all necessary steps to configure the device.
■ Right-click the device and select Uninstall. Restart Windows, and allow it to detect the device again.
■ Double-check the device’s resource settings (if non-PnP) and ensure that they match those configured on the Resources tab.
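As an added check that is not part of the book, the following PowerShell function lists the devices that Device Manager would mark with a stop sign or an exclamation point, by reading each device’s ConfigManagerErrorCode through WMI (Win32_PnPEntity). It assumes PowerShell 2.0 or later; the function name is my own and the code descriptions are paraphrased from Device Manager’s problem codes.

```powershell
# Added example (not from the book): list every Plug and Play device that
# Device Manager flags, with the reason, so a post-installation check can be
# run from a console or against a remote machine (-ComputerName is optional).
function Get-ProblemDevice {
    param([string]$ComputerName = '.')

    # Device Manager problem codes, paraphrased. Code 22 is a disabled device
    # (shown with a stop sign); the others surface as an exclamation point.
    $codeText = @{
        1  = 'Not configured correctly'
        10 = 'Cannot start'
        12 = 'Cannot find enough free resources (resource conflict)'
        22 = 'Disabled'
        28 = 'Drivers are not installed'
        31 = 'Windows cannot load the drivers for this device'
    }

    Get-WmiObject -Class Win32_PnPEntity -ComputerName $ComputerName |
        # Entries without a code (some non-PnP objects) are not problems.
        Where-Object { $_.ConfigManagerErrorCode -ne $null -and $_.ConfigManagerErrorCode -ne 0 } |
        ForEach-Object {
            $code = [int]$_.ConfigManagerErrorCode
            if ($codeText.ContainsKey($code)) { $why = $codeText[$code] } else { $why = "Problem code $code" }
            if ($code -eq 22) { $icon = 'Stop sign' } else { $icon = 'Exclamation point' }
            New-Object PSObject -Property @{
                Device   = $_.Name
                DeviceID = $_.DeviceID
                Code     = $code
                Icon     = $icon
                Problem  = $why
            }
        } |
        Sort-Object Code |
        Select-Object Device, Code, Icon, Problem, DeviceID
}

# Example use: a quick check after installing new hardware.
Get-ProblemDevice | Format-Table -AutoSize
```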
Installing Hardware Manually
To manually install hardware, first determine which hardware resource is
required by the hardware device. Next you must determine the available hardware resources. In some cases, you will have to modify hardware resource
settings on other devices to free up an I/O port or interrupt request (IRQ).
Finally, you might have to troubleshoot any problems you encounter.
NOTE Windows XP installed on an ACPI system with the ACPI hardware
abstraction layer (HAL) will not allow you to change resource settings.
It might appear to accept your changes, but it will revert to its prior settings, even if you attempt to change the settings using the system BIOS
configuration tools. To permit manual configuration of device resource
settings, you must have installed a Standard PC HAL during installation.
For more information, see the section titled “Managing ACPI Support”
later in this chapter.
Determining which hardware resources are required
When installing new hardware, you need to know what resources the hardware
can use. You can check the product documentation to determine the resources
that a hardware device requires.
Here are the resources that hardware devices use to communicate with an operating system:
■ Interrupts Hardware devices must get the processor’s attention to send messages. The microprocessor knows this process as an interrupt request (IRQ). The microprocessor uses this information to determine which device needs its attention and the type of attention that it needs. Modern computers have a minimum of 15 IRQs, numbered 0 to 15, that are assigned to devices. For example, most computers assign IRQ 1 to the keyboard. Computers with Advanced Programmable Interrupt Controllers (APICs) can have up to 24 IRQs, which can be controlled by Windows XP. The computer’s BIOS manages IRQ assignment on the Peripheral Component Interconnect (PCI) bus during the boot process. During startup, Windows XP takes over management of IRQs.
NOTE Older bus designs such as the 16-bit Industry Standard Architecture (ISA) bus require users to manually set I/O cards to nonconflicting IRQs.
■ Input/output (I/O) ports I/O ports are a section of memory that a hardware device uses to communicate with the operating system. When a microprocessor receives an interrupt request via an IRQ, the operating system checks the I/O port address to retrieve additional information about what the hardware device wants it to do. An I/O port is represented as a hexadecimal number. Windows XP device drivers use I/O port settings to locate and access hardware resources.
NOTE Do not confuse I/O ports with communication ports such as COM ports or USB ports. The latter are physical ports that accept data from peripheral devices but are not directly addressed by the CPU.
■ Direct memory access (DMA) channels DMA channels allow a hardware device, such as a floppy disk drive, to access memory directly, without interrupting the microprocessor. DMA channels speed up access to memory. Modern computers have eight DMA channels, numbered 0 through 7. DMA channels are managed by the motherboard’s chipset or by devices that have their own DMA controller.
Determining available hardware resources
After you determine which resources a hardware device requires, you can look for
an available resource. Device Manager provides a list of all hardware resources
and their availability (Figure 4-12).
Figure 4-12 Device Manager showing resources listed by connection
To view the hardware resource lists, do the following:
1. In the System Properties dialog box, click the Hardware tab, and then
click Device Manager.
2. On the View menu, choose Resources By Connection. Device Manager
displays the resources that are currently in use (for example, IRQs).
3. To view a list of resources for another type of hardware resource, click
the type of hardware resource you want to see on the View menu.
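The IRQ part of the Resources By Connection view can also be built from WMI, which is handy for recording a machine’s state before a manual installation. The PowerShell function below is an added example, not the book’s own; it joins Win32_PnPAllocatedResource (which device holds which resource) to Win32_IRQResource and reports each IRQ as free, in use, or shared. It assumes PowerShell 2.0 or later, and the function name is my own.

```powershell
# Added example (not from the book): map IRQ numbers to the devices that hold
# them, so that a free IRQ can be chosen before configuring a non-PnP card.
# -ComputerName is optional and defaults to the local machine.
function Get-IrqUsageReport {
    param([string]$ComputerName = '.')

    # Each allocation record links a resource (Antecedent) to a device
    # (Dependent) as WMI object paths; keep only the IRQ allocations.
    $allocations = Get-WmiObject -Class Win32_PnPAllocatedResource -ComputerName $ComputerName |
        Where-Object { $_.Antecedent -match 'Win32_IRQResource' }

    $devicesByIrq = @{}
    foreach ($a in $allocations) {
        $irq = [int]([regex]::Match($a.Antecedent, 'IRQNumber=(\d+)').Groups[1].Value)
        $device = [wmi]$a.Dependent      # resolve the path to its Win32_PnPEntity
        if ($device.Name) { $label = $device.Name } else { $label = $device.DeviceID }
        if (-not $devicesByIrq.ContainsKey($irq)) { $devicesByIrq[$irq] = @() }
        $devicesByIrq[$irq] += $label
    }

    # Always report the legacy range 0-15; extend it if an APIC assigns higher IRQs.
    $top = 15
    if ($devicesByIrq.Count -gt 0) {
        $top = [Math]::Max($top, ($devicesByIrq.Keys | Measure-Object -Maximum).Maximum)
    }
    foreach ($irq in 0..$top) {
        $devices = @()
        if ($devicesByIrq.ContainsKey($irq)) { $devices = @($devicesByIrq[$irq]) }
        # Sharing an IRQ is normal on the PCI bus; on an ISA card it is the
        # conflict that Device Manager reports, so it is called out separately.
        $state = switch ($devices.Count) { 0 { 'Free' } 1 { 'In use' } default { 'Shared' } }
        New-Object PSObject -Property @{
            IRQ     = $irq
            State   = $state
            Devices = ($devices -join '; ')
        } | Select-Object IRQ, State, Devices
    }
}

# Example use: print the map, free IRQs included, before installing a non-PnP device.
Get-IrqUsageReport | Format-Table -AutoSize
```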
When you know which hardware resources are available, you can install the hardware manually by using the Add Hardware Wizard.
NOTE If you select a hardware resource during manual installation, you might need to configure the hardware device so that it can use the resource. For example, for a network adapter to use IRQ 5, you might have to set a jumper, change a firmware setting on the adapter, or change a setting in the system BIOS and configure Windows XP Professional so that it recognizes that the adapter now uses IRQ 5.
Changing hardware resource assignments
You might need to change hardware resource assignments. For example, a hardware device might require a specific resource presently in use by another device.
You might also encounter two hardware devices requesting the same hardware
resource, resulting in a conflict.
To change a resource setting:
1. On the Hardware tab of the System Properties dialog box, click Device
Manager.
2. Expand the device list, right-click the specific device, and then choose
Properties.
3. In the Properties dialog box for the device, click the Resources tab.
NOTE When you change a hardware resource, you can print the content of Device Manager. This provides you with a record of the hardware configuration. If you encounter problems, you can use the printout to verify the hardware resource assignments.
From this point, follow the same procedures that you used to choose a hardware
resource during a manual installation.
NOTE Changing the resource assignments for non-PnP devices in Device Manager does not change the resources used by that device. You use Device Manager only to instruct the operating system on device configuration. To change the resources used by a non-PnP device, consult the device documentation to see how to configure the device.
VIEWING AND CONFIGURING HARDWARE PROFILES
Control Panel contains applications that you can use to customize selected
aspects of the hardware and software configuration for a computer. You can configure hardware settings by creating and configuring hardware profiles. Windows
XP Professional uses these hardware profiles to determine which drivers to load
when system hardware changes.
Understanding Hardware Profiles
A hardware profile stores configuration settings for a set of devices and services.
Windows XP Professional can store different hardware profiles to meet a user’s
various needs. Hardware profiles are used primarily for portable computers. For
example, a portable computer can use different hardware configurations depending on whether it is docked or undocked. The user can create a hardware profile
for each state (docked and undocked) and choose the appropriate profile when
starting Windows XP Professional.
Creating or Modifying a Hardware Profile
To create or modify a hardware profile, in Control Panel, click Performance And
Maintenance. In the Performance And Maintenance window, click System, and in
the System Properties dialog box, click the Hardware tab. Click Hardware Profiles
to view the Available Hardware Profiles list (Figure 4-13).
Figure 4-13 Available Hardware Profiles list in the Hardware Profiles dialog box
Windows XP Professional creates an initial profile during installation, listed as
Profile 1 (Current). You can create a new profile with the same configuration as
another profile. To create a new profile, in the Available Hardware Profiles list,
select the profile that you want to copy, and then click Copy.
The order of the profiles in the Available Hardware Profiles list determines
the default order at startup. The first profile in the list becomes the default
profile. To change the order of the profiles, use the Up and Down arrow
buttons.
Activating a Hardware Profile
If the Available Hardware Profiles list contains two or more profiles, Windows XP
Professional prompts the user to make a selection during startup. You can configure how long the computer waits before starting the default configuration.
Some items to consider as you configure these settings:
■ To adjust this time delay, click the Select The First Profile Listed If I Don’t Select A Profile In option and then specify the number of seconds in the Seconds text box in the Hardware Profiles Selection group.
■ To configure Windows XP Professional to automatically choose the default profile without prompting the user, you set the number of seconds to 0.
NOTE To override the default during startup, press SPACEBAR during the operating system selection prompt (on multiboot systems) or just after the BIOS screens disappear and before you see the Windows XP logo screen.
■ You can also select the Wait Until I Select A Hardware Profile option to have Windows XP Professional wait for you to select a profile.
When you use hardware profiles, be careful not to disable one of the boot devices
using the Devices program in Control Panel. If you disable a required boot device,
Windows XP Professional might not start. It is a good idea to make a copy of the
default profile and then make changes to the new profile. Then you can use the
default profile again if a problem occurs.
Viewing Hardware Profile Properties
To view the properties for a hardware profile, in the Available Hardware Profiles
list, select a profile, and then click Properties. This displays the Properties dialog
box for the profile.
If Windows XP Professional identifies your computer as a portable unit, the This
Is A Portable Computer check box is selected. If Windows XP Professional determines that your portable computer is docked, it selects that option. You cannot
change this docked option setting after Windows XP Professional selects it.
DRIVER SIGNING AND FILE SIGNATURE VERIFICATION
Windows XP Professional drivers and operating system files have been digitally
signed by Microsoft to ensure their quality. In Device Manager, you can look on
the Driver tab of a device’s Properties dialog box to verify that the digital signer of
the installed driver is correct.
Some applications overwrite existing operating system files as part of their installation process, which can cause system errors that are difficult to troubleshoot. Microsoft has greatly simplified the tracking and troubleshooting of altered files by signing the original operating system files and allowing you to easily verify these signatures.
Configuring Driver Signing Requirements
The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers
are signed with a digital certificate. Drivers provided by third-party developers
might not have passed this process.
CAUTION Handle unsigned drivers at your own risk. They have not passed Microsoft quality testing.
To configure how the system responds to unsigned files, in Control Panel click System in the Performance And Maintenance section, and then click the Hardware tab.
On the Hardware tab, in the Device Manager box, click Driver Signing (Figure 4-14).
Figure 4-14 Configuring driver signing in the Driver Signing Options dialog box
The following three settings are available to configure driver signing:
■ Ignore Allows any files to be installed regardless of their digital signature or lack thereof. Users are not alerted to the existence of an unsigned driver, and the driver is installed without delay.
CAUTION Setting Ignore causes Windows XP to silently accept third-party drivers. Do not use this setting lightly. It poses a risk that a user can accept an unsuitable driver. It is almost always better to be alerted to the fact that a driver has not passed certification testing so you can make an informed decision about the driver’s suitability before proceeding with the installation.
■ Warn This option, the default, displays a warning message before allowing the installation of an unsigned file. The user has the option to continue installing the driver or to cancel the installation.
■ Block Prevents the installation of unsigned files. Organizations for whom system reliability must be assured will want to set this option to prevent installation of any driver that has not been fully tested.
If you are logged on as Administrator or as a member of the Administrators
group, you can select the Make This Action The System Default check box to
apply the driver signing configuration to all users who log on to the computer.
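The signing state that these options act on can also be audited after the fact, which is useful when a machine was built with Ignore in effect. The PowerShell function below is an added example, not the book’s own; it reads the Win32_PnPSignedDriver WMI class (present on Windows XP and later) and lists each installed driver package with its signer. It assumes PowerShell 2.0 or later, and the function name is my own.

```powershell
# Added example (not from the book): report whether each installed Plug and
# Play driver package carries a valid signature, and who signed it.
# -ComputerName is optional; -UnsignedOnly narrows the list to packages the
# Block setting would have refused.
function Get-DriverSigningReport {
    param(
        [string]$ComputerName = '.',
        [switch]$UnsignedOnly
    )

    # IsSigned reflects the driver package (INF plus its catalog), which is how
    # WHQL-certified drivers are signed; Signer names the certificate holder.
    $packages = Get-WmiObject -Class Win32_PnPSignedDriver -ComputerName $ComputerName |
        Where-Object { $_.DeviceName -and $_.InfName }

    $report = foreach ($p in $packages) {
        if ($p.IsSigned) { $status = 'Signed' } else { $status = 'UNSIGNED' }
        New-Object PSObject -Property @{
            Device   = $p.DeviceName
            Provider = $p.DriverProviderName
            Version  = $p.DriverVersion
            Inf      = $p.InfName
            Signer   = $p.Signer
            Status   = $status
        }
    }
    if ($UnsignedOnly) {
        $report = $report | Where-Object { $_.Status -eq 'UNSIGNED' }
    }
    # Unsigned packages first, so the ones that need a decision are at the top.
    $report |
        Sort-Object -Property @{ Expression = 'Status'; Descending = $true }, Device |
        Select-Object Device, Provider, Version, Signer, Inf, Status
}

# Example use: list the driver packages that did not pass certification testing.
Get-DriverSigningReport -UnsignedOnly | Format-Table -AutoSize
```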
Checking System File Signatures
Windows XP Professional also provides System File Checker (SFC), a command-line tool that you can use to check the digital signature of files. The syntax of the SFC tool is as follows:
Sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]
Table 4-1 explains the SFC optional parameters.
Table 4-1 System File Checker Optional Parameters
Parameter      Description
/scannow       Causes the SFC tool to scan all protected system files immediately
/scanonce      Causes the SFC tool to scan all protected system files once at the next system restart
/scanboot      Causes the SFC tool to scan all protected system files every time the system restarts
/revert        Causes the SFC settings to be returned to the default settings
/purgecache    Purges the file cache
/cachesize=x   Sets the file cache size
Using the File Signature Verification Tool
The File Signature Verification tool (Figure 4-15) allows you to view the file’s
name, location, modification date, file type, and version number. To use it, click
Start, click Run, type sigverif, and then press ENTER.
Once the File Signature Verification tool begins, you can click Advanced to
configure it (Figure 4-16).
Figure 4-15 File signature verification
Figure 4-16 Configuring advanced file signature verification settings
CONFIGURING COMPUTERS WITH MULTIPLE PROCESSORS
This section explains how to configure a system with multiple processors. It covers scaling and upgrading your computer from a single processor to a multiprocessor system.
During installation, Windows XP detects the type and number of processors on
the system board and installs the appropriate HAL to support the system’s
processor(s). In addition, each processor has a device driver just like any other
hardware device on the system. This allows the replacement of processors with
models that have different speeds and capabilities.
Multiprocessor Scaling
Adding processors to your system is one way to improve performance. This is
more of an issue for Windows Server products than it is for Windows XP
Professional because multiprocessor configurations are typically used for
processor-intensive applications, such as those found on database servers or
Web servers. However, any application that performs heavy computation and is
designed for multiple processors, such as certain scientific or financial applications or applications that do complex graphic rendering (like computer-aided
design programs), will benefit from multiprocessor systems (although most
applications will get a boost).
NOTE Upgrading to multiple processors can increase the load on other system resources. You might need to increase other resources such as disks, memory, and network components to get the maximum benefit from adding a second CPU. In addition, to make full use of multiple processors, applications must be designed to support multi-threaded operation. Most 32-bit applications use multiple threads to some extent but have not been optimized for multiple CPUs.
To add a second processor:
1. Shut down the system.
2. Install the second CPU according to the CPU manufacturer’s instructions.
3. Start the system. Windows XP detects the second CPU and forces a
Found New Hardware installation routine. The HAL is changed to
support multiple processors.
MANAGING ACPI SUPPORT
Advanced Configuration and Power Interface (ACPI) is a computer industry
specification that defines how motherboards, operating systems, and programs
interface with power components and peripheral devices. It consolidates features
of PnP with features of Advanced Power Management (APM) to allow the operating system to control system power, processor performance states, and power to
peripheral devices.
NOTE ACPI supersedes PnP and APM and is designed to control devices that are built to those standards as well as newer devices that support ACPI.
When Windows XP is installed on a computer, it checks the version of the system
BIOS against a list of known good ACPI BIOS releases. If it finds the BIOS in the
list, it installs an ACPI HAL. If the BIOS cannot be verified to be a known good
version, Windows XP installs a non-ACPI HAL to enable basic power management and PnP operation.
In future versions of ACPI, the system hardware will be able to negotiate ACPI settings with the operating system during installation to provide the most comprehensive feature set possible under the circumstances.
CAUTION Microsoft does not support changing from an ACPI HAL to a non-ACPI HAL, or vice versa, because of the great differences in how each specification detects and installs devices. Changing the HAL will likely cause system instability and failure to start, requiring a reinstallation of Windows XP to restore proper operation.
To see which HAL is loaded on your system:
1. Open the System Properties dialog box.
2. Click the Hardware tab.
3. Click Device Manager to launch the Device Manager console.
4. Expand the Computer object. The HAL installed on your system will
be displayed as shown in Figure 4-17.
Figure 4-17 Device Manager displaying the HAL version
Forcing Installation of a Specific HAL
You can force Windows XP to install a specific HAL during operating system
installation. You should do this only under the advice of a representative of the
hardware manufacturer or Microsoft Product Support Services (PSS).
To force Windows XP to install a specific HAL:
1. Just after booting from the Windows CD-ROM or soon after starting
the Windows XP setup program, you are presented with the option to
press F6 if you need to install a SCSI or RAID controller (Figure 4-18).
Press F5 instead.
Figure 4-18 Press F5 here to install an alternative HAL.
2. On the screen that appears, shown in Figure 4-19, select the appropriate hardware abstraction layer.
Figure 4-19 Selecting a HAL
NOTE You can skip HAL selection and force use of a non-ACPI HAL by pressing F7 in step 1 above instead of F5.
TROUBLESHOOTING ACPI
Most ACPI problems stem from not having the correct HAL for the system experiencing trouble. Using an ACPI HAL with a non-ACPI compliant system can
result in resource arbitration issues. This can manifest itself as problems with
shutting down properly, I/O errors during operation, and problems with hibernation or standby operation.
To use a different HAL, you must reinstall Windows XP, forcing the installation of
the correct HAL if necessary. You should do this only under the advice of a representative of the hardware manufacturer or Microsoft PSS.
SUMMARY
■ Windows XP can install and manage hardware devices automatically using the PnP and ACPI specifications.
■ Manually configuring a device prevents Windows XP from managing its settings and hinders automatic resource arbitration.
■ Hardware profiles allow Windows XP to maintain more than one configuration to support systems that experience repetitive hardware changes such as docking and undocking a notebook computer.
■ The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers are signed with a digital certificate.
■ Windows XP can prohibit installation of unsigned device drivers.
■ Windows XP is provided with digitally signed system files and can verify and restore these files if they are overwritten by applications.
■ Adding a second CPU in Windows XP causes Windows XP to install a multiprocessor HAL to enable multiprocessor support.
■ Advanced Configuration and Power Interface (ACPI) controls device and power management in Windows XP.
■ Changing between ACPI and non-ACPI hardware abstraction layers (HALs) will cause system instability and can result in failure to start.
■ You can select a version of the HAL during system installation and reinstallation.
REVIEW QUESTIONS
1. Which of the following settings does Windows XP configure on Plug
and Play peripheral devices? (Choose all correct answers.)
a. IRQ
b. I/O address
c. voltage
d. performance level
2. Which of the following settings does Windows XP configure on
ACPI peripheral devices? (Choose all correct answers.) (knowledge
application)
a. IRQ
b. I/O address
c. bus type
d. bandwidth
3. To make full use of a second CPU, an application must support
__________ operation. (knowledge demonstration)
4. Device drivers that are tested and accepted by the Microsoft Hardware
Quality Laboratory (WHQL) are digitally __________. (knowledge
demonstration)
a. approved
b. accepted
c. signed
d. encrypted
5. Which of the following technologies do you use to block the
installation of unsigned device drivers? (knowledge application)
a. File Signature Verification
b. Driver signing
c. System File Checker
d. Sigverif
CASE SCENARIOS
Scenario 4-1: Managing a Hardware Upgrade
You are upgrading a graphics workstation to improve performance. You are
adding a second CPU and additional memory. Which of the following choices
provides for correct installation of both new components?
a. Install a multiprocessor HAL for the processor, and take no action for
the memory.
b. Take no action for the processor or for the memory.
c. Reinstall Windows XP to support the processor, and take no action for
the memory.
d. Take no action for the processor, and run the Add New Hardware
Wizard for the memory.
Scenario 4-2: Troubleshooting Problems with the HAL
You are troubleshooting a system that will not boot. The user of the system says that
he replaced the ACPI HAL with a non-ACPI HAL. How do you solve this problem?
a. Run System Restore to replace the original HAL
b. Change the HAL back to the original
c. Reinstall Windows XP
d. Restore the original HAL from a backup
CHAPTER 5
CONFIGURING AND MANAGING THE USER EXPERIENCE
Upon completion of this chapter, you will be able to:
■ Configure and manage desktop components
■ Configure display options
■ Configure multiple displays
■ Configure power management options
■ Manage users’ profiles and data
■ Configure regional and language settings
■ Manage accessibility settings
In this chapter, you will learn how to manage the Microsoft Windows XP user
experience. We will explore desktop components and their settings; configure
power management options; manage user profiles, user profile folders, and data
folders; and configure accessibility options. We will also discuss regional settings
and language options, and how to configure and manage multiple displays in
Windows XP.
CONFIGURING AND MANAGING DESKTOP COMPONENTS
The desktop environment is the workspace of the Windows XP user. It offers a
metaphor for organization that allows users to personalize their work area to suit
their requirements and offers a space to store documents, frequently used program
shortcuts, and links to Web sites. You can even embed Web site views directly
into the background wallpaper.
In this section, we will explore desktop configuration, including the configuration of components such as the taskbar, the Start menu, and the notification area.
We will explore display settings such as wallpaper selection, screen savers, screen
resolution, and color settings. We will conclude by discussing multiple monitor
support and troubleshooting.
Configuring Display Settings
Windows XP supports a wide range of display options and an amazing array of
hardware and configurations.
To view or modify the display, open Control Panel, click Appearance And Themes,
and then click Display to open the Display Properties dialog box. Alternatively,
you can access the dialog box by right-clicking the desktop and selecting Properties.
NOTE The Windows XP Control Panel supports two modes of operation: Category
view (the default) and Classic view. In Classic view, the Display icon is
typically in plain view. We present the Category view navigation path here
because it is the default experience for most users.
The Display Properties dialog box has five tabs: Themes, Desktop, Screen Saver,
Appearance, and Settings. We will examine them in turn.
IMPORTANT You can enable Group Policy settings that restrict access to display
options. For example, in the Display Properties dialog box, you can choose to
remove the Appearance tab or the Settings tab. For more information about Group
Policy, see Chapter 13 and Chapter 14.
Themes tab
On the Themes tab (Figure 5-1), you can select a complete set of configuration
settings to set a theme for colors, wallpapers, sounds, icons, and other elements.
You can choose from included themes such as Windows Classic or Windows XP,
or you can choose themes published online or as part of Microsoft Plus! For
Windows XP.
Figure 5-1 The Themes tab of the Display Properties dialog box
Desktop tab
The Desktop tab is where you select desktop wallpaper and background colors
(Figure 5-2). You can select one of the available wallpaper options or a solid background color, or you can browse for a graphic image in a folder on your hard drive.
Figure 5-2 The Desktop tab of the Display Properties dialog box
You can also use this tab to access settings that control which default icons are
displayed on the desktop and their appearance. Click Customize Desktop to
open the Desktop Items dialog box (Figure 5-3).
You can choose to include or exclude an icon for My Documents, My Computer,
My Network Places, and Microsoft Internet Explorer on your desktop, as well as
customize the icons used to represent these items.
You can also configure the frequency with which the Desktop Cleanup Wizard
(Figure 5-4) is run. The default setting for running the wizard is every 60 days.
Click Clean Desktop Now to run the Desktop Cleanup Wizard immediately.
Figure 5-3 Managing desktop icons in the Desktop Items dialog box
Figure 5-4 Removing unused icons with the Desktop Cleanup Wizard
The wizard removes icons from the desktop that have not been used in the last
60 days and places them in the Unused Desktop Shortcuts folder, which is placed
on the user’s desktop; it does not remove any programs from your computer.
You can also embed Web site content in your desktop. To include Web content on
your desktop, in the Desktop Items dialog box, click the Web tab (Figure 5-5).
You are presented with a list of Web pages. You can add any Web page to your
desktop by checking the box next to it or by clicking New and entering the URL.
You can also click Delete to remove a Web page from the list.
Click Properties to view the Properties dialog box for the embedded Web page.
This dialog box (Figure 5-6) allows you to make the Web page available offline, to
synchronize immediately or schedule the synchronization of this offline Web page
with the content on the Internet, and to specify whether you want Microsoft
Internet Explorer to download more than just the top-level page of this Web site.
Figure 5-5 Managing desktop Web content
Figure 5-6 Viewing settings for an embedded Web page
NOTE If you want Internet Explorer to download more than just the top-level
page, you can configure the Web component to include all of the content linked
up to three levels deep when synchronizing the page.
Screen Saver tab
The Screen Saver tab (Figure 5-7) allows you to choose a screen saver. Screen
savers prevent damage to monitors by preventing an image from getting burned
into the screen. Newer monitors are not as likely to burn in as early monitors, but
long-term display of fixed objects can still cause some damage.
You can select the time the system will remain idle before the screen saver appears.
The default is 15 minutes. You can even use a picture of your own as a screen
saver by uploading it from a digital camera or scanner, copying it from the Internet,
or copying it from an e-mail attachment.
Figure 5-7 Configuring screen saver settings
The Screen Saver tab also lets you configure the system to prompt you for a
password before clearing the screen saver. This is a great security feature that
essentially locks your system if you get called away and cannot return to your
system in a timely manner.
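As an added example that is not part of the book, the following Python audit checks the values the Screen Saver tab stores under HKEY_CURRENT_USER\Control Panel\Desktop (ScreenSaveActive, ScreenSaveTimeOut, ScreenSaverIsSecure, and SCRNSAVE.EXE are the real value names) against an assumed policy of locking within the tab's default 15 minutes. The function names and threshold are my own, the sample values are constructed, and the live registry read only runs on a Windows host.

```python
"""Audit the screen saver lock configured on the Screen Saver tab.

Added example, not from the book. The Screen Saver tab writes its choices
as string values under HKEY_CURRENT_USER\\Control Panel\\Desktop:
  ScreenSaveActive    "1" when a screen saver is enabled
  ScreenSaveTimeOut   idle time in seconds before it starts
  ScreenSaverIsSecure "1" when "On resume, password protect" is checked
  SCRNSAVE.EXE        path of the selected screen saver (absent = none)
"""
from typing import Dict, List

DESKTOP_KEY = r"Control Panel\Desktop"
MAX_IDLE_SECONDS = 15 * 60  # assumed policy: lock within the tab's default 15 minutes

# Constructed sample, as if read from a workstation that runs a screen saver
# after 30 minutes but does not ask for a password on resume.
SAMPLE_VALUES = {
    "ScreenSaveActive": "1",
    "ScreenSaveTimeOut": "1800",
    "ScreenSaverIsSecure": "0",
    "SCRNSAVE.EXE": r"C:\WINDOWS\system32\logon.scr",
}


def _flag(values: Dict[str, str], name: str) -> bool:
    """Registry booleans here are REG_SZ "1"/"0"; treat anything else as off."""
    return str(values.get(name, "0")).strip() == "1"


def audit_screen_saver(values: Dict[str, str]) -> List[str]:
    """Return findings for one user's settings (an empty list means compliant)."""
    findings: List[str] = []
    # No screen saver at all means the console never locks on idle, so the
    # remaining checks are moot.
    if not _flag(values, "ScreenSaveActive") or not values.get("SCRNSAVE.EXE"):
        findings.append("screen saver is not enabled; the console never locks on idle")
        return findings
    if not _flag(values, "ScreenSaverIsSecure"):
        findings.append("screen saver does not prompt for a password on resume")
    try:
        timeout = int(values.get("ScreenSaveTimeOut", "0"))
    except ValueError:
        timeout = 0
    if timeout <= 0:
        findings.append("ScreenSaveTimeOut is missing or invalid")
    elif timeout > MAX_IDLE_SECONDS:
        findings.append(f"idle time {timeout // 60} min exceeds {MAX_IDLE_SECONDS // 60} min")
    return findings


def read_desktop_values() -> Dict[str, str]:
    """Read the live values on Windows; elsewhere return the constructed sample."""
    try:
        import winreg
    except ImportError:
        return dict(SAMPLE_VALUES)
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, DESKTOP_KEY) as key:
        for name in SAMPLE_VALUES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value not set for this user
    return values


if __name__ == "__main__":
    for finding in audit_screen_saver(read_desktop_values()) or ["compliant"]:
        print(finding)
```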
Finally, on this tab you can adjust system power profiles and settings to help save
energy. We will discuss power management in more detail in the next section.
Appearance tab
The Appearance tab (Figure 5-8) allows you to configure the style of windows and
buttons, the color scheme, and font size.
Figure 5-8 The Appearance tab of the Display Properties dialog box
Click Effects to configure the following options (Figure 5-9):
■ Use The Following Transition Effect For Menus And Tooltips
■ Use The Following Method To Smooth Edges For Screen Fonts
■ Use Large Icons
■ Show Shadows Under Menus
■ Show Windows Contents While Dragging
■ Hide Underlined Letters For Keyboard Navigation Until I Press The Alt Key
Figure 5-9 Configuring menu and text effects
Settings tab
The Settings tab allows you to configure display options, including the number of
colors, video resolution, font size, and refresh frequency (Figure 5-10).
Figure 5-10 Settings tab of the Display Properties dialog box
Let’s explore the options on the Settings tab for configuring display
settings.
■ Color Quality Displays the current color settings for the monitor attached
to the display adapter listed under Display. This option allows you to change
the color quality for the display adapter.
■ Screen Resolution Displays the current screen resolution settings for the
monitor attached to the display adapter listed under Display. This option
allows you to set the resolution for the display adapter. As you increase the
number of pixels, you display more information on the screen, but you decrease
the size of the information.
■ Troubleshoot Opens the Video Display Troubleshooter to help you diagnose
display problems.
■ Advanced Opens the Properties dialog box for the display adapter, as
described in Table 5-1.
Table 5-1 Display Adapter Advanced Options
Tab: General
  Option: Display (DPI Setting)
  Description: Provides Normal, Large, or Other display font options. Use the
  Other option to choose a custom font size.
  Option: Compatibility
  Description: Determines the action that Windows should take when you make
  changes to display settings. After you change the color settings, you must
  choose one of the following options:
    ■ Restart The Computer Before Applying The New Display Settings
    ■ Apply The New Display Settings Without Restarting
    ■ Ask Me Before Applying The New Display Settings
NOTE Some display adapter drivers install their own custom tabs for this dialog
box. If you see additional manufacturer-specific tabs, check your
manufacturer’s documentation for details on configuring options in those tabs.
Tab: Adapter
  Option: Adapter Type
  Description: Provides the manufacturer and model number of the installed
  adapter. Clicking Properties displays the Properties dialog box for your
  adapter (Figure 5-11):
    ■ The General tab of the Properties dialog box provides additional
    information, including device status, resource settings, and any
    conflicting devices.
    ■ The Driver tab of the Properties dialog box provides details about the
    display adapter’s device driver and allows you to update the driver, roll
    back to the previously installed driver, or uninstall the driver.
    ■ The Resources tab of the Properties dialog box displays the hardware
    resources (such as IRQs or device I/O ports) being used by the adapter.
  Option: Adapter Information
  Description: Provides additional information about the display adapter, such
  as video chip type, digital-to-analog converter (DAC) type, memory size, and
  BIOS version.
  Option: List All Modes
  Description: Displays all compatible modes for your display adapter and lets
  you select resolution, color depth, and refresh frequency in one step.
Figure 5-11 The Properties dialog box for a display adapter
Tab: Monitor
  Option: Monitor Type
  Description: Provides the manufacturer and model number of the currently
  installed monitor. The Properties button opens the hardware Properties dialog
  box for your monitor, which lists device and driver information and allows
  you to manage the device drivers for your monitor. It also gives access to
  the Video Display Troubleshooter to help resolve problems with this device.
  Option: Monitor Settings
  Description: Configures the refresh rate frequency. This option applies only
  to high-resolution drivers. Do not select a refresh rate and screen
  resolution combination that is unsupported by the monitor. If you are unsure,
  refer to your monitor documentation or select the lowest refresh rate option.
  When you use a Plug and Play display, unsupported settings are unavailable.
  You would have to actually clear the Hide Modes This Monitor Cannot Display
  check box to see unsupported settings.
  If you select an unsupported refresh rate, your monitor will most likely go
  blank for 15 seconds as Windows displays a confirmation dialog box. By
  waiting for the dialog box to expire, you can decline to apply the settings
  permanently, and the prior settings will be returned.
Tab: Troubleshoot
  Option: Hardware Acceleration
  Description: Lets you progressively decrease your display hardware’s
  acceleration features to help you isolate and eliminate display problems.
  Lets you select whether to use write combining, which improves video
  performance by collecting video display writes in the CPU and then bursting
  them to the video display memory in large blocks. Write combining on
  unsupported hardware can lead to screen corruption, however. If you
  experience trouble with your display, try clearing the Enable Write Combining
  check box.
Tab: Color Management
  Description: Specifies the color profile for your monitor.
Using Multiple Displays
Windows XP Professional supports multiple display configurations. Multiple displays allow you to extend your desktop across more than one monitor (Figure 5-12).
Windows XP Professional supports the extension of your display across a maximum of 10 monitors.
Figure 5-12 A document viewed on multiple displays
IMPORTANT You must use Peripheral Component Interconnect (PCI)
or Accelerated Graphics Port (AGP) display adapters when configuring
multiple displays.
If one of the display adapters is built into the motherboard, note these additional
considerations:
■ The motherboard adapter always becomes the secondary adapter. It must be
multiple-display compatible.
■ You must set up Windows XP Professional before installing another display
adapter. Windows XP Professional Setup disables the motherboard adapter if it
detects another display adapter. In some systems, the BIOS completely disables
the on-board adapter on detecting an add-in adapter. If you are unable to
override this detection in the BIOS, you cannot use the motherboard adapter
with multiple displays.
■ Typically, the system BIOS selects the primary display based on PCI slot
order. However, on some computers, the BIOS allows the user to select the
primary display device.
■ You cannot disable the primary display. This is an important consideration
for laptop computers with docking stations. For example, some docking stations
contain a display adapter; these often disable, or turn off, a laptop’s
built-in display. Multiple-display support does not function in these
configurations unless you attach multiple adapters to the docking station.
Configuring Multiple Displays
Before you can configure multiple displays, you must install additional display
adapters in your PC. Then you must enable each one for operation in a multiple-display environment.
To install multiple monitors, complete the following steps:
1. Turn off your computer, and insert one or more additional PCI or AGP
display adapters into available slots on your computer. Follow the
instructions provided by the adapter manufacturer(s).
2. Plug an additional monitor into each PCI or AGP display adapter that
you installed.
3. Turn on your computer and allow Windows XP Professional to detect
the new adapters and install the appropriate device drivers. You might
be required to insert driver disks and configure additional settings as
specified in the manufacturer’s installation instructions.
To configure your display in a multiple-display environment, complete the following steps:
1. In Control Panel, click Appearance And Themes, and then click
Display.
2. In the Display Properties dialog box, click the Settings tab (Figure 5-13).
Figure 5-13 Configuring multiple-display support
3. Click the monitor icon for the primary display device.
4. Select the display adapter for the primary display, and then select the
color depth and resolution.
5. Click the monitor icon for the secondary display device.
6. Select the display adapter for the secondary display, and then select
the Extend My Windows Desktop Onto This Monitor check box.
7. Select the color depth and resolution for the secondary display.
8. Repeat steps 5 through 7 for each additional display.
Windows XP Professional uses the virtual desktop concept to determine the
relationship of each display. The virtual desktop uses coordinates to track the
position of each individual display desktop.
The coordinates of the top-left corner of the primary display always remain 0, 0.
Windows XP Professional sets secondary display coordinates so that all the displays adjoin each other on the virtual desktop. This allows the system to maintain
the illusion of a single, large desktop where users can cross from one monitor to
another without losing track of the mouse.
To change the display positions on the virtual desktop, select the Settings tab and
click Identify, and drag the display representations to the desired position. The
positions of the icons dictate the coordinates and the relative positions of the
displays.
Troubleshooting Multiple Displays
If you encounter problems with multiple displays, follow the troubleshooting
guidelines in Table 5-2.
Table 5-2 Troubleshooting Tips for Multiple Displays
Problem: You cannot see any output on the secondary displays.
Possible Solutions:
  ■ Activate the device in the Display Properties dialog box. Confirm that you
  chose the correct video driver.
  ■ Restart the computer to confirm that the secondary display initialized. If
  it didn’t, check the status of the display adapter in Device Manager.
  ■ Check that both display adapters are compatible with multiple-monitor
  support. If the primary adapter is not compatible, multiple-display support
  will not be activated.
Problem: The Extend My Windows Desktop Onto This Monitor check box is
unavailable.
Possible Solutions:
  ■ In the Display Properties dialog box, select the display onto which you
  want to extend your desktop.
  ■ Confirm that the secondary display adapter is supported.
  ■ Confirm that Windows XP Professional can detect the secondary display.
Problem: An application fails to display on the secondary display.
Possible Solutions:
  ■ Run the application on the primary display.
  ■ Run the application in full-screen mode (MS-DOS) or maximized (Windows).
  ■ Disable the secondary display to determine whether the problem is specific
  to multiple-display support.
The Taskbar and Start Menu
In addition to modifying your display settings, you can customize the behavior
of the taskbar and the Start menu. In this section, we will explore the settings for
these two desktop components.
Configuring the taskbar
The taskbar allows you to tell at a glance which applications are loaded and access
these applications even if another application has the focus on the desktop or is
maximized. When the taskbar icons start to get too crowded, they can group
themselves into stacks based on the type of application. You can control this
behavior (and other settings) in the Taskbar And Start Menu Properties dialog box
(Figure 5-14), which you open by right-clicking on the taskbar or the Start menu
and then selecting Properties.
Figure 5-14 The Taskbar And Start Menu Properties dialog box
NOTE The Taskbar And Start Menu Properties dialog box previews the appearance
of changes you specify. If you want to see what some of these settings look
like, just watch the picture of the taskbar in the dialog box as you choose
them. You will see how the taskbar would look with these settings applied.
Let’s explore the settings in this dialog box:
■ Lock The Taskbar This setting locks the position and size of the taskbar,
preventing you from inadvertently moving it to another edge of the screen or
resizing docked toolbars (such as Quick Launch or Media Player) or the taskbar
itself.
■ Auto-Hide The Taskbar This setting causes the taskbar to retreat to the edge
of the screen whenever it is not the focus of an operation. This gives an
additional portion of screen space to other applications.
■ Keep The Taskbar On Top Of Other Windows This setting prevents other
application windows from covering the taskbar. (Covering the taskbar prevents
the user from accessing other applications by clicking their taskbar icons.)
■ Group Similar Taskbar Icons This option causes the icons for similar
applications to stack themselves into groups when the taskbar starts to get
too cluttered. Disabling this option causes the icons to get smaller and
smaller as more are added, until they can no longer be read.
NOTE If you are running many different types of applications at once, it is
still possible to overcrowd the taskbar.
■ Show Quick Launch This option displays the Quick Launch toolbar on the
taskbar. This toolbar allows you to add icons to quickly launch applications
without searching for them on the Start menu.
Configuring the notification area The notification area (formerly known as
the system tray in earlier versions of Windows) includes the system clock
display and notification icons for any background applications running on your
system. The notification area has two options:
■ Show The Clock Enables or disables the clock display.
■ Hide Inactive Icons Allows you to hide notification icons that are not
currently active. You can also designate certain icons that will always show
by using the Customize button (Figure 5-15).
Figure 5-15 Customizing the notification area
Configuring the Start menu
The Start menu is the most-used menu in Windows XP. It contains program
shortcuts, configuration settings, recently used document lists, frequently used
programs, and pinned programs, which are programs that are fixed to the Start
menu for rapid access.
You can customize the Start menu through the Taskbar And Start Menu Properties
dialog box (Figure 5-16).
Figure 5-16 Customizing the Start menu
You can click the Customize button to open the Customize Start Menu dialog box
(Figure 5-17), where you can customize several features of the Start menu. The
dialog box has two tabs: General and Advanced.
Figure 5-17 Customizing the Windows XP Start menu
Options on the General tab of the Customize Start Menu dialog box are as follows:
■ Select An Icon Size For Programs Specifies large or small icons on the
Start menu. You can use this option to prevent the Start menu from getting too
large when there are too many icons.
■ Programs Controls the number of recent programs that are displayed. You can
also clear the list here.
■ Show On Start Menu Specifies which programs to display on the Start menu as
the default tools for accessing the Internet via the World Wide Web and
communicating via e-mail. You can also disable the display of applications for
these categories by clearing the selection box next to each program.
The following options are available on the Advanced tab of the Customize Start
Menu dialog box (Figure 5-18):
■ Start Menu Settings This portion of the dialog box controls the behavior of
two aspects of Start menu operation:
❑ Open Submenus When I Pause On Them With My Mouse Controls navigation of
the Start menu. If you disable this setting, you must click each submenu to
expand it.
❑ Highlight Newly Installed Programs Causes the Start menu to draw attention
to new applications by highlighting their submenus and shortcuts.
■ Start Menu Items Controls which submenus are displayed on the Start menu
and their appearance. This selection includes options to display Control
Panel, the My Documents folder, and My Computer.
■ Recent Documents Activates the display of the My Recent Documents list.
Clicking the Clear List button clears the contents of this list.
Figure 5-18 Configuring Start menu advanced items
Restoring the Classic Start menu You can choose the Classic Start Menu
option in the Taskbar And Start Menu Properties dialog box to configure Windows XP
with the appearance of Windows 2000 Professional. Clicking Customize opens
the Customize Classic Start Menu dialog box (Figure 5-19), where you can add or
remove items from the Classic Start menu and enable or disable optional submenus.
Figure 5-19 Customizing the Classic Start menu
CONFIGURING POWER OPTIONS
You can configure Windows XP Professional to turn off the power to your monitor
and your hard disk or put the computer in hibernate mode. In Control Panel,
click Performance And Maintenance, and then click Power Options. Alternatively,
you can use the Screen Saver tab of the Display Properties dialog box.
Selecting a Power Scheme
Power schemes allow you to configure the conservation settings for your system. In
the Power Options Properties dialog box (Figure 5-20), click the Power Schemes tab.
Figure 5-20 The Power Schemes tab of the Power Options Properties dialog box
for a notebook computer
Windows XP Professional provides the following six built-in power schemes:
■ Home/Office Desk Designed for a desktop computer. After 20 minutes of
inactivity, the monitor is turned off, but the hard disks are never turned off.
■ Portable/Laptop Optimized for portable computers that run on batteries.
After 15 minutes of inactivity, the monitor is turned off; after 30 minutes of
inactivity, the hard disks are turned off. The system will go on standby (low
power) after 20 minutes and hibernate (if enabled) after 1 hour.
NOTE When notebook computers are running on batteries, the settings for power
schemes change. In the Portable/Laptop scheme, for example, the time drops to
5 minutes for monitor, hard disk, and system standby, with hibernation in
10 minutes. This section presents the “on battery” settings for Portable/Laptop
and Maximize Battery. The rest are for a desktop computer or a laptop on AC
power.
■ Presentation Designed for use with presentations for which the computer
display must always remain on. The monitor and the hard disks are never turned
off.
■ Always On Designed for use with personal servers. After 20 minutes of
inactivity, the monitor is turned off, but the hard disks are never turned off.
■ Minimal Power Management Disables some power management features, such as
timed hibernation. After 15 minutes of inactivity, the monitor is turned off,
but the hard disks are never turned off.
■ Max Battery Designed to conserve as much battery power as possible. After
1 minute of inactivity, the monitor is turned off; the hard disks are turned
off after 3 minutes. The system goes on standby after 2 minutes and hibernates
after 5 minutes.
Configuring Advanced Power Options
To configure your computer to use advanced power options, you use the
Advanced tab of the Power Options Properties dialog box (Figure 5-21).
Figure 5-21 Advanced power options on a notebook computer
This tab offers the following options:
■ Select the Always Show Icon On The Taskbar check box to add an icon to the
taskbar for quick access to Power Management.
■ Select the second check box, Prompt For Password When Computer Resumes From
Standby, to be prompted for your Windows password when your computer comes out
of standby mode. (On older systems, this check box might not appear unless the
system is set to hibernate.)
The lower half of this tab configures actions the system will take if the power
button is pressed, or (for laptops only) when the lid is closed or the sleep button
is pressed. Options for these settings include: Shut Down, Stand By, Hibernate,
Do Nothing, and Ask Me What To Do.
Enabling Hibernate Mode
When your computer hibernates, it saves the current system state to your hard
disk, and then your computer shuts down. When you start the computer after
it has been hibernating, it returns to its previous state, which includes any
programs that were running when it went into hibernate mode, and even any
local network connections that were active at the time.
NOTE Dial-up and VPN connections are not preserved during a hibernate
action.
To configure your computer to use Hibernate mode:
1. Select the Hibernate tab in the Power Options Properties dialog box
(Figure 5-22).
2. Select the Enable Hibernation check box.
Figure 5-22 Enabling hibernation on a Windows XP system
IMPORTANT You must have free disk space equivalent to the amount of RAM on your
system to allow the system’s state to be written to disk during hibernation. If
the Hibernate tab is unavailable, your computer does not support this mode.
Configuring Advanced Power Management
Windows XP Professional supports Advanced Power Management (APM), which
helps reduce the power consumption of your system. To configure your computer to use APM, you use the APM tab of the Power Options Properties dialog
box. If the APM tab is unavailable, your computer is compliant with Advanced
Configuration and Power Interface (ACPI), a specification that supersedes
APM support.
To enable APM, select the Enable Advanced Power Management Support check
box on the APM tab.
NOTE You must be logged on as a member of the Administrators group to
configure APM.
Advanced Configuration and Power Interface (ACPI)
If your laptop has an ACPI-based BIOS, you can insert and remove PC cards on
the fly, and Windows XP Professional will detect and configure them without
requiring you to restart your machine. This is known as dynamic configuration of
PC cards. There are two other important features for mobile computers:
■ Hot and warm docking/undocking Hot and warm docking/undocking means you
can dock and undock from the Windows XP Professional Start menu without turning
off your computer. Windows XP Professional automatically creates two hardware
profiles for laptop computers: one for the docked state and one for the
undocked state. (For more information about hardware profiles, see Chapter 4.)
■ Hot swapping of Integrated Device Electronics (IDE) and floppy devices Hot
swapping of IDE and floppy devices means you can remove and swap devices such
as floppy drives, DVD/CD drives, and hard drives without shutting down or
restarting your system; Windows XP Professional automatically detects and
configures these devices.
Configuring an Uninterruptible Power Supply
An uninterruptible power supply (UPS) is a device connected between a computer or another piece of electronic equipment and a power source, such as an
electrical outlet. The UPS ensures that the electrical flow to the computer is not
interrupted because of a blackout and, in most cases, it protects the computer
from potentially damaging events such as power surges and brownouts. Different
UPS models offer different levels of protection.
To configure your UPS, click the UPS tab of the Power Options Properties dialog
box, which shows the current power source, the estimated UPS run time, the
estimated UPS capacity, and the UPS battery condition. Click Details to display
the UPS Selection dialog box, which lists manufacturers so you can select the
manufacturer of your UPS.
NOTE Unlike desktop systems, notebook computers do not enable the UPS tab in
the Power Options Properties dialog box (because they don’t need it).
NOTE Check the Windows Catalog to make sure the UPS you are considering is
compatible with Windows XP Professional before you purchase it.
If you want to configure a UPS not listed by manufacturer and model:
1. In the Select Manufacturer list box, select Generic.
2. In the Select Model list box, select Generic, and then click Next.
You can configure the conditions that trigger the UPS device to send a
signal in the UPS Interface Configuration dialog box (Figure 5-23). These
conditions include power failures, a low battery, and the UPS shutting
down. You should select Positive if your UPS sends a signal with positive polarity when the power fails and the UPS is running on battery.
Select Negative if your UPS sends a signal with negative polarity.
CAUTION Be sure to check your UPS documentation before you configure
signal polarity.
Figure 5-23 The UPS Interface Configuration dialog box
After you have configured the UPS service for your computer, you should test
the configuration to ensure that your computer is protected from power failures.
Disconnect the main power supply to simulate a power failure. During your test,
the computer and the devices connected to the computer should remain operational. You should let the test run long enough for the UPS battery to reach a low
level so that you can verify that an orderly shutdown occurs.
CAUTION Do not test your UPS on a production computer. You could lose valuable data. Use a spare computer for the test.
CONFIGURING USER PROFILES
Typically, the use of user profiles is considered part of user account management
and does not extend beyond defining the user’s profile folder. We will cover user
account management in Chapter 13, but here we will discuss how user profiles
configure the user experience, including how roaming user profiles enable
IntelliMirror technologies.
IntelliMirror is a set of technologies that, taken together, provide a framework for
managing the user experience. IntelliMirror technologies provide three main
functions:
■ User data management  A user profile contains files and folders that are stored locally on a computer (local user profiles) or remotely on the network (roaming user profiles). These files include the user’s Start menu, My Documents folder, desktop, and any registry settings that are specific to the user. Other folders and files might also be part of a user’s profile, as required by applications managed for the user.
■ User settings management  Also stored in the user’s profile is a set of registry entries that configure user-specific settings for the user’s applications and system configuration preferences.
■ Software installation and maintenance  Software installation and settings are managed by policies such as Active Directory Group Policy Objects or local computer policies that define which applications are installed for the user and the configuration settings those applications will have.
User profiles in IntelliMirror are specific to the user.
Local and Roaming User Profiles
There are two types of user profiles:
■ Local profile  Windows XP Professional creates a local user profile the first time a user logs on to a computer and stores the profile on that computer.
■ Roaming profile  If the domain administrator designates a user profile folder for a user, that user’s local profile is copied to the specified folder, making it available wherever she logs on. A roaming user profile is especially helpful because it follows the user around, setting up the same desktop environment no matter which computer the user logs on to in the domain.
The portability of the roaming user profile is the basis for the IntelliMirror
experience.
NOTE A read-only roaming user profile is called a mandatory user profile. When the user logs off, Windows XP Professional does not save any changes made to the desktop environment during the session, so the next time the user logs on, the profile is exactly the same as the last time she logged on.
User Profile Storage Locations
On the local computer, user profiles are stored in the Documents And Settings
folder tree on the boot partition (usually drive C). If you browse this folder hierarchy,
you will see a folder for each user that contains such subfolders as Desktop, Start
Menu, Favorites, and My Documents. If you save a file to one of these folders, it
should show up on the appropriate menu or desktop for the user whose profile
you are working with (Figure 5-24).
Figure 5-24 User profile folders
In addition to the user-specific folders, there is a folder for All Users. Placing a
program shortcut in All Users\Desktop makes it available to all users of the computer you are working with. Similarly, an icon in All Users\Start Menu makes it
available to each user on her Start menu.
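The merging the text describes (whatever sits in All Users\Desktop or All Users\Start Menu appears for every user, alongside that user’s own items) can be checked from a script. The following is an added example written for this section, not code from the book or from Windows: it builds a constructed Documents And Settings tree in a temporary directory, then computes the Desktop and Start Menu each user would actually see and labels where every item comes from. The folder names in NON_USER_FOLDERS and the sample shortcut names are assumptions made for the example; point report() at a real C:\Documents and Settings to inventory a machine, which is a useful way to review what reaches every account on a shared computer.

```python
"""Merge a user's own profile folders with the All Users folders to show the
Desktop and Start Menu that user actually sees.

Added example, not from the book. It builds a constructed Documents And
Settings tree in a temporary directory so it runs anywhere; point
report() at a real C:\\Documents and Settings to inventory an XP machine.
"""
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Set

# Folders whose contents Windows XP presents as the union of the All Users
# copy and the user's own copy (the two folders the text discusses).
MERGED_FOLDERS = ("Desktop", "Start Menu")

# Profile folders on an XP box that are not interactive users. Assumption:
# the template and service-account folders named here.
NON_USER_FOLDERS = {"All Users", "Default User", "LocalService", "NetworkService"}

# Constructed sample layout: path components under the profile root.
SAMPLE_LAYOUT = (
    ("All Users", "Desktop", "Helpdesk.lnk"),
    ("All Users", "Start Menu", "Programs", "Company Portal.lnk"),
    ("Default User", "Desktop", "Welcome.lnk"),
    ("alice", "Desktop", "Quarterly Report.doc"),
    ("alice", "Start Menu", "Programs", "Notes.lnk"),
    ("bob", "Desktop", "Helpdesk.lnk"),       # same name as the All Users item
    ("bob", "My Documents", "todo.txt"),      # private; not merged with All Users
)


def build_sample_profile_root() -> Path:
    """Create the constructed profile tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="docs_and_settings_"))
    for parts in SAMPLE_LAYOUT:
        target = root.joinpath(*parts)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()
    return root


def _items_under(base: Path) -> Set[str]:
    """Relative paths (POSIX style) of every file below base; empty if absent."""
    if not base.is_dir():
        return set()
    return {p.relative_to(base).as_posix() for p in base.rglob("*") if p.is_file()}


def profile_users(root: Path) -> List[str]:
    """Names of the per-user profile folders, excluding All Users and the rest."""
    return sorted(d.name for d in root.iterdir()
                  if d.is_dir() and d.name not in NON_USER_FOLDERS)


def effective_view(root: Path, user: str, folder: str) -> Dict[str, str]:
    """Map each item the user sees in `folder` to where it comes from:
    "All Users", the user's own name, or "both" when the names collide."""
    if folder not in MERGED_FOLDERS:
        raise ValueError(f"{folder!r} is not merged with All Users")
    shared = _items_under(root / "All Users" / folder)
    own = _items_under(root / user / folder)
    view: Dict[str, str] = {}
    for item in shared | own:
        if item in shared and item in own:
            view[item] = "both"
        elif item in shared:
            view[item] = "All Users"
        else:
            view[item] = user
    return view


def report(root: Path) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Effective Desktop and Start Menu for every interactive user on the box."""
    return {user: {folder: effective_view(root, user, folder)
                   for folder in MERGED_FOLDERS}
            for user in profile_users(root)}


if __name__ == "__main__":
    sample_root = build_sample_profile_root()
    try:
        for user, folders in report(sample_root).items():
            for folder, items in folders.items():
                for item, origin in sorted(items.items()):
                    print(f"{user:8} {folder:11} {item:30} <- {origin}")
    finally:
        shutil.rmtree(sample_root)
```

An item reported as "All Users" is visible to every account that logs on, so changes to that folder deserve the same review as any other machine-wide setting; "both" flags a user whose own copy shadows a shared item of the same name.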
CONFIGURING MULTIPLE LANGUAGES AND LOCATIONS
Windows XP can support many different language styles and regional options for
currency, time, and even punctuation.
To access regional options and language settings, in Control Panel click the Date,
Time, Language, And Regional Options icon (Figure 5-25).
Figure 5-25 The Date, Time, Language, And Regional Options icon in Control Panel
You can manage date and time settings and number and date formats or add
other languages. Choosing any option to format date and time or manage
regional or language options launches the Regional And Language Options
dialog box (Figure 5-26).
Figure 5-26 Configuring regional and language options
The Regional Options tab allows you to configure standards and formats for each
language. For example, you can configure the format for displaying numbers,
currency, time, and dates. If you have configured multiple locations, you can also
choose your preferred location. Windows XP Professional has support for many
locales including Galician, Gujarati, Kannada, Kyrgyz, Mongolian (Cyrillic), Punjabi,
Divehi, Arabic (Syrian), and Telugu.
NOTE If some of the languages mentioned here do not appear on your system, you might need to add support for that type of language. Two check boxes are available in the Text Services And Input Languages dialog box. The first is Install Files For Complex Script And Right-To-Left Languages. These files are required for Arabic, Armenian, Georgian, Hebrew, Indic, Thai, and Vietnamese. The second is Install Files For East Asian Languages. These files are required for Chinese, Japanese, and Korean.
To configure multiple languages:
1. On the Languages tab of the Regional And Languages Options dialog
box, click Details. The Text Services And Input Languages dialog box
appears.
2. Click Add to open the Add Input Language dialog box (Figure 5-27).
Figure 5-27 The Text Services And Input Languages dialog box and the Add Input Language dialog box
3. To configure additional languages, scroll through the list of languages
and select the one you want to add. If you added at least one language
to the one already installed on your computer, your computer now
supports multiple languages.
If you experience any problems with the way multiple languages or locales are
working, double-check your settings. You can also try uninstalling the multiple-language support or multiple-locale support. Make sure everything is working
correctly with only one language or locale, and then reconfigure and reinstall the
multiple-language or multiple-locale support.
CONFIGURING ACCESSIBILITY OPTIONS
Windows XP Professional lets you configure accessibility options through the
Accessibility Options icon in Control Panel.
Configuring Keyboard Options
To configure keyboard options, in Control Panel, click Accessibility Options.
In the Accessibility Options window, click Accessibility Options to display the
Accessibility Options dialog box. The Keyboard tab of the dialog box, shown in
Figure 5-28, allows you to configure the keyboard options StickyKeys, FilterKeys,
and ToggleKeys.
Figure 5-28 The Keyboard tab of the Accessibility Options dialog box
StickyKeys
Turning on StickyKeys allows you to press a multiple-key combination, such as
CTRL+ALT+DELETE, one key at a time. This option is useful for people who have
difficulty pushing more than one key at a time. This is a check box selection, so it
is either on or off. You can configure StickyKeys by clicking Settings to open the
Settings For StickyKeys dialog box (Figure 5-29).
You can configure a shortcut key for StickyKeys. The default shortcut for turning
on StickyKeys is pressing SHIFT five times.
Two other options can also be configured for StickyKeys: Press Modifier Key Twice
To Lock and Turn StickyKeys Off If Two Keys Are Pressed At Once. The modifier
keys are CTRL, ALT, SHIFT, and the Windows logo key. If you select the modifier
key option, pressing one of the modifier keys twice will cause that key to remain
active until you press it again. If you choose to use the second option, StickyKeys
is disabled if two keys are pressed simultaneously.
Figure 5-29 The Settings For StickyKeys dialog box
You can configure two notification settings for StickyKeys: Make Sounds When
Modifier Key Is Pressed and Show StickyKeys Status On Screen. The first setting
causes a sound to be made when any of the modifier keys—CTRL, ALT, SHIFT, or the
Windows logo key—is pressed. The second notification setting causes a StickyKeys
icon to be displayed in the taskbar when StickyKeys is turned on.
FilterKeys
The Keyboard tab also allows you to configure FilterKeys. Turning on FilterKeys
causes the keyboard to ignore brief or repeated keystrokes. This option also
allows you to configure the keyboard repeat rate, which is the rate at which a key
continuously held down repeats the keystroke. This is a check box selection, so it
is either on or off. You can configure FilterKeys by clicking Settings to open the
Settings For FilterKeys dialog box (Figure 5-30).
You can configure a shortcut key for FilterKeys. The default shortcut for turning
on FilterKeys is holding down the RIGHT SHIFT key for eight seconds.
Two other Filter options can also be configured for FilterKeys: Ignore Repeated
Keystrokes and Ignore Quick Keystrokes And Slow Down The Repeat Rate. Ignore
Repeated Keystrokes is inactive by default, and Ignore Quick Keystrokes And Slow
Down The Repeat Rate is active by default. Only one of these two filter options
can be active at a time. You configure them by clicking Settings.
Figure 5-30 The Settings For FilterKeys dialog box
Two Notification settings can be configured for FilterKeys: Beep When Keys Pressed
Or Accepted and Show FilterKey Status On Screen. The first setting causes a beep
when you press a key and another beep when the keystroke is accepted. The second
option causes a FilterKeys icon to be displayed on the taskbar when FilterKeys
is turned on. These settings are check boxes, so one of the settings, both of the
settings (the default), or neither of the settings can be selected.
ToggleKeys
You can also configure ToggleKeys on the Keyboard tab. Turning on ToggleKeys
causes the computer to make a high-pitched sound each time the CAPS LOCK, NUM
LOCK, or SCROLL LOCK options are activated (with the appropriate key). Enabling
ToggleKeys also causes the computer to make a low-pitched sound each time any
of these options is deactivated.
You can configure a shortcut key for ToggleKeys by clicking Settings. The default
shortcut for turning on ToggleKeys is to hold down NUM LOCK for five seconds.
NOTE There is one more check box on the Keyboard tab: Show Extra Keyboard Help In Programs. When selected, it causes other Windows-based programs to display additional keyboard help if it is available.
Configuring Sound Options
The Sound tab of the Accessibility Options dialog box provides the Use Sound
Sentry check box, which allows you to generate visual warnings when your computer makes a sound. The Sound tab also provides the Use ShowSounds check
box, which allows you to configure Windows XP Professional programs to display
captions for the speech and sounds they produce.
Configuring Display Options
The Display tab of the Accessibility Options dialog box provides a High Contrast
check box, which allows you to use color and fonts designed for easy reading. You
can click Settings to specify whether to use a shortcut, LEFT ALT+LEFT SHIFT+PRINT
SCREEN, which is enabled by default. Clicking Settings also allows you to select a
high-contrast appearance scheme. The Display tab also provides cursor options
that allow you to set the blink rate and the width of the cursor.
Configuring Mouse Options
The Mouse tab of the Accessibility Options dialog box provides the Use MouseKeys
check box, which allows you to control the pointer with the numeric keypad on
your keyboard. You can click Settings to configure MouseKeys in the Settings For
MouseKeys dialog box (Figure 5-31).
Figure 5-31 The Settings For MouseKeys dialog box
MouseKeys uses a shortcut, LEFT ALT+LEFT SHIFT+NUM LOCK, which is enabled
by default. You can also configure the pointer speed and acceleration speed. There
is even a check box, Hold Down Ctrl To Speed Up And Shift To Slow Down, that
allows you to temporarily increase or decrease the mouse pointer speed when you
are using MouseKeys. To speed up the mouse pointer movement, hold down
CTRL while you press the numeric keypad directional keys. To slow down the
mouse pointer movement, hold down SHIFT while you press the numeric keypad
directional keys.
Configuring General Tab Options
The General tab of the Accessibility Options dialog box (Figure 5-32) allows you
to configure Automatic Reset. This feature turns off all the accessibility features
except the SerialKey devices after the computer has been idle for a specified amount
of time.
Figure 5-32 The General tab of the Accessibility Options dialog box
The General tab includes the Notification feature, which allows you to produce a
warning message when a feature is activated and to make a sound when turning
a feature on or off.
The General tab also allows you to activate the SerialKey Devices feature, which
configures Windows XP Professional to support an alternative input device (also
called an augmentative communication device) to your computer’s serial port.
The Administrative Options feature provides two check boxes, Apply All Settings
To Logon Desktop and Apply All Settings To Defaults For New Users, that allow
you to apply all configured accessibility options to this user at logon and to apply
all configured accessibility options to all new users.
OTHER ACCESSIBILITY TOOLS
In addition to display and sound options, two utilities are available that assist users
who have visual impairments: the Magnifier and the Narrator.
The Magnifier
The Magnifier magnifies a portion of the screen to make it easier to read. It follows
the mouse pointer and allows the user to control which text is magnified. Settings
control the level of magnification.
The Narrator
The Narrator feature reads aloud system menus and dialog boxes. It can be used to
help with system dialog box navigation and control.
NOTE Many of these accessibility options are limited in functionality but give you an idea of what is possible. More sophisticated tools exist, and you can get more information about them at the Microsoft Accessibility Web site at www.microsoft.com/enable.
SUMMARY
■ Windows XP supports a vast array of display technologies.
■ The Windows XP user experience can be tailored to support the preferences and needs of most users. Key to this is the ability to configure desktop preferences, the taskbar and Start menu, roaming user profiles, and accessibility options.
■ Windows XP includes sophisticated power management capabilities, including the ability to adapt power management preferences from a dedicated desktop PC to a low-power notebook computer. It includes support for low-power standby and hibernation and also includes the ability to communicate with uninterruptible power supplies for power-loss notification.
■ Windows XP supports roaming user profiles as part of its support for Microsoft’s IntelliMirror technologies. This support allows administrators to provide a consistent user experience on all configured desktops in an enterprise.
■ Windows XP includes accessibility settings to assist physically challenged users with system and application operation. Capabilities include keystroke assistance with StickyKeys, FilterKeys, and MouseKeys, text-to-speech functions such as the Narrator, and visual aids such as high-contrast colors and the Magnifier.
REVIEW QUESTIONS
1. A user is familiar with the layout of the Windows 2000 Start menu. How
can you configure Windows XP to enable this user to be more at home in
Windows XP? (Choose two answers.)
a. Enable Windows 95 application compatibility mode
b. Enable the Windows Classic desktop theme
c. Enable the Windows Classic Start menu setting
d. Enable the legacy menu setting in Windows Explorer
2. You are configuring multiple-monitor support on a laptop computer with
a docking station. The computer has an internal AGP display adapter and
a PCI display adapter in the docking station. When you dock the computer, it does not enable multiple-monitor support. How do you enable
multiple monitors for this computer?
a. Configure the laptop’s BIOS to enable the on-board display.
b. Click Extend The Desktop Onto This Display on the Settings tab
of the Display Properties dialog box.
c. Add an additional display adapter to the docking station.
d. Switch the laptop to its outboard display port.
3. You are attempting to add an icon to the desktop for all users of a computer. How do you do this?
a. Add the icon to C:\Documents and Settings\All Users\Start Menu.
b. Add the icon to C:\Documents and Settings\<username>\Start
Menu for each user.
c. Add the icon to C:\Documents and Settings\All Users\Desktop.
d. Add the icon to C:\Documents and Settings\<username>\Desktop
for each user.
4. You have sustained an injury to your right arm, which will be in a sling
for a time. How can you perform keystroke combinations such as
CTRL+ALT+DEL without the use of your right hand?
a. Enable FilterKeys
b. Enable MouseKeys
c. Enable OptionKeys
d. Enable StickyKeys
5. You are attempting to configure Advanced Power Management settings
on your computer, but you cannot locate the Configuration tab. What is
the problem?
a. You must log on as Administrator.
b. APM is not enabled. On the View tab of the Folder Options dialog
box (available from the Tools menu in Windows Explorer), select
the checkbox next to Enable APM Configuration Settings.
c. You are looking in the wrong place. Locate the Advanced Power
Management icon in Control Panel.
d. Your system may support Advanced Configuration and Power
Interface (ACPI). Check to see whether your system supports ACPI.
6. You are configuring a system for a bilingual text newsletter, which is
published in English and Punjabi (an Indic language). How do you
enable these two languages to be used? (Choose all correct answers.)
a. In the Text Services And Input Languages dialog box, add Punjabi.
b. In the Regional And Language Options dialog box, select English.
c. On the Languages tab of the Regional And Language Options dialog box, select the Install Files For Complex Script And Right-To-Left Languages (Including Thai) check box.
d. On the Languages tab of the Regional And Language Options
dialog box, select the Install Files For East Asian Languages
check box.
CASE SCENARIOS
Scenario 5-1: Time for Hibernation
You are configuring a computer to hibernate when it has been idle for an extended
period of time. The computer has the following features and statistics:
■ Supports Advanced Configuration and Power Interface (ACPI)
■ 768 MB of free disk space
■ Windows XP Professional with Service Pack 2
■ Uninterruptible power supply with capacity to operate computer for 25 minutes
■ 1 GB of physical RAM
Can this computer be configured to hibernate? If not, how can you enable it to
hibernate?
Scenario 5-2: Power Problems
A user is attempting to connect the signal cable from a new uninterruptible power
supply to a computer that was previously connected to a UPS. He reports that the
computer immediately initiates a shutdown whenever the cable is connected.
What is most likely causing this behavior? How can you configure Windows XP
to eliminate this problem?
CHAPTER 6
CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES
Upon completion of this chapter, you will be able to:
■ Connect to local and network print devices
■ Manage printers and fax devices
■ Manage print jobs
■ Control access to printers
■ Connect to an Internet printer
In Chapter 4, you learned how to install and manage hardware devices. In this
chapter, we will focus on two specific types of devices: printers and fax devices.
Desktop publishing has long been a principal use of personal computers. Programs such as Aldus (now Adobe) PageMaker and Quark XPress set type for
newspapers and magazines, books, and newsletters. The PostScript printing
language allowed these programs to produce output similar, if not identical, in
quality to standard typography. As adoption of personal computers increased,
businesses began to use them to produce daily reports and colorful charts. Laser
and inkjet printers, rather than expensive typesetting equipment, now produce
the vast majority of today’s printed material.
In this chapter, you will learn how to connect, configure, and manage printers
and fax devices. You’ll learn how to manage print jobs and control access to
printers using permissions. Finally, we’ll discuss connecting to remote printers
using the Internet.
INTRODUCTION TO WINDOWS XP PROFESSIONAL PRINTING
With Microsoft Windows XP Professional, you can share printing resources
across an entire network and administer printing from a central location. You can
easily set up printing on client computers running Windows XP, Windows 2000
Professional, Windows NT 4, Windows Me, Windows 98, and Windows 95.
Terminology
Before you set up printing, you should be familiar with Windows XP Professional
printing terminology to understand how the different components fit together
(Figure 6-1).
Figure 6-1 Printing terminology (diagram labels: printer driver, local print device, network interface print device, print server)
■ Print Device  A hardware device that puts text or images on paper or on other print media. Windows XP Professional supports the following print devices:
❑ Local print devices, which are connected to a physical port on the local computer.
❑ Network interface print devices, which are connected to a print server through the network instead of a physical port. Network interface print devices require their own network interface cards and have their own network address, or else they are attached to an external network adapter.
■ Printer  The software interface through which a computer communicates with a print device. Windows XP Professional supports the following interfaces: line printer (LPT), COM, universal serial bus (USB), IEEE 1394 (FireWire), Infrared Data Access (IrDA), Bluetooth, and network-attached devices such as the HP JetDirect and Intel NetPort or network printing services such as LPR, standard TCP ports, and Internet Printing Protocol (IPP).
NOTE Windows XP Professional treats a FireWire card as a network connectivity device as well as a peripheral connectivity device. FireWire is used to connect digital camcorders, scanners, and other high-bandwidth devices to computers.
■ Print server  The computer that manages one or more printers on a network. The print server receives and processes documents from client computers, and prints them on locally attached or network print devices.
■ Printer driver  One file or a set of files containing information that Windows XP Professional requires to convert print commands into a specific printer language, such as Adobe PostScript. This conversion makes it possible for a print device to print a document. A printer driver is specific to each print device model and can support printing to that print device over a wide variety of port types.
ADDING A LOCAL PRINTER
Many Windows XP systems use print devices connected directly to the system.
These print devices use a variety of interfaces: parallel ports, USB ports, FireWire
ports, and most recently Bluetooth. The Add Printer Wizard progresses through
the following steps to help you add a printer:
NOTE You must be a member of the local Administrators or Power Users security group to install and manage printers.
■ Local or Network Printer  Specify whether the printer you are installing is locally attached to a hardware port on your system or attached to a point on the network. Locally attached printers can also be detected through Plug and Play (PnP). Your system scans its ports for a print device and helps automate device driver selection (Figure 6-2).
Figure 6-2 Local or Network printer page of the Add Printer Wizard
NOTE If you have a PnP-compatible print device that connects through
a USB port, an IEEE 1394 interface, or any other port (such as IrDA or
Bluetooth) that supports automatic detection of devices, you do not need
to use the Add Printer Wizard. Simply plug the printer cable into your
computer and bring the device within range, or point the printer toward
your computer’s infrared port and turn on the print device. Windows then
installs the printer for you.
■ Select a Printer Port  If you do not choose to use PnP, the Select A Printer Port page is presented (Figure 6-3). Choose the port to which you have connected your print device.
Figure 6-3 The Select A Printer Port page
■ Install Printer Software  Select the printer driver software (Figure 6-4). If the driver for your print device is not listed, you can provide a manufacturer’s driver by selecting Have Disk.
Figure 6-4 Install Printer Software page
NOTE If you use PnP to detect your print device, the wizard will usually
skip the Select A Printer Port page and Install Printer Software page. The
exception to this is when PnP fails to detect the device or cannot find the
driver software.
■ Name Your Printer  Enter a descriptive name for your printer (Figure 6-5). You can also specify whether the printer is to be the default printer for applications on your system.
Figure 6-5 The Name Your Printer page
■ Printer Sharing  Specify whether to share this printer with other systems on the network (Figure 6-6). Doing so makes your system a print server. If you choose to share the printer, you can enter information about the printer in the Location And Comment page.
Figure 6-6 The Printer Sharing page configured to share a printer
■ Print Test Page  Specify whether to print a Windows test page from your newly installed print device to verify that the printer is properly configured (Figure 6-7).
Figure 6-7 The Print Test Page page
■ Completing The Add Printer Wizard  This page (Figure 6-8) details all the configuration settings you have chosen for this printer. If everything is correct, you can click Finish and the printer will be installed. Windows will copy the chosen printer driver to your system, share the printer (if directed), and print the test page (if selected).
Figure 6-8 Completing The Add Printer Wizard page
ADDING A PRINTER CONNECTED TO A PRINT SERVER
Most organizations use print servers to manage printing. Print servers allow you
to control who prints to which device and manage documents sent to the server.
Documents can be spooled to a print queue, which allows management of
printing priority, queuing of large documents on the server instead of the client to
improve performance, and reprinting of failed documents. We will discuss using
Windows XP as a print server later in this chapter; for now, we will concentrate on
configuring Windows XP as a client.
Types of Print Servers
In addition to Windows Server operating systems, an organization can use Novell
NetWare or UNIX/Linux to manage printing or use a dedicated print serving
device to manage print spools. We will discuss these in turn, beginning with
Windows servers.
Windows Server Operating Systems
The most widely used print servers today are based on Windows Server operating
systems. Windows 2000 Server and Windows Server 2003 can manage many
print devices simultaneously and manage hundreds of print jobs on different
printers attached to these devices.
IMPORTANT Pay close attention to the terminology in use here. A printer is actually a print queue attached to a print device. With Windows Server, you can create multiple printers that use the same device. Thus administrators can control access to the device by specifying groups of users, giving different groups different priority, and even allowing access at different times of day.
Windows 2000 Server and Windows Server 2003 can also advertise their printers
in Active Directory. Users can then browse or search for a device that can print
their particular job. They can search by location, speed, resolution, type of paper,
duplexing or stapling capability, or even whether the device can print color output. They can simply connect to the desired printer, and it becomes available for
their use (assuming, of course, that they have permission to use it!).
NetWare Print Servers
Novell NetWare can also provide print server functionality. This network operating system can manage print devices in queues and can provide access to Windows XP systems either as an LPD server or through the use of Client Services for
NetWare (an optional Windows XP networking client). Novell also provides its
own Windows XP client, but its setup and configuration are beyond the scope of
this course.
MORE INFO To learn more about installing and using Client Services for
NetWare, see the Windows XP Professional Resource Kit, Second Edition
(ISBN 0-7356-1974-3) from Microsoft Learning.
UNIX/Linux Print Servers
Printers that are on print servers running on UNIX or Linux and running the
Samba server service can be advertised in Active Directory. Samba allows these
servers to function as member servers in the Active Directory domain. Clients can
browse and connect to these printers as if the printers were on Windows servers.
Connecting to a Printer on a Windows Print Server
There are many ways to connect to a printer on a Windows Server:
■ Add Printer Wizard  You can use this wizard to connect to a network printer on a Windows Server. On the Select A Printer Port page, select A Network Printer, Or A Printer Attached To Another Computer to get to the Specify A Printer page (Figure 6-9).
Figure 6-9 The Specify A Printer page of the Add Printer Wizard
This page allows you to enter the printer address, if you know it, or browse for it in Active Directory (as shown later in Figure 6-10). By selecting criteria for your search, you can find printers that have the features you require for your job.
NOTE If you are using a computer that is not a member of an Active Directory domain, the Specify A Printer page will show Browse For A Printer instead of Find A Printer In The Directory.
CHAPTER 6: CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES
■ Connect option: In My Network Places, you can locate a printer,
right-click its icon, and select Connect. If you have permission to use
the printer, it will be installed on your system.
■ NET USE command: Windows computers can use the following
command to connect to a network printer, where x is the number of
the printer port you want to designate for this printer, server_name
is the name of the print server hosting the printer, and printer_name is
the name of the printer you want to use.
Net use lptx: \\server_name\printer_name
Using the Search Assistant to Find a Printer
You can search for printers in Active Directory when you are logged on to an
Active Directory domain by using the Search Assistant. On the Start menu, click
Search. In the Search Assistant, click Printers, Computers, Or People and then
choose Find Printers to open the Find Printers dialog box. The dialog box has
three tabs to help you locate a printer (Figure 6-10).
Figure 6-10 Finding a printer in Active Directory
■ Printers tab: Allows you to search for specific information, such as
the name, location, and model of the printer.
■ Features tab: Allows you to select from a prepared list of additional
search options, such as whether the printer can print double-sided
copies or print at a specific resolution.
■ Advanced tab: Allows you to use custom fields and Boolean operators to define complex searches, such as searches on printers that support collation and a specific printer language (such as PostScript).
If you want to search for all available printers, you can leave all search criteria
blank and click Find Now. All of the printers in the domain are listed. You can
then connect to the printer of your choice. Locate a printer and make a connection to it by double-clicking it or by right-clicking it and then selecting Connect.
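The Find Printers dialog described above is, underneath, a directory query against the printQueue objects that print servers publish. The following is an added example, not code from the book or from Windows: it builds the kind of LDAP filter that the Printers, Features, and Advanced tabs compose, and evaluates it against constructed sample printer records with a small filter evaluator, so you can see how criteria such as collation plus PostScript support narrow the result. The attribute names (objectClass, printerName, location, printColor, printDuplexSupported, printCollate, printLanguage, printMaxResolutionSupported) are real Active Directory printQueue attributes; the records, the evaluator, and the helper names are assumptions made for this example.

```python
"""Active Directory printer search, modelled after the Find Printers dialog.

Added example, not from the book. The printQueue attribute names are real
Active Directory schema attributes; the printer records and the filter
evaluator are constructed for the example and stand in for a live query.
"""
import fnmatch
import re
from typing import Dict, List, Tuple

# Constructed sample printQueue objects, as a print server would publish them.
SAMPLE_PRINTERS: List[Dict[str, object]] = [
    {"objectClass": "printQueue", "printerName": "Floor1-Laser",
     "location": "Building A/Floor 1", "printColor": False,
     "printDuplexSupported": True, "printCollate": True,
     "printLanguage": ["PCL", "PostScript"], "printMaxResolutionSupported": 1200},
    {"objectClass": "printQueue", "printerName": "Floor2-Color",
     "location": "Building A/Floor 2", "printColor": True,
     "printDuplexSupported": False, "printCollate": False,
     "printLanguage": ["PCL"], "printMaxResolutionSupported": 600},
    {"objectClass": "printQueue", "printerName": "Billing-Envelope",
     "location": "Building B/Billing", "printColor": False,
     "printDuplexSupported": True, "printCollate": True,
     "printLanguage": ["PostScript"], "printMaxResolutionSupported": 600},
]


def build_filter(**criteria: object) -> str:
    """Build the LDAP filter for a printQueue search from feature criteria.

    Booleans are written the way AD stores them (TRUE/FALSE); all criteria
    are ANDed, as the Features tab does with its check boxes. With no
    criteria the filter matches every published printer.
    """
    parts = ["(objectClass=printQueue)"]
    for attr, value in criteria.items():
        if isinstance(value, bool):
            value = "TRUE" if value else "FALSE"
        parts.append(f"({attr}={value})")
    return "(&" + "".join(parts) + ")"


def _parse(s: str, i: int = 0) -> Tuple[tuple, int]:
    """Parse the filter at s[i] (an opening parenthesis); return (node, next_i).

    Supports what the Advanced tab composes: & | ! and the comparisons
    =, >=, <= (with * wildcards in = values). Values may not contain ')'.
    """
    if s[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, children), i + 1          # skip the closing ')'
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced filter")
        return ("!", [child]), i + 1
    end = s.index(")", i)
    m = re.fullmatch(r"([A-Za-z0-9]+)(>=|<=|=)(.+)", s[i:end])
    if not m:
        raise ValueError(f"bad comparison: {s[i:end]!r}")
    return ("cmp", m.group(1), m.group(2), m.group(3)), end + 1


def _matches(node: tuple, entry: Dict[str, object]) -> bool:
    kind = node[0]
    if kind == "&":
        return all(_matches(c, entry) for c in node[1])
    if kind == "|":
        return any(_matches(c, entry) for c in node[1])
    if kind == "!":
        return not _matches(node[1][0], entry)
    _, attr, op, want = node
    have = entry.get(attr)
    if have is None:                      # an absent attribute never matches
        return False
    values = have if isinstance(have, list) else [have]   # multi-valued attrs
    for v in values:
        text = ("TRUE" if v else "FALSE") if isinstance(v, bool) else str(v)
        if op == "=" and fnmatch.fnmatchcase(text.lower(), want.lower()):
            return True                   # LDAP string matching is case-insensitive
        if op == ">=" and int(text) >= int(want):
            return True
        if op == "<=" and int(text) <= int(want):
            return True
    return False


def find_printers(filt: str,
                  printers: List[Dict[str, object]] = SAMPLE_PRINTERS) -> List[str]:
    """Return the printerName of every record the filter selects."""
    node, end = _parse(filt)
    if end != len(filt):
        raise ValueError("trailing characters after filter")
    return [str(p["printerName"]) for p in printers if _matches(node, p)]
```

Leaving every criterion blank, as the text suggests for listing all printers, corresponds to `build_filter()` with no arguments; the Advanced tab's Boolean searches correspond to hand-written filters such as `(&(objectClass=printQueue)(!(printDuplexSupported=TRUE))(printMaxResolutionSupported>=600))`.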
NOTE The Find Printers feature is available in the Search Assistant only
when you are logged on to an Active Directory domain; it is not available
on a standalone computer that is in a workgroup.
ADDING A NETWORK INTERFACE PRINTER
Connecting to and installing a network interface printer is similar to installing a
local printer. The principal difference is in the selection of the port. A network
interface printer uses a network interface device to provide connectivity and is
accessed as if it were locally attached.
Standard TCP/IP Port
You can access a network interface printer as a local port by selecting Standard
TCP/IP Port or (if Print Services for UNIX is installed) LPR Port. Selecting Standard TCP/IP Port launches the Standard TCP/IP Printer Port Wizard, which
guides you through the steps necessary to connect to a TCP/IP print server.
You enter the name or IP address of the print device (Figure 6-11). The wizard
scans the address and attempts to determine what type of device it is communicating with. If it cannot determine the device type or the device is not responding,
the wizard presents the Additional Port Information Required page (Figure 6-12),
where you can manually select the device type from a drop-down list. In addition,
you can configure a custom device if you know its settings.
Figure 6-11 Selecting a standard TCP/IP port
If the device has more than one available port, the wizard prompts you to select
the correct port on the device.
Figure 6-12 The Additional Port Information Required page
The wizard completes and exits. If the port was installed as part of the Add
Printer Wizard, you are presented with the Install Printer Software window and
installation proceeds as for a local printer.
LPR Port
If Print Services for UNIX is installed on your system (discussed in more detail
later), you can connect to UNIX LPD servers as a client, using the LPR port.
NOTE UNIX and Linux systems traditionally use the Line Printer
Daemon (LPD) service to share printers with other UNIX/Linux systems.
This service opens a port to the network and listens for print commands. The Line Printer Remote (LPR) service is the client portion of
the LPD/LPR service pair. It connects to the LPD service over the
network and sends the print commands to the print device attached
to the LPD system.
Microsoft’s Print Services for UNIX allows you to make your computer an
LPD server and also an LPR client.
To connect to an LPR port:
1. On the Select A Printer Port page of the Add Printer Wizard (Figure 6-13),
select the LPR port. This opens a dialog box that asks for the name or
address of the LPD server and the name of the printer queue on the
remote system (Figure 6-14).
Figure 6-13 Selecting an LPR port
Figure 6-14 Configuring an LPR port
NOTE If the LPR Port selection is not available, you must install Print
Services for UNIX. This is an additional network service available in Add/
Remove Programs under Windows Components.
2. Enter the address and queue name, and click OK. The dialog box is
closed, and installation of the printer continues as a local printer with
the Install Printer Software page.
NOTE It is technically possible to use the Standard TCP/IP Printer Port
Wizard to configure an LPR port, but it is recommended that you use
Print Services for UNIX and its LPR port option when connecting to an
actual LPD server.
CONNECTING TO AN INTERNET PRINTER
Windows XP can also connect to printers using Internet Printing Protocol (IPP).
This protocol transmits print commands to IPP-enabled Web servers by encapsulating them within Hypertext Transfer Protocol (HTTP). All that is required to
print in this manner is the Uniform Resource Locator (URL) of the Internet print
server and permission to print there. For an example of an Internet printer URL,
see Figure 6-15.
How Internet Printing Works
Windows Internet printing relies on the services of a Microsoft Internet
Information Services (IIS) server. This server can authenticate clients, accept
print jobs from them, and print the jobs locally using one of its connected
print devices.
When IIS is installed on a Windows XP Web server, it creates the /printers
virtual folder to manage the IPP feature. You can manage this folder like any
other in IIS; the site administrator can also require authentication before
allowing access to it.
NOTE Microsoft’s IIS Lockdown tool for securing Web servers disables
Internet printing by default. If you intend to use Internet printing, you
must configure IIS Lockdown to override this disabling action. For more
information, see Microsoft Knowledge Base article 325864, “How to
Install and Use the IIS Lockdown Tool.”
To add an Internet printer using the Add Printer Wizard:
1. Enter the URL for the server in the Add Printer Wizard (Figure 6-15).
The server authenticates the client in accordance with the authentication type defined for the /printers folder. This can be anonymous
access, Integrated Windows authentication, or Basic (clear text)
authentication.
Figure 6-15 Entering the URL for Internet printing
2. If you have permission to print, the server packages a driver into a cabinet (.cab) file and sends it to you. Windows automatically installs the
driver as it completes the Add Printer Wizard. You can now print to
the Internet printing server.
Windows computers that have Internet printing enabled provide access to the
printers via a Web page on the server. You can access this page by entering http://
<servername>/printers in your Web browser address bar. On this page, you can
browse printers, view their properties, select a printer that supports the type of
print job you want to send, and manage print jobs.
To connect to a printer using the /printers Web page:
1. Connect to the /printers site (Figure 6-16) and select a printer.
Figure 6-16 Connecting to /printers
2. Click Connect to install the printer. Windows verifies that you intend
to install this printer (Figure 6-17).
Figure 6-17 Confirming installation of an Internet printer
3. The server packages a driver and sends it to the client (Figure 6-18).
Figure 6-18 Installing an Internet printer
4. After installation, the printer appears in Printers and Faxes as an Internet printer. Note the address in Figure 6-19.
Figure 6-19 An installed Internet printer
USING WINDOWS XP AS A PRINT SERVER
Windows XP can operate as a print server by simply sharing printers with network users. Using the full power of the print-sharing features, however, requires
careful planning and implementation. In this section, we will discuss planning
and configuring print serving, including managing permissions, schedules, and
printer priorities. You will learn how to manage print jobs and troubleshoot
printing problems.
Requirements for Network Print Services
Careful planning is required before you share printers on the network. The
requirements for setting up print serving on a network include:
■ At least one computer to operate as the print server: If the print
server will manage many heavily used printers, Microsoft recommends
a dedicated print server. The computer can run either of the following:
    ❑ Windows 2000 Server or Windows Server 2003; these operating
    systems can handle a large number of connections and support Apple
    Macintosh, UNIX/Linux, and Novell NetWare clients.
    ❑ Windows XP Professional, which is limited to 10 concurrent connections from other computers for file and print services. It does not
    support Macintosh computers or NetWare clients but does support
    UNIX computers.
■ Sufficient random access memory (RAM): If a print server will
manage a large number of printers or many large documents, the
server might require additional RAM beyond what Windows XP Professional or Windows Server 2003 requires for other tasks. If a print
server does not have sufficient RAM for its workload, printing
performance will deteriorate.
■ Sufficient disk space on the print server: Enough disk space on
the print server is required to ensure that the print server can store documents sent to it until it sends the documents to the print device. This
is critical when documents are large or likely to accumulate. For example, if 10 users send large documents to print at the same time, the
print server must have enough disk space to hold all of the documents
until it can send them to the print device. If there is not enough space
to hold all of the documents, users will get error messages and will be
unable to print until the printing load subsides.
Planning for Print Serving
Before you set up network printing, develop a network-wide printing strategy
to meet users’ printing needs without unnecessary duplication of resources or
delays in printing. Some items to consider while planning a print server
installation include:
■ Determine users’ printing requirements: Determine the number
of users who will print, the printer features they will need, and the
printing workload. For example, people in a billing department who
continually print invoices and envelopes will have a larger printing
workload and might require more printers with more paper options
and more print servers than software developers who do all their work
on the Internet and rarely print.
■ Determine the company’s printing requirements: The printing
needs of your company will include the number and types of printers
required. Consider the type of output that each printer will handle.
What print speed or special features will be required to support all
your users? Also consider the reliability of the printer you are considering. Can it handle the workload? Don’t use a personal printer for
network printing.
■ Determine the number of print servers required: This will be the
number of print servers needed to handle the number and types of
printers that your network will employ. Print servers can spool a certain number of documents before performance degrades. You might
have to consider the size and quantity of documents your users produce. Will one server be up to the task, or do you need additional
servers?
■ Determine where to locate printers: Printers should be in a location where users can easily pick up their printed documents.
Sharing Printers During Installation
You can share printers during installation by choosing the appropriate configuration setting in the Add Printer Wizard:
1. On the Printer Sharing page of the Add Printer Wizard, enter a Share
Name and click Next.
You can assign a shared printer name even though you already supplied a printer name. The shared printer name identifies a printer on
the network and must conform to a naming convention. This name can
differ from the printer name that you entered previously.
2. The wizard displays the Location And Comment page. Enter descriptive information about the printer and its location. This information
provides a more detailed description of the printer.
NOTE If the computer running Windows XP Professional is part of a
domain, Windows displays the values that you enter on the Location And
Comment page when a user searches Active Directory for a printer.
Entering this information is optional, but it can help users locate the
printer more easily.
3. The rest of the installation proceeds normally. When you complete the
wizard, the printer is installed and shared.
IMPORTANT Sharing printers using the Add Printer Wizard makes
them available to all network users. To manage permissions on the
printer, you must use the printer’s Properties dialog box. (Right-click
the printer in the Printers folder, and select Properties.)
Sharing an Existing Printer
If the printing demands on your network increase and your system has an existing, nonshared printer, you can share that printer so users can use it.
When you share a printer, you assign the printer a share name, which appears in
My Network Places. Use an intuitive name to help users when they browse for
a printer. You can also add printer drivers for other versions of Windows XP,
Windows 2000, Windows NT, Windows 98, and Windows 95.
To share an existing printer, take the following steps:
1. In Printers and Faxes, right-click the icon for the printer you want to
share, and then choose Sharing.
2. On the Sharing tab of the printer’s Properties dialog box (Figure 6-20),
click Share This Printer.
Figure 6-20 Sharing an existing printer
3. In the Share Name text box, type a share name and then click OK.
Windows XP Professional puts an open hand under the printer icon,
indicating that the printer is shared.
Installing Additional Print Drivers
After you share a printer, you can install additional print drivers to allow users of
other operating systems to access and print to the print device. You do this by
using the Additional Drivers dialog box, which is accessed via the Sharing tab of
the printer’s Properties dialog box (Figure 6-21).
Figure 6-21 Installing additional drivers
When you specify additional drivers, Windows XP asks for a disk containing the
drivers. These drivers must be native Windows drivers. They do not have to be
the ones packaged with Windows (although that helps), but they should conform to the Windows driver model. These drivers will include an .inf file that contains specific information about the driver. Third-party drivers that install from
executable programs will not be recognized or installed.
After installation, the new drivers are stored on the print server computer and,
when a client running one of the operating systems selected under Additional Drivers connects to the server, the matching driver
is automatically provided to the client instead of the Windows XP driver.
NOTE Windows 95, Windows 98, and Windows Me systems do not automatically download drivers. When a user connects to a printer with one of
these systems, the client operating system launches its Add Printer
Wizard to manage the installation of drivers.
Creating Printer Pools
A printer pool consists of two or more printers that are connected to one print
server and act as a single printer. The printers can be local or network interface
printers. Although the printers should be identical, you can use printers that
are not identical but use the same printer driver. In this scenario, you can only
support print features that are supported by the common print driver. After you
install a printer, you can create a printer pool using the Ports tab of the Properties
dialog box for that printer. Select the Enable Printer Pooling check box, and select
additional ports on the printer server (Figure 6-22).
Figure 6-22 Enabling printer pooling
When you create a printer pool, users can print documents without checking
which printer is available. The document prints to the first available printer in the
printing pool.
A printing pool offers the following advantages:
■ In a network with a high volume of printing, it decreases the time that
documents wait on the print server.
■ It simplifies administration because you can administer multiple printers simultaneously.
Before you create a printer pool, be sure to connect the printers to the print
server. Then take the following steps:
1. On the Ports tab of the printer’s Properties dialog box, select the
Enable Printer Pooling check box. This enables pooling of the printers and allows you to select multiple printer ports.
2. Select the check box for each port to which a printer that you want to
add to the pool is connected.
IMPORTANT When you set up a printer pool, place the printers in the
same physical area so users can easily retrieve their documents.
Managing Printer Permissions
Windows XP Professional allows you to control printer usage and administration
by assigning permissions. With printer permissions, you can control who can
use a printer. You can also assign printer permissions to control who can
administer a printer and the level of administration, which can include managing
printers and managing documents. For security reasons, you might need to limit
user access to certain printers. You can also use printer permissions to delegate
responsibility for specific printers to users who are not administrators. Windows
XP Professional provides three levels of printer permissions: Print, Manage
Documents, and Manage Printers. Table 6-1 lists the capabilities of each level of
permission.
Table 6-1 Printing Capabilities of Windows XP Professional Printer Permissions

Capabilities                                              Print        Manage Documents   Manage Printers
                                                          Permission   Permission         Permission
Print documents                                           ✓            ✓                  ✓
Pause, resume, restart, and cancel the user’s own         ✓            ✓                  ✓
document
Connect to a printer                                      ✓            ✓                  ✓
Control job settings for all documents                                 ✓                  ✓
Pause, resume, restart, and cancel all other users’                    ✓                  ✓
documents
Cancel all documents                                                                      ✓
Share a printer                                                                           ✓
Change printer properties                                                                 ✓
Delete a printer                                                                          ✓
Change printer permissions                                                                ✓
You can allow or deny these levels of printer permissions. Denied permissions
always override allowed permissions. For example, if you select the Deny check
box next to Manage Documents for the Everyone group, no one can manage
documents, even if you grant this permission to another user account or group.
This is because all user accounts (including Administrators) are members of the
Everyone group.
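To make the Allow/Deny rule above concrete, here is an added example (not code from the book or from Windows) that models printer ACL evaluation in Python. It assumes the three permission levels are independent right sets, with Manage Printers including the Print rights and Manage Documents covering other users' jobs, and it ignores the explicit-before-inherited ordering that real Windows ACLs also apply. The ACLs, group names, user names, and right names are constructed sample data; the scenario reproduced is the one the text describes, a Deny on Everyone for Manage Documents that silences an Allow on Administrators.

```python
"""Printer permission evaluation: Deny entries override Allow entries.

Added example, not from the book. Simplified model: each permission level
is a set of rights (an assumption of this model), every account belongs to
Everyone, and a right is effective only if some matching Allow grants it and
no matching Deny takes it away.
"""
from typing import Dict, FrozenSet, List, NamedTuple, Set

# Rights attached to each permission level (assumed grouping for the model).
PRINT: FrozenSet[str] = frozenset({"print", "manage own documents", "connect"})
MANAGE_DOCUMENTS: FrozenSet[str] = frozenset(
    {"control job settings", "manage other users' documents"})
MANAGE_PRINTERS: FrozenSet[str] = PRINT | {
    "cancel all documents", "share printer", "change printer properties",
    "delete printer", "change printer permissions"}
LEVELS: Dict[str, FrozenSet[str]] = {
    "Print": PRINT,
    "Manage Documents": MANAGE_DOCUMENTS,
    "Manage Printers": MANAGE_PRINTERS,
}


class Ace(NamedTuple):
    trustee: str    # user or group the entry applies to
    allow: bool     # True for an Allow entry, False for a Deny entry
    level: str      # "Print", "Manage Documents" or "Manage Printers"


def effective_rights(account: str, groups: Set[str], acl: List[Ace]) -> Set[str]:
    """Rights the account ends up with: every Allow it matches minus every Deny."""
    principals = {account, *groups, "Everyone"}   # all accounts are in Everyone
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ace in acl:
        if ace.trustee not in principals:
            continue
        (allowed if ace.allow else denied).update(LEVELS[ace.level])
    return allowed - denied   # a Deny wins no matter which entry granted the Allow


def can(account: str, groups: Set[str], acl: List[Ace], right: str) -> bool:
    return right in effective_rights(account, groups, acl)


def blocking_entries(account: str, groups: Set[str], acl: List[Ace],
                     right: str) -> List[Ace]:
    """Deny entries that take the right away from the account (troubleshooting aid)."""
    principals = {account, *groups, "Everyone"}
    return [a for a in acl
            if not a.allow and a.trustee in principals and right in LEVELS[a.level]]


# Constructed sample ACLs: the XP default (Everyone: Print; Administrators:
# everything), a delegated PrintOps group, and the Deny-on-Everyone case.
DEFAULT_ACL: List[Ace] = [
    Ace("Everyone", True, "Print"),
    Ace("Administrators", True, "Print"),
    Ace("Administrators", True, "Manage Documents"),
    Ace("Administrators", True, "Manage Printers"),
]
DELEGATED_ACL = DEFAULT_ACL + [Ace("PrintOps", True, "Manage Printers")]
DENY_EVERYONE_ACL = DEFAULT_ACL + [Ace("Everyone", False, "Manage Documents")]
```

With `DENY_EVERYONE_ACL`, an account in Administrators still prints and still administers the printer, but `can(..., "manage other users' documents")` is false for it, and `blocking_entries` names the Everyone Deny as the cause, which is the first thing to check when a user with an apparently sufficient Allow reports an access denied error.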
Assigning Printer Permissions
By default, Windows XP Professional assigns Print permission for each printer to
the built-in Everyone group, allowing all users to send documents to the printer.
You can also assign printer permissions to users or groups. (See Figure 6-23.)
Figure 6-23 Assigning printer permissions
To assign printer permissions, take the following steps:
1. In the Printers and Faxes window, right-click the appropriate printer
icon, and then choose Properties to open the printer’s Properties dialog box.
2. Click the Security tab, and then click Add.
NOTE If the computer running Windows XP Professional is in a workgroup environment and you do not have a Security tab in your printer’s
Properties dialog box, close the Properties dialog box. In Explorer, on the
Tools menu, click Folder Options and click the View tab. Clear the Use Simple File Sharing (Recommended) check box, and then display your
printer’s Properties dialog box.
3. In the Select Users, Groups, Or Computers dialog box, enter the
appropriate user account or group, and then click Add. Repeat this
step for all users or groups you want to add. Click OK.
If you do not remember the exact user or group name, you can use the
Advanced button to launch an advanced version of the Select Users,
Groups, Or Computers dialog box. This dialog box allows you to
search Active Directory for users and groups that meet certain criteria.
4. Select the new user account or group. In the bottom part of the dialog
box, click the permissions you want to assign.
NOTE It might occasionally be necessary to assign advanced permissions to a user. To do this, click Advanced and assign additional printer
permissions that do not fit into the predefined permissions on the Security tab. This is not normally required and is done only for very specific
purposes by an experienced administrator.
5. Click OK to close the Properties dialog box.
Modifying Printer Permissions
You can change the default printer permissions in Windows XP Professional or
the printer permissions that you previously assigned for any user or group. To do
this, simply make the appropriate changes on the Security tab in the printer’s
Properties dialog box.
Managing Printer Priority
Let’s say you are in an organization where some users (such as executives or
members of a high-priority support team) need to have their documents print
before those of other users. Whatever the reason, you need to find a way to ensure
that their documents move to the head of the line.
By assigning priorities to printers, you can ensure that some users’ documents print
before those of users with lower priority. To make this work, you need to add two
or more printers for each print device. Each printer receives a priority relative to the
others, with users requiring the higher priority using the high-priority printer.
Printer priorities range from 1 (the lowest) to 99 (the highest). Users’ ability to
print to the high-priority printer is controlled through the use of permissions.
To set priorities among printers:
1. Add a printer and share it.
2. Add a second printer and point it to the same print device or port. The
port can be a physical port on the print server or a port that points to
a network interface print device.
3. Set a different priority for each printer pointing to the print device.
Have different groups of users print to different printers, or have users
send different types of documents to each printer.
For example, User1 sends documents to a printer with the lowest priority, 1, and
User2 sends documents to a printer with the highest priority, 99. In this example,
User2’s documents always print before User1’s.
Printer priority is managed on the Advanced tab of the printer’s Properties dialog
box (Figure 6-24).
Figure 6-24 Managing printer priority
Scheduling Printers
Suppose you have a user who prints many large documents that require other
users to wait for extended periods for their own documents to print. If there is no
urgency for these documents to be printed during business hours, you can create
a printer that directs documents to the same print device but restricts the times
the device is available to the printer. The user can send large documents to the
printer all day long, but they will begin to print only after business hours.
To create a scheduled printer:
1. Create a second printer connected to the same print device.
2. On the Advanced tab of the printer’s Properties dialog box, configure a
schedule for when the printer will be available (Figure 6-25).
Figure 6-25 Creating a printer schedule
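The priority and scheduling procedures above both rest on one spooler rule: several logical printers share one print device, and the spooler picks the next job from the printers that are available at that moment, highest printer priority first. Here is an added example (not code from the book or from Windows) that models that rule in Python, including an availability window that crosses midnight and the document priority discussed later under Managing Documents. The printer names, users, and jobs are constructed, and the tie-breaking order (printer priority, then document priority, then submission order) is an assumption of the model rather than a documented spooler behaviour.

```python
"""Spooler job selection with printer priorities and availability schedules.

Added example, not from the book: a small model of how a device with several
logical printers chooses its next job. Names, users and jobs are constructed.
"""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple


@dataclass
class LogicalPrinter:
    name: str
    device: str                        # port shared by all printers on a device
    priority: int = 1                  # 1 = lowest, 99 = highest
    available_from: time = time(0, 0)  # equal from/to means "Always available"
    available_to: time = time(0, 0)

    def __post_init__(self) -> None:
        if not 1 <= self.priority <= 99:
            raise ValueError("printer priority must be between 1 and 99")

    def is_available(self, now: time) -> bool:
        start, end = self.available_from, self.available_to
        if start == end:
            return True
        if start < end:                    # window inside one day, e.g. 09:00-17:00
            return start <= now < end
        return now >= start or now < end   # window crosses midnight, e.g. 18:00-06:00


@dataclass
class Job:
    job_id: int
    owner: str
    printer: str        # logical printer the user submitted to
    seq: int            # submission order; lower was submitted earlier
    priority: int = 1   # document priority, also 1..99


def next_job(queue: List[Job], printers: Dict[str, LogicalPrinter],
             now: time) -> Optional[Job]:
    """Job the device prints next, or None if every queued job is held."""
    ready = [j for j in queue if printers[j.printer].is_available(now)]
    if not ready:
        return None
    # Highest printer priority first, then document priority, then FIFO
    # (assumed tie-breaking order for this model).
    return min(ready, key=lambda j: (-printers[j.printer].priority,
                                     -j.priority, j.seq))


def drain(queue: List[Job], printers: Dict[str, LogicalPrinter],
          now: time) -> Tuple[List[int], List[int]]:
    """Print order at a fixed time of day, plus the ids of jobs still held."""
    remaining, order = list(queue), []
    job = next_job(remaining, printers, now)
    while job is not None:
        order.append(job.job_id)
        remaining.remove(job)
        job = next_job(remaining, printers, now)
    return order, [j.job_id for j in remaining]


# Constructed setup: three logical printers on the same port (LPT1), as in
# the priority example (1 versus 99) and the after-hours scheduling example.
PRINTERS: Dict[str, LogicalPrinter] = {p.name: p for p in [
    LogicalPrinter("Staff", "LPT1", priority=1),
    LogicalPrinter("Executive", "LPT1", priority=99),
    LogicalPrinter("AfterHours", "LPT1", priority=1,
                   available_from=time(18, 0), available_to=time(6, 0)),
]}
QUEUE: List[Job] = [
    Job(1, "User1", "Staff", seq=1),
    Job(2, "User2", "Executive", seq=2),
    Job(3, "User3", "AfterHours", seq=3),        # large report, can wait
    Job(4, "User4", "Staff", seq=4),
    Job(5, "User5", "Executive", seq=5),
    Job(6, "User6", "Staff", seq=6, priority=50),  # document priority raised
]
```

At 10:00 the two Executive jobs leave first, job 3 stays held because its printer is outside its window, and job 6 jumps ahead of the other Staff jobs only because its document priority was raised; at 20:00 the held job is released and prints in submission order among the priority-1 printers.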
MANAGING PRINTERS
In addition to adding and removing printers and print devices for your systems,
managing printers also involves assigning forms to paper trays and setting separator pages. Also, you can pause, resume, and cancel a document if a problem
occurs on a printer. If a print device is faulty or you add printers to your network,
you might need to redirect documents to a different printer. You might also need
to change which users have administrative responsibility for printers, which
involves changing ownership.
Assigning Forms to Paper Trays
If a printer has multiple trays that regularly hold different paper sizes, you can
assign a form to a specific tray. A form defines a paper size. Users can then select
the paper size from within their application. When the user prints, Windows XP
Professional routes the print job to the tray that holds the correct form. Examples
of forms include Legal, A4, Envelopes #10, and Letter Small.
You make paper tray assignments by selecting the appropriate form for each
paper tray on the Device Settings tab of the printer’s Properties dialog box
(Figure 6-26).
Figure 6-26 Assigning forms to paper trays
After you set up a paper tray, users specify the paper size from within their
Windows-based applications. Windows XP Professional then uses the paper tray
configurations to determine which paper tray holds the form.
Setting a Separator Page
A separator page is a file that contains print device commands. Separator pages
have two functions:
■ To identify and separate printed documents: Users might be
better able to identify their own documents if they are separated from
others by a distinguishable page.
■ To switch print devices between print modes: Some print devices
can switch between print modes that take advantage of different device
features. You can use separator pages to specify the correct page
description language. For example, you can specify PostScript or
Printer Control Language (PCL) for a print device that can switch
between different print modes but cannot automatically detect which
language a print job uses.
Windows XP Professional includes four separator page files, which are located in
the %systemroot%\System32 folder.
■ Sysprint.sep: Prints a page before each document; compatible with
PostScript print devices
■ Pcl.sep: Switches the print mode to PCL for HP-series print devices
and prints a page before each document
■ Pscript.sep: Switches the print mode to PostScript for HP-series
print devices but does not print a page before each document
■ Sysprtj.sep: A version of Sysprint.sep that uses Japanese characters
If you want to use a separator page, choose one and then use the Separator
Page dialog box (Figure 6-27), which is accessible from the Advanced tab of the
printer’s Properties dialog box, to specify that the separator page should be
printed at the beginning of each print job.
Figure 6-27 Configuring a separator page
Administering Printers with a Web Browser
Windows XP Professional enables you to manage printers from any computer
running a Web browser, regardless of whether the computer is running Windows
XP Professional or has the correct printer driver installed. All management tasks
that you perform with Windows XP Professional management tools are the same
when you use a Web browser. The difference is the interface, which is Web-based. To access a printer using a Web browser, a print server running
Windows 2000 Server, Windows Server 2003, or Windows XP Professional must
have Microsoft Internet Information Services (IIS) installed.
The following are the advantages of using a Web browser, such as Microsoft
Internet Explorer, to manage printers:
■ It allows you to administer printers from any computer running any
Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed. This
allows administration using HTTP, which can pass most firewalls.
■ It allows you to customize the interface. For example, you can create
your own Web page containing a floor plan with the locations of the
printers and the links to the printers.
■ It provides a summary page listing the status of all printers on a print
server.
■ It can report real-time print device data, such as whether the print
device is in power-saving mode, if the printer driver makes such information available. This information is not available in the Printers and
Faxes window.
CAUTION As with any other administrative tool, security considerations should govern how you use this tool. Do not make this tool available to users you do not trust, and control access to this tool from the
Internet.
Accessing Printers Using a Web Browser
You can access all printers on a print server by using a Web browser (Figure 6-28).
In the Address text box, type http://print_server_name/printers. This command displays a page listing all the printers on the print server. Click the name of
the printer you want to manage. If you know the share name of the printer, you
can enter it directly in the browser. Type http://server_name/printer_share_name
in the Address box. From the printer’s URL page, you can view information
about the printer, such as its model, its location, and the number of documents
waiting to print. You can manage any document you have sent to the printer, and
if you have Manage Printers permission for the printer, you can also pause or
resume operation of the printer.
Figure 6-28 Using Internet Explorer to access all printers on a print server
MANAGING DOCUMENTS
In addition to managing printers, Windows XP Professional allows you to manage documents. Managing documents includes pausing, resuming, restarting,
and canceling documents. In addition, you can set a specific document to notify
the user when it has finished printing, adjust document priority to allow a critical
document to print before other documents, or specify a specific time for a
document to print.
Pausing, Restarting, and Canceling a Document
If there is a printing problem with a specific document, you can pause and
resume printing of that document. You can also restart or cancel a document. You
must have Manage Documents permission for the appropriate printer to perform
these actions. Because the creator of a document has the default permissions to
manage that document, users can perform any of these actions on their own
documents.
To manage a document, right-click the icon representing the printer for the document in the Printers and Faxes window, and then click Open. Select the appropriate documents, click the Document menu, and then click the appropriate
command (Figure 6-29).
CHAPTER 6:
CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES
Figure 6-29 Managing documents
Here are some of the document management tasks and how to perform them:
■ Pause printing of a document  Select the documents for which you want to pause printing, and then click Pause. (The status changes to Paused.)
■ Resume printing a document  Select the documents you want to resume printing, and then click Resume. (The status changes to Printing.)
■ Restart printing of a document  Select the documents for which you want to restart printing, and then click Restart. Restart causes printing to start from the beginning of the document.
■ Cancel printing of a document  Select the documents for which you want to cancel printing, and then click Cancel. You can also cancel printing of a document by pressing the DELETE key.
TROUBLESHOOTING COMMON PRINTING PROBLEMS
During setup and configuration of a printer, problems can occur. This section
introduces a few common problems that you might encounter and suggests some
solutions. You will also learn about the built-in Printer Troubleshooter and some
of the other troubleshooting features included in Windows XP Professional.
Examining the Problem
When you detect a printing problem, always verify that the printer is plugged in,
turned on, and connected to the print server. For a network interface printer, verify that there is a network connection between the printer and the print server.
To determine the cause of a problem, first try printing from a different program to
verify that the problem is with the printer and not with the program. If the problem is with the printer, ask the following questions:
■ Can other users print normally? If so, the problem is most likely caused by insufficient permissions, no network connection, or client computer problems.
■ Does the print server use the correct printer driver for the printer?
■ Is the print server operational, and is there enough disk space for spooling?
■ Does the client computer have the correct printer driver?
Common Troubleshooting Scenarios
Table 6-2 lists some of the common setup and configuration problems that you
might encounter. It also gives probable causes of the problems and possible
solutions.
Table 6-2 Common Printer Problems and Possible Solutions

Problem: Test page does not print. You have confirmed that the printer is connected and turned on.
Probable cause: The selected port is not correct.
Possible solution: Configure the printer for the correct port. For a network interface printer, make sure that the network address is correct.

Problem: Test page or documents print incorrectly as garbled text.
Probable cause: The installed printer driver is not correct.
Possible solution: Reinstall the printer with the correct printer driver.

Problem: Pages are only partially printing.
Probable cause: There is not enough memory to print the document; or the printer does not have enough toner.
Possible solution: Add memory to the print server; or replace the printer’s toner cartridge.

Problem: Users report an error message that asks them to install a printer driver when they print to a print server running Windows XP Professional.
Probable cause: Printer drivers for the client computers are not installed on the print server.
Possible solution: On the print server, add the appropriate printer drivers for the client computers. Use the client computer operating system CD-ROM or a printer driver from the vendor.

Problem: Documents from one client computer do not print, but documents from other client computers do.
Probable cause: The client computer is connected to the wrong printer.
Possible solution: On the client computer, remove the printer, and then add the correct printer.

Problem: Documents print correctly on some printers in a printer pool, but not all of them.
Probable cause: The printers in the printer pool are not identical.
Possible solution: Verify that all printers in the printer pool are identical or that they use the same printer driver. Remove inappropriate devices.

Problem: Printing is slow because the print server is taking a long time to render the job.
Probable cause: The print server’s disk needs defragmenting or is getting close to capacity.
Possible solution: Defragment the print server’s disk and check whether there is adequate space for temporary files on the hard disk.

Problem: Printing is slow, and print jobs are taking a long time to reach the top of the queue.
Probable cause: If you are using a printing pool, you might not have enough printers in the pool.
Possible solution: Add printers to the printing pool.

Problem: Documents do not print in the right priority.
Probable cause: The printing priorities among printers are set incorrectly.
Possible solution: Adjust the printing priorities for the printer device associated with the printers.
Printing Troubleshooters
Windows XP Professional helps you interactively troubleshoot problems you
encounter. To troubleshoot problems with a printer, choose Start | Control Panel |
Printers And Other Hardware. In the Printers And Other Hardware window,
under Troubleshooters, click Printing. The Help and Support Center window
appears, with the Printing Troubleshooter displayed (Figure 6-30).
Figure 6-30 Printing Troubleshooter
Notice the series of questions on the page. As you respond to these questions, the
troubleshooter asks additional questions and makes suggestions to resolve your
problem based on the answers you provide.
Additional Troubleshooting Options
Check Event Viewer for system or application events related to a document’s failure to print. You can look up these events in the Microsoft Knowledge Base to get
more information on the potential cause.
Windows XP Professional provides a number of ways to help you resolve problems with your computer. On the Start menu, click Help And Support. If your
problem is a printing problem, click Printing And Faxing to enter the help section
on Printing and Faxing (Figure 6-31).
Figure 6-31 The Printers and Faxing area in the Help and Support Center
The Help and Support Center also allows you to use Remote Assistance to invite
another person to help you over the Internet. The expert can accept this invitation, chat with you, and view your desktop. She can also transfer any files
required to fix the issue or perform any complex procedures that need to be performed. You can also visit the Windows XP newsgroups or try Microsoft Online
Assisted Support, which is accessible from the Help and Support Center.
CONFIGURING AND MANAGING WINDOWS XP FAX SUPPORT
Windows XP Professional can provide complete fax services from your computer.
You can send and receive faxes using a locally attached fax device or using a
remote fax device connected to your network. You can track and monitor fax
activity as well. However, the fax component of Windows XP Professional is not
installed by default. You install it by installing Fax Services in the Windows Components section of Add/Remove Programs (Figure 6-32).
Figure 6-32 Installing Fax Services
If you have a fax device (such as a fax modem) installed when you install the Fax
Service, a Fax icon is added to Control Panel. You use the Fax icon to add, monitor, and troubleshoot fax devices, including fax modems and fax printers.
The Fax Console
Installing Windows XP’s fax support installs the Fax console as well. The Fax
console manages the sending and receiving of faxes. The console has tools for
designing cover pages and for viewing or printing received faxes. To access this
utility, choose Start | All Programs | Accessories. Select Fax Console to launch
the Fax console.
Fax Printers
Windows XP fax support installs the fax device to operate as a printer. This
enables you to print to the fax device and send the results as a fax. Once printing
is complete, the Fax service asks for addressing information to direct the fax to its
destination. You are also prompted to select a cover page, and you can edit information on the cover page before sending the fax. The fax can be sent immediately
or scheduled for a later time.
SUMMARY
■ Local printers are connected to a physical port on the print server, and network interface printers are connected to a printer through the network.
■ Network interface printers require their own network interface cards and have their own network address, or else they are attached to an external network adapter.
■ Windows XP Professional supports the following printer ports (software interfaces): LPT, COM, USB, and network-attached devices such as the HP JetDirect and Intel NetPort.
■ Sharing a local printer makes it possible for multiple users on the network to use it.
■ To set up and share a printer for a local print device or for a network interface print device, use the Add Printer Wizard.
■ To share an existing printer, use the Sharing tab of the Properties dialog box for the printer and select Share This Printer.
■ Windows XP Professional allows you to control printer use and administration by assigning permissions.
■ On client computers running Windows XP Professional, Windows 2000, or Windows Server 2003 that are members of an Active Directory domain, you can find a printer using Active Directory search capabilities.
■ On client computers running Windows NT 4, Windows 95, or Windows 98, the Add Printer Wizard allows you only to enter a UNC name or to browse Network Neighborhood to locate the printer.
■ A printer pool consists of two or more identical printers that are connected to one print server and act as a single printer.
■ You can set priorities on virtual printers so users can send critical documents to a high-priority printer and noncritical documents to a lower-priority printer, even when there is only one physical printer.
■ Setting a specific time for a document to print allows large documents to print only during off hours, such as late at night.
■ Windows XP Professional enables you to manage printers from any computer running a Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed.
■ Windows XP Professional helps you interactively troubleshoot problems you encounter. To troubleshoot printing problems, use the Printing Troubleshooter.
REVIEW QUESTIONS
1. To have a print server on your network, do you have to have a
computer running one of the Windows Server products? Why?
2. Windows XP Professional printing supports which of the following
types of computers? (Choose all correct answers.)
a. Macintosh computers
b. UNIX computers
c. NetWare clients
d. Windows 98 computers
3. Which of the following operating systems running on a client computer allow you to connect to a network printer by using Active Directory search capabilities? (Choose all correct answers.)
a. Windows Server 2003
b. Windows Me
c. Windows NT 4
d. Windows XP Professional
4. Which of the following tabs do you use to assign printer permissions
to users and groups?
a. Security tab of the Properties dialog box for the printer
b. Security tab of the Properties dialog box for the user or group
c. Permissions tab of the Properties dialog box for the printer
d. Permissions tab of the Properties dialog box for the user or group
5. If a printer has multiple trays that regularly hold different paper sizes,
how do you assign a form to a paper tray?
6. Briefly describe how to enable Internet printing on a print server.
CASE SCENARIOS
Scenario 6-1: Printing in a Small Office
You are the system administrator in a small architectural drafting office that uses
four UNIX and six Windows XP Professional workstations. You are asked to
establish printing to two wide-format plotters from all systems. The plotters do
not have any network connectivity, but you have print drivers for both Windows
XP and UNIX. What is the best way to establish printing in this scenario?
Scenario 6-2: Printer Wars
You are the network analyst for a trading office. The office has only one printer.
Users are complaining to you about printing conflicts. The traders need their
print jobs printed immediately, but these jobs often wait behind large reports
being printed by the accountants. The office staff and accountants also need to
print e-mails and spreadsheets, but these are not urgent jobs. Using a combination of printing schedules, printer priorities, and permissions, how can you make
everyone happy?
CHAPTER 7
CONFIGURING AND MANAGING NTFS SECURITY
Upon completion of this chapter, you will be able to:
■ Understand the structure of NTFS security
■ Control access to files and folders by using permissions
■ Optimize access to files and folders by using NTFS best practices
■ Audit NTFS security
■ Troubleshoot access to files and folders
In this chapter, we’ll explore the configuration and management of security in the
NTFS file system. You will learn how NTFS manages users’ access to resources
and how to analyze and configure access control lists (ACLs). You’ll see how
user group membership controls access to resources and how individual permissions are grouped into standard permissions. Finally, we will discuss how you
can combine security groups and permissions to control access.
UNDERSTANDING THE NTFS FILE SYSTEM
To understand how the NTFS file system controls access to files, folders, and
other objects, you need to understand the basic workings of the NTFS file system.
In this course, you have already learned how the hard disk is divided into volumes
or partitions. The file system’s job is to provide some structure to the volume or
partition to allow it to store, track, and secure data that is stored on it.
The NTFS file system can be described as a collection of files. The files are classified
into two types, normal files (data files) and metadata files (files that contain data
that describes data). The Master File Table (MFT), itself a metadata file, points to
each of the other files, both normal and metadata, while including pointers to the
appropriate entry in the $Secure file to control who has access to the files.
Let’s look more closely at the metadata files:
■ Master File Table (MFT)  A metadata repository containing pointers to the actual storage sites of data on the physical disk. The MFT (Figure 7-1) also contains directory indexes and stores attributes of files and folders in MFT records. The MFT can expand as more data is stored, allowing for the storage of vast amounts of data. In addition, a mirror copy of a portion of the MFT is maintained on each NTFS volume to ensure recoverability of the file system if the main MFT is damaged.
Figure 7-1 MFT structure [figure: an NTFS-formatted disk holding $Boot, the MFT, $Secure, and data files; each MFT record (for example Abc.doc, 123.doc, Xyz.xls, 987.txt) consists of an MFT record header, a file name attribute, standard attributes (timestamps), a security index reference ($SII, shown as NTFSSID1), and location information on disk (LCN)]
NOTE The MFT is placed in an area on disk called the MFT zone, which is
an area of disk set aside for expansion of the MFT. As the disk fills, this
zone is reduced in size as required. If the zone gets small enough that the
MFT no longer fits, the MFT can become fragmented because it has to be
recorded in other areas of the disk. MFT fragmentation severely reduces
file system performance and is one of the deleterious effects of filling up
an NTFS volume.
■ Consolidated security  NTFS maintains another metadata repository for tracking security information. Replacing the individual security descriptors (lists of users and groups with access to the file or folder, stored separately for each file or folder) of earlier versions of NTFS, the $Secure metadata file (Figure 7-2) contains a set of common security descriptors that can be referenced over and over again by a single index attribute stored in the MFT for a file or folder. As each file or folder is assigned security settings, these settings are compared against settings assigned to other files and folders. If they match, both resources are assigned the same security entry in the $Secure metadata file. This reduces the amount of resources devoted to maintaining what could be thousands of separate security descriptor attributes on files and folders. Instead, a fairly small number (by comparison) of unique security descriptors are stored in the $Secure metadata file, with index pointers to these entries stored in the file or folder’s MFT record.
Figure 7-2 Security organization in NTFS [figure: each MFT record carries an NTFS security ID index ($SII) attribute (NTFSSID1 through NTFSSID4); each index points to an entry in the $Secure metadata file holding the user or group security IDs (SIDs) and the permissions for the corresponding data file]
■ Transaction logging  By logging changes to files, NTFS ensures data consistency by reversing unfinished transactions when recovering from a crash.
■ Quota tracking  NTFS has the ability, through quota tracking, to keep track of the amount of data each user has stored on a volume and to limit further disk writes to prevent exceeding the limit.
NOTE Quota management is covered in Chapter 3.
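The consolidated security scheme described in the Consolidated security item above, as an added Python model (not NTFS’s own on-disk format or the book’s code): descriptors are interned in a stand-in for $Secure, and each MFT record holds only the small security ID that indexes the shared entry. The owner SID and file names are constructed; the two group SIDs are the well-known BUILTIN Administrators and Users SIDs.

```python
"""Consolidated security as the list above describes it, modeled in Python.
Added example, not NTFS's on-disk format: identical security descriptors are
stored once in a stand-in for $Secure, and each MFT record keeps only the small
NTFS security ID ($SII index) that points at the shared entry. Matching is
exact equality of owner and ordered ACE tuple; the owner SID and file names are
constructed (the two group SIDs are the well-known BUILTIN ones)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str     # SID of the owner
    dacl: tuple    # ordered (kind, sid, permission) ACE triples

class SecureFile:
    """Stand-in for $Secure: one stored copy per unique descriptor."""

    def __init__(self):
        self._id_by_descriptor = {}   # descriptor -> NTFS security ID
        self._descriptor_by_id = {}   # NTFS security ID -> descriptor ($SII)
        self._refs = {}               # MFT records sharing each entry
        self._next_id = 1

    def assign(self, descriptor):
        """Return the security ID for descriptor, storing it only if new."""
        sec_id = self._id_by_descriptor.get(descriptor)
        if sec_id is None:            # first file with these exact settings
            sec_id, self._next_id = self._next_id, self._next_id + 1
            self._id_by_descriptor[descriptor] = sec_id
            self._descriptor_by_id[sec_id] = descriptor
            self._refs[sec_id] = 0
        self._refs[sec_id] += 1
        return sec_id

    def lookup(self, sec_id):
        """Resolve the ID held in an MFT record to the shared descriptor."""
        return self._descriptor_by_id[sec_id]

    def unique_count(self):
        return len(self._descriptor_by_id)

    def references(self, sec_id):
        return self._refs[sec_id]

@dataclass
class MftRecord:
    name: str
    security_id: int   # the only security data the record itself carries

def build_sample_volume():
    """Four files (names from Figure 7-1) with two distinct descriptors."""
    owner = "S-1-5-21-EXAMPLE-500"                                # placeholder
    admins_full = (("Allow", "S-1-5-32-544", "Full Control"),)   # Administrators
    users_read = (("Allow", "S-1-5-32-545", "Read & Execute"),)  # Users
    shared = SecurityDescriptor(owner, admins_full + users_read)
    private = SecurityDescriptor(owner, admins_full)
    secure = SecureFile()
    records = [MftRecord(name, secure.assign(desc)) for name, desc in
               [("Abc.doc", shared), ("123.doc", shared),
                ("Xyz.xls", private), ("987.txt", shared)]]
    return secure, records
```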
UNDERSTANDING NTFS PERMISSIONS
The NTFS security descriptors described above contain access control lists (ACLs), which are, in essence, lists of user or group security IDs (SIDs), each matched with the permission settings for that SID. These individual entries are called access control entries (ACEs).
Components of NTFS Permissions
NTFS permission assignment involves three components: ACLs, ACEs, and users
or groups.
Access control lists (ACLs)
The ACL is the fundamental construct of security in the Microsoft Windows NT
family of operating systems. Objects from files and folders all the way up to group
policy objects in Active Directory are secured by using ACLs. ACLs come in
two types:
■ System access control lists (SACLs)  SACLs are defined by the operating system and are controlled administratively, either by policies or by system administrators. They control auditing of access to objects.
■ Discretionary access control lists (DACLs)  DACLs are commonly referred to simply as ACLs. These are the lists of users or groups that have been granted access to an object. Because access is granted at the discretion of the object’s owner, this type of ACL is classified as discretionary.
Each object’s security descriptor contains a DACL that defines the users and
groups that have access permissions to the object. NTFS stores this DACL in the
$Secure metadata file and records the descriptor’s index attribute in the object’s
standard information attributes in the MFT.
Access control entries (ACEs)
ACLs consist of one or more access control entries (ACEs). These entries consist
of a user or group security identifier (SID) paired with permissions assigned to
this SID. ACEs can be one of three types:
■ Allow ACE  An ACE that allows access to the listed SID for the listed operations (Read, Write, Modify, etc.).
■ Deny ACE  An ACE designed to deny the specified operation to the listed SID.
■ System Audit ACE  A component of a SACL, a System Audit ACE lists the operations to be audited for an object.
When more than one ACE exists on an ACL, the cumulative effects of all the ACEs
are taken into account to determine what operations are permitted for a specific
user. The rule governing this can be stated in the following way: Permission
assigned to a user who has more than one ACE for an object is the most lenient of the
accumulated permissions, unless one of the permissions is Deny, which overrides all
other permissions for the specified operation.
An example of this rule is the case where a user might be a member of more than
one security group with access to a file. If one group has Allow Read permission
and the other has Allow Modify, the user has permission to modify the file. If the
permissions are Allow Modify and Deny Read, the user cannot open the file,
thereby negating the Modify permission.
NOTE We will discuss permissions in more detail in the upcoming section titled “NTFS Permissions.”
Users and groups
Users and groups, which are identified by the SID in the ACE, are the final part of
the NTFS permissions scheme. By placing users into security groups and assigning the groups access to NTFS objects, you can easily control object access. Simply
by placing a user into a security group, you confer all permissions granted to the
group. This chapter discusses both built-in security groups and administratively
created security groups, which differ in a few important ways:
■ Built-in security groups  Groups that are included with the operating system by default. Examples of these groups are the Users group, Power Users group, and Administrators group. By default, Administrators have Full Control access to NTFS folders and files so they can administer permissions.
■ Assigned security groups  Groups created by administrators to make it easier to manage access to resources. An example of an assigned group is an Applications group that you might create to manage access to executable applications.
■ Special groups  Also referred to as implicit groups, these are groups whose membership changes based on the circumstances of a user’s access to a file. Examples of special groups are:
❑ CREATOR OWNER group  A group made up of the creator or owner(s) of a resource.
NOTE We will pay special attention to the CREATOR OWNER group in this chapter. As you will see, you can use this group to manage access to public data.
❑ INTERACTIVE group  A group of users who access an object while logged on to a system’s console.
❑ NETWORK group  A group of users who access a resource over a network connection.
❑ Everyone group  Any user identifiable by username who attempts to access resources on a system. This group includes users who have not authenticated themselves to any authority recognized by the system.
❑ Authenticated Users group  Users who have been authenticated by an authority recognized and trusted by the system. This is an important consideration for security because members of the Authenticated Users group are more trusted than users belonging only to the Everyone group.
NTFS Permissions
You use NTFS permissions to specify which users and groups can access files and
folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes
formatted with file allocation table (FAT) or FAT32 file systems. NTFS security
applies whether a user accesses the file or folder at the local computer or over the
network.
The permissions you assign for folders are different from the permissions you
assign for files. Administrators, the owners of files or folders, and users with Full
Control permission can assign NTFS permissions to users and groups to control
access to files and folders.
NTFS folder permissions
You assign folder permissions to control the access that users have to folders and
to the files and subfolders within the folders. Folder permissions differ from file
permissions in that some folder-level operations, such as listing folder contents,
do not apply directly to files.
The standard folder permissions are:
■ Read  See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)
■ Write  Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
■ List Folder Contents  See the names of files and subfolders in the folder
■ Read & Execute  Move through folders to reach other files and folders, even if you don’t have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
■ Modify  Delete the folder plus perform actions permitted by the Write permission and the Read & Execute permission
■ Full Control  Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions
You can deny any individual permission to a user account or group. To deny all
access to a user account or group for a folder, deny the Full Control permission.
CAUTION Take care when denying permissions. This action, if not properly documented, can cause hard-to-trace permission issues when users are members of more than one group or change group membership later on.
NTFS file permissions
You assign file permissions to control the access that users have to files. The
standard file permissions are:
■ Read  Read the file and view file attributes, ownership, and permissions
■ Write  Overwrite the file, change file attributes, and view file ownership and permissions
■ Read & Execute  Run applications, plus perform the actions permitted by the Read permission
■ Modify  Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
■ Full Control  Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions
Special permissions
The previous section mentioned standard permissions. NTFS actually has 14 discrete permissions that apply to folders and 13 that apply to files. These permissions are grouped together into standard permissions for convenience, but you
can assign them separately to provide very granular control of access permission
for objects stored in the file system. These discrete permissions are called NTFS
special permissions.
The NTFS special permissions are as follows:
■ Full Control  Applies all permissions to the user or group.
■ Traverse Folder/Execute File  Traverse Folder applies only to folders. It allows or denies moving through folders to access other files or folders, even when the user has no permissions for the traversed folder (the folder that the user is moving through). Traverse Folder is not applied if the user or group has the Bypass Traverse Checking user right granted in Group Policy (discussed in Chapter 13). By default, the Everyone group has Bypass Traverse Checking granted, so you must modify the Group Policy if you want to use the Traverse Folder permission. Execute File applies only to files. It allows or denies running executable files (application files).
■ List Folder/Read Data  List Folder applies only to folders. It allows or denies viewing file names and subfolder names within the folder. Read Data applies only to files. It allows or denies viewing the contents of a file.
■ Read Attributes  Allows or denies the viewing of the attributes of a file or folder. These attributes are defined by NTFS. Attributes are items such as time stamps, compression, or encryption.
■ Read Extended Attributes  Allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs. These can be items such as Author, Subject, and Source.
■ Create Files/Write Data  Create Files applies only to folders. It allows or denies the creation of files within a folder. Write Data applies only to files. It allows or denies the making of changes to a file and the overwriting of existing content.
■ Create Folders/Append Data  Create Folders applies only to folders. It allows or denies the creation of folders within the folder. Append Data applies only to files. It allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.
■ Write Attributes  Allows or denies the changing of the NTFS attributes (such as time stamps and compression attributes) of a file or folder.
■ Write Extended Attributes  Allows or denies the changing of the extended attributes (such as Author, Subject, and Source) of a file or a folder.
■ Delete Subfolders and Files  Allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file.
■ Delete  Allows or denies the deletion of a file or folder. A user can delete a file or folder even without having the Delete permission granted on that file or folder if the Delete Subfolders and Files permission has been granted to the user on the parent folder.
■ Read Permissions  Allows or denies the reading of the permissions assigned to the file or folder.
■ Change Permissions  Allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them Full Control permission over the file or folder. In this way, the administrator or user can’t delete or write to the file or folder but can assign permissions to the file or folder.
■ Take Ownership  Allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder.
NOTE There is one other special permission that you will not see very often: Synchronize. Synchronize allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that might signal it. This permission applies only to multithreaded, multiprocess programs.
Mapping NTFS special permissions to standard permissions
Figure 7-3 shows how the NTFS special permissions combine to make up the
NTFS standard permissions.
Figure 7-3 Mapping NTFS special permissions to NTFS standard permissions
Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
Write: Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes
List Folder Contents: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
Read & Execute: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
Modify: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete
Full Control: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Change Permissions, Take Ownership
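The cumulative-ACE rule stated under “Access control entries (ACEs)” and the special-to-standard mapping of Figure 7-3, modeled together as an added Python example (not the book’s or Windows’ own code): Python Flag bits stand in for the access-mask bits, and the SIDs are constructed placeholders.

```python
"""Figure 7-3 and the chapter's cumulative-ACE rule, modeled in Python.
Added example, not the book's or Windows' code: the special permissions are
bit flags, each standard permission is the union Figure 7-3 shows, and a
user's effective access is every Allow ACE for the user or the user's groups
minus anything a Deny ACE withholds. The SIDs are constructed placeholders."""
from dataclasses import dataclass
from enum import Flag, auto

class Special(Flag):
    """The twelve NTFS special permissions shown in Figure 7-3."""
    TRAVERSE_FOLDER_EXECUTE_FILE = auto()
    LIST_FOLDER_READ_DATA = auto()
    READ_ATTRIBUTES = auto()
    READ_EXTENDED_ATTRIBUTES = auto()
    READ_PERMISSIONS = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    WRITE_ATTRIBUTES = auto()
    WRITE_EXTENDED_ATTRIBUTES = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()

S = Special
NONE = Special(0)
# Standard permissions as unions of special permissions (Figure 7-3).
STANDARD = {}
STANDARD["Read"] = (S.LIST_FOLDER_READ_DATA | S.READ_ATTRIBUTES
                    | S.READ_EXTENDED_ATTRIBUTES | S.READ_PERMISSIONS)
STANDARD["Write"] = (S.CREATE_FILES_WRITE_DATA | S.CREATE_FOLDERS_APPEND_DATA
                     | S.WRITE_ATTRIBUTES | S.WRITE_EXTENDED_ATTRIBUTES)
STANDARD["Read & Execute"] = STANDARD["Read"] | S.TRAVERSE_FOLDER_EXECUTE_FILE
STANDARD["List Folder Contents"] = STANDARD["Read & Execute"]
STANDARD["Modify"] = STANDARD["Read & Execute"] | STANDARD["Write"] | S.DELETE
STANDARD["Full Control"] = (STANDARD["Modify"] | S.CHANGE_PERMISSIONS
                            | S.TAKE_OWNERSHIP)

@dataclass(frozen=True)
class Ace:
    kind: str        # "Allow" or "Deny"
    sid: str         # user or group SID the entry applies to
    rights: Special  # special permissions the entry covers

def effective_rights(dacl, user_sid, group_sids):
    """Union every Allow that names the user or one of the user's groups,
    then remove every operation that a Deny names for any of them."""
    principals = {user_sid, *group_sids}
    allowed = denied = NONE
    for ace in dacl:
        if ace.sid not in principals:
            continue                      # entry is for someone else
        if ace.kind == "Allow":
            allowed |= ace.rights
        elif ace.kind == "Deny":
            denied |= ace.rights
        else:
            raise ValueError(f"unknown ACE type {ace.kind!r}")
    return allowed & ~denied

def has_access(dacl, user_sid, group_sids, requested):
    """Grant only if every requested special permission survives the Denies."""
    missing = requested & ~effective_rights(dacl, user_sid, group_sids)
    return missing == NONE

def standard_names(rights):
    """Standard permissions (Figure 7-3) wholly contained in `rights`."""
    return {name for name, bits in STANDARD.items() if (bits & ~rights) == NONE}

def book_examples():
    """The two cases the chapter walks through, on constructed sample ACLs."""
    user = "S-1-5-21-EXAMPLE-1001"                   # placeholder SIDs
    readers, editors, restricted = ("S-1-5-21-EXAMPLE-2001",
                                    "S-1-5-21-EXAMPLE-2002",
                                    "S-1-5-21-EXAMPLE-2003")
    # Case 1: Allow Read through one group and Allow Modify through another;
    # the most lenient accumulated permission, Modify, applies.
    case1 = [Ace("Allow", readers, STANDARD["Read"]),
             Ace("Allow", editors, STANDARD["Modify"])]
    groups1 = {readers, editors}
    # Case 2: Allow Modify through one group, Deny Read through another. The
    # Deny removes the four Read specials, so the file cannot be opened and
    # Modify is no longer satisfied; only the Write-family specials remain.
    case2 = [Ace("Allow", editors, STANDARD["Modify"]),
             Ace("Deny", restricted, STANDARD["Read"])]
    groups2 = {editors, restricted}
    return {
        "case1_can_modify": has_access(case1, user, groups1, STANDARD["Modify"]),
        "case2_can_open": has_access(case2, user, groups2, S.LIST_FOLDER_READ_DATA),
        "case2_can_modify": has_access(case2, user, groups2, STANDARD["Modify"]),
        "case2_can_append": has_access(case2, user, groups2,
                                       S.CREATE_FOLDERS_APPEND_DATA),
        "case2_standard": standard_names(effective_rights(case2, user, groups2)),
    }
```

Case 2 also shows why the CAUTION about denies matters: the Deny Read entry leaves the user with an effective set that maps to the Write standard permission only, which is hard to spot from the two group assignments alone.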
NTFS Permissions Inheritance
By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder, as well as to any new files and subfolders that are created in the folder. However, you can prevent permissions inheritance.
You can prevent permissions assigned to a parent folder from being inherited
by subfolders and files that are contained within the folder. You might want to
do this if a certain subfolder needs permissions that differ from the rest of the
subfolders—for instance, if you have a parent folder called Data but want the
Engineering Data subfolder to have slightly different permissions.
To block permissions inheritance:
1. In the Advanced Security Settings dialog box, clear the Inherit From
Parent The Permission Entries That Apply To Child Objects check box.
2. Windows XP prompts you to copy existing permissions, remove all
permissions and start with an empty ACL, or cancel.
CHAPTER 7:
CONFIGURING AND MANAGING NTFS SECURITY
The folder for which you prevent permissions inheritance becomes the new
parent folder. The subfolders and files contained within this new parent folder
inherit the permissions assigned to it.
Copying or moving NTFS objects
When you copy or move an object on an NTFS volume or between NTFS
volumes (Figure 7-4), it might inherit permissions from its new parent folder,
depending on the type of operation performed.
Figure 7-4 Copying and moving NTFS objects
An object moved within an NTFS volume retains its permissions.
All other operations, move or copy, inherit permissions from the destination folder.
XCOPY.EXE with the /O or /X option will copy permissions to the new location.
■ Moving NTFS objects within an NTFS volume  The only situation in which permissions are retained (ACLs copied with objects) is when an object such as a file or folder is moved within an NTFS partition.
■ Moving NTFS objects between NTFS volumes  When objects are moved between volumes, they inherit the permissions of whichever target folder they are placed in on the target volume.
■ Moving NTFS objects to a non-NTFS volume  Moving an object to a volume that does not support NTFS permissions removes all permissions from the object.
■ Copying NTFS objects within an NTFS volume  When you copy an object within an NTFS volume, it inherits the permissions of the target folder.
■ Copying NTFS objects to another NTFS volume  When you copy an object to another NTFS volume, it inherits the permissions of the target folder.
■ Copying NTFS objects to a non-NTFS volume  Copying an object to a volume without NTFS security removes all permissions from the object.
There are two ways to cause Windows XP to retain permissions even when an
object is copied or moved to another NTFS volume:
■ Using Xcopy.exe with the /O or the /X command-line switch copies permissions to the new destination.
■ Modifying the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer registry key. Adding the DWORD value ForceCopyAclwithFile with a value of 1 causes Windows XP to always copy the ACL with the object.
MORE INFO For more on these methods of copying permissions, see
Microsoft Knowledge Base article 310316.
MANAGING NTFS PERMISSIONS
To assign NTFS permissions, you must fully understand the use and consequences of each permission. It is also important to understand how permissions
from multiple group memberships work together to create effective permissions.
In this section, you will learn how to plan for NTFS permission assignment and
how to assign permissions. We will also explore how to determine effective
permissions and how the system uses this determination to grant or deny
access to objects.
Best Practices for Assigning Permissions
The following are best practices for implementing NTFS permissions. These
guidelines will help you avoid permission problems.
■ Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks. Observe the principle of least privilege.
■ Assign all permissions at the folder level, not at the file level. Group files for which you want to restrict user access in a separate folder, and then assign restricted access to that folder.
■ Assign permissions to groups whenever possible, not to individual users. You can manage permissions for a group once, and then make users members of that group to give them access to the files or folders.
■ Avoid changing the default permissions on system files and folders. This can cause unexpected and difficult-to-diagnose problems.
■ Do not deny access to the Everyone group. Administrators are members of Everyone as well, and they would also be restricted. Instead, remove the Everyone group from the ACL and replace it with appropriate groups requiring access. If all users require access, use the Authenticated Users group.
■ For all application executable files, assign Read & Execute and Change Permissions to the Administrators group and assign Read & Execute to the Users group. Damage to application files usually results from accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions.
■ For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Authenticated Users group. This gives users full access to the files that they create, but members of the Authenticated Users group can only read files in the folder and add files to the folder.
■ If you don’t want a user or group to access a particular folder or file, don’t assign permissions. If you do not grant permission, the user will not have access to the object. You should deny permissions only in the following special cases (which should be very well documented):
  ❑ To exclude a person (or persons) who belongs to a group with Allowed permissions. For example, in a department where users have full control over files, you can deny permission to modify data to new employees who are in a probationary period.
  ❑ To exclude one special permission from a standard permission group. For example, you can deny the Delete special permission to users who have the Modify standard permission.
Setting NTFS Permissions
Administrators, users with the Full Control permission, and the owners of files
and folders can assign permissions to user accounts and groups.
To assign or modify NTFS permissions for a file or folder, on the Security tab of
the Properties dialog box for the file or folder, configure the options shown in
Figure 7-5.
Figure 7-5 Assigning NTFS permissions
Here are the options on the Security tab:
■ Group Or User Names  Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list.
■ Permissions For Administrators  Allows or denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission. This selection creates an Allow or Deny ACE in the ACL for the object.
■ Add  Opens the Select Users Or Groups dialog box, which you use to select user accounts and groups to add to the Group Or User Names list (shown in Figure 7-6).
■ Remove  Removes the selected user account or group and the associated permissions for the file or folder. This removes the ACE for this user or group from the associated ACL for the object.
■ Advanced  Opens the Advanced Security Settings dialog box for the selected folder so that you can grant or deny special permissions (shown in Figure 7-7).
Adding users or groups
Click Add to display the Select Users Or Groups dialog box (Figure 7-6), where
you can add users or groups so that you can assign them permissions for accessing a folder or file.
Figure 7-6 The Select Users Or Groups dialog box for a folder
The options in the Select Users Or Groups dialog box are:
■ Select This Object Type  Allows you to select the types of objects you want to look for, such as built-in security principals (users, groups, and computer accounts), user accounts, or groups.
■ From This Location  Indicates where you are currently looking—for example, in the domain or on the local computer.
■ Locations  Allows you to select where you want to look—for example, in the domain or on the local computer.
■ Enter The Object Names To Select  Allows you to type in a list of built-in security principals, users, or groups to be added.
■ Check Names  Verifies the selected list of built-in security principals, users, or groups to be added against the location selected in the From This Location field.
■ Advanced  Allows you access to advanced search features, including the ability to search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days.
Granting or denying special permissions
On the Security tab of the Properties dialog box, click Advanced to display the
Advanced Security Settings dialog box (Figure 7-7), which lists the users and
groups and the permissions they have on this object. The Permissions Entries box
also shows where the permissions were inherited from and where they are applied.
You can use the Advanced Security Settings dialog box to change the special
permissions set for a user or group. To change the permissions set for a user or
group, select a user and click Edit to display the Permission Entry For dialog box
(Figure 7-8). You can then select or clear the specific permissions that you want
to change.
Figure 7-7 The Permissions tab of the Advanced Security Settings dialog box for a folder
Figure 7-8 The Permission Entry dialog box for a folder
NOTE For more information on each of the NTFS special permissions, see the “NTFS Permissions” section earlier in the chapter.
Taking ownership of files and folders
You can transfer ownership of files and folders from one user account or group to
another. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder (Figure 7-9).
The following rules apply for taking ownership of a file or folder:
■ The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or any member of the group to take ownership.
■ An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.
Figure 7-9 Taking ownership of a folder
For example, if an employee leaves the company, an administrator can take
ownership of the employee’s files and assign the Take Ownership permission
to another employee, and then that employee can take ownership of the former
employee’s files.
NOTE You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.
To take ownership of a file or folder:
1. On the Security tab of the Properties dialog box for the file or folder,
click Advanced.
2. In the Advanced Security Settings dialog box, on the Owner tab, select
your name in the Change Owner To list.
3. Select the Replace Owner On Subcontainers And Objects check box to
take ownership of all subfolders and files that are contained within the
folder, and then click OK.
Preventing permissions inheritance
As we discussed earlier, subfolders and files inherit permissions that you
assign to their parent folder. This is indicated in the Advanced Security Settings dialog box (shown earlier in Figure 7-7) when the Inherit From Parent
The Permission Entries That Apply To Child Objects check box is selected.
To prevent a subfolder or file from inheriting permissions from a parent
folder, clear the check box. You are then prompted to select one of the following options:
■ Copy  Copy the permission entries that were previously applied from the parent to the child, and then deny subsequent permissions inheritance from the parent folder.
■ Remove  Remove the permission entries that were previously applied from the parent to the child, and retain only the permissions that you explicitly assign here.
■ Cancel  Cancel the dialog box.
Using Command-Line Tools to View and Modify Permissions
Microsoft offers two command-line tools for viewing and setting NTFS permissions in Windows XP: CACLS.exe (for “Change ACLs”) and XCACLS.exe (for
“Extended CACLs”). CACLS is included in Windows XP, and XCACLS is available for download from Microsoft. The principal difference is that CACLS can
set only standard NTFS permissions—Read, Write, Change (Modify), and Full
Control—while XCACLS offers more (but not full) control over special permissions such as Delete, Change permissions, and Take Ownership. In this section,
we will discuss viewing and setting permissions with CACLS.
MORE INFO For more information on using XCACLS, see Microsoft
Knowledge Base article 318754.
Understanding CACLS
CACLS has the following command-line switches:
■ /T  Changes the ACLs of specified files in the current directory and all subdirectories.
■ /E  Edits existing ACLs instead of replacing them.
■ /C  Causes CACLS to continue on access denied errors. The default behavior is to stop when the first error is encountered.
■ /G user:perm  Grants permissions to the specified user. The permissions you grant can be one of the following: Read, Write, Change (the same as Modify), or Full Control.
■ /R user  Actually removes the ACE for the specified user. If this is the only ACE the user’s access token is a match with, access is denied to the specified user. If the user belongs to a group with access, the user continues to have access based on the group’s permissions. This switch can be used only in conjunction with the /E switch.
■ /P user:perm  Replaces the specified user’s access permissions with the new permissions given. This has the same effect as revoking the user’s permissions and granting new permissions. The permissions you grant can be one of the following: None (the same as Deny Full Control), Read, Write, Change (the same as Modify), or Full Control.
■ /D user  The same as setting Deny Full Control for the specified user. This switch has the same effect as /P used with the N permission.
Using CACLS to view and change permissions
CACLS used without any switches displays permissions assigned to the specified
resource (Figure 7-10).
Figure 7-10 CACLS showing permissions for a folder
NOTE In Figure 7-10, the CACLS display shows Special Access permissions FILE_APPEND_DATA and FILE_WRITE_DATA. Even though CACLS
cannot modify these permissions, it reports on their use.
To change permissions, you must first decide whether you are changing permissions for one user, a group, or all users at once. The /E switch allows you to
manipulate existing ACEs, add new ones, and remove individual ACEs. If you do
not specify the /E switch, all ACEs are removed and replaced by the new ACE you
have defined with CACLS.
CAUTION Failure to use the /E switch with CACLS results in the
removal of all previously existing ACEs.
If you want to add permission for a user or group, you can do so by simply using
the /G switch. The following command grants Jack the Full Control permission
to the Syllabi folder:
CACLS.EXE Syllabi /E /G Jack:F
To revoke the ACE for Jack, issue the CACLS command with the /R switch:
CACLS.EXE Syllabi /E /R Jack
NOTE In the Revoke ACE scenario above, the user will still have any access granted by group memberships.
To deny access to Jack, in spite of any other permissions he might have:
CACLS.EXE Syllabi /E /D Jack
Finally, to grant the built-in Users group permission to modify files in the folder:
CACLS.EXE Syllabi /E /G Users:C
CACLS power play
The true power of a tool such as CACLS is the ability to use it in batch files to
change permissions for many users or folders at once. By issuing a series of
CACLS commands in a batch file, you can automate changes to lock users out of
data folders during backup operations and let them back in afterward. You can
also use CACLS to dump permission listings into a file by using the > commandline redirect:
CACLS.EXE Syllabi > permissions.txt
Doing this daily allows you to analyze changes being made to permissions over a
long period of time. You can use a program such as Windiff.exe to spot changed
lines in the files. It might therefore be possible to spot nefarious activity by other
administrators or users of the system.
NOTE Windiff.exe is one of more than 100 support tools included with Windows XP. You can install them by running the Setup program in the \Support\Tools folder on the Windows XP Professional CD-ROM. For more information on installing support tools, see Microsoft Knowledge Base article 306794 at http://support.microsoft.com.
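The daily dump-and-compare idea above, as an added example that is not from the book: a Python parser for the text that CACLS prints (including the indented special-access entries such as FILE_APPEND_DATA mentioned in the note on Figure 7-10) and a diff of two dumps that reports which ACEs appeared or disappeared. The two dumps, the folder C:\Syllabi and the account CONTOSO\Jack are constructed, and the parser assumes the listed path contains no spaces.

```python
"""Added example (not the book's code): parse two CACLS dumps and report the
ACEs that changed between them. The sample dumps below are constructed in
the format CACLS prints; the listed path is assumed to contain no spaces."""
import re

# One ACE per line: "<trustee>:<flags><perm>", e.g. BUILTIN\Users:(OI)(CI)R
# Special access shows as "<trustee>:(CI)(special access:)" followed by one
# indented right name per line and a blank line.
ACE_RE = re.compile(r"^(?P<trustee>[^:]+):(?P<flags>(?:\([^)]*\))*)(?P<perm>[A-Z]*)$")


def parse_cacls(dump):
    """Return a set of (trustee, flags, rights) triples from CACLS text output."""
    aces = set()
    lines = dump.splitlines()
    i, first = 0, True
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line:
            continue
        if first:
            # CACLS prints the path, a space, then the first ACE on one line.
            line = line.split(" ", 1)[1]
            first = False
        m = ACE_RE.match(line)
        if not m:
            raise ValueError("unrecognised CACLS line: %r" % line)
        trustee, flags, perm = m.group("trustee", "flags", "perm")
        if "(special access:)" in flags:
            # Collect the indented right names until the blank line ends them.
            rights = []
            while i < len(lines) and lines[i].strip():
                rights.append(lines[i].strip())
                i += 1
            flags = flags.replace("(special access:)", "")
            perm = "+".join(sorted(rights))
        aces.add((trustee, flags, perm))
    return aces


def diff_dumps(old, new):
    """ACEs only in the newer dump ('added') and only in the older one ('removed')."""
    before, after = parse_cacls(old), parse_cacls(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


# Constructed output of "CACLS.EXE C:\Syllabi > permissions.txt" on two days.
YESTERDAY = """
C:\\Syllabi BUILTIN\\Administrators:(OI)(CI)F
           NT AUTHORITY\\SYSTEM:(OI)(CI)F
           BUILTIN\\Users:(OI)(CI)R
           BUILTIN\\Users:(CI)(special access:)
                                     FILE_APPEND_DATA

           BUILTIN\\Users:(CI)(special access:)
                                     FILE_WRITE_DATA

"""
TODAY = """
C:\\Syllabi BUILTIN\\Administrators:(OI)(CI)F
           NT AUTHORITY\\SYSTEM:(OI)(CI)F
           BUILTIN\\Users:(OI)(CI)R
           CONTOSO\\Jack:(OI)(CI)F
           BUILTIN\\Users:(CI)(special access:)
                                     FILE_APPEND_DATA

"""

if __name__ == "__main__":
    changes = diff_dumps(YESTERDAY, TODAY)
    for kind in ("added", "removed"):
        for trustee, flags, perm in changes[kind]:
            print("%-8s %s:%s%s" % (kind, trustee, flags, perm))
```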
Assigning Multiple NTFS Permissions
You can assign multiple permissions to a user account and to each group the user
belongs to. To assign permissions, you must understand the rules and priorities
by which NTFS assigns and combines multiple permissions and assigns NTFS
permissions inheritance.
When a user attempts to access an object, the user’s application initiates an access
request and attaches the user’s access token, which is generated when the user
logs on. The access token contains the user’s SID and the SIDs of any security
groups the user belongs to. It is compared with ACEs on the object’s DACL. If a
SID in the access token matches the SID listed in an ACE, the permissions in the
ACE are evaluated to see if access can be granted. If all the ACEs are evaluated and
at least one grants access (and none are found that explicitly deny access), the
object is opened. If no ACEs are found referencing any of the user’s SIDs or one is
found that denies the operation, access is denied.
Example A
User A wants to access a folder to read a file (Figure 7-11). The user’s SID and the
SIDs for the groups the user is a member of are part of the access token that is created when the user logs on. Each SID is evaluated to see if it matches an ACE on
the DACL for the object. User A is a member of Groups A, B, and D. The user’s
SID does not match any ACE on the DACL. Group B and Group D each match an
ACE on the folder’s DACL. Membership in Group B grants the user Modify access
to the folder. Membership in Group D grants the user Full Control access to the
folder. The user’s effective access level is Full Control. The Read operation
requested by the user succeeds.
Figure 7-11 User A opens a file to read.
Access token SIDs: User A (no ACE), Group A, Group B (no ACE), Group D. Folder DACL: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). Effective permission is Full Control.
Example B
User B wants to access the same folder to read a file (Figure 7-12). The user’s SID
and the SIDs for the groups the user is a member of are part of the access token
that is created when the user logs on. Each SID is evaluated to see if it matches an
ACE on the DACL for the object. User B is a member of Groups A, C, and D. The
user’s SID matches a Read ACE on the DACL. Groups B, C and D also match an
ACE on the folder’s DACL. Membership in Group B grants the user Modify access
to the folder. Membership in Group D grants the user Full Control access to the
folder. Membership in Group C denies the user Read access to the folder. The
user’s effective access level is Deny Read. The Read operation requested by
the user fails.
Figure 7-12 User B fails to open a file to read.
Access token SIDs: User B, Group A, Group C, Group D. Folder DACL: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). Effective permission is Deny Read.
Effective permissions
A user’s effective permissions for a resource are the sum of the NTFS permissions
that you assign to the individual user account and that you assign to all of the
groups to which the user belongs. If a user has Read permission for a folder and
is a member of a group with Write permission for the same folder, the user has
both Read and Write permissions for that folder.
If the application a user is using wants to open a file to modify it, it requests Append
Data access to the object. If any ACEs match the user’s access token, they are examined to see if the required permission is allowed. If it is not explicitly allowed, access
is denied. If no ACEs match the user’s access token, access is denied.
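The evaluation that Examples A and B and the effective-permissions paragraph describe, as an added Python model rather than the book's own code or the real Windows access-check routine: the token is a set of SIDs (names stand in for SIDs), the DACL is the one drawn in Figures 7-11 and 7-12, and each standard permission expands to its special permissions as in Figure 7-3. The read and write requests and the User X token are constructed; the rule implemented is the one the chapter states, a matching Deny ACE wins, otherwise the matching Allow ACEs together must cover every requested right.

```python
"""Added model of the NTFS DACL evaluation described in this chapter (not the
book's code). Standard permissions expand to special permissions as in
Figure 7-3; the DACL and tokens are the constructed ones of Figures 7-11/7-12."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Special permissions that make up each standard permission (Figure 7-3).
READ = frozenset({"List Folder/Read Data", "Read Attributes",
                  "Read Extended Attributes", "Read Permissions"})
WRITE = frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                   "Write Attributes", "Write Extended Attributes"})
READ_EXECUTE = READ | {"Traverse Folder/Execute File"}
MODIFY = READ_EXECUTE | WRITE | {"Delete"}
FULL_CONTROL = MODIFY | {"Change Permissions", "Take Ownership"}
STANDARD = {"Read": READ, "Write": WRITE, "Read & Execute": READ_EXECUTE,
            "Modify": MODIFY, "Full Control": FULL_CONTROL}


@dataclass(frozen=True)
class Ace:
    trustee: str      # user or group name standing in for its SID
    allow: bool       # True for an Allow ACE, False for a Deny ACE
    permission: str   # a standard permission name (a key of STANDARD)

    @property
    def rights(self) -> FrozenSet[str]:
        return STANDARD[self.permission]


def effective_rights(token: Iterable[str], dacl: List[Ace]) -> FrozenSet[str]:
    """Rights from every Allow ACE that matches a SID in the token, minus the
    rights of every matching Deny ACE (what the Effective Permissions tab shows)."""
    token = frozenset(token)
    matching = [ace for ace in dacl if ace.trustee in token]
    allowed = frozenset().union(*(a.rights for a in matching if a.allow))
    denied = frozenset().union(*(a.rights for a in matching if not a.allow))
    return allowed - denied


def check_access(token: Iterable[str], dacl: List[Ace],
                 requested: Iterable[str]) -> Tuple[bool, str]:
    """Grant only if no matching Deny ACE covers a requested right and the
    matching Allow ACEs together cover all of them; no matching ACE means denied."""
    token, requested = frozenset(token), frozenset(requested)
    matching = [ace for ace in dacl if ace.trustee in token]
    if not matching:
        return False, "no ACE references any SID in the access token"
    for ace in matching:
        if not ace.allow and ace.rights & requested:
            return False, "Deny ACE for %s (%s)" % (ace.trustee, ace.permission)
    missing = requested - effective_rights(token, dacl)
    if missing:
        return False, "not granted: " + ", ".join(sorted(missing))
    return True, "all requested rights allowed"


# Constructed folder DACL shared by both examples (Figures 7-11 and 7-12).
FOLDER_DACL = [
    Ace("User B", True, "Read"),
    Ace("Group A", True, "Modify"),
    Ace("Group C", False, "Read"),
    Ace("Group D", True, "Full Control"),
]
USER_A_TOKEN = frozenset({"User A", "Group A", "Group B", "Group D"})
USER_B_TOKEN = frozenset({"User B", "Group A", "Group C", "Group D"})
READ_FILE = {"List Folder/Read Data"}        # what opening a file to read asks for
WRITE_FILE = {"Create Files/Write Data"}     # what opening a file to write asks for

if __name__ == "__main__":
    for name, token in (("User A", USER_A_TOKEN), ("User B", USER_B_TOKEN)):
        for op, rights in (("read", READ_FILE), ("write", WRITE_FILE)):
            ok, why = check_access(token, FOLDER_DACL, rights)
            print("%s %s: %s (%s)" % (name, op, "allowed" if ok else "denied", why))
```

Note that User B's Deny Read ACE blocks only the Read rights: a write request by the same token still succeeds, which is why the chapter recommends deny entries only for well-documented special cases.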
To view effective permissions for an object:
1. In the object’s Properties dialog box, on the Security tab, click
Advanced to access the Advanced Security Settings dialog box.
2. Click the Effective Permissions tab, and use the Select button to
browse for and select a user or group.
3. View the effective permissions on the object for the selected user or
group (Figure 7-13).
Figure 7-13 Effective permissions for user group
Overriding folder permissions with file permissions
NTFS file permissions take priority over NTFS folder permissions. If you have
access to a file, you can access the file if you have the Bypass Traverse Checking
user right (granted by an administrator via Group Policy) even if you don’t have
access to the folder containing the file. You can access the files for which you have
permissions by using the full Universal Naming Convention (UNC) path or
local path to open the file from its respective application.
Using “Deny Access” to Override Permissions
You can deny permission to a user account or group for a specific file, although
this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed.
Even if a user has permission to access a file or folder as a member of a group,
denying permission to the user blocks any other permissions the user
might have.
AUDITING NTFS OBJECT ACCESS
Auditing allows you to track user activities on a computer. You can specify that
Windows XP Professional write a record of an event to the security log, which
maintains a record of valid and invalid logon attempts and events related to
creating, opening, or deleting files or other objects. An audit entry in the security
log contains the following information:
■ The action that was performed
■ The user who performed the action
■ The success or failure of the event and when the event occurred
Enabling Auditing
To track the activities of individuals responsible for security breaches, you can
set up auditing for files and folders on NTFS partitions. To audit user access
to files and folders, you must first set your audit policy to audit object access,
which includes files and folders. We will discuss this in more detail in
Chapter 13.
When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access to audit and by which
users or groups.
NTFS object access auditing is configured on the Auditing tab of the Advanced
Security Settings dialog box (Figure 7-14), where you can add, remove, or change
audit events.
Figure 7-14 Audit Settings tab of the Advanced Security Settings dialog box
Events can be described for both success and failure of the audited action. If
you choose to add or edit an audited event, the Auditing Entry dialog box opens
(Figure 7-15).
Figure 7-15 Auditing Entry dialog box
These are the actions you can audit for success and failure:
■ Traverse Folder/Execute File  Running a program or gaining access to a folder to change directories
■ List Folder/Read Data  Displaying the contents of a file or folder
■ Read Attributes  Reading the attributes of a file or folder
■ Read Extended Attributes  Reading the extended attributes of a file or folder
■ Create Files/Write Data  Changing the contents of a file or creating new files in a folder
■ Create Folders/Append Data  Creating folders in a folder
■ Write Attributes  Changing attributes of a file or folder
■ Write Extended Attributes  Changing extended attributes of a file or folder
■ Delete Subfolders And Files  Deleting a file or subfolder in a folder (applies to folders only)
■ Delete  Deleting a file or folder
■ Read Permissions  Viewing permissions for the file owner for a file or folder
■ Change Permissions  Changing permissions for a file or folder
■ Take Ownership  Taking ownership of a file or folder
NOTE Enabling auditing of a folder or file creates an SACL in the object’s security descriptor. This SACL is used by the system when the object is accessed to determine which operations are audited and whether the operations should be recorded for success or failure.
Monitoring Security Event Logs
Once auditing is enabled for NTFS objects, the results of the auditing can be monitored in the security event log for the system being audited. This log is visible
in the Event Viewer console either in Computer Management or by executing
eventvwr.msc from the command line. We will cover the use and administration of
auditing in more detail in Chapter 13.
TROUBLESHOOTING NTFS PERMISSIONS
Occasionally you will have a user who cannot access files that should be allowed,
or who is found to have access that he shouldn’t have. These problems can almost
always be traced to improper effective permissions, either from membership in an
incorrect security group or from incorrectly assigned permissions to one or more
groups of which the user is a member.
Problems with Effective Permissions
To locate improper effective permissions, you can use the Effective Permissions
tab of the Advanced Security Settings dialog box (Figure 7-16) for the resource in
question. Select the user to list the permissions calculated from the user’s own
permissions and those of any groups the user belongs to. If you find a discrepancy, select each of the user’s groups in turn to locate the one that is contributing
the discrepancy to the effective permissions.
Figure 7-16 Displaying effective permissions for a user
Problems with Denied Permissions
When you use the Deny permission ACEs, it is easy to lose track of them. Their
use is more the exception than the rule, so administrators will rarely suspect a
denied permission at first.
You can analyze effective permissions to see whether a checkmark is missing
from one or more special permissions that should be checked. Locate the Deny
access ACE and remove it to restore access to the affected user(s).
Problems with Permissions Inheritance
Blocking permissions inheritance can cause unintended consequences for effective permissions. Suppose a user is a member of a group with access to a folder
through inheritance from a parent folder. If an administrator removes inheritance
without copying the permissions from the parent and sets new permissions that
do not give the original user access, the user will be denied access.
You can analyze effective permissions to see whether you need to add the appropriate security group(s) with the appropriate permissions.
SUMMARY
■ NTFS permissions are available only on NTFS volumes and are used to specify which users and groups can access files and folders and what these users can do with the contents of those files or folders.
■ NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control.
■ The NTFS file permissions are Read, Write, Read & Execute, Modify, and Full Control.
■ Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.
■ The command-line tools CACLS.exe and XCACLS.exe can be used to automate permission changes.
■ NTFS stores security descriptors (which include ACLs) for all files in a central metadata file. An index attribute is stored in the file’s MFT record to identify the security descriptor. Multiple files can designate the same security descriptor, optimizing use of space.
■ A user attempting to gain access to a resource must have permission for that type of access. This access type is requested by the user’s application and compared with ACEs in the object’s ACL. If the requested access is not allowed, access to the file or folder is denied.
■ You can assign multiple permissions to a user account by assigning permissions to her individual user account and to each group she belongs to.
■ A user’s effective permissions for a resource are based on the NTFS permissions that you assign to the individual user account and to all of the groups the user belongs to.
■ NTFS file permissions take priority over NTFS folder permissions.
■ By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group.
■ To assign or modify NTFS permissions for a file or a folder, you use the Security tab of the Properties dialog box for the file or folder.
■ By default, subfolders and files inherit permissions that you assign to their parent folder.
■ To stop subfolders and files from inheriting permissions that you assign to their parent folder, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box in the Advanced Security Settings dialog box.
■ The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership.
■ You cannot assign (give) anyone ownership of a file or folder.
■ When you move a file or folder within a single NTFS volume, the file or folder retains its original permissions.
■ When you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.
■ When you copy files or folders from one folder to another or from one volume to another, Windows XP Professional treats the copied file or folder as a new file or folder. It therefore takes on the permissions of the destination folder.
■ You should assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks.
■ You should assign permissions at the folder level, not the file level.
■ You should assign Full Control to CREATOR OWNER for public folders and Read and Write to the Authenticated Users group.
■ Allow permissions wherever possible rather than deny permissions. The only exceptions should be to except users who belong to an assigned group, or to except permissions from a standard permission group.
REVIEW QUESTIONS
1. Which of the following statements correctly describe NTFS file and
folder permissions? (Choose all correct answers.)
a. NTFS security is effective only when a user gains access to the file
or folder over the network.
b. NTFS security is effective when a user gains access to the file or
folder on the local computer.
c. NTFS permissions specify which users and groups can gain
access to files and folders and what they can do with the contents
of the file or folder.
d. NTFS permissions can be used on all file systems available with
Windows XP Professional.
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
2. Which of the following NTFS folder permissions allows you to delete
the folder?
a. Read
b. Read & Execute
c. Modify
d. Change
3. Which of the following users can assign permissions to user accounts
and groups? (Choose all correct answers.)
a. Administrators
b. Power Users
c. Users with the Full Control permission
d. Owners of files and folders
4. What is an access control list (ACL) and what is the difference between
an ACL and an access control entry (ACE)?
5. What are a user’s effective permissions for a resource?
6. By default, what inherits the permissions that you assign to the parent
folder?
7. Which of the following tabs of the Properties dialog box for the file or folder
do you use to assign or modify NTFS permissions for a file or a folder?
a. Advanced
b. Permissions
c. Security
d. General
8. Which of the following statements about copying a file or folder are
correct? (Choose all correct answers.)
a. When you copy a file from one folder to another folder on the
same volume, the permissions on the file do not change.
b. When you copy a file from a folder on an NTFS volume to a folder
on a FAT volume, the permissions on the file do not change.
c. When you copy a file from a folder on an NTFS volume to a folder
on another NTFS volume, the permissions on the file match
those of the destination folder.
d. When you copy a file from a folder on an NTFS volume to a folder
on a FAT volume, the permissions are lost.
CHAPTER 7:
CONFIGURING AND MANAGING NTFS SECURITY
9. Which of the following statements about moving a file or folder are
correct? (Choose all correct answers.)
a. When you move a file from one folder to another folder on the
same volume, the permissions on the file do not change.
b. When you move a file from a folder on an NTFS volume to a
folder on a FAT volume, the permissions on the file do not
change.
c. When you move a file from a folder on an NTFS volume to a
folder on another NTFS volume, the permissions on the file
match those of the destination folder.
d. When you move a file from a folder on an NTFS volume to a
folder on the same volume, the permissions on the file match
those of the destination folder.
10. You are attempting to copy a large number of files from one NTFS volume to another and want to avoid having to re-create all the original
permissions once the copy operation is completed. How can you
accomplish this with minimal effort?
CASE SCENARIOS
Scenario 7-1: Permission Soup
You are designing NTFS security for a system that will store public data and applications for users to share. Users will access all files locally from the system you are
configuring. You have been presented with the following requirements:
■ Create a place for all users to place public files. They should be able to add files and maintain their own files, but they should not be able to do more than read any other user’s files.
■ Set up a place for users from the HR department to place personnel policies. Only HR personnel should be able to modify these files, but all users should be able to read them.
■ Provide a place for executable application files for users from the Accounting department. Only users from Accounting should be able to see these files.
■ Create a folder for personnel reviews. Only managers should be able to access this folder, and each manager should be able to create and modify her own files only. Besides the manager who creates each file, only HR personnel should be able to read these files, and administrators should not have access to any of these files. In addition, provide a way for managers to know if an administrator has accessed any file in this folder.
Answer the following questions about this scenario:
1. What user groups should be defined to support this scenario?
2. What folders should you create to support this scenario?
3. Which NTFS standard permissions should you give to the Users group
for the Public folder? How can you ensure that the creators of files can
modify and delete them?
4. What permissions should the HR users have for the personnel policy
files? Where should this permission be assigned?
5. How do you ensure that only Accounting has permission to access the
accounting applications?
6. Detail the steps to take to secure the personnel review folders. How
will you report on access to any of these files by administrators?
Scenario 7-2: Effective Permissions
You are newly employed by a small distillery. One of your first tasks is to
straighten out permission issues that have left some users unable to access files
containing mash recipes. The previous administrator attempted to restrict some
users from accessing these recipes but ended up locking out the blending crew
(group name Blenders).
Answer the following questions about this scenario:
1. How can you determine what the blending crew’s effective permissions are?
a. Use the Effective Permissions tab of the Sharing Permissions
dialog box for the Mash Recipes folder. Display effective permissions for the Blenders group.
b. Use the Effective Permissions tab of the Advanced Security Settings dialog box for the Mash Recipes folder. Display effective
permissions for the Blenders group.
c. Use the CACLS command-line program with the /E:Blenders
switch to display permissions for the Mash Recipes folder.
d. Use the CACLS command-line program without any switches to view
all permissions for the folder. Determine the Blenders group’s permissions by combining the permissions for all groups they belong to.
2. Which of the following CACLS command lines can you use to grant
the Blenders group access to read these files?
a. CACLS “Mash Recipes” /G Blenders:R
b. CACLS “Mash Recipes” /E /G Blenders:R
c. CACLS “Mash Recipes” /D Blenders
d. CACLS “Mash Recipes” /R Blenders
CHAPTER 8
CONFIGURING AND
MANAGING SHARED
FOLDER SECURITY
Upon completion of this chapter, you will be able to:
■ Create and remove shared folders
■ Control access to shared folders by using permissions
■ Analyze and troubleshoot combined share and NTFS permissions
■ Manage and troubleshoot offline files
■ Manage and troubleshoot Web server resources
In Chapter 7, you learned about NTFS permissions. NTFS permissions are more
than sufficient to protect files and folders stored on a system. There are times,
however, when it is necessary to deploy a system that will support users across a
network. To enable us to use files over a network connection, we must share the
folders that contain them. The process of sharing folders makes them available to
networked client systems.
In this chapter, you will learn how to share folders. You will explore share permissions and how they interact with NTFS permissions. We will discuss the setup
and management of offline files. Finally, we will discuss Web sharing and how it
differs in its application from standard shares.
UNDERSTANDING SHARED FOLDERS
You use shared folders to provide network users with access to file resources.
When a folder is shared, users can connect to the folder over the network and
access the files it contains. However, to access the files, users must have permissions to access the shared folders (Figure 8-1).
Figure 8-1 Accessing folders locally and remotely. The figure shows a Data folder on a server computer: User A accesses the folder locally (access is controlled by NTFS permissions), while User B accesses it over the network connection from a client computer (access is controlled by share and NTFS permissions).
Shared Folder Permissions
A shared folder can contain application data, user documents, and even software. To control how users gain access to a shared folder, you assign shared
folder permissions. Each type of data requires different shared folder
permissions.
The following list explains what each of the shared folder permissions allows a
user to do:
■ Read Display folder names, file names, file data, and attributes; run program files; and change folders within the shared folder.
■ Change Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files; also allows the user to perform actions permitted by the Read permission.
■ Full Control Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.
As with NTFS permissions, you can allow or deny shared folder permissions.
Generally, it is best to allow permissions and to assign permissions to a group
rather than to individual users. Deny permissions only when it is necessary to
override permissions that are otherwise applied—for example, when it is
necessary to deny permission to a specific user who belongs to a group to
which you have given the permission. If you deny a shared folder permission
to a user, the user won’t have that permission when accessing the folder across
the network. For example, to deny all access to a shared folder, deny the Full
Control permission.
NOTE A user with no share permissions assigned, either as an individual or as a member of a security group, will not have access to the shared folder.
The following are characteristics of shared folder permissions:
■ Shared folder permissions apply to folders, not individual files. Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, they provide less detailed security than NTFS permissions.
■ Shared folder permissions don’t restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.
■ Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren’t available on FAT volumes.
■ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.
NOTE The Everyone: Read permission allows all users accessing a system to read documents in a folder. This includes those who have not been specifically authenticated as a user on the system. You should always remove this permission from shares and use Authenticated Users instead (or even more specific user groups). We will discuss the reasons for this in more detail in Chapter 13.
Guidelines for Shared Folder Permissions
The following list provides some general guidelines for managing your shared
folders and assigning shared folder permissions:
■ Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.
■ Assign permissions to groups instead of user accounts to simplify access administration.
■ Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users only need to read information in a folder and they will never delete or create files, assign the Read permission.
■ Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store those folders within the same folder. Then share this folder instead of providing each individual application folder with its own share.
■ Use intuitive share names so users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.
■ Do not deny access to the Everyone group. Instead, completely remove the Everyone group from the permissions. Denying access to Everyone denies access even to administrators.
How Shared Folder Permissions Are Applied
Applying shared folder permissions to user accounts and groups affects access
to a shared folder over the network. Denied permissions take precedence over
allowed permissions. The following list describes the effects of applying
permissions:
■ Multiple permissions A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder and that user is a member of a group to which you assigned a different permission, the user’s effective permissions are a combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user’s effective permission is Change (which includes Read).
■ Deny permissions Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won’t have that permission, even if you allow the permission for a group the user belongs to.
■ NTFS permissions Shared folder permissions are sufficient to gain access across the network to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of that folder’s contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access. A user’s effective permission for a shared folder on an NTFS volume is the more restrictive of the shared and NTFS permissions.
■ Moving, renaming, copying, or deleting a shared folder When you copy a shared folder, the original folder is still shared but the copy is not. When you rename or move a shared folder, it is no longer shared. When a folder is deleted, the folder share is deleted as well.
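The rules in the list above, together with the Chapter 7 summary’s rule that a user’s effective NTFS permission combines the entries for the user account and all of the user’s groups, can be checked with a small model. The following Python script is an added example, not code from the book: it expands each share and NTFS permission level into a set of elementary rights (an approximation chosen for the example, not the real NTFS access mask), unions the Allow entries that match any of a user’s identities, subtracts the Deny entries, and intersects the share result with the NTFS result. The user names, group memberships, and ACLs are constructed sample data.

```python
"""Model of how share and NTFS permissions combine on Windows XP.

Added example, not code from the book. Permission levels are expanded
into sets of elementary rights so that Allow entries can be unioned,
Deny entries subtracted, and the share result intersected with the
NTFS result. The right split below is an approximation for this
example, not the real NTFS access mask.
"""

READ, EXEC, WRITE, DELETE, CHPERM, TAKEOWN = (
    "read", "execute", "write", "delete", "change_permissions", "take_ownership",
)
ALL = frozenset({READ, EXEC, WRITE, DELETE, CHPERM, TAKEOWN})

# Share levels are cumulative: Change includes Read, Full Control includes Change.
SHARE_LEVELS = {
    "Read": frozenset({READ, EXEC}),
    "Change": frozenset({READ, EXEC, WRITE, DELETE}),
    "Full Control": ALL,
}

# NTFS standard permissions (the subset the chapter discusses).
NTFS_LEVELS = {
    "Read": frozenset({READ}),
    "Read & Execute": frozenset({READ, EXEC}),
    "Write": frozenset({WRITE}),
    "Modify": frozenset({READ, EXEC, WRITE, DELETE}),
    "Full Control": ALL,
}


def effective_rights(acl, identities, levels):
    """acl: list of (principal, 'Allow' | 'Deny', level) entries.
    identities: the user's name plus every group in the user's token.
    Union all matching Allows, then subtract all matching Denies, so a
    Deny wins over any Allow. No matching entry at all means no rights."""
    allowed, denied = set(), set()
    for principal, kind, level in acl:
        if principal in identities:
            (allowed if kind == "Allow" else denied).update(levels[level])
    return frozenset(allowed - denied)


def combined_rights(share_acl, ntfs_acl, identities):
    """Rights for a user connecting over the network. On an NTFS volume
    both the share and the NTFS permission must grant a right, so the
    result is the intersection. ntfs_acl=None models a FAT volume, where
    only the share permissions exist."""
    share = effective_rights(share_acl, identities, SHARE_LEVELS)
    if ntfs_acl is None:
        return share
    return share & effective_rights(ntfs_acl, identities, NTFS_LEVELS)


def describe(rights, levels):
    """Name the largest level fully covered by a rights set, else 'No Access'."""
    best, best_size = "No Access", 0
    for name, needed in levels.items():
        if needed <= rights and len(needed) > best_size:
            best, best_size = name, len(needed)
    return best


# Constructed sample data: identities in each user's token, including the
# well-known groups Windows adds, and the two ACLs that protect a share.
ALICE = {"alice", "Users", "Accountants", "Authenticated Users", "Everyone"}
BOB = {"bob", "Users", "Authenticated Users", "Everyone"}

SHARE_ACL = [
    ("Everyone", "Allow", "Read"),        # the default entry on a new share
    ("Accountants", "Allow", "Change"),
]
NTFS_ACL = [
    ("Administrators", "Allow", "Full Control"),
    ("Accountants", "Allow", "Modify"),
    ("Users", "Allow", "Read & Execute"),
]

if __name__ == "__main__":
    # alice: share Read+Change, NTFS Modify -> the intersection is Change.
    print("alice:", describe(combined_rights(SHARE_ACL, NTFS_ACL, ALICE), SHARE_LEVELS))
    # bob: share Read, NTFS Read & Execute -> Read; the NTFS side is the limit.
    print("bob:", describe(combined_rights(SHARE_ACL, NTFS_ACL, BOB), SHARE_LEVELS))
    # Deny Full Control to Everyone: the Deny beats every Allow, including
    # the one Accountants hold, which is why the guidelines say to remove
    # Everyone from the ACL rather than deny it.
    locked = SHARE_ACL + [("Everyone", "Deny", "Full Control")]
    print("alice after Deny Everyone:",
          describe(combined_rights(locked, NTFS_ACL, ALICE), SHARE_LEVELS))
```

Running the script prints the three cases in the comments. The last one is the practical point behind the guideline above: a Deny on Everyone strips every right from every user who connects, administrators included, so removing the Everyone entry is the only way to narrow access without locking yourself out.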
PLANNING SHARED FOLDERS
When you plan shared folders, you can reduce administrative overhead and
ease user access by putting resources into folders according to common access
requirements. Determine which resources you want shared, organize resources
according to function and use, and decide how you will administer the resources.
Shared folders can contain applications and data. By consolidating data and
applications into shared folders according to function, you gain the following
benefits:
■ Ease of use By centralizing files in just a few shared folders, you make them easier for users to find.
■ Simpler configuration When files are consolidated into common folders, it is easier to apply permissions.
■ Centralized administration If data folders are centralized, you can back them up more easily and you can upgrade application software more easily.
Requirements for Sharing Folders
In Windows XP Professional, members of the built-in Administrators and Power
Users groups can share folders.
By default, in a Windows Server domain, members of the Domain Admins and
Server Operators groups can share folders on any machine in the domain.
NOTE If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.
Shared Application Folders
Shared application folders are used for applications that are installed on a
network server and that can be used from client computers. The main advantage
of sharing applications is that you don’t need to install and maintain most
components of the applications on each computer. Although program files for
applications can be stored on a server, configuration information for most
network applications is often stored on each client computer. The exact way in
which you share application folders will vary depending on the application and
your particular network environment and company organization.
When you share application folders, consider the following points:
■ Create one shared folder for applications, and organize all of your applications under this folder. This designates one location for installing and upgrading software.
■ Assign the Administrators group Full Control permission for the applications folder so members of this group can manage the application software and control user permissions.
■ Assign Change permission to groups that are responsible for upgrading and troubleshooting applications.
NOTE If you are in an environment where viruses are a possibility, you might want to assign administrators and others who maintain the applications the Read permission. This limits what a virus running under a maintainer’s account can do to your application files. Permission can be raised temporarily during maintenance (usually by taking ownership) and lowered again afterward. For more information on taking ownership of files, see Chapter 7.
■ Remove any permissions for the Everyone group, and assign Read permission to the Users group.
■ Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.
NOTE If you support an application that must write to a data file on the application share, it might be necessary to grant Change permission to allow this operation to take place. If this is the case, consider separating this application from those that will operate effectively with the Read permission.
Shared Data Folders
Users on a network use data folders to exchange public and working data. Working data folders are used by members of a team who need access to shared files.
Public data folders are used by larger groups of users who all need access to
common data.
NOTE Create and share common data folders on a separate volume from the operating system and applications. Data files should be backed up frequently, and keeping data folders on a separate volume makes this convenient. With this system administration scheme, if the operating system requires reinstallation, the volume containing the data folder remains intact.
Public data
When you share a common public data folder, do the following:
■ Use centralized data folders so data can be backed up easily.
■ Assign Change permission to the Users group for the common data folder (Figure 8-2). This provides users with a central, publicly accessible location for storing data files that they want to share with other users. Users can access the folder and can read, create, or change files in it.
Figure 8-2 Public data and working data shared folders. The figure shows a public data folder named Public shared to the Users group with Change (C), and a working data folder named Data shared to the Administrators group with Full Control (FC), with its Accountants subfolder shared separately to the Accountants group with Full Control (FC). The callouts read: back up centralized data folders consistently; share lower-level folders.
Working data
When you share a working data folder, do the following:
■ Assign Full Control permission to the Administrators group for a central data folder so administrators can perform maintenance.
■ Share lower-level data folders below the central folder by assigning Change permission to the appropriate groups when you need to restrict access to those folders.
Figure 8-2 above shows an example of these practices. To protect data in the
Accountants folder, which is a subfolder of the Data folder, share the Accountants
folder and assign the Change permission to the Accountants group so that only
members of that group can access the Accountants folder.
CAUTION Users who reach a lower-level folder through an upper-level share receive the permissions of the share they connected through, not those of the lower-level share, because share permissions are evaluated at the share point used for the connection. In the example above, administrators have Full Control access to the Accountants folder when they reach it through the Data share. Keep this in mind whenever you need to restrict access to a lower-level folder; it might be necessary to separate the folders into two different trees.
Administrative Shared Folders
Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from
users who view shared resources in My Network Places. The root of each lettered
volume, the system root folder, the connection point for interprocess communication (IPC), and the location of the printer drivers are hidden shared folders that
you can directly access across the network (if you have sufficient permission).
The following list describes the purpose of the administrative shared folders that
Windows XP Professional provides automatically:
■ C$, D$, E$, etc. The root of each volume on a hard disk is automatically shared, and the share name is the drive letter with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows XP Professional assigns Full Control permission for this share to the Administrators group. Access to other file system objects through this share depends on the NTFS permissions assigned on those objects.
NOTE Removable media are not automatically given an administrative share. To share the contents of a CD-ROM drive, you must create a manual share.
■ Admin$ The system root folder, which is C:\Windows by default, is shared as Admin$. Administrators can access this shared folder to administer Windows XP Professional without knowing which folder on the hard disk Windows XP Professional is installed in. Only members of the Administrators group have access to this share. Windows XP Professional assigns Full Control permission for this share to the Administrators group.
■ IPC$ This hidden share is used to manage connections for IPC, which lets processes running on two different systems create communication channels with each other to pass data and control messages.
■ Print$ When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators and Power Users groups have Full Control permission for this share. The Everyone group has Read permission for this share.
NOTE Hidden shared folders aren’t limited to those that the system
creates automatically. You can share additional folders and add a dollar
sign to the end of the share name. Only users who know the folder name
and have the proper permissions can access it.
SHARING A FOLDER
When you share a folder, you can give it a share name, provide comments to
describe the folder and its content, control the number of users who have access
to the folder, assign permissions, and share the same folder multiple times.
There are three ways to share folders in Windows XP: the Computer Management
console, Windows Explorer, and the NET SHARE command.
IMPORTANT If you have enabled Windows Firewall on your system, the act of sharing a folder opens the Windows network basic input/output system (NetBIOS) and SMB file-sharing ports (UDP 137 and 138, TCP 139 and 445) on your machine to the local network. If your system is connected directly to the Internet, this might expose it to attack from outside. Be sure that an additional layer, such as a firewall or router, sits between your local network and the Internet before you share folders.
Sharing Folders in Computer Management
You can work with shared folders using the Shared Folders console in Computer
Management or by adding the Shared Folders snap-in to a blank Microsoft
Management Console session. Either method allows the creation, management,
and removal of shared folders. We will discuss management in a later section; this
section discusses the creation of a shared folder.
To share a folder in Computer Management:
1. Log on with a user account that is a member of a group that can share
folders.
2. Open the Computer Management console by right-clicking
My Computer and selecting Manage.
3. Locate the Shared Folders item in the Computer Management console
(Figure 8-3). Expand it by clicking the small plus sign next to it.
Figure 8-3 Computer Management administering shared folders
4. View any existing shares (by clicking the Shares item) to ensure that
the share you are creating is unique.
5. Begin the process of adding a new share by right-clicking the Shares
item and selecting New File Share.
6. Complete the first page of the Create Shared Folder Wizard by selecting a
folder to share and providing a share name and description (Figure 8-4).
Figure 8-4 The Shared Folder Wizard configuring a shared folder
7. Complete the Create Shared Folder Wizard by assigning permissions
to the new share and clicking Finish (Figure 8-5).
Figure 8-5 Setting permissions in the Shared Folder Wizard
8. You will be presented with a success dialog box (Figure 8-6). If you do
not want to share any more folders, click No to close it.
Figure 8-6 Completing the Shared Folder Wizard
NOTE The same method of creating a shared folder also applies if you are using a Shared Folders snap-in you have added to a blank Microsoft Management Console (MMC) session. We will discuss customizing the MMC with snap-ins in Chapter 9.
To stop sharing a folder in Computer Management:
1. Right-click the folder, and select Stop Sharing (Figure 8-7).
Figure 8-7 Removing a shared folder
2. Confirm the selection. The folder will no longer be shared.
CAUTION Be sure no users have files open on the shared folder before you remove it. Stopping a share with open files might lead to data corruption. See “Disconnecting users from open files” later in this chapter for more information.
Sharing Folders in Windows Explorer
Using Windows Explorer is perhaps the simplest way to share folders. Sharing is
managed in the Properties dialog box for the folder, right alongside the Security
settings for NTFS.
To share a folder in Windows Explorer:
1. Log on with a user account that is a member of a group that is able to
share folders.
2. Right-click the folder that you want to share, and then choose Sharing
And Security to open the folder’s Properties dialog box.
3. On the Sharing tab, click Share This Folder and configure the options
shown in Figure 8-8. These are the options:
Figure 8-8 The Sharing tab of a folder’s Properties dialog box
❑ Share Name The name that users from remote locations use to connect to the shared folder. You must enter a share name. By default, this is the same name as the folder. You can type a different name up to 80 characters long.
NOTE Be sure to use share names that all client operating systems can read. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.
❑ Comment An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify the contents of the shared folder.
❑ User Limit The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows XP Professional supports up to 10 connections.
❑ Permissions The shared folder permissions that apply only when the folder is accessed over the network. On an NTFS volume, these permissions interact with the NTFS permissions for the data being accessed to determine the final level of access. By default, the Everyone group is assigned Read permission for all new shared folders.
NOTE For security purposes, it is best to remove the Everyone group and replace it with the Users group or Authenticated Users group.
❑ Caching The settings to configure offline access to this shared folder. See “Using Offline Folders and Files” later in this chapter for more information.
To stop sharing a folder in Windows Explorer:
1. On the Sharing tab of the folder’s Properties dialog box (Figure 8-9),
select the Do Not Share This Folder option.
2. Click Apply.
Figure 8-9 Stopping the sharing of a folder in Windows Explorer
Using the NET Command to Share Folders
In addition to the graphical methods of sharing folders, you can share folders
from the command line by using the NET command. This method is great if you
need to create or remove many shared folders at once or you need to script the
creation of shares into a batch file to automate system installation and configuration tasks. When used without options, NET SHARE lists information about all
resources being shared on the computer.
The syntax of the NET command allows you to perform any shared folder management task you would perform with either the Computer Management console
or Windows Explorer. The syntax for NET SHARE includes the NET SHARE
command pair followed by options from the following list. (Note the three syntax
options used to create a share, change a share, and delete a share.)
To create a shared folder:
NET SHARE sharename=drive:path [/USERS:number | /UNLIMITED] [/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | None]
To change a shared folder:
NET SHARE sharename [/USERS:number | /UNLIMITED] [/REMARK:"text"]
[/CACHE:Manual | Documents | Programs | None]
To remove a shared folder or printer:
NET SHARE {sharename | devicename | drive:path} /DELETE
Here are the switches for the NET SHARE command:
■
sharename The network name of the shared resource. You can also
type NET SHARE with a share name to display information about only
that share.
■
drive:path Specifies the absolute path of the directory to be shared.
An example is C:\Deploy.
■
/USERS:number Sets the maximum number of users who can
simultaneously access the shared resource. For Windows XP, this limit
never exceeds 10 users due to restrictions on Microsoft client operating
systems.
■
/UNLIMITED Specifies that an unlimited number of users can simultaneously access the shared resource. For Windows XP, this limit never
exceeds 10 users due to restrictions on Microsoft client operating systems.
■
/REMARK:“text” Adds a descriptive comment about the resource.
Enclose the text in quotation marks.
■
devicename Specifies the device that is being shared (usually a
printer port).
■
/DELETE Stops sharing the resource.
CHAPTER 8: CONFIGURING AND MANAGING SHARED FOLDER SECURITY
■
/CACHE Controls how caching for offline files is managed for this folder. The following options are available for this argument:
❑
/CACHE:Manual Enables manual client caching of programs and documents from this share.
❑
/CACHE:Documents Enables automatic caching of documents from this share.
❑
/CACHE:Programs Enables automatic caching of documents and programs from this share.
❑
/CACHE:None Disables caching from this share.
NOTE The /CACHE settings refer to offline files and folders. We will discuss these settings in more detail in the “Using Offline Folders and Files” section later in this chapter.
To share a folder using the NET SHARE command:
1. Log on with a user account that is a member of a group that can share folders.
2. Open a command prompt session by clicking Start | Run, typing
cmd.exe in the Run dialog box, and clicking OK (Figure 8-10). The
Windows XP command-line console opens (Figure 8-11).
Figure 8-10 Opening the command-prompt session
3. Execute the NET.EXE command with the SHARE argument (Figure 8-11).
To share the C:\Deploy folder with default settings:
NET SHARE Deploy=C:\deploy
Figure 8-11 Sharing a folder at the command line
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
To stop sharing a folder using the NET command:
Issue the NET SHARE command with the /DELETE switch:
NET SHARE Deploy /DELETE
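The chapter opens by suggesting that you put share creation into a batch file. The following Python script, added here as an example and not taken from the book, generates such a batch file from a declarative share list using exactly the NET SHARE switches documented above, validating the Windows XP limits (at most 10 users, the four /CACHE modes, an absolute local path) before anything is written. The share inventory, the helper names, and the choice to disable caching on the deployment share are assumptions made for this example.

```python
"""Build NET SHARE command lines for a share-configuration batch file.

Added example for this chapter, not code from the book. The share inventory,
the helper names, and the rule that the Deploy share is created with
/CACHE:None are assumptions made for the example; the switches themselves are
the Windows XP NET SHARE switches described in the text.
"""
import re
import subprocess

XP_MAX_CONNECTIONS = 10          # Windows XP Professional never allows more than 10
CACHE_MODES = ("Manual", "Documents", "Programs", "None")
UNLIMITED = "unlimited"          # sentinel meaning "emit /UNLIMITED"
SHARE_NAME = re.compile(r"[A-Za-z0-9_$.-]{1,80}")    # conservative: no spaces, no quoting needed
LOCAL_PATH = re.compile(r"[A-Za-z]:\\[^\"*?<>|]*")     # absolute path such as C:\Deploy


def net_share_command(name, path=None, users=None, remark=None, cache=None, delete=False):
    """Return one NET SHARE command line.

    name   share name (also the target of the change and delete forms)
    path   absolute local path; supplying it selects the create form
    users  1..10, UNLIMITED, or None to leave the limit unchanged
    cache  one of CACHE_MODES, or None to leave caching unchanged
    """
    if not SHARE_NAME.fullmatch(name):
        raise ValueError("unsupported share name: %r" % name)
    if delete:
        return "NET SHARE %s /DELETE" % name
    if path is None:
        parts = ["NET SHARE %s" % name]               # change form
    elif LOCAL_PATH.fullmatch(path):
        parts = ["NET SHARE %s=%s" % (name, path)]    # create form
    else:
        raise ValueError("path must be absolute, such as C:\\Deploy: %r" % path)
    if users == UNLIMITED:
        parts.append("/UNLIMITED")
    elif users is not None:
        if not 1 <= int(users) <= XP_MAX_CONNECTIONS:
            raise ValueError("/USERS must be 1..%d on Windows XP" % XP_MAX_CONNECTIONS)
        parts.append("/USERS:%d" % users)
    if remark is not None:
        if '"' in remark:
            raise ValueError("remark must not contain double quotes")
        parts.append('/REMARK:"%s"' % remark)
    if cache is not None:
        if cache not in CACHE_MODES:
            raise ValueError("cache must be one of %s" % (CACHE_MODES,))
        parts.append("/CACHE:%s" % cache)
    return " ".join(parts)


# Constructed sample inventory for a deployment workstation (not from the book).
SHARES = [
    dict(name="Deploy", path=r"C:\Deploy", users=5, remark="Deployment images", cache="None"),
    dict(name="Docs", path=r"C:\Docs", users=UNLIMITED, remark="Read-only documents", cache="Documents"),
]


def build_batch(shares):
    """Return the lines of a batch file that (re)creates every share in `shares`."""
    lines = ["@echo off",
             "REM Share configuration generated for this computer; review before running."]
    for share in shares:
        # Delete first so rerunning the batch does not fail on an existing share name.
        lines.append(net_share_command(share["name"], delete=True) + " >NUL 2>&1")
        lines.append(net_share_command(**share))
    lines.append("NET SHARE")    # list the result so the batch output shows every share
    return lines


def write_and_run(shares, batch_path):
    """Write the batch file and run it with cmd.exe (Windows only); returns the exit code."""
    with open(batch_path, "w") as fh:
        fh.write("\r\n".join(build_batch(shares)) + "\r\n")
    return subprocess.call(["cmd.exe", "/c", batch_path])


if __name__ == "__main__":
    print("\n".join(build_batch(SHARES)))
```

Because NET SHARE on Windows XP cannot set share permissions, the generated batch only creates the shares; the permissions still have to be assigned in Windows Explorer or Computer Management, which is why the batch ends with a plain NET SHARE listing for you to check the result against.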
Sharing a Folder on a Remote Computer
You can direct Computer Management to configure a remote computer by right-clicking Computer Management (Local) and selecting Connect To Another Computer (Figure 8-12). Once connected, you can configure shared folders on the remote computer as if the computer were local.
Figure 8-12 Connecting to a remote computer
NOTE To manage shared folders on a remote system, you must have an
account with rights to manage shares on that system.
MANAGING SHARED FOLDERS
Although you can create and configure shared folders using both the Computer Management console and the NET SHARE command, we will concentrate for the rest of this chapter on configuring shared folders in Windows Explorer.
The tasks you might carry out when managing shared folders include assigning
folder permissions, creating additional—differently named—shares on the same
folder, and changing the name of the shared folder.
Assigning Shared Folder Permissions
When you assign the permissions for a shared folder, make sure you have
considered the permissions required for each group of users. If you have not
already done so, read the “Planning Shared Folders” section earlier in this
chapter.
To assign shared folder permissions in Windows Explorer:
1. On the Sharing tab of the Properties dialog box for the shared folder,
click Permissions.
2. In the Permissions dialog box, ensure that the Everyone group is
selected and then click Remove. This clears the permissions that apply
to all users to make way for more specific permissions.
3. In the Permissions dialog box, click Add.
4. In the Select Users Or Groups dialog box (Figure 8-13), browse for or
type the name of the users or groups to which you want to assign
permissions.
NOTE If you want to enter more than one user account or group at a time, separate the names with a semicolon. If you want to ensure that the names are correct, click Check Names.
Figure 8-13 The Select Users Or Groups dialog box
5. Click OK.
6. In the Permissions dialog box for the shared folder, click the user
account or group and then, under Permissions, select the Allow check
box or the Deny check box as needed for the user account or group
(Figure 8-14).
7. Click Apply or OK to complete the permissions assignment.
IMPORTANT Be sure to remove the default Everyone permissions to ensure that the permissions you have configured are not overridden by any more lenient permissions.
Figure 8-14 Assigning permissions to users
Creating Multiple Share Names
You might want to set different permissions on a shared folder. You can create
multiple share names for the same folder and assign each a different set of permissions. To share a folder with multiple share names, click New Share in the folder’s
Properties dialog box. In the New Share dialog box (Figure 8-15) you can assign
a new share name, limit the number of connections to the share, and click
Permissions to set the permissions for the shared folder.
Figure 8-15 The New Share dialog box
Modifying Shared Folders
To change the name of a shared folder, you must stop sharing it and then share it
again with the original permissions. Before you do this, be sure to document the
permissions.
CAUTION If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder while a user has a connection to the shared folder, Windows XP Professional displays a dialog box notifying you of that fact. You should notify users and ask them to close any open files. You can then use Shared Folders in Computer Management to verify that the files have been closed before you proceed. For more on monitoring shared folders, see the section titled “Monitoring Access to Shared Folders” later in this chapter.
CONNECTING TO SHARED FOLDERS
Once you have configured your shared folders, you can configure client computers to connect to them. You can access a shared folder from a client computer by
using My Network Places, mapping a drive in My Computer, typing a path in the
Run dialog box, or mapping a drive with the NET USE command.
Browsing My Network Places is a simple way of locating files, but it takes time. Mapping a drive letter to a folder cuts the time it takes to access files in the future. To map a drive, you must know the Universal Naming Convention (UNC) path to the folder, an address formatted as \\Server\share. An example using the folder from previous demonstrations would be \\BEHEMOTH\Deploy (where BEHEMOTH is the server’s name).
To connect to a shared folder using My Network Places:
1. Open Windows Explorer by choosing Start | All Programs |
Accessories | Windows Explorer.
2. Find My Network Places in the tree view on the left side of the screen.
3. Expand My Network Places, and browse for the computer that is sharing
folders on your network. If you are on a large network, you might have to
expand Entire Network and browse for the appropriate workgroup or domain.
4. When you locate the share to which you want to connect, expand it by
clicking its plus sign. You can navigate the share and its files to select
the resources you want to use (Figure 8-16).
Figure 8-16 Navigating My Network Places
To map a drive using My Computer:
1. Click Start | My Computer.
2. On the Tools menu, choose Map Network Drive. Windows XP Professional displays the Map Network Drive dialog box (Figure 8-17), which
allows you to assign a drive letter to the connection. By default, the
drive letter displayed is Z or the last letter of the alphabet that is currently unassigned.
Figure 8-17 The Map Network Drive dialog box
3. In the Folder text box, type \\server\sharename or click
Browse to browse for a share. By default, Reconnect At Logon is
selected.
4. Clear the Reconnect At Logon check box unless you want to have
Windows XP Professional create a connection to this share each time
you log on to your computer.
NOTE If you are connecting to a folder to which your logged-on user does not have the appropriate permission, you can choose the Connect Using A Different User Name option to select another username and password to use for the connection.
5. Click Finish to establish the connection. The newly mapped drive
opens in a new My Computer window.
NOTE You will find Map Network Drive in other places as well. It is available as a right-click menu option in My Computer on the Start menu and Windows Explorer, and you can find it by right-clicking My Network Places.
To map a drive using the NET USE command:
1. Open a command prompt session by clicking Start | Run, entering
cmd.exe in the Run dialog box, and clicking OK. The Windows XP
command-line console opens (Figure 8-18).
Figure 8-18 Mapping a drive with Net Use
2. Execute the NET.EXE command with the USE argument. To map a
drive to the \\BEHEMOTH\Deploy folder:
NET USE Y: \\BEHEMOTH\deploy
To connect to a shared folder using the Run dialog box:
1. Click Start | Run, and then type \\computer_name in the Open text
box. Windows XP Professional displays shared folders for the computer.
2. Double-click the shared folder to which you want to connect.
NOTE
You can also type the full UNC path to the folder you want to use.
COMBINING SHARED FOLDER PERMISSIONS AND
NTFS PERMISSIONS
You share folders to provide network users with access to resources. If you are using a FAT volume, which has no security of its own, the shared folder permissions are the only mechanism available to protect the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in each shared folder. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
One strategy for providing access to resources on an NTFS volume is to share
folders by giving the Authenticated Users group Full Control and then controlling access by assigning NTFS permissions.
NOTE Always avoid sharing a folder to the Everyone group. Authenticated Users is an acceptable alternative and ensures that users are known and authenticated.
Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also,
NTFS permissions apply whether the resource is accessed locally or over the network.
When you use shared folder permissions on an NTFS volume, the following
rules apply:
■
You can apply NTFS permissions to files and subfolders in the shared
folder. You can even apply different NTFS permissions to each file and
each subfolder in a shared folder.
■
In addition to shared folder permissions, users must have NTFS
permissions to the files and subfolders in shared folders to access
those files and subfolders. This is in contrast to FAT volumes, in which
permissions for a shared folder are the only permissions protecting
files and subfolders in the shared folder.
■
When you combine shared folder permissions and NTFS permissions,
the more restrictive permission is always the overriding permission.
In Figure 8-19, the Users group has the shared folder Full Control permission for
the Public folder and the NTFS Read permission for FileA. Because the effective
combined permission is the more restrictive of the two, the Users group’s effective permission for FileA is the more restrictive Read permission. The effective
permission for FileB is Full Control because both the shared folder permission
and the NTFS permission allow this level of access.
Figure 8-19 Combining shared folder permissions and NTFS permissions (NTFS volume: the Public folder is shared with Full Control for the Users group; NTFS permission Read on File A and Full Control on File B; apply NTFS permissions to files and subfolders; the most restrictive permission is the effective permission)
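The rule illustrated by Figure 8-19 is easy to state but easy to get wrong once group membership and explicit Deny entries enter the picture. The following Python model, added here as an example and not code from the book, computes the effective permission for a user from a share ACL and an NTFS ACL: Allow entries for any of the user's principals are unioned, Deny entries are subtracted, and the share result is intersected with the NTFS result only when access is over the network. The atomic-rights model, the function names and the Contractors group are assumptions made for the example; the Users, Public, File A and File B data follow the figure.

```python
"""Compute the effective permission a user gets on a file in a shared folder.

Added example illustrating the combination rule in this section; not code
from the book. The atomic-rights model, the function names and the sample
ACLs (including the Contractors group) are assumptions made for the example;
the Users/Public/File A/File B data follows Figure 8-19.
"""

# Standard permission names expanded into sets of atomic rights (simplified model).
RIGHTS = {
    "Read": {"read"},
    "Write": {"write"},
    "Read & Execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Change": {"read", "execute", "write", "delete"},   # share-level equivalent of Modify
    "Full Control": {"read", "execute", "write", "delete",
                     "change_permissions", "take_ownership"},
}
# Most to least powerful; label() reports the first one wholly contained in a rights set.
LEVELS = ("Full Control", "Modify", "Read & Execute", "Read", "Write")


def effective(acl, principals):
    """Union of Allow entries minus union of Deny entries for any matching principal.

    acl        list of (principal, "Allow" | "Deny", permission name)
    principals set containing the user name and every group the user belongs to
    """
    allowed, denied = set(), set()
    for principal, kind, perm in acl:
        if principal in principals:
            (allowed if kind == "Allow" else denied).update(RIGHTS[perm])
    return allowed - denied          # an explicit Deny always wins over an Allow


def combined(share_acl, ntfs_acl, principals, over_network=True):
    """NTFS rights, intersected with share rights when the access is over the network."""
    ntfs = effective(ntfs_acl, principals)
    if not over_network:
        return ntfs                  # share permissions never apply to local access
    return ntfs & effective(share_acl, principals)


def label(rights):
    """Name the most powerful standard permission wholly contained in `rights`."""
    for level in LEVELS:
        if RIGHTS[level] <= rights:
            return level
    return "None"


# Constructed sample: Figure 8-19 plus one extra group to show an explicit Deny.
SHARE_ACL = [("Users", "Allow", "Full Control")]
NTFS_ACL = {
    "File A": [("Users", "Allow", "Read")],
    "File B": [("Users", "Allow", "Full Control"), ("Contractors", "Deny", "Write")],
}


def report(principals, over_network=True):
    """Effective permission label for each file, for a user with the given memberships."""
    return {name: label(combined(SHARE_ACL, acl, principals, over_network))
            for name, acl in NTFS_ACL.items()}


if __name__ == "__main__":
    print("alice (Users) over the network:", report({"alice", "Users"}))
    print("bob (Users, Contractors) over the network:", report({"bob", "Users", "Contractors"}))
    print("alice logged on locally:", report({"alice", "Users"}, over_network=False))
```

For alice the model reproduces the figure (Read on File A, Full Control on File B). For bob, who is also in Contractors, the Deny Write entry strips the write right from File B even though the share grants Full Control, and label() then reports the strongest standard permission that still fits. Running the same check with over_network=False shows why the chapter stresses NTFS permissions: a restrictive share ACL does nothing for a user who logs on at the console.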
MONITORING ACCESS TO SHARED FOLDERS
The Computer Management console in Windows XP Professional includes the
Shared Folders snap-in, which allows you to easily monitor access to network
resources and send administrative messages to users. You monitor access to
shared folders to determine how many users currently have a connection to each
folder. You can also monitor open files to determine which users are accessing the
files, and you can disconnect users from one open file or from all open files.
Reasons for Monitoring Network Resources
It is important to understand why you should monitor the network resources in
your computer environment. Some of the reasons it is important to assess and
manage network resources include:
■
Maintenance You should determine which users are currently using
a resource so you can notify them before making the resource temporarily or permanently unavailable.
■
Security You should monitor user access to resources that are confidential or need to be secure to verify that only authorized users are
accessing them.
■
Planning You should determine which resources are being used and
how much they are being used so you can plan for future system
growth.
When you use the Shared Folders snap-in in the Computer Management console,
you can monitor the resources on the local computer or on a remote computer.
Requirements for Monitoring Network Resources
Not all users can monitor access to network resources. The following list
describes the group membership requirements for monitoring access to network
resources using the Shared Folders snap-in:
■
By default, in a Windows Server domain, the Domain Admins and Server Operators groups can manage shared folders residing on any computer in the domain. The Power Users group is a local group that can share only folders residing on the standalone server or on the computer running Windows XP Professional on which the group exists.
■
In a Windows workgroup, the Administrators and Power Users groups
can share folders on the Windows Server standalone server or the computer running Windows XP Professional on which the group exists.
Monitoring Shared Folders
You use the Shares folder in the Shared Folders snap-in to view a list of all shared
folders on the computer and to determine how many users have a connection to
each folder. In Figure 8-20, the Shares folder has been selected in the Computer
Management console tree, and all the shared folders on that computer are shown
in the details pane.
Figure 8-20 Shares folder of the Shared Folders snap-in
The following list explains the information provided in the details pane shown in
Figure 8-20.
■
Shared Folder The shared folders on the computer. This is the name
that was given to the folder when it was shared.
■
Shared Path The path to the shared folder.
■
Type The type of network connection: Windows, Novell NetWare, or
Apple Macintosh.
NOTE Because Windows XP Professional does not include the NetWare or Macintosh file services, the Type field always shows Windows for the local system. If you were viewing a Windows Server 2003 system remotely with Computer Management, you might see other client types if the appropriate service to support them has been installed.
■
# Client Connections The number of clients who have made a
remote connection to the shared folder.
■
Comment Descriptive text about the folder. This comment was
provided when the folder was shared.
NOTE Windows XP Professional does not update the list of shared folders, open files, and user sessions automatically. To update these lists, on the Action menu, click Refresh.
Determining how many users can access a shared folder concurrently
You can use the Shared Folders snap-in to determine the maximum number of
users who are permitted to access a folder. In the Shared Folders details pane,
click the shared folder for which you want to determine the maximum number of
concurrent users. On the Action menu, click Properties. In the Properties dialog
box for the shared folder, the General tab shows the user limit. In Windows XP
Professional, the maximum is 10, but you can set this to a lower value. You can
also use the Shared Folders snap-in to determine if the maximum number of
users permitted to access a folder has been reached.
NOTE Connection limits might be one reason a user can’t connect to a share. To check this, compare the number of current connections to the share with the maximum connections allowed. If the maximum number of connections has already been made, the user cannot connect to the shared resource until another connection is released.
Monitoring open files
Use the Open Files folder in the Shared Folders snap-in to view a list of open files
that are located in shared folders and the users who have a current connection to
each file (Figure 8-21). You can use this information when you need to contact
users to notify them that you are shutting down the system. You can also determine which users have a current connection and should be contacted when
another user is trying to access a file that is in use.
Figure 8-21 Open Files folder of the Shared Folders snap-in
The following list describes the information available in the Open Files folder:
■
Open File The names of the open files on the computer.
■
Accessed By The username of the user who has the file open.
■
Type The operating system running on the computer where the user is logged on.
■
# Locks The number of locks on the file. Programs can request that the operating system lock a file to gain exclusive access and prevent other programs from making changes to the file.
■
Open Mode The type of access that the user’s application requested when it opened the file, such as Read or Write.
Disconnecting users from open files
You can disconnect users from one open file or from all open files. You might want to do this, for example, when you change the NTFS permissions on a file that a user currently has open. The new permissions do not affect that user until she closes and then attempts to reopen the file. You can force the change to take effect immediately by doing one of the following:
■
Disconnect all users from all open files In the Shared Folders
snap-in console tree, click Open Files. On the Action menu, click
Disconnect All Open Files.
■
Disconnect all users from one open file In the Shared Folders
snap-in console tree, click Open Files. In the details pane, select the
open file. On the Action menu, click Close Open File.
CAUTION Disconnecting users from open files can result in data loss. It is always safer to notify the user to save and close the file normally rather than disconnecting the user.
USING OFFLINE FOLDERS AND FILES
When the network is unavailable or when you are on the road and your laptop is
undocked, offline folders and files allow you to continue working on files that are
stored on shared folders on the network. These network files are cached on your
local disk so they are available even if the network is not. When the network
becomes available or when you dock your laptop, your connection to the network
is reestablished and the cached files and folders on your local disk are synchronized with those stored on the network.
Understanding Offline Files
To make shared folders available offline, copies of the files are stored in a
reserved portion of disk space on your computer called a cache. Because the cache
is on your hard disk, the computer can access it regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of
the Folder Options dialog box. You can also see how much space the cache is
using by opening the Offline Files folder and choosing Properties from the File
menu.
When you share a folder, you can allow others to make the shared folder available
offline by clicking Caching in the folder’s Properties dialog box. In the Caching
Settings dialog box (Figure 8-22), use the Allow Caching Of Files In This Shared
Folder check box to turn caching on or off.
Figure 8-22 The Caching Settings dialog box
The Caching Settings dialog box contains three caching options:
■
Manual Caching Of Documents Users must manually specify all
files they want available when working offline. This option, the default,
is recommended for a shared network folder containing files that are to
be accessed and modified by several people. To ensure proper file sharing, the network version of the file is always opened.
■
Automatic Caching Of Documents This option makes every file
that a user opens from your shared folder available to that person
offline. Files that aren’t opened are not available offline. Each time a file
is opened, the older copy of the file is deleted. To ensure proper file
sharing, the network version of the file is always opened.
■
Automatic Caching Of Programs And Documents This option
provides offline access to shared folders containing files that are read,
referenced, or run but that will not be changed in the process. This setting reduces network traffic because offline files are opened directly
without accessing the network versions in any way, and generally they
start and run faster than the network versions. This option is recommended for folders containing read-only data or applications that are
run from the network.
Configuring Your Computer to Use Offline Folders
and Files
Before you can use offline folders and files, you must enable offline file support
on your system:
1. In My Computer, choose Folder Options from the Tools menu.
2. On the Offline Files tab of the Folder Options dialog box, select the
Enable Offline Files check box and the Synchronize All Offline Files
Before Logging Off check box (Figure 8-23).
Figure 8-23 The Offline Files tab of the Folder Options dialog box
IMPORTANT Offline files are disabled if you have Fast User Switching enabled on your system. You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.
On the Offline Files tab, you can also click Delete Files to delete the locally cached
copy of a network file. Click View Files to view the files stored in the Offline Files
folder; these are the locally cached files that you have stored on your system.
Click Advanced to configure how your computer responds when a network
connection is lost. For example, when a network connection is lost, you can
configure your computer to notify you and allow you to begin working offline.
Synchronizing files
File synchronization is straightforward if the copy of the file on the network does
not change while you are editing a cached version of the file. Your edits are simply
incorporated into the copy on the network. However, another user might edit the
network version of the file while you are working offline. If both your cached
offline copy of the file and the network copy of the file are edited, you must
decide what to do. You have a choice of retaining your edited version and not
updating the network copy with your edits, of overwriting your cached version
with the version on the network, or of keeping a copy of both versions of the file.
In the last case, you must rename your version of the file, and both copies will
exist on your hard disk and on the network.
Configuring the Synchronization Manager
To configure the Synchronization Manager, in Windows Explorer choose Tools |
Synchronize. Notice that you can manually synchronize your offline files with
those on the network by clicking Synchronize. You can also configure the
Synchronization Manager by clicking Setup.
In configuring the Synchronization Manager, you have three sets of options. The
first set of options is on the Logon/Logoff tab (Figure 8-24). You can configure
synchronization to occur when you log on, when you log off, or both. You can
also specify that you want to be prompted before synchronization occurs. You can
specify the items to be synchronized at logon or logoff, or both, and you can
specify the network connection.
Figure 8-24 The Logon/Logoff tab of the Synchronization Settings dialog box
The second set of options in configuring the Synchronization Manager is on
the On Idle tab (Figure 8-25). These are similar to the options on the Logon/
Logoff tab.
Figure 8-25 Configuring the settings on the On Idle tab in Synchronization Manager
The following items are configurable on the On Idle tab:
■
When I Am Using This Network Connection Allows you to specify the network connection and which items to synchronize
■
Synchronize The Following Checked Items Allows you to specify which items to synchronize
■
Synchronize The Selected Items While My Computer Is Idle Allows you to turn synchronization on or off during idle time
Click Advanced on the On Idle tab (Figure 8-26) to configure the following
options:
■
Automatically Synchronize The Specified Items After My Computer
Has Been Idle For X Minutes
■
While My Computer Remains Idle, Repeat Synchronization Every
X Minutes
■
Prevent Synchronization When My Computer Is Running On Battery
Power
Figure 8-26 Configuring advanced On Idle settings
The third set of options for scheduling synchronization is on the Scheduled tab
(Figure 8-27), where you can add, edit, and remove scheduled synchronization
tasks.
Figure 8-27 The Scheduled tab in Synchronization Manager
MANAGING INTERNET INFORMATION SERVICES
Windows XP includes Internet Information Services (IIS) to enable users to create Web servers for personal or small business intranet use. Enabling and using
IIS to share files is slightly different than standard file sharing. File sharing allows
clients to connect to and use files by using tools such as Windows Explorer and
My Computer; IIS serves files to clients using Web browsers such as Microsoft
Internet Explorer and Mozilla. IIS also includes a feature called Web Distributed
Authoring and Versioning (WebDAV), which you might also see referred to as
Web folders.
Most Web serving of document files is read-only via HTML-based Web pages, but
you can share Microsoft Office documents via IIS as well. In this section, we will
discuss the installation and configuration of IIS for document serving.
Installing IIS
IIS is installed as a Windows component in Add/Remove Programs in Control
Panel:
1. Click Start | Control Panel.
2. Click Add/Remove Programs to launch the Add/Remove Programs
application.
3. Click Add/Remove Windows Components to launch the Windows
Components Wizard.
4. Select Internet Information Services (IIS), and click the Details button.
5. Optional components of the IIS installation are displayed. Choose the
default options.
6. Complete the rest of the Windows Components Wizard to complete
the installation of IIS.
IMPORTANT IIS is designed for Internet communications. Be aware that installing it on your system increases the system’s attack surface, the portion of the system exposed to Internet probes and attacks. Make sure you have enabled the protections of Windows Firewall and Automatic Updates before activating IIS. We will discuss Internet security topics in more depth in Chapter 11.
NOTE Also be careful not to install unnecessary services. IIS includes many components, such as FTP services and Internet e-mail (SMTP) services. To minimize your attack surface, do not install any of these services unless they are absolutely necessary.
Using IIS
After installing IIS, you can manage it via the IIS console (Figure 8-28). This console presents the major administrative functions in a single interface for ease of
administration.
Figure 8-28 The IIS console
You can start the IIS console in the following ways:
■
Open IIS from Administrative Tools in Control Panel.
■
Run %SystemRoot%\system32\inetsrv\iis.msc from the Run dialog box or a command prompt. (The inetsrv folder is not on the default search path, so typing IIS.msc alone does not find the console.)
■
Select the Internet Information Services item in Computer Management.
You can use the IIS console to add virtual folders to the Web server, restart the IIS
server services, manage Web server security settings, and manage server certificates for Secure Sockets Layer (SSL).
MORE INFO Extensive security and configuration of IIS is beyond
the scope of this course, but you can find additional resources at the
Microsoft Internet Information Services Web site at www.microsoft.com/
iis. The IIS Web site is targeted toward IIS 6, but it contains many useful
resources for the administration of IIS 5.1 (the version included with
Windows XP).
Sharing Web Folders
You can make your documents available for Internet use by configuring Web
folders. When you view the Properties dialog box for a folder after IIS is installed,
you will note the addition of a Web Sharing tab (Figure 8-29).
If you select the Share This Folder option, you will see the Edit Alias dialog box
(Figure 8-30). Use this dialog box to choose the permissions this folder will have
for Web users.
Figure 8-29 The Web Sharing tab of a folder’s Properties dialog box
Figure 8-30 The Edit Alias dialog box
Access permissions
By configuring access permissions, you can enable users to read, write, and edit
scripts contained in the published folder. The available options are:
■
Read Allows users to read documents in the folder.
■
Write Allows users to post and modify documents in the folder.
■
Script Source Access Allows users to access the source code of
scripts in this folder. If Write is enabled, this setting also allows users to
modify and upload scripts.
■
Directory Browsing Allows users to view the contents of the folder.
When this option is disabled, the user must know the exact names of
files to request them. This is fine for serving Web pages because the
links to the files are embedded into URLs in the pages themselves. But
when you serve documents, you might want to enable this option to let
users browse available files.
Application permissions
Application permissions control the access that remote browsers have to execute
code and scripts on the local system. These permissions are not required for simple document sharing, but they come into play when you are serving Active
Server Pages (ASP) or other server-side scripts.
■
None Allows the browser to access only static files such as Web pages.
■
Scripts Allows only the execution of scripts, such as Active Server
Pages (ASP).
■
Execute (Includes Scripts) All file types can be accessed or executed.
IMPORTANT When you enable Write permission on a Web folder, you receive a warning about enabling Write together with either the Scripts or the Execute application permission. Doing so can open your server to the upload and execution of malicious code. If you are sharing documents over the Internet, be sure to allow only the None application permission on Web folders.
After configuring options in the Edit Alias dialog box, click Accept to enable Web
sharing for the folder. Users can locate the folder at http://servername/foldername
with their Web browsers. You can also construct a default Web page for your
server to link to the Web folders you have published.
IMPORTANT As with all Internet-facing features, it is wise to be proactive about any patches and protections related to Web folders. Ensure that Windows Firewall is enabled and that Automatic Updates are properly configured so the latest patches will be downloaded and deployed as soon as they are available.
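As an added audit example (not from the book), the following Windows PowerShell script reads the Web folder settings of the default Web site from the IIS metabase and reports the permission combinations this section warns about. It assumes Windows PowerShell 2.0 is installed on the XP Professional host, that the IIS ADSI provider is available, and that IIS://localhost/W3SVC/1/Root is the metabase path of the default Web site.

```powershell
# Added example, not from the book: audit the Web folders (virtual directories)
# of the default Web site on an XP Professional/IIS 5.1 host and report the
# settings the chapter warns about: Write combined with Script or Execute,
# Write or Execute on their own, and Directory Browsing.
# Assumes Windows PowerShell 2.0 and the IIS ADSI metabase provider.

# Metabase AccessFlags bit values (the MD_ACCESS_* constants).
$ACCESS_READ    = 1
$ACCESS_WRITE   = 2
$ACCESS_EXECUTE = 4
$ACCESS_SCRIPT  = 512

function Get-WebFolderFinding {
    # Evaluates one folder's settings; kept separate from the metabase read
    # so the rule itself can be reviewed and reused (for example, against
    # values exported with adsutil.vbs).
    param(
        [string]$Name,
        [int]$AccessFlags,
        [bool]$DirectoryBrowsing
    )
    $write   = ($AccessFlags -band $ACCESS_WRITE)   -ne 0
    $script  = ($AccessFlags -band $ACCESS_SCRIPT)  -ne 0
    $execute = ($AccessFlags -band $ACCESS_EXECUTE) -ne 0

    $findings = @()
    if ($write -and ($script -or $execute)) {
        # The combination the Edit Alias dialog box warns about: a remote
        # user could upload a script and then have the server run it.
        $findings += "Write combined with Script/Execute"
    }
    if ($write)             { $findings += "Write enabled (uploads allowed)" }
    if ($execute)           { $findings += "Execute enabled (any file type can run)" }
    if ($DirectoryBrowsing) { $findings += "Directory Browsing enabled" }

    New-Object PSObject -Property @{
        Folder            = $Name
        AccessFlags       = $AccessFlags
        DirectoryBrowsing = $DirectoryBrowsing
        Findings          = ($findings -join "; ")
    }
}

function Get-WebSharingAudit {
    # Walks the virtual directories directly under the given site root.
    param([string]$SitePath = "IIS://localhost/W3SVC/1/Root")
    $root = [ADSI]$SitePath
    foreach ($child in $root.psbase.Children) {
        if ($child.psbase.SchemaClassName -ne "IIsWebVirtualDir") { continue }
        # InvokeGet calls IADs::Get, which returns the metabase property value.
        $flags  = [int]$child.psbase.InvokeGet("AccessFlags")
        $browse = [bool]$child.psbase.InvokeGet("EnableDirBrowsing")
        Get-WebFolderFinding -Name $child.psbase.Name -AccessFlags $flags -DirectoryBrowsing $browse
    }
}

# Show only the folders that have something to report.
Get-WebSharingAudit | Where-Object { $_.Findings } |
    Format-Table Folder, AccessFlags, Findings -AutoSize
```

A folder that is shared for document access over the Internet should show no findings at all; Read alone corresponds to the None application permission described above.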
NTFS Permissions and Web Folders
You can also use NTFS permissions to control access to Web folders. You can
set the permissions as you would normally, and then enable Windows authentication in the Internet Manager console.
To enable Windows authentication:
1. Right-click the default Web site in Internet Manager, and select Properties.
2. On the Directory Security tab of the Properties dialog box for the
default Web site, click the Edit button under Anonymous Access And
Authentication Control.
3. In the Authentication Methods dialog box (Figure 8-31), choose the
appropriate options. Choosing integrated Windows authentication
allows NTFS permissions to be used. Choosing basic authentication
does as well, but basic authentication poses some security risks
(discussed below). If you choose to disable anonymous access,
unauthorized users cannot connect to the folder.
Figure 8-31 Setting directory security in Internet Manager
NOTE This dialog box includes options to enable basic authentication (to support non-Microsoft browsers), but passwords are sent as clear text and might compromise security by revealing the users’ passwords.
Using Web Folders
Users can navigate to a Web folder using their Web browser with the URL http:
//servername/foldername. This allows read-only access to the documents in the
folder. Users can also, with Internet Explorer 5 or later, connect to the folder as a
Web folder. They can then use the documents in the folder as if they were opening them in Windows Explorer. They can drag and drop additional files into the
folder, delete files (given the appropriate permissions in NTFS, of course), and
save documents using Office applications.
MORE INFO Other browsers are available for WebDAV folders. You can obtain additional information about WebDAV support at www.webdav.org/projects.
To open a Web folder:
1. On the File menu in Internet Explorer, click Open.
2. Enter the URL of the Web Folder, and select the Open As Web Folder
option. Internet Explorer opens the folder with a My Computer–like
interface.
SUMMARY
■ You can make a folder and its contents available to other users over the network by sharing the folder.
■ Using shared folder permissions is the only way to secure file resources on FAT volumes.
■ Shared folder permissions apply to folders, not individual files.
■ To access a shared folder, users must connect to it and have the appropriate permissions. Shared folder permissions restrict access to users who connect to the folder over the network, not to users who gain access to the folder at the computer where the folder is stored.
■ The three shared folder permissions are Read, Change, and Full Control.
■ The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.
■ Best practices for security include removing the Everyone group from Shared Folders and using another group, such as Users or Authenticated Users, instead to prevent unauthorized access to files and folders.
■ Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who browse the computer.
■ In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders.
■ You can access a shared folder on another computer by using My Computer, My Network Places, the Run command, or the NET USE command.
■ On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders.
■ When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.
■ Use the Shared Folders snap-in to monitor access to network resources on local or remote computers.
■ Offline files are network files that are cached on your local disk so they are available even if the network is not.
■ Before you can use offline files, you must choose Folder Options from the Tools menu of My Computer or Windows Explorer to configure your computer to use offline files.
■ You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.
■ You use Synchronization Manager to configure synchronization of the offline files you are using and the copies on the server.
■ You can use Synchronization Manager to configure synchronization to occur when you log on, when you log off, or both, and you can specify that you want to be asked before synchronization occurs.
■ Web folders offer a way to enable Internet file sharing via WebDAV.
REVIEW QUESTIONS
1. If you are using NTFS permissions to specify which users and groups
can access files and folders and what these permissions allow users to
do with the contents of the file or folder, why would you need to share
a folder or use shared folder permissions?
2. Which of the following are valid shared folder permissions? (Choose
all correct answers.)
a. Read
b. Write
c. Modify
d. Full Control
3. _______________ (Denied/Allowed) permissions take precedence
over ____________ (denied/allowed) permissions on a shared folder.
4. When you copy a shared folder, the original folder is _______________
(no longer shared/still shared) and the copy is ____________________
(not shared/shared).
5. When you move a shared folder, the folder is _____________________
(no longer shared/still shared).
6. When you rename a shared folder, the folder is ___________________
(no longer shared/still shared).
7. The system root folder, which is C:\Windows by default, is shared as
____________.
8. To assign permissions to user accounts and groups for a shared folder,
which of the following tabs do you use?
a. The Permissions tab of the Properties dialog box for the shared
folder
b. The Sharing tab of the Properties dialog box for the shared folder
c. The General tab of the Properties dialog box for the shared folder
d. The Security tab of the Properties dialog box for the shared folder
9. By default, how much of the available disk space is allocated for the
cache for making shared folders available offline?
a. 20 percent
b. 15 percent
c. 10 percent
d. 5 percent
10. Which of the following statements about combining shared folder
permissions and NTFS permissions are true? (Choose all correct
answers.)
a. You can use shared folder permissions on all shared folders.
b. The Change shared folder permission is more restrictive than the
Read NTFS permission.
c. You can use NTFS permissions on all shared folders.
d. The Read NTFS permission is more restrictive than the Change
shared folder permission.
11. Which of the following statements about shared folder permissions
and NTFS permissions are true? (Choose all correct answers.)
a. NTFS permissions apply only when the resource is accessed over
the network.
b. NTFS permissions apply whether the resource is accessed locally
or over the network.
c. Shared folder permissions apply only when the resource is
accessed over the network.
d. Shared folder permissions apply whether the resource is accessed
locally or over the network.
12. How do you determine which users have a connection to open files on
a computer and which files they have a connection to?
13. How can you disconnect a specific user from a file?
14. Which of the following statements are true about Web folders?
(Choose all correct answers.)
a. Web folders are designed to allow Internet file sharing.
b. Web folders work with all browsers.
c. Web folders use the FTP protocol to transfer files.
d. Web folders use WebDAV to transfer files.
CASE SCENARIOS
Scenario 8-1: Shared Folder Tree
You are designing security for a small office workgroup network. You have
decided to create a tree for data folders for all the departments in the office. The
departments (and the folders you will create) are: Accounting, Operations, Manufacturing, and Facilities. Answer the following questions about the configuration
of these folders:
1. To allow each department to have access only to its own folder but to
promote ease of administration for you, how should you arrange these
folders?
2. The operations department wants to allow all others to read their files
but not modify them. How can you assign permissions to the Accounting folder to enable this?
3. If you have Full Control permission to the folder containing all the
department folders, what is your permission to the Accounting
folder?
Scenario 8-2: Command-Line Nirvana
You are the administrator of a large network in a law office. Your office has just
joined with a larger law group, and you need to set up access to allow attorneys
from the other group to access your firm’s files. Your boss doesn’t want to give
them full access to all files just yet and has asked you to give them only the ability
to read files for now. You are creating a group of folders for users, and you want to
automate folder creation by using the NET SHARE command. Answer the following questions about this scenario:
1. You are sharing the Pending Briefs folder, which is located at
D:\PendingBriefs. What NET SHARE command should you use?
a. NET SHARE Briefs=D:\Data\PendingBriefs /REMARK: “Pending
Briefs”
b. NET SHARE Briefs /DELETE
c. NET SHARE D:\Data\PendingBriefs=Briefs /REMARK: “Pending
Briefs”
d. NET SHARE Briefs=\\Server\PendingBriefs /REMARK: “Pending
Briefs”
2. After you share the Pending Briefs folder, what is the permission for
attorneys from the larger office?
3. After some time, your boss decides that the other attorneys can be
trusted and should have greater access to the files in the Pending Briefs
folder. He wants them to be able to modify documents there but not
delete them. How can you implement this?
CHAPTER 9
SUPPORTING APPLICATIONS IN WINDOWS XP PROFESSIONAL
Upon completion of this chapter, you will be able to:
■ Manage applications using Windows Installer packages
■ Manage distribution of applications using Group Policy
■ Verify application compatibility
■ Manage application compatibility settings
■ Troubleshoot application compatibility
Microsoft Windows XP supports a wide array of software, ranging from legacy
16-bit MS-DOS and Windows-based applications to modern 32-bit and 64-bit
applications. In this chapter, you will learn how to install, manage, and configure
applications in Windows XP. We will explore application installation using
Windows Installer technologies, managing application installation using Group
Policy, and application compatibility, including Windows Logo compatibility and
application compatibility features included with Windows XP Professional.
UNDERSTANDING WINDOWS INSTALLER
TECHNOLOGIES
Organizations that operate large numbers of desktop computers need ways to
manage installed software effectively. They are also concerned with security.
In the past, these two concerns conflicted when it came to automating software
installation. Software was distributed on CD-ROM, shared in a network installation folder, or pushed with logon scripts.
In all these instances, the software was installed with default settings in the
environment of the user who was currently logged on to the system. This caused
problems for organizations that restricted users’ security permissions. If these
organizations restricted a user, the user would not have the required permissions
to execute the setup routines. If they relaxed security enough to allow the user to
run the installers, the user would have more permissions than the administrators
wanted them to have. They needed a solution to accommodate restricted user
security while allowing for automated installation of software.
Windows Installer
The Windows Installer was created as a solution to the installation issues facing
enterprise customers. It runs as a system service (at elevated privileges) and
receives instructions from an installation executable controlled from the user
environment. This executable—Msiexec.exe—is called by the user or by automated
installation settings placed into group policy objects (GPOs) stored in Active
Directory. It manages the installation of an application and also allows for sophisticated management capabilities by applying any customizations and updates
required at installation time or afterward. It can even allow installations to be
scripted to completely automate custom configurations and settings according to
the organization’s requirements.
Windows Installer Packages
Windows Installer executes installation instructions placed into Windows
Installer packages. These packages contain all the components and configuration
information required to completely install the packaged application. They can be
distributed by the software manufacturer or created as a customized installation
of a specific application by an administrator.
Components of Windows Installer packages
Windows Installer packages consist of a central installation package with associated transform files that can modify the installation. In addition, patch files are
used to install updates to the Installer packages.
The main components of the Windows Installer packages are:
■ Windows Installer Packages (.msi): Windows Installer packages contain the entire application being installed, sometimes packaged into a single .msi file, which is a database of application objects along with installation settings. Large applications might be stored in a folder, with the installation being directed by a smaller .msi file stored in the folder with it.
■ Transform (.mst): Transforms contain custom installation parameters and settings. When specified along with the Windows Installer package, the transform modifies the installation according to the settings contained within. These settings override any similar settings contained in the original package.
■ Patch (.msp): Patch packages are used to install application updates or patches. These files are designed to apply fixes to Windows Installer packages by modifying settings and cabinet files contained in the original package.
Using Msiexec to execute Windows Installer packages
The Msiexec.exe application is associated with the .msi file extension in
Windows XP system settings. When an .msi file is executed, the Msiexec.exe
application, in concert with the Windows Installer, reads the .msi file and performs the package installation. If an .mst file is specified, it is also processed to
include the appropriate customizations in the installation.
Msiexec.exe can also be called directly to perform an installation action. Here is
an example of syntax for the Msiexec.exe application:
msiexec /I c:\sample\package.msi TRANSFORMS=transform.mst
In this example, we are installing the “package” application, with custom settings
specified by the Transform.mst file. A complete list of command-line options
appears in Table 9-1.
Table 9-1 Msiexec.exe Command-Line Options

/I Package|ProductCode
    Installs or configures a product.

/f [p|o|e|d|c|a|u|m|s|v] Package|ProductCode
    Repairs a product using the original source files. The default argument list for this option is ‘omus.’ The options are:
    ■ p Reinstalls only if the file is missing.
    ■ o Reinstalls if the file is missing or an older version is installed.
    ■ e Reinstalls if the file is missing or an identical or older version is installed.
    ■ d Reinstalls if the file is missing or a different version is installed.
    ■ c Reinstalls if the file is missing or the stored checksum does not match the calculated value.
    ■ a Forces all files to be reinstalled.
    ■ u Rewrites all required user-specific registry entries.
    ■ m Rewrites all required computer-specific registry entries.
    ■ s Overwrites all existing shortcuts.
    ■ v Runs from the source and recaches the local package.

/a Package
    Installs a product on the network. This option is used to create administrative installation points for installation from shared folders on the network.

/x Package|ProductCode
    Uninstalls a product.

/j [u|m]Package
   [u|m]Package /t Transform List
   [u|m]Package /g LanguageID
    Advertises a product.
    ■ u Advertises to the current user.
    ■ m Advertises to all users of machine.
    ■ g Language identifier.
    ■ t Applies transform to advertised package.

/L [i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] Logfile
    Writes logging information into a logfile at the specified path. Flags indicate which information to log. If no flags are specified, the default is ‘iwearmo.’
    ■ i Status messages.
    ■ w Nonfatal warnings.
    ■ e All error messages.
    ■ a Startup of actions.
    ■ r Action-specific records.
    ■ u User requests.
    ■ c Initial UI parameters.
    ■ m Out-of-memory or fatal exit information.
    ■ o Out-of-disk-space messages.
    ■ p Terminal properties.
    ■ v Verbose output.
    ■ x Extra debugging information. Only available on Windows Server 2003.
    ■ + Append to existing file.
    ■ ! Flush each line to the log.
    ■ * Wildcard. Log all information except for the v and x options. To include the v and x options, specify ‘/l*vx’.

/m filename
    Generates an SMS status .mif file. Must be used with the install (-i), remove (-x), administrative installation (-a), or reinstall (-f) option. Ismif32.dll is installed as part of SMS and must be on the path. The fields of the status .mif file are filled with the following information:
    ■ Manufacturer: Author
    ■ Product: Revision number
    ■ Version: Subject
    ■ Locale: Template
    ■ Serial Number: Not set
    ■ Installation: Set by Ismif32.dll to “DateTime”
    ■ InstallStatus: “Success” or “Failed”
    ■ Description: Lists error messages in the following order:
      1. Any error messages generated by installer.
      2. Resource error message from Msi.dll if installation could not commence or user exited.
      3. Any system error message.
      4. A formatted message: “Installer error %i,” where %i is error returned from Msi.dll.

/p PatchPackage[;patchPackage2 . . .]
    Applies a patch.

/q n|b|r|f
    Sets user interface level.
    ■ q No UI.
    ■ qn No UI.
    ■ qb Basic UI. Use ‘qb!’ to hide the Cancel button.
    ■ qr Reduced UI with no modal dialog box displayed at the end of the installation.
    ■ qf Full UI and any authored FatalError, UserExit, or Exit modal dialog boxes at the end.
    ■ qn+ No UI except for a modal dialog box displayed at the end.
    ■ qb+ Basic UI with a modal dialog box displayed at the end. The modal dialog box is not displayed if the user cancels the installation. Use qb+! or qb!+ to hide the Cancel button.
    ■ qb- Basic UI with no modal dialog boxes. Note that /qb+- is not a supported UI level. Use qb-! or qb!- to hide the Cancel button.
    Note that the ! option is available with Windows Installer 2 and works only with basic UI. It is not valid with full UI.

/? or /h
    Displays syntax help and copyright information for Windows Installer.

/y Module
    Calls the system function DllRegisterServer(…) to self-register modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use:
    msiexec /y .\MY_FILE.DLL
    This option is used only for registry information that cannot be added using the registry tables of the .msi file, and for modules capable of self-registration.

/z module
    Calls the system function DllUnRegisterServer(…) to unregister modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use:
    msiexec /z .\MY_FILE.DLL
    This option is used only for registry information that cannot be removed using the registry tables of the .msi file and for modules capable of unregistering themselves.

/c
    Advertises a new instance of the product. Must be used in conjunction with /t. Available starting with the Windows Installer version that ships with Windows Server 2003 and Windows XP SP1.

/n ProductCode
    Specifies a particular instance of the product. This option can be used to identify an instance of an application installed using multiple instance support. Available starting with the Windows Installer version shipped with Windows Server 2003 and Windows XP SP1.

NOTE Msiexec options are not case sensitive. In the preceding table, /I and /L are capitalized for clarity.
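The following Windows PowerShell functions are an added example, not the book's own code: they drive Msiexec.exe with options from Table 9-1 (a silent install with a transform and a verbose log, and a /f repair using the default ‘omus’ argument list) and translate the exit code into a result an administrator can act on. The package, transform and log paths are placeholders, and Windows PowerShell 2.0 or later is assumed.

```powershell
# Added example, not from the book: wrappers around Msiexec.exe that use the
# Table 9-1 options for unattended installation and repair, and interpret the
# exit code. Paths are placeholders; assumes Windows PowerShell 2.0 or later.

function Resolve-MsiExitCode {
    # Maps the Windows Installer exit code (Winerror.h values) to a message.
    param([int]$Code)
    switch ($Code) {
        0    { "Success" }
        3010 { "Success, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)" }
        1641 { "Success, reboot initiated (ERROR_SUCCESS_REBOOT_INITIATED)" }
        1602 { "Cancelled by user (ERROR_INSTALL_USEREXIT)" }
        1603 { "Fatal error during installation (ERROR_INSTALL_FAILURE); see the log" }
        1618 { "Another installation is in progress (ERROR_INSTALL_ALREADY_RUNNING)" }
        default { "Msiexec returned $Code; see the log" }
    }
}

function Install-MsiPackage {
    # Silent install of an .msi, optionally customized by an .mst transform.
    param(
        [Parameter(Mandatory=$true)][string]$Package,   # path to the .msi
        [string]$Transform,                              # optional path to the .mst
        [string]$LogFile = (Join-Path $env:TEMP "install.log")
    )
    if (-not (Test-Path $Package)) { throw "Package not found: $Package" }

    # /i installs; /qn suppresses the UI; /L*v logs everything (the table's
    # wildcard plus verbose). TRANSFORMS= is the public property that applies
    # an .mst to the package.
    $msiArgs = @("/i", "`"$Package`"", "/qn", "/L*v", "`"$LogFile`"")
    if ($Transform) {
        if (-not (Test-Path $Transform)) { throw "Transform not found: $Transform" }
        $msiArgs += "TRANSFORMS=`"$Transform`""
    }

    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    Resolve-MsiExitCode $proc.ExitCode
}

function Repair-MsiProduct {
    # Self-healing from the command line: /f with the default 'omus' list from
    # Table 9-1 reinstalls files that are missing or older, rewrites the
    # user- and computer-specific registry entries, and overwrites shortcuts.
    param(
        [Parameter(Mandatory=$true)][string]$ProductCode,   # the product's GUID, in braces
        [string]$LogFile = (Join-Path $env:TEMP "repair.log")
    )
    $msiArgs = @("/fomus", $ProductCode, "/qn", "/L*v", "`"$LogFile`"")
    $proc = Start-Process -FilePath "msiexec.exe" -ArgumentList $msiArgs -Wait -PassThru
    Resolve-MsiExitCode $proc.ExitCode
}

# Example calls (placeholder paths and product code):
# Install-MsiPackage -Package "C:\sample\package.msi" -Transform "C:\sample\transform.mst"
# Repair-MsiProduct -ProductCode "{00000000-0000-0000-0000-000000000000}"
```

Because the install runs with /qn, the verbose log named in $LogFile is the only record of what happened, so keep it with the deployment records rather than in %TEMP% on production systems.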
Advantages of Windows Installer packages
Software packaged using the Windows Installer technologies is tailor-made for
automated installation. You can advertise (or publish) it for installation using the
Msiexec.exe command-line command, and you can install it or publish it using
Group Policy in Active Directory. You get amazing control and management abilities, essentially for free, just by taking advantage of these features.
NOTE We will discuss publishing applications later in this chapter.
Another advantage of the Windows Installer technologies is the prospect of self-healing applications. Simply reinstalling from Add/Remove Programs or executing the appropriate Msiexec.exe command causes the application to examine all its files against the original installation source, replacing or repairing any missing or corrupt files. Applications such as Microsoft Office can even launch this process from within the application to provide automatic self-repair.
DEPLOYING SOFTWARE USING GROUP POLICY
We’ve alluded to group policy objects (GPOs) several times in this chapter.
Group Policy is one component of Microsoft’s Intellimirror technologies, and it is
used to manage system and application configuration and software installation.
We will now examine the role of Group Policy in application management and
support.
Overview of Group Policy
Group Policy allows you to manage configuration of computers and user settings
in an Active Directory environment. Using Group Policy, you can control settings
for software configuration, manage registry settings, configure security, install
software updates, manage user profiles, and carry out many other tasks.
Group Policy settings are stored in group policy objects that are attached to
Active Directory domains, sites, or organizational units (OUs). GPOs can
store settings for users and/or computers, allowing administrators to configure
many settings at once.
MORE INFO There is obviously much more to Group Policy and
Active Directory that falls beyond the scope of this course. For more
information on Active Directory and Group Policy, see Microsoft Official
Academic Course 70-294: Planning, Implementing, and Maintaining a
Microsoft Windows Server 2003 Active Directory Infrastructure.
Software Installation Policies
Software installation policies are one facet of GPOs. They allow administrators
to specify .msi packages that are to be advertised or installed on systems. These
applications can be installed for specific users in the domain or for individual
computers themselves. We will examine the two methods of making software
available with GPOs: publishing and assigning (Figure 9-1).
Figure 9-1 Managing software installation policy [diagram: a Software Installation Policy is either Published (installed on demand*) or Assigned (installed on first use* or installed on next restart); *or first use of associated document]
Publishing software
Publishing software is like advertising the availability of an application. The
application appears in the Add/Remove Programs area as available for installation; you can also install it on demand the first time a user executes an associated application extension. Because published applications require action from
a user to be installed, they can be made available only to users (rather than
being assigned to computers).
Assigning software
Software can be assigned to the user or directly to the computer. If an application
is assigned to the user, an icon for the application appears on the desktop or on
the Start menu, and the application is installed the first time the icon is activated
or the first time an associated file is opened.
Software assigned to the computer (Figure 9-2) installs on the system before the next user logon. It is thus ready when any user of the system needs it. If user-specific options need to be installed, as specified by the .msi file, they are quickly installed the first time the user runs the application.
Figure 9-2 Software assigned to a computer
Upgrading or patching software with Group Policy
In addition to directing installation of software, you can configure GPOs to
install application updates. You can configure these updates to upgrade the
existing application or even replace it (Figure 9-3).
Figure 9-3 Installing an application upgrade with Group Policy
Removing Software Installation Policy
When a software installation policy for an application no longer applies to the computer or user, you can manage the application in either of two ways (Figure 9-2):
■ Uninstall the application when it falls out of the scope of management: This removes the application if the computer or user to which it is attached leaves the domain or OU the GPO is assigned to. It also removes the application if the GPO or its software installation policy is deleted. This option is an excellent way to ensure that software licensed by your company is uninstalled if a PC is ever lost or stolen. If a user removes the computer from the company domain, the software is uninstalled.
■ Leave the application in place when it falls out of the scope of management: The software remains in place if the user or computer falls out of management, either through changing domains or OUs or the policy being deleted.
NOTE You explicitly select the Uninstall When It Falls Out Of The Scope Of Management option when you configure a software installation policy. Leaving the application in place is the result of not explicitly selecting that option.
UNDERSTANDING APPLICATION COMPATIBILITY
Windows XP brought together the stability of the Windows NT family of operating
systems and the hardware compatibility of the Windows 9x family of operating
systems. The Windows XP designers were faced with hard choices. Users and
corporations needed the security and reliability features of the Windows NT operating systems but wanted to be able to use all the legacy applications they had
acquired over the years. Some of these applications were incompatible with the
strict requirements of the Windows NT line. Microsoft therefore designed application compatibility technologies into Windows XP. Users can customize settings to
emulate the environments that legacy systems require to operate effectively.
In this section, we will explore these application compatibility technologies and
how to configure them.
Windows Logo Program
Before we discuss application incompatibility, let’s take a look at application compatibility. Microsoft operates the Windows Logo Program Qualification Service
(Winqual) to test and certify products for compliance with Windows operating
systems. Software manufacturers submit their products to the Winqual service
for testing and obtain logo certification for their products, entitling them to submit their products to the Windows Catalog and use one of the Windows logos in
their advertising and on product packaging.
The Windows Logo Program specifies three levels of application compatibility:
■ Compatible with Windows XP: This level indicates that the application will perform its primary function without crashing your system.
■ Designed for Windows XP: Applications with this logo will not interfere with other applications in use on your system, will install and uninstall properly, and will not overwrite files that are needed by the operating system. These applications will support Fast User Switching and will not require a reboot unnecessarily.
Designed for Windows XP applications are eligible for inclusion in the Windows Catalog (http://www.microsoft.com/windows/catalog). Users can browse listings of compatible applications in the Windows Catalog (Figure 9-4) and be confident that those applications have been certified for Windows compatibility.
■ Optimized for Windows XP: These applications meet the Designed for Windows XP logo requirements as well as take advantage of advanced Windows XP technologies for gaming, multimedia, or accessibility. They might also be certified for compatibility with future Windows versions. They might even integrate the new Windows XP visual styles or enable the ability to traverse network address translation (NAT) firewalls in their Internet communications.
Figure 9-4 The Windows Catalog displaying Designed for Windows applications
Causes of Application Incompatibility
Legacy applications might be incompatible with Windows XP for a number of
reasons, including the following:
■ Changes in data formats: The legacy application might fail to run if the updated data access technologies in Windows XP do not support access methods used by the application. An example of this would be changes in Microsoft Data Access Components (MDACs) that require programs using older versions to be updated to remain compatible.
■ Different user profile formats and locations: Windows XP places all user profiles in the Documents and Settings folder on the system volume. If the application was specifically programmed to store user data in the C:\WINNT\Profiles or C:\Windows\Profiles folders (the locations in Windows NT and Windows 9x, respectively), it might fail to properly store data files or application settings.
NOTE Systems upgraded from Windows NT Workstation and Windows 9x will still use the former user profile folders.
■ Windows reports wrong version number: Some applications that were designed for Windows 95 or Windows 98 will not run on other operating system versions. Even if there is no functional reason for them not to run, they simply won’t continue with the wrong operating system version.
■ Application cannot operate with large amount of resources: The application might not know how to operate with greater than 2 GB of free disk space or too much RAM. The application will assume that resources are insufficient for proper operation and will present an error and/or shut down.
■ Application uses direct hardware access methods: For stability reasons, operating systems in the Windows NT family do not allow applications to directly access hardware resources. Applications must access hardware through a device driver. This causes incompatibility with applications designed for Windows 9x that might have accessed hardware directly. An example of this might be an application that manipulates system memory directly.
Application Compatibility Tools
The developers of Windows XP recognized the challenges presented by legacy
software and designed several application compatibility technologies into
Windows XP.
During Windows XP setup, existing applications are compared against a list of
known incompatible applications stored in the Migdb.inf file (Windows 9x) or
Ntcompat.inf file (Windows NT/2K). These files allow Setup to warn users about
incompatibilities during setup, long before the incompatible application would
be used.
Compatibility fixes
Some incompatible applications can be supported if you modify how Windows
XP responds to the application or if you create an emulated environment that the
application will find suitable. You do this by using “shim technology” to insert
code between the application and the operating system to fool the application
into believing it is running in its preferred environment. These compatibility
fixes are stored in the application compatibility system databases sysmain.sdb
and apphelp.sdb. These databases are stored in the application compatibility
database folder (/AppPatch) in the Windows main system folder (usually
C:\Windows).
307
308
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
Compatibility modes
Applications written for older operating systems often took advantage of specific (and
sometimes undocumented) features. If these features are no longer available in
Windows XP (for security or stability reasons), those applications will normally
not run in Windows XP. However, by mimicking the older operating system,
Windows XP can still execute the application.
Windows XP accomplishes this by using compatibility modes. These are collections of compatibility fixes that, taken together, mimic the earlier operating system.
There are three kinds of application compatibility modes:
■
End-user modes These are the compatibility modes included with Windows XP and displayed when a user browses the Compatibility tab of an
application’s Properties dialog box (Figure 9-5). They apply a collection of
compatibility fixes designed to mimic the earlier operating system. Application compatibility modes are available to mimic Windows 95, Windows 98,
Windows Me, Windows NT 4, and Windows 2000. In addition, users can
choose to revert display settings to VGA resolution (256-color, 640×480)
and to disable visual themes and advanced device input.
Figure 9-5 Setting the compatibility mode for an application
■
System modes These modes are accessible to system administrators
and include, in addition to the end-user modes, fixes to enable users
with limited accounts to operate applications and fixes to support user
profile interaction changes in Windows XP. These modes are configured with the Compatibility Administrator tool (discussed later).
■
Custom modes Customized modes, consisting of fixes designed for
a specific application, can be created and applied with the Compatibility
Administrator tool.
You select end-user compatibility modes on the Compatibility tab of the Properties
dialog box for an application executable (Figure 9-5).
Program Compatibility Wizard
The Program Compatibility Wizard (Figure 9-6) is designed to allow end users
to manage their own application compatibility settings. The wizard walks you
through setting compatibility modes or display settings and allows you to test
compatibility. You launch the wizard from Help and Support Center by searching
on “application compatibility.”
Figure 9-6 Managing application compatibility with the Program Compatibility Wizard
Advanced Compatibility Tools
System administrators can use two additional tools to manage compatibility fixes
for applications: the Compatibility Analyzer and the Compatibility Administrator.
They can scan for known application compatibility issues with installed software,
apply specific fixes to an application, and evaluate the results. You can obtain
them by downloading the Application Compatibility Toolkit from the MSDN
Web site at http://msdn.microsoft.com/compatibility.
Compatibility Analyzer
The Compatibility Analyzer tool (Figure 9-7) scans the computer for applications
and reports their compatibility status. It can also maintain a database of installed
software from data collected on computers around the enterprise, allowing
administrators to assess application compatibility issues on all their systems from
a central location.
Figure 9-7 The Compatibility Analyzer tool
Compatibility Administrator
The Compatibility Administrator tool (Figure 9-8) lets you customize fixes for a
specific application. Of the hundreds of available fixes, you might apply one or
more to an incompatible application and test the results. If the program is made
compatible, you can store the compatibility settings in a database and apply them
to other systems in the organization.
Figure 9-8 The Compatibility Administrator tool
Troubleshooting Application Compatibility Issues
When you’re faced with an incompatible application, you should eliminate any
potential installation mistakes before you call the software vendor. If reinstalling
the application according to the manufacturer’s instructions does not solve the
problem, you might consider the following steps:
■
Check the vendor’s Web site for application updates After your
company acquired the application, the application’s vendor might
have solved the compatibility issues with the application and made an
updated version available for download. Some software manufacturers
also make their updates available via the Windows Update Web site
(http://windowsupdate.microsoft.com).
■
Install the application using an administrator-level
account Some applications cannot store required files or make the
necessary registry modifications when they are installed by a limited
user account. Reinstalling the application as an administrator might
solve the problem.
■
Make sure no other users are logged on to the system If Fast
User Switching is enabled, other users might be logged on to the
computer. This might interfere with the installation or operation of a
program that was not designed to operate in this environment.
■
Analyze the program with the Program Compatibility
Wizard The wizard can apply compatibility modes to the program
and test the results. This might enable a legacy program to operate.
■
Manage the program with the Compatibility Administrator
tool This tool can apply individual or multiple compatibility fixes
and evaluate the results.
SUMMARY
■
Windows Installer runs as a system service (at elevated privileges) and
receives instructions from Msiexec.exe. It manages the installation of
an application and allows for sophisticated software installation management. It can completely automate custom configurations and settings according to the organization’s requirements.
■
Windows Installer packages consist of a central installation package (.msi)
with associated transform files (.mst) that might modify the installation.
■
The Msiexec.exe application is associated with the .msi file extension.
In concert with the Windows Installer, it reads the .msi file and any
.mst transforms and performs the package installation.
■
Group Policy allows you to manage configuration of computers and
user settings in an Active Directory environment.
■
Software installation policies allow administrators to specify .msi packages that are to be advertised or installed on systems. These applications can be installed for specific users or for the computer itself.
■
Microsoft operates the Windows Logo Program Qualification Service
(Winqual) to test and certify products for compliance with Windows
operating systems.
■
Legacy applications might have used features of older operating systems that are not available in Windows XP. By mimicking the older
operating system, Windows XP can still execute the application. You
accomplish this by defining compatibility modes.
■
The Program Compatibility Wizard helps users set compatibility
modes or display settings and allows them to test compatibility.
■
The Compatibility Analyzer tool scans for applications and reports
their compatibility status to an administrator.
■
The Compatibility Administrator tool allows you to customize fixes for
a specific application and package those fixes for distribution to multiple Windows XP systems.
REVIEW QUESTIONS
1. You are installing an application that should be available to specific
users wherever they use a computer. The application should be
installed when they execute it for the first time or open an associated
application. You are planning to implement a software installation
policy, and you have placed the users into an organizational unit. What
method of software policy implementation should you use to ensure
that only the users in this OU receive the application?
a. Assign the software to the users in the OU
b. Publish the software to the users in the OU
c. Assign the software to the computers in the OU
d. Publish the software to the computers in the OU
2. You are distributing an application to all computers in your organization. You want to install it with different settings for one department in
your home office. How can you configure software installation Group
Policy settings to accomplish this?
a. Create an OU for users requiring the special settings. Create a
transform for the special settings. Assign the Windows Installer
package to the users in the domain. Assign the package, along
with the transform for the special settings, to users in the special
settings OU.
b. Create an OU for users requiring the special settings. Create two
Windows Installer packages to support the different settings.
Assign the default package to the domain users, and assign the
other to the users in the special settings OU.
c. Create an OU for users requiring the special settings. Assign the
application’s Windows Installer package to the computers in the
domain. Create a transform for the special settings, and assign it
to the users in the special settings OU.
d. Create a transform for the special settings. Assign the Windows
Installer package to the computers in the domain. Instruct the
users who require special settings in how to reinstall the application with the special settings transform.
3. Which of the following Msiexec.exe commands would uninstall the
program.msi package?
a. msiexec /r program.msi
b. msiexec /x program.msi
c. msiexec /i program.msi
d. msiexec /f program.msi
4. You are purchasing a new accounting application for your small
business. You want to make sure the application is compatible with
Windows XP. Which of the following compatibility logos would you
look for?
a. Designed for Windows 98
b. Designed for Windows XP
c. Compatible with Windows XP
d. Designed for Windows Server 2003
5. You are configuring a legacy business application to run on Windows XP.
It presents several errors on startup, and you have tried several compatibility modes in your attempt to find a solution. Windows 95 mode
works best but still has a few issues. The manufacturer has gone out of
business, and you cannot find any other information about compatibility
upgrades. Which of the following tools might help you?
a. Compatibility Analyzer
b. Program Compatibility Wizard
c. Compatibility Administrator
d. Msiexec.exe
CASE SCENARIOS
Scenario 9-1: Windows Installer
You are planning the implementation of a complex business application to systems in a mid-size company. The application supports Microsoft Installer technology and is packaged into a single .msi file. All users of the application will
use the application’s default settings, but some will make use of features that
other users will not need. The business owner has asked you to install the application so that users have only the features of the application they require. The
users have been grouped into three groups based on the functionality they
require. The groups are Finance, Sales, and Production.
You know you can perform a custom installation from CD-ROM, but you want to
automate the installations in the interest of time and consistency. You discover a list
of available installer transforms for different configurations. You select three that
seem like a good fit for users in the organization: Accounting.mst, Salesforce.mst,
and Manufacturing.mst.
Answer the following questions about this scenario:
1. If the users are maintained in an Active Directory domain environment,
how do you automate the installation of the application to the three
groups of users?
2. If Active Directory isn’t available, how do you automate this installation?
3. Which of the following Msiexec command lines installs the application
for the Finance group?
a. Msiexec /I Application.msi Finance.mst
b. Msiexec /a Application.msi Accounting.mst
c. Msiexec /x Application.msi
d. Msiexec /I Application.msi Accounting.mst
Scenario 9-2: Irreconcilable Differences?
You have been contracted by a small company to see if there is any way to make
their legacy business applications work with Windows XP. They have three applications in particular that are causing trouble. After some research, you discover
the following:
■
Application A has the Designed for Windows 98 logo and runs on
Windows XP. Errors occur when you attempt to access data files,
however. The manufacturer no longer produces or supports the
application.
■
Application B was written by a former employee that the business has
lost contact with. When the application is executed, it returns the error
“This application requires Windows 95.” It then terminates.
■
Application C does not run at all. The manufacturer is still in business
and has a version compatible with Windows XP. When one user
attempted to install it, the installation program returned the error
“Unable to write to program folder.”
Answer the following questions about this scenario:
1. Which of the following actions will most likely help Application A
operate effectively?
a. Operate the application in Windows 98–compatibility mode
b. Run the application as an administrator
c. Remove and reinstall the application
d. Change the permissions on the application data files
2. What is most likely the cause of Application B’s error? How can you
configure Application B to operate?
3. What is the most likely cause of Application C’s failure during installation? How can you install this application?
CHAPTER 10
CONNECTING WINDOWS XP
PROFESSIONAL TO
A NETWORK
Upon completion of this chapter, you will be able to:
■ Configure and troubleshoot the TCP/IP protocol
■ Connect to a wireless network
■ Connect to the Internet using dial-up networking
■ Connect to a virtual private network (VPN)
■ Configure and troubleshoot Internet Connection Sharing (ICS)
■ Configure and manage Remote Desktop and Remote Assistance
We have so far concentrated on installing and supporting Microsoft Windows XP
and its applications. In the next few chapters we will explore networks and
connecting Windows XP to them.
In this chapter, we will discuss making the basic network connections. You will
learn about the properties of the TCP/IP protocol. You’ll explore dial-up networking and use it to connect to networks. You will also learn how to connect your
Windows XP system to the Internet and how to share that connection with other
systems on your network. Finally, we will configure and use Remote Desktop and
Remote Assistance to enable remote control.
CONFIGURING TCP/IP
A protocol is a set of rules and conventions for sending information over a network. Windows XP Professional relies on the Transmission Control Protocol/
Internet Protocol (TCP/IP) for logon, file and print services, replication of information between domain controllers, and other common functions.
This section presents the skills and knowledge necessary to install, configure,
and troubleshoot TCP/IP. It also discusses the process for configuring network
bindings, which are links that enable communication among network protocols
and services.
The OSI Reference Model
Most discussions of network architecture begin with an overview of the Open
Systems Interconnection (OSI) model for networking (Figure 10-1). This reference model for designing networks was proposed in 1979 by the American
National Standards Institute (ANSI) to the subcommittee on Open Systems Interconnection of the International Organization for Standardization (ISO). It was
published in 1984 as a standard for designing open network applications.
Figure 10-1 The OSI and DARPA reference models (shown side by side):
  OSI: Application, Presentation, Session   <->  DARPA: Application
  OSI: Transport                            <->  DARPA: Transport
  OSI: Network                              <->  DARPA: Internet
  OSI: Data Link, Physical                  <->  DARPA: Network
The seven layers designate discrete steps in a network communication, beginning
at the Application layer and progressing until the data is placed on the physical
network medium. Each layer adds its own information for use by its counterpart
in the destination stack. Data received at the next system passes up through the
protocol stack to the application at the top. Each layer in the upward progression
reads its information from the stack and passes the encapsulated data up to the
next layer. When the application layer receives the data, it recognizes it and
processes it. This process repeats for each communication over the network.
CHAPTER 10:
CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK
Applications designed strictly using the seven-layer model were found to be
ungainly and difficult to configure. Protocols were created to enable faster communication, and they evolved into the TCP/IP and IPX/SPX protocols in use
today.
The seven layers of the OSI model are:
■
Application (layer 7) Applications themselves are placed in this
layer. The application is responsible for communicating with the user.
An example of an application at this layer is a Web browser.
■
Presentation (layer 6) Converts the information entered by the
user into something meaningful to the application. This layer is also
responsible for making different data formats or character sets compatible, such as an ASCII–to-EBCDIC translator. Other tasks performed in
this layer include certain types of compression and encryption.
■
Session (layer 5) Provides a session or channel for communication
between two computers or users. A Session layer protocol is responsible for establishing and breaking down communication sessions. An
example of this is a streaming video session.
■
Transport (layer 4) Aids the Session layer in preparing data for
transmission. This layer is responsible for breaking up the data into
manageable units. It is also responsible for sequencing packets and
ensuring that lost packets are retransmitted so no data is lost during
the communication sequence.
NOTE There has always been some overlap between the Session and
Transport layers, which is one reason why applications that follow the OSI
model strictly can be ungainly. Protocols such as Transmission Control
Protocol (TCP) actually operate in both layers to ensure guaranteed
communication.
■
Network (layer 3) Routes the information within individual networks and across networks. It maintains a routing table of possible
destinations and directs packets to the desired destination.
■
Data Link (layer 2) Connects the Network layer to the physical
media. This layer consists of device drivers and low-level protocols
(such as Ethernet and Token Ring) for communication with network
adapters. It begins the process of converting the data packets into
frames made up of binary signals (1s and 0s). The Data Link layer
exists partially in the device drivers and partially in the network
adapter firmware.
NOTE Frame formation encapsulates data in a structure that
provides the correct signals for communication on the wire. Frames
begin with a preamble or unique sequence of bits that indicate the
start of the packet, and they end with a cyclical redundancy check or
checksum at the end of the packet. In between are addressing information and data. Other systems on the wire can examine Ethernet frames
to determine if those frames are intended for them. Frames received
by the final destination system are unpacked and sent up the protocol
stack.
■
Physical (layer 1) This layer consists of the network hardware and
the physical network medium. It transmits the electrical or optical signal from one system to the next.
NOTE As you study networking, you will see references to layer 3
switches or layer 2 devices. This is industry terminology for devices
that have capabilities on the named layer. A layer 3 switch, for example,
can perform some of the functions of a router (a layer 3 Internet
device).
The DARPA Reference Model
Around the same time that the OSI model was being conceived, the U.S. Department of Defense (DoD), in cooperation with a consortium of universities, was
creating its own model for communication (see Figure 10-1, shown earlier). This
model, called the DARPA (for Defense Advanced Research Projects Agency)
model or the DoD model, is simpler and more applicable to the protocols in use
today. Both models are excellent tools for understanding networking—we will
refer to them as we discuss the topics in this chapter.
NOTE The OSI and DARPA models are shown side by side in Figure 10-1
to give an approximate comparison of which layers in one correspond to
layers in the other. When you refer to these models, try to keep this relationship in mind so it will be less confusing when you hear someone speak
of layer 3 devices, for example. When we refer to numbered layers, we are
referring to the OSI model (layer 3 being the Network layer). Understanding the relationship between models will help you understand which TCP/IP
function would be happening at the respective layer (Internet layer).
Knowing this helps you understand that a layer 3 switch can actually
perform routing functions.
The layers of the DARPA model are more simplified than the OSI model.
Internet protocols and applications also work more closely with these layers
(Figure 10-2).
Figure 10-2 The DARPA reference model compared with the TCP/IP protocol suite:
  Application  -  Telnet, FTP, SNMP, DNS
  Transport    -  TCP, UDP
  Internet     -  IP, ARP, ICMP, IGMP
  Network      -  Ethernet, Frame Relay, Token Ring
The layers of the DARPA model are:
■
Application layer Designates communication processes that are
typically internalized by the actual applications that end users use to
do their work. It receives user input and processes it for transmission
through the Transport layer. Examples of applications at this layer
include Telnet, FTP, and DNS. Applications that make use of Winsock
or NetBIOS access this layer.
■
Transport layer Determines the transport method, usually at the
urging of the application. This layer uses TCP or User Datagram Protocol
(UDP) as the situation warrants. Protocols in this layer can provide
ports or connecting points for multiple applications at once. When a
client application connects to a port, a socket is formed consisting of
the IP address and port. Systems can maintain many socket connections at once. Examples of Transport layer protocols include:
❑
TCP Provides connection-oriented, reliable communication for
applications that typically transfer large amounts of data at once or
require an acknowledgment for data received. TCP is connection
oriented, so a connection must be established before hosts can exchange
data. TCP provides reliable communication by assigning a sequence
number to each segment of data that is transmitted so the receiving
host can send an acknowledgment (ACK) to verify that the data was
received. If an ACK is not received, the data is retransmitted. TCP
guarantees the delivery of packets, ensures proper sequencing of the
data, and provides a checksum feature that validates both the packet
header and its data for accuracy.
❑
UDP Provides connectionless communication but does not guarantee
the delivery or the correct sequence of packets. Applications that use
UDP typically transfer small amounts of data at once. Reliable delivery
is the responsibility of the application.
■
Internet layer The layer responsible for addressing and routing.
The four Internet layer protocols are:
❑
IP IP is primarily responsible for addressing and routing packets
between hosts. It provides connectionless packet delivery for all
other protocols in the suite. It does not guarantee packet arrival or
correct packet sequence, and it does not try to recover from errors such
as lost packets, packets delivered out of sequence, duplicated packets,
or delayed packets. Packet acknowledgment and the recovery of
lost packets are the responsibility of a higher-layer protocol, such
as TCP.
❑
ARP Provides IP address mapping to the media access control
(MAC) address of the network device at the destination system.
IP address resolution is required when IP packets are sent on shared
access networking technology, such as Ethernet. IP broadcasts a
special Address Resolution Protocol (ARP) inquiry packet containing
the IP address of the destination system. The system that owns the
IP address replies by sending its physical address to the requester.
❑
ICMP Provides special communication between hosts, allowing
them to share status and error information. Higher-level protocols use
this information to recover from transmission problems. Network
administrators use this information to detect network trouble. The
Ping tool uses ICMP packets to determine whether a particular IP
device on a network is functional. One instance in which ICMP provides special communication between hosts occurs when IP is unable
to deliver a packet to the destination host; ICMP sends a Destination
Unreachable message to the source host.
❑
IGMP Informs neighboring multicast routers of the host group
memberships present on a particular network. An IP multicast group is
a set of hosts that listen for IP traffic destined for a specific IP multicast
address.
NOTE Multicast networking is a form of networking that allows a host
to direct information to a multicast address that is shared by multiple
computers. By joining a multicast group, a computer essentially “signs
up” for traffic sent to that address. A typical use of multicast networking is for streaming broadcasts of live audio or video streams.
■
Network layer The layer at the base of the model. It puts data on the
wire and pulls data off the wire. This layer comprises device drivers
and physical devices used for data transmission. Examples are Ethernet network adapters and their associated drivers, along with the physical cabling used to transmit Ethernet data frames.
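The encapsulation that both models describe (each layer adds its own header on the way down, and each layer reads and checks its own header on the way up) is easier to see in code. The following Python script is an added example and is not from the book: it wraps a constructed payload in UDP, IPv4 and Ethernet headers (the DARPA Transport, Internet and Network layers) and then unwraps the frame again, verifying the Ethernet frame check sequence and the IP header checksum before handing the data up. The MAC and IP addresses, ports and payload are constructed sample values; the header layouts follow the public UDP (RFC 768), IPv4 (RFC 791) and Ethernet II formats.

```python
"""Added example (not from the book): a payload walked down the DARPA stack
(Application -> Transport -> Internet -> Network) and back up again.
Header layouts follow the public formats (UDP: RFC 768, IPv4: RFC 791,
Ethernet II framing with a CRC-32 FCS). Addresses and payload are
constructed sample values, not real hosts."""
import struct
import zlib

# Constructed sample addresses (IANA-reserved MAC prefix, private IP range).
SRC_MAC = bytes.fromhex("00005e005301")
DST_MAC = bytes.fromhex("00005e005302")
SRC_IP = "192.168.0.108"
DST_IP = "192.168.0.1"
ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement of the one's-complement sum
    of all 16-bit words. Over a header whose checksum field is already
    filled in the result is 0, which is how the receiver verifies it."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def transport_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Transport layer: 8-byte UDP header (ports, length, checksum).
    A UDP checksum of 0 means "not computed", which IPv4 permits."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def internet_ipv4(segment: bytes, src: str, dst: str, proto: int = PROTO_UDP) -> bytes:
    """Internet layer: 20-byte IPv4 header in front of the transport segment."""
    def ip2bytes(a: str) -> bytes:
        return bytes(int(o) for o in a.split("."))
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(segment),  # version 4, IHL 5, TOS, total length
                         0x1234, 0,                   # identification, flags/fragment offset
                         64, proto, 0,                # TTL, protocol, checksum placeholder
                         ip2bytes(src), ip2bytes(dst))
    checksum = struct.pack("!H", ip_checksum(header))
    return header[:10] + checksum + header[12:] + segment


def network_ethernet(packet: bytes) -> bytes:
    """Network (OSI Data Link) layer: Ethernet II frame. The preamble is
    added by the adapter hardware, so it is not part of these bytes; the
    frame check sequence (CRC-32) goes at the end, as the text describes."""
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    return frame + struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)


def send(payload: bytes, src_port: int, dst_port: int) -> bytes:
    """Down the stack: each layer wraps what the layer above handed it."""
    segment = transport_udp(src_port, dst_port, payload)
    packet = internet_ipv4(segment, SRC_IP, DST_IP)
    return network_ethernet(packet)


def receive(frame: bytes) -> dict:
    """Up the stack: each layer reads its own header, verifies what it can,
    and passes the encapsulated data to the next layer up."""
    body, fcs = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != fcs:
        raise ValueError("Ethernet FCS mismatch: frame corrupted on the wire")
    dst_mac, src_mac = body[:6], body[6:12]
    if struct.unpack("!H", body[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("frame does not carry IPv4")
    packet = body[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != PROTO_UDP:
        raise ValueError("packet does not carry UDP")
    segment = packet[ihl:total_len]
    src_port, dst_port, length, _ = struct.unpack("!HHHH", segment[:8])
    return {
        "dst_mac": dst_mac.hex(), "src_mac": src_mac.hex(),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "payload": segment[8:length],
    }


if __name__ == "__main__":
    frame = send(b"hello", 1024, 53)
    print(len(frame), "bytes on the wire:", receive(frame))
```

Flipping any byte of the frame before calling receive() makes the FCS check fail, which is the Data Link layer doing exactly what the note on frame formation describes; the IP header checksum catches the same kind of damage one layer up, while the data inside UDP is left unchecked here (checksum 0), which is why the text says reliable delivery over UDP is the application's job.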
The TCP/IP Protocol Suite
TCP/IP is an industry-standard suite of protocols that enables enterprise
networking and connectivity on Windows XP Professional–based computers.
Using TCP/IP with Windows XP Professional offers the following advantages:
■
A routable networking protocol supported by most operating
systems Most large networks rely on TCP/IP to be the glue that holds
disparate systems together. Its nearly universal acceptance makes it the
lingua franca of network communications for programmers.
■
A technology for connecting dissimilar systems You can use
many standard connectivity tools to access and transfer data across
dissimilar systems. Windows XP Professional includes several of these
standard tools, such as FTP, Telnet, and Microsoft Internet Explorer.
You can connect using Internet Explorer to another system running
UNIX/Linux that is serving Web pages and never know a thing about
the underlying operating system. The user experience is separated
from the inner workings of the underlying operating system due to the
compatibility of the network protocols.
■
A robust, scalable, cross-platform client/server framework TCP/IP
supports the Microsoft Windows Sockets (Winsock) interface, which is
ideal for developing client/server applications for Windows-based systems. It also eases the porting of any TCP/IP sockets-based application
and the development of tools that work with sockets applications on
other platforms.
■
A method of gaining access to Internet resources The TCP/IP suite
of protocols provides a set of standards for how computers communicate and how networks are interconnected. They form the backbone for
Internet addressing and routing of data from one network to another.
Understanding IP Addresses
Each IP address consists of a network ID and a host ID. The network ID, also
known as the network address, identifies the systems that are located on the same
physical network. All computers in the same physical network must have the
same network ID, and the network ID must be unique to the internetwork.
The host ID, also known as the host address, identifies each TCP/IP host within
a network.
IP addresses are logical 32-bit numbers that are broken down into four 8-bit fields
known as octets. Microsoft TCP/IP supports class A, B, and C addresses. The class
of an address defines which bits are used for the network ID and which bits are
used for the host ID. Classful addressing uses these classes to determine whether
a host is on a local or remote IP network based on the network portion of its
address.
Table 10-1 summarizes class A, B, and C IP addresses. Figure 10-3 graphically
represents the network and host ID portions of the different classes.
Table 10-1 TCP/IP Address Classes

Class A  Addresses in which the first binary digit of the first octet is 0.
         This results in network IDs from 1.0.0.0 to 126.0.0.0 and allows
         for 126 networks and 16,777,214 hosts per network. The class
         A address 127.x.y.z is reserved for loopback testing and interprocess
         communication on the local computer. For class A addresses, the
         network ID is always the first octet in the address and the host ID
         is the last three octets.

Class B  Addresses in which the first two binary digits of the first
         octet are 10. This results in network IDs from 128.0.0.0 to
         191.255.0.0 and allows for 16,384 networks and 65,534 hosts
         per network. For class B addresses, the network ID is always
         the first two octets in the address and the host ID is the last two
         octets.

Class C  Addresses in which the first two binary digits of the first
         octet are 11. This results in network IDs from 192.0.0.0 to
         223.255.255.0 and allows for 2,097,152 networks and 254
         hosts per network. For class C addresses, the network ID is
         always the first three octets in the address and the host ID is
         the last octet.
Figure 10-3 Network and host IDs of classful IP addresses:
  Class A  12.123.123.123   (network ID: 12;          host ID: 123.123.123)
  Class B  134.123.123.123  (network ID: 134.123;     host ID: 123.123)
  Class C  213.123.123.123  (network ID: 213.123.123; host ID: 123)
NOTE Classful IP addressing is wasteful of IP addresses and is less
widely used than classless interdomain routing (CIDR) addressing
(covered in Chapter 11). CIDR provides the ability to split up the network
and host IDs into more manageable portions.
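The rules in Table 10-1, worked through in code as an added example that is not from the book: the script below classifies an IPv4 address by its first octet, splits it into network ID and host ID, and reports how many networks and hosts the class allows. It goes slightly beyond the table by also applying a subnet mask to decide whether a destination is on the local network or must be handed to the default gateway, which is the test the static-address options described in the next section rely on. The sample addresses are the constructed ones from Figure 10-3 and the private 192.168.0.x range used later in this chapter; the gateway address is an assumption.

```python
"""Added example (not from the book): classful IPv4 addressing as summarized
in Table 10-1, plus the subnet-mask test that decides whether a destination
is local or must be sent to the default gateway. All addresses are
constructed samples."""
import ipaddress

# Class -> (first-octet range, octets in the network ID, fixed leading bits,
# default subnet mask), taken from Table 10-1.
CLASSES = {
    "A": (range(1, 128), 1, 1, "255.0.0.0"),
    "B": (range(128, 192), 2, 2, "255.255.0.0"),
    "C": (range(192, 224), 3, 3, "255.255.255.0"),
}


def classify(addr: str) -> dict:
    """Split an address into network ID and host ID by class and report the
    class limits. Raises for 0.x.x.x and for class D/E (224 and above)."""
    octets = addr.split(".")
    first = int(octets[0])
    for name, (first_range, net_octets, fixed_bits, mask) in CLASSES.items():
        if first in first_range:
            host_bits = 32 - 8 * net_octets
            networks = 2 ** (8 * net_octets - fixed_bits)
            if name == "A":
                networks -= 2          # 0.x.x.x and 127.x.x.x are reserved
            return {
                "class": name,
                "network_id": ".".join(octets[:net_octets]),
                "host_id": ".".join(octets[net_octets:]),
                "default_mask": mask,
                "networks": networks,
                "hosts_per_network": 2 ** host_bits - 2,  # all-0s/all-1s reserved
                "loopback": first == 127,                 # 127.x.y.z, per Table 10-1
            }
    raise ValueError(f"{addr} is not a class A, B or C address")


def is_local(src: str, dst: str, mask: str) -> bool:
    """Apply the subnet mask: if both addresses share the masked network ID,
    the destination is on the local network and can be reached directly."""
    network = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return ipaddress.ip_address(dst) in network


def next_hop(src: str, dst: str, mask: str, gateway: str) -> str:
    """Where TCP/IP sends the packet: straight to a local host, otherwise to
    the default gateway (assuming no more specific route is configured)."""
    return dst if is_local(src, dst, mask) else gateway


if __name__ == "__main__":
    for sample in ("12.123.123.123", "134.123.123.123", "213.123.123.123"):
        print(sample, classify(sample))
    # Assumed gateway 192.168.0.1 on the 192.168.0.0/24 network.
    print(next_hop("192.168.0.108", "192.168.0.20", "255.255.255.0", "192.168.0.1"))
    print(next_hop("192.168.0.108", "10.1.2.3", "255.255.255.0", "192.168.0.1"))
```

Passing classify(src)["default_mask"] to is_local() gives the purely classful verdict the text describes; passing the mask actually configured on the adapter gives the subnetted verdict, and a mismatch between the two is a common reason a host can reach some machines on its own wire but not others.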
Using a static IP address
By default, Windows client computers obtain TCP/IP configuration information
automatically from the DHCP Service, which is a service configured to automatically hand out IP addresses to client systems. However, even in a DHCP-enabled
environment, you should assign a static IP address to selected network computers.
For example, the computer running the DHCP Service cannot be a DHCP client,
so it must have a static IP address. If the DHCP Service is not available or is
not used in your organization, you can also configure TCP/IP to use a static IP
address. For each network adapter card that uses TCP/IP in a computer, you can
configure an IP address, subnet mask, and default gateway, as shown in Figure 10-4.
Figure 10-4 Configuring a static TCP/IP address
The following list describes the options used in configuring a static TCP/IP
address:
■
IP address A logical 32-bit address that identifies a TCP/IP host.
Each network adapter card in a computer running TCP/IP requires a
unique IP address, such as 192.168.0.108. Each address has two parts:
a network ID, which identifies all hosts on the same physical network,
and a host ID, which identifies a host on the network. In this example,
the network ID is 192.168.0 and the host ID is 108.
■
Subnet mask Subnets divide a large network into multiple physical
networks connected with routers. A subnet mask blocks out part of the
IP address so TCP/IP can distinguish the network ID from the host ID.
When TCP/IP hosts try to communicate, the subnet mask determines
whether the destination host is on a local network or a remote network.
325
326
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
To communicate on a local network, computers must have the network
address as defined by the subnet mask.
■
Default gateway The intermediate device (usually a router) on a local
network that stores network IDs of other networks in the enterprise or
Internet. To communicate with a host on another network, you configure an IP address for the default gateway. TCP/IP sends packets for
remote networks to the default gateway (if no other route is configured),
which then forwards the packets to the destination system, either
directly—if it is connected to the remote system—or through other gateways until the packet is delivered to a gateway connected to the specified
destination.
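The class rules of Table 10-1 and the subnet-mask test behind the IP address, subnet mask, and default gateway options can be worked through in code. The following Python is an added example, not code from the book; the addresses it evaluates are the book's own (Figure 10-3 and 192.168.0.108), and the gateway 192.168.0.1 and the destination addresses are constructed for illustration.

```python
"""Classful IPv4 addressing and the subnet-mask routing decision.

Added example (not from the book): implements Table 10-1's class rules and the
"local or remote network" test that the subnet mask and default gateway rely on.
"""
import ipaddress
from typing import Optional, Tuple

# Default masks that go with each class in Table 10-1.
CLASSFUL_MASKS = {"A": "255.0.0.0", "B": "255.255.0.0", "C": "255.255.255.0"}
APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")  # reserved by IANA for APIPA


def address_class(ip: str) -> str:
    """Classify an address by the leading bits of its first octet.

    A: first bit 0 (1-126), B: first bits 10 (128-191), C: first bits 110
    (192-223). 127.x.y.z is loopback; 0.x.y.z and 224-255 are outside Table 10-1.
    """
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first == 0:
        return "reserved"
    if first == 127:
        return "loopback"
    if first >> 7 == 0b0:
        return "A"
    if first >> 6 == 0b10:
        return "B"
    if first >> 5 == 0b110:
        return "C"
    return "other"  # 224-255: multicast and reserved ranges, not classful hosts


def split_address(ip: str, mask: str) -> Tuple[str, str]:
    """Return (network ID, host ID) in dotted form.

    The mask keeps the network bits; its complement keeps the host bits.
    """
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(ip_int & mask_int)
    host = ipaddress.IPv4Address(ip_int & (~mask_int & 0xFFFFFFFF))
    return str(network), str(host)


def max_hosts(mask: str) -> int:
    """Usable hosts per network: the all-zero and all-one host IDs are reserved."""
    host_bits = 32 - ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen
    return max(2 ** host_bits - 2, 0)


def next_hop(src_ip: str, mask: str, gateway: Optional[str], dest_ip: str) -> str:
    """Where does TCP/IP send a packet for dest_ip?

    Same network ID under the mask -> deliver directly ("local"). Otherwise the
    packet goes to the default gateway; with no gateway configured (as with an
    APIPA address, which supplies none) the remote host is unreachable.
    """
    src_net, _ = split_address(src_ip, mask)
    dst_net, _ = split_address(dest_ip, mask)
    if src_net == dst_net:
        return "local"
    if gateway is None:
        return "unreachable"
    return gateway


def describe(ip: str, mask: Optional[str] = None) -> dict:
    """Summarize one host address; the mask defaults to the classful mask."""
    cls = address_class(ip)
    mask = mask or CLASSFUL_MASKS.get(cls, "255.255.255.255")
    network, host = split_address(ip, mask)
    return {"class": cls, "mask": mask, "network_id": network, "host_id": host,
            "apipa": ipaddress.IPv4Address(ip) in APIPA_NET,
            "hosts_per_network": max_hosts(mask)}


if __name__ == "__main__":
    # The three Figure 10-3 addresses and the book's static-address example.
    for addr in ("12.123.123.123", "134.123.123.123", "213.123.123.123"):
        print(addr, describe(addr))
    print(describe("192.168.0.108", "255.255.255.0"))
    # Routing decisions; gateway 192.168.0.1 and destinations are constructed.
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "192.168.0.50"))
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "10.1.2.3"))
    print(next_hop("169.254.1.2", "255.255.0.0", None, "10.1.2.3"))
```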
To configure TCP/IP to use a static IP address:
1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network
Connections, double-click Local Area Connection, and then click
Properties.
3. In the Local Area Connection Properties dialog box, click Internet
Protocol (TCP/IP), verify that the check box to its left is selected, and
then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 10-4),
on the General tab, click Use The Following IP Address, type the TCP/IP
configuration parameters, and then click OK.
5. Enter any assigned DNS server addresses, and click OK to close the
Local Area Connection Properties dialog box. Close the Network
Connections window.
CAUTION IP communication can fail if duplicate IP addresses exist on a network. Therefore, you should always check with the network administrator to obtain a valid static IP address.
Obtaining an IP address automatically
If a server running the DHCP Service is available on the network, it can automatically assign TCP/IP configuration information to the DHCP client, as shown in
Figure 10-5. You can then configure client computers and DHCP-compatible
network devices to obtain TCP/IP configuration information automatically from
the DHCP Service. This can simplify administration and ensure correct configuration information.
NOTE Windows XP Professional does not include the DHCP Service. Only the Windows Server products provide the DHCP Service.
Figure 10-5 A server running the DHCP Service assigning TCP/IP addresses (1: the DHCP client sends a request; 2: the DHCP server returns an IP address)
You can use the DHCP Service to provide clients with TCP/IP configuration information automatically. However, you must configure a computer as a DHCP client
before it can interact with the DHCP Service.
To configure a DHCP client:
1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network
Connections, double-click Local Area Connection, and then click
Properties.
3. In the Local Area Connection Properties dialog box, click Internet
Protocol (TCP/IP), verify that the check box to its left is selected, and
then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 10-6), on
the General tab, click Obtain An IP Address Automatically. Click OK.
5. Click OK to close the Local Area Connection Properties dialog box,
and then close the Network Connections window.
Figure 10-6 Configuring Windows XP to obtain an IP address automatically
Using Automatic Private IP Addressing (APIPA)
The Windows XP Professional implementation of TCP/IP supports automatic
assignment of IP addresses for simple LAN-based network configurations. This
addressing mechanism is an extension of dynamic IP address assignment for
LAN adapters, enabling configuration of IP addresses without using static IP
address assignment or installing the DHCP Service. APIPA is enabled by default
in Windows XP Professional so home users and small business users can create a
functioning, single-subnet, TCP/IP-based network without having to configure
the TCP/IP protocol manually or set up a DHCP server.
APIPA can assign a TCP/IP address to DHCP clients automatically. However, it
does not generate all the information that typically is provided by DHCP, such as
the address of a default gateway. Consequently, computers enabled with APIPA
can communicate only with computers on the same subnet that also have
addresses of the form 169.254.x.y.
NOTE APIPA address assignment carries with it certain disadvantages. While it allows local communication, it does not specify a default gateway and is not routable on the Internet. Systems configured by APIPA in the absence of a DHCP server cannot communicate with other properly configured systems on the same network until they regain a DHCP-assigned address.
APIPA at startup The process for the APIPA feature (Figure 10-7) is as follows:
1. Windows XP Professional TCP/IP attempts to find a DHCP server on
the attached network to obtain a dynamically assigned IP address.
2. In the absence of a DHCP server during startup (for example, if the
server is down for maintenance or repairs, or if one does not exist), the
client cannot obtain an IP address.
3. APIPA generates an IP address in the form of 169.254.x.y (where x.y is
the client’s unique identifier) and a subnet mask of 255.255.0.0.
Figure 10-7 APIPA (1: the DHCP client sends a request; 2: no DHCP server responds; 3: APIPA: the client assigns its own IP address)
NOTE The Internet Assigned Numbers Authority (IANA) has reserved the nonroutable range 169.254.0.0 through 169.254.255.255 for APIPA. As a result, APIPA provides an address that is guaranteed not to conflict with routable addresses.
After the computer generates the address, it broadcasts to this address to see if
any other system is already using it; it assigns the address to itself if no other
computer responds. The computer continues to use this address until it detects
and receives configuration information from a DHCP server. It looks for the
DHCP server every 5 minutes until it returns online, at which time it obtains a
valid DHCP-assigned address.
APIPA with a previous address If the computer is a DHCP client that has
previously obtained a lease from a DHCP server and the lease has not expired at
boot time, the sequence of events is slightly different. The client tries to renew
its lease with the DHCP server. If the client cannot locate a DHCP server during
the renewal attempt, it attempts to ping the default gateway listed in the lease.
If pinging the default gateway succeeds, the DHCP client assumes that it is still on
the same network where it obtained its current lease, so it continues to use the
lease. By default, the client attempts to renew its lease when 50 percent of its
assigned lease time has expired. If pinging the default gateway fails, the client
assumes that it has been moved to a network that has no DHCP services currently
available and it autoconfigures itself as previously described. Once autoconfigured, it continues to try to locate a DHCP server every 5 minutes.
NOTE Windows 98, Windows Me, Windows 2000, Windows Server 2003, and Windows XP Home Edition also support APIPA.
Disabling APIPA
By default, APIPA is enabled. However, you can disable it by specifying an alternative
configuration to use if a DHCP server cannot be located (Figure 10-8), as discussed
in the next section.
Figure 10-8 Specifying an alternative TCP/IP configuration
Specifying an alternative configuration for TCP/IP
Auto-Configuration for Multiple Networks Connectivity provides easy access to
network devices and the Internet. You can configure Auto-Configuration for Multiple Networks Connectivity by specifying an alternative configuration for TCP/IP
to use if a DHCP server is not found. The alternative configuration is useful if a
computer is used on multiple networks, one of which does not have a DHCP
server and does not use an APIPA configuration. It also allows a mobile computer
user to seamlessly operate both office and home networks without having to
manually reconfigure TCP/IP settings.
To configure Auto-Configuration for Multiple Networks Connectivity:
1. Click Start | Control Panel | Network and Internet Connections.
2. In the Network And Internet Connections window, click Network
Connections, double-click Local Area Connection, and then click
Properties.
3. In the Local Area Connection Properties dialog box, click Internet
Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, choose the
Alternate Configuration tab.
5. Specify the alternative TCP/IP configuration (Figure 10-8).
Managing Network Bindings
Binding is the process of linking network components on different levels to enable
communication between those components. A network component can be
bound to one or more network components above or below it. The services that
each component provides can be shared by all other components that are bound
to it. For example, in Figure 10-9, TCP/IP is bound to both File and Printer Sharing for Microsoft Networks and to the Client for Microsoft Networks. Note also
that in Figure 10-9, NWLink is not bound to the Microsoft Networking components. It is installed in this scenario to support Client Service for NetWare and is
not required to communicate with the Microsoft network.
If you experience delays when you access network resources, check the binding
order and unbind unused protocols. Binding order controls the order in which
protocols are used when you support multiple protocols or clients. If a particular
network supports TCP/IP only and NWLink is bound first to the network client,
it will attempt to locate a server first using NWLink. Only if that fails will it
attempt to locate a server using TCP/IP.
Figure 10-9 Managing network bindings
To configure network bindings:
1. Click Start | Control Panel | Network and Internet Connections.
2. In the Network And Internet Connections window, click Network
Connections.
3. In the Network Connections window, on the Advanced menu, click
Advanced Settings.
4. In the Advanced Settings dialog box, under Client for Microsoft Networks, do one of the following:
❑
To bind the protocol to the selected adapter, select the check box to the
left of the adapter.
❑
To unbind the protocol from the selected adapter, clear the check box
to the left of the adapter.
CAUTION Only an experienced network administrator familiar with the requirements of the network software should attempt to change binding settings.
Troubleshooting TCP/IP
Microsoft provides several tools for troubleshooting TCP/IP connectivity. These
commonly used tools, which are executed from a command line, offer insight into
the nature of the failure. The following list describes their use:
■
Ping Ping is an ICMP testing tool that transmits ICMP ECHO packets to a destination computer and waits for a reply. If the remote system replies, the connection is verified. Some systems are configured to not reply to ICMP packets for security reasons, so Ping’s value as a troubleshooting tool is becoming somewhat limited.
■
ARP Displays the ARP resolution cache table, which displays which
systems on the local network have communicated with your system.
This is useful when you troubleshoot connectivity or investigate security
incidents in progress.
NOTE Addresses in the ARP cache are maintained for 2 minutes unless they are used a second time. If used a second time, they are retained for 10 minutes after the final use of the address.
■
Ipconfig Displays the current TCP/IP configuration. Ipconfig can
also be used to refresh the IP address and register your system with
Dynamic DNS (DDNS) servers.
■
Nbtstat Displays statistics and connections for the NetBIOS over TCP/IP protocol. It is useful when you troubleshoot file and print
connectivity issues.
■
Netstat Displays current TCP/IP sessions and gives statistics about
each connection. It is useful for connectivity testing and security
investigations.
■
Route Displays or modifies the local routing table.
■
Hostname Returns the local computer’s host name.
■
Tracert Checks the route to a remote system by issuing ICMP ECHO requests with varying time-to-live (TTL) values. As the values are incremented, the router that has the packet when TTL expires drops it and returns a notification to the client. In this way, the client can trace the route to a destination system across the Internet.
■
Pathping Similar to Tracert, except Pathping issues multiple ICMP ECHO requests to each hop and records the resulting packet loss. This tool is helpful when you investigate sporadic connectivity problems.
NOTE Each of these tools has a help option that you can use to display syntax and usage information. To display this help, type <command> /? at a command line, where <command> is the name of the tool.
Testing a TCP/IP configuration
After configuring TCP/IP and restarting the computer, you should use the Ipconfig
and Ping command-prompt tools to test the configuration and connections to other
TCP/IP hosts and networks. Such testing helps ensure that TCP/IP is functioning
properly.
Using Ipconfig You use the Ipconfig tool to verify the TCP/IP configuration
parameters on a host. It helps you determine whether the configuration is initialized or if a duplicate IP address exists. Use the Ipconfig tool with the /all switch
(Figure 10-10) to verify configuration information.
Figure 10-10 Output of the Ipconfig command
NOTE Type ipconfig /all | more to prevent the Ipconfig output from scrolling off the screen; to scroll down and view additional output, press SPACEBAR.
The result of the Ipconfig /all command is as follows:
■
If a configuration has been initialized, the Ipconfig tool displays the
IP address and subnet mask, and, if assigned, the default gateway.
■
If a duplicate IP address exists, the Ipconfig tool indicates that the
IP address is configured; however, the subnet mask is 0.0.0.0.
■
If the computer is unable to obtain an IP address from a server running
the DHCP Service on the network, the Ipconfig tool displays the
IP address provided by APIPA.
Using Ping After you have verified the TCP/IP configuration, use the Ping tool
to determine whether a particular TCP/IP host is available and functional. To test
connectivity, use the Ping tool with the following syntax:
ping 127.0.0.1
By default, the following message appears four times in response to a successful
Ping command:
Pinging 127.0.0.1 with 32 bytes of data:
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Ping statistics for 127.0.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 <0% loss>,
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
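The three Ipconfig /all outcomes listed above (initialized, duplicate address, APIPA) and the Ping reply format can be checked mechanically when the command output is captured to a file, for example when collecting configuration from many machines. The following Python is an added example, not code from the book; its ipconfig and ping samples are constructed in the Windows XP layout (host name, adapter names and addresses are made up), and it accepts both the book's "<0% loss>" and the tool's "(0% loss)" spelling of the statistics line.

```python
"""Interpret Windows XP ipconfig /all and ping output.

Added example, not from the book: applies the three Ipconfig /all outcomes the
text lists (initialized, duplicate address, APIPA) to captured output, and
summarizes a Ping run from its reply and statistics lines. All sample output
below is constructed in the Windows XP layout, not a real capture.
"""
import ipaddress
import re
from typing import Dict, Tuple

APIPA_NET = ipaddress.IPv4Network("169.254.0.0/16")

SAMPLE_IPCONFIG = """
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-client

Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Ethernet Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.23.7
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 2:

        Description . . . . . . . . . . . : Second Example Adapter
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.108
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""

SAMPLE_PING = """Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
Request timed out.
Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
"""

# "Ethernet adapter Local Area Connection:" starts a new adapter section.
ADAPTER_RE = re.compile(r"^\S.*adapter (?P<name>.+):$")
# "        Subnet Mask . . . : 255.255.0.0" -> key "Subnet Mask", value "255.255.0.0".
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s?(?P<value>.*)$")
# The book prints "<0% loss>"; the tool itself prints "(0% loss)". Accept both.
STATS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+) [<(](\d+)% loss[>)]")


def parse_ipconfig(text: str) -> Dict[str, Dict[str, str]]:
    """Return {adapter name: {field: value}}; global fields go under ""."""
    adapters: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group("name")
            adapters[current] = {}
            continue
        field = FIELD_RE.match(line)
        if field:
            adapters[current][field.group("key").strip()] = field.group("value").strip()
    return adapters


def classify_adapter(fields: Dict[str, str]) -> str:
    """Map one adapter's fields to the outcomes described for Ipconfig /all."""
    ip = fields.get("IP Address") or fields.get("Autoconfiguration IP Address")
    if not ip:
        return "not initialized"
    # No DHCP server answered, so APIPA self-assigned a 169.254.x.y address.
    if "Autoconfiguration IP Address" in fields or ipaddress.IPv4Address(ip) in APIPA_NET:
        return "apipa"
    # Address shown but mask zeroed: another host already uses this address.
    if fields.get("Subnet Mask") == "0.0.0.0":
        return "duplicate"
    return "initialized"


def diagnose(text: str) -> Dict[str, str]:
    """Classify every adapter section in an ipconfig /all capture."""
    return {name: classify_adapter(fields)
            for name, fields in parse_ipconfig(text).items() if name}


def ping_summary(text: str) -> Tuple[int, int, int]:
    """Return (sent, received, loss percent), cross-checking the statistics
    line against the number of "Reply from" lines actually present."""
    replies = sum(1 for line in text.splitlines() if line.startswith("Reply from"))
    stats = STATS_RE.search(text)
    if not stats:
        raise ValueError("no Ping statistics line found; output truncated?")
    sent, received, lost, pct = (int(g) for g in stats.groups())
    if received != replies or sent != received + lost:
        raise ValueError(f"inconsistent ping output: {replies} replies seen, "
                         f"statistics say sent={sent} received={received} lost={lost}")
    return sent, received, pct


if __name__ == "__main__":
    for name, state in diagnose(SAMPLE_IPCONFIG).items():
        print(f"{name}: {state}")
    print("ping:", ping_summary(SAMPLE_PING))
```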
Using Ipconfig, Ping, and Pathping together to test connectivity Figure 10-11
shows the steps for verifying a computer’s configuration and for testing router
connections.
Figure 10-11 Using Ipconfig and Ping together to test connectivity. The figure shows seven steps: (1) Display TCP/IP configuration using Ipconfig; (2) Ping the loopback address (127.0.0.1); (3) Ping the local IP address; (4) Ping the address of the default gateway; (5) Ping the address of a remote host; (6) Ping the hostname of a remote host; (7) Pathping a remote host to test packet loss.
The following are the steps outlined in Figure 10-11:
1. Use the Ipconfig tool to verify that the TCP/IP configuration has
been initialized. Note the local address and the address of the default
gateway.
2. Use the Ping tool with the loopback address (ping 127.0.0.1) to verify
that TCP/IP is correctly installed and bound to your network adapter
card.
3. Ping the IP address of the local computer to verify that it was added
to the network correctly. If the routing table is correct, this simply
forwards the packet to the loopback address of 127.0.0.1.
4. Use the Ping tool with the IP address of the default gateway to verify
that the default gateway is operational and that your computer can
communicate with the local network.
5. Use the Ping tool with the IP address of a remote host to verify that the
computer can communicate through a router.
6. Use the Ping tool with the host name of a remote host to test name
resolution with a DNS server.
7. Use Pathping with the name and/or address of a remote host to test for
dropped packets. This might expose a failing router between you and
the remote system.
NOTE If you ping the remote host by name (step 6) and the ping is successful, steps 1 through 5 are usually successful by default. If the ping is not successful, ping the IP address of another remote host before completing the entire diagnostic process because the selected host might be turned off. Use step 7 if there is any indication of unreliable connectivity between the hosts.
CONNECTING TO A WIRELESS ETHERNET NETWORK
Wireless Ethernet networks have exploded onto the scene in the last few years.
Beginning with Service Pack 1 and with further improvements in Service Pack 2,
Microsoft offers close support and autoconfiguration tools for 802.11 wireless
Ethernet networking.
Understanding Wireless Specifications
802.11 is an IEEE standard that defines protocols and configurations for wireless
communication. It operates in one of two frequency bands (2.4 GHz and 5.8 GHz)
and can operate at speeds from 1 Mbps to 108 Mbps (depending on signal
quality and vendor implementation of the 802.11 standard). There are three main
802.11 specifications:
■
802.11a This specification operates in the 5.8-GHz band and can
achieve speeds of 54 Mbps. It is less susceptible to radio interference
than the other two bands (being on a regulated frequency), but it is
more susceptible to signal attenuation than the 2.4-GHz specifications.
It has an effective range of about 60 feet indoors.
■
802.11b The most widely used specification, 802.11b operates at
2.4 GHz with an effective range of up to 300 feet. It can achieve transfer rates of 11 Mbps (22 Mbps with proprietary channel-bonding
enhancements). It is used in a wide variety of networked media devices
and PCs.
■
802.11g This specification is backward compatible with 802.11b
and pushes the transfer rates up to 54 Mbps (108 Mbps with proprietary channel-bonding enhancements).
NOTE Range and transfer rates of wireless networks depend heavily on their environment. Attenuators such as water, metal, and concrete can reduce signal strength. Distance can also adversely affect speed. These specifications are designed to fall back to slower, more reliable signaling techniques to try to preserve connectivity. They step all the way down to 1 Mbps before giving up and breaking the connection.
Wireless network terminology
Here are a few terms related to setting up or configuring a wireless network:
■
Mode Wireless networks operate in one of two modes: Ad hoc, a peer-to-peer mode in which computers and devices communicate directly with each other; and Infrastructure, a mode in which a network access point manages network communication. Windows XP supports both modes with Wireless Network Configuration (Figure 10-12).
Figure 10-12 Wireless network configuration
■
Service Set Identifier (SSID) SSID is a name used to distinguish one
wireless network from another. It is configured into an infrastructure
device such as an access point, and systems not configured with the same
SSID are not allowed to communicate on that network.
■
Wired Equivalent Privacy (WEP) WEP is an encryption method for
wireless communication that uses a fixed encryption key to encrypt the
network traffic. The key is entered into each device during configuration.
■
WiFi Protected Access (WPA) Newly ratified as the encryption
standard 802.11i, WPA is a newer encryption method that uses
changeable encryption keys to thwart key cracking. It initializes a key
when a connection is established and uses the Temporal Key Integrity
Protocol (TKIP) to manage key rotation.
Connecting Windows XP to a Wireless Network
When Windows XP detects a wireless network adapter, it enables an option
to view wireless networks from the first page of the New Connection Wizard
(Figure 10-13).
Figure 10-13 New Connection Wizard displaying option to view wireless networks
Clicking this link launches the Wireless Network Setup Wizard (Figure 10-14),
which steps you through configuring the wireless network connection. It asks for
the SSID and the WEP key (if applicable) and creates your connection. If your network uses 802.11i WPA, you might be asked to provide authentication information
or an initial key value (depending on how the network was set up by the administrator). During the setup, you are also prompted to save your settings in a USB flash
drive. Doing so makes setting up additional systems or restoring your settings easier.
Figure 10-14 The Wireless Network Setup Wizard
CONFIGURING OTHER NETWORK CONNECTIONS
When you install Windows XP, by default it sets up TCP/IP and the Client for
Microsoft Networks. This is most often how you would configure Windows XP
for use on a network. Occasionally, however, you will need to connect a
Windows XP computer to a network that uses a different protocol or requires a
different network client.
Client Service for NetWare
In addition to Microsoft networking, Windows XP supports connections to
Novell NetWare networks using the Client Service for NetWare (CSNW). This
network client can communicate with NetWare networks running Bindery or
Novell Directory Services (NDS). You can install additional network clients by
navigating to the Properties dialog box for your local area connection and clicking
the Install button. You are prompted to choose Client, Service, or Protocol. If you
choose Client, you can select Client Service for NetWare (Figure 10-15).
Figure 10-15 Installing Client Service for NetWare
When installing Client Service for NetWare, you are prompted for a preferred
server (Bindery) or default tree and context (NDS). When you set up this type
of connection, you need to work with a Novell administrator to obtain these
settings. Installing Client Service for NetWare also installs the NWLink IPX/SPX
NetBIOS-compatible transport protocol.
NOTE Novell also provides a NetWare client for Windows XP. Most Novell-centric networks use it for its additional functionality. In mixed server environments, however, you achieve greater stability by using the two Microsoft-provided clients.
Installing the NWLink Protocol
Most Novell shops use TCP/IP networking due to the protocol suite’s universal
connectivity. However, some still use the Novell IPX/SPX protocol suite. IPX/SPX
forms a complete network protocol stack and can be used instead of or in
addition to TCP/IP. In this suite, IPX is roughly equivalent to IP, and it manages
addressing and routing. SPX is equivalent to TCP and manages session information
such as packet sequencing and guaranteed delivery. Like TCP/IP, applications can
make use of IPX without using SPX if guaranteed delivery is not required or is
managed by the application.
NOTE Both NWLink and TCP/IP can be used to access Microsoft and Novell servers. You can also use just one of them to access servers from both companies. Using NWLink exclusively does have disadvantages, however, including not being able to communicate with Internet resources without the services of a protocol bridge.
NWLink is Microsoft’s implementation of IPX/SPX. It is capable of detecting the
type of IPX frames in use on the network and configures itself to communicate
with the systems on the network.
You install NWLink from the Properties dialog box for the local area connection.
Click Install, choose Protocol, and click Add. You can then select NWLink IPX/
SPX NetBIOS Compatible Transport Protocol (Figure 10-16).
Figure 10-16 Installing NWLink IPX/SPX/NetBIOS Compatible Transport Protocol
Installing Third-Party Clients and Protocols
By selecting Have Disk in the Select Network Client dialog box (Figure 10-15) or
the Select Network Protocol dialog box (Figure 10-16), you can install third-party
network clients or protocols (such as a client for LANtastic networks or the
NetBEUI protocol, which is installable from the Windows XP CD-ROM).
NOTE Installation of third-party clients and protocols should be done only by administrators who are experienced with the operation of the client or protocol in question. Security exposures or network instability can result when these features are configured incorrectly.
CONNECTING TO COMPUTERS USING
DIAL-UP NETWORKING
Windows XP can connect to remote networks with a variety of technologies.
It can connect to the Internet via cable or DSL modem, dial-up modem, wireless
metropolitan area network (MAN), and even via cell phone. You can also use
many of these technologies when you connect to corporate networks. In
addition, virtual private networks (VPNs) allow you to use the Internet as a
medium for tunneling into a corporate network. One thing these network
connections all have in common is the Dial-Up Networking component of
Windows XP.
Windows XP provides the New Connection Wizard (see Figure 10-13, shown
earlier) for the purpose of configuring new network connections. Choices are
available for connecting to the Internet, making a connection to a network at your
workplace or school, setting up a home or small office network, and creating a
direct connection to another system using a direct connection cable. We will
examine the first two options in this section.
Connecting to the Internet Using Dial-Up Networking
The first option in the New Connection Wizard allows you to configure a
dial-up connection to an Internet service provider (ISP). Select Connect To
The Internet on the Network Connection Type page, and click Next. The New
Connection Wizard displays the Getting Ready page, which has the following
three options:
■
Choose From A List Of Internet Service Providers (ISPs) If you
select this option and then click Next, the wizard displays the
Completing The New Connection Wizard page. You can select Set
Up Internet Access Using MSN Explorer (U.S. Only) or Select From A
List Of Other ISPs and then click Finish.
■
Set Up My Connection Manually If you select this option and
then click Next, the wizard displays the Internet Connection page.
The following three options are available on that page:
❑
Connect Using A Dial-Up Modem Select this option if your
connection uses a modem and a regular or Integrated Services
Digital Network (ISDN) phone line. If you select this option and
click Next, you are prompted to enter a connection name, connection phone number, and username and password (provided by
your ISP).
❑
Connect Using A Broadband Connection That Requires A User
And Password Select this option if your high-speed connection uses a
Digital Subscriber Line (DSL) or cable modem. This type of connection
is also known as Point-to-Point Protocol over Ethernet (PPPoE). Use of
this connection type also requires username and password information
from your ISP.
❑
Connect Using A Broadband Connection That Is Always
On Select this option if your high-speed connection uses a cable
modem, DSL, or LAN connection that does not require a username
and password. If you select this option and click Next, the New Connection Wizard displays the Completing The New Connection Wizard
page because the connection should already be configured and working.
■
Use The CD I Got From An ISP If you select this option and then
click Next, the wizard displays the Completing The New Connection
Wizard page. You are instructed to click Finish and then insert
the CD-ROM you received from your ISP. The Setup program on the
CD-ROM should start automatically to assist you in connecting to
the Internet.
Connecting to a Network at Your Workplace
If you choose Connect To The Network At My Workplace, you are given two
options:
■
Dial-Up Connection Select this option if you want to connect to
the network at your office using a modem and phone line or an
ISDN phone line. If you select Dial-Up Connection and click Next,
you are prompted to enter the connection phone number. You are
prompted for your username and password when you initiate your
connection.
■
Virtual Private Network (VPN) Connection This option configures a VPN connection to your workplace. It asks for a company name
to use as the connection name and prompts you to choose the public
network connection to use (Figure 10-17). It then prompts you to enter
your VPN server address. The wizard finishes, and you can use the new
connection. You are prompted for a username and password on first
use of the new connection.
NOTE To use the VPN option, you must have first established your primary Internet connection.
Figure 10-17 Choosing the public network connection for a VPN
CONFIGURING AND TROUBLESHOOTING INTERNET
CONNECTION SHARING (ICS)
Internet Connection Sharing (ICS) allows you to share an Internet connection
with other systems on your network. You can use it to give home computers concurrent access on a single Internet connection or to connect a small office to the
Internet. It allows you to mask TCP/IP addressing on your internal network from
the Internet by implementing network address translation (NAT). NAT allows
client systems to browse the Internet using the public address of the ICS computer. Internet hosts see only the public address. The internal network structure
is hidden from public view, adding a layer of protection against those who might
attempt to penetrate your systems.
NOTE NAT’s ability to hide the structure of a private network makes it
more difficult for hackers to discover the hosts inside, but you should not
rely on it as the sole protection for the network. Use other strategies, such
as firewalls and intrusion detection systems (IDSs), in any comprehensive
security solution. We will discuss Internet security in more detail in Chapter 11.
ICS enables limited addressing services on the ICS computer, changing its
address to 192.168.0.1. Other systems on the network configured for DHCP
addressing receive compatible addresses from the ICS system when they are
restarted. Any hosts with static IP addresses have to be manually configured to
an address in the 192.168.0 network to get access to the Internet.
CAUTION Enabling ICS on a network served by a DHCP server causes disruptions in address assignment. Make sure your network is not using DHCP before you activate ICS.
To enable ICS:
1. Choose Start | My Computer | My Network Places | View Network
Connections. The Network Connections window opens.
2. Double-click the dial-up, LAN, PPPoE, or VPN Internet connection that
you want to share, and select Properties.
3. On the Advanced tab of the Properties dialog box, select the Allow
Other Network Users To Connect Through This Computer’s Internet
Connection check box (see Figure 10-18, below).
The following two additional check boxes are available when you enable ICS:
❑ Establish A Dial-Up Connection Whenever A Computer On My Network Attempts To Access The Internet Allows you to enable on-demand dialing for the shared connection. This causes your computer to dial your ISP whenever a client computer in your network attempts to access an Internet resource. Once the connection is established, the connection to the Internet resource is established on behalf of the internal client.
❑ Allow Other Network Users To Control Or Disable The Shared Internet Connection Allows you to enable client control for this shared Internet connection. Users on client computers can automatically discover and control the Internet connection using a feature called Internet Gateway Device Discovery and Control (IGDDC).
MORE INFO For more information on IGDDC, search on “IGDDC” in the
Windows Help and Support.
Figure 10-18 Enabling ICS on a dial-up connection
IMPORTANT The Advanced tab of a network connection’s Properties dialog box also allows you to enable Windows Firewall. Windows Firewall is a critical component for protection against Internet attacks. We will explore Windows Firewall in Chapter 11.
You can allow inbound connections to systems in your network. To select the
services running on your network that Internet users can access, click Settings.
You can then select the service and the system in your network that will host
the service (Figure 10-19).
Figure 10-19 Enabling inbound Remote Desktop to 192.168.1.100
CAUTION If you enable any of the services, you allow anyone accessing the Internet to contact a service or computer on your private network. Your ICS computer will act as a conduit to the system on your internal network, and the internal system will be accessible to any Internet system that requests a connection. Therefore, you should protect the internal system as if it were directly connected to the Internet.
USING REMOTE DESKTOP AND REMOTE ASSISTANCE
Windows XP includes two useful remote control features for work or troubleshooting: Remote Desktop and Remote Assistance.
Remote Desktop
Users can use Remote Desktop to control their office computer from home, to
catch up on work, and to access any resources available to the office system
(including printers, disk drives, network applications, and mapped drives). It is
just like being there. Users can also enable Remote Desktop to use disk drives and
printers attached to the controlling system to copy files to or from the remote system and to print remotely created documents locally (and locally created documents on remote printers).
To enable Remote Desktop:
1. Right-click any instance of My Computer, and choose Properties.
2. In the System Properties dialog box, on the Remote tab (Figure 10-20),
enable or disable Remote Desktop and grant remote users permission
to control your system.
NOTE By default, members of a system’s local Administrators group have access to Remote Desktop.
Figure 10-20 Enabling Remote Desktop
To control a remote system with Remote Desktop:
1. Choose Start | All Programs | Accessories | Communications.
2. Click Remote Desktop Connection to launch the Remote Desktop
client.
3. Enter the name or address of the system you want to control.
4. To modify display settings or connect local drives or printers (Figure 10-21),
click the Options button.
5. When you are satisfied with the settings you have chosen, click Connect.
6. The remote system prompts you with a logon dialog box. Enter your
username and password to log on.
NOTE If the remote system is using Windows Firewall, you must configure an exception to allow inbound connections to Remote Desktop on that system. We will discuss firewall exceptions in Chapter 11.
Figure 10-21 Connecting local drives and printers in a Remote Desktop session
Remote Assistance
Remote Assistance allows a user to take over the session of a second user at the
second user’s invitation. Both users can see the display and, if the local user gives
permission, the remote user can control the local user’s keyboard and mouse.
To enable Remote Assistance:
1. Right-click any instance of My Computer, and choose Properties.
2. In the System Properties dialog box (shown earlier in Figure 10-20), on
the Remote tab, specify whether Remote Assistance invitations can be
sent from your system.
Remote Assistance invitations
Remote Assistance can send invitations in three ways:
■ Windows Messenger The user requesting assistance can send an invitation as an instant message using Windows Messenger. The recipient can then respond to the invitation, connecting to the local system.
■ E-mail The requestor can send an e-mail request for assistance.
■ File The requestor can save the request in a file that can be opened by the recipient.
To request Remote Assistance:
1. In the Help and Support Center, choose Invite A Friend To Connect
To Your Computer With Remote Assistance.
2. On the Remote Assistance page, choose Invite Someone To Help You.
3. Complete the appropriate invitation option (Figure 10-22).
Figure 10-22 Requesting Remote Assistance
To offer Remote Assistance:
1. In the Help and Support Center, choose Pick A Task | Use Tools To
View Your Computer Information And Diagnose Problems.
2. On the Tools menu, choose Offer Remote Assistance (Figure 10-23).
Figure 10-23 Offering Remote Assistance
SUMMARY
■ Windows XP Professional includes many standard connectivity tools to access and transfer data between dissimilar systems.
■ The TCP/IP suite of protocols maps to a four-layer conceptual model: network interface, Internet, transport, and application.
■ Microsoft’s implementation of TCP/IP enables a TCP/IP host to use a static IP address, to obtain an IP address automatically from a DHCP server, or to use automatic assignment of IP addresses.
■ Computers enabled with Automatic Private IP Addressing (APIPA) can communicate only with computers on the same subnet that also have addresses of the form 169.254.x.y.
■ Binding is the process of linking network protocols to network clients or services.
■ You can configure all outbound connections in Windows XP Professional with the New Connection Wizard.
■ Remote Desktop allows the remote control of a Windows XP system by a Remote Desktop or Terminal Services client.
■ Remote Assistance allows a user to invite another user to observe or take control of a system over a network.
REVIEW QUESTIONS
1. Which of the following statements correctly describe IP? (Choose all
correct answers.)
a. Guarantees packet arrival and correct packet sequence
b. Provides connection-oriented, reliable communication for
applications that typically transfer large amounts of data at
one time
c. Primarily responsible for addressing and routing packets between
hosts
d. Provides connectionless packet delivery for all other protocols in
the suite
2. The two DARPA transport layer protocols are ____________________
and __________________.
3. Which of the following statements correctly describe TCP? (Choose all
correct answers.)
a. Provides connectionless communication but does not guarantee
that packets will be delivered
b. Provides connection-oriented, reliable communication for applications that typically transfer large amounts of data at one time
c. Provides services that allow the application to bind to a particular
port and IP address on a host
d. Provides and assigns a sequence number to each segment of data
that is transmitted
4. Which of the following statements about IP addresses are true?
(Choose all correct answers.)
a. IP addresses are logical 64-bit addresses that identify a TCP/IP
host.
b. Each host on a TCP/IP subnet requires a unique IP address.
c. 192.168.0.108 is an example of a class C IP address.
d. The host ID in an IP address is always the last two octets in the
address.
5. You are consulting for a company that wants to set up a wireless
network. The company is concerned about security and has not yet
purchased the equipment. Which wireless security technology would
you suggest to them?
a. 802.11g
b. WEP
c. WPA
d. 802.11i
6. Which of the following statements about obtaining an IP address automatically are true? (Choose all correct answers.)
a. Windows XP Professional includes the DHCP Service.
b. Windows XP Professional includes an Automatic Private IP
Addressing feature, which provides DHCP clients with limited
network functionality if a DHCP server is unavailable during
startup.
c. The Internet Assigned Numbers Authority (IANA) has reserved
169.254.0.0 through 169.254.255.255 for Automatic Private
IP Addressing.
d. You should always disable Automatic Private IP Addressing in
small workgroups.
7. Which of the following connection types can you use to connect to a
workplace network from home? (Choose all correct answers.)
a. Dial-up
b. Remote Desktop
c. VPN
d. Ethernet
8. When you manually configure a dial-up connection to an ISP, which of
the following do you need to configure? (Choose all correct answers.)
a. Username
b. IP address
c. Connection name
d. Password
9. Remote Desktop allows users to do which of the following tasks?
(Choose all correct answers.)
a. Transfer files
b. Print to remote printers
c. Power on a computer
d. Print to local printers
10. Remote Assistance allows users to do which of the following tasks?
(Choose all correct answers.)
a. Transfer files
b. Print to remote printers
c. Open remote documents
d. Print to local printers
CASE SCENARIOS
Scenario 10-1: Small Office Networking
You are hired by a small firm to help with an office network. The firm has nine
computers currently on the network. The network consists of a single hub that
connects all computers to each other in a single segment. One system on the network has a DSL Internet connection that it shares with the rest of the network.
Answer the following questions about this scenario:
1. Does this network require a DHCP server?
2. If you install a Network-Attached Storage (NAS) device, what IP
address should you give it so other systems on the network can see it?
3. What type of logical network architecture has been implemented here?
a. Workgroup
b. Domain
c. Wide area network (WAN)
d. Local area network (LAN)
Scenario 10-2: Help!
A friend calls you one evening to ask for help with his computer. He has deleted
some critical files and can no longer run his favorite video game. Answer the
following questions about this scenario:
1. Which remote control technology do you use to let him show you
which files he deleted?
2. You determine that you need to copy some files to his system from
your own. How can you accomplish this?
CHAPTER 11
CONFIGURING TCP/IP ADDRESSING AND SECURITY
Upon completion of this chapter, you will be able to:
■ Understand IP addressing
■ Manage IP subnetting and subnet masks
■ Understand IP security terminology
■ Manage Internet security features of Windows XP
■ Configure and troubleshoot Windows Firewall
In Chapter 10, we discussed the TCP/IP protocol suite and explored its architecture. In this chapter, we’ll explore Internet Protocol (IP) addressing and IP security.
We will describe the process of dividing IP networks into subnets and determining whether a given address is local or remote in relationship to your own. You
will learn the terms used by Internet security professionals and become familiar
with the Internet security tools included with Windows XP. Finally, we will configure Windows Firewall and explore how it secures your system while still letting
you share system resources over the Internet.
UNDERSTANDING IP ADDRESSES
In Chapter 10, we discussed the format of IP addresses, the 32-bit binary
addresses that uniquely identify hosts on the Internet. In this chapter, we will
dissect these addresses and show you how they are used to route packets to their
ultimate destination. Let’s begin by examining binary numbers and their use in
IP addresses.
Binary Numbers
Those who have studied computer science will be familiar with binary
numbers—the 0s and 1s that signify on/off states in transistor logic. By
themselves, binary numbers can reflect only one of two states—off or on, 0
or 1, false or true. As binary numbers are strung together, however, they
begin to form the meaningful values we use for data storage and addressing.
Binary data as it pertains to IP addressing is organized into bits and bytes or
octets.
■ Bit A single binary digit. A bit is the smallest unit of storage and equates to an on or off state of a transistor or switch. Its value can also be used to signify true or false. Typical values used in conjunction with bits are:
❑ 0 Values equated with 0 are the number 0, the condition off, and the Boolean false.
❑ 1 Values equated with 1 are the number 1, the condition on, and the Boolean true.
■ Byte A sequence of bits (usually 8). Having a sequence of bits allows you to begin encoding data into the binary stream. Bytes are used to signify character values such as letters, numerals, and punctuation marks. Most mass storage is rated in bytes, kilobytes (1024 bytes), megabytes (1,048,576 bytes), or gigabytes (1,073,741,824 bytes).
■ Octet A sequence of 8 bits in an IP address. An example of an octet is the value 11111111, which is 255 when converted from binary to decimal.
When we begin to build a sequence of binary numbers, we use the base 2 number
system. This system uses powers of 2 instead of powers of 10 when recording
values. The example in Figure 11-1 shows how the binary numbering system is
used to store a decimal number.
Binary Value 10110011 Equals Decimal Value 179
Binary number:    1     0     1     1     0     0     1     1
Place value:    128    64    32    16     8     4     2     1
Product:        128     0    32    16     0     0     2     1
1 x 128 = 128, 0 x 64 = 0, 1 x 32 = 32, 1 x 16 = 16, 0 x 8 = 0, 0 x 4 = 0, 1 x 2 = 2, 1 x 1 = 1
128 + 0 + 32 + 16 + 0 + 0 + 2 + 1 = 179
Figure 11-1 The decimal number 179 represented in binary, showing place values
Converting decimal numbers to binary
IP addresses are almost always expressed in dotted decimal notation, which is a
series of four decimal values separated by periods (or dots). Here’s an example:
192.168.23.142
Each decimal value in the above sequence equates to a binary octet. To be meaningful to the TCP/IP protocol suite, the numbers must be converted to their
binary values. Windows XP does this automatically, but you can do it manually to
better understand how these values are used.
To convert the above values to their binary equivalents, we can perform a series of
tests. Each number is tested against a place value in a binary octet, beginning with
the 128 place.
To convert the first octet (192):
1. Is 192 greater than 128? Yes, so there is a 1 in the 128 place in the
binary number.
1 _ _ _ _ _ _ _ _
2. We then subtract 128 from 192 (result 64). We then continue with the
64 place. Since the result of our subtraction is exactly 64, we place a 1
in the 64 place and finish the octet with zeros for the remaining place
values.
1 1 0 0 0 0 0 0
3. The final value (11000000) is placed in its proper position on the
binary version of the address.
1 1 0 0 0 0 0 0 . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _
To convert the next octet (using the same process):
1. Is 168 greater than 128? Yes, there is a 1 in the 128 place in the binary
number.
1 _ _ _ _ _ _ _ _
2. We then subtract 128 from 168 (result 40). We then continue with the
64 place. Since the result of our subtraction is less than 64, we place a
0 in the 64 place and continue to the 32 place.
1 0 _ _ _ _ _ _
3. There is more than 32 remaining, so we put a 1 in the 32 place.
1 0 1 _ _ _ _ _
The remainder from subtracting 32 from 40 is 8. This means we have a
zero for the 16 place and a one in the 8 place.
1 0 1 0 1 _ _ _
4. Completing the octet:
1 0 1 0 1 0 0 0
5. The final value (10101000) is placed in its proper position on the
binary version of the address.
1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _
6. We continue this process until all four octets have been converted to
their binary values (Figure 11-2).
192.168.23.142
Place value    192          168          23           142
128            1 x 128      1 x 128      0 x 128      1 x 128
64             1 x 64       0 x 64       0 x 64       0 x 64
32             0 x 32       1 x 32       0 x 32       0 x 32
16             0 x 16       0 x 16       1 x 16       0 x 16
8              0 x 8        1 x 8        0 x 8        1 x 8
4              0 x 4        0 x 4        1 x 4        1 x 4
2              0 x 2        0 x 2        1 x 2        1 x 2
1              0 x 1        0 x 1        1 x 1        0 x 1
Binary octet   11000000     10101000     00010111     10001110
11000000.10101000.00010111.10001110
Figure 11-2 Converting 192.168.23.142 to binary octets
IMPORTANT When you convert decimal numbers to binary values, if the value you are converting is less than 128, be sure to fill all eight positions in the binary octet (with a zero, if necessary). If places are left empty, the resulting complete value will not be a full 32-bit number. The completed binary address should be four complete octets separated by periods (or dots).
Using Calculator to convert decimal numbers to binary
A somewhat simpler way to convert decimal numbers to binary values is to use
Calculator, which records the result in full binary notation.
1. Open Calculator by choosing Start | All Programs | Accessories |
Calculator.
2. Place Calculator in scientific mode by clicking View | Scientific.
3. Enter the decimal number.
4. Click the Bin button to convert the number to binary format (Figure 11-3).
NOTE Be sure to fill in any leading zeros to make the number eight digits long.
5. Convert each additional decimal value in turn.
6. Record the resulting binary values.
Figure 11-3 Converting decimal numbers to binary using Calculator
Converting binary numbers to decimal
Converting a binary number to its decimal equivalent is simply a reversal of the
process we used to convert the decimal number to binary. Beginning with the 128
place, multiply each position by its place value.
To convert 11000000 to decimal, multiply each bit by its base 2 place value:
1. Multiply the 128 place first.
1 x 128 = 128
2. Continue with the 64 place.
1 x 64 = 64
3. Complete the octet.
0 x 32 = 0
0 x 16 = 0
0 x 8 = 0
0 x 4 = 0
0 x 2 = 0
0 x 1 = 0
4. Finally, total the resulting values to obtain the decimal number.
128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
5. Continue the process until the entire address is converted (Figure 11-4).
11000000.10101000.00010111.10001110
Place value    11000000     10101000     00010111     10001110
128            1 x 128      1 x 128      0 x 128      1 x 128
64             1 x 64       0 x 64       0 x 64       0 x 64
32             0 x 32       1 x 32       0 x 32       0 x 32
16             0 x 16       0 x 16       1 x 16       0 x 16
8              0 x 8        1 x 8        0 x 8        1 x 8
4              0 x 4        0 x 4        1 x 4        1 x 4
2              0 x 2        0 x 2        1 x 2        1 x 2
1              0 x 1        0 x 1        1 x 1        0 x 1
Decimal        192          168          23           142
192.168.23.142
Figure 11-4 Obtaining a dotted decimal value from a binary octet value
Using Calculator to obtain a decimal result is also a reverse of the procedure outlined above. Beginning with binary values, convert each to its decimal equivalent
and record the result.
1. Open Calculator by choosing Start | All Programs | Accessories |
Calculator.
2. Place Calculator in scientific mode by choosing View | Scientific.
3. Enter the binary number into Calculator.
4. Click the Dec button to convert the number to decimal format
(Figure 11-5).
5. Convert each additional binary value in turn.
6. Record the resulting decimal values.
Figure 11-5 Converting binary numbers to decimal using Calculator
NOTE Programmers have created subnet calculators to make these conversions easier. One such calculator is the SolarWinds Subnet Calculator, available at www.solarwinds.net. Sometimes you will not have access to these tools, however, so it is important to understand how to convert addresses manually or by using Windows Calculator.
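The two manual procedures above (testing a decimal octet against each place value from 128 down, and multiplying binary digits by their place values to get back to decimal) written as a small program. This is an added example, not code from the book; the function names are the example's own.

```python
# Added example: the chapter's manual octet conversions, automated.
PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)


def octet_to_binary(value):
    """Convert one decimal octet (0-255) to an eight-digit binary string.

    Compare what is left of the value against each place value from 128
    down to 1.  If the place fits, write a 1 and subtract it; otherwise
    write a 0.  (When the remainder equals the place, as for 128, the test
    must be "greater than or equal", which the book's subtraction step
    implies.)  Leading zeros are kept so every octet is eight digits.
    """
    if not 0 <= value <= 255:
        raise ValueError("an octet must be 0-255, got %r" % (value,))
    bits = []
    remainder = value
    for place in PLACE_VALUES:
        if remainder >= place:
            bits.append("1")
            remainder -= place
        else:
            bits.append("0")
    return "".join(bits)


def binary_to_octet(bits):
    """Reverse the process: multiply each digit by its place value and total."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly eight binary digits, got %r" % (bits,))
    return sum(int(bit) * place for bit, place in zip(bits, PLACE_VALUES))


def address_to_binary(dotted):
    """'192.168.23.142' -> '11000000.10101000.00010111.10001110'."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("expected four dotted-decimal octets, got %r" % (dotted,))
    return ".".join(octet_to_binary(int(octet)) for octet in octets)


def binary_to_address(binary):
    """'11000000.10101000.00010111.10001110' -> '192.168.23.142'."""
    octets = binary.split(".")
    if len(octets) != 4:
        raise ValueError("expected four binary octets, got %r" % (binary,))
    return ".".join(str(binary_to_octet(octet)) for octet in octets)


def worked_conversion(value):
    """Return the 'bit x place = product' lines shown in Figures 11-1 and 11-2."""
    bits = octet_to_binary(value)
    lines = ["%s x %3d = %3d" % (bit, place, int(bit) * place)
             for bit, place in zip(bits, PLACE_VALUES)]
    lines.append("%d = %s" % (value, bits))
    return lines


if __name__ == "__main__":
    for line in worked_conversion(179):
        print(line)
    print(address_to_binary("192.168.23.142"))
    print(binary_to_address("11000000.10101000.00010111.10001110"))
```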
Decoding IP Addresses
Converting the decimal numbers of the dotted decimal notation to their binary
equivalent is the first step in determining how your system fits into the IP networking picture in your organization. Beginning with the leftmost bits, the
address gets progressively more system specific.
In the addressing scheme of the Internet, the leftmost bits designate large networks. These large network address ranges, or netblocks, are assigned to the large
Internet service providers (ISPs) by the Internet Assigned Numbers Authority
(IANA). The ISPs, in turn, divide their netblocks into smaller networks (see
Figure 11-6). Some of these smaller networks are assigned to large corporate customers; some are assigned to yet smaller ISPs. These corporate customers or
smaller ISPs can then further divide these networks to serve their offices or clients.
As we progress from left to right, the digits get more location-specific. This lets
Internet routers zero in on an address by starting on the left and following the
routing information from the large network to the smaller one. Each step in the
route gets more specific as each router knows in more detail where the designated
system is. The last router in the route has the address of the designated system in
its routing tables.
NOTE A routing table is a database of known networks and the best route for finding each of them. Internet routers share data with other routers about routes they know in order to build this database. This allows the routers to keep track of the best way to get data from one location to another. Routers can even route packets around a downed network if they have enough time to update their routes. This reconstruction of the network’s routes is known as convergence.
Figure 11-6 Division of large netblocks into smaller networks (the figure follows the example address 12.56.176.23 from Contoso Corporation, a large network service provider, to Contoso North America, a division of Contoso Corporation, to Northwind Traders Corporate Headquarters, whose 12.56.176.0 netblock was assigned by Contoso North America, and finally to the host www.nwtraders.com)
IP octets
Each IP address can be examined by octet. If you look at the IP address assigned
to your system, you will notice that it has the same first two or three octets as
other, nearby systems. In the simplest IP networks, these octets are used to designate the network your system is operating on. They help your system determine
whether it can speak to these nearby systems directly or if it will require the
services of a gateway to communicate with them. We will explore subnets and
subnet masks later in the chapter to clarify this concept.
Local vs. Remote Systems
When a system using TCP/IP wants to connect to another system, it needs the
IP address of the destination system. It might get this IP address from a DNS
server as the result of a name resolution, or the user or application might provide
it directly. By taking a close look at this address, the system can tell if it can talk to
this system directly or if it must relay its communications through a router.
Figure 11-7 depicts three systems. System A wants to communicate with systems
B and C. By looking at the address of system B, it sees the same octet values in the
portions of the IP addresses that correspond to 255s in the subnet mask. It
knows that this is a local system, so it can communicate with it directly. When
system A looks at the address for system C, however, it sees a different network
address. It checks its routing table to see if it has an entry for that network. If it
does not, it forwards its communication request to the network’s default gateway.
CHAPTER 11:
192.168.99.0 Network
192.168.99.1
CONFIGURING TCP/IP ADDRESSING AND SECURITY
192.168.100.0 Network
192.168.100.1
192.168.99.123
Gateway
(Router)
192.168.100.14
192.168.99.123
Figure 11-7 Determining whether a system is local or remote
F11HT07.VSD
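The local-or-remote decision system A makes above, as an added example that is not code from the book: the address and the subnet mask are combined bit by bit, and two addresses are local to each other when the bits under the 255s (the ones in the mask) match. The addresses are taken from Figure 11-7; that system A is 192.168.99.123 and that its default gateway is 192.168.99.1 are assumptions, as is the sample routing table.

```python
# Added example: is a destination local, or must a router relay for us?


def to_int(dotted):
    """'192.168.99.123' -> 32-bit integer, validating four octets of 0-255."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("not a valid IPv4 address: %r" % (dotted,))
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def to_dotted(value):
    """32-bit integer -> dotted decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_mask(mask):
    """A subnet mask is a run of ones followed only by zeros (e.g. 255.255.224.0)."""
    inverted = ~to_int(mask) & 0xFFFFFFFF      # host bits become ones
    return (inverted & (inverted + 1)) == 0     # those ones must be contiguous


def network_id(address, mask):
    """The part of the address that lines up with the ones in the mask."""
    if not is_valid_mask(mask):
        raise ValueError("not a contiguous subnet mask: %r" % (mask,))
    return to_dotted(to_int(address) & to_int(mask))


def is_local(my_address, mask, destination):
    """True when the destination shares my network ID under my subnet mask."""
    return network_id(my_address, mask) == network_id(destination, mask)


def next_hop(my_address, mask, destination, routes, default_gateway):
    """Decide where a packet goes, as system A does in the text.

    routes is the routing table: a list of (network, mask, gateway) tuples.
    Returns ('direct', destination) for a local system, ('route', gateway)
    for the most specific matching table entry, or ('default', gateway)
    when no entry matches and the default gateway must relay the packet.
    """
    if is_local(my_address, mask, destination):
        return ("direct", destination)
    best_bits, best_gateway = -1, None
    for network, route_mask, gateway in routes:
        if network_id(destination, route_mask) == network_id(network, route_mask):
            bits = bin(to_int(route_mask)).count("1")
            if bits > best_bits:                 # longest matching prefix wins
                best_bits, best_gateway = bits, gateway
    if best_gateway is not None:
        return ("route", best_gateway)
    return ("default", default_gateway)


if __name__ == "__main__":
    # Constructed from Figure 11-7; system A's address and gateway are assumed.
    system_a, mask, gateway = "192.168.99.123", "255.255.255.0", "192.168.99.1"
    for target in ("192.168.99.1", "192.168.100.14"):
        print(target, "local" if is_local(system_a, mask, target) else "remote",
              next_hop(system_a, mask, target, [], gateway))
```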
USING SUBNET MASKS
The classful IP addressing scheme we discussed in Chapter 10 was a great way to
assign IP addresses when there were only several thousand systems connected
to the Internet and there was plenty of room to spare. However, it eventually
became apparent that the classful addressing scheme had a few flaws. Only a few
networks can be defined when only Class A, B, and C netblocks are used.
Organizations requiring more than 65,534 addresses were assigned Class A
netblocks. They often wasted a significant number of addresses. (Have you ever
seen a corporation with 1.7 million publicly accessible computers?) The Class A
netblocks were taken almost immediately.
The Class B networks were given to organizations requiring more than the 254
addresses available in a Class C netblock. Some smaller corporations needing
more than 254 addresses were assigned entire Class B networks, even if they
needed only 300 addresses! Class B network addresses became scarce, so some
organizations began to buy several Class C netblocks to serve their needs. This
required them to maintain routing table entries for each netblock, adding to the
number of routing table entries on Internet routers.
Internet engineers devised a way to further define networks so an organization
could carve out a niche just large enough for its purposes without wasting valuable addresses. By going to the basic binary structure of the IP address, they
were able to define network masks (commonly known as subnet masks) that
could be used to split large networks or combine smaller networks.
Subnetting and Supernetting
The subnet mask for a system might look something like 255.255.0.0, for example. By itself, it does not appear very interesting. How can a few 255s and some 0s
solve the Internet’s addressing problems?
Let’s convert that subnet mask to binary octets: decimal 255 is equivalent to
the binary octet value 11111111. If we complete the conversion, we see that
255.255.0.0 is equivalent to 11111111.11111111.00000000.00000000. Still
not impressed?
Well, remember from Chapter 10 that the subnet mask defines which part of the
address belongs to the network and which part belongs to the host. If you superimpose this subnet mask over an IP address (in binary form), you can see immediately which part of the address belongs to the network and which belongs to
the host. By moving the division between the ones and zeros either left or right,
you can gradually change the number of addresses available on a given network.
This process also changes the number of available networks.
By providing this feature, called classless interdomain routing, or CIDR
(pronounced “see-duhr”), Internet engineers were able to preserve a significant
amount of address space on the Internet. With a slight modification of the subnet
mask, an organization needing only 300 addresses would no longer have to use
65,534. By moving the subnet mask one bit to the left, it could combine two Class
C networks and have 510 addresses. Likewise, a company with a Class A network
could divide the network into many smaller networks and sell them to other
organizations or return them to IANA. The ability to increase a network’s size by
modifying the subnet mask is called supernetting. Breaking a network into
smaller networks is called subnetting.
NOTE CIDR uses a special notation to designate subnet masks. After counting the subnet mask bits, you can append the notation /n, where n is the number of subnet mask bits. For example, the CIDR notation /24 would be the equivalent of a Class C subnet (255.255.255.0). This shorthand helps eliminate the need for tedious binary conversion when recording subnet masks.
Breaking up larger networks
Subnetting is the more common use of subnet masks. By creating many smaller
networks, an owner of a netblock can divide his available address space according to the needs of his customers. For example, an ISP with a Class B netblock can
divide it into 254 Class C addresses. Or it can keep going to the right and create
as many as 16,384 networks of two addresses each!
Let’s take a look at how this is possible. In Figure 11-8, we see a single Class B
netblock. Suppose you are an ISP with two clients that each need 8000 addresses.
You could find them two Class B netblocks, or you could split the one you have
into smaller blocks.
131.107.0.0 = 10000011.01101011.00000000.00000000
A  Default Class B subnet mask: 11111111.11111111.00000000.00000000 = 255.255.0.0
B  New subnet mask:             11111111.11111111.11100000.00000000 = 255.255.224.0 (CIDR /19)
C  2^n (2^3) or 8 new networks:
   10000011.01101011.00000000.00000000 = 131.107.0.0/19
   10000011.01101011.00100000.00000000 = 131.107.32.0/19
   10000011.01101011.01000000.00000000 = 131.107.64.0/19
   10000011.01101011.01100000.00000000 = 131.107.96.0/19
   10000011.01101011.10000000.00000000 = 131.107.128.0/19
   10000011.01101011.10100000.00000000 = 131.107.160.0/19
   10000011.01101011.11000000.00000000 = 131.107.192.0/19
   10000011.01101011.11100000.00000000 = 131.107.224.0/19
Figure 11-8 Subnetting a Class B network
If you modify the default Class B subnet value of 255.255.0.0 (shown in
Figure 11-8 as A) by adding three more subnet mask bits, the resulting subnet
mask value, 255.255.224.0 (B in the figure), provides three more address bits for
designation of network IDs. (The subnet mask value for B in the figure is /19 in
CIDR notation.)
By analyzing the new bits, you can see 2^n (where n is the number of new subnet
mask bits) additional new networks are made available. In this scenario, the three
additional subnet bits create 2^3 or 8 new networks (C in the figure), each with
more than 8000 addresses.
NOTE You can calculate the number of addresses available in a newly subnetted network by using the equation 2^n – 2 (where n is the number of host bits available). We subtract 2 to allow for the network ID designation (host address all zeros) and a broadcast address (host address all ones). The example above yields 8190 addresses in each netblock.
Splicing networks together
Figure 11-9 shows eight Class C networks. To be able to communicate with hosts
on all eight networks, you need to maintain a router with eight routing table
entries (one for each network). To combine these netblocks and make a router
unnecessary in this scenario, you can combine the networks into a single, larger
netblock by supernetting them.
NOTE
Supernetting is also used to reduce the number of entries in Internet routing tables by combining smaller networks into larger netblocks that can be addressed by one entry.
Figure 11-9 Determining the network ID. The figure shows eight Class C networks, 192.168.96.0 through 192.168.103.0, combined into 192.168.96.0/21: (A) network 1, 11000000.10101000.01100000.00000000, and network 8, 11000000.10101000.01100111.00000000, under the mask 255.255.255.0 (11111111.11111111.11111111.00000000, CIDR /24); (B) the mask shortened to 255.255.248.0 (11111111.11111111.11111000.00000000, CIDR /21); (C) the resulting network ID 11000000.10101000.01100000.00000000, that is, 192.168.96.0/21.
By looking closely at the third octet, you can see that all eight network IDs are
identical up until the last three digits (step A in the figure). By moving the subnet
mask left three digits (step B), you place the unique portion of the address into
the host address portion, making the network portion of each netblock the
same. By converting the new network ID to decimal numbers (step C), we get
192.168.96.0. All eight networks are now combined into one: one network, one
routing table entry, and no router required within the organization.
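As an added example (not from the book), the subnetting of Figure 11-8 and the supernetting of Figure 11-9 worked with Python's ipaddress module; to_binary_octets, subnet, supernet and is_local are names chosen here, and is_local also covers the local-or-routed comparison the chapter summary describes.

```python
import ipaddress

# Added example, not code from the book: the mask arithmetic behind
# Figures 11-8 and 11-9, using the standard-library ipaddress module.


def to_binary_octets(addr):
    """Render an IPv4 address or mask as dotted binary octets, as in the figures."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def subnet(netblock, extra_bits):
    """Lengthen the mask of netblock by extra_bits and return the resulting
    subnets plus the usable host count per subnet, computed as 2^n - 2 for
    the n host bits that remain (network ID and broadcast are not usable)."""
    net = ipaddress.ip_network(netblock)
    new_prefix = net.prefixlen + extra_bits
    subnets = list(net.subnets(new_prefix=new_prefix))
    host_bits = net.max_prefixlen - new_prefix
    usable_hosts = 2 ** host_bits - 2
    return subnets, usable_hosts


def supernet(networks):
    """Shorten the mask one bit at a time (move it left, step B of Figure 11-9)
    until every network has the same network ID under it; that common block
    is the supernet."""
    nets = [ipaddress.ip_network(n) for n in networks]
    for prefix in range(min(n.prefixlen for n in nets), -1, -1):
        covering = {
            ipaddress.ip_network((int(n.network_address), prefix), strict=False)
            for n in nets
        }
        if len(covering) == 1:
            return covering.pop()
    raise ValueError("unreachable: /0 covers every address")


def is_local(src_with_mask, dst):
    """True when dst lies inside the sending host's subnet, so it can be
    addressed directly; False means the sender must consult its routes or
    default gateway."""
    return ipaddress.ip_address(dst) in ipaddress.ip_interface(src_with_mask).network


if __name__ == "__main__":
    # Figure 11-8: split the Class B 131.107.0.0/16 with three more mask bits.
    subnets, hosts = subnet("131.107.0.0/16", 3)
    print("new mask:", subnets[0].netmask, to_binary_octets(subnets[0].netmask))
    for s in subnets:
        print(to_binary_octets(s.network_address), s)
    print("usable hosts per subnet:", hosts)  # 8190

    # Figure 11-9: combine the eight Class C networks 192.168.96.0-103.0.
    class_cs = [f"192.168.{third}.0/24" for third in range(96, 104)]
    block = supernet(class_cs)
    print("supernet:", block, "mask", block.netmask)  # 192.168.96.0/21 255.255.248.0
    print("same subnet:", is_local("131.107.182.12/16", "131.107.87.18"))
```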
SECURING IP COMMUNICATIONS
Everyone has heard about security problems plaguing the Internet. Computer
viruses have been around since 1975, but more recently other pathogens have
gained prominence. Armies of bots infect computers and coordinate all-out
assaults on e-commerce sites. Spyware can spy on a user’s Web browsing habits,
monitor his e-mail communications, even record keystrokes—and send all this
information to someone who may use it for a variety of nefarious uses, including
identity theft. Trojan horses, once opened by users, load backdoor programs
onto their systems. Worms scan Internet addresses to look for systems with
specific vulnerabilities to infect. These vulnerabilities might be in the communications protocols, the applications the system uses for communication, or even the
operating system itself. Many of these rogue applications come under the category of malware, short for malicious software.
Microsoft Windows XP and the Microsoft Server operating systems and applications have been a primary target for malware authors. One reason for this is the
widespread availability of authoring tools for these systems. Some hackers even
make toolkits available for building viruses and worms.
Another reason for the targeting of Windows is the huge pool of potential victims.
If a worm programmer becomes aware of a specific, exploitable vulnerability, she
can safely assume that an enormous collection of vulnerable systems are on the
Internet. Many of the users of these systems are unaware of the vulnerability, let
alone what to do about patching their systems. All the worm author has to do is
seed enough systems to gain a foothold, and the worm will take it from there.
Internet Threats
Internet threats can take many forms, including viruses, worms, and direct hacks.
Viruses and worms are basically autonomous. They are programmed to seek out
vulnerable systems or users and to deliver a payload. The payload might be as
harmless as a funny song or as serious as a backdoor application that allows the
attacker to take control of your system.
Direct hacking is an attempt to penetrate your system from the Internet. Attackers
might take advantage of a known vulnerability to gain access to your system and
plant applications or store files on it. Some applications planted by direct attack
are designed to operate in concert with other systems controlled by the hacker to
coordinate attacks against high-profile targets. Direct hacks can take many forms,
ranging from attempts to guess your passwords to attempts to overwhelm your
defenses in order to slip through them.
NOTE
This list of Internet threats is by no means complete, but it illustrates the importance of Internet protection. Microsoft recognizes the importance of protecting systems and patching vulnerabilities. To that end, it released Windows XP Service Pack 2 in 2004 with updated Internet security components and improved Automatic Update features. This chapter covers Internet communications security. For a review of Automatic Updates, see Chapter 2.
Protective Technologies
Windows XP has several built-in tools to help users protect their systems and
data. Among these are Windows Firewall, Internet Connection Sharing (ICS)
with network address translation (NAT), Windows XP Security Center (released
with Service Pack 2), and Automatic Updates. Third-party vendors also produce
antivirus applications that detect and defeat viruses, worms, Trojan horses, and
other malware.
■ Windows Firewall An update to the Internet Connection Firewall, which shipped with Windows XP. Windows Firewall is a host-based stateful packet inspection firewall, which means it maintains a state table on all outbound communications traffic and does not accept inbound communications that are not in response to the initial outbound traffic. It is integrated with Windows XP networking, enabled by default on any Internet connection from system startup to system shutdown, and, most importantly, it ships with Windows XP. You can configure and control it centrally using Group Policy settings in Active Directory, and it interfaces with Windows services such as Remote Desktop and File and Printer Sharing to automatically allow traffic on local networks for these uses without you having to manually configure exceptions.
■ Internet Connection Sharing (ICS) ICS allows the secure sharing of an Internet connection with multiple systems on your local network. It translates local network addresses, effectively hiding their existence
from Internet attackers. Those scanning your system see only a single IP address. This lowers the number of systems that can be targeted directly.
■ Desktop antivirus products Microsoft works with third parties to enable them to produce desktop antivirus products that can detect and clean infected applications and data files on your system or in your e-mail. Some antivirus vendors also produce security suites that include firewall functionality. These programs can disable Windows Firewall and put their own firewall in its place.
■ Security Center Windows XP SP2 introduced the Security Center. This console monitors the installation of Windows Firewall and compatible third-party firewalls, checks for antivirus applications, and reports the status of the Automatic Updates service. Users can use this single console to quickly check the status of their protection.
■ Automatic Updates We covered Automatic Updates in Chapter 2. The importance of Automatic Updates cannot be stressed enough. Any update or fix to Windows XP or its components is made available by this method. Configuring Automatic Updates greatly improves a system’s chances of defeating attempts to penetrate it.
Understanding Windows Firewall
Windows Firewall is relatively simple to enable and configure. You can access
controls for Windows Firewall in the Properties dialog box for any network
connection on your system or by double-clicking the Windows Firewall icon in
the Security Center. (To launch the Security Center, open Control Panel and click
Security Center.)
As we discuss Windows Firewall, we will use some of the following terms:
■ Packet filtering The process of inspecting packet headers to determine whether they are allowed to enter the network. Those that do not conform to established rules for address, port, or protocol type are dropped.
■ Stateful packet filtering A more advanced form of packet filtering where inbound packets must be received in response to an initial communication from the system. With stateful packet filtering, outbound traffic is tracked in a “state table” and inbound packets must conform to expected reply traffic to those communications.
■ Exceptions Rules that allow some inbound traffic to enter your system. You might use exceptions to allow Remote Desktop to enter your system so you can access your system from work or school. To allow this, you would enable an exception.
■ Allowed traffic Packet traffic that is allowed to pass the firewall.
■ Rejected traffic Packet traffic that has not met acceptance rules and is dropped.
■ Logging The process by which firewalls maintain a history of acceptance and rejection events. Logging is often used to discover penetration attempts or troubleshoot connectivity issues.
Enabling Windows Firewall
Windows Firewall is enabled by default in Windows XP. You can verify its status
by launching the Security Center from Control Panel (Figure 11-10). The Security
Center displays the status of Windows Firewall or a compatible third-party firewall product.
Figure 11-10 The Security Center displaying the status of the firewall, virus protection,
and Automatic Updates
Windows Firewall is enabled and disabled in the Windows Firewall dialog box
(Figure 11-11), which you can launch by clicking the Windows Firewall icon
in the Security Center. Notice the Don’t Allow Exceptions option. If this option is
selected, any exceptions that have been defined are overridden and the stateful
packet filtering rules apply to all inbound traffic.
Figure 11-11 Enabling Windows Firewall
Managing firewall exceptions
Firewall exceptions allow access to your system from outside for specific purposes. In Figure 11-12, exceptions have been made for Remote Assistance and
Remote Desktop.
Figure 11-12 Managing Windows Firewall exceptions
If you select an exception and click Edit, you can modify the scope of the exception
(as shown later in Figure 11-14) by designating which network connections are
included in the exception rule. This is an important aspect of Windows Firewall
security. You can create exception rules to allow some programs to communicate
locally but restrict traffic on those same ports that might be coming from the
Internet.
Windows XP can also automatically modify exceptions. For instance, when you
enable File and Printer Sharing, Windows XP automatically configures Windows
Firewall exceptions for any local network connections for File and Printer Sharing
while still blocking inbound traffic from the Internet.
To add a new Windows Firewall program exception:
1. Open the Windows Firewall dialog box by clicking the Windows Firewall
icon in the Security Center.
2. If you are configuring an exception for a program installed on your
system, click the Exceptions tab and select Add Program. This launches
the Add A Program dialog box (Figure 11-13). You can select from one
of the programs listed or browse for an unlisted program. Windows
Firewall works with the program to enable the exception rule.
Figure 11-13 Adding a program exception in Windows Firewall
To also specify a scope for your program, click the Change Scope button
(Figure 11-14).
Figure 11-14 Defining a network scope for a port exception in Windows Firewall
To add a new Windows Firewall port exception:
Sometimes a program exception is not effective. If you know the ports required by
your program, you can open them manually by defining a port exception:
1. Open the Windows Firewall dialog box by clicking the Windows Firewall icon in the Security Center.
2. Select the Exceptions tab, and select Add Port to launch the Add A Port
dialog box (Figure 11-15).
Figure 11-15 Adding a port exception in Windows Firewall
If you want to also specify a scope for your port exception, click the
Change Scope button. (See Figure 11-14.)
Windows Firewall advanced configuration
The Advanced tab of the Windows Firewall dialog box (Figure 11-16) gives you
additional configuration opportunities:
Figure 11-16 Windows Firewall advanced settings
■ Network Connection Settings You can select which connections are protected by Windows Firewall. For each connection, you can click the Settings button to modify settings for inbound Internet services such as HTTP and SMTP as well as ICMP communications such as Ping and Tracert:
❑ Services tab This tab (Figure 11-17) allows you to configure
inbound rules for services on your system or on another system on
your internal network. When you select a rule, you are presented with
a dialog box that allows you to select the internal IP address of the
system running that service.
If you are also using ICS, you can use its built-in NAT feature to
pass traffic to an internal server on behalf of an external client.
The rule you configure actually creates a connection that passes
communication from the system running Windows Firewall to
the system defined on the service entry.
If you are not using ICS, you can still use this setting to open the
applicable port on your computer to provide services directly to
Internet clients.
Figure 11-17 Configuring a service entry in Windows Firewall
❑ ICMP tab This tab allows you to configure ICMP exceptions for this connection. These exceptions are discussed below under the global ICMP settings.
■ Security Logging You can enable logging of Windows Firewall packet filters for security analysis and troubleshooting (Figure 11-18).
The packet filter log format can be understood by several third-party
security analysis tools.
NOTE
Note the location of Pfirewall.log. If you are responding to a security event, you will need to quickly locate this file.
Figure 11-18 Configuring security logging in Windows Firewall
■ ICMP This option (Figure 11-19) allows you to set ICMP settings for all enabled connections at once.
Figure 11-19 Configuring ICMP options in Windows Firewall
Here are some ICMP options you might enable:
❑ Allow Incoming Echo Request Received ICMP packets request
an echo from your system to be returned to the sending system. This
option is used for troubleshooting tools such as Ping and Tracert.
❑ Allow Incoming Timestamp Request A message is returned to the sending computer, telling it when the data was received.
❑ Allow Incoming Mask Request Tells this computer to respond to queries for subnet mask information. This type of information is typically sent to diskless workstations when they boot to allow them to configure their TCP/IP protocol stacks.
❑ Allow Incoming Router Request This ICMP request allows systems to share routing information. It is typically used by routers to alert other routers to their presence.
❑ Allow Outgoing Destination Unreachable Allows Internet routers to tell your system why they were unable to reach an intended recipient.
❑ Allow Outgoing Source Quench Allows the system to tell other systems on the Internet to slow their transmission rate to avoid overwhelming its capabilities.
❑ Allow Outgoing Parameter Problem Allows your system to report a malformed or bad header to the sending system.
❑ Allow Outgoing Time Exceeded Allows your system to report to a sending system that the timeout was reached for reassembly of some inbound packets.
❑ Allow Redirect Allows Internet routers to alert your system to a better route for its data.
❑ Allow Outgoing Packet Too Big Allows your system to report to sending systems that the packets they are sending are too big (used with the IPv6 protocol).
NOTE
By default, Windows Firewall does not respond to ping attempts from Internet sources. To test your connection with Ping, you should enable ICMP echo long enough to complete the test and then disable it again. The goal is for your system to respond to as few outside communications as possible, to ensure maximum security.
■ Default Settings This option restores all Windows Firewall default
settings at once.
Windows Firewall with third-party firewalls
Windows Firewall comes with a Windows Management Instrumentation
(WMI) hook for third-party firewall vendors. This allows them to disable Windows Firewall during installation of their products to prevent conflicts. Figure 11-20
shows the Security Center displaying the status of a third-party firewall. In this
figure, the third-party firewall has disabled Windows Firewall to prevent
conflicts.
Figure 11-20 The Security Center displaying the status of a third-party firewall
NOTE
Third-party firewalls might not turn on Windows Firewall when they are uninstalled. Be sure to check the status of Windows Firewall when you remove a third-party firewall to ensure that a lapse in protection doesn’t occur.
Monitoring Internet Communications Security
Because Internet security tools and utilities are so important, you must ensure
they are operating properly and are doing what they were intended to do. Most
Internet protection applications can log their operation and might also issue
pop-up alerts when a particular item needs attention. Microsoft products are no
exception. Windows Firewall alerts and logs help ensure that your firewall is
operating effectively. You should be familiar with their format and the entries you
would expect to see during normal operation so you can quickly recognize when
something is out of place.
Windows Firewall alerts
When an application tries to open an inbound port for communication with
remote systems, if that application does not already have a configured exception,
Windows Firewall presents the user with an alert (Figure 11-21).
Figure 11-21 A Windows Firewall alert
The alert in the figure describes the application and gives the user three choices:
■ Keep Blocking Permanently blocks this application from Internet communication. This option is useful when the application you are working with should not accept communications from Internet systems. An example might be a local communications application that you want to manage with a scoped exception.
■ Unblock Creates a permanent exception for this application. You might use this option to allow an instant messaging program to receive communications from its Internet servers.
■ Ask Me Later Causes Windows Firewall to deny the communication
for now. The next time the application initializes, Windows Firewall
will alert you again. You might use this option to cancel an alert until
you have time to better research whether to allow the application to
access the Internet.
NOTE
Many of the dialog boxes included with the Security Center and Windows Firewall have links to further information about their function. The When Should I Unblock A Program? link in the Windows Security Alert dialog box presents the user with more information about the options in the dialog box.
Windows Firewall logs
Windows Firewall logs packet filter events in the Pfirewall.log file stored by
default in the %SYSTEMROOT% folder (usually C:\Windows). You can browse
this file in Notepad or import it into a third-party intrusion detection system
(IDS) for analysis.
Figure 11-22 shows an excerpt from Pfirewall.log.
Note the Fields line. It lists the name of each data field in the order you see it on
the actual log lines. Do you see the three attempts to connect to the local system’s
Web server? This system is not running any public Web server, so these lines are
an indication of a random scan to locate vulnerable Web servers. The action taken
by Windows Firewall was to silently drop the packets. Any system scanning this
network will not be aware that a system even exists at this address.
Figure 11-22 Windows Firewall log displaying dropped packets
Protocol and service logs
Internet services such as those provided by Microsoft Internet Information
Services (IIS) maintain their own log files. These log files are useful for analyzing
the types of attempted attacks these services are experiencing. By becoming
familiar with these logs, you will begin to spot irregularities in their content.
Figure 11-23 shows an excerpt of the W3SVC (WWW service) log for a system.
Note the 403 (authentication) and 404 (file not found) errors.
Figure 11-23 An IIS WWW service log file
A large number of 403 errors can indicate that someone is attempting to crack a
password to gain access to sensitive information. Multiple 404s, especially for
certain types of files, might indicate an attempt by an Internet worm to locate
vulnerable Web server applications. If you spot these types of events, you might
be able to take action to block the source of the attack or notify its ISP.
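As an added example, not the book's own code, a small reader for the "#Fields:" log layout that both Pfirewall.log and the IIS W3SVC log use, with the two checks this section describes: dropped inbound packets to the Web port counted per source (the Figure 11-22 pattern) and 403/404 counts per client (the Figure 11-23 pattern). The log lines are constructed samples, and the two #Fields: headers are assumed to match the Windows XP SP2 Windows Firewall and IIS 5.1 defaults.

```python
from collections import Counter

# Added example, not code from the book. Both Windows Firewall and IIS write
# W3C-style logs: '#' directive lines, one of which ('#Fields:') names the
# columns of every following data line. Sample lines below are constructed.


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names on the #Fields: line.
    A later #Fields: line re-maps the columns (a restarted log is appended
    with a fresh header); data before any header or with a column count that
    does not match the header is skipped rather than guessed at."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def dropped_inbound_by_source(log_text, dst_port="80"):
    """Count inbound packets to dst_port that Windows Firewall dropped, per
    source address: the repeated probes of a port the host does not serve."""
    hits = Counter()
    for rec in parse_w3c(log_text):
        if (rec.get("action") == "DROP" and rec.get("path") == "RECEIVE"
                and rec.get("dst-port") == dst_port):
            hits[rec["src-ip"]] += 1
    return hits


def status_counts_by_client(log_text, statuses=("403", "404")):
    """Per client IP, count the HTTP status codes of interest so that many
    403s or 404s from one address stand out from ordinary browsing."""
    table = {}
    for rec in parse_w3c(log_text):
        status = rec.get("sc-status")
        if status in statuses:
            table.setdefault(rec["c-ip"], Counter())[status] += 1
    return table


# Constructed Pfirewall.log excerpt; header assumed to be XP SP2's default.
PFIREWALL_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 10:15:22 DROP TCP 203.0.113.45 192.168.1.10 4455 80 48 S 1093432 0 16384 - - - RECEIVE
2005-03-01 10:15:25 DROP TCP 203.0.113.45 192.168.1.10 4456 80 48 S 1093433 0 16384 - - - RECEIVE
2005-03-01 10:15:31 DROP TCP 203.0.113.45 192.168.1.10 4457 80 48 S 1093434 0 16384 - - - RECEIVE
2005-03-01 10:16:02 OPEN TCP 192.168.1.10 198.51.100.7 1041 80 - - - - - - - - -
2005-03-01 10:16:40 DROP ICMP 198.51.100.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE
"""

# Constructed IIS W3SVC excerpt; header assumed to be IIS 5.1's default set.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2005-03-01 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-03-01 10:20:01 203.0.113.45 - 192.168.1.20 80 GET /scripts/one.exe - 404 -
2005-03-01 10:20:01 203.0.113.45 - 192.168.1.20 80 GET /scripts/two.exe - 404 -
2005-03-01 10:20:02 203.0.113.45 - 192.168.1.20 80 GET /three.ida - 404 -
2005-03-01 10:21:10 198.51.100.23 - 192.168.1.20 80 GET /admin/ - 403 -
2005-03-01 10:21:12 198.51.100.23 - 192.168.1.20 80 GET /admin/ - 403 -
2005-03-01 10:22:00 192.168.1.5 - 192.168.1.20 80 GET /index.htm - 200 -
"""

if __name__ == "__main__":
    print("dropped inbound to port 80:", dict(dropped_inbound_by_source(PFIREWALL_SAMPLE)))
    for client, counts in status_counts_by_client(IIS_SAMPLE).items():
        print(client, dict(counts))
```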
SUMMARY
■ IP addresses comprise four binary octets separated by periods (or dots). These values can be converted to decimal numbers to represent the address in dotted decimal notation.
■ The IP address of a destination system is compared to that of the local system to determine if it is on the local network. If the portion of the address covered by the subnet mask is identical, the system is local and can be addressed directly. If there is no match, the sending computer checks to see if it has a route to the destination. If it does not, the communication is sent to the sending computer’s default gateway.
■ Classless interdomain routing (CIDR) permits large networks to be split (or subnetted) or smaller networks to be combined (or supernetted). It accomplishes this by modifying the subnet mask at the binary level, gradually increasing or decreasing it.
■ Internet threats include worms, viruses, bots, spyware, and direct hack attempts.
■ Windows Firewall is a host-based stateful packet inspection firewall.
■ Internet Connection Sharing (ICS) can protect a network by hiding its actual IP addresses from external systems.
■ Windows Firewall can be configured with exceptions to allow inbound communication with specified programs.
■ Windows Firewall alerts and logs let you monitor its operation
and alert you to possible penetration attempts or configuration
issues.
REVIEW QUESTIONS
1. Convert the IP address 131.107.125.234 to its binary octet values.
Which of the following answers is correct?
a. 01111101.11101010.10001001.1101011
b. 10000011.1101011.1111101.11101010
c. 1101011.1111101.10001001.11101010
d. 10000011.01101011.01111101.11101010
2. A host with the IP address 131.107.182.12/16 is trying to communicate
with a host with the address 131.107.87.18/16. Does this communication require a router? Why or why not?
3. Which of the following subnets would you use to supernet the networks 192.168.100.0 and 192.168.101.0?
a. 255.255.255.224
b. 255.255.248.0
c. 255.255.254.0
d. 255.255.0.0
4. Which of the following malware types can scan the Internet for victims?
a. Virus
b. Worm
c. Spyware
d. Trojan horse
5. Which of the following are uses for Windows Firewall? (Choose all correct answers.)
a. Protecting a system from Internet worms
b. Connecting multiple systems to the Internet
c. Blocking malicious connection attempts
d. Preventing a virus from infecting your system
6. A user wants to set up a Web server on a Windows XP Professional
computer on your network. You have a Windows XP Professional system connected to the Internet that uses ICS with Windows Firewall
enabled to securely share its Internet connection with the rest of the
network. Which feature of Windows Firewall do you configure to allow
inbound connections to that Web server while still retaining Windows
Firewall security for all other communications?
a. Exception
b. ICMP rule
c. Service entry
d. Packet filter
CASE SCENARIOS
Scenario 11-1: A Growing Enterprise
You are consulting for a company that has a growing office in your area. It has a
Class C network (192.168.12.0) that is running out of addresses. The company
has defined two additional Class C networks and has begun to add hosts to them.
Hosts in 192.168.12.0 cannot communicate with hosts in 192.168.10.0. Answer
the following questions about this scenario.
1. Why can’t hosts in 192.168.12.0 communicate with hosts in
192.168.10.0?
2. Name two ways to allow hosts on 192.168.12.0 to communicate with
hosts on 192.168.10.0.
3. Which method listed in the answer to question 2 is least expensive?
Scenario 11-2: Security on a Shoestring
You are volunteering for a charity by configuring its network and Internet operations. You have used IIS in Windows XP for the Web server and the Simple Mail
Transfer Protocol (SMTP) server. You set up a computer to connect to the Internet
with a DSL connection. You want to put the Web server and SMTP server on the
Internet, as well as allow office users to use the Internet with Internet Explorer.
Answer the following questions about this scenario.
1. How can you connect the entire office to the Internet inexpensively?
2. How can you allow inbound access to the Web server and the mail
server?
CHAPTER 12
MANAGING INTERNET EXPLORER CONNECTIONS AND SECURITY
Upon completion of this chapter, you will be able to:
■ Configure Internet connections in Internet Explorer
■ Connect to resources using Internet Explorer
■ Configure and manage Internet Explorer security settings
■ Configure and manage Internet Explorer privacy settings
■ Audit and control add-on programs and browser helper objects with
Add-On Manager
In this chapter, we will configure and manage Microsoft Internet Explorer, beginning with initial connection, configuration, and progressing to advanced security
settings. You will learn how to configure Web content zones and how to manage
sites in these zones. You will also be introduced to the privacy features of Internet
Explorer and how to configure privacy settings. Finally, we will explore the management of add-on programs and browser helper objects.
MANAGING INTERNET EXPLORER CONNECTIONS
You can connect Internet Explorer to the Internet in a variety of ways, including
direct access from an Internet-connected local area network (LAN), by dialing up
to an ISP, connecting through an Internet proxy server, or a combination of these
methods. We will discuss these connection methods and how to configure them.
Using the New Connection Wizard
You can configure connectivity for Internet Explorer using the New Connection
Wizard (as described in Chapter 10). You launch the wizard by choosing Tools |
Internet Options in Internet Explorer. On the Connections tab (Figure 12-1)
of the Internet Options dialog box, click the Setup button.
Figure 12-1 The Connections tab of the Internet Options dialog box
To configure a connection to an Internet service provider (ISP), select the
Connect To The Internet option (Figure 12-2) and then click Next.
Figure 12-2 The New Connection Wizard
On the Getting Ready page (Figure 12-3), you will see three options:
■ Choose From A List Of Internet Service Providers (ISPs) Configures a connection based on settings ISPs have given to Microsoft for inclusion in this wizard.
■ Set Up My Connection Manually Allows a connection to be created in one of the following ways:
❑ Connect Using A Dial-Up Modem Allows you to manually create a connection by entering settings provided to you by your ISP.
❑ Connect Using A Broadband Connection That Requires A User And Password Allows configuration of a connection using Point-to-Point Protocol over Ethernet (PPPoE). Settings for this type of connection are provided by your ISP.
❑ Connect Using A Broadband Connection That Is Always On Allows a basic LAN connection to be configured. This option assumes that all settings are assigned from a DHCP server or Internet gateway device.
■ Use The CD I Got From An ISP Searches the CD-ROM drive for a disk provided by your ISP. The required settings are programmed into an application on the disk.
Figure 12-3 The Getting Ready page of the New Connection Wizard
Managing Connection Settings
You can use the New Connection Wizard to configure most settings required by
Internet Explorer to enable Internet connectivity. After you define the dial-up
connection, you can manage it by using the Connections tab of the Internet
Options dialog box (shown earlier in Figure 12-1). You can add or remove dial-up
connections and select which connection will be dialed by default. You can also
manage advanced settings for dial-up connections or access settings for connections using a LAN. We will first examine the options for dial-up settings.
Dial-up settings
In addition to adding new connections and deleting those that are no longer
required, you can specify advanced settings for each dial-up connection, such as
the use of a proxy server. You select the dial-up connection to configure and then
click the Settings button. This opens the Settings dialog box for the selected connection (Figure 12-4).
Figure 12-4 Configuring settings for a dial-up connection
The dialog box includes the following:
■ Automatic Configuration This section of the dialog box includes settings that allow Internet Explorer to automatically detect and manage settings for connectivity. The options are:
❑ Automatically Detect Settings When this is selected, Windows XP attempts to detect the required settings for this connection by querying a DHCP or DNS server using the Web Proxy Auto-Discovery (WPAD) protocol. This service is configured by a network administrator to notify browsers of the location of proxy servers on the network.
NOTE
You configure WPAD on the server side by configuring specific DHCP server options to provide configuration information about proxy servers. If a DHCP server is not configured for WPAD, Internet Explorer clients attempt to locate a proxy server by using Service Location Protocol (SLP), which is designed to allow clients to locate and configure connections to servers, printers, video cameras, and other networked services.
❑ Use Automatic Configuration Script This option allows you to specify an automatic configuration script that contains additional configuration information for the browser. These scripts are typically used by administrators to make changes to settings after deployment. The browser checks the file periodically to look for updated settings.
■ Proxy Server Allows the manual configuration of proxy server settings. The Advanced button opens the Proxy Settings dialog box (Figure 12-5), where you can specify the following additional settings:
❑ Servers Allows you to designate separate proxy server addresses or ports for proxies of different Internet protocols.
❑ Exceptions Allows you to designate addresses or networks for which Internet Explorer will bypass the proxy server. This option is typically used to designate safe networks that do not require the services of a proxy server during the connection.
Figure 12-5 Configuring advanced proxy settings
NOTE
Using the Automatically Detect Settings option can cause manually configured proxy settings to be overridden when a proxy server is advertised through WPAD. If you do not want manually configured proxy settings to change, be sure to disable automatic detection by clearing the Automatically Detect Settings check box.
■ Dial-Up Settings: This section of the Settings dialog box allows you to enter username and password information for this connection. It also includes two buttons:
❑ Properties: Opens the Properties dialog box for the connection itself (Figure 12-6). This is the same dialog box you would access from the Network Connections window by right-clicking the connection and choosing Properties. Here you can specify the connection's phone number, dialing options, and security settings. You can also choose which protocols and clients will be bound to this connection and whether Internet Connection Sharing or Windows Firewall will be used on this connection.
Figure 12-6 Dial-up connection properties
❑ Advanced: Opens the Advanced Dial-Up dialog box for the connection (Figure 12-7). Here you can override dial-up settings from the configured connection when you use Internet Explorer with this connection. This is useful if you are using a connection for multiple purposes and need a different idle-disconnect setting when using Internet Explorer, to avoid dropping the connection during periods of inactivity.
Figure 12-7 Advanced settings for a dial-up connection
LAN settings
Click the LAN Settings button on the Connections tab of the Internet Options
dialog box to open the Local Area Network (LAN) Settings dialog box (Figure 12-8).
This dialog box is similar to the Dial-Up Settings dialog box, minus dial-up options such as username and password or connection properties. The options in this dialog box are:
■ Automatic Configuration: The same options for automatic configuration of a proxy server that we discussed for dial-up connections are available to LAN connections.
■ Proxy Server: Allows you to manually configure proxy server settings. The same options we discussed previously are available here as well.
Figure 12-8 The Local Area Network (LAN) Settings dialog box
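The following Python script, added here as an illustration and not taken from the book, models the decisions behind the proxy settings just described: which host names the WPAD DNS fallback would query for a client with a given fully qualified name, and which proxy (if any) Internet Explorer would pick for a URL given a per-protocol proxy string and an Exceptions list. The host names, proxy addresses and bypass list are made up for the example, and the DNS walk follows the rule in the WPAD specification (strip one label at a time, never query the bare top-level domain) rather than a capture of Internet Explorer's own traffic.

```python
"""Proxy selection as the Connections settings describe it: an added example,
not code from the book.

It models three things from the Settings and Proxy Settings dialog boxes:
  * the DNS fallback of WPAD, i.e. the host names a client would query,
    derived from its own fully qualified name (per the WPAD specification:
    walk up the parent domains, stop before the top-level domain);
  * manual proxy servers given per protocol, in the same
    "http=host:port;https=host:port" form Internet Explorer stores them;
  * the Exceptions (bypass) list: semicolon-separated wildcard patterns,
    plus the <local> token that matches host names without a dot.
All host names, proxies and URLs below are constructed for illustration.
"""
from __future__ import annotations

from fnmatch import fnmatchcase
from urllib.parse import urlsplit

PROXIED_SCHEMES = ("http", "https", "ftp")


def wpad_dns_candidates(client_fqdn: str) -> list[str]:
    """Names the WPAD DNS fallback would query, most specific first.

    For pc17.sales.corp.contoso.com this yields wpad.sales.corp.contoso.com,
    wpad.corp.contoso.com and wpad.contoso.com, and never wpad.com: a name
    directly under the top-level domain could be registered by anyone.
    """
    labels = client_fqdn.lower().rstrip(".").split(".")[1:]  # drop the host label
    candidates = []
    while len(labels) >= 2:                                  # stop before the TLD
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def parse_proxy_servers(setting: str) -> dict[str, str]:
    """Turn "http=p:8080;https=p:8443" into {"http": "p:8080", ...}.

    A bare "p:8080" (the 'same proxy for all protocols' case) applies to
    every protocol.
    """
    if "=" not in setting:
        return {scheme: setting.strip() for scheme in PROXIED_SCHEMES}
    servers: dict[str, str] = {}
    for part in setting.split(";"):
        scheme, _, server = part.strip().partition("=")
        if scheme and server:
            servers[scheme.lower()] = server
    return servers


def bypasses_proxy(host: str, exceptions: str) -> bool:
    """True when the Exceptions list says to connect to host directly."""
    host = host.lower()
    for pattern in (p.strip().lower() for p in exceptions.split(";")):
        if not pattern:
            continue
        if pattern == "<local>":
            if "." not in host:
                return True
        elif fnmatchcase(host, pattern):
            return True
    return False


def choose_proxy(url: str, proxy_setting: str, exceptions: str = "") -> str | None:
    """Return the "host:port" proxy for url, or None for a direct connection."""
    parts = urlsplit(url)
    if not parts.hostname or bypasses_proxy(parts.hostname, exceptions):
        return None
    return parse_proxy_servers(proxy_setting).get(parts.scheme.lower())


if __name__ == "__main__":
    # Constructed settings mirroring the Proxy Settings dialog box.
    servers = "http=proxy.corp.contoso.com:8080;https=proxy.corp.contoso.com:8443"
    bypass = "*.corp.contoso.com;10.*;<local>"
    print(wpad_dns_candidates("pc17.sales.corp.contoso.com"))
    for target in ("http://www.example.org/", "https://intranet/", "http://10.1.2.3/"):
        print(target, "->", choose_proxy(target, servers, bypass))
```

Run it and the first line lists the three candidate names; note that wpad.com is not among them. Whoever can answer one of the listed names, or the DHCP option, decides where the browser's traffic goes, which is the practical reason to prefer a fixed configuration script URL on managed networks and to clear Automatically Detect Settings on machines that roam.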
CONNECTING TO RESOURCES USING INTERNET EXPLORER
You can do more with Internet Explorer than merely browse Web sites. You can use it to connect to a wide variety of network and Internet resources including:
■ Web servers
■ File Transfer Protocol (FTP) servers
■ Web folders (using WebDAV)
■ Microsoft .NET server applications
■ Applications that use ActiveX or Java programs and scripts
We will look at the procedures for accessing these resources and discuss any special steps or extra components required to make use of them.
Uniform Resource Locators
Most people are familiar with the format of Uniform Resource Locators (URLs)
from publications and television. Let’s look at the parts of a URL (Figure 12-9)
more closely.
http://www.contoso.com:5680/docfiles/document_list.html#finance
(left to right: Protocol, Hostname, Port, Path, Document, Named anchor)
Figure 12-9 Parts of a URL
■ Protocol indicator: This indicates the Internet protocol that Internet Explorer should use to access the resource. Some resources, prefaced by indicators such as http:// and ftp://, are opened directly in Internet Explorer. Other resources, prefaced by indicators such as mailto: and news:, are passed to Microsoft Outlook Express or another e-mail or Usenet application for processing. Other protocol indicators you may see are:
❑ https://: Hypertext Transfer Protocol Secure. Uses Secure Sockets Layer (SSL) or its standardized successor, Transport Layer Security (TLS), to provide encrypted HTTP connections in which the server proves its identity with a certificate.
❑ file://: Local file system resources. (For example, file:///c:/deploy opens the C:\Deploy folder on the local system.) Content opened this way runs in the Local Machine zone described later in this chapter.
❑ telnet://: An address resource for the Telnet protocol.
❑ ipp://: Internet Printing Protocol address (used to connect to Internet printers).
❑ ldap://: Lightweight Directory Access Protocol.
NOTE
This list is by no means complete. IANA maintains a registered list of URL protocol schemes at http://www.iana.org/assignments/uri-schemes.
■ Host name: Designates the host name or IP address of the system hosting the URL.
■ Port: An optional portion of the address. Most protocols use well-known port numbers, such as 80 for HTTP, to identify their ports. This value must be specified only if the host is using a nonstandard port number (for the indicated protocol) to host this resource.
■ Path: Designates the directory path on the host relative to the root of the directory serving the document.
■ Document: The actual file name of the document on the host system. Some documents, such as HTML documents, are interpreted by the browser and displayed, while others are simply downloaded to the client system. Other types of files might be scripts or applications that will be hosted in the browser window during operation.
■ Named anchor: Allows the programmer of the site to provide shortcuts to specific points within documents. By inserting anchor tags into the document code, the programmer can allow clients to rapidly find certain passages in a very large file. The anchor is interpreted by the browser and is not sent to the server.
NOTE
Other special characters and syntax can be used in URLs to pass information into an application on the server end. An example of this is the query syntax (the part after a question mark) you see displayed in the Address bar when you are viewing the results of a search engine query.
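As an added example (not part of the book), the following Python code splits a URL into the parts of Figure 12-9 and reports two things a security reviewer looks for: the port that applies when none is written, and a user-information part before the host, which lets a link show a familiar name while connecting somewhere else. The URLs it handles are constructed; the port table covers only the protocols named on this page.

```python
"""Break a URL into the parts labelled in Figure 12-9: an added example, not
code from the book.

Uses the standard library parser and adds two checks a reviewer wants: the
default port the protocol implies when none is written, and whether the URL
carries a user-information part ("user@" before the host) that lets the name
a reader sees differ from the host actually contacted. Sample URLs are
constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Well-known ports for protocols Internet Explorer opens itself.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "telnet": 23, "ldap": 389}
# Protocols Internet Explorer hands to another application instead.
HANDED_OFF = {"mailto", "news"}


@dataclass
class UrlParts:
    protocol: str
    hostname: str | None       # None for file:///... and mailto:
    port: int | None           # explicit port, else the protocol's well-known one
    path: str                  # directory part, always ends with "/"
    document: str              # file name, "" when the URL ends in "/"
    query: str                 # text after "?", passed to the server application
    anchor: str                # named anchor after "#", never sent to the server
    userinfo: str | None       # "user" or "user:password" before "@", if any
    handed_off: bool


def split_url(url: str) -> UrlParts:
    parts = urlsplit(url)
    protocol = parts.scheme.lower()
    directory, _, document = parts.path.rpartition("/")
    userinfo = parts.netloc.rpartition("@")[0] if "@" in parts.netloc else None
    return UrlParts(
        protocol=protocol,
        hostname=parts.hostname,
        port=parts.port if parts.port is not None else DEFAULT_PORTS.get(protocol),
        path=directory + "/",
        document=document,
        query=parts.query,
        anchor=parts.fragment,
        userinfo=userinfo,
        handed_off=protocol in HANDED_OFF,
    )


def looks_like_host_spoof(url: str) -> bool:
    """True when the user-information part itself looks like a host name.

    http://www.contoso.com@203.0.113.5/ shows a familiar name, but the host
    that is contacted is 203.0.113.5. Internet Explorer 6 received an update
    in 2004 that refuses http and https URLs carrying user information for
    this reason; other clients and log parsers still need to check.
    """
    parts = split_url(url)
    if parts.userinfo is None:
        return False
    user = parts.userinfo.split(":", 1)[0]
    return "." in user


def describe(url: str) -> str:
    """One-line summary in the order Figure 12-9 uses."""
    p = split_url(url)
    return (f"protocol={p.protocol} host={p.hostname} port={p.port} "
            f"path={p.path} document={p.document!r} anchor={p.anchor!r}")


if __name__ == "__main__":
    print(describe("http://www.contoso.com:5680/docfiles/document_list.html#finance"))
    print(looks_like_host_spoof("http://www.contoso.com@203.0.113.5/login"))
```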
Connecting to Web Site Resources
By far the most common use of Internet Explorer is for entering a URL in the
Address bar to open the requested document in the Internet Explorer window.
Users enter the URL as a string (such as www.microsoft.com), and Internet
Explorer opens the default document from that address (Figure 12-10).
Figure 12-10 The microsoft.com site in Internet Explorer
Other ways to access Web site resources include clicking on a hyperlink in
another Web document or in an e-mail. The hyperlink is interpreted by the system, Internet Explorer (or the default Web browser) opens, and the document is
requested from the specified host.
Accessing FTP Resources
You can also use Internet Explorer to access remote FTP servers (instead of using
the command-line FTP program included with Windows XP). If you enter ftp://
servername/directoryname/filename, Internet Explorer opens the FTP site and
requests the named document or opens the named folder. Some FTP sites require users to enter a username and password to access FTP resources on that site. If you need to enter a username and password, choose File | Login As to open the Log On As dialog box (Figure 12-11). Keep in mind that FTP sends the username and password across the network in clear text, so do not reuse a Windows or other sensitive password for an FTP account.
Figure 12-11 Logging on to an FTP server
Once a folder is open on an FTP site, Internet Explorer presents a folder view
similar to a standard Windows XP folder view. A user who has the appropriate
permissions can save, edit, or delete files from the FTP “folder.”
Accessing Web Folders
Using a technology called Web Distributed Authoring and Versioning
(WebDAV), Internet servers can make document repositories available to
clients. Windows XP and Internet Explorer can access shared resources on
WebDAV servers.
To access a Web folder using Internet Explorer, take the following steps:
1. In Internet Explorer, choose File | Open.
2. Enter the URL of the Web folder, and select the Open As Web Folder
option.
3. Internet Explorer opens the Web folder in a standard Windows XP
folder view.
Web folders behave exactly like file system folders; they allow users with the
appropriate permissions to open, edit, save, and delete documents in the
folder.
Connecting to Web Server–Based Applications
Many specialized applications exist on Web servers that use more than just plain
HTML to perform their functions. For example, some applications written using
the .NET Framework can leverage sophisticated back-end programs developed in
one of several compatible languages, such as Visual Basic or C#, and present the
interface to a client running Internet Explorer. No special accommodations are
needed on the client end to access these applications. The client typically sees
only the URL used to access the application while the application runs within the
browser window.
NOTE
Some .NET applications use both client-side and server-side components to accomplish their tasks.
Other programs written in languages such as Java might require installation of a Java Virtual Machine (JVM) provided as part of the Java Runtime Environment (JRE), which is available for free from Sun Microsystems.
NOTE
Java-based server-side applications do not require a JVM on the client system.
MANAGING INTERNET EXPLORER SECURITY SETTINGS
Internet users can have heated debates on the relative merits and deficiencies of
the various browser platforms. The fact remains that Internet Explorer is the
browser most closely integrated with Windows XP Professional. In addition to
supporting all major W3C browser standards, it can be customized, and even
branded, by computer manufacturers and ISPs; managed remotely using Group
Policies; and updated for known security vulnerabilities via Microsoft’s Automatic
Updates feature.
Overview of Internet Explorer Security Features
Other browsers without ActiveX support might initially appear to be more secure
than Internet Explorer, but they fall short in terms of functionality and manageability. Internet Explorer also has much stronger security features in Windows XP
Service Pack 2, including the ability to block pop-up windows and the ability to
manage browser helper objects (BHOs) and other add-ons with Add-On Manager
(Figure 12-12).
Figure 12-12 Add-On Manager displaying loaded add-ons on a Windows XP SP2 system
You can also use Web content zones (Figure 12-13) in Internet Explorer to
restrict the level of privilege a remote application has on the local system.
For instance, you can limit ActiveX support to downloading and running
approved ActiveX controls in the Internet zone, blocking the downloading of
suspicious controls.
Figure 12-13 Internet Explorer Web content zones
You can manage Internet Explorer security configuration using local Group Policy (the Group Policy Object Editor, Gpedit.msc) or domain-based Group Policy to implement security best practices across one or thousands of systems. Administrators thus have the ability to apply security configurations consistently and comprehensively.
Managing URL Actions for Web Content Zones
Before we launch into a discussion of Web content zones, let’s examine the
settings that are configured for each zone. You can view these settings, called URL
actions, by choosing Tools | Internet Options in Internet Explorer. On the Security tab of the Internet Options dialog box, click Custom Level for any Web
content zone. You will see a list of URL actions (Figure 12-14) with Disable and
Enable options and occasionally Administrator Approved and Prompt options.
Figure 12-14 URL actions for the Internet zone
Let’s look at the individual URL actions that can be configured in each zone.
.NET Framework settings
This category of options configures the behavior of Internet Explorer with
Web components designed to support the .NET Framework, an environment for
building and running Web services and applications. You can manage the following .NET Framework settings:
■ Run Components Not Signed With Authenticode: Controls whether Internet Explorer will run a .NET Framework component that has not been signed with an Authenticode code-signing certificate. Unsigned components pose a risk because the user has no assurance that the author is who he claims to be or that the program has not been modified by an attacker. The options available for this setting are Disable, Enable, and Prompt.
NOTE
The options Disable, Enable, and Prompt must be read in the context of the setting's description. When you manage these settings, consider each option as preceding the setting. For example, "(Disable) Run components not signed with Authenticode" makes more sense than "Run components not signed with Authenticode (Disable)." Prompt configures Internet Explorer to ask the user when a Web page requests a controlled component.
■ Run Components Signed With Authenticode: Enables or disables the running of Authenticode-signed components. A valid signature proves who published the component and that it has not been altered since signing; it does not prove that the publisher is trustworthy. By disabling both signed and unsigned components, you can completely disable .NET Framework components. The options available for this setting are Disable, Enable, and Prompt.
ActiveX controls and plug-ins
ActiveX controls are powerful tools for distributing Web applications and services. They do pose a risk, however, because malicious controls can be used to
load backdoor programs or damage data on the systems of unsuspecting users.
The ActiveX settings you can manage are:
■ Automatic Prompting For ActiveX Controls: Specifies whether Internet Explorer will notify users that the Web page they are loading contains an ActiveX control. If this setting is enabled, a prompt opens when a Web page attempts to load an ActiveX control that has not yet been installed on the system. If this setting is disabled, the control is blocked and the Internet Explorer Information Bar is presented to ask the user what to do.
NOTE
The Information Bar is a new feature of Internet Explorer in Windows XP SP2. It alerts users to blocked downloads, pop-ups, and controls and gives the user an opportunity to accept or reject the blocked content.
■ Binary And Script Behaviors: Binary behaviors and script behaviors are prepackaged bits of code that can be called by HTML commands on a Web page. An example of a behavior is any Windows Media behavior that can be called with the appropriate HTML commands. The options for this setting are to allow only administrator-approved behaviors, disable behaviors, or enable behaviors.
NOTE
You can authorize administrator-approved behaviors by using the Group Policy Object Editor (Gpedit.msc). Look for the Binary Behavior Security Restriction policy (Figure 12-15).
Figure 12-15 Configuring the Binary Behavior Security Restriction setting in the Group Policy Object Editor
■ Download Signed ActiveX Controls: Enables or disables downloading of signed ActiveX controls. The options available for this setting are Disable, Enable, and Prompt.
■ Download Unsigned ActiveX Controls: Enables or disables downloading of unsigned ActiveX controls. An unsigned control carries no publisher identity at all, so this is normally left disabled. The options available for this setting are Disable, Enable, and Prompt.
■ Initialize And Script ActiveX Controls Not Marked As Safe: Enables or disables initialization and scripting of ActiveX controls whose authors did not mark them as safe for those operations. When enabled, this option allows any installed ActiveX control to be initialized with page-supplied data and driven by page script, including controls that were never designed to be exposed to untrusted content. This option is not recommended for security reasons, but you can use it in highly trusted zones where the sites and their controls are known. The options available for this setting are Disable, Enable, and Prompt.
■ Run ActiveX Controls And Plug-ins: Enables or disables running of ActiveX controls for the specified zone. The options available for this setting are Administrator Approved, Disable, Enable, and Prompt.
NOTE
You manage administrator-approved ActiveX controls using Group Policy in the same way that you manage administrator-approved behaviors.
■ Script ActiveX Controls Marked Safe For Scripting: Specifies whether ActiveX controls that have been marked as safe for scripting can be called on by scripts in Web pages in the specified zone. The options available for this setting are Disable, Enable, and Prompt.
Downloads
You can prevent users from downloading files using Internet Explorer by configuring the Download options:
■ Automatic Prompting For File Downloads: Specifies whether Internet Explorer shows the file download dialog box for downloads that a Web page starts on its own, as opposed to downloads the user initiates by clicking a link. When this option is enabled, such downloads prompt the user; when it is disabled, they are blocked and the Information Bar is shown instead. The options available for this setting are Disable and Enable.
■ File Download: Enables or disables file downloads. The options available for this setting are Disable and Enable.
■ Font Download: Specifies the response to a Web page attempting to download HTML fonts to the browser. The options available for this setting are Disable, Enable, and Prompt.
Miscellaneous settings
These are settings that do not fit one of the other main categories.
■ Access Data Sources Across Domains: Specifies whether a Web page can instruct Internet Explorer to retrieve data from another site using Microsoft data access technologies (for example, data binding controls and XMLHTTP requests). Allowing this lets a page read responses from other origins, which is why the Internet zone defaults to Disable. The options available for this setting are Disable, Enable, and Prompt.
■ Allow META REFRESH: Specifies whether a Web page will be allowed to redirect your browser to another site through the use of a META REFRESH tag. The options available for this setting are Disable and Enable.
■ Allow Scripting Of Internet Explorer Webbrowser Control: Specifies whether scripts can control the WebBrowser ActiveX control. This control is a component of Internet Explorer that can be used by developers to provide Web browsing features in another application. By default, the control is not marked as "safe for scripting," which means it cannot be called by scripts. The options available for this setting are Disable and Enable.
■ Allow Script Initiated Windows Without Size Or Position Constraints: Specifies whether Web page scripts can open pop-up windows that are placed or sized without the usual constraints, such as windows that extend off the screen or cover the browser's title and status bars. Unconstrained windows can be used to disguise a site's real address, so by default this action is not allowed. The options available for this setting are Disable, Enable, and Prompt.
■ Allow Web Pages To Use Restricted Protocols For Active Content: Specifies whether Internet Explorer can use a protocol that has been restricted by an administrator through use of the Network Protocol Lockdown Group Policy. The options available for this setting are Disable, Enable, and Prompt.
■ Display Mixed Content: Specifies what Internet Explorer does when a page loaded over HTTPS also references content over plain HTTP. Enable shows the mixed page silently, Disable shows only the secure items, and Prompt shows the message "This page contains both secure and non-secure items. Do you want to display the non-secure items?" Because the nonsecure items can be altered in transit, silently mixing them into a secure page undermines what the lock icon promises. The options available for this setting are Disable, Enable, and Prompt.
■ Don't Prompt For Client Certificate Selection When No Certificates Or One Certificate Exists: Specifies whether users are spared the certificate prompt when they have only one certificate to choose from or have no certificates for client authentication. When a user accesses a Web site that uses digital certificates to authenticate users, the user might otherwise be prompted to indicate which certificate to use to authenticate to the Web site. The options available for this setting are Disable and Enable.
■ Drag And Drop Or Copy And Paste Files: Specifies whether users can use drag-and-drop or copy-and-paste operations to save files from the zone to their system. The options available for this setting are Disable, Enable, and Prompt.
■ Installation Of Desktop Items: Specifies whether users can install Active Desktop Web components using sites or pages from the specified zone. The options available for this setting are Disable, Enable, and Prompt.
■ Launching Programs And Files In An IFRAME: Specifies whether programs or files can be launched from inside inline frames, which are essentially free-form frames inside Web pages. The options available for this setting are Disable, Enable, and Prompt.
■ Navigate Sub-Frames Across Different Domains: Specifies whether Web pages can load subframes that are hosted by domains other than the Web page's own. Allowing this lets a page from one domain frame content from another, a common ingredient of spoofing attacks. The options available for this setting are Disable, Enable, and Prompt.
■ Open Files Based On Content, Not File Extension: Specifies whether Internet Explorer will attempt to detect the type of file it is opening by examining its binary signature instead of its file extension. Enabling this setting prevents file extension spoofing (an executable renamed with a harmless extension), but the same content sniffing can also cause a file the server labelled as plain text or an image to be rendered as HTML, so do not rely on it in place of correct server-side content types. The options available for this setting are Disable and Enable.
■ Software Channel Permissions: Controls the response of Internet Explorer to software updates distributed over software update channels. Software update channels are subscription-based notification channels that third-party software publishers can use to notify their users about news and updates. The options for this setting are Low Safety, Medium Safety, and High Safety. Low Safety allows the software to be automatically downloaded and installed. Medium Safety allows software to be downloaded but not installed automatically. High Safety prevents automatic download of software.
■ Submit Non-Encrypted Form Data: Specifies whether users can submit data from forms whose target is not an HTTPS address. The options available for this setting are Disable, Enable, and Prompt.
■ Use Pop-Up Blocker: Specifies whether Pop-Up Blocker is activated for the specified zone. The options available for this setting are Disable and Enable.
■ Userdata Persistence: Specifies whether Internet Explorer will retain user data information for successive visits to a page. Data persistence allows code in a Web page to store user data in an XML repository on the client to be used on later visits. This data can consist of configuration preferences, form fields, even online game settings and scores. Disabling this setting prevents pages in the zone from storing such data, so anything the page would have remembered must be entered again on the next visit. The options available for this setting are Disable and Enable.
■ Web Sites In Less Privileged Web Content Zone Can Navigate Into This Zone: Specifies whether Web sites in more restrictive zones can open sites in this, less restricted, zone. Enabling this setting creates the potential for zone elevation, so it is best to disable it. The options available for this setting are Disable, Enable, and Prompt.
NOTE
Many of the settings discussed here are designed to prevent cross-site scripting attacks and zone elevation attacks. Cross-site scripting happens when an attacker gets script into content served by a legitimate site (for example, through an unfiltered form field or URL parameter) so that the script runs in victims' browsers with the legitimate site's privileges, where it can read their cookies and form data or present forms that send private information to the attacker's server. Zone elevation is the use of content in one zone to leverage scripts or controls from a site in a less restrictive zone (such as the Local Machine zone) to carry out malicious actions.
Scripting settings
Settings in this category control how Internet Explorer responds to scripts in
Web pages.
■ Active Scripting: Enables or disables all Web page scripts. The options available for this setting are Disable, Enable, and Prompt.
■ Allow Paste Operations Via Script: Controls a script's ability to read from or write to the Windows Clipboard. Allowing it lets any page in the zone read whatever the user last copied, which might be a password. The options available for this setting are Disable, Enable, and Prompt.
■ Scripting Of Java Applets: Specifies whether scripts are allowed to access Java applets. The options available for this setting are Disable, Enable, and Prompt.
User Authentication
This setting controls how browser authentication is performed. The single setting in this category, Logon, has four options:
■ Anonymous Logon: Disables HTTP authentication with the logged-on user's Windows credentials. Internet Explorer will not transmit that username or password.
■ Prompt For User Name And Password: Queries users for user IDs and passwords for sites in all zones. Once provided, these values can be used silently for the remainder of the session.
■ Automatic Logon Only In Intranet Zone: Allows automatic authentication using the current username and password for sites in the Intranet zone. Queries users for user IDs and passwords for sites in all other zones. Once provided, these values can be used silently for the remainder of the session.
■ Automatic Logon With Current User Name And Password: Attempts logon using Windows NT challenge/response (NTLM) authentication. If Windows NT challenge/response is not supported by the server, the user is queried to provide a username and password.
Automatic logon to a server outside your network means Internet Explorer answers that server's NTLM challenge with material derived from the user's domain password, which the server's operator can capture for offline cracking or relay to another service that accepts the same credentials. For this reason the Internet zone should never be set to Automatic Logon With Current User Name And Password; keep it at Automatic Logon Only In Intranet Zone (the Medium template default) or stricter.
Web Content Zones
The URL action settings would be hopelessly complex to administer if there were
not some way to consolidate them and apply them to specific sites. For this purpose, Microsoft has designed Web content zones. You can use these zones, also
known as security zones, to configure your browser’s response to a group of sites
with similar levels of trust. Let’s explore these zones from most restrictive (least
privileged) to least restrictive (most privileged).
■ Restricted Sites zone: Contains sites that are suspected of containing malicious code. Default settings for this zone are very restrictive to eliminate the possibility that malicious content will be activated.
■ Internet zone: Contains all sites not otherwise designated. The settings defined for this zone balance security with functionality. Most security-related settings are configured to prompt the user for acceptance of questionable content.
■ Local Intranet zone: Defines domains, sites, and hosts that have an elevated level of trust. The default settings for this zone relax the requirements somewhat because sites in this zone are more trusted than those in the Internet and Restricted Sites zones.
■ Trusted Sites zone: Contains sites explicitly trusted by the user. Most prompts are turned off, and most content is executed by default.
■ Locked-Down Local Machine zone: A special zone, introduced with Windows XP SP2, that adds an extra measure of security by locking down the Local Machine zone. Processes that opt in to Local Machine Zone Lockdown (Internet Explorer does by default) apply this zone's more restrictive settings to local HTML content; when active content in a local file is blocked as a result, the Information Bar appears and the user can choose whether to allow it.
■ Local Machine zone: Defines objects that exist on the local system. These might include HTML-formatted documents and tools located on the local system. This zone does not apply to content accessed from the browser cache. Cached content is activated in the zone of the site from which it was downloaded.
NOTE
The Local Machine and Locked-Down Local Machine zones are not visible on the Security tab. This protects these very privileged zones from inadvertent misconfiguration. You can manage these zones by using Group Policy settings, either locally with the Group Policy Object Editor or remotely using Active Directory group policy objects.
Managing Web content zones
You can manage individual settings for Web content zones by clicking the
Custom Level button for the zone. This opens the Security Settings dialog box
(Figure 12-16). You can select options to create a custom security configuration
for that zone.
Figure 12-16 Setting URL actions in the Internet Web content zone
URL action templates
To make setting multiple options simpler for users and administrators, Microsoft
has defined templates that can apply all settings at once to achieve a specific level
of security. Available templates are:
■ Low: Used mostly for Web content zones that contain trusted sites. This is the default security level for the Trusted Sites zone.
■ Medium-low: For Web content zones that contain sites that are probably safe. This is the default security level for the Local Intranet zone.
■ Medium: For zones with sites that require a balance between safety and functionality. This is the default security level for the Internet zone.
■ High: For zones that contain sites that can be expected to try to harm your system. This is the default security level for the Restricted Sites zone.
To assign a template to a Web content zone, you can move the slider control on
the Security tab to your preferred setting (Figure 12-17).
Figure 12-17 Setting the Internet Web content zone to the High template setting
Adding sites to Web content zones
You can add Web sites to the Restricted, Intranet, and Trusted Sites zones. The
Internet zone comprises Internet sites that are not assigned to any other zone.
The Local Machine and Locked-Down Local Machine zones are restricted to Web
content that originates on the local system, so sites cannot be added to these
zones.
To add a site to a Web content zone, take the following steps:
1. Choose Tools | Internet Options | Security.
2. Select the zone you want to administer.
3. Click the Sites button to open the dialog box for that zone. The Local Intranet zone will prompt for inclusion settings (Figure 12-18) that Internet Explorer can use to decide which sites are intranet sites: local sites not listed in other zones (host names without a dot), sites that bypass the proxy server, and network paths (UNCs).
Figure 12-18 Defining inclusion settings for the Local Intranet Web content zone
4. Click Advanced to open the sites list for this zone (Figure 12-19).
Figure 12-19 Adding sites to the Intranet Web content zone
5. In the Add This Web Site To The Zone dialog box, type the URL for the site you want to add. Click Add. Entries can use a wildcard, such as *.contoso.com, so be careful not to trust a whole domain when you mean one host. The Trusted Sites dialog box also offers Require Server Verification (https:) For All Sites In This Zone; leaving it selected ensures that a trusted site proves its identity before its content receives the zone's privileges.
NOTE
The Trusted Sites and Restricted Sites Web content zones do not display the inclusion settings dialog box shown in Figure 12-18.
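The following Python function, added here as an example and not code from the book, applies the rules above to decide which zone a URL lands in, then evaluates the "Web sites in less privileged Web content zone can navigate into this zone" URL action for a navigation between two zones. The site lists, proxy exceptions and URLs it uses are invented for the demonstration, and the three include_* keyword arguments stand for the check boxes of Figure 12-18.

```python
"""Assign a URL to an Internet Explorer Web content zone: an added example,
not code from the book.

Follows the rules the Security tab exposes: the Restricted Sites and Trusted
Sites lists (wildcard entries such as *.contoso.com, as the Sites dialog
boxes accept), the three Local Intranet inclusion settings of Figure 12-18,
local files in the Local Machine zone, and everything else in the Internet
zone. Site lists, hosts and URLs are constructed for the demonstration.
"""
from __future__ import annotations

from collections.abc import Sequence
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

RESTRICTED, INTERNET, INTRANET, TRUSTED, LOCAL_MACHINE = (
    "Restricted Sites", "Internet", "Local Intranet", "Trusted Sites", "Local Machine")
# Least to most privileged, the order the book lists the zones in.
PRIVILEGE = {RESTRICTED: 0, INTERNET: 1, INTRANET: 2, TRUSTED: 3, LOCAL_MACHINE: 4}


def matches_any(host: str, patterns: Sequence[str]) -> bool:
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def zone_for(url: str, *, restricted: Sequence[str] = (), trusted: Sequence[str] = (),
             intranet_sites: Sequence[str] = (), proxy_exceptions: Sequence[str] = (),
             include_local_sites: bool = True, include_proxy_bypass: bool = True,
             include_unc: bool = True) -> str:
    """Zone Internet Explorer would put url in, given the Security tab's lists.

    The include_* flags are the check boxes of Figure 12-18. The <local>
    token of the proxy Exceptions list is covered by include_local_sites,
    so it is skipped when the bypass patterns are matched.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    if scheme == "file":
        if not host:
            return LOCAL_MACHINE                      # file:///c:/... on this machine
        return INTRANET if include_unc else INTERNET  # file://server/share, a UNC path
    if matches_any(host, restricted):                 # an explicit listing wins
        return RESTRICTED
    if matches_any(host, trusted):
        return TRUSTED
    if matches_any(host, intranet_sites):
        return INTRANET
    if include_local_sites and host and "." not in host:
        return INTRANET                               # http://payroll/ style names
    bypass = [p for p in proxy_exceptions if p != "<local>"]
    if include_proxy_bypass and matches_any(host, bypass):
        return INTRANET
    return INTERNET


def navigation_allowed(from_zone: str, to_zone: str, *, less_privileged_may_navigate: bool) -> bool:
    """A page in from_zone opens a URL in to_zone.

    Moving to an equally or less privileged zone is always fine; moving up
    is decided by the URL action configured in to_zone (Disable is the safe
    choice, and is what the argument False represents).
    """
    if PRIVILEGE[from_zone] >= PRIVILEGE[to_zone]:
        return True
    return less_privileged_may_navigate


if __name__ == "__main__":
    lists = {"restricted": ["evil.contoso.com"], "trusted": ["*.contoso.com"],
             "proxy_exceptions": ["10.*", "<local>"]}
    for u in ("http://payroll/", "https://bank.contoso.com/", "http://evil.contoso.com/",
              "http://10.1.2.3/", "http://www.example.org/", "file:///c:/deploy/index.htm"):
        print(u, "->", zone_for(u, **lists))
    print(navigation_allowed(INTERNET, INTRANET, less_privileged_may_navigate=False))
```

The dotless-name rule deserves attention on laptops that leave the office: Windows XP resolves a name without dots through NetBIOS or WINS as well as DNS, so on a foreign network any host that answers such a name is granted Local Intranet privileges. Clearing the first check box of Figure 12-18 on such machines, or keeping the Local Intranet template close to Medium, limits what that buys an attacker.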
Advanced Internet Security Options
In addition to the security settings on the Security tab in the Internet Options
dialog box, you’ll find more security settings on the Advanced tab. These settings
control additional security-related options for Internet Explorer. There are many
possible combinations of settings. When you configure these settings, you must
keep in mind what the system is being used for because these settings are not
one-size-fits-all.
■
Allow Active Content From CDs To Run On My Computer Allows
active HTML content on a CD-ROM to run without prompting the user.
CHAPTER 12:
MANAGING INTERNET EXPLORER CONNECTIONS AND SECURITY
■ Allow Active Content To Run In Files On My Computer  Allows active content in files on the local system to run. Windows XP SP2 locks down the My Computer zone for exactly this case, so leave the option cleared unless a local application requires it.
■ Allow Software To Run Or Install Even If The Signature Is Invalid  Allows the user to run or install software whose Authenticode signature is missing or fails to verify. Leave this cleared; an invalid signature means the code cannot be tied to any publisher.
■ Check For Publisher's Certificate Revocation  Checks a software publisher's code-signing certificate against the issuing authority's certificate revocation list (CRL) to see whether the certificate has been revoked.
■ Check For Server Certificate Revocation (Requires Restart)  Checks a Web server's SSL certificate against the issuing authority's revocation list to see whether the certificate has been revoked. Both revocation checks require that the CRL can be downloaded from the issuing authority, so they add latency and depend on the CRL distribution point being reachable.
■ Check For Signatures On Downloaded Programs  Verifies the Authenticode signature of downloaded programs and shows the publisher's certificate so that the user can inspect it before running the program.
■ Do Not Save Encrypted Pages To Disk  Causes Internet Explorer to keep pages retrieved over SSL in memory rather than writing them to the Temporary Internet Files folder. This prevents pages that contain account details or other private data from remaining on disk after the session. It can also break file downloads from some SSL sites, so test it before deploying it widely.
■ Empty Temporary Internet Files Folder When Browser Is Closed  Causes Internet Explorer to delete the contents of its cache when the user closes the browser.
■ Enable Integrated Windows Authentication (Requires Restart)  Allows Internet Explorer to answer a server's Negotiate or NTLM authentication challenge with the logged-on user's Windows credentials. Whether those credentials are sent automatically or only after a prompt is governed by the User Authentication logon setting of the zone the site falls in; by default, automatic logon is allowed only for the Local Intranet zone.
■ Enable Profile Assistant  Enables Profile Assistant, the feature of Internet Explorer that stores personal information such as name and address and offers it to Web sites that request it for form completion.
■ Use SSL 2.0  Enables the SSL version 2 protocol for connections to secure Web servers. SSL 2.0 has well-known weaknesses and current servers do not need it; clear this option unless a legacy server requires it.
■ Use SSL 3.0  Enables the SSL version 3 protocol for connections to secure Web servers. SSL 3.0 corrected the major flaws of SSL 2.0.
■ Use TLS 1.0  Enables Transport Layer Security (TLS) version 1.0, the standardized successor to SSL 3.0. Selecting this option does not force TLS: Internet Explorer negotiates the most recent version that is enabled in both the browser and the server. TLS 1.0 becomes mandatory only if you also clear Use SSL 2.0 and Use SSL 3.0, in which case sites that support only SSL will not load.
■ Warn About Invalid Site Certificates  Causes Internet Explorer to prompt the user when the certificate presented by a site has expired, was not issued by a trusted authority, or does not match the name of the site.
■ Warn If Changing Between Secure And Not Secure Mode  Directs Internet Explorer to warn the user when navigation moves from an SSL-protected page to an unprotected one, or back.
■ Warn If Forms Submittal Is Being Redirected  Causes Internet Explorer to warn the user when data entered in a form is about to be sent to a site other than the one that served the form.
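The protocol and authentication check boxes above are stored per user in the registry, and auditing them there is faster than opening the dialog box on every machine. The following PowerShell script is an added example, not part of the book. It assumes the value names Internet Explorer uses under the current user's Internet Settings key (SecureProtocols as a bit mask behind the Use SSL 2.0, Use SSL 3.0 and Use TLS 1.0 boxes, and the 1A00 value in each Zones subkey for the User Authentication logon setting); the book does not list these, nor the default mask assumed when the value is absent.

```powershell
# Added example (not from the book). Reads and hardens the protocol and logon
# settings that the Advanced tab and the zone Security Settings dialog write to
# the registry. Value names and bit assignments are assumptions about Internet
# Explorer's storage format; they are not given in the book.
$InternetSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# SecureProtocols is a bit mask with one bit per protocol version. The TLS 1.1
# and 1.2 bits exist only in later browser versions; they are decoded so that
# they are not reported as unknown.
$ProtocolBits = @(
    @{ Name = 'SSL 2.0'; Bit = 0x08  },
    @{ Name = 'SSL 3.0'; Bit = 0x20  },
    @{ Name = 'TLS 1.0'; Bit = 0x80  },
    @{ Name = 'TLS 1.1'; Bit = 0x200 },
    @{ Name = 'TLS 1.2'; Bit = 0x800 }
)

function Get-EnabledSecureProtocols {
    # Returns the names of the protocol versions the current user's browser may negotiate.
    $item = Get-ItemProperty -Path $InternetSettings -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { $mask = 0x28 }    # assumed default when absent: SSL 2.0 + SSL 3.0
    else { $mask = [int]$item.SecureProtocols }
    $ProtocolBits | Where-Object { ($mask -band $_.Bit) -ne 0 } | ForEach-Object { $_.Name }
}

function Set-EnabledSecureProtocols {
    # Rewrites the mask so that only the named versions are enabled, e.g.
    # Set-EnabledSecureProtocols -Protocols 'SSL 3.0','TLS 1.0' clears Use SSL 2.0.
    param([string[]]$Protocols)
    $mask = 0
    foreach ($p in $ProtocolBits) { if ($Protocols -contains $p.Name) { $mask = $mask -bor $p.Bit } }
    if ($mask -eq 0) { throw 'Refusing to disable every protocol; no secure site would load.' }
    Set-ItemProperty -Path $InternetSettings -Name SecureProtocols -Value $mask -Type DWord
    return $mask
}

# The zone's User Authentication > Logon setting decides whether Integrated
# Windows Authentication releases the current credentials without asking.
$LogonPolicy = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneLogonPolicy {
    # Reports, per zone, how credentials are released. Any Internet-facing zone
    # (Trusted Sites, Internet, Restricted Sites) set to automatic logon is flagged:
    # a hostile server there can collect the user's NTLM response just by asking.
    foreach ($zone in 0..4) {
        $item = Get-ItemProperty -Path "$InternetSettings\Zones\$zone" -Name '1A00' -ErrorAction SilentlyContinue
        $value = if ($null -eq $item) { $null } else { [int]$item.'1A00' }
        $desc = if ($null -eq $value) { 'not set' }
                elseif ($LogonPolicy.ContainsKey($value)) { $LogonPolicy[$value] }
                else { 'unknown (0x{0:X})' -f $value }
        New-Object PSObject -Property @{
            Zone  = $ZoneNames[$zone]
            Logon = $desc
            Risky = ($value -eq 0 -and $zone -ge 2)
        }
    }
}

Get-EnabledSecureProtocols
Get-ZoneLogonPolicy | Format-Table Zone, Logon, Risky -AutoSize
```

Run the two report functions first; if SSL 2.0 appears in the list, `Set-EnabledSecureProtocols -Protocols 'SSL 3.0','TLS 1.0'` removes it without touching anything else in the mask. Internet Explorer reads these values at startup, so restart the browser after changing them, and remember that values delivered through Group Policy under the Policies keys take precedence over the per-user ones read here.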
MANAGING INTERNET EXPLORER PRIVACY SETTINGS
Privacy matters to every Internet user. Criminals make a good living stealing private information and using it in fraudulent transactions. Attacks on privacy range from phishing, a form of social engineering in which users are tricked into entering private information into a form or an e-mail message that appears to come from a trusted party, to spyware designed to watch where users navigate or to log their keystrokes.
In this section, we will discuss the privacy features of Internet Explorer. You will
learn about the settings you can use to protect users’ privacy and how to manage
private data stored on the system.
Cookies
Cookies hold data about a user, such as site preferences and, most importantly, a session identifier that stands in for the user's password after logon (some sites still store the password itself in a cookie, which is poor practice). These small text files are placed on your system by your browser at the instruction of a remote Web site. The site asks the browser to store certain items of data and reads them back on later visits, which is how it recognizes you and honors your preferences.
This is a great tool for Web designers who want to provide a customized experience to visitors. It does, however, raise privacy and security issues: anyone who can read a cookie that identifies a logon session can often use it to act as that user.
Types of cookies
Cookies are classified by how long they last and by the identity of the issuer:
■ Session cookies  These cookies are kept in memory and destroyed when you close your browser. They track information that pertains only to the current visit to a site, such as shopping cart data on an e-commerce site. A session cookie that carries a logon session identifier is as sensitive as the password for as long as the session lasts.
■ Persistent cookies  These cookies are stored on your hard disk and can be read by the Web site that set them until they reach the expiration date the site assigned. They are useful for remembering site display preferences or for recognizing a returning user.
■ First-party cookies  These cookies are set by the site shown in the Address bar. Most users allow first-party cookies because they serve legitimate usability purposes for the site.
■ Third-party cookies  These cookies are set by a different site whose content (an ad banner, an image, or a frame) is embedded in the page you loaded. Because the same third party can embed content in many sites, it can tell when you appear on each of them, follow your click stream, and compile a profile of your browsing habits.
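The distinctions in the list above are mechanical enough to script. The function below is an added example, not part of the book: given the URL in the Address bar, the URL of the response that set a cookie (the page itself, or an image, frame or ad it pulled in) and the raw Set-Cookie header, it reports whether the cookie is first- or third-party and session or persistent, and whether the response carried a P3P compact policy (the CP token in the P3P header, which the privacy slider discussed next depends on). The sample responses are constructed for illustration, and reducing a host name to its last two labels is a simplification of what the browser does.

```powershell
# Added example (not from the book). Classifies cookies the way the Privacy tab
# describes them. The sample headers below are constructed for illustration.

function Get-SiteName {
    # Reduce a host name to the site that owns it: www.adatum.com -> adatum.com.
    # Simplification: real browsers consult a public-suffix list so that, for
    # example, shop.example.co.uk and bank.example.co.uk are not treated as one site.
    param([string]$HostName)
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Count -le 2) { return $HostName.ToLower() }
    return ($labels[-2..-1] -join '.')
}

function Get-CookieClassification {
    param(
        [string]$PageUrl,          # the URL shown in the Address bar
        [string]$ResponseUrl,      # the URL whose response carried the Set-Cookie header
        [string]$SetCookie,        # raw Set-Cookie header value
        [string]$P3PHeader = ''    # raw P3P header value, '' if the response had none
    )
    $pageSite   = Get-SiteName -HostName ([Uri]$PageUrl).Host
    $cookieSite = Get-SiteName -HostName ([Uri]$ResponseUrl).Host
    $party = if ($pageSite -eq $cookieSite) { 'first-party' } else { 'third-party' }

    # A cookie is persistent only if the server gave it an expiry.
    $attributes = $SetCookie.Split(';') | ForEach-Object { $_.Trim() }
    $name = $attributes[0].Split('=')[0]
    $hasExpiry = [bool]($attributes | Where-Object { $_ -match '^(Expires|Max-Age)=' })
    $lifetime = if ($hasExpiry) { 'persistent' } else { 'session' }

    # The compact policy travels in the P3P response header as CP="...".
    $hasCompactPolicy = [bool]($P3PHeader -match 'CP\s*=\s*"[^"]+"')

    # Simplified Medium (default) behaviour: third-party cookies without a compact
    # policy are blocked. The real slider also inspects the policy's tokens for
    # use of personally identifiable information.
    $mediumAction = if ($party -eq 'third-party' -and -not $hasCompactPolicy) { 'block' } else { 'allow' }

    New-Object PSObject -Property @{
        Cookie = $name; Party = $party; Lifetime = $lifetime
        CompactPolicy = $hasCompactPolicy; MediumAction = $mediumAction
    }
}

# Constructed sample: a page on www.adatum.com that embeds a tracking pixel.
$page = 'https://www.adatum.com/account/'
$samples = @(
    @{ Response = $page;                                  Cookie = 'ASPSESSIONID=8f3a9c; Path=/; Secure';                                      P3P = '' },
    @{ Response = 'http://ads.tracker.example/pixel.gif'; Cookie = 'uid=42; Domain=.tracker.example; Expires=Fri, 31 Dec 2010 23:59:59 GMT'; P3P = '' },
    @{ Response = 'http://ads.tracker.example/pixel.gif'; Cookie = 'uid=42; Domain=.tracker.example; Max-Age=31536000';                    P3P = 'CP="NOI DSP COR NID"' }
)
$samples | ForEach-Object {
    Get-CookieClassification -PageUrl $page -ResponseUrl $_.Response -SetCookie $_.Cookie -P3PHeader $_.P3P
} | Format-Table Cookie, Party, Lifetime, CompactPolicy, MediumAction -AutoSize
```

With the constructed samples, the first cookie is classified first-party and session and is allowed; the second is third-party and persistent and, having no compact policy, is blocked; the third is identical except for the P3P header and is therefore allowed. That last result is the point to remember about compact policies: the browser acts on what the site declares, and nothing in the header proves the site honors it.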
Managing cookies
You can manage cookies by adjusting the privacy slider on the Privacy tab of the
Internet Options dialog box (Figure 12-20).
Figure 12-20 Configuring privacy settings
The privacy slider offers these levels (Medium is the default):
■ Block All Cookies  Blocks all sites from saving cookies on your system. Cookies already on your system cannot be read by any site.
■ High  Blocks cookies from any Web site that does not have a computer-readable privacy statement, called a compact policy, and cookies from any site that uses your personally identifiable information without your explicit consent.
■ Medium High  Blocks cookies from third-party Web sites that do not have a compact policy or that use your personal information without your explicit consent. Cookies from first-party sites that use your personal information without your implicit consent are also blocked.
■ Medium  Blocks cookies from third-party Web sites that do not have a compact policy or that use your personal information without your implicit consent. Cookies from first-party sites that use your personal information without your implicit consent are downgraded to session cookies and deleted when you close Internet Explorer.
■ Low  Blocks cookies from third-party Web sites that do not have a compact policy. Cookies from third-party Web sites that use your personal information without your implicit consent are deleted from your computer when you close Internet Explorer.
■ Accept All Cookies  Saves all cookies on your computer. Existing cookies can be read by the Web sites that created them.
NOTE  A compact policy is the machine-readable summary of a site's privacy policy defined by the Platform for Privacy Preferences (P3P) specification; the site sends it in the P3P HTTP response header. P3P is an open standard that lets users express their privacy preferences and have the browser apply them to the sites they visit. The slider decides only on what the site declares; it has no way to check that the site honors its own policy.
In addition to the slider, this section of the Privacy tab has four other controls:
■ Sites button  Opens the Per Site Privacy Actions dialog box, where you can name sites whose cookies are always allowed or always blocked, regardless of the slider setting.
■ Import button  Imports Internet Explorer privacy preferences from a customized privacy settings file based on the P3P specification. Users answer questions on a P3P preference site to create a profile, and the browser then adjusts its own privacy controls from that file.
■ Advanced button  Opens the Advanced Privacy Settings dialog box, where you can override automatic cookie handling and choose Accept, Block, or Prompt separately for first-party and third-party cookies, and choose whether session cookies are always allowed.
■ Default button  Returns the slider to the Medium setting.
Deleting cookies
Occasionally you might want to delete cookies that Web sites have stored on your system. You can do this by clicking the Delete Cookies button on the General tab of the Internet Options dialog box (Figure 12-21).
Figure 12-21 Deleting cookies in Internet Explorer
CAUTION  Delete Cookies removes every cookie, including persistent cookies you might want to keep. You will learn how to delete individual files later in the chapter.
Pop-Up Blocker
Blocking of pop-up windows was added in Windows XP SP2. You can configure the Pop-Up Blocker feature to suppress windows that sites open without the user asking for them, which is how many ads and some malicious downloads are presented. Pop-Up Blocker is managed from the Pop-Up Blocker Settings dialog box (Figure 12-22), which you can open from the Privacy tab of the Internet Options dialog box or from the Tools menu in Internet Explorer.
Figure 12-22 Configuring Pop-Up Blocker
Pop-Up Blocker offers three filter levels:
■ High  Blocks all pop-ups. This is the most restrictive setting. You can let an individual pop-up through by holding down the CTRL key while the window is opening.
■ Medium  Blocks most automatic pop-ups; windows opened in direct response to a click are allowed. This is the default.
■ Low  Allows pop-ups from sites that use SSL. The assumption is that you trust a site enough to have connected to it securely and will want the pop-ups it opens. Keep in mind that SSL only identifies the site; it says nothing about whether its pop-ups are wanted.
Pop-Up Blocker does not act on sites in the Local Intranet and Trusted Sites zones, so placing a site in either zone also exempts it from blocking.
When a pop-up is blocked, you can choose to play a sound or show the Information Bar to notify the user.
To configure Pop-Up Blocker to allow pop-ups from a site:
1. Choose Tools | Pop-Up Blocker | Pop-Up Blocker Settings.
2. In the Address Of Web Site To Allow box of the Pop-Up Blocker Settings dialog box, type the address of the site you want to allow.
3. Click Add.
Managing Internet Cache and History Data
Internet Explorer keeps a cache of recently loaded Web content so that the same content loads faster on subsequent visits. The cache reveals what you have been viewing and can be mined by anyone looking for information on your interests and browsing habits. The Internet Explorer History list likewise provides a trail of activity that exposes browsing patterns or personal associations you would rather keep private.
In this section, you will learn how to configure Internet cache and history settings to limit how much of this data is kept and to remove what has already been stored.
Configuring Internet caching
You can configure Internet caching by clicking the Settings button (Figure 12-23) on the General tab of the Internet Options dialog box.
Figure 12-23 The General tab of the Internet Options dialog box
Clicking the Settings button opens the Settings dialog box (Figure 12-24).
Figure 12-24 The Settings dialog box for the Temporary Internet Files folder
This dialog box includes the following settings:
■ Check For Newer Versions Of Stored Pages  Allows the user to select one of four options:
❑ Every Visit To The Page  Checks whether the page has been updated with newer content on every visit to the page.
❑ Every Time You Start Internet Explorer  Causes Internet Explorer to check for newer content once for each browsing session.
❑ Automatically  Causes Internet Explorer to check for newer content once for each browsing session initially, and then less often for pages whose content is not changing.
❑ Never  Causes Internet Explorer never to check for newer content.
NOTE  Whatever option is selected, Internet Explorer loads the latest version of a page when you click the Refresh button or press the F5 key.
■ Temporary Internet Files Folder  A section of the Settings dialog box where you can configure the size and location of the Temporary Internet Files folder. You can also view and manage the contents of the folder by clicking the View Files button or the View Objects button. Settings in this section include:
❑ Amount Of Disk Space To Use  Controls the size of the Temporary Internet Files folder. Drag the slider to the left or right to select the desired size. A smaller cache limits how much browsing evidence accumulates on disk.
❑ Move Folder button  Lets you browse to a new location for the Temporary Internet Files folder.
❑ View Files button  Opens the Temporary Internet Files folder in a window where you can browse and delete individual files. This is where you can find and delete individual cookies.
❑ View Objects button  Presents a list of objects (such as ActiveX controls) that have been downloaded during browsing. Reviewing this list is a quick way to spot controls you do not recognize.
Deleting temporary Internet files
To delete the contents of the Temporary Internet Files folder, click the Delete Files button on the General tab of the Internet Options dialog box. This opens the Delete Files dialog box (Figure 12-25), where you can also select the option to delete any files your system has downloaded for offline browsing.
NOTE  Offline browsing differs from Internet caching in that the files required for offline browsing are synchronized with the site while you are online, whether or not you visit the site, and are then available for use offline. Cached files, on the other hand, are stored only when a site is visited. Offline files are stored separately from cached files to prevent their unintentional deletion, which is why you must explicitly select them in the Delete Files dialog box.
Deleting files this way removes them from the folder but does not overwrite the disk space they occupied, so recovery tools can often read recently deleted cache content. Where that matters, prefer not storing the data in the first place (for example, Do Not Save Encrypted Pages To Disk) over deleting it afterward.
Figure 12-25 Deleting temporary Internet files
Configuring Internet Explorer history settings
Internet Explorer maintains a list of the Web pages visited. By default, 20 days of browsing history are kept (Figure 12-26).
Figure 12-26 Internet Explorer history settings
You can configure the number of days to keep history by selecting a number from 0 (no history) to 999. You can click the Clear History button to clear the currently stored history. This clears both the items in the History folder and the Address bar's list of sites visited (Figure 12-27).
Figure 12-27 Internet Explorer History folder contents and the Sites Visited history in the Address bar
AutoComplete and Internet Explorer Password Caching
The AutoComplete feature of Internet Explorer and Internet Explorer password caching can expose your private information under certain circumstances. These features retain the items entered into fields in online forms and in password boxes. Anyone with the right tools and access to your computer (or to a copy of your user profile) can read these stores and recover data you have entered into Web forms, such as your banking password, Social Security number, government ID, or credit card number. For this reason, knowing your configuration options for AutoComplete is important to your privacy and security.
Configuring AutoComplete
You can use AutoComplete to fill in Web addresses as you type them, fill in fields in forms, and even fill in password fields to help you authenticate to Web sites. The information you enter is stored in your user profile, so anyone who can log on as you, or who obtains your profile, can retrieve it.
The options for managing AutoComplete include disabling it entirely or allowing it to remember Web addresses, form entries, and passwords. You can also clear stored form entries and passwords.
To configure AutoComplete settings, take the following steps:
1. In Internet Explorer, choose Tools | Internet Options and then select the Content tab.
2. Click the AutoComplete button to open the AutoComplete Settings dialog box (Figure 12-28).
3. Choose the settings appropriate for your privacy needs, or click Clear Forms or Clear Passwords as appropriate.
Figure 12-28 Managing AutoComplete and password cache settings
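The AutoComplete, cache, history and pop-up settings in this section, like the warning options on the Advanced tab, are per-user registry values. That makes them easy to audit across many machines, and equally easy for a user or a piece of spyware to turn back off. The following PowerShell functions are an added example, not part of the book. The key paths and value names are assumptions about where Internet Explorer stores each check box; the book does not list them, and later browser versions store some of them (the Pop-Up Blocker switch, for instance) with a different type.

```powershell
# Added example (not from the book). Audits and applies the privacy-related
# settings from this chapter. Registry locations are assumptions about Internet
# Explorer's storage format and are not given in the book.
$IS   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$Main = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

# Desired state. Purpose is the dialog-box label the value corresponds to.
$DesiredSettings = @(
    @{ Purpose = 'Do Not Save Encrypted Pages To Disk';                          Path = $IS;               Name = 'DisableCachingOfSSLPages'; Value = 1;     Type = 'DWord'  },
    @{ Purpose = 'Empty Temporary Internet Files Folder When Browser Is Closed'; Path = "$IS\Cache";       Name = 'Persistent';               Value = 0;     Type = 'DWord'  },
    @{ Purpose = 'Days To Keep Pages In History';                                Path = "$IS\Url History"; Name = 'DaysToKeep';               Value = 0;     Type = 'DWord'  },
    @{ Purpose = 'Warn About Invalid Site Certificates';                         Path = $IS;               Name = 'WarnonBadCertRecving';     Value = 1;     Type = 'DWord'  },
    @{ Purpose = 'Warn If Changing Between Secure And Not Secure Mode';          Path = $IS;               Name = 'WarnOnZoneCrossing';       Value = 1;     Type = 'DWord'  },
    @{ Purpose = 'Warn If Forms Submittal Is Being Redirected';                  Path = $IS;               Name = 'WarnOnPostRedirect';       Value = 1;     Type = 'DWord'  },
    @{ Purpose = 'Check For Server Certificate Revocation';                      Path = $IS;               Name = 'CertificateRevocation';    Value = 1;     Type = 'DWord'  },
    # Windows XP SP2 stores the Pop-Up Blocker switch as the string yes/no.
    @{ Purpose = 'Pop-Up Blocker on';                                            Path = 'HKCU:\Software\Microsoft\Internet Explorer\New Windows'; Name = 'PopupMgr'; Value = 'yes'; Type = 'String' },
    @{ Purpose = 'AutoComplete: Forms off';                                      Path = $Main;             Name = 'Use FormSuggest';          Value = 'no';  Type = 'String' },
    @{ Purpose = 'AutoComplete: User names and passwords off';                   Path = $Main;             Name = 'FormSuggest Passwords';    Value = 'no';  Type = 'String' },
    @{ Purpose = 'AutoComplete: Prompt to save passwords off';                   Path = $Main;             Name = 'FormSuggest PW Ask';       Value = 'no';  Type = 'String' },
    @{ Purpose = 'AutoComplete: Web addresses off';                              Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete'; Name = 'AutoSuggest'; Value = 'no'; Type = 'String' }
)

function Test-IEPrivacySettings {
    # Reports each setting's actual value beside the desired one. A missing value
    # is reported as non-compliant, because the browser then uses its built-in default.
    foreach ($s in $DesiredSettings) {
        $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { $item.($s.Name) }
        New-Object PSObject -Property @{
            Setting   = $s.Purpose
            Expected  = $s.Value
            Actual    = $actual
            Compliant = ($null -ne $actual -and ("$actual" -eq "$($s.Value)"))
        }
    }
}

function Set-IEPrivacySettings {
    # Creates any missing key and writes every value with its proper registry type.
    foreach ($s in $DesiredSettings) {
        if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type $s.Type
    }
}

Test-IEPrivacySettings | Where-Object { -not $_.Compliant } | Format-Table Setting, Expected, Actual -AutoSize
```

Close Internet Explorer before calling `Set-IEPrivacySettings`; the browser writes several of these values back when it exits and would undo the change. Turning AutoComplete off does not erase what it has already saved, so still use the Clear Forms and Clear Passwords buttons described above, and note that settings delivered through Group Policy under the Policies keys override the per-user values this script manages.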
USING ADD-ON MANAGER TO CONTROL ADD-ON PROGRAMS
Internet Explorer uses add-on programs and browser helper objects (BHOs) to extend the browser. Some add-ons and BHOs are spyware and can be difficult to detect or remove without a dedicated anti-spyware tool.
Many add-on programs, such as the Shockwave Flash Object, display dynamic content in the browser. Others assist with forms or special graphic effects. Add-on programs can also, however, track your Internet usage or send your private data to third parties.
BHOs are components that load into the Internet Explorer process when it starts, which gives them access to everything the browser sees: every URL requested, every page rendered, and every form submitted. An example of a helpful BHO is a virus scanner that checks files as they are downloaded. Unfortunately, BHOs are not always helpful. Some hijack the browser and redirect you to sites or search engines when they detect keywords in the addresses you type or the searches you run. Often they send you to sites that pay them commissions based on the number of users delivered.
MORE INFO  For more information on how BHOs have been used to hijack Internet Explorer, read TechNet article 322178. Spyware protection tools such as Spybot S&D and Ad-Aware also offer excellent information on BHOs and other spyware on their Web sites.
You can manage add-ons and BHOs using Add-On Manager (Figure 12-29), which was added to Internet Explorer in Windows XP SP2. This tool lists the add-ons and BHOs that are installed or currently loaded on your system.
Figure 12-29 You can manage browser helper objects and add-ons with Add-On Manager.
To manage add-ons and BHOs:
1. Open Add-On Manager by choosing Tools | Manage Add-Ons.
2. Select the add-on or BHO you want to manage.
3. Choose to disable, enable, or update the selected object.
NOTE  If you need to isolate a problem add-on or BHO, disable add-ons and BHOs one at a time until the undesirable behavior stops. Disabling is not removal: the component's file stays on disk, and malicious BHOs commonly reinstall themselves, so confirm the fix with an anti-spyware scan.
SUMMARY
■ Internet Explorer can connect to the Internet in a variety of ways, including dial-up to a corporate network or ISP, a broadband Point-to-Point Protocol over Ethernet (PPPoE) connection, a direct LAN connection, or a proxy server.
■ You can use the New Connection Wizard to configure most Internet connections.
■ Most Internet resources are accessed by entering the appropriate URL in the Internet Explorer Address bar or by clicking a hyperlink on another site. Internet Explorer provides access to resources on Web and FTP servers. You can also use it to access other server types through add-ons.
■ Internet Explorer security is divided into content zones. Each zone can have settings appropriate to that zone. Settings can be applied all at once using URL action templates or customized one setting at a time.
■ Internet Explorer allows comprehensive cookie management and includes other privacy features such as pop-up blocking and control over password and content caching.
■ Add-On Manager allows users to view and disable add-ons and browser helper objects (BHOs) that might be causing problems on their systems.
REVIEW QUESTIONS
1. When you type a URL in the Address bar of Internet Explorer, what
appears in the browser is not the Web site you have entered but a
search site that displays results related to the URL. You suspect that
you might have contracted a malicious BHO. How can you know
for sure?
2. You are annoyed by the large number of pop-up ads on the Web sites
you visit. What technology in Internet Explorer can you use to reduce
or eliminate these on your system?
a. Add-On Manager
b. Pop-Up Blocker
c. Privacy slider
d. Web content zones
3. You are giving your computer to a relative and want to be sure you
leave no obvious personal information on the system. What should
you do to be sure Internet Explorer retains no personal data? (Choose
all correct answers.)
a. Clear browsing history
b. Delete Temporary Internet Files
c. Clear AutoComplete data
d. Clear Recently Used Documents
4. You want to block all cookies that you have not personally accepted.
Which privacy setting should you select to achieve this?
a. Block All Cookies
b. High
c. Medium
d. Low
5. You are doing research for a novel that is a computer security thriller.
You need to explore some sites that you expect might harm your
system. Which Internet Explorer Web content zone should you place
these sites in?
a. Restricted Sites
b. Internet
c. Trusted Sites
d. Local Intranet
6. You want to access a file named review.html that is located in the
Examprep folder on a server located at www.adatum.com. Which URL
should you choose to access this document?
a. www.adatum.com/review.html
b. www.adatum.com/Examprep/review.html
c. www.adatum.com/Examprep
d. www.adatum.com/review
CASE SCENARIOS
Scenario 12-1: Getting Online
You work at a small office with eight other employees, and you are exploring
options for connecting the office to the Internet. The office has a local area network, and all systems are connected with static IP addresses. You have discovered
a device that will provide Internet access and Web filtering. It acts as a hardware
proxy server and a DHCP server, and it proxies DNS queries to an Internet DNS
server. It does not support either Web Proxy Auto-Discovery (WPAD) or Service
Location Protocol (SLP). Answer the following questions about this scenario.
1. Which option in the New Connection Wizard should you use to set up
your Internet connection?
a. Connect Using A Dial-Up Modem.
b. Connect Using A Broadband Connection That Requires A User
And Password.
c. Connect Using A Broadband Connection That Is Always On.
d. None of the above.
2. Which of the following options do you use to manually configure a
proxy server connection for a local area network?
a. On the Connections tab of the Internet Options dialog box, click
LAN Settings and configure a proxy server in the Local Area Network (LAN) Settings dialog box by selecting the Automatically
Detect Settings option.
b. On the Connection tab of the Internet Options dialog box, select
a dial-up connection and click Settings to open the Settings dialog
box for the connection. Select the Automatically Detect Settings
option to configure a proxy server.
c. On the Connections tab of the Internet Options dialog box, click
LAN Settings and configure a proxy server in the Local Area
Network (LAN) Settings dialog box by entering the proxy server
address and assigned port number.
d. On the Connection tab of the Internet Options dialog box, select
a dial-up connection and click Settings to open the Settings dialog
box for the connection. Configure a proxy server by entering the
proxy server address and assigned port number.
Scenario 12-2: Managing Internet Explorer
Security and Privacy
You are representing a company that is beginning to market a new family of pharmaceutical drugs. Many aspects of your company’s technology are not yet patented and must be kept out of the wrong hands. You are configuring a laptop
computer for a trip to a trade show. You have enabled Encrypting File System
(EFS) and have exported the recovery agent’s key and deleted it from the system.
You have also purchased a hardware lock that requires an electronic key for
removal. You are concerned that information in your browser could compromise
your product line if the system fell into the wrong hands.
Answer the following questions about this scenario.
1. Which of the following settings in Internet Explorer can help ensure
no private data is accessible to Internet Explorer after you close the
browser? (Choose all correct answers.)
a. Do Not Save Encrypted Pages To Disk.
b. Empty Temporary Internet Files Folder When Browser Is Closed.
c. Set The Days To Keep Pages In History Settings To 0.
d. Set The Default Home Page To Use Blank.
2. You are concerned about attackers penetrating your system when you
use it on the trade show network. Which of the following strategies can
help prevent this? (Choose all correct answers.)
a. Download and install all critical updates.
b. Enable Windows Firewall with no exceptions enabled.
c. Disable your network connection.
d. Set the security level for the Internet zone to High.
CHAPTER 13
MANAGING USERS AND
GROUPS
Upon completion of this chapter, you will be able to:
■ Configure and manage user accounts
■ Manage user account properties
■ Manage user and group rights
■ Configure user account policy
■ Manage and troubleshoot cached credentials
This chapter covers user accounts and how to create, manage, delete, and troubleshoot issues arising from the management of these accounts. You will also learn
how to manage policies affecting users and how to manage rights that users have
on systems. Finally, we will briefly discuss cached credentials as a way to authenticate users, especially mobile users, when a domain controller is not available.
OVERVIEW OF USER ACCOUNTS
Almost all security settings in Windows XP Professional are assigned based on the identity of those who need to access resources or services. A person's identity is established by authentication: the user presents a username and proves knowledge of the matching password (or presents another credential), and only then is the account's access to resources evaluated. Windows XP includes an authentication framework and offers tools and utilities that let administrators manage user accounts, place users into groups based on common resource access requirements, and assign access to resources to individual users or to groups.
Users and Groups
User accounts are the basic token of identity used in Windows XP. All tasks and
processes execute with the permissions, rights, and privileges of a user account.
Users can be collected into groups to simplify administration.
User accounts help identify a user to the system and to other users and can be
used to grant access to resources and to audit activity. In Active Directory implementations, the user account can also hold sophisticated directory and demographic information about a user. User accounts can be consolidated into groups
to simplify the process of managing security; individually, they provide very granular access to sensitive data.
Groups consolidate users for the purpose of assigning permissions to resources.
In Active Directory, they can also act as distribution lists for e-mail. By adding
users to a group, you can immediately grant them access to any resources that
have been opened to that group. This greatly simplifies management of resource
security.
User and Group Account Permissions
Depending on the permissions granted to them, users and groups can:
■ Access file and print resources
■ Manage access to files and printers
■ Manage computer systems
■ Manage other users and groups
By using NTFS and share-level permissions, you can provide access to resources while protecting them from individuals who are not authorized to access them. For example, in the Properties dialog box for a printer you can assign permission to users or groups to print, manage documents, and manage printers.
Placing users into the Power Users or Administrators group on a system gives them permission to manage aspects of system configuration and operation. Placing users into the Administrators group also gives them the ability to manage other users. Treat Power Users membership as nearly equivalent to Administrators when you assess risk: the group can install software and write to many system locations, and members can use that access to gain full administrative rights.
IMPORTANT  One of an administrator's principal tasks is adding user accounts to a system for granting access to system resources. Many organizations assign this task to junior administrators, but the ramifications of certain user security configuration choices should not be taken lightly.
User Rights
In addition to granting permissions to users and groups to access resources, you
can assign rights. These rights can include, for example, the right to shut down a
system or the right to log on to a system locally or remotely. We will discuss these
rights in more detail later in this chapter.
User Profiles
When user accounts are created, you can also designate storage locations for user
settings and documents. These settings are organized into user profiles and
stored in designated locations. User profiles allow individual users to retain
familiar menus and desktop preferences even when multiple users use the same
system.
Built-In User Accounts and Groups
Several built-in user accounts and groups are installed during system setup (or
later, when certain services or applications are installed). These accounts are
designed for administration of the system or for the associated application to
log on to the system.
Built-in user accounts
Windows XP has two principal built-in user accounts that can be used for logging
on interactively:
■ Administrator  The main administrative account for the system. It has permission to perform any configuration or administration task on the system. It can assign permissions and take ownership of resources even if it has not been explicitly given permission to them. The account has the well-known relative identifier (RID) 500, so renaming it hides the name but not the account: tools that look up accounts by SID can still find it.
■ Guest  Allows limited access to the system to perform basic tasks involving file and print usage or application usage. This account is disabled by default and should stay disabled unless you have a specific need for it. It does not have permission to perform any administrative tasks.
NOTE  A third built-in account, the System account (shown as LocalSystem in service settings), has authority equivalent to the Administrators group but cannot be used to log on to a system interactively. It is used by the operating system itself and by many services to access the files they need to operate. By default, System is assigned Full Control access to all resources on the system. Restricting access to this account can have undesirable consequences.
Built-in groups
Built-in groups allow you to assign users to specific security or administration roles in a uniform manner.
■ Administrators  A group that has permission to manage all aspects of system operation and configuration. Members have all the rights and privileges that a computer administrator requires to manage and configure a system.
NOTE  Built-in accounts that are default members of built-in groups cannot be removed from those groups. The Administrator account can be renamed, but it can never be removed from the Administrators group.
■ Backup Operators  A group whose members can read and write files they would otherwise have no permission to access, in order to back them up to and restore them from archive media. The access comes from the Back Up Files And Directories and Restore Files And Directories user rights, which bypass NTFS permissions for any program that opens files with backup semantics, not only for the Backup utility. Treat membership as a sensitive privilege: a member can copy any file on the system and restore a modified copy of any file.
■ Power Users  A group with limited administrative privileges on a system. Members can install applications, add users and modify the users they create, and create shared folders for use over a network. As noted earlier, this access is enough to obtain full administrative rights, so the group is not a security boundary.
■ Remote Desktop Users  A group with permission to connect to the system using Remote Desktop.
■ Users  A group with basic system access. By default it contains the implicit Authenticated Users and INTERACTIVE groups, so every account that logs on is effectively a member, and all accounts you create are added to it.
■ Guests  A group with very low-level, temporary access to the system. The Guest account is its default member.
Implicit Groups
Windows XP has a number of groups whose membership depends on environmental or usage factors: the system adds them to a user's access token at logon according to how the user authenticated and from where. These groups are used to grant access that depends on how or where resources are accessed. They do not appear in Local Users and Groups in Computer Management. The most common of these implicit groups are:
■ Interactive  Includes any user logged on at the local console or through a Remote Desktop session. Use this group to grant access that users should have only when they are working at (or remotely controlling) the machine itself, and not when they reach it over a file share.
■ Network  Includes all users who access the system across a network, for example through a shared folder. Use this group to control the access that remote users have to a resource.
■ Everyone  Includes all interactive and network users, and the Guest account when it is enabled. On Windows XP, anonymous (null-session) callers are no longer part of Everyone unless the security policy Network Access: Let Everyone Permissions Apply To Anonymous Users is enabled. This group is used to grant broad access to a system resource.
■ Authenticated Users  Includes every user who has been authenticated by a security authority the system recognizes (the local account database or a trusted domain); it never includes Guest or anonymous callers. It is preferred over Everyone because Everyone can include Guest, and it is preferred over the Users built-in group because Users is a real group whose membership an administrator can change, whereas Authenticated Users is computed by the system at logon and cannot be handed to an account that has not proved its identity.
NOTE  Anonymous (or null) sessions are used by systems to exchange lists of advertised resources or to set up secure channels for user authentication. They are not expected to access files, but attackers use them to enumerate user names and shares and, on a misconfigured system, to read data. Granting permissions to Authenticated Users rather than Everyone ensures that the entity accessing the resource has actually proved its identity. The local security policies that govern null sessions on Windows XP are Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts, its companion setting that also covers shares, and Network Access: Let Everyone Permissions Apply To Anonymous Users.
■ Creator Owner  A placeholder used in inheritable permissions. When a new file or folder is created, any Creator Owner entry inherited from the parent is rewritten to name the account that created the object, so the creator receives the rights specified in that entry without the administrator having to know in advance who the creator will be.
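The advice above, to prefer Authenticated Users over Everyone and Users for sensitive data and to keep null sessions restricted, is straightforward to check and to enforce. The PowerShell functions below are an added example, not part of the book. The folder path is a hypothetical stand-in for a share you are reviewing, and the Lsa value names (RestrictAnonymousSAM, RestrictAnonymous, EveryoneIncludesAnonymous) are assumptions about where Windows XP stores the three Network Access policies named in the note; the book does not list them.

```powershell
# Added example (not from the book). Finds permissions that rely on the broad
# identities discussed above, shows how to move an Everyone entry to Authenticated
# Users, and reads the anonymous-access policies. The Lsa value names are
# assumptions about the policy storage location and are not given in the book.

function Get-BroadAccessEntries {
    # Lists Allow entries granted to Everyone, Users, Guests or anonymous logons
    # on the given file or folder.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $id -match '^(Everyone|BUILTIN\\(Users|Guests)|NT AUTHORITY\\ANONYMOUS LOGON)$') {
            New-Object PSObject -Property @{
                Path = $Path; Identity = $id
                Rights = $ace.FileSystemRights.ToString(); Inherited = $ace.IsInherited
            }
        }
    }
}

function Set-AuthenticatedUsersInsteadOfEveryone {
    # Replaces each explicit (non-inherited) Everyone entry with an identical entry
    # for Authenticated Users, so Guest and anonymous callers lose access while every
    # account that has logged on keeps exactly the rights it had. Returns the count replaced.
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $everyone = @($acl.Access | Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and -not $_.IsInherited })
    foreach ($ace in $everyone) {
        $replacement = New-Object System.Security.AccessControl.FileSystemAccessRule(
            'NT AUTHORITY\Authenticated Users', $ace.FileSystemRights,
            $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        $acl.RemoveAccessRule($ace) | Out-Null
        $acl.AddAccessRule($replacement)
    }
    Set-Acl -Path $Path -AclObject $acl
    return $everyone.Count
}

function Get-AnonymousAccessPolicy {
    # Reads the local security policies that decide what a null session may do.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $policies = @(
        @{ Name = 'RestrictAnonymousSAM';      Desired = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts' },
        @{ Name = 'RestrictAnonymous';         Desired = 1; Policy = 'Do not allow anonymous enumeration of SAM accounts and shares' },
        @{ Name = 'EveryoneIncludesAnonymous'; Desired = 0; Policy = 'Let Everyone permissions apply to anonymous users' }
    )
    foreach ($p in $policies) {
        $item = Get-ItemProperty -Path $lsa -Name $p.Name -ErrorAction SilentlyContinue
        $actual = if ($null -eq $item) { $null } else { [int]$item.($p.Name) }
        New-Object PSObject -Property @{
            Policy = $p.Policy; Actual = $actual; Desired = $p.Desired
            Compliant = ($actual -eq $p.Desired)
        }
    }
}

# Hypothetical share being reviewed; substitute the folder you are auditing.
Get-BroadAccessEntries -Path 'C:\Shared\Reports' | Format-Table Identity, Rights, Inherited -AutoSize
Get-AnonymousAccessPolicy | Format-Table Policy, Actual, Desired, Compliant -AutoSize
```

Run the audit first and read the Inherited column: an inherited Everyone entry has to be fixed on the parent folder that defines it, which is why the replacement function touches only explicit entries. A null result from `Get-AnonymousAccessPolicy` for RestrictAnonymous means the value has never been set and the system is running on the default, which on Windows XP permits anonymous enumeration of shares.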
Service Accounts
Service accounts are used to run defined services. A service accesses system resources with the identity of its service account, so you can restrict that access to only the files and other resources the service in question requires. These accounts are managed differently than normal user accounts: they are often set so that the password does not expire and cannot be changed by the service, because a password rotation the service is not told about would stop it from starting. The security benefit comes from the restricted access, not from the password settings: if a malicious user gains control of the service through a vulnerability in the service's programming, the damage is limited to what the service account can reach.
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
Service accounts installed by system Setup
Setup installs three kinds of service accounts:
■ Service The account that represents the operating system. The system requires access to folders and files for normal operation. It has permissions similar to those of the Administrator account and is used by system utilities and services to manage the system.
■ Local Service An account that allows you to restrict the access that local applications and services have on the system. It can be assigned to services to allow access to resources without giving the full authority of the Service account.
■ Network Service An account that lets you restrict the access that network services have to local resources for additional protection against network attacks.
Accounts commonly installed by services and applications
Many applications install their own service account. Among the more familiar service accounts are:
■ ASPNET The service account used to run processes for ASP.NET applications in Microsoft Internet Information Services (IIS).
■ IUSR_<system name> The default account (named after the machine on which it exists) that accesses local resources on behalf of anonymous Internet users. IIS uses this account to open files and folders required by anonymous user requests.
■ IWAM_<system name> An account used to run worker threads and processes called by IIS and standard ASP applications.
Domain User Accounts and Groups
In Active Directory, user accounts and groups are organized in a slightly different
fashion. In this section, we will explore the user accounts and groups on a
Windows XP system that is a member of a domain.
Domain built-in groups
Domains also have built-in groups. Some of these groups are, by default, made
members of local groups when a Windows XP system is joined to a domain.
The principal built-in groups are:
■ Domain Admins A group that is placed into the Administrators local group by default and inherits the ability to perform any task performed by local administrators.
CHAPTER 13:
MANAGING USERS AND GROUPS
■ Domain Users A group that belongs to the Users group and gains access to any resources granted to the Users group.
■ Domain Guests A member of the local Guests group.
Coordinating domain and local groups for assigning permissions and rights
You can add groups from an Active Directory domain to local groups that you
create on your system. By doing so, you can configure access to a resource and
have all users from the domain group gain access to that resource. This simplifies
management because users can be maintained at a central location and you can
simply insert the appropriate group into your access control list (ACL).
Tools for Managing Users and Groups
Users and groups can be managed in several ways. We will explore the most common user account and group management tools in this section.
Computer Management
Computer Management, which is used for many management tasks in Windows XP
(Figure 13-1), does not disappoint when it comes to managing users and groups.
It includes the Local Users and Groups snap-in, which manages users and groups
for the local system. We will use Computer Management in many of our examples
in this chapter. You can also add your own snap-in to a standalone Microsoft
Management Console.
Figure 13-1 Computer Management can be used to manage local users and groups.
To create a custom user management console:
1. Open a new Microsoft Management Console.
2. Choose Start | Run, and type mmc in the Run dialog box. Click OK.
3. In the blank MMC session, choose File | Add/Remove Snap-In.
4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-In dialog box, choose the Local Users and
Groups snap-in (Figure 13-2).
Figure 13-2 Adding the Local Users and Groups snap-in to a blank Microsoft Management Console
6. When prompted to choose the local computer or another computer,
choose Local computer. Click OK.
7. Choose File | Save As. Give your new console a descriptive name.
This creates a console with just Local Users and Groups in it. You can add
additional computers to this console to have a master console for managing users on several systems (Figure 13-3). This is an excellent way to manage user accounts on multiple computers in a workgroup environment.
Figure 13-3 A user management console with several systems added
User Accounts tool in Control Panel
The User Accounts tool (Figure 13-4) in Control Panel simplifies the creation and
management of users. However, it lacks the ability to manage group memberships
and user profile information.
Figure 13-4 User Accounts tool
NOTE User Accounts is the only user management tool available for
use with Windows XP Home.
Active Directory Users and Computers
You can use Active Directory Users and Computers (Figure 13-5) to manage
user and computer accounts, security groups, distribution groups, organizational
units, and Group Policy settings in Active Directory domain environments.
Figure 13-5 Active Directory Users and Computers
NOTE Domain security groups are Active Directory user groups that can be used domain-wide (domain local groups) or in multiple domains (global groups). They are not used in our scenarios in this course, but you will become more familiar with them as you advance to the Windows Server 2003 courses.
NET USER command
If you prefer command-line administration tools, you can use the Net.exe command with the User option to automate adding or managing many users at once.
The syntax for this command can take one of three forms:
■ Maintenance To modify a user account, use the NET USER command without the /ADD or /DELETE switch. Username is the logon name of the user, and password is the password the user account is to have. If you do not want to change the password, simply leave it out of the command to change other aspects of the account.
    NET USER username password <options>
■ Adding a user To add a user, use the appropriate options with the /ADD switch:
    NET USER username password /ADD <options>
■ Removing a user To remove a user, use the /DELETE switch:
    NET USER username /DELETE
Options for the NET USER command
Available options for the NET USER command include:
■ /Active: Yes | No Designates whether the user account is enabled or disabled. Yes enables the user account, and No disables the user account.
■ /Comment: “text” Specifies a comment that can be read by administrators. It must be enclosed in quotation marks.
■ /Expires: Date | Never Designates a date beyond which the user will be deactivated. This is useful when you are creating an account that will be used for only a short time.
■ /Fullname: “name” Specifies the user’s full name. Enter the full name in quotation marks (example: NET USER dfield /Fullname:“David Field”).
■ /Homedir: path Sets the path to the user’s home directory folder. This becomes the default destination for documents for the user.
■ /Passwordchg: Yes | No When set to Yes, forces the user to change his password at the next logon. The default is Yes.
■ /Passwordreq: Yes | No Specifies whether a password is required for this user. The default is Yes.
■ /Profilepath: path Sets a path for the user’s profile (menus, documents, and preferences).
■ /Scriptpath: path Defines the logon script to run when this user logs on. Logon scripts are script or batch files that run to set certain options during a user logon. Examples include scripts to map network drives or launch certain applications.
■ /Times: times | All Sets allowed logon times. The times option must be carefully formatted. The format is “start day-end day, start time-end time.” The day can be spelled out or abbreviated, and the time can be a range using a 12-hour or 24-hour clock. Multiple entries can be separated by semicolons (example: NET USER Dave /times:M-F,9:00am-5:00pm;Saturday,9:00-17:00;Su,9:00-17:00). Setting All allows all logon times, and leaving the setting blank sets no logon times, effectively disabling the account.
■ /Usercomment: “text” Configures a user comment for this user.
PLANNING USER ACCOUNTS AND GROUPS
You might think that the simplest way to start configuring your organization is to
compile a list of users and proceed from there, but experienced administrators
begin their work by listing the resources to control and the users who will need
access to those resources. You can then define user groups that you can use to
consolidate users. If you also carefully plan usernames, profile locations, and
logon scripts, you can save yourself a lot of work and make the user experience
much better.
In this section, we will discuss the planning process and how to create an effective
strategy for managing users and groups.
Mapping Out a User and Group Strategy
If you work to consolidate resources that require the same access controls and
combine users into groups with those access levels, you can greatly simplify the
management of resources.
Determining resource access requirements
If you have a collection of documents used by the Finance department, it makes
sense to combine them into a folder structure so you have a single place to control
permissions to the entire collection (Figure 13-6). Any documents that are added
to the collection will be included in the access control scheme, and users with
access to the collection will automatically have access to the new documents.
Figure 13-6 Gathering documents into folders to simplify security (diagram labels: Consolidate users into groups; Consolidate documents into folders; Grant groups permissions to folders; New User)
Simplifying user rights and permission management
If you collect users into groups according to their access requirements, you can
easily grant a new user access to an entire collection (or several collections) of
resources by simply making her a member of a group that has access to the
collection (or collections) (Figure 13-6). This principle is commonly used by administrators of large enterprises, but it translates well to the smallest organizations.
Creating user account templates
It is common to have multiple users (from several to hundreds) who need exactly
the same security configuration. To speed up the creation of new, identically configured user accounts, you can create an account template. This is simply a user
account that is configured with the correct properties for a specific task that you
copy when creating new users.
NOTE The ability to copy accounts is available only in Active Directory Users and Computers. You can create template accounts with special characters in the first position of the username so they can be sorted first in a list of users and thus be easily found. If you want to add several nearly identical accounts to a Windows XP computer, consider scripting the creation of those accounts by using NET USER commands.
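As an added example that is not from the book, the following PowerShell script does what the note suggests: it creates several near-identical, short-lived accounts with the NET USER command and its /FULLNAME, /COMMENT, /EXPIRES and /TIMES options described earlier, applying one set of template settings to each. It assumes PowerShell 2.0 or later in an Administrators session on the local system; the account names, dates and comment are constructed, and the /EXPIRES value must use the short date format of the system locale.

```powershell
# Added example (not the book's code): bulk-create temporary accounts with NET USER.
# Assumptions: PowerShell 2.0+, Administrators session, constructed names/dates below.

function New-InitialPassword {
    # Random initial password from a set that avoids look-alike characters.
    # The user receives it out of band and changes it at first logon.
    param([int]$Length = 12)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Test-LocalUserExists {
    # NET USER <name> exits non-zero when the account does not exist.
    param([string]$Name)
    net user $Name 2>&1 | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Template settings shared by every account (the "account template" idea).
$template = @{
    Expires = '12/31/2005'                        # constructed; locale short date
    Times   = 'M-F,7:00-19:00'                    # weekday logon hours only
    Comment = 'Temporary Finance contractor (constructed)'
}

# Constructed list of accounts to create, using the T- prefix for temporary staff.
$newUsers = @(
    @{ Name = 'T-jsmith'; FullName = 'John Smith' },
    @{ Name = 'T-jstamm'; FullName = 'Jeff Stammler' }
)

$created = @()
foreach ($u in $newUsers) {
    if (Test-LocalUserExists $u.Name) {
        Write-Warning "$($u.Name) already exists; skipping"
        continue
    }
    $password = New-InitialPassword
    # PowerShell quotes any argument containing spaces, so "/FULLNAME:John Smith"
    # reaches net.exe as a single switch, just like /FULLNAME:"John Smith" in cmd.
    net user $u.Name $password /ADD `
        "/FULLNAME:$($u.FullName)" `
        "/COMMENT:$($template.Comment)" `
        "/EXPIRES:$($template.Expires)" `
        "/TIMES:$($template.Times)" `
        /ACTIVE:YES | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "NET USER failed for $($u.Name) (exit code $LASTEXITCODE)"
        continue
    }
    $created += New-Object PSObject -Property @{ Name = $u.Name; InitialPassword = $password }
}

# Show the expiry NET USER recorded for each new account as a check on the date format.
foreach ($c in $created) {
    $expiry = net user $c.Name | Where-Object { $_ -match '^Account expires' }
    Write-Host "$($c.Name): $expiry"
}

# Hand the initial passwords to the help desk over a secure channel; do not log them.
$created | Format-Table -AutoSize
```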
User Account Naming Conventions
In an organization with up to a few dozen users, it is easy to come up with unique
usernames. But organizations with hundreds or thousands of users need a standard way of generating usernames. These naming conventions must be determined
in advance to eliminate the confusion of changing formats after you already have
users in the field.
Possible naming conventions include using the person’s first initial and last name
or using the first name and last initial. These conventions work well for smaller
organizations. But what happens if you have a John Smith, a Jeff Smith, and a
Jeff Stammler? You cannot assign two people JeffS or JSmith. You might have to
consider additional conventions such as appending numbers to duplicate names
(JSmith2) or using a middle initial (JASmith). Here are some other aspects of
naming conventions to consider:
■ Names can be no longer than 20 characters. User account names can contain up to 20 uppercase or lowercase characters. The field accepts more than 20 characters, but Windows XP Professional recognizes only the first 20.
■ Logon names are not case sensitive. User logon names are not case sensitive, but Windows XP Professional preserves the case for display purposes.
■ Avoid characters that are not valid. The following characters are not valid: “ / \ [ ] : ; | = , + * ? < >
Some organizations also identify temporary employees in their user accounts.
For example, you can add a T and a dash in front of the user’s logon name, as in
T-johne, or use parentheses at the end, as in johne(Temp).
Setting Requirements for Complex Passwords
Simple passwords are easy for a hacker to guess. Anyone who knows the name of
the user’s children or pets has about a 50-percent chance of guessing that person’s
password. It is up to the system administrator to prevent this from happening.
Some argue that if you make passwords too complex, users will simply write
them down on a sticky note and stick the note on their monitor or under their
keyboard. To prevent this, you must educate your users about creating and
remembering complex passwords. (Instructors used to tell students to use the
password “password” during class, and many of those students went on to set up
all their new systems with that password!)
Here are two ways to create strong passwords:
■ Create passphrases. You can create an easily remembered password by using the first letter of each word in a phrase or sentence. For example, you can use the sentence “My dog has been barking since 6 AM” to create the password “Mdhbbs6A,” which would be hard for a hacker to crack.
■ Mix uppercase letters with lowercase letters, numbers, and nonalphanumeric characters (such as ~ and &). Passwords are case sensitive, so mixing cases can help you create a strong password.
NOTE You can enforce complex passwords by configuring the appropriate settings in a computer’s Local Security Policy or by configuring the appropriate Group Policy settings in an Active Directory domain. We will discuss these settings later in this chapter and in Chapter 14.
Changing the Way Users Log On or Log Off
Administrators can change the way users log on or log off the computer. In the
User Accounts tool in Control Panel, two options are available for controlling
how all users log on and log off the computer:
■ Use The Welcome Screen Allows users to click their user account on the Welcome screen to log on to the computer (Figure 13-7). This check box is selected by default. When it is cleared, users must type their username and password at a classic Windows logon prompt to log on (Figure 13-8).
Figure 13-7 The Windows XP Welcome screen
Figure 13-8 The classic Windows logon prompt
■ Use Fast User Switching Allows users to quickly switch to another user account without first logging off and closing all programs. When you are finished, you can switch to the first user account. This check box is selected by default.
You configure these options as follows:
1. Choose Start | Control Panel | User Accounts.
2. In the User Accounts window, click Change The Way Users Log On Or
Off. The Select Logon And Logoff Options window (Figure 13-9) appears.
Figure 13-9 Setting the logon options
3. Select or clear the appropriate check boxes.
CREATING AND MANAGING USER ACCOUNTS WITH
LOCAL USERS AND GROUPS
After planning the relationships between users and resources, you need a plan for
the user accounts and groups you will use. In this section, you will learn how
to use Computer Management to create user accounts and groups and how to
manage the rights and permissions assigned to these users and groups.
Creating User Accounts
You can create user accounts in the Local Users and Groups snap-in located in
Computer Management or in your custom user management console.
To use Local Users and Groups to add a user account:
1. Locate and select Local Users And Groups in your console. If you are
using the Computer Management console, you might have to expand
System Tools to see it.
2. In the details pane, right-click Users, and then click New User. The
New User dialog box opens (Figure 13-10).
Figure 13-10 The New User dialog box
3. Fill in the appropriate text boxes, click Create, and then click Close.
Managing User Account Properties
After a user is added to the system, you can modify her properties—such as which
groups she belongs to or her home and profile folders. This step completes the
creation of a user account, and you can revisit the user’s properties later to make
changes.
To modify a user’s properties:
1. Locate the user in the Users folder within Local Users and Groups.
2. Right-click the user’s name, and click Properties. The user’s Properties
dialog box opens (Figure 13-11).
Figure 13-11 A user’s Properties dialog box
3. You can modify the user’s properties on the following tabs:
❑ General You can configure the username and description, manage the password status for the account, and enable or disable the account (Figure 13-11).
❑ Member Of You can configure a user’s group memberships. To add the user to a group, click the Add button and select the appropriate group in the Select Groups dialog box (Figure 13-12).
Figure 13-12 Selecting security groups for a user account
❑ Profile You can specify the user’s profile path, logon script, and home folder (Figure 13-13).
Figure 13-13 Managing a user’s profile configuration
Managing User Permissions
Once a user account has been created and placed in the appropriate groups, you
can assign permissions to the user or to the groups to which she belongs. You do
this in the Security dialog box for the resource being managed. For example, on
the Security tab for a file system folder (Figure 13-14), you can use users and
groups to assign permission to access files and folders and printers, and you can
use them in ACLs for other system objects (such as Group Policies).
Figure 13-14 Configuring security for a file system folder
MORE INFO For more information on managing security for files or
printers, see Chapters 6, 7, and 8. We will discuss setting security on
Group Policies in Chapter 14.
Managing User Rights Assignment
You have a user who is required to change tapes in a system that stores files for
your network. One evening, he accidentally shuts down the system instead of
logging off. To prevent this from happening again, you can remove this person’s
right to shut down the system.
User rights are managed in a system’s Local Security Policy console (Figure 13-15).
By choosing the appropriate right and adding or removing the user or group from
that right, you can control some of the operations the user or group is allowed to
perform on the system.
Figure 13-15 The Local Security Policy console displaying User Rights Assignment
Let’s say the user in our example is a member of the Backup Operators local
group. If you open the Shut Down The System user right, you see the allowed
groups listed (Figure 13-16). If you remove the Backup Operators local group
from the list in this dialog box, users who are members of this group alone can
no longer shut down the computer. Administrators, Power Users, and Users will
still have this right.
NOTE In the example above, users who are members of the Users group will still be able to shut down the system. Be sure to consider all group memberships when configuring user rights.
Figure 13-16 Groups allowed to shut down the system
NOTE We will discuss many more security management scenarios in Chapter 14.
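An added example, not the book’s own procedure: the change just described (removing Backup Operators from the Shut Down The System right) made with secedit.exe instead of the Local Security Policy console, so it can be repeated on several systems. The script exports only the User Rights Assignment area, drops the Backup Operators SID from SeShutdownPrivilege, and applies the edited template back; it assumes PowerShell 2.0 or later in an Administrators session, a constructed working folder, and the well-known SIDs of the built-in local groups.

```powershell
# Added example (not the book's code): edit one user right with secedit.exe.
# Assumptions: PowerShell 2.0+, Administrators session, constructed working folder.

$work = 'C:\Temp\UserRights'          # constructed working folder
$inf  = Join-Path $work 'rights.inf'
$db   = Join-Path $work 'rights.sdb'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Well-known SIDs of the built-in local groups; the exported template lists
# each account as *SID.
$groupSid = @{
    Administrators  = 'S-1-5-32-544'
    Users           = 'S-1-5-32-545'
    PowerUsers      = 'S-1-5-32-547'
    BackupOperators = 'S-1-5-32-551'
}

function Remove-SidFromRight {
    # Returns the template lines with *$Sid removed from the named right's list.
    param([string[]]$Lines, [string]$Right, [string]$Sid)
    $pattern = '^\s*' + [regex]::Escape($Right) + '\s*=\s*(.*)$'
    $found = $false
    $out = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            $found = $true
            $keep = $matches[1].Split(',') |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ -ne '' -and $_ -ne "*$Sid" }
            "$Right = " + ($keep -join ',')
        } else {
            $line
        }
    }
    if (-not $found) { throw "$Right is not present in the exported template" }
    return $out
}

# 1. Export the current User Rights Assignment area only.
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit $LASTEXITCODE)" }

# 2. Drop Backup Operators from SeShutdownPrivilege (the Shut Down The System right).
$before  = Get-Content $inf | Where-Object { $_ -match '^\s*SeShutdownPrivilege' }
$updated = Remove-SidFromRight -Lines (Get-Content $inf) `
               -Right 'SeShutdownPrivilege' -Sid $groupSid.BackupOperators
$after   = $updated | Where-Object { $_ -match '^\s*SeShutdownPrivilege' }
Write-Host "Before: $before"
Write-Host "After:  $after"

# 3. Apply the edited template; /areas USER_RIGHTS leaves every other policy area alone.
#    secedit writes its INF as Unicode, so write it back the same way.
Set-Content -Path $inf -Value $updated -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
if ($LASTEXITCODE -ne 0) { throw "secedit configure failed (exit $LASTEXITCODE)" }

# The chapter's note applies here too: Users keeps the right unless it is also removed.
if ($after -match [regex]::Escape("*$($groupSid.Users)")) {
    Write-Host 'Users still holds SeShutdownPrivilege; review that group membership as well.'
}
```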
CREATING AND MANAGING GROUPS
User groups are an important part of any effort to simplify management. They
allow the administrator to consolidate user accounts that have common access
requirements.
In Windows XP, you manage groups with the Local Users and Groups snap-in in Computer Management or in a standalone user management console that you have created (as explained earlier). You can also use the Net.exe command-line tool with the Localgroup option. We will discuss both of these methods next.
Creating and Managing Groups Using Local Users
and Groups
The Local Users and Groups snap-in (Figure 13-17) provides a graphical way to
create and manage user groups. You can manage group membership directly
by configuring the properties for the chosen group or indirectly by managing
specific user accounts. We will explore both scenarios.
When you create a group using Local Users and Groups, you have the option to
add users to the group at that time or afterward.
Figure 13-17 The Computer Management console displaying local groups
To create a group:
1. Select Local Users And Groups in your console. If you are in the Computer
Management console, you might have to expand System Tools to see it.
2. In the details pane, right-click Groups, and then click New Group to
open the New Group dialog box (Figure 13-18).
Figure 13-18 The New Group dialog box
3. Fill in the appropriate text boxes, and use the Add button to add any
users you want to initially assign to this group. Click Create, and then
click Close.
To add users to an existing group:
1. Open the group’s Properties dialog box by double-clicking the group
in Local Users and Groups.
2. Click the Add button to open the Select Users dialog box (Figure 13-19).
Enter the appropriate usernames.
Figure 13-19 Selecting users for group membership
To search for users to add, click the Advanced button to open the
Advanced mode of the Select Users dialog box (Figure 13-20).
Figure 13-20 Advanced options for locating users
3. After you specify or select the users, click OK to add them to the group.
NOTE You can also add users to groups by adding the appropriate groups to the Member Of tab in the user’s Properties dialog box.
To remove a group:
1. Locate and select Local Users And Groups in your console. You might
have to expand System Tools in the Computer Management console
to see it.
2. Select Groups. In the details pane, right-click the group you want to
delete and choose Delete.
Managing Groups Using Command-Line Tools
The Net.exe command has many powerful management and configuration
options, including the ability to manage users and groups. In this section, you
will learn how to use the Net Localgroup command to add a group and how to
manage the group’s membership.
Using Net Localgroup to manage groups
Net Localgroup has many options for managing groups from a command line.
This is an excellent way to script group management to make many additions or
deletions at once.
NOTE A related command (Net Group) is used to manage global group
creation and membership in an Active Directory domain environment.
■ Modifying a group Use the Net command with the appropriate option switches. (Groupname is the name of the group you are configuring.)
    NET LOCALGROUP groupname <options>
■ Adding a group Use the appropriate options with the /ADD switch:
    NET LOCALGROUP groupname /ADD <options>
■ Adding users to the group You can also use the /ADD switch to add users to the group. The Net Localgroup command recognizes the existence of the group and understands the /ADD switch as an addition of users to the group.
    NET LOCALGROUP groupname user1 user2 user3 /ADD
■ Removing a user Use the /DELETE switch:
    NET LOCALGROUP groupname username /DELETE
■ Deleting a group Use the /DELETE switch:
    NET LOCALGROUP groupname /DELETE
Options for the Net Localgroup command
Options for the Net Localgroup command include:
■ /Comment: “text” Specifies a comment that can be read by administrators. It must be enclosed in quotation marks.
■ /domain Causes the command to manage an Active Directory domain local group.
NOTE Domain local groups are groups that can control resources in systems throughout a domain. They can contain users and global groups from the domain and global groups from other domains.
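An added example, not from the book: a local group for the Finance document collection discussed earlier is created with NET LOCALGROUP, its members are added in a single /ADD call, one member is removed with /DELETE, and the result is verified by parsing the command’s own output rather than trusting the exit code alone. It assumes PowerShell 2.0 or later in an Administrators session; the group and user names are constructed, and the user accounts are assumed to exist already.

```powershell
# Added example (not the book's code): manage a local group with NET LOCALGROUP
# and verify membership from its output. Assumptions: PowerShell 2.0+,
# Administrators session, constructed group/user names, users already exist.

function Get-LocalGroupMembers {
    # Parses 'NET LOCALGROUP <group>': members are listed between the dashed
    # separator line and the closing 'The command completed successfully.' line.
    param([string]$Group)
    $lines = net localgroup $Group 2>&1
    if ($LASTEXITCODE -ne 0) { throw "Group '$Group' not found (exit $LASTEXITCODE)" }
    $members = @()
    $inList  = $false
    foreach ($line in $lines) {
        $text = "$line".Trim()
        if ($text -match '^-{10,}$') { $inList = $true; continue }
        if ($text -eq 'The command completed successfully.') { break }
        if ($inList -and $text -ne '') { $members += $text }
    }
    return ,$members
}

$group   = 'Finance-Docs'                       # constructed group name
$members = @('dfield', 'jsmith', 'T-jstamm')    # constructed; accounts must exist

# Create the group only if it is missing (NET LOCALGROUP fails on an unknown group).
net localgroup $group 2>&1 | Out-Null
if ($LASTEXITCODE -ne 0) {
    net localgroup $group /ADD "/COMMENT:Finance document collection (constructed)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not create group '$group'" }
}

# Add only the users not already present, all in one /ADD call.
$present = Get-LocalGroupMembers $group
$missing = $members | Where-Object { $present -notcontains $_ }
if ($missing) {
    net localgroup $group $missing /ADD | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "Adding members to '$group' failed" }
}

# The temporary contractor leaves the project: remove that single member.
net localgroup $group 'T-jstamm' /DELETE | Out-Null

# Verify the final membership against what was intended and flag anything else.
$final    = Get-LocalGroupMembers $group
$expected = @('dfield', 'jsmith')
$extra    = $final | Where-Object { $expected -notcontains $_ }
$absent   = $expected | Where-Object { $final -notcontains $_ }
if ($extra)  { Write-Warning "Unexpected members in ${group}: $($extra -join ', ')" }
if ($absent) { Write-Warning "Missing members in ${group}: $($absent -join ', ')" }
Write-Host "Members of ${group}: $($final -join ', ')"
```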
CREATING AND MANAGING USER ACCOUNTS WITH
THE USER ACCOUNTS TOOL
Some organizations use the User Accounts tool (Figure 13-21) in Control Panel
to create, modify, and delete local user accounts. This tool is wizard-driven and
simpler for some users to master. It is the same tool used in Windows XP Home
Edition.
Figure 13-21 The User Accounts tool
User Account Types
If you use the User Accounts tool, you will notice immediately that users are
placed in one of two classes: Computer Administrators or Limited Accounts.
Table 13-1 summarizes the privileges each type of user account has on the
system.
Table 13-1 User Account Types and Capabilities

Capability                                                     Computer Administrator   Limited Account
Change your own picture                                        ✓                        ✓
Create, change, or remove your password                        ✓                        ✓
Change other users’ pictures, passwords, account types,        ✓
and account names
Have full access to other user accounts                        ✓
Create user accounts on this computer                          ✓
Access and read all files on this computer                     ✓
Install programs and hardware                                  ✓
Make system-wide changes to the computer                       ✓
NOTE Accounts that are members of groups other than Administrators and Users might appear in the User Accounts tool as “Unknown account type.” These users must be managed using Local Users and Groups.
Creating a New User Account
In the User Accounts tool, only administrators can create new user accounts, and
they can do it only on the Pick A Task screen if they are logged on with a user
account that is a member of the Administrators group.
To create a new user account, take these steps:
1. Click Start | Control Panel | User Accounts.
2. In the User Accounts window, click Create A New Account. The Name
The New Account window appears (Figure 13-22).
Figure 13-22 Using the User Accounts tool to create a new user account
3. In the Type A Name For The New Account box, type a user logon name
(up to 20 characters), and then click Next. The Pick An Account Type
window appears (Figure 13-23).
Figure 13-23 Selecting a user account type
4. Select the appropriate account type, and then click Create
Account.
5. After the account is created, select the new account and use Create A
Password to assign a password to the new user. You can also set other
options, such as the account picture, at this time.
Changing an Account
If you are logged on with an account that is a member of the Administrators
group, you can use the Pick A Task portion of the User Accounts tool to perform
the following tasks:
■ Change an account (including deleting the account)
■ Create a new user account
■ Change the way users log on or log off
If you are an administrator, you can use the Change An Account task (Figure 13-24)
to make changes to any user account on the computer.
Figure 13-24 Changing a user account
Some of the actions an administrator can perform are:
■ Change The Name Changes the user account name of an account on the computer. You see this option only if you are logged on as an administrator because only an administrator can perform this task.
■ Create A Password Creates a password for an account. You see this option only if the user account does not have a password. Only an administrator can create passwords for other users’ accounts.
■ Change The Password Changes the password for an account. You see this option instead of the Create A Password option if the user account already has a password assigned to it. Only an administrator can change passwords for other users’ accounts.
■ Remove The Password Removes the password for the account. You see this option only if the user account already has a password assigned to it. Only an administrator can remove passwords for other users’ accounts.
■ Change The Picture Changes the picture that appears on the Welcome screen. Only an administrator can change the pictures for other users’ accounts.
■ Change The Account Type Changes the account type for a specified account. Only an administrator can change the account type for a user account.
■ Delete The Account Deletes a specified user account. You see this option only if you are logged on as an administrator because only an administrator can perform this task.
NOTE Users who view their own options (including the administrator viewing her own account) will see a few differences, such as the rephrasing of the action items to use “My” instead of “The.”
A user or administrator looking at her own account will also see the Set Up My
Account To Use A .NET Passport option. Choosing this option starts the Add A
.NET Passport To Your Windows XP Professional Account Wizard. A .NET
Passport allows you to have online conversations with family and friends, create
your own personal Web pages, and sign in instantly to all .NET-enabled sites and
services. You can set up only your own account to use a .NET Passport.
NOTE When you delete a local user account, Windows XP Professional displays the Do You Want To Keep local_user_account’s Files window. If you click Keep Files, Windows XP Professional saves the contents of the local user account’s desktop and My Documents folder to a new folder called local_user_account on your desktop. However, it cannot save the local user account’s e-mail messages, Internet Favorites, or other settings.
To change your account while logged on with a limited user account:
1. Click Start | Control Panel | User Accounts. The Pick A Task window
appears.
2. Click the option for the modification you want to make, and then follow the prompts on the screen.
To change an account while logged on as an administrator:
1. Click Start | Control Panel | User Accounts.
2. In the User Accounts window, click Change An Account. The Pick An
Account To Change window appears.
3. Click the account you want to change. The What Do You Want To
Change About account_name Account window appears.
4. Click the option for the modification you want to make, and then follow the prompts on the screen.
BEST PRACTICES FOR USER ACCOUNT MANAGEMENT
The following list presents best practices for managing user accounts:
■ Provide administrators with a standard user account for their nonadministrative tasks. This prevents them from inadvertently executing any virus or other malware with Administrator privileges. Executing a virus as an administrator can have devastating consequences.
IMPORTANT Limited user accounts should be used for any task that does not require administrator-level permissions.
■ Limit the number of users in the Administrators group. The role of administrator should be reserved for experienced users who have an administrative role in the organization. Giving this role to untrained users can lead to system configuration mistakes and support issues.
■ Rename or disable the Administrator account. By renaming Administrator, you make less identifiable the one account that hackers know must be on your system. Many penetration attempts begin with attacks on common Administrator passwords.
■ Rename and disable the Guest account. The Guest account does not require a password, and it gives anyone a basic level of access to your system. It is best to rename this account and leave it disabled and to create accounts with guest privileges by placing them in the Guests group.
■ Observe the principle of least privilege. Grant users and groups only the lowest level of privileges they need to carry out their tasks.
MANAGING USER ACCOUNT–RELATED SYSTEM POLICIES
In this section, we will discuss the Group and Local Policy settings you can configure that affect users on a Windows XP system. You will learn how to manage
user rights assignment using Group Policy and how to manage settings such as
user profiles and logon scripts that run when a user logs on to a system.
Managing User Rights with Group Policy
We discussed user rights briefly earlier in the chapter. User rights are privileges
that are separate from access permissions (such as those defined by ACLs) and
apply to the role a user performs on the system. User rights are divided into two
categories: privileges and logon rights.
User Privileges
The privileges Windows XP supports include:
■ Act As Part Of The Operating System Allows a process to be authenticated
like a user and thus gain access to the same resources as a user. Only
low-level authentication services should require this privilege. Note that
potential access is not limited to what is associated with the user by
default; the calling process might request that arbitrary additional
privileges be added to the access token. The calling process might also
build an access token that does not provide a primary identity for tracking
events in the audit log.
NOTE Processes that require this privilege should use the LocalSystem
account, which already includes this privilege, rather than a separate user
account with this privilege specially assigned.
■ Back Up Files And Directories Allows the user to circumvent file and
directory permissions to back up the system. The privilege is selected only
when an application attempts access through the NTFS backup application
programming interface (API). Otherwise, normal file and directory
permissions apply.
■ Bypass Traverse Checking Allows the user to pass through folders to which
she otherwise would have no access, while navigating an object path in the
NTFS file system or in the registry. This privilege does not allow the user
to list the contents of a folder; it allows her only to traverse its
directories. This can be useful when a user wants to share a file located in
his own personal folder. If he grants permission to the file and sends the
exact UNC path to another user, the other user can open it even though she
does not have permission to the folder containing the file.
■ Change The System Time Allows the user to set the time for the internal
clock of the computer.
■ Create A Pagefile Allows the user to create and change the size of a
pagefile (by specifying a paging file size for a particular drive under
Performance Options on the Advanced tab of the System Properties dialog
box).
■ Debug Programs Allows the user to attach a debugger to any process. This
privilege provides powerful access to sensitive and critical operating
system components.
■ Force Shutdown From A Remote System Allows a user to shut down a computer
from a remote location on the network. (See also the Shut Down The System
privilege.)
■ Generate Security Audits Allows a process to generate entries in the
Security log. The Security log is used to trace unauthorized system access.
(See also the Manage Auditing And Security Log privilege.)
■ Increase Scheduling Priority Allows a process that has Write Property
access to another process to increase the execution priority of that other
process. A user with this privilege can change the scheduling priority of a
process in Task Manager.
■ Load And Unload Device Drivers Allows a user to install and uninstall
Plug and Play (PnP) device drivers. This privilege does not affect the
ability to install drivers for non-PnP devices. Drivers for non-PnP devices
can be installed only by Administrators.
NOTE Avoid assigning the Load And Unload Device Drivers privilege to users
other than administrators. Device drivers run as trusted (or highly
privileged) programs. A user who has the Load And Unload Device Drivers
privilege might unintentionally misuse it by installing malicious code
masquerading as a device driver. Administrators generally exercise greater
care and install only drivers with verified digital signatures.
■ Manage Auditing And Security Log Allows a user to specify object access
auditing options for individual resources such as files, Active Directory
objects, and registry keys. Object access auditing is not actually
performed unless you have enabled it in Audit Policy (under Security
Settings | Local Policies). A user who has this privilege also can view and
clear the security log from Event Viewer.
■ Remove Computer From Docking Station Allows the user of a portable
computer to undock the computer by choosing Eject PC from the Start menu.
■ Restore Files And Directories Allows a user to circumvent file and
directory permissions when restoring backed-up files and directories and to
set any valid security principal as the owner of an object. (See also the
Back Up Files And Directories privilege.)
■ Shut Down The System Allows a user to shut down the local computer.
■ Take Ownership Of Files Or Other Objects Allows a user to take ownership
of any securable object in the system, including Active Directory objects,
NTFS files and folders, printers, registry keys, services, processes, and
threads.
NOTE User rights, such as Take Ownership Of Files And Folders, override
even Deny permissions in NTFS. This allows Administrators to gain access to
files that might have been locked out.
User logon rights
In addition to the privileges listed above, Windows XP provides the following
user logon rights:
■ Access This Computer From A Network Allows a user to connect to the
computer over the network.
■ Allow Logon Through Terminal Services Allows a user to log on to this
computer through a Remote Desktop connection.
■ Log On As A Batch Job Allows a user to log on using a batch-queue
facility.
NOTE If IIS is installed, the Log On As A Batch Job right is automatically
assigned to a built-in account for anonymous access to IIS.
■ Log On Locally Allows a user to log on at the computer’s console.
■ Log On As A Service Allows a security principal to log on as a service.
Services can be configured to run under the LocalSystem, LocalService, or
NetworkService accounts, which have a built-in right to log on as a
service. Any service that runs under a separate user account must be
assigned this right.
■ Deny Access To This Computer From Network Prohibits a user or group from
connecting to the computer from the network.
■ Deny Local Logon Prohibits a user or group from logging on directly at
the console.
■ Deny Logon As A Batch Job Prohibits a user or group from logging on
through a batch-queue facility.
■ Deny Logon As A Service Prohibits a user or group from logging on as a
service.
■ Deny Logon Through Terminal Services Prohibits a user or group from
logging on as a Terminal Services client.
To configure user rights assignments in Windows XP:
1. Open the Group Policy Management console by clicking Start | Run
and entering Gpedit.msc in the Run dialog box. Click OK.
2. Navigate to the User Rights Assignment item (Figure 13-25) by choosing Computer Configuration | Windows Settings | Security Settings |
Local Policies | User Rights Assignment. You will see the available user
rights and their current assignments.
Figure 13-25 Managing user rights assignment using Group Policy
3. Double-click the right you want to assign. This opens the Properties
dialog box for the user right (Figure 13-26). You can add or remove
users or groups as needed for the right you are assigning.
Figure 13-26 Local Security Setting granting users and groups the right to
shut down the local system
Managing User Account Settings with Group Policy
Local Security Policy allows you to manage settings such as the complexity of
passwords that are allowed, the number of incorrect logon attempts allowed, and
the logon script that runs after the user logs on. In an Active Directory environment, administrators have even more control of user account management—they
can control the management of roaming profiles and override Local Security
Policy with domain-level policies.
Password Policy
You can manage the complexity of users’ passwords by using the Password Policy
settings under Account Policies (Figure 13-27).
Figure 13-27 Managing password policy settings
The settings are:
■ Enforce Password History Configures the number of passwords Windows XP
remembers when requiring a user to select a unique password. If you
configure this setting to 32, the user will not be allowed to use any of her
last 32 passwords when setting a new password.
■ Maximum Password Age Sets the password expiration interval for user
accounts. When an account’s password reaches the age specified in this
setting, the user is prompted to change his password.
■ Minimum Password Age Prevents a user from changing passwords too
frequently. Combined with Enforce Password History, it stops a user from
cycling straight back to an old password: with a history of 32, a user must
change her password 32 times before returning to the one she started with,
and a minimum password age of 1 day means this takes at least 32 days.
■ Minimum Password Length Prevents users from choosing passwords that are
too short to have any real strength. Many organizations set this value to
6, 8, or even 14.
■ Password Must Meet Complexity Requirements Implements several strength
requirements for a new password. It must not contain all or part of the
user’s account name, must be at least six characters in length, and must
contain characters from three of the following four categories:
❑ English uppercase characters (A through Z)
❑ English lowercase characters (a through z)
❑ Base 10 digits (0 through 9)
❑ Nonalphanumeric characters (such as !, $, #, %)
■ Store Password Using Reversible Encryption Causes Windows XP to store the
user’s password using a type of encryption that can be easily reversed for
use by programs that require the user’s password.
CAUTION Enabling the Store Password Using Reversible Encryption setting
weakens a system’s security. It is only slightly better than storing the
password as plaintext. You should avoid this setting if at all possible
because it drastically weakens security.
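The history, minimum-length and complexity rules just listed, re-implemented in Python as an added example (not code from the book or from Windows) so the effect of each setting can be tested against sample passwords. The policy values, the account name ARuth and the three-character floor for account-name fragments are constructed assumptions.

```python
"""Password Policy model: history, minimum length and complexity requirements.

Added example, not code from the book or from Windows. The account name,
policy values and three-character floor for account-name fragments are
constructed assumptions used to illustrate the documented rules.
"""
import string
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    enforce_password_history: int = 24    # previous passwords remembered; 0 = none
    minimum_password_length: int = 8      # 0 = no length requirement
    complexity_required: bool = True      # Password Must Meet Complexity Requirements


def _name_fragments(account_name: str) -> List[str]:
    """Fragments of the account name that a password must not contain.

    Assumption for this example: the whole name plus any token of three or
    more characters once the name is split on common separators.
    """
    if not account_name:
        return []
    fragments = [account_name.lower()]
    tokens = account_name
    for sep in " ,.-_#\t":
        tokens = tokens.replace(sep, " ")
    fragments += [t.lower() for t in tokens.split() if len(t) >= 3]
    return fragments


def meets_complexity(account_name: str, password: str) -> bool:
    """The three complexity rules listed in the text."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if any(fragment in lowered for fragment in _name_fragments(account_name)):
        return False
    alnum = string.ascii_letters + string.digits
    categories = [
        any(c in string.ascii_uppercase for c in password),   # A through Z
        any(c in string.ascii_lowercase for c in password),   # a through z
        any(c in string.digits for c in password),            # 0 through 9
        any(c not in alnum for c in password),                # !, $, #, % ...
    ]
    return sum(categories) >= 3


def validate_new_password(policy: PasswordPolicy, account_name: str,
                          new_password: str, history: List[str]) -> List[str]:
    """Return the policy violations for a proposed change; empty means allowed.

    `history` holds the user's earlier passwords, oldest first; only the last
    `enforce_password_history` entries count. (Windows keeps hashes, not
    plaintext; plaintext is used here only to keep the example readable.)
    """
    problems = []
    if policy.minimum_password_length and len(new_password) < policy.minimum_password_length:
        problems.append(f"shorter than {policy.minimum_password_length} characters")
    if policy.complexity_required and not meets_complexity(account_name, new_password):
        problems.append("does not meet complexity requirements")
    remembered = history[-policy.enforce_password_history:] if policy.enforce_password_history else []
    if new_password in remembered:
        problems.append(f"reuses one of the last {policy.enforce_password_history} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: history of 32, minimum length 8, complexity on.
    policy = PasswordPolicy(enforce_password_history=32)
    for candidate in ["Brahman~234", "aruth2024!", "password1", "Ab1!xyz"]:
        print(candidate, validate_new_password(policy, "ARuth", candidate, ["Brahman~234"]))
```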
Account Lockout Policy
Strong passwords are part of a strong defense against penetration of the system. The ability to sense when someone is attempting to penetrate a system
and lock out the applicable account completes the equation. Account lockout
policies (Figure 13-28) provide this control.
Figure 13-28 Managing account lockout policy settings
Windows XP has the following policies that control account lockouts:
■ Account Lockout Duration Controls how long an account is locked out after
the lockout threshold value has been met. Settings of 30 minutes or more
will thwart most hack attempts.
■ Account Lockout Threshold Controls the number of invalid logon attempts
against an account before it is locked out. Many organizations set this
value to 3.
■ Reset Account Lockout Counter After Controls the amount of time that
invalid logon attempts will accumulate toward the lockout threshold. If the
time set here expires, the lockout counter is reset.
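How the three lockout settings interact, modelled in Python as an added example (not the book's or Windows' code): constructed sequences of timestamped logon attempts are replayed against a threshold of 3, a 30-minute reset window and a 30-minute lockout duration, and against a duration of 0, which the user interface treats as "until an administrator unlocks".

```python
"""Account Lockout Policy model: threshold, reset window and lockout duration.

Added example, not code from the book or from Windows. Times are minutes,
as in the Local Security Policy user interface; BASE and the logon
sequences in main() are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    lockout_threshold: int = 3          # invalid attempts before lockout; 0 = never lock
    reset_counter_after_min: int = 30   # failures older than this no longer count
    lockout_duration_min: int = 30      # 0 = locked until an administrator unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None
    locked_indefinitely: bool = False


def is_locked(state: AccountState, now: datetime) -> bool:
    """True while the account is locked out at time `now`."""
    if state.locked_indefinitely:
        return True
    return state.locked_until is not None and now < state.locked_until


def administrator_unlock(state: AccountState) -> None:
    """Clear the lockout the way an administrator does in Local Users and Groups."""
    state.bad_count = 0
    state.last_bad = None
    state.locked_until = None
    state.locked_indefinitely = False


def attempt_logon(policy: LockoutPolicy, state: AccountState,
                  now: datetime, password_ok: bool) -> bool:
    """Process one logon attempt and return True if it succeeds."""
    # Automatic unlock once Account Lockout Duration has elapsed.
    if state.locked_until is not None and now >= state.locked_until:
        state.locked_until = None
        state.bad_count = 0
        state.last_bad = None
    if is_locked(state, now):
        return False                   # refused even with the right password
    if password_ok:
        state.bad_count = 0            # a successful logon clears the counter
        state.last_bad = None
        return True
    # Reset Account Lockout Counter After: stale failures stop accumulating.
    window = timedelta(minutes=policy.reset_counter_after_min)
    if state.last_bad is not None and now - state.last_bad >= window:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = now
    # Account Lockout Threshold reached: apply Account Lockout Duration.
    if policy.lockout_threshold and state.bad_count >= policy.lockout_threshold:
        if policy.lockout_duration_min == 0:
            state.locked_indefinitely = True
        else:
            state.locked_until = now + timedelta(minutes=policy.lockout_duration_min)
    return False


BASE = datetime(2005, 1, 10, 9, 0)   # constructed start time for the samples


def run_attempts(policy: LockoutPolicy,
                 attempts: List[Tuple[int, bool]]) -> Tuple[List[bool], AccountState]:
    """Replay (minutes_after_BASE, password_ok) pairs; return outcomes and final state."""
    state = AccountState()
    outcomes = [attempt_logon(policy, state, BASE + timedelta(minutes=m), ok)
                for m, ok in attempts]
    return outcomes, state


if __name__ == "__main__":
    # Constructed burst: three bad passwords in two minutes, then the right one.
    outcomes, state = run_attempts(LockoutPolicy(),
                                   [(0, False), (1, False), (2, False), (5, True), (32, True)])
    print("burst:", outcomes, "locked until", state.locked_until)
    # Constructed slow guessing: one failure every 31 minutes never reaches a threshold of 3.
    outcomes, state = run_attempts(LockoutPolicy(), [(0, False), (31, False), (62, False)])
    print("spaced:", outcomes, "bad_count", state.bad_count)
```

The spaced sequence is the defender's caveat: the reset window bounds how long failures accumulate, so the threshold only catches attempts that arrive faster than the window.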
USING CACHED CREDENTIALS IN WINDOWS XP
Windows XP operating in a standalone environment contains all the security
properties for users within its own security management database. When it is
a member of a domain, however, it relies on the domain’s Active Directory to
authenticate users during logon and while performing tasks that require
authentication.
The requirement of having Active Directory available for authentication would
pose a problem for mobile users or workstation users when a domain controller
is not available if it were not for the ability of Windows XP to cache a user’s
authentication credentials for use while offline. Cached credentials are also used
to make logging on quicker by allowing a user to be authenticated locally before
network services are fully launched during startup.
Understanding Cached Credentials
By default, Windows XP caches the logon credentials of the last 10 users who
have logged on to a system. A user can continue to log on and use a system that
might not be able to communicate with a domain controller, such as a notebook
computer away from the home office or a workstation during an outage of a
domain controller at the user’s site. When cached credentials are in use, the
user cannot access data stored in his home folder and the system will not
run logon scripts that might be used to connect him to additional network
resources.
Managing Cached Credentials
Cached credentials are encrypted and stored in a hidden portion of the registry.
You can control the number of logons that are cached by using Local Security
Policy (Figure 13-29). You can change the value of the Interactive Logon:
Number Of Previous Logons To Cache setting. Setting it to 0 disables cached
credentials.
Figure 13-29 Managing cached credentials
Troubleshooting Cached Credentials
Issues arising from the use of cached credentials can take the following forms:
■ Cached credentials are out of date If a user’s credentials are out of
date—for instance, if her password has been changed—she might attempt to
access resources that already know about the new password. In this case,
she is presented with an additional logon dialog box before she can access
the resource.
■ User does not have credentials cached If the user has not logged on to a
system before and a domain controller is not available, she will not be
allowed to log on because her credentials are not yet cached. In this case,
a domain controller must be made available to the system before the user
can log on.
■ Cached credentials are disabled on a notebook computer If a traveling
user is using a notebook computer that has had cached credentials disabled,
she will not be able to log on because the notebook computer will not have
credentials cached for her.
SUMMARY
■ User accounts are used to control access to resources in Windows XP. You
can collect user accounts into groups and control permissions to resources
by group to simplify resource management.
■ User rights are used to control the tasks that users can perform with the
Windows XP operating system. Rights differ from permissions in that they
typically relate not to access control but to a user’s ability to perform
certain tasks.
■ Plan user accounts and resource permissions by gathering resources, such
as files, into collections. Assign permissions to user groups based on
their access requirements.
■ Use a naming convention to ensure that usernames are uniform and
meaningful to your organization. This might include deciding how to handle
potential duplicate usernames, such as by adding a middle initial or a
number.
■ Require complex passwords to strengthen security. Passwords can be
strengthened by increasing their length and complexity. Methods of
increasing complexity might involve mixing uppercase and lowercase letters,
numbers, and nonalphanumeric characters.
■ User accounts can be managed with Local Users and Groups in Computer
Management or in a custom user management console. You can also manage them
using the User Accounts application in Control Panel and at the command
line using the NET USER command.
■ Cached credentials allow users to access local resources during periods
when domain controllers are not available. They are stored in the registry.
Before cached credentials can be used to access a system, the user must
have logged on while the system was in communication with a domain
controller.
REVIEW QUESTIONS
1. You are configuring users and groups on a Windows XP system that is used
as a file and print server. Using built-in groups, which group would you
place users in to allow them to add users and install applications?
a. Administrators
b. Power Users
c. Users
d. Backup Operators
2. A user accessing files on your system across the network is a member
of which implicit group(s)? (Choose all correct answers.)
a. Creator Owner
b. Everyone
c. Interactive
d. Network
3. Which of the following command-line commands will change Andy
Ruth’s password?
a. NET USER ARuth /Passwordchg:Brahman~234
b. NET USER ARuth Brahman~234
c. NET USER ARuth Brahman~234 /D
d. NET USER /U:ARuth /P:Brahman~234
4. Which of the following tools can you use to add, manage, and remove
local user accounts in Windows XP? (Choose all correct answers.)
a. Computer Management
b. User Manager
c. NET USER
d. Active Directory Users and Computers
5. Which of the following Net.exe commands adds the users CGarcia,
RWalters, and LMather to the Finance Local Group?
a. Net Group Finance CGarcia RWalters LMather /Add
b. Net Localgroup Finance CGarcia RWalters LMather
c. Net Group Finance CGarcia RWalters LMather
d. Net Localgroup Finance CGarcia RWalters LMather /Add
6. Which of the following tasks can you perform with the User Accounts
tool in Control Panel? (Choose all correct answers.)
a. Add users
b. Add groups
c. Rename users
d. Change users’ passwords
7. Which of the following user rights are required to allow a user to log on to a
system and back up files and folders to tape? (Choose all correct answers.)
a. Access This Computer From A Network
b. Log On Locally
c. Backup Files And Directories
d. Restore Files And Directories
8. A notebook computer user calls you from a hotel room. Her notebook
computer was assigned to her for this trip, and she didn’t have time to
log on and check it before she left. She cannot log on, and she gets an
error message that says a domain controller cannot be found. What
could be causing her problem? (Choose all correct answers.)
a. Her user account was not added in Local Users and Groups.
b. Cached credentials are disabled for that computer.
c. She never completed a domain logon to cache her logon credentials.
d. Her notebook computer is not a domain controller.
CASE SCENARIOS
Scenario 13-1: Designing Accounts for a Field Office
You have been hired to set up user accounts for a small sales office for a heavy
equipment manufacturer. The office has four salespeople, a manager, and two
part-time receptionists. The system used for file storage has three folders set up
for document storage. See Figure 13-30 for an illustration.
Figure 13-30 Sales office in need of user account management (the figure
shows the Sales Reports, Marketing Materials, and Management Documents
folders alongside the Sales, Receptionists, and Manager users)
The receptionists help the sales force with sales reports and are also responsible
for maintaining documents in the Marketing Materials folder as they come in
from the home office. The salespeople need to be able to work on their own
reports and print marketing materials as needed. The office manager needs
access to all folders and is also responsible for maintaining documents in the
Marketing Materials folder as they come in from the home office.
Answer the following questions about this scenario:
1. List the user groups you would set up in this scenario.
2. Which groups should have access to modify the contents of the Marketing Materials folder?
3. What level of permission should the receptionists have to each folder?
a. Modify permission to all folders
b. Modify permission to Sales Reports and Marketing Materials,
none to Management Documents
c. Modify permission to Sales Reports and Marketing Materials,
Read permission to Management Documents
d. Modify permission to Sales Reports, Read permission to Marketing Materials, none to Management Documents
Scenario 13-2: Protecting Files on a Military System
You are hired as a civilian contractor on a military installation. You are assigned to
manage the commanding general’s computer. He wants to be sure that documents
on the computer are accessible only by him, and not even by administrators.
Answer the following questions about this scenario:
1. If all the sensitive files are in a single folder, what permissions should
you give to that folder?
2. Administrators can use their ownership privileges to change permissions even when they do not have access, so how can you assure the
general that the files can never be seen by administrators? (Choose the
two answers that form the correct response.)
a. Remove the Administrators group’s privilege to take ownership of
files on that computer.
b. Remove all users from the Administrators group.
c. Have the general take ownership of the folder.
d. Assign the Administrators group Deny Take Ownership on the folder.
CHAPTER 14
CONFIGURING AND MANAGING COMPUTER SECURITY
Upon completion of this chapter, you will be able to:
■ Configure and manage Local Security Policy
■ Manage security configuration with templates
■ Establish and monitor a security audit policy
This chapter expands on the security topics discussed in earlier chapters. You
will learn more about the Local Security Policy console and the related Domain
Security Policy console. We will explore security policy templates and their use in
configuring multiple systems to a standard security profile. Finally, we will discuss implementing a security audit policy and monitoring security audit logs.
UNDERSTANDING SECURITY POLICY
Policy-based management has been a goal for the Windows desktop and server
operating systems for a long time. Beginning with Windows 2000, policy management was unified under a single model that was applicable to any level of a
network infrastructure. Using Group Policy, you could apply a security policy to
a domain and have it apply to every computer in the domain. This dramatically
simplified security configuration for many organizations.
In this section, we will discuss policy-based management of security configurations. We will begin by exploring Local Security Policy. You will learn how to
configure security settings on an individual system and then see how that
method can be applied to hundreds or even thousands of systems by just changing the scope of control. You will learn how you can set default security policy
for an entire enterprise in just a few hours.
Local Security Policy
Local Security Policy is a subset of the Group Policy structure for a system.
You configure it in the Security Settings section of the Group Policy console
(Gpedit.msc). This section is located under Windows Settings in Computer
Configuration (Figure 14-1).
Figure 14-1 The Security Settings section of the Group Policy console
You can also display Local Security Policy directly by opening the Local Security
Policy console (Figure 14-2). This console has only settings directly related to
computer security, so it is favored by administrators who want to concentrate
solely on security. You can launch this console from the Administrative Tools
menu or by executing Secpol.msc.
CHAPTER 14:
CONFIGURING AND MANAGING COMPUTER SECURITY
Figure 14-2 The Local Security Policy console
The Account Policies section of Local Security Policy includes settings related to
passwords and account lockout (discussed in Chapter 13). The Local Policies section is for configuring security auditing, assigning user rights, and Windows XP
security configuration:
■ Audit Policy Specifies activities that will be audited and recorded in
the system’s Security event log. These can include successful and
unsuccessful logons, use of resources, and use of privileges. We will
discuss these options in more detail later in this chapter.
■ User Rights Assignment Specifies which tasks or roles a user can perform
on a system. User rights (covered in Chapter 13) include the ability to
shut down the system or to log on to the system interactively.
■ Security Options Includes more than 60 security options, some relating to
use in an Active Directory domain but most of them directly affecting local
system operation. (See Figure 14-2 above.)
Security options
The most important system-related security options are:
■ Accounts: Administrator Account Status Allows an Administrator to disable
the local Administrator account. Disabling the account means it cannot be
used in attempts to penetrate the system.
■ Accounts: Guest Account Status Allows you to enable the Guest account,
which is disabled by default. Enabling this setting prevents it from being
enabled by using Local Users and Groups.
■ Accounts: Rename Administrator Account Allows you to rename the
Administrator account. This prevents attempts to use the Administrator
account by name. Attempts to access the Administrator account by using its
security identifier (SID), however, can still work.
■ Accounts: Rename Guest Account Allows you to rename the Guest account.
Attempts to access the Guest account by using its SID can still work.
■ Audit: Shut Down System Immediately If Unable To Log Security Audits
Specifies a system shutdown if the security audit log becomes full. This
prevents hackers from disguising their activities by overflowing the
Security log. It also ensures that all auditable events are recorded. Use
this setting carefully, however—you want to avoid unintended system
shutdowns. This setting is typically used only in systems where security
concerns override availability considerations.
■ Devices: Prevent Users From Installing Printer Drivers Blocks system
users from installing untrusted printer drivers. If this setting is
enabled, only administrators and power users are allowed to install printer
drivers.
■ Devices: Restrict CD-ROM Access To Locally Logged-On User Only Prevents
users from accessing the contents of a CD-ROM disk across the network while
a user is logged on to the system locally. This avoids contention for the
CD-ROM drive.
■ Devices: Restrict Floppy Access To Locally Logged-On User Only Prevents
users from accessing the contents of a floppy disk across the network while
a user is logged on to the system locally. This avoids contention for the
floppy drive.
■ Devices: Unsigned Driver Installation Behavior Administratively
configures the unsigned driver settings in Device Manager. The available
options are:
❑ Silently Succeed
❑ Warn But Allow Installation
❑ Do Not Allow Installation
❑ Not Defined
NOTE For a review of the implications of using unsigned drivers, see the
section on driver signing in Chapter 4.
■ Interactive Logon: Do Not Display Last User Name Causes Windows XP to
clear the Username field in the Log On To Windows dialog box. This setting
prevents unauthorized users from seeing the previous user’s username. Not
having a username to crack makes it much harder to mount an attack.
■ Interactive Logon: Do Not Require CTRL+ALT+DEL Disables the requirement
to use the CTRL+ALT+DEL sequence to log on to Windows. (This secure
sequence prevents a program from mimicking a logon dialog box to capture
usernames and passwords.) Use this setting to allow those with
accessibility concerns to more easily log on to Windows.
■ Interactive Logon: Message Text For Users Attempting To Log On Allows an
administrator to configure a logon banner that can display a legal warning
or other banner message prior to logon. This can make the prosecution of an
attacker more successful because there can be no question about your policy
regarding unauthorized access.
■ Interactive Logon: Number Of Previous Logons To Cache (In Case Domain
Controller Is Not Available) Configures the number of previous logons to
cache for use with cached credentials (as covered in Chapter 13).
■ Interactive Logon: Prompt User To Change Password Before Expiration
Specifies display of a warning to users when their password is nearing
expiration, to give them time to construct another complex password.
■ Interactive Logon: Require Smart Card Requires a user to present a smart
card for authentication. This allows an organization to enforce smart card
use if its systems are configured for smart card authentication. (Smart
card authentication requires a public key infrastructure [PKI] to support
the use of smart card certificates.)
■ Interactive Logon: Smart Card Removal Behavior Configures how the system
responds when a user removes her smart card. Available options are:
❑ No Action
❑ Lock Workstation
❑ Force Logoff
❑ Not Defined
■ Network Access: Let Everyone Permissions Apply To Anonymous Users
Reverses the removal of anonymous users from the Everyone user group. If
you enable this setting, anonymous users (users who have not provided
identity information to enumerate shares and account names in the system)
are placed in the Everyone group on the system, potentially increasing the
security exposure of your system.
■ Shutdown: Allow System To Be Shut Down Without Having To Log On Allows a
user to access the Shut Down command in the Log On To Windows dialog box.
If this setting is disabled, a user has access to this command only if she
is first authenticated by the system and then granted the right to shut
down the system. You can use this setting in concert with the Shut Down The
System user right to protect against shutdowns by unauthorized users.
■ Shutdown: Clear Virtual Memory Page File Ensures that any sensitive
information in the virtual memory page file cannot be accessed by booting
the computer into another operating system. When this setting is enabled,
the page file is cleared each time the system is shut down. Enabling this
setting increases shutdown times.
Domain Security Policy
The Domain Security Policy console (Figure 14-3) is nearly identical to the Local
Security Policy console. The principal difference is in the scope of the policy it
manages. Domain Security Policy is applied at the domain level and applies to
every computer that is part of the domain. Domain Security Policy overrides even
Local Security Policy, ensuring every system has consistent security settings.
Figure 14-3 Domain Security Policy console
NOTE You can also define security policy at the organizational unit
(OU) level. OU-level policies override domain-level policies, allowing domain
administrators to create exceptions for a certain class or group of computers. An example of this practice can be found in the Domain Controllers OU in Active Directory.
MANAGING SECURITY POLICY
One great advantage of using Group Policy to implement security settings is that
you can collect a group of settings into a single template. You can create or change
templates using the Security Templates Microsoft Management Console snap-in,
and you can use templates with the Security Configuration and Analysis snap-in
to configure Local Security Policy. We will discuss how to manage templates with
both tools.
NOTE Domain administrators can also use security templates to configure Domain Security Policy, which means they can quickly configure security policy for an entire enterprise.
Predefined Security Templates
Windows XP ships with predefined security templates and creates a baseline
security template during installation for the purpose of returning any misconfigured settings to their original installation values. The security templates included
with Windows XP are:
■ Setup security.inf: Stores all the security configuration settings that
were in effect when the system was installed. By importing portions of
this template, you can restore faulty security configurations to their initial settings. This is a large template, so you should not use it in a domain
setting to apply security configurations to a large number of systems.
CAUTION Do not modify Setup security.inf—you might need to revert to these settings someday. If you want to work with this template, copy it and make modifications to the copy.
■ Compatws.inf: Relaxes certain file system and registry settings to
allow programs not compatible with Windows XP to operate without
the need to elevate users to power user status. This template also
removes all users from the Power Users group. (Some users might
really belong in the Power Users group, so be sure to restore them after
applying this template.)
■ Securews.inf: Configures security settings that are least likely to affect application compatibility. They include:
❑ Stronger password, account lockout, and audit settings
❑ Strong authentication for connections to servers
❑ Restrictions on anonymous enumeration of shares and usernames
The Securedc.inf template is similarly configured but is intended for
use with domain controllers.
■ Hisecws.inf: A template designed for maximum workstation security. It removes all but the Local Administrator and Domain Admins
from the Administrators group and removes all users from the Power
Users group. It also requires strong authentication between clients and
servers. Hisecdc.inf is the equivalent template for domain controllers.
■ Rootsec.inf: Applies default root file system security settings to a
workstation. This template is useful when the initial installation permissions might have been modified.
Creating a Custom Security Policy Management Console
To view, create, and modify security templates, you use the Security Templates
Microsoft Management Console snap-in. To analyze and apply security settings
from a template, you use the Security Configuration and Analysis snap-in. To
make all these management tasks easier, you can create a custom Security Policy
Management console that includes these two snap-ins. You can do so by modifying an existing custom Microsoft Management Console session or creating a new
console. In this section, we will construct a new custom console.
To create the custom console, take these steps:
1. Open a blank Microsoft Management Console session by choosing
Start | Run and entering mmc in the Run dialog box. Click OK to
launch the Microsoft Management Console (Figure 14-4).
Figure 14-4 Opening a blank Microsoft Management Console session
2. Choose File | Add/Remove Snap-in to open the Add/Remove Snap-in
dialog box. Click Add to open the Add Standalone Snap-In dialog box
(Figure 14-5).
Figure 14-5 Choosing a standalone snap-in
3. Select Security Templates, and click Add. This adds the snap-in used to
modify security configuration templates.
4. Select Security Configuration And Analysis. Click Add to add it to the
new console as well.
5. Click Close to close the Add Standalone Snap-In dialog box, and click
OK to close the Add/Remove Snap-In dialog box. This leaves you with a
console you can use to design and apply security templates (Figure 14-6).
Figure 14-6 Your new Security Policy Management console
6. Save the new console with a descriptive name, such as Security Policy
Management Console.msc.
Viewing, Modifying, and Creating a Security Template
To view, modify, or create a security template, expand the Security Templates
snap-in in your custom console. You will see the Security Templates folder listed;
this is where security templates are stored.
■ Viewing a template: Expand the Security Templates folder to see the default templates. Expand a template to see its Local Security Policy settings (Figure 14-7).
Figure 14-7 Viewing a security template
■ Modifying a template: After expanding a template in the Security
Templates folder, double-click any Local Security Policy setting you
want to manage (Figure 14-8). Specify the settings you want, and save
your modified template by right-clicking the template name and choosing Save or Save As (Figure 14-9). Your settings will apply to any
computer or domain to which this template is applied.
The newly saved template appears with the other templates in the
Security Templates snap-in for future modification (Figure 14-10).
Figure 14-8 Configuring a setting in the Compatws.inf template
Figure 14-9 Saving a custom security template
Figure 14-10 The new template
■ Creating a new template: Instead of using a standard template as
a baseline for a new template, you can also begin with a new, blank template. Right-click the Security Templates folder and choose New Template
(Figure 14-11). This creates a new template with no settings defined. You
can name it and then open it to configure security policy settings.
Figure 14-11 Creating a new security template
Analyzing and Configuring Security Settings
Once you have created or modified a template, you can compare its settings to settings on a live system and apply your settings to the system’s Security Policy. You do
this using the second tool in our custom console: the Security Configuration and
Analysis snap-in (Figure 14-12). This snap-in allows you to manage a database of
security configuration settings and compare them with security templates. You can
thus see how a template would change security on the system you are evaluating.
Figure 14-12 The Security Configuration and Analysis snap-in
Creating a security configuration database
To begin analyzing security for a system, you must first create a security analysis
database. This database holds the security template settings and allows them to
be compared against actual system configuration.
1. Right-click the Security Configuration And Analysis item in your custom console and choose Open Database (Figure 14-13). In the Open
Database dialog box, type a name for the database. Click Open.
Figure 14-13 Creating a security configuration database
2. In the list of security templates you can import, choose the appropriate
template (Figure 14-14). Click Open.
Figure 14-14 Importing a security template
The template you select will be used for comparison with actual
system settings. If you have previously imported a template, select
the Clear This Database Before Importing check box to remove any
previous items.
Analyzing and configuring security settings in the template
Using the security configuration database you have created, you can analyze or
configure the security settings in your template. Analyzing security settings
means comparing your existing settings with those in the security template you
have imported. Configuring the security settings means actually applying those
settings in the template.
CAUTION Do not configure the security settings in the template until you are certain they are correct for your application. You cannot undo security settings by removing a template. The only way back to your original settings would be to import the settings from the Setup Security template or perform a System Restore from a restore point saved before the template was applied. The Setup Security template changes settings back to those originally installed on the system. This might remove desirable settings that you configured in the interim.
To analyze or configure security settings in a template, take these steps:
1. Right-click Security Configuration And Analysis in your custom console, and choose Analyze Computer Now (Figure 14-15). When asked,
specify a logfile for errors. The analysis continues.
Figure 14-15 Analyzing computer security settings
2. When the analysis is complete, you see a screen showing the results.
Browse to the settings you want to evaluate (Figure 14-16). You will see
a red circle with a white X next to settings that are not consistent with
the template, and a green check mark for settings that are consistent
with the template.
Figure 14-16 Security analysis results
3. If you want the items marked with the red circle and white X to conform to the security template, right-click Security Configuration And
Analysis and choose Configure Computer Now.
Exporting Security Templates
If you have already applied the exact security configuration you need to your
entire system, you can export those security settings to a template file. You can
import this template into Domain Security Policy or the security policy for an OU
to define security settings for all systems in that domain or unit.
To export a security template, take these steps:
1. Right-click Security Configuration And Analysis in your custom console and choose Export Template (Figure 14-17).
Figure 14-17 Exporting a security template
2. In the Export Template To dialog box, specify a name for the template
and then click Save. You can now use the exported template to configure security on other systems.
Managing Security Policy with Secedit.exe
You can also configure security from a command prompt, by using the
Secedit.exe command (Figure 14-18).
Figure 14-18 Using Secedit.exe to analyze system configuration against a security template
This command supports four options:
■ /Analyze: Analyzes current configuration against a specified template.
The syntax for Secedit allows you to specify a database file and a template file. Analysis occurs in much the same way as with the Security
Configuration and Analysis tool.
■ /Configure: Configures system security to conform to the specified
template.
■ /Export: Exports the current security configuration as a template file.
■ /Validate: Validates the structure and syntax of the specified template file. This is useful before you import the template file to make sure it contains no errors related to improper file format or syntax.
NOTE For more on the syntax and use of Secedit.exe, search on “Secedit” in the Windows XP Help and Support Center.
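The comparison that the Security Configuration and Analysis snap-in and Secedit /analyze perform, as an added Python example that is not code from the book or from Microsoft: it checks every setting in a template against an exported copy of the current configuration, using two constructed template fragments in the .inf layout of the chapter's templates. The secedit commands named in its docstring are real; the file names are placeholders.

```python
"""Offline version of the Security Configuration and Analysis check.

Added example, not code from the book or from Microsoft. Every setting a
template defines is compared with the matching current setting, as the
snap-in and 'secedit /analyze' do. Both inputs use the .inf layout of the
chapter's templates; on a real system the current side would come from
'secedit /export /cfg current.inf' (real command, placeholder file name).
"""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Template sections that carry policy ([Unicode] and [Version] are metadata).
POLICY_SECTIONS = ("System Access", "Event Audit", "Registry Values", "Privilege Rights")
# [Event Audit] values: bit 1 = audit successes, bit 2 = audit failures.
AUDIT_NAMES = {"0": "No auditing", "1": "Success", "2": "Failure", "3": "Success, Failure"}

# Constructed sample template, trimmed to a few settings.
TEMPLATE_INF = r"""
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-545
"""

# Constructed sample export from a system still running default settings.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-545,*S-1-5-32-544
"""


@dataclass(frozen=True)
class Finding:
    section: str
    setting: str
    expected: str
    actual: str | None
    status: str  # "ok" (green check), "mismatch" (red X) or "not_defined"


def parse_inf(text: str) -> configparser.ConfigParser:
    """Parse template text; keys keep their case and '%' is not special."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # registry paths and privilege names are case-sensitive
    cp.read_string(text)
    return cp


def normalize(section: str, value: str) -> object:
    """Make values comparable: SID lists become sets, registry data (type, data)."""
    value = value.strip().strip('"')
    if section == "Privilege Rights":
        return frozenset(s.strip() for s in value.split(",") if s.strip())
    if section == "Registry Values":
        reg_type, _, data = value.partition(",")
        return (reg_type.strip(), data.strip())
    return value


def analyze(template_text: str, current_text: str) -> list[Finding]:
    """Check every template setting against the current configuration."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section in POLICY_SECTIONS:
        if not template.has_section(section):
            continue
        for key, expected in template.items(section):
            actual = current.get(section, key, fallback=None)
            if actual is None:
                status = "not_defined"  # the system has no value to compare
            elif normalize(section, expected) == normalize(section, actual):
                status = "ok"
            else:
                status = "mismatch"
            findings.append(Finding(section, key, expected.strip(), actual, status))
    return findings


def describe(f: Finding) -> str:
    """One report line per setting, with the snap-in's check / X marking."""
    mark = {"ok": "[OK]", "mismatch": "[X ]", "not_defined": "[? ]"}[f.status]
    shown = AUDIT_NAMES.get(f.expected, f.expected) if f.section == "Event Audit" else f.expected
    return f"{mark} {f.section}: {f.setting} = {shown} (current: {f.actual})"


if __name__ == "__main__":
    for finding in analyze(TEMPLATE_INF, CURRENT_INF):
        print(describe(finding))
```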
MANAGING SECURITY AUDIT POLICY
Perhaps the most important aspect of security planning and implementation is
determining whether your efforts have been successful. Unwatched, a hacker can
gain access to sensitive documents, copy them, and exit your systems without
your knowledge. Only by monitoring the actions of users working with sensitive
data can you know whether security has been compromised.
Actions That Can Be Audited
The auditing of each type of action can detect a different type of suspicious
activity. You can configure audit policies to record events in the system’s security log for the following actions:
■ Successful and unsuccessful account logon events: An account
logon event is generated each time a user tries to use credentials from
a logon at a local system to gain access to resources on a remote system. These pass-through logon attempts can be recorded to see if any
users are attempting to access documents or resources they have no
legitimate need to access.
■ Successful and unsuccessful user account management: An
event of this type is generated each time an administrator manages
another user’s account. Auditing these events helps ensure that
administrators are not working in collusion with other users to commit theft or espionage by elevating their access temporarily and then
returning it to normal.
■ Directory service access: This type of event is generated for each
attempt to access objects in Active Directory that have system access
control lists (SACLs) defined. You can define SACLs on certain Active
Directory objects to see who is accessing them. This policy activates
the actual logging of the access events.
Note that this is a two-part setting. To successfully audit access, you
must activate auditing with this policy and then establish SACLs in
the objects you want to audit. You do this on the Security tab of the
Properties dialog box for the object in question.
■ Successful and unsuccessful logon events: This event logs
attempts to log on to the local system, either interactively or over the
network. Unsuccessful attempts to access the system might indicate a
penetration attempt. This policy differs from the account logon event
because it logs local logon attempts rather than attempts to access
remote resources. You can track attempted logon events in both
directions for additional corroboration.
■ Successful and unsuccessful object access: This type of event
tracks attempts to access resources on the system. These resources
can be files, folders, printers, or even registry keys. To track this
action, you must enable auditing with a security policy and configure
a SACL on the object or objects you want to audit.
■ Policy changes: This event tracks whether policies themselves
(including audit policies) have been changed. This is another important action to audit if administrator collusion in theft or espionage
is suspected.
■ Use of user rights and privileges: This event monitors use of user
rights such as Shut Down The System to determine whether any
users are abusing their rights. For example, you can monitor the use
of the Take Ownership user privilege to help detect improper access
of certain sensitive documents.
■ Audit process tracking: This event helps developers monitor the
behavior of their programs. This group of options enables auditing
for process startup, object accesses by the process, process failures,
and process shutdowns.
■ System events such as startups and shutdowns: This series of
events helps you track who is restarting the system or shutting it
down. This helps you detect whether an administrator is installing
unauthorized software or restarting the system to cover certain suspicious activities.
In addition to the audit types, which are configured under Audit Policies, three
settings are configured in the Security Options area of Local Security Policy. (The
first two generate large volumes of audit log entries, so keep audit log management considerations in mind if you are considering using them.)
■ Audit The Access Of Global System Objects: Enables the auditing
of attempts to access portions of the kernel such as threads and
mutexes. Suspicious programs might try to access these features to
attempt to work around security.
■ Audit The Use Of Backup And Restore Privilege: Tracks the use
of the Backup and Restore Objects privilege for the backup and restoration of objects by users who do not normally have permission to
read or write those objects. This can expose attempts to use backup
privileges to copy files for malicious purposes, such as espionage.
■ Shut Down The System Immediately If Unable To Log Security Audits: Shuts down the system if the security log becomes full, so that no auditable event goes unrecorded. For full reliability of audit logs, this setting
also requires that the Security event log be configured to allow
growth to a maximum size and not allow security log entries to be
overwritten.
Planning an Audit Policy
Effective auditing requires careful planning. You need to know auditing goals and
what type of information you require from the process. You must make an administrator responsible for managing the event log and reporting suspicious activity
to the proper people.
Determining audit requirements
Before setting up auditing on a system, you must fully understand the types of
threats you are looking for. Are you mainly concerned about attempts to access
the system from the keyboard? Or are you more concerned about unauthorized
access over the Internet? Knowing the answer to this question will help you choose
meaningful events to audit and keep you from logging unnecessary events.
Sit down and define the likely threats. Determine which audits can best detect
these threats, and then implement the appropriate instance of these audits. Do
not audit successful object accesses if you only need to know when someone is
attempting to access items he does not have permission to access. Consider
whether success or failure logging is more appropriate.
Selecting objects for auditing
Once you have determined what types of suspicious activity you are looking for,
decide which objects need to be audited. Do you want to enable auditing of every
object in a certain directory tree, or would you be better served by “setting a trap”
and only auditing certain attractive files?
Assigning responsibility for monitoring
Assign an administrative user the task of monitoring the audit logs. If events
occur and the logs are ignored, they might as well have never been audited. If you
are concerned about missing a critical entry, set a maximum security log size and
configure Windows to shut down when the file is full.
CAUTION Configuring Windows to shut down when the security audit log is full exposes the system to shutdown by an attacker who deliberately generates events to fill the logfile. This setting is typically used only on systems where audit entries must never be lost. This is a requirement only on highly secure systems.
Implementing and Managing an Audit Policy
In this section, we will present common audit scenarios and show you how to
configure auditing for each scenario. We will begin by introducing the Security
event log and its configuration.
Configuring the Security event log
The first task to perform when setting up an auditing infrastructure is to configure the size and behavior of the Windows Security event log. By doing so, you can
ensure that security audit events are processed according to your needs.
1. Launch Event Viewer by selecting it in Computer Management or executing Eventvwr.msc.
2. Right-click the Security log (Figure 14-19), and select Properties.
The Security Properties dialog box opens, showing the current size
of the security log and allowing you to manage settings related to
the log.
Figure 14-19 Opening the Properties dialog box for the Security
log in Event Viewer
3. Set the maximum log size, and specify the action to take when the log
reaches its maximum size (Figure 14-20).
Figure 14-20 The Security Properties dialog box in Event Viewer
The available options are:
❑ Log Size: Sets the upper size limit for the Security log. Experience
will determine the size you need to support your auditing. Watch the
current size, and increase this value if necessary to make sure the log
does not overflow.
❑ Overwrite Events As Needed: Allows events to be overwritten, the
oldest first, to enable newer events to be written when the log becomes
full. This option increases the risk of attacks by hackers who create a
large number of spurious events that cause the hacking activity to be
overwritten.
❑ Overwrite Events Older Than X Days: Ensures that events less
than X days old are not overwritten. This gives you time to detect
problems but causes the log to fill up and stop logging events if the
maximum log size is reached before the oldest entries reach the deletion
threshold.
❑ Do Not Overwrite Events (Clear Log Manually): Ensures that no
events are overwritten. This option requires you to pay close attention
to the log because it will stop logging audit events once it is full. (In
fact, if you have also enabled the policy to shut down the system when
security events cannot be logged, the system will shut down when this
log gets full.)
NOTE If you are managing a security log manually, you can use the Clear Log button to remove events that have already been evaluated.
Monitoring NTFS object access
Once the Security event log is configured for auditing, you can enable auditing on
the NTFS objects that you have determined need auditing. Configuring auditing
on NTFS objects is a two-step process:
1. Enable auditing in Local Security Policy for object access (Figure 14-21)
by double-clicking the policy and choosing Success or Failure.
Successful object access events are numerous on normal systems, so
usually such events are audited for just one specific file or folder rather
than multiple objects. Failure events, which indicate attempts to open
files the user does not have permission to open, are usually more useful in a security audit.
Figure 14-21 Enabling object access auditing in Local Security Policy
2. On the Security tab of the Properties dialog box for the object you want
to audit, click Advanced to open the Advanced Security Settings dialog
box for the object (Figure 14-22).
3. On the Auditing tab, click Add to select the users or groups you want
to monitor.
4. Click OK to open the Auditing Entry dialog box (Figure 14-23).
5. Select the operations to monitor, and then click OK. This creates
the SACL for the object that will be used to control the auditing
function.
Figure 14-22 The Auditing tab for an NTFS folder object
Figure 14-23 Configuring an SACL for an NTFS folder object
Monitoring user account administration events
Monitoring user account administration is not as complex as configuring object
access monitoring. All you do is enable the audit policy in Local Security Policy
(Figure 14-24).
Figure 14-24 Auditing account management
Auditing both successes and failures will detect both excessive administration
(which might indicate administrator collusion in theft or espionage) and failed
attempts at administration (which might be a sign of hackers attempting to
elevate their privileges).
Monitoring shutdown and restart events
Suppose you have received reports of unusual downtimes on certain systems. You
see a restart event in the system log, but you do not know who is responsible. To
find out, you can enable system event auditing (Figure 14-25) to cause an event
log entry to be written for each shutdown or restart event.
Figure 14-25 Auditing system events
Auditing both successes and failures detects shutdown and restart attempts by
authorized users and attempts to restart the system by those who do not have the
right to do so.
Quis Custodiet Ipsos Custodes? (Who Will Guard the Guardians?)
An administrator who manages the Security event log itself can erase his own
trail, so if you need to monitor the administrator, you have to look for gaps in the
log where it might have been cleared to remove suspicious activity. If you find
gaps, you can establish external monitoring by using Event Viewer (or a third-party log analyzer) remotely from another computer to view and archive the
logs frequently.
Monitoring Audit Logs
You can monitor audit logs with the Security event log in Event Viewer. (For
a large system, you might opt for an external log analyzer such as Microsoft
Operations Manager 2005 or another third-party log analyzer.)
1. Open Event Viewer via Computer Management or by executing
Eventvwr.msc.
2. Select the Security log by clicking in it in the console tree.
3. Browse events to locate suspicious activity. Open records by double-clicking them. Each record displays the date and time of the event and
provides additional details about the event (Figure 14-26).
Figure 14-26 Displaying an NTFS object access success event
Event Viewer also provides tools to find or filter events to locate specific events.
The Find dialog box (Figure 14-27), which you open by choosing View | Find,
allows you to enter event IDs or other event traits to search on in the event log.
Figure 14-27 Using the Find dialog box to locate events
You can also use the Filter tab of the Security Properties dialog box
(Figure 14-28) to filter out all but the events you specify, thereby giving
you a cleaner display.
Figure 14-28 Using the Filter tab of the Security Properties dialog box to isolate specific events
SUMMARY
■ By using Local Security Policy or Domain Security Policy, you can configure many aspects of a computer’s security configuration in a single place.
■ You can collect security policy settings into security templates that can be applied to many systems at once using Group Policy.
■ You use the Security Templates and Security Configuration and Analysis snap-ins to manage security policy assignment with templates.
■ Security auditing is an important part of overall system security. Only through auditing can you detect actual and attempted security breaches.
■ Auditing is enabled using Local Security Policy and monitored with Event Viewer.
REVIEW QUESTIONS
1. Local Security Policy is a subset of __________.
a. Security Configuration and Analysis
b. Domain Security Policy
c. Group Policy
d. Audit policy
2. Which of the following audit policies do you enable to record attempts
to access resources on your system from the network?
a. Logon events
b. Account logon events
c. Object access events
d. System events
3. You are configuring a highly secure workstation and need to ensure
that no potential attack is missed in the audit logs. What two settings
must you configure to accomplish this?
a. Set up security log archiving
b. Configure audit policy to shut down the system if the security log
becomes full
c. Configure the security log to not overwrite events
d. Store event logs on a secure data storage unit
4. Which command-line tool can be used to configure security policy?
a. Secpol.msc
b. Eventvwr.msc
c. Secedit.exe
d. Gpedit.msc
5. Which of the following security templates can you use to restore security configuration settings in the event of a configuration problem?
a. Compatws.inf
b. Hisecws.inf
c. Setup security.inf
d. Rootsec.inf
6. You are concerned about a data folder that all users of your network
have access to. Someone has been deleting files, and you want to find
out who it is. Which audit policy and setting will detect this action?
a. Logon events (successful)
b. Logon events (failed)
c. Object access (successful)
d. Object access (failed)
CASE SCENARIOS
Case Scenario 14-1: Designing a Security Policy
You are designing security for a group of workstations configured in a workgroup
network environment. All the systems run identical applications and have similar
requirements for security. These security requirements include:
■ Users need to run a legacy application that does not run well unless
the users are placed in the Power Users group. You want to find a way
to allow the application to run for non–Power Users.
■ You want to implement a logon banner to warn potential hackers that
your organization pursues legal action against anyone who attempts to
defeat system security.
■ You want to clear the username entered in the Log On To Windows
dialog box after each logon.
Answer the following questions about this scenario:
1. Which of the following security options will fulfill the security requirements? (Choose all correct answers.)
a. Accounts: Rename Guest Account
b. Interactive Logon: Do Not Display Last User Name
c. Interactive Logon: Do Not Require CTRL+ALT+DEL
d. Interactive Logon: Message Text For Users Attempting To Log On
2. Which security template should you use as a baseline for this
configuration?
a. Setup Security.inf
b. Compatws.inf
c. Securews.inf
d. Rootsec.inf
3. Which utility can you use to create a security template for this
configuration?
a. Notepad.exe
b. Local Security Policy
c. The Security Configuration and Analysis snap-in
d. The Security Templates snap-in
Case Scenario 14-2: Security Auditing
You are hired by a small office supply shop to find out who has been stealing
money from its computerized cash register system, which runs Windows XP. The
manager suspects that the system administrator is colluding with several cashiers
to falsify the register journals. She has sent the administrator to a training course
for a few days, and she wants you to configure auditing to track his activities. You
soon discover that no security auditing is being done and no Local Security Policy
has been configured on any of the registers.
Answer the following questions about this scenario:
1. The manager tells you she has never seen the administrator actually
log on to any register, and that he spends a lot of time on his computer
in the back office. You want to leave the administrator’s system
untouched so he does not become suspicious. What audit policy can
you configure to see if the administrator is accessing the registers over
the store’s local area network, and on which systems should you
configure it?
a. Account logon events on each register
b. Account logon events on the administrator’s computer
c. Logon events on the administrator’s computer
d. Logon events on each register
2. You want to be sure your activity does not affect the operation of the
registers. Which security log settings can you apply to keep the lowest
profile? (Choose all correct answers.)
a. Configure The Log To Overwrite The Oldest Events First
b. Configure The Log To Overwrite Events Over 7 Days Old
c. Manually Clear Logs
d. Shut Down The System When The Log File Gets Full
CHAPTER 15
BACKING UP AND
RESTORING SYSTEMS
AND DATA
Upon completion of this chapter, you will be able to:
■ Back up and restore the operating system
■ Back up and restore user data
■ Back up and restore system state data
■ Use Automated System Recovery (ASR) to recover a system
■ Use System Restore to recover system configuration
■ Use startup and recovery tools to recover a system
Despite all precautions, sometimes a user will inadvertently delete an important
document or find a way to render the system inoperative. At these times, it is
good to have a plan in place to recover the system, an application, or the user’s
data quickly and reliably.
This chapter introduces the Windows Backup utility and other system recovery
tools. You will learn how to back up your system and use the backups at a later
date to recover missing or corrupted files. You will explore the features of the
Recovery Console and discuss how to use recovery tools to reverse improper configurations and recover systems that will not boot.
UNDERSTANDING THE WINDOWS BACKUP UTILITY
The centerpiece of recovery technologies in Windows XP is the Windows Backup
utility. You can use it to back up and restore anything from a single file to the
entire operating system. It can back up data to a variety of backup media, including CD-RW or DVD-RW media, a network share, or a tape device connected to
the system.
In this section, we will explore the features and menus of the Backup utility.
Later we will describe the use of this utility to back up and restore user and
system data.
Features of the Backup Utility
You can launch the Backup utility by choosing Start | All Programs | Accessories
| System Tools and then selecting Backup, or by executing Ntbackup.exe from a
command line or the Run dialog box. This utility has two modes:
■ Wizard Mode Presents the Backup Or Restore Wizard, which steps
you through the process of creating a backup or restore job (Figure 15-1).
The wizard prompts you to select the scope of the backup or recovery
action, and then it creates the required settings.
Figure 15-1 The Backup Or Restore Wizard
■ Advanced Mode Allows an experienced user to select the specific
tasks and data to back up (Figure 15-2). This mode also allows you to
create a one-time backup job or a repetitive schedule to perform the
backup during times of low system activity.
Figure 15-2 Using the Backup utility’s Advanced Mode
NOTE This chapter covers the operation of the Backup utility in
Advanced Mode to expose the full functionality of this tool.
Volume shadow copy
Backing up open files has always been a challenge for backup tools. If a user or
the operating system has a file open at the time of the backup, that file might be
skipped and not saved on the backup medium. This results in the file not being
available if the system needed to be restored. This situation is not acceptable for
true disaster recovery, so administrators of systems prior to Windows XP have
been left to find strategies for backing up open files.
Beginning with Windows XP, Microsoft has included an operating system feature
called volume shadow copy, which takes a snapshot of open files, allowing them
to be backed up. Backup utilities created for Windows XP can use Volume
Shadow Copy to manage copying and backup of open files.
NOTE Use of Volume Shadow Copy requires NTFS. Backups made from
FAT volumes do not take advantage of this feature.
Volume Shadow Copy creates a snapshot of open files by working with applications to create an offline version of the file. This shadow copy is used by the
Backup utility instead of the actual file. The Volume Shadow Copy service monitors open files during the backup, creating additional shadow copies of files that
might be opened during the course of the backup. This ensures that a best-effort
copy of all files is stored on the backup media.
NOTE Applications that are not designed for use with Volume Shadow
Copy will not help it create a shadow copy. The file is still copied, but it is
copied as is—as it would be if a system crash or power outage were to
occur when the file was open. We call this state crash-consistent.
Automated System Recovery
Automated System Recovery (ASR) creates a floppy disk that stores configuration
data about the operating system. An administrator can then reinstall the operating system in Automated System Recovery mode and use the disk to manage the
recovery of the system’s identity. After the ASR installation, the administrator can
use a current backup to fully recover the system.
ASR greatly simplifies the restoration of a system by managing most of the configuration and restoration for you. This can reduce the time required to completely
restore from a failure. In contrast, you can use a simple backup to tape or removable media only after installing a new operating system. This requires additional
time and configuration and does not ensure that the restored system will be completely consistent with its former configuration.
PLANNING A BACKUP AND RECOVERY STRATEGY
Any task involving the Windows XP operating system will go more smoothly if
you have a clear plan. Backing up data is no exception. By identifying the data you
want to protect, you can define the scope of the backup job. By understanding the
features and capabilities of the Backup utility and associated tools, you can create
a comprehensive plan for managing your backups.
Choosing a Backup Type
The Backup utility supports several types of data backups. Each has a specific role
in a disaster recovery scenario. Most backup types rely on the archive attribute
(Figure 15-3), the attribute set on each file by the operating system to indicate
whether the file has been modified since its last backup.
Figure 15-3 The archive attribute is found in the Advanced Attributes dialog box for a file system object.
You can also display files ready for archiving by using the command prompt Dir command with the /A:A option, as shown in Figure 15-4.
NOTE To view files with the archive attribute not set, use Dir /A:-A. (The hyphen
reverses the switch.)
Figure 15-4 Viewing files with the archive attribute by using the Dir command
Normal backup
During a normal backup, all selected files and folders are backed up. A normal
backup does not rely on archive attributes to determine which files to back up.
During a normal backup, any existing archive attributes are cleared, marking each
file as having been backed up. Normal backups speed up the restore process
because the backup files are the most current and you do not need to restore multiple backup jobs. But because normal backups back up all files, they are the largest backups, and they take the longest to complete. This can be undesirable when
you have limited time to complete the backup.
Copy backup
During a copy backup, all selected files and folders are backed up. A copy backup
neither looks for nor clears archive attributes. Use a copy backup if you do not
want to clear archive attributes. For example, use a copy backup between a normal and an incremental backup to create an archival snapshot of network data.
Incremental backup
An incremental backup backs up only those files and folders that have the archive
attribute set, and then it clears the archive attributes on those files and folders.
Because an incremental backup clears archive attributes, if you do two consecutive incremental backups on a file and nothing has changed in the file, the file is
not backed up the second time.
Differential backup
A differential backup backs up only selected files and folders that have the archive
attribute set, but it does not clear archive attributes. If you do two consecutive
differential backups on a file and nothing has changed in the file, the entire file is
backed up both times.
Daily backup
A daily backup backs up all selected files and folders that have changed during
the day. This backup neither looks for nor clears archive attributes. If you want to
back up all files and folders that change during the day, use a daily backup.
Backing up system state
System state means the files and configuration settings that make the system
unique—the registry, boot and system files, user and group information, the
Microsoft Internet Information Services (IIS) metabase, files included in Windows File Protection, and the COM+ Class Registration database. Saving the
system state allows you to restore a system’s identity after a full operating system
reinstallation.
Determining What to Back Up
Many users run original equipment manufacturer (OEM) installations of Windows XP. Instead of going through the trouble of backing up the entire operating
system, can you reinstall it from the Windows XP CD-ROM? Or, better yet, from the
OEM’s system recovery disk? If your system came with a recovery disk, you can
use it to completely restore the system to the condition it was in when you unpacked
it. You can then restore any programs and data files from a recent backup.
If you don’t have a recovery disk, you can consider other options. Take a close
look at the configuration of the system. If you can substantially restore the operation of the system by using the Windows XP installation CD-ROM, you can save
a lot of time and space on the backup media by backing up only program files,
data files, and the system state. When it comes time to recover the system, you
can restore these items once the installation is complete. This will take longer
because a complete installation is typically not as fast as a system recovery.
You should also consider ASR. With an ASR backup and a current backup of your
data, you can restore your system faster than you could reinstall Windows. This
approach will also more completely restore your original configuration.
NOTE Continually evaluate your current backup methods as you become
more familiar with the backup technologies described in this chapter to
make sure you are not leaving out any critical steps.
Selecting Backup Media
Once you have determined how much data to back up, you can make an intelligent decision about what type of backup media to employ. In this section, we will
examine the media options for use with the Windows XP Backup utility.
Backing up to a hard disk
Hard disk drives allow the quickest backups, whether internal disk drives or disk
drives attached to the system with a USB, SCSI, or FireWire interface. Backup
stores the backup as a single file on the backup disk. During the restore process,
this file is read by Backup as data is restored.
NOTE Use a hard disk drive as your backup medium only if you are confident that the storage disk will not be damaged or destroyed by a system
failure. If it is damaged, the backup files will be unusable for restoration
purposes.
Using removable media
In addition to using a hard disk, you can use a removable medium—a CD-RW or
DVD-RW disk—to store backup files. This method is excellent for frequent smaller
backups, but it is limited for backups of very large file systems.
Backing up to a network share
You can also store backup files in a shared folder on a network server. This option
can allow many systems to consolidate their backups to a single system. The
backup server can then back up the files to its own large tape archive for long-term archival.
Backing up to a tape drive
For periodic large backups, nothing beats a tape drive. Tapes still offer the lowest
cost per megabyte of any storage technology, and they can store massive amounts
of data, with some tape libraries even reaching the terabyte range.
Choose a tape drive that offers the best performance and storage combination for
your system. Options for tape drives include internal and external installation
options; USB, FireWire, IDE and SCSI interfaces; and choices of several recording
technologies.
NOTE Consider storing one or more of your backup tapes at an offsite
location. If a disaster destroys your location, you will still have a copy of
your data to restore systems from. Some organizations have a cooperative arrangement with other organizations whereby they store tapes for
each other. Companies that require more security tend to use options
such as digital vaults and storage services.
Choosing a Backup Schedule
Choosing how frequently to back up your data is as important as selecting what
data to back up. If you back up weekly and your failure occurs on the sixth day,
you will lose almost a week’s worth of data. Planning the type and frequency of
backup operations is extremely important.
Here are some potential backup schedules to consider:
■ Weekly normal backup and daily differential backups A normal
backup on Monday and differential backups Tuesday through Friday.
Differential backups do not clear archive attributes, which means that
each backup includes all changes since Monday. If data becomes corrupt on Friday, you only need to restore the normal backup from Monday and the differential backup from Thursday. This strategy takes
more time and space to back up but less time to restore.
■ Weekly normal backup and daily incremental backups A normal backup on Monday and incremental backups Tuesday through
Friday. Incremental backups clear archive attributes, which means that
each backup includes only the files that changed since the previous
backup. If data becomes corrupt on Friday, you must restore the normal backup from Monday and all incremental backups from Tuesday
through Friday. This strategy takes less time and space to back up but
more time to restore.
■ Mixing normal, differential, and copy backups This strategy is
the same as the first one, except that on Wednesday you perform a
copy backup. Copy backups include all selected files and do not clear
archive attributes or interrupt the usual backup schedule. Therefore,
each differential backup includes all changes since Monday. The copy
backup done on Wednesday is not part of the Friday restore. Copy
backups are helpful when you need to create a snapshot of your data
for archival purposes.
■ Daily normal backup Although this backup method takes the most
time, it ensures that all files are available on the most recent backup
medium (if it has sufficient space). This both speeds recovery time and
ensures that you have multiple recent backups of every file. If yesterday’s medium is corrupt, you can choose the previous day and lose
only one day’s data, not an entire week’s data.
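The archive-attribute rules of the backup types described under "Choosing a Backup Type" and the restore sets implied by the weekly schedules above can be checked with a small simulation. This is an added example, not code from the book or from the Windows Backup utility; the Volume, run_backup, restore_chain and simulate_week names are assumptions of this example, and the file names, versions and day numbers are constructed.

```python
# Added example (not from the book or Windows Backup): simulates how each
# backup type reads and clears the archive attribute, and which backup
# sets a restore needs under the weekly schedules described in the text.
from dataclasses import dataclass
from typing import Dict, List

# Backup type -> (selects only files with the archive attribute set,
# clears the attribute afterwards). "daily" selects by modification
# day instead of looking at the attribute.
BACKUP_TYPES = {
    "normal": (False, True),
    "copy": (False, False),
    "incremental": (True, True),
    "differential": (True, False),
    "daily": (False, False),
}


@dataclass
class FileState:
    content: str
    archive: bool        # the archive attribute; set by every write
    modified_day: int


@dataclass
class BackupSet:
    day: int
    kind: str
    files: Dict[str, str]  # file name -> content captured in this set


class Volume:
    """A toy volume holding a few files and their archive attribute (constructed)."""

    def __init__(self) -> None:
        self.files: Dict[str, FileState] = {}

    def write(self, name: str, content: str, day: int) -> None:
        # Writing a file sets its archive attribute, as the file system does.
        self.files[name] = FileState(content, True, day)

    def run_backup(self, kind: str, day: int) -> BackupSet:
        by_attr, clears = BACKUP_TYPES[kind]
        captured: Dict[str, str] = {}
        for name, st in self.files.items():
            if kind == "daily":
                selected = st.modified_day == day
            else:
                selected = st.archive or not by_attr
            if selected:
                captured[name] = st.content
                if clears:
                    st.archive = False  # mark the file as backed up
        return BackupSet(day, kind, captured)


def restore_chain(sets: List[BackupSet], as_of_day: int) -> List[BackupSet]:
    """Sets to restore, in order, to recover data as of as_of_day: the last
    normal backup, then every later incremental, or else only the latest
    later differential. Copy and daily sets are never part of the chain."""
    usable = [s for s in sets if s.day <= as_of_day]
    normals = [s for s in usable if s.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup to anchor the restore")
    base = normals[-1]
    later = [s for s in usable if s.day > base.day]
    incrementals = [s for s in later if s.kind == "incremental"]
    differentials = [s for s in later if s.kind == "differential"]
    return [base] + (incrementals if incrementals else differentials[-1:])


def apply_chain(chain: List[BackupSet]) -> Dict[str, str]:
    """Replay the sets in order; later sets overwrite earlier versions."""
    restored: Dict[str, str] = {}
    for s in chain:
        restored.update(s.files)
    return restored


def simulate_week(daily_kind: str, copy_on_wednesday: bool = False) -> List[BackupSet]:
    """Monday normal backup (day 1), then daily_kind backups Tuesday through
    Thursday (days 2-4); files are edited on Tuesday and Wednesday.
    Constructed scenario matching the schedules in the text."""
    vol = Volume()
    vol.write("report.doc", "v1", day=0)
    vol.write("budget.xls", "v1", day=0)
    sets = [vol.run_backup("normal", day=1)]
    vol.write("report.doc", "v2", day=2)
    sets.append(vol.run_backup(daily_kind, day=2))
    vol.write("budget.xls", "v2", day=3)
    if copy_on_wednesday:
        sets.append(vol.run_backup("copy", day=3))  # archival snapshot
    sets.append(vol.run_backup(daily_kind, day=3))
    sets.append(vol.run_backup(daily_kind, day=4))  # nothing changed Thursday
    return sets


if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        sets = simulate_week(kind)
        chain = restore_chain(sets, as_of_day=4)
        print(kind, "restore needs days", [s.day for s in chain], "->", apply_chain(chain))
```

Running the module shows the trade-off the text describes: the differential schedule restores from two sets (Monday plus Thursday) while the incremental schedule needs Monday plus every incremental since, and a Wednesday copy backup leaves the Thursday differential unchanged because it never clears the attribute.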
Planning for Disaster Recovery
Amazingly, many organizations that regularly back up data have no idea how they
would restore it in the case of an actual loss of a system. Every organization
should develop a comprehensive disaster recovery policy that dictates the actions
to be taken to recover from each potential failure—ranging from the loss of a single
file or e-mail to the loss of a site.
You should test the disaster recovery plan by restoring a system in a lab environment
or by restoring recently deleted files just to see if you can. This will give you confidence and a familiarity with the tools and methods used to recover your systems.
BACKING UP THE SYSTEM
After you determine the number and type of backup jobs you need to support
your disaster recovery policy, you can use the Backup utility to create the required
jobs. This involves choosing the files and folders to back up, setting the backup
type, and scheduling the backup job to run at the correct time.
Creating a New Backup Job
You create new backup jobs on the Backup tab of the Backup utility. We will create a full system backup in this section.
To create a backup of the entire system, which you can execute immediately or
schedule for later, take these steps:
1. On the Backup tab of the Backup utility (Figure 15-5), select all local
drives and System State.
Figure 15-5 Making backup selections
2. Choose the backup medium or backup file you want to use for backing
up the system.
3. Click Start Backup to open the Backup Job Information dialog box
(Figure 15-6), where you can manage media labels and description.
You can also specify whether to overwrite existing backups on the
medium or add yours to the end of the last previous backup.
Figure 15-6 The Backup Job Information dialog box
4. Click the Advanced button to open the Advanced Backup Options
dialog box (Figure 15-7), where you can specify the backup type and
whether to verify the contents of the backup after completion. (You can
also choose Tools | Options to change these options.) Click OK to
close the Advanced Backup Options dialog box.
Figure 15-7 Configuring advanced backup options
5. Click Start Backup in the Backup Job Information dialog box to begin
the backup immediately, or choose Schedule to set a backup schedule
for this job. If you choose Schedule, you will be prompted to save the
backup job for later use.
6. After the backup job completes, you can save your selections for use
again later; on the File Menu, select Save Selections. In the Save As
dialog box, enter a file name and click Save. Your selections will be
saved as a file with the BKS extension.
NOTE By modifying your selections, you can back up as little as a single
file using the procedure described above.
Modifying a Backup Job
If you need to modify the settings or selections of a saved backup job, choose
File | Load Selections (Figure 15-8) and browse for the backup job you want to
modify. You can then change file and folder selections.
Figure 15-8 Opening an existing backup job
Choose Tools | Options to modify other settings, and choose File | Save
Selections to save your changes.
Executing a Backup Job
You can execute any saved backup job by choosing File | Load Selections and
then clicking Start Backup. In the Backup Job Information dialog box, enter the
appropriate settings and click Start or schedule the job for later.
IMPORTANT To back up files, you must have at least Read permission
to the files or be assigned the Backup Files And Directories user right.
For more information on user rights, see Chapter 13.
Performing an ASR Backup
ASR saves create a backup set with a floppy disk and the actual backup. Administrators can then use the ASR floppy disk during a Windows XP system installation to restore the operating system to full operation.
To perform an ASR system backup, take these steps:
1. Launch the Backup utility, and choose the Automated System
Recovery Wizard on the Welcome tab (Figure 15-9). (You can
also launch the wizard from the Tools menu within the Backup
utility.)
Figure 15-9 Initiating the Automated System Recovery Wizard
2. The wizard prompts you for backup media (Figure 15-10).
Figure 15-10 Choosing backup media for the Automated System Recovery Preparation Wizard
3. The wizard presents the completion window (Figure 15-11). Click
Start to begin the backup job.
Figure 15-11 Completing the Automated System Recovery Preparation Wizard
4. The entire system is saved to the backup medium (Figure 15-12).
Figure 15-12 Executing the ASR backup job
5. After the backup is complete, you are prompted to insert a floppy disk
(Figure 15-13).
Figure 15-13 Inserting a floppy disk to save ASR data
6. The ASR Wizard completes and instructs you to label the disk and
store it in a safe place.
RESTORING A SYSTEM
What you hoped would never happen has occurred. A virus has deleted all
Microsoft Office document files from the system. You now need to restore them
as quickly as possible.
This section covers how to restore files and folders from backup media. We will
discuss determining which backups to restore and the process for restoring data.
We will conclude by examining the process for restoring an ASR backup.
Determining Which Backups to Restore
Before undertaking a restore operation, you must determine which backup contains the most recent version of the files you are missing. This requires knowledge
of the backup strategy in use and careful tracking of the backup media used. For
instance, if you are using a weekly normal backup with daily differential backups,
you need the most recent weekly tape and the tape from the last successful
backup.
Creating a Restore Job
You create a restore job by using the Restore And Manage Media tab of the
Backup utility. You select the restore medium and locate the backup set on it.
Then you can select the files and folders to restore.
To create a restore job, take these steps:
1. On the Restore And Manage Media tab of the Windows Backup utility,
browse to the device where your backup medium is stored. You will see
a facsimile of the files and folders on your system at the time of the
backup (Figure 15-14).
Figure 15-14 Selecting folders and files to restore
NOTE If you backed up your system to tape, ensure that the appropriate backup tape is inserted and ready before you browse the media tree.
Tape cataloging takes a long time, so if you discover that you are browsing the wrong tape, the cataloging steps have to be repeated with the
next tape you insert.
2. Navigate the folder tree and select the items you want to restore.
3. In the Restore Files To drop-down list, select the appropriate location
to restore the files to. You can choose the original location or specify a
different location.
IMPORTANT To restore files, you must have at least Write permission
to the destination folder or be assigned the Restore Files And Directories user right. For more information on user rights, see Chapter 13.
By default, a restored file does not replace the original (if it still exists).
Occasionally, you are asked to restore files to replace corrupt versions.
If you are required to do this, you can restore them to an alternate location and copy them into the original folder, or you can choose Tools |
Options and specify overwriting of the originals (Figure 15-15).
Figure 15-15 Selecting restore options
4. Click Start Restore to begin the restore process.
Using ASR to Recover a System
Restoring a system from an ASR save requires the ASR floppy disk created during
the backup process, the Windows XP installation CD-ROM, and the backup
media created during the ASR backup.
You can initiate an ASR restore by booting from the Windows XP CD-ROM:
1. Boot the system from the Windows XP CD-ROM.
2. Shortly after the CD-ROM launches Setup, you are prompted on the
bottom of the screen to press F2 to run ASR (Figure 15-16).
Figure 15-16 Choosing the ASR option during Windows Setup
3. The Setup program asks for the ASR floppy disk (Figure 15-17), which
will be used to restore the original disk configuration. Insert this disk
and press any key to continue.
Figure 15-17 Setup prompting to insert the ASR floppy disk
4. Setup continues as it would during a normal setup. In the Installing
Windows phase, you are asked to specify the backup medium
(Figure 15-18) from which the Automated System Recovery Wizard
should restore the original settings and data. Enter the file name and
click Next.
Figure 15-18 Selecting the backup medium for an ASR restore
5. The wizard presents a completion page, where you confirm your intentions (Figure 15-19). Click Finish to restore the system and all data
from the backup medium.
Figure 15-19 Completing the Automated System Recovery Wizard
USING SYSTEM RESTORE TO RECOVER DATA AND SETTINGS
System Restore tracks system configuration changes and file deletions, and it
stores backup versions of these files and settings in a hidden portion of the free
space on the system. It allows a user to recover settings lost by the improper configuration of a program or inadvertent deletion of files.
Configuring System Restore
System Restore is configured on the System Restore tab of the System Properties
dialog box (Figure 15-20). (Right-click My Computer and choose Properties.)
Figure 15-20 Accessing System Restore settings
System Restore can be configured to use up to 12 percent (the default) of the
space on a disk. This setting is configured in the Settings dialog box for each disk
drive (Figure 15-21).
Figure 15-21 Configuring System Restore disk space
Creating a Restore Point Manually
System Restore sets a restore point every 24 hours and whenever a significant event
such as the installation of a program, operating system update, or device driver
makes changes to the system. You will often see the message “Setting a system
restore point” when you are installing an application or running Windows Update.
You can also create a restore point manually at any time:
1. Open the System Restore console by choosing Start | All Programs |
Accessories | System Tools and choosing System Restore. The System
Restore Wizard starts (Figure 15-22).
Figure 15-22 The System Restore Wizard Welcome page
2. Select the Create A Restore Point option, and click Next. This opens the
Create A Restore Point page (Figure 15-23). Provide a description for your
restore point and click Create. System Restore creates the restore point.
Figure 15-23 Creating a restore point
Restoring Settings and Data from a Restore Point
To restore settings from a system restore point, you use the same wizard as in the
previous example. You choose the appropriate restore point and let System
Restore recover the settings that were saved in the restore point:
1. Open the System Restore console by choosing Start | All Programs |
Accessories | System Tools and choosing System Restore.
2. Select Restore My Computer To An Earlier Time, and click Next.
3. Use the displayed calendar (Figure 15-24) to choose the appropriate
restore point. Click Next.
Figure 15-24 Selecting a restore point
4. On the confirmation page that appears (Figure 15-25), click Next.
Windows restarts and restores the settings stored in the restore point.
Figure 15-25 The System Restore confirmation page
USING STARTUP AND RECOVERY TOOLS TO RECOVER A SYSTEM
Windows XP includes several other recovery methods you can use to restore
configurations and data, including rolling back device drivers, Safe Mode, Last
Known Good Configuration, and the Recovery Console.
NOTE Device driver rollback was covered in Chapter 4.
Using the Recovery Console
The Recovery Console is a command-line based utility that you can install or run
from the Windows XP CD-ROM. In this section, we will install the Recovery
Console and show how to run it from the Windows XP CD-ROM.
Installing the Recovery Console
The Recovery Console is installed with the Windows XP Setup program
Winnt32.exe. By issuing the command with the /cmdcons option, you can install
the Recovery Console as a system startup option:
1. Insert the Windows XP CD-ROM. Close the Welcome To Microsoft
Windows XP splash screen.
2. At a command prompt, execute the following command:
D:\Winnt32.exe /cmdcons
3. The Windows Setup program will confirm that you intend to install
the Recovery Console (Figure 15-26). Click OK.
Figure 15-26 Recovery Console installation confirmation
4. The Setup program installs the Recovery Command Console and displays a completion message (Figure 15-27). Click OK to complete the
installation.
Figure 15-27 Recovery Command Console installation success message
IMPORTANT If you are installing the Recovery Console on a system
that has had a service pack applied, do not install it from the original
CD-ROM. Instead, obtain a Windows XP CD-ROM that includes the service
pack. Failure to do so might render the Recovery Console inoperative.
Using the Recovery Console
You can select the Recovery Console at the operating system selection screen during startup (Figure 15-28). After startup, you are prompted to select which operating system to recover. On a single-boot system, the only selection is Windows.
You are then prompted to log on using the recovery password (Figure 15-29).
For workstations, this password is the local Administrator password.
Figure 15-28 The Recovery Console added as an operating system selection
Figure 15-29 Logging on to the Recovery Console
If the Recovery Console is not installed as a startup option, you can start it from
the Windows XP CD-ROM:
1. Boot the system from the Windows XP CD-ROM.
2. On the Welcome To Setup screen (Figure 15-30), press R to launch the
Recovery Console.
Figure 15-30 Choosing the Recovery Console option on the Welcome To Setup screen
3. Choose the operating system to maintain, and log on.
Features of the Recovery Console
The Recovery Console has many commands that you can use for recovering a
system. The two we will concern ourselves with here are Fixboot and Fixmbr:
■ Fixboot Writes a new boot sector to the system drive. The syntax for
this command is:
Fixboot drive:
where drive is the letter of the system disk.
■ Fixmbr Repairs the master boot record of the system partition. This
command can be used to render a virus-damaged system bootable
again. The syntax for this command is:
Fixmbr device_name
where device_name is the name of the boot device. If you leave this
option blank, the Fixmbr command will repair the default boot device.
NOTE For a complete list of recovery commands, search on “Recovery
Console commands” in the Help and Support Center.
Using the Last Known Good Configuration
When a system starts, it loads a set of drivers that are specified in the registry. But
during normal operation, you might make changes to the current driver configurations. Occasionally, when you restart the system, you will discover that a new or
altered device driver is causing problems that are preventing the system from successfully booting.
By using the Last Known Good Configuration, you can use the previous driver
configuration to get the system started. This ability to revert to previous drivers
exists as long as no user has logged on to the system. Once a user successfully
logs on, the new configuration is stored as the Last Known Good Configuration
for the next startup.
To use the Last Known Good Configuration, take these steps:
1. While Windows XP is booting, press F8 after you see your computer’s
BIOS screen but before you see the Windows XP loading screen. This
opens the Windows Advanced option menu (Figure 15-31).
Figure 15-31 Windows Advanced options menu
2. Select Last Known Good Configuration, and press ENTER.
Starting a System in Safe Mode
Safe Mode is a restricted mode that launches only the minimum driver set
required to load the operating system. It can be used to diagnose problems with
drivers that would normally run during a normal Windows XP session. If the
problem disappears in Safe Mode, this is an indication that you have a faulty
device driver. You can remove or replace the faulty driver to repair your system.
NOTE Safe Mode is also an excellent place to conduct virus scans
because many applications and services that normally have files open
will not be running. This allows you to get more complete scan results.
To Start Windows XP in Safe Mode, take these steps:
1. While Windows XP is booting, press F8 after you see your computer’s
BIOS screen but before you see the Windows XP loading screen. This
opens the Windows Advanced option menu (Figure 15-32).
CHAPTER 15: BACKING UP AND RESTORING SYSTEMS AND DATA
Figure 15-32 Windows Advanced Options menu
2. Select Safe Mode, and press ENTER.
3. In the Safe Mode notification message box, click Yes (Figure 15-33).
Figure 15-33 Windows XP running in Safe Mode
NOTE Additional Safe Mode options such as Safe Mode With Networking and Safe Mode With Command Prompt allow you to access files (such as drivers and applications) over a network or bypass the GUI entirely if you wish.
SUMMARY
■ You can use the Windows Backup utility to back up and restore files, folders, and system state objects.
■ The Backup utility uses features such as Volume Shadow Copy and Automated System Recovery (ASR) to provide comprehensive disaster recovery capabilities.
■ Careful disaster recovery planning is a crucial part of a backup strategy.
■ You can create, save, modify, and schedule backup jobs by using the Backup utility.
■ ASR creates a backup and associated floppy disk to be used to completely restore a system.
■ You can use System Restore to recover lost configuration settings or applications.
■ The Recovery Console provides a command-prompt environment that you can use to recover a system. It can be installed as a startup option or loaded from the Windows XP CD-ROM.
■ The Last Known Good Configuration starts Windows XP with the driver set used in the last successful startup.
■ Safe Mode, which allows you to start the system with a minimal set of drivers, helps you to troubleshoot and repair configuration issues.
REVIEW QUESTIONS
1. Which feature of Windows XP allows you to back up open files?
a. Automated System Recovery (ASR)
b. Differential backup
c. Incremental backup
d. Volume Shadow Copy
2. You are planning a backup strategy. You are required to ensure that any
file can be restored to a point within the last 24 hours. You also do not
want to have to load more than one backup tape. The time required to
perform the backup is not a concern. Which backup strategy makes
most sense in this scenario?
a. Weekly normal and daily differential backups
b. Weekly normal and daily incremental backups
c. Daily normal backups
d. Weekly normal and daily differential backups with a Wednesday
copy backup
3. Which of the following recovery technologies completely restores a
system?
a. System Restore
b. Safe Mode
c. Last Known Good Configuration
d. Automated System Recovery (ASR)
4. You want to install an application but are concerned about its effect on
system configuration. What can you do to ensure that you can quickly
recover your settings?
a. Create a restore point with System Restore
b. Perform a full system backup
c. Back up the system state
d. Create an Automated System Recovery (ASR) backup
5. You have installed a new device driver for your sound card, and now
your system will not boot. What recovery technology allows your
system to boot with the previous set of drivers?
a. Recovery Console
b. Last Known Good Configuration
c. Automated System Recovery (ASR)
d. Safe Mode
6. You have installed a driver that is causing system problems. You did
not notice the problems before you logged on to the system. Which of
the following technologies can help you fix this problem? (Choose all
correct answers.)
a. Recovery Console
b. Last Known Good Configuration
c. System Restore
d. Safe Mode
CASE SCENARIOS
Scenario 15-1: Backup Planning
You are helping a small company with its disaster recovery planning. It has 13
desktop computers in two configurations. Configuration A (12 systems) is a standard Windows XP Professional installation with Microsoft Office 2003 Professional Edition on each system. All documents are stored on a single Windows XP
Professional system (Configuration B) that functions as a file and print server.
Each of the 12 workstations has a floppy drive, a CD-ROM drive, and a
DVD-R drive. The file server system has a floppy drive and a high-capacity tape
drive.
Answer the following questions about this scenario:
1. What backup and restoration method will provide the ability to
quickly and completely recover a workstation?
a. Daily Normal backups to DVD-R. Restore from DVD-R after
reinstalling Windows.
b. Automated System Recovery backup set with floppy and DVD-R
disk. Use ASR restore to recover system. Refresh ASR set when
configuration changes.
c. Automated System Recovery backup set with floppy and DVD-R
disk. Use ASR restore to recover system. Use System Restore to
recover recent changes.
d. Single normal backup to DVD-R, daily differential backup to
the server. Recover by restoring DVD-R backup after reinstalling Windows, and restore remaining data from server backup
file.
2. You want to choose a backup schedule for the system that acts as a
file and print server. You want to find a way to minimize the nightly
backup window while not complicating the restore process. Which
of the following backup schedules offers the best balance between
backup speed and ease of restoration?
a. Daily normal backup
b. Weekly normal backup and daily incremental backup
c. Weekly normal backup and daily differential backup
d. Weekly copy backup and daily normal backup
Scenario 15-2: Power Problems
Your organization was struck with a severe brownout followed by a complete
power outage lasting a few hours. After power was restored, you discovered that
three systems would not boot. Two simply need new power supplies, but the
third is reporting “Operating system not found” when you attempt to start it.
Answer the following questions about this scenario:
1. Which of the following Windows XP recovery tools offers the best
chance of repairing this system quickly?
a. Automated System Recovery (ASR)
b. Safe Mode
c. Last Known Good Configuration
d. Recovery Console
2. After recovering this system, you discover that some files are still corrupted. Which of the following backups offer the best chance of restoring all corrupt files?
a. Normal backup done after the last major configuration change
b. Normal backup done three days before
c. Copy backup done the day before
d. Incremental backup done that morning
CHAPTER 16
MANAGING PERFORMANCE
Upon completion of this chapter, you will be able to:
■ Optimize memory performance
■ Monitor and optimize processor utilization
■ Improve disk performance
■ Improve application performance
■ Configure and manage scheduled tasks
■ Monitor and optimize performance for mobile users
Over time, the performance of a Windows XP system will decline as it becomes
filled with applications and documents. Newer applications that require more
memory will degrade performance by requiring virtual memory resources.
Administrators might neglect time-consuming disk management tasks because
they want to avoid disruptions to the system during business hours.
This chapter shows how to identify performance issues with a Windows XP system.
We will discuss using the Performance console to monitor system performance and
to detect bottlenecks (shortages or deficiencies that affect performance) in memory,
physical disks, and CPU utilization. You will learn how to identify which changes
offer the greatest improvements in overall performance and how to use scheduled
tasks to perform after-hours maintenance.
DESIGNING A SYSTEM FOR PERFORMANCE
Satisfactory performance depends largely on making sure the system meets the
needs of applications and allows them to run in the way they were designed to run.
Many manufacturers indicate the memory and CPU requirements of their applications, but few tell you what type of disk performance they require or how your
system might be affected if you run more than one instance of the application. In
this section, we will discuss the resources that applications require for optimum
performance and how to determine whether you have enough resources.
Factors Leading to Poor Performance
To operate most efficiently, an application needs three things: sufficient processor
cycles, sufficient memory space, and sufficiently quick access to data from a disk
or the network. Given these three things, it will thrive and perform to its fullest
potential. Take any of these three things away or replace it with an unsatisfactory
substitute, and performance will decline. Our task is to determine what is needed
in these three areas and balance the needs of the application against the needs of
other applications on the system and the needs of the operating system itself.
Memory
Sufficient memory is critical for good performance. Windows loads system
components and applications into physical memory for rapid access during
operation. When memory is insufficient, Windows is forced to use a portion of
the hard disk drive as virtual memory. It does this by transferring memory pages
to a portion of the physical disk set aside for this purpose. This process is called
paging, and the physical disk–based storage location is referred to as a paging file.
Use of paging files can provide massive amounts of memory space but it incurs
performance costs because hard disks transfer data at a much slower speed
compared with hardware memory (RAM).
Windows XP always maintains some memory pages in the paging file, but the
percentage of paged memory is relatively low until the system begins to run out
of RAM. As free space in RAM decreases, you will notice hard disk activity begin
to rise. When a system is short on RAM, performance will become very slow, and
the excessive disk activity might lead you to suspect that the system needs faster
physical disks when in fact it needs more physical RAM.
Disk and network access
Applications and data are loaded from hard disk or transmitted across a network
interface. Any delay in the loading of this data can affect performance. Slow or
excessively fragmented hard disks can noticeably hurt the performance of applications. Likewise, a slow network connection will contribute to slower application
performance.
Processor speed
Most users would be surprised to learn that CPU speed might have the least effect
on true performance. If you watch the processor charts in Task Manager, you will
likely see your CPU idling most of the time. Most Windows-based applications
use relatively little processing power because users spend much of their time
entering data or analyzing the results of calculations. When processing is called
for, it is typically handled in a few seconds, and then the CPU returns to idle.
Certain CPU-intensive tasks, such as video rendering, computer gaming, and
complex calculations, do require more processing power, but you can easily
discover those needs through monitoring.
Determining Resource Requirements
Software product packaging usually includes information on system requirements—
operating system version, CPU, memory, and free disk space. But it doesn’t say how
fast the disk has to be or how much memory you need to run two instances of the
application. When it says “Pentium III CPU,” is that enough to run the application
alongside Microsoft Office, or will you require somewhat more processing power?
What do these requirements really tell you?
Software manufacturers list requirements as if their application will run in isolation. It is up to you to put those requirements in context to see if your system’s
resources are adequate. Consider all the applications your system will be running
at once. Use the system requirements data to add up the total memory required.
To be safe, double the requirements for applications you might run multiple
instances of. For example, if your application requires 128 MB of RAM and you
plan to run it at the same time as an application that requires 256 MB, consider
installing at least 384 MB of RAM for satisfactory performance. If you plan to run
two instances of the new application concurrently, make it 512 MB. By making
these calculations, you can get a truer picture of your system requirements.
MONITORING PERFORMANCE
Perhaps the most overlooked cause of poor performance is not knowing what
good performance looks like. If you look at a system that is too slow or unresponsive, it can be difficult to determine which aspect of performance to improve first.
Only by starting with a clean system and seeing what the performance counters
look like when all is well can you evaluate the changes that occur as performance
declines. You can spot trends that indicate whether the system needs more memory,
more disk, or more CPU.
You can monitor performance of Windows XP in two ways:
■ Performance console Allows you to designate specific aspects of system performance to monitor so you can spot trends and indications of the cause of performance problems (Figure 16-1). You can add counters for each major application you install. Overall, the Performance console can give you a comprehensive picture of what is causing performance issues.
Figure 16-1 Performance console
■ Task Manager Allows you to view currently active tasks and see their effect on CPU and memory utilization (Figure 16-2). This is a quick way to view the main contributors to poor performance.
Figure 16-2 Task Manager
The Performance Console
The Performance console is the primary performance analysis tool in Windows XP.
It allows you to create charts, histograms, and reports that depict performance
statistics collected by performance counters.
The Performance console includes two performance monitoring snap-ins:
■ System Monitor Manages the interactive reporting of performance data. It includes an active charting tool that displays performance data in real time, and it also allows administrators to view the contents of previously captured logs.
■ Performance Logs and Alerts Logs performance data and generates alerts when certain counters reach a specified threshold.
Performance objects and performance counters
The Performance console uses performance objects to help you configure monitoring. Each performance object corresponds to an aspect of system operation.
Performance objects contain multiple counters, which are discrete items or statistics that offer detailed information about a facet of the object’s performance.
Commonly used performance objects include:
■ Processor Contains a collection of performance counters that report on CPU statistics. The most commonly used counter in this object is % Processor Time, which tracks processor utilization. Greater than 80 percent utilization for long periods indicates an overloaded CPU.
■ Memory Tracks statistics involving the system’s physical and virtual memory. Commonly used counters from this object include:
❑ Available Bytes Indicates the number of free bytes in the system’s physical memory. A small amount of free memory indicates a possible memory bottleneck. Windows XP dynamically manages the paging file on disk in an attempt to balance free memory. As the free memory total decreases, page file usage increases, reducing performance.
❑ Pages / sec Indicates the number of times per second that the system needs a specific memory page but has to go to the paging file for it rather than finding it in RAM. For this counter, a number higher than 15 or 20 indicates excessive paging activity and a need for more physical RAM.
❑ Page faults / sec Also indicates the amount of paging activity. This counter is a combination of the number of hard page faults (when the page is not in RAM but on disk) and soft page faults (when the page is elsewhere in RAM and has to be mapped into the current process).
■ Physical Disk Monitors activity and statistics related to the physical hard disk drives in the system. Common counters for this object include:
❑ Average Disk Read Queue Length Records the average length of a disk’s read queue. This statistic indicates the number of read requests waiting for the disk.
❑ Average Write Queue Length Records the average length of a disk’s write queue. This statistic indicates the number of write requests waiting for the disk.
❑ % Disk Time Indicates the percentage of the time the disk is busy servicing read and write requests.
■ Logical Disk Monitors activity and statistics related to the logical disk drives (volumes and volume sets) in the system. Common counters for this object include:
❑ Average Disk Queue Length Records the average length of a disk’s read and write queues. This statistic indicates the number of read and write requests waiting for the disk. Any consistent number recorded in this counter indicates that the physical disks are unable to keep up with demand.
❑ % Disk Time Indicates the percentage of the time the disk is busy servicing read and write requests.
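As an added example (not from the book), the PowerShell script below samples the counters named above with the Get-Counter cmdlet and tests them against the thresholds the chapter gives; it also serves the Memory Performance discussion later in the chapter. It assumes Windows PowerShell 2.0 or later is present on the system being checked, and the 64 MB Available Bytes floor is an assumed illustrative value, not a figure from the book.

```powershell
# Added example, not from the book: sample the counters named above and test
# them against the chapter's thresholds. Assumes the Get-Counter cmdlet
# (Windows PowerShell 2.0 or later) is available on the system being checked.

# Counter paths as shown in the Add Counters dialog. The _Total instance
# aggregates every processor or disk so one value per counter comes back.
$counters = @(
    '\Processor(_Total)\% Processor Time',
    '\Memory\Available Bytes',
    '\Memory\Pages/sec',
    '\PhysicalDisk(_Total)\Avg. Disk Queue Length'
)

# Rules from the chapter: over 80% CPU, Pages/sec above 15-20, any consistent
# disk queue. The Available Bytes floor (64 MB) is an assumed illustrative
# value; the chapter only says a "small amount" of free memory is a bad sign.
$rules = @{
    '% Processor Time'       = { param($v) $v -gt 80 }
    'Available Bytes'        = { param($v) $v -lt 64MB }
    'Pages/sec'              = { param($v) $v -gt 20 }
    'Avg. Disk Queue Length' = { param($v) $v -ge 1 }
}

function Test-CounterSamples {
    # Averages each counter across all sample sets and reports whether the
    # average breaches its rule. Averaging matters: the chapter warns that a
    # brief spike is not the same as a sustained overload.
    param($SampleSets)
    $byName = @{}
    foreach ($set in $SampleSets) {
        foreach ($s in $set.CounterSamples) {
            # Get-Counter returns paths like \\host\memory\pages/sec (lower case);
            # keep only the last segment. Hashtable keys are case-insensitive.
            $name = ($s.Path -split '\\')[-1]
            if (-not $byName.ContainsKey($name)) { $byName[$name] = @() }
            $byName[$name] += [double]$s.CookedValue
        }
    }
    foreach ($name in $byName.Keys) {
        $avg = ($byName[$name] | Measure-Object -Average).Average
        $breached = $false
        if ($rules.ContainsKey($name)) { $breached = [bool](& $rules[$name] $avg) }
        New-Object PSObject -Property @{
            Counter  = $name
            Average  = [math]::Round($avg, 2)
            Breached = $breached
        }
    }
}

# Five samples two seconds apart, then one row per counter.
$sets = Get-Counter -Counter $counters -SampleInterval 2 -MaxSamples 5
Test-CounterSamples $sets | Select-Object Counter, Average, Breached | Format-Table -AutoSize
```

Run it from an Administrator prompt so the disk counters are readable, and lengthen the sample run before drawing conclusions about a "long period" of high CPU.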
Viewing Performance Charts with System Monitor
The default view for System Monitor is the chart view. The first time you open
System Monitor, you see the default chart (Figure 16-3) with three performance
counters: % Processor Time, Average Disk Queue Length, and Pages / sec. These are
commonly used as the primary indicators of system health. You can add performance objects, each with many counters, to track data about virtually any
application or process on the system.
Applications can install their own performance objects for monitoring their
performance. For example, Microsoft Exchange Server and Microsoft SQL Server
add performance objects on server class systems, and the .NET Framework and
Microsoft Internet Information Services (IIS) installations add performance
objects on both workstation and server systems.
Figure 16-3 System Monitor with default counters
To add additional counters to a System Monitor chart:
1. In Control Panel, choose Administrative Tools | Performance. Click the
System Monitor item to display the default chart (as shown earlier in
Figure 16-3).
NOTE You can also launch the Performance console by executing Perfmon.msc at a command line or in the Run dialog box. (Choose Start | Run.)
2. Add a counter by clicking the + button on the toolbar or right-clicking
the chart and selecting Add Counters. This opens the Add Counters
dialog box (Figure 16-4).
Figure 16-4 Adding counters in System Monitor
3. Select the appropriate new counter, choose an instance of the counter
if necessary, and click Add.
NOTE To see information on the purpose of any counter, click the Explain button.
4. Add any additional instances of the counter, and click Close.
NOTE Instances are counters tied to a specific processor, disk, or queue. They are helpful in determining which actual device is generating delays. However, be careful about how many instances you add. The chart can quickly become cluttered. Instead, consider creating a separate chart for other instances of the same counter.
Managing chart properties
In addition to adding counters to the chart view, you can manage properties such
as display scale, color, sample rate, and the scale of individual counters. This
allows you to organize the monitor data into a meaningful display that can be
both informative and persuasive. You might use this data at some point to justify
a large budget for new equipment or system upgrades. Or you might use it to
demonstrate the performance improvement brought about by an action you
have taken.
To configure chart properties, right-click on the System Monitor chart view and
select Properties. The System Monitor Properties dialog box appears, with the following tabs:
■ General Allows you to configure which view is displayed and the attributes of the view such as whether to show the legend or the toolbar (Figure 16-5). You can also select the sample rate for the view.
Figure 16-5 The System Monitor Properties dialog box
NOTE Choosing a sample rate is an important part of designing a chart view. Faster rates will catch short-term events, but will not allow the view to display for a very long time period. Slower sample rates will allow the view to show more data, but may miss short-term events. You will have to determine which option is best for your needs.
■ Source Allows you to choose the data source for the current view. You can choose to display real-time data or data that has been recorded to a log or database.
■ Data Allows you to manage individual counters (Figure 16-6). You can configure their color, line width, line style, and the scale used in the chart view.
Figure 16-6 The Data tab of the System Monitor Properties dialog box
■ Graph Allows you to configure visual elements of the System Monitor chart. You can enable or disable the appearance of grid lines and change the scale of the chart.
■ Appearance Allows you to select color schemes and fonts for the current System Monitor view.
Saving a chart view
You might need to save a particular chart view—for example, to refer to later or
because you are particularly pleased about the statistics it displays. You can save
the view as an HTML file that contains the performance monitor object with the
data that was displayed when the file was saved. You can also activate the display
with new data by clicking the Freeze Display button (Figure 16-7). This activates
the chart view and displays the performance counters in real time in your
browser.
Figure 16-7 Activating a saved HTML view of System Monitor
NOTE You can use saved views to import counters into Performance
Logs and Alerts, as you will see in the next section.
Using Histograms and Reports
You can also display performance data using histograms, which look like moving
bar graphs, and reports, which display performance data in a text format. These
two views are typically used less than the chart view, but they can make certain
performance trends easier to spot or understand.
Using Histograms to Analyze Performance
Histograms (Figure 16-8) excel at identifying differences in multiple instances of
one performance counter. Because histograms use a bar graph analogy, they can
quickly present the relative levels at which counters are operating. This makes
busy counters stand out better.
You activate the histogram view by clicking the bar graph icon on the System
Monitor toolbar. You can add and remove counters in the same way that you can
with the chart view.
Using Reports to Summarize Performance Data
The report view (Figure 16-9) allows you to present data as text. This can be helpful when you need to present performance information to a decision maker as
justification for purchasing additional hardware or systems.
You can save performance reports as HTML or formatted text (Figure 16-10) by
right-clicking in the report frame and choosing the appropriate option.
Figure 16-8 Using the histogram view to identify busy counters
Figure 16-9 System Monitor’s report view
Figure 16-10 Displaying a performance report in WordPad
Using Performance Logs to Spot Trends
Let’s say you have been hired for a performance-tuning job. The system performs
well when it first starts, but it runs more slowly each day until it eventually needs to
be restarted. You open System Monitor and begin charting the major performance
indicators: memory, processor, physical disk, and network. Unfortunately, even by
lowering the sample rate, you can only display a fixed time span in the chart view.
With Performance Logs and Alerts, you can easily create a performance log that
runs for a week or more to spot trends in one or more counters. You can display the
log in the System Monitor chart view or use the report view of System Monitor to
create a report of your findings. You can also set alerts to notify you when a counter
reaches a critical threshold so you can open a chart view to see what is going on.
Performance Logs and Alerts includes three tools:
■ Counter logs Traditional performance logs that record a specified counter for a specified interval. You can configure logs to run for a certain amount of time or stop them manually.
■ Trace logs Track process data to assist with debugging tasks. You probably won’t use trace logs for common performance-monitoring tasks.
■ Alerts Notify users or administrators when a counter has reached a specified threshold. Alerts are useful when you are trying to see what is happening at a certain time. You can respond to the alert by opening a saved System Monitor view to view activity in real time.
Configuring a performance log
You can create performance logs from scratch by adding the applicable counters
to your log task, or you can copy counters from a saved System Monitor view. You
configure performance logs by using the Properties dialog box for a new or existing performance log (Figure 16-11).
Figure 16-11 Properties dialog box for a performance log
Configuration settings for performance logs are found on three tabs:
■ General Specifies counters to be monitored and the sample rate. You can add entire performance objects or individual counters to your performance log.
■ Log Files Includes log file settings such as log type and naming convention.
■ Schedule Specifies start and stop times for the log. You can configure a log to run at certain times of day, or you can specify a logging interval of a week. You can also specify an action to take when the log file closes. You can launch a new log or run a program or batch file to process the log file that just closed.
Creating a performance log
To create a performance log, take these steps:
1. In Control Panel, choose Administrative Tools | Performance to open
the Performance console. Expand the Performance Logs And Alerts
item in the console tree.
You will see the System Overview log created by Microsoft. You can use
this log as is or browse its settings for ideas on how to configure your
own log. Note the counters, sample intervals, and log file names in
this log.
2. You can create a new log from settings saved in a System Monitor view
by right-clicking Counter Logs and choosing New Log Settings From
(Figure 16-12). Browse to and select the saved view.
Figure 16-12 Creating a new performance log
NOTE You can also choose New Log Settings to create a new blank log. You must then specify your own counters and settings.
3. After providing a name for your log, you will be presented with the
Properties dialog box for your new log (Figure 16-13). Configure the
appropriate settings and schedule, and click OK.
Figure 16-13 Configuring performance log properties
NOTE Many performance experts recommend creating a baseline performance log soon after you acquire a system. This makes it easier later on to see which aspects of performance are declining and take appropriate action.
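As an added example (not part of the book), the PowerShell script below reads a counter log that was saved as a comma-delimited text file and fits a per-day trend to each counter, which is the week-long view that the "slower every day until restarted" scenario above calls for. The embedded log lines are constructed to mimic that file's layout; the host name WS01 and all values are made up.

```powershell
# Added example, not from the book: spot a multi-day trend in a counter log.
# $logText is constructed to mimic the layout Performance Logs and Alerts
# writes for a comma-delimited text log: a "(PDH-CSV 4.0)" timestamp column
# followed by one column per counter path. Host WS01 and all values are made up.
$logText = @'
"(PDH-CSV 4.0)","\\WS01\Memory\Available Bytes","\\WS01\Memory\Pages/sec","\\WS01\Processor(_Total)\% Processor Time"
"03/01/2005 09:00:00.000","412000000","3.1","12.4"
"03/01/2005 17:00:00.000","388000000","4.0","15.2"
"03/02/2005 09:00:00.000","351000000","6.7","14.9"
"03/02/2005 17:00:00.000","322000000","9.3","16.0"
"03/03/2005 09:00:00.000","287000000","14.8","18.1"
"03/03/2005 17:00:00.000","251000000","23.5","22.7"
"03/04/2005 09:00:00.000","214000000","31.9","27.3"
"03/04/2005 17:00:00.000","176000000","44.2","35.8"
'@

function Get-CounterTrend {
    # For one counter column, returns the least-squares slope per day and how
    # many samples exceeded $Threshold. Available Bytes sloping down day after
    # day while Pages/sec climbs is the "slower every day until rebooted"
    # pattern; a single sample over the threshold on its own is not.
    param([string]$CsvText, [string]$CounterName, [double]$Threshold)
    $rows = $CsvText | ConvertFrom-Csv
    $props = @($rows[0].PSObject.Properties | ForEach-Object { $_.Name })
    $timeCol = $props[0]
    $valCol  = @($props | Where-Object { $_ -like "*\$CounterName" })[0]
    $fmt = 'MM/dd/yyyy HH:mm:ss.fff'
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $t0 = [datetime]::ParseExact($rows[0].$timeCol, $fmt, $inv)
    $x = @(); $y = @()
    foreach ($r in $rows) {
        $t = [datetime]::ParseExact($r.$timeCol, $fmt, $inv)
        $x += ($t - $t0).TotalDays          # elapsed days since first sample
        $y += [double]$r.$valCol
    }
    $mx = ($x | Measure-Object -Average).Average
    $my = ($y | Measure-Object -Average).Average
    $num = 0.0; $den = 0.0
    for ($i = 0; $i -lt $x.Count; $i++) {
        $num += ($x[$i] - $mx) * ($y[$i] - $my)
        $den += ($x[$i] - $mx) * ($x[$i] - $mx)
    }
    $over = @($y | Where-Object { $_ -gt $Threshold }).Count
    New-Object PSObject -Property @{
        Counter     = $CounterName
        Samples     = $x.Count
        SlopePerDay = [math]::Round($num / $den, 2)
        SamplesOver = $over
    }
}

# Thresholds from the chapter: Pages/sec above 20, CPU above 80 percent.
# Available Bytes has no fixed floor, so only its slope is of interest.
$results = @(
    (Get-CounterTrend $logText 'Available Bytes' 0),
    (Get-CounterTrend $logText 'Pages/sec' 20),
    (Get-CounterTrend $logText '% Processor Time' 80)
)
$results | Select-Object Counter, Samples, SlopePerDay, SamplesOver | Format-Table -AutoSize
```

Point the script at a real log by replacing $logText with Get-Content on the .csv file the counter log wrote; a strongly negative Available Bytes slope with rising Pages/sec is the memory trend the chapter says to look for, while a flat slope with a few high samples is a transient load.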
Using Performance Alerts
Performance alerts notify users or administrators when a specified counter
crosses a threshold value configured by an administrator. The alert can simply
be a notification, or it can perform tasks such as starting a performance log or
running an application or batch file.
To configure an alert:
1. In Control Panel, choose Administrative Tools | Performance to open
the Performance console. Expand the Performance Logs And Alerts
item in the console tree.
2. Right-click Alerts and choose New Alert Settings From (Figure 16-14)
to copy alert settings from a saved System Monitor view.
NOTE You can also create a new alert without using saved settings. Simply choose New Alert Settings and specify your own counters.
Figure 16-14 Creating a new performance alert
3. After naming your new alert, configure counters and settings in the
Properties dialog box for the new alert. Use the General tab (Figure 16-15)
to configure counters, alert thresholds, and sample intervals.
Figure 16-15 Configuring alert properties
4. On the Action tab, configure the alert action (Figure 16-16).
Figure 16-16 Configuring alert actions
Monitoring Performance with Task Manager
Task Manager provides real-time information about the programs and processes
running on your computer and the computer’s performance. You can use Task
Manager to start programs, stop programs and processes, and view a simplified
chart view of your computer’s performance.
You can start Task Manager in the following ways:
■ Press CTRL+SHIFT+ESC.
■ Right-click the Windows taskbar, and then click Task Manager.
■ Press CTRL+ALT+DELETE.
NOTE Depending on your system’s configuration, you might have to select Task Manager from the Security Configuration dialog box after pressing CTRL+ALT+DELETE.
Task Manager has the following tabs:
■ Applications Displays the running foreground applications and allows you to switch from one to another or to end an application that has stopped responding to the system (Figure 16-17).
Figure 16-17 Displaying active foreground applications in Task Manager
■ Processes Lists all system processes and allows you to manage them (Figure 16-18). You can end individual processes or change their execution priority.
NOTE Note the Show Processes From All Users check box. You can select it to display processes running for all users currently logged on to the system.
Figure 16-18 Displaying active processes in Task Manager
■ Performance Provides a quick glimpse of processor and memory graphs (Figure 16-19). These graphs can show you at a glance whether the system is in trouble.
Figure 16-19 Viewing performance in Task Manager
■ Networking Graphs the utilization level of any network interfaces installed on the system (Figure 16-20). You can quickly see if your system is experiencing bandwidth-related performance issues.
Figure 16-20 Displaying network utilization
■ Users Lists users who log on to the system while Fast User Switching is enabled (Figure 16-21). You will not see this tab on systems that are members of an Active Directory domain or that have Fast User Switching disabled.
Figure 16-21 Displaying users currently logged on to a system
Ending Runaway or Locked Processes
Occasionally, you will face a system with a process that has locked or is consuming
all available resources. Using the Processes tab, you can identify which process is
hogging the processor or memory and end it.
To end a runaway or locked process, right-click the process you want to end and
choose End Process (Figure 16-22).
Figure 16-22 Ending a process in Task Manager
NOTE You can also end tasks by using the Applications tab. Simply select the application and click the End Task button.
Managing Users with Task Manager
If you are administering a system with multiple users logged on via Fast User
Switching and you need to log someone off, you can do so from the Users tab in
Task Manager.
To log off a user, right-click the username on the Users tab and choose Log Off
(Figure 16-23). The user’s applications will be ended and he will be logged off.
Figure 16-23 Logging off a user in Task Manager
You can also use the Users tab to send a message to a user who is logged on to the
system. Right-click the username on the Users tab and choose Send Message.
Enter the message into the Send Message dialog box (Figure 16-24), and click OK
to send it.
Figure 16-24 The Send Message dialog box
NOTE: Sending a message using Task Manager sends the message even if the
Messenger service is disabled.
IMPROVING PERFORMANCE
Monitoring and improving performance is as much an art as a science. You must
carefully analyze and interpret performance counters and performance logs.
Solving severe performance issues can be an iterative process, often requiring you
to reanalyze performance after you have made changes, to gauge their effect. In
this section, we will discuss how to improve performance in key areas of system
operation.
Memory Performance
Improving memory performance or size often leads to the largest improvements
in performance. Each application that runs on your system attempts to carve out
its own memory space. You can look at the system requirements on the product
packaging to get an idea of how much memory your application needs.
To determine whether you need more memory, check out a few key performance
counters:
■ Memory: Available Bytes Shows how close your system is to running out of
memory. For example, on a 512-MB system, 24 MB of free space is not a good
statistic. As your system approaches the limit of physical memory, it begins
to swap more and more pages to disk to retain enough free memory to handle
sudden requests.
■ Memory: Pages / sec Indicates the relative amount of paging taking place.
As the use of the page file increases, this counter rises. Page file usage is
extremely detrimental to performance.
■ Page File: % Usage Indicates the percentage of the page file that is
currently in use. If your system has 512 MB of RAM and is using another
512 MB in the page file, you have about half the physical memory you need.
Disk Performance
When you monitor disk performance, you should consider the source of disk
activity. On a system with low memory, page file traffic will account for much of
your disk activity. If, after ensuring that your system has ample memory, you still
suspect disk performance issues, look at the following counters:
■ Physical Disk: Average Disk Queue Length Records the average length of a
disk’s read and write queues. This statistic indicates the number of read and
write requests waiting for the disk. Any consistent number recorded in this
counter indicates that the physical disks cannot keep up with demand.
Consider faster disks or a hardware RAID solution to improve performance.
■ Physical Disk: % Disk Time Indicates the percentage of the time the disk
is busy servicing read and write requests. Again, if you need to improve
these numbers, consider faster disks or a hardware RAID solution.
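The memory and disk counters above are usually read from a saved performance log rather than watched live. The following script is an added example (not code from the book or from Microsoft) that parses the CSV layout written by the Windows typeperf tool, where the first column is the sample time and the remaining columns are counter paths, and applies the chapter's reasoning in order: rule out memory pressure first, because paging inflates every disk counter, and only then blame the disks. The machine name WORKSTATION, the sample values, and the numeric thresholds are all constructed for the example; the thresholds are assumptions derived from the rules of thumb in this section, not Microsoft guidance.

```python
"""Classify a performance log against the memory and disk counters this chapter discusses.

Added example. Assumes the CSV layout produced by "typeperf -f CSV": first column
is the sample timestamp, every other column is a counter path such as
\\HOST\Object(instance)\Counter. All sample values and thresholds are constructed.
"""
import csv
import io
from statistics import mean

# Constructed samples shaped like a typeperf CSV export (not real captures).
MEMORY_BOUND_LOG = r'''"(PDH-CSV 4.0)","\\WORKSTATION\Memory\Available Bytes","\\WORKSTATION\Memory\Pages/sec","\\WORKSTATION\Paging File(_Total)\% Usage","\\WORKSTATION\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\WORKSTATION\PhysicalDisk(_Total)\% Disk Time"
"03/01/2005 09:00:00.000","25165824","118.5","61.2","3.1","92.4"
"03/01/2005 09:00:15.000","23068672","134.0","63.0","2.8","95.1"
"03/01/2005 09:00:30.000","22020096","141.7","64.5","3.4","97.0"
'''

DISK_BOUND_LOG = r'''"(PDH-CSV 4.0)","\\WORKSTATION\Memory\Available Bytes","\\WORKSTATION\Memory\Pages/sec","\\WORKSTATION\Paging File(_Total)\% Usage","\\WORKSTATION\PhysicalDisk(_Total)\Avg. Disk Queue Length","\\WORKSTATION\PhysicalDisk(_Total)\% Disk Time"
"03/01/2005 10:00:00.000","402653184","3.2","8.1","4.0","88.0"
"03/01/2005 10:00:15.000","398458880","2.7","8.3","3.6","91.5"
"03/01/2005 10:00:30.000","401604608","4.1","8.0","4.4","86.2"
'''

# Thresholds are this example's assumptions. They follow the chapter's rules of
# thumb (24 MB free on a 512-MB system is "not good"; % Disk Time "well over 50"
# points at the disk; "any consistent number" in the queue means the disk lags).
LOW_AVAILABLE_MB = 64.0
HIGH_PAGES_PER_SEC = 20.0
HIGH_PAGEFILE_PCT = 50.0
HIGH_DISK_TIME_PCT = 50.0
CONSISTENT_QUEUE = 1.0      # every sample shows at least one request waiting


def counter_key(path):
    """Reduce '\\\\HOST\\Object(instance)\\Counter' to 'Object\\Counter'."""
    parts = path.lstrip("\\").split("\\")
    obj, counter = parts[-2], parts[-1]
    obj = obj.split("(")[0]          # drop the instance, e.g. PhysicalDisk(_Total)
    return f"{obj}\\{counter}"


def parse_typeperf_csv(text):
    """Return {counter key: [float samples in log order]} for a typeperf CSV."""
    rows = list(csv.reader(io.StringIO(text)))
    header, samples = rows[0], rows[1:]
    keys = [counter_key(p) for p in header[1:]]   # column 0 is the timestamp
    series = {k: [] for k in keys}
    for row in samples:
        for key, value in zip(keys, row[1:]):
            series[key].append(float(value))
    return series


def diagnose(series):
    """Return (verdict, findings); verdict is 'memory', 'disk' or 'ok'.

    Memory is judged first: when the system is short of RAM the paging traffic
    alone will make the disk counters look bad, so adding memory comes first.
    Note the real object name is "Paging File", which the chapter calls Page File.
    """
    findings = []
    available_mb = mean(series["Memory\\Available Bytes"]) / (1024 * 1024)
    pages = mean(series["Memory\\Pages/sec"])
    pagefile = mean(series["Paging File\\% Usage"])
    queue = series["PhysicalDisk\\Avg. Disk Queue Length"]
    disk_time = mean(series["PhysicalDisk\\% Disk Time"])

    memory_short = available_mb < LOW_AVAILABLE_MB or (
        pages > HIGH_PAGES_PER_SEC and pagefile > HIGH_PAGEFILE_PCT)
    if memory_short:
        findings.append(f"Available Bytes averages {available_mb:.0f} MB, Pages/sec "
                        f"{pages:.0f}, page file {pagefile:.0f}% used: add memory first")

    # A lone spike is not "consistent"; require every sample to show a queue.
    disk_slow = min(queue) >= CONSISTENT_QUEUE or disk_time > HIGH_DISK_TIME_PCT
    if disk_slow:
        findings.append(f"Avg. Disk Queue Length never drops below {min(queue):.1f} and "
                        f"% Disk Time averages {disk_time:.0f}: disks cannot keep up")

    if memory_short:
        return "memory", findings
    if disk_slow:
        return "disk", findings
    return "ok", findings


if __name__ == "__main__":
    for name, log in (("memory-bound", MEMORY_BOUND_LOG), ("disk-bound", DISK_BOUND_LOG)):
        verdict, findings = diagnose(parse_typeperf_csv(log))
        print(f"{name}: {verdict}")
        for line in findings:
            print("  " + line)
```

Running the script prints "memory" for the first log even though its disk counters are also high, which is the point of the chapter's ordering: a busy disk on a memory-starved system is a symptom, not the cause.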
Managing disk performance tasks using scheduled tasks
Disk performance can be affected not only by hardware but also by the effects of
fragmentation. You can use scheduled tasks to manage a weekly defragmentation
job on your system.
To schedule defragmentation on your system:
1. Select the appropriate command-line Disk Defragmenter command. For
the C: drive, you can use:
C:\Windows\System32\Defrag C:
2. In Control Panel, open Scheduled Tasks.
3. Double-click the Add Scheduled Task item to launch the Scheduled
Task Wizard (Figure 16-25). Click Next to begin configuring the task.
Figure 16-25 Adding a new scheduled task
4. Browse to C:\Windows\System32\Defrag.exe (Figure 16-26). Click
Open to advance to the next page of the wizard.
Figure 16-26 Selecting Defrag.exe
5. Choose Weekly to run this task every week (Figure 16-27). Click Next.
Figure 16-27 Scheduling the defragmentation job to run weekly
6. Set the day of the week and time you want to run the task (Figure 16-28).
Click Next.
Figure 16-28 Choosing to run the task every Sunday
7. Provide the name and password of the Administrator-level account you
will run the task under (Figure 16-29). Click Next.
Figure 16-29 Providing a user account to use for the Defrag.exe task
8. On the final wizard page, select the Open Advanced Properties For This
Task When I Click Finish check box. Click Finish.
9. The task’s Properties dialog box opens. You can modify the command line for the task to specify your disk drive (Figure 16-30).
Click OK.
Figure 16-30 Completing the Defrag.exe command line
Managing Paging Files to Improve Disk Performance
Excessive paging of memory affects the performance of a system’s hard disks
and results not only in reduced read/write performance of the disks but also
reduced paging efficiency when applications vie with virtual memory for disk
time. To alleviate some of these concerns, you should place the paging file on a
different disk than the operating system. File reads and writes can then happen
concurrently with virtual memory paging, thereby improving efficiency.
If your system runs out of space in the paging file, all activity will essentially cease
while the system increases the paging file size. This might take as long as several minutes and will severely affect performance.
You can manage page file location and size by using the System Properties
dialog box.
To change the location or size of the paging file:
1. Right-click My Computer and choose Properties to open the System
Properties dialog box.
2. On the Advanced tab (Figure 16-31), click the Settings button under
Performance to open the Performance Options dialog box.
Figure 16-31 The Advanced tab of the System Properties dialog box
3. On the Advanced tab (Figure 16-32), find the Virtual Memory
option. Click Change to open the Virtual Memory dialog box
(Figure 16-33).
Figure 16-32 The Performance Options dialog box
Figure 16-33 Managing virtual memory
4. Select the disk to use for the paging file. You can change the size of the
paging file on each disk.
If you are moving the paging file, select another disk and configure the
paging file size for that disk. Once the new file size is defined, you can
restart the system to begin using the new file. You can then use the
Virtual Memory dialog box to remove the original paging file.
NOTE: The default size for the paging file is 1.5 times the amount of physical
RAM in the system.
Adding CPUs
If you have a dual-processor-capable system, you might consider adding a second
CPU if required, but you should exhaust all other options before you do so. The
true bottleneck often lies in memory or on the disk. However, if CPU utilization
consistently hovers above 80 percent on your system while you are working, you
should consider adding an additional CPU. Be sure to buy an exact twin of your
existing CPU—the same processor family, model, and stepping number, and preferably from the same die lot. If you cannot find a matching processor, you can
buy two processors from a current batch. However, this might be so expensive
that you are better off buying a newer system. After analyzing performance and
eliminating other possible causes, you will have all the information you need to
make the decision when the time comes.
Hyper-Threading CPUs
Some recently released CPU models support a feature called simultaneous multithreading or hyper-threading. This feature allows a CPU to execute multiple
threads of an application in parallel, gaining some of the benefits usually seen
with multiple CPUs. This parallel execution can improve performance of multithreaded applications by as much as 25 percent and can improve performance
of applications compiled for hyper-threading even more.
Hyper-threading CPUs appear to the system as two processors, and they actually have duplicate circuitry for managing application threading. They do not
have separate execution units (the component that actually executes program
instructions).
Mobile System Performance
Managing mobile system performance requires understanding the unique
challenges posed by mobile systems: multiple processor speeds, slow network
connections, slower hard disk drive technology, and less RAM.
Some CPUs use speed-switching technology to reduce CPU power consumption
while on battery. Check if your system performs better on AC power. If this is the
case, and you are not concerned about battery life, consider disabling the reduction in CPU speed that might occur when you disconnect power. You can do this
by selecting the Always On power management scheme.
Other improvements to consider include adding memory or switching to a faster
disk. Consider how these changes will affect battery life. Some faster disks require
more power to operate.
SUMMARY
■ Common factors leading to poor performance include insufficient memory,
slow disk or network performance, and insufficient CPU speed.
■ The Performance console provides tools for viewing performance data,
logging performance data, and sending alerts when certain performance
thresholds are met.
■ Performance objects contain performance counters that relate to certain
aspects of system or application performance.
■ Performance counters report the statistics of a single aspect of system or
application performance.
■ Improving system performance often requires several rounds of monitoring
and adjustments to achieve the desired results.
REVIEW QUESTIONS
1. Adding __________ is usually the easiest way to improve performance.
(knowledge demonstration)
a. CPUs
b. Memory
c. Disks
d. Power
2. Which of the following performance counters can help you determine
whether a system has adequate memory? (Choose all correct answers.)
(knowledge application)
a. Memory: Available Bytes
b. Page File: % Usage
c. Memory: Pages / sec
d. Physical Disk: Average Disk Queue Length
3. You are analyzing performance of your Windows XP system. Physical
Disk: % Disk Time is well over 50, Page File: % Usage is less than 10,
and Memory: Pages / sec is less than 5. Which of the following items
is most likely causing the performance issues on your system? (knowledge application)
a. Memory
b. Disk
c. CPU
d. Network
4. From which of the following sources can you copy counters when you
configure a performance alert? (knowledge demonstration)
a. Page file
b. Performance log
c. Saved System Monitor view
d. Performance object
5. You notice that your mobile computer seems to run more slowly when
you are not using the AC adapter. What could be causing this? (knowledge application)
a. The CPU is designed to run more slowly while on battery power.
b. The CPU isn’t getting the power it needs to run efficiently.
c. The battery is of the wrong type.
d. The battery needs charging.
6. Which Windows XP system utility can you use to perform scheduled
maintenance tasks on your system? (knowledge demonstration)
a. System Restore
b. Scheduled tasks
c. Maintenance Manager
d. Disk Defragmenter
CASE SCENARIOS
Scenario 16-1: A Slow Application
The CFO calls you in because he is running a large spreadsheet on his system
and it is running unusually slowly. He wants you to try to get his system moving
faster again.
Answer the following questions about this scenario:
1. Which Windows XP utility will give you a quick look at the performance
of this system?
2. Available memory seems to be fine, but you notice that the system’s
hard disk thrashes excessively whenever you launch a new application.
Which of the following performance counters can you use to check the
status of the physical disk?
a. Memory: Available Bytes
b. Page File: % Usage
c. Memory: Pages / sec
d. Physical Disk: Average Disk Queue Length
3. You ask the CFO about his use of the system. Nothing has changed in
terms of applications or data—the system has just been getting slower.
You check Physical Disk: Average Disk Queue Length and find the
value excessive. Which of the following factors might be responsible
for the poor disk performance?
a. The hard disk is failing.
b. The system needs faster disks.
c. The disk is seeing excessive use of virtual memory.
d. The disk is excessively fragmented.
Scenario 16-2: Spotting the Cause of
Performance Issues
You are analyzing a system with System Monitor and have noted the following
statistics:
Memory: Available Bytes (768 MB RAM total)     234 MB
Memory: Pages / sec                            2
Page File: % Usage                             24
Physical Disk: Average Disk Queue Length       4
Answer the following questions about this scenario:
1. Is memory probably an issue on this system?
2. Do you have enough information to know definitively whether disk
performance is an issue on this system? If not, what additional
counters can you use to monitor disk performance?
GLOSSARY
access control entry (ACE) An entry in
an object’s discretionary access control
list (DACL) that grants permissions to a
user or group. An ACE is also an entry
in an object’s system access control list
(SACL) that specifies the security
events to be audited for a user or group.
access control list (ACL) Commonly
used to refer to DACL. See Discretionary Access Control List (DACL).
Active Directory The directory service
that stores information about users,
computers, files, printers, and other
objects on a network and makes this
information available to users and network administrators. Active Directory
gives network users a single logon process to access permitted resources anywhere on the network. It provides
network administrators with an intuitive, hierarchical view of the network
and a single point of administration for
all network objects.
Active Directory domain An Active
Directory domain is a collection of
computers defined by the administrator of a Windows network. These computers share a common directory
database, security policies, and security
relationships with other domains. An
Active Directory domain provides
access to the centralized user and
group accounts maintained by the
domain administrator. An Active Directory forest is made up of one or more
domains, each of which can span more
than one physical location.
ActiveX A set of technologies that allows
software components to interact with
one another in a networked environment, regardless of the language in
which the components were created.
Address Resolution Protocol
(ARP) In TCP/IP, a protocol that uses
broadcast traffic on the local network
to resolve a logically assigned IP
address to its physical hardware or
media access control layer address.
Advanced Configuration and Power
Interface (ACPI) An open industry
specification that defines power management on a wide range of mobile,
desktop, and server computers and
peripherals. ACPI is the foundation for
the OnNow industry initiative that
allows system manufacturers to deliver
computers that will start at the touch of
a keyboard. ACPI design is essential for
taking full advantage of power management and Plug and Play (PnP).
alert See performance alert.
APIPA See Automatic Private IP
Addressing (APIPA).
ARP See Address Resolution Protocol
(ARP).
attribute For files, information that
indicates whether a file is read-only,
hidden, ready for archiving (backing
up), compressed, or encrypted, and
whether the file contents should be
indexed for fast file searching.
auditing The process of tracking users’
activities by recording selected types of
events in the security log of a server or a
workstation.
audit policy A policy that determines
which security events are to be reported
to the network administrator.
Authenticode A security feature of
Internet Explorer. Authenticode
allows vendors of downloadable programs (plug-ins or ActiveX controls,
for example) to attach digital certificates to their products to assure users
that their code is from the original
developer and has not been altered.
Authenticode lets users decide before
downloading begins whether to accept
or reject software components posted
on the Internet.
Automatic Private IP Addressing
(APIPA) A feature of Windows XP
TCP/IP that automatically configures a
unique IP address from the range
169.254.0.1 through 169.254.255.254
and a subnet mask of 255.255.0.0
when the TCP/IP protocol is configured for dynamic addressing and a
Dynamic Host Configuration Protocol
(DHCP) server is not available.
bit Short for binary digit. The smallest
unit of information handled by a computer. One bit expresses a 1 or a 0 in a
binary numeral, or a true or false logical condition. It is represented physically by an element such as a high or
low voltage at some point in a circuit,
the polarity of a magnetized spot on a
magnetic disk, or the presence or
absence of a spot on an optical disk.
base 2 See binary.
base 10 See decimal.
Boolean Of, pertaining to, or characteristic of logical (true/false) values.
basic disk A physical disk that can be
accessed by MS-DOS and all Windowsbased operating systems. Basic disks
can contain up to four primary partitions, or three primary partitions and
an extended partition with multiple
logical drives. To create partitions that
span multiple disks, you must first convert the basic disk to a dynamic disk
using Disk Management.
basic input/output system (BIOS) On
x86-based computers, the set of essential software routines that test hardware
at startup, start the operating system,
and support the transfer of data among
hardware devices. The BIOS is stored in
read-only memory (ROM) so that it can
be executed when the computer is
turned on. Although critical to performance, the BIOS is usually invisible to
users.
BHO See browser helper object (BHO).
binary Having two components, alternatives, or outcomes. The binary number system has the number 2 at its base,
so values are expressed as combinations of two digits, 0 and 1.
binary number A number expressed in
base 2 or binary form. Binary numbers
are composed of zeros and ones. See
also binary.
bot On the Internet, a program that performs a repetitive or time-consuming
task, such as searching Web sites or
newsgroups or indexing them in a database or other recordkeeping system.
This term is also increasingly used to
describe a malicious program that
scans the Internet address space looking for systems with a particular vulnerability. This kind of bot, also known as
a zombie, infects the host to control it
remotely, using it to launch attacks on
other systems or to spew unsolicited email messages across the Internet.
broadband connection A high-speed
connection. Broadband connections
are typically 256 kilobytes per second
(KBps) or faster. Broadband includes
DSL and cable modem service.
browser helper object (BHO) A DLL
that allows developers to control Internet Explorer to perform certain tasks
for which it was not initially designed,
thus extending Internet Explorer’s
capabilities. Examples of BHOs are
antivirus scanners, download managers, and navigation monitors.
byte A unit of data that typically holds a
single character, such as a letter, digit,
or punctuation mark. Some single characters can take up more than one byte.
cached credentials Stored logon credentials that are used to authenticate a
user when a domain controller is not
available for authentication.
CIDR See classless interdomain routing
(CIDR).
classless interdomain routing
(CIDR) An address scheme that uses
aggregation strategies to minimize the
size of top-level Internet routing tables.
compatibility mode A feature of a computer or operating system that allows it
to run programs written for a different
system. Programs often run more
slowly in compatibility mode.
convergence The process of stabilizing
a system after changes occur in the network. In routing, if a route becomes
unavailable, routers send update messages throughout the internetwork,
reestablishing information about preferred routes.
decimal A numbering system based on
powers of 10. Each successive placeholder represents a progression of a
multiple of 10.
desktop The on-screen work area on
which windows, icons, menus, and dialog boxes appear.
device driver A program that allows a
specific device, such as a modem, network adapter, or printer, to communicate with the operating system.
Although a device might be installed on
your system, Windows cannot use the
device until you have installed and configured the appropriate driver. If a
device is listed in the Hardware Compatibility List (HCL), a driver is usually
included with Windows. Device drivers
load (for all enabled devices) when a
computer is started or new hardware is
installed, and thereafter run invisibly.
DHCP See Dynamic Host Configuration
Protocol (DHCP).
DHCP client Any network-enabled
device that supports the ability to communicate with a DHCP server for the
purpose of obtaining dynamic leased IP
configuration and related optional
parameter information.
DHCP server A computer running a
DHCP service that offers dynamic configuration of IP addresses and related
information to DHCP-enabled clients.
Digital Subscriber Line (DSL) A type
of high-speed Internet connection that
uses standard telephone wires. This is
also referred to as one type of broadband connection.
discretionary access control list
(DACL) The part of an object’s security descriptor that grants or denies
specific users and groups permission to
access the object. Only the owner of an
object can change permissions granted
or denied in a DACL; thus, access to the
object is at the owner’s discretion.
display adapter See video adapter.
Domain Name System (DNS) A hierarchical, distributed database that contains mappings of DNS domain names
to IP addresses. DNS enables the location of computers and services by userfriendly names, and it also enables the
discovery of other information stored
in the database.
dotted decimal notation The process
of formatting an IP address as a 32-bit
identifier made up of four groups of
numbers, each representing a binary
octet, with each group separated by a
period. An example of an IP address
using dotted decimal notation might
look like this:
192.168.100.214
DSL See Digital Subscriber Line (DSL).
dynamic disk A disk that can be
accessed only by Windows 2000, Windows Server 2003, and Windows XP.
Dynamic disks provide features that
basic disks do not, such as support for
volumes that span multiple disks.
Dynamic disks use a hidden database
to track information about dynamic
volumes on the disk and other dynamic
disks in the computer. You convert
basic disks to dynamic disks by using
the Disk Management snap-in. When
you convert a basic disk to a dynamic
disk, all existing basic volumes become
dynamic volumes.
Dynamic Host Configuration Protocol
(DHCP) A TCP/IP service protocol
that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to
eligible network clients. DHCP provides safe, reliable, and simple TCP/IP
network configuration, prevents
address conflicts, and helps conserve
the use of client IP addresses on the
network.
Dynamic Update A feature of Windows
XP Setup that queries Microsoft for
product updates that can be incorporated into the Windows XP installation
to enhance its operation. These updates
might include replacement setup files
or updated device drivers.
Encrypting File System (EFS) A Windows feature that enables users to
encrypt files and folders on an NTFS
volume to keep them safe from access
by intruders.
encryption The process of disguising a
message or data in order to hide its content.
Ethernet An IEEE standard for contention networks, in which devices connected to the network compete for
access to the network. Ethernet uses a
bus or star topology and relies on the
form of access known as Carrier Sense
Multiple Access with Collision Detection (CSMA/CD) to regulate communication-line traffic. Network nodes are
linked by coaxial cable, fiber-optic
cable, or twisted-pair wiring. Data is
transmitted in variable-length frames
containing delivery and control information and up to 1,500 bytes of data.
The Ethernet standard provides for
transmission at rates of 10 megabits (10
million bits), 100 megabits (100 million
bits), 1 gigabit (1 billion bits), or 10
gigabits (10 billion bits) per second.
exception In Windows Firewall, a
packet filtering rule that allows
inbound connections to certain applications or ports.
file system In an operating system, the
overall structure in which files are
named, stored, and organized. NTFS,
FAT, and FAT32 are types of file systems.
File Transfer Protocol (FTP) A member of the TCP/IP suite of protocols
that is used to copy files between two
computers on the Internet. Both computers must support their respective
FTP roles: one must be an FTP client
and the other must be an FTP server.
FilterKeys A keyboard feature that
instructs your keyboard to ignore brief
or repeated keystrokes. You can also
adjust the keyboard repeat rate, which
is the rate at which a key repeats when
you hold it down.
firewall A combination of hardware and
software that provides a security system, usually to prevent unauthorized
access from the outside to an internal
network or intranet.
FTP See File Transfer Protocol (FTP).
gateway A device connected to multiple
physical TCP/IP networks that is capable of routing or delivering IP packets
among them.
giga One billion. In data storage, a prefix meaning 2 to the 30th power, or
1,073,741,824.
GPO See Group Policy Object (GPO).
group A collection of users, computers,
contacts, or other groups. Groups can
be used for security or as e-mail distribution lists. Distribution groups are
used only for e-mail. Security groups
are used both to grant access to
resources and as e-mail distribution
lists.
Group Policy Object (GPO) A collection of Group Policy settings. Group
Policy Objects are essentially the documents created by the Group Policy
snap-in, a Windows utility. GPOs are
stored at the domain level, and they
affect users and computers contained
in sites, domains, and organizational
units (OUs). In addition, each Windows computer has exactly one group
of settings stored locally, called the
local GPO.
hibernation A state in which your computer shuts down after saving everything in memory on your hard disk.
When you bring your computer out of
hibernation, all programs and documents that were open are restored to
your desktop.
hive A section of the registry that
appears as a file on your hard disk. The
registry subtree is divided into hives
(named for their resemblance to the
cellular structure of a beehive). A hive is
a discrete body of keys, subkeys, and
values that is rooted at the top of the
registry hierarchy. A hive is backed by a
single file and a .log file, which are in
the systemroot\System32\Config or
the systemroot\Profiles\username
folders.
Hypertext Markup Language
(HTML) A simple markup language
used to create hypertext documents
that are portable from one platform to
another. HTML files are simple ASCII
text files with codes embedded (indicated by markup tags) to denote formatting and hypertext links. HTML is
the basis for most World Wide Web
communications.
ICMP See Internet Control Message
Protocol (ICMP).
IDS See intrusion detection system
(IDS).
IGMP See Internet Group Management
Protocol (IGMP).
Internet Control Message Protocol
(ICMP) A required maintenance protocol in the TCP/IP suite that reports
errors and allows simple connectivity.
ICMP is used by the Ping tool to perform TCP/IP troubleshooting.
Internet Group Management Protocol
(IGMP) A protocol used by IP hosts
to report their multicast group memberships to any immediately neighboring multicast routers.
Internet Protocol (IP) A routable protocol in the TCP/IP protocol suite that
is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets.
Internet service provider (ISP) A company that provides individuals or companies access to the Internet and the
World Wide Web. An ISP provides a
telephone number, username, password, and other connection information so users can connect their
computers to the ISP’s computers. An
ISP typically charges a monthly or
hourly connection fee.
interrupt request (IRQ) A request for
attention from the processor. When the
processor receives an interrupt, it suspends its current operations, saves the
status of its work, and transfers control
to a special routine known as an interrupt handler, which contains the
instructions for dealing with the particular situation that caused the interrupt.
intrusion detection system (IDS) A
type of security management system for
computers and networks that gathers
and analyzes information from various
sources to identify possible security
breaches.
IP See Internet Protocol (IP).
IP address A 32-bit address used to
identify a node on an IP internetwork.
Each node on the IP internetwork must
be assigned a unique IP address, which
is made up of the network ID plus a
unique host ID. This address is typically represented with the decimal
value of each octet, separated by a
period (for example, 192.168.7.27). In
Windows XP Professional, you can configure the IP address statically, dynamically through DHCP, or automatically
through automatic private IP addressing (APIPA).
ISP See Internet service provider (ISP).
kernel The core of layered architecture
that manages the most basic operations
of the operating system and the computer’s processor. The kernel schedules
different blocks of executing code,
called threads, to keep the processor as
busy as possible, and coordinates multiple processors to optimize performance. The kernel also synchronizes
activities among Executive-level subcomponents, such as the I/O Manager
and the Process Manager, and handles
hardware exceptions and other hardware-dependent functions.
kilo One thousand. In digital storage, a
prefix meaning 2 to the 10th power, or
1,024.
Line Printer Daemon (LPD) A service
on a UNIX-like print server that
receives documents (print jobs) from
Line Printer Remote (LPR) utilities running on client systems. Windows print
servers can support LPD to provide
interoperability with UNIX.
Line Printer Remote (LPR) A connectivity utility that runs on client systems
and is used to print files to a computer
running an LPD server. Windows clients can be configured to print using
LPR for interoperability with UNIX.
logon script A file that can be assigned
to user accounts. Typically a batch file,
a logon script runs every time the user
logs on. It can be used to configure a
user’s working environment at every
logon, and it allows an administrator to
influence a user’s environment without
managing all aspects of it. A logon
script can be assigned to one or more
user accounts.
loopback address The address of the
local computer used for routing outgoing packets back to the source computer. This address is used primarily for
testing.
MAC address See Media Access Control
(MAC) address.
malware Software created and distributed for malicious purposes, such as to
invade computer systems in the form of
viruses, worms, or innocent-seeming
plug-ins and extensions that mask
other destructive capabilities.
Master File Table (MFT) An NTFS system file on NTFS-formatted volumes
that contains information about each
file and folder on the volume. The MFT
is the first file on an NTFS volume.
Media Access Control (MAC) address A hardware address that identifies each node on a local network segment. The manufacturer programs an address intended to be globally unique into each network adapter, with the first three bytes identifying the vendor. The operating system can override that burned-in address from software, however, so MAC addresses can be duplicated or spoofed and should not be relied on as proof of a device's identity (for example in wireless MAC-address filters).
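As an added example that is not part of the glossary, the following Python reads a MAC address in the common notations and decodes the two flag bits of its first octet, the bits that tell an inventory or a MAC filter whether an address was assigned by the vendor or set in software. The address list is constructed for illustration and the function names are my own.

```python
import re

# Constructed sample inventory (not from the page): a vendor-assigned address,
# a locally administered one, a multicast group address and a malformed entry.
SAMPLE_MACS = [
    "00:50:56:12:34:56",
    "02:00:5e:00:00:01",
    "01:00:5e:00:00:fb",
    "00-50-56-ab-cd",
]


def parse_mac(text):
    """Return the six address bytes.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and
    001122334455, and raises ValueError for anything that is not exactly
    48 bits of hexadecimal.
    """
    hexdigits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return bytes.fromhex(hexdigits)


def classify_mac(text):
    """Decode the two flag bits IEEE 802 reserves in the first octet.

    bit 0 (least significant): 0 = unicast, 1 = multicast/group address
    bit 1: 0 = universally administered, i.e. burned in by the vendor whose
           registered OUI forms the first three bytes
           1 = locally administered, i.e. chosen by software (an operating
           system override, a hypervisor or a spoofing tool)
    """
    addr = parse_mac(text)
    first = addr[0]
    return {
        "canonical": ":".join("%02x" % b for b in addr),
        "oui": ":".join("%02x" % b for b in addr[:3]),
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def untrusted_macs(macs):
    """Flag entries an inventory or MAC filter should not treat as hardware identity."""
    flagged = []
    for mac in macs:
        try:
            info = classify_mac(mac)
        except ValueError:
            flagged.append((mac, "malformed"))
            continue
        if info["locally_administered"]:
            flagged.append((info["canonical"], "locally administered (set in software)"))
    return flagged


if __name__ == "__main__":
    for entry in untrusted_macs(SAMPLE_MACS):
        print("%-20s %s" % entry)
```

A locally administered address is not proof of spoofing (virtual machines and some bonding drivers use them legitimately), but it is proof that the address did not come from the adapter's firmware, which is the point the entry above makes.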
media library A data-storage system
usually managed by Removable Storage. A library consists of removable
media (such as tapes or discs) and a
hardware device that can read from or
write to the media. The two major types
of libraries are robotic libraries (automated multiple-media, multidrive
devices) and standalone drive libraries
(manually operated, single-drive
devices). A robotic library is also called
a jukebox or a changer.
GLOSSARY
media pool A logical collection of
removable media that have the same
management policies. Media pools are
used by applications to control access
to specific tapes or discs within libraries managed by Removable Storage.
The four media pools are: unrecognized, import, free, and application-specific. Each media pool can only hold
media or other media pools.
mega One million. In data storage, a prefix meaning 2 to the 20th power, or
1,048,576.
metadata Data about data. For example, the title, subject, author, and size of
a file constitute the file’s metadata.
MFT
See Master File Table (MFT).
netblock A contiguous group of IP
addresses, often described as a single
block with a common network ID.
network A group of computers and
other devices, such as printers and
scanners, that are connected by a communications link, enabling all the
devices to interact with each other. Networks can be small or large, permanently connected through wires or
cables, or temporarily connected
through phone lines or wireless transmissions. The largest network is the
Internet, which is a worldwide group of
networks.
network adapter A device that connects your computer to a network. This
device is sometimes called an adapter
card or a network interface card (NIC).
network basic input/output system
(NetBIOS) An application programming interface (API) that can be used
by programs on a local area network
(LAN). NetBIOS provides programs
with a uniform set of commands for
requesting the lower-level services
required to manage names, conduct
sessions, and send datagrams between
nodes on a network.
network ID In IP addressing, the base
address of an IP network address block,
in which the host portion of the
address (expressed in binary form) is
all zeros.
notification area The area on the taskbar to the right of the taskbar buttons.
The notification area displays the time
and can also contain shortcuts that provide quick access to programs such as
Volume Control and Power Options.
Other shortcuts can appear temporarily, providing information about
the status of activities. For example,
the printer shortcut icon appears
after a document has been sent to the
printer and disappears when printing
is complete.
NT file system
See NTFS.
NTFS An acronym for NT file system,
NTFS is an advanced file system that
provides performance, security, reliability, and advanced features not found in
any version of FAT. For example, NTFS
guarantees volume consistency by
using standard transaction logging and
recovery techniques. If a system fails,
NTFS uses its log file and checkpoint
information to restore the consistency
of the file system. In Windows 2000
and Windows XP, NTFS also provides
advanced features such as file and
folder permissions, encryption, disk
quotas, and compression.
octet A unit of data that consists of
exactly 8 bits.
offline A state that marks a component
in a cluster as unavailable. A node in an
offline state is either inactive or not running. Resources and groups also have
an offline state.
INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL
Open Systems Interconnection (OSI)
reference model A networking
model introduced by the International
Organization for Standardization (ISO)
to promote multivendor interoperability. OSI is a seven-layer conceptual
model consisting of the application,
presentation, session, transport, network, data-link, and physical layers.
organizational unit (OU) An Active
Directory container object used within
domains. An organizational unit is a
logical container into which users,
groups, computers, and other OUs are
placed. It can contain objects only from
its parent domain. An OU is the smallest scope to which a Group Policy
object can be linked, or over which
administrative authority can be delegated.
OU
See organizational unit (OU).
P3P See Platform for Privacy Preferences (P3P).
packet An Open Systems Interconnection (OSI) network layer transmission
unit that consists of binary information
representing data and a header containing an identification number, source
and destination addresses, and errorcontrol data.
packet filtering The process of controlling network access by inspecting each packet's header and allowing or discarding the packet according to rules on source and destination IP address, protocol, and port. A stateless packet filter judges each packet on its own; it does not reconstruct sessions or inspect payloads.
packet header The portion of a data
packet that precedes the body. The
header contains data that is needed for
successful transmission, such as source
and destination addresses and control
and timing information.
partition A portion of a physical disk
that functions as if it were a physically
separate disk. After you create a partition,
you must format it and assign it a drive
letter before you can store data on it.
password A secret shared between a user and the system and associated with the user's account. Each user generally has a unique password and must type it when logging on or connecting to a server. Windows stores a one-way hash of the password rather than the password itself, which is why password strength matters: a weak password can be recovered from its hash by guessing.
performance alert A feature that
detects when a predefined counter
value rises above or falls below the configured threshold and notifies a user by
means of the Messenger service.
performance counter In System Monitor, a data item that is associated with a
performance object. For each counter
selected, System Monitor presents a
value corresponding to a particular
aspect of the performance that is
defined for the performance object.
performance counter instance In System Monitor, a term used to distinguish
between multiple performance objects
of the same type on a computer.
performance object In System Monitor, a logical collection of counters that
is associated with a resource or service
that can be monitored.
permission A rule associated with an object that regulates which users can gain access to the object and the manner in which they can do so. Permissions are granted or denied by the object's owner, or by any user who holds the right to change the object's permissions (an administrator can also take ownership and then change them).
Platform for Privacy Preferences
(P3P) An open World Wide Web
Consortium (W3C) protocol that
allows Internet users to control the
type of personal information collected
by the Web sites they visit. P3P uses
User Agents built into browsers and
Web applications to allow P3P-enabled
Web sites to communicate privacy practices to users before they log on to the
Web site. P3P compares the Web site’s
privacy policies with the user’s personal set of privacy preferences, and it
reports any disagreements to the user.
Plug and Play A set of specifications
developed by Intel that allows a computer to automatically detect and configure a device and install the
appropriate device drivers.
Point-to-Point Protocol (PPP) An
industry standard suite of protocols for
the use of point-to-point links to transport multiprotocol datagrams. PPP is
documented in RFC 1661.
Point-to-Point Protocol over Ethernet
(PPPoE) A specification for connecting users on an Ethernet network to the
Internet through a broadband connection, such as a single DSL line, wireless
device, or cable modem. Using PPPoE
and a broadband modem, local area
network (LAN) users can gain individual authenticated access to high-speed
data networks. By combining Ethernet
and Point-to-Point Protocol (PPP),
PPPoE provides an efficient way of creating for each user a discrete connection to a remote server.
port An interface for program communication over a network connection.
Together with a network address, a port
defines a socket.
PostScript A page-description language
(PDL) developed by Adobe Systems for
printing with laser printers. PostScript
offers flexible font capability and highquality graphics. It is the standard for
desktop publishing because it is supported by imagesetters, the high-resolution printers used by printing services
for commercial typesetting.
PPP
See Point-to-Point Protocol (PPP).
PPPoE See Point-to-Point Protocol over
Ethernet (PPPoE).
print job The data stream that contains both the data to be printed and the commands for printing. Print jobs are classified into data types based on what modifications, if any, the spooler must make to the job for it to print correctly.
print server A computer that is dedicated to managing the printers on a network. The print server can be any
computer on the network.
printer permissions Permissions that
specify the type of access that a user or
group has to a printer. The printer permissions are Print, Manage Printers,
and Manage Documents.
printing pool Two or more identical
printers that are connected to one print
server and act as a single printer. In this
case, when you print a document, the
print job is sent to the first available
printer in the pool.
protocol A set of rules and conventions
for sending information over a network. These rules govern the content,
format, timing, sequencing, and error
control of messages exchanged among
network devices.
proxy server A server, commonly deployed as a component of a firewall, that relays Internet traffic to and from a local area network (LAN) on behalf of clients and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files. Because every client request passes through it, the proxy is also the natural place to log requests and enforce policy.
Recovery Console A command-line
interface that provides a limited set of
administrative commands that are useful for repairing a computer.
registry A database repository for information about a computer’s configuration. The registry contains information
that Windows continually references
during operation, such as profiles for
each user; the programs installed on
the computer and the types of documents each can create; property settings for folders and program icons;
what hardware exists on the system;
and which ports are being used. The
registry is organized hierarchically as a
tree and is made up of keys and their
subkeys, hives, and value entries.
Remote Installation Services (RIS) A software service that allows an administrator to set up new client computers remotely, without having to visit each client. The target clients must support remote booting from the network (PXE).
restore point A representation of a
stored state of your computer. A restore
point is created by System Restore at
both specific intervals and when applications register important changes to
your computer. You can also create
restore points manually at any time.
rights Tasks that a user is permitted to
perform on a computer system or
domain. The two types of user rights
are privileges (such as the right to shut
down the system) and logon rights
(such as the right to log on to a computer locally). Both types are assigned
by administrators to individual users or
groups as part of the security settings
for the computer.
roaming user profile A server-based
user profile that is downloaded to the
local computer when a user logs on and
that is updated both locally and on the
server when the user logs off. A roaming user profile is available from the
server when a user logs on to a workstation or server computer. When logging
on, the user can use the local user profile if it is more current than the copy
on the server.
router Hardware that helps networks
achieve interoperability and connectivity and can link networks that have different network topologies (such as
Ethernet and Token Ring). Routers
match packet headers to network segments and choose the best path for the
packet, optimizing network performance.
routing table In data communications,
a table of information that provides network hardware with the directions
needed to forward packets of data to
locations on other networks.
SACL See system access control list
(SACL).
safe mode In some versions of Windows, a boot mode that bypasses
startup files and loads only the most
basic drivers. Safe mode allows the user
to correct some problems with the system—for example, if the system fails to
boot or the registry has become corrupted.
screen resolution The setting that
determines the amount of information
that appears on screen, measured in
pixels. Low resolution, such as
640×480, makes items on the screen
appear large, although the screen area
is small. High resolution, such as
1024×768, makes the overall screen
area large, although individual items
appear small.
screen saver A moving picture or pattern that appears on your screen when
you have not used the mouse or keyboard for a specified period of time.
Secure Sockets Layer (SSL) An open standard for establishing an encrypted, server-authenticated communications channel to prevent the interception of sensitive information, such as credit card numbers. It primarily enables secure electronic financial transactions on the World Wide Web, although it is designed to work over other Internet services as well. SSL has been superseded by Transport Layer Security (TLS).
security descriptor A data structure that contains the security information associated with a protected object: the owner and primary group of the object, a discretionary access control list (DACL) that states who can access it and in what way, and a system access control list (SACL) that states which access attempts are to be audited. Windows can also express a security descriptor as a text string in Security Descriptor Definition Language (SDDL), which security templates and scripting interfaces use.
security ID (SID) A data structure of variable length that uniquely identifies user, group, and computer accounts. Every account is issued a unique SID when it is first created, and a SID is never reused: deleting an account and re-creating one with the same name produces a new SID with none of the old one's permissions. Internal processes in Windows, and the access control lists on objects, refer to an account's SID rather than its user or group name. In text form a SID is written S-1-authority-subauthorities, for example S-1-5-32-544 for the built-in Administrators group; in a domain or local account SID the final number, the relative identifier (RID), distinguishes the account, and RID 500 is always the built-in Administrator account however it has been renamed.
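The binary layout behind the S-1-… string, as an added example that is not part of the glossary: a revision byte, a sub-authority count, a 48-bit big-endian identifier authority, then one little-endian 32-bit word per sub-authority. The sample bytes are constructed by hand (they encode BUILTIN\Administrators, S-1-5-32-544); the domain SID used for the RID check is also constructed, and the function names are mine.

```python
# Constructed sample: the binary form of S-1-5-32-544 (BUILTIN\Administrators).
SAMPLE_SID_BYTES = bytes.fromhex("0102" "000000000005" "20000000" "20020000")

MAX_SUB_AUTHORITIES = 15   # SID_MAX_SUB_AUTHORITIES in the Windows SDK


def sid_to_string(blob):
    """Decode a binary SID, refusing anything whose length disagrees with its own header."""
    if len(blob) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("sub-authority count does not match SID length")
    authority = int.from_bytes(blob[2:8], "big")
    subs = [int.from_bytes(blob[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def string_to_sid(text):
    """Encode an S-R-I-S... string as the binary SID Windows stores in ACLs and tokens."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("malformed SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > MAX_SUB_AUTHORITIES:
        raise ValueError("SID field out of range: %r" % text)
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("sub-authority out of range: %r" % text)
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for s in subs:
        blob += s.to_bytes(4, "little")
    return blob


def rid(text):
    """The relative identifier: the last sub-authority, which distinguishes the
    account from every other one issued by the same domain or machine."""
    return int(text.rsplit("-", 1)[1])


def is_builtin_administrator(text):
    """RID 500 under a domain or machine authority (S-1-5-21-...) is always the
    built-in Administrator account, whatever name it has been given."""
    parts = text.split("-")
    return text.startswith("S-1-5-21-") and len(parts) == 8 and parts[-1] == "500"


if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID_BYTES))
    # Constructed domain SID (not from the page): a renamed Administrator account.
    print(is_builtin_administrator("S-1-5-21-1004336348-1177238915-682003330-500"))
```

The length check in sid_to_string matters in practice: a SID whose declared sub-authority count does not match the bytes that follow is how malformed tokens and ACLs are smuggled past careless parsers, so a reader of binary security data should reject it rather than read past the end.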
Service Set Identifier (SSID) A name used to distinguish one wireless network from another. It is configured into an infrastructure device such as an access point, and a client must be configured with the same SSID to join that network. The SSID is a network name, not a security control: access points normally broadcast it, and even a hidden SSID appears in the frames of any client that connects. Access to the network must be protected by encryption and authentication (see Wired Equivalent Privacy (WEP) and WiFi Protected Access (WPA)).
session A logical connection created
between two hosts to exchange data.
Sessions typically use sequencing and
acknowledgments to send data reliably.
share To make resources, such as folders and printers, available to others.
Also used as a synonym for shared
folder.
share name A name that refers to a shared resource on a server. Each shared folder on a server has a share name that users specify when they access the folder over the network.
shared folder A folder that is located on
a remote computer that has been made
available for users to access over a network.
shared folder permissions Permissions that restrict the availability of a shared resource to specified users or groups on the network. They apply only to access over the network and are evaluated together with the NTFS permissions on the underlying folder; the more restrictive of the two determines the effective access.
Simple Network Management Protocol
(SNMP) A network protocol used to
manage TCP/IP networks. In Windows,
the SNMP service is used to provide status information about a host on a TCP/
IP network.
site One or more well-connected (highly
reliable and fast) TCP/IP subnets. A site
allows administrators to configure
Active Directory access and replication
topology quickly and easily to take
advantage of the physical network.
When users log on, Active Directory clients locate Active Directory servers in
the same site as the user.
smart card A credit card–sized device that is used together with an access code (PIN) to enable certificate-based authentication and single sign-on (SSO) to an enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information; the private key never leaves the card, which performs signing and decryption internally, so both possession of the card and knowledge of the PIN are required to use it. A smart card reader attached to the computer reads the smart card.
SNMP See Simple Network Management Protocol (SNMP).
socket An identifier for a particular service on a particular node on a network. The socket consists of a node address and a port number, which identifies the service. For example, port 80 on an Internet node conventionally indicates a Web server, although nothing prevents any other service from listening there.
spyware Software designed for the purpose of collecting data, sometimes personal, about users or their computer
use. Often this data is transmitted by
the software to a remote site for tabulation or analysis.
SSID See Service Set Identifier (SSID).
SSL See Secure Sockets Layer (SSL).
StickyKeys A keyboard feature that
enables you to press a modifier key
(CTRL, ALT, or SHIFT) or the Windows
logo key and have it remain active until
a non-modifier key is pressed. This is
useful for people who have difficulty
pressing two keys simultaneously.
subnet mask A 32-bit value, written in dotted-decimal form such as 255.255.255.0 or as a prefix length such as /24, that enables the sender of IP packets to distinguish the network ID and the host ID of a destination address: the bits set to one in the mask select the network portion.
subnetting Dividing a network into
smaller networks or subnets to improve
network security or performance or to
make available a portion of the network
to another person or organization.
supernetting Aggregating multiple contiguous networks into a single, larger netblock with a shorter prefix, the technique on which classless inter-domain routing (CIDR) is built.
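The netblock, network ID, subnet mask, subnetting and supernetting entries all describe the same bit arithmetic. As an added example that is not part of the glossary, this Python does it from first principles on dotted-decimal strings (the standard ipaddress module would do the same job; it is avoided here so that the masking stays visible). The sample addresses are constructed and the function names are mine.

```python
def ip_to_int(dotted):
    """'192.168.10.77' -> 32-bit integer, rejecting anything that is not four octets of 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError("not a dotted-quad address: %r" % dotted)
    value = 0
    for part in parts:
        if not part.isdigit() or not 0 <= int(part) <= 255:
            raise ValueError("octet out of range in %r" % dotted)
        value = (value << 8) | int(part)
    return value


def int_to_ip(value):
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_int(prefix):
    """/26 -> 0xFFFFFFC0: a run of `prefix` ones followed by zeros."""
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix):
    return int_to_ip(prefix_to_int(prefix))


def mask_to_prefix(mask):
    """255.255.255.192 -> 26. A mask with a zero bit before a one bit is invalid."""
    m = ip_to_int(mask)
    prefix = 0
    while prefix < 32 and (m >> (31 - prefix)) & 1:
        prefix += 1
    if m != prefix_to_int(prefix):
        raise ValueError("non-contiguous subnet mask %s" % mask)
    return prefix


def network_id(addr, mask):
    """Network ID = address AND mask: every host bit cleared to zero."""
    return int_to_ip(ip_to_int(addr) & ip_to_int(mask))


def same_netblock(a, b, mask):
    """True when both addresses share a network ID, i.e. a can reach b without a router."""
    return network_id(a, mask) == network_id(b, mask)


def subnet(netblock, mask, new_prefix):
    """Subnetting: carve netblock/mask into 2**(new_prefix - old_prefix) equal blocks."""
    old_prefix = mask_to_prefix(mask)
    if not old_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between %d and 32" % old_prefix)
    base = ip_to_int(network_id(netblock, mask))
    size = 1 << (32 - new_prefix)
    return ["%s/%d" % (int_to_ip(base + i * size), new_prefix)
            for i in range(1 << (new_prefix - old_prefix))]


def supernet(blocks):
    """Supernetting: repeatedly merge aligned pairs of adjacent, equal-sized blocks
    into one block with a one-bit-shorter prefix. Gaps are left as separate blocks."""
    nets = set()
    for block in blocks:
        ip, prefix = block.split("/")
        prefix = int(prefix)
        nets.add((ip_to_int(ip) & prefix_to_int(prefix), prefix))
    merged = True
    while merged:
        merged = False
        for net, prefix in sorted(nets):
            if prefix == 0:
                continue
            size = 1 << (32 - prefix)
            buddy = (net ^ size, prefix)          # neighbour differing only in the last network bit
            if buddy in nets and (net & (2 * size - 1)) == 0:   # net is the lower, aligned half
                nets.difference_update({(net, prefix), buddy})
                nets.add((net, prefix - 1))
                merged = True
                break
    return ["%s/%d" % (int_to_ip(net), prefix) for net, prefix in sorted(nets)]


if __name__ == "__main__":
    # Constructed addresses (not from the page).
    print(network_id("192.168.10.77", "255.255.255.192"))      # 192.168.10.64
    print(subnet("192.168.10.0", "255.255.255.0", 26))
    print(supernet(["192.168.0.0/24", "192.168.1.0/24",
                    "192.168.2.0/24", "192.168.3.0/24"]))      # ['192.168.0.0/22']
```

The same_netblock check is the one a host performs for every outgoing packet: if the destination is in its own netblock it sends directly, otherwise it hands the packet to the default gateway. A wrong subnet mask therefore shows up as hosts that can reach some neighbours but not others.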
synchronize To reconcile the differences between files stored on one computer and versions of the same files on
other computers. Once the differences
are determined, both sets of files are
updated.
system access control list (SACL) The part of an object's security descriptor that specifies which types of access, by which users or groups, are to be recorded in the security log, and whether successful attempts, failed attempts, or both are logged. A SACL takes effect only when object-access auditing is enabled in the audit policy. Examples of audited events are file reads and writes, changes to an object's permissions or owner, and modifications to registry keys.
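Both the security descriptor and the SACL entries describe a structure that Windows can express as an SDDL string, and reading one is the quickest way to answer "who is audited for what". The following Python parser is an added example, not part of the glossary: the sample descriptor is constructed for illustration, the abbreviation table is a subset of the standard SDDL account codes, and the function names are mine.

```python
import re

# Well-known two-letter account abbreviations used in SDDL strings (subset).
SID_ABBREVIATIONS = {
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "WD": "Everyone",
    "CO": "CREATOR OWNER",
}

# Constructed sample (not from the page): a folder owned by Administrators with
# full access for SYSTEM and Administrators, read access for Users, and a SACL
# that records every successful or failed attempt by anyone to change the
# folder's permissions (WD = WRITE_DAC) or its owner (WO = WRITE_OWNER).
SAMPLE_SDDL = ("O:BAG:SYD:PAI(A;OICI;FA;;;SY)(A;OICI;FA;;;BA)(A;OICI;FR;;;BU)"
               "S:AI(AU;SAFA;WDWO;;;WD)")


def _sections(sddl):
    """Split on the top-level O:, G:, D: and S: markers, ignoring text inside ACE parentheses."""
    depth, starts = 0, []
    for i, ch in enumerate(sddl):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif depth == 0 and ch in "OGDS" and sddl[i + 1:i + 2] == ":":
            starts.append(i)
    if depth != 0 or not starts or starts[0] != 0:
        raise ValueError("not a well-formed SDDL string")
    sections = {}
    for n, start in enumerate(starts):
        end = starts[n + 1] if n + 1 < len(starts) else len(sddl)
        key = sddl[start]
        if key in sections:
            raise ValueError("duplicate %s: section" % key)
        sections[key] = sddl[start + 2:end]
    return sections


def _pairs(s):
    """Two-letter tokens ("OICI" -> ["OI", "CI"]); a hexadecimal rights mask is kept whole."""
    if s.startswith("0x"):
        return [s]
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def _parse_acl(text):
    """ACL text = optional ACL flags (P, AI, AR ...) then (type;flags;rights;objguid;inhguid;account) ACEs."""
    first = text.find("(")
    flags = text if first < 0 else text[:first]
    aces = []
    for body in re.findall(r"\(([^()]*)\)", text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE must have six fields: (%s)" % body)
        ace_type, ace_flags, rights, obj_guid, inh_guid, account = fields
        aces.append({
            "type": ace_type,                  # A allow, D deny, AU audit, ...
            "flags": _pairs(ace_flags),        # OI, CI, NP, IO, ID, SA, FA
            "rights": _pairs(rights),
            "object_guid": obj_guid,
            "inherit_object_guid": inh_guid,
            "account": SID_ABBREVIATIONS.get(account, account),
        })
    return {"flags": flags, "aces": aces}


def parse_sddl(sddl):
    sec = _sections(sddl)
    return {
        "owner": SID_ABBREVIATIONS.get(sec.get("O"), sec.get("O")),
        "group": SID_ABBREVIATIONS.get(sec.get("G"), sec.get("G")),
        "dacl": _parse_acl(sec["D"]) if "D" in sec else None,
        "sacl": _parse_acl(sec["S"]) if "S" in sec else None,
    }


def audit_coverage(sddl):
    """Map each audited account to the outcomes recorded ("success", "failure").

    An object with no SACL, or whose SACL holds no AU entries, writes nothing to
    the security log no matter how the audit policy is set.
    """
    sd = parse_sddl(sddl)
    coverage = {}
    if not sd["sacl"]:
        return coverage
    for ace in sd["sacl"]["aces"]:
        if ace["type"] != "AU":
            continue
        outcomes = coverage.setdefault(ace["account"], set())
        if "SA" in ace["flags"]:
            outcomes.add("success")
        if "FA" in ace["flags"]:
            outcomes.add("failure")
    return coverage


if __name__ == "__main__":
    print(audit_coverage(SAMPLE_SDDL))   # {'Everyone': {'success', 'failure'}}
```

The parser handles the classic ACE form; conditional ACEs, which nest parentheses, are outside its scope. The practical use of audit_coverage is to sweep a set of sensitive objects and list those whose SACL is empty, which is the usual reason an enabled audit policy produces no events.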
taskbar The bar that contains the Start
button and appears by default at the
bottom of the desktop. You can click
the taskbar buttons to switch among
programs. You can also hide the taskbar, move it to the sides or top of the
desktop, and customize it in other
ways.
TCP/IP See Transmission Control Protocol/Internet Protocol (TCP/IP).
Temporal Key Integrity Protocol
(TKIP) A protocol used to manage
the rotation or changing of encryption
keys for wireless communications.
theme A set of visual elements that provide a unified look for your computer
desktop. A theme determines the look
of the various graphic elements of your
desktop, such as the windows, icons,
fonts, colors, and the background and
screen saver pictures. It can also define
sounds associated with events such as
opening or closing a program.
Time to Live (TTL) An 8-bit field in the IP header that the sender sets and every router decrements as it forwards the packet; a router that decrements it to zero discards the packet and returns an ICMP Time Exceeded message to the source. Although the name suggests a duration, TTL is in practice a hop limit that stops misrouted packets from circulating forever, and the tracert utility maps a path by sending packets with increasing TTL values and collecting the Time Exceeded replies. The same term is used for the lifetime of a cached DNS record.
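The packet header and TTL entries describe fields that are easiest to understand by decoding a real header. As an added example that is not part of the glossary, the following Python builds a minimal IPv4 header, verifies its checksum, and performs the per-hop TTL decrement a router does, including the point at which the packet is discarded. The addresses and identification value are constructed and the function names are mine.

```python
import struct

# ver/IHL, TOS, total length, ID, flags/fragment, TTL, protocol, checksum, src, dst
IPV4_HEADER = "!BBHHHBBH4s4s"


def ipv4_checksum(header):
    """RFC 791 header checksum: one's complement of the one's-complement sum of
    the 16-bit words, computed with the checksum field itself set to zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                        # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl=64, protocol=6, payload_len=0, ident=0):
    """Minimal 20-byte header with the Don't Fragment flag set and a valid checksum."""
    src_b = bytes(int(p) for p in src.split("."))
    dst_b = bytes(int(p) for p in dst.split("."))
    head = struct.pack(IPV4_HEADER, 0x45, 0, 20 + payload_len, ident, 0x4000,
                       ttl, protocol, 0, src_b, dst_b)
    return head[:10] + struct.pack("!H", ipv4_checksum(head)) + head[12:]


def parse_ipv4_header(packet):
    """Decode the fixed header fields and recompute the checksum."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag, ttl, protocol,
     checksum, src, dst) = struct.unpack(IPV4_HEADER, packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a usable IPv4 header")
    header = packet[:ihl]
    computed = ipv4_checksum(header[:10] + b"\x00\x00" + header[12:])
    return {
        "header_length": ihl,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "protocol": protocol,                 # 1 ICMP, 6 TCP, 17 UDP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "checksum": checksum,
        "checksum_ok": computed == checksum,
    }


def forward(packet):
    """One router hop. Returns (packet_to_send, reason).

    A corrupt header is dropped. A packet whose TTL would reach zero is dropped
    and the router sends ICMP Time Exceeded (type 11) to the source instead,
    which is the reply tracert listens for. Otherwise TTL is decremented and
    the checksum recomputed, because the header changed.
    """
    fields = parse_ipv4_header(packet)
    if not fields["checksum_ok"]:
        return None, "dropped: bad header checksum"
    if fields["ttl"] <= 1:
        return None, "dropped: TTL expired, ICMP type 11 sent to %s" % fields["src"]
    ihl = fields["header_length"]
    head = bytearray(packet[:ihl])
    head[8] -= 1                              # TTL lives at byte offset 8
    head[10:12] = b"\x00\x00"
    head[10:12] = struct.pack("!H", ipv4_checksum(bytes(head)))
    return bytes(head) + packet[ihl:], "forwarded"


if __name__ == "__main__":
    # Constructed packet (not from the page): TCP, 10.0.0.1 -> 10.0.0.2, TTL 3.
    pkt = build_ipv4_header("10.0.0.1", "10.0.0.2", ttl=3, protocol=6, ident=0x1C46)
    hop = 0
    while pkt is not None:
        hop += 1
        pkt, reason = forward(pkt)
        print("hop %d: %s" % (hop, reason))   # forwarded, forwarded, TTL expired at hop 3
```

Two details worth noticing: the checksum covers only the header, so a router must recompute it after touching TTL, and nothing in the header authenticates the source address, which is why a packet filter cannot take "src" at face value.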
TKIP See Temporal Key Integrity Protocol (TKIP).
TLS
See Transport Layer Security (TLS).
ToggleKeys A feature that sets your keyboard to beep when one of the locking
keys (CAPS LOCK, NUM LOCK, or
SCROLL LOCK) is turned on or off.
Token Ring An Institute of Electrical and Electronics Engineers (IEEE) 802.5 standard for token-passing networks. In this type of network, all the computers are logically arranged in a ring. A token, which is a special bit pattern, travels around the ring. To send a message, a computer captures the token, attaches a message to it, and then lets it continue to travel around the network; because a station cannot transmit without holding the token, there are no collisions. The Token Ring standard provides for transmission at 4 megabits (4 million bits), 16 megabits (16 million bits), 100 megabits (100 million bits), or 1 gigabit (1 billion bits) per second.
Transmission Control Protocol/Internet Protocol (TCP/IP) A widely
used set of networking protocols on the
Internet. TCP/IP provides communication across interconnected networks of
computers with diverse hardware architectures and various operating systems.
TCP/IP includes standards for how
computers communicate and conventions for connecting networks and routing traffic.
Transport Layer Security (TLS) A standard protocol that provides secure communications over the Internet or intranets, most visibly for Web traffic (HTTPS) but also for e-mail, directory, and VPN protocols. It enables clients to authenticate servers by means of certificates and optionally allows servers to authenticate clients, and it provides a secure channel by encrypting and integrity-protecting the data exchanged. TLS is the Internet Engineering Task Force (IETF) successor to SSL 3.0 rather than a version of SSL, and configurations should prefer TLS over any SSL version.
Trojan horse A destructive program disguised as a game, utility, or application.
TTL
See Time to Live (TTL).
UDP See User Datagram Protocol
(UDP).
UNC See Universal Naming Convention
(UNC).
uniform resource locator (URL) An
address that uniquely identifies a location on the Internet. A URL for a World
Wide Web site starts with http://,
as in the (fictitious) URL http://
www.example.contoso.com/. A URL can
contain more detail, such as the name
of a page of hypertext, usually identified by the filename extension .html or
.htm.
uninterruptible power supply
(UPS) A device placed between a
computer and a power source to ensure
that electrical flow is not interrupted.
UPS devices use batteries to keep the
computer running for a period of time
after a power failure. UPS devices usually provide protection against power
surges and brownouts as well.
Universal Naming Convention
(UNC) The convention used for the
full name of a resource on a network. It
conforms to the \\servername\sharename syntax, where servername is the
name of the server and sharename is the
name of the shared resource. UNC
names of directories or files can also
include the directory path under the
share name, with the following syntax:
\\servername\sharename\directory\
filename.
user account A record that consists of all the information that defines a user to Windows. This includes the username and password required for the user to log on, the groups to which the user account belongs, and the rights and permissions the user has for the computer and network and for accessing resources.
User Datagram Protocol (UDP) A connectionless transport protocol that complements TCP. Much like IP, it guarantees neither delivery nor correct sequencing of delivered datagrams, and because there is no connection handshake the source address of a UDP datagram cannot be trusted without checks at the application level.
user profile A file that contains configuration information for a specific user,
such as desktop settings, persistent network connections, and application settings. Each user’s preferences are saved
to a user profile that Windows uses to
configure the desktop each time a user
logs on.
username A unique name identifying a
user account to Windows. An account’s
username must be unique among the
other group names and usernames
within its own domain or workgroup.
video adapter An expansion board that
plugs into a personal computer to give
it display capabilities. A computer’s display capabilities depend on both the
logical circuitry (provided in the video
adapter) and the monitor. Each adapter
offers several video modes. The two
basic categories of video modes are text
and graphics. Within the text and
graphics modes, some monitors also
offer a choice of resolutions. At lower
resolutions, a monitor can display more
colors.
Modern adapters contain memory, so
the computer’s RAM is not used for
storing displays. In addition, most
adapters have their own graphics
coprocessor for performing graphics
calculations. These adapters are often
called graphics accelerators.
virtual memory The address space that the operating system presents to each program, backed partly by physical RAM and partly by paging files on disk, which lets programs use more memory than the computer physically has. On 32-bit Windows XP every process sees a 4 gigabyte (GB) address space (2 GB of it for the process itself by default) even on a computer with only 32 megabytes (MB) of RAM. Program data that does not currently fit into physical memory is written to the paging file and read back on demand. Because the paging file can hold copies of anything a program kept in memory, including passwords and cryptographic keys, it deserves the same protection as the data itself.
virtual private network (VPN) The
extension of a private network that
encompasses encapsulated, encrypted,
and authenticated links across shared
or public networks. VPN connections
can provide remote access and routed
connections to private networks over
the Internet.
virus A program that attempts to
spread from computer to computer and
either cause damage, by erasing or corrupting data, or annoy users, by printing messages or altering what is
displayed on the screen.
volume An area of storage on a hard
disk. A volume is formatted by using a
file system, such as FAT or NTFS, and
has a drive letter assigned to it. You can
view the contents of a volume by clicking its icon in Windows Explorer or in
My Computer. A single hard disk can
have multiple volumes, and volumes
can also span multiple disks.
volume shadow copy A volume that
represents a duplicate of the original
volume taken at the time the copy
began.
VPN
See virtual private network (VPN).
WebDAV See Web Distributed Authoring and Versioning (WebDAV).
Web Distributed Authoring and Versioning (WebDAV) An application
protocol related to HTTP version 1.1
that allows clients to transparently publish and manage resources on the
World Wide Web.
Web Proxy Auto-Discovery (WPAD) protocol A protocol that allows a Web browser to automatically locate and download the settings for a proxy server, first by asking DHCP for the location of a configuration script and otherwise by resolving the host name wpad in the local DNS domain. Because the browser trusts whatever it discovers, an attacker who can answer those name lookups on the local network can route the browser through a proxy of the attacker's choosing; where the proxy settings are known, configure them explicitly and disable automatic detection.
WEP See Wired Equivalent Privacy
(WEP).
WiFi Protected Access (WPA) A wireless security standard from the Wi-Fi Alliance that replaces the fixed key of WEP with per-session keys and uses the Temporal Key Integrity Protocol (TKIP) to rotate them, defeating the key-recovery attacks that break WEP. WPA was an interim subset of the draft IEEE 802.11i standard; the full 802.11i standard, ratified in 2004, is marketed as WPA2 and uses AES-based CCMP encryption instead of TKIP. Both support a pre-shared key (WPA-PSK) for small networks and 802.1X authentication for enterprises; with a pre-shared key, a weak passphrase can be recovered offline from a captured handshake, so the passphrase must be long and random.
Windows Management Instrumentation (WMI) A management infrastructure in Windows that supports
monitoring and controlling system
resources through a common set of
interfaces and provides a logically organized, consistent model of Windows
operation, configuration, and status.
Wired Equivalent Privacy (WEP) An encryption method for wireless communication that uses a fixed RC4 key, entered into each device during configuration, to encrypt the network traffic. Design flaws in the way WEP uses RC4 allow that key to be recovered from captured traffic, so WEP provides no meaningful confidentiality and should be replaced by WPA or WPA2.
WMI See Windows Management Instrumentation (WMI).
worm A program that propagates across computers over a network without user action, typically by exploiting a vulnerability or weak credentials on each target and then copying itself there to repeat the process. Unlike a virus, a worm needs no host file, and its spread consumes network and host resources even when it carries no other payload.
WPA
See WiFi Protected Access (WPA).
SYSTEM REQUIREMENTS
To complete the exercises in this textbook, your computer needs to meet the
following minimum system requirements:
■ Microsoft Windows XP Professional with Service Pack 2 (SP2). (A 120-day evaluation edition of Windows XP Professional with SP2 is included on the CD-ROM.) Service Pack 2 may be installed separately on pre-Service Pack 2 systems.
■ Microsoft PowerPoint or Microsoft PowerPoint Viewer. (PowerPoint Viewer is included on the supplemental student CD-ROM.)
■ Microsoft Word or Microsoft Word Viewer. (Word Viewer is included on the supplemental student CD-ROM.)
■ Internet Explorer 6 or later.
■ Minimum CPU: 233 megahertz (MHz) Pentium-compatible. (Pentium II 300 MHz or faster processor is recommended.)
■ Minimum RAM: 64 megabytes (MB). (128 MB or more is recommended.)
■ Disk space for setup: 4.5 gigabytes (GB).
■ Display monitor capable of 800 x 600 resolution or higher.
■ CD-ROM drive.
■ Microsoft mouse or compatible pointing device.
Uninstall Instructions
The time-limited release of Windows XP Professional with SP2 will expire 120
days after installation. If you decide to discontinue the use of this software, you
will need to reinstall your original operating system. You might need to reformat
your hard drive.