MCSA/MCSE Managing and Maintaining a Windows


271_70-292_FM.qxd 8/20/03 4:11 PM Page i

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives: By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD: This DVD provides almost two hours of virtual classroom instruction.

Web-based practice exams: Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/certification

MCSA/MCSE Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000

Will Schmied

Robert J. Shimonski, Technical Editor

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

KEY  SERIAL NUMBER
001  TH33SLUGGY
002  Q2T4J9T7VA
003  82LPD8R7FF
004  Z6TDAA3HVY
005  P33JEET8MS
006  3SHX6SN$RK
007  CH3W7E42AK
008  9EU6V4DER7
009  SUPACM4NFH
010  5BVF3MEV2Z

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

PUBLISHED BY

Syngress Publishing, Inc.

800 Hingham Street

Rockland, MA 02370

Managing and Maintaining a Windows Server 2003 Environment for an MCSA Certified on Windows 2000 Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America

1 2 3 4 5 6 7 8 9 0

ISBN: 1-932266-56-9

Technical Editor: Robert J. Shimonski

Technical Reviewer: Laura E. Hunter

Acquisitions Editor: Catherine B. Nolan

DVD Production: Michael Donovan

Cover Designer: Michael Kavish

Page Layout and Art by: Patricia Lupien

Copy Editor: Judy Eby

Indexer: Rich Carlson

DVD Presenters: Will Schmied, Robert J. Shimonski

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

Duncan Enright, AnnHelen Lindeholm, David Burton, Febea Marinetti, and Rosie Moss of Elsevier Science for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

Special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan expertly applies the principles of our books in a highly professional manner and under severe time constraints while keeping a good sense of humor.


Author and DVD Presenter

Will Schmied (BSET, MCSE, CWNA, TICSA, MCSA, Security+, Network+, A+) is the President of Area 51 Partners, Inc. (www.area51partners.com), a provider of wired and wireless networking implementation, security and training services to businesses in the Hampton Roads, Virginia, area.

Will holds a Bachelor’s degree in Mechanical Engineering Technology from Old Dominion University in addition to various IT industry certifications.

Will has previously authored and contributed to several other publications from Syngress Publishing, including Building DMZs for Enterprise Networks (ISBN: 1-931836-88-4), Implementing and Administering Security in a Microsoft Windows 2000 Network: Exam 70-214 Study Guide and DVD Training System (ISBN: 1-931836-84-1), Security+ Study Guide and DVD Training System (ISBN: 1-931836-72-8), and Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6). Will has also worked with Microsoft in the MCSE exam development process.

Will currently resides in Newport News, Virginia, with his wife, Chris, and their children, Christopher, Austin, Andrea, and Hannah. When he’s not busy working, you can find Will enjoying time with his family.

Will would like to add special thanks to the following individuals:

For my wife Chris—thank you for your endless support and encouragement. You are my guiding light even during the hardest of times.

Thank you to the entire staff at Syngress Publishing—you made this project an easy one.

Thanks to my fantastic Technical Editor, Robert Shimonski, for keeping me honest and making this work even better than I had hoped for.


Technical Editor and DVD Presenter

Robert J. Shimonski (TruSecure TICSA, Cisco CCDP, CCNP, Symantec SPS, NAI Sniffer SCP, Nortel NNCSS, Microsoft MCSE, MCP+I, Novell Master CNE, CIP, CIBS, CNS, IWA CWP, DCSE, Prosoft MCIW, SANS.org GSEC, GCIH, CompTIA Server+, Network+, Inet+, A+, e-Biz+, Security+, HTI+) is a Lead Network and Security Engineer for a leading manufacturing company, Danaher Corporation. At Danaher, Robert is responsible for leading the IT department within his division into implementing new technologies, standardization, upgrades, migrations, high-end project planning and designing infrastructure architecture. Robert is also part of the corporate security team responsible for setting guidelines and policy for the entire corporation worldwide. In his role as a Lead Network Engineer, Robert has designed, migrated, and implemented very large-scale Cisco- and Nortel-based networks. Robert has held positions as a Network Architect for Cendant Information Technology and worked on accounts ranging from the IRS to AVIS Rent a Car, and was part of the team that rebuilt the entire Avis worldwide network infrastructure to include the Core and all remote locations. Robert maintains a role as a part-time technical trainer at a local computer school, teaching classes on networking and systems administration whenever possible.

Robert is also a part-time author who has worked on over 25 book projects as both an author and technical editor. He has written and edited books on a plethora of topics with a strong emphasis on network security.

Robert has designed and worked on several projects dealing with cutting edge technologies for Syngress Publishing, including the only book dedicated to the Sniffer Pro protocol analyzer. Robert has worked on the following Syngress Publishing titles: Building DMZs for Enterprise Networks (ISBN: 1-931836-88-4), Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8), Sniffer Pro Network Optimization & Troubleshooting Handbook (ISBN: 1-931836-57-4), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), SSCP Study Guide & DVD Training System (ISBN: 1-931836-80-9), Nokia Network Security Solutions Handbook (ISBN: 1-931836-70-1) and the MCSE Implementing and Administering Security in a Windows 2000 Network Study Guide & DVD Training System (ISBN: 1-931836-84-1).


Robert’s specialties include network infrastructure design with the Cisco product line, systems engineering with Windows 2000/Server 2003, NetWare 6, Red Hat Linux and Apple OSX. Robert’s true love is network security design and management utilizing products from the Nokia, Cisco, and Check Point arsenal. Robert is also an advocate of Network Management and loves to ‘sniff’ networks with Sniffer-based technologies. When not doing something with computer related technology, Robert enjoys spending time with his fiancée Erika, or snowboarding wherever the snow may fall and stick.


Technical Reviewer

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, Security+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation, and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of websites.

Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.

Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.


Special Contributors

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist/Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, network administration, and other services. As part of an Information Technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services like Web page design; and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada with his lovely wife Jennifer and his darling daughter Sara.

Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCP, MCNE, CNE, CNA, CNI, CCNA, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.

Chris Peiris (MVP) currently lectures on Distributed Component Architectures (.NET, J2EE, and CORBA) at Monash University, Caulfield, Victoria, Australia. He also works as an independent consultant for .NET and EAI implementations. He has been awarded the title “Microsoft Most Valuable Professional” (MVP) for his contributions to .NET Technologies. He has been designing and developing Microsoft solutions since 1995. His expertise lies in developing scalable, high-performance solutions for financial institutions and media groups. He has written many articles, reviews and columns for various online publications including 15Seconds, Developer Exchange (www.Devx.com) and Wrox Press (www.wrox.com). He co-authored the book C# Web Service with .NET Remoting and ASP.NET (Wrox Press). It was followed by C# for Java Programmers (Syngress Publishing, 1-931836-54-X) as a primary author. Chris frequently presents at professional developer conferences on Microsoft technologies.

271_70-292_Obj.qxd 8/22/03 4:09 PM Page xi

MCSA/MCSE 70-292 Exam Objectives Map and Table of Contents

All of Microsoft’s published objectives for the MCSA/MCSE 70-292 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSA/MCSE 70-292 Exam objectives.

Exam Objective Map

Objective Number | Objective | Chapter Number
1 | Managing Users, Computers, and Groups | 1
1.1 | Create and manage groups | 1
1.1.1 | Identify and modify the scope of a group | 1
1.1.2 | Find domain groups in which a user is a member | 1
1.1.3 | Manage group membership | 1
1.1.4 | Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in | 1
1.1.5 | Create and modify groups by using automation | 1
1.2 | Create and manage user accounts | 1
1.2.1 | Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in | 1
1.2.2 | Create and modify user accounts by using automation | 1
1.2.3 | Import user accounts | 1
1.3 | Troubleshoot user authentication issues | 1
2 | Managing and Maintaining Access to Resources | 2
2.1 | Troubleshoot Terminal Services | 2
2.1.1 | Diagnose and resolve issues related to client access to Terminal Services | 2
2.1.2 | Diagnose and resolve issues related to Terminal Services security | 2
3 | Managing and Maintaining a Server Environment | 3
3.1 | Manage software update infrastructure | 8
3.2 | Manage servers remotely | 3
3.2.1 | Manage a server by using Remote Assistance | 3
3.2.2 | Manage a server by using Terminal Services remote administration mode | 3
3.2.3 | Manage a server by using available support tools | 3
3.3 | Manage a Web server | 4
3.3.1 | Manage Internet Information Services (IIS) | 4
3.3.2 | Manage security for IIS | 4
4 | Managing and Implementing Disaster Recovery | 5
4.1 | Perform system recovery for a server | 5
4.1.1 | Implement Automated System Recovery (ASR) | 5
4.1.2 | Restore data from shadow copy volumes | 5
4.1.3 | Back up files and System State data to media | 5
4.1.4 | Configure security for backup operations | 5
5 | Implementing, Managing, and Maintaining Name Resolution | 6
5.1 | Install and configure the DNS Server service | 6
5.1.1 | Configure DNS server options | 6
5.1.2 | Configure DNS zone options | 6
5.1.3 | Configure DNS forwarding | 6
5.2 | Manage DNS | 6
5.2.1 | Manage DNS zone settings | 6
5.2.2 | Manage DNS record settings | 6
5.2.3 | Manage DNS server options | 6
6 | Implementing, Managing, and Maintaining Network Security | 7
6.1 | Implement secure network administration procedures | 7
6.1.1 | Implement security baseline settings and audit security settings by using security templates | 7
6.1.2 | Implement the principle of least privilege | 7
6.2 | Install and configure software update infrastructure | 8
6.2.1 | Install and configure software update services | 8
6.2.2 | Install and configure automatic client update settings | 8
6.2.3 | Configure software updates on earlier operating systems | 8

271_70-292_TOC.qxd 8/22/03 5:29 PM Page xv

Contents

Foreword …………………………………………………………xxix

About the Study Guide and DVD Training System ………………xxxvii

Chapter 1 Managing Users, Computers, and Groups 1

Introduction …………………………………………………………2

[1.1] Creating and Managing Groups ………………………………………2

[1.1.1] Group Types ………………………………………………………3

Group Scopes ……………………………………………………6

Using Domain Local Groups …………………………………6

Using Global Groups …………………………………………8

Using Universal Groups ………………………………………8

Default Groups …………………………………………………10

[1.1.2/1.1.3/1.1.4/1.1.5] Managing and Modifying Groups ………………………………14

[1.1.4, 1.1.3, 1.1.1, 1.1.4, 1.1.2] (objective markers for the subsections below)

Changing the Domain Functional Level ……………………15

Creating New Groups ………………………………………17

Adding Members to Group …………………………………19

Removing Members from Groups …………………………23

Converting Group Type ………………………………………23

Changing Group Scope ………………………………………26

Deleting Groups ………………………………………………27

Modifying Group Properties …………………………………28

Finding Groups in Which a Particular User is a Member ……30

Assigning User Rights and Permissions to a Group …………31

[1.2/1.2.1/1.2.2] Creating and Managing User Accounts ……………………………36

Default User Accounts …………………………………………36

Managing and Modifying User Accounts ………………………37

[1.2.1/1.2.2] Creating New User Accounts ……………………………………37

[1.3] Resetting the User Account Password …………………………39

Copying a User Account …………………………………………41

Disabling or Enabling A User Account …………………………42

Configuring User Account Properties …………………………44

The General Tab ……………………………………………44

The Address Tab ………………………………………………45

The Account Tab ……………………………………………45

The Profile Tab ………………………………………………48

The Telephones Tab …………………………………………49

The Organization Tab ………………………………………49

The Member Of Tab …………………………………………50

Deleting User Accounts …………………………………………50

Assigning User Rights and Permissions to a User Account ……52

Troubleshooting User Authentication Issues ……………………52

Creating and Managing Computer Accounts ………………………53

Creating and Modifying Computer Accounts Manually ………54

Creating Computer Accounts by Joining to the Domain ………55

[1.1.5/1.2.2/1.2.3] Importing and Exporting Active Directory Data ……………………58

Summary of Exam Objectives ………………………………………61

Exam Objectives Fast Track …………………………………………61

Exam Objectives Frequently Asked Questions ………………………64

Self Test ………………………………………………………………66

Self Test Quick Answer Key …………………………………………71

Chapter 2 Managing and Maintaining Terminal Services Access 73

Introduction …………………………………………………………74

The Need for Terminal Services: A Survey of Computing Environments ……………………………75

Centralized Computing versus Distributed Computing ………75

Mixed Environments ……………………………………………80

Terminal Services Design Issues …………………………………81

Introduction to Windows Server 2003 Terminal Services ……………83

Terminal Server …………………………………………………83

Terminal Server Session Directory ………………………………86


Installing and Configuring a Terminal Server ………………………87

Installing the Terminal Server ……………………………………87

[2.1/2.1.1/2.1.2] Configuring the Terminal Server ………………………………92

[2.1/2.1.1/2.1.2] Using the Terminal Services Configuration Console …………93

Configuring Server Settings with the Terminal Services Configuration Console …………………99

Using the Terminal Services Manager Console ……………101

Advanced Terminal Server Configuration via Group Policy ……102

Terminal Services Computer Options ………………………102

[2.1.2] Terminal Server Licensing …………………………………………105

Using the Terminal Server Licensing Tool ……………………106

[2.1/2.1.1/2.1.2] Troubleshooting Terminal Services …………………………………110

Not Automatically Logged On …………………………………110

“This Initial Program Cannot be Started” ……………………111

Clipboard Problems ……………………………………………111

License Problems ………………………………………………111

Security Issues …………………………………………………112

Summary of Exam Objectives ………………………………………114

Exam Objectives Fast Track …………………………………………115

Exam Objectives Frequently Asked Questions ……………………118

Self Test ……………………………………………………………120

Self Test Quick Answer Key ………………………………………125

Chapter 3 Managing and Maintaining Remote Servers 127

Introduction ………………………………………………………128

[3.2.3] Types of Management Tools ………………………………………128

Administrative Tools Folder ……………………………………129

Custom MMC Consoles ………………………………………131

Command-Line Utilities ………………………………………134

Wizards …………………………………………………………134

Windows Resource Kits ………………………………………135

The Run as Command …………………………………………135

Administration Tools Pack (adminpak.msi) ……………………136

Windows Management Instrumentation ………………………136

Computer Management Console ………………………………137

[3.2] Using Terminal Services Components for Remote Administration …137

[3.2.2, 3.2.1] Terminal Services Components ………………………………137

Remote Desktop for Administration ………………………138

Remote Assistance …………………………………………138

Using Remote Desktop for Administration ……………………140

Configuring Remote Desktop for Administration …………140

Allowing Users to Make Remote Desktop for Administration Connections ………………140

Advantages of Remote Desktop Administration over Other Remote Administration Methods ……………142

Remote Desktop Security Issues ……………………………143

Using Remote Assistance ………………………………………144

How Remote Assistance Works ……………………………144

Configuring Remote Assistance for Use ……………………145

Asking for Assistance ………………………………………146

Using Windows Messenger to Request Help ………………147

Using E-mail to Request Help ……………………………149

Using a Saved File to Request Help ………………………152

Completing the Remote Assistance Connection ……………154

Managing Open Invitations …………………………………157

Remote Assistance Security Issues …………………………158

[3.2/3.2.2] Using Terminal Services Client Tools ………………………………160

Using the Remote Desktop Connection Utility ………………160

Installing the Remote Desktop Connection Utility ………161

Launching and Using the Remote Desktop Connection Utility ……………………162

Configuring the Remote Desktop Connection Utility ……164

Using the Remote Desktops Console …………………………170

Adding a New Connection …………………………………172

Configuring a Saved Remote Connection’s Properties ……173

Connecting and Disconnecting ……………………………175

Using the Remote Desktop Web Connection Utility …………176

Installing the Remote Desktop Web Connection Utility …176

Using the Remote Desktop Web Connection Utility from a Client …………………177

Using Web Interface for Remote Administration ………………181

[3.2.3] Using Emergency Management Services …………………………183

Summary of Exam Objectives ………………………………………187

Exam Objectives Fast Track …………………………………………188


Exam Objectives Frequently Asked Questions ……………………190

Self Test ……………………………………………………………192

Self Test Quick Answer Key ………………………………………197

Chapter 4 Managing and Maintaining Web Servers 199

Introduction ………………………………………………………200

What is New in IIS 6.0? ……………………………………………200

New Security Features …………………………………………200

Advanced Digest Authentication ……………………………201

Server-Gated Cryptography …………………………………202

Selectable Cryptographic Service Provider …………………203

Configurable Worker Process Identity ………………………203

Default Lockdown Status ……………………………………203

New Authorization Framework ……………………………204

New Reliability Features ………………………………………205

Health Detection ……………………………………………206

New Request Processing Architecture: HTTP.SYS Kernel Mode Driver …………………………206

Other New Features ……………………………………………207

ASP.NET and IIS Integration ………………………………208

Unicode Transformation Format-8 (UTF-8) ………………208

XML Metabase ……………………………………………208

Installing and Configuring IIS 6.0 …………………………………209

Installation Methods ……………………………………………210

Using the Configure Your Server Wizard …………………210

Using the Windows Component Wizard to Install IIS 6.0 …215

Using Unattended Setup to Install IIS 6.0 …………………217

[3.3/3.3.1] Managing IIS 6.0 ……………………………………………………219

Creating New Sites and Virtual Servers with IIS Manager ……220

Creating New Web Sites Using the Web Site Creation Wizard ……………………220

Creating New FTP Sites Using the FTP Site Creation Wizard ……………………224

Creating New SMTP Virtual Servers Using the New SMTP Virtual Server Wizard …………227

Creating New NNTP Virtual Servers Using the New NNTP Virtual Server Wizard …………229

Common Administrative Tasks …………………………………232

Enabling Web Service Extensions …………………………232


Creating Virtual Directories …………………………………233

Hosting Multiple Web Sites …………………………………235

Configuring Web Site Performance …………………………238

Working with ASP.NET ……………………………………238

Backing Up and Restoring the IIS Metabase ………………239

Enabling Health Detection …………………………………241

[3.3.2] Managing IIS Security ……………………………………………243

[3.3.1] User Authentication Methods …………………………………244

Anonymous Authentication …………………………………244

Basic Authentication ………………………………………245

Integrated Windows Authentication ………………………246

Digest Authentication ………………………………………246

.NET Passport Authentication ………………………………248

Using Client Certificate Mapping …………………………248

Configuring User Authentication ………………………………249

Configuring IP Address/Domain Restrictions …………………252

Configuring SSL-Secured Communications ……………………253

Troubleshooting IIS 6.0 ………………………………………258

Troubleshooting Content Errors ………………………………258

Static Files Return 404 Errors ………………………………258

Dynamic Content Returns a 404 Error ……………………259

Sessions Lost Due to Worker Process Recycling …………259

ASP.NET Pages are Returned as Static Files ………………260

Troubleshooting Connection Errors ……………………………260

503 Errors …………………………………………………260

401 Error – Sub-authentication Error ………………………262

Client Requests Timing Out ………………………………262

Troubleshooting Other Errors …………………………………263

File Not Found Errors for UNIX and Linux Files …………263

ISAPI Filters Are Not Automatically Visible as Properties of the Web Site ……………………263

The Scripts and Msadc Virtual Directories Are Not Found in IIS 6.0 ……………………263

Summary of Exam Objectives ………………………………………264

Exam Objectives Fast Track …………………………………………266

Exam Objectives Frequently Asked Questions ……………………266

Self Test ……………………………………………………………268

Self Test Quick Answer Key ………………………………………273


Chapter 5 Managing and Implementing Disaster Recovery 275

Introduction ………………………………………………………276

Creating a Backup Plan ……………………………………………276

Backup Basics …………………………………………………277

Backup Types ……………………………………………………278

Backup Media …………………………………………………279

Media Types …………………………………………………280

Offsite Storage ………………………………………………282

Media Rotation ……………………………………………282

[4.1] Using the Windows Backup Utility ………………………………287

[4.1.3] Understanding System State Data ………………………………288

[4.1.3] Backup Configuration Options …………………………………289

[4.1.3, 4.1.3, 4.1.4] (objective markers for the subsections below)

Configuring the General Options …………………………290

Configuring the Restore Options …………………………292

Configuring the Backup Type Options ……………………293

Configuring the Backup Log Options ………………………293

Configuring the Exclude File Options ……………………294

Using the Backup Utility in Advanced Mode …………………295

Using the Backup Utility in Wizard Mode ……………………303

Configuring Security for Backup Operations …………………308

Restoring Backup Data …………………………………………309

[4.1.1] Using Automated System Recovery ………………………………312

[4.1.2] Working with Volume Shadow Copy …………………………314

Making Shadow Copies of Shared Folders ……………………315

Enabling Shadow Copies on the Shared Resource …………315

Changing Settings for Shadow Copies ……………………318

Deploying the Client Software for Shadow Copies ……………322

Restoring Previous Versions of a File …………………………322

Shadow Copies Best Practices …………………………………324

Summary of Exam Objectives ………………………………………325

Exam Objectives Fast Track …………………………………………326

Exam Objectives Frequently Asked Questions ……………………328

Self Test ……………………………………………………………329

Self Test Quick Answer Key ………………………………………336


Chapter 6 Implementing, Managing, and Maintaining Name Resolution 337

Introduction ………………………………………………………338

[5.1] Introducing and Planning the DNS Service ………………………339

[5.1.3] The DNS Hierarchical Namespace ……………………………340

Determining Namespace Requirements ………………………342

Determining Zone Type Requirements ………………………345

Determining Forwarding Requirements ………………………348

Installing the DNS Service …………………………………………352

[5.1.1] Configuring DNS Server Options …………………………………360

[5.1.3] The Interfaces Tab ………………………………………………360

The Forwarders Tab ……………………………………………360

The Advanced Tab ………………………………………………363

The Root Hints Tab ……………………………………………365

The Debug Logging Tab ………………………………………365

The Event Logging Tab ………………………………………367

The Monitoring Tab ……………………………………………367

5.1.2

Configuring Zone Options …………………………………………368

Configuring Forward Lookup Zone Options …………………368

The General Tab ……………………………………………369

The Start of Authority (SOA) Tab …………………………372

The Name Servers Tab ……………………………………374

The WINS Tab ……………………………………………376

The Zone Transfers Tab ……………………………………377

Configuring Reverse Lookup Zone Options …………………378

The General Tab ……………………………………………378

The SOA Tab ………………………………………………379

The Name Servers Tab ……………………………………379

The WINS-R Tab …………………………………………380

The Zone Transfers Tab ……………………………………381

5.2

Managing the DNS Service ………………………………………381

5.2.3

Managing DNS Server Options ………………………………381

Connecting to Remote DNS Servers ………………………382

Removing Servers from the DNS Management Console …383

Configuring Aging and Scavenging for All Zones …………383

Manually Initiating Record Scavenging ……………………384

Updating the DNS Server Zone File ………………………384

Clearing the DNS Server Local Cache ……………………385


5.2.1

5.2.2

Launching the nslookup Command …………………………385

Starting, Stopping, or Pausing DNS Servers ………………385

Managing DNS Zone Settings …………………………………386

Managing DNS Record Settings ………………………………386

Summary of Exam Objectives ………………………………………390

Exam Objectives Fast Track …………………………………………391

Exam Objectives Frequently Asked Questions ……………………395

Self Test ……………………………………………………………396

Self Test Quick Answer Key ………………………………………402

Chapter 7 Implementing, Managing, and Maintaining Network Security 403

Introduction ………………………………………………………404

6.1.2

Using the Principle of Least Privilege ………………………………404

6.1/6.1.1

Implementing Security with Security Templates ……………………405

Introduction to Security Templates ……………………………406

The Security Configuration Manager Tools ……………………409

The Security Configuration and Analysis Snap-in …………411

The Security Templates Snap-in ……………………………419

Group Policy Security Extensions …………………………420

The secedit.exe Command …………………………………424

Configuring Security Templates ………………………………428

Account Policies ……………………………………………428

Local Policies ………………………………………………431

Event Log ……………………………………………………442

Restricted Groups …………………………………………443

System Services ……………………………………………448

Registry ……………………………………………………450

File System …………………………………………………452

Deploying Security Templates via Group Policy ………………454

6.1/ 6.1.1

Auditing Security Events ……………………………………………458

Auditing Areas …………………………………………………458

Audit Account Logon Events ………………………………459

Audit Account Management ………………………………460

Audit Directory Service Access ……………………………462

Audit Logon Events …………………………………………462

Audit Object Access …………………………………………463

Audit Policy Change ………………………………………465

Audit Privilege Use …………………………………………466


Audit Process Tracking ………………………………………466

Audit System Events ………………………………………467

Planning for Auditing …………………………………………468

Configuring and Implementing Auditing ………………………469

Summary of Exam Objectives ………………………………………473

Exam Objectives Fast Track …………………………………………474

Exam Objectives Frequently Asked Questions ……………………476

Self Test ……………………………………………………………478

Self Test Quick Answer Key ………………………………………485

Chapter 8 Managing and Implementing Software Updates 487

Introduction ………………………………………………………488

6.2

6.2.1

6.2.2

3.1

Installing, Configuring, and Managing the Software Update Infrastructure ………………………………488

Installing Software Update Services ……………………………489

Installing and Configuring the Automatic Update Client ……497

Managing Software Update Services ……………………………507

Viewing the Synchronization Logs …………………………507

Viewing the Approval Logs …………………………………508

Monitoring the SUS Server …………………………………509

Examining the Event Logs …………………………………510

Viewing the SUS IIS Logs …………………………………512

Troubleshooting SUS and Automatic Updates …………………512

6.2.3

Managing Updates for Legacy Clients ……………………………513

Windows Update ……………………………………………514

Windows Update Catalog …………………………………518

Systems Management Server and Third-party Applications ………………………………521

Summary of Exam Objectives ………………………………………522

Exam Objectives Fast Track …………………………………………523

Exam Objectives Frequently Asked Questions ……………………524

Self Test ……………………………………………………………525

Self Test Quick Answer Key ………………………………………534

Appendix A MCSA Command-Line Reference 535

Introduction ………………………………………………………536

Active Directory Management ……………………………………536

dsadd ……………………………………………………………537

dsadd computer ……………………………………………537


dsadd contact ………………………………………………538

dsadd group …………………………………………………539

dsadd ou ……………………………………………………540

dsadd user ……………………………………………………540

dsadd quota …………………………………………………542

dsmod …………………………………………………………543

dsmod computer ……………………………………………543

dsmod contact ………………………………………………543

dsmod group ………………………………………………544

dsmod ou ……………………………………………………545

dsmod server ………………………………………………546

dsmod user …………………………………………………546

dsmod quota ………………………………………………548

dsmod partition ……………………………………………548

dsrm ……………………………………………………………549

dsmove …………………………………………………………549

dsquery …………………………………………………………550

dsquery computer …………………………………………550

dsquery contact ……………………………………………551

dsquery group ………………………………………………552

dsquery ou …………………………………………………553

dsquery site …………………………………………………553

dsquery server ………………………………………………554

dsquery user …………………………………………………555

dsquery quota ………………………………………………556

dsquery partition ……………………………………………556

dsquery * ……………………………………………………557

dsget ……………………………………………………………558

dsget computer ………………………………………………558

dsget contact ………………………………………………559

dsget group …………………………………………………560

dsget ou ……………………………………………………561

dsget server …………………………………………………562

dsget user ……………………………………………………563

dsget subnet …………………………………………………564

dsget site ……………………………………………………565

dsget quota …………………………………………………565

dsget partition ………………………………………………566


gpresult …………………………………………………………567

whoami …………………………………………………………567

csvde and ldifde …………………………………………………568

DNS Management …………………………………………………570

dnscmd …………………………………………………………570

dnscmd /ageallrecords ………………………………………571

dnscmd /clearcache …………………………………………572

dnscmd /config ……………………………………………572

dnscmd /createbuiltindirectorypartitions ……………………578

dnscmd /createdirectorypartition ……………………………578

dnscmd /deletedirectorypartition ……………………………578

dnscmd /directorypartitioninfo ……………………………579

dnscmd /enlistdirectorypartition ……………………………579

dnscmd /enumdirectorypartitions …………………………579

dnscmd /enumrecords ………………………………………579

dnscmd /enumzones ………………………………………580

dnscmd /info ………………………………………………581

dnscmd /nodedelete …………………………………………581

dnscmd /recordadd …………………………………………581

dnscmd /recorddelete ………………………………………582

dnscmd /resetforwarders ……………………………………582

dnscmd /resetlistenaddresses …………………………………583

dnscmd /startscavenging ……………………………………583

dnscmd /statistics ……………………………………………583

dnscmd /unenlistdirectorypartition …………………………584

dnscmd /writebackfiles ……………………………………584

dnscmd /zoneadd ……………………………………………584

dnscmd /zonechangedirectorypartition ……………………585

dnscmd /zonedelete …………………………………………585

dnscmd /zoneexport ………………………………………586

dnscmd /zoneinfo …………………………………………586

dnscmd /zonepause …………………………………………586

dnscmd /zoneprint …………………………………………586

dnscmd /zoneresettype ……………………………………586

dnscmd /zonerefresh ………………………………………587

dnscmd /zonereload …………………………………………587

dnscmd /zoneresetmasters …………………………………587

dnscmd /zoneresetscavengeservers …………………………588


dnscmd /zoneresetsecondaries ………………………………588

dnscmd /zoneresume ………………………………………589

dnscmd /zoneupdatefromds …………………………………589

dnscmd /zonewriteback ……………………………………589

dnslint …………………………………………………………589

nslookup ………………………………………………………590

IIS 6.0 Management ………………………………………………593

iisweb.vbs ………………………………………………………593

iisweb /create ………………………………………………593

iisweb /delete, /start, /stop, /pause …………………………594

iisweb /query ………………………………………………594

iisvdir.vbs ………………………………………………………595

iisvdir /create ………………………………………………595

iisvdir /delete ………………………………………………595

iisvdir /query ………………………………………………596

iisftp.vbs …………………………………………………………596

iisftp /create …………………………………………………596

iisftp /delete, /start, /stop, /pause ……………………………597

iisftp /query …………………………………………………597

iisftp /setadprop ……………………………………………598

iisftp /getadprop ……………………………………………598

iisftpdr.vbs ………………………………………………………598

iisftpdr /create ………………………………………………598

iisftpdr /delete ………………………………………………599

iisftpdr /query ………………………………………………599

iisback.vbs ………………………………………………………600

iisback /backup ……………………………………………600

iisback /restore ………………………………………………601

iisback /delete ………………………………………………601

iisback /list …………………………………………………601

iiscnfg.vbs ………………………………………………………601

iiscnfg /export ………………………………………………602

iiscnfg /import ………………………………………………602

iiscnfg /copy ………………………………………………603

iiscnfg /save …………………………………………………603

Security Template Management ……………………………………603

secedit …………………………………………………………604

secedit /analyze ……………………………………………604


secedit /configure …………………………………………605

secedit /export ………………………………………………605

secedit /import ……………………………………………606

secedit /validate ……………………………………………607

secedit /GenerateRollback …………………………………607

Windows Backup Management ……………………………………607

ntbackup ………………………………………………………607

Self Test Appendix 609

Index 681

271_70-292_Fore.qxd 8/22/03 4:10 PM Page xxix

Foreword

Congratulations! By picking up this book you have taken a big step in keeping your Windows skills up to date. Whether you are an IT guru with years of experience, a neophyte fresh to the exciting world of IT, or somewhere in the middle, this book will help you get to your destination by providing you with the information and tools you need to pass the 70-292 exam, Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000.

Exam 70-292 is a new exam introduced by Microsoft in February 2003 as the only requirement for Microsoft Certified Systems Administrators (MCSAs) currently certified on Windows 2000 Server to upgrade their certification to MCSA on Windows Server 2003. Currently, certified Microsoft Certified Systems Engineers (MCSEs) on Windows 2000 Server must take this exam and the 70-296 exam, Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000, to complete their upgrade to an MCSE on Windows Server 2003.

This book was written by a team of authors who are extremely familiar with Windows Server 2003 and Windows 2000 Server. Rest assured that this book contains the best information available and is based on real-world scenarios and applications that you may likely face one day.

What is the MCSA/MCSE?

The Microsoft Certified Professional (MCP) program turned 10 years old in the spring of 2002. From its humble beginnings, the MCP program has grown into one of the largest and most prestigious IT certification programs. Microsoft leads the way in the number and subject matter of exams delivered, with one or more exams to fit just about every person. Today, Microsoft has a dozen different IT certification tracks, ranging from networking to office suites. The MCSA and MCSE tracks specifically deal with the networking side of Microsoft’s product line.


MCSA Background

At the time of this writing, Microsoft’s newest networking certification track (the MCSA) is two years old. In those two years, it has quickly gained popularity as a solid foundation for those who are tasked with the day-to-day administration and maintenance of Windows Server 2003 and Windows 2000 Server networks.

Typical duties of the MCSA certified individual include managing, supporting, and troubleshooting daily needs associated with the operation of a Windows Server 2003 or Windows 2000 Server network. Microsoft specifies that an MCSA typically have at least 6 to 12 months of hands-on experience managing and supporting workstations and servers in an existing Windows Server 2003 or Windows 2000 Server infrastructure. This is a key distinction from the MCSE certification, which may involve designing and implementing new Windows Server 2003 or Windows 2000 Server infrastructures.

Some typical job titles that MCSAs may have include:

■ Systems administrator

■ Network administrator

■ Information Systems administrator

■ Network operations analyst

■ Network technician

■ Technical support specialist

MCSE Background

The MCSE certification dates back to the Windows NT 3.51 days, and possibly earlier. The MCSE certification came under fire during the Windows NT 4.0 track due to the ease of obtaining it. Many people simply memorized the material and took the exams, achieving the MCSE certification without having enough (or in some cases, any) hands-on experience with the product. Microsoft took great pains when it rolled out the Windows 2000 MCSE track to ensure that it corrected these issues by changing the testing experience. New question types and larger, more complex question banks were implemented in an effort to make the MCSE certification meaningful. With the introduction of the Windows Server 2003 certification track, it appears that Microsoft intends to continue this progression by introducing new exam question types such as hot area, active screen, and drag-and-drop types. More information about the testing innovations that Microsoft is working on can be found at www.microsoft.com/traincert/mcpexams/faq/innovations.asp.

The typical duties of the Windows Server 2003 MCSE include planning, designing, and implementing Windows 2000 server solutions and architectures. In other words, an MCSE certified individual should expect to spend more time designing and implementing new solutions than would the MCSA certified individual. This explains why the exam requirements for the MCSE certification include a design exam in which the candidate must not only understand the networking problems at hand, but also the business problems to be dealt with. To this end, Microsoft recommends that the MCSE-certified individual have one or more years of real-world hands-on experience analyzing business and technical requirements to support the planning, designing, and implementing of solutions capitalizing on Microsoft products and technologies—not just to include Windows Server 2003.

www.syngress.com

Some typical job titles that MCSEs may have include:

■ Systems engineer

■ Network engineer

■ Systems analyst

■ Network analyst

■ Technical consultant

The Path to MCSA/MCSE

The MCSA and MCSE each have their own certification requirements, as outlined in the following sections.

The MCSA Track

To become certified as an MCSA on Windows Server 2003, you must pass three core exams and one elective exam. The required core exams consist of one client operating system exam and two networking system exams. A combination of specific CompTIA exams may be used as the elective, or the elective may be chosen from the given list of elective exams. If previously taken, exam 70-240 can be used as credit in the form of the 70-210 exam towards the MCSA requirements. As well, the 70-292 exam is an upgrade exam for currently certified MCSAs on Windows 2000 Server and is the only required exam for the upgrade to MCSA on Windows Server 2003 status.

The core exams consist of one client operating system exam and two network system exams. You will need to pass one of the following client operating system exams:

■ Exam 70-210 Installing, Configuring, and Administering Microsoft Windows 2000 Professional

■ Exam 70-270 Installing, Configuring, and Administering Microsoft Windows XP Professional

You also need to pass the following two core network systems exams:

■ Exam 70-290 Managing and Maintaining a Microsoft Windows Server 2003 Environment

■ Exam 70-291 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

You also need to pass one elective exam from the following list:

■ Exam 70-086 Implementing and Supporting Microsoft Systems Management Server 2.0

■ Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition

■ Exam 70-228 Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition

■ Exam 70-284 Implementing and Managing Microsoft Exchange Server 2003

■ Exam 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Alternatively, you can substitute one of the following combinations of CompTIA exams for the required elective exam:

■ A+ and Network+

■ A+ and Server+

■ Security+

For help in getting your CompTIA certifications put towards your MCSA certification, see the CompTIA Web site at www.comptia.org/certification/mcsa. You can get the latest news on the MCSA certification track from the Microsoft MCSA Web site, located at www.microsoft.com/traincert/mcp/mcsa/default.asp.

Once you have met all of the requirements for achieving MCSA certification, you will receive an e-mail confirmation of your new MCSA status from Microsoft approximately 72 hours after successfully completing the last requirements. You can also expect to receive your MCSA welcome kit from Microsoft confirming your MCSA status, in about 6 to 8 weeks in North America, sometimes longer than this worldwide.

The MCSE Track

The MCSE certification is considered a premier certification, and thus requires a total of seven MCP exams to complete, as outlined here. You must pass one core client operating system exam, four core network system exams, one core design exam, and one elective exam.

You need to pass one required client operating system exam from the following choices:

■ Exam 70-210 Installing, Configuring, and Administering Microsoft Windows 2000 Professional

■ Exam 70-270 Installing, Configuring, and Administering Microsoft Windows XP Professional


You need to pass these four core network system exams:

■ Exam 70-290 Managing and Maintaining a Microsoft Windows Server 2003 Environment

■ Exam 70-291 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

■ Exam 70-293 Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure

■ Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

You will also need to pass one of the following core design exams:

■ Exam 70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

■ Exam 70-298 Designing Security for a Microsoft Windows Server 2003 Network

Lastly, you will need to pass one elective exam from the following list:

■ Exam 70-086 Implementing and Supporting Microsoft Systems Management Server 2.0

■ Exam 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition

■ Exam 70-228 Installing, Configuring, and Administering Microsoft SQL Server 2000 Enterprise Edition

■ Exam 70-229 Designing and Implementing Databases with Microsoft SQL Server 2000 Enterprise Edition

■ Exam 70-232 Implementing and Maintaining Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies and Microsoft Application Center 2000

■ Exam 70-284 Implementing and Managing Microsoft Exchange Server 2003

■ Exam 70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure

■ Exam 70-298 Designing Security for a Microsoft Windows Server 2003 Network

■ Exam 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network

Alternatively, you can substitute the following CompTIA exam for a required elective exam:

■ Security+


You can get the latest news on the MCSE certification track from the Microsoft MCSE Web site, located at www.microsoft.com/traincert/mcp/mcse/default.asp. Note that although some exams are listed under more than one requirement, you can use an exam to fulfill only one requirement. Also, many exams are either/or, meaning that you can use either Exam 70-210 or Exam 70-270 to fulfill a requirement.

Once you have met all of the requirements to achieve MCSE certification, you will receive e-mail confirmation of your new MCSE status from Microsoft approximately 72 hours after successfully completing your last requirements. You can also expect to receive an MCSE welcome kit from Microsoft confirming your MCSE status in about 6 to 8 weeks in North America, sometimes longer than this worldwide.

Registering For Exams

MCP exams are administered by two third-party organizations, VUE and Thomson Prometric. You can register for an exam online or by telephone. At the time of this writing, MCP exams cost $125.00 each to register, although the prices are periodically adjusted.

■ VUE, www.vue.com, 800-837-8734 (United States and Canada). See www.vue.com/contact/ms for a list of worldwide MCP exam registration phone numbers.

■ Thomson Prometric, www.2test.com, 800-755-EXAM (United States and Canada). See www.prometric.com/candidates/contactus2.asp?aoc=gen&pnum=2&PgpName=contactus for a list of worldwide MCP exam registration phone numbers.

MCP Status

If this is your first Microsoft MCP exam, you will become an MCP upon the successful completion of this exam. You will receive an e-mail confirmation of your new MCP status from Microsoft approximately 72 hours after successfully completing the exam. You will also receive your MCP welcome kit from Microsoft in approximately 6 to 8 weeks in North America, sometimes longer than this worldwide, confirming your MCP status.

Exam Day Experience

If you are unfamiliar with the examination process and format, taking your first MCP exam can be quite an experience. You should plan on arriving at your testing center at least 15 minutes before your scheduled exam time. Remember to bring two forms of identification with you, as testing centers are required by the vendor (Microsoft in this case) to verify your identity.


Types of Questions

You should expect to see a variety of question types on this exam, as Microsoft tends to use multiple question types to further discourage cheating on exams. Some types of questions that you may encounter include:

Multiple Choice

This is the standard exam question followed by several answer choices. You will see questions that require only one correct answer and also questions that require two or more correct answers. When multiple answers are required, you will be told this in the question, such as “Choose all correct answers” or “Choose three correct answers.”

Hot Area

This type of exam question presents a question with an accompanying image and requires you to click on the image in a specific location to correctly answer the question. CompTIA regularly uses this type of question on the A+ exams.

Active Screen

This type of question requires you to configure a Windows dialog box by performing tasks to change one or more elements in the dialog box.

Drag-and-Drop

This type of exam question requires you to select objects and place them into the answer area as specified in the question.

Exam Experience

The exam itself is delivered via a computer. You will be allowed to use the Windows calculator at all times during the exam, but all other functions of the testing computer are locked out during the testing process. The testing center will have some means in place to monitor the testing room, either via video camera or one-way mirror glass, to discourage cheating.

Before starting the exam, you may be asked to complete one or more short surveys. The time spent completing these surveys is separate from the time you will be allotted to complete the exam itself. If you are not taking the exam in English, you may be entitled to extra testing time; make sure you talk to the testing center personnel about this issue. You may also be asked to complete one or more surveys following the exam. Again, any surveys you are asked to complete after the exam will not take away from your exam time. You will know immediately after completion of the exam whether or not you have passed and will receive an official score report from the testing center. However, it will take several business days for your online transcript to be updated on Microsoft’s Web site. You can access your online transcript at www.microsoft.com/traincert/mcp/mcpsecure.asp.


Final Thoughts

While studying for your 70-292 exam, be sure to get as much hands-on experience as you can with not only Windows Server 2003, but also with Windows XP Professional, Windows 2000 Professional, and Windows 2000 Server. You might be surprised by some questions that expect you to have a detailed knowledge of Windows Server 2003 and Windows 2000 Server. Setting up a small two- or three-computer test lab will benefit you greatly by allowing you to perform some tasks you would not otherwise be able to.

I would like to wish you the best of luck in pursuing your certification goals and thank you for choosing this text to help you take the next step toward those goals. Everyone involved in this project has put their best efforts into creating and delivering a thorough and useful work that not only covers the exam objectives, but also provides additional information that we believe will be useful to you in keeping your network running smoothly.

Will Schmied

July 2003

About the Study Guide and DVD Training System

In this book, you’ll find lots of interesting sidebars designed to highlight the most important concepts being presented in the main text. These include the following:

■ Exam Warnings focus on specific elements on which the reader needs to focus in order to pass the exam.

■ Test Day Tips are short tips that will help you in organizing and remembering information for the exam.

■ Configuring & Implementing sidebars contain background information that goes beyond what you need to know from the exam, providing a deep foundation for understanding advanced design, installation, and configuration concepts discussed in the text.

■ New & Noteworthy sidebars contain discussions and explanations of features and enhancements to Windows Server 2003.

■ Head of the Class discussions are based on the author’s interactions with students in live classrooms, and the topics covered here are the ones students have the most problems with.

Each chapter also includes hands-on exercises. It is important that you work through these exercises in order to be confident you know how to apply the concepts you have just read about.

You will find a number of helpful elements at the end of each chapter. For example, each chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils all exam objectives down to manageable summaries that are perfect for last minute review. The Exam Objectives Frequently Asked Questions answers those questions that most often arise from readers and students regarding the topics covered in the chapter.

Finally, in the Self Test section, you will find a set of practice questions written in a multiple-choice form that will assist you in your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that follows the Self Test questions to quickly determine what information you need to review again. The Self Test Appendix at the end of the book provides detailed explanations of both the correct and incorrect answers.


Additional Resources

There are two other important exam preparation tools included with this Study Guide. One is the DVD included in the back of this book. The other is the concept review test available from our Web site.

■ Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews all the key exam concepts from the perspective of someone taking the exam for the first time. Here, you’ll cut through all of the noise to prepare you for exactly what to expect when you take the exam for the first time. You will want to watch this DVD just before you head out to the testing center!

■ Web-based practice exams. Just visit us at www.syngress.com/certification to access a complete Windows Server 2003 concept multiple choice review. These remediation tools are written to test you on all of the published certification objectives. The exam runs in both “live” and “practice” mode. Use “live” mode first to get an accurate gauge of your knowledge and skills, and then use practice mode to launch an extensive review of the questions that gave you trouble.


271_70-292_01.qxd 8/21/03 12:40 PM Page 1

Chapter 1

MCSA/MCSE 70-292

Managing Users, Computers, and Groups

Exam Objectives in this Chapter:

1.1 Create and manage groups

1.1.1 Identify and modify the scope of a group

1.1.2 Find domain groups in which a user is a member

1.1.3 Manage group membership

1.1.4 Create and modify groups by using the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in

1.1.5 Create and modify groups by using automation

1.2 Create and manage user accounts

1.2.1 Create and modify user accounts by using the Active Directory Users and Computers MMC snap-in

1.2.2 Create and modify user accounts by using automation

1.2.3 Import user accounts

1.3 Troubleshoot user authentication issues


Introduction

It seems natural to start a book for network administrators with the nuts and bolts of administration—groups and accounts. Windows Server 2003 follows in the footsteps of Windows 2000 Server by providing network administrators with intuitive and easy-to-use tools that can be used to accomplish these tasks within a graphical user interface (GUI). Windows Server 2003 also has the ability to perform these tasks from the command line using interactive commands, or pre-written scripts and batch files.

This chapter works extensively with users and groups, and presents the information required for the “Managing Users, Computers, and Groups” objective of the 70-292 exam. Additionally, this chapter examines some common user authentication issues.

Extended Command Line Functionality

Some of the biggest improvements in Windows Server 2003 are the significant enhancements made to the command line utilities. The following new command line tools have been added to make the administrator’s job easier:

dsadd Can be used to add new objects into Active Directory such as contacts, computers, groups, organizational units, and users.

dsmod Can be used to modify an existing object in Active Directory.

dsrm Can be used to remove an existing object from Active Directory.

dsmove Can be used to move a single object in Active Directory within the same domain from one location to another. Can also be used to rename an object without moving it.

dsquery Can be used to query Active Directory per the specified criteria to locate a specific object or object type.

dsget Can be used to display the properties of a specific object in Active Directory.

EXAM 70-292 OBJECTIVE 1.1

Creating and Managing Groups

Before network administrators can begin working with groups in Windows Server 2003, they need to understand what groups are and why they are used. A group is a collection of user and/or computer accounts, contacts, and other groups that are managed as a single object. The users and computers that belong to the group are known as group members. In Windows, as with most operating systems, groups are used to simplify the administrative process of assigning permissions and rights to a large number of user and computer accounts at the same time, resulting in these groups’ members having inherited (or implicit) permissions from the group. Groups make rights management easier and less prone to error.

www.syngress.com


A set of default groups, known as local groups, is created during the installation of Windows Server 2003. Computers that are part of an Active Directory domain environment also have a set of default groups; however, these default groups are objects that reside within the Active Directory database structure. Additional groups can be created as required for both workstation- and domain-based computers. For the purposes of this discussion, it is assumed that you are working with an Active Directory environment when discussing the creation and management of groups.

When using groups in Active Directory, the following three major benefits are provided:

1. Security groups allow network administrators to simplify and reduce administrative requirements by assigning permissions and rights for a shared resource (think printer or file share) to the group rather than to each individual user that requires access. In this way, all users (and groups) that are members of the group receive the configured permissions and rights through inheritance. This is much more efficient and accurate than explicitly assigning permissions and rights to users on an individual basis. This also provides the network administrator with the ability to move users in and out of groups as their job and task requirements dictate.

2. Security groups allow network administrators to efficiently delegate administrative responsibilities for performing specific tasks in Active Directory. As an example, an administrator might have a group of six help desk workers that they wish to assign the ability to reset user passwords. By placing these six users in a group and then delegating this ability to the group, they can easily allow these users to perform this specific task that might otherwise be outside their standard permissions. Again, using groups this way allows the network administrator to move users in and out of the group as required.

3. Security and distribution groups allow network administrators to quickly create e-mail distribution groups by assigning an e-mail address to the group itself. All members of that group that are mailbox-enabled will receive e-mail that is sent to the group’s e-mail address. This is an added ability of security groups and the only usage for distribution groups (discussed later in the “Group Types” section).

When talking about groups, there are two basic characteristics to keep in mind: type and scope, which are discussed in the next sections.

Group Types

There are two types of groups available for use in both workgroup and domain environments:

Distribution Groups

Distribution groups are used for distributing messages to group members. Distribution groups are used with e-mail applications, such as Microsoft Exchange, to send e-mail to all members of a group in a quick and efficient manner by sending an e-mail to the group e-mail address. All members of the distribution group that are mailbox-enabled receive the e-mail message. Distribution groups are not security-enabled, and therefore cannot be listed on the Discretionary Access Control Lists (DACLs) that are used by Windows to control access to resources.

Security Groups

Security groups can be used for the distribution of e-mail as described for distribution groups, but can also be listed on DACLs, thus allowing them to control access to resources. Security groups can be used to assign user rights to group members. User rights include actions such as Back up files and directories or Restore files and directories, both of which are assigned to the Backup Operators group by default. As mentioned previously, the network administrator can delegate rights to groups to allow the members of the group to perform a specific administrative function that is not normally allowed by their standard user rights. Network administrators can also assign permissions to security groups to allow them to access network resources such as printers and file shares.

Permissions, which should not be confused with user rights, determine which users can access specified resources and what they can do (read, write, execute, and so on) to that resource. By assigning these permissions to a group instead of individual users, the network administrator can ensure that all members of the group have the required permissions.

Test Day Tip

Workgroup environments are those that do not use a directory service such as Active Directory. Computers that are part of a workgroup cannot share account or group information between them, thus the settings would need to be configured on each computer individually. Workgroups are also commonly referred to as peer-to-peer networks. This type of network is usually best suited for very small groups of computers, including those that are geographically remote from the core network or otherwise isolated from it.

In contrast to workgroups, a domain environment typically relies heavily on a directory service such as Active Directory for user and computer management and security enforcement. In a Windows Server 2003 Active Directory domain environment, accounts and groups need only be created once in Active Directory and are then available for use throughout the entire network.

Computers in a domain environment still have local accounts and groups, with the exception of domain controllers, thus allowing users to log into the local computer should they need to. This also allows domain administrators to install applications and perform other management tasks on computers in the domain.


When creating a new group, network administrators have the option to create it either as a distribution group or a security group. When the domain functional level (discussed in the “Changing the Domain Functional Level” section) is Windows 2000 native or higher, the administrator will be able to convert distribution groups to security groups and vice versa. If the domain functional level is set to Windows 2000 mixed, no conversions can be performed.


Domain and Forest Functionality

Domain and forest functionality is a new feature being introduced in Windows Server 2003. Having different levels of domain and forest functionality available within an Active Directory implementation allows for different features being available to the network.

As an example, if all of a network’s domain controllers are Windows Server 2003 and the domain functional level is set to Windows Server 2003, then all domain features become available. For example, you can only make use of the new ability to rename a domain controller if the domain functional level is set to Windows Server 2003. If the entire Active Directory forest is set at the Windows Server 2003 functional level, you also gain the new ability to rename entire domains. The specifics of how domain functional levels affect groups are discussed in the “Group Scopes” section of this chapter.

There are three domain functional levels available:

Windows 2000 Mixed The default domain functional level; allows for Windows NT 4.0 backup domain controllers (BDCs), Windows 2000 Server domain controllers, and Windows Server 2003 domain controllers.

Windows 2000 Native The minimum domain functional level at which universal groups become available, along with several other Active Directory features; allows for Windows 2000 Server and Windows Server 2003 domain controllers.

Windows Server 2003 The highest domain functional level, providing the most features and functionality; allows only Windows Server 2003 domain controllers.

Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be used in that domain. For example, should a network administrator decide to raise the domain functional level to Windows Server 2003, Windows 2000 Server domain controllers cannot be added to that domain.


EXAM 70-292 OBJECTIVE 1.1.1

Group Scopes

Unlike group types, which are fairly simple to understand, group scopes can be frustrating to those new to working with Windows Server 2003 and Active Directory. The scope of the group identifies the extent to which the group is applied throughout the domain tree or forest. There are three group scopes:

Universal Groups

Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups.

Global Groups

Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Domain Local Groups

Domain local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to domain local groups.

Table 1.1 outlines the behavior and usage of the group scopes as the domain functional level changes. The following guidelines will help the network administrator make better decisions when trying to figure out how to use each group scope:

Using Domain Local groups

Using Global groups

Using Universal groups

Each of these guidelines is discussed in detail in the following sections.

Using Domain Local Groups

A Domain Local group should be used to manage access to resources located within a single domain. Consider the following example of how Domain Local groups can be used: a network administrator has a network file share for which they want to configure access for 20 user accounts. They manually configure the share permissions to allow each of the 20 user accounts to have the required access. Later, they need to configure the permissions on a second network file share for the same 20 user accounts. They now need to perform the manual permissions assignment again for the 20 users. The easier, more accurate, and more secure way to assign the permissions needed would be to create a Domain Local group and assign it the required permissions on the file shares. After doing this, the administrator could create a Global group and place the 20 user accounts into that Global group. Adding the Global group to the Domain Local group results in all 20 users inheriting the Domain Local group’s assigned permissions, which therefore allows them to gain access to the two file shares. This is much faster and more accurate than attempting to manually configure permissions for 20 users on two different file shares. Now imagine how this example could be scaled up to include dozens, perhaps hundreds, of shared objects in a network.

Table 1.1 Group Scope Behaviors versus Domain Functional Level

Group membership (Windows Server 2003 or Windows 2000 native)
Universal group: Members can include user accounts, computer accounts, and other Universal groups from any domain.
Global group: Members can include user accounts, computer accounts, and other Global groups from the same domain.
Domain Local group: Members can include user accounts, computer accounts, Global groups, and Universal groups from any domain, and other Domain Local groups from the same domain.

Group membership (Windows 2000 mixed)
Universal group: Universal groups cannot be created.
Global group: Members can include user and computer accounts from the same domain.
Domain Local group: Members can include user accounts, computer accounts, and Global groups from any domain.

Group nesting (Windows Server 2003 or Windows 2000 native)
Universal group: Can be added to other groups.
Global group: Can be added to other groups.
Domain Local group: Can be added to other Domain Local groups.

Group permissions (Windows Server 2003 or Windows 2000 native)
Universal group: Can be assigned permissions in any domain.
Global group: Can be assigned permissions in any domain.
Domain Local group: Can be assigned permissions only in the same domain.

Group scope changes (Windows Server 2003 or Windows 2000 native)
Universal group: Can be changed to a Global group as long as no group members are other Universal groups. Can be converted to a Domain Local group with no restrictions.
Global group: Can be changed to a Universal group as long as the group is not a member of any other Global group.
Domain Local group: Can be changed to a Universal group as long as no group members are other Domain Local groups.

Group scope changes (Windows 2000 mixed)
Universal group: Not allowed.
Global group: Not allowed.
Domain Local group: Not allowed.

Using Global Groups

Global groups should be used to manage objects that will likely require frequent maintenance and management operations, such as user accounts and computer accounts. Global groups are not replicated beyond the boundaries of their own domains. Thus, changes can be made to Global group members without creating large amounts of replication traffic to the domain Global Catalog servers. (This is in direct contrast to Universal groups, which are discussed later in this chapter.) Permissions and user rights that are assigned to Global groups are only valid in the domain in which they are assigned. Global groups (or Universal groups) should be used when applying permissions on domain objects that are replicated to the Global Catalog.

Using Universal Groups

Universal groups are best used to consolidate Global groups into one location. Since user accounts are added to Global groups, membership changes in the Global groups do not have an effect on the Universal group. Consider an example where there are two domains, east and west, with Global groups GFinanceEast and GFinanceWest, respectively. User accounts are added to their respective Global group. The two Global groups are then added to one Universal group named UFinance. The UFinance Universal group can be used anywhere within this enterprise, and changes that are made to the GFinanceEast and GFinanceWest Global groups do not cause replication to occur for the UFinance group—this provides a bandwidth (and cost) savings.

Membership in Universal groups should not change often as changes to Universal groups are replicated to every Global catalog server in the forest, a potentially very bandwidth-intensive operation.


Nesting Groups

You’ve seen how groups can have other groups as members. This concept is known as group nesting. Groups can be nested to help consolidate large numbers of user and computer accounts to reduce replication traffic. The type of nesting that can be performed is determined by the domain functional level of the domain.

If the domain functional level is set to Windows 2000 native or Windows Server 2003, groups can have the following members:

Domain Local Groups Other Domain Local groups in the same domain, Global groups from any domain, Universal groups from any domain, user accounts from any domain, and computer accounts from any domain.

Global Groups Other Global groups in the same domain, user accounts in the same domain, and computer accounts in the same domain.

Universal Groups Other Universal groups from any domain, Global groups from any domain, user accounts from any domain, and computer accounts from any domain.

If the domain functional level is set to Windows 2000 mixed, distribution groups can still have the same membership as detailed above for Windows 2000 native or Windows Server 2003 functional level security groups.

If the domain functional level is set to Windows 2000 mixed, security groups can have the following members:

Domain Local Groups Global groups from any domain, user accounts from any domain, and computer accounts from any domain.

Global Groups User accounts in the same domain and computer accounts in the same domain.

Test Day Tip

The discussion about group types and group scopes applies only to Active Directory domain controllers and member servers. Group features such as group nesting and the distinction between security groups and distribution groups are not available elsewhere. Stand-alone servers and workstations participating in a workgroup environment can only use local groups. Local groups can only be assigned permissions on that local computer. The bottom line is that in a non-Active Directory environment, network administrators are limited to configuring rights and permissions on a computer-by-computer basis.


Default Groups

Several default groups are created during the creation of an Active Directory domain. These groups should be used as much as possible to control access to shared resources and to grant rights to perform specific administrative tasks. Many of these default groups are assigned a specific set of user rights that allow group members to perform the tasks for which the group was created. For example, any user that is a member of the Backup Operators group will have the right to perform backup and restore operations for domain controllers, even though they might not otherwise be able to perform this task.

The default groups are created in two places in Active Directory: the Builtin container and the Users container. Figure 1.1 shows the Active Directory Users and Computers console; from this location the network administrator can perform all group, user account, and computer account management tasks (discussed later in the “Managing and Modifying Groups” section of this chapter).

Figure 1.1 The Active Directory Users and Computers Console

Table 1.2 details the default groups that are created in the Builtin container.

Table 1.2 The Default Groups Located in the Builtin Container

Account Operators: The members of this group can create, modify, and delete user accounts, computer accounts, and groups located in the Users or Computers containers and all Organizational Units in the domain except for the Domain Controllers Organizational Unit. Account Operators cannot make any changes to the Administrators or Domain Admins groups, and they cannot make modifications to members of these groups.

Administrators: The members of this group have full and complete control over all domain controllers in the domain. The Domain Admins and Enterprise Admins groups are members of the Administrators group by default.

Backup Operators: The members of this group have user rights to back up and restore files on all domain controllers in the domain, regardless of what their individual user rights allow them. Additionally, members of the Backup Operators group can log on to domain controllers and shut them down.

Guests: The Guests group includes the Domain Guests group and the Guest account by default.

Incoming Forest Trust Builders: The members of this group can create one-way (incoming) forest trusts to the root domain of the forest tree.

Network Configuration Operators: The members of this group can configure changes to the Transmission Control Protocol/Internet Protocol (TCP/IP) settings as well as renew and release Dynamic Host Configuration Protocol (DHCP) leases on all domain controllers in the domain.

Performance Monitor Users: The members of this group have the ability to monitor the performance on all domain controllers in the domain, both locally and remotely.

Performance Log Users: The members of this group can manage the performance counters, logs, and alerts on all domain controllers in the domain, both locally and remotely.

Pre-Windows 2000 Compatible Access: The members of this group are provided with read-only access to all user and computer accounts in the domain. This group provides compatibility with computers running Windows NT 4.0 and earlier.

Print Operators: The members of this group can manage printers in the domain. Print Operators also have the ability to log on locally to domain controllers in the domain and shut them down.

Remote Desktop Users: The members of this group can remotely log on to domain controllers in the domain using Remote Desktop (RDP).

Replicator: The Replicator group is a service group that is used to support directory replication functions and is used by the File Replication Service (FRS) on domain controllers in the domain.

Server Operators: The members of this group can log on locally to domain controllers. They are allowed to create and delete shared resources, start and stop specific services, back up and restore files, format disks, and shut down computers.

Users: The members of this group are provided the ability to perform most common tasks such as executing applications, using network and local printers, and accessing network shares. The Domain Users group and the Authenticated Users group are members of the Users group. User accounts automatically become members of the Users group upon creation.

Table 1.3 details the default groups that are created in the Users container.

Table 1.3 The Default Groups Located in the Users Container

Cert Publishers: The members of this group can publish certificates for users and computers.

DnsAdmins: The members of this group can perform administrative tasks on DNS servers.

DnsUpdateProxy: The members of this group are DNS clients that are permitted to perform dynamic updates on behalf of other clients, such as DHCP servers.

Domain Admins: The members of this group have full and complete control over the entire domain. The Domain Admins group is a member of the Administrators group on all computers once they are joined to the domain. The Administrator account is a member of the Domain Admins group.

Domain Computers: The Domain Computers group contains all workstations and member servers that are joined to the domain. All computer accounts created in the domain are automatically placed in this group by default.

Domain Controllers: The Domain Controllers group contains all domain controllers in the domain.

Domain Guests: The Domain Guests group contains all domain guests.

Domain Users: The Domain Users group contains all domain users. All user accounts created in the domain are automatically placed in this group by default.

Enterprise Admins: The members of this group have full control of all domains in the forest tree. The Enterprise Admins group is a member of the Administrators group on all domain controllers in the forest by default. Additionally, the Administrator account is a member of the Enterprise Admins group.

Group Policy Creator Owners: The members of this group can modify Group Policy in the domain. The Administrator account is a member of this group by default.

IIS_WPG: This group is installed when IIS 6.0 is installed and functions as the worker process group.

RAS and IAS Servers: The members of this group (Remote Access Server [RAS] and IAS servers) are allowed to access the remote access properties of users.

Schema Admins: The members of this group have the ability to modify the Active Directory schema. The Administrator account is a member of the Schema Admins group by default.

Default groups are also created on stand-alone servers. Although the primary focus of this exam is on Windows Server 2003 in an Active Directory environment, there are still many times when knowledge of the local default groups will be useful. Table 1.4 details the default local groups. These groups are listed in the Groups node of the Local Users and Groups console.

Table 1.4 The Default Local Groups

Administrators: The members of this group have full control of the computer and can perform any task on the server. The Administrator account is a member of this group by default.

Backup Operators: The members of this group can back up and restore files on the computer, regardless of any permissions that protect those files.

DHCP Administrators: The members of this group have administrative access to the DHCP service.

DHCP Users: The members of this group have read-only access to the DHCP service, allowing them to view information and properties without being able to make configuration changes.

Guests: The members of this group do not have a real profile, using only a temporary profile. The Guest account is a member of this group.

HelpServicesGroup: The HelpServicesGroup allows the setting of user rights that are common to support applications. Members should not be added to this group.

Network Configuration Operators: The members of this group can make changes to TCP/IP settings and renew and release DHCP leases on the computer.

Performance Monitor Users: The members of this group can monitor performance counters on the computer, both locally and remotely.

Performance Log Users: The members of this group can manage performance counters, logs, and alerts on a computer, both locally and remotely.

Power Users: The members of this group can create new user accounts and modify and delete the accounts they have created. Additionally, they can create local groups and then add or remove users from the local groups they have created. Members of the Power Users group can create and administer shared resources; however, they cannot take ownership of files, back up or restore files, or load or unload device drivers.

Print Operators: The members of this group can manage printers and print queues on the local computer.

Remote Desktop Users: The members of this group can remotely log on to the computer using RDP.

Replicator: The Replicator group supports replication functions. User accounts of actual users should not be added to this group.

Terminal Server Users: The members of this group are those users who are currently logged onto the system using Terminal Services.

Users: The members of this group are provided the ability to perform most common tasks such as executing applications, using network and local printers, and accessing network shares. The Domain Users group and Authenticated Users group are members of the Users group. User accounts automatically become members of the Users group upon creation.

WINS Users: The members of this group have read-only access to the WINS service, allowing them to view information and properties without being able to make configuration changes.

EXAM 70-292 OBJECTIVE 1.1.2, 1.1.3, 1.1.4, 1.1.5

Managing and Modifying Groups

The Active Directory Users and Computers console, as seen in Figure 1.2, identifies the tools available for working with groups in Active Directory.


Figure 1.2 The Active Directory Users and Computers Console


The most common tasks performed in relation to groups include the following:

Creating new groups

Adding members to groups

Removing members from groups

Converting the group type

Changing the group scope

Deleting groups

Modifying group properties

Finding groups in which a particular user is a member

Assigning user rights and permissions to a group

Before performing any of these administrative tasks, the network administrator should know how to change the domain functional level of their domain in order to support Universal groups and scope type changes.

Changing the Domain Functional Level

If a domain contains only Windows 2000 Server and Windows Server 2003 domain controllers, the domain functional level should be raised. Raising the domain functional level from Windows 2000 mixed to Windows 2000 native or Windows Server 2003 allows the network administrator to increase the functionality of their domain and their domain controllers. They will be able to create Universal groups and also gain the ability to convert groups from distribution groups to security groups and vice versa, as well as the ability to change the group scope. Exercise 1.01 details the process involved in changing the domain functional level of an Active Directory domain.


Exercise 1.01 Raising the Domain Functional Level

1. Click Start | Programs | Administrative Tools | Active Directory Users and Computers to open the Active Directory Users and Computers console seen previously in Figure 1.2.

2. Click on the domain whose functional level you wish to change (refer back to the highlighted domain in Figure 1.2).

3. Click Action and select Raise Domain Functional Level from the menu, as seen in Figure 1.3.

Figure 1.3 Raising the Domain Functional Level

4. The Raise Domain Functional Level window opens, as seen in Figure 1.4. From the drop-down box, select the functional level you wish to configure. Note that you can only go up in functional level—you can never go back down. By selecting Windows 2000 native, you will no longer be allowed to have Windows NT 4.0 domain controllers on the network. By selecting Windows Server 2003, you can have only Windows Server 2003 domain controllers on the network. Click Raise after making your selection.

Figure 1.4 Selecting the New Domain Functional Level


Note

You must be a member of the Account Operators group, the Domain Admins group, or the Enterprise Admins group in order to perform most of the administrative actions discussed in the following sections. You can also perform this task if you have been delegated the authority to do so.


EXAM 70-292 OBJECTIVE 1.1.4

Creating New Groups

The exam objectives for exam 70-292 expect you to be able to create and modify groups both from within the Active Directory Users and Computers console and from the command line. To create a new group from within the GUI, perform the procedure outlined in Exercise 1.02.

EXERCISE 1.02 CREATING GROUPS WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the node in which you want to create the new group.

3. Right-click on the node and select New | Group from the context menu, as seen in Figure 1.5.

4. The New Object – Group window opens, as seen in Figure 1.6.

Figure 1.5

Starting the New Group Creation Process


Figure 1.6

Entering the New Group Information

5. Enter the Group name. By default, the pre-Windows 2000 Group name is the same; however, you can change it as required to make it compatible with Network Basic Input/Output System (NetBIOS) naming requirements.

6. Select the Group scope and Group type as required. Click OK to create the new group.

New groups can also be created from the command line using the dsadd command. The syntax required to create a new group is as follows:

dsadd group GroupDN [-secgrp {yes | no}] [-scope {l | g | u}] [-samid SAMName] [-desc Description]

The function of each switch is explained briefly in Table 1.5. Appendix A contains a complete listing of the dsadd command and its switches.

Table 1.5 dsadd Switches for Adding a New Group

Switch              Function
group               Required modifier; instructs dsadd that it is to work with groups.
GroupDN             Required item; specifies the distinguished name of the group to be created.
-secgrp {yes | no}  Specifies the group type. A yes answer (the default) indicates a security group and a no answer indicates a distribution group.
-scope {l | g | u}  Specifies the scope of the group: Domain Local, Global, or Universal.
-samid SAMName      Specifies the Security Accounts Manager (SAM) name to be used for the group—this will become the pre-Windows 2000 group name. If not specified, this name is derived from the distinguished name.
-desc Description   Specifies the description of the group being created.

Figure 1.7 demonstrates the usage of the dsadd command to add a new domain local security group named West Region Sales using the following command:

dsadd group "CN=West Region Sales,DC=corp,DC=mcsaworld,DC=com" -samid WestSales -secgrp yes -scope l -desc "This group contains all members of the Western Region Sales department"


Figure 1.7

Creating a New Group from the Command-Line

TEST DAY TIP

Anytime there are blank spaces in an entry as seen in Figure 1.7 (West Region Sales), the entire entry must be placed in quotation marks. Thus, the entire distinguished name must be placed in quotation marks in order for Windows to properly parse the command and produce the desired results.

For more information on using the dsadd command, refer to Appendix A.

EXAM 70-292 OBJECTIVE 1.1.3

Adding Members to a Group

Once a group is created, members are added to it. It is important to remember that group members can be user accounts, computer accounts, or other groups, as allowed by the nesting rules. Exercise 1.03 walks through the process of adding user accounts and groups to the previously created West Region Sales group using the Active Directory Users and Computers console.


EXERCISE 1.03 ADDING GROUP MEMBERS WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the group to have members added.

3. Double-click on the group to open its Properties dialog box.

4. Switch to the Members tab, as seen in Figure 1.8.

Figure 1.8

Adding Members to a Group

5. Click the Add button to open the Select Users, Contacts, Computers or Groups dialog box. To search for users, click the Advanced button. Click Find Now to search for appropriate members, as seen in Figure 1.9.

Figure 1.9

Locating Members to Add to the Group


6. To add an account or group, double-click it. To add multiple accounts or groups, click on them one at a time while pressing the Ctrl key. Remember that you must abide by the rules for nested groups outlined in the “Group Scopes” section earlier in this chapter. After making your selections, click the OK button.

7. After the Select Users, Contacts, Computers or Groups dialog box collapses, click OK to confirm and add the selected accounts and groups. The results will be shown as seen in Figure 1.10.

Figure 1.10

Viewing Group Members


8. Click OK or Apply to accept the membership change.

9. You can also make this group a member of another group by switching to the Member Of tab, as seen in Figure 1.11. The same rules for nesting groups apply, as outlined in the “Group Scopes” section earlier in this chapter.

Figure 1.11

Adding the Group to Another Group


Members can also be added to an existing group from the command line using the dsmod command. The syntax required to add a member to a group is as follows:

dsmod group GroupDN -addmbr MemberDN

The function of the switches is self-explanatory, as they represent the distinguished name of the group to add the member to and the distinguished name of the member to be added. Appendix A contains a complete listing of the dsmod command and its switches.

Figure 1.12 demonstrates using the dsmod command twice to add two user accounts to the West Region Sales group using the following commands:

dsmod group "CN=West Region Sales,DC=corp,DC=mcsaworld,DC=com" -addmbr "CN=Rick Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com"

dsmod group "CN=West Region Sales,DC=corp,DC=mcsaworld,DC=com" -addmbr "CN=Jeff Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com"

Figure 1.12

Adding Users to a Group from the Command-Line

A quick check of the Members tab of the West Region Sales group, seen in Figure 1.13, indicates that the user accounts were successfully added to the group.

Figure 1.13

Verifying the Results of the dsmod Command


Removing Members from Groups

The process for removing a member from a group using the Active Directory Users and Computers console is simple: highlight the member or members to be removed on the group's Members tab, seen previously in Figure 1.12, and click the Remove button. You will be prompted to confirm your actions before they are carried out.

To remove group members from the command line, use the dsmod command. This time, however, the command being issued would look like:

dsmod group "CN=West Region Sales,DC=corp,DC=mcsaworld,DC=com" -rmmbr "CN=Jeff Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com"

Figure 1.14 shows this command in action.

Figure 1.14

Removing Group Members from the Command-Line


Again, a check of the group's Members tab will confirm that the user has in fact been removed from the group. You will not be prompted to verify your intent to remove a group member when issuing the command from the command line.

Converting Group Type

If the domain functional level is Windows 2000 native or higher, security groups can be converted to distribution groups at will, and vice versa. Recall that distribution groups do not have DACL entries and can only be used for e-mail distribution. Security groups can be used for e-mail distribution as well, and can also be used to effectively manage user rights, assignments, and permissions. Converting a group from one type to another can be easily accomplished from the Active Directory Users and Computers console, as discussed in Exercise 1.04.


EXERCISE 1.04 CONVERTING GROUP TYPE FROM ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the group whose type you wish to convert.

3. Double-click on the group to open its Properties dialog box.

4. On the General tab, seen in Figure 1.15, you will be able to change the group type.

Figure 1.15

Converting the Group Type

5. For conversions from Distribution to Security, you simply make the change and click OK or Apply.

6. For conversion from Security to Distribution, make the change and click OK or Apply to confirm. You will be warned, as seen in the warning dialog of Figure 1.16, that users may gain or lose access to resources in an unwanted way. This is due to the fact that you are removing the DACLs from the group by converting it to a distribution group.

Figure 1.16

The Conversion Warning Dialog Box

7. If you want to make the conversion to a distribution group, click Yes.


About DACLs

A DACL is an internal listing that is attached to files, folders, and other directory services objects on volumes that are formatted with the NTFS file system. DACLs are configured by administrators and used to specify which users and/or groups are allowed to perform different actions on the file, folder, or object in question. The implementation of a DACL varies from files and folders to other objects due to the specific requirements of other objects. For example, files and folders have the Read access permission, but printers do not.

Each DACL is made up of Access Control Entries (ACEs). Each ACE specifies the security identifier (SID) of the security principal (user or group) that it applies to as well as the level of access to the file, folder, or object that is permitted for that specific security principal.
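To make the sidebar's description concrete, here is an added Python model (example code, not from the book) of a DACL made up of ACEs and of the access check that consumes it. The SIDs, the access-mask bits and the SalesDocs ACL are constructed for illustration and are not real domain values. It also shows why converting a security group to a distribution group changes access in the way the conversion warning describes: a distribution group's SID never appears in a user's access token, so ACEs that name it simply stop matching.

```python
"""Model of a DACL and the access check that consumes it (constructed example)."""
from dataclasses import dataclass

# Constructed access-mask bits; real Windows access masks are wider.
READ, WRITE, DELETE = 0x1, 0x2, 0x4

# SIDs used by the illustration.  BUILTIN\Administrators is the well-known
# S-1-5-32-544; the other two are constructed placeholders.
ADMINS_SID = "S-1-5-32-544"
SALES_GROUP_SID = "S-1-5-21-0-0-0-1105"   # "West Region Sales" (constructed)
RICK_SID = "S-1-5-21-0-0-0-1201"          # user Rick Smith (constructed)


@dataclass(frozen=True)
class ACE:
    kind: str   # "allow" or "deny"
    sid: str    # SID of the security principal the entry applies to
    mask: int   # access rights granted or denied


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: frozenset   # SIDs of the security groups the user belongs to


def access_check(dacl, token, desired):
    """Windows-style DACL evaluation.  ACEs are walked in order; a deny ACE
    that covers any still-ungranted desired right fails the check at once,
    allow ACEs accumulate rights, and the check succeeds as soon as every
    desired right has been granted.  An empty DACL grants nothing."""
    if dacl is None:
        return True   # a NULL DACL means no protection at all: everyone gets everything
    principals = {token.user_sid} | set(token.group_sids)
    granted = 0
    for ace in dacl:
        if ace.sid not in principals:
            continue
        remaining = desired & ~granted
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


def sales_docs_dacl():
    """Constructed DACL for the SalesDocs folder, in canonical order (denies
    first): the sales group may read and write but never delete, and
    Administrators get everything."""
    return [
        ACE("deny", SALES_GROUP_SID, DELETE),
        ACE("allow", ADMINS_SID, READ | WRITE | DELETE),
        ACE("allow", SALES_GROUP_SID, READ | WRITE),
    ]


def evaluate(group_is_security):
    """Return (can_read, can_delete) for Rick.  When the sales group is a
    security group its SID is in Rick's token; after conversion to a
    distribution group the SID is absent and the ACEs no longer match him."""
    groups = frozenset({SALES_GROUP_SID}) if group_is_security else frozenset()
    token = Token(RICK_SID, groups)
    dacl = sales_docs_dacl()
    return access_check(dacl, token, READ), access_check(dacl, token, DELETE)


if __name__ == "__main__":
    print("security group:    ", evaluate(True))    # (True, False)
    print("distribution group:", evaluate(False))   # (False, False)
```

The ordering matters: because the deny ACE sits before the allow ACE, a member of the sales group is refused DELETE even though a later entry grants other rights, which is exactly how the GUI's canonical ordering of explicit denies ahead of explicit allows behaves.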

Group type conversions can also be performed from the command line using the dsmod command. The syntax required to perform the conversion is as follows:

dsmod group GroupDN [-secgrp {yes | no}]

Again, the function of the switches is self-explanatory, as they represent the distinguished name of the group to be converted and the type of group conversion being made. Appendix A contains a complete listing of the dsmod command and its switches.

Figure 1.17 demonstrates using the dsmod command twice, first to convert a distribution group into a security group and then back into a distribution group using the following commands:

dsmod group "CN=Arizona Sales Division,DC=corp,DC=mcsaworld,DC=com" -secgrp yes

dsmod group "CN=Arizona Sales Division,DC=corp,DC=mcsaworld,DC=com" -secgrp no

Figure 1.17

Converting the Group Type from the Command-Line

A check of the group type from the General tab will confirm that the change has been made. You will not receive any warning dialogs when converting the group type from the command line.


EXAM 70-292 OBJECTIVE 1.1.1

Changing Group Scope

Just as a network administrator might want to convert the group type, they may also need to change the group scope over time. If the domain functional level is Windows 2000 native or higher, they will be able to use Universal groups. A network administrator can change the scope of a group (within the guidelines established in Table 1.1) from the Active Directory Users and Computers console by performing the steps outlined in Exercise 1.05.

EXERCISE 1.05 CHANGING THE GROUP SCOPE FROM ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the group whose scope you wish to change.

3. Double-click on the group to open its Properties dialog box.

4. On the General tab, as seen in Figure 1.18, you can change the group scope.

Figure 1.18

Changing the Group Scope

5. Change the group scope as desired and click OK or Apply to accept the changes. Remember, you can only change the group scope as previously outlined in Table 1.1.


Group scope changes can also be performed from the command line using the dsmod command. The syntax required to make scope changes is as follows:

dsmod group GroupDN [-scope {l | g | u}]

The function of the switches is self-explanatory, as they represent the distinguished name of the group to be changed and the scope to change the group to. Appendix A contains a complete listing of the dsmod command and its switches.

Figure 1.19 demonstrates using the dsmod command three times: first to (unsuccessfully) change a Domain Local group into a Global group, second to (successfully) change this same Domain Local group into a Universal group, and lastly to (successfully) change the Universal group into a Global group using the following commands:

dsmod group "CN=California Sales Division,DC=corp,DC=mcsaworld,DC=com" -scope g

dsmod group "CN=California Sales Division,DC=corp,DC=mcsaworld,DC=com" -scope u

dsmod group "CN=California Sales Division,DC=corp,DC=mcsaworld,DC=com" -scope g


Figure 1.19

Changing the Group Scope from the Command-Line

A check of the group scope from the General tab will confirm that the change has been made. Changing from a domain local group to a global group is not supported by the dsmod command.
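Two details from this and the earlier dsadd discussion trip people up when the commands are scripted rather than typed: the Test Day Tip's point that a distinguished name containing spaces must be quoted (and that a name containing commas must be escaped inside the DN itself), and the fact that a Domain Local to Global change has to be routed through Universal. The following Python helper is an added example, not code from the book or from Microsoft's tools; it builds dsadd group and dsmod group command lines with RFC 4514 value escaping and cmd.exe quoting, and plans a scope change as the sequence of steps dsmod will accept. The DNs and group names reuse the chapter's examples; the membership preconditions on Universal conversions are noted but not modelled.

```python
"""Builds dsadd/dsmod group command lines with safe DN escaping and plans
scope changes as the steps Active Directory will accept (added example)."""

VALID_SCOPES = {"l": "Domain Local", "g": "Global", "u": "Universal"}

# Scope changes Active Directory performs in one step.  Domain Local <-> Global
# is not allowed directly; Universal is the bridge.  Membership preconditions
# (a Global group may only become Universal if it is not a member of another
# Global group; a Universal group may only become Global if it contains no
# Universal groups) still apply and are not modelled here.
DIRECT_SCOPE_CHANGES = {("g", "u"), ("l", "u"), ("u", "g"), ("u", "l")}


def escape_rdn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514): backslash the
    special characters, a leading '#', and a leading or trailing space."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '\\,+"<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns, base):
    """Join (attribute, value) pairs onto a base DN, escaping every value."""
    parts = ["%s=%s" % (attr, escape_rdn_value(val)) for attr, val in rdns]
    return ",".join(parts + [base])


def cmd_quote(arg):
    """Quote an argument for cmd.exe.  Anything containing a space or a cmd
    metacharacter is wrapped in double quotes, inside which cmd treats them
    literally.  Embedded double quotes and '%' (which cmd expands even inside
    quotes) are rejected rather than guessed at."""
    if '"' in arg or "%" in arg:
        raise ValueError("unsupported character in argument: %r" % arg)
    if any(ch in arg for ch in " &|<>^()"):
        return '"%s"' % arg
    return arg


def dsadd_group(dn, samid=None, secgrp=True, scope="l", desc=None):
    """Return the dsadd command that creates the group (switches from Table 1.5)."""
    if scope not in VALID_SCOPES:
        raise ValueError("scope must be one of l, g, u")
    parts = ["dsadd", "group", cmd_quote(dn)]
    if samid:
        parts += ["-samid", cmd_quote(samid)]
    parts += ["-secgrp", "yes" if secgrp else "no", "-scope", scope]
    if desc:
        parts += ["-desc", cmd_quote(desc)]
    return " ".join(parts)


def scope_change_plan(current, target):
    """Ordered list of scopes to move through.  A change Active Directory cannot
    make in one step (Domain Local <-> Global) is routed through Universal."""
    if current not in VALID_SCOPES or target not in VALID_SCOPES:
        raise ValueError("scope must be one of l, g, u")
    if current == target:
        return []
    if (current, target) in DIRECT_SCOPE_CHANGES:
        return [target]
    return ["u", target]


def dsmod_scope_commands(dn, current, target):
    """One dsmod command per step of the plan."""
    return ["dsmod group %s -scope %s" % (cmd_quote(dn), s)
            for s in scope_change_plan(current, target)]


if __name__ == "__main__":
    base = "DC=corp,DC=mcsaworld,DC=com"
    print(dsadd_group(build_dn([("CN", "West Region Sales")], base),
                      samid="WestSales", scope="l",
                      desc="This group contains all members of the Western Region Sales department"))
    for cmd in dsmod_scope_commands(build_dn([("CN", "California Sales Division")], base), "l", "g"):
        print(cmd)
```

For the West Region Sales group this reproduces the dsadd command shown in Figure 1.7, and for the California Sales Division group it emits the two dsmod commands that succeeded in Figure 1.19 (Domain Local to Universal, then Universal to Global) instead of the single Domain Local to Global command that failed. A group whose CN contains a comma, such as "Smith, Rick", comes out as CN=Smith\, Rick, which is what a DN parser expects.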

Deleting Groups

A group can easily be deleted from within the Active Directory Users and Computers console as outlined in Exercise 1.06. Note that deleting a group does not cause any members of the group to be deleted from Active Directory—only to be removed from that group and lose any rights and permissions that may have been applied to them if the group is a security group. If the group is a distribution group, e-mails will no longer be able to be sent to the group e-mail address.


EXERCISE 1.06 DELETING GROUPS FROM ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the group to be deleted.

3. Right-click on the group and select Delete from the context menu.

4. When prompted if you want to delete the group, click Yes.

A group can also be deleted from the command line using the dsrm command. The syntax required to delete a group is as follows:

dsrm GroupDN

Appendix A contains a complete listing of the dsrm command and its switches. Figure 1.20 demonstrates using the dsrm command to remove the Washington Sales Division group using the following command:

dsrm "CN=Washington Sales Division,DC=corp,DC=mcsaworld,DC=com"

Figure 1.20

Removing a Group Using the Command-Line

A check of Active Directory Users and Computers will show that the group has been deleted. As can be seen, you will be required to confirm the deletion when using the dsrm command.

EXAM 70-292 OBJECTIVE 1.1.4

Modifying Group Properties

After a group is created, the properties may need to be changed. Most commonly, these changes include supplying an e-mail address for the group and denoting someone as being the person responsible for the group. These changes can be easily made from Active Directory Users and Computers as outlined in Exercise 1.07.

EXERCISE 1.07 MODIFYING GROUP PROPERTIES

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the group whose properties you wish to modify.

3. Double-click on the group to open its Properties dialog box.

4. On the General tab (seen in Figure 1.21), you can enter an e-mail address to be used to distribute e-mail to all mailbox-enabled members of the group.

Figure 1.21

Entering a Group E-mail Address


5. If you want to list a user as being responsible for the group, switch to the Managed By tab. Go through the process to locate and add a user as demonstrated earlier in Exercise 1.03. You will see the pertinent details, as seen in Figure 1.22, after confirming the responsible user.


Figure 1.22

Viewing the Group Manager Details

EXAM 70-292 OBJECTIVE 1.1.2

Finding Groups in Which a Particular User is a Member

The ability to determine which groups a user is a member of can be helpful in many situations, including troubleshooting permissions and user rights assignments. To determine which groups a user is a member of (this also applies to computers) from the Active Directory Users and Computers console, perform the steps in Exercise 1.08.

EXERCISE 1.08 DETERMINING THE GROUPS A USER IS A MEMBER OF

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the user in question.

3. Double-click the user to open the Properties dialog box.

4. Switch to the Member Of tab, seen in Figure 1.23, to quickly determine what groups the user is a member of.


Figure 1.23

Viewing User Group Membership Details

To determine what groups a user is a member of from the command line, use the dsget command. The syntax required is as follows:

dsget user UserDN -memberof

Appendix A contains a complete listing of the dsget command and its switches. Figure 1.24 demonstrates using the dsget command to determine the group membership of user Rick Smith using the following command:

dsget user "CN=Rick Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -memberof

Figure 1.24

Determining Group Membership from the Command-Line
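When the troubleshooting question is really "does this user hold more power than intended", the dsget output is worth parsing rather than eyeballing. The following Python script is an added example (not from the book): it reads the one-quoted-DN-per-line output that dsget user -memberof produces, splits each DN correctly even when a name contains an escaped comma, and flags membership in the administrative groups named in this chapter (Account Operators, Domain Admins, Enterprise Admins, Administrators, Schema Admins). The sample output is constructed; it is not captured from a real domain. Note that -memberof reports direct memberships only, so a nested route into a privileged group needs a separate expansion step.

```python
"""Audits the output of `dsget user UserDN -memberof` for membership in
administrative groups (added example with constructed sample output)."""

# Groups that carry broad administrative power, as named in this chapter.
PRIVILEGED_GROUPS = {
    "Administrators", "Account Operators", "Domain Admins",
    "Enterprise Admins", "Schema Admins",
}

# Constructed sample of dsget -memberof output: one quoted DN per line.  The
# last group has a comma in its name, escaped as \, inside the DN.
SAMPLE_OUTPUT = '''"CN=Domain Users,CN=Users,DC=corp,DC=mcsaworld,DC=com"
"CN=West Region Sales,DC=corp,DC=mcsaworld,DC=com"
"CN=Account Operators,CN=Builtin,DC=corp,DC=mcsaworld,DC=com"
"CN=Smith\\, Jeff Reports,OU=Sales,DC=corp,DC=mcsaworld,DC=com"

'''


def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash escapes (RFC 4514).
    Hex escapes such as \\2C are not handled; dsget prints the character form."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i + 1])   # keep the escaped character, drop the backslash
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def group_name(dn):
    """Return the value of the leading RDN, i.e. the group's CN."""
    first = split_dn(dn)[0]
    _, _, value = first.partition("=")
    return value.strip()


def parse_memberof(output):
    """Collect the group DNs from dsget output; non-DN lines are ignored."""
    groups = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith('"') and line.endswith('"') and "=" in line:
            groups.append(line[1:-1])
    return groups


def audit_memberof(output):
    """Return the group names found and the subset that are privileged."""
    names = [group_name(dn) for dn in parse_memberof(output)]
    flagged = [n for n in names if n in PRIVILEGED_GROUPS]
    return {"groups": names, "privileged": flagged}


if __name__ == "__main__":
    result = audit_memberof(SAMPLE_OUTPUT)
    print("member of:", ", ".join(result["groups"]))
    print("privileged:", ", ".join(result["privileged"]) or "none")
```

Run against real output, the script is a quick way to spot a help desk account that has quietly become an Account Operator, which, as the NOTE earlier in this chapter points out, is enough to perform most of the administrative actions described here.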

Assigning User Rights and Permissions to a Group

Although somewhat beyond the scope of the 70-292 exam, the assignment of user rights and permissions to a group is important. After learning about groups in an effort to make administration of a network easier and more exact, it is only natural that we conclude the discussion of groups with a brief examination of how user rights and permissions can be assigned to them.

Assigning user rights to a group can be done in several places, each at a different level within the overall Active Directory domain hierarchy.The following list contains some locations and ways that user rights can be assigned to a group:

Default Domain Controller Security Settings Console: Located in the Administrative Tools folder, this console can be used to configure user rights assignments for all domain controllers. Domain controllers are located in the Domain Controllers container in Active Directory Users and Computers.

Default Domain Security Settings Console: Located in the Administrative Tools folder, this console can be used to configure user rights that will be applied to the domain as a whole.

Local Security Policy Console: Located in the Administrative Tools folder, this console can be used to configure user rights that will be applied only to the local computer.

Group Policy Objects (GPOs): GPOs can be applied at various levels in Active Directory, such as the domain level or to a specific Organizational Unit. Within each GPO, user rights can be assigned that will affect all objects the GPO has been applied to.

Security Templates: Security Templates can be used to quickly and uniformly apply security settings to all objects they have been applied to. Security Templates can be applied directly to a local computer or imported into a GPO for application to all objects the GPO is applied to. Security Templates are discussed in more detail in Chapter 7.

Exercise 1.09 presents the basic process to configure user rights at the domain level using the Default Domain Security Policy console. Recall that there are many other options available as far as where and how to apply user rights to a group.

EXERCISE 1.09 APPLYING USER RIGHTS TO A GROUP

1. Click Start | Programs | Administrative Tools | Domain Security Policy to open the Default Domain Security console seen in Figure 1.25.


Figure 1.25

Locating the User Rights Node


2. Expand the nodes to locate the User Rights Assignment node shown in Figure 1.25.

3. Locate the User Right you wish to define, and double-click it to open it for editing. As seen in Figure 1.26, place a check in the Define these policy settings option.

Figure 1.26

Adding User Rights to a Group

4. Click the Add User or Group button to open the Add User or Group dialog box. If you know the name you want to configure the rights for, enter it and click OK. If not, click the Browse button to open the standard Select Users, Computers or Groups dialog box, which will allow you to search for the user or group to add.


Figure 1.27

Locating the User or Group

More often than not a group is used to simplify the management of access to shared resources on a network. Assigning these permissions takes a different approach than has been seen thus far in our dealings with groups.This is a setting that needs to be configured directly on the object in question, such as a file share or shared printer for example.

Exercise 1.10 walks through assigning NT File System (NTFS) permissions to a group for a shared network resource named SalesDocs.

EXAM WARNING

Do not confuse user rights and NTFS permissions. User rights define actions that users or groups are allowed to perform, such as logging on locally, shutting down the computer, and so on. Permissions (both NTFS and share) define a level of access that is allowed for the user or group to an object, such as a file, folder, or printer.

Moreover, do not confuse NTFS and share permissions. NTFS permissions can be applied only on NTFS volumes such as those in Windows 2000, Windows XP, and Windows Server 2003, and apply to a user whether the resource is being accessed interactively (at the local computer) or remotely (over the network). Share level permissions can be applied on Windows 9x computers as well, and only apply to resource access over the network.

EXERCISE 1.10 ASSIGNING NTFS PERMISSIONS TO A GROUP

1. Open Windows Explorer and locate the shared resource that you want to configure NTFS permissions on—in this example a shared folder.

2. Right-click on the folder and select Properties from the context menu.

3. Switch to the Security tab as seen in Figure 1.28.


Figure 1.28

Configuring NTFS Permissions


4. To add a group to the DACL, click the Add button. This opens the Select Users, Contacts, Computers or Groups dialog box as discussed previously in Exercise 1.03.

5. Locate and add the group that you wish to assign permissions to.

6. After adding the group, you will see the results on the Security tab, as seen in Figure 1.29.

Figure 1.29

Configuring the Required Permissions for the New Group

7. Configure the required permissions for the group and click OK to accept the changes.


EXAM 70-292 OBJECTIVES 1.2, 1.2.1, 1.2.2

Creating and Managing User Accounts

Up to this point, we have discussed groups only. Groups can be used to collect large numbers of accounts for ease of administration. Networks exist to make the sharing of information easier. As in the previous discussion of groups, the following sections examine user accounts from the perspective of an Active Directory domain environment.

Before discussing creating and managing user accounts, let’s examine the default user accounts that are found in the Windows Server 2003 environment.

Default User Accounts

Several default user accounts are created during the installation of Windows Server 2003 and the creation of an Active Directory domain. Table 1.6 lists the most common default user accounts that are created, although several more may be created depending on the specific applications and services installed on the computer.

Table 1.6 The Default User Accounts

User Name          User Description
Administrator      A built-in account that is provided for administering the computer and domain. This account is a member of the following groups: Administrators, Domain Admins, Domain Users, Enterprise Admins, Group Policy Creator Owners, and Schema Admins.
Guest              A built-in account that is used for guest access to the computer and domain. This account is a member of the following groups: Domain Guests and Guests. The guest account is disabled by default.
IUSR_computername  A built-in account that is used to allow anonymous access to Internet Information Services (IIS) resources. This account is a member of the following groups: Domain Users and Guests.
IWAM_computername  A built-in account that is used by IIS to start out-of-process applications. This account is a member of the following groups: Domain Users and IIS_WPG.
krbtgt             A built-in account that serves as the Kerberos Key Distribution Center (KDC) service account. This account is a member of the Domain Users group.
SUPPORT_xxxxxxxx   A built-in account that is used for the Help and Support Service. This account is a member of the following groups: Domain Users and HelpServicesGroup. The SUPPORT account is disabled by default.


Managing and Modifying User Accounts

It is fairly safe to say that, in most networks, a network administrator will work with user accounts on a daily basis. Users are the lifeblood of a network—the very reason the network exists is to provide information and other resources to users in a secure and efficient way. As such, there are several common tasks to perform when administering user accounts:

Creating new user accounts

Resetting a user account password

Copying a user account

Disabling or enabling a user account

Configuring user account properties

Deleting user accounts

Assigning user rights and permissions to a user account

Each of these tasks is discussed in the following sections. We will also examine using two additional command line-based utilities to perform bulk import and export of Active Directory information, including user accounts.

EXAM 70-292 OBJECTIVES 1.2.1, 1.2.2

Creating New User Accounts

Creating new user accounts one at a time is a task that can be accomplished from either the Active Directory Users and Computers console or from the command line. The process to create a new user account from the Active Directory Users and Computers console is detailed in Exercise 1.11.

EXERCISE 1.11 CREATING A NEW USER ACCOUNT WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the location in which you wish to create the new user.

3. In our example, we are going to create a new user in the Sales Organizational Unit. Right-click on the node where you want to create the new user and select New | User. The New Object – User dialog box opens. Supply the user’s name and logon name and click Next to continue.


Figure 1.30

Creating a New User Account

4. In the next window, as seen in Figure 1.31, supply the password for the user. Good practice dictates that the password assigned here be a temporary one by selecting the User must change password at next logon option, which is selected by default. If you are creating an account that is not to be used yet, network security can be increased by disabling it at this time. After entering your selections, click Next to continue.

Figure 1.31

Specifying Password Related Items

5. You will be given the chance to review your configuration from a summary page. If all is well, click Finish to create the user. You can click Back to go back and make changes as required.

Alternatively, user accounts can be created one at a time from the command line using the dsadd command. The syntax used to create a new account is:

dsadd user UserDN [-UPN UPN] [-samid SAMName] -pwd {Password|*}

The UserDN and SAMName modifiers have been previously explained. The UPN modifier specifies the user's User Principal Name (UPN), such as [email protected]; the pwd modifier specifies the account password, or if set as * specifies that you want to be prompted to enter the password. Figure 1.32 demonstrates using the dsadd command to create a new user, Roger Smith, in the Sales OU using the following command:

dsadd user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -UPN [email protected] -samid rogersmith -pwd *

Figure 1.32

Creating a New User from the Command Line


As seen in the example, we chose to be prompted for the password (-pwd *) at the time of account creation rather than placing it on the command line. A quick check of the Sales OU would confirm that the new user, Roger Smith, was in fact created as indicated here. It should be noted that many other attributes of the user object that could have been supplied with the dsadd command were left out in this example. Appendix A has a complete listing and explanation of the available dsadd options.

Resetting the User Account Password

It happens more than any administrator wants to talk about: resetting user passwords. In some organizations with particularly challenging password complexity requirements, this can become a burden on network administrators. Even in those organizations where the password policies are not nearly as stringent, users will still forget their passwords. Additionally, the network administrator will oftentimes need to reset the password on an expired or locked out user account. Fortunately, you can quickly and easily reset a user’s password from within the Active Directory Users and Computers console as discussed in Exercise 1.12.

EXERCISE 1.12 RESETTING USER PASSWORDS WITH ACTIVE DIRECTORY USERS AND COMPUTERS

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the user in question.

3. Right-click on the user and select Reset Password from the context menu to open the Reset Password dialog box seen in Figure 1.33.


Figure 1.33

Resetting User Passwords Does Not Require You to Know the Current Password

4. Enter the new password. For enhanced security, select the User must change password at next logon option. Click OK to reset the user’s password.

A user’s password can also be easily reset from the command line using the dsmod command with the following syntax:

dsmod user UserDN -pwd NewPassword -mustchpwd {yes|no}

The -mustchpwd modifier denotes whether or not the user will be forced to change their password during the next logon attempt. Figure 1.34 demonstrates using the dsmod command to reset the password of user Roger Smith using the following command:

dsmod user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -pwd * -mustchpwd yes

Figure 1.34

Resetting the User Account Password from the Command-Line

Again, the password was supplied interactively during the reset procedure. Also, the user will be forced to change their password the next time they logon to the domain. Appendix A has a complete listing and explanation of the available dsmod options.


Delegating Administrative Authority

Although referenced several times in this chapter, you may be wondering exactly what delegation is when it comes to Active Directory. It works the same way in Active Directory as it does in real life. Say, for example, that you are the department head in a large manufacturing conglomerate. You have thousands of people who work for you and an administrative assistant that helps to keep you on track, making sure that you get the things done that you need to. You might, in many cases, delegate some of your authority to your administrative assistant to allow them to handle some things for you and take some of the burden off your shoulders. This also allows a continuity of operations to a certain degree should you be unavailable for a period of time.

Active Directory works the same way. Users have specific user rights that are assigned to them through their membership in certain groups. Users can also have specific explicit user rights configured on their accounts individually. The Delegation of Control Wizard allows you to easily and accurately delegate administrative responsibility to groups and users. For example, it is fairly common for members of the help desk staff to be delegated the ability to reset users' passwords. This saves the higher-level network administrators from being burdened with low-level administrative tasks. This delegation can be accomplished in three easy steps:

1. Create a new group called Password Reset.

2. Place all applicable help desk member user accounts in the newly created group.

3. Run the Delegation of Control Wizard to delegate the right to reset user passwords to the Password Reset group.

Copying a User Account

Many organizations have standardized the way that they create and configure user accounts by creating an account template. An account template is nothing more than a user account that has been created and configured in a specific fashion and is then used to create new accounts without the administrative burden of configuring each new account in a similar fashion. Although the need for this is somewhat offset by the diligent usage of groups and by configuring rights and permissions at the group level, there may be the need to copy a user account, creating a new user account with the same features except that the new user account will possess a different SID. User accounts can be copied from the Active Directory Users and Computers console by performing the steps outlined in Exercise 1.13.


Exercise 1.13 Copying User Accounts from Active Directory Users and Computers

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the user in question.

3. Right-click on the user and select Copy from the context menu to open the Copy Object – User dialog box as seen in Figure 1.35.

Figure 1.35

Copying a User Account to Create a New User Account

4. You will need to supply the same information for the copy process as you did when creating a new user account.

By default, only the most common attributes are copied during the user account copy process. These include logon hours, workstation restrictions, and account expiration date. You can modify which attributes are copied to the newly created user from the Active Directory Schema snap-in. This is, however, beyond the scope of the 70-292 exam. There is no corresponding command-line alternative for copying user accounts.

Disabling or Enabling a User Account

A network administrator may need to disable a user account for any number of reasons. Commonly, they will disable user accounts when the user is gone for an extended period of time, or as a security measure to keep unused accounts from becoming a weakness in their network security plan. The administrator can quickly disable a user account from the Active Directory Users and Computers console by right-clicking on the account and selecting Disable Account from the context menu. Similarly, they can enable a disabled user account by right-clicking on the account and selecting Enable Account. They can also disable or enable a user account from the Account tab on the Properties dialog page as seen in Figure 1.36.

Figure 1.36 Disabling a User Account from the Properties Dialog Box

An account can also be disabled or enabled from the command-line using the dsmod command with the following syntax: dsmod user UserDN -disabled {yes|no}.

Figure 1.37 demonstrates using the dsmod command to disable the user account of Roger Smith using the following command: dsmod user "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com" -disabled yes

Figure 1.37 Disabling the User Account from the Command-Line

Exam Warning

Be aware that disabling a user account only prevents it from being used—it does not alter or otherwise change the user account in any other way. Network administrators should always disable newly created user accounts if they are being prestaged and will not be used immediately. Additionally, they should always disable user accounts for users that are currently on vacation or otherwise not logging into the network. Disabled user accounts serve to increase the overall security of the network by preventing these unused (and typically unmonitored) accounts from being subjected to password guessing and other attacks.

Configuring User Account Properties

When user accounts are created using the Active Directory Users and Computers console or using the minimum required command syntax of the dsadd command, many user attributes and information items still need to be configured. Most of these items can be configured using the dsadd command at the time of account creation, or the dsmod command after the fact. The following sections examine the configuration process entirely from the Active Directory Users and Computers console.

Within Active Directory Users and Computers, locate the user account that you wish to configure account properties for and double-click it to open the Properties dialog box as seen in Figure 1.38.

Note

The Remote Control, Terminal Services Profile, COM+, Dial-in, Environment, and Sessions tabs contain configuration options that are beyond the scope of the 70-292 exam and will not be examined here.

The General Tab

The General tab of the account Properties dialog box, seen in Figure 1.38, allows the network administrator to configure basic user information such as first and last name, display name, a description of the account, office location, telephone number, e-mail address, and Web page information.

Figure 1.38

Configuring the General User Account Properties


The Address Tab

The Address tab of the account Properties dialog box, seen in Figure 1.39, allows the network administrator to configure a complete mailing address for the user.

Figure 1.39

Configuring the Address User Account Properties


The Account Tab

The Account tab of the account Properties dialog box, seen in Figure 1.40, allows the network administrator to modify account attributes such as the logon name, the pre-Windows 2000 logon name, logon hours, logon location restrictions, account expiration date, and several other account options.

Figure 1.40

Configuring the Account User Account Properties

The account options that can be configured are explained in detail in Table 1.7.


Table 1.7 User Account Options

User must change password at next logon: Specifies that the user must change their password the next time they logon to the network.

User cannot change password: Specifies that the user is not allowed to change their password.

Password never expires: Specifies that the configured password never expires.

Store passwords using reversible encryption: Specifies that the user's password is to be used to allow the user to logon from an Apple computer.

Account is disabled: Specifies that the user account is not to be made available for logon.

Smart card is required for interactive logon: Specifies that a smart card must be used to logon to the network.

Account is trusted for delegation: Specifies that services running under this account can perform operations on behalf of other user accounts.

Account is sensitive and cannot be delegated: Specifies that the account shall not be assigned for delegation by another account.

Use DES encryption types for this account: Specifies that support for the Data Encryption Standard (DES) encryption algorithms is to be provided.

Do not require Kerberos preauthentication: Specifies that support is to be provided for alternate implementations of the Kerberos protocol.
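Every check box in Table 1.7 except "User cannot change password" is a bit in the account's userAccountControl attribute, which is what you see when you export accounts with csvde or query them with dsquery. The following Python script is an added example (not code from the book, and not a Microsoft tool) that decodes that attribute back into the Table 1.7 option names and flags the options that weaken authentication and therefore deserve a documented justification. The bit values are the documented ADS_USER_FLAG values; the three sample accounts at the bottom are constructed for the example.

```python
"""Decode and audit the userAccountControl bits behind the Table 1.7 check boxes.

Added example, not code from the book. The bit values are the documented
ADS_USER_FLAG values; the sample accounts at the bottom are constructed.
"""

# userAccountControl bit values (ADS_USER_FLAG_ENUM), mapped to the Table 1.7 options.
UAC_FLAGS = {
    "ACCOUNTDISABLE":             0x0002,    # Account is disabled
    "LOCKOUT":                    0x0010,    # set by the lockout policy, not a check box
    "PASSWD_CANT_CHANGE":         0x0040,    # User cannot change password (documented bit;
                                             # the console really enforces it through ACEs)
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,    # Store passwords using reversible encryption
    "NORMAL_ACCOUNT":             0x0200,    # ordinary user account
    "DONT_EXPIRE_PASSWD":         0x10000,   # Password never expires
    "SMARTCARD_REQUIRED":         0x40000,   # Smart card is required for interactive logon
    "TRUSTED_FOR_DELEGATION":     0x80000,   # Account is trusted for delegation
    "NOT_DELEGATED":              0x100000,  # Account is sensitive and cannot be delegated
    "USE_DES_KEY_ONLY":           0x200000,  # Use DES encryption types for this account
    "DONT_REQ_PREAUTH":           0x400000,  # Do not require Kerberos preauthentication
}

# Options that weaken the account's authentication and should be justified when present.
RISKY_FLAGS = {
    "ENCRYPTED_TEXT_PWD_ALLOWED": "password is stored in a reversible (recoverable) form",
    "DONT_EXPIRE_PASSWD":         "password is never rotated",
    "USE_DES_KEY_ONLY":           "only weak DES Kerberos keys are issued",
    "DONT_REQ_PREAUTH":           "Kerberos preauthentication is disabled",
    "TRUSTED_FOR_DELEGATION":     "services under this account may act as any user",
}


def decode_uac(value: int) -> set:
    """Return the names of every flag set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def encode_uac(*names: str) -> int:
    """Build a userAccountControl value from flag names (inverse of decode_uac)."""
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def audit_account(sam_account_name: str, uac: int) -> list:
    """Return one finding per risky option set on the account; [] if none."""
    flags = decode_uac(uac)
    return [f"{sam_account_name}: {name} ({reason})"
            for name, reason in RISKY_FLAGS.items() if name in flags]


def audit_directory(accounts) -> list:
    """Run audit_account over (sAMAccountName, userAccountControl) pairs."""
    findings = []
    for sam, uac in accounts:
        findings.extend(audit_account(sam, uac))
    return findings


# Constructed sample of what an export of these two attributes might contain.
SAMPLE_ACCOUNTS = [
    ("rogersmith", 0x0200),                    # plain enabled user
    ("svc_backup", 0x0200 | 0x10000 | 0x80),   # never expires + reversible encryption
    ("kiosk01",    0x0200 | 0x0002),           # disabled, nothing else set
]

if __name__ == "__main__":
    for line in audit_directory(SAMPLE_ACCOUNTS):
        print(line)
```

The decimal values you will meet most often are 512 (a normal enabled account) and 514 (the same account disabled); a value such as 66048 is 512 with "Password never expires" added. Run the audit over an export taken with csvde or ldifde (see the Importing and Exporting Active Directory Data section) to find the accounts whose options differ from the default.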

Account logon restrictions can also be configured on the user account that can limit both the hours the user can logon to the network and also the computers in the network from which the user can logon. Exercise 1.16 presents the required steps to configure these options.

Exercise 1.16 Configuring User Logon Time and Computer Restrictions

1. On the Account tab of the user Properties dialog box, click the Logon Hours button to open the Logon Hours for User dialog box, seen in Figure 1.41.

Figure 1.41 Examining the Default Logon Hours Configuration

2. Blue squares represent those times when a user is allowed to logon to the network, while white squares represent those times when the user is not allowed to logon. By default, logon is allowed 7 days per week, 24 hours per day.

3. To configure a logon hours restriction, click the Logon Denied button.

4. Select a starting day and time (Monday, 6 A.M. for example) and drag the cursor to highlight the time you wish to allow logon. Click the Logon Permitted button to make the changes, as seen in Figure 1.42.

In this example, Roger Smith will now be allowed to logon only during the time period of Monday through Friday, from 6 A.M. to 6 P.M.

Figure 1.42

Configuring the Logon Hours for a User Account

5. Click OK to accept the changes.

6. To configure a logon computer restriction, which will limit the computers from which the user can logon to the network, click the Log On To button on the Account tab of the user Properties dialog box.

7. The Logon Workstations dialog box, seen in Figure 1.43, will open, allowing you to enter the NetBIOS names of the computers from which this user will be allowed to logon.


Figure 1.43 Configuring Account Logon Workstation Restrictions

8. To enter computer names, select The following computers.

9. Enter the NetBIOS computer name, such as MCSAWKS042, for each computer that is to be allowed user logon. Note that the NetBIOS computer name MCSAWKS042 would belong to the computer with the following Fully Qualified Domain Name (FQDN) in this example domain: MCSAWKS042.corp.mcsaworld.com.

10. Click OK to accept the logon computer restrictions.

The Profile Tab

The Profile tab of the account Properties dialog box, seen in Figure 1.44, allows the network administrator to specify a profile path, logon script, and home folder for the account.

Figure 1.44 Configuring the Profile User Account Properties


The Telephones Tab

The Telephones tab of the account Properties dialog box, seen in Figure 1.45, allows the network administrator to enter several different telephone numbers for a user including home, fax, pager, and mobile and IP phone numbers.

Figure 1.45 Configuring the Telephones User Account Properties

The Organization Tab

The Organization tab of the account Properties dialog box, seen in Figure 1.46, allows the network administrator to configure title and departmental information about the user.

Additionally, they can enter the user’s supervisor. On the Organization tab of the selected supervisor, the user’s name will appear in the Direct reports area.

Figure 1.46 Configuring the Organization User Account Properties


The Member Of Tab

The Member Of tab of the account Properties dialog box, seen in Figure 1.47, allows the network administrator to add or remove this user from groups. Additionally, they can also change the user’s Primary group if the user is one that logs onto the network using Services for Macintosh or runs POSIX-compliant applications.

Figure 1.47 Configuring the Member Of User Account Properties

Deleting User Accounts

Occasionally, user accounts must be deleted, most commonly when a user no longer works for an organization. It is important to delete an inactive user account as soon as possible.

For example, company policy might dictate that user accounts are to be disabled starting the day a user leaves the company. After 45 days, if the user has not returned to the company, the user account is deleted to prevent its misuse. Exercise 1.17 outlines the process to delete a user using Active Directory Users and Computers.

Exercise 1.17 Deleting Users from Active Directory Users and Computers

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the user to be deleted.

3. Right-click on the user and select Delete from the context menu.

4. When prompted if you want to delete the user, click Yes.


Reassigning User Accounts

As an alternative to deleting user accounts, an administrator may consider reassigning them. Consider the situation in which a user leaves the company and is immediately replaced by another user in the same job function. If this user's account has been extensively configured and has explicitly configured permissions, the administrator may find it difficult to create and configure the new account for the replacement worker in exactly the same fashion. Instead, they can simply rename the account, change the account password, and reassign it to the new user.

To rename a user account and allow it to be reassigned, right-click on the user account and select Rename from the context menu. After renaming the account, the Rename User dialog box will appear, allowing the network administrator to change the following key account items:

Full name

First name

Last name

Display name

User logon name

User logon name (pre-Windows 2000)

After this information is entered, the administrator can then go back and change any other items, such as telephone numbers, addresses, and so on. By reassigning a user account, they can quickly and accurately ensure that new users receive the exact same rights and permissions as their predecessors.

A user account can be deleted from the command-line using the dsrm command with the following syntax: dsrm ObjectDN.

Figure 1.48 demonstrates using the dsrm command to delete the user account of Roger Smith using the following command: dsrm "CN=Roger Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com"


Figure 1.48 Deleting a User Account from the Command Line

The dsrm command prompts the network administrator to confirm that they really want to delete the account; once it is gone, it cannot be brought back except through a restoration action.

Assigning User Rights and Permissions to a User Account

User rights and permission assignment is done in the same fashion as that for groups, as seen previously in this chapter in Exercise 1.09 and Exercise 1.10, with the exception that you would select the applicable user instead of the applicable group.

Exam 70-292 Objective 1.3

Troubleshooting User Authentication Issues

It is safe to assume that at one time or another a network administrator will have problems with a user that cannot successfully logon to the network. While any number of things may cause this problem behavior, there are several key items that can be quickly checked to rule out the easy and obvious problems that may occur.

The user may not be allowed to logon to the specific computer interactively. If the user does not have the user right to perform interactive logons, they will receive an error dialog informing them of this situation. The network administrator should check to ensure that the user has the correct user rights. If the user rights assignment is correct, they should ensure that the user is not trying to logon to a server or domain controller that they should not normally be using interactive logon for.

The user may be using the wrong account type for the logon attempt. This problem typically occurs when a user is attempting to use a local user name and password combination to perform a network logon. If the user is using the correct credentials (network credentials), the network administrator should check to ensure that the Global Catalog (GC) server(s) are available. When the GC is unavailable, only users with administrative credentials will be able to logon to the network.


The user's account may be disabled or locked out. The network administrator should check the Account tab of the user Properties dialog box to ensure that the account is not locked out or disabled. If the user account is locked out or disabled, the network administrator should check the Security Log to determine the reason why, and enable the account if permissible.

The user may not be allowed to logon to the network during the current time period. User logon hour restrictions may be preventing the user from performing the network logon. From the Account tab of the user Properties dialog box, the network administrator should click the Logon Hours button to verify the current logon hours configured for the user.

The user may not be allowed to logon to the network from the computer being used. User logon workstation restrictions may be configured that do not allow the user to use the current computer to perform a network logon. From the Account tab of the user Properties dialog box, the network administrator should click the Log On To button to view the current list of allowed logon computers.
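The last three items in this checklist, and the restrictions configured in Exercise 1.16, all live in attributes of the user object: the disabled bit in userAccountControl, lockoutTime, the 21-byte logonHours bitmask behind the Logon Hours dialog, and the comma-separated NetBIOS names behind the Log On To button. The following Python script is an added example (not code from the book) that builds a logonHours value matching the exercise's Monday-through-Friday, 6 A.M. to 6 P.M. window and then runs the checklist against a constructed account export. It assumes the documented layout of logonHours (bit 0 of byte 0 is Sunday 00:00 to 01:00 in UTC, each following bit the next hour; the console shows the grid shifted to the local time zone), the ADS_UF_ACCOUNTDISABLE bit value 0x2, and that a nonzero lockoutTime records a lockout; the account named ROGER and the helper at_utc are constructed for the example.

```python
"""Check an account against the logon-restriction items in this troubleshooting list.

Added example, not code from the book. Assumptions (documented attribute
layouts, restated here): logonHours is 21 bytes = 168 hour bits, bit 0 of byte 0
being Sunday 00:00-01:00 UTC; userWorkstations is a comma-separated list of
NetBIOS names; bit 0x2 of userAccountControl is ADS_UF_ACCOUNTDISABLE; a
nonzero lockoutTime means a lockout was recorded (it may since have expired
under the lockout duration policy).
"""
from datetime import datetime, timezone

HOURS_PER_WEEK = 168
UF_ACCOUNTDISABLE = 0x0002


def at_utc(year: int, month: int, day: int, hour: int) -> datetime:
    """Helper for the example: an aware UTC datetime on the hour."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def build_logon_hours(days, start_hour: int, end_hour: int) -> bytes:
    """Return a logonHours value allowing [start_hour, end_hour) UTC on the given
    days, numbered as Active Directory does: 0 = Sunday ... 6 = Saturday."""
    bits = bytearray(HOURS_PER_WEEK // 8)
    for day in days:
        for hour in range(start_hour, end_hour):
            index = day * 24 + hour
            bits[index // 8] |= 1 << (index % 8)
    return bytes(bits)


def logon_allowed_at(logon_hours, when: datetime) -> bool:
    """True if the logonHours bitmask permits a logon at the given time."""
    if logon_hours is None:
        return True                      # attribute absent: no restriction configured
    when = when.astimezone(timezone.utc)
    # Python numbers Monday as 0; shift so that Sunday is 0 as in the attribute.
    index = ((when.weekday() + 1) % 7) * 24 + when.hour
    return bool(logon_hours[index // 8] & (1 << (index % 8)))


def workstation_allowed(user_workstations, computer_name: str) -> bool:
    """True if the Log On To list is empty (all computers) or names this computer."""
    if not user_workstations:
        return True
    allowed = {name.strip().upper() for name in user_workstations.split(",")}
    return computer_name.upper() in allowed


def diagnose_logon(account: dict, computer_name: str, when: datetime) -> list:
    """Return the checklist items that block this logon; [] means none of them apply."""
    reasons = []
    if account.get("userAccountControl", 0) & UF_ACCOUNTDISABLE:
        reasons.append("account is disabled")
    if account.get("lockoutTime", 0):
        reasons.append("account is locked out (lockoutTime set)")
    if not logon_allowed_at(account.get("logonHours"), when):
        reasons.append("outside permitted logon hours")
    if not workstation_allowed(account.get("userWorkstations"), computer_name):
        reasons.append(f"logon from {computer_name} not permitted")
    return reasons


# Constructed sample: Roger Smith limited to Monday-Friday 06:00-18:00 (taken as UTC
# here) and to workstation MCSAWKS042, as configured in Exercise 1.16.
ROGER = {
    "userAccountControl": 0x0200,
    "lockoutTime": 0,
    "logonHours": build_logon_hours(days=range(1, 6), start_hour=6, end_hour=18),
    "userWorkstations": "MCSAWKS042",
}

if __name__ == "__main__":
    # 25 August 2003 is a Monday; noon falls inside the permitted window.
    print(diagnose_logon(ROGER, "MCSAWKS042", at_utc(2003, 8, 25, 12)))
    print(diagnose_logon(ROGER, "LAPTOP7", at_utc(2003, 8, 25, 18)))
```

A user whose call comes in at 6:05 P.M. with the message that their account "has time restrictions" is the case the second call reproduces; running the check with the actual export saves opening each dialog by hand and makes the time-zone arithmetic explicit.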

If none of these items correct the problems that the user is experiencing, the network administrator may also need to perform network troubleshooting to determine whether network connectivity or congestion problems may be the root of the problem. For more information on TCP/IP addressing and network connectivity troubleshooting, see MCSA/MCSE Exam 70-291 Study Guide & DVD Training System: Implementing, Managing, and Maintaining a Windows Server 2003 Network Infrastructure, Syngress Publishing 2003, ISBN: 1-931836-92-2.

Creating and Managing Computer Accounts

Computer accounts serve the same basic function as user accounts: they are used to determine the rights and permissions that a computer will have in the domain. Although computer accounts can be created for any Windows computer on a network, only Windows 2000 or better computers will be able to fully participate in Active Directory and receive security and management configuration from Active Directory. Windows 9x and Windows NT computers will require the use of System Policies to configure security and management options. You can learn more about System Policies at www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/server/tattooing.asp.

Computer accounts can be created in one of two ways: manually through usage of the Active Directory Users and Computers console or from the command-line, or automatically by joining a Windows 2000, Windows XP, or Windows Server 2003 computer to a domain. Each of these events is examined in more detail in the following sections.


Creating and Modifying Computer Accounts Manually

Computer accounts can be manually created in much the same fashion as user accounts. A network administrator can create a computer account from the Active Directory Users and Computers console, or from the command-line as desired. Exercise 1.18 presents the required steps to create a new computer account from the Active Directory Users and Computers console.

Exercise 1.18 Creating Computer Accounts from Active Directory Users and Computers

1. Open the Active Directory Users and Computers console.

2. Expand the console tree until you locate the location in which you wish to create the new computer.

3. Right-click on the node and select New | Computer from the context menu to open the New Object – Computer dialog box, seen in Figure 1.49.

Figure 1.49

Creating a New Computer Account

4. Enter the computer name and pre-Windows 2000 information. If this is a pre-Windows 2000 computer, select the appropriate option. If this computer is a Windows NT 4.0 BDC, select the appropriate option. After making your selections, click Next to continue.

5. On the Managed page, seen in Figure 1.50, click Next to continue without making any configuration changes. You would only need to enter information in this location if the computer were being prestaged for Remote Installation Service (RIS) installation of an operating system.

Figure 1.50 You Can Pre-stage RIS Installation Computers If Desired

6. From the summary page, click Finish to complete the computer account creation process.

Computer accounts can also be created from the command-line by using the dsadd command with the following syntax: dsadd computer ComputerDN.

Figure 1.51 demonstrates using the dsadd command to create the computer account for a computer with a NetBIOS name of A51WXP3142 in the Sales OU using the following command: dsadd computer CN=MCSAWXP3142,CN=Computers,DC=corp,DC=mcsaworld,DC=com

Figure 1.51 Creating a Computer Account from the Command-Line

Creating Computer Accounts by Joining to the Domain

As an alternative to creating a computer account manually, a network administrator may also create a computer account automatically by joining the computer to a domain.


Exercise 1.19 presents the required steps to join a Windows 2000 Professional client computer to a Windows Server 2003 domain. The process is similar for Windows XP Professional and Windows Server 2003 computers.

Exercise 1.19 Joining a Computer to the Domain

1. On the computer to be joined to the domain, log on using an account that has local Administrative credentials.

2. Open the System applet in the Control Panel and click on the Network Identification tab.

3. Click the Properties button to open the Identification Changes dialog box seen in Figure 1.52. As seen in this example, this computer is currently part of a workgroup.

Figure 1.52 Joining the Computer to a Domain

Figure 1.53 You Will Need to Supply the Proper Credentials

4. Select the Domain button, enter the domain name that the computer is to be joined to, and click OK.


5. You will be prompted for the credentials of a user authorized to add computers to the domain. Supply them as seen in Figure 1.53.

6. Click OK. After some delay, depending on network conditions, you will receive the Welcome dialog box seen in Figure 1.54.

Figure 1.54 The Computer Has Successfully Been Joined to the Domain

7. Click OK to acknowledge the successful joining. You will be informed that you will need to restart the computer to complete the process.

8. Close the System applet and restart the computer.

9. When you log on next time from that computer, you will be logging onto your domain.

Test Day Tip

You can supply your user credentials in either of two ways in most instances: as shown in Figure 1.53 using what is referred to as the User Principal Name (UPN), or in the older, traditional Windows authentication way using DOMAIN\USER. You may find as you work your way around Windows that one way may not work in some instances where the other will. Both provide the same information to be used to authenticate the user.

Exam Warning

By default, members of the Account Operators group can add computers only to the Computers container (the default location for computers) or to Organizational Units. Authenticated Users in a domain are assigned the "Add workstations to a domain user" right and can add up to 10 new computer accounts to the domain with no action from an administrator. In this instance, new computer accounts are placed in the same container as the user account.


Exam 70-292 Objectives 1.1.5, 1.2.2, 1.2.3

Importing and Exporting Active Directory Data

Realizing that administrators may need to import and export data into and out of Active Directory and other Lightweight Directory Access Protocol (LDAP) directory services, Microsoft has provided two utilities to accomplish just that task.

csvde (CSV Directory Exchange) csvde uses files formatted in the Microsoft comma-separated value (CSV) format. The advantage of the CSV format is that it is supported by many other applications such as Microsoft Excel and Microsoft Access, thus allowing network administrators to manipulate data in these applications before importing it. The downside to using csvde is that it only allows the addition of new objects, whereas ldifde allows the modification of existing objects.

ldifde (LDAP Data Interchange Format Directory Exchange)

ldifde can be used to extend the Active Directory schema, export data from Active Directory into other LDAP applications and services, and to populate the Active Directory database with LDAP data from other directory services. LDIF is an Internet standard file format used to perform batch import and export operations that conform to LDAP standards.

The full syntax of the csvde command is as follows:

csvde [-i] [-f FileName] [-s ServerName] [-c String1 String2] [-v] [-j Path] [-t PortNumber] [-d BaseDN] [-r LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k] [-a UserDistinguishedName Password] [-b UserName Domain Password] [-?]

The ldifde command possesses exactly the same syntax:

ldifde [-i] [-f FileName] [-s ServerName] [-c String1 String2] [-v] [-j Path] [-t PortNumber] [-d BaseDN] [-r LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k] [-a UserDistinguishedName Password] [-b UserName Domain Password] [-?]

The switches and modifiers for both commands are also the same as detailed in Table 1.8.

Table 1.8 csvde/ldifde Switches and Modifiers

Basic Global Parameters

-i: Specifies that import mode is to be used; if not specified, export mode is assumed.

-f FileName: Specifies the file name for the import or export operation.

-s ServerName: Specifies the domain controller that is to be used to perform the import or export operation.

-c String1 String2: Specifies that all instances of String1 are to be replaced with String2.

-t PortNumber: Specifies a port number to connect on. The default is port 389 for LDAP and 3268 for Global Catalog servers.

-v: Sets verbose mode.

Export Related Parameters

-d BaseDN: Specifies the distinguished name of the search base for data export.

-r LDAPFilter: Specifies an LDAP search filter for data export.

-p Scope: Specifies the search scope; the scope options are Base, OneLevel, or SubTree.

-l LDAPAttributeList: Specifies the list of attributes to return in the results of an export query.

-o LDAPAttributeList: Specifies the list of attributes to omit from the results of an export query.

-m: Specifies that attributes that only apply to Active Directory objects, such as the ObjectGUID, ObjectSID, pwdLastSet, and samAccountType attributes, are to be omitted.

-n: Specifies that the export of binary values is to be omitted.

-j Path: Specifies the log file path and name.

-g: Specifies that paged searches are to be omitted.

Import Related Parameters

-k: Specifies that errors during the import operation should be ignored and processing should continue.

Credentials Parameters

-a UserDistinguishedName Password: Specifies that the command is to be run using UserDistinguishedName and Password. By default, the credentials of the user currently logged on are used.

-b UserName Domain Password: Specifies that the command is to be run as UserName Domain Password. By default, the credentials of the user currently logged on are used.

The following code example demonstrates what the CSV file might look like for the addition of three users into Active Directory.


dn,cn,givenName,sn,description,objectClass,SAMAccountname,userPrincipalName
"CN=Richard Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com","Richard Smith",Richard,Smith,"West Regional Sales Manager",user,richardsmith,[email protected]
"CN=Howard Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com","Howard Smith",Howard,Smith,"East Regional Sales Manager",user,howardsmith,[email protected]
"CN=Toby Smith,CN=Users,DC=corp,DC=mcsaworld,DC=com","Toby Smith",Toby,Smith,"South Regional Sales Manager",user,tobysmith,[email protected]

As can be seen, the first line defines the data fields of the rest of the file, just the same as any other flat database file in CSV format. Figure 1.55 demonstrates the command syntax used to perform the import, and the results of the process.

Figure 1.55 Using csvde to Import Data into Active Directory

In this example, the three imported user accounts were all created and disabled. They need to be either manually or programmatically enabled before being used. Also, no passwords were provided in this example. It is important to be aware that all accounts created this way will also be marked as requiring a password change upon the first logon.
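Hand-editing a csvde file is where most import failures start: a comma inside a name breaks the dn, a cn that does not match the dn's RDN gets rejected, and a pre-Windows 2000 logon name longer than 20 characters is refused. The following Python script is an added example (not code from the book, and not a Microsoft tool) that generates an import file with the same columns as the one above, escapes the characters that are special inside a distinguished name (RFC 4514), lets the csv module do the quoting, and validates the rows before they reach csvde. The container, UPN suffix and three users are constructed from the book's example domain; the 20-character limit on sAMAccountName is the documented pre-Windows 2000 logon name limit.

```python
"""Generate and validate a csvde import file for new user accounts.

Added example, not code from the book or from Microsoft. The container DN and
UPN suffix come from the book's example domain; the users are constructed.
"""
import csv
import io

COLUMNS = ["dn", "cn", "givenName", "sn", "description",
           "objectClass", "sAMAccountName", "userPrincipalName"]
CONTAINER_DN = "CN=Users,DC=corp,DC=mcsaworld,DC=com"
UPN_SUFFIX = "corp.mcsaworld.com"
MAX_SAM_LENGTH = 20            # pre-Windows 2000 logon name limit for user accounts

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_DN_SPECIALS = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, last)
        out.append("\\" + ch if ch in _DN_SPECIALS or leading_hash or edge_space else ch)
    return "".join(out)


def build_user_row(first: str, last: str, description: str,
                   container_dn: str = CONTAINER_DN, upn_suffix: str = UPN_SUFFIX) -> dict:
    """Return one csvde row; the dn is derived from cn so the two cannot disagree."""
    cn = f"{first} {last}"
    sam = (first + last).lower()
    return {
        "dn": f"CN={escape_rdn_value(cn)},{container_dn}",
        "cn": cn,
        "givenName": first,
        "sn": last,
        "description": description,
        "objectClass": "user",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_suffix}",
    }


def validate_rows(rows) -> list:
    """Return problems csvde would reject or silently accept; [] means clean."""
    problems = []
    seen = set()
    for row in rows:
        sam = row["sAMAccountName"]
        if len(sam) > MAX_SAM_LENGTH:
            problems.append(f"{sam}: sAMAccountName longer than {MAX_SAM_LENGTH} characters")
        if sam.lower() in seen:
            problems.append(f"{sam}: duplicate sAMAccountName")
        seen.add(sam.lower())
        if not row["dn"].startswith(f"CN={escape_rdn_value(row['cn'])},"):
            problems.append(f"{sam}: dn does not match cn")
        # csvde does not set passwords; a password column only leaves secrets in the file.
        if any(col.lower() in ("unicodepwd", "userpassword") for col in row):
            problems.append(f"{sam}: password column present; remove it from the file")
    return problems


def render_csvde(rows) -> str:
    """Serialize rows the way csvde expects: header line first, CRLF line endings."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\r\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


# Constructed sample: the three regional sales managers from the book's example.
SAMPLE_ROWS = [
    build_user_row("Richard", "Smith", "West Regional Sales Manager"),
    build_user_row("Howard", "Smith", "East Regional Sales Manager"),
    build_user_row("Toby", "Smith", "South Regional Sales Manager"),
]

if __name__ == "__main__":
    assert validate_rows(SAMPLE_ROWS) == []
    print(render_csvde(SAMPLE_ROWS), end="")   # redirect to users.csv, then: csvde -i -f users.csv
```

The csv module only quotes fields that contain a comma, so the dn is quoted and the plain names are not; csvde accepts either form. Accounts created from the resulting file still arrive disabled and flagged for a password change at first logon, exactly as described above, so enabling them remains a separate, deliberate step.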

Test Day Tip

Do not try to memorize every last detail of the csvde and ldifde commands.

Instead, be aware of what they are used for and what differentiates them from each other. As well, be familiar with some of the more important (and commonly used) switches such as -i, -f, -j and -k.


Summary of Exam Objectives

This chapter covers a large amount of information that a network administrator will use on a daily basis. The primary purpose of a network is to manage the creation of, and access to, shared resources. An examination of groups, user accounts, and computer accounts provides the necessary foundation to begin working with Windows Server 2003 and networks as a whole.

In the Windows Active Directory domain model, groups are the first means used to collect users together for the assignment of user rights and permissions. A group is a collection of user and/or computer accounts, contacts, and even other groups that is managed as a single object. The users and computers that belong to the group are known as group members. In Windows, as with most operating systems, groups are used to simplify the administrative process of assigning permissions and rights to a large number of user and computer accounts at the same time; the members of these groups inherit (implicit) permissions from the group. This is in contrast to the older, and much more labor-intensive, practice of applying permissions and rights directly to users, which are then known as explicit permissions. A set of default groups known as local groups is created during the installation of Windows Server 2003. Computers that are part of an Active Directory domain environment also have a set of default groups; however, these default groups are objects that reside within the Active Directory database structure.

Every user and computer in an Active Directory domain requires its own account.

These user and computer accounts can be most easily managed by adding them to previously configured groups. User accounts are used for more than just network authentication and access control; they also contain pertinent contact and other information such as a telephone number and e-mail address that can be used to locate and contact users through searches of Active Directory. Many times, user authentication problems can be traced back to very simple and easily correctable problems.

The csvde and ldifde commands can be used to import and export data from LDAP-compatible directory services, including Active Directory. While ldifde can be used to extend the Active Directory schema and modify existing objects, csvde can only be used to create new objects. The strength of csvde lies in the CSV file format that it uses, which can be opened and modified by other applications, such as Microsoft Excel or Microsoft Access.

Exam Objectives Fast Track

Creating and Managing Groups

Distribution groups are used for distributing messages to group members. Distribution groups are used with e-mail applications, such as Microsoft Exchange, to send an e-mail to all members of a group in a rapid and efficient fashion by sending an e-mail to the group e-mail address. All members of the distribution group that are mailbox-enabled will receive the e-mail message. Distribution groups are not security enabled, and therefore cannot be listed on the DACLs that are used by Windows to control access to resources.

Security groups can also be used for the distribution of e-mail as described for distribution groups, but can be listed on DACLs, thus allowing them to be used to control access to resources. Security groups can be used to assign user rights to group members. User rights include actions such as “Backup files and directories” or “Restore files and directories,” both of which are assigned to the Backup Operators group by default. The network administrator can delegate rights to groups to allow the members of that group to perform a specific administrative function that is not normally allowed by their standard user rights. The network administrator can also assign permissions to security groups to allow them to access network resources such as printers and file shares.

Universal groups can include other groups and user/computer accounts from any domain in the domain tree or forest. Permissions for any domain in the domain tree or forest can be assigned to universal groups.

Global groups can include other groups and user/computer accounts from only the domain in which the group is defined. Permissions for any domain in the forest can be assigned to global groups.

Domain Local groups can include other groups and user/computer accounts from Windows Server 2003, Windows 2000 Server, and Windows NT domains. Permissions for only the domain in which the group is defined can be assigned to Domain Local groups.

Several default groups are created in an Active Directory infrastructure and are located in both the Builtin and Users containers. In a workgroup environment, several default groups are created in the Local Users and Groups node of the Computer Management console.

New in Windows Server 2003, group management can be carried out from the command-line, as well as from within Active Directory Users and Computers.

Creating and Managing User Accounts

User accounts are much simpler to understand and work with than groups.

Several default users are created during the installation of Windows Server 2003.

They are located in the Users container in Active Directory and include the following: Administrator, Guest, IUSR_computername, IWAM_computername, krbtgt, and SUPPORT_xxxxxxxx.


The IUSR_computername account is used to allow anonymous access to IIS resources. This account is a member of the Domain Users and Guests groups.

The IWAM_computername account is used by IIS to start out-of-process applications. This account is a member of the Domain Users and IIS_WPG groups.

The SUPPORT_xxxxxxxx account is used for the Help and Support Service. This account is a member of the Domain Users and HelpServicesGroup groups. The SUPPORT account is disabled by default.

New in Windows Server 2003, user account management can be carried out from the command line as well as from within Active Directory Users and Computers.

Account logon restrictions can be configured for user accounts to limit both the hours during which the user can log on to the network and the computers in the network from which the user can log on.

Creating and Managing Computer Accounts

Computer accounts are created and managed in much the same fashion as for user accounts.

Computer accounts can be created automatically for Windows 2000, Windows XP, and Windows Server 2003 computers when they are joined to an Active Directory domain.

Computer accounts can be created manually for all Windows computers if desired. If the computer is a pre-Windows 2000 computer or an NT 4.0 BDC, the correct options should be selected to denote it as such.

New in Windows Server 2003, computer account management can be carried out from the command line as well as from within Active Directory Users and Computers.

Importing and Exporting Active Directory Data

csvde is a command line tool that can be used to import and export data from Active Directory in Microsoft CSV format. The advantage of the CSV format is that it is supported by many other applications such as Microsoft Excel and Microsoft Access, thus allowing the network administrator to manipulate data in these applications before importing it. The downside to using csvde is that it only allows the addition of new objects—ldifde allows the modification of existing objects.


ldifde is a command line tool that can be used to extend the Active Directory schema, export data from Active Directory into other LDAP applications and services, and to populate the Active Directory database with LDAP data from other directory services. LDIF is an Internet standard file format for performing batch import and export operations that conform to LDAP standards.

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: It seems like creating groups, assigning them user rights and permissions, and then placing users in the groups is an awful lot of work. Why can’t I just manage the user rights and permissions directly on the users themselves?

A: You can; however, it will quickly become a very time- and labor-intensive process as the number of users in your network grows. Also, by managing user rights and permissions through group membership, you can absolutely ensure that all members of the group have the correct configuration. Lastly, you can quickly add or remove users from a group as required to change the user rights and permissions that are assigned to individual users, such as in the case where an employee moves from one job to another within the company.

Q: I have an employee who just quit the company last week. Should I delete her user account from Active Directory?

A: Yes and no. The most prudent thing to do in the short term would be to disable the user account, which effectively prevents it from being used to log on to the network. In this way, you will have the account available for a predetermined amount of time to see if the user is returning, or if you can perhaps reassign the account to the replacement employee.

Q: Why would I ever want to rename a user account and reassign it to another user?

A: In most cases you will not need to do this. In the case, however, where the user has had specific configuration performed directly on their user account (user rights, permissions, and so on), you may actually benefit from reusing the account after changing the key elements: user name, logon, and other personal details.


Q: How can I use the command line utilities to quickly create large numbers of user accounts?

A: You can create a batch file or script using the dsadd command to create and completely populate a user account with all pertinent information items. If the batch file or script can be stored in a secure location, you can even enter default password information directly into the script itself, forcing the user to change the password at the first logon.

By default, all user accounts created programmatically are disabled, further adding security to them if they will not be used immediately. You can, however, have them created in the enabled state should you desire.

Q: How can the csvde and ldifde tools help me?

A: They can be used to quickly export and import large amounts of data from one LDAP-compliant directory service to another. Active Directory and Exchange Server can both create and work with CSV files that can be used by the csvde command. csvde and ldifde can also be used, with a little bit of experience, to create new Active Directory objects in bulk.

Q: Do all Active Directory manipulations have to be performed locally on a domain controller?

A: No, and in fact they should not be performed locally on a domain controller if at all possible. Domain controllers, just like other critical servers, should be physically isolated and secured from normal access by the use of locked server racks and specially located and secured server rooms. You can perform all network management and configuration tasks from a workstation connected to the network as long as you possess the required user rights and permissions.


Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Creating and Managing Groups

1. You are an assistant network administrator for Billy’s Jeans, Inc. You have been tasked with creating three new groups, one for each of the following divisions: Sales, Marketing, and Production. The Sales group is to be configured with permissions required to access a shared network folder named Sales. The Marketing group is to be configured only for e-mail distribution to its members. The Production group is to be configured for both e-mail distribution and with the required permissions to access the Sales folder. Which of the following sets of actions presents the correct steps to accomplish the requirement you have been tasked with?

A. Create a security group named Sales and configure the Sales folder with the required permissions for this group. Create a security group named Marketing and configure the Sales folder with the required permissions for this group. Create a distribution group named Production and configure the Sales folder with the required permissions for this group. Additionally, configure an e-mail address for the Production group.

B. Create a distribution group named Sales and configure the Sales folder with the required permissions for this group. Create a distribution group named Marketing and configure an e-mail address for this group. Create a security group named Production and configure the Sales folder with the required permissions for this group. Additionally, configure an e-mail address for the Production group.

C. Create a security group named Sales and configure the Sales folder with the required permissions for this group. Create a distribution group named Production and configure an e-mail address for this group. Create a security group named Marketing and configure an e-mail address for this group.

D. Create a security group named Sales and configure the Sales folder with the required permissions for this group. Create a distribution group named Marketing and configure an e-mail address for this group. Create a security group named Production and configure an e-mail address for this group. Additionally, configure the Sales folder with the required permissions for the Production group.


2. Hannah is preparing to configure user rights and permissions for 1,600 users that are spread out over five different departments: Sales, Marketing, Production, Engineering, and Administration. Each department is composed of two divisions: East and West. The network is also composed of two child domains under the root domain: East and West. The network has a total of ten divisions. How can Hannah create groups to use in assigning user rights and permissions without causing excessive directory replication between the two child domains? (Choose two correct answers)

A. Hannah should create universal groups for all ten divisions.

B. Hannah should create two universal groups, UEast and Uwest, and place the five respective departmental groups in them.

C. Hannah should create global groups for all ten divisions.

D. Hannah should create two global groups, GEast and Gwest, and place the five respective departmental groups in them.

3. You are preparing to assign user rights and permissions to 150 users on your network. Which of the following reasons explain why assigning the rights and permissions to a group and then placing the users into the group is the best course of action? (Choose three correct answers)

A. Configuring user rights and permissions on groups is more accurate than configuring user rights and permissions on individual user accounts.

B. Configuring user rights and permissions on groups requires less administrative time and labor to perform.

C. Configuring user rights and permissions on groups allows you to quickly manage which users get these rights and permissions by adding or removing them from the group.

D. Configuring user rights and permissions on groups prevents attackers from using the user accounts in an unauthorized fashion.

4. Austin is attempting to create a new group for his network that he wants to place several global groups into. When he tries to create the new group as a universal group, the option to do so is not available. What is the most likely reason for this problem?

A. Austin’s domain is operating in the Windows NT 4.0 native functional mode.

B. Austin’s domain is operating in the Windows 2000 mixed functional mode.

C. Austin’s domain is operating in the Windows Server 2003 functional mode.

D. Austin’s domain is operating in the Windows 2000 native functional mode.


5. Andrea has created a new security group for several help desk staff in her company. She has configured the required user rights and permissions on this security group and placed the help desk staff user accounts into the group. When Andrea tries to send an e-mail message to the security group, she gets a bounce back informing her that no such user was found. What is the most likely reason for this problem?

A. One of the users in the group is not mailbox enabled.

B. The group does not have an e-mail address configured for it.

C. The group is not a distribution group.

D. None of the users in the group are mailbox enabled.

6. Jon is creating several dozen new domain local security groups for his network. What command line utility could Jon use to create these groups for him?

A. dsadd group GroupDN -secgrp yes -scope l -samid SAMName -desc Description

B. dsadd group GroupDN -secgrp yes -scope g -samid SAMName -desc Description

C. dsadd group GroupDN -secgrp no -scope l -samid SAMName -desc Description

D. dsadd group GroupDN -secgrp yes -scope u -samid SAMName -desc Description

7. You have been tasked with determining the group membership status of several hundred employees within your organization. You have determined that it would be more efficient to perform this task from the command line. Which command line utility can be used to determine which groups a specified user is a member of?

A. dsquery

B. dsget

C. dsmod

D. dsrm

8. Andrew is a member of the help desk staff for Tim’s Tents, Inc. Where can Andrew look to determine what groups a user is a member of from within the Windows GUI?

A. The Member Of tab in the group Properties dialog box.

B. The Member Of tab in the user Properties dialog box.

C. The Account tab in the user Properties dialog box.

D. The Managed By tab in the group Properties tab.


Creating and Managing User Accounts

9. Which of the following user accounts is used to provide anonymous access to IIS resources and is a member of the Domain Users and Guests groups?

A. IWAM_computername

B. SUPPORT_xxxxxxxx

C. IUSR_computername

D. krbtgt

10. You have just completed a clean installation of Windows Server 2003 on a new server in your organization. Several default user accounts are created by the installation process. Which of the following default users are disabled by default? (Choose two correct answers.)

A. Administrator

B. Guest

C. IUSR_computername

D. SUPPORT_xxxxxxxx

11. You are in the process of creating new user accounts from the command line using the dsadd command. If the -pwd * modifier is specified, what is the net result?

A. The password is to be randomly assigned.

B. The password is to be left blank.

C. The password is to be taken from another list.

D. The password is to be supplied during the creation process.

12. You are a help desk staff member for your organization. A member of the Advertising department has requested that her password be changed.Which of the following items of information will you need to know in order to reset the password for her?

A. The user’s current password.

B. The user’s e-mail address.

C. The user account name.

D. The user’s supervisor’s name.


Creating and Managing Computer Accounts

13. Which of the following computers can have computer accounts in Active Directory? (Choose all correct answers.)

A. Windows 2000 Professional

B. Windows XP Professional

C. Windows 98

D. Windows 95

14. In what two ways can computer accounts be created in Active Directory? (Choose two correct answers.)

A. By joining a Windows 95 computer to the domain.

B. By joining a Windows 2000 Professional computer to the domain.

C. Through manual creation from Active Directory Sites and Services.

D. Through manual creation from Active Directory Users and Computers.

Importing and Exporting Active Directory Data

15. Chris is preparing to import a CSV file containing data from another LDAP-compliant directory service into the Active Directory of her domain. What is the minimum command that she will need to issue to perform the importation of the data in the file named userlist.csv?

A. csvde -f filename

B. ldifde -i -f filename

C. csvde -i -f filename

D. csvde -i


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.


1. D

2. B, C

3. A, B, C

4. B

5. B

6. A

7. B

8. B

9. C

10. B, D

11. D

12. C

13. A, B, C, D

14. B, D

15. C


271_70-292_02.qxd 8/21/03 1:32 PM Page 73

Chapter 2

MCSA/MCSE 70-292

Managing and Maintaining Terminal Services Access

Exam Objectives in this chapter:

2.1 Troubleshoot Terminal Services

2.1.1 Diagnose and resolve issues related to Terminal Services security

2.1.2 Diagnose and resolve issues related to client access to Terminal Services

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


74 Chapter 2 • Managing and Maintaining Terminal Services Access

Introduction

Windows Server 2003 is a robust operating system that builds off of the successes (and failures) of previous Windows operating systems. One of the most useful improvements in Windows Server 2003 is in the area of Terminal Services. Although Terminal Services is not a completely new feature, having been around since Windows NT (as an add-on) and integrated in Windows 2000 Server, Windows Server 2003 Terminal Services is more powerful and easier to use than ever before.

Regarding Terminal Services, it is important to understand two things prior to studying—how the service works, and its basic configuration principles. These two background information items are examined before looking at the troubleshooting end of Terminal Services, which directly relates to the exam objectives for exam 70-292. Windows Terminal Services is, in some respects, similar to Citrix MetaFrame (www.citrix.com), where applications are loaded on a main server (sometimes consisting of a cluster of load-balanced servers) for thin clients to access and use. This concept dates back to the IBM mainframe, with green-screen dumb terminals, where all applications resided on a centralized system. For those unfamiliar with the term “dumb terminal,” it refers to a terminal with no real intelligence located on the system, for instance a central processing unit (CPU) or hard drive storage. All processing is done on the central system (mainframe) and only screen changes (referred to as screenshots) are sent to the dumb terminal.

Terminal Services is available in two major modes—one that provides applications to clients, and one that provides for remote administration. This chapter is primarily concerned with the former role, known as Terminal Server (formerly known as Application Server Mode in Windows 2000 Server). The use of Terminal Services for remote administration of servers and workstations is examined later in Chapter 3. As it pertains to the Terminal Server mode of Terminal Services, this chapter examines installation, configuration, and troubleshooting of Terminal Services.

Test Day Tip

A lot of time is spent in the beginning of this chapter to bring you up to speed on Terminal Services, what has changed in Windows Server 2003, design issues, and the background behind the service. Although 90 percent of this information will not directly relate to an exact test question, it is all valuable information.

The test objectives for Terminal Services that are listed at the beginning of this chapter and online at www.microsoft.com/traincert/exams/70-292.asp relate to more advanced areas than previously seen for the Windows 2000 MCP exams. You must be able to perform troubleshooting operations after installation and configuration has been completed. If you are not comfortable with the Terminal Services features of Windows 2000 Server, you should read up on it at www.microsoft.com/windows2000/technologies/terminal/default.asp.


The Need for Terminal Services: A Survey of Computing Environments

When working with any major service, the network administrator must first understand how it works and how it should be deployed before entering into a production installation.

Terminal Services is no exception to this rule. This chapter discusses how the service came about, and why it is so important to understand it. It is critical that the administrator understand how Terminal Services works to be able to plan deployments and troubleshoot problems.

Note

An additional detailed discussion on remotely managing servers is found in Chapter 3, “Managing and Maintaining Remote Servers.”


Centralized Computing versus Distributed Computing

This section looks at centralized versus distributed computing environments to help you understand the importance of Terminal Services, and why it is such an integral component of Windows Server 2003. Before beginning, a proper definition of centralized and distributed computing is required to illustrate their differences. This section examines some background information on this set of environments that will help you eliminate obvious wrong answers during your exam experience. Additionally, you will gain an understanding of the important role that Terminal Services plays in a production network, thus providing you with some ammunition to help you justify the cost of the solution to your management team.

This section examines the following areas of concern:

Centralized Computing

In the centralized computing model, all network resources are located on one or more central servers or mainframes. Clients access these resources remotely and have little intelligence and little to no processing power. All processing and storage of data are done on the centralized server or servers and only screenshots of the resulting outcome are transmitted back to the client. The clients are generally referred to as thin clients or dumb terminals. This is the truest form of Terminal Services.

Distributed Computing

In the distributed computing model, network resources are still located on the central server; however, some processing is done by both the servers and the network clients. The clients are generally referred to as fat clients and typically consist of a standard PC or workstation. Data is stored on the central servers that are providing the services, but the manipulation of the data is done on the local workstation. This is a fairly common model in use today: consider the situation of network clients connecting to a centralized Microsoft Exchange server for mail and messaging.

Mixed Environment

In the mixed environment model, both a centralized and a distributed computing environment coexist on the same network. This is a combination of thin clients and fat clients, each utilizing resources as required. By some accounts, network administrators have the best of both worlds.

Consider the example of a mixed environment that places thin clients on a manufacturing floor that only run a process control application from a centralized server, with fat clients located in offices that access files on network file servers, manipulating the data locally on the workstation.

Exam Warning

Although this information will not be explicitly tested on the exam, these definitions are necessary for the proper planning of a Terminal Services infrastructure.

Before the days of fully loaded computer rooms stocked with the latest blade servers, 1U rack-mounted systems, and so on, there was the mainframe, which was responsible for creating a centralized computing environment where all resources existed, including the main CPU where all the data was processed. This is not to be mistaken for mainframe centralized computing systems that have since been declared obsolete with the advent of distributed computing solutions. Today there is a potpourri of different types of systems the network administrator can use, and there has even been a push to go back to the original centralized model, as evidenced by the strong market presence of Citrix and the enhancements made in Terminal Services in Windows Server 2003. The market for Terminal Services is growing larger every year, as the need to keep applications current is becoming more important to many managers looking at their Total Cost of Ownership (TCO).

Figure 2.1 illustrates the concept of a centralized computing environment where all processing is done on the mainframe and only the resultant screenshots are returned to the dumb terminals. There are a few other important points to note about the environment illustrated in Figure 2.1:

■ There are two small local area networks (LANs) separated geographically and connected via a wide area network (WAN) link.

■ In the core location, a mainframe exists where all the resources are located.

■ In the core location, dumb terminals are present, which access the resources located on the mainframe.

■ In the remote location, a front-end controller is present that allows communication with the remote mainframe across the WAN link.

■ The bulk of the computing power is located on the mainframe, and hence the bulk of the cost as well. The mainframe will likely be costly to install, maintain, and fix if required.

Figure 2.1 The Centralized Computing Environment

[Diagram: two sites, each with a router, joined across a wide area network; the core site holds the mainframe and dumb terminals, the remote site a front-end controller and dumb terminals.]

The distributed computing environment is completely different from the centralized computing solution. However, it does have some similarities that will affect the network administrator’s decision to implement and maintain it. Figure 2.2 illustrates the distributed computing environment. The biggest difference here is in the placement of resources and where the processing is done.


Figure 2.2

The Distributed Computing Environment (figure labels: Router, Workstations, File and Print Server, Wide Area Network, Workstations, Router, Exchange Server)

Taking a closer look at Figure 2.2, let’s finalize what we need to know about a distributed computing environment.

■ In the example there are two small LANs separated geographically and connected via a WAN link.

■ In both locations, servers respond to user requests for resources they are allowed to access and use.

■ There are PCs on both LANs (not dumb terminals) that incorporate more than just a monitor, keyboard, and network connection. In some cases these PCs are just as powerful, if not more so, than some of the servers being used. PCs contain their own storage, CPU, and so forth.

■ The processing of information by the end user can be distributed between the servers they access for resources, or on their own machine with installed applications and so on.


■ A distributed computing solution also means that the costs are distributed among the PCs and servers. The PCs and servers both have a considerable amount of intelligence and computing strength, with PCs running desktop applications such as Outlook or Word and servers running server applications such as Exchange or Dynamic Host Configuration Protocol (DHCP). This results in servers that are less costly to operate, maintain, and fix. However, the network administrator must make a more significant investment in desktop PCs and be prepared to support them over time.

Returning to the centralized computing environment previously shown in Figure 2.1, let’s implement Windows Server 2003 Terminal Services. The results are illustrated in Figure 2.3 as a centralized computing environment with Windows Server 2003 in use, utilizing Terminal Services in the Terminal Server mode of operation. As you will notice, dumb terminals and mainframes are no longer used; thin clients and Terminal Services servers now come into play.

NOTE

For an example of a thin client sold by HP/Compaq, visit http://h18004.www1.hp.com/products/thinclients/. You can also run a search online for other vendors like Sun Microsystems, IBM, and so on.

Figure 2.3

The Centralized Computing Environment with Windows Server 2003 (figure labels: Router, Thin Clients, Wide Area Network, Router, Thin Clients, Terminal Server)


In the mode shown in Figure 2.3, applications are loaded on the Terminal Server and thin clients access the server (via login). From here the thin clients are able to access, utilize, and manage applications and data from the Terminal Server. Though this sounds similar to a mainframe environment (which it resembles), there are a few major differences to be aware of:

■ Thin clients (not dumb terminals) are used to access the Terminal Server. You have to go back in history (or work in a site that still utilizes dumb terminals) to appreciate what was affectionately called the “green screen.” Basic text was shown on the terminal, and was all you had to work with.

■ A solution like this means that most of the costs associated with running this solution are placed on the Terminal Server, where all the intelligence and computing strength is. The hardware used to run the Terminal Server client is fairly inexpensive.

NOTE

You could imply from this section that thin clients are the only things you can use with Windows Server 2003 Terminal Services. This is not true, but you may want to design the network to save cash and lower your budget on a project of this scope by utilizing thin clients. You can use your PC also, but again, this ruins the return on investment (ROI) you get from implementing this solution in the first place. The way to justify this solution is to have a mixed environment

Mixed Environments

Mixed environment is not a term that you need to memorize, or something that will appear on the exam, but rather more of a real world reality. It is important to understand that all the previously described environments (Figures 2.1 through 2.3) can be mixed, as shown in Figure 2.4. In this particular example, note that there are thin clients getting the resources they need from the Terminal Server, while the PCs are getting what resources they need from the File Server. Provided that the routers have paths to both locations and everything is configured properly, there is no reason why an infrastructure like this cannot be used. If your network infrastructure looks anything like most others, you are probably operating in a mixed environment where you are using what you need, where you need it.

This type of implementation implies that you possess some solid design skills for the purpose of understanding network architectures, and that you will not always implement a solution unless it deals with and provides a solution to a specific need. Many systems administrators and engineers who would like to implement thin client technologies are aware that the true driver for implementing the technology is to save money. Placing a Terminal Services-based thin client solution in your current infrastructure can significantly lower your TCO, but you may still have a high amount of value placed on your other resources such as existing file servers and so on.


Figure 2.4

A Mixed Environment (figure labels: Router, Workstations, Thin Clients, Terminal Server, Wide Area Network, Workstations, Router, Thin Clients, File and Print Server, Exchange Server)

The network depicted in Figure 2.4 already had a fully functional distributed computing environment; however, the thin client solution has been introduced to provide an application to a specific group of users across the network. Implementing a thin client solution saved money, time, and resources in this case, and there was no added cost in removing the current network that was addressing a business need already in place.

NOTE

You are not expected to know all the details discussed regarding distributed versus centralized computing environments for the MCSA 70-292 Exam.

Terminal Services Design Issues

Now that you understand the basic design issues around Terminal Services, let’s take a look at a very complex layout where your knowledge of Terminal Services design will be put to the test. The purpose of this is to make you aware of the issues you most likely will see when you roll out Terminal Services. If you are planning on deploying an application to a remote site, you will need to take many factors into account.


The points made in this section offer insight into ways that you can prevent massive problems on your network by rolling out thin client solutions to all your sites. You will have to consider bandwidth to be one of the most critical analysis points for the future. You must verify that the Terminal Services-based solution, which uses centralized computing, can travel over the WAN without errors, in order to give you the best experience possible.

NOTE

Lack of proper bandwidth is almost always the culprit when you experience latency on your terminal sessions.

Remember the following key analysis and design points when deploying Terminal Services:

■ If you roll out Terminal Services, you will need to continually analyze your bandwidth consumption and traffic flow. Some WAN links are not currently ready to support the traffic that Terminal Services will add to it; you may have to upgrade some existing WAN links.

■ Inexpensive PCs can be bought at a comparable cost as a thin client to give remote sites some time (or life support) if your true intention is to just replace PCs. This is not always the best solution if you have to upgrade all of your WAN links to T1s.

■ Deploying Terminal Services, if utilized completely, will most likely affect other applications and services on WAN links that may not have been previously affected.

EXAM WARNING

Learning how to troubleshoot Terminal Services begins with the ability to analyze the design, placement, and practical use of the service in order to spot potential problems. In simple terms, not planning out the service before implementing it can lead to troubleshooting problems with Terminal Services.

Since screenshots have to traverse the network to get from the server to the client utilizing the service, you have to think about the bandwidth available on the network so you know how latency will affect it. For example, if your WAN link is saturated, you may see Terminal Services suffer in the form of disconnects, hesitation with keystrokes, and so on. Always test and consider this for future implementations, especially if you are going to be providing applications over the network to your clients.


Introduction to Windows Server 2003 Terminal Services

With Terminal Services, it is important to note that Windows Server 2003 will allow you to enhance your company’s software deployment ability. Not only will it allow for more flexibility, but this flexibility can be gained in both the management and application modes available.

When discussing Terminal Services in Windows Server 2003, you should be aware of the following major components and features:

■ Remote Assistance

■ Remote Desktop for Administration

■ Terminal Server

■ Terminal Services Licensing

■ Terminal Server Session Directory

Remote Assistance and Remote Desktop for Administration are examined later in Chapter 3. The remaining three items: Terminal Server mode, Terminal Services Licensing, and the Terminal Service Session Directory, are examined throughout the remainder of this chapter.

Terminal Server

The Terminal Server mode is one that few people understand and even fewer people use. However, that may soon change as the cost of maintaining full-featured desktop workstations and licensing the most current version of application software gets more expensive, making Terminal Server a more attractive solution. In brief, Terminal Server allows the network administrator to deliver Windows-based applications or the Windows desktop itself to clients that do not have the processing power to run Windows locally.

Terminal Server mode is supported in the following versions of Windows Server 2003:

■ Windows Server 2003 Standard Edition

■ Windows Server 2003 Enterprise Edition

■ Windows Server 2003 Datacenter Edition

Terminal Server is not supported on Windows Server 2003 Web Edition; Web Edition is a stripped down, and therefore less expensive, version of Windows Server 2003 that has been optimized for providing Internet Information Server (IIS)-based services to clients.

But, what exactly is new and noteworthy with regards to the Terminal Server mode in Windows Server 2003? Consider the following points:


■ Naming Conventions have Changed It seems that with every successive version of Windows, many components get new names. In the case of Terminal Services, the Terminal Server mode was previously referred to as Terminal Services Application mode in Windows 2000. In addition, Remote Desktop for Administration has replaced what was previously referred to as Remote Administration mode in Windows 2000.

■ Rapid, Centralized Deployment of Applications When the Terminal Server mode is used, you have the power to add greater flexibility to your network and the systems and applications. Say you have a single application that remote users need to use over a Virtual Private Network (VPN) or at remote sites. Would you rather place a server locally at each site and incur those costs, or could you let the users create a session with the Terminal Server to utilize the application and then disconnect when done? Another benefit of providing applications via Terminal Server is that the application can be updated on the server with hotfixes, Service Packs, and other updates without the need to visit remote desktop clients or roll out complex (and sometimes bandwidth consuming) updates via Group Policy, System Update Service (SUS), or some other means such as System Management Server (SMS).

■ Low-bandwidth Access to Data When the Terminal Server mode is used, the bandwidth consumption over a switched LAN is almost transparent. When operating over a WAN link, you may need to analyze and consider upgrading the link, although in most cases this will not be a problem as the screenshots are sent as very compressed data. Terminal Server does not require an excessive amount of bandwidth to make available the functionality it offers.

■ Windows Anywhere When the Terminal Server mode is used, you have a wider reach to include those users who may not be using Windows 2000 or Windows XP. Terminal Services support is provided for a range of devices, from an old Pentium 133MHz workstation running Windows 95 to a brand new iPAQ that provides support for 802.11b connectivity. The ability to deliver the Windows experience to a broad base of users can be helpful in those environments where the cost of upgrading 600 desktops to Windows 2000 just to utilize a new application is not worth the cost or effort. TCO and ROI are a large part of IT budgets these days and providing solutions that keep costs down while providing an acceptable level of functionality will go a long way towards staying in budget.

■ Increased Scalability What good is any solution if users cannot access it? That is the question to keep in mind when deploying any mission critical solution, Terminal Services included. Scalability is often examined from one of the following two points of view:


1. Scaling up is to build up a server by adding more random access memory (RAM), additional CPUs, more and faster network adapters, and more storage devices. As you scale up a server, the cost goes up, thus making the term easy to remember.

2. Scaling out a solution refers to expanding the number of systems that are part of the solution. Additional servers are added to the Terminal Services solution and a technology such as Network Load Balancing (NLB) is used to distribute requests and load amongst all participating servers, as illustrated in Figure 2.5.

Figure 2.5

A NLB Terminal Server Cluster (figure labels: Remote Thin Clients, Remote Workstation, WAN, Public Network, Local Workstations, TS1 TS2 TS3, Private Network (NLB management traffic), TS4)


■ Improved Manageability The bulk of the Terminal Server-related options can be configured and managed directly through Group Policy settings, allowing the administrator to configure the desired settings and have them applied to their network users during the subsequent Group Policy refresh event. Advanced users may want to consider taking advantage of the powerful management features provided by the Windows Management Instrumentation (WMI) that allows for complete remote management capability through scripting.

TEST DAY TIP

Make sure that you are familiar with the new Windows Server 2003 Terminal Services features for this exam.

Terminal Server Session Directory

The Terminal Server Session Directory is a new feature that was created to allow users to easily reconnect to a disconnected session if they are using a NLB Terminal Server farm (refer back to Figure 2.5). When a request is made for an application hosted by the Terminal Server cluster, the request is actually sent to the Virtual Internet Protocol (IP) address that represents the entire cluster. NLB uses a mathematical algorithm to determine which of the available nodes should receive the new client request, and hands off the request to the appropriate server’s dedicated IP address, which is specific to each server in the cluster. If the client disconnects the session and later wants to reconnect, the default behavior of NLB is to run the request through the algorithm again, possibly putting the new session on a different Terminal Server. The Terminal Server Session Directory function prevents this problem by allowing the clients to reconnect to the Terminal Server that their existing session is located on.

The session directory for Windows Server 2003 maintains a list of sessions, indexed by user name. Once this indexing takes place, a user who has terminated a session with the Terminal Server is able to reconnect and resume the previous session so that work in that session can be completed. The session directory is best placed on a server that is not part of the NLB cluster group, although it can be placed on one of the members if required (although not recommended).

TEST DAY TIP

Although not likely to be on the test, you should be aware of the capabilities that the session directory gives you. For more information see the following Microsoft Knowledge Base articles: http://support.microsoft.com/default.aspx?scid=kb;en-us;301926 and http://support.microsoft.com/default.aspx?scid=kb;en-us;301923.


Installing and Configuring a Terminal Server

This section examines the installation and configuration of the Terminal Server service. It starts off by installing the Terminal Server and then examines the configuration options that are available for the Terminal Server.

Installing the Terminal Server

There are two different ways to install Terminal Server: using the Manage Your Server utility or using the Windows Component Wizard. Each of these methods is examined in Exercises 2.01 and 2.02, respectively.

EXERCISE 2.01 INSTALLING A TERMINAL SERVER USING MANAGE YOUR SERVER

1. Click Start | Programs | Administrative Tools | Manage Your Server to start the Manage Your Server utility, as seen in Figure 2.6.

Figure 2.6

The Manage Your Server Utility

2. To start adding the Terminal Server role to your server, click the Add or remove a role link.

3. The Preliminary Steps dialog box appears, as seen in Figure 2.7, prompting you to ensure that you are ready to proceed. Click Next to continue.


Figure 2.7

Verifying Preliminary Steps

4. The Configure Your Server Wizard dialog box will appear briefly while your server is analyzed. If any problems are found, you will be informed of them before proceeding. You need to click Continue if any problems are found.

5. On the Server Role dialog box, as seen in Figure 2.8, you can start the installation process of the Terminal Server. Select the Terminal server option and click Next to continue.

Figure 2.8

Configuring a Server Role

6. The Summary of Selections dialog box appears informing you of your selections. Click Next to continue.


7. You may be prompted with a warning, as seen in Figure 2.9, informing you that the server will require a restart to complete the installation process. Click OK to continue.

Figure 2.9

Acknowledging the Restart Warning

8. The Windows Components Wizard appears to finalize the installation. Click Next if required.

9. After the restart, you will see the dialog box, as seen in Figure 2.10. Click Finish to close the dialog box.

Figure 2.10

Terminal Server Installation Complete

NOTE

You have now configured a server role, but where is the proof of this configuration? See the log located at %systemroot%\debug\configureyourserver.log for information on what the Manage Your Server utility has done.


To install the Terminal Server from the Windows Component Wizard complete the steps outlined in Exercise 2.02. Installing the Terminal Server via the Windows Component Wizard is the preferred method as it offers greater control over the installation.

EXERCISE 2.02 INSTALLING A TERMINAL SERVER USING WINDOWS COMPONENTS WIZARD

1. Click Start | Settings | Control Panel | Add or Remove Programs to open the Add or Remove Programs applet.

2. Click the Add/Remove Windows Components button to start the Windows Components Wizard.

3. When the Windows Components Wizard opens, scroll down and select Terminal Server, as seen in Figure 2.11. Click Next to continue.

NOTE

The installation of the Terminal Server Licensing component is examined later in this chapter.

Figure 2.11

Selecting the Terminal Server Option

4. The Terminal Server setup dialog box appears, as seen in Figure 2.12, warning you of the consequences of your selection as follows:


This option installs Terminal Server, which configures the computer to run programs for multiple simultaneous users. Note: By default only members of the local Administrators group will be able to connect to this Terminal Server. You will need to add user accounts to the local Remote Desktop Users group to allow users to connect to this Terminal Server. Do not install Terminal Server if you only need Remote Desktop for administration, which is installed by default, and may be enabled by opening the Remote tab of the System control panel applet and enabling remote connections.

Program Installation: If you continue with this installation, programs that are already installed on your server will no longer work and will have to be reinstalled. You must use Add or Remove Programs in Control Panel whenever you install programs to use on a Terminal Server.

Licensing: To continue using Terminal Server after an initial grace period of 120 days from today, you must set up a server running Terminal Server Licensing. For details see Terminal Server Help.

It is very important that you read and understand the information that this dialog box is presenting as it will affect the way your Terminal Server performs and behaves. Click Next to continue.

Figure 2.12

Viewing the Terminal Server Setup Warning

5. On the next dialog box, you must select what level of permission you are willing to allow for the applications that are to be run on the Terminal Server. The default option of Full Security provides the most security for your Terminal Server, but may not allow some legacy applications to run properly. The Relaxed Security option allows users and applications to have more access to the Registry and therefore may allow legacy applications to run properly—at the cost of decreased environment security. Make your selection and click Next to continue.


Figure 2.13

Selecting the Default Permissions for the Terminal Server

6. The Windows Component Wizard now installs the Terminal Server on your server.

7. Click Finish when prompted by the Windows Component Wizard.

8. You will be prompted to restart your server, as seen in Figure 2.14. Click Yes to complete the installation process.

Figure 2.14

Restarting the Terminal Server to Complete the Installation

EXAM 70-292 OBJECTIVE 2.1, 2.1.1, 2.1.2

Configuring the Terminal Server

With the Terminal Server now installed, it is time to begin the configuration process. The easiest place to start is the Manage Your Server utility. As seen in Figure 2.15, there are four basic options to choose from.


Figure 2.15

Using the Manage Your Server utility to Configure the Terminal Server

These options include:

■ Review Licensing Requirements A Help-based function discussing the specifics of Terminal Services licensing (discussed in more detail later in the “Terminal Service Licensing” section of this chapter).

■ Open Terminal Services Configuration Opens the Terminal Services Configuration console, where the majority of configuration tasks can be performed for the Terminal Server. This is discussed in more detail in the “Using the Terminal Services Configuration Console” section of this chapter.

■ Open Terminal Services Manager Opens the Terminal Services Manager console that allows the network administrator to manage the users, sessions, and resources for Terminal Servers in their enterprise. This is discussed more in the “Using the Terminal Services Manager Console” section of this chapter.

■ Review the Next Steps for this Role A Help-based function to review the future steps that should be performed.

Using the Terminal Services Configuration Console

The Terminal Services Configuration console, as seen in Figure 2.16, allows the administrator to perform the basic configuration of their Terminal Server. The following sections discuss all of the available options in this area in detail.

NOTE

You will need to use Group Policy to be able to set more advanced Terminal Services options, as discussed in the “Advanced Terminal Server Configuration via Group Policy” section of this chapter.


Figure 2.16

Using the Terminal Service Configuration Console

Selecting the Connections node and double-clicking the RDP-Tcp object opens the RDP-Tcp Properties dialog box, as seen in Figure 2.17. This dialog box has eight tabs that are used to configure the Terminal Services connection properties, each of which is discussed in the following sections.

The General Tab

The General tab, as seen in Figure 2.17, offers some basic configuration options for the Terminal Server.

Figure 2.17

The General Tab of the RDP-Tcp Properties Dialog Box

From this tab, the network administrator is able to enter a comment about the connection type, select the encryption level to be used for the connection type, and enable standard Windows authentication. The available encryption options are:

■ Low Data sent between the client and server is encrypted using 56-bit encryption.

■ Client Compatible Data sent between the client and server is encrypted at the maximum key strength that the client supports.

■ High Data sent between the client and server is encrypted using strong 128-bit encryption.

■ Federal Information Processing Standard (FIPS) Compliant Data sent between the client and the server is encrypted using the FIPS encryption algorithms.

The Logon Settings Tab

The Logon Settings tab, as seen in Figure 2.18, allows the network administrator to configure how log-on credentials are supplied to the session.

Figure 2.18

The Logon Settings Tab of the RDP-Tcp Properties Dialog Box

Selecting the Use client-provided logon information option specifies that logon credentials are to be retrieved from the client, such as through Remote Desktop Connection or the Client Connection Manager. Selecting the Always use the following logon information option specifies a fixed set of logon credentials that are to be used for making connections. Selecting the Always prompt for password option specifies that the user is to always be prompted for a password even if a password is configured.

The Sessions Tab

The Sessions tab, as seen in Figure 2.19, allows the network administrator to override client-configured settings associated with time limits and session maintenance.


Figure 2.19

The Sessions Tab of the RDP-Tcp Properties Dialog Box

Selecting the Override user settings option specifies that the settings configured in the other sections of the tab are to override the settings that are configured via Group Policy for time limits. Selecting the second Override user settings option specifies that the settings configured below it are to override the settings that are configured via Group Policy for the action that is to occur when a session limit is reached or a connection is broken. Selecting the third Override user settings option allows the network administrator to configure from where clients will be allowed to reconnect to an existing session.

The Environment Tab

The Environment tab, as seen in Figure 2.20, allows the network administrator to override the settings that are configured via Group Policy for the initial program path and file name.

Figure 2.20

The Environment Tab of the RDP-Tcp Properties Dialog Box


The Remote Control Tab

The Remote Control tab, as seen in Figure 2.21, allows the network administrator to configure the remote control settings for this connection.

Figure 2.21

The Remote Control Tab of the RDP-Tcp Properties Dialog Box

Selecting the Use remote control with default user setting option specifies that remote control settings are to be retrieved from Group Policy. Selecting the Do not allow remote control option specifies that remote control is not to be allowed on this connection. Selecting the Use remote control with the following settings option specifies that remote control is to be allowed with the settings the network administrator configures below it. The Require user’s permission option specifies that the user must give permission allowing the session to be remotely controlled. The View the session option specifies that the remote user can view the session, but not control it. The Interact with the session option specifies that the remote user can control the remote user’s session.

The Client Settings Tab

The Client Settings tab, as seen in Figure 2.22, allows the network administrator to configure settings relating to the user’s experience during the Terminal Server connection.


Figure 2.22

The Client Settings Tab of the RDP-Tcp Properties Dialog Box

The User connection settings from user setting option specifies that the connection settings are to be retrieved from the Group Policy configuration. The Limit Maximum Color Depth option limits the maximum color depth for the remote clients; this setting can be used to reduce required bandwidth for screenshots. The network administrator can also select to disable additional options, further controlling the bandwidth usage.

The Network Adapter Tab

The Network Adapter tab, as seen in Figure 2.23, allows the network administrator to configure which network adapters are to be used for the connection and how they are to behave.

Figure 2.23

The Network Adapter Tab of the RDP-Tcp Properties Dialog Box


The network administrator can select all network adapters that are configured for RDP-Tcp, or a specific adapter, from the Network adapter drop-down list. They can also configure the maximum number of connections to be allowed using the Unlimited connections and Maximum connections options.

The Permissions Tab

The Permissions tab, as seen in Figure 2.24, provides the standard NT File System (NTFS) permissions setting dialog that allows the network administrator to control which users can connect to the Terminal Server and what level of permissions they are to have.

Figure 2.24 The Permissions Tab of the RDP-Tcp Properties Dialog Box


Configuring Server Settings with the Terminal Services Configuration Console

The RDP-Tcp properties are not the only thing that can be configured from the Terminal Service Configuration console. The network administrator can also configure several server settings from the Server Settings node, as seen in Figure 2.25.


Figure 2.25 Configuring the Terminal Service Server Settings

The following settings are available for configuration:

■ Delete Temporary Folders on Exit Specifies whether temporary folders are to be deleted upon disconnecting from a session.

■ Use Temporary Folders per Session Specifies whether a new set of temporary folders should be created for each session.

■ Licensing Specifies whether Terminal Server licensing is to be per device or per user.

■ Active Desktop Specifies whether or not the Active Desktop is to be allowed for remote connections.

■ Permission Compatibility Specifies the permission compatibility mode in which the Terminal Server is to operate. The options are Full Security and Relaxed Security (both discussed previously).

■ Restrict Each User to One Session Specifies whether or not users should be limited to one concurrent session at a time.

■ Session Directory Allows the network administrator to enable and configure the Terminal Server Session Directory, as seen in Figure 2.26. Refer back to the "Terminal Server Session Directory" section of this chapter for more information.


Figure 2.26 Configuring the Terminal Server Session Directory Settings

Using the Terminal Services Manager Console

The Terminal Services Manager console, as seen in Figure 2.27, allows the network administrator to view information about and manage Terminal Servers in trusted domains. They can monitor users, sessions, and applications on each server and perform various management actions from this console.

Figure 2.27 Configuring the Terminal Server Session Directory Settings


Exam 70-292 Objective 2.1, 2.1.1, 2.1.2

Advanced Terminal Server Configuration via Group Policy

Although the Terminal Services Configuration console can be used to implement basic Terminal Services settings, using Group Policy may yield better results while providing a wealth of additional configuration options. Terminal Services options are located in both the Computer Configuration and User Configuration sections of a Group Policy Object (GPO).

Terminal Services Computer Options

The Terminal Services node of the Computer Configuration section of a GPO, as seen in Figure 2.28, has several advanced configuration options that the network administrator may find useful (and necessary) for maintaining and managing a Terminal Server.

Figure 2.28 Configuring the Terminal Services Computer Options in Group Policy

The following options are available to configure Terminal Services from the Computer Configuration section:

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services node:

1. Keep-Alive Messages

2. Automatic reconnection

3. Restrict Terminal Services users to a single remote session

4. Enforce Removal of Remote Desktop Wallpaper

5. Deny log off of an administrator logged in to the console session

6. Limit number of connections

7. Limit maximum color depth


8. Allow users to connect remotely using Terminal Services

9. Do not allow local administrators to customize permissions

10. Remove Windows Security item from Start menu

11. Remove Disconnect item from Shut Down dialog

12. Set path for Terminal Services Roaming Profiles

13. Terminal Services User Home Directory

14. Sets rules for remote control of Terminal Services user sessions

15. Start a program on connection

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Client/Server data redirection node:

1. Allow Time Zone Redirection

2. Do not allow clipboard redirection

3. Do not allow smart card device redirection

4. Allow audio redirection

5. Do not allow COM port redirection

6. Do not allow client printer redirection

7. Do not allow LPT port redirection

8. Do not allow drive redirection

9. Do not set default client printer to be default printer in a session

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Encryption and Security node:

1. Always prompt client for password upon connection

2. Set client connection encryption level

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\RPC Security Policy node:

1. Secure Server (Require Security)

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Licensing node:

1. License Server Security Group

2. Prevent license upgrade

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Temporary folders node:


1. Do not use temp folders per session

2. Do not delete temp folder upon exit

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Session Directory node:

1. Terminal Server IP Address Redirection

2. Join Session Directory

3. Session Directory Server

4. Session Directory Cluster Name

■ Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions node:

1. Set time limit for disconnected sessions

2. Set time limit for active sessions

3. Set time limit for idle sessions

4. Allow reconnection from original client only

5. Terminate session when time limits are reached

Test Day Tip

You should not stress over being able to remember all of the available Terminal Services options presented here. Instead, be aware of their existence and purpose.

The Terminal Services node of the User Configuration section of a GPO, as seen in Figure 2.29, has many more advanced configuration options that the network administrator may use to maintain and manage a Terminal Server.

Figure 2.29 Configuring the Terminal Services User Options in Group Policy


The following options are available to configure Terminal Services from the User Configuration section:

■ User Configuration\Administrative Templates\Windows Components\Terminal Services node:

1. Start a program on connection

2. Remote control settings

■ User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions node:

1. Set time limit for disconnected sessions

2. Set time limit for active sessions

3. Set time limit for idle sessions

4. Allow reconnection from original client only

5. Terminate session when time limits are reached

Exam 70-292 Objective 2.1.2

Terminal Server Licensing

To fully understand Terminal Services, the network administrator must know how to license it and utilize the licensing services on the server. This can be very confusing for those who have never worked with Terminal Services before. With the release of Microsoft Windows Server 2003, they need to understand the nuances of Terminal Services licensing so as not to wind up without the proper licenses.

■ Every Windows Server 2003 Terminal Server must possess a valid Windows Server License.

■ A Terminal Server Client Access License (TS CAL) is required to connect to a Terminal Server with a remote graphical user interface (GUI) session, except for a console session. This is a major change from Terminal Services in Windows 2000, when every Windows 2000 and Windows XP client was automatically granted a TS CAL by default.

■ TS CALs are now available in Per User and Per Device options to coincide with the Windows CAL options available with the release of Windows Server 2003.

1. A TS Device CAL permits one device used by any user to conduct Windows Sessions on any of the servers.

2. A TS User CAL permits one user using any device to conduct Windows Sessions on any of the servers.

3. Any combination of TS Device and TS User CALs can be used at the same time on a single server.


■ The Terminal Server External Connector (TS-EC) License can be purchased to enable external users to access a company's Terminal Servers without the need to purchase individual TS CALs for them or their devices. One TS-EC license must be purchased for every Terminal Server that is accessible to the external user. An example of an external user is a person who is not an employee or similar personnel of the company or its affiliates. The TS-EC License replaces the TS Internet Connector license in Windows 2000.

Note

As of this writing, this is the current licensing plan in effect for Terminal Services. We have kept this short because licensing plans may change, and often do. To make sure you are 100 percent compliant, visit the Microsoft main licensing page to check the most current information when you plan to license a production server. You can use the following URLs for more information: www.microsoft.com/windowsserver2003/howtobuy/licensing/ts2003.mspx, www.microsoft.com/windowsserver2003/howtobuy/licensing/overview.mspx, and https://activate.microsoft.com.

Using the Terminal Server Licensing Tool

Now that you are aware of the specifics of Windows Server 2003 Terminal Services licensing, you are ready to move on and examine the Terminal Server Licensing console.

You must install Terminal Server Licensing if you have not done so already, by performing the steps outlined in Exercise 2.03.

Selecting Enterprise or Domain Licensing

Before you install your Terminal Server License Server, you should ensure that you understand the different server types that you can choose from: Enterprise License Server or Domain License Server.

The Enterprise License Server is appropriate if your network comprises several domains. The Enterprise License Server can provide licenses for the Terminal Servers located in any domain in the enterprise, provided the domain is a Windows Server 2003 or Windows 2000 domain. Terminal Servers poll Active Directory every 60 minutes looking for an Enterprise License Server, even when one has been previously located.

The Domain License Server is appropriate if you must maintain a separate license server for each domain in your enterprise. The drawback to this method is that Terminal Servers can access Domain License Servers only if they are in the same domain as the license server. If your network still has Windows NT 4.0 domains or workgroups, then the Domain License Server is the only type you will be able to use.

Terminal Servers search for a Domain License Server every 15 minutes until they find one. After the Domain License Server is located, the Terminal Servers will search for it every 2 hours.

Exercise 2.03 Installing Terminal Server Licensing

1. Click Start | Settings | Control Panel | Add or Remove Programs to open the Add or Remove Programs applet.

2. Click the Add/Remove Windows Components button to start the Windows Components Wizard.

3. When the Windows Components Wizard opens, scroll down and select Terminal Server Licensing. Click Next to continue.

4. You will be prompted to specify the scope of the licensing server, as seen in Figure 2.30. You can create the licensing server for either the entire enterprise or only for your domain or workgroup. Click Next to continue.

Figure 2.30 Configuring the Licensing Server Scope

5. Click Finish when prompted to close the Windows Components Wizard.


Test Day Tip

If you are only using Remote Desktop for Administration, you will not need a Terminal Server License Server for these connections.

After installation, the Terminal Server Licensing console can be found in the Administrative Tools folder by clicking Start | Programs | Administrative Tools | Terminal Server Licensing. The Terminal Server Licensing console is seen in Figure 2.31.

Figure 2.31 The Terminal Services Licensing Console

The installation of the Terminal Server Licensing console does not actually grant you any licenses. Exercise 2.04 outlines the process by which you activate your Terminal Server Licensing server and acquire and install TS CALs from the Microsoft Clearinghouse. Once the TS Licensing server is installed, the following three steps must occur to activate it:

1. Activate your Terminal Server Licensing server by requesting a special digital certificate from the Microsoft Clearinghouse that allows the license server to securely install TS CALs.

2. Connect to the Microsoft Clearinghouse and acquire TS CAL tokens.

3. Distribute TS CAL tokens to requesting clients.

Exercise 2.04 Activating Your Terminal Server Licensing Server

1. Open the Terminal Server Licensing console by clicking Start | Programs | Administrative Tools | Terminal Server Licensing.

2. Right-click the licensing server you want to activate and select Activate Server from the context menu. The Terminal Server License Server Activation Wizard starts. After reading the important text on the Welcome page of the Wizard, click Next to continue.

3. On the Connection method dialog box, as seen in Figure 2.32, select the connection method you want to use. Selecting the Automatic connection option allows the server to connect to the Microsoft Clearinghouse automatically and complete the procedure. You can also select to use your Web browser or a telephone to activate the licensing server. After making your selection, click Next to continue.

Figure 2.32 Selecting the Connection Method

Note

If you are still using a pre-release version of Windows Server 2003 such as RC2, you will not be able to connect to the Microsoft Clearinghouse servers to acquire Terminal Services licensing until you have installed the Release to Manufacturing (RTM) version of Windows Server 2003.

4. Continue with the licensing process as prompted by the Wizard.

One Terminal Server Licensing Server can provide TS CALs for multiple Terminal Servers; however, you may want to install the licensing server component on a server that is not actively providing Terminal Services in order to improve performance.


Note

When you activate a license server, Microsoft provides the server with a digital certificate that validates server ownership and identity. The license server can then make subsequent transactions with the Microsoft Clearinghouse to acquire additional TS CALs in the future.

Exam 70-292 Objective 2.1, 2.1.1, 2.1.2

Troubleshooting Terminal Services

Troubleshooting Terminal Services components is never an easy task. The complexity of Terminal Services often makes for strange occurrences that are difficult to track down. Nonetheless, some of the exam objectives published by Microsoft relate to troubleshooting Terminal Services, so this is an important section with which you should become familiar.

The most important keys to understanding how to troubleshoot Terminal Services come from the background knowledge in this chapter. Knowing how it all works is essential to answering the troubleshooting questions correctly. This section provides an overview of common problems and solutions, drawn from Microsoft's support materials, that have not been covered earlier in the chapter and that relate to the exam objectives.

Not Automatically Logged On

A common problem occurs when you want to log on to the server automatically, but you are still prompted for your user credentials when you connect to the Terminal Server. There are a number of possible causes and solutions.

If you are using a Windows NT 4.0 Terminal Services client, be aware that these clients are not always able to detect and pass on the underlying system logon credentials to the Windows Server 2003 Terminal Server, even if your system logon credentials are the same as those for the Terminal Server. In the Windows NT 4.0 Client Connection Manager, select Automatic logon on the General tab in the Properties box for the connection and enter the appropriate logon credentials in the User name, Password, and Domain text boxes.

If you are using a Windows 2000 Terminal Service client or the Remote Desktop Client, it is possible that you entered the incorrect credentials on the General tab. If you mistyped the user name or password, the Terminal Server will not be able to verify your credentials and will prompt you for the correct ones. The solution is to edit the User name, Password, and/or Domain text box(es) on the General tab of the client utility.

Another possibility is that your client settings are configured correctly, but Group Policy is configured to require users to enter at least part of the credentials (the password). Group Policy settings override client settings. The only way to correct this is to remove the Group Policy setting that enforces this restriction.


“This Initial Program Cannot be Started”

Occasionally a client may receive a message stating “This initial program cannot be started.”

At the client level, a user can specify that a program be launched when they connect to a server instead of receiving a desktop. Likewise, an administrator can specify this at the connection level for all users who connect to a specific listener connection. Finally, this can also be set in Group Policy.

The error may be caused by something as simple as an input error. You should first check to ensure that the path and executable names specified are correct. If you have entered them incorrectly, they will be pointing to a file that does not exist. This will make it impossible for Windows Server 2003 to launch the application.

Another possibility is that the correct permissions are not set on the executable file. If Windows cannot access the file, it will not be able to launch the program for you. You should verify that the appropriate Read and Execute permissions are applied to both the file and the working directory (if specified). If neither of these two possible solutions resolves the issue, the application may have become corrupt. Try to launch the application from the server console. If it will not open, you may need to uninstall and reinstall the application.

Clipboard Problems

Ordinarily, when text is copied to the clipboard in a session, it is synchronized with the local clipboard on the client. Because the text is available on each clipboard, it should be available to paste into local applications as well as applications running remotely in a session. You should note that it works the same way when you copy text to the clipboard locally. It is synchronized with the clipboard running in the Terminal Services session and can be used in either local or remote applications.

Microsoft states that there are instances in which text that is copied to the clipboard in a remote session is unable to be pasted into an application on the local client. Currently there is no fix available for this problem. First, try to reinstall the client application you are using. If it is still malfunctioning, try to uninstall the client application and reinstall it.

License Problems

Once a Terminal Server License Server is installed and activated with the appropriate number of licenses, things typically work well without any problems. You may, however, still encounter some licensing-related issues that bear discussion. Recall that a TS CAL is required for each client that logs on to a Terminal Server: each client must possess a valid TS CAL, issued by a Terminal Server Licensing Server, before it will be permitted to log on. If you receive messages similar to those below, you have license component problems.

■ The remote session was disconnected because there are no TS CALs available for this computer. Please contact the server administrator.


■ The remote session was disconnected because there are no Terminal Server License Servers available to provide a license. Please contact the server administrator.

Error messages such as these can indicate several different types of issues. First, verify that the license server is online and able to communicate on the network. It is also important to verify name resolution during this step. Next, ensure that the license server component has been activated properly. Check event logs on the license server and look for more subtle problems that simple connectivity checks will not spot.

Verify that the license server has a sufficient number of valid client licenses for your network, and that the licenses are valid. The Terminal Server draws licenses from the license server, so you should also ensure that these two servers can communicate with each other.

Finally, do not forget to check the clients. It is possible that the clients never received a valid license. After you have installed a Terminal Server, unlicensed clients are granted a 120-day grace period (from the date of first logon) during which they are allowed to connect to the Terminal Server without a valid TS CAL. After this 120-day grace period has ended, the Terminal Server will no longer allow these clients to connect unless it can locate a Terminal Server Licensing Server to issue them valid TS CALs. Should your clients start to have problems connecting to Terminal Servers around the 120-day mark, the lack of valid TS CALs should be the first thing you check.
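The connectivity, name-resolution, service and event-log checks just described can be scripted so they are run the same way every time. The Windows PowerShell script below is an added example, not from the book: the license server name is a constructed placeholder, and it assumes the Terminal Server is joined to an Active Directory domain so the Enterprise License Server publication in the configuration partition can be queried.

```powershell
# Added example (not from the book): triage checks for the Terminal Server
# licensing problems described above, run from the Terminal Server itself
# in Windows PowerShell. The license server name is a constructed placeholder.
param(
    [string]$LicenseServer = 'TSLICENSE01.example.local'   # placeholder name
)

$findings = @()

# 1. Name resolution: a stale DNS record is a common cause of the
#    "no Terminal Server License Servers available" message.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($LicenseServer) |
             ForEach-Object { $_.IPAddressToString }
    $findings += "Name resolution OK: $LicenseServer -> $($addrs -join ', ')"
} catch {
    $findings += "FAIL: cannot resolve $LicenseServer ($($_.Exception.Message))"
}

# 2. Basic reachability, plus the RPC endpoint mapper (TCP 135) that the
#    Terminal Server needs before it can talk to the licensing service.
if (Test-Connection -ComputerName $LicenseServer -Count 1 -Quiet) {
    $findings += "ICMP reachable: $LicenseServer"
} else {
    $findings += "WARN: $LicenseServer does not answer ICMP (may simply be filtered)"
}
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($LicenseServer, 135)
    $findings += "TCP 135 (RPC endpoint mapper) open on $LicenseServer"
} catch {
    $findings += "FAIL: TCP 135 closed or filtered on $LicenseServer"
} finally {
    $tcp.Close()
}

# 3. Is the Terminal Server Licensing service (TermServLicensing) running?
try {
    $svc = Get-Service -Name TermServLicensing -ComputerName $LicenseServer -ErrorAction Stop
    $findings += "TermServLicensing on $LicenseServer is $($svc.Status)"
} catch {
    $findings += "FAIL: cannot query TermServLicensing on $LicenseServer ($($_.Exception.Message))"
}

# 4. Enterprise License Servers are published in Active Directory under each
#    site as CN=TS-Enterprise-License-Server; its siteServer attribute lists
#    the servers that Terminal Servers find when they poll AD every 60 minutes.
try {
    $root = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$($root.configurationNamingContext)"
    $searcher.Filter = '(cn=TS-Enterprise-License-Server)'
    $results = $searcher.FindAll()
    if ($results.Count -eq 0) {
        $findings += 'No Enterprise License Server published in AD (Domain scope, or not yet registered)'
    }
    foreach ($r in $results) {
        $findings += "AD enterprise license servers: $($r.Properties['siteserver'] -join '; ')"
    }
} catch {
    $findings += "WARN: AD query skipped ($($_.Exception.Message))"
}

# 5. Recent warnings and errors from the TermService source in the System log,
#    where the subtler licensing failures mentioned above are recorded.
Get-EventLog -LogName System -Source TermService -EntryType Error,Warning -Newest 10 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "Event $($_.EventID) $($_.TimeGenerated): $($_.Message.Split("`n")[0])"
    }

$findings
```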

Test Day Tip

When faced with a troubleshooting question on the exam, focus on whether or not it is a connectivity issue. Underlying connection problems are often the root cause when you have problems in a Terminal Services environment.

Security Issues

As already discussed, Terminal Server in Windows Server 2003 supports four levels of client-server encryption. A mismatch between the server setting and the client's capabilities will prevent the client from connecting to the Terminal Server, especially where older legacy clients are still in use. Recall that the four available encryption settings are:

■ Low

■ Client Compatible

■ High

■ FIPS Compliant

Additional details on these encryption levels can be found in the “The General Tab” section earlier in the chapter.


Test Day Tip

You cannot change the encryption level using other Group Policy or Terminal Services configurations if FIPS compliance has already been enabled by the "System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing" GPO.

If you have any doubts about the encryption level capabilities of your clients, try setting this value to Client Compatible and attempting a connection. If this fixes the problem, you may want to consider upgrading the encryption capabilities of your clients.
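The Group Policy options listed earlier and the troubleshooting notes in this section (the password prompt that policy forces on the client, the encryption-level mismatch, the FIPS lock) all come down to which registry value is actually in effect on the server. The Windows PowerShell script below is an added example, not from the book: it reports the effective value and its source for a handful of those settings, applying the precedence the text describes (Group Policy over the local listener configuration). The registry paths and value names are the standard Terminal Services ones; the weak/strong judgements and the local location assumed for fEncryptRPCTraffic are this example's own.

```powershell
# Added example (not from the book): report the effective Terminal Services
# settings on this server and whether each comes from Group Policy (which
# wins) or from the local RDP-Tcp listener / server configuration.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$ServerKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    try { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-EffectiveTsSetting([string]$Name, [string]$LocalKey) {
    # Policy-delivered values take precedence over the local configuration.
    $v = Get-RegValue $PolicyKey $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'Group Policy' } }
    $v = Get-RegValue $LocalKey $Name
    if ($null -ne $v) { return @{ Value = $v; Source = 'Local' } }
    return @{ Value = $null; Source = 'Not set (default)' }
}

# Decoders translate raw DWORDs into the wording of the Terminal Services
# Configuration console; Weak returns $true for the choices this example flags.
$EncryptionLevels = @{ 1 = 'Low'; 2 = 'Client Compatible'; 3 = 'High'; 4 = 'FIPS Compliant' }
$ShadowModes = @{ 0 = 'Remote control disabled'; 1 = 'Full control, user permission required'
                  2 = 'Full control, no permission'; 3 = 'View only, permission required'
                  4 = 'View only, no permission' }

$checks = @(
    @{ Name = 'MinEncryptionLevel'; Key = $ListenerKey; Label = 'Set client connection encryption level'
       Decode = { param($v) if ($null -eq $v) { 'default' } else { $EncryptionLevels[[int]$v] } }
       Weak   = { param($v) ($null -ne $v) -and ([int]$v -lt 3) } }
    @{ Name = 'fPromptForPassword'; Key = $ListenerKey; Label = 'Always prompt client for password'
       Decode = { param($v) if ($v -eq 1) { 'Enabled' } else { 'Disabled' } }
       Weak   = { param($v) $v -ne 1 } }
    # Local location of fEncryptRPCTraffic is assumed; it is normally set by policy only.
    @{ Name = 'fEncryptRPCTraffic'; Key = $ListenerKey; Label = 'Secure Server (Require Security) for RPC'
       Decode = { param($v) if ($v -eq 1) { 'Required' } else { 'Not required' } }
       Weak   = { param($v) $v -ne 1 } }
    @{ Name = 'Shadow'; Key = $ListenerKey; Label = 'Remote control rules'
       Decode = { param($v) if ($null -eq $v) { 'default' } else { $ShadowModes[[int]$v] } }
       Weak   = { param($v) ($v -eq 2) -or ($v -eq 4) } }   # control or view without user consent
    @{ Name = 'fDisableCdm'; Key = $ListenerKey; Label = 'Do not allow drive redirection'
       Decode = { param($v) if ($v -eq 1) { 'Redirection blocked' } else { 'Redirection allowed' } }
       Weak   = { param($v) $v -ne 1 } }
    @{ Name = 'fDisableClip'; Key = $ListenerKey; Label = 'Do not allow clipboard redirection'
       Decode = { param($v) if ($v -eq 1) { 'Redirection blocked' } else { 'Redirection allowed' } }
       Weak   = { param($v) $v -ne 1 } }
    @{ Name = 'fSingleSessionPerUser'; Key = $ServerKey; Label = 'Restrict each user to one session'
       Decode = { param($v) if ($v -eq 1) { 'Enabled' } else { 'Disabled' } }
       Weak   = { param($v) $false } }
    @{ Name = 'MaxIdleTime'; Key = $ListenerKey; Label = 'Set time limit for idle sessions'
       Decode = { param($v) if ($v) { "$v ms" } else { 'Never' } }
       Weak   = { param($v) -not $v } }
)

$report = foreach ($c in $checks) {
    $eff = Get-EffectiveTsSetting -Name $c.Name -LocalKey $c.Key
    New-Object PSObject -Property @{
        Setting = $c.Label
        Value   = & $c.Decode $eff.Value
        Source  = $eff.Source
        Weak    = & $c.Weak $eff.Value
    }
}

# FIPS policy: once enabled it pins the RDP level to FIPS Compliant (see the
# Test Day Tip above). Newer Windows stores it as Enabled under a subkey;
# Windows XP / Server 2003 used a DWORD directly under the Lsa key.
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'
if ($null -eq $fips) { $fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'FIPSAlgorithmPolicy' }
$fipsText = if ($fips -eq 1) { 'Enabled (encryption level locked to FIPS Compliant)' } else { 'Disabled' }
$report += New-Object PSObject -Property @{
    Setting = 'System cryptography: Use FIPS-compliant algorithms'
    Value   = $fipsText
    Source  = 'Local Security Policy'
    Weak    = $false
}

$report | Format-Table Setting, Value, Source, Weak -AutoSize
```

A row whose Source is Group Policy cannot be changed from the Terminal Services Configuration console; the GPO must be edited, which is the situation the "Not Automatically Logged On" section describes.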


Summary of Exam Objectives

Terminal Services is a Windows component that allows users and administrators to connect to network resources using the Remote Desktop Protocol (or ICA, with Citrix client software) and obtain a desktop from a remote server. The connection transmits cursor and keyboard input from the client to the server, and transfers the image of the desktop with any running applications back to the client. This is called a screenshot. All applications that are run from within a session are executed on the server.

The Terminal Server role must be installed and configured after installation of the operating system. If the Terminal Services License component is not installed and configured correctly, Terminal Server connections will no longer be allowed 120 days after the first client connects. The Terminal Server role can be installed from either the Manage Your Server utility or via Add or Remove Programs in Control Panel. The Terminal Server License component can only be installed from Add or Remove Programs. There are three basic client tools that can be used to establish a Terminal Services connection (discussed in greater detail in Chapter 3).

The Terminal Services Manager console is the primary graphical tool for managing users who are connected to a server. It can be used to manage multiple servers simultaneously through a single interface. As an administrator, you can use this utility to monitor, connect to, disconnect from, log off, remotely control, and reset sessions. The Terminal Services Configuration utility can be used to configure new listener connections (RDP-Tcp connections) or modify the properties of existing ones, and control settings on a per-connection basis (applying to all users who connect to the Terminal Server via the connection). User account extensions are installed by default and add several tabs related to Terminal Services to the user account properties interface. These tabs enable you to control a wide range of Terminal Services settings on an individual per-user basis.

You can also use Group Policy to manage Terminal Services settings. Most settings that can be configured at the client, user account, or connection property levels have a corresponding Group Policy setting. When settings conflict between these various levels, the Group Policy settings always take precedence. There are some settings that can only be configured using Group Policy. In addition to these graphical utilities, Microsoft makes a wide range of command-line utilities for Terminal Services available. These are primarily designed for use in creating administrative scripts to automate tasks.

Finally, it is especially important to have a good understanding of the Terminal Services architecture. This makes it easier to troubleshoot problems that occur. Simple connection issues between a Terminal Server and the license server can cause severe problems. Because Terminal Services environments are much more complex than standard client-server environments, they often exhibit strange problems that require hours of research. The reasons for this are easy to understand when you consider that you have multiple users essentially using the same computer at the same time.


Exam Objectives Fast Track

The Need for Terminal Services: A Survey of Computing Environments

When using a centralized computing model, all of your resources are located on a central server or mainframe. Clients access resources remotely. The clients have very little intelligence or little if any processing power. All processing of data and its storage are done on the centralized CPU, Server, Terminal Server, or mainframe and only screenshots of output are sent to the client. Clients are generally thin clients or dumb terminals.

Using a centralized computing environment will mean that most of the costs associated with running this solution are placed on the Terminal Server, where all the intelligence and computing strength is.

When using a distributed computing model, you still have resources located on servers, but processing is done on both the server and the client. Clients are generally called “fat clients” and are characterized by a PC or workstation with its own CPU and disk storage. Files can be opened on the server, but the processing is done on the local PC.

A mixed environment is one in which you can have a mainframe with dumb terminals, thin clients with a Terminal Server, or PCs with servers in a client/server formation.

Introduction to Windows Server 2003 Terminal Services

Learning how to troubleshoot Terminal Services begins with the ability to analyze the design, placement, and practical use of the service in order to spot potential problems.

Since screenshots have to traverse the network to get from the server to the client utilizing the service, you have to think about the bandwidth available on the network so you know how latency will affect it. For example, if your WAN bandwidth is too saturated, you may see Terminal Services suffer in the form of disconnects, hesitation with keystrokes, and so on.

Windows Server 2003 offers Remote Desktop for Administration. This was formerly known as Terminal Services in Remote Administration mode, and allows you to remotely administer any server you have it configured on. This service was designed to allow you to manage your servers without actually being at the console.


Another portion of the Terminal Service is the Terminal Server Session Directory.

The Terminal Server Session Directory is a new feature that was created to allow users to easily reconnect to a disconnected session within a NLB Terminal Server farm.

When implementing the Session Directory Service, the Session Directory Server you configure should be a highly available network server that is not a Terminal Server for best results.

Installing and Configuring a Terminal Server

In order for a Windows Server 2003 computer to function properly as an application server, both the Terminal Server role and Terminal Server Licensing component must be installed.

The Terminal Server role can be installed from either the Manage Your Server utility or the Add or Remove Programs applet (or utility) in Control Panel.

The Terminal Server Licensing component can only be installed via Add/Remove Programs in Control Panel.

If the Terminal Server Licensing component is not installed or proper licenses are not configured on it, Terminal Server connections will be rejected when the evaluation period expires (120 days after the first client connection occurs).

Terminal Services Manager is the primary session management tool. It allows an administrator to monitor, connect to, disconnect from, log off, remotely control, and reset sessions.

The Terminal Services Configuration utility is used to create listener (RDP-Tcp) connections on the server, and to configure server settings that apply to all users who use a particular connection. There can only be one listener connection bound to each network card.

Connections can be used to control a wide range of user settings, from encryption levels to how long the user can remain connected.

Settings at the connection level, when enabled, override settings at the user and client property levels.

Terminal Services user account extensions are installed and enabled by default. They add additional tabs to the user account properties and enable administrators to control a wide range of settings on an individual basis. Most user level settings can be overridden at the connection level.

Group Policy can be used to control many of the same settings that can be configured at the connection, user, and client levels. When settings conflict between Group Policy and one of these other levels, the Group Policy settings take precedence.
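A practical way to see which setting is actually in force is to read the listener and the policy side by side. The following PowerShell script is an added example and is not code from this book; it assumes PowerShell is installed on the terminal server (or on an administrator's workstation that can reach it over WMI and the remote registry), that the listener is the default RDP-Tcp, and that the caller is a member of Administrators. The WMI classes, the policy registry values and the 1 to 4 encryption codes are the ones the Windows Server 2003 Terminal Services provider uses; the $Server parameter is an assumption of the example.

```powershell
# Added example, not from the book. Audits the RDP-Tcp listener of a
# Windows Server 2003 terminal server and shows where Group Policy overrides
# it. Assumes PowerShell and administrative rights; $Server is the target.
param([string]$Server = $env:COMPUTERNAME)

# Encryption codes as stored by Terminal Services Configuration
$levels = @{ 1 = 'Low (56-bit)'; 2 = 'Client Compatible'; 3 = 'High (128-bit)'; 4 = 'FIPS Compliant' }
$ns = 'root\cimv2\TerminalServices'

# Connection-level (listener) settings
$general = Get-WmiObject -ComputerName $Server -Namespace $ns -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
$session = Get-WmiObject -ComputerName $Server -Namespace $ns -Class Win32_TSSessionSetting -Filter "TerminalName='RDP-Tcp'"

'Listener encryption         : {0}' -f $levels[[int]$general.MinEncryptionLevel]
'Listener disconnected limit : {0} min' -f ($session.DisconnectedSessionLimit / 60000)   # stored in ms
'Listener idle limit         : {0} min' -f ($session.IdleSessionLimit / 60000)

# Group Policy values, if a GPO sets them, land under this key and win over
# both the listener and the user account tabs.
$hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
$pol  = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services')
$polEnc = $null; $polDisc = $null
if ($pol) {
    $polEnc  = $pol.GetValue('MinEncryptionLevel')
    $polDisc = $pol.GetValue('MaxDisconnectionTime')
    if ($polEnc  -ne $null) { 'Policy encryption           : {0} (overrides listener)' -f $levels[[int]$polEnc] }
    if ($polDisc -ne $null) { 'Policy disconnected limit   : {0} min (overrides listener)' -f ($polDisc / 60000) }
}

# Effective value is the policy one where set, the listener one otherwise
$effEnc = if ($polEnc -ne $null) { [int]$polEnc } else { [int]$general.MinEncryptionLevel }
if ($effEnc -lt 3) {
    # "128-bit only" means High on the listener. Only change the listener when
    # no policy is dictating the value; otherwise the GPO is what must change.
    if ($polEnc -eq $null) {
        $general.SetEncryptionLevel(3) | Out-Null
        'Listener encryption raised to High (128-bit)'
    } else {
        'Encryption below 128-bit is enforced by Group Policy; change the GPO, not the listener'
    }
}
```

Run it once before and once after applying a Terminal Services GPO and the precedence described above becomes visible: the listener value stays as you set it in Terminal Services Configuration, but the policy value is the one the server enforces.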


Terminal Server Licensing

To install Licensing, go to Start | Control Panel | Add or Remove Programs and select the Add Windows Components icon. Once you do, simply add the Terminal Services Licensing option. You have to know how to configure Licensing for the exam.

The Licensing tool can be found by going to Start | Administrative Tools | Terminal Server Licensing. This tool helps you keep track of license usage.

With the Terminal Services Licensing tool, you can install and configure licensing fairly quickly and with little effort. Once configured, you have essentially created a "license server" for your organization.

When you activate a license server, Microsoft provides the server with a digital certificate that validates server ownership and identity. Using this certificate, the license server can make subsequent transactions with Microsoft to receive client licenses for the servers that have Terminal Services enabled.

You cannot deactivate or reactivate a license server by using either the fax or World Wide Web (WWW) connection methods. If you reactivate a license server, a record of your licenses is retained. Licenses that were already issued remain valid. If you have any unissued licenses, these licenses are also valid, but Microsoft must reissue them.

Troubleshooting Terminal Services

Licensing error messages can occur because the Terminal Server cannot contact the license server, or because the client's license has become corrupt.

If clipboard mapping fails between the client and server, the client may have become corrupted and should be removed and reinstalled. Note, however, that even when it works you do not have full clipboard functionality between the local computer and the Terminal Server session: you can cut and paste data, but not files and folders.
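When the symptom is "everyone could log on yesterday and nobody can today", the first things to rule out are the 120-day grace period, license server discovery and connectivity. The following PowerShell script is an added example, not the book's code; it assumes PowerShell 2.0 or later on the terminal server and administrative rights. The LicenseServers registry key is the one Windows Server 2003 reads for preferred license servers and TCP 135 is the RPC endpoint mapper that licensing traffic goes through; the TermService event IDs listed are the licensing events logged on Windows Server 2003, but treat that list as an assumption to confirm against your own System log.

```powershell
# Added example, not from the book. Quick checks on a Windows Server 2003
# terminal server that has started rejecting logons with a licensing error.
# Run on the terminal server as an administrator (PowerShell 2.0 or later).

# 1. Which license servers is this terminal server told to use? Each preferred
#    server is a subkey of this key; with none, discovery falls back to the
#    enterprise license servers published in Active Directory or the domain.
$lsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters\LicenseServers'
$servers = @()
if (Test-Path $lsKey) { $servers = @(Get-ChildItem $lsKey | ForEach-Object { $_.PSChildName }) }
if ($servers.Count -eq 0) { 'No preferred license server set; relying on discovery' }

# 2. Can the terminal server reach them? License requests travel over RPC, so
#    the endpoint mapper (TCP 135) must answer before anything else can work.
foreach ($ls in $servers) {
    $reachable = $false
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($ls, 135)
        $reachable = $tcp.Connected
        $tcp.Close()
    } catch { }
    '{0,-25} RPC endpoint mapper reachable: {1}' -f $ls, $reachable
}

# 3. What has TermService logged? 1004 = cannot issue a client license,
#    1010/1011 = license server not found or unreachable, 1028 = no license
#    server discovered. Any of these after day 120 of the grace period means
#    connections are refused until a license server holding TS CALs answers.
$licenseEvents = 1004, 1010, 1011, 1028
Get-EventLog -LogName System -Newest 500 |
    Where-Object { $_.Source -eq 'TermService' -and $licenseEvents -contains $_.EventID } |
    Select-Object TimeGenerated, EventID, Message |
    Format-Table -AutoSize -Wrap

# Client side: a corrupt per-device license is cleared by removing
# HKLM\SOFTWARE\Microsoft\MSLicensing on the client (as an administrator) and
# reconnecting; the license server issues a fresh one on the next logon.
```

If step 2 fails for every server, the problem is the network or the license server itself; if it succeeds but step 3 still shows 1004 events, the license server is up but has no TS CALs installed or activated, which is the "proper licenses are not configured on it" case described above.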


Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: There seem to be a number of different utilities that can be used to connect to Terminal Services and establish a session. Which one is the primary client tool for end users?

A: The Remote Desktop Connection utility is the primary end user connection tool. It comes pre-installed with Windows XP and Windows Server 2003 and can be installed on Windows 9x, NT, and 2000 computers. It can be used to save connection settings to a file so that reconfiguration is not necessary when connecting to different servers. It also has a wide range of options that allow for optimization over almost any bandwidth. It includes several improvements over the Windows 2000 Terminal Services client, including the ability to redirect audio from the server to the client.

Q: Yesterday I was able to connect to our Terminal Server with no problems, but this morning no one can log on. We keep getting a license message. What's going on?

A: It sounds as if you may have hit the 120-day limit. In a nutshell, you have 120 days from your first Terminal Server client connection to install and configure the Terminal Server License component. Microsoft provides this evaluation period so you can try the Terminal Server role and decide whether you want to use it before having to purchase TS CALs. After this time, you will not be able to establish a session unless you install the License Server component and install at least one client license.

Q: What is the best utility to use for managing existing client connections?

A: Terminal Services Manager is designed for just this purpose. It allows you to monitor, connect to, disconnect from, log off, remotely control, and reset sessions. Using it, you can manage all of your servers from one interface.

Q: Can Group Policy be used to manage Terminal Services?

A: In Windows Server 2003, there are approximately 50 dedicated Terminal Services settings in Group Policy. Using them, you can manage just about everything you can possibly imagine. These Group Policy settings override conflicting settings in other utilities, allowing for centralized management consistency.


Q: I am considering clustering two Terminal Services servers in a NLB cluster. I would like to make sure that this solution is reliable, as the Terminal Server will be hosting some mission critical applications. It should be highly available, hence the NLB cluster, and it should be reliable. What advancements in Windows Server 2003 are available to add reliability to my NLB clustered Terminal Server solution?

A: The Session Directory service itself runs on any edition of Windows Server 2003, so the Session Directory server does not need to be Enterprise or Datacenter Edition. The terminal servers that participate in a Session Directory-enabled farm, however, must run Windows Server 2003, Enterprise Edition or Windows Server 2003, Datacenter Edition (including the 64-bit editions of the Windows Server 2003 family). Also note that the Session Directory server you configure should be a highly available network server that is not itself a Terminal Server.

Q: As a newly minted MCSA on Windows Server 2003, I need to design and configure a Terminal Server solution in a new company. There are 20 existing workstations, and there is a need for a total of 50 users. All 50 users need to have access to file and print services, Active Directory, and a new financial application called "Money-Maker." This application is updated with new software updates once a week. There is also a need for 5 CAD workstations for the production engineering team. What would you recommend that I design for this solution?

A: You need to design a mixed environment. Simply put, a mixed environment is one that combines computing models as the workload dictates: a mainframe with dumb terminals, thin clients connecting to a Terminal Server, and PCs working with servers in a client/server arrangement. Here, the 20 existing workstations and the additional thin clients can run Money-Maker from a Terminal Server, so the weekly update is applied once on the server rather than on 50 desktops, while the 5 CAD workstations stay as full PCs because CAD work needs local graphics and processing power. You get the best of all worlds and use resources where you need them, fitting each part of the business with the technology that suits it best.

Q: I am trying to configure the Windows Server 2003 Remote Desktop Connection client but cannot connect at the color depth I am choosing. For some reason, no matter what I choose, I cannot connect using that setting. What could the problem be?

A: When you connect to a Windows Server 2003-based computer by using the Windows Server 2003 Remote Desktop Connection client, you can request the color depth you want in the client, but you are not guaranteed to receive it when you connect. The server negotiates the color depth it will deliver: the Client Settings of the connection in Terminal Services Configuration (or the corresponding Group Policy setting) can cap it at a lower value, and the client's display hardware and the available bandwidth also play a part. Because several variables go into this selection, you may not always get the color depth you asked for.


Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

The Need for Terminal Services: A Survey of Computing Environments

1. Jim is the systems administrator for NVC Corporation, the makers of world famous widgets. NVC Corporation has 20 Windows Server 2003 servers, and 200 Windows XP Professional and Windows 2000 Professional client workstations. Management would like to deploy services to three new remote sites. The need is to deploy a single application to five remote users at each site. Jim has been tasked with designing a brand new Terminal Services infrastructure. Jim needs to choose a computing model. Which model does Jim require?

A. Centralized Computing Model

B. Distributed Computing Model

C. Mixed Environment

D. Terminal Services should not be used here

2. Jake is the systems engineer for Runners Inc. Runners Inc. has 30 Windows Server 2003 servers, and 500 Windows XP Professional and Windows 2000 Professional client workstations. Jake's boss has asked him to help in the development of a new solution for two small branch offices that will be used to deploy two applications to approximately 10 users at each office. Jake has been asked to explain where most of the cost would lie. What is the best answer Jake could offer?

A. The clients

B. The Terminal Server

C. A PC workstation at each site

D. You should not use a Terminal Server solution


Introduction to Windows Server 2003 Terminal Services

3. Several components use the Terminal Services service in Windows Server 2003. Which of the following are used primarily for remote administration? (Select all that apply.)

A. Remote Desktop for Administration

B. Remote Assistance

C. The Terminal Server Role

D. The RDP protocol

4. One of your co-workers asks how to install Terminal Services on his newly installed Windows Server 2003 server so he can perform administrative tasks on the server. Which of the following is the correct advice to give him?

A. Add the Terminal Server role from the Manage Your Server utility.

B. Add the Terminal Server role from the Add or Remove Programs utility.

C. The Terminal Server role is installed by default.

D. Do nothing.

5. A co-worker asks you what type of system can be used as a thin client to a Windows Server 2003 Terminal Server. Which of the following answers would you give her? (Select all that apply.)

A. A PDA running Windows CE

B. A PDA running Windows Pocket PC

C. A desktop computer running Macintosh OS X

D. A desktop computer running Windows 95

Installing and Configuring a Terminal Server

6. Will is the systems administrator for Wiley's, the makers of world famous pretzels. Wiley's has 20 Windows Server 2003 servers, and 200 Windows XP Professional and Windows 2000 Professional client workstations. Will needs to ensure that clients can connect to his Terminal Servers using only 128-bit encryption. What encryption option should he select?

A. High

B. FIPS Compliant

C. Low

D. Client Compatible


7. Andrew is the systems administrator for NVC Corporation, the makers of widgets. NVC Corporation has 20 Windows Server 2003 servers, and 200 Windows XP Professional and Windows 2000 Professional client workstations. Andrew needs to configure a Server Role. Where in the Windows Server 2003 interface can Andrew configure a Server Role?

A. He can use the Control Panel.

B. He can use the Administrative Tools MMC.

C. He can use the Local Security MMC.

D. He can use the Manage Your Server utility.

8. Barbara is the systems engineer for Runners, Inc. Runners, Inc. has 30 Windows Server 2003 servers, and 500 Windows XP Professional and Windows 2000 Professional client workstations. Barbara needs to deploy two new Windows Server 2003 systems to two remote offices, one in each. She is sending the servers to the remote sites and has hired Jimmy, an MCSE certified consultant, to set up and configure the two servers. Jimmy needs to set up one as a File and Print Server and the other as a Terminal Server. From which utility can Jimmy quickly set up and deploy the two servers using Server Roles?

A. He can use the Active Directory Sites and Services console.

B. He can use the Active Directory Users and Computers console.

C. He can use the Manage Your Server utility.

D. Barbara needs to do it remotely; she can use the Maintain Your Server console.

9. You have been asked to create and configure a new Terminal Services connection that will allow users to connect only with 128-bit encryption.Which of the following utilities will you use to accomplish this task?

A. Terminal Services Manager

B. Terminal Services Configuration

C. Terminal Server Licensing

D. Remote Desktops MMC

10. You recently implemented a Terminal Server at your company. Right from the start, you notice that performance is slow.You carefully benchmarked and stress tested your beta system, and you thought you had planned for any amount of capacity that would be required. Upon further investigation, you notice that most of the resources are being taken up by disconnected sessions, some of which are days old.You decide to set a timeout for the termination of disconnected sessions.Which of the following could you use to set the timeout? (Select all that apply.)


A. The properties of user accounts

B. The properties of connections in the Terminal Services Configuration utility

C. Group Policy

D. The server properties in the Terminal Services Manager utility

11. One of your co-workers has been reading up on Terminal Services and asks if she can run a few questions by you to see if she understands the concepts.Which of the following statements will you tell her are accurate? (Select all that apply.)

A. Many Terminal Services settings have a corresponding setting in Group Policy.

B. In Group Policy, Terminal Services settings can be found under both the User and Computer Configuration nodes.

C. When different Terminal Services settings are specified at the user properties, connection properties and Group Policy levels, the connection properties are the effective settings.

D. Group Policy can be used to prevent an administrator from being forcibly logged off from a console session when another administrator is attempting to connect.

12. Jess is the systems engineer for Runners, Inc., the makers of really fast sneakers. Runners, Inc. has 30 Windows Server 2003 servers, 30 Windows 98 PCs, and 500 Windows XP Professional and Windows 2000 Professional client workstations. Jess needs to configure 56-bit encryption for his clients. What encryption option should Jess select?

A. FIPS Compliant

B. Client Compatible

C. High

D. Low

Terminal Server Licensing

13. Another administrator in a different region of the country is installing the Terminal Server role. Knowing that you recently did this, the administrator asks for your advice. You mention to him that he must also be sure to install the Terminal Server License component. What will you tell him about installing this component?

A. That the License Server role must be installed from the Manage Your Server utility.

B. That Terminal Server License must be selected and installed from Add or Remove Programs.


C. That the License Server is automatically installed with Terminal Services.

D. That the License Server does not come with Windows Server 2003 and must be purchased separately.

Troubleshooting Terminal Services

14. Several months ago, you installed the Terminal Server role on one of the servers at your company. This morning, clients are having difficulty connecting to Terminal Services but are still able to use file and print services on the server. The error message says it is a licensing issue but you are sure that you properly licensed your Windows Server 2003 server, as well as all of your client systems. What might be causing this? (Select all that apply.)

A. The temporary evaluation period has expired.

B. You failed to properly configure Terminal Services client licenses on the license server.

C. The server was installed with a temporary license code, which has expired.

D. You did not properly install a license server.

15. Your network uses Windows NT clients running the Terminal Services Client Connection Manager utility. The user working next to you notices that when you connect to a Terminal Server, you are automatically logged in, while she is always prompted for a password. She asks if you can help to configure her system to automatically log on as well. Which of the following will you recommend?

A. Configure Automatic logon on the General tab in the Properties of the connection, and enter the appropriate logon credentials in the User name, Password and Domain text boxes.

B. Log on to her Windows 2000 client using your user name and password.

C. Configure Always use the following logon information: on the Logon Settings tab in the connection properties of the Terminal Services Configuration utility.

D. Configure the User name, Domain, Password, and Confirm password text boxes on the Logon Settings tab for the connection in the Terminal Services Configuration utility.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. A

2. B

3. A, B

4. D

5. A, B, C, D

6. A

7. D

8. C

9. B

10. A, B, C

11. A, B, D

12. D

13. B

14. A, B, D

15. A


271_70-292_03.qxd 8/21/03 2:04 PM Page 127

Chapter 3

MCSA/MCSE 70-292

Managing and Maintaining Remote Servers

Exam Objectives in this Chapter:

3.2 Manage servers remotely

3.2.1 Manage a server by using Remote Assistance

3.2.2 Manage a server by using Terminal Services remote administration mode

3.2.3 Manage a server by using available support tools

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


Introduction

The network administrator's daily tasks can be made easy or difficult depending on the number and quality of administrative tools they have available for performing those tasks. In Windows Server 2003, Microsoft provides administrators with a wealth of graphical and command-line utilities for carrying out their job duties. (Appendix A provides a detailed listing of some of those utilities.) The Administrative Tools menu contains predefined management consoles for configuring and managing most of Windows Server 2003's services and components, including Active Directory tools, Domain Name System (DNS) tools, security policies, Licensing, Routing and Remote Access, Terminal Services, Media Services, and more. Administrators can also create customized Microsoft Management Consoles (MMCs), which make it easier to perform tasks and to delegate administrative tasks to others. Network administrators can create consoles for specific purposes and enable only limited user access to them. For those who prefer the power and flexibility of the command line, many of these same administrative tasks can be performed with command-line utilities, as well as other tasks that have no graphical user interface (GUI) at all. Windows Server 2003 includes a large number of command-line utilities, including dozens of new ones that were not included in Windows 2000 Server.

But what does the network administrator do when they cannot physically access a server to perform their required administrative tasks? Microsoft provides a wealth of remote administrative tools (and tools that have the ability to connect to remote servers). This chapter examines the general types of management tools that are available for keeping servers and networks running smoothly. It then covers the remote management tools that are available for Windows Server 2003.

Note

The use of the command line for management is not just limited to those administrators with the budget to support third-party add-ons such as KiXtart (www.kixtart.org). Windows Server 2003 makes it easier than ever to create powerful script- and batch file-based management solutions from the command line with its wide selection of tools and intuitive online help system.

Exam 70-292 Objective 3.2.3

Types of Management Tools

A number of administrative tools are available, which are located in many different places. It can be daunting for a new Windows Server 2003 system administrator to know where to start to look. Experience brings familiarity, but even experienced administrators occasionally discover a tool that they have not seen before.This section reviews where most of the common administrative tools are located, including:


Administrative Tools folder

Custom MMC consoles

Command-line utilities

Wizards

Windows Resource Kits

The “Run as” command

Administration Tools Pack (adminpak.msi)

Windows Management Instrumentation (WMI)

Computer Management Console

Administrative Tools Folder

The Administrative Tools folder contains many of the most common administrative tools. This folder can be located by clicking Start | Programs | Administrative Tools. Figure 3.1 shows the tools that may be found on a domain controller in the Administrative Tools folder. Another way to access the Administrative Tools folder is by clicking Start | Settings | Control Panel and then double-clicking the Administrative Tools icon.

Figure 3.1

Tools in the Administrative Tools Folder


Note

The items in the Administrative Tools menu folder are shortcuts, rather than the programs or console files themselves. Many of the actual management console files (.MSC files) are located in the %systemroot%\system32 folder, as seen in Figure 3.2.

The location of an .MSC file can be found by right-clicking the shortcut in the right pane (shown in Figure 3.2), selecting Properties, and then checking the Target field on the Shortcut tab.

Figure 3.2

Locating the Administrative Tools

Note

If you want specific tools to be available in the menu only when the Administrator account (or another specific account) is logged on, you can copy the shortcuts for those tools from the All Users | Start Menu | Programs | Administrative Tools folder to the same folder under that user's profile (for example, Administrator | Start Menu | Programs | Administrative Tools).

Several of the management tools located in the Administrative Tools folder are discussed later in this chapter.


Custom MMC Consoles

The MMC is the framework for nearly all Windows graphical administrative tools. It provides an empty console to which the network administrator can add their favorite or necessary administration tools. The idea is that all administrative tools have a common look and feel and that the management tool for an administrative task, such as adding users and groups, is written as a snap-in for an MMC. The administrator can then choose which snap-ins to have in a console, or use one of the many pre-configured consoles found in the Administrative Tools folder. Some of the MMC snap-ins can be used to manage remote computers as well as the local computer (assuming the administrator has the appropriate rights on the remote computer). Many vendors of third-party management tools are also starting to provide snap-ins for their products that can be added to MMC consoles.

Note

Some of the tools in the Administrative Tools folder, such as the Licensing tool, are standalone programs that do not work with an MMC. When you look at the properties of those shortcuts, you will find that the target files are executables (.EXEs) instead of MMC console files (.MSCs).
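To see for yourself which entries in the Administrative Tools menu are console files and which are standalone programs, resolve the shortcuts to their targets instead of opening each Properties sheet. The following PowerShell script is an added example and is not from the book; it assumes PowerShell is installed on the server and uses the default All Users profile path of Windows Server 2003.

```powershell
# Added example, not from the book. Lists every shortcut in the All Users
# Administrative Tools folder with its real target, separating MMC console
# files (.msc) from standalone executables (.exe). Assumes PowerShell on the
# server and the default All Users Start Menu location.
$shell  = New-Object -ComObject WScript.Shell
$folder = Join-Path $env:ALLUSERSPROFILE 'Start Menu\Programs\Administrative Tools'

Get-ChildItem $folder -Filter *.lnk | ForEach-Object {
    # The shortcut object exposes the same Target field as the Properties sheet
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    $kind = switch -regex ($target) {
        '\.msc$' { 'MMC console' }
        '\.exe$' { 'standalone program' }
        default  { 'other' }
    }
    # One record per shortcut; calculated properties keep this PowerShell 1.0 friendly
    $_ | Select-Object @{n='Shortcut'; e={$_.BaseName}},
                       @{n='Kind';     e={$kind}},
                       @{n='Target';   e={$target}}
} | Sort-Object Kind, Shortcut | Format-Table -AutoSize
```

The .msc targets it reports can be opened directly against another computer; for example, mmc compmgmt.msc /computer=servername opens Computer Management focused on that server rather than the local one, which is the basis of much of the remote management covered later in this chapter.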

After an MMC has been created, it can be saved as a standalone file and even e-mailed to another administrator to use. Possession of an MMC file does not in itself give a user any additional rights. For example, if a network administrator e-mails an MMC file with the Disk Management snap-in to a non-administrative user, that user will not be able to complete any disk management tasks even though they can see the snap-in.

MMC consoles can also be configured to prevent anyone from changing them. A console can be saved in one of four modes, each of which has varying restrictions. Table 3.1 shows the four modes and the functionality of each. You can create your own customized MMC consoles by performing the steps outlined in Exercise 3.01.

Table 3.1 MMC Console Modes

Console Mode                                  Functionality
Author mode                                   Full access to the MMC and the ability to change all aspects.
User mode - full access                       Full access to the windowing commands but cannot add or remove snap-ins.
User mode - limited access, multiple window   Access only to the areas of the console as it was when saved. Can create new windows but not close existing windows.
User mode - limited access, single window     Access to the console as it was when saved. Cannot open new windows.


Exercise 3.01 Creating a Custom MMC

1. Click Start | Run and type mmc in the dialog box. An empty MMC console appears, as seen in Figure 3.3.

Figure 3.3

Creating a Customized MMC

2. Select File | Add/Remove Snap-in.

3. In the Add/Remove Snap-in dialog-box, click the Add button.

4. In the Add Standalone Snap-in dialog box, scroll through the list and select a snap-in you want contained in your custom console and then click the Add button.

5. Continue to add snap-ins as desired.

6. Click Close in the Add Standalone Snap-in dialog box, and then click OK in the Add/Remove Snap-in dialog box.

7. Your customized MMC console is now ready and may look similar to Figure 3.4.


Figure 3.4

Examining the Customized MMC Console

8. To save this console for future use, select File | Save. In the File name field, type CustomConsole and then click Save. The console is saved, by default, in the Administrative Tools folder of the currently logged in user.

9. To change the mode the console operates in, select File | Options. The Options dialog box appears, as seen in Figure 3.5, allowing you to change the mode.

Figure 3.5

Configuring the Console Mode

10. Close the console, saving it if prompted.


Test Day Tip

Make sure that you are familiar with creating custom MMC consoles to manage local and remote servers. Practice creating your own consoles and adding snap-ins to manage the local computer and remote servers.

Command-Line Utilities

As the name suggests, command-line utilities are designed to be run in a command window or as part of batch files or scripts. Administrators are forever looking for ways to simplify administration, and using command lines in batch files is a very good way of handling routine, repetitive tasks. Some administrative tasks can be performed by using only a graphical interface, some by using only a command-line utility, and others can be done using either.

Some command-line utilities are written using a language that must be run using a scripting host such as Windows cscript, and others run as compiled programs or executables. Command-line utilities are harder to find because they are not in any of the Start menus (although they can be added). A good place to look for information is in Windows Help and Support. A search on Command-line Reference provides an alphabetical listing of Windows command-line tools. In addition, Appendix A of this book has a command-line utility reference.

Wizards

Wizards guide the network administrator through potentially complex tasks by taking them through a series of dialog boxes where they answer questions or make choices. Wizards are essentially wrappers around the underlying graphical- or command-line-based tool. Each version of Windows increases the number of wizards in an attempt to make administration easier for the inexperienced administrator. However, in some cases it can be quicker for the experienced administrator to perform a task directly using the appropriate administrative tools rather than using a wizard. Many wizards can be accessed by opening the Manage Your Server tool and the Configure Your Server Wizard in the Administrative Tools folder.

Note

As the Microsoft Windows operating system evolves, more wizards are added because the operating system itself continues to grow more complex. Understanding the wizards available will help you perform complex tasks quickly at first. As you increase your skills, you may find yourself moving on to other means of accomplishing these tasks, such as the command line.


Windows Resource Kits

The Windows Server 2003 Resource Kit and the Windows Server 2003 Deployment Kit each provide a wealth of tools for administrators to use to manage Windows servers in a large network. If you are responsible for many servers, you should definitely consider acquiring the Resource Kit for your products. You can visit the Microsoft Resource Kit Web page at www.microsoft.com/windows/reskits/default.asp.

The Run as Command

It is good practice for administrators not to log on using an account that has administrative rights. This prevents accidental changes to the file server, viruses having more access than they otherwise would have, and so on. Administrators should log on using an ordinary user account, and when they need to perform an administrative task they can use the Run as option to choose an administrator account. Run as is available by right-clicking an item in the Start menu, as seen in Figure 3.6.

Figure 3.6

The Run as Command

The Run as option will not appear in the right-click context menu for every Start menu item, only for executables, management consoles, and other programs that can be run. The runas command can also be used from a command prompt for command-line utilities. Start a command prompt and then type runas /user:administrator cmd. After you enter the Administrator account's password, this starts a new command prompt running with that account's privileges; anything you launch from that window inherits them, so close it as soon as the administrative task is done.
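The same least-privilege habit can be enforced in a script, so that administrative work cannot accidentally be started from the everyday logon. The following PowerShell script is an added example, not the book's code; it assumes PowerShell is installed on the computer, and the account name in $AdminAccount is an assumed placeholder to replace with your own.

```powershell
# Added example, not from the book. Refuses to do administrative work from
# an ordinary user logon and relaunches through runas instead. Assumes
# PowerShell is installed; $AdminAccount is an assumed placeholder name.
param([string]$AdminAccount = 'CORP\jsmith-admin')

function Test-IsAdmin {
    # Checks the token of the current process, not just group membership in AD
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$me = [Security.Principal.WindowsIdentity]::GetCurrent().Name
if (-not (Test-IsAdmin)) {
    "Logged on as $me, which is not an administrator; relaunching with runas."
    # runas prompts for the password each time. Avoid /savecred: it stores the
    # password in Stored User Names and Passwords, so anyone at this desktop
    # can later run as the admin account without being asked for it.
    runas /user:$AdminAccount "cmd /k whoami /groups"
    exit
}

"Running as $me (administrator). Do the task, then close this window."
# ... administrative commands go here ...
```

The whoami /groups call in the relaunched window is there so you can confirm that the new prompt really carries the Administrators group before you do anything with it.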


Administration Tools Pack (adminpak.msi)

The Windows Server 2003 Administration Tools Pack (sometimes referred to as the Admin Pack) is used on client computers running Windows XP Professional to provide management tools for Windows Server 2003 computers. The client computer on which the administrator is installing the Administration Tools Pack must have Windows XP Service Pack 1 applied.

The Administration Tools Pack can be installed from the adminpak.msi file, which is found on the Windows Server 2003 CD or in the system32 folder of a computer running Windows Server 2003. Double-click the adminpak.msi file to install the tools.

After the tools are installed, all of the Administrative Tools mentioned earlier in this section are available on the Windows XP computer, and the network administrator can perform server and network administrative tasks from the Windows XP client. In particular, this includes tools for server-based services such as DNS, Dynamic Host Configuration Protocol (DHCP), and Active Directory.

TEST DAY TIP

The Windows Server 2003 Administration Tools Pack can only be installed on computers running Windows XP Professional or later. However, they can be used to manage servers running Windows 2000 Server as well as Windows Server 2003.

Windows Management Instrumentation

WMI provides an object-based method for accessing management information in a network. It is based on the Web-Based Enterprise Management (WBEM) standard specified by the Distributed Management Task Force (DMTF) organization, and is designed to enable the management of a wide range of network devices.WMI is Microsoft’s implementation of WBEM for Windows operating systems.

WMI is used with programs or scripts to retrieve management information or change the configuration of Windows computers. Using WMI is not trivial, however, and generally requires scripting or programming skills. WMI can also be used from the command line by typing WMIC at a command prompt, but this requires knowledge of the WMI classes and their properties. For more information on this topic, refer to Microsoft's WMI Software Development Kit. Some enterprise Microsoft tools, such as Systems Management Server (SMS) and the Health Monitor for the BackOffice suite of products, use WMI to manage computers. For more information on WMI, go to www.microsoft.com/windows2000/techinfo/howitworks/management/wmiscripts.asp.
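The following Python script is an added example, not part of this book or of Microsoft's WMI documentation, of scripting WMI without writing against the COM API: it runs WMIC against a list of servers with /format:csv and parses the result, using the os alias (the Win32_OperatingSystem class) to collect each server's last boot time. The server names SRV01 and SRV02 and the offline sample output are constructed for the example.

```python
import csv
import subprocess
import sys
from typing import Dict, List

# Constructed sample of what
#   wmic /node:SRV01,SRV02 /format:csv os get Caption,CSName,LastBootUpTime
# prints on Windows Server 2003: a blank line, a header row (WMIC prepends a Node
# column), then one row per queried computer. Server names and values are invented.
SAMPLE_WMIC_OUTPUT = """
Node,Caption,CSName,LastBootUpTime
SRV01,Microsoft(R) Windows(R) Server 2003 Standard Edition,SRV01,20030815093012.000000-240
SRV02,Microsoft(R) Windows(R) Server 2003 Enterprise Edition,SRV02,20030820220455.000000-240
"""


def decode_wmic_output(raw: bytes) -> str:
    """WMIC writes UTF-16 with a byte-order mark when its output is redirected;
    otherwise fall back to the console code page (or UTF-8 off Windows)."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    codec = "mbcs" if sys.platform == "win32" else "utf-8"
    return raw.decode(codec, errors="replace")


def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Parse /format:csv output into one dict per returned WMI instance,
    dropping the leading blank line and any stray CR characters."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    return [dict(row) for row in csv.DictReader(lines)]


def build_wmic_command(nodes: List[str], alias: str, properties: List[str]) -> List[str]:
    """Argument list for a multi-node WMIC query. 'alias' is a WMIC alias such as
    os (Win32_OperatingSystem) or service (Win32_Service); 'properties' are
    property names of the underlying class."""
    return ["wmic", "/node:" + ",".join(nodes), "/format:csv",
            alias, "get", ",".join(properties)]


def query_nodes(nodes: List[str], alias: str, properties: List[str]) -> List[Dict[str, str]]:
    """Run WMIC against the given computers and return the parsed rows.
    WMIC connects with the caller's credentials (DCOM to each node), so run this
    under an account that has administrative rights on the targets."""
    completed = subprocess.run(build_wmic_command(nodes, alias, properties),
                               capture_output=True, check=True)
    return parse_wmic_csv(decode_wmic_output(completed.stdout))


def boot_times(rows: List[Dict[str, str]]) -> Dict[str, str]:
    """Node -> LastBootUpTime as a CIM datetime string (yyyymmddHHMMSS.ffffff+offset)."""
    return {row["Node"]: row["LastBootUpTime"] for row in rows}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a real network use
    # query_nodes(["SRV01", "SRV02"], "os", ["Caption", "CSName", "LastBootUpTime"]).
    for node, booted in boot_times(parse_wmic_csv(SAMPLE_WMIC_OUTPUT)).items():
        print(f"{node}: last boot {booted}")
```

Driving WMIC this way keeps the WMI class knowledge in one place (the alias and property names) while the rest of the script only deals with CSV; the same parser works for any alias, for example service get Name,StartMode,State to confirm that Terminal Services is running on every server.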

Computer Management Console

The Computer Management console is available on client and server computers to perform management tasks and is itself a pre-configured MMC console. Click Start | Programs | Administrative Tools | Computer Management to open the Computer Management console. Alternatively, you can right-click the My Computer icon and select Manage.

You can also use the Computer Management console to connect to another computer (providing you have the appropriate rights). Select Action | Connect to another computer and then enter the name of the remote computer in the Another computer dialog box, or browse for it by clicking the Browse button.

EXAM 70-292 OBJECTIVE 3.2

Using Terminal Services Components for Remote Administration

How often have you had to walk to the other end of a building to perform a server task or, even worse, had to drive or fly to another office? One of the main goals for any administrator is to be able to manage all of the servers without leaving their desk; this provides for faster administration and the ability to lock servers away in a secure server room. Windows Server 2003 provides a variety of methods to remotely manage servers depending on the scenario.

Most of what is new in Windows Server 2003 Terminal Services relates to remote administration. Microsoft listened to customer feedback and made major improvements to Terminal Services. The test objectives focus on two major Terminal Services components: Remote Desktop for Administration and Remote Assistance. Although a predecessor to Remote Desktop for Administration (Terminal Services in remote administration mode) existed in Windows 2000, many changes were made for Windows Server 2003. Remote Assistance is a new component for Microsoft's server operating systems that was initially released with Windows XP.

Terminal Services Components

The Terminal Services service in Windows Server 2003 supports a number of components.

These include:

Remote Desktop for Administration (formerly called Remote Administration mode in Windows 2000)

Remote Assistance (a feature introduced in Windows XP)

The Terminal Server role (formerly called Application Server mode in Windows 2000)

The exam objectives focus on your ability to use Terminal Services components to remotely administer a Windows Server 2003 system. Consequently, you can expect an emphasis on client and server applications relating to the Remote Desktop for Administration and Remote Assistance features. However, it is important to understand that Terminal Services does not end there. Many organizations use Terminal Services to deploy multi-user application servers, as discussed previously in Chapter 2.


Remote Desktop for Administration

Remote Desktop for Administration is the key component of Terminal Services that enables remote server administration. It is installed by default, but is disabled. Remote Desktop for Administration must be manually enabled and configured by an administrator before you can connect to it. This component allows a maximum of two concurrent connections for the purposes of remotely administering the server. By default, when a Terminal Services client connects to this component, a new session is created and a copy of the Windows Server 2003 desktop is displayed in a window on the client machine.

It is important to note that this copy of the desktop is not the actual server desktop that the user would see if they were sitting down at the server’s keyboard—that session is called the console.This is an important distinction, because often the operating system or an installed application will send a popup message to the server console. An administrator connecting to the server using Terminal Services will not see the console by default, and thus will not see the pop-up messages.They also will not see any applications that might be running on the console session unless they use a Remote Desktop Protocol (RDP) 5.1 or later client to run a remote console session.

In Windows 2000, there was no way to remotely view the console session. However, one of the new Terminal Services client utilities (discussed in more detail later in the chapter) includes this capability. This is a dramatic improvement that enables administrators to more fully take advantage of Terminal Services for remote administration. Because this feature was missing from earlier versions, many companies had no choice but to use third-party software to connect to the console sessions on their Windows servers.

NOTE

An example of third-party software used to connect to and control remote servers is Symantec's pcAnywhere, a product used to perform the same tasks that now come with the operating system by default.

Remote Assistance

Remote Assistance depends on and uses the Terminal Services service. However, the way the Expert connects is substantially different from the methods used to establish a session with Remote Desktop for Administration or a client session connecting to the multi-user Terminal Server. Remote Assistance allows a user at one computer (the Novice) to ask for help from a user at another computer (the Expert or the Assistant), on the local area network (LAN) or across the Internet. This request can be made through Windows Messenger, e-mail, or a transferred file. The Expert can also offer Remote Assistance without receiving an explicit request from the Novice if Group Policy settings are configured to allow offering of Remote Assistance, and the Expert user is listed as an assistant in the Offer Remote Assistance policy or is a local administrator. However, the Novice must grant permission; the Expert can never take over the Novice's computer without the Novice's agreement. This differs from Remote Desktop, in which administrators and users on the Remote Desktop Users list can start a remote session without getting permission from the person who is using the computer locally.

When an Expert receives a request from a Novice, they can initiate a connection to the Novice's computer. Once connected, the Expert is able to view the actual desktop and applications that are being used by the Novice on their computer. In addition, a special application is launched on the Novice's computer that allows them to chat with the Expert and control the session, either via text messages or audio (as long as both computers are equipped with full-duplex sound cards, speakers, and microphones). If the Novice desires, the Expert can be allowed to control the Novice's desktop and applications, including taking control of the Novice's cursor. In addition, files can be transferred easily between the two through the Remote Assistance interface.

Remote Assistance requires that both computers be running Windows XP or Windows Server 2003. Because security is always a concern in the business environment, Remote Assistance invitations can require that the assistant provide a password to prevent an imposter from connecting to the computer while pretending to be the assistant. The amount of time for which a Remote Assistance invitation will remain valid can also be specified. Users also have the option of turning off the Remote Assistance feature entirely.

NOTE

Both Remote Desktop and Remote Assistance are also included in the Windows XP Professional operating system (only Remote Assistance is included in Windows XP Home Edition). However, whereas a Windows Server 2003 computer can have two Remote Desktop for Administration sessions running simultaneously, only one Remote Desktop session at a time can connect to an XP Professional system. In addition, when connecting via Remote Desktop to an XP Professional computer, you will see all the applications that are running on the desktop of that XP computer just as if you were sitting at that local machine. If Word is open on the local desktop, it will be open in the Remote Desktop Connection session. Conversely, when you connect to a Windows Server 2003 computer via Remote Desktop, you will not see applications that are open on the local (console) session. When a remote session is connected to an XP computer, the local session is locked and cannot be accessed until the remote session is terminated. With Windows Server 2003, an administrator sitting at the console can continue to do tasks while the remote administrator runs a session.


EXAM 70-292 OBJECTIVE 3.2.2

Using Remote Desktop for Administration

As mentioned, no installation is necessary for the Remote Desktop for Administration component of Terminal Services. It is installed with the operating system by default. However, for security purposes it is not enabled. Once it is enabled, members of the Administrators group can connect and use it. Non-administrators must be specifically granted access.

Configuring Remote Desktop for Administration

To configure Remote Desktop for Administration, click Start | Control Panel | System and click the Remote tab. To enable the feature, simply check the box next to Allow users to connect remotely to this computer located in the Remote Desktop section of the tab, as shown in Figure 3.7.

Figure 3.7

Enabling Remote Desktop for Administration

Allowing Users to Make Remote Desktop for Administration Connections

When Remote Desktop for Administration is enabled, any user accounts that are members of the Administrators built-in group on the server will be allowed to establish a remote session. However, other accounts must be explicitly approved for access by adding them to the Remote Desktop Users group on the server. To grant a user access using this method, perform the steps outlined in Exercise 3.02.


EXERCISE 3.02 ADDING USERS TO THE REMOTE DESKTOP USERS GROUP

1. Click Start | Programs | Administrative Tools | Computer Management to open the Computer Management console.

2. Expand the following nodes: System Tools | Local Users and Groups | Groups, as seen in Figure 3.8.

Figure 3.8

Locating the Remote Desktop Users Group

3. Right-click the Remote Desktop Users group. From the context menu, select Add to Group to open the Remote Desktop Users Properties dialog box, as seen in Figure 3.9.

Figure 3.9

Adding Users to the Remote Desktop Users Group


4. Click the Add button to open the standard Select Users, Computers, or Groups dialog box.

5. Type (or search for and select) the account name of the user to whom you wish to grant access.

6. Click OK to close the Select Users, Computers, or Groups dialog box, and then click OK again to close the Remote Desktop Users Properties dialog box.

An easier way to access the Remote Desktop Users group and grant access is to use an option provided in the Remote tab of the System applet, seen previously in Figure 3.7. To use this method, perform the following steps:

1. In the Remote Desktop section of the Remote tab, click the Select Remote Users button.

2. In the Remote Desktop Users dialog box that appears, click the Add button.

3. Type (or search for and select) the account name of the user requiring access.

4. Click OK to close the Remote Desktop Users dialog box.

The methods of creating Remote Desktop connections are examined later in the "Using Terminal Services Client Tools" section of this chapter.

Advantages of Remote Desktop Administration over Other Remote Administration Methods

Windows Server 2003 includes many ways to remotely administer servers. Server administration tools (including Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and many others) can be installed on a client computer. A network administrator can use the Computer Management console on one computer on the network to connect to and manage another. They can also use command-line tools to connect to and manage computers across the network.

Many administrators prefer Remote Desktop for Administration because they are able to see and use the entire server desktop exactly as if they were sitting at the console. They can do things such as promote or demote a domain controller, defragment the server's disk, install applications, run a backup job, or upgrade the operating system. They can change configurations that are difficult or impossible to configure by other remote methods, such as Control Panel settings. They can control the server from a computer on which they would not want to install the administrative tools. With the Remote Desktop Web Connection, the administrator does not even have to have Remote Desktop Connection or the Terminal Services client installed on the computer from which they initiate a Terminal Services session; only Internet Explorer 5.0 or later is required. Because of the efficiency of the latest version of RDP, performance over the LAN is almost as fast as if they were physically sitting at the server.


Remote Desktop Security Issues

When enabled, Remote Desktop for Administration opens Transmission Control Protocol (TCP) port 3389 and listens for connection requests. This port is a significant target and is often sought during port scans. Most open ports lead to applications that must be attacked in complex ways before they yield administrator-level access to a computer, but this service is designed to provide exactly that access to anyone who can authenticate, which makes it a prime target for attackers. There are several best practices that should be followed to maximize the security of this component.

Remember, with the exception of administrators, users must be authorized to connect using Remote Desktop for Administration. This is accomplished by adding a user's account to the Remote Desktop Users group using one of the methods previously mentioned. If a user does not require this access, their account should never be a member of this group. The administrator should control membership in this group through Group Policy (Restricted Groups) or review it manually on a regular basis; membership in this one group is what separates an ordinary domain account from an interactive session on the server.
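Reviewing the group by hand does not scale past a handful of servers. The following Python script is an added example (not from this book) of automating that review: it parses the output of the net localgroup command and reports any member that is not on an approved list. The approved names, the CORP domain and the sample command output are constructed for the example.

```python
import subprocess
from typing import List, Set

# Approved members of the local Remote Desktop Users group. The names are
# constructed for this example; in practice the list comes from change control.
APPROVED_MEMBERS: Set[str] = {"CORP\\helpdesk-rdp", "CORP\\backup-operator"}

# Constructed sample of the output of
#   net localgroup "Remote Desktop Users"
# on Windows Server 2003. The member names are invented.
SAMPLE_NET_LOCALGROUP = """Alias name     Remote Desktop Users
Comment        Members in this group are granted the right to logon remotely

Members

-------------------------------------------------------------------------------
CORP\\helpdesk-rdp
CORP\\backup-operator
CORP\\jsmith
tempadmin
The command completed successfully.
"""


def parse_net_localgroup(text: str) -> List[str]:
    """Return the member names printed by "net localgroup <group>".

    Members are listed one per line between the dashed separator and the
    "The command completed successfully." trailer."""
    members: List[str] = []
    in_members = False
    for line in text.splitlines():
        line = line.rstrip("\r")
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or not line.strip():
            continue
        if line.startswith("The command completed"):
            break
        members.append(line.strip())
    return members


def unexpected_members(members: List[str], approved: Set[str]) -> List[str]:
    """Members not on the approved list. Windows account names are
    case-insensitive, so compare in lower case."""
    approved_lc = {a.lower() for a in approved}
    return [m for m in members if m.lower() not in approved_lc]


def audit_remote_desktop_users(approved: Set[str]) -> List[str]:
    """Read the live group on this server and return any unapproved members.
    Schedule this (for example with the Task Scheduler) and alert on a
    non-empty result."""
    out = subprocess.run(["net", "localgroup", "Remote Desktop Users"],
                         capture_output=True, text=True, check=True).stdout
    return unexpected_members(parse_net_localgroup(out), approved)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a server call
    # audit_remote_desktop_users(APPROVED_MEMBERS) instead.
    for name in unexpected_members(parse_net_localgroup(SAMPLE_NET_LOCALGROUP), APPROVED_MEMBERS):
        print(f"unapproved Remote Desktop Users member: {name}")
```

The comparison is deliberately an allow list rather than a block list: a new account that nobody approved is exactly the case the review is meant to catch, and it only shows up if everything not on the list is reported.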

It is important to enforce strong security precautions on all accounts that are allowed to connect using Remote Desktop for Administration. Strong passwords and the use of account lockout are essential to make it difficult for an attacker to successfully use a brute force attack to gain system access. Administrators should be required to log on using a standard user account and perform administrative duties in the session using the Run as feature. This ensures maximum security of the administrator credentials, minimal damage to the Windows Server 2003 computer if the session is hijacked, and that Trojans and other malicious code are more difficult to install accidentally when using the session.

All users should be required to use the most recent client available for their platform. This will ensure that the latest security features are available to them. It should be standard policy to check frequently for software updates to both client and server components, as these may contain critical security fixes. In addition, users should be discouraged from storing their logon credentials in the properties of the client. This allows anyone with physical access to the user's machine, or anyone who can run a program as that user, to establish a session simply by opening the saved connection. It also stores sensitive information such as the username, domain, and server name in a clear text file with an .rdp extension in the user's My Documents folder; the saved password is stored in protected form rather than as plain text, but that protection does not help once an attacker is running as the user.
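The following Python script is an added example, not from this book, of auditing user profiles for saved Remote Desktop credentials. It parses the .rdp file format (one name:type:value setting per line) and reports which files carry a saved password. The file contents, the server names srv01.corp.example and srv02.corp.example, and the account names are constructed for the example.

```python
import os
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Constructed sample of a Remote Desktop Connection (.rdp) file saved with the
# "Save my password" option. Each line is name:type:value (s = string,
# i = integer, b = binary). The server, account and blob are invented; on a
# real client the "password 51:b:" value is a protected blob, not the plain-text
# password, but the user name, domain and server name are plain text.
SAMPLE_RDP_WITH_CREDS = """screen mode id:i:1
desktopwidth:i:1024
desktopheight:i:768
full address:s:srv01.corp.example
username:s:admin-jsmith
domain:s:CORP
password 51:b:01000000D08C9DDF0115D1118C7A00C04FC297EB0100
"""

SAMPLE_RDP_NO_CREDS = """screen mode id:i:1
full address:s:srv02.corp.example
"""


def decode_rdp_bytes(raw: bytes) -> str:
    """Saved .rdp files are written as UTF-16 with a byte-order mark; hand-edited
    ones may be plain ASCII."""
    if raw.startswith(b"\xff\xfe"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse .rdp settings into {name: (type, value)}. A value may itself contain
    colons (full address:s:host:3390), so split at most twice."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # tolerate junk lines rather than abort the audit
        name, typ, value = parts
        settings[name] = (typ, value)
    return settings


def stored_credential_report(settings: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """Summarise what an .rdp file hands to anyone who can read it or run as its owner."""
    username = settings.get("username", ("s", ""))[1]
    domain = settings.get("domain", ("s", ""))[1]
    target = settings.get("full address", ("s", ""))[1]
    has_password = bool(settings.get("password 51", ("b", ""))[1])
    if has_password:
        finding = "saved password"   # the file alone opens a session as this account
    elif username:
        finding = "username only"    # leaks the account and domain name for the target
    else:
        finding = "none"
    return {
        "target": target,
        "account": f"{domain}\\{username}" if domain else username,
        "password_saved": has_password,
        "finding": finding,
    }


def rdp_files_under(root: Path) -> List[Path]:
    """Every .rdp file below a profile root such as C:\\Documents and Settings."""
    return [Path(dirpath) / name
            for dirpath, _, names in os.walk(root)
            for name in names if name.lower().endswith(".rdp")]


def scan_rdp_files(paths: Iterable[Path]) -> List[Dict[str, object]]:
    """Audit each file and tag the report with its path."""
    results = []
    for path in paths:
        report = stored_credential_report(parse_rdp(decode_rdp_bytes(path.read_bytes())))
        report["file"] = str(path)
        results.append(report)
    return results


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; on a server run
    # scan_rdp_files(rdp_files_under(Path(r"C:\Documents and Settings"))) instead.
    for sample in (SAMPLE_RDP_WITH_CREDS, SAMPLE_RDP_NO_CREDS):
        print(stored_credential_report(parse_rdp(sample)))
```

Run it against the profile folders on administrators' workstations as well as on the servers themselves: the saved connection that matters most is the one pointing at a domain controller from a desktop that many people can reach.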

Finally, denial of service (DoS) is a significant possibility when using Remote Desktop for Administration because it allows for only two sessions to exist on the server. Both active and disconnected sessions count. So if a company has three administrators and two of them leave disconnected sessions, the third will not be able to connect using Terminal Services until one of the existing sessions has been terminated.The solution to this may appear to be setting the time out value so that sessions are reset shortly after they enter the disconnected state. However, this can cause serious problems.

An administrator may establish a session, begin an installation process, and then disconnect to allow the installation to finish unmonitored.The previous settings would terminate the session, including the installation routine it was running, with potentially disastrous effects for the server. Special circumstances like these must be taken into account when configuring policies.

Because session timeout values can be set at the user property level, Microsoft recommends the use of a special shared administrative account for such circumstances as this. The strategy applies a timeout for disconnected sessions that are started by every user account except the shared account, which has no timeout settings applied. In this way, there should always be one connection available to a server, even though the second allowed connection is being consumed by a session involving the shared administrative account. Keep in mind that a shared account sacrifices accountability in the logs, so restrict knowledge of its password to the administrators who need it and audit its logons.
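The following Python script is an added example (not from this book) of checking how many of the two Remote Desktop for Administration slots a server has left, and which disconnected sessions are holding them, by parsing the output of the query session command. The user names and the sample output are constructed for the example; the sample is built with a small helper so that its column positions match the header line the parser relies on.

```python
import subprocess
from typing import Dict, List

# Remote Desktop for Administration allows two RDP sessions; disconnected ones
# still hold a slot until they are logged off or time out.
RDA_SESSION_LIMIT = 2


def _row(session: str, user: str, sid: int, state: str, typ: str = "", current: bool = False) -> str:
    """Lay one line out the way query.exe does: a '>' marks the caller's own
    session, names are left-aligned, the ID is right-aligned. Used only to
    build the constructed sample below."""
    return ((">" if current else " ") + session.ljust(18) + user.ljust(22)
            + str(sid).rjust(5) + "  " + state.ljust(8) + typ)


_HEADER = (" " + "SESSIONNAME".ljust(18) + "USERNAME".ljust(22) + "ID".rjust(5)
           + "  " + "STATE".ljust(8) + "TYPE".ljust(12) + "DEVICE")

# Constructed sample of "query session" output on a Windows Server 2003 member
# server: the console, the rdp-tcp listener, the caller's own active session and
# a disconnected session (which shows no session name). User names are invented.
SAMPLE_QUERY_SESSION = "\n".join([
    _HEADER,
    _row("console", "Administrator", 0, "Active", "wdcon"),
    _row("rdp-tcp", "", 65536, "Listen", "rdpwd"),
    _row("rdp-tcp#1", "alice", 1, "Active", "rdpwd", current=True),
    _row("", "bob", 2, "Disc"),
]) + "\n"


def parse_query_session(text: str) -> List[Dict[str, object]]:
    """Parse query session output using the header line to locate the columns,
    so a blank SESSIONNAME (disconnected session) or blank USERNAME (listener)
    does not shift the fields."""
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0]
    user_col, state_col, type_col = (header.index(c) for c in ("USERNAME", "STATE", "TYPE"))
    sessions: List[Dict[str, object]] = []
    for row in lines[1:]:
        row = row.ljust(len(header))
        fields = row[user_col:state_col].split()   # optional USERNAME, then ID
        if not fields or not fields[-1].isdigit():
            continue
        sessions.append({
            "current": row.startswith(">"),
            "session": row[1:user_col].strip(),
            "user": " ".join(fields[:-1]),
            "id": int(fields[-1]),
            "state": row[state_col:type_col].strip(),
        })
    return sessions


def rda_slot_report(sessions: List[Dict[str, object]], limit: int = RDA_SESSION_LIMIT) -> Dict[str, object]:
    """How many of the RDA slots are taken and which disconnected sessions hold
    them. The console (ID 0) and the listener do not consume a slot."""
    occupied = [s for s in sessions if s["id"] != 0 and s["state"] != "Listen"]
    disconnected = [(s["id"], s["user"]) for s in occupied if s["state"] == "Disc"]
    return {"used": len(occupied), "free": max(limit - len(occupied), 0),
            "disconnected": disconnected}


def live_report() -> Dict[str, object]:
    """Run query session on this server and report. A disconnected session can
    be ended with "logoff <id>", but ask its owner first: it may be running an
    unattended installation."""
    out = subprocess.run(["query", "session"], capture_output=True, text=True, check=True).stdout
    return rda_slot_report(parse_query_session(out))


if __name__ == "__main__":
    print(rda_slot_report(parse_query_session(SAMPLE_QUERY_SESSION)))
```

When the report shows no free slot, the remaining way in is the console session, which is why a remote console connection (covered later in this chapter) is worth keeping in reserve rather than using for routine work.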

EXAM 70-292 OBJECTIVE 3.2.1

Using Remote Assistance

As with Remote Desktop for Administration, the Remote Assistance components of Windows Server 2003 are installed with the operating system. And similar to Remote Desktop for Administration, Remote Assistance needs to be enabled and configured before the feature can be used.

Two major components comprise the default installation: the Terminal Services service and the Remote Desktop Help Session Manager service. In addition to installing these two components, Microsoft also creates a special user account for connections involving Remote Assistance, called SUPPORT_xxxxxxxx. On your system, the x's will be replaced with a unique alphanumeric code, and the account name will appear as something similar to this: SUPPORT_388945a0. This account will be disabled until Remote Assistance is enabled. Although Remote Assistance is based on and uses Terminal Services, it works very differently from Remote Desktop for Administration or the Terminal Server role.

TEST DAY TIP

Be sure that you are familiar with Remote Assistance. As a new component in the Windows server family that directly relates to test objectives, it is likely to be featured in one or more exam questions.

How Remote Assistance Works

Remote Assistance allows a user at one computer (the Novice) to request help from a user at another computer (the Expert). The underlying technologies are Windows Terminal Services and RDP. Although these are the same technologies that were originally developed for thin client computing and that are used for Remote Desktop for Administration and Terminal Server, Remote Assistance is not a thin client solution. In fact, both computers must be running Windows XP or Windows Server 2003. Another difference between Remote Assistance and traditional Terminal Services is that typically the session is initiated when the Novice sends an Invitation to the Expert soliciting their assistance. The Novice must typically be present at the machine that needs assistance to allow the Expert to access their system after the Expert receives and accepts the Invitation. With Remote Desktop for Administration or the Terminal Server role, a user can connect from a wide range of client systems without permission, provided the user has a valid username and password.


Using Remote Assistance, the Expert actually views and (if allowed) interacts with the same desktop and applications that the Novice is using, at the same time.This is very different from the other forms of Terminal Services, in which a connection is established to a unique session on the Terminal Services computer. During a Remote Assistance session, both the Novice sitting at the keyboard and the remote assistant (Expert) can control the computer at the same time.

As with any form of Terminal Services, RDP is still used so that only screen updates are sent to the client (which in this case is the Expert) while keystrokes and mouse movements are sent back to the server (which in this case is the Novice).

Configuring Remote Assistance for Use

Remote Assistance is relatively easy to configure; the same tab that is used to configure Remote Desktop for Administration is used. To enable Remote Assistance, click Start | Settings | Control Panel, open System, and select the Remote tab in the System Properties applet. Select the check box next to Turn on Remote Assistance and allow invitations to be sent from this computer, as seen in Figure 3.10.

Figure 3.10

Enabling Remote Assistance

Invitations do not stay valid indefinitely. They have an expiration time of one hour by default, but the Novice can alter the expiration time of Invitations, from 0 minutes to 99 days. The acceptance and opening of a session in response to an Invitation does not cause it to expire; it is good until it reaches the specified expiration time. In other words, if you save an Invitation to a file with an expiration time of 30 days, that Invitation can be used to establish Remote Assistance connections as many times as desired within that 30-day timeframe. Because a saved Invitation is reusable until it expires, treat the file as you would a password and keep expiration times as short as the situation allows. To modify the default expiration time, click the Advanced button, as seen in Figure 3.10, to open the Remote Assistance Settings dialog box, as seen in Figure 3.11. Choose the desired number (0 to 99) and interval (minutes, hours, or days) and click OK.


Figure 3.11

Configuring Remote Assistance Settings

In addition to modifying the expiration time, the Remote Assistance Settings dialog box can be used to allow (or not allow) the Expert to control the Novice's desktop and applications during a Remote Assistance session. When the Allow this computer to be controlled remotely box is checked, the Expert will be allowed to send mouse and keyboard input to the Novice's system and interact directly with their desktop and applications. When it is unchecked, the Expert will be able to see the Novice's desktop and any actions the Novice performs, but cannot control the cursor or send keyboard commands.

NOTE

It is important to be aware that, when you enable Remote Assistance, the Allow this computer to be controlled remotely checkbox is enabled by default.

Asking for Assistance

A Novice can use a variety of methods to request help by sending an Invitation using Remote Assistance:

The request can be sent using Windows Messenger

The request can be sent via e-mail

The request can be saved to a file

To create an Invitation, click Start | Help and Support. On the right side of the Help and Support Center utility, click Remote Assistance under the Support heading. In the next screen, click the Invite someone to help you link. You will then be able to select the method that you want to use in asking for assistance, as shown in Figure 3.12.


NOTE

Windows Messenger is not installed by default in Windows Server 2003. If you want to send a request for Remote Assistance using Windows Messenger, you need to first install it. Be careful not to install MSN Messenger; you must install Windows Messenger.

Figure 3.12

Starting Remote Assistance

EXAM WARNING

Although a Remote Assistance session can be solicited using an Invitation sent in a file or via e-mail, Microsoft emphasizes sending an invitation using Windows Messenger. Make sure you are very familiar with all of the details of this method of solicitation.

Using Windows Messenger to Request Help

Windows Messenger is a chat program available at no cost from Microsoft that is similar to ICQ and AOL Instant Messenger. (MSN Messenger is a separate but related application; both use the .NET Messenger Service.) When you use Windows Messenger for Remote Assistance, the Invitation travels through a messaging server infrastructure that can include the Internet, or can work with a Microsoft Exchange Server within the LAN. Expert and Novice data packets that contain connection information are exchanged through this infrastructure. However, once these have been exchanged, the actual RDP connection attempt and subsequent session take place directly between the Novice and Expert computers.


Windows Server 2003 does not install Windows Messenger by default. If the administrator has not installed it prior to arriving at the Remote Assistance screen, they will only see a link notifying them that it is not installed and prompting them to download and install it. If Windows Messenger is installed, the user from whom they wish to solicit help must be on the network and logged on to their Windows Messenger client. If this is the case, the administrator can click the name of the contact from whom they want to solicit assistance, followed by the Invite this person link. The invitee can then accept the Invitation. A Remote Assistance dialog box displays on the screen until the Expert invitee accepts or until the administrator clicks the Cancel button on the dialog box.

The network administrator can also request assistance from within the Windows Messenger application by double-clicking a contact to establish a conversation with the Expert and then selecting the Ask for Remote Assistance link on the right side of the conversation window. This adds a notification to their conversation window, with a link on which they can click to cancel the request. They will also be notified in the conversation window when the Expert receives and accepts their request.

Remember that Remote Assistance only works on computers running Windows XP and Windows Server 2003. If an invitation is sent to a person at a computer running Windows 2000 or earlier, or a non-Microsoft operating system, that person will not be able to use it.

If an administrator does not have Windows Messenger installed, they can begin the process from the Help and Support Center by clicking the Download Windows Messenger link, after beginning the process of asking for Remote Assistance, as seen previously in Figure 3.12. This opens an Internet Explorer window with a Web page that displays the Windows XP version of Windows Messenger for download. At the time of this writing, a Windows Server 2003 version of Windows Messenger is not available; however, the Windows XP version works just fine.

Responding to a Request for Help Using Windows Messenger

If the invited Expert has the Windows Messenger application running, a request from a Novice for assistance will be displayed in a Conversation window on the Expert's system. The Expert can click the Accept link in the window to initiate the connection, or click the Decline link to reject it, as seen in Figure 3.13. If the Invitation is neither accepted nor declined before it expires, the Expert will be unable to establish a connection in response to that Invitation.


Figure 3.13

Accepting the Remote Assistance Invitation

Using E-mail to Request Help

To use e-mail to send a Remote Assistance invitation, the administrator must first have a default mail client configured on the Windows Server 2003 computer. This mail client can be Microsoft Outlook Express, which is installed with Windows, Outlook (installed as a separate application or with Microsoft Office), or a third-party e-mail application. To create a Remote Assistance Invitation using e-mail, complete Exercise 3.03:

EXERCISE 3.03 SENDING AN E-MAIL REQUEST

1. Click Start | Help and Support Center.

2. On the right side of the Help and Support Center screen, click Remote Assistance under the Support heading.

3. In the next screen that is displayed, click the Invite someone to help you link.

4. In the next screen, in the Prepare an e-mail invitation section, type the first name of the person you want to use as an Expert in the Type your assistant's first name text box and click the Continue link.

5. The following screen, as seen in Figure 3.14, contains two sections. The first is titled "Set the invitation to expire" and contains a drop-down box for specifying a number between 0 and 99, and an interval drop-down box with selections for minutes, hours, or days. This means that the possible time period during which the invitation is valid ranges anywhere from 0 minutes to 99 days. Verify that the second section of this screen, Require the recipient to use a password, is selected (it is enabled by default). The intent is that, should the invitation accidentally fall into the wrong hands, a password would still be required to use it. Obviously, you should not include the password in the e-mailed invitation. Instead, you should communicate it to the person in some other manner (for example, by telephone). The password is entered twice, once in the Type password text box and again in the Confirm password text box.

Figure 3.14 Creating an E-mail Remote Assistance Invitation

6. After the password has been entered into each box, the Create E-mail Invitation button at the bottom of the screen can be clicked. An e-mail message opens on your computer, as seen in Figure 3.15. You need to enter the recipient’s e-mail address and any additional information you want to add to the message before sending it.

Figure 3.15 Sending an E-mail Remote Assistance Invitation


7. After you have sent the e-mail, the process of asking for Remote Assistance using the e-mail method is complete.

Responding to a Request for Help from an E-mail Request

When e-mail has been used to send you an invitation for Remote Assistance, a short e-mail message entitled “YOU HAVE RECEIVED A REMOTE ASSISTANCE INVITATION” will show up in your inbox. The message will contain a link to click, which will look something like this: https://www.microsoft.com/remoteassistance/s.asp#1AjK8A2TD,4H8SQYYfvIpQF5prHYajrReyrAd2j6oHb4Qe/Eo1Ahs=,zb2.0RJ81UIfxb4Xfkp8thzdy8A=Z.

When you click on the link, your browser will open to a page on Microsoft’s Web site. The entire process of the two computers finding each other using this method takes place through Microsoft’s Web site. In addition, e-mail-based Remote Assistance depends on a downloaded control.

When you visit the site, a Security Warning dialog box will appear and you will be prompted to specify whether you wish to install the Remote Assistance Server Control, as seen in Figure 3.16.

Figure 3.16 Downloading the Remote Assistance Server Control

If you select Yes, the control will download and the page will load. If you are not accessing the page from a Windows XP or Windows Server 2003 computer, a message will display informing you that you must be running one of these operating systems to complete the connection. If you are accessing the Web page from a Windows XP or Windows Server 2003 computer, you will see a button entitled Start Remote Assistance in the middle of the Web page. When you click on this button, a small Remote Assistance dialog box appears, prompting you to enter the password associated with the invitation (if one was used). After you have typed in the password, click the Yes button to begin the connection.


Using a Saved File to Request Help

The third and final way of requesting assistance is to use a saved file. Obviously, if you use this method, you need to somehow transfer the file containing the invitation to the Expert. This can be done in one of several ways:

The file can be e-mailed

The file can be saved to a share on the network

You can create a link to the file on a Web page (perhaps on the local Intranet)

You can save the file on a floppy diskette and hand it to the person

To create a Remote Assistance invitation using a saved file, complete the steps discussed in Exercise 3.04.

Exercise 3.04 Sending a File-Based Request

1. Click Start | Help and Support Center.

2. On the right side of the Help and Support Center screen under the Support heading, click Remote Assistance.

3. In the next screen that is displayed, click the Invite someone to help you link. At the bottom of the next screen, click the Save invitation as a file (Advanced) link. This leads to a screen that contains two parts, as seen in Figure 3.17.

Figure 3.17 Creating a Remote Assistance Invitation Using a File


4. The first section is entitled Enter your name and contains a text box into which you can type your name. When you send someone a request using Windows Messenger or e-mail, the recipient can easily see who sent the request. This is not true with a file-based request, so this dialog box is used to embed that information into the request and make it readily available to the Expert.

5. The second portion of this screen is entitled Set the invitation to expire and contains a drop-down box that lets you specify a number between 0 and 99, and an interval drop-down box with selections for minutes, hours, or days. The possible range for the duration of a valid invitation is from 0 minutes to 99 days.

6. After you fill in the requested information, click on the Continue button at the bottom of the screen. On the next page verify that the option Require the recipient to use a password is selected. By default, the check box is selected and this requirement is enabled. Again, the intent is that if the invitation accidentally falls into the wrong hands, at least a password will be required to use it. The password must be entered twice, once in the Type password text box and again in the Confirm password text box.

7. After the password has been entered into each box, click the Save Invitation button at the bottom of the screen. This displays a Save As dialog box that allows you to specify a name and location for the file. The file will be saved with an .MSRCINCIDENT extension. After it is saved, the final screen is displayed. It confirms the file name and where it was saved. At the bottom of the screen, there are links to manage your outstanding invitation requests and create additional invitations.

Figure 3.18 displays the file that is created during this process.

Figure 3.18 Examining the Remote Assistance File

Responding to a Request for Help Using a Saved File

Responding to a Remote Assistance request that has been saved to a file is simply a matter of double-clicking the file. When you do this, a small Remote Assistance dialog box appears, asking you to enter the password associated with the invitation if one was specified. After you type in the password, click the Yes button to initiate the connection. The following section shows how to complete the connection process for each of the methods described, and demonstrates what can be done when the connection has been established.

Completing the Remote Assistance Connection

After a request for assistance is accepted by the Expert user, a small Remote Assistance dialog box appears on the Expert’s computer with a message indicating that a connection is being attempted. When the connection is established, the full Remote Assistance application opens, displaying a status message that says it is waiting for an answer from the Novice computer. When the connection is accepted by the Novice user, the status of the Remote Assistance application changes to Connected.

During this time, the Novice’s system displays a small Remote Assistance dialog box that asks the user if they want to allow the Expert to view the computer’s screen and chat with them. If the Novice clicks the No button, the connection is rejected. If the Novice clicks the Yes button, the connection is established. If too much time passes after the Expert attempts to establish the connection and before the Novice accepts it, a dialog box opens to inform the Novice that the invitation was accepted but has expired. This dialog box also states that a new invitation needs to be generated and offered. A dialog box is also displayed on the Expert’s computer, indicating that the remote connection could not be established. When a connection is successfully established, a Remote Assistance application opens on the Novice’s system.

Using the Completed Connection as the Expert

The Remote Assistance application on the Expert’s computer consists of a tool bar across the top, a chat option on the left side, and a replica of the Novice’s remote desktop on the right, as shown in Figure 3.19.

Figure 3.19 The Remote Assistance Utility on the Expert’s Computer


The buttons on the tool bar across the top include the following:

Take Control

Initiates a request to allow the Expert to remotely control the cursor and keyboard input on the Novice’s computer. When this button is clicked, a dialog box pops up on the Novice’s computer, asking the Novice to allow or reject control by the Expert. Remote control is only possible if the Allow this computer to be controlled remotely box is checked on the Remote tab of the System applet in the Control Panel. If remote control is accepted by the Novice, a dialog box appears in the Remote Assistance application on the Expert’s computer over the display of the Novice’s desktop, stating that remote control has been accepted. Either party can end the remote control at any time by using the Esc key. After remote control is established, the Remote Control button changes to read Release Control and can be clicked to end the remote control of the session without ending the Remote Assistance session itself. Both the Novice and Expert can control the cursor and keyboard input for the Novice’s system, so it is recommended that only one party be using the pointing device or typing at any given time. The Expert can use remote control by clicking on the Novice desktop that is displayed in their Remote Assistance application.

Send a File

Allows the administrator to transmit a file from the Expert’s to the Novice’s computer.

Start Talking

Establishes an audio connection between the Novice’s and Expert’s computers for voice and/or video communication. When this button is clicked, the Audio and Video Tuning Wizard opens. The wizard allows the administrator to specify and test their microphone, audio card, and other related settings.

Settings

Opens the Remote Assistance Settings dialog box and allows adjustment of audio quality in accordance with the capacity of the underlying network. The Audio and Video Tuning Wizard, mentioned in the previous bullet point, can also be opened from this dialog box.

Disconnect

Terminates the connection between the Novice’s and Expert’s computers and ends the Remote Assistance session.

Help

Displays the About Remote Assistance help screen.

The left side of the Remote Assistance application on the Expert’s computer contains a chat window. This allows the Novice and Expert to exchange text messages. In addition to chat communication, this portion of the application also contains status messages such as the names of users who are part of the connection, whether remote control is enabled, and how to stop remote control.

The right side of the Remote Assistance application on the Expert’s computer displays the desktop of the Novice’s system. When the connection is initially established, the desktop appears in View Only mode. This allows the Expert to view the desktop of the Novice, but the Expert cannot interact with it. The Expert can still exchange text messages or voice communications with the Novice in this mode, and can exchange files. If the Expert and Novice agree to switch from View Only to Remote Control, the Expert can then interact with the remote desktop and applications on the Novice’s system. To do this, the Expert uses their pointing device and keyboard to select and input data into the desktop that is displayed on the right side of the Remote Assistance application.

Using the Completed Connection as the Novice

The Remote Assistance application on the Novice’s computer consists of a chat window on the left side and a series of option buttons along the right, as shown in Figure 3.20.

Figure 3.20 The Remote Assistance Utility on the Novice’s Computer

This application allows the Novice to send messages to and receive messages from the Expert. It also contains the following buttons:

Stop Control

Terminates the ability of the Expert to control the cursor and keyboard input on the Novice’s computer.

Send a File

Allows for transmitting a file from the Novice’s to the Expert’s computer.

Start Talking

Establishes an audio connection between the Novice and Expert computers for voice and/or video communication. When clicked, the Audio and Video Tuning Wizard opens. The wizard allows the administrator to specify and test their microphone, speaker, and related settings.

Settings

Opens a dialog box that allows for the adjustment of audio quality in accordance with the capacity of the underlying network. The Audio and Video Tuning Wizard can also be opened from this dialog box.


Disconnect

Terminates the connection between the Novice’s and Expert’s computers and ends the Remote Assistance session.

Help

Brings up the About Remote Assistance help screen.

The left side of the Remote Assistance application on the Novice’s computer contains a chat window. This allows the Novice and Expert to exchange text messages. In addition to chat communication, the left side of the application also displays status messages such as the names of users who are part of the connection, whether remote control is enabled, and how to stop remote control.

Managing Open Invitations

Sometimes the administrator might want to know the names of users with whom they have active Remote Assistance invitations open. They might want to cancel an invitation because they have solved the problem or because they want someone else to help them. The Help and Support Center provides a number of options for managing open invitations.

To manage your active invitations, follow these steps:

1. Click Start | Help and Support.

2. On the right side of the Help and Support Center screen, click Remote Assistance under the Support heading.

3. In the following screen, click the View Invitation Status (x) link. The (x) will be replaced on your screen by the number of invitations you have outstanding.

4. The next screen shows you a list of the invitations that are outstanding, as seen in Figure 3.21. The list consists of three columns: Sent To, Expiration Time, and Status. The Sent To column contains the name of the person to whom you sent the Windows Messenger message or e-mail. If you saved the request to a file, this column will display the word Saved. The Expiration Time column will show the date and time that the invitation will expire. The Status column will show whether the invitation’s status is Open or Expired. Now you can view or modify any of these invitations.


Figure 3.21 Viewing Remote Assistance Requests

Each invitation has a radio button next to it, as seen in Figure 3.21. You can click a radio button to select one of the Invitations and then choose an action to perform using the buttons under the list box. The buttons include:

Details

Allows the administrator to view to whom the invitation was sent, when it was sent, when it expires, its current status, and whether it is password protected.

Expire

Allows the administrator to cause an invitation to expire immediately, regardless of the expiration time that was set when the invitation was originally created.

Resend

Can only be used with expired invitations. When selected, this option displays a screen that walks the administrator through the creation process for the invitation all over again. Remember that the request was originally saved to a file or sent via e-mail. Because of this, the screens and options presented are identical to those outlined earlier in the chapter.

Delete

Allows the administrator to permanently delete the invitation. If the invitation’s status is Open when they select to delete it, a dialog box will pop up, informing them that the invitation will not be usable for connection. If the invitation’s status is Expired, it is simply deleted and no pop-up box appears.

Remote Assistance Security Issues

Remote Assistance is a valuable tool, but it also contains serious security risks that must be planned for and managed. Remote Assistance makes it easy for any user to ask virtually anyone using a Windows XP or Windows Server 2003 computer to connect to their desktop—this person can be inside the company or a friend who is outside of the company. Although an outside person may be qualified to assist the user, in doing so they will likely receive full control of a client in the network.

This, of course, is unacceptable because they could place malicious software on the system while in control of it, view sensitive company information that normally is not allowed outside of the organization, and so forth. The best way to prevent this is to use the company’s firewalls to prevent connection to Remote Assistance from outside the company’s network. Remote Assistance uses the same port that all Terminal Services components do, TCP 3389. Simply blocking this port on the external firewalls prevents this type of unauthorized access.
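As an added example that is not part of the chapter, the following Python script shows the detection side of this advice: it reads firewall log lines and reports connections to TCP 3389 on internal hosts that came from outside the organization, which is exactly what the external firewall rule should have blocked. The log line layout and the address ranges are constructed for the example.

```python
"""Flag inbound Terminal Services / Remote Assistance traffic (TCP 3389)
that reached an internal host from outside the organization.

Added example, not from the book.  The log line layout is constructed for
this example (timestamp action proto src:port dst:port); real firewall
exports differ, so parse_line() is the part to adapt.
"""
import ipaddress
import re
from dataclasses import dataclass

RDP_PORT = 3389  # port shared by all Terminal Services components

# Address space the organization treats as "inside" (constructed values).
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample log lines in the assumed layout.
SAMPLE_LOG = """\
2003-08-21T14:02:11 ALLOW TCP 10.1.4.22:51522 10.1.4.10:3389
2003-08-21T14:02:15 ALLOW TCP 203.0.113.45:40210 10.1.4.10:3389
2003-08-21T14:03:02 ALLOW TCP 198.51.100.7:4433 10.1.4.11:443
2003-08-21T14:03:30 DENY TCP 203.0.113.45:40211 10.1.4.10:3389
2003-08-21T14:04:01 ALLOW UDP 10.2.0.9:5000 10.1.4.10:3389
this line is not a log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class LogEvent:
    ts: str
    action: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line):
    """Return a LogEvent, or None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LogEvent(
        ts=m["ts"], action=m["action"], proto=m["proto"],
        src=ipaddress.ip_address(m["src"]),
        dst=ipaddress.ip_address(m["dst"]),
        dport=int(m["dport"]),
    )


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETWORKS)


def external_rdp_events(log_text, allowed_only=True):
    """Events where an external source reached TCP 3389 on an internal host.

    With allowed_only=True only ALLOW entries are returned: those are the
    connections the perimeter firewall should have blocked.  DENY entries
    for the same pattern show the rule is working and are skipped.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.proto != "TCP" or ev.dport != RDP_PORT:
            continue
        if is_internal(ev.src) or not is_internal(ev.dst):
            continue
        if allowed_only and ev.action != "ALLOW":
            continue
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in external_rdp_events(SAMPLE_LOG):
        print(f"{ev.ts} external {ev.src} reached {ev.dst}:{ev.dport} ({ev.action})")
```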

Several other key security concerns should be addressed in a company’s Remote Assistance policies. E-mail and file-based invitations allow the administrator to specify passwords. An invitation without password protection can be used by anyone who receives it by accident or intercepts it maliciously. Because of this, the use of these passwords should always be mandated.

A company may also want to protect traffic that contains Remote Assistance requests. E-mail is normally sent in unencrypted form on the network. This means that the URL that is sent in the e-mail invitation is available for easy interception while it is in transit on the network.

Likewise, a simple XML format is used for the invitation file. A simple pattern match could be used when monitoring the network to detect and automatically save this information to an unauthorized system while it is being sent across the network. If the e-mail or file invitations do not have passwords, they can be used immediately when they are captured in this way. Even if a password is specified, there is no limit to the number of times requests like these can be used for connection. A brute force attack could be used to attempt to break the password and successfully establish a session. For this reason, it is important that the Remote Assistance policy also specify a short expiration time for the invitation. Once expired, no connections are possible with it. A shorter time reduces the chances of successfully using a brute force attack. And, if no password is specified, at least the open window for misuse of the invitation is shorter.

Users should also be educated on when it is appropriate to accept Remote Assistance requests. As mentioned previously, a request saved to a file is stored in a standard XML file.

These can easily be modified to perform malicious actions when run by a user on a local system. The e-mail request contains a URL to click on and can also be altered. In this case it may take the user to a page that performs malicious actions on their local system, or requires the download and installation of an unauthorized ActiveX control that is designed to appear legitimate to the user. Even an unsolicited request received through Windows Messenger has security worries.

The best option is to maintain a tight policy that asks users to reject Remote Assistance invitations in all but a few instances. What is acceptable will relate specifically to a company.

Some organizations allow acceptance only from immediate co-workers and known help desk staff. Others are more liberal and allow invitations to be accepted from any verifiable employee within the company. The most important rule is to not allow connections from outside of the organization. Again, this can be further prevented by the use of firewall rules.

Note

A Remote Desktop connection to computers running Windows XP is also possible, but only one connection is allowed (including a locally logged on user). This means that when you connect to the computer using Remote Desktop, if someone is already logged on at the computer, that user is logged off.

EXAM 70-292 OBJECTIVE 3.2, 3.2.2

Using Terminal Services Client Tools

There are three primary tools that can be used to connect from a client system to Terminal Services for remote administration. These tools include:

The Remote Desktop Connection utility

The Remote Desktops console

The Remote Desktop Web Connection utility

Each tool is designed to fill a very specific role, and it is important to be familiar with the capabilities and uses of each. The following sections examine how to install and use these utilities.

Test Day Tip

Be sure to familiarize yourself with the properties available for configuration in each of the client tools prior to taking the exam.

Using the Remote Desktop Connection Utility

The Remote Desktop Connection utility (formerly the Terminal Services Client Connection Manager) is the standard client for connecting to Terminal Services via Remote Desktop for Administration on a server or Terminal Services on a Terminal Server. It can be used for remote administration or full Terminal Server client use. It enables a user to connect to a single server running Terminal Services using RDP over TCP/IP. The utility is installed with the operating system in Windows XP and Server 2003 and can be accessed by clicking Start | Programs | Accessories | Communications in those operating systems. If you use the client often, you might want to create a shortcut to it on your desktop. The Remote Desktop Connection utility can also be installed and used on a number of older Windows operating systems, including Windows 2000, NT, ME, 98, and 95.

The older Terminal Services Client Connection Manager can still be used to connect to a Terminal Server from a Windows 3.11 computer with the 32-bit TCP/IP stack installed. There is also a 16-bit version of the Windows 2000 TS client for Windows for Workgroups 3.11 and a Macintosh client. If you need to connect MS-DOS, Linux or other client operating systems, you will need third-party RDP or ICA client software. The Remote Desktop Connection utility is backward compatible and capable of communicating with Terminal Services in Windows XP, Windows 2000 and Windows NT 4.0, Terminal Server Edition. Let’s take a look at how to install, configure, and use this critical utility.

Exam Warning

The Remote Desktop Connection utility is the primary end user client connection tool for Terminal Services. Do not forget that it comes preinstalled on Windows XP and Windows Server 2003 and does not need to be installed separately.

Installing the Remote Desktop Connection Utility

If an administrator wants to use the Remote Desktop Connection utility on systems older than Windows XP, they need to install it first. The installation files can be retrieved from the Microsoft Web site, or if they have installed Windows Server 2003 they can share the client setup folder located at %systemroot%\system32\clients\tsclient. After they share this folder, computers on the network can connect to the share and run the setup.exe utility in the Win32 folder. If the administrator wants to deploy the client using Group Policy, Microsoft also includes an MSI installation file, msrdpcli.msi, in this directory.

Perform the following steps to install the Remote Desktop Connection client:

1. When you double-click the setup.exe file, the installation wizard will launch. Read the initial welcome screen and then click the Next button.

2. Review the license agreement and then click the radio button next to I accept the terms of the license agreement, followed by the Next button.

3. On the Customer Information screen, enter your name for licensing purposes in the User Name text box, and your company for licensing purposes in the Organization text box.

4. In the Install this application for section, select the radio button next to Anyone who uses this computer (all users) if you want the utility to be available on the Windows Start menu for every user that logs on to the system. Select the radio button next to Only for me (-) if you only want the utility to appear in your Windows Start menu. When you have finished making your selection, click the Next button.


5. On the next screen, click the Install button to proceed with the installation or the Back button to review your choices. The application will remove any previously installed similar applications, and then complete its own installation.

6. Click the Finish button to close the wizard.

Launching and Using the Remote Desktop Connection Utility

After the application is installed, click Start | Programs | Accessories | Communications | Remote Desktop Connection. This opens the utility, as seen in Figure 3.22, with most of its configuration options hidden. To proceed with the connection, type the name or IP address of the Terminal Server, Windows Server 2003 computer, or Windows XP Professional computer to which you want to connect in the Computer drop-down box, or select it from the drop-down list if you have previously established a connection to it. By default, the name or IP address of the last computer to which you connected will be displayed. Finally, click on the Connect button.

Figure 3.22 Viewing Remote Assistance Requests

Note

Refer back to Chapter 2 for more discussion on the various components and configuration of Terminal Services in Terminal Server (Application) mode.

A Remote Desktop window will open. If the user name and password with which you are logged on to your current system are valid for connection to Terminal Services on the server, you will be automatically logged on and a session will appear. If not, you will be prompted to enter a valid user name and password. When you are connected, the remote desktop will appear in a window on your system by default, as seen in Figure 3.23. You can move your cursor over it, and then click on and use any item in the remote desktop just as you would if you were using your local system. You can also copy and paste between the remote and local computers.


Figure 3.23 The Remote Desktop Window

Connecting is a simple process; however, terminating a session requires a bit more explanation. There are two methods that can be used to end a session:

Logging off

To log off, simply click Start | Log Off on the remote desktop. When you do this, it will completely log you out of the remote system in much the same way as if you logged out on your local system. Registry entries are properly written, programs are closed, and so forth. The session is completely removed from the Terminal Services computer, freeing up any system resources that were being used by your session. Make sure that you select Log Off, rather than Shut Down. If you select Shut Down, and you are logged onto the remote session with rights that allow your account to shut down the server, it will power down or reboot the server. This will affect everyone who is currently using the server.

Disconnecting

The second method of terminating your session is to use the process known as disconnection. When you disconnect from Terminal Services, your session remains on the server and is not removed. It continues to consume resources, although the video stream coming to your local computer and the input stream going from your local computer to the Terminal Services system are terminated. When you launch the Remote Desktop Connection utility again and connect to the same computer running Terminal Services, your session will still be there, exactly as you left it, and you can take up where you left off. This can be helpful in cases where an application is being run that requires lengthy processing. You do not have to remain connected for the application to run, and you can check back in later and obtain the result.

In general, it is best to properly log off and free up the resources being used by a session you no longer need. As will be seen a bit later, an administrator can cause a disconnected session to be reset if they do not return to it for a specified period of time. If they have left unsaved documents or other files open in their session, resetting will cause them to lose all work. Thus, it is usually safest to save your work before disconnecting.

Disconnect from your session by clicking the close button (the X) in the top right corner of the Remote Desktop window.

You can also log off or disconnect using the Windows Security dialog box. This can be accessed by clicking Start | Windows Security, or by using the Ctrl + Alt + End key combination from within the session (this has the same effect as Ctrl + Alt + Del on the local machine). Once in the dialog, you can log off by clicking the Log Off button, or by clicking Shut Down and then selecting Log Off from the drop-down box that appears. This same drop-down box also contains the Disconnect option.

Configuring the Remote Desktop Connection Utility

In the previous section, we simply launched the Remote Desktop Connection utility and established a connection. When the utility is initially launched, most of its configuration information is hidden. To display it before using it to establish a connection, click the Options button. This reveals a series of tabs and many additional settings that need to be configured.

The General Tab

The General tab, as seen in Figure 3.24, contains the Computer drop-down box, which contains names and IP addresses of computers to which the administrator previously connected, along with an option to browse the network for computers not listed. It also contains User name, Password, and Domain text boxes. Remember, by default the credentials with which you are logged on locally are used to establish your remote session. If you always want to ensure that a specific set of credentials is used to log onto Terminal Services, you can type the account information into these text boxes.

Figure 3.24 The Remote Desktop Connection General Tab


Note

In general, it is a poor security practice to leave the user name and password information saved in the utility. If you choose to do this, keep in mind that anyone with access to your computer can use the utility to establish a Terminal Services session.

This tab also allows you to save your connection settings. You might have several different systems to which you connect using Terminal Services. If so, it is helpful to not have to configure the utility each time you open it. When you click the Save As button, a Save As dialog box opens, asking you where you would like to save the file that contains your configuration information. The file will be saved with an .RDP extension, and can be double-clicked later to establish a Terminal Services session. You can also use the Open button on this tab to specify that the settings from a previously saved RDP file be loaded into the utility.
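The note above warns against leaving credentials saved in the utility; the following Python script, added here and not from the book, parses saved .RDP connection files and reports those that store a user name or password. It assumes the .RDP name:type:value line layout and key names such as `full address` and `password 51`, which are the Remote Desktop Connection client's own; the sample file contents are constructed.

```python
"""Audit saved Remote Desktop Connection (.RDP) files for stored credentials.

Added example, not from the book.  A .RDP file is plain text, one setting
per line as name:type:value (type s = string, i = integer, b = binary as
hex).  The key names used here are the ones the Remote Desktop Connection
client writes; the file contents below are constructed for this example.
"""
from dataclasses import dataclass, field


@dataclass
class RdpAudit:
    path: str
    target: str = ""
    username: str = ""
    domain: str = ""
    stored_password: bool = False
    problems: list = field(default_factory=list)


def parse_rdp(text):
    """Return {name: (type, value)} for every well-formed name:type:value line."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)   # value may itself contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("s", "i", "b"):
            continue                 # not in the file's format; ignore it
        name, typ, value = parts
        settings[name] = (typ, value)
    return settings


def audit_rdp(path, text):
    """Flag settings that leave logon details on disk for anyone who can run the file."""
    s = parse_rdp(text)
    a = RdpAudit(path=path)
    a.target = s.get("full address", ("s", ""))[1]
    a.username = s.get("username", ("s", ""))[1]
    a.domain = s.get("domain", ("s", ""))[1]
    pw = s.get("password 51")
    # An empty 'password 51:b:' line means no password was saved.
    a.stored_password = bool(pw and pw[0] == "b" and pw[1])
    who = f"{a.domain}\\{a.username}" if a.domain else (a.username or "<unknown>")
    if a.stored_password:
        a.problems.append(f"saved password: anyone who can run this file gets a session as {who}")
    elif a.username:
        a.problems.append("saved user name: reveals a valid account name to anyone who reads the file")
    return a


# Constructed sample files: one with a saved password, one with only a user
# name, one that stores nothing.  The hex blob is made up, not a real secret.
SAMPLES = {
    "admin-srv01.rdp": """\
screen mode id:i:2
desktopwidth:i:800
desktopheight:i:600
session bpp:i:16
full address:s:srv01.example.test:3389
domain:s:CORP
username:s:administrator
password 51:b:01000000d08c9ddf0115d1118c7a00c04fc297eb
""",
    "helpdesk-srv02.rdp": """\
full address:s:srv02.example.test
username:s:helpdesk
password 51:b:
""",
    "clean-srv03.rdp": """\
full address:s:srv03.example.test
""",
}


def audit_all(samples=SAMPLES):
    """Audit every (path, contents) pair; in practice read the files from disk."""
    return [audit_rdp(path, text) for path, text in samples.items()]


if __name__ == "__main__":
    for a in audit_all():
        state = "; ".join(a.problems) or "no stored credentials"
        print(f"{a.path} -> {a.target}: {state}")
```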

The Display Tab

The Display tab, as seen in Figure 3.25, configures how the remote desktop appears on the client computer. The top portion of the screen contains a slider that controls the size of the remote desktop that will be displayed on the screen. The slider has four possible positions: 640x480, 800x600, 1024x768, and Full Screen. The default is 800x600.

Figure 3.25 The Remote Desktop Connection Display Tab

The next portion of this tab controls the color depth (in bits) of the remote desktop when it is displayed on the local computer. The drop-down list box contains the following options: 256 colors, High Color (15 bit), High Color (16 bit), and True Color (24 bit).

Higher color depths require more resources. Note that the settings on the server itself may override your selection.


Finally, the bottom of the tab contains a check box entitled Display the connection bar when in full screen mode. When selected, this setting places a small bar, seen in Figure 3.26, at the top of a full screen remote desktop, which makes it easier to size, minimize or maximize (to full screen), or close the Remote Desktop window.

Figure 3.26 The Full Screen Connection Bar

The Local Resources Tab

The Local Resources tab, as seen in Figure 3.27, allows you to control whether or not client resources are accessible in your remote session. Remember that when you are working in a session, you are actually working on the remote computer. This means that when you open Windows Explorer, the disk drives you see are the ones that are physically located on the Terminal Services computer, not the ones installed in your local computer.

Selections on the Local Resources tab can be used to make your local disk drives, client-attached printers, and similar client-side resources available for use within your remote desktop session.

Figure 3.27 The Remote Desktop Connection Local Resources Tab

The first setting on the tab deals with whether audio will be used in the session. The default setting, Bring to this Computer, allows any sounds played in the session to be transferred from the Terminal Services computer to the client. Audio transfer can be bandwidth-intensive in a thin client environment, so Microsoft also gives you the opportunity to not transfer this audio. The Leave at Remote Computer setting plays the audio in the session on the Terminal Services computer but does not transfer the audio to the client. The Do not play setting prevents audio in the session altogether.


NOTE

The ability to transfer audio is one of the important differences between the Remote Desktop Connection client and the older Windows 2000 Terminal Server client.

The next setting on the Local Resources tab relates to whether keyboard shortcut combinations are used by the local operating system or the Remote Desktop window. There are three possible settings for keyboard shortcut combinations:

■ In full screen mode only In this mode (which is the default), when you use a shortcut combination, the system applies it to the local operating system, unless there is a full screen Remote Desktop window open.

■ On the local computer This setting applies all shortcut combinations to the local operating system.

■ On the remote computer This setting applies all shortcut combinations to the Remote Desktop window.

It is important to note that you cannot redirect the Ctrl + Alt + Del keyboard combination. This combination only works on the local operating system. An equivalent that can be used in the Remote Desktop window (mentioned earlier in the chapter) is Ctrl + Alt + End.

The final section of the tab contains a series of check boxes that can be selected to determine which devices from the client system are automatically made available to the user within the remote desktop session. By default, the following are selected: Disk drives, Printers, and Smart cards (if installed). An additional one, Serial ports, is not selected by default. When Disk drives, Serial ports, or Smart cards are selected, you may see a Remote Desktop Connection Security Warning box appear when you begin the connection process. This happens because opening up devices that allow input or may relate to the underlying security of your local machine can be risky. You should consider carefully whether these settings are actually needed, and configure the utility appropriately.
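The two warnings above (credentials saved on the General tab, device redirection enabled on the Local Resources tab) both end up as plain-text lines in the saved .RDP file, which makes them easy to audit. The following Python script is an added example, not code from the book: it parses an .RDP file, reports those settings, and writes a hardened copy. The key names are the ones mstsc.exe writes to the file ("name:type:value") and are assumed here, since the chapter does not list them; the sample file and its password blob are constructed.

```python
"""Audit a saved Remote Desktop Connection (.rdp) file for the settings the
General and Local Resources tabs warn about.

Added example, not from the book. Key names are the ones mstsc.exe writes
("name:type:value"; type s = string, i = integer, b = binary); they are an
assumption here and are not given in the chapter text.
"""
from typing import Dict, List, Tuple

Settings = Dict[str, Tuple[str, str]]

# Constructed sample: credentials saved on the General tab and every device on
# the Local Resources tab redirected. The password blob is a dummy value.
SAMPLE_RDP = """\
screen mode id:i:1
desktopwidth:i:800
desktopheight:i:600
session bpp:i:16
full address:s:srv01.example.local:3389
username:s:EXAMPLE\\jsmith
domain:s:EXAMPLE
password 51:b:0102030405060708090A0B0C0D0E0F10
audiomode:i:0
keyboardhook:i:2
redirectdrives:i:1
redirectprinters:i:1
redirectcomports:i:1
redirectsmartcards:i:1
autoreconnection enabled:i:1
"""

# Local Resources check boxes whose selection makes the client show the
# Remote Desktop Connection Security Warning box.
WARNED_REDIRECTS = {
    "redirectdrives": "Disk drives",
    "redirectcomports": "Serial ports",
    "redirectsmartcards": "Smart cards",
}
AUDIO_MODES = {0: "Bring to this computer", 1: "Leave at remote computer", 2: "Do not play"}
KEYBOARD_MODES = {0: "On the local computer", 1: "On the remote computer", 2: "In full screen mode only"}


def parse_rdp(text: str) -> Settings:
    """Parse .rdp text into {name: (type, value)}.

    Splitting on at most two colons keeps values that contain colons intact
    (a host:port in 'full address', for example); malformed lines are skipped.
    """
    settings: Settings = {}
    for raw in text.splitlines():
        parts = raw.strip().split(":", 2)
        if len(parts) != 3:
            continue
        name, typ, value = parts
        settings[name.strip().lower()] = (typ.strip().lower(), value)
    return settings


def render_rdp(settings: Settings) -> str:
    """Serialise settings back to .rdp text, one 'name:type:value' per line."""
    return "".join(f"{name}:{typ}:{value}\n" for name, (typ, value) in settings.items())


def int_setting(settings: Settings, name: str, default: int = 0) -> int:
    """Integer value of an 'i' setting, or default when absent or malformed."""
    _, value = settings.get(name, ("i", str(default)))
    try:
        return int(value)
    except ValueError:
        return default


def audit_rdp(settings: Settings) -> List[str]:
    """One finding per setting a reviewer should question; an empty list is clean."""
    findings: List[str] = []
    if settings.get("password 51", ("b", ""))[1]:
        findings.append("saved password: anyone who can read this file can open the session")
    user = settings.get("username", ("s", ""))[1]
    if user:
        findings.append(f"saved user name '{user}': exposes the account used for the session")
    for key, label in WARNED_REDIRECTS.items():
        if int_setting(settings, key) == 1:
            findings.append(f"{label} redirected into the session (Security Warning box applies)")
    return findings


def harden(settings: Settings) -> Settings:
    """Copy of the settings with saved credentials removed and the device
    redirections that raise the Security Warning switched off. Printers are
    left alone, matching the client's default."""
    hardened = dict(settings)
    hardened.pop("password 51", None)
    hardened.pop("username", None)
    for key in WARNED_REDIRECTS:
        hardened[key] = ("i", "0")
    return hardened


def describe(settings: Settings) -> Dict[str, str]:
    """Readable view of the audio and keyboard choices stored in the file."""
    return {
        "audio": AUDIO_MODES.get(int_setting(settings, "audiomode"), "unknown"),
        "keyboard": KEYBOARD_MODES.get(int_setting(settings, "keyboardhook", 2), "unknown"),
    }


if __name__ == "__main__":
    original = parse_rdp(SAMPLE_RDP)
    for finding in audit_rdp(original):
        print("FINDING:", finding)
    print(describe(original))
    print(render_rdp(harden(original)))
```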

The Programs Tab

By default, when an administrator connects to a Terminal Services session, they will receive a Windows Server 2003 desktop. The selections on the Programs tab, as seen in Figure 3.28, allow them to receive only a specified application instead. If Terminal Services are being used to provide only a single application for each user, this setting can increase security by ensuring that users do not receive a full desktop upon connection. This prevents them from performing tasks on the server other than running the specified application. If the check box next to Start the following program on connection is selected, only that application will be available in the session. This option enables the Program path and file name text box. If the path to the application is already contained in one of the Windows path variables on the Terminal Services computer, the administrator can just type the name of the application's executable file in this box. If not, they must include the full path and file name of the executable. The check box also enables the Start in the following folder text box. If the application requires the specification of a working directory, enter it here. This is often the same directory in which the application itself is installed.

Figure 3.28 The Remote Desktop Connection Programs Tab

NOTE

Because the Programs tab on the Remote Desktop Connection utility can be configured by the user at the client computer, this is not the best way to control what the user can do on the Terminal Server. Administrators can use Group Policy to configure Terminal Server connection settings and user policies for better security.

After the connection is made with a specified program starting, the traditional methods of ending a session will not always be possible. Most programs have an Exit command on a menu, embedded in a button, or contained in a link. When you have specified an initial program, the Exit command is the equivalent of logging out. To disconnect, simply close the Remote Desktop Connection utility.

TEST DAY TIP

If you are connecting to the console session, the settings on this tab are ignored because a new session is not being created for you when you connect.


The Experience Tab

The Experience tab, as seen in Figure 3.29, allows the administrator to customize several performance features that control the overall feel of their session. All of these settings except Bitmap Caching can generate substantial amounts of additional bandwidth and should be used sparingly in low bandwidth environments.

Figure 3.29 The Remote Desktop Connection Experience Tab

The check boxes on this page include the following:

■ Desktop background Allows the background image of the desktop (wallpaper) in the remote session to be transferred to and displayed on the client.

■ Show contents of window while dragging Rapidly refreshes a window so that its contents are visible as the user moves it around the screen in their Remote Desktop window.

■ Menu and window animation Enables some sophisticated effects, such as the Windows Start menu fading in and out, to be displayed in the Remote Desktop window on the client computer.

■ Themes Enables any themes used in the remote session to be enabled and transferred to the Remote Desktop window on the client.

■ Bitmap Caching Enables bitmaps to be stored locally on the client system and called up from cache, rather than being transmitted multiple times across the network. Examples of bitmaps include desktop icons and icons on application toolbars. This setting improves performance, but not all thin client systems have a hard drive or other storage mechanism in which to store the bitmaps.


At the top of the Experience tab, there is a drop-down box that contains several predefined combinations of these settings that Microsoft has optimized for different levels of available bandwidth. Table 3.2 shows which bandwidth level corresponds to which settings:

Table 3.2 Preconfigured Bandwidth Settings

Columns: Connection speed | Desktop background | Show contents of window while dragging | Menu and window animation | Themes | Bitmap caching

Rows (connection speed): Modem (28.8 Kbps); Modem (56 Kbps) – default; Broadband (128 Kbps – 1.5 Mbps); LAN (10 Mbps or higher); Custom

The Experience tab also contains a check box entitled Reconnect if connection is dropped, which is selected by default. The versions of Terminal Services included with Windows Server 2003 and Windows XP SP1 or later include the Automatic Reconnection feature. If dropped packets, network service interruptions, or other network errors cause a Terminal Services connection to disconnect, this feature will automatically attempt to reconnect to the session without requiring the administrator to reenter their logon credentials. By default, there will be a maximum of 20 reconnection attempts, which occur at 5-second intervals. Generally, a notification message will appear, informing the administrator that the connection has been lost and counting down the remaining connection attempts.

Using the Remote Desktops Console

The Remote Desktops console, as seen in Figure 3.30, is another utility that can be used to establish Terminal Services connections to Windows Server 2003 servers and Terminal Servers. The Remote Desktops console can safely be considered the primary Terminal Services client connection tool for administrators. It contains two outstanding features that are not found in the Remote Desktop Connection utility:

■ The Remote Desktops console can be used to connect to multiple Windows Server 2003 servers using Terminal Services An administrator can configure and save the console with connection information for multiple servers. These connections can be used to establish and switch between sessions. For example, the administrator could configure the snap-in with connections for each of their servers and have a single tool that allows for remote administration of them. With the Remote Desktop Connection utility, they must open a new instance of the utility for each server to which they want to connect simultaneously. With the Remote Desktops console, they can quickly click between multiple running Terminal Services sessions.

■ The Remote Desktops console allows a remote connection to the console session In the past, the inability to connect to the console session has prevented many administrators from being able to use Terminal Services for remote administration. In Windows 2000, this was not possible, and as a result many administrators continued to use other remote administration utilities such as PC Anywhere and VNC. There are a number of server-based applications that send notification pop-up windows only to the console session on a server. Their messages cannot be redirected to another system, the Event Viewer, and so forth. If one or more of these applications is running on a server, the administrator needs to be able to view the actual console session to see these messages. With the Remote Desktop Connection utility and previous versions of Terminal Services and its clients, when an administrator connects to Terminal Services a new session is established. There is simply no way for the administrator to connect to the existing console session and see these messages.

Figure 3.30 The Remote Desktops Console

EXAM WARNING

Remember, the Remote Desktops console is designed to allow administrators to connect to multiple Terminal Servers, as well as the console session. The Remote Desktops console is not available on Windows XP Professional computers, only on Windows Server 2003. However, you can use it on your Windows XP Professional computer to manage your servers by installing the Admin Pack (adminpak.msi, located in the i386 folder on the Windows Server 2003 installation CD).

Adding a New Connection

By default, no connections are configured. If you click on the Remote Desktops node at this point, nothing will appear to happen. Begin by right-clicking the Remote Desktops node in the tree view on the left side of the utility. From the context menu that appears, select Add new connection. This will open the Add New Connection dialog box seen in Figure 3.31.

Figure 3.31 Creating a New Remote Desktop Connection

The top portion of the window contains the connection information. In the Server name or IP address text box, enter the fully qualified domain name (FQDN), NetBIOS name, or IP address of the server to which you wish to connect. If you use a FQDN or NetBIOS name, you must make sure that you have the necessary name resolution services running and properly configured on your network.

Next, enter a name to identify the connection in the Connection Name text box, or accept the default (which will be the same as the server name or IP address you entered in the previous field). This name will only be used to identify the connection within the utility.

Finally, leave the Connect to console check box selected if you want to connect to the server's console as mentioned earlier. Because this snap-in is intended for remote administration, this is the default setting. If you deselect the check box, Terminal Services will create a new session for you to use when you connect. If you leave it checked, you will be able to view and interact with the console session. Note that after you are authenticated, if someone else is connected to and using the console session (either locally or remotely) when you attempt your connection, you will be notified. The notification message will include the user name, whether the user is connected locally or remotely, and the session state. It is important to realize that only one user can be connected to and using the console session at any time. This means that if someone is using the console, whether remotely or locally, your new connection will force them out.

The lower half of the Add New Connection window allows you to store logon information to be used with the session. For security reasons, it is recommended that you not store user names and passwords in utilities such as this one. However, if you wish to do so, enter your logon name in the User name text box, followed by your password in the Password text box. Finally, in the Domain text box, type the name of your domain and select the Save Password check box if you wish to have your password information saved.

When you are finished entering the information in the Add New Connection dialog box, click the OK button to save the connection. The connection should now appear under the Remote Desktops node in the tree view on the left of the MMC window.

Configuring a Saved Remote Connection’s Properties

You can configure several properties for saved connections. Right-click the node in the left pane of the MMC that represents the connection you want to modify, and select Properties from the context menu. The Properties dialog box opens, as seen in Figure 3.32.

Figure 3.32 Configuring a Remote Desktop Connection

The General tab is essentially the same as the Add New Connection dialog box and contains the same fields for configuration. You can change any of the settings you made when you created the connection.


The Screen Options tab, as seen in Figure 3.33, allows you to choose the size of the remote desktop window that will appear in the snap-in. The desktop will appear in the currently blank space on the right side of the MMC window. You can select the size of the desktop that appears there. The default is for the desktop to fill all of the available space in the right pane of the MMC window. This default setting is called Expand to fill MMC Result Pane in Properties window. You can change this by selecting the radio button next to one of the other choices on the tab. The second choice is entitled Choose desktop size. When selected, it enables a drop-down box containing two standard resolutions: 640 x 480 and 800 x 600. The final option on the tab is Enter custom desktop size. When selected, it enables two text boxes: Width and Height. If the other available options do not provide you with the desired desktop size, you can manually enter the size you want into these text boxes.

Figure 3.33 The Screen Options Tab

NOTE

It should be noted that the desktop size will be set at connection and will not change. If you start with the Remote Desktops console not maximized, connect to the remote server, and then maximize the console window, the desktop will not expand to fill the right side of the utility. If you change the properties to choose a specific desktop size or custom size while the session is running, you will not see any change. You can right click the connection name, select Disconnect, then right-click again and select Connect to see the size change.


Switch to the Other tab, as seen in Figure 3.34, to view the final set of options. You will see some settings that are familiar from your experience with the Remote Desktop Connection utility: the ability to start a program and/or redirect local drives.

Figure 3.34 The Other Tab

By default, you will receive a Windows Server 2003 desktop when you connect to a Terminal Services session. The first selection on this tab allows you to receive only a specified application instead. If the check box next to Start the following program on connection is selected, only that application will be available in the session. Selecting the box enables the Program path and file name text box. If the path to the application is already contained in one of the Windows path variables, you can type the file name of the application's executable file in this box. If not, you must include the full path and file name of the executable. The check box also enables the Working directory text box. If the application requires the specification of a working directory, enter it here. This is often the same directory into which the application itself is installed.

At the bottom of this tab is another check box entitled Redirect local drives when logged on to the remote computer. If this check box is selected, the drives on the client will be visible from within the session. This provides you with access to those local drives from Windows Explorer, as well as Open and Save As dialog boxes within applications. If it is not necessary to allow clients access to their local drives, you should leave this option disabled for security purposes. Note that there is no option to redirect local printers, serial ports, and smart cards as with the Remote Desktop Connection utility.

Connecting and Disconnecting

When you have your connection added and configured, connecting is a snap. To connect, simply right-click the node that represents your saved connection in the tree view in the left MMC pane and select Connect from the context menu. If you did not save your logon information in the Properties window for the connection, the information you provided was incorrect, or you want to log on with a different account, you will be required to enter a user name and password when the session appears in the right pane of the snap-in.

Disconnecting is just as simple. Right-click the node that represents your saved connection in the tree view in the left pane of the Remote Desktops console, and select Disconnect from the context menu. You can also use some of the other methods for logging off and disconnecting mentioned earlier in this chapter.

EXAM WARNING

Only the Remote Desktop MMC snap-in and the mstsc /console command can be used to connect to the console session of a Terminal Services computer. However, an administrator actually sitting at the server and using the console session can request help by using the Remote Assistance functionality in Terminal Services. It is important to note that, for security reasons, a console session cannot be viewed using Remote Desktop Control utility.

Using the Remote Desktop Web Connection Utility

The Remote Desktop Web Connection utility is designed to access a Terminal Services session through Microsoft Internet Explorer (MSIE) over TCP/IP. It consists of an ActiveX component that is downloaded to the client browser and sample Web pages that the client loads in IE to make the connection. It replaces Windows 2000's Terminal Services Advanced Client (TSAC).

This utility depends on Internet Information Services 6 (IIS 6.0), which is not installed by default. Thus, in order to use the Remote Desktop Web Connection utility, you must begin by installing IIS 6.0 as discussed in Chapter 4.

Installing the Remote Desktop Web Connection Utility

The Remote Desktop Web Connection utility does not install automatically with IIS 6.0. It is not available for installation from the Configure Your Server Wizard, but must be added using the Add or Remove Programs utility from the Control Panel. To install it, perform the steps outlined in Exercise 3.05.

EXERCISE 3.05 INSTALLING THE REMOTE DESKTOP WEB CONNECTION

1. Open the Windows Components Wizard by clicking Start | Settings | Control Panel | Add/Remove Programs and then click the Add/Remove Windows Components icon. After a few moments the Windows Component Wizard will open.

2. In the Components list, scroll down to select the check box next to Application Server and click the Details button.

3. In the Application Server dialog box that appears, select Internet Information Services (IIS) and click the Details button.

4. In the Internet Information Services (IIS) dialog box, select World Wide Web Service and click on the Details button.

5. In the World Wide Web Service dialog box, select the check box next to Remote Desktop Web Connection, as seen in Figure 3.35, and click the OK button. Also click the OK buttons on the Internet Information Services (IIS) and Application Server dialog boxes.

Figure 3.35 Installing the Remote Desktop Web Connection Utility

6. This will return you to the main screen of the Windows Components Wizard, where you should click the Next button. You may be prompted to supply the Windows Server 2003 installation files.

Using the Remote Desktop Web Connection Utility from a Client

To use the Remote Desktop Web Connection utility, open a version of Internet Explorer 5 or later on a client computer on the network, and connect to the following URL: http://SERVER/tsweb. When you do so, the Web page for the utility will appear and automatically detect whether you have the Remote Desktop ActiveX Control installed. If you do not, a Security Warning dialog box will appear, asking if you would like to install it, as seen in Figure 3.36. Click the Yes button to proceed with the installation. The control will then be downloaded and installed on your system.

Figure 3.36 Installing the Remote Desktop ActiveX Control

The default Web page contains two options. The Server text box is used to enter the name or IP address of the server to which you want to connect. The Size drop-down box contains a number of different screen resolutions that can be specified for the connection. The default is Full Screen, but other available options include: 640 x 480, 800 x 600, 1024 x 768, 1280 x 1224, and 1600 x 1200. There is also a check box entitled Send logon information for this connection. When selected, it adds two additional text boxes to the screen:

■ User name Can be used to specify the account with which you want to connect.

■ Domain Can be used to specify the domain in which the account is located.

If you do not select this check box, you will be prompted for logon information when you attempt to connect. Once you have made your selections, click on the Connect button, as seen in Figure 3.37.


Figure 3.37 The Remote Desktop Web Connection Logon Page

If you select any size setting less than Full Screen, the session will appear in the Web page itself, as shown in Figure 3.38.

Figure 3.38 Viewing a Session that is Embedded in a Browser Window

When you scroll through the Web page, the Terminal Services session will move with it. When you log off using the method described earlier in the chapter, the desktop disappears and the Web page displays the connection information and text boxes again. If you select Full Screen, a separate connection window is launched. The Web page changes to display a large blank box with text at the bottom of the page that indicates you are connected. The Remote Desktop can be minimized, sized, disconnected from, and logged off, in all of the ways mentioned earlier in the chapter.

Regardless of how you connect, a full session is established, which allows you to interact with a complete Windows Server 2003 desktop and all applications, as with the other clients. An important advantage of the Web client is that it does not require any client software to be installed.The ActiveX control that downloads to the browser upon connection to the default Web page is the only client software needed. In other words, if you are away from the computer you normally use for administration, this client can be used to administer one of your servers in an emergency from anywhere in the world. All that is needed on the client system is IE 5 or later.

Configuring IE for Use with the Remote Desktop Web Connection utility

IE 6.0 is installed by default on a Windows Server 2003 system. During the installation, a special security configuration is applied to it that places significant restrictions on its use. The Internet Explorer Enhanced Security Configuration feature can significantly affect the way in which Web sites are displayed in the browser. Among other things, it prevents the download and installation of ActiveX components.

Because the Remote Desktop Web Connection utility relies on an ActiveX control, by default you cannot use the browser on a Windows Server 2003 server to establish a Terminal Services session. You can configure the Enhanced Security Configuration so it will not apply to administrators. This can be accomplished by performing the following steps:

1. Click Start | Settings | Control Panel | Add/Remove Programs.

2. Click the Add/Remove Windows Components button on the left side of the window.

3. In the Windows Component Wizard dialog box, scroll down and select Internet Explorer Enhanced Security Configuration.

4. Click on the Details button.

5. In the Internet Explorer Enhanced Security Configuration dialog box, clear the check box next to For administrator groups and click the OK button. It may take a few moments for the configuration changes to be made.

6. Click the Next button, followed by the Finish button on the final page of the wizard.

7. Close Add or Remove Programs.


Using Web Interface for Remote Administration

If you need to manage your servers from home or from another office, one option is to use a standard Web browser to administer your servers using the remote administration component of Windows Server 2003. You must configure your server first, but after you have done this, you can simply point the browser to your server's IP address and administer it from anywhere in the world. To access the server over the Internet, the following conditions must be met:

■ The Remote Administration (Hypertext Markup Language [HTML]) component must be installed on the server. It is not installed by default, with the exception of Windows Server 2003 Web Edition.

■ Port 8098 on the server must be accessible through your Internet connection.

■ Your server must have a valid external IP address.

If you want to access your servers only over your company network, an external IP address is not necessary, but you must still be able to communicate with port 8098 on the server. Microsoft recommends that the browser you use for remote administration be IE version 6.0 or later.

NOTE

Remote administration over the Web is not available for servers that are domain controllers.

To access your server over the Web, browse to https://servername:8098. You must use a secure connection. The :8098 in the URL directs the browser to connect to port 8098 on the server instead of the default port 80. You can change your server to work on a different port in IIS Manager. After you have connected to the server, you will see the Welcome page, as seen in Figure 3.39.

Through this Web site, you can carry out the more common administration tasks, such as configuring Web sites, managing network settings, and administering local user accounts.

In Exercise 3.06, you will install Remote Administration (HTML) on a server.


Figure 3.39 Welcome Page for Server Web Administration

EXERCISE 3.06 INSTALL REMOTE ADMINISTRATION (HTML)

1. Open the Windows Components Wizard by clicking Start | Settings | Control Panel | Add or Remove Programs and then click the Add/Remove Windows Components icon. After a few moments the Windows Component Wizard will open.

2. In the Components list, scroll down to select the check box next to Application Server and click the Details button.

3. In the Application Server dialog box that appears, select Internet Information Services (IIS) and click the Details button.

4. In the Internet Information Services (IIS) dialog box, select World Wide Web Service and click on the Details button.

5. In the World Wide Web Service dialog box, select the check box next to Remote Administration (HTML), as seen in Figure 3.40, and click the OK button. Also click the OK buttons in the Internet Information Services (IIS) and Application Server dialog boxes.


Figure 3.40 Installing the Remote Administration (HTML) Option

6. This will return you to the main screen of the Windows Components Wizard, where you should click the Next button. You may be prompted to supply the Windows Server 2003 installation files.

7. You can access the Remote Administration (HTML) Web page by opening your Web browser and typing https://servername:8098, where servername is the name of your server. Alternatively, you can use the Web Interface for Remote Administration option within the Administrative Tools folder.

EXAM 70-292 OBJECTIVE 3.2.3

Using Emergency Management Services

Emergency Management Services (EMS) is a new feature in Windows Server 2003 that enables the administrator to remotely manage a server when normal network connectivity has failed. Under normal conditions, the administrator uses the tools described in this and other chapters to manage their server either by being physically present at the server or over the network. However, what happens if the network crashes or the server does not boot properly?

Providing the server has the appropriate hardware and firmware, the administrator can remotely manage it without the presence of a local keyboard, mouse, or display. This is called out-of-band or “headless” operation. The key aim of out-of-band management is to get a server that is not working properly back to a normal operating state.

A number of situations might require an administrator to resort to out-of-band management:

The server has stopped responding to normal network management commands.

The network card in the server has failed.


The server has not booted properly.

The server has been shut down and you need to bring it up again.

The extent to which an administrator can use out-of-band management depends on the hardware of their server. At the very least, on a server with Windows Server 2003, a serial port, and EMS enabled, they can connect a VT100-type terminal or a computer with a terminal emulator to the serial port and perform certain tasks using the Special Administration Console (SAC). However, the server must be up and running to be able to manage it in this way.

If an administrator needs to be able to manage the server remotely when it has crashed or even been switched off, they need special hardware and firmware on the motherboard that provide features such as firmware console redirection. This means that they can monitor the server via the serial port right from the moment it starts up and even check out basic input/output system (BIOS) settings. EMS is not enabled by default, but can be enabled during an installation, an upgrade, or after setup has been completed.

Managing Several Windows Server 2003 Computers with EMS

EMS provides a useful service for managing your servers in an emergency situation. But what if you have a large number of computers running Windows Server 2003 in a computer room? What is the best way of hooking to EMS on all of them without having an array of terminals? A tidy way of providing access is to use a terminal concentrator (sometimes called a Terminal Server, not to be confused with Terminal Services).

A terminal concentrator has several serial ports (16 is a common number) and a network connection. You use a program like Telnet to connect to the terminal concentrator over the network, and then choose a particular port on the concentrator to connect to the device attached to that port. Connect each of the serial ports on the servers to the serial ports on the terminal concentrator and you can then connect to EMS over the network. Of course, if the terminal concentrator fails, then you will not be able to connect to any of the servers.

Exercise 3.07 outlines the process by which you can use Emergency Management Services. This exercise requires two computers—one with Windows Server 2003 and the other with any operating system and a terminal emulator—and a special serial cable with two female ends and a crossover, sometimes called a null-modem cable. Alternatively, you can use a single computer and a dumb terminal that connects to the serial port of the server computer.


EXERCISE 3.07 CONNECTING TO EMS

1. Connect the serial cable between the two computers using COM1 on both computers.

2. On the server to be managed, open a command window and type the command bootcfg /ems on /id 1 /port COM1. This enables EMS on serial port COM1. The /id option specifies the operating system in the boot.ini list on which EMS is to be enabled. If you have more than one operating system on your computer, be sure to adjust the value of /id accordingly.

3. On the second computer, start HyperTerminal or any other terminal emulator and connect to COM1 using a baud rate of 9600. You will not see anything in the terminal window yet.

4. Reboot the server computer. Watch the terminal window as the server computer restarts. You should see the normal server-starting messages, including the operating system loader where you can choose which operating system to boot. At this stage, you can interact with the boot process through the terminal window.

5. When the computer has finished booting, the SAC prompt appears, as shown in Figure 3.41.

Figure 3.41 The SAC


6. Type cmd to start a command-prompt channel.

7. To switch to the command-prompt channel, type ch si 1 and press the spacebar to view the channel.

8. Enter your logon name, domain, and password. Use the name of the computer for the domain if your computer is not part of a domain.

9. After you have successfully authenticated, you get the normal command prompt where you can navigate the directory tree and run commands.
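The bootcfg /ems step in this exercise works by editing boot.ini. The following Python, added here and not from the book, parses a constructed two-entry boot.ini, applies the same change for one /id (assumed layout: redirect= and redirectbaudrate= keys in [boot loader], and a /redirect switch on the chosen entry) and reports which entries will actually redirect the console, so you can spot the wrong-/id mistake before rebooting the server.

```python
"""Audit and enable EMS console redirection in a Windows Server 2003 boot.ini.

Added example, not from the book.  It reproduces what `bootcfg /ems on
/port COM1 /id 1` is assumed to write: `redirect=` and `redirectbaudrate=`
in [boot loader] plus a `/redirect` switch on the selected OS entry.
"""
import re

# Constructed sample: entry 1 is Server 2003, entry 2 is XP Professional.
SAMPLE_BOOT_INI = """[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows Server 2003, Standard" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

REDIRECT_SWITCH = re.compile(r"(?i)\s/redirect\b")


def parse_boot_ini(text):
    """Return ({loader key: value}, [os entry lines]) from boot.ini text."""
    loader, entries, section = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader" and "=" in line:
            key, value = line.split("=", 1)
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems":
            entries.append(line)
    return loader, entries


def render(loader, entries):
    """Serialize the parsed structure back into boot.ini form."""
    out = ["[boot loader]"]
    out += [f"{k}={v}" for k, v in loader.items()]
    out.append("[operating systems]")
    out += entries
    return "\n".join(out) + "\n"


def enable_ems(text, entry_id, port="COM1", baud=9600):
    """Enable EMS on one OS entry; entry_id is 1-based like bootcfg's /id."""
    loader, entries = parse_boot_ini(text)
    if not 1 <= entry_id <= len(entries):
        raise ValueError(f"/id {entry_id} out of range; boot.ini has {len(entries)} entries")
    loader["redirect"] = port
    loader["redirectbaudrate"] = str(baud)
    new_entries = []
    for i, entry in enumerate(entries, start=1):
        # Only the chosen entry gets the switch; other installs stay silent
        # on the serial port, which is exactly the symptom in self-test 15.
        if i == entry_id and not REDIRECT_SWITCH.search(entry):
            entry += " /redirect"
        new_entries.append(entry)
    return render(loader, new_entries)


def ems_status(text):
    """Report the serial settings and which entries will redirect the console."""
    loader, entries = parse_boot_ini(text)
    return {
        "port": loader.get("redirect"),
        "baud": loader.get("redirectbaudrate"),
        "entries": [(i, bool(REDIRECT_SWITCH.search(e)))
                    for i, e in enumerate(entries, start=1)],
    }


if __name__ == "__main__":
    updated = enable_ems(SAMPLE_BOOT_INI, 1)
    print(updated)
    print(ems_status(updated))
```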


Summary of Exam Objectives

Windows Server 2003 provides a wide range of management tools; some are graphical and others are command-line based. There are also many wizards to help less-experienced administrators through particular tasks.

Many of the graphical tools are built using the MMC and snap-ins. You can use snap-ins to configure your own customized administrative tools. It is important to realize that most tools (graphical and command-line) work over the network so that you can manage remote servers from your computer.

When you need to manage a server remotely, you can choose from a variety of tools, including a browser (for remote administration), Remote Desktop connection (using Terminal Services), snap-ins for the MMC, and the Administration Tools Pack. Some tasks, such as adding a user, can be carried out using any of the remote administration tools, whereas others require you to use a specific tool. End-users can use Remote Assistance to enable others access to their desktop to guide them through resolving a problem or show them how to do something.

Terminal Services contains two components for remote administration. The first, Remote Desktop for Administration, allows up to two administrators to simultaneously connect remotely to the server. Each receives their own session with a separate desktop. Using this mode, an administrator can also connect to the console session of the server. This option was not available in Windows 2000 and it allows the administrator to view the server’s main desktop, just as if sitting at its keyboard. The second mode, Remote Assistance, allows a user, called the Novice, to request assistance from someone more knowledgeable, called the Expert. An invitation is sent from the Novice to the Expert, which enables the Expert to connect to and view the actual desktop of the Novice’s computer. Only one Remote Assistance session can exist on a computer at any given time. The Novice can also allow the Expert to have cursor and keyboard input within the Novice’s session. Both the Remote Desktop for Administration and Remote Assistance components must be enabled manually on the server.

There are three basic client tools that can be used to establish a Terminal Services connection. The Remote Desktop Connection utility is the primary tool designed for end users. It allows for connection to a single Terminal Server per instance of the utility and has a wide range of configuration options. The Remote Desktops MMC snap-in allows for connections to multiple Terminal Services computers within the same interface, and also allows you to connect to the console session. It is primarily designed for administrators. The Remote Desktop Web Connection utility is an IIS component that is installed from Add or Remove Programs in the Control Panel. IIS 6.0 must be installed on the Terminal Server to enable Web connections. It uses a client-side ActiveX control as the client. When used in full-screen mode, it launches a session window independent of the browser window. The Web client requires MSIE 5.0 or later, with security settings configured to allow ActiveX controls to be downloaded and installed.


Sometimes you will not be able to connect to a server over the network at all or it might have crashed completely. If the server is physically distant from you, consider using EMS. Provided that you have the appropriate hardware, you can establish access to the server even when the operating system is not running. Even with a server with no special hardware, you can still use EMS via the serial port to remotely manage the server using the SAC, but this will work only while the operating system is running.

Exam Objectives Fast Track

Recognizing Types of Management Tools

Windows Server 2003 provides administrators with a variety of management tools including wizards, graphical administration tools, and command-line utilities.

Most graphical administration tools can be found as pre-configured management consoles accessible via Start | Programs | Administrative Tools.

Many graphical management tools are built using the MMC and snap-ins.

You can create your own customized management tools by using snap-ins provided by the operating system or third-party products.

Using Terminal Services

Components for Remote Administration

Remote Desktop for Administration allows up to two administrators to remotely connect to the server simultaneously, each in their own session, to perform administrative tasks.

Remote Assistance allows a user, called the Novice, to request help from someone more knowledgeable, called the Expert. The Expert is able to view and interact with the Novice’s desktop remotely if permission is granted by the Novice.

Though installed with the operating system, both Remote Desktop for Administration and Remote Assistance must be enabled manually after installation before they can be used.

Using Terminal Services Client Tools

The Remote Desktop Connection utility is the primary Terminal Services client for end users. It comes with Windows Server 2003 and Windows XP, and can be installed on Windows 9x, NT, and 2000 computers.


The Remote Desktop MMC snap-in is designed for administrators. It allows for connections to multiple servers within a single interface, as well as console session connections.

The console session is the server’s primary desktop, the one you would see if you were actually sitting at its physical keyboard.

Only one administrator can be logged on to the console session at any given time. If another administrator attempts to log on, the current administrator will be logged off unless Group Policy prevents this.

The Remote Desktop Web Connection utility can be used from client machines that do not have one of the other Terminal Services clients installed. It requires and is a subcomponent of IIS 6.0. When a user connects, an ActiveX control is downloaded to their system to serve as the local Terminal Services client. This utility is only supported by MSIE 5.0 and higher.

End-users can use Remote Assistance to invite another person to view or take control of their desktops.

The Web Interface for Remote Administration enables you to manage a server from anywhere in the world using a Web browser. However, the range of administration tasks is limited.

Remote Desktop for Administration enables you to connect to a Windows 2000 Server or a Windows Server 2003 desktop via Terminal Services and act as if you were at the server. This enables you to perform any task on the server.

You can install the Administration Tools Pack on a Windows XP computer to enable you to remotely manage servers.

WMI provides a programming interface for developers to design management tools.

Computer Management (a pre-configured MMC) and other MMC snap-ins provide local and remote management capability.

Using EMS

EMS provides a means for managing a server even when network connectivity has failed.

To manage a server even when the operating system is not running, special hardware is required.

EMS provides a SAC that runs on the serial port and enables remote access via a serial cable or modem. The SAC runs when the operating system is running.

EMS must be installed before it can be used.


Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What type of administrative tools does Windows Server 2003 provide?

A: You can work with graphical tools, command-line utilities, or wizards.

Q: Which type of remote management tool would be most appropriate if you needed to manage your server from a customer’s office?

A: The Web Interface for Remote Administration is generally best, assuming that your customer has Internet access.

Q: What management feature can users use to request help from someone else?

A: Computers running Windows XP or later include the Remote Assistance feature. This enables a user to send an invitation to another person to remotely view or take control of the user’s desktop and provide assistance. Remote Assistance is enabled by default, but you can turn it off via the Control Panel | System | Remote tab.

Q: Can you manage Windows Server 2003 computers from your desktop computer?

A: Yes. There are several methods: Remote Desktop, Web Interface, Administration Tools Pack, and MMCs.

Q: What is the difference between Remote Desktop for Administration and the Terminal Server role?

A: Both are designed to allow remote Terminal Services connections. However, the Terminal Server role contains additional multi-user code that keeps user session and application settings separate. This allows for many users to connect using Terminal Services without having problems with the applications they are using. By default, Terminal Services allows only two connections for remote administration. When the Terminal Server role is installed, an unlimited number of users can connect simultaneously.

Q: How can I connect to, view, and interact with the console session using Terminal Services?

A: The Remote Desktop MMC snap-in is designed for administrator use. It allows for connection to multiple Terminal Services computers, in addition to defaulting to console session access. You can also connect to the console from the command-line by typing mstsc /console.

Q: Is Remote Assistance a part of Terminal Services or a separate component?

A: Like Remote Desktop for Administration, Remote Assistance exists in both Windows XP and Windows Server 2003 (Remote Desktop is only included in XP Professional, not XP Home, but Remote Assistance comes with both editions of XP). It is an additional service that uses the Terminal Services service to provide its core capabilities.

Q: There seem to be a number of different utilities that can be used to connect to Terminal Services and establish a session. Which one is the primary client tool for end users?

A: The Remote Desktop Connection utility is the primary end user connection tool. It comes pre-installed with Windows XP and Server 2003 and can be installed on Windows 9x, NT, and 2000 computers. It can be used to save connection settings to a file so that reconfiguration is not necessary when connecting to different servers. It also has a wide range of options that allow for optimization over almost any bandwidth. It includes several improvements over the Windows 2000 Terminal Services client, including the ability to redirect audio from the server to the client.

Q: I have enabled Remote Desktop connections. Why are administrators the only ones who can log on?

A: By default, only administrators can establish remote administration sessions. This makes sense when you think about it, since they are most likely to be the ones that will be connecting to the server remotely to do the work. However, if you need to allow others to connect, you can add them to the Remote Desktop Users group. This differs from Windows 2000 Terminal Services in remote administration mode, where there was no way to allow non-administrative users to connect.

Q: What does EMS provide?

A: The capability to manage a server, even when there is no network connectivity and sometimes even when the operating system has crashed (if you have the proper server hardware).

Q: What is the name of the management tool that EMS provides over the serial port?

A: SAC, the Special Administration Console. This enables you to run command-line programs in a terminal emulator.

Q: What is out-of-band management?

A: Out-of-band management refers to using a different set of tools from the standard ones, including tools that do not run over the network.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Recognizing Types of Management Tools

1. You are logged on to the server using an ordinary user account (i.e., without administrator privileges). You need to add several new printers on the server and you decided to use the prncnfg command-line utility. How do you do this without logging off?

A. Select Start | Run, and then type runas /user:administrator cmd. In the command window run the prncnfg command.

B. Select Start | Programs | Administrative Tools | Prncnfg, and then right-click and select Run as.

C. Select Start | Settings | Command. In the command window type runas /user:administrator cmd and run the prncnfg command in the new command window that appears.

D. Select Start | Run and then type cmd. In the command window run the prncnfg command.

2. You are creating a new MMC console for use by your help desk team that will be used to perform low level administrative functions in your network. You want the help desk team to be able to use the custom console, but not allow them to create any new windows or change the configuration of the console. What mode should you save this custom console in?

A. Author mode

B. User mode - full access

C. User mode - limited access, multiple windows

D. User mode - limited access, single window


Using Terminal Services

Components for Remote Administration

3. One of your users is having problems getting a productivity application to work correctly. You suspect that he is performing the steps involved in using the application incorrectly, but the application interface is complex and it is difficult for you to explain over the phone what he needs to do. The user is running Windows XP, and you want to connect to his PC and show him how to perform the task in question so that he can actually see you go through the steps. How would you arrange to do this?

A. Send the user a Remote Assistance Request.

B. Get the user to send a Remote Assistance Invitation.

C. Connect to the user’s PC using Remote Desktop.

D. Connect to the user’s PC using the Web Interface for Remote Administration.

4. You are at a branch office of your company assisting a user on her PC. While assisting the user, you receive a call that requires you to alter a DNS setting on the server back at the main office. The user has many applications open and you would prefer to not have to log her out if at all possible. What would be the best way to connect to the server?

A. Install the Windows Administration Tool Pack on the user’s PC.

B. Connect to the server using the Web Interface for Administration.

C. Use Computer Management on the PC and connect to the server.

D. Connect to the server using Remote Desktop for Administration.

5. You are the network administrator for Joe’s Crab Shack. While at a meeting in Redmond, Washington, you are informed that one of your newly installed Windows Server 2003 DNS servers has stopped performing name resolution. Your CEO has asked you to make a Remote Desktop connection to the server via your virtual private network (VPN) connection to the network. After you have connected to your internal network via VPN, you attempt to create a Remote Desktop connection to the server and cannot. The DNS server is located on the same IP subnet as the VPN server. What is the most likely reason for this problem?

A. TCP port 3389 is being blocked at your firewall.

B. Remote Desktop is not enabled on the server.

C. You do not possess the required credentials.

D. Your Internet connection does not support the RDP 5.1 protocol.


6. You have just installed Windows Server 2003 on one of your servers and would like to set up Remote Desktop for Administration so that you can connect to it remotely. Which of the following must you do? (Select all that apply.)

A. Open the System properties in Control Panel

B. On the Remote tab, select the check box next to Turn on Remote Assistance and allow invitations to be sent from this computer

C. On the Remote tab, select the check box next to Allow users to connect remotely to your computer

D. Do nothing

7. You are the network administrator for Joe’s Crab Shack. While at a meeting in Redmond, Washington, you are informed that one of your Windows Server 2003 DHCP servers is not leasing any more DHCP leases to clients. Your assistant administrator has verified that there are plenty of unused leases in the current DHCP scope, but is unable to determine the cause of the problem. Company policy prohibits the use of any Instant Messaging clients within your internal network. How can your assistant get Remote Assistance from you to help troubleshoot the DHCP server?

A. Use an e-mail-based request.

B. Use MSN Messenger to make the request.

C. Use Emergency Management Services to make the request.

D. Use the Recovery Console to make the request.

8. No matter how hard you try, you just cannot seem to figure out how to access your e-mail using the new application that was installed over the weekend. You decide to use the Remote Assistance feature to ask an administrator to walk you through the process. Which of the following are valid methods that you can use to request assistance? (Select all that apply.)

A. E-mail an administrator

B. Use ICQ to contact an administrator

C. Use Windows messaging to contact an administrator

D. Save the request to a file and transfer it to an administrator

9. You are attempting to initiate a Remote Desktop for Administration session with one of your Windows Server 2003 servers over the Internet. The server has a publicly accessible IP address but it is located behind an external firewall and a screening router. You can ping the server and establish a Telnet session to the server. You have verified with onsite personnel that Remote Desktop is enabled for this server and that your user account is allowed to make connections. What is the most likely reason for the inability to make the Remote Desktop for Administration connection?


A. Port 3389 is being blocked

B. Port 8088 is being blocked

C. IIS 6.0 is not installed

D. ASP.NET is not enabled on the server

10. You are configuring one of your Windows Server 2003 computers to allow Remote Desktop for Administration connections to it. What group do you need to add user accounts to in order to allow those users to create Remote Desktop for Administration connections?

A. Network Configuration Operators

B. Remote Desktop Users

C. Help Services Group

D. Telnet Clients

11. You are assisting a user with a configuration issue on his computer using a Remote Assistance session. You have tried unsuccessfully to take control of the user’s computer. What possible reasons are there to explain why you have not been able to take control? (Select two correct answers.)

A. The Novice is not allowing you to take control of his computer.

B. A firewall is in place blocking the request.

C. The remote computer is not configured to allow it to be controlled remotely.

D. Your computer is not configured to allow it to initiate remote control sessions.

12. You have sent an e-mail request for Remote Assistance to your support desk but the request expired before they could answer it and assist you with your problem. Company policy only allows members of the support desk to create Remote Assistance connections. You want to allow the request to be answered. What is the easiest way to go about this?

A. Create a new request and send it to the support desk.

B. Delete the expired request, causing it to be recreated anew.

C. Resend the expired request to the support desk.

D. Initiate the Remote Assistance connection yourself.

13. You need to connect to your server’s console remotely. Which graphical terminal services utility can you use to accomplish this?

A. The Remote Desktop Connection tool

B. The Remote Desktops console


C. The Remote Desktop Connection Web utility

D. The Terminal Services Client Configuration Manager utility

14. You are the network administrator for Joe’s Crab Shack. You are creating the company policy for the usage of Remote Desktop for Administration. When discussing the differences between disconnecting and logging off from an RDA session, which of the following two statements are correct? (Select two correct answers.)

A. Disconnected sessions do not remain on the server.

B. Disconnected sessions remain on the server, often consuming resources.

C. Logged off sessions do not remain on the server.

D. Logged off sessions remain on the server, often consuming resources.

Using EMS

15. You have a computer that has Windows Server 2003 and Windows XP Professional installed on it. You have connected a terminal to the serial port of the computer so that you can manage it remotely using EMS. You reboot the server and see the list of available operating systems on the terminal. You select Windows XP Professional from the boot list and then find that there is no further response on the terminal. What has happened?

A. The computer crashed while booting into Windows XP Professional.

B. EMS was enabled on the wrong serial port in the Windows XP Professional installation.

C. EMS was not enabled in the Windows XP Professional installation.

D. Windows XP Professional does not support EMS.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. A

2. D

3. B

4. D

5. B

6. A, C

7. A

8. A, C, D

9. A

10. B

11. A, C

12. C

13. B

14. B, C

15. D


271_70-292_04.qxd 8/21/03 5:10 PM Page 199

Chapter 4

MCSA/MCSE 70-292

Managing and Maintaining Web Servers

Exam Objectives in this Chapter:

3.3 Manage a Web server

3.3.1 Manage Internet Information Services (IIS)

3.3.2 Manage security for IIS

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


200 Chapter 4 • Managing and Maintaining Web Servers

Introduction

Microsoft’s Internet Information Services (IIS) is one of the most popular Web servers used on the Internet and in Intranets throughout the world. Windows Server 2003 includes the latest version, IIS 6.0. There have been changes, additions, and improvements to the software in the areas of core functionality and services, administration, security, and performance. IIS 6.0 has been redesigned to provide better reliability and more flexibility in configuring application environments.

In the past, Web servers have been a common vulnerability for hackers. It has been common for servers to be running rogue Web services without the knowledge of administrators. Thus, for security reasons, IIS 6.0 is not installed by default on Windows Server 2003 servers, with the exception of the Web Server Edition. When it is installed, it is initially configured in a high security mode.

Web servers are common targets due to their exposure to those outside the local network; therefore, security is a priority in IIS 6.0. Consequently, a number of important Web services features—which worked automatically in previous versions—now need to be explicitly enabled before they will work. This new focus on security means network administrators need to familiarize themselves with these changes in order to provide the Web server services needed on their networks.

This chapter examines the installation and configuration process for IIS 6.0 and introduces new security features, reliability features, and other new features. This chapter also shows how to use the Web Server Security Lockdown Wizard and how to manage security issues for Web servers. Lastly, this chapter discusses some common troubleshooting issues that may arise.

What is New in IIS 6.0?

Many of the new features in IIS 6.0 were designed to address technical and architectural issues found in IIS 5.0. The new features can be divided into several broad categories. The most important categories are security and reliability. Microsoft has invested a large number of resources on its new Trustworthy Computing initiative. IIS 6.0 is one of the first products to be developed under this security-focused strategy. Performance is also enhanced by key architectural modifications to the IIS 6.0 object model. The following sections investigate these changes in detail.

New Security Features

IIS 5.0 and earlier versions were constantly patched up by hot fixes from Microsoft. IIS was once considered one of the main security holes in the Windows platform, which was a major deterrent to using IIS as a commercial Web server. IIS 6.0 comes with an impressive list of new security features designed to win back commercial users. IIS 6.0 includes the following new security features:

www.syngress.com

271_70-292_04.qxd 8/21/03 5:10 PM Page 201

Managing and Maintaining Web Servers • Chapter 4 201

Advanced Digest authentication

Server-Gated Cryptography

Selectable Cryptographic Service Provider

Configurable Worker Process Identity

Default lockdown status

New authorization framework

Advanced Digest Authentication

Advanced Digest authentication is an extension of Digest security. Digest security uses Message Digest 5 (MD5) hashing to encrypt user credentials such as the user name, password, and user role.

What is the purpose of MD5 hashing? Basic authentication sends the user name and password details over the network medium in base64 encoded format. These details can be easily “sniffed” (captured with a protocol analyzer) and decoded by an intruder, who can then use the credentials for nefarious purposes. The MD5 hash enhances security by applying more sophisticated and more difficult-to-crack cipher algorithms to deter these intruders. An MD5 hash is made up of binary data consisting of the user name, password, and realm. The realm is the name of the domain that authenticates the user. This means that Digest security is more secure than Basic authentication. These security features are explained in more detail in the “Managing IIS Security” section of this chapter.

Exam Warning

An MD5 hash is embedded into a Hypertext Transfer Protocol (HTTP) 1.1 header, which is only supported by HTTP 1.1-enabled browsers. Digest or Advanced Digest authentication mechanisms cannot be enabled if the target browsers do not support HTTP 1.1. Internet Explorer 5.0 and above versions support HTTP 1.1, as do recent versions of Netscape, Opera, Mozilla, and other popular browsers.

Advanced Digest authentication takes the Digest authentication model a bit further by storing the user credentials on a domain controller as an MD5 hash. The Active Directory database on the domain controller is used to store the user credentials. Thus, intruders need to get access to the Active Directory in order to steal the credentials. This adds another layer of security to protect access to Windows Server 2003 Web sites, and the network administrator does not need to modify the application code to accommodate this security feature.
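The following Python script is an added illustration of the two preceding points (Basic versus Digest on the wire, and what Advanced Digest actually stores); it is not code from the book or from Microsoft. It builds a Basic Authorization header and reverses it, then computes the RFC 2617 Digest values: HA1 = MD5(user:realm:password), which is the hash a domain controller can hold in place of the password, and the per-request response that depends on a server-issued nonce. The user, realm, password, nonce, and URI are constructed sample values.

```python
"""Basic vs. Digest authentication on the wire (added example, not from the book).

Shows why Basic credentials are recoverable from a capture, while Digest
sends only an MD5 response derived from a one-time server nonce and the
server needs only HA1 (MD5 of user:realm:password) to verify it. This HA1
is the value Advanced Digest keeps in Active Directory.
"""
import base64
import hashlib

# --- Constructed sample values (not from any real system) ----------------
USER, REALM, PASSWORD = "chris", "corp.example.com", "S3cret!"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
METHOD, URI = "GET", "/secure/index.aspx"


def basic_header(user: str, password: str) -> str:
    """What a browser sends for Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Authorization: Basic {token}"


def recover_basic(header: str) -> tuple:
    """Base64 is an encoding, not encryption: a captured header reverses directly."""
    token = header.split("Basic ", 1)[1]
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def md5_hex(s: str) -> str:
    """Hex MD5 of a string, the primitive Digest authentication is built on."""
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user: str, realm: str, password: str) -> str:
    """HA1 = MD5(user:realm:password). Stored instead of the password."""
    return md5_hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, nonce: str, method: str, uri: str) -> str:
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def server_verifies(stored_ha1: str, nonce: str, method: str, uri: str,
                    presented_response: str) -> bool:
    """The server recomputes the response from the HA1 it stores and the nonce
    it issued; the clear-text password never crosses the network."""
    return digest_response(stored_ha1, nonce, method, uri) == presented_response


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", recover_basic(hdr))
    ha1 = digest_ha1(USER, REALM, PASSWORD)
    resp = digest_response(ha1, NONCE, METHOD, URI)
    print("Digest response:", resp)
    print("verified:", server_verifies(ha1, NONCE, METHOD, URI, resp))
```

A replayed Digest response fails as soon as the server issues a different nonce, which is the property Basic authentication lacks entirely; this is why the chapter treats Digest as the stronger of the two even though both ride in a plain HTTP header.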


Test Day Tip

Both Digest and Advanced Digest authentication only work on Web Distributed Authoring and Versioning (WebDAV)-enabled directories. WebDAV is a file sharing protocol commonly used in Windows Internet-related applications. WebDAV was previously referred to as Web Folders. It is a secure file transfer protocol over intranets and the Internet. Network administrators can download, upload, and manage files on remote computers across the Internet and intranets using WebDAV.

Server-Gated Cryptography

Communication between an IIS Web server and the Web client is completed using HTTP. These HTTP network transmissions can be easily compromised due to their text-based messaging formats. Therefore, HTTP calls must be encrypted between the client and the server. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the most common encryption mechanisms used for Web sites. SSL and TLS enable a secure communication by encrypting the communication channel with a cipher algorithm. TLS is the later version of the SSL protocol and is more flexible because it can be used with any application layer protocol.

IIS 5.0 and earlier versions included SSL/TLS for secure communication between the Web client and the server. Server-Gated Cryptography (SGC) is an extension of SSL/TLS, which uses a strong 128-bit encryption algorithm to encode data. SGC does not require an application to run on the client machine, but does need a valid certificate at the client Web browser, which can be encoded and decoded. A special SGC certificate is needed to enable the SGC support built into IIS 6.0. Network administrators can obtain a certificate by contacting a certificate authority (CA) internal to the network or from a trusted third party such as VeriSign. Once the certificate has been acquired, it can be added to IIS like any other certificate. The “Configure Authentication Settings” section of this chapter discusses this in more detail. IIS 6.0 supports both 40-bit and 128-bit encryption sessions. This means that old 40-bit SGC certificates are still valid in IIS 6.0. SGC is commonly used to protect data for financial sector applications, such as banking and financial institutions.

Exam Warning

If you try to open an existing 40-bit SGC certificate, you may get a “The certificate has failed to verify for all of its intended purposes” warning. These certificates are targeted to Windows 2000 servers. Thus, you can have a valid certificate and can be misled by this warning. Windows 2000 only supports 40-bit encryption and Windows Server 2003 supports both 40-bit and 128-bit encryption.


Selectable Cryptographic Service Provider

SSL/TLS offers a secure environment in which to exchange data. The downside is performance—SSL/TLS is very CPU-intensive. IIS 6.0 comes with a new feature called Selectable Cryptographic Service Provider (CSP) that allows the user to select from an optimized list of cryptography providers. A cryptographic service provider provides an interface to encrypt communication between the server and the client. A CSP is not specific to IIS and can be used to handle cryptography and certificate management for all Windows applications.

Microsoft implements two default security providers: the Microsoft DH SChannel Cryptographic provider and the Microsoft RSA SChannel Cryptographic provider. The Microsoft implementations are optimized for IIS 6.0 to provide faster communication, and the private keys are stored in the Registry. The Microsoft Cryptographic API (Crypto API) contains an identical interface for all providers, which enables developers to switch between providers without modifying the code. Each provider creates a public and a private key to enable data communication. The private key is stored on hardware devices (such as PCI cards, smart cards, and so forth) or in the Registry. The public CSP keys can also be stored in the Registry. The CSP can be configured using the IIS Certificate Wizard (discussed in Exercise 4.12).

Configurable Worker Process Identity

One of the most serious problems with previous IIS versions was the instability of the World Wide Web (WWW) Publishing Service. The failure of this service could result in the shutdown of a machine. IIS 6.0 runs each Web site in an isolated process environment called a worker process. If a Web site malfunctions, the problem is limited to its process environment and therefore does not cause the entire server to fail.

IIS 5.0 did not implement a worker process model, but instead had an isolated environment. IIS 6.0 can also run an IIS 5.0 isolated environment, if desired. With IIS 6.0, the network administrator can choose between a worker process model and an IIS 5.0 isolation model. The administrator can click the Run WWW service in IIS 5.0 isolation mode option box to run IIS in IIS 5.0 isolation mode. IIS will run in the worker process model if this option is not selected. IIS can only run in one mode at a time; it is not possible to run worker process model Web sites and IIS 5.0 isolation mode Web sites simultaneously.

The worker process can be run with a lower permission level than the system account. The worker process shuts down the application if the IIS server is targeted with malicious code. IIS 6.0, which by default is run by the local system account, is not affected since the worker process can be configured to run under a less privileged account.

Default Lockdown Status

The default installation of IIS 6.0 results in a lightweight Web server. The only default feature available is access to static content. This is to deter malicious access by intruders. This restricted functionality is referred to as default locked down status. This feature forces system administrators to manually enable and disable the necessary application features, thus preventing many of the attacks that have plagued IIS 5.0 implementations in the past.


New Authorization Framework

Authorization refers to the concept of confirming a user’s access for a given resource. Authentication refers to obtaining access to the resource. When a user is authenticated, the system administrator must make sure that they are authorized to perform any tasks on the resource—this is the basis of authorization. There are two types of ASP.NET authorization options available for IIS 6.0:

File Authorization

The FileAuthorizationModule class is responsible for file authorization on Windows Server 2003. The module is activated by enabling Windows Authentication on a Web site. This module checks the Access Control List (ACL) on an ASP.NET file for a given user. If the ACL confirms that the user has access to the file, it is made available to the user.

URL Authorization

The URLAuthorizationModule class is responsible for URL authorization on Windows Server 2003. This mechanism uses the URL namespace to store user details and access roles. The URL authorization is available to use at any time. The authorization information is stored in a text file in a directory. The text file has an <authorization> tag to allow or deny access to the directory. A sample authorization file might look like this:

<authorization>
    <allow users="Chris"/>
    <allow roles="Admins"/>
    <deny users="kirby"/>
    <deny users="?"/>
</authorization>

This file allows the user Chris to access the directory’s content. It also allows anyone in the Admins role to access its content. The user Kirby is denied access to the content. No one else will be able to gain access to this directory, as indicated by the ? wildcard.
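The script below is an added example, not code from the book or from ASP.NET itself, that evaluates the sample <authorization> section above against several callers. It models the URLAuthorizationModule rule semantics as I understand them: rules are scanned in document order and the first matching <allow> or <deny> decides; users="?" stands for the anonymous identity, users="*" matches every user, and roles= matches any role the caller holds. Because a caller matched by no rule falls through to ASP.NET’s root configuration, which allows "*", the script also evaluates a constructed variant with a trailing <deny users="*"/>, which is what closes a directory to every other authenticated user. The user and role names other than those in the sample file are constructed.

```python
"""Evaluating an ASP.NET <authorization> section (added example, not from the book).

Rule semantics modelled here (assumption, based on URLAuthorizationModule):
first matching rule wins; "?" = anonymous caller; "*" = everyone;
unmatched callers are allowed because the root configuration allows "*".
"""
import xml.etree.ElementTree as ET

# The chapter's sample, with straight quotes so an XML parser accepts it.
SAMPLE = """
<authorization>
  <allow users="Chris"/>
  <allow roles="Admins"/>
  <deny users="kirby"/>
  <deny users="?"/>
</authorization>
"""

# Constructed hardened variant: same rules plus a final deny-all.
CLOSED = SAMPLE.replace("</authorization>",
                        '  <deny users="*"/>\n</authorization>')


def parse_rules(xml_text: str) -> list:
    """Return [(verb, [users], [roles])] in document order."""
    root = ET.fromstring(xml_text.strip())
    rules = []
    for el in root:
        if el.tag not in ("allow", "deny"):
            continue  # ignore anything that is not an allow/deny rule
        users = [u.strip() for u in el.get("users", "").split(",") if u.strip()]
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        rules.append((el.tag, users, roles))
    return rules


def _user_matches(pattern: str, user) -> bool:
    """Match one users= entry; user is None for an anonymous request."""
    if pattern == "*":
        return True
    if pattern == "?":
        return user is None
    return user is not None and pattern.lower() == user.lower()


def is_authorized(rules: list, user, roles=()) -> bool:
    """Decide access for a caller; user=None means anonymous."""
    held = {r.lower() for r in roles}
    for verb, users, rule_roles in rules:
        hit = any(_user_matches(p, user) for p in users) or \
              any(r.lower() in held for r in rule_roles)
        if hit:
            return verb == "allow"   # first matching rule decides
    return True  # no rule matched: inherited <allow users="*"/> applies


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("closed", CLOSED)):
        rules = parse_rules(text)
        for who, roles in (("Chris", ()), ("alice", ("Admins",)),
                           ("kirby", ()), (None, ()), ("bob", ())):
            print(label, who or "<anonymous>", is_authorized(rules, who, roles))
```

Running the script prints one line per caller and rule set; the only difference between the two rule sets is the authenticated, non-Admins user, who is allowed by the sample file and refused by the closed variant.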

ASP versus ASP.NET…What’s the Difference?

Active Server Pages (ASPs) are used to create Web-based applications combining HTTP, scripting, and ActiveX applets to provide dynamic Web sites. ASP uses a combination of VBScript, JScript, and Component Object Model (COM) components.

ASP is executed completely on the Web server and returns its output as standard Hypertext Markup Language (HTML) to the user’s browser. In IIS, ASP is implemented as an Internet Server Application Programming Interface (ISAPI) filter named asp.dll that resides in the same memory space as IIS. When a user requests an ASP page, which has the extension .asp, the request is processed by the filter, which then loads the required DLLs to interpret the script on the page, executes the script on the server, and then returns the output to the user’s browser.


ASP.NET is a more advanced platform for developing Web applications, services, and forms under the .NET platform. ASP.NET solutions can be developed in Microsoft Visual Studio .NET, and ASP.NET supports application creation using C#, VB.NET, and various other programming languages, which was not previously possible using ASP. ASP.NET is the successor to ASP and ASP+, and is backwards compatible with its earlier predecessors. ASP.NET offers a significant performance improvement because it is compiled instead of interpreted. Additionally, ASP.NET is more modular, allowing developers to piece together applications as required, resulting in a smaller footprint and overall improved performance. ASP.NET also supports a number of different authentication methods natively, including Basic authentication, Digest authentication, NT LAN Manager (NTLM) authentication, cookie-based authentication, and Microsoft .NET Passport authentication.

For more information about ASP and ASP.NET, see www.activeserverpages.com/learnasp/.

New Reliability Features

Microsoft has done a great job of redeveloping IIS to be more reliable and robust. Perhaps the most significant modification is the emphasis on the worker process model. IIS separates all user code from its World Wide Web Publishing service. The user application (different virtual sites) functions as a separate ISAPI application. The separate ISAPI workspace is referred to as a worker process. In IIS 5.0, each Web site ran within its own inetinfo.exe memory space—inetinfo.exe is the application that implements IIS 5.0. The IIS 6.0 worker process Web sites do not run within the inetinfo.exe memory space. Since the worker process runs in an isolated environment from the World Wide Web Publishing service, an error in the Web site application code (or malicious attack) will not cause the Web server to shut down. The worker process can also be configured to run on a specified central processing unit (CPU). The worker process model can store application-specific data in its own memory space; IIS 5.0 stored all the application data within the inetinfo.exe memory space.

The following reliability features are discussed next in this chapter:

Health detection

HTTP.sys kernel mode driver


Is the IIS 6.0 Worker Process Model Identical to IIS 5.0 Isolation Mode?

By default, IIS 6.0 runs using the worker process model. This mode of operation is more flexible and stable than the IIS 5.0 isolation model, providing the ability to isolate individual Web sites from each other. By isolating Web sites from one another, an attack on one Web site will not necessarily cause the entire IIS server to stop functioning or responding normally, as is often the case when using IIS 5.0.

With IIS 5.0 or IIS 6.0 in IIS 5.0 isolation mode, all Web site applications take place within the inetinfo.exe memory space, so an error or an attack on the application can result in the entire IIS server going down. IIS 5.0 uses ASP as its default scripting language, and IIS 6.0 uses ASP.NET, which provides numerous security and performance enhancements over ASP. IIS 6.0 can run ASP, thus all of your IIS 5.0 ASP applications should run smoothly after an upgrade to IIS 6.0 in worker process model. If your ASP code does not function properly, you may have no choice but to consider using the IIS 5.0 isolation mode of IIS 6.0.

Health Detection

Health detection simplifies IIS Web site management. Health detection is performed by IIS over all its worker processes, which adds another level of reliability to the Web applications. The inetinfo.exe process (IIS) checks the availability of each worker process (different Web sites) periodically. This time limit can be configured by the IIS manager and is 240 seconds by default. Therefore, IIS will maintain a heartbeat between its worker processes—attempting to communicate with worker processes to make sure they are alive.

New Request Processing Architecture: HTTP.SYS Kernel Mode Driver

In Windows Server 2003, the HTTP stack is implemented as a kernel mode device driver called HTTP.sys. All incoming HTTP traffic goes through this kernel process, which is independent of the application process. IIS 6.0 is an application process and therefore external to HTTP.sys. HTTP.sys is responsible for the following tasks:

Connection Management: Managing the database connections from the ASP.NET pages to databases

Caching: Reading from a static cache as opposed to recompiling the ASP.NET page

Bandwidth Throttling: Limiting the size of the Web requests to a Web site

Logging: Writing IIS information into a text log file


Note

Application processes run in user mode while operating system functions run in kernel mode.

In IIS 5.0, the HTTP request was consumed by IIS inetinfo.exe; in IIS 6.0, HTTP.sys relieves IIS of this responsibility. In doing so, it enhances IIS performance in the following ways:

HTTP.sys enables caching, referred to as flexible caching, at the kernel level so that static data can be cached for faster response time. This is independent of, and much faster than, user mode caching.

HTTP.sys introduces a mapping concept called application pooling. Application pooling allows Web sites to run together in one or more processes, as long as they share the same pool designation. Web sites that are assigned different application pools never run in the same process. A central Web site (such as a credit card verification Web site) can be accessed by other miscellaneous sites (various eCommerce Web sites, and the like) by using this method. By using the correct application pool information, HTTP.sys can route the HTTP traffic to the correct Web site.

HTTP.sys increases the number of Web sites that can be hosted using the application pool concept. This architecture also increases performance and gives more controlled access to valuable IIS resources.

Other New Features

The following sections examine some of the other new features in IIS 6.0. All of these changes are designed to improve IIS scalability. Some of these changes are a byproduct of the Microsoft .NET strategy, including:

ASP.NET and IIS Integration

Unicode Transformation Format-8

XML Metabase

ASP.NET and IIS Integration

IIS is a Web server, and one of its functions is to accept HTTP requests. Thus, a scripting language is needed that can communicate with IIS in order to do this. Earlier versions of IIS (2.0 through 5.0) used ASP; IIS 6.0 uses ASP.NET for the same purpose. There are some significant changes to the ASP.NET architecture as compared to ASP. Some of the changes include the following:


ASP.NET is based on Microsoft .NET framework, thus ASP.NET can be coded in multiple languages such as C#,VB.NET, JScript.NET, and so forth.

There can be multiple language code in the same ASP.NET page. In other words, a VB.NET function can reside in a C# ASP.NET page.

ASP code is interpreted, meaning that the code is compiled line by line, not as the complete source file at once. ASP.NET code is compiled, meaning that the complete source file is compiled once rather than line by line. This is a significant performance increase in IIS 6.0.

ASP.NET allows for three levels of caching.The first option is to cache complete pages.The second option is to cache selected parts of the pages, which is referred to as fragment caching.The third option is to use Caching API. Developers can use this for control over caching behavior, and thus increase performance.

Unicode Transformation Format-8 (UTF-8)

Earlier versions of IIS log files were only available in English. This was a major issue for multilingual Web sites. Multilingual support is enabled by supporting Unicode Transformation Format 8 (UTF-8) character codes. Computer applications do not understand human-readable characters; they only understand binary code. There are conversion tables available to convert a key value to a human readable character. These conversion tables are referred to as Local Character Sets or Unicode formats and are language specific, thus an English log file entry cannot be read in Japanese. The UTF-8 format rectifies this problem.

HTTP.sys can be configured to log details in a specific language format; therefore multiple log files can be maintained in multiple languages.

XML Metabase

The information store that contains IIS configuration settings is referred to as the metabase. The metabase is a hierarchical database in which all the information needed to configure IIS is stored.

In earlier IIS versions, the metabase data was in binary format, which made it difficult to edit or read the entries. The IIS 6.0 metabase, on the other hand, is in Extensible Markup Language (XML) format. These XML files are plaintext. A general text editor can be used to change the XML entries, and these changes can be performed while IIS 6.0 is running. Editing the XML metabase while IIS is running is referred to as edit while running.

IIS does not need to be restarted to reflect the changes unless the schema file was completely overwritten with a new version.

This design change has also significantly increased the performance of IIS 6.0. It has considerably reduced the startup and shutdown time of IIS. Previously, in IIS 5.0, all of the IIS settings were kept in inetinfo.exe and the Registry. This resulted in multiple reads from the Registry and accessing of system resources during start-up. Now with all of this information contained in the XML metabase, this is not necessary; thus IIS 6.0 starts faster.


The metabase consists of the following two XML files:

metabase.xml: An XML document that contains IIS configuration values for the server such as Web site details and virtual directory details.

mbschema.xml: An XML document in which the metabase XML schema is stored, which acts as a validation tool to enter correct metabase values in metabase.xml.

The metabase files are located in the %systemroot%\System32\Inetsrv directory.

You must possess administrator privileges to view the contents of the metabase entries.

Exam Warning

Be sure that you completely understand the structure of the new IIS 6.0 metabase including the files that make up the metabase.

Installing and Configuring IIS 6.0

Before a network administrator can use IIS, they must first install it unless they happen to be using Windows Server 2003 Web Edition. Remember that IIS is not installed by default in any of the other Windows Server 2003 family members.This is to minimize unauthorized access to the server.

If this IIS server is to act as a publicly accessible Internet Web server (as opposed to an intranet server), then the network administrator needs to register a domain name and obtain an IP address for the server.They will also need to obtain DNS services for the domain, from an ISP or another public DNS server. For more information on DNS, refer to Chapter 6.

The network administrator also needs to assign an Internet Protocol (IP) address or a unique machine name for references inside the enterprise.These details should be taken care of before any installations occur.

Note

Microsoft strongly recommends that IIS be installed on an NT File System (NTFS) formatted drive. The executable files and the virtual directories should reside on NTFS volumes. NTFS provides more secure file access than the FAT32 file system. It is recommended that the file system be converted if upgrading from an IIS 5.0 FAT32 system. A command-line utility called convert.exe can be used for this purpose.


Installation Methods

IIS is not installed by default in the Windows Server 2003 setup, except in the Web Server Edition. There are three different ways to install IIS:

Use the Configure Your Server Wizard

Use the Windows Component Wizard

Use the Unattended Setup

Each option is examined in the following sections.

Default IIS Access Options

Each of the installation methods described in this chapter installs IIS in Locked Down mode, which means you get access only to static Web material. All the ASP.NET scripts—Server Side Includes (SSI), WebDAV access, and Front Page Extensions—are disabled by default. If you try to access any of these facilities, you will get a “404 (Page not found)” error. These features must be enabled through the Web Services Extensions node in IIS Manager.

The details regarding how to enable dynamic features are discussed in the section titled “Common Administrative Tasks.” If these features are enabled, they can be disabled later to increase security. Any Web service extension can be enabled or disabled individually as long as it is registered in the Web Service Extensions node, or all extensions can be prohibited from running. New extensions can be added and IIS can be configured so that a specific application can use the Web service extensions.
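As an added example (not code from the book or from IIS), the following Python script reads an IIS 6.0 W3C extended log the way an administrator would when checking whether clients are requesting content that the default lockdown refuses. It ties together two points from this chapter: the log is decoded as UTF-8, so a non-ASCII request path survives without knowing the site’s language (the UTF-8 logging feature described earlier), and 404 responses are grouped by the requested extension, which is where requests for still-disabled Web service extensions (.asp, .aspx, .shtml) show up. The log lines, addresses, and paths are constructed; the #Fields list is the IIS 6.0 default. IIS 6.0 records a lockdown refusal as status 404 with sub-status 2, which the constructed lines reproduce.

```python
"""Reading an IIS 6.0 W3C extended log (added example, not from the book).

The #Fields directive names the columns, the file is decoded as UTF-8, and
404 responses are counted per requested extension so that requests for
extensions still disabled by the default lockdown stand out.
"""
from collections import Counter
from urllib.parse import unquote

# Constructed sample log (UTF-8 bytes, as IIS writes when UTF-8 logging is on).
LOG_BYTES = (
    "#Software: Microsoft Internet Information Services 6.0\n"
    "#Version: 1.0\n"
    "#Date: 2003-08-21 17:10:00\n"
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status\n"
    "2003-08-21 17:10:01 192.0.2.10 GET /default.htm - 80 - 198.51.100.7 "
    "Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0\n"
    "2003-08-21 17:10:02 192.0.2.10 GET /orders/list.asp id=7 80 - 198.51.100.7 "
    "Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 1260\n"
    "2003-08-21 17:10:03 192.0.2.10 GET /app/page.aspx - 80 - 198.51.100.9 "
    "Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 1260\n"
    "2003-08-21 17:10:04 192.0.2.10 GET /footer.shtml - 80 - 198.51.100.9 "
    "Mozilla/4.0+(compatible;+MSIE+6.0) 404 2 1260\n"
    "2003-08-21 17:10:05 192.0.2.10 GET /案内/index.htm - 80 - 198.51.100.11 "
    "Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0\n"
).encode("utf-8")


def parse_w3c_log(data: bytes):
    """Yield one dict per log entry, keyed by the names in the #Fields line."""
    fields = None
    for raw in data.decode("utf-8").splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue  # other directives (#Software, #Version, #Date) carry no entries
        if fields is None:
            raise ValueError("log entry before any #Fields directive")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {raw!r}")
        yield dict(zip(fields, values))


def extension_of(uri_stem: str) -> str:
    """Lower-case extension of the last path segment, or '' when there is none."""
    name = unquote(uri_stem).rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def requested_paths(data: bytes) -> list:
    """All cs-uri-stem values in order; non-ASCII paths come back intact."""
    return [entry["cs-uri-stem"] for entry in parse_w3c_log(data)]


def lockdown_404s(data: bytes) -> Counter:
    """Count 404 responses per requested extension."""
    hits = Counter()
    for entry in parse_w3c_log(data):
        if entry["sc-status"] == "404":
            hits[extension_of(entry["cs-uri-stem"])] += 1
    return hits


if __name__ == "__main__":
    for ext, n in lockdown_404s(LOG_BYTES).most_common():
        print(f"404 x{n} for .{ext} requests")
    print("paths:", requested_paths(LOG_BYTES))
```

A cluster of 404s against one extension right after installation usually means a needed extension is still prohibited in the Web Service Extensions node rather than that the files are missing; a cluster against an extension you never intended to serve is a reason to leave it prohibited.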

Using the Configure Your Server Wizard

In addition to its other possible roles (domain controller, file server, DNS server, and so forth), the Windows Server 2003 can act as an application server, and the components of the application server can be configured through the Configure Your Server Wizard. The application server components are COM+, ASP.NET, and IIS.

Note

In this context, the term application server has a different meaning from the one you may have used in the past. Here, we are not talking about a server that provides a network location on which productivity applications such as Microsoft Office are installed, nor are we talking about a server that you connect to and run applications from a thin client (a terminal server functioning as an application server). Instead, the “applications” we are referring to are Web-based applications such as Web-hosting services, as well as newsgroup services, File Transfer Protocol (FTP) services, and Simple Mail Transfer Protocol (SMTP) services.


Exercise 4.01 outlines the steps you will perform to install IIS 6.0 using the Configure Your Server Wizard.

Exercise 4.01 Installing IIS 6.0 Using the Configure Your Server Wizard

1. Click Start | Programs | Administrative Tools | Manage Your Server to open the Manage Your Server utility, as seen in Figure 4.1. Click the Add or remove a role link to start the Configure Your Server Wizard.

Figure 4.1 Using the Manage Your Server Utility

2. The Configure Your Server Wizard starts and displays the Preliminary Steps dialog box, as seen in Figure 4.2. After verifying that you are ready to continue, click Next.

Figure 4.2 Viewing Preliminary Steps for the Configure Your Server Wizard


3. In the Configuration Options dialog box, you will be required to make a selection about how the configuration will proceed. The Typical configuration for a first server option enables the basic server communication options. It sets up a domain controller by installing Active Directory, DNS services, and Dynamic Host Configuration Protocol (DHCP) services. The Custom configuration option enables you to configure your server by selecting specific options from a list. Select the Custom configuration option and click Next to continue.

4. In the Server Role dialog box, as seen in Figure 4.3, you can select the new configuration for your Windows Server 2003. Several possible roles are shown on the Server Role dialog box. Select the Application Server (IIS, ASP.NET) option and click Next to continue.

Figure 4.3 The Server Role Dialog Box

5. In the Application Server Options dialog box, as seen in Figure 4.4, you can select dynamic content options for the IIS installation. You can choose to install Enable ASP.NET and FrontPage Server Extensions. ASP.NET is a scripting framework that is used to execute IIS applications. The FrontPage extensions enable your Web application to be ported to another Integrated Development Environment (IDE). The FrontPage extensions also enable users to develop Web content and manage the Web site remotely. For this example, select both options and click Next to continue.


Figure 4.4 The Application Server Options Dialog Box

6. In the Summary of Selections dialog box, as seen in Figure 4.5, you can review the configuration that you have selected. Note that Windows may add options to be installed that you did not explicitly select, as they are required to support the options that you did select. Click the Back button if you need to change any of the settings. When you are ready to complete the installation, click Next.

Figure 4.5 The Summary of Selections Dialog Box

7. The Windows Component Wizard appears, as seen in Figure 4.6. You may be prompted to provide the location to the Windows Server 2003 installation files.


Figure 4.6 The Windows Components Wizard Performs the IIS Installation

8. After some time, the Configure Your Server Wizard informs you that the installation of IIS has been completed, as seen in Figure 4.7. Click Finish to close the Wizard.

Figure 4.7 Completing the Configure Your Server Wizard

The next section examines how IIS 6.0 can be installed using the Windows Component Wizard directly.


Using the Windows Component Wizard to Install IIS 6.0

If you are more comfortable directly installing components onto your server, you can use the Windows Components Wizard to perform the installation of IIS 6.0 as outlined in Exercise 4.02.

Exercise 4.02 Installing IIS 6.0 Using the Windows Component Wizard

1. Click Start | Settings | Control Panel | Add or Remove Programs to open the Add or Remove Programs applet.

Figure 4.8 The Add or Remove Programs Applet

2. Click the Add/Remove Windows Components button to start the Windows Component Wizard, as seen in Figure 4.9.

Figure 4.9 The Windows Components Wizard


3. Select the Application Server option and click the Details button to open the Application Server dialog box, as seen in Figure 4.10.

Figure 4.10 Examining the Application Server Options

4. Select the ASP.NET and Internet Information Services (IIS) options. The Enable network COM+ access option is automatically selected for you. You do not need to select the Application Server Console option—this is an optional management component. With the Internet Information Services (IIS) option selected, click the Details button to open the Internet Information Services (IIS) dialog box seen in Figure 4.11.

Figure 4.11 Examining the Internet Information Services (IIS) Options

5. Select the options that you want to install from the Internet Information Services (IIS) dialog box, as seen in Figure 4.11. By default, the Internet Information Services Manager and the World Wide Web Service are selected for you. You may wish to select additional options such as File Transfer Protocol (FTP) Service, NNTP Service or SMTP Service as well at this time. Highlight the World Wide Web Service and select the Details button to open the World Wide Web Service dialog box, as seen in Figure 4.12.

Figure 4.12 The World Wide Web Service Dialog Box

6. The World Wide Web Service is automatically selected for you. You can select other World Wide Web Services options as desired, such as Server Side Includes or Active Server Pages. After making your selections click OK to close the World Wide Web Service dialog box.

7. Click OK to close the Internet Information Services (IIS) dialog box.

8. Click OK to close the Application Server dialog box.

9. On the Windows Component Wizard dialog box, click Next to start the

IIS installation.

10. The Configuring Windows dialog box appears, as seen previously in Figure 4.6. You may be prompted to provide the location of the Windows Server 2003 installation files.

11. After some time, the Windows Component Wizard will inform you that the installation of IIS has been completed. Click Finish to close the Wizard.

Using Unattended Setup to Install IIS 6.0

The third option for installing IIS is using the unattended setup feature, which is commonly used by system administrators to install IIS 6.0 on multiple computers. When using this option, the setup program does not require manual intervention. The configuration settings—the selections that are made during an attended setup—are read from a text file and applied automatically by the operating system. The network administrator only needs to initiate the process, and IIS 6.0 will be installed according to the text file settings.

The script that provides the configuration settings is referred to as an answer file because it provides answers to the installation questions encountered in an attended setup. After creating the answer file, the administrator then runs winnt32.exe or the sysocmgr.exe command-line utility with the answer script as the parameter. The answer file has an .INF file extension. Some of the important options that are included in the answer file are shown in Table 4.1.

Table 4.1 Answer File Parameters for IIS Unattended Setup

Component                            Answer File Parameter
ASP.NET                              asp.net = on/off
FTP service                          iis_ftp = on/off
IIS Manager                          iis_inetmgr = on/off
NNTP Service                         iis_nntp = on/off
SMTP Service                         iis_smtp = on/off
WWW Service                          iis_www = on/off
Active Server Pages                  iis_asp = on/off
WebDAV Publishing (discussed later)  iis_webdav = on/off

Differences Between winnt32.exe and sysocmgr.exe

winnt32.exe is used by network administrators to install Windows Server 2003 and its components (including IIS 6.0). When a properly configured answer file is used with winnt32.exe, it installs Windows Server 2003 with IIS 6.0. In some cases, the administrator may need to install IIS 6.0 after the operating system is installed. The sysocmgr.exe utility is used to install IIS 6.0 with unattended setup after the operating system has been installed. Following are the steps for using sysocmgr.exe:

1. First, the answer file needs to be created. Open a text editor such as Notepad, and type the following:

[DefaultInstall]

Asp.net=on

Iis_inetmgr=on

Iis_www=on

Iis_asp=on

2. Save the file using a meaningful name, such as c:\temp\iisSetup.inf.

3. Click Start | Run.

4. Type sysocmgr.exe /i:sysoc.inf /u:c:\temp\iisSetup.inf and the installation will begin. The /i:sysoc.inf switch names the Windows Server 2003 master initialization file for unattended setup.

Installing IIS with unattended setup is very straightforward. The help for unattended setup can be displayed by running sysocmgr.exe /?.
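As an added example (not from the book), the following Python helper writes and reads [DefaultInstall] answer files using the parameter names from Table 4.1, so that every optional service is explicitly on or off and an existing answer file can be checked for services that were switched on; the function names are my own, and the command line is the one from step 4.

```python
# Component names and answer-file parameters taken from Table 4.1.
ANSWER_FILE_PARAMETERS = {
    "ASP.NET": "asp.net",
    "FTP service": "iis_ftp",
    "IIS Manager": "iis_inetmgr",
    "NNTP Service": "iis_nntp",
    "SMTP Service": "iis_smtp",
    "WWW Service": "iis_www",
    "Active Server Pages": "iis_asp",
    "WebDAV Publishing": "iis_webdav",
}

# The answer file shown in step 1 of the sidebar, used here as sample input.
PAGE_ANSWER_FILE = """[DefaultInstall]
Asp.net=on
Iis_inetmgr=on
Iis_www=on
Iis_asp=on
"""


def build_answer_file(enabled):
    """Return the text of a sysocmgr.exe answer file that turns on exactly the named components.
    Every Table 4.1 parameter is written (on or off), so the file also records which optional
    services (FTP, NNTP, SMTP, WebDAV) are deliberately left uninstalled."""
    unknown = set(enabled) - set(ANSWER_FILE_PARAMETERS)
    if unknown:
        raise ValueError("unknown component(s): %s" % ", ".join(sorted(unknown)))
    lines = ["[DefaultInstall]"]
    for component, parameter in ANSWER_FILE_PARAMETERS.items():
        lines.append("%s=%s" % (parameter, "on" if component in enabled else "off"))
    return "\r\n".join(lines) + "\r\n"   # CRLF line endings for a Windows .inf file


def parse_answer_file(text):
    """Return the set of components that an answer file switches on. Section and key names are
    compared case-insensitively, which accepts the mixed-case keys in the book's example."""
    by_parameter = {p.lower(): c for c, p in ANSWER_FILE_PARAMETERS.items()}
    enabled, in_section = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank lines and .inf comments
            continue
        if line.startswith("["):
            in_section = line.lower() == "[defaultinstall]"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip().lower() for part in line.split("=", 1))
        if key in by_parameter and value == "on":
            enabled.add(by_parameter[key])
    return enabled


def sysocmgr_command(answer_path):
    """The command line from step 4, for the given answer file path."""
    return "sysocmgr.exe /i:sysoc.inf /u:%s" % answer_path


if __name__ == "__main__":
    print(sorted(parse_answer_file(PAGE_ANSWER_FILE)))
    print(build_answer_file({"WWW Service", "IIS Manager"}))
    print(sysocmgr_command(r"c:\temp\iisSetup.inf"))
```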

EXAM 70-292 OBJECTIVE 3.3, 3.3.1

Managing IIS 6.0

The primary tool for managing IIS 6.0 is the Internet Information Services (IIS) Manager console. Most of the management of IIS functions can be done using the IIS Manager, as seen in Figure 4.13. In the left pane, there is a node for each instance of IIS that is installed. Folders/subnodes underneath each node (identified by the server name) contain the FTP, Application Pools, Web Sites, Web Service Extensions, Network News Transfer Protocol (NNTP), and SMTP Server information.

Figure 4.13 The Internet Information Services (IIS) Manager Console

IIS Manager is the primary interface that handles all Internet-related functions. New Web sites, FTP sites, SMTP virtual servers, and NNTP virtual servers can be set up using this console. IIS servers can also be stopped and restarted from this interface. A very useful, and often overlooked, feature of the IIS Manager is that it allows the network administrator to manage the IIS servers running on several computers from a single location. The following sections explore some of the common uses for the IIS Manager.


Creating New Sites and Virtual Servers with IIS Manager

IIS Manager can be used to create new sites for any of the installed services: Web, FTP, SMTP, and NNTP. The creation of each site is made simple through an intuitive Wizard-driven interface. We will outline the process to create new sites and virtual servers as follows:

■ Exercise 4.03 discusses creating new Web sites using the Web Site Creation Wizard.

■ Exercise 4.04 discusses creating new FTP sites using the FTP Site Creation Wizard.

■ Exercise 4.05 discusses creating new SMTP virtual servers using the New SMTP Virtual Server Wizard.

■ Exercise 4.06 discusses creating new NNTP virtual servers using the New NNTP Virtual Server Wizard.

NOTE

It is common practice to remove the default installations created by IIS and create new Web sites, FTP sites, NNTP servers, and SMTP servers that are configured exactly as your organization requires.

Creating New Web Sites Using the Web Site Creation Wizard

The Web site is the most common implementation of IIS in Windows, thus we start our discussion with creating new Web sites.

EXERCISE 4.03 CREATING NEW WEB SITES USING THE WEB SITE CREATION WIZARD

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Navigate to the Web Sites node and right-click it. Select New | Web Site from the context menu, as seen in Figure 4.14.


Figure 4.14 Creating a New Web Site in IIS Manager

3. The Web Site Creation Wizard appears. Click Next to dismiss the opening dialog.

4. On the Web Site Description dialog box, as seen in Figure 4.15, you must enter a descriptive name for your new Web site. For our purposes, we will use Internal Web site. After entering the required information, click Next to continue.

Figure 4.15 Enter a Descriptive Web Site Name

5. In the IP Address and Port settings dialog box, as seen in Figure 4.16, you must configure the IP addresses and port number that this new Web site will use. This dialog box is often one of the most confusing ones you will have to deal with during your administration of IIS. For example, suppose you have an intranet Web site that users will access by entering intranet in their browsers. In this case, you would enter intranet into the Host Header area. If you wanted users to access the site on port 81, they would enter Intranet:81 in their browser, and then you would enter 81 in the TCP port of this Web site. If you want the Web site to respond on all IP addresses assigned to the server, you can leave the default setting All Unassigned in the Enter the IP address to use for this web site area. (Using host headers to host multiple Web sites is discussed more in the “Hosting Multiple Web Sites” section of this chapter.) After making your configurations, click Next to continue.

Figure 4.16 Entering the IP Address and Port Settings for a Web Site

6. On the Web Site Home Directory dialog box, as seen in Figure 4.17, you must enter the location on the computer or network where the Web site’s files are physically located. You can use the Browse button to locate this location, if required. By default, the Allow anonymous access to this web site option is selected; allowing anonymous access enables users to navigate the site without authenticating themselves. You may wish to disable anonymous access if you are hosting sensitive data on the Web site. For public Internet sites, you will most often want to allow anonymous access; this setting can be changed later if needed. Click Next to continue.


Figure 4.17 Entering the Home Directory for a Web Site

7. On the Web Site Access Permissions dialog box, as seen in Figure 4.18, you can configure the user access level to the new Web site. By default, the Run and Read scripts options are selected. Depending on the intended use of your new Web site, you may need to select additional user permissions.

■ Selecting the Execute option grants permission to execute Dynamic Link Libraries (DLLs) such as ISAPI DLLs or Common Gateway Interface (CGI) applications in the IIS space. Most of the business logic and interfaces to third-party business models are stored as ISAPI DLLs or CGI applications, therefore you may need to enable the Execute permission to utilize these functions.

■ The Write option enables the user of the Web site to upload and write data into the Web site’s home directory.

■ The Browse option enables directory browsing on the Web site—allowing the user to view a complete directory information list (files and their attributes: size, last modified time stamp, and so on) when navigating a directory. This is not widely recommended since it exposes all the files and interfaces to Web site users. If anonymous access is also enabled, it can result in a large security problem for Internet Web sites.

Click Next to finish the creation of the Web site after making your selections.


Figure 4.18 Entering Access Permissions for a Web Site

8. Click Finish to complete the Web Site Creation Wizard.
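To show how the Read, Run scripts, Execute, Write and Browse choices from step 7 combine with the anonymous access setting from step 6, here is an added Python audit (not from the book) that reads those settings back out of a metabase.xml fragment. The fragment is constructed for this example; the element and attribute names (IIsWebVirtualDir, AccessFlags, AuthFlags, DirBrowseFlags) follow IIS 6.0's metabase.xml as I understand it, and the finding labels are my own.

```python
import xml.etree.ElementTree as ET

# Constructed metabase.xml fragment for this example (not taken from any real server). The element
# and attribute names follow IIS 6.0's metabase.xml as the author of this example understands them
# (assumption); every site, path and flag value below is invented.
SAMPLE_METABASE = r"""<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
  <MBProperty>
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site" ServerBindings=":80:"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" Path="c:\inetpub\wwwroot"
        AccessFlags="AccessRead | AccessScript" AuthFlags="AuthAnonymous | AuthNTLM"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Uploads" Path="d:\uploads"
        AccessFlags="AccessRead | AccessWrite" AuthFlags="AuthAnonymous"
        DirBrowseFlags="EnableDirBrowsing | DirBrowseShowDate | DirBrowseShowSize"/>
    <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Internal Web site" ServerBindings=":80:intranet"/>
    <IIsWebVirtualDir Location="/LM/W3SVC/2/ROOT" Path="d:\intranet"
        AccessFlags="AccessRead | AccessScript | AccessExecute" AuthFlags="AuthNTLM"/>
  </MBProperty>
</configuration>
"""


def _flags(value):
    """Split an IIS flag list such as 'AccessRead | AccessScript' into a set of flag names."""
    return {part.strip() for part in (value or "").split("|") if part.strip()}


def load_vdirs(xml_text):
    """Return one dict per IIsWebVirtualDir element. The wizard's Read/Run scripts/Execute/Write
    choices live in AccessFlags, Browse in DirBrowseFlags, and anonymous access in AuthFlags."""
    root = ET.fromstring(xml_text)
    vdirs = []
    for el in root.iter():
        if el.tag.split("}")[-1] != "IIsWebVirtualDir":   # drop the default namespace prefix
            continue
        vdirs.append({
            "location": el.get("Location"),
            "path": el.get("Path"),
            "access": _flags(el.get("AccessFlags")),
            "auth": _flags(el.get("AuthFlags")),
            "dirbrowse": _flags(el.get("DirBrowseFlags")),
        })
    return vdirs


def audit_vdirs(vdirs):
    """Apply the cautions from step 7 and return (location, finding) pairs, in document order.
    The finding names are this example's own labels."""
    findings = []
    for v in vdirs:
        anonymous = "AuthAnonymous" in v["auth"]
        if "AccessWrite" in v["access"]:
            # Write lets site users upload into the home directory; worst when no logon is required.
            findings.append((v["location"], "anonymous-write" if anonymous else "write-enabled"))
        if "EnableDirBrowsing" in v["dirbrowse"]:
            # Browse lists every file with its attributes; with anonymous access that list is public.
            findings.append((v["location"],
                             "anonymous-directory-browsing" if anonymous else "directory-browsing"))
        if "AccessExecute" in v["access"]:
            # Execute lets ISAPI DLLs and CGI applications run; enable it only where they are needed.
            findings.append((v["location"], "execute-enabled"))
    return findings


def audit_metabase(xml_text):
    return audit_vdirs(load_vdirs(xml_text))


if __name__ == "__main__":
    for location, finding in audit_metabase(SAMPLE_METABASE):
        print(location, finding)
```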

Creating New FTP Sites Using the FTP Site Creation Wizard

Creating a new FTP site is very similar to creating a new Web site. FTP sites enable the sharing of data with other users through FTP, which is more efficient at moving large amounts of data than the Hypertext Transfer Protocol (HTTP) is. Exercise 4.04 presents the steps required to create a new FTP site.

EXERCISE 4.04 CREATING NEW FTP SITES USING THE FTP SITE CREATION WIZARD

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Navigate to the FTP Sites node and right-click it. Select New | FTP Site from the context menu.

3. The FTP Site Creation Wizard appears. Click Next to dismiss the opening dialog.

4. In the FTP Site Description dialog box you must enter a descriptive name for your new FTP site. After entering the required information, click Next to continue.


5. In the IP Address and Port Settings dialog box, as seen in Figure 4.19, you must select an available IP address for the FTP site to use. Unlike Web sites, you do not have the option to use host headers to differentiate several sites using the same IP address and port number. The default port for FTP is 21 and should be used in most cases, although this can be changed as required. After making your configuration, click Next to continue.

Figure 4.19 Entering IP Address and Port Numbers for an FTP Site

6. On the FTP User Isolation dialog box, as seen in Figure 4.20, you are presented with a critical decision—one that cannot be changed after you complete the creation of the FTP site. User access for the FTP server can be managed in several ways. The default setting is that every user has access to other user directories. This will not be a problem in many cases since a company FTP site distributes generic information regardless of the user (for example, enabling Beta product downloads to the test users). Users will have access to all files if the user is authenticated. In some cases, you may need to give different users access to different information. In this case, you need to isolate users to different directories. FTP user isolation prevents users from accessing the FTP home directory of another user on this FTP site. Select the Isolate users option to accomplish this scenario. This option uses NTFS directory authentication to perform this task. You can also go a step further and ask Active Directory to authenticate the user and assign an FTP home directory for the user. This is configured using the Isolate the users using Active Directory option. After making your selection, click Next to continue.


Figure 4.20 FTP Site User Isolation Options

7. In the FTP Site Home Directory dialog box you must enter the physical path where the FTP site’s files will reside. Click Next to continue.

8. In the FTP Site Access Permission dialog box, as seen in Figure 4.21, you are given the ability to control user access to the new FTP site. The default setting is Read. If required, you can also enable Write access if users need to upload files to the server. This option can be helpful in some cases; for example, your sales team needs to upload sales data to the FTP server for weekly accounting purposes. However, this option can also be dangerous by allowing users to upload unauthorized content such as copyrighted materials. Therefore, it is not recommended that you enable Write access unless necessary. After making your selections, click Next to finish the creation of the FTP site.

Figure 4.21 FTP Site Access Permissions Dialog Box


9. Click Finish to complete the FTP Site Creation Wizard.

Creating New SMTP Virtual Servers Using the New SMTP Virtual Server Wizard

SMTP virtual servers enable IIS to provide simple e-mail functionality to its Web sites. E-mail is used for transmitting a variety of business or administrative information, such as Web site errors that are sent to the Web site administrator. Therefore, Microsoft included the SMTP server with IIS 6.0. SMTP servers use TLS encryption to protect e-mail information and they communicate with DNS servers to validate the recipient’s e-mail address. Sent e-mails are transferred to the drop directory; the SMTP server transmits all of the messages in the drop directory, allowing other non-IIS 6.0 applications to also send e-mail by putting their messages in the drop directory. The delivered e-mail is picked up from a pickup directory. Exercise 4.05 presents the required steps to create a new SMTP virtual server.

EXERCISE 4.05 CREATING NEW SMTP VIRTUAL SERVERS USING THE NEW SMTP VIRTUAL SERVER WIZARD

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Navigate to the Default SMTP server node and right-click on it. Select New | Virtual Server from the context menu.

3. Unlike most other Wizards, the New SMTP Virtual Server Wizard starts immediately. Enter the name of the new SMTP virtual server you are creating, as seen in Figure 4.22. For this example, we will use IntranetSMTPserver. Click Next to continue.

Figure 4.22 Entering the Name of the SMTP Virtual Server


4. In the Select IP Address dialog box, as seen in Figure 4.23, you must select the IP address of the new SMTP virtual server. Click Next to continue.

Figure 4.23 Configuring the IP Address of the SMTP Virtual Server

5. In the Select Home Directory dialog box, as seen in Figure 4.24, enter the location where the SMTP virtual server will physically store its files. Non-IIS 6.0 applications can also use the SMTP server to send e-mail; therefore it is a good practice to have general access to the home directory. Click Next to continue.

Figure 4.24 Configuring the Home Directory of the SMTP Virtual Server

6. In the Default Domain dialog box, as seen in Figure 4.25, you must configure the default domain of the new SMTP virtual server. Click Finish to create the new SMTP virtual server.


Figure 4.25 Configuring the Default Domain of the SMTP Virtual Server

Entering IP Address Details for the SMTP Server

The IIS installation creates default SMTP and NNTP virtual servers, which are bound to the (All Unassigned) IP address. Therefore, if you try to select the default for the IP Address and Port Settings screen (that is, the All Unassigned option) the operation will fail. You can use the 127.0.0.1 IP address if you want to refer to the local machine. You can also use any other valid IP address available.

You can run multiple SMTP servers on a single IP address by using multiple port numbers. You can add these extra port numbers by opening the SMTP server properties dialog box, switching to the General tab, clicking the Advanced button, and entering IP and port number settings. You can also run multiple SMTP virtual servers on a single IIS 6.0 node. The best practice is to use multiple IP addresses for each virtual server. For example, run a single SMTP server for intranet use and dedicate another SMTP virtual server to Internet use.

Creating New NNTP Virtual Servers Using the New NNTP Virtual Server Wizard

The NNTP virtual server assists the IIS 6.0 server in facilitating discussion group functionality. The IIS setup creates one NNTP virtual server by default. Exercise 4.06 discusses the procedure for creating additional NNTP virtual servers.


EXERCISE 4.06 CREATING NEW NNTP VIRTUAL SERVERS USING THE NEW NNTP VIRTUAL SERVER WIZARD

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Navigate to the Default NNTP server node and right-click on it. Select New | Virtual Server from the context menu.

3. Again, like the New SMTP Virtual Server Wizard, the New NNTP Virtual Server Wizard starts immediately. Enter the name for the new NNTP virtual server and click Next to continue.

4. In the Select IP Address and Port Number dialog box, as seen in Figure 4.26, you must select the IP address and port number to be used by this NNTP virtual server. By default, port 119 is assigned for NNTP, but you can change this if desired. You can host multiple NNTP virtual servers on a single server; however, it is best practice to use a dedicated IP address for each NNTP virtual server. After making your configuration, click Next to continue.

Figure 4.26 Entering IP Address and Port Numbers for the NNTP Server

5. In the Select Internal Files Path dialog box, enter the location where the NNTP virtual server will store its internal operating files (this is not the location where the NNTP virtual server will store the NNTP related files). Click Next to continue.


6. In the Select Storage Medium dialog box, as seen in Figure 4.27, you can decide if the NNTP files should be stored locally (File System) or remotely (Remote Share). After making your selection, click Next to continue.

Figure 4.27 Selecting a Storage Medium for the NNTP Server

7. In the Select News Content Medium Info dialog box, as seen in Figure 4.28, you must enter the location where the NNTP files will be physically kept. You can use the Browse button to locate the folder you will use, if required. Click Finish to create the NNTP virtual server.

Figure 4.28 Selecting a News Content Path for the NNTP Server


Common Administrative Tasks

IIS 6.0 network administrators commonly find themselves performing the following administrative tasks:

■ Enabling Web Service Extensions

■ Creating virtual directories

■ Hosting multiple Web sites

■ Configuring Web site performance

■ Working with ASP.NET

■ Backing up and restoring the IIS metabase

■ Enabling health detection

These topics are examined in the following sections.

Enabling Web Service Extensions

Web Service Extensions is a new feature in IIS 6.0 that provides network administrators with a Control Panel-like functionality for their IIS components. The Web Service Extensions allow the administrator to allow, prohibit, or change the component’s properties. New IIS extensions (ISAPI applications and third-party IIS tools) can also be added to the IIS 6.0 server. By default, the following Web Service Extensions are available:

■ ASP.NET extensions

■ ASP extensions

■ CGI and ISAPI applications

■ FrontPage Server Extensions

■ WebDAV support for IIS directories

The Web Service Extensions in the IIS Manager can be located by selecting the Web Service Extensions node, as seen in Figure 4.29. Right-clicking on any of the Web Service Extensions allows the network administrator to permit or prohibit it as well as examine its properties. Right-clicking on the Web Service Extensions node allows the administrator to add new extensions, prohibit extensions, or allow all extensions.


Figure 4.29 Viewing the Web Service Extensions

Creating Virtual Directories

A virtual directory is a reference to an existing directory on a Web or FTP site. Subdirectories of a Web or FTP site’s root directory are reachable from that root, but sometimes the network administrator needs content that lies outside the root directory to process a Web request. Virtual directories can be used to remedy these scenarios. For example, suppose an administrator stores all image files for a large shopping catalogue in one directory. This allows them to point multiple Web servers to this single virtual directory, resulting in a low-maintenance solution where they simply need to maintain one images directory instead of several. The Web or FTP site can refer to this directory as if it existed within its directory structure, even if it physically exists outside of the Web server’s directory structure.

The only real limitation to using virtual directories is that they are not a physical element—you cannot simply cut and paste its contents from one server to another. In addition, all virtual directories must be manually configured. The process for creating a virtual directory for a Web server is discussed in Exercise 4.07. The process for creating a virtual directory for an FTP server is very similar to that for a Web server.

EXERCISE 4.07 CREATING A NEW VIRTUAL DIRECTORY: WEB SERVER

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select the Web site you are creating the virtual directory for. Right-click on it and select New | Virtual Directory from the context menu.


3. The Virtual Directory Creation Wizard appears. Click Next to dismiss the opening page of the Wizard.

4. In the Virtual Directory Alias dialog box, as seen in Figure 4.30, you must enter a name for this new virtual directory. In this example the Alias is ImageFiles. Click Next to continue.

Figure 4.30 Entering the Virtual Directory Alias

5. In the Web Site Content Directory dialog box, as seen in Figure 4.31, you must select the physical directory location that the virtual directory should point to. In our example, the virtual directory ImageFiles is pointing at D:\WWWImageFiles. Click Next to continue.

Figure 4.31 Entering the Web Site Content Directory

6. In the Virtual Directory Access Permissions dialog box, as seen in Figure 4.32, you must configure the permissions that will be allowed on the new virtual directory. You will have the same options (Read, Run scripts) as you did when you previously created a new Web site. After making your selection, click Next to create the virtual directory.

Figure 4.32 Configuring the Virtual Directory Permissions

Hosting Multiple Web Sites

Hosting multiple Web sites can be done in one of three different ways:

■ The most common is to assign an IP address to every new Web site. The obvious limitation is the number of IP addresses available for the organization, which is not a major issue for internal access within an enterprise. This practice can be an expensive one to manage depending on the number of public IP addresses that must be acquired.

■ The second method is to use a single IP address, but different port numbers for each Web site.

■ The third method of hosting multiple Web sites is to use host headers, as seen previously in the “Creating New Web Sites Using the Web Site Creation Wizard” section of this chapter.

Exercise 4.08 outlines the steps to change IP addresses and host headers for a Web site.


EXERCISE 4.08 CREATING A NEW VIRTUAL DIRECTORY: FTP SERVER

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select the Web site you want to manage and right-click on it. Select Properties from the context menu to open the Web Site Properties dialog box, as seen in Figure 4.33.

Figure 4.33 Examining the Web Site Properties

3. You can change the IP address that is assigned to the Web site by using the IP address drop-down menu.

4. Alternatively, you can change the port number that is assigned to the Web site by using the TCP port box.

5. If you want to change the host header that is assigned to the Web site, click the Advanced button to open the Advanced Web Site Identification dialog box, as seen in Figure 4.34. Host headers are unique DNS names that identify different Web sites. IIS receives all requests for a single IP address and filters them using the host header information, forwarding them to the correct Web site according to the header name. This is a good mechanism for implementing small to medium Web sites on a single machine. You should use a dedicated IP address for larger Web sites.


Figure 4.34 Examining the Header Information for a Web Site

6. Click the Add button to add a new host header using the Add/Edit Web Identification dialog box, as seen in Figure 4.35. From this location, you can select the IP address of the Web site and its port number. You can also enter the host header information. After entering all of the information, click OK to save it.

Figure 4.35 Entering a Host Header for a Web Site

NOTE

SSL certificates are issued for a Web site and are tied to an IP address or machine name. SSL Web sites should have a dedicated IP address for the Web site and not use host headers.
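As an added example (not from the book), the following Python model shows how IIS picks a Web site from the three identification methods above (IP address, TCP port, host header) and then applies the SSL note as a check. The site names, IP addresses and function names are constructed for the example; bindings use the IP:Port:HostHeader form that IIS 6.0 stores in ServerBindings and SecureBindings.

```python
from dataclasses import dataclass, field
from typing import List

ALL_UNASSIGNED = ""   # IIS Manager shows "(All Unassigned)"; a binding stores it as an empty IP


@dataclass(frozen=True)
class Binding:
    ip: str      # "" means All Unassigned
    port: int
    host: str    # "" means no host header


@dataclass
class Site:
    name: str
    bindings: List[Binding] = field(default_factory=list)         # HTTP (ServerBindings)
    secure_bindings: List[Binding] = field(default_factory=list)  # SSL (SecureBindings)


def parse_binding(text):
    """Parse 'IP:Port:HostHeader', the form IIS 6.0 stores in ServerBindings and SecureBindings,
    e.g. ':80:' (All Unassigned, port 80, no host header) or ':80:intranet' (host-header site)."""
    ip, port, host = text.split(":", 2)
    return Binding(ip, int(port), host.lower())


def route(sites, dest_ip, port, host_header):
    """Name the site IIS would serve for a request that arrived on dest_ip:port with this Host header.
    A binding matches when its port equals the request port, its IP is the destination IP or All
    Unassigned, and its host header is blank or equals the requested name. Among matches the exact
    host-header match wins, then the IP-specific binding, so a blank-host binding on the same
    IP:port acts as the catch-all for names that no other site claims."""
    host = host_header.split(":", 1)[0].lower()   # browsers send 'Intranet:81' when a port is used
    best = None
    for site in sites:
        for b in site.bindings:
            if b.port != port or b.ip not in (ALL_UNASSIGNED, dest_ip):
                continue
            if b.host and b.host != host:
                continue
            score = (b.host != "", b.ip != ALL_UNASSIGNED)
            if best is None or score > best[0]:
                best = (score, site.name)
    return best[1] if best else None


def ssl_binding_problems(sites):
    """Check the SSL note: a certificate is tied to an IP address or machine name, so an SSL site
    needs a dedicated IP and no host header. Returns (site, binding text, problem) triples."""
    problems = []
    for site in sites:
        for sb in site.secure_bindings:
            text = "%s:%d:%s" % (sb.ip, sb.port, sb.host)
            if sb.host:
                problems.append((site.name, text, "host header on an SSL binding"))
            if sb.ip == ALL_UNASSIGNED:
                problems.append((site.name, text, "SSL bound to All Unassigned rather than a dedicated IP"))
                continue
            # Only explicit bindings on the same IP count as sharing it (All Unassigned is ignored here).
            sharers = [o.name for o in sites if o is not site
                       and any(ob.ip == sb.ip for ob in o.bindings + o.secure_bindings)]
            if sharers:
                problems.append((site.name, text, "IP also used by " + ", ".join(sharers)))
    return problems


# Constructed site list for the example; names and addresses are invented.
SITES = [
    Site("Default Web Site", [parse_binding(":80:")]),
    Site("Internal Web site", [parse_binding(":80:intranet"), parse_binding(":81:")]),
    Site("Sales", [parse_binding("192.0.2.10:80:sales")]),
    Site("Secure Portal", [parse_binding("192.0.2.20:80:")], [parse_binding("192.0.2.20:443:")]),
    Site("Shop", [parse_binding("192.0.2.10:80:shop")], [parse_binding("192.0.2.10:443:shop")]),
]

if __name__ == "__main__":
    print(route(SITES, "192.0.2.10", 80, "intranet"))     # Internal Web site
    print(route(SITES, "192.0.2.10", 80, "www.example"))  # Default Web Site (catch-all)
    for problem in ssl_binding_problems(SITES):
        print(problem)
```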


Configuring Web Site Performance

The performance of a Web site can be configured in two different ways:

■ The bandwidth throttling option limits the network bandwidth available to a given Web site. The maximum bandwidth value is 1024KB per second. This is also the default value. Bandwidth throttling can be enabled by selecting the Limit the network bandwidth to this Web site check box and specifying the maximum kilobytes per second value.

■ The number of connections to the Web site can also be limited by selecting the Unlimited or Connections limited to option buttons and specifying a connection value.

Figure 4.36 illustrates the configuration for bandwidth throttling and connection limitations. The Performance tab can be accessed by right-clicking on a Web site and selecting Properties from the context menu.

Figure 4.36 Configuring Performance Options for a Web Site

Working with ASP.NET

ASP.NET is an advanced version of Active Server Pages. IIS 6.0 allows the network administrator to run both ASP and ASP.NET applications. The ASP.NET scripts are built on the .NET model and the ASP scripts follow the old Windows COM. The ASP.NET model is scalable and performs better than the ASP model. ASP scripting can be used inside ASP.NET scripts. ASP.NET applications can be built on any .NET-compatible language (C#, VB.NET, JScript.NET, and so forth).


Before using ASP.NET, the administrator must first enable it as outlined in the following steps:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select the Web Service Extensions node.

3. Select the ASP.NET object, right-click on it, and select Allow from the context menu, as seen in Figure 4.37.

Figure 4.37 Enabling ASP.NET Support

Backing Up and Restoring the IIS Metabase

The IIS metabase in IIS 6.0 uses two XML files to store its configuration information:

■ metabase.xml

■ mbschema.xml

It is a good practice to back up the metabase regularly in the event disaster strikes the IIS server. When the backup is performed, both the metabase itself and the metabase schema files are backed up. A file with the extension .mdVersionNumber is created for the metabase, and a file with the extension .scVersionNumber is created for the schema.

The metabase can be safely restored from the backup should disaster strike, however this process does not back up any IIS data such as Web site or FTP site content. The network administrator must back up and restore this content using the Windows Backup Utility, as discussed in Chapter 5.

When backing up the metabase, the administrator can encrypt it with a password to protect it. If the computer running IIS fails, the metabase can be restored from the backup on a new installation of Windows Server 2003 or on a different computer (if using secure backup). It is also possible to restore the metabase with a previous version of the metabase files that are saved in the history folder. However, the administrator cannot restore a backup from an earlier version of IIS. If they restore from the history files, they cannot restore to a different IIS installation or different computer.

IIS automatically makes regular backups of the metabase in addition to manual backups made by the administrator. History files are also created automatically, as long as the history feature is enabled (by default, it is). IIS Manager can be used to restore history files, as well as restoring from backup. Exercise 4.09 outlines the steps required to back up the IIS metabase.

EXERCISE 4.09 BACKING UP THE IIS METABASE

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Right-click on the server root and select All Tasks | Backup/Restore Configuration from the context menu, as seen in Figure 4.38.

Figure 4.38 Starting the Metabase Backup

3. The Configuration Backup/Restore dialog box appears, as seen in Figure 4.39.


Figure 4.39 Performing a Backup or Restoration

4. To create a new backup, click the Create Backup button. The Configuration Backup dialog box appears, as seen in Figure 4.40.

Figure 4.40 Configuring the Metabase Backup

5. Enter a name for the configuration backup. For this example we use FirstManualBackup. You can also select to back up with a password by selecting the Encrypt backup using password checkbox. If you select this option, type and confirm the password. Click OK to create the backup.

6. Your new backup will appear in the list of backups. Restoring IIS from a backup is done through the same interface. Select the backup and click the Restore button if you wish to restore the backup.

7. Click Close to close the Configuration Backup/Restore dialog box.

Enabling Health Detection

Health detection enables IIS to monitor its worker process functionality. The network administrator can enable pinging and configure rapid application failover, discussed more in the “Troubleshooting IIS 6.0” section of this chapter. Administrators can also set the startup and shutdown times for a worker process using the options discussed in Exercise 4.10. You can enable health detection by following the steps outlined in Exercise 4.10. Note that this process only works if you are running in worker process isolation mode—not in IIS 5.0 isolation mode.

Exercise 4.10 Enabling Health Detection

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Expand the Application Pools node.

3. Locate the application pool that contains the Web site you wish to enable health detection for. Right-click on it and select Properties from the context menu, as seen in Figure 4.41.

Figure 4.41 Locating the Application Pool

4. Switch to the Health tab of the Application Pool Properties dialog box, as seen in Figure 4.42.


Figure 4.42 Examining the Health Detection Properties

5. You can configure the ping interval using the Enable pinging option. This interval is how often IIS contacts a worker process to make sure it is still functioning correctly. The default setting is 30 seconds. The Enable rapid-fail protection option is explained in the “503 Errors” section later in this chapter. You can also configure the worker process startup time (if the worker process restarts) with the Startup time limit option, and the shutdown time (if the worker process gets into a deadlocked state) using the Shutdown time limit option available on this tab.

6. Click OK to accept any changes you have made.

EXAM 70-292 OBJECTIVE 3.3.2

Managing IIS Security

Security in IIS revolves around three main areas:

User authentication

IP address/domain restrictions

SSL secured connections

Overall, these concepts have not changed significantly since IIS 5.0, except that the default installation of Windows Server 2003 enables more security features than previous Windows Server versions. The following sections examine each of these three areas in more detail. All security configurations are performed from the Directory Security tab of the Web/FTP site Properties dialog box, as seen in Figure 4.43.


Figure 4.43 Configuring Directory Security Properties

User Authentication Methods

Authentication is the process of validating a user’s credentials. Since IIS 6.0 runs on Windows Server 2003, users cannot access IIS without being authenticated. IIS 6.0 supports the following types of authentication:

Anonymous

Basic

Integrated Windows

Digest

.NET Passport

Certificate mapping

Each of these authentication methods is examined in more detail in the following sections.

Anonymous Authentication

Anonymous authentication is the most commonly used method on the Internet. It is used for public Web sites that are not concerned with user-level authentication. Using anonymous access, companies do not have to maintain user accounts for everyone who will be accessing their sites. Anonymous access also works with browsers other than Internet Explorer.

IIS runs all HTTP and FTP requests in the security context of a Windows Server 2003 user account. Windows Server 2003 requires a logon. This means that for someone to log on or access files on a server, they must have a user account. For anonymous Web access to work, a Windows Server 2003 user account must exist. This account is used any time someone connects to the server anonymously. IIS 6.0 creates a user account for this purpose when it is installed. The account is named IUSR_computername, where computername is replaced with your computer’s name. This user account is a member of the Everyone group and the Guest group. It also has permission to log on locally to the Web server.

Basic Authentication

Basic authentication is used by almost every Web browser to pass usernames and passwords back to the server. It is widely supported in both Web browsers and Web servers. Basic authentication has several benefits:

It works through firewalls and proxy servers.

It is compatible with lower versions of Internet Explorer.

It allows users to access resources that are not located on the IIS server.

It allows the administrator to use NTFS permissions on a user-by-user basis to restrict access. Unlike anonymous access, each user has a unique username and password.

Basic authentication also has some drawbacks:

Information is sent over the network as cleartext. The information is encoded with base64 encoding (see RFC 1521 for more information on base64 encoding), but it is sent in an unencrypted format. Someone could easily use a tool such as Network Monitor to view the information as it travels across the cable and use a base64 decoder to read it.

By default, users must have the “Log on Locally” right to use basic authentication.

For Web requests, the network administrator can make basic authentication more secure using SSL to encrypt the session. SSL is a secure communication protocol invented by Netscape, used to encrypt communication between two computers. SSL is processor-intensive and will degrade the performance of a system. SSL must be used during the entire session because the browser sends the username and password to the server every time the user makes a request. Even if the administrator used SSL for only the initial logon, as soon as the user requested a different file, the user would be sending their username and password over the network as cleartext again. SSL should be used only on Web sites with sensitive data.

Users authenticating with basic authentication must provide a valid username and password. The user account can be a local account or a domain account. By default, the IIS server looks locally or in its local domain for the user account. If the user account is in another domain, the user must specify the domain name during logon. The syntax for this is domain name\username, where domain name is the name of the user’s domain. For example, if you wanted to log in as the user Bob in the Syngress domain, you would enter Syngress\Bob in the username field.


Integrated Windows Authentication

Integrated Windows Authentication (IWA) is a secure IIS authentication method because usernames and passwords are not transmitted across the network. IWA is convenient, because if a user is already logged on to the domain and if the user has the correct permissions for the site, they are not prompted for their username and password. Instead, IIS attempts to use the user’s cached credentials for authentication. The cached credentials are hashed and sent to the IIS server for authentication. If the cached credentials do not have the correct permissions, the user is prompted to enter a different username and password.

IWA uses either NTLM or Kerberos for authentication. The Web browser and the IIS server negotiate which one to use. Both Kerberos and NTLM have their own advantages and disadvantages. Kerberos is less likely to be compromised because it is more secure than NTLM. Unlike NTLM, which authenticates only the client, Kerberos authenticates both the client and the server. This helps prevent spoofing. Kerberos allows users to access remote network resources not located on the IIS server. NTLM restricts users to the information located on the IIS server only.

Kerberos is the preferred authentication method. The following are requirements for Kerberos to be used instead of NTLM:

The client machine must be in either the same domain as the IIS server or in a trusted domain.

The client machine must be running Windows 2000.

The client must be using Internet Explorer 5.0 or higher as its browser.

There are a few limitations of IWA:

It works only with Internet Explorer 2.0 or higher (for NTLM authentication).

While NTLM can generally get past firewalls, it is usually stopped by proxy servers.

Kerberos can generally get past the proxy server, but is generally stopped by the firewall.

You must configure a realm when using Integrated Windows Authentication.

Digest Authentication

Digest authentication has many similarities to basic authentication, but it overcomes many of its associated problems. Digest authentication does not send usernames or passwords over the network. It is more secure than basic authentication, but requires more planning to make it work.

Some of the similarities with basic authentication are:

Users must have the Log on Locally right.

Both methods work through firewalls and proxy servers.


Like all authentication methods, digest authentication has some drawbacks:

Users can only access resources on the IIS server. Their credentials cannot be passed to another computer.

The IIS server must be a member of a domain.

All user accounts must store passwords using reversible encryption.

The method works only with Internet Explorer 5.0 or higher.

Digest authentication is secure due to the way it passes authentication information over the network. Usernames and passwords are never sent. Instead, IIS uses a message digest (also called a hash) to verify the user’s credentials—hence the name Digest authentication. A hash works by applying a one-way mathematical formula to data. The data used here is the user’s username and password. Because the hash is one-way, it cannot be reversed to recover a user’s information.

In order for Digest authentication to work, all user accounts must be stored using reversible encryption. When an IIS server receives a Digest authentication request, it receives a hash value instead of a username and password. IIS sends the hash value to Active Directory to verify that the user’s information is correct. Active Directory runs the same hashing formula against the user’s information. If the hash value that Active Directory comes up with matches the hash it received from IIS, the user’s information is correct. If Active Directory reaches a different value, the user’s information is considered to be incorrect. Active Directory can only run the hashing formula against the user’s information if it has a plaintext copy of the password. Choosing the Store password using reversible encryption option on a user account, as seen in Figure 4.44, stores a plaintext copy of the password in Active Directory. After enabling this setting for a user account, the user’s password must be changed to create the plaintext copy.

Figure 4.44 Enabling Digest Authentication for a User Account


.NET Passport Authentication

The .NET Passport option uses .NET passports to authenticate Web users—a new feature in IIS 6.0. .NET Passport is a single sign-on mechanism. The incoming HTTP requests must have the passport credentials (user name and password) inside the query string or as a cookie value. As cookies can be compromised by attacks, it is recommended that .NET Passport authentication be used over SSL. Network administrators must configure a default domain when using .NET Passport authentication.

Exam Warning

Support for .NET Passport authentication is a new feature to IIS 6.0. As such, make sure you have a complete understanding of it, including requirements to configure and implement it.

Using Client Certificate Mapping

Client certificate mapping is the process of mapping a certificate to a user account. There are two types of certificate mappings that are supported in IIS. Both methods require the use of SSL.

One-to-one mapping

Many-to-one mapping

Why is mapping beneficial? Normally, if an administrator wanted to give a user access to a site, they would create a user account. They would give the user a username and password and let them use one of the three authentication methods previously discussed—basic, digest, or Windows Integrated. This is done because the operating system requires the use of user accounts for controlling access. This takes a lot of administrative effort, because now the administrator has to maintain a large database of user accounts. They also have to worry about someone’s password being compromised.

To provide better security and reduce the administrative workload, the network administrator could give their users a digital certificate. Certificates can be used to verify a user’s identity. It is more efficient to use a certificate than a user account because certificates can be examined without having to connect to a database. It is generally safer to distribute certificates than user accounts. It is much easier to guess or crack someone’s password than it is to forge a certificate.

Where does mapping fit into the picture? If certificates are more secure and easier to distribute than user accounts, but the operating system requires a user account to control access, what do we do? The administrator can create a mapping between the user account and the certificate. When the user presents the certificate to the operating system, the user is given whatever rights are assigned to the mapped account. The end result is identical to the user logging on with a username and password. This solution provides the best of both worlds. The administrator does not have to distribute usernames and passwords to all of their users, but they still employ user accounts to secure resources.

One-to-One Certificate Mapping

As the name indicates, one-to-one mappings map one user account to one certificate. The user presents their certificate, and IIS compares this certificate to the certificate that it contains for the user. If the certificates match, the user is authenticated with their mapped account. For this system to work, the server must contain a copy of all the client certificates. Generally, one-to-one mappings are used in smaller environments. One of the reasons mapping is used is to make the network easier to administer. Network administrators do not want to have to maintain a large database of user accounts. If one-to-one mappings are used in a large environment, a large database is created because every certificate is mapped to a unique account.

Many-to-One Certificate Mapping

Many-to-one mappings map many certificates to one user account and are usually processed differently than one-to-one mappings. Since there is not a one-to-one association between user accounts and certificates, the server does not have to maintain a copy of individual user certificates.The server uses rules to verify a client. Rules are configured to look for certain things in the client’s certificate. If those things are correct, the user is mapped to the shared user account. For example, we could set up a rule to check which CA issued the certificate. If our company’s CA issued the certificate, we would allow the mapping. If the certificate were issued by another CA, the user would be denied access.
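The two mapping types just described, as an added example (not IIS code): a one-to-one table keyed on a stored copy of each certificate, and a many-to-one rule list that inspects certificate fields such as the issuer, including the “deny if another CA issued it” rule from the paragraph above. The certificates, accounts, and the assumption that one-to-one mappings are checked before many-to-one rules are all constructed for the demo.

```python
"""One-to-one and many-to-one client certificate mapping (added example).

A certificate is represented as a dict with "subject" and "issuer" name
fields and the raw "der" bytes; all certificates and accounts below are
constructed for the demo."""
import fnmatch
import hashlib


def fingerprint(cert):
    """Identify a certificate by the SHA-1 of its DER encoding."""
    return hashlib.sha1(cert["der"]).hexdigest()


class OneToOneMapper:
    """The server keeps a copy of every client certificate and maps each one
    to exactly one account, so the table grows with the number of users."""

    def __init__(self):
        self._by_fingerprint = {}

    def add(self, cert, account):
        self._by_fingerprint[fingerprint(cert)] = account

    def lookup(self, cert):
        return self._by_fingerprint.get(fingerprint(cert))


class ManyToOneMapper:
    """Rules inspect fields of the presented certificate instead of comparing
    it with a stored copy. Each rule names the part of the certificate
    ("issuer" or "subject"), a sub-field such as O or CN, a pattern (shell
    wildcards allowed), and the shared account to map to, or None to deny.
    Rules are evaluated in order; the first match wins."""

    def __init__(self):
        self._rules = []

    def add_rule(self, part, field, pattern, account):
        self._rules.append((part, field, pattern, account))

    def lookup(self, cert):
        for part, field, pattern, account in self._rules:
            value = cert.get(part, {}).get(field, "")
            if fnmatch.fnmatchcase(value, pattern):
                return account
        return None


def resolve_account(cert, one_to_one, many_to_one):
    """Assumed evaluation order for this demo: an explicit one-to-one
    mapping takes precedence over the many-to-one rules."""
    account = one_to_one.lookup(cert)
    if account is None:
        account = many_to_one.lookup(cert)
    return account


def make_cert(subject_cn, issuer_o, serial):
    """Constructed certificate; the 'der' bytes stand in for a real encoding."""
    return {"subject": {"CN": subject_cn},
            "issuer": {"O": issuer_o},
            "der": f"cert:{subject_cn}:{issuer_o}:{serial}".encode()}


if __name__ == "__main__":
    one_to_one = OneToOneMapper()
    many_to_one = ManyToOneMapper()
    alice = make_cert("Alice", "Syngress CA", 1)
    bob = make_cert("Bob", "Syngress CA", 2)
    outsider = make_cert("Mallory", "Other CA", 3)
    one_to_one.add(alice, "SYNGRESS\\alice")                  # individual account
    many_to_one.add_rule("issuer", "O", "Syngress CA", "SYNGRESS\\WebUsers")
    many_to_one.add_rule("issuer", "O", "*", None)              # any other CA: deny
    for cert in (alice, bob, outsider):
        print(cert["subject"]["CN"], "->", resolve_account(cert, one_to_one, many_to_one))
```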

Test Day Tip

You may find it helpful to write down the various methods of Web authentication on your scratch paper before beginning the exam. Be sure to write down the pros and cons of each method and any special considerations that must be taken into account when working with each method.

Configuring User Authentication

Clicking the Edit button on the Directory Security tab opens the Authentication Methods dialog box, as seen in Figure 4.45.


Figure 4.45 Configuring Authentication Methods

To configure the authentication methods to be used for a Web site, follow the steps outlined in Exercise 4.11.

Exercise 4.11 Configuring Web Site Authentication

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select your Web site, right-click it, and select Properties from the context menu.

3. Click the Directory Security tab.

4. Click Edit in the Authentication and Access control section of the Directory Security tab to open the Authentication Methods dialog box, as seen previously in Figure 4.45.

5. By default, the Enable anonymous access and Integrated Windows authentication options are enabled.

6. You can enable Digest authentication by selecting the Digest authentication for Windows domain servers option. You will be presented with a dialog box, as seen in Figure 4.46, warning you that Digest authentication can only be used for Active Directory domain user accounts. Click Yes to acknowledge the warning.


Figure 4.46 Configuring Authentication Methods

7. After you are returned to the Authentication Methods dialog box, ensure that you configure a realm so that digest authentication will function properly.

8. You can enable basic authentication by selecting the Basic authentication option. You will be presented with a warning dialog box, as seen in Figure 4.47, informing you that basic authentication transmits user credentials in clear text and recommending that you only use basic authentication over SSL-secured connections. Click Yes to acknowledge the warning.

Figure 4.47 Configuring Authentication Methods

9. You can enable .NET Passport authentication by selecting the .NET Passport authentication option. You must configure a default domain in order for .NET Passport authentication to function properly.

10. If you want to change the user account that is to be used for anonymous access, click the Browse button in the Enable anonymous access section of the dialog box. The standard Select User dialog box opens, as discussed in Chapter 1. You can also opt to disable anonymous access to your Web site by deselecting the Enable anonymous access option.

11. Click OK on the Authentication Methods dialog box to close it.


Configuring IP Address/Domain Restrictions

If desired, a network administrator can also opt to restrict users at the IP address or DNS domain level. This can be used to allow or block all but the configured IP addresses or domains. On the Directory Security tab, as seen previously in Figure 4.43, click the Edit button in the IP address and domain name restrictions section to open the IP Address and Domain Name Restrictions dialog box, as seen in Figure 4.48.

Figure 4.48 Assigning IP Address Restrictions on a Web Site

The administrator can choose to grant or deny access to all computers except those listed in the Except the following area of this dialog box. To add a new entry, click the Add button to open the dialog box, as seen in Figure 4.49. In this case an entry is being configured that will deny access to the specified IP address or domain name.

Figure 4.49 Assigning IP Address Restrictions on a Web Site

An entry can be configured using one of the following three methods:

The IP address of a single computer

An IP address range for a group of computers

A domain name

Click OK after making your access control entry.
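The evaluation logic behind the dialog described above, as an added example that is not IIS code: a default action (granted or denied) plus an exception list of single addresses, address ranges given as network address and subnet mask, and domain names. IIS resolves domain entries with a reverse DNS lookup on each request (the dialog warns that this is expensive); this example takes the already resolved host name as a parameter instead. All addresses and names are constructed.

```python
"""Evaluating IIS-style IP address and domain name restrictions (added example).

Models the IP Address and Domain Name Restrictions dialog: a default action
plus an exception list whose entries are a single IP address, an IP address
range (network address plus subnet mask), or a domain name. The caller
supplies the reverse-resolved host name; all sample values are constructed."""
import ipaddress


class AccessRestrictions:
    def __init__(self, default_granted=True):
        # True models "Granted access" with a deny list of exceptions;
        # False models "Denied access" with an allow list of exceptions.
        self.default_granted = default_granted
        self._networks = []
        self._domains = []

    def add_single_ip(self, ip):
        # A bare address becomes a host network (/32 for IPv4, /128 for IPv6)
        self._networks.append(ipaddress.ip_network(ip))

    def add_range(self, network_ip, subnet_mask):
        # The dialog takes an address and a mask, e.g. 192.168.1.0 / 255.255.255.0
        self._networks.append(
            ipaddress.ip_network(f"{network_ip}/{subnet_mask}", strict=False))

    def add_domain(self, domain):
        # A domain entry covers the domain itself and every host beneath it
        self._domains.append(domain.lower().strip("."))

    def in_exception_list(self, client_ip, client_hostname=None):
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self._networks):
            return True
        if client_hostname:
            host = client_hostname.lower().strip(".")
            return any(host == d or host.endswith("." + d) for d in self._domains)
        return False

    def is_allowed(self, client_ip, client_hostname=None):
        # Entries in the exception list receive the opposite of the default action
        return self.default_granted != self.in_exception_list(client_ip, client_hostname)


if __name__ == "__main__":
    # Public site: everyone gets in except one subnet and one domain (constructed)
    public = AccessRestrictions(default_granted=True)
    public.add_range("192.168.1.0", "255.255.255.0")
    public.add_domain("blocked.example")
    for ip, host in (("192.168.1.20", None), ("10.0.0.5", "pc1.blocked.example"),
                     ("10.0.0.5", "pc1.partner.example")):
        print(ip, host, "->", "allowed" if public.is_allowed(ip, host) else "denied")

    # Intranet admin site: nobody gets in except one workstation (constructed)
    admin = AccessRestrictions(default_granted=False)
    admin.add_single_ip("10.0.0.5")
    print("10.0.0.5 ->", "allowed" if admin.is_allowed("10.0.0.5") else "denied")
    print("10.0.0.6 ->", "allowed" if admin.is_allowed("10.0.0.6") else "denied")
```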


Configuring SSL-Secured Communications

SSL can be used to provide a digital certificate-based method of authenticating and securing communications that occur with the IIS server. Before a network administrator can use certificates on their Web servers for authentication, there are two server certificates that they must have. The first is for the CA, and the second is for the Web server. The administrator must have two different certificates for these two different functions, even if both reside on the same server.

It is assumed that you already have a Windows Server 2003 CA in place; if not, you may want to review the concepts covered in MCSE Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293 Study Guide and DVD Training System, ISBN: 1931836930, 2003 by Syngress Publishing.

Exercise 4.12 outlines the process you must follow to obtain a server certificate for your IIS server.

Exercise 4.12 Requesting a Server Certificate for the IIS Server

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select your Web site, right-click and select Properties from the context menu.

3. Click the Directory Security tab.

4. Click Server Certificate in the Secure Communications section of the Directory Security tab to start the IIS Certificate Wizard. Click Next to dismiss the opening dialog box.

5. On the Server Certificate dialog box, as seen in Figure 4.50, you can select how you want to create the server SSL certificate. For this example, select the Create a new certificate option and click Next to continue.

6. In the Delayed or Immediate Request dialog box, as seen in Figure 4.51, you can decide when to send the certificate request. If you already have an online CA configured, you should select the Send the request immediately to an online certification authority option. Click Next to continue.


Figure 4.50 Selecting How to Create the Server SSL Certificate

Figure 4.51 Selecting How to Transmit the Server SSL Certificate

7. In the Name and Security Settings dialog box, as seen in Figure 4.52, you must configure a descriptive name for the new certificate as well as the key length. In this example we have chosen to use SSLSecurityforDefaultWebSite. Click Next to continue.

Figure 4.52 Configuring the Certificate Name and Key Length


8. In the Organization Information dialog box, enter or select the Organization and Organizational unit that the certificate is being issued for. Click Next to continue.

9. In the Your Site’s Common Name dialog box, as seen in Figure 4.53, you must enter the IIS server’s common name—its FQDN if on the Internet or its NetBIOS name if on an intranet. This name is extremely critical and must be configured exactly the same as the name that users will use to connect to the site. Click Next to continue.

Figure 4.53 Configuring the Web Site’s Common Name

10. In the Geographical Information dialog box, enter the required geographical information and click Next to continue.

11. In the SSL Port dialog box, enter the TCP port that the Web site will use for SSL. The default is 443 and should not be changed in most cases. Click Next to continue.

12. In the Choose a Certification Authority dialog box, you must select the CA from the available listing that is to be used to issue the new server SSL certificate. After making your selection, click Next to continue.

13. The Certificate Request Submission dialog box appears, as seen in Figure 4.54, allowing you a chance to review your settings before submitting the certificate request. If all is well, click Next to request the certificate.


Figure 4.54 Reviewing the Certificate Request Summary

14. Click Finish to close the IIS Certificate Wizard.

Now that you have gotten the server certificate, you must configure the server to use it. Exercise 4.13 outlines the process to configure SSL for secure communications and user authentication. User authentication via SSL uses certificate mapping.

Note

Remember that SSL uses port 443 by default, so make sure you have not blocked this at your firewall.

Exercise 4.13 Configuring Web Security and Authentication Using SSL

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Select your Web site, right-click and select Properties from the context menu.

3. Click the Directory Security tab.

4. Click Edit in the Secure communications section of the Directory Security tab to open the Secure Communications dialog box, as seen in Figure 4.55.


Figure 4.55 Configuring SSL Properties for a Web Site

5. Configure your secure communication settings as desired:

Select the Require secure channel (SSL) check box to configure SSL-encrypted communication for visitors using a Web browser that supports secure communications—URLs starting with https://.

Select the Require 128-bit encryption check box to require a 128-bit encrypted communication link for a Web browser to connect with this Web site. This setting is only available once you have selected the Require secure channel (SSL) option.

Selecting the Ignore client certificates option allows users to have access without being prompted to present a client certificate. This is not a recommended setting as it degrades overall security.

Selecting the Accept client certificates option allows users with client certificates access, but does not require the certificate. A user that has a valid certificate can use certificate mapping; a user without a valid certificate will use one of the previously discussed authentication methods.

Selecting the Require client certificates option allows only users with a valid client certificate to connect to the Web site. Users without a valid client certificate are denied access. This setting is only available once you have selected the Require secure channel (SSL) option.

6. If you want to use certificate mapping, select the Enable client certificate mapping check box and then click Edit to configure the mappings, as previously discussed.


7. To create or edit approved certificate trust lists (CTL) for the Web site, enable this option and click New or Edit to configure it. A CTL is a list of approved CAs for a particular Web site.

8. Click OK to close the Secure Communications dialog.

Test Day Tip

If you set the Require 128-bit encryption option and clients connect with a valid certificate but with a browser that cannot support 128-bit encryption, they will not be able to connect. Select this option with care!

EXAM 70-292 OBJECTIVE 3.3.1

Troubleshooting IIS 6.0

Let’s examine some of the troubleshooting associated with IIS 6.0. Troubleshooting can be divided into three different areas:

Content errors

Connection errors

Miscellaneous errors

Troubleshooting Content Errors

Content errors are often caused by ASP or ASP.NET application code. This application code, or these scripts, are required to perform business intelligence tasks that manipulate data. Some of the more common content errors are discussed in the following sections.

Static Files Return 404 Errors

This is the most common IIS error and could be due to one of two main reasons:

The user may have entered an incorrect URL

The file extension is invalid

IIS is configured to only accept requests from files that have a valid extension. For example, IIS will understand the “.ASPX” extension, but it will not understand an “.ABC” file extension.


Test Day Tip

You can enable IIS 6.0 to accept all requests for any file extension by adding the “*,application/octet-stream” value to the MIME types list in IIS 6.0.

IIS checks for the file extension upon its receipt of a request. All of the valid file extensions are available as Multipurpose Internet Mail Extensions (MIME) formats in IIS. MIME types instruct the Web server how to process the incoming requests. For example, if an administrator requests an “.ASPX” file, the Web server knows to instruct ASP.NET to process the request. The MIME type does not have any effect on the data returned to the client.

Exam Warning

If you change the MIME settings, you need to restart the World Wide Web Publishing service. The IIS 6.0 worker process needs to be recycled to detect the new MIME types; therefore, a restart of the WWW service is necessary.

Dynamic Content Returns a 404 Error

The IIS 6.0 default installation does not activate ASP.NET and CGI applications. These have to be manually enabled using the Web Service Extensions node of the IIS Manager, as previously discussed in the “Enabling Web Service Extensions” section. If the ASP.NET or CGI applications are not enabled, users will receive a 404 error on dynamic content.

Sessions Lost Due to Worker Process Recycling

A session could best be described as a data storage mechanism for a single user on a Web site. HTTP cookies are used to store information about the user’s activities; this information is referred to as session data. These ASP sessions were alive until the IIS server was restarted or they timed out. IIS 6.0 works on a worker process model, as previously discussed. Therefore, when the worker process stops, all session information is lost. The default installation configures IIS to recycle the worker process every 120 minutes.

This session information is kept in RAM on the IIS server and can grow quite bulky in larger IIS implementations. This can result in adverse performance on the servers; therefore IIS 6.0 empties the session information by recycling the worker process every 1,740 minutes (or 29 hours) by default. The network administrator can either disable worker process recycling or extend the time settings if this creates problems. Worker process recycling can be configured by completing the steps outlined here:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.


2. Expand the Application Pools node and select the application pool that contains your Web site.

3. Right-click the selected application pool and select Properties from the context menu.

4. The Recycling tab, as seen in Figure 4.56, is shown by default and allows you to configure recycling as needed.

Figure 4.56 Configuring the Recycling Properties for an Application Pool

ASP.NET Pages are Returned as Static Files

ASP.NET files are processed at the server and the resulting HTML is returned to the browser. In some cases this could be DHTML, depending on the capabilities of the browser. If the IIS server does not recognize an ASP.NET file or the .ASPX file extension, the server returns the static text as the reply. This can happen if IIS is reinstalled without reregistering ASP.NET.

Troubleshooting Connection Errors

Typically, connection issues are related to the performance of IIS and ASP.NET. Some of the more common connection errors are discussed in the following sections:

503 Errors

This error is generally caused by HTTP.sys overload and is usually due to one of two reasons:

The request queue length has exceeded the number of available application pool resources

Rapid-fail protection has been initiated by IIS


Every application pool has a configurable queue length. If the request queue exceeds this amount, HTTP.sys cannot process the requests. This results in a 503 error being sent to the client. The queue length of an application pool can be changed by performing the following steps:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Expand the Application Pools node and select the application pool that contains your Web site.

3. Right-click the selected application pool and select Properties from the context menu.

4. Switch to the Performance tab, as seen in Figure 4.57.

Figure 4.57 Configuring the Performance Properties of an Application

5. In the Request queue limit area, select the Limit the kernel request queue option and put a value in the text box.

6. Click OK to close the application pool Properties dialog box.

IIS initiates rapid-fail protection when too many application pool errors are generated within a specified time frame, which is usually the result of a memory leak in the application code.

The default is five errors occurring in five minutes. This scenario triggers IIS to restart and issue a 503 error to the client. Alternatively, you can increase the error count and expand the time frame by performing these steps:

1. Start the IIS Manager by clicking Start | Programs | Administrative Tools | Internet Information Services (IIS) Manager.

2. Expand the Application Pools node and select the application pool that contains your Web site.


3. Right-click the selected application pool and select Properties from the context menu.

4. Switch to the Health tab, as seen previously in Figure 4.42.

5. In the Enable rapid-fail protection area, enter values in the Failures and Time Period (in minutes) boxes.

6. Click OK to close the application pool Properties dialog box.
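The three application pool behaviours covered above (session data vanishing when the worker process is recycled, the 503 from a full kernel request queue, and rapid-fail protection shutting the pool down after five failures in five minutes) can be seen together in this small Python model. It is an added example, not code from the book or from IIS itself; the class, the assumed queue default of 1000 and the event log lines are all constructed for the illustration.

```python
# Added example (not from the book): a Python model of the IIS 6.0 application
# pool behaviours described in the text. Limits, names and event lines are
# constructed for the illustration; the queue default of 1000 is an assumption.
from datetime import datetime, timedelta


class AppPool:
    """State that HTTP.sys and the WWW service keep for one application pool."""

    def __init__(self, queue_limit=1000, max_failures=5, failure_window_min=5):
        self.queue_limit = queue_limit        # "Limit the kernel request queue"
        self.max_failures = max_failures      # rapid-fail protection: Failures
        self.failure_window = timedelta(minutes=failure_window_min)  # Time Period
        self.queued = 0                       # requests waiting for a worker
        self.failures = []                    # timestamps of recent worker failures
        self.disabled = False                 # set once rapid-fail protection trips
        self.sessions = set()                 # session IDs living in worker RAM

    def request(self, session_id):
        """Return the HTTP status a client gets for a new request."""
        if self.disabled:
            return 503                        # pool stopped by rapid-fail protection
        if self.queued >= self.queue_limit:
            return 503                        # kernel request queue is full
        self.queued += 1
        self.sessions.add(session_id)         # ASP session data is created in RAM
        return 200

    def complete(self):
        """A worker finished a request and freed its queue slot."""
        self.queued = max(0, self.queued - 1)

    def has_session(self, session_id):
        return session_id in self.sessions

    def recycle(self):
        """Periodic recycle: the worker process, and every session it held, is gone."""
        self.sessions.clear()
        self.queued = 0

    def worker_failed(self, when):
        """Record a worker failure; trip rapid-fail protection once the window fills."""
        cutoff = when - self.failure_window
        self.failures = [t for t in self.failures if t > cutoff] + [when]
        if len(self.failures) >= self.max_failures:
            self.disabled = True
        return self.disabled


# Constructed event log: "<HH:MM:SS> <event> [session-id]"
EVENTS = [
    "09:00:00 request s1",
    "09:00:01 request s2",
    "09:00:02 request s3",   # third request while only two fit in the queue
    "09:00:03 complete",
    "09:00:04 request s4",
    "09:05:00 recycle",      # periodic recycle: s1..s4 session data is discarded
    "09:06:00 crash",
    "09:07:00 crash",
    "09:08:00 crash",
    "09:09:00 crash",
    "09:10:30 crash",        # fifth failure inside five minutes
    "09:11:00 request s5",   # pool is now disabled
]


def replay(lines, pool):
    """Replay event lines against a pool; return (session-id, status) per request."""
    results = []
    for line in lines:
        stamp, event, *args = line.split()
        when = datetime.strptime(stamp, "%H:%M:%S")
        if event == "request":
            results.append((args[0], pool.request(args[0])))
        elif event == "complete":
            pool.complete()
        elif event == "recycle":
            pool.recycle()
        elif event == "crash":
            pool.worker_failed(when)
    return results


def run_demo():
    """Replay EVENTS against a pool with a deliberately tiny queue."""
    pool = AppPool(queue_limit=2)
    return replay(EVENTS, pool), pool


if __name__ == "__main__":
    results, pool = run_demo()
    for session_id, status in results:
        print(f"{session_id}: HTTP {status}")
    print("s1 session survived recycle:", pool.has_session("s1"))
    print("pool disabled by rapid-fail protection:", pool.disabled)
```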

401 Error – Sub-authentication Error

Anonymous access to Web sites is managed by the sub-authentication component (iissuba.dll). This DLL is not enabled by default in IIS 6.0, to avoid the potential security risks of anonymous access. The network administrator can enable the sub-authentication component by registering iissuba.dll and setting the AnonymousPasswordSync attribute in the metabase to true. The IIS administrator gets a warning when anonymous access is enabled.

TEST DAY TIP

The sub-authentication component for anonymous access is enabled by default in IIS 5.0 and lower. Remember, it is not enabled by default in IIS 6.0.

Client Requests Timing Out

There was less emphasis on connections timing out in IIS 5.0 and below; IIS 6.0 has made considerable progress on this issue. IIS 6.0 has locked down and reduced the size of many client request properties, which has resulted in better efficiency and performance.

Here are the new features in IIS 6.0 that deal with time outs:

Limits on response buffering

The network administrator can buffer all the process output at the server end and send the whole output to the client as a single entity, as opposed to processing some data, sending it, and then processing the next portion of the initial request. This is referred to as response buffering. A timeout will result if the buffer exceeds the limit. This limit can be modified by using the ASPBufferingLimit metabase property.

Limits on posts

The maximum ASP post size is 204,800 bytes. A post refers to an HTTP POST request to the Web server. This is usually done as an HTML form submission. Sometimes these HTML form variables can be very lengthy. The maximum size allowed for an HTTP POST request is referred to as the post limit/size. Each individual field can have up to 100K of data. If these limits are exceeded, a timeout error results. This property can be modified from the AspMaxRequestEntityAllowed property of the metabase.


Header size limitation

HTTP.sys only accepts a request whose headers are smaller than 16K. HTTP.sys treats anything larger as malicious and terminates the connection. The administrator can change this value by modifying the MaxRequestBytes registry key.
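The three limits just described can be applied to a raw HTTP request before it would reach ASP, which shows which of them a given request trips and why HTTP.sys answers the header case differently (it drops the connection rather than returning an error). The following Python checker is an added example, not code from the book or from IIS; the function names and sample requests are constructed, and the per-field limit is the 100K figure stated in the text.

```python
# Added example (not from the book): a Python checker for the IIS 6.0 request
# limits described in the text. The functions and sample requests are constructed.
from urllib.parse import parse_qsl

HEADER_LIMIT = 16 * 1024      # MaxRequestBytes: request line plus headers (16K per the text)
POST_LIMIT = 204_800          # AspMaxRequestEntityAllowed: whole POST entity body
FIELD_LIMIT = 100 * 1024      # per-field limit for HTML form variables, as stated in the text


def split_request(raw: bytes):
    """Split a raw request into (request line + headers, entity body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end-of-headers marker")
    return head + sep, body


def check_request(raw: bytes) -> list:
    """Return the limit violations for a raw request (an empty list means it passes)."""
    try:
        head, body = split_request(raw)
    except ValueError as exc:
        return [str(exc)]
    if len(head) >= HEADER_LIMIT:
        # HTTP.sys does not answer at all here; it terminates the connection
        return [f"headers {len(head)} bytes >= MaxRequestBytes {HEADER_LIMIT}: connection terminated"]
    problems = []
    if head.split(b" ", 1)[0] == b"POST":
        if len(body) > POST_LIMIT:
            problems.append(f"POST body {len(body)} bytes > AspMaxRequestEntityAllowed {POST_LIMIT}")
        # form fields are urlencoded name=value pairs; measure each value on its own
        for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if len(value) > FIELD_LIMIT:
                problems.append(f"form field {name!r} {len(value)} bytes > field limit {FIELD_LIMIT}")
    return problems


def build_post(fields: dict, path="/form.asp", host="www.example.com") -> bytes:
    """Construct a urlencoded HTML form submission for the demo (values are plain ASCII)."""
    body = "&".join(f"{k}={v}" for k, v in fields.items()).encode("latin-1")
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1")
    return head + body


def demo() -> dict:
    """Run the checker over four constructed requests; return name -> violations."""
    samples = {
        "small form": build_post({"user": "alice", "comment": "hello"}),
        "oversized field": build_post({"user": "alice", "notes": "x" * (FIELD_LIMIT + 1)}),
        "oversized post": build_post({"blob": "x" * (POST_LIMIT + 1)}),
        "oversized headers": (b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n"
                              b"X-Padding: " + b"a" * HEADER_LIMIT + b"\r\n\r\n"),
    }
    return {name: check_request(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'passes' if not problems else '; '.join(problems)}")
```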

Troubleshooting Other Errors

The rest of the common errors you may experience do not clearly fall into content or connection categories, thus they are referred to as “other” errors.

File Not Found Errors for UNIX and Linux Files

IIS 6.0 can access and share information with UNIX and Linux systems. IIS 6.0, UNIX, and Linux all support mixed-case filenames. Unfortunately, the IIS static file cache stores filenames in upper case. UNIX and Linux systems are case sensitive, whereas IIS is not. This results in the first file access occurring trouble-free; subsequent access to the same file will result in a File Not Found error because IIS 6.0 will try to retrieve it from the static file cache. The remedy is to disable the static file cache when dealing with UNIX or Linux systems.

To disable the static file cache on a Web site or a virtual directory, change the metabase property MD_VR_NO_CACHE to 1. To disable the static file cache for all sites, set the DisableStaticFileCache=1 value in the registry. Changing these settings affects only ASP.NET files; ASP files are not affected by this change. The static file cache caches all of the static Web content for faster response times. Performance slips if this facility is disabled.

ISAPI Filters Are Not Automatically Visible as Properties of the Web Site

IIS 5.0 used to display all the ISAPI filters that are associated with a particular site. IIS 6.0 does not load an ISAPI DLL until it is actually invoked from a client request. Therefore, until the ISAPI DLL is loaded, it will not show up in the ISAPI tab of the Properties window. The network administrator must run IIS 6.0 in isolation mode if they want to get a complete list of ISAPI DLLs available for a site.

The Scripts and Msadc Virtual Directories Are Not Found in IIS 6.0

IIS 5.0 had execute permission on the Scripts and Msadc virtual directories. This was one of the common security weaknesses of IIS 5.0: a malicious user could execute code in these virtual directories and take control of the IIS server. Therefore, IIS 6.0 is configured not to create these two directories, to improve security.


Summary of Exam Objectives

This chapter examined the installation, configuration, management, and troubleshooting of IIS 6.0 in Windows Server 2003. The objective was to get familiar with the new features and learn the main features of IIS. IIS 6.0 incorporates the World Wide Web Service, FTP service, NNTP server, and SMTP server.

It investigated the new features in IIS 6.0. There are several new security features, including Advanced Digest authentication, SGC, SCP, and default lock-down status. The new reliability features in IIS 6.0 are Health Detection and the request processing architecture using HTTP.sys. Miscellaneous new features include the XML Metabase, UTF-8 support, and ASP.NET integration with IIS 6.0.

We learned to create, start, stop, and delete all of these sites and virtual servers. The management of the IIS 6.0 functions is mainly done through the IIS Manager console. There are also command-line utilities available for these functions, as discussed in Appendix A. This chapter ended by examining the security options available in IIS 6.0. Digest security, Basic Authentication, Windows Integrated Security, and .NET Passport security models can be used to manage security. The new Web Service Extensions window can be used to conveniently enable or disable ASP, ASP.NET, FrontPage extensions, and WebDAV support on an IIS server.

Exam Objectives Fast Track

What is New in IIS 6.0?

The new features can be categorized into two main sections: security and reliability.

Advanced Digest authentication, Server-gated Cryptography, Selectable Cryptography Service Provider, separate Worker Process, and Default Lockdown Wizard are some of the new security features.

IIS 6.0 runs on a separate worker process model. This means every Web site is a separate ISAPI application memory space, which is detached from IIS.

There is a Health Detection system between IIS and the separate worker processes.

HTTP.sys is the new kernel process that accepts all incoming IIS traffic. It uses application pools to assign resources to Web sites.

ASP.NET is the default scripting mechanism available in IIS 6.0. It still supports the old ASP applications.

IIS configuration settings are stored in an XML Metabase.


Installing and Configuring IIS 6.0

IIS can be installed in three different ways. The first is by using the Configure Your Server Wizard. The second option is to use Add/Remove Programs from Control Panel. The final option is unattended setup.

Systems administrators use the unattended setup to configure multiple computers.

Managing IIS 6.0

Common management tasks that you should be familiar with include:

Creating new Web sites, FTP sites, NNTP virtual servers, and SMTP virtual servers

Enabling Web Service Extensions

Creating virtual directories

Hosting multiple Web sites

Configuring Web site performance

Working with ASP.NET

Backing up and restoring the IIS metabase

Enabling health detection

The IIS Manager is the primary interface that you will use to perform all IIS functions.

The IIS Manager can be used to manage multiple IIS servers from one location.

Managing IIS Security

The network administrator can force the user to authenticate using Digest, Basic, Integrated Windows, and .NET Passport security.

Anonymous access is not recommended for a Web site containing sensitive data.

The safest authentication is the Digest Security option.

The network administrator can also include IP restrictions to restrict known offenders and networks.

Another security mechanism is to use SSL certificates to encrypt the communication between the server and the client.


Troubleshooting IIS 6.0

Troubleshooting IIS can be categorized into two main sections: Content and Connection errors.

A 404 error is due to a misspelled URL or an invalid file extension.

Session data in IIS 6.0 can be lost because the worker process is recycled every two hours. (This is the default configurable setting.)

503 errors are due to an influx of HTTP requests to HTTP.sys. This can cause rapid-fail protection to restart the worker process.

The time-out parameters in IIS 6.0 are much more extensive than the IIS 5.0 settings.

Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: How do I replicate Web content on multiple servers?

A: IIS 6.0 does not have a built-in content replication tool. Content replication is a major issue in managing large Web farms. Please use Microsoft Content Management Server (CMS) or Site Server tools for content replication.

Q: Can I remotely administer my IIS Server?

A: Yes. Both IIS Manager and the command-line tools provide tools to do this. IIS Manager lets you add remote computers as nodes to the IIS Manager console. All command-line utilities come with parameters to configure user name/password support for remote computers: the /s parameter for the remote computer name, the /u parameter for the user name to log on to the remote machine, and the /p parameter for the password for the user account. Appendix A covers a variety of the command-line utilities in additional detail.

Q: Can I give different access points to different users for an FTP site?

A: Yes. Using the FTP isolation utilities in IIS, you can point different FTP users to different physical FTP home directories.


Q: How can I convert a FAT system to an NTFS system?

A: There is a command-line utility called convert.exe for this purpose. The syntax is convert DriveLetter: /FS:NTFS. It is important to understand that an NTFS system cannot be converted to a FAT system using this tool.

Q: How do I obtain SSL security access information?

A: This can be achieved by using the IIS Manager. Click on the Web site and select Properties. Then select the Directory Security tab. Choose the View Certificate button under the Secure Communications group box. The certificate will have information on the version, serial number, signature algorithm (i.e. sha1RSA), Issuer, Valid From, Valid To, Subject, and Public Key.

Q: Can we have multiple SSL security certificates for a single Web site?

A: No. Only one security certificate is permitted for a single Web site.

Q: Can I reuse the same server certificate for multiple Web sites?

A: Yes. You can use the same SSL security certificate in multiple Web sites. Multiple sites have to be configured separately to use the same certificate.

Q: Can I attach SSL security certificates to FTP sites?

A: No. FTP sites do not support SSL without third-party add-ons.

Q: Can I count my FTP users at a given point in time?

A: Yes. Click on the Properties of the FTP site. Click Current Sessions on the FTP Site tab. The FTP User Sessions message box will display the value.


Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

What is New in IIS 6.0?

1. You have created a commercial Web site with sensitive business information. Your senior architect has advised you to use Advanced Digest authentication to maximize security benefits on IIS 6.0. You have been doing research on Advanced Digest authentication. What is an incorrect piece of information you came across in your research?

A. It uses Active Directory to store user credentials

B. It only works with HTTP 1.1 enabled browsers

C. It will work with Internet Explorer 4.0 with JavaScript 1.3 support

D. It only works with WebDAV enabled directories

2. IIS 6.0 introduces a worker process model concept. A worker process model is a separate ISAPI application (Web site) that runs in isolation. In previous IIS versions (version 5.0 and below) all applications ran in the same memory space as inetinfo.exe. IIS 6.0 does not let the applications run in the same space as inetinfo.exe. The IIS 6.0 concept of tracking its Web sites is referred to as what?

A. Using Health Detection

B. Using HTTP.sys

C. Using XML Metabase entries

D. Using ASP.NET scripts that directly communicate to .NET Framework.

Installing and Configuring IIS 6.0

3. You have been instructed to install Windows Server 2003 on a Windows 2000 machine. The current Windows 2000 Server is running under a FAT32 system. The Windows Server 2003 installation will permit you to upgrade or perform a clean installation. When you are performing the upgrade you have an option between FAT32 and NTFS file systems. Which one would you choose?

A. FAT

B. FAT32


C. NTFS

D. FAT64

4. You have installed the standard default installation of Windows Server 2003. You were disappointed to find out that IIS 6.0 was not installed by default. You have read that you can install IIS in several ways. You pick the Configure Your Server Wizard option. You have discovered that the Windows server acts like an Application Server while investigating this option. What technology is not included in the Windows Server 2003 application server technologies?

A. COM+

B. ASP.NET

C. ASP

D. IIS 6.0

5. You are employed as a Systems Administrator for a large Internet Service Provider. Your organization develops and hosts multiple Web sites for commercial users. Your organization is upgrading a Windows 2000 Web farm to Windows Server 2003 servers. There are ten production servers, two staging servers, and three development Web servers in the organization. You have been asked to perform the Windows Server 2003 installation on all of these servers. What is the best installation method for your organization?

A. Use the Configure Your Server Wizard

B. Use winnt32.exe with an answer file

C. Use wyscomgr.exe with an answer file

D. Use Control Panel | Add/Remove Programs

Managing IIS 6.0

6. You are creating a commercial Web site using IIS Manager 6.0. This Web site needs to communicate with the legacy payroll system of the organization. The communication is done using an ISAPI DLL from the Web site. Which permission right is important to read the payroll data with the help of the ISAPI DLL?

A. Read

B. Run Scripts

C. Browse

D. Execute


7. You are trying to create an SMTP virtual server using IIS Manager. You have entered the SMTP site name and are being asked to enter the IP address and the Port number for the SMTP server. You selected the default IP address option (All Unassigned) and Port 25. You click the Next button and get an error stating that the IP address and the port number are already in use. What is the cause of this error message?

A. You must provide an IP address. (All Unassigned) is not acceptable

B. You cannot use port number 25

C. The default SMTP site used these settings already.

D. You should use port number 80.

8. Web Services Extensions is a new feature in IIS 6.0. Using Web Services Extensions, we can configure IIS 6.0 components. We can enable and disable them from the IIS Manager console. You have been experimenting with enabling and disabling these components. You could not find some of the item(s) below. Which item(s) fall into this category?

A. WebDAV

B. ASP.NET

C. File Sharing

D. ASP

Managing IIS Security

9. There are several ways to apply security on Web sites. All of these can be configured by the Properties tab of a Web site. Which one of the following is not a security measure to prevent intruders from hacking into IIS 6.0 Web sites?

A. Using SSL certificates

B. Using WebDAV

C. Using an authentication method to force the user to authenticate

D. Apply IP restrictions on known offenders and networks

10. You have configured Digest authentication for your Web servers. Jon, one of your users who needs to authenticate to the Web servers, cannot do so. You have checked Jon’s user account properties and found that the Store Passwords Using Reversible Encryption option has been checked, but Jon still cannot authenticate. What is the most likely reason for his troubles?


A. Jon’s user account is disabled. You should enable it from Active Directory Users and Computers.

B. Jon did not change his password after the Store Passwords Using Reversible Encryption option was enabled for his account.

C. Jon changed his password after the Store Passwords Using Reversible Encryption option was enabled for his account, which disabled this setting.

D. Jon’s computer that he is attempting to make the connection with does not have the 128-bit high encryption patch applied.

11. Andrew is the network administrator for a small Windows Server 2003 Active Directory domain. He has configured IWA for users attempting to authenticate to the Web server. Andrew’s network is protected from the Internet by a Cisco PIX firewall. Users attempting to authenticate using IWA complain that they cannot authenticate. What is the most likely cause of the troubles?

A. Andrew has not configured the user’s account properties with the Store Passwords Using Reversible Encryption option.

B. IWA fails when access is through a firewall due to the fact that the firewall places its IP address in the hash, thus rendering the authentication request invalid.

C. Andrew has not configured for IWA in the Group Policy Object that covers the IIS server’s computer account.

D. Andrew has not configured for IWA in the Group Policy Object that covers the user’s accounts.

12. You have enabled SSL on your Web site but now users complain that they cannot establish secure connections on port 80. You know that port 80 is the standard HTTP port, not the secure HTTP port. What port should they be attempting to connect to?

A. 8080

B. 443

C. 25

D. 110

Troubleshooting IIS 6.0

13. You are hosting an ASP application that uses session variables to store common data across the site. The ASP site was performing well on Windows 2000 Server. Then you upgraded the server to Windows Server 2003. After the upgrade your site seems to be losing session data regularly. It seems to be working fine after a reboot. As the day passes by it loses all of its session data. What could be the potential problem?


A. Session data is not supported in Windows Server 2003.

B. IIS 6.0 worker process is getting recycled every two hours

C. IIS 6.0 user isolation mode gets recycled every two hours.

D. You need to enable ASP.NET to handle sessions in Windows Server 2003 server.

14. Your Web server is running ASP.NET applications on IIS 6.0. An incorrect configuration setting has caused you to reinstall IIS 6.0 on this machine. Therefore, you have used the Control Panel | Add/Remove Programs method to uninstall and reinstall IIS 6.0. Then you tried to load up your ASP.NET pages. Unfortunately, all ASP.NET pages are displayed as text. What could be the solution to this problem?

A. You need to reregister ASP.NET

B. You need to reformat the drive as NTFS and reinstall Windows Server 2003 with IIS.

C. You need to edit the Metabase XML file to recognize ASP.NET files.

D. You need to restart IIS from IIS Manager.

15. Your company’s new MP3 player is getting very popular on the Internet. You are getting close to 2,500 requests per minute to download the product. Unfortunately, your Web server is continuously getting 503 errors for these product downloads. Your boss has asked you to look into this problem. What could be the issue?

A. Not enough bandwidth for the users.

B. HTTP.sys cannot handle the incoming traffic.

C. The worker process is getting recycled every five minutes.

D. The FTP Server needs to be run on isolation mode.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C

2. A

3. C

4. C

5. B

6. D

7. C

8. C

9. B

10. B

11. B

12. B

13. B

14. A

15. B


271_70-292_05.qxd 8/20/03 4:19 PM Page 275

Chapter 5

MCSA/MCSE 70-292

Managing and Implementing Disaster Recovery

Exam Objectives in this Chapter:

4.1 Perform system recovery for a server

4.1.1 Implement Automated System Recovery (ASR)

4.1.2 Restore data from shadow copy volumes

4.1.3 Back up files and System State data to media

4.1.4 Configure security for backup operations

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


276 Chapter 5 • Managing and Implementing Disaster Recovery

Introduction

Regardless of how hard network administrators work to protect their networks and systems from disaster, sometimes the worst occurs. Servers are subject to hardware failure from age, overuse, or defects, data loss from hack attacks, and natural disasters such as fires or floods that can destroy both the data and the systems themselves. Planning for disaster is an important part of every network administrator’s job.

Windows Server 2003 includes several tools to help network administrators prepare for a serious system failure or attack, ensure that mission-critical data will not be lost, and minimize server downtime. A good disaster preparation plan starts with a strategy for regularly scheduled backups. The Windows Backup Utility provides an easy way to back up data with the Backup and Restore Wizards. Also included is the Automated System Recovery (ASR) Utility. The ASR Wizard helps the network administrator create a two-part backup of the essential system components: a floppy disk containing system settings and a backup of the local system partition on other media.

Windows Server 2003 also supports other, more sophisticated approaches to recovering from server hardware failure. Fault tolerant disks (Redundant Array of Independent Devices [RAID]) can be an important part of a disaster preparation plan, and if a network administrator is running the Enterprise Edition of Windows Server 2003, they also have the option of using server clustering—the ultimate in fault tolerance.

This chapter shows how to create a basic backup plan for an organization’s network and servers using the backup and recovery tools included with the Windows Server 2003 operating system.

Creating a Backup Plan

A backup allows data and system files to be archived to another location on the hard disk or to other media. Backups can be compared to making a photocopy of an original document, which creates a duplicate that can be stored safely in case the original is destroyed. As with a photocopy, a backup of data is a duplicate of the original data on a computer at the time the backup was taken. Unlike a photocopy, however, the quality of the backup data is equal to the quality of the original.

When problems occur, the backed up files can be restored to the location from which the data was originally copied, or to another location such as a different directory or a different machine. The ability to restore data is just as important as performing regular backups; if a backup cannot be restored, then the backed up data is lost as well as the original data.

Backing up and restoring data is a fundamental part of any disaster recovery plan. A backup plan provides procedures that detail which data should be backed up, how this data is to be backed up, and when it is to be backed up. The plan also provides information regarding the storage of backed up data and how it can be restored. Such information can be used during a disaster to restore system files and other data that may have been damaged or destroyed.


As discussed in the following sections, there are many different elements to a good backup plan. In addition to knowing how the Backup Utility can be used, the system administrator needs to make decisions about what data will be backed up, where it will be stored, and other issues. A good backup plan should be part of every network administrator’s daily routine.

Backup Basics

Backing up data begins with deciding what information needs to be archived. Critical data such as trade secrets and other data crucial to business needs must be backed up. Other data, such as temporary files, applications, and so on may not need to be backed up, as they can easily be reinstalled or are simply not needed. Such decisions, however, vary from company to company and even from department to department.

In addition to data, it is important to back up the System State, which consists of the files that the operating system uses. These include the boot files, system files, the Registry, the COM+ class registration database, and other files that Windows Server 2003 (depending on the server configuration) requires the network administrator to back up as a single unit. If the server fails at any point, these files can be used to restore the system to a functioning state.

Rather than simply backing up bits and pieces of a server, it is wise to back up everything on a server at the same time. This includes all data on the server and the System State. If the hard disk on the server fails or the entire server is lost in a disaster, then a full backup of everything can be used to restore the server quickly.

As seen later in the “Using Automated System Recovery” section of this chapter, the Backup Utility provided with Windows Server 2003 allows the network administrator to create an ASR set. An ASR set is a backup of system files that can be used to restore Windows Server 2003 if a major system failure occurs. When creating an ASR set, only system files are backed up, not data.

When creating a backup, the network administrator should always program the Backup Utility to create log files. Backup log files show which files were backed up, and can be saved or printed as a reference for restoring data. If a particular file or folder needs to be restored, the log file shows whether it was included in a particular backup.

When a backup is performed, the copied data is usually kept on media other than the local hard disk, because if the hard disk failed, both the original data on the disk and the backup would be lost. As discussed in the “Backup Media” section later in this chapter, other media such as tapes can be used to store backups safely. Microsoft recommends that three copies of the media be stored, with one copy kept offsite. Doing this ensures that if one or two of the copies are destroyed in a disaster, the third can be used to restore data and the system.

To prevent backups from being stolen and used to restore data to another machine, it is important that backup devices and media be kept physically secure. Backup media should be stored in a secure location such as a fire safe.The area in which it is stored should not be easily accessible. Likewise, the devices used to create backups should also be secured.

www.syngress.com

271_70-292_05.qxd 8/20/03 4:19 PM Page 278

278 Chapter 5 • Managing and Implementing Disaster Recovery

Removable devices should be stored in secure environments, while servers with backup devices installed on them should be kept secure in locked server rooms. The physical security of devices and media should be as high as the security of data on the server.

It is important for personnel to be trained in how to perform backups and restores. Designated members of the Information Technology (IT) staff should be knowledgeable in the steps involved in creating backups and restoring data. They should know where media is stored, and should be aware of what data is to be backed up and when. If a disaster occurs, they should be able to follow the backup plan without incident.

It is important to test whether data can actually be restored. If a device seems to be backing up data properly but is actually failing to do so, the network administrator may not be aware of it until they need to restore the data. Rather than assuming everything is being backed up properly, the administrator should test their equipment by restoring data from a previous backup job. If files and folders are restored properly, the network administrator will be confident that the data can be restored during a disaster.

Backup Types

Before describing each of the backup types, it is important to understand that the type chosen affects how the archive attribute is handled. The archive attribute is a property of a file or folder that is used to indicate whether a file has changed since the last time it was backed up. Depending on the backup type used, the archive attribute of a file may or may not be cleared after it is backed up. When the file is modified, the archive attribute is set again to indicate it has changed and needs to be backed up again. Without the archive attribute, the Backup Utility is unable to tell whether files need to be backed up or not.

Normal

Normal backups are used when a network administrator wants to back up all of the files selected in a single backup job. When this type of backup is selected, the Backup Utility backs up the selected files to a file or tape, ignoring whether the archive attribute is set or cleared. In other words, it does not matter whether the file has been backed up before; it will be backed up again. After backing up a file, the archive attribute is cleared to indicate that the file was backed up. Normal backups are commonly selected when performing full backups in which all files on a volume are backed up.

Incremental

Incremental backups are used to back up all files that have changed since the last normal or incremental backup. When each file is backed up, the archive attribute is cleared. Because only files that have changed are backed up, this type of backup takes the least time to perform. However, it also takes the most time to restore, because the last normal backup and every subsequent incremental backup must be restored to fully restore all data and make the contents of the computer as up-to-date as possible.

Differential

Differential backups are also used to back up all files that have changed since the last normal backup. However, when this type of backup is performed, the archive attribute is not cleared. This means that the data on one differential backup contains the same information as the previous differential backup, plus any additional files that have changed. Since unchanged data is continually being backed up with this method, differential backups take longer to perform than incremental backups. However, when restoring backed up data, only the last normal backup and the last differential backup need to be restored. This makes the time it takes to fully restore a system faster than with a combined normal and incremental backup method.

Copy

Copy backups are similar to normal backups in that they can both be restored from a single backup job, but differ because this type of backup does not change the archive attribute. Because the archive attribute is not modified, it will not affect any other backups that are performed afterwards. This is useful if the network administrator wants to make a copy of data on the computer, but does not want it to interfere with other backup operations involving normal and incremental backups.

Daily

Daily backups are used to back up all selected files that have been modified on a particular day. Files that have not been modified that day will not be backed up. As with a copy backup, daily backups can be restored from a single backup and do not affect the archive attribute. Because the archive attribute is not cleared, it will not interfere with other backup operations involving normal and incremental backups.

EXAM WARNING

Not all backups are the same. Remember that normal and incremental backups reset the archive attribute after backing up a file, but differential, copy, and daily backups do not. Normal, copy, and daily backups can be used to restore files from a single backup job. Incremental and differential backups are used in conjunction with normal backups. Differential backups back up all files that have changed since the last normal backup (even if backed up during a previous differential backup), and incremental backups only back up files that have changed since the last normal or incremental backup.
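To make the archive-attribute rules above concrete, here is an added example (not code from the book or from the Backup Utility itself): a small Python model of a file set in which every file carries an archive bit, the five backup types applied to that set, and a function that works out which jobs must be restored, in order, to get the data back to the state of the most recent job.

```python
"""Model of how the five Backup Utility types treat the archive attribute.

Added example, not part of the book: an in-memory file set where every file
carries an archive bit, plus the selection and clearing rules from the
"Backup Types" section applied to it.
"""
from dataclasses import dataclass, field

NORMAL, INCREMENTAL, DIFFERENTIAL, COPY, DAILY = (
    "normal", "incremental", "differential", "copy", "daily")

# Types that back up every selected file regardless of the archive attribute,
# and types that clear the attribute after backing a file up.
SELECTS_EVERYTHING = {NORMAL, COPY}
CLEARS_ARCHIVE = {NORMAL, INCREMENTAL}


@dataclass
class File:
    name: str
    archive: bool = True   # set whenever the file is created or modified
    modified_day: int = 0


@dataclass
class BackupJob:
    kind: str
    day: int
    files: set = field(default_factory=set)   # names the job backed up


def modify(fs, name, day):
    """Create or change a file: Windows sets its archive attribute again."""
    f = fs.setdefault(name, File(name))
    f.archive = True
    f.modified_day = day


def run_backup(fs, kind, day):
    """Apply one backup job of the given type to the file set and return it."""
    job = BackupJob(kind, day)
    for f in fs.values():
        if kind in SELECTS_EVERYTHING:
            selected = True
        elif kind == DAILY:
            selected = f.modified_day == day   # modified today; archive bit ignored
        else:                                  # incremental or differential
            selected = f.archive
        if selected:
            job.files.add(f.name)
            if kind in CLEARS_ARCHIVE:
                f.archive = False
    return job


def restore_set(history):
    """Jobs to restore, in order, to recover the state as of the last chained job.

    Copy and daily jobs never clear the archive bit, so they are not part of
    the chain. The last normal backup is always needed. After it, every
    incremental is needed (each one clears the bit, so each holds changes the
    others lack), and the final differential is needed only when no
    incremental was made after it.
    """
    chain = [j for j in history if j.kind in (NORMAL, INCREMENTAL, DIFFERENTIAL)]
    normals = [i for i, j in enumerate(chain) if j.kind == NORMAL]
    if not normals:
        raise ValueError("no normal backup in history; nothing to restore from")
    base = normals[-1]
    needed = [chain[base]]
    later = chain[base + 1:]
    needed += [j for j in later if j.kind == INCREMENTAL]
    if later and later[-1].kind == DIFFERENTIAL:
        needed.append(later[-1])
    return needed
```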

Backup Media

There are many different types of media to which backed up data can be stored. The media type you choose determines how much data can be stored on a single media target, and the speed at which backups can be performed. In choosing the type of media to use, the network administrator should estimate how much data will be copied during a backup job.

The Backup Utility that comes with Windows Server 2003 allows the network administrator to back up files to a tape or a file. The ability to back up to a file was introduced with the version of ntbackup.exe that came with Windows 2000. Prior to that, the Backup Utility for Windows NT 4.0 worked only with tape. If an administrator does not have a tape backup drive and wishes to use the Backup Utility, they can back up files to a file on the hard disk and then copy the file to a compact disk (CD-R/CD-RW), digital video disk (DVD/DVD-R), or other media. While this requires an extra step in backing up data, it allows the administrator to use the Backup Utility if they do not have a tape unit or wish to store backup files on a server or in another location.

Media Types

Tapes are the most common media available on which backups can be stored. Tape backups use magnetic tapes to store data sequentially, which requires the tape to be cued up to the point where the data is located. This is similar to the tapes used in a cassette recorder, where you have to fast-forward or reverse the tape to find the information you want. The biggest advantage of tape backups is the relatively small expense of the media; more data can be stored on tape for a lesser cost than with other backup media types.

There are a number of different types of tape drives available, which support different storage capacities and different numbers of tapes. Two of the most common types of tape drives are:

■ Digital Audio Tape (DAT)

■ Digital Linear Tape (DLT)

DAT stores data on 4mm tapes, while DLT stores it on a half-inch magnetic reel-to-reel tape, in which one reel is contained in the cartridge while the other is stored inside the DLT drive. DAT is not as fast as DLT, and does not provide as much storage capacity. However, it is less expensive than DLT, which makes DAT a popular method of tape backup.

DAT uses the Digital Data Storage (DDS) format, which uses a process similar to that used in VCRs to store data on the DAT tape. It performs a helical scan, in which read/write heads spin diagonally across a DAT tape. Two read heads and two write heads are used. When data is written, the read heads verify that data has been written correctly to the tape. If they detect any errors, the data is rewritten.

As shown in Table 5.1, there are different formats of DDS available for tape drives. These different versions of DDS provide different levels of storage capacity. The original DDS format only allowed storage for up to 1.3GB of data, but the next generation increased storage to 2GB of data on a 120-minute cartridge. The data on the original DDS format tapes was uncompressed, so less data could be stored on the tape than with the other methods. DDS-1 was the first format to use compression, and allows for storage of up to 4GB of data on a 120-minute cartridge. DDS-2 increased compression on a 120-minute cartridge to allow up to 8GB of data storage. DDS-3 uses a 125-minute cartridge and allows for storage of up to 24GB of compressed data. This format also introduced the use of Partial Response Maximum Likelihood (PRML), which eliminates noise so that data is transferred to the tape cleaner and with fewer errors. Finally, DDS-4 allows 40GB of compressed data to be stored on a 125-minute cartridge. Each of these formats is backward compatible. This means that if an administrator has a DDS-3 device, they can use DDS-1 or DDS-2 cartridges.

Table 5.1 DDS Formats for DAT Drives

Type of Format    Storage Capacity (Uncompressed/Compressed)
DDS               2GB
DDS-1             2/4GB
DDS-2             4/8GB
DDS-3             12/24GB
DDS-4             20/40GB

As mentioned, DLT is faster than DDS and provides a higher storage capacity. Using this method, a network administrator can put more data on the tape, allowing them to use this media with larger hard disks, and/or relieving them from having to change tapes as often. As shown in Table 5.2, there are different generations of DLT that accommodate different levels of storage capacity.

Table 5.2 DLT Types and Capacities

DLT Type    Storage Capacity (Uncompressed/Compressed)
DLT2000     15/30GB
DLT4000     20/40GB
DLT7000     35/70GB
DLT8000     40/80GB

Unlike DDS, each version of DLT provides data compression. DLT2000 allows the network administrator to store up to 30GB of data, DLT4000 allows up to 40GB of data, DLT7000 allows up to 70GB of data, and DLT8000 allows up to 80GB of data storage. However, if compression is not used, then only half of this amount can be stored on the tape.

TEST DAY TIP

While the information included here about backup tapes is useful for understanding what type of backup drive and tapes your server needs, do not expect exam questions dealing with detailed information about backup media and equipment. Instead, remember that the Backup Utility is designed to store backups to a file or a tape. Backups cannot be stored directly to media such as a CD-R/RW or DVD.


Offsite Storage

It is not a good practice to keep all backup media in the same location or in the same area as the computers whose data was backed up. If all of the backups are together in the same location, they can all be destroyed simultaneously. For instance, if a fire or flood occurs and destroys the server room, all backup tapes stored in that room could also be destroyed. To protect the data, the network administrator should store the backups in different locations so that they will be safe until they are needed.

Offsite storage can be achieved in a number of ways. If a company has multiple buildings in different cities or different parts of a city, the backups from each site can be stored in one of the other buildings. Doing this makes it more likely that if one location experiences a disaster, the original data or backups will remain safe. If this is not possible, the network administrator can consider using a firm that provides offsite storage facilities. Some organizations store their offsite backups in a safety deposit box at a bank. The key is keeping the backups away from the physical location of the original data.

When deciding on an offsite storage facility, the network administrator should ensure that it is secure and has the environmental conditions necessary to keep the backups safe. They should ensure that the site has air conditioning and heating, as temperature changes may affect the integrity of data. It should also be protected from moisture and flooding, and have fire protection in case a disaster befalls the storage facility. The backups need to be locked up, and the network administrator’s organization should have policies that dictate who can pick up the data when needed. At the same time, the network administrator will want the data to be quickly accessible, so that they can acquire the data from the facility if needed, without having to wait until the next time the building is open for business.

Media Rotation

Every good plan has an Achilles’ heel. In the case of the backup plan, that weak point will most likely be the backup media itself. By implementing a well thought out and documented media rotation system, the network administrator can overcome the two largest issues that plague backup media:

Backup Media Lifetime

As already discussed, the most common type of backup media is some form of magnetic tape. While the tapes that are currently available are much more durable than their predecessors, they do not last forever. A backup plan must take steps to ensure that the backup jobs use a rotation over several tapes to extend the lifetime of each tape as well as increase the reliability that each tape offers should the backup media be needed to perform a restoration. By using some form of documented rotation scheme, the network administrator can prevent one or a few tapes from being used repeatedly, which would reduce their lifetime and reliability. In short, the time to decide that a backup medium needs to be retired is not after it has failed in a time of need.


Availability of Data History

In many small networks, it is feasible to simply perform a full backup every night. Unfortunately, this condition does not represent the reality that the vast majority of large networks experience. More often than not, time constraints limit the amount of data that can be backed up during the week, forcing the network administrator to perform full backups during non-peak hours, such as on a Saturday or Sunday morning. Another factor to consider is that larger networks may find themselves backing up data from multiple locations over the network. This can cause significant network traffic and performance issues during times when users are utilizing other network resources. The solution to these issues is to create a backup plan that includes a combination of available backup types, such as full, incremental, daily, and/or differential. To successfully perform the restoration, the network administrator will need to have all of the correct tapes available and restore the data from them in the correct order. As well, a good media rotation scheme can be used to provide the administrator with a history of data in the event that they need to recover an older version of a file. In all cases, having a well-documented media rotation system is a must for a backup plan.

There are an almost infinite number of media rotation systems that can be created and used. The following sections examine three of the more common and popular ones currently in use. Each of the three examples has its strengths and weaknesses—the one chosen depends on the network administrator’s requirements and available budget.

The Five-tape Rotation System

The five-tape rotation system is the easiest to perform and the least expensive to initially implement. As the name implies, five backup tapes are required for this system, with one being used each day of the normal workweek. If required, this media rotation system can be easily modified to include six or seven days of backups, depending on when users create and modify files on the network. Backup tapes are normally labeled for each day of the week such as Monday, Tuesday, and so on, to ensure easy identification. The network administrator must perform a full backup on the first day they start using this media rotation system. Once the initial full backup is performed, the administrator can perform daily, differential, or incremental backups on the first four days of the week (assuming that only five backup tapes are being used), with a full backup being performed every Friday.

This media rotation system provides simplicity in that it only requires a limited number of backup tapes and can be easily implemented without requiring a complicated scheduling system. However, simplicity comes at a price: the five-tape rotation system only provides a week’s worth of backup history, making recovery of files modified prior to this time impossible. Figure 5.1 illustrates a sample five-tape rotation system for a month containing 31 days. Note that an administrator can use any combination of daily, differential, or incremental backups for those days they are not performing a full backup.

Figure 5.1 The Five-tape Rotation System is the Simplest to Implement

The Grandfather, Father, Son System

The Grandfather, Father, Son (GFS) system is one of the most popular methods used today. The GFS system provides an entire year of backup history. However, this benefit comes at an increased price—it takes 20 backup tapes per year to implement the GFS system. There are three tape types that make up the GFS system:

■ Son: The son backup tapes are used Monday, Tuesday, Wednesday, and Thursday to perform daily, differential, or incremental backups as required by an organization. The network administrator needs four backup tapes for the son tapes.

■ Father: The father backup tapes are used each Friday except for the last Friday of the month. The father tapes are used to perform full backups, requiring four backup tapes. They provide an entire month of backup history.

■ Grandfather: The grandfather tapes are used only on the last Friday of the month to perform a full backup. Twelve backup tapes are required for the grandfather tapes, and they provide a full year of backup history.

When starting a new GFS rotation, the network administrator will need to perform a full backup on the first day, regardless of the day they are starting on. This ensures that they have the backup data needed in the event that disaster strikes before they use a father backup tape. Figure 5.2 illustrates a sample GFS rotation system for a month containing 31 days and four Fridays. Note that any combination of daily, differential, or incremental backups can be used for those days where a full backup is not being performed.

Figure 5.2 The GFS Rotation System is Easy to Implement and Provides a Year’s Worth of Backup History

The Tower of Hanoi System

The Tower of Hanoi method is based on a challenging disk and post game bearing the same name. The strengths of the Tower of Hanoi method are that it can be implemented with a minimum of five backup tapes and quickly scaled up to create backup histories for as long as a year and a half (or more) by adding additional tapes. When the basic configuration of five tapes is used, the Tower of Hanoi method provides a backup history stretching back 16 days, which is often adequate for the majority of organizations. Assuming that only five backup tapes are being used for the Tower of Hanoi method, they would be used as follows:

■ Tape #1: Used every other day for a full backup.

■ Tape #2: Used every fourth day for a full backup.

■ Tape #3: Used every eighth day for a full backup.

■ Tape #4: Used every sixteenth day for a full backup; alternates with Tape #5.

■ Tape #5: Used every sixteenth day for a full backup; alternates with Tape #4.

The primary disadvantage of the Tower of Hanoi method is that the network administrator must perform a full backup each night—something that larger organizations may not be able to accommodate. As well, managing the Tower of Hanoi method can be difficult unless adequately documented and scheduled. Figure 5.3 illustrates a sample Tower of Hanoi rotation system that uses five backup tapes.

Figure 5.3 The Tower of Hanoi Rotation System can be Difficult to Implement

As seen in Figure 5.3, it can become difficult to maintain a Tower of Hanoi rotation system if careful planning and scheduling is not done beforehand. Creating and posting schedules at least two months in advance helps alleviate this problem and makes the Tower of Hanoi system more manageable. Should a network administrator desire to create a backup history longer than 16 days, they can easily do so by adding additional tapes.

Consider the following:

■ Adding a sixth tape (Tape #6) yields 32 days of backup history. Tape #6 is used every thirty-two days.

■ Adding a seventh tape (Tape #7) yields 64 days of backup history. Tape #7 is used every sixty-four days.

■ Adding an eighth tape (Tape #8) yields 128 days of backup history. Tape #8 is used every one-hundred and twenty-eight days.

The network administrator can continue to add tapes as required. Ten backup tapes provide a backup history of 512 days. However, there is an inherent flaw that exists with the Tower of Hanoi rotation method: Tapes #1 and #2 receive an extraordinary amount of wear and tear and will likely need to be replaced often, perhaps quarterly.
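The Tower of Hanoi schedule is easier to post (and to trust) when it is generated rather than worked out by hand. As an added example, not from the book, the following Python scheduler decides which tape receives a given day's full backup for five tapes or more, reports the oldest backup still held on the tapes, and counts how often each tape is written, which makes the wear on Tapes #1 and #2 visible. Day 1 is assumed to be the first day of the rotation.

```python
"""Tower of Hanoi tape rotation scheduler.

Added example, not part of the book. A full backup is written every day, as the
scheme requires; days are numbered from 1 on the first day of the rotation.
"""
from collections import Counter


def tape_for_day(day, tapes=5):
    """Return the 1-based tape number used on `day`.

    Tape k (for k below tapes - 1) is used every 2**k days, which is exactly
    the set of days with k - 1 trailing zero bits. The remaining days, those
    with at least tapes - 2 trailing zeros, are shared by the two highest
    tapes, which alternate.
    """
    if day < 1 or tapes < 2:
        raise ValueError("day must be >= 1 and at least two tapes are needed")
    trailing_zeros = (day & -day).bit_length() - 1
    if trailing_zeros < tapes - 2:
        return trailing_zeros + 1
    return tapes - 1 if (day >> (tapes - 2)) & 1 else tapes


def history_days(tapes=5):
    """Length of backup history the rotation provides (16 days for five tapes)."""
    return 2 ** (tapes - 1)


def schedule(days, tapes=5):
    """Tape number for each day from 1 to `days`, in order."""
    return [tape_for_day(d, tapes) for d in range(1, days + 1)]


def last_use(day, tapes=5):
    """Most recent day on or before `day` that each tape was written."""
    result = {}
    for d in range(1, day + 1):
        result[tape_for_day(d, tapes)] = d
    return result


def oldest_retained_backup(day, tapes=5):
    """Day of the oldest backup still held across the tape set at `day`."""
    return min(last_use(day, tapes).values())


def wear(days, tapes=5):
    """How many times each tape is written over the first `days` days."""
    return Counter(schedule(days, tapes))


if __name__ == "__main__":
    for d, t in enumerate(schedule(16), start=1):
        print(f"day {d:2d}: tape #{t}")
    print("writes per tape over 32 days:", dict(wear(32)))
```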

TEST DAY TIP

You are not likely to see any questions on the exam asking about specific media rotations. The discussion is included in this text as a reference for your backup planning and implementation.

EXAM 70-292 OBJECTIVE 4.1

Using the Windows Backup Utility

Windows Server 2003 provides a native Backup Utility that allows the network administrator to archive any files on the computer, regardless of whether the hard disk is formatted with File Allocation Table (FAT), FAT32, or New Technology File System (NTFS). When data is backed up, it is copied to an area of the hard disk or other media that can be stored in a separate location. If a user accidentally deletes a file, the data becomes corrupted, or a disaster occurs, the backup can then be used to copy this data back to the server.

NOTE

The Backup Utility in Windows Server 2003 uses the Volume Shadow Copy technique to create copies of data. This means that files that are open and being used by users or the system can be backed up. Volume shadow copies are discussed in more detail later in this chapter in the “Working with Volume Shadow Copies” section.

The Backup Utility has two modes:

■ Backup and Restore Wizard

■ Advanced Mode

When the Backup Utility is started for the first time after installing Windows Server 2003, the Backup or Restore Wizard appears, as seen in Figure 5.4. This Wizard takes the network administrator through the step-by-step process of backing up the server or restoring an existing backup from the hard disk or other media. From the initial welcome page of the wizard, the administrator can open the utility in Advanced Mode, which provides more features for those who are more comfortable with backing up and restoring data.

Figure 5.4 The Backup or Restore Wizard

NOTE

The Welcome page of the Backup Utility provides a checkbox to configure backup to always start in Advanced Mode. This disables the wizard.

The Backup Utility can be opened in one of two ways:

■ Click Start | Programs | Accessories | System Tools | Backup.

■ Click Start | Run and type ntbackup.

EXAM 70-292 OBJECTIVE 4.1.3

Understanding System State Data

Before moving further into a discussion about how to configure and use the Backup Utility, it is important to examine an often misunderstood item: the System State. The System State is the critical data stored on each computer that contains the information required for the proper startup and operation of the computer. Exactly what data this is varies from one computer to the next, depending on what function the computer is fulfilling. For example, domain controllers contain data pertinent to the Active Directory, while servers that are acting as Hypertext Transfer Protocol (HTTP) or File Transfer Protocol (FTP) servers will have data that is specific to Internet Information Server (IIS). The following items are all part of the System State, but may not all be present on a single computer:

■ Boot and system files (such as boot.ini, NTLDR, and so on)

■ The Registry

■ The COM+ class registration database

■ The system files that are protected by Windows File Protection (located in %systemroot%\system32\dllcache)

■ The Active Directory service if the server is a domain controller

■ The SYSVOL directory if the server is a domain controller

■ The cluster service information if the server is a member of a cluster

■ The IIS metadirectory if IIS is installed on the server

■ The Certificate Services database if the server is a Certificate Authority (CA)

Depending on the size of a network and the function of a specific server, the network administrator may need to back up the System State. For example, they should back up the System State data for domain controllers, cluster members, and IIS servers. They might also need to back up System State data for member servers providing file or print shares to the network.

It is important to understand that all of the files needed to completely restore a server are not included in the System State. Microsoft recommends that when backing up the System State, the network administrator also back up all of the files on the boot and system volumes of the server. This backs up all of the files used by the operating system and allows the administrator to restore a duplicate of the server (as it was when the backup was performed).

EXAM WARNING

When backing up the System State, you can only back up the System State of the local computer. You cannot back up the System State of a remote computer.

System State files have dependencies that require you to back them up as a unit. You cannot back up individual components of the System State with the Backup Utility.

Special Backup Situations

Some types of data require that you follow special procedures to back them up. The System State data is one such special situation. Another special situation occurs when you want to back up files that are associated with Windows Media Services. To back up these files, you must follow the procedures that are outlined in the WMS Help files. You cannot use the normal backup procedures to back up and restore these files.

Microsoft recommends that if you want to back up database files on a Structured Query Language (SQL) server, you should use the backup and restore utilities that are included with SQL Server instead of the Windows Server 2003 Backup Utility. If your Windows Server 2003 computer is running cluster services (Enterprise or Datacenter editions), you need to perform an ASR backup for each cluster node, back up the cluster disks in each node, and then back up individual applications that run on the nodes.

EXAM 70-292 OBJECTIVE 4.1.3

Backup Configuration Options

Although the Backup Utility includes a very capable Wizard for configuring backup jobs, the network administrator should be aware of the various configuration options that are available, some of which cannot be accessed when the wizard is used. To access the options examined in the following sections, you will need to launch the Backup Utility in Advanced Mode as seen in Figure 5.5.

Figure 5.5 The Backup Utility Allows for Advanced Configuration

To begin the process of configuring the backup options available, click Tools | Options to open the Options dialog box, as seen in Figure 5.6.

Configuring the General Options

From the General tab of the Options dialog box, as seen in Figure 5.6, you can configure several options that define how the backup operation will be performed.

Figure 5.6 Configuring the General Backup Options

Table 5.4 explains each of the options available on the General tab of the backup Options dialog box.

Table 5.4 Options Available on the General Tab of the Backup Options Dialog Box

Option: Compute selection information before backup and restore operations.
Description: When selected, information will be displayed on the number of files and bytes that will be needed to perform the backup or restore job. This information is shown prior to the start of a job.

Option: Use the catalogs on the media to speed up building restore catalogs on disk.
Description: Specifies whether to build an on-disk catalog from the on-media catalog when restoring data. This option is described in greater detail later in this chapter.

Option: Verify data after the backup completes.
Description: When the data is backed up, it is compared to the original data to ensure it is the same. This option is described in greater detail later in this chapter.

Option: Back up the contents of mounted drives.
Description: Backs up the contents of a mounted drive, which is a folder on an NTFS volume that functions as a drive. If not selected, only the path information for the mounted drive is backed up.

Option: Show alert message when I start the Backup Utility and Removable Storage is not running.
Description: Displays an alert when the Removable Storage service is not running, and will start this service automatically.

Option: Show alert message when I start the Backup Utility and there is recognizable media available.
Description: Displays an alert when the Removable Storage service detects that new media is available to which files can be backed up.

Option: Show alert message when new media is inserted.
Description: Alerts you when the Removable Storage service detects that new media has been inserted into a device.

Option: Always allow use of recognizable media without prompting.
Description: Allows the Removable Storage service to move any new media it detects to the Backup media pool, which is a collection of media used by the Backup Utility.

When looking at these options, you may notice that several of them deal with Removable Storage—a service that manages removable media such as tapes, and storage devices on Windows Server 2003. If this service is not running, the Backup Utility will not be able to back up files to this media. Because of its importance, if you are backing up files to tape you should have the options relating to this service checked. As these options apply to backing up data to tape, you do not need to check these options if you are backing up data to files stored on a hard disk.

NOTE

By default, all options are checked on the General tab except two: “Verify data after the backup completes” and “Always allow use of recognizable media without prompting.”

Configuring the Restore Options

From the Restore tab of the Options dialog box, as seen in Figure 5.7, you can configure several options that define how the restoration operation will be performed.

Figure 5.7 Configuring the Restore Backup Options

Selecting the Do not replace the file on my computer (recommended) option results in files being restored only when the file is not already present. This is the safest restoration option but leaves older files on the hard disk instead of replacing them with newer versions that may be contained in the backup file.

Selecting the Replace the file on disk only if the file on disk is older option results in files being restored only when the existing file is older than the file contained in the backup or is not present in the destination location. This option ensures that the most current files are restored.

Selecting the Always replace the file on my computer option results in files that already exist on the disk always being replaced, regardless of whether or not they are newer than the version contained in the backup file.
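The three replacement rules above decide, file by file, whether a restore can silently overwrite newer work on disk or silently leave stale data in place. The following Python model of that decision is an added example written for this section, not part of the Backup Utility or the original text; the file names and timestamps are constructed sample data, and the actions are only returned, nothing is written to disk.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class RestoreMode(Enum):
    """The three mutually exclusive choices on the Restore tab of the Options dialog."""
    DO_NOT_REPLACE = "Do not replace the file on my computer (recommended)"
    REPLACE_IF_OLDER = "Replace the file on disk only if the file on disk is older"
    ALWAYS_REPLACE = "Always replace the file on my computer"


@dataclass(frozen=True)
class FileVersion:
    """One file as it exists in the backup set or on disk (constructed sample data)."""
    path: str
    mtime: int  # last-write time, seconds since the epoch


def should_replace(mode: RestoreMode, in_backup: FileVersion, on_disk: FileVersion) -> bool:
    """Decide whether the copy in the backup set overwrites a file that already exists on disk."""
    if mode is RestoreMode.DO_NOT_REPLACE:
        return False
    if mode is RestoreMode.REPLACE_IF_OLDER:
        # Only a strictly older on-disk copy is replaced; an identical timestamp is left alone.
        return on_disk.mtime < in_backup.mtime
    return True  # ALWAYS_REPLACE


def plan_restore(mode: RestoreMode,
                 backup_set: Dict[str, FileVersion],
                 disk: Dict[str, FileVersion]) -> Dict[str, str]:
    """Return {path: action} for every file in the backup set.

    A path that is missing from disk is restored under every mode, because no
    existing file would be replaced by doing so."""
    plan: Dict[str, str] = {}
    for path, version in backup_set.items():
        current: Optional[FileVersion] = disk.get(path)
        if current is None:
            plan[path] = "restore (missing on disk)"
        elif should_replace(mode, version, current):
            plan[path] = "overwrite"
        else:
            plan[path] = "keep existing"
    return plan


# Constructed sample data: three files in the backup set, two of them already on disk.
BACKUP_SET = {
    r"C:\Data\report.doc": FileVersion(r"C:\Data\report.doc", 1000),  # disk copy is older
    r"C:\Data\budget.xls": FileVersion(r"C:\Data\budget.xls", 1000),  # disk copy is newer
    r"C:\Data\notes.txt": FileVersion(r"C:\Data\notes.txt", 1000),    # not on disk at all
}
DISK = {
    r"C:\Data\report.doc": FileVersion(r"C:\Data\report.doc", 500),
    r"C:\Data\budget.xls": FileVersion(r"C:\Data\budget.xls", 1500),
}

if __name__ == "__main__":
    for mode in RestoreMode:
        print(mode.value)
        for path, action in plan_restore(mode, BACKUP_SET, DISK).items():
            print(f"  {path}: {action}")
```

Running the script prints the plan for each mode; the middle mode is the one that keeps budget.xls (newer on disk) while still refreshing report.doc, which is why it is the usual choice when a backup is restored over a live data set.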


Configuring the Backup Type Options

From the Backup Types tab of the Options dialog box, as seen in Figure 5.8, you can select which type of backup will be performed. You can select from the five types of backups previously examined in the “Backup Types” section of this chapter.

Figure 5.8 Configuring the Backup Type Option

Configuring the Backup Log Options

From the Backup Log tab of the Options dialog box, as seen in Figure 5.9, you can specify how log files dealing with the backup process should be created. There are three options on this tab:

Detailed

Summary

None (turns off logging of the backup job)

When the Summary option is selected, only key operations in the backup process are logged. The log shows when the backup process started and ended, errors, and other events.

When the Detailed option is selected, all information about the backup is included in the log. The log not only includes information displayed in a summary log, but also has entries showing which files were backed up and their locations on the server. Although this can be handy for referencing what was backed up and when, a detailed log is also larger and uses more disk space.


Figure 5.9 Configuring the Backup Log Options

Configuring the Exclude File Options

From the Exclude Files tab of the Options dialog box, as seen in Figure 5.10, you can identify the types of files you would like to exclude from your backup. This can be done for all users who own files on the machine, or only for the user currently logged in.

Figure 5.10 Configuring the Exclude File Backup Options


The top half of the Exclude Files tab shows files and file types that are excluded for all users. The bottom half of the Exclude Files tab shows files and file types that are excluded for the currently logged in user. You can click the Add new button to open the Add Excluded Files dialog box, as seen in Figure 5.11.

Figure 5.11 Configuring the Exclude File Backup Options

The file types listed in the Registered file type box are those that are tracked by Windows Server 2003 and included in the file associations of installed software on the machine. A custom file type can be entered using the Custom file mask field below this list. In this textbox, enter a period (.) followed by the file extension to indicate the types of files that should not be included in the backup. If you only want to exclude file types in a certain folder, type the path to that folder in the Applies to path textbox that appears below the custom file mask field. When this is done, only the specified file types that are located under that path are excluded. For example, you might exclude all text files with the extension .TXT under C:\WINDOWS. Excluding file types makes your backup set smaller and thereby faster to restore, because unneeded data is not included.
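The exclusion rules described above (a custom mask such as .TXT, optionally limited to a folder such as C:\WINDOWS, and defined either for all users or only for the current user) are easy to get subtly wrong, and a rule that excludes more than intended produces a backup that is missing data you will need at restore time. The following Python code is an added example, not the Backup Utility's own logic or file format: it models the rules as the text describes them and applies them to a constructed list of candidate files, comparing path components rather than string prefixes so that a rule limited to C:\WINDOWS does not also cover a folder such as C:\WINDOWSX. The account names and file paths are constructed.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ExcludeRule:
    """One row of the Exclude Files tab (a constructed model, not the utility's own format)."""
    mask: str                              # custom file mask: a period followed by the extension, e.g. ".TXT"
    applies_to_path: Optional[str] = None  # folder the rule is limited to; None means every file on the machine
    user: Optional[str] = None             # None: excluded for all users (top half of the tab);
                                           # a user name: only when that user runs the backup (bottom half)


def _normalised_extension(mask: str) -> str:
    """Turn ".TXT", "txt" or "*.txt" into ".txt" so the comparison is case-insensitive."""
    ext = mask.strip().lower().lstrip("*")
    return ext if ext.startswith(".") else "." + ext


def _is_under(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    r"""True when path lies inside folder, comparing whole components case-insensitively.

    A plain string-prefix test would wrongly treat C:\WINDOWSX as lying under C:\WINDOWS."""
    p = [part.lower() for part in path.parts]
    f = [part.lower() for part in folder.parts]
    return p[:len(f)] == f


def rule_matches(rule: ExcludeRule, file_path: str, running_as: str) -> bool:
    """Apply one exclusion rule to one file, for a backup job run by the account running_as."""
    if rule.user is not None and rule.user.lower() != running_as.lower():
        return False                       # per-user rule, but a different account is running the job
    path = PureWindowsPath(file_path)
    if path.suffix.lower() != _normalised_extension(rule.mask):
        return False
    if rule.applies_to_path is None:
        return True                        # no "Applies to path": the mask covers every volume
    return _is_under(path, PureWindowsPath(rule.applies_to_path))


def is_excluded(file_path: str, rules: Iterable[ExcludeRule], running_as: str) -> bool:
    return any(rule_matches(rule, file_path, running_as) for rule in rules)


def select_for_backup(candidates: Iterable[str], rules: Iterable[ExcludeRule], running_as: str) -> List[str]:
    """Return the candidate files that survive the exclusion rules, in their original order."""
    rules = list(rules)
    return [path for path in candidates if not is_excluded(path, rules, running_as)]


# Constructed sample rules: the book's .TXT-under-C:\WINDOWS case, a machine-wide .tmp rule,
# and a .log rule that applies only when the account "alice" runs the backup.
RULES = [
    ExcludeRule(".TXT", applies_to_path=r"C:\WINDOWS"),
    ExcludeRule(".tmp"),
    ExcludeRule(".log", user="alice"),
]

# Constructed candidate files, including a folder whose name merely starts with "WINDOWS".
CANDIDATES = [
    r"C:\WINDOWS\readme.txt",
    r"C:\WINDOWS\system32\drivers\etc\hosts.TXT",
    r"C:\WINDOWSX\not-windows.txt",
    r"C:\Data\notes.txt",
    r"C:\Data\scratch.tmp",
    r"C:\Data\app.log",
    r"C:\Data\budget.xls",
]

if __name__ == "__main__":
    for account in ("alice", "bob"):
        print(f"backup run by {account}:")
        for path in select_for_backup(CANDIDATES, RULES, account):
            print("  " + path)
```

Note that the same rule set yields a different backup depending on which account runs the job: the per-user .log rule drops app.log only for alice, which is one reason to review the bottom half of the Exclude Files tab under the account that the scheduled job actually uses.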

EXAM 70-292 OBJECTIVE 4.1.3

Using the Backup Utility in Advanced Mode

When you open the Backup Utility in Advanced Mode, you will be presented with the Welcome to the Backup Utility Advanced Mode page, as seen previously in Figure 5.5. There are three buttons, one to start the Backup Wizard (Advanced), one to start the Restore Wizard (Advanced), and one to start the ASR Wizard. The Backup Utility has four tabs that provide the controls needed to perform various tasks, including configuring and starting backups, performing restorations, and creating backup schedules. Restoring data and using ASR are discussed in the “Using Automated System Recovery” section of this chapter.


When you switch to the Backup tab, the interface will look similar to that shown in Figure 5.12. If you do not want to use a wizard to control your backup, the Backup tab should be used to back up data files. Using the wizard is discussed in the next section.

Figure 5.12 The Backup Tab of the Backup Utility

The Backup tab contains two panes that allow you to view the hierarchical listings of files and folders on the computer. The left pane allows you to navigate through the drives and can be expanded to show the various folders on those drives. When a drive or folder is selected, the right pane is used to view the files and folders within. In both panes, checkboxes appear beside the different drives, folders, and files. When these are checked or unchecked, the items are respectively selected or deselected for backup. As you can see, the Backup Utility makes it easy and straightforward to choose the files, folders, or entire drives that are to be included in your backup job.

Below the two panes are other controls that are used to provide information and start the backup process. The Backup destination field provides a context list of where the Backup Utility is to store the data (media type). You can choose to store the backup as a file, or back up to a tape device that is installed on the machine.

NOTE

If you do not have a tape device installed, the Backup destination field will be grayed out.


Underneath the Backup destination field is the Backup media or file name field where you can specify the path and filename of the location where the backup file will be stored, or (if you are backing up data to a tape) specify the tape you wish to use. If you plan to overwrite an existing backup file, you can click the Browse button to find the file. Finally, when you are ready to begin a backup job, simply click the Start Backup button to begin the process.

NOTE

You can name the backup whatever you want and use any file extension, but Microsoft recommends that you use the .BKF extension for backup files, as this will allow them to be recognized by the Backup Utility.

You can create a new backup job from the Backup tab by completing the steps discussed in Exercise 5.01. Using the Backup Wizard to create a backup job is examined in Exercise 5.02.

EXERCISE 5.01 CONFIGURING A BACKUP JOB USING THE BACKUP TAB

1. Start the Backup Utility by clicking Start | Programs | Accessories | System Tools | Backup or clicking Start | Run and typing ntbackup.

2. If the Backup or Restore Wizard opens, click the Advanced Mode link. This closes the Wizard and opens the Backup Utility.

3. Click the tab labeled Backup.

4. Click Job | New to create a new backup job.

5. The left pane of the Backup tab shows a directory tree, which can be used to view the drives and folders on the computer. The right pane can be used to view files and folders within the drive or folder you have selected in the left pane. In the left pane of the Backup tab, click on Volume C. This will change the display in the right pane to show the contents of the C: drive, as seen in Figure 5.13.

6. Scroll through the contents of Volume C and select the files you wish to back up by clicking on the checkbox beside each file or folder. Once checked, a file or folder is selected for backup.

7. In the Backup Destination dropdown menu, select whether you want to back up to a file (which is selected by default), or another medium (such as a tape device). For the purposes of this exercise, accept the default choice of backing up to a file. (If you do not have a tape drive attached to your computer, this selection will be grayed out and your only choice is the default.)

Figure 5.13 Locating Files to be Backed Up

8. In the Backup Media or File Name text box, enter the path and filename for the backup file. This is where the backup file will be saved. Enter C:\backup.bkf.

9. Click Tools | Options to open the Options dialog box discussed previously in the “Backup Configuration Options” section of this chapter.

10. When the Options dialog appears, click the General tab. If the Verify data after the backup completes option is not selected, click on it so that a checkmark appears in the box.

11. Click the Backup Type tab and select Normal as the type of backup to perform.

12. Click the Backup Log tab, and click the option labeled Detailed. This provides a detailed log of the files being backed up.

13. Click OK to exit the Options dialog box.

14. Click the Start Backup button to start the backup process. The Backup Job Information dialog box opens, as seen in Figure 5.14.


Figure 5.14 The Backup Job Information Dialog Box

15. You can enter a more useful backup description and label in the provided boxes—this will aid in identifying the backup later during a restore operation. Also, you will need to select whether to append this backup to the existing backup data that is on the media, or to overwrite the existing data. In most cases, you will want to select the Replace the data on the media with this backup option since you should already have your media rotation system in place.

16. You can configure additional options for the backup job by clicking the Advanced button to open the Advanced Backup Options dialog box, as seen in Figure 5.15. The options available are explained immediately following Exercise 5.01 in Table 5.5. Click OK after making your configuration changes here.

Figure 5.15 Configuring Advanced Backup Options

17. If you want to configure this backup job to run later or on a schedule, click the Schedule button; if you want to run the backup job immediately, click the Start Backup button. If you are configuring a schedule, you will be prompted to save the backup configuration if you have not already done so. Click Yes when prompted by the warning dialog. By default, Windows saves your backup configuration in the \Local Settings\Application Data\Microsoft\Windows NT\NTBackup\data folder in the user profile for the currently logged in user. The Save As dialog box opens, as seen in Figure 5.16, allowing you to select the location and file name to save the backup configuration as. Click Save after entering the desired file name.

Figure 5.16 Saving the Backup Configuration

18. The Set Account Information dialog box opens, prompting you to enter the credentials of the user account that is to be used to run the scheduled back up. Enter the required information, as seen in Figure 5.17, and click OK.

Figure 5.17 Supplying a Set of Credentials with the Required Permissions

19. The Scheduled Job Options dialog box opens, as seen in Figure 5.18, allowing you to configure the backup job schedule.


Figure 5.18 The Scheduled Job Options Dialog Box

20. Enter a value for the job name and click the Properties button to begin the schedule configuration. The Schedule Job dialog box opens, allowing you to configure the backup schedule, as seen in Figure 5.19.

Figure 5.19 The Schedule Job Dialog to Configure the Backup Schedule

21. You can configure advanced scheduling options, such as only starting the backup when the computer has been idle for a specified amount of time, by using the Settings tab of the Schedule Job dialog box.

22. After you have finished creating your schedule, click OK to close the Schedule Job dialog box. You may be prompted to re-enter your network credentials.

23. Click OK to close the Scheduled Job Options dialog box.


24. Your backup job will show up on the Schedule tab of the Backup Utility, as seen in Figure 5.20.

Figure 5.20 Examining the Backup Schedule

If you click the Advanced button on the Backup Job Information dialog box, the Advanced Backup Options dialog box will open. From this location, you can configure additional options that further control the behavior of the backup job being configured. By default, none of the options are selected. You can also change the type of backup being performed from this location if desired. The options included on this dialog box are detailed in Table 5.5.

Table 5.5 Advanced Backup Options

Option: Back up data that is in Remote Storage.
Description: If the “Back Up Data that is in Remote Storage” checkbox is checked, the job will also back up data that is included in Remote Storage. Remote Storage is a service that manages data that is infrequently used and migrates it from local storage to remote storage. When the user opens the file, it is automatically recalled without the user realizing that Remote Storage was used.

Option: Verify data after backup.
Description: Verifies that backed up data is identical to the original data.

Option: If possible, compress the backup data to save space.
Description: If a tape backup is performed and compressed data is supported by the tape device, this option is enabled. Checking this box compresses the backed up data so that there is more room for storage on the tape. If no tape drive is installed, this box is grayed out.

Option: Automatically backup System Protected Files with the System State.
Description: If this option is selected, system files located in the system root (e.g., C:\WINDOWS) and boot files included with the System State are backed up.

Option: Disable Volume Shadow Copy.
Description: When performing a backup, the Windows Server 2003 Backup Utility by default creates a Volume Shadow Copy, which is a duplicate of the volume at the time the copy process began. This allows the Backup Utility to back up all selected files, including those that are currently open by users or the operating system. Because the Backup Utility uses a Volume Shadow Copy, it ensures that all selected data is backed up and any open files will not be corrupted during the process. If this checkbox is checked, files that are open or in use may be skipped when the backup is performed.

EXAM 70-292 OBJECTIVE 4.1.3

Using the Backup Utility in Wizard Mode

Should you decide that the Advanced Mode configuration is not what you need, or you simply want some guidance on getting the backup job configured correctly, you should consider using the Backup Wizard as discussed in Exercise 5.02.

EXERCISE 5.02 CONFIGURING A BACKUP JOB USING THE BACKUP WIZARD

1. Open the Backup Wizard by selecting Start | Programs | Accessories | System Tools | Backup or clicking Start | Run and typing ntbackup.

2. If the Backup or Restore Wizard opens, click the Advanced Mode link. This closes the wizard and opens the Backup Utility.

3. Click the Backup Wizard (Advanced) button to start the Backup Wizard.

4. Dismiss the opening page of the Wizard by clicking Next.


5. On the What to Back Up dialog box, seen in Figure 5.21, you need to select the scope of the backup that you wish to configure.

Figure 5.21 You can Back Up the Entire Computer, Selected Files or the System State

6. On the Items To Back Up dialog box, as seen in Figure 5.22, you can select exactly which files and folders you want to back up. This dialog box only appears if you select the Back up selected files, drives or network data option. Select the data that is to be backed up and click Next to continue.

Figure 5.22 Selecting Items for Back Up

7. On the Backup Type, Destination and Name dialog box, as seen in Figure 5.23, you need to select the location to save the backup file. You can use the Browse button to navigate to the location where the file will be saved and enter the file name for the backup file. Click Next to continue.


Figure 5.23 You Will Need to Select the Location to Place the Backup File

8. The Completing the Backup Wizard dialog box appears, as seen in Figure 5.24, informing you that you have completed the basic configuration of the backup job. To configure advanced options, including scheduling, click the Advanced button and continue to Step 9. If you want to perform this backup immediately, click Finish.

Figure 5.24 You can Configure a Schedule by Clicking the Advanced Button

9. On the Type of Backup dialog box, select the type of backup you want from the five available choices as previously discussed in the “Backup Types” section; the default selection is Normal. Click Next after making your selection.

10. On the How to Back Up dialog box, as seen in Figure 5.25, you have the option to select other advanced options such as data verification, hardware compression (if supported by your backup devices) and disabling Volume Shadow Copy. Typically, you will opt to enable data verification and hardware compression. You should not, under normal circumstances, disable Volume Shadow Copy without a specific reason to do so. Note that the Volume Shadow Copy technology will be discussed later in this chapter. Click Next after making your selections.

Figure 5.25 Configuring Data Verification from the How to Back Up Dialog Box

11. On the Backup Options dialog box, you will be given the option to overwrite existing backup data on your media or to append the backup job to the existing data on the media. In most cases, you will want to overwrite any existing data as you will be rotating backup media. Click Next after making your selection.

12. On the When to Back Up dialog box, as seen in Figure 5.26, you are given the option to start the backup immediately by selecting Now and clicking Next. If you want to configure it on a schedule, select Later, enter a job name, and click the Set Schedule button to configure a schedule. After configuring your schedule, click Next to continue.

Figure 5.26 Starting the Backup Now or Scheduling it for Later


13. If you selected Now, clicking Finish will close the Backup Wizard and immediately start the backup. If you selected Later, you will be prompted again to supply your network credentials for an account authorized to perform backups. Click Finish to complete the Backup Wizard—you can find your backup job on the Schedule tab of the Backup Utility.

Backing up System State Data

The System State is a set of files that the system uses to function, and must be backed up as a single unit. Windows Server 2003 requires these files to be backed up together, because the files included in the System State have dependencies, in which two or more files rely on one another to function. Because of this, you cannot choose individual System State files when performing a backup.

System State files are specific to each computer running Windows Server 2003, and cannot generally be swapped between servers. Since servers can have different hardware and software installed, swapping these files can result in devices, programs, or the operating system itself not functioning properly. Thus, when backing up System State files it is important to label the backup as belonging to a specific server so that you will not accidentally restore the wrong System State files to a server.

As discussed earlier in this chapter, the System State can be backed up using the Windows Server 2003 Backup Utility. The files that this utility considers to be part of the System State can vary between computers. On Windows Server 2003, it always includes the following:

The Registry

The COM+ class registration database

System files

Boot files

In addition to these, the Backup Utility might also include other files if the server is configured for a special purpose or has certain services installed. A domain controller has the Active Directory and the SYSVOL directory included in the System State, and a certificate server includes the Certificate Services database as part of the System State. If the server is part of a cluster, cluster service information is also included in the System State. If Windows Server 2003 is configured to be a Web server and has IIS installed, the IIS Metadirectory is also included. As can be seen, the role a server plays on a network and the services it has installed have a great impact on what is backed up as part of the System State.


The System State data can be backed up by checking the System State checkbox in the hierarchical list of volumes and folders in the left pane of the Backup tab with the Backup Utility running in Advanced Mode. Alternatively, you can use the command-line interface to back up the System State data by typing ntbackup backup systemstate at a command prompt.
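The ntbackup command line mentioned above accepts switches that correspond to the options walked through in Exercise 5.01 and Table 5.5 (job name, destination file, description and label, verification, log detail, backup type, Remote Storage, hardware compression, and disabling the Volume Shadow Copy). The Python function below is an added example, not code from the book or from Microsoft: it assembles that command line from those options, and a second function builds a System State job whose description and label carry the server name, as the text recommends, so that the wrong System State is not restored to a server. The switch names are the documented ntbackup.exe switches for Windows Server 2003; the function names, job names, and paths are this example's own, and nothing is executed unless run_backup is called on such a host.

```python
import subprocess
from typing import List, Optional

# Values accepted by ntbackup's /M and /L switches (Windows Server 2003 ntbackup.exe syntax).
BACKUP_TYPES = ("normal", "copy", "differential", "incremental", "daily")
LOG_SWITCH = {"detailed": "/L:f", "summary": "/L:s", "none": "/L:n"}


def build_ntbackup_command(
    job_name: str,
    file_name: str,
    *,
    system_state: bool = False,
    selection_file: Optional[str] = None,          # a .bks file saved with Job | Save Selections
    description: Optional[str] = None,             # /D  the "backup description" box on the Backup Job Information dialog
    media_label: Optional[str] = None,             # /N  the "backup label" box on the same dialog
    backup_type: str = "normal",                   # /M  Backup Type tab
    verify: bool = True,                           # /V  "Verify data after backup"
    log: str = "detailed",                         # /L  Backup Log tab
    remote_storage: bool = False,                  # /RS "Back up data that is in Remote Storage"
    hardware_compression: Optional[bool] = None,   # /HC only meaningful for a tape drive that supports it
    disable_shadow_copy: bool = False,             # /SNAP:off  "Disable Volume Shadow Copy"
) -> List[str]:
    """Assemble an 'ntbackup backup ...' argument list; nothing is executed here."""
    if backup_type not in BACKUP_TYPES:
        raise ValueError(f"unknown backup type {backup_type!r}")
    if log not in LOG_SWITCH:
        raise ValueError(f"unknown log level {log!r}")
    if not system_state and selection_file is None:
        raise ValueError("nothing to back up: set system_state=True and/or pass a .bks selection file")

    cmd = ["ntbackup", "backup"]
    if system_state:
        cmd.append("systemstate")                  # must directly follow 'backup'
    if selection_file is not None:
        cmd.append("@" + selection_file)           # '@' marks the selection-file argument
    cmd += ["/J", job_name, "/F", file_name]
    if description is not None:
        cmd += ["/D", description]
    if media_label is not None:
        cmd += ["/N", media_label]
    cmd += ["/V:yes" if verify else "/V:no", LOG_SWITCH[log], "/M", backup_type]
    if remote_storage:
        cmd.append("/RS:yes")
    if hardware_compression is not None:
        cmd.append("/HC:on" if hardware_compression else "/HC:off")
    if disable_shadow_copy:
        cmd.append("/SNAP:off")
    return cmd


def system_state_command(server_name: str, backup_dir: str = r"D:\Backups") -> List[str]:
    """A System State job whose description and label name the server it came from."""
    return build_ntbackup_command(
        "System State - " + server_name,
        backup_dir + "\\" + server_name + "-systemstate.bkf",
        system_state=True,
        description="System State of " + server_name,
        media_label=server_name + " System State",
    )


def run_backup(cmd: List[str]) -> int:
    """Run the assembled command on the Windows Server 2003 host itself (the utility backs up
    only the local computer's System State) and return ntbackup's exit code."""
    return subprocess.run(cmd, check=False).returncode


if __name__ == "__main__":
    # Print the command for a hypothetical server name rather than running it.
    print(" ".join(f'"{a}"' if " " in a else a for a in system_state_command("FILESRV01")))
```

Passing the arguments as a list (rather than one string) lets subprocess quote the job name, description and paths that contain spaces; the printed form in the main block shows what the equivalent typed command looks like.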

TEST DAY TIP

There are a number of different items that can be included in a backup of System State data, and questions might appear on the exam asking which of these will be backed up for a particular server. Remember that the System State always includes the Registry, COM+ class registration database, system files, and boot files. Other elements that can be included depend on the role a server plays, and that role can be used to cue your memory. Certificate servers are the only servers that have the Certificate Services database included, just as domain controllers have elements exclusively relating to their role.

EXAM 70-292 OBJECTIVE 4.1.4

Configuring Security for Backup Operations

Being able to perform a backup requires the network administrator to have the proper permissions and rights. After all, if anyone could perform a backup, an unauthorized person could obtain a copy of the data stored on the computer. Note, however, that being able to back up data does not necessarily mean you are able to access and read it. Also note that a user who is authorized to back up data can back up and restore encrypted files without decrypting them.

The permissions and user rights needed to perform backup and restore operations in Windows Server 2003 are dependent on what is being backed up or restored, the permissions set on the files and folders, and the account being used to perform the backup and its group memberships.

Backup and restoration of files and folders on the local computer requires the network administrator to be a member of the Administrators or Backup Operators local group. A local group is a group that is created on the computer (in contrast to a group that is created on the domain controller and used throughout the domain). A local group is assigned rights and permissions that apply only to that computer. Because the rights and permissions are limited to that machine, accounts that are a part of these groups cannot perform backup or restoration of data on other machines.

To back up or restore files and folders on any computer in a domain, the network administrator must be a member of the Administrators or Backup Operators group on a domain controller. This also enables group members to back up or restore computers that are in a domain with which the administrator’s domain has a two-way trust relationship.


NOTE

A two-way trust relationship allows authentication in one domain to be accepted in the other domain, so that the administrator does not have to create multiple accounts for a user in each domain. This allows an Administrator or Backup Operator in one domain to back up or restore files in the other domain.

If you are neither an Administrator nor a Backup Operator, there is still a chance that you might have the necessary permissions to perform a backup. The owner of a file or folder can generally back up their own files. If the owner has one or more of the following permissions to a file or folder, they can perform a backup:

Read

Read and execute

Modify

Full Control

In addition to these rights and permissions, it is important that a user to whom you want to give the ability to back up and restore files does not have any disk quota restrictions. Such restrictions make it impossible to perform backups of data.

When planning who should be able to perform backup and restoration on your network, keep the following points in mind:

Files and folders can be backed up from a local or remote computer as long as the user has the required access to the files and folders.

When performing backups remotely, System State data cannot be saved.

Members of the Administrators or Backup Operators groups do not explicitly need permissions to access the files being backed up—they have the ability to perform backups as a result of their group membership.

An administrator can also delegate the authority to perform backups to a user without placing that user in one of the authorized groups. Delegation of control can be done through the Delegation of Control Wizard or via Group Policy settings.

Restoring Backup Data

Should you ever need to put your backup plan to the ultimate test, it’s good to know how to perform a restoration. Performing a restoration should be a relatively smooth process, and Windows Server 2003 makes the restoration process fairly automatic. The basic restoration process is outlined in Exercise 5.03.


Delegating Authority to Perform Backups via Group Policy

You can delegate the authority to perform backups by editing the Group Policy settings for a computer or a Windows Server 2003 domain. To do so, open the Group Policy Object (for a local computer, this is done by clicking Start | All Programs | Administrative Tools | Local Security Policy).

In a domain, it is done through the Active Directory Users and Computers administrative tool. Open the console and right-click the domain name, then select Properties. Click the Group Policy tab and select the Default Domain Policy. In the left pane, expand the Computer Configuration | Windows Settings | Security Settings nodes.

In either case, in the Group Policy Object Editor console, in the left pane under Security Settings, expand Local Policies and click User Rights Assignment. In the right pane, double-click Back up files and directories. Check the Define these policy settings checkbox if you are editing the domain policy. Click Add User or Group. You can select an individual user account or any group account to which you wish to delegate the authority to perform backups.

The number of people who have the ability to back up and restore data varies from company to company. In some organizations, a higher level of security might be required, which limits the ability to perform backups to one person or group of Administrators. In other organizations, servers may be located in branch offices across the country. Since the Backup Utility can only be used to back up and restore the System State of the local computer, and cannot be used to back up another domain controller, this might require that people in each location be authorized to perform backups and restores. The choice of how security is configured will depend on the policies and needs of your organization.

EXERCISE 5.03 RESTORING BACKUP DATA

1. Open the Restore Wizard by selecting Start | Programs | Accessories | System Tools | Backup or clicking Start | Run and typing ntbackup.

2. If the Backup or Restore Wizard opens, click the Advanced Mode link. This closes the wizard and opens the Backup Utility.

3. Click the Restore Wizard (Advanced) button to start the Restore Wizard.

4. Dismiss the opening page of the Wizard by clicking Next.

5. On the What to Restore dialog box, as seen in Figure 5.27, you must locate and select the media containing the data that is to be restored. Once you have located the correct backup set, expand the backup file to enable selection of the files and folders you want to restore. If your backup file or backup media is not listed, you can use the Browse button to locate it. After you have selected the files and folders to be restored, click Next to continue with the restoration.

Figure 5.27 Selecting the Backup Set to Use and Files to be Restored

6. The Completing the Restore Wizard dialog box appears. If you need to configure additional advanced options, you can click the Advanced button to do so. If you are ready to start the restoration, click the Finish button.

7. On the Where to Restore dialog box, you are given the option to select the location to which the files and folders should be restored. You can choose from the following options: Original location, Alternate location, or Single folder. After making your selection, click Next to continue.

8. On the How to Restore dialog box, you are given the option to determine what should occur if an existing file is found in the restoration location. You have options that are similar to those discussed previously in the “Backup Configuration Options” section of this chapter. After making your selection, click Next to continue.

9. On the Advanced Restore Options dialog box, as seen in Figure 5.28, you can select from several advanced restoration options that are available. The available options are determined by the type of backup you are restoring from, the type of backup hardware being used, and the role of the server that is being restored, and may not look exactly as seen in Figure 5.28. After making your selections, click Next to continue.


Figure 5.28 Configuring Additional Advanced Restoration Options

10. The Completing the Restore Wizard dialog box appears again. Click Finish to start the restoration process.

NOTE

You can use the ntbackup.exe command to create backups from the command line, but you cannot perform restorations from the command line. This can become a serious limitation should you need to restore a Windows Server 2003 computer that cannot be started normally—thus the reason for using ASR.

EXAM 70-292 OBJECTIVE 4.1.1

Using Automated System Recovery

Automated System Recovery (ASR) is a new feature in Windows Server 2003 that can be used to start a computer that cannot be started using any other means, such as Windows Backup, Safe Mode, the Recovery Console, and Last Known Good Configuration (LKGC).

While implementing and using a backup plan to perform regular backups is a critical task that must be accomplished, the backups will be of little use in the event the server suffers a critical failure that prevents it from being started normally. ASR allows the network administrator to restore the operating system back to a previous state (current as of the time the ASR set was created), which then allows them to restart the Windows Server 2003 normally and continue repairing the computer as required.

The ASR process is actually made up of two key parts: a floppy disk that is used to start the Windows Server 2003 computer, and a backup file that contains the System State, system services, and disks associated with the operating system components. The startup disk also contains information about the configuration of the computer’s disks, and information on how the ASR restoration is to be performed. Because an ASR set focuses on the files needed to restore the system, data files are not included in the backup.

An ASR set should be created each time a major hardware change or a change to the operating system is made on the computer running Windows Server 2003. For example, if the administrator installs a new hard disk or network card, or applies a security patch or Service Pack, an ASR set should be created. Then if a problem occurs after upgrading the system in such a way, the ASR set can be used to restore the system to its previous state after other methods of system recovery have been attempted.

ASR sets are easily created by using the Windows Server 2003 Backup Utility, as discussed in Exercise 5.04.

EXERCISE 5.04 CREATING AN ASR SET

1. Insert a blank 3.5-inch floppy disk into your server’s floppy drive.

2. Open the Backup Wizard by selecting Start | Programs | Accessories | System Tools | Backup or clicking Start | Run and typing ntbackup.

3. If the Backup or Restore Wizard opens, click the Advanced Mode link. This closes the wizard and opens the Backup Utility.

4. Click the Automated System Recovery Wizard button to start the ASR Wizard.

5. Dismiss the opening page of the Wizard by clicking Next.

6. In the Backup Destination dialog box, enter the path and file name of the backup file to be used as part of the ASR set. Click Next to continue.

7. Click Finish to close the Wizard. This starts the ASR set creation process.

8. When prompted, click OK to confirm the floppy disk is inserted in the server’s floppy drive.

9. Place the ASR floppy disk in a safe location until needed.

NOTE

You must have a floppy drive installed in the server on which you will be performing the ASR restoration.

Should you need to perform an ASR recovery, you can do so by performing the steps detailed in Exercise 5.05. Before starting the ASR recovery process, ensure that you have the following items readily available:

■ The ASR floppy disk

■ The ASR backup file

■ The Windows Server 2003 CD

■ Any special drivers required, such as RAID hardware or other mass storage device drivers—these will need to be available on floppy disk as well

EXERCISE 5.05 PERFORMING ASR RECOVERY

1. Start the server that is to be recovered using ASR.

2. Place the Windows Server 2003 CD in the CD drive.

3. Start from the CD when prompted to do so.

4. If you need to install special drivers, press F6 when prompted to do so.

5. Press F2 when prompted to initiate the ASR recovery process.

6. Insert the ASR floppy disk in the server’s floppy drive.

7. Follow the directions that are provided on screen.

EXAM 70-292 OBJECTIVE 4.1.2

Working with Volume Shadow Copy

Volume Shadow Copies are a new backup feature in Windows Server 2003 and are used to provide copies of data at a given point in time. Users can view the contents of shared folders and see previous versions of data. This allows them to use these copies as if they were restoring a backup of data from an earlier time.

When shadow copies are made of shared folders, there are a number of benefits. If a file was deleted or corrupted in some way, the network administrator can open the previous version and copy it to the original location or another location. This also allows the administrator to use previous versions to compare changes that have occurred between the versions.

The previous versions of files included in a shadow copy are read-only, preventing users from modifying the older version in any way. This maintains the integrity of the previous version, so that it remains a duplicate of the file at the time it was initially shadow copied. If users wish to make modifications to it, the older version can be copied to another location.

NOTE

Remember that by default, the Backup Utility makes shadow copies. In this section, we are talking about additional shadow copies that can be manually configured through the Computer Management console.

Making Shadow Copies of Shared Folders

Shadow copies are created and configured using the Computer Management console. From within the Computer Management console the network administrator can create multiple shadow copies for volumes and configure them individually. Configuration of shadow copies allows the administrator to control where they are stored, the amount of disk space they will take up, and the frequency with which they will be created. You can control many details in making shadow copies of shared folders on a Windows Server 2003 computer.

Creating shadow copies has limitations, however. For example, an administrator cannot store an indefinite number of shadow copies on each volume that is enabled. For each volume that has shadow copies enabled, a maximum of 64 shadow copies can be created—this means the administrator can view up to 64 previous versions of data. Once this limit is reached, the oldest shadow copy is deleted and cannot be restored.

Enabling Shadow Copies on the Shared Resource

To enable shadow copies, open the Computer Management console by clicking Start | Programs | Administrative Tools | Computer Management. By default, the Volume Shadow Copy service is disabled and must be set for automatic startup. You will need to locate the Volume Shadow Copy service in the Services node of the Computer Management console, as seen in Figure 5.29, in order to configure it. Once you have located the Volume Shadow Copy service, double-click it to open its properties dialog box. Set the startup type to Automatic and click the Start button to start the service. Click OK to close the properties dialog box.

Figure 5.29 You Must Configure the Volume Shadow Copy Service

Locate the Shared Folders node of the Computer Management console and right-click on it, as seen in Figure 5.30. Select All Tasks | Configure Shadow Copies. The Shadow Copies dialog box opens, as seen in Figure 5.31.

Figure 5.30 Configuring Volume Shadow Copies

The Shadow Copies dialog box contains two areas: the upper area allows the network administrator to select a volume on the computer and click the Enable button to enable shadow copies on the selected volume. Note that by default, shadow copies are disabled on all volumes. To prevent a particular volume from using shadow copies, click the Disable button. The bottom area of the Shadow Copies dialog box displays the shadow copies that exist on a selected volume.

NOTE

When shadow copies are enabled on a volume, Windows presents a warning box that advises that the default settings are not appropriate if the server has a high Input/Output (I/O) load. If this is the case, you should manually configure the settings to put the storage area on a volume that will not be shadow copied. You must click OK to acknowledge the information presented in this dialog box before you can enable Volume Shadow Copies on that volume.

Figure 5.31 Shadow Copies are Disabled by Default

TEST DAY TIP

To enable shadow copies, you must be a member of the Administrators group on the local machine. If you are not a member of this group, you will not be able to make the necessary changes to the computer to enable, disable, or make modifications.

When shadow copies are enabled, Windows configures the feature with a default schedule and settings, although these settings can be modified. It can take some time after clicking Enable for Windows to do its work and enable the feature, so the network administrator must be patient. After shadow copies are enabled on a volume, the Shadow Copies dialog box reflects the change, as seen in Figure 5.32.

Figure 5.32 Shadow Copies Will be Shown After They Have Been Enabled

Changing Settings for Shadow Copies

After shadow copies have been enabled, the network administrator can modify the configuration by using the Settings button on the Shadow Copies dialog box. Clicking this button displays the Settings dialog box, as seen in Figure 5.33. From here the administrator can modify the storage area used for shadow copies and the schedule that controls how often they are created. The settings specified will only apply to the selected volume.

Figure 5.33 Configuring Shadow Copy Settings

Defining Storage Options for Shadow Copies

The Storage Area frame of the Settings dialog box is used to modify where shadow copies are stored and how much space will be allocated to store them. Modifying these settings can improve system performance and allow shadow copies to be created more effectively.

The first field on this dialog box allows the network administrator to configure the volume on which shadow copies will be stored. The dropdown list allows the administrator to select different volumes on the server. However, if the computer only has one volume, the current volume will be the only choice and this dropdown list will be disabled. Even if there are additional volumes, by default the storage area will be on the same volume that is being shadow copied. Clicking the Details button beside the dropdown box allows the network administrator to view such information as available free space and total disk space.

The Maximum Size options below this dropdown list allow the network administrator to configure how much disk space will be used for storing shadow copies. The options available are No Limit and Use Limit. If No Limit is selected, the system can use as much hard disk space as necessary to create shadow copies. If Use Limit is selected, the administrator can specify the maximum number of megabytes to be used for storage.

The amount of available hard disk space is important when using shadow copies. There must be a minimum of 100MB available for the system to create shadow copies. By default, Windows Server 2003 uses 10 percent of the total disk space of the volume containing the files to be shadow copied. If there is an insufficient amount of free disk space available, the network administrator should use another volume on the server for storage.

The network administrator should carefully calculate the amount of hard disk space needed for shadow copies. If the limit set is too small, it might prevent the system from making an adequate number of shadow copies. If this happens, and an older version of a file is needed, it might be unavailable because Windows Server 2003 needed to delete it to make room for newer shadow copies. It is also important to remember that the number of files in a shadow copy and the frequency with which shadow copies are created affect the amount of space used. If a network administrator is creating a daily shadow copy of ten files that are approximately the same size, it will take less space than a few dozen similar files that are copied hourly. After viewing the size, number of files, and frequency of several shadow copies, the administrator should decide whether there is enough room for the number of copies they want.

EXAM WARNING

Shadow copies only retain up to 64 previous versions. Once this limit is reached, the oldest shadow copy is permanently deleted. The number of previous versions is also affected by the amount of space available for shadow copies. There must be a minimum of 100MB available for the system to create shadow copies, but if this is not enough for 64 individual copies, there will be fewer created.


Scheduling Shadow Copies

The Schedule button opens the Schedule dialog box, as seen in Figure 5.34, and allows the network administrator to control when shadow copies are created. Using this dialog box, the administrator can configure Windows Server 2003 to create shadow copies at any of the following intervals:

■ Daily

■ Weekly

■ Monthly

■ Once

■ At system startup

■ At logon

■ When idle

Figure 5.34 Configuring the Shadow Copy Schedule

As with scheduling backups, each of these options provides the same additional configurable settings when selected. For example, if Daily is selected, the network administrator can control whether shadow copies are performed every day, every second day, every third day, and so on.

The Settings dialog box for shadow copies differs from that of the Backup Utility in that the administrator can create multiple scheduled tasks from this dialog box. By clicking the New button, they can create multiple scheduled tasks for creating shadow copies.

TEST DAY TIP

By default, two shadow copies per day are made. Although a greater or lesser number can be scheduled for creation, Microsoft recommends that the frequency at which they are created should not be greater than two per hour. Exceeding this recommendation limits how far back a user can access older versions of data.
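The storage-sizing discussion under "Defining Storage Options for Shadow Copies" and the scheduling tip above describe four interacting rules: the 64-copy cap per volume, the 100MB minimum storage area, the default allocation of 10 percent of the volume, and the recommendation of no more than two copies per hour. The following planner is an added example, not code from the book or from Microsoft; it applies those rules to a proposed Use Limit and schedule and reports which rule actually decides how far back Previous Versions will reach. The function names are ours, and the model of each copy costing roughly the data changed since the previous copy is an assumption of this example, not a statement from the chapter.

```python
"""Shadow copy retention planner.

Added example, not code from the book or from Microsoft: it applies the
retention rules this chapter states (64-copy cap per volume, 100MB minimum
storage area, 10 percent default allocation, no more than two copies per hour)
to a proposed storage limit and schedule, so the administrator can see which
rule actually decides how far back Previous Versions will reach.
"""
from dataclasses import dataclass, field
from typing import List

MAX_SHADOW_COPIES = 64        # hard cap per volume; the oldest copy is dropped beyond it
MIN_STORAGE_MB = 100          # below this, the system creates no shadow copies at all
RECOMMENDED_MAX_PER_HOUR = 2  # Microsoft's recommended ceiling on creation frequency
DEFAULT_STORAGE_PERCENT = 10  # default storage area: 10 percent of the shadowed volume


@dataclass
class RetentionPlan:
    copies_retained: int        # copies that exist once the schedule has run long enough
    hours_of_history: float     # age of the oldest retained copy at steady state
    limiting_factor: str        # which rule decided copies_retained
    warnings: List[str] = field(default_factory=list)


def default_storage_mb(volume_size_mb: int) -> int:
    """Storage area Windows Server 2003 allocates when the defaults are accepted."""
    return volume_size_mb * DEFAULT_STORAGE_PERCENT // 100


def plan_retention(storage_limit_mb: int, change_per_copy_mb: float,
                   copies_per_day: float) -> RetentionPlan:
    """Estimate steady-state retention for one shadowed volume.

    Modelling assumption (ours, not stated in the book): a shadow copy costs
    roughly the amount of data that changed since the previous copy, so
    change_per_copy_mb is the average churn between two scheduled copies.
    """
    if change_per_copy_mb <= 0 or copies_per_day <= 0:
        raise ValueError("change_per_copy_mb and copies_per_day must be positive")

    warnings: List[str] = []
    per_hour = copies_per_day / 24
    if per_hour > RECOMMENDED_MAX_PER_HOUR:
        warnings.append(
            f"{copies_per_day:g} copies/day is {per_hour:.1f}/hour, above the "
            f"recommended {RECOMMENDED_MAX_PER_HOUR}/hour; history will be short")

    if storage_limit_mb < MIN_STORAGE_MB:
        warnings.append(
            f"storage limit {storage_limit_mb}MB is below the {MIN_STORAGE_MB}MB "
            "minimum; no shadow copies will be created")
        return RetentionPlan(0, 0.0, "storage below minimum", warnings)

    copies_by_space = int(storage_limit_mb // change_per_copy_mb)
    if copies_by_space >= MAX_SHADOW_COPIES:
        retained, factor = MAX_SHADOW_COPIES, "64-copy cap"
    else:
        retained, factor = copies_by_space, "storage limit"
        warnings.append(
            f"only {retained} copies fit in {storage_limit_mb}MB; raise Use Limit "
            "or move the storage area to another volume to reach the 64-copy cap")

    # Oldest copy age: the retained copies are spread evenly over the schedule.
    hours = retained * 24 / copies_per_day
    return RetentionPlan(retained, hours, factor, warnings)


def main() -> None:
    # Constructed scenarios: the 250MB limit from Exercise 5.06, a larger limit,
    # the default allocation on a 100GB volume, and an over-frequent schedule.
    scenarios = [
        ("250MB limit, 2 copies/day", 250, 10, 2),
        ("2000MB limit, 2 copies/day", 2000, 10, 2),
        ("default 10% of a 100GB volume, hourly", default_storage_mb(100_000), 10, 24),
        ("5000MB limit, 4 copies/hour", 5000, 10, 96),
    ]
    for label, limit, churn, per_day in scenarios:
        plan = plan_retention(limit, churn, per_day)
        print(f"{label}: {plan.copies_retained} copies, "
              f"{plan.hours_of_history / 24:.1f} days of history ({plan.limiting_factor})")
        for warning in plan.warnings:
            print("  warning:", warning)


if __name__ == "__main__":
    main()
```

Run as a script, the planner shows that with the 250MB limit from Exercise 5.06 and about 10MB of change per copy, the storage limit, not the 64-copy cap, is what decides retention (25 copies, about twelve days at two copies per day), while a schedule of four copies per hour exhausts the 64-copy cap in 16 hours regardless of how much storage is allocated.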

Shadow copies can be configured for a volume by completing the steps outlined in Exercise 5.06.

EXERCISE 5.06 ENABLING AND CONFIGURING SHADOW COPIES

1. Click Start | Programs | Administrative Tools | Computer Management to open the Computer Management console.

2. In the left pane of the Computer Management console, expand the System Tools folder.

3. Right-click Shared Folders. When the context menu appears, select All Tasks | Configure Shadow Copies.

4. When the Shadow Copies dialog box appears, a list of available volumes will be shown. Select the volume on which you want to enable shadow copies, and click the Enable button.

5. A dialog box appears asking for confirmation that you want to enable shadow copies for this volume. Click Yes to acknowledge the warning provided.

6. You can now configure the storage space used for shadow copies. Click the Settings button.

7. When the Settings dialog box appears, click the Use limit option in the Storage Area frame, and change the number of MB to 250.

8. Click the Schedule button.

9. When the dialog box appears, click the New button to configure a new schedule.

10. Select Daily from the Schedule Task dropdown list, and set the Start time to 11:00 P.M.

11. Under Schedule Task Daily, change the number of days this is to run to Every 2 days.

12. Click OK to confirm these settings and exit the dialog box.


13. Click OK to exit the Shadow Copies dialog box, and confirm your changes.

Deploying the Client Software for Shadow Copies

To use shadow copies, client computers need special software installed. The Previous Versions client can be installed through a Windows Installer Package that is located on the Windows Server 2003 machine in \system32\clients\twclient\ of the %systemroot% directory (typically named WINDOWS). After it is installed, this tool allows users to access previous versions of files that were included in a shadow copy.

Since the Previous Versions client is available as a Windows Installer Package, it can be deployed to client computers in a number of ways:

■ The network administrator can copy the installation package to a shared folder on the server, and then notify users that it is available for those who wish to install it.

■ Users can install it by right-clicking on the package, and then clicking Install on the menu that appears.

■ It can also be installed by double-clicking on the package. This starts a wizard that asks the user if they want to install the software. The user clicks Next to begin the installation.

■ The network administrator can also deploy the installation package through Group Policy software deployment. Group Policy allows the network administrator to offer software for installation or force it to be installed, by either publishing or assigning the software. By using Group Policy-based software deployment, the administrator ensures that the computers or users selected will have access to the Previous Versions Client.

Restoring Previous Versions of a File

Older versions of files included in a shadow copy are retained for a limited period. As mentioned earlier, a maximum of 64 shadow copies are retained, and fewer than 64 if there is a limited amount of disk space available. Because these previous versions of files might be permanently removed after a time, users may wish to keep a copy of an older version for future reference. Also, if a user accidentally deletes or overwrites the current copy of a file, it must be restored. Using the Previous Versions client, users can restore previous versions without having to ask the network administrator to restore data on their behalf.

To view previous versions of a file, access the shared folder on a volume using My Network Places (or Network Neighborhood, depending on the client operating system), as seen in Figure 5.35.

Figure 5.35 Locating a Shared Folder

You can examine the shadow copies for the folder by right-clicking on it and selecting Properties from the context menu. From the Properties dialog box, click the Previous Versions tab. This displays a listing of previous versions of the folder, as seen in Figure 5.36. Select the version you want, and click the View button to open a read-only version of the folder.

Figure 5.36 Examining Previous Versions

The entire previous version of a folder can be restored by selecting it and clicking Restore. When this button is clicked, a warning message appears, asking if you are sure you want to roll back the current version to the previous version of the file. If you click Yes, the current folder is overwritten with the older one.

Alternatively, the network administrator can restore specific individual files and subfolders by copying or dragging them to the desired location. Copying a previous version of a file is also done through the Previous Versions tab. After selecting the previous version you want to copy, click the Copy button on this tab. This opens a Copy Items dialog box, which allows you to specify where the older version of this file should be copied.

Sometimes when using the Previous Versions tab, the network administrator may find that no previous versions of files are listed, or the Previous Versions tab itself does not appear. When no previous versions are listed, it means that no changes have been made to the file. If the Previous Versions tab does not appear, it means that shadow copying has not been enabled on that server.

EXAM WARNING

The Previous Versions Client must be installed or the Previous Versions tab will not appear in the properties of a shared file. The Previous Versions tab only appears when viewing files across the network. It will not appear if files are viewed on the local hard disk (for example, by using Windows Explorer to access a local shared folder).

Shadow Copies Best Practices

While shadow copies provide a useful tool for users to view, copy, and restore older versions of files, they should not be considered a substitute for regular backups. Shadow copies make copies of files stored on shared folders, but do not provide a duplicate of every file on the system that can be restored after Windows Server 2003 fails. In addition to enabling shadow copies, the network administrator should also routinely back up their system.

Shadow copies should not be created on dual boot systems. If a computer has Windows Server 2003 and Windows NT 4.0 installed on it in a dual boot configuration, shadow copies that persist when the older operating system is restarted might be corrupted. To avoid this, enable shadow copies only on computers that exclusively run Windows Server 2003.

Scheduling when shadow copies are created should be based on the work habits of users. If multiple shadow copies are created, the administrator does not want copies created when users have not made any changes. For example, if no one works on the weekend, there will not be any changes to files so there is no point in creating shadow copy files during that time. As mentioned earlier, more than two shadow copies per hour should not be scheduled, because a maximum of 64 shadow copies can be created on a volume. The more frequently shadow copies are made, the faster the older shadow copies will be removed from the system.

If the server is heavily used and there are a large number of disk reads and writes on the current volume, the network administrator should consider changing the volume where shadow copies are stored to a volume on a different physical disk. This allows the system to write shadow copies to a different hard disk, and improves performance. However, this change needs to be made before shadow copies are created. If shadow copies are already present on the volume, the administrator needs to delete all of the shadow copies on the volume before making the change.


Summary of Exam Objectives

Disasters can occur at any time, and can result from any number of causes. To prevent disasters from causing extensive damage, the network administrator needs to identify the types of disasters that can affect their business, and then implement plans and policies to deal with them effectively. Such plans include information on how to perform backups and restore data, how to recover from server problems, and how to address other issues that can make the business unable to function.

Windows Server 2003 provides a number of tools that can be used when problems arise. The Backup Utility allows the network administrator to back up data, back up the system state, and create ASR sets. By implementing these measures, the network administrator can prevent data and system files from being permanently lost during a disaster.

ASR is a new feature in Windows Server 2003 that can be used to start a computer that cannot be started using any other means, such as Windows Backup, Safe Mode, the Recovery Console, or LKGC. While implementing and using a backup plan to perform regular backups is a critical task, the backups will be of little use should the server suffer a critical failure that prevents it from being started normally. ASR allows the network administrator to restore the operating system back to a previous state (current as of the time the ASR set was created), which then allows them to restart the Windows Server 2003 normally and continue repairing the computer as required.

The ASR process is made up of two key parts: a floppy disk that is used to start the Windows Server 2003 computer and a backup file that contains the system state, system services, and disks associated with the operating system components. The startup disk also contains information about the configuration of the computer’s disks and information on how the ASR restoration is to be performed. Because an ASR set focuses on the files needed to restore the system, data files are not included in the backup.

Volume Shadow Copies are another new backup feature in Windows Server 2003 and are used to provide copies of data at a given point in time. Users can view the contents of shared folders and see previous versions of data. This allows them to use these copies as if they are restoring a backup of data from an earlier time.

When shadow copies are made of shared folders, there are a number of benefits. If a file was deleted or corrupted in some way, the network administrator can open the previous version and copy it to the original location or another location. This also allows the administrator to use previous versions to compare changes that have occurred between the versions.

The previous versions of files included in a shadow copy are read-only, preventing users from modifying the older version in any way. This maintains the integrity of the previous version, so that it remains a duplicate of the file at the time it was initially shadow copied. If users wish to make modifications to it, the older version can be copied to another location.


Exam Objectives Fast Track

Creating a Backup Plan

Backup plans are used to protect data on a computer. When data is backed up, it is copied to an area of the hard disk or other media that can be stored in a separate location. If a user accidentally deletes a file, data becomes corrupted, or a disaster occurs, the backup can be used to copy this data back to the server.

Windows Server 2003 provides a Backup Utility that allows the network administrator to back up files on the server, regardless of whether the hard disks are formatted as FAT, FAT32, or NTFS. This data can be backed up to a file or to a tape drive and kept until it needs to be restored.

The Backup Utility provides five different types of backups that can be performed: Normal, Incremental, Differential, Copy, and Daily. The type of backup chosen will determine how much data is backed up, and the storage space required for the backup job.

A good media rotation system should be part of every backup plan. By rotating the backup media in accordance with an approved procedure and schedule, the network administrator increases the reliability and lifetime of the backup media, thus enhancing their chances of performing a successful restoration. Having a solid media rotation system in place also provides an easy means to maintain a backup history.

Using the Windows Backup Utility

The System State is that critical data stored on each computer that contains information that is required for the proper startup and operation of the computer.

System State data includes these items:

■ Boot and system files (such as boot.ini, NTLDR, etc.)

■ The Registry

■ The COM+ class registration database

■ The system files that are protected by Windows File Protection (located in %systemroot%\system32\dllcache)

■ The Active Directory service if the server is a domain controller

■ The SYSVOL directory if the server is a domain controller

■ The Cluster service information if the server is a member of a cluster

■ The IIS metadirectory if IIS is installed on the server

■ The Certificate Services database if the server is a CA

The Backup Utility in Windows Server 2003 uses the Volume Shadow Copy technique to create copies of data. This means that even files that are open and being used by users or the system can be backed up.

The Backup Utility has two modes of operation: Backup and Restore Wizard, and Advanced Mode.

To back up or restore files and folders on any computer in a domain, a user needs to be a member of the Administrators or Backup Operators group on a domain controller.

Files and folders can be backed up from a local or remote computer as long as the user has the required access to the files and folders.

When performing backups remotely, system state data cannot be saved.

An administrator can also delegate the authority to perform backups to a user without placing that user in one of the authorized groups. Delegation of control can be done through the Delegation of Control Wizard or via Group Policy settings.

Using Automated System Recovery

The ASR process is made up of two key parts: a floppy disk that is used to start the Windows Server 2003 computer and a backup file that contains the system state, system services, and disks associated with the operating system components.

The startup disk also contains information about the configuration of the computer’s disks, and information on how the ASR restoration is to be performed. Because an ASR set focuses on the files needed to restore the system, data files are not included in the backup.

An ASR set should be created each time a major hardware change or a change to the operating system is made on the computer running Windows Server 2003.

The following items must be available when attempting to perform an ASR recovery:

■ The ASR floppy disk

■ The ASR backup file

■ The Windows Server 2003 CD

■ Any special drivers required, such as RAID hardware or other mass storage device drivers

The target of an ASR recovery must have a working floppy drive installed.

Working with Volume Shadow Copy

Volume shadow copies are used to provide copies of data as it is at a given point in time. Users can benefit from shared copies by being able to view, copy, or restore previous versions of data.

The Previous Versions client allows users to access previous versions of files across the network.When the client software is installed, users can view, copy, and restore files from the Previous Versions tab of the file’s properties.

Shadow copies can be scheduled just as backups are scheduled. Windows Server 2003 can be scheduled to make shadow copies once, at system startup, at logon, when the computer is idle, or on a daily, weekly, or monthly basis.

Exam Objectives

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: I have developed a disaster recovery plan, but I am not completely certain that the plans and procedures will be effective during a disaster. How can I be sure?

A: Perform “dry runs” of the disaster recovery plan to ensure that developed strategies work as expected, and revise any steps that are ineffective.

Q: I want users to be able to back up the files that they own. I have given them Full Control over the folders that belong to them on the server, but they still cannot back up files. What is the most likely reason for this?

A: If a user is not an Administrator or Backup Operator, they need read, read and execute, modify, or full control permissions over a file for which they have ownership. Since the users have Full Control, this is not the problem. The problem might reside in the fact that disk quotas have been set. Disk quota restrictions prevent users from being able to perform a backup.

Q: I have tried modifying a previous copy of a file included in shadow copy, but find I cannot. Why is this?

A: Previous versions of files included in a shadow copy are read-only, preventing users from modifying the older version in any way. This maintains the integrity of the previous version, so it remains a duplicate of the file at the time it was initially shadow copied. To modify a copy of the file, you would need to first copy it to another location.

Q: Our organization is very small. Do we really need a difficult-to-use, complicated backup plan?

A: No, you certainly do not need to be using anything that is difficult or confusing. If your backup plan is difficult to use or confusing, then it is time for a new backup plan. Does this mean that you do not need any backup plan? Most definitely not. A backup plan is required for any size network that processes information that is important to it. A simple backup plan that says “We will back up using a five-tape rotation system with the tape from the previous night being taken offsite the next morning” might be a good solution for a small network. Tailor your backup plan to suit your needs, but whatever you do, have a backup plan of some kind!

Q: If I implement Volume Shadow Copies on the network data shares for our network, is there any reason I still need to perform normal backups?

A: Yes! Volume Shadow Copies were never intended to replace a normal, functional backup plan. The primary use for Volume Shadow Copies is to be able to quickly locate and use older versions of documents when required. You will still require a backup plan to ensure that all of your data is protected adequately in the event a disaster should occur.

Q: I need to perform an ASR recovery on a server that does not have a floppy drive. What can I do?

A: You must install a floppy drive into that server before you will be able to perform the ASR recovery. There is no way to get around this requirement.

Self Test

Creating a Backup Plan

1. You are creating a backup plan for your organization’s network. Your plan calls for you to use the five-tape rotation system with all backup tapes being stored in the file cabinet in your office. You will be performing a differential backup Monday through Thursday and a full backup on Fridays. Your network consists of two Windows Server 2003 file servers that are to be backed up. You also have 40 Windows XP Professional client computers located on your network. What potential problem exists with your backup plan?


A. The five-tape rotation system is not adequate for this size network.

B. Differential backups should only be performed on Fridays, not daily.

C. Backup media should be kept offsite.

D. Full backups should not be performed once per week, they should occur monthly.

2. You are creating a backup plan for your organization’s network. Your CIO wants you to use four backup tapes, one for each week of the month. You disagree with his plan and argue that it is not an effective media rotation system. What benefits can you present to your CIO to persuade him to allow you to use a more effective media rotation system such as the five-tape rotation? (Choose all that apply.)

A. An effective media rotation system will increase the lifetime of the backup media in use.

B. An effective media rotation system will reduce the cost spent on each backup tape.

C. An effective media rotation system will provide a backup history.

D. An effective media rotation system will reduce the lifetime of the backup media in use.

Using the Windows Backup Utility

3. You are the network administrator for the CVB Company. Your primary duty is to maintain and manage the disaster recovery operations for the network. On Thursday morning, one of your file servers crashes. You place a replacement server on the network but need to restore all files from the old file server before making it available to users. You performed a daily backup on Monday, a normal backup on Tuesday, and a differential backup on Wednesday. In what order do you need to restore data to the new server?

A. Monday first, Tuesday second, Wednesday third

B. Monday first, Wednesday second, Tuesday third

C. Tuesday first, Wednesday second

D. Wednesday first, Tuesday second


4. You have added a new server running Windows Server 2003 to your network. Although it is physically attached to the network, no one has access to the server yet, as you want to install some additional programs before making it available. Before installing third-party programs on the server, which will be needed by users of the network to perform certain jobs, you decide to back up the server. If there are any problems after installing the applications, you can then use the backup to restore the server to its previous state. When configuring the Backup Utility, you log in with the Administrator account and find that the “Backup destination” field is disabled, indicating that you can only back up to a file. What is the likely cause of this?

A. A tape device is not installed on the server, so the only backup destination the Backup Utility can use is a file.

B. The Windows Server 2003 computer is not available to network users yet, so nothing has changed on the server requiring a backup. The utility knows this, so this option is disabled.

C. You do not have the proper rights to perform a backup.

D. The “Backup destination” will always show that it is backing up to a file, regardless of where that file is stored.

5. Members of your organization store files on a Windows Server 2003 computer. Each department has its own folder, with subfolders inside for each employee within that department. A complaint has been made about an employee having non-work related files on the server that are considered offensive. Upon checking the contents of that person’s folder, you find it to be true. You want to back up the entire contents of this folder, without affecting the backups that are performed daily. What will you do?

A. Perform a normal backup

B. Perform an incremental backup

C. Perform a copy backup

D. You cannot back up the files without affecting other backups that are performed

6. You are developing a backup plan that will be used to routinely back up data each night. There is a considerable amount of data on the Windows Server 2003 servers on the network, so you want backups to occur as quickly as possible. Due to the mission-critical nature of much of this data, you also want data to be restored as quickly as possible following a disaster. Based on these needs, which of the following backup types will you use in your plan?

A. Perform a normal backup each night

B. Perform a daily backup each night

C. Perform a normal backup, followed by nightly incremental backups

D. Perform a normal backup, followed by nightly differential backups


7. A user has ownership of files in a shared folder located on a Windows Server 2003 computer and wants to perform a backup of her files. She is a standard user, with no special rights or group memberships. Due to the amount of free disk space and the need of users to store sizable files, there are no restrictions on how much data a user can store on the server. The user has to temporarily perform the duties of another coworker who also uses this folder for his work. After modifying documents belonging to this person over the day, she tries to back up the files but finds she cannot. She calls and complains to you about the problem, hoping you can help. What is most likely the reason for this problem? (Choose all that apply.)

A. She does not have the minimum permissions necessary to back up these files

B. She is not an Administrator or Backup Operator.

C. She does not have ownership of the files.

D. Disk quota restrictions are preventing the backup.

8. You schedule a backup to run monthly on the 30th of each month, when you are using the Backup Utility to back up the system state of a Windows Server 2003 computer. This server contains data files used by users of the network. It also acts as a Web server for the local intranet and allows users to view information in HTML format on the network. Which of the following files will be included when the system state is backed up? (Choose all that apply.)

A. IIS Metadirectory

B. COM+ class registration database

C. SYSVOL directory

D. Certificate Services database

9. You are the network administrator for the CVB Company. Your primary duty is to maintain and manage the disaster recovery operations for the network. You are configuring a new backup job that will be used to perform nightly backups of a new file server recently placed on the network. You need to ensure that should a restoration be required, all files and folders contained in the backup file will be restored regardless of their age. What option should you configure for the backup job?

A. Do not replace the file on my computer.

B. Verify data after the backup completes.

C. Back up the contents of mounted drives.

D. Always replace the file on my computer.


10. You are the network administrator for the CVB Company. Your primary duty is to maintain and manage the disaster recovery operations for the network. You are configuring a new backup job that will be used to perform nightly backups of a new file server recently placed on the network. You need to ensure that only information such as loading a tape is included in the backup log. What option should you configure for the backup job?

A. Always allow use of recognizable media without prompting

B. Summary logging

C. Information logging

D. Show alert messages when new media is inserted

11. You are the network administrator for the CVB company. Your primary duty is to maintain and manage the disaster recovery operations for the network. You need to allow another user in your company, Catherine, to perform backup and restoration operations. You must not allow Catherine to have any more privileges than she requires. What two ways can you give Catherine only the required privileges? (Choose two correct answers.)

A. Make Catherine a member of the Backup Operators group.

B. Make Catherine a member of the Server Operators group.

C. Make Catherine a member of the Domain Admins group.

D. Run the Delegation of Control Wizard, targeting Catherine’s user account.

Using Automated System Recovery

12. A disaster has occurred, requiring you to use an ASR set to restore the system. When using the ASR set to restore the system, you notice that certain files are not restored to the computer. What files are not included in the ASR set, and how will you remedy the problem?

A. Data files are not included in the primary ASR set, and need to be restored from the data section of the ASR set. Information on the data set is found on the ASR floppy disk.

B. Data files are not included in the ASR set, and need to be restored from a separate backup.

C. System files are not included in an ASR set. They need to be restored from a system state backup.

D. System services are not included in an ASR set, and need to be reinstalled from the installation CD.


13. You are the network administrator for the CVB Company. Your primary duty is to maintain and manage the disaster recovery operations for the network. You are preparing to create an ASR set for one of your critical print servers. After the ASR backup process has been completed, what will you have created? (Choose two correct answers.)

A. A startup floppy disk that contains information about the ASR backup.

B. A backup file that contains the System State, system services, and the disks associated with the server.

C. A backup file that contains the System State, system services, and data on the server’s disks.

D. A startup floppy disk that contains all third-party drivers you have installed on the server.

14. You are the network administrator for the CVB Company. Your primary duty is to maintain and manage the disaster recovery operations for the network. You are currently preparing a company policy outlining how an ASR recovery is to be performed for one of your critical print servers. What items should you list as being required in order to perform the ASR restoration? (Choose two correct answers.)

A. The server that is being restored via ASR must have a DAT drive.

B. The server that is being restored via ASR must have a floppy drive.

C. You will need to have the Windows Server 2003 CD.

D. You will need to have a DOS boot disk.

Working with Volume Shadow Copy

15. You are performing a backup of data stored in a folder of your Windows Server 2003 computer, using Volume Shadow Copies. Network users store their work in this folder, so you start the backup after most employees have gone home for the day. During the backup, you discover that an employee is working overtime, and has a document open that is in the folder being backed up. What will result from this situation?

A. The backup will fail.

B. The backup will corrupt the file, but succeed in backing up other files that are not open.

C. The backup will back up the open file, and continue backing up any other files in the folder.

D. The backup will restart, and keep doing so until the document is closed.


16. A user attempts to view the previous versions of a file that has been shadow copied on the server. When he tries to view the previous versions, he finds that he cannot, although several other users can view the previous version. When he views the file’s properties, there is no tab for previous versions. What is most likely the cause of this problem?

A. Shadow copying is not enabled.

B. There have been no modifications to the file since shadow copying was enabled.

C. The Previous Versions client has not been installed on the server.

D. The Previous Versions client has not been installed on the user’s computer.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. C

2. A, C

3. C

4. A

5. C

6. D

7. B, C

8. A, B

9. D

10. B

11. A, D

12. B

13. A, B

14. B, C

15. C

16. D
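Self Test questions 3, 5, and 6 all turn on how each backup type treats the archive attribute and on the order in which backup sets must be restored. The Python model below is an added example, not code from the study guide: its two-file data set and Monday-to-Wednesday schedule are constructed to mirror question 3, and the restore rule it encodes (the last normal backup, then every incremental after it in order, then the latest differential taken after the last set that cleared archive bits) generalizes beyond that one question.

```python
"""Model of the Backup Utility's five backup types (normal, copy, incremental,
differential, daily), the archive attribute each one reads or clears, and the
restore order a backup history implies. Added example; the file set and
schedule below are constructed to mirror Self Test question 3 and are not
part of the study guide."""
from dataclasses import dataclass


@dataclass
class File:
    name: str
    modified_day: int
    archive_bit: bool = True      # set whenever a file is created or changed


# How each backup type selects files and whether it clears the archive bit.
BACKUP_TYPES = {
    "normal":       {"select": "all",     "clears": True},
    "copy":         {"select": "all",     "clears": False},  # leaves other backups unaffected
    "incremental":  {"select": "archive", "clears": True},
    "differential": {"select": "archive", "clears": False},
    "daily":        {"select": "today",   "clears": False},  # files changed on the backup day
}


def modify(f, day):
    """Simulate a user editing a file: the archive bit comes back on."""
    f.modified_day = day
    f.archive_bit = True


def run_backup(files, backup_type, day):
    """Return the names written to this backup set and update archive bits."""
    rule = BACKUP_TYPES[backup_type]
    if rule["select"] == "all":
        chosen = list(files)
    elif rule["select"] == "archive":
        chosen = [f for f in files if f.archive_bit]
    else:
        chosen = [f for f in files if f.modified_day == day]
    if rule["clears"]:
        for f in chosen:
            f.archive_bit = False
    return [f.name for f in chosen]


def restore_plan(history):
    """history: [(label, backup_type), ...] in the order the jobs ran.
    Returns the labels to restore, in order: the last normal backup, every
    incremental after it, then the latest differential taken after the last
    set that cleared archive bits. Copy and daily sets never join the chain."""
    types = [t for _, t in history]
    if "normal" not in types:
        raise ValueError("no normal backup to restore from")
    start = len(types) - 1 - types[::-1].index("normal")
    plan = [history[start][0]]
    last_cleared = start
    for i in range(start + 1, len(history)):
        if history[i][1] == "incremental":
            plan.append(history[i][0])
            last_cleared = i
    later_diffs = [lab for lab, t in history[last_cleared + 1:] if t == "differential"]
    if later_diffs:
        plan.append(later_diffs[-1])
    return plan


def question_3_scenario():
    """Monday daily, Tuesday normal, Wednesday differential; the crash is Thursday."""
    files = [File("budget.xls", modified_day=1), File("report.doc", modified_day=1)]
    sets = {"Monday": run_backup(files, "daily", day=1)}
    modify(files[0], day=2)
    sets["Tuesday"] = run_backup(files, "normal", day=2)
    modify(files[1], day=3)
    sets["Wednesday"] = run_backup(files, "differential", day=3)
    history = [("Monday", "daily"), ("Tuesday", "normal"), ("Wednesday", "differential")]
    return sets, restore_plan(history)   # plan is ["Tuesday", "Wednesday"]
```

Running question_3_scenario() shows why answer C is right: Monday's daily set is never part of the chain, Tuesday's normal backup captured everything and cleared the bits, and Wednesday's differential holds only report.doc, the one file changed afterwards. The same run_backup function demonstrates question 5: a copy backup writes every file but leaves the archive bits untouched, so the next incremental or differential behaves exactly as if the copy had never happened.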


Chapter 6

MCSA/MCSE 70-292

Implementing, Managing, and Maintaining Name Resolution

Exam Objectives in this Chapter:

5.1 Install and configure the DNS Server service

5.1.1 Configure DNS server options

5.1.2 Configure DNS zone options

5.1.3 Configure DNS forwarding

5.2 Manage DNS

5.2.1 Manage DNS zone settings

5.2.2 Manage DNS record settings

5.2.3 Manage DNS server options

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


338 Chapter 6 • Implementing, Managing, and Maintaining Name Resolution

Introduction

It was not too long ago that a network administrator could discuss networking computers on the same network segment and the words Domain Name System (DNS) would never surface during the conversation. It was also not so long ago that the NetBIOS Extended User Interface (NetBEUI) was the king of networking protocols in Windows NT networks. If an administrator needed to connect to a NetWare server they relied on the Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) protocol.

One day, seemingly out of nowhere, the Internet happened. It had actually been around for quite some time courtesy of the Department of Defense and several large universities across the country, but organizations that wanted to connect their networks together either bought or leased dedicated lines between sites. This was not an altogether inexpensive proposition—especially before the widespread use of fiber optics and satellite communications. With the introduction of the masses to the Internet, a crisis occurred: Transmission Control Protocol/Internet Protocol (TCP/IP) was not only needed within Windows networks, but demanded by administrators who began to see the power and flexibility that it promised. Microsoft, along with a host of other vendors, heard the demand and seemingly overnight TCP/IP support appeared in all operating systems. It was not until the introduction of Windows 2000, however, that TCP/IP became the de facto networking protocol in the Windows network arena. When Windows 2000 came out, TCP/IP and DNS were integral parts of the most powerful and flexible operating system made. Active Directory changed the way that Windows network administrators did their jobs. No longer would they be crippled by hard-to-manage system policies or have to resort to third-party solutions such as Novell’s ZENWorks—Windows 2000 was a complete package, albeit with some problems, but a massive step in the right direction no less. But wait; how did DNS come into the picture all of a sudden?

DNS is a service that originated with the original Internet (Advanced Research Projects Agency Network [ARPANET] at the time) and is used to resolve a Fully Qualified Domain Name (FQDN) into an Internet Protocol (IP) address. It is important to remember that computers only care about two numbers: 0 and 1. Every operation any computer does is based solely on those two numbers. Everything else is added on to make things easier for the human beings that operate and interact with binary-speaking computers. Computers communicating with each other using TCP/IP do so by directing their traffic to an IP address, such as 216.238.8.44. This IP address is nothing more than a grouping of 32 0s or 1s in a specific order. For example, you are getting ready to take the latest Windows Server 2003 certification exam and you heard that Syngress Publishing has some study guides that might help you prepare for the exam. You want to check out the Syngress Publishing Web site so you can see for yourself. Without DNS you would need to know that the IP address for Syngress Publishing’s Web site is 216.238.8.44. Thanks to DNS, you can simply type www.syngress.com into the browser and be connected. Think of DNS as a large phone book of sorts: you put in an easy-to-remember name and it returns a useful IP address that can be used to connect to a Web site.


EXAM 70-292 OBJECTIVE 5.1

Introducing and Planning the DNS Service

DNS is at the heart of Windows Server 2003. Therefore, this chapter begins with a discussion of how DNS works and what exactly it does for networks. Subsequent sections cover the installation and configuration of a Windows Server 2003 DNS server.

Back in the early days of connected computing, the Internet was known as the ARPANET. The total number of hosts on the entire ARPANET was less than 100, and a master list of server names and their respective IP addresses was maintained in a file called HOSTS.TXT. This worked great until more and more servers and computers began to connect to the ARPANET. In a short period of time a change had to be made. That change was the introduction of the DNS.

DNS is a large hierarchical database that contains the names and IP addresses for IP networks and hosts. In today’s computing environment, DNS is used almost universally as the preferred means of name resolution. With Windows 2000, Microsoft migrated from their proprietary, less accepted Windows Internet Naming Service (WINS) to DNS, and has continued using DNS as the de facto standard for all Windows networks.

So what is a hierarchical database? In simple terms, it is a multilevel organization system. Consider the FQDN of mail.bigcorp.com. The MAIL portion of the FQDN represents the host (or computer). The BIGCORP portion of the FQDN represents what is known as a second-level domain. The COM portion represents what is known as a top-level domain (TLD). Figure 6.1 illustrates this concept.

Figure 6.1 DNS Hierarchical Database System

[Figure 6.1 shows an inverted tree: the ROOT, “.”, at the top; the TLDs COM, EDU, GOV, MIL, NET, and ORG beneath it; BIGCORP beneath COM; and MAIL beneath BIGCORP.]

As seen in Figure 6.1, the top of the DNS hierarchy is called the root, which is symbolized by a single period “.”. The DNS system is a distributed database that allows the entire database to be broken up into smaller segments, while maintaining an overall logical architecture to help provide required name resolution services on the Internet and private local networks. There are 13 root name servers that sit at the top of the hierarchical chain and perform top-level name resolution for Internet clients. These servers are located all over the globe, with the majority of them located in the United States.

DNS is designed to allow multiple name servers for redundancy and improved performance. For further performance improvement, the caching of resolution results is allowed on local DNS servers, thus preventing repetitive resolution requests. At each level of the DNS hierarchy, parts of the overall namespace are located on many computers, thus the data storage and query loads are distributed throughout thousands of DNS servers around the Internet. The hierarchical nature of DNS is designed in such a way that every computer on or off the Internet can be named as part of the DNS namespace.
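To make the referral chain and the caching just described concrete, here is an added Python model (not code from the study guide) of a local DNS server resolving names iteratively from the root downward. The three authoritative servers, the bigcorp.com zone contents, and the 192.0.2.x addresses are constructed for the example; a real resolver also honours record TTLs and caches negative answers, which this toy omits.

```python
"""Toy model of iterative DNS resolution through the hierarchy, with a cache
on the local DNS server. Added example for illustration; the servers, zone
data and 192.0.2.x addresses are constructed, not real Internet data."""

# Constructed authoritative data. Each server either answers for names in its
# own zone or refers the resolver to the server one level down the tree.
SERVERS = {
    "root":       {"answers": {}, "referrals": {"com.": "ns-com"}},
    "ns-com":     {"answers": {}, "referrals": {"bigcorp.com.": "ns-bigcorp"}},
    "ns-bigcorp": {"answers": {"mail.bigcorp.com.": "192.0.2.25",
                               "www.bigcorp.com.": "192.0.2.80"},
                   "referrals": {}},
}


def ancestors_of(fqdn):
    """'mail.bigcorp.com.' -> ['.', 'com.', 'bigcorp.com.', 'mail.bigcorp.com.']"""
    labels = fqdn.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def in_zone(fqdn, zone):
    """True when fqdn is the zone itself or lies beneath it on a label boundary."""
    return zone == "." or fqdn == zone or fqdn.endswith("." + zone)


class CachingResolver:
    """A local DNS server that starts each walk at the closest server it
    already knows and remembers both final answers and referrals."""

    def __init__(self):
        self.answer_cache = {}
        self.referral_cache = {".": "root"}   # the root hints are always known
        self.queries_sent = 0                 # queries sent to other servers

    def resolve(self, name):
        fqdn = name if name.endswith(".") else name + "."
        if fqdn in self.answer_cache:         # cache hit: no network traffic at all
            return self.answer_cache[fqdn]
        # Start at the deepest ancestor zone whose server is already cached.
        start = next(z for z in reversed(ancestors_of(fqdn)) if z in self.referral_cache)
        server = self.referral_cache[start]
        while True:
            self.queries_sent += 1
            data = SERVERS[server]
            if fqdn in data["answers"]:
                self.answer_cache[fqdn] = data["answers"][fqdn]
                return self.answer_cache[fqdn]
            candidates = [z for z in data["referrals"] if in_zone(fqdn, z)]
            if not candidates:
                raise LookupError(f"{fqdn}: no such name (NXDOMAIN)")
            zone = max(candidates, key=len)   # follow the most specific referral
            server = data["referrals"][zone]
            self.referral_cache[zone] = server


def try_resolve(resolver, name):
    """Return the address, or None when the name does not exist."""
    try:
        return resolver.resolve(name)
    except LookupError:
        return None


def demo():
    """Resolve three names and report the cumulative query count after each."""
    r = CachingResolver()
    trace = []
    for n in ("mail.bigcorp.com", "www.bigcorp.com", "mail.bigcorp.com"):
        trace.append((n, r.resolve(n), r.queries_sent))
    return trace
```

demo() returns a trace in which the first lookup costs three queries (root, COM, then bigcorp.com's server), the second name in the same zone costs one because the referral to ns-bigcorp is cached, and the repeated lookup costs none. That is the "preventing repetitive resolution requests" benefit the paragraph describes, and it is also why a cache-poisoning protection matters on a real server: whatever lands in that cache is handed to every later client without another question being asked.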

The DNS Hierarchical Namespace

The simple and powerful DNS naming convention adds a layer of complexity to the planning process.The overall DNS namespace is a complex arrangement that consists of many different pieces, all arranged in a specific order. Similar to the way a file system is implemented on a computer to store files in folders, DNS names are created as part of a hierarchical database system. Hierarchies are very powerful storage systems because they can store large amounts of data while also making this data easily searchable.

Form of a Hierarchy…

Can you think of any other services in Windows Server 2003 that use a hierarchical arrangement? If you said Active Directory, you are correct! When Microsoft made the switch to DNS as the de facto name resolution standard for Windows networks, they designed Active Directory to mirror DNS. The Active Directory hierarchy is created directly on top of the existing rules that govern DNS hierarchies, thus the information in the DNS hierarchy of a Windows Server 2003 Active Directory network is directly related to that of the Active Directory hierarchy.

The Active Directory implementation is designed like a forest. At the top of the forest is a root domain; under this root domain are child domains. Each domain in the forest can have any number of child domains and any number of levels of domains below it, within the overall naming restrictions (discussed later in this chapter). Organizational units, containers, users, computers, and various other network objects are located within domains. Because Active Directory and DNS are so tightly interwoven, a TCP/IP network with DNS service is a requirement in order to create an Active Directory network.


The following list of key terms will be useful throughout the rest of this chapter.

FQDN

The domain name, which includes all domains at all levels between the host and root of DNS. As seen earlier, mail.bigcorp.com is a FQDN.


Leaf

The very last item in a hierarchical tree structure. Leaves do not contain any other objects and are commonly referred to as nodes in DNS.

Node

The point where two or more connecting lines in a hierarchical tree structure intersect at a common point. Nodes in DNS commonly refer to hosts, subdomains or even TLDs.

TLD

The suffix that is attached to all FQDNs, such as COM. Some of the most common TLDs are detailed in Table 6.1.

Tree

A hierarchical data structure where each piece of data is connected to one or more pieces directly below it in the hierarchy. In the case of DNS, it is an inverted tree because the root appears at the top.

Zone

A file stored on a DNS server containing a logical grouping of host names within the DNS system that is used to perform name resolution.

Some common TLDs are presented in Table 6.1.

Table 6.1 Common TLDs

Top Level Domain: Description

COM: Originally intended for use by commercial entities, but has been used for many different reasons. An example of the COM TLD is mcsaworld.com.

EDU: Created for use by higher education institutions such as four-year colleges and universities. An example of the EDU TLD is stanford.edu.

GOV: Created for use by agencies of the United States federal government. An example of the GOV TLD is whitehouse.gov.

MIL: Created for use by agencies of the United States military. An example of the MIL TLD is army.mil.

NET: Originally intended for use by computer network providers and organizations dedicated to the Internet, but has been used for many different reasons. An example of the NET TLD is ibm.net.

ORG: Originally intended for use by nonprofit or noncommercial organizations, such as professional groups, churches, and other organizations, but has been used for many different reasons. An example of the ORG TLD is pbs.org.

Test Day Tip

There are over 100 country-specific TLDs currently in existence, such as CA for Canada, UK for the United Kingdom, and JP for Japan. For a complete listing of all country-specific TLDs, see www.iana.org/cctld/cctld-whois.htm.


Determining Namespace Requirements

Before installing a DNS server, it is important to do some planning. Because of the extensive integration of DNS and Active Directory in Windows Server 2003, an administrator must take great care to get their DNS implementation correct the first time around. This process can be started by realistically answering the following three questions.

1. Will the DNS namespace being created be used for internal purposes only? If the answer is no, the network administrator will need to ensure that they adhere to all requirements of RFC1123. If the answer is yes, they have much more flexibility. They might create a namespace such as mcsaworld.corp. This can be thought of as the internal namespace.

2. Will the DNS namespace also be used on the Internet? If yes, the network administrator should seriously consider registering a domain name for their organization with one of the many domain name registrars available. This will also impact their namespace naming system per the requirements of RFC1123. This can be thought of as the external namespace.

3. Will the network administrator be implementing Active Directory on their network? If yes, the network administrator should consider creating Active Directory integrated zones (discussed later in this chapter). The administrator will also need to ensure that any third-party DNS servers, such as Berkeley Internet Name Domain (BIND), meet the requirements of Active Directory.

Note

When planning DNS namespaces for an organization, it is important to pay particular attention to the internal and external namespaces. An internal namespace could be a Windows Server 2003 DNS infrastructure with the name mcsaworld.corp. Conversely, the external namespace could be reached via Internet-hosted DNS as mcsaworld.com so visitors could be directed to the Web server with that domain name. It is recommended that the internal namespace be kept private for security reasons.

Once these three questions are answered, the following three options need to be considered for creating the DNS namespace the network will be using.

Use an Existing DNS Namespace

This option is the easiest to start with, but requires additional administrative work (discussed later in this chapter). When a network administrator uses an existing DNS namespace, they are in effect using the same namespace for their external (Internet) and internal network segments.

This method is fairly simple and provides easy access to both internal and external resources. The downside of this method is that it can leave an internal network wide open to attack and compromise. Administrators responsible for DNS must make sure that the appropriate records are stored on the internal and external DNS servers to maintain the security of the internal network.

Use a Delegated Namespace

When an administrator uses a delegated namespace, they are opting to use a subdomain of their primary namespace. For example, suppose they are working for BigCorp Corporation and already own the bigcorp.com domain name. With a delegated namespace, the administrator might create the corp.bigcorp.com subdomain and use this as the root of their DNS and Active Directory implementation. Internal clients can easily be allowed to resolve external IP addresses through forwarding, while preventing external clients from resolving internal IP addresses. This option maintains the overall namespace and allows the network administrator to protect and isolate all internal data in its own forest. The only drawback to this option is that it adds additional length to the FQDN.

Use a Completely Unique Namespace

When an administrator uses a completely unique namespace, they are using a separate but related domain name for their internal namespace. So, if they were already using the bigcorp.com domain name for their Internet namespace, they might consider using the bigcorp.net domain name for their internal namespace. This option is advantageous in two ways: no zone transfers are required between the internal and external namespaces, and the existing DNS namespace remains unchanged. This option also prevents internal clients from being exposed to the Internet by default.

Note

The method used most often by administrators is a delegated namespace, such as corp.bigcorp.com, if they already own the domain name bigcorp.com. This allows for a fairly contiguous and easy-to-remember namespace for all internal users. The internal namespace can be completely isolated for security reasons from the external namespace, yet still retain the familiar look of the existing external namespace.

Now that the questions are answered and the various options have been examined for creating a Windows Server 2003 DNS namespace, consider the following example of how it all comes together. ACME Rockets is a major manufacturer of rockets. They already own the domain name acmerockets.com and their corporate headquarters are located in Rockland, Massachusetts. ACME Rockets has field offices and manufacturing facilities located in the following countries: Canada, Mexico, England, France, Japan, and Australia.

The corporate structure of ACME Rockets has the following major departments: Executive, Production, Sales, Information Technology, and Legal. Each department has several child divisions within it. Given this information, how would a network administrator design a namespace for ACME Rockets?

www.syngress.com

271_70-292_06.qxd 8/20/03 5:29 PM Page 344

344 Chapter 6 • Implementing, Managing, and Maintaining Name Resolution

Starting with the namespace of acmerockets.com, let’s delegate the namespace and create corp.acmerockets.com as the root of the internal DNS and Active Directory namespace. In this arrangement, corp becomes a third-level domain. From here, create fourth-level domains by country code. Each of these fourth-level domains can be subdivided further, if required, to create fifth-level domains for specific departments. In this example, we will stop at fourth-level domains. Our solution is shown in Figure 6.2, but yours will vary depending on your methodology and specific requirements.

Figure 6.2 Delegated Namespace Configuration is Easily Implemented and Understood

[Figure: a namespace tree. External namespace: com, with acmerockets beneath it. Internal namespace: corp beneath acmerockets, with the country-code subdomains fr, ca, us, uk, jp, au, and mx beneath corp.]

For example, if a server located in the United States is named ARDHCP0042, its FQDN would be ARDHCP0042.us.corp.acmerockets.com. As discussed previously, there are finite limitations on the total length of an FQDN as well as the characters that are allowed in an FQDN. These restrictions are outlined in Table 6.2.

Table 6.2 DNS Name Restrictions in Windows Server 2003 (per RFC 1123)

| Restriction | Standard DNS | DNS in Windows Server 2003 (Including Windows 2000) |
| Characters | Per the requirements of RFC 1123, only the standard characters are supported: “A” to “Z,” “a” to “z,” “0” to “9,” and the hyphen, “-”. | Provides standard support as specified in RFC 1123. Also provides support for specifications RFC 2181 and 2044. |
| FQDN length | The total length cannot exceed 255 bytes. Each label cannot exceed 63 bytes. | The same restrictions apply, with the exception that domain controllers are limited to an FQDN that does not exceed 155 bytes in length. |
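The limits in Table 6.2 are easy to check mechanically before a naming scheme is rolled out. The following is an added example written for this section, not code from the book or from Microsoft: it applies the RFC 1123 character set, the 63-byte label and 255-byte name limits, and the 155-byte Windows Server 2003 limit for domain controller FQDNs. Rejecting labels that begin or end with a hyphen goes slightly beyond the table and follows the RFC 1123 host-name grammar (an assumption stated here, not a rule the table lists).

```python
"""Added example: validating DNS names against the Table 6.2 limits.

Constructed for this section; not code from the book. The leading/trailing
hyphen rule follows RFC 1123 and is an addition to what the table states.
"""
import re

MAX_LABEL_BYTES = 63      # per label, standard DNS
MAX_FQDN_BYTES = 255      # whole name, standard DNS
MAX_DC_FQDN_BYTES = 155   # Windows Server 2003 domain controllers only

# A-Z, a-z, 0-9 and hyphen; a hyphen may not be the first or last character.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def check_fqdn(name, is_domain_controller=False):
    """Return the list of rule violations for ``name`` (empty list means OK)."""
    problems = []
    fqdn = name.rstrip(".")            # a trailing dot marks the root; not counted
    if not fqdn:
        return ["name is empty"]

    total = len(fqdn.encode("utf-8"))
    if total > MAX_FQDN_BYTES:
        problems.append(f"total length {total} exceeds {MAX_FQDN_BYTES} bytes")
    if is_domain_controller and total > MAX_DC_FQDN_BYTES:
        problems.append(
            f"domain controller FQDN length {total} exceeds {MAX_DC_FQDN_BYTES} bytes")

    for label in fqdn.split("."):
        size = len(label.encode("utf-8"))
        if size > MAX_LABEL_BYTES:
            problems.append(
                f"label {label[:10]!r}... is {size} bytes, limit {MAX_LABEL_BYTES}")
        if not _LABEL_RE.match(label):
            problems.append(f"label {label!r} uses characters outside the RFC 1123 set")
    return problems


def is_valid_fqdn(name, is_domain_controller=False):
    """Convenience wrapper: True when no rule is violated."""
    return not check_fqdn(name, is_domain_controller)


if __name__ == "__main__":
    # The book's ARDHCP0042 name passes; an underscore (common in NetBIOS
    # names) fails the standard character set.
    for host in ("ARDHCP0042.us.corp.acmerockets.com",
                 "file_server.corp.acmerockets.com"):
        print(host, "->", check_fqdn(host) or "OK")
```

Run it against a proposed host inventory before a migration; names that pass the standard check are safe on BIND and Windows alike, while names that fail only the RFC 1123 set may still work on Windows DNS (which also honours RFC 2181) but will not interoperate.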


Determining Zone Type Requirements

The next crucial pieces of the overall DNS puzzle are the concepts of zones of authority (zones) and zone transfers.

A zone of authority (zone) is a file that contains the complete information on a portion of a domain namespace—it is a subset of a domain. One name server (or multiple servers when DNS is Active Directory-integrated) is authoritative for every zone and will respond to any request that a client makes for name resolution against that zone. So, in looking at the DNS name www.syngress.com, syngress.com is a DNS zone within the com hierarchy. Remember that www is just the name or alias of a host within the syngress.com zone—typically that assigned to the Web server(s).

Zones store data in a zone database file (or zone file) located on the DNS server. Windows Server 2003 keeps its DNS zone files in the following location: %systemroot%\system32\dns. If Active Directory-integrated zones are implemented, the actual zone data is stored in the Active Directory database with the rest of the Active Directory data. Following is a list of the different types of zones that can be created when using the Windows Server 2003 DNS service.

Standard

The standard zone is supported by all versions of DNS server software and has been used since the introduction of DNS. There are two different roles that can be assigned when standard DNS zones are being used:

Standard Primary

The standard primary zone holds the master copy of the zone file and will replicate it to all configured secondary zones using the standard zone file text format. All changes made to the zone file must be made by the primary zone server, as it holds the only writeable copy. Primary zones function similarly to the way Windows NT 4.0 Primary Domain Controllers (PDCs) operated in that only one server can write to the data.

Standard Secondary

The standard secondary zone holds a read-only copy of the zone file in standard text format. Any number of secondary zone servers can be created to increase the performance and availability of the DNS implementation. Secondary zones function similarly to the way Windows NT 4.0 Backup Domain Controllers (BDCs) operated in that they possess a read-only copy of the data.

Active Directory-Integrated

All zone information is contained within the Active Directory database to provide for increased security and availability. When Active Directory-integrated zones are created, the DNS server runs on all domain controllers in the domain and any DNS server can modify the zone data. Active Directory-integrated zones do not perform zone transfers among themselves—they replicate data with the rest of the Active Directory data. Active Directory-integrated zones are only available on Windows 2000 Server and Windows Server 2003 DNS servers in an Active Directory domain.

Stub

Stub zones are new in Windows DNS, with support being introduced in Windows Server 2003. A stub zone contains only the specific resource records necessary to identify the authoritative DNS servers for the zone.

EXAM WARNING

What is the difference between a zone and a domain? A domain is a portion of the overall DNS namespace. A zone, however, can contain multiple contiguous domains.

Look at the corp.bigcorp.com domain. Inside of it is all of the information that is specific to that portion of the overall DNS namespace. us.corp.bigcorp.com is another example of a domain—one that is contiguous within the corp.bigcorp.com domain tree. While the two domains are related to each other and share a node, they are completely separate domains—each with their own resource records. A zone can be created on a DNS server that would contain records for both domains. A zone is a container that allows the network administrator to logically group and manage domains and their associated resource records as desired within their DNS implementation.

Do not overlook the zone type when planning a DNS implementation. The type of zone implemented determines the placement and configuration of the DNS servers on the network. Consider the following points about standard zones and Active Directory-integrated zones:

■ When using standard zones, the following items are important to remember:

    ■ Only one single DNS server holds the master (writeable) copy of the DNS zone file.

    ■ Zone transfers may be conducted using either incremental or full zone transfer as needed.

    ■ Full compatibility is provided with BIND DNS servers.

■ When using Active Directory-integrated zones, the following items are important to remember:

    ■ DNS servers operate in a multimaster arrangement, allowing any DNS server to make changes to the zone data.

    ■ Zone transfers do not occur. Zone data is replicated with the Active Directory data.

    ■ DNS dynamic update has redundancy, as the failure of a single DNS server will not prevent updates from occurring.

    ■ Active Directory-integrated zones appear to BIND servers as standard primary zone servers.

    ■ The security of zone data is increased due to being protected by Active Directory. Active Directory-integrated zones can be configured to use only secure dynamic updates, thus preventing rogue clients from populating the DNS zone file with bad information. As well, DACLs are used to control access to DNS.

    ■ Zone data can be transferred to a standard secondary zone if desired for use in remote locations or DMZ environments.

Table 6.3 summarizes the key points to remember when choosing between standard and Active Directory-integrated zones.

Table 6.3 Standard and Active Directory-Integrated Zone Features

| DNS Feature | Standard DNS Zones | Active Directory-Integrated Zones |
| Meets the IETF specifications for DNS servers? | Yes | Yes |
| Uses Active Directory for replication? | No | Yes |
| Provides increased reliability and security? | No | Yes |
| Zone updates can occur after the failure of the master server? | No | Yes (all DNS servers operate in a multimaster arrangement) |
| Provides support for incremental zone transfers? | Yes | Yes (only changed zone data is replicated during the Active Directory replication cycle) |

Standard secondary zones offer some very attractive benefits:

■ When using standard zones, secondary zone servers provide availability and redundancy of the zone in the event that the primary zone server becomes unresponsive. Also, multiple secondary zone servers reduce the loading on the primary zone server.

■ When using either standard or Active Directory-integrated zones, secondary zones can be used in remote offices to reduce wide area network (WAN) use and increase the speed of local name resolution at the remote site.

■ When using either standard or Active Directory-integrated zones, secondary zones can be used in DMZs to provide a read-only copy of the zone data as required.


When using standard zones, it is important to ensure that only the desired DNS servers are allowed to perform zone transfers. Zone transfers conducted by attackers can provide a detailed “road map” of an entire network. Zone transfers occur only for standard zones. Active Directory-integrated zones use zone replication as part of the regular Active Directory replication schedule.

DNS, unlike WINS, always initiates zone transfers with the secondary zone server polling the primary server to determine the current version of the zone file. The zone version on the primary zone server is then compared to the version that the secondary zone server holds to see if it has changed. If the zone version number has changed, the secondary zone server initiates a zone transfer. Since a primary zone server will perform a zone transfer with any server requesting one, the network administrator must configure the list of servers that the primary zone server is authorized to perform zone transfers with.

Windows Server 2003 DNS supports both incremental (IXFR) and full (AXFR) zone transfers. If both DNS servers involved in a zone transfer support incremental zone transfers, the secondary zone server will pull from the primary zone server (standard or Active Directory-integrated) only those changes that have been made to resource records since the last zone version number it received. Using IXFR, a single resource record could potentially be updated multiple times during a zone transfer. By using IXFR, however, network traffic is greatly reduced and the overall zone transfer speed is increased.

When only Active Directory-integrated zones are used, zone transfer does not occur. Active Directory-integrated zones replicate data among all domain controllers, thus allowing all DNS servers (domain controllers) to change the zone data and have it replicated. Zone replication occurs on a per-property basis so that only the pertinent changes to a resource record are updated. Also, Active Directory-integrated zones only replicate the final result of multiple changes that are made to a resource record. Network administrators should always seek to implement Active Directory-integrated zones on their network.
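The polling, authorization and IXFR/AXFR decisions described above can be seen end to end in a small model. This is an added example written for this section, not the book's or Microsoft's code: zone names, record data, serial numbers and server addresses are constructed, and the change journal is a simplification of how a real server tracks zone versions. The point it makes is the one the text stresses: a primary that is not given a zone transfer list hands the whole zone to anyone who asks, so the transfer list is checked before anything else.

```python
"""Added example: secondary polling, transfer authorization and IXFR vs AXFR.

Constructed for this section; not code from the book. Addresses, records
and serials are made up.
"""


class PrimaryZone:
    """Writeable copy of a standard zone plus a change journal for IXFR."""

    def __init__(self, name, records, serial, allowed_transfer):
        self.name = name
        self.records = dict(records)                   # owner -> address
        self.serial = serial                           # SOA serial, bumped per change
        self.allowed_transfer = set(allowed_transfer)  # IPs permitted to transfer
        self.journal = []                              # (new_serial, owner, old, new)

    def update(self, owner, address):
        """Only the primary writes; each change gets a new serial and a journal entry."""
        old = self.records.get(owner)
        self.serial += 1
        self.records[owner] = address
        self.journal.append((self.serial, owner, old, address))

    def soa_serial(self):
        return self.serial

    def transfer(self, requester_ip, have_serial, supports_ixfr=True):
        """Answer a transfer request. Returns one of
        ("REFUSED", None), ("CURRENT", None), ("IXFR", deltas), ("AXFR", copy)."""
        if requester_ip not in self.allowed_transfer:
            return "REFUSED", None          # not on the zone transfer list: no data
        if have_serial == self.serial:
            return "CURRENT", None
        # IXFR only works if the journal still reaches back to the requester's serial.
        journal_start = self.journal[0][0] - 1 if self.journal else self.serial
        if supports_ixfr and journal_start <= have_serial < self.serial:
            return "IXFR", [j for j in self.journal if j[0] > have_serial]
        return "AXFR", dict(self.records)


class SecondaryZone:
    """Read-only copy that polls the primary's SOA serial for changes."""

    def __init__(self, ip, name):
        self.ip = ip
        self.name = name
        self.records = {}
        self.serial = 0

    def poll(self, primary, supports_ixfr=True):
        """Compare serials; initiate a transfer only if the primary has moved on."""
        if primary.soa_serial() == self.serial:
            return "CURRENT"
        kind, data = primary.transfer(self.ip, self.serial, supports_ixfr)
        if kind == "IXFR":
            for new_serial, owner, _old, new in data:   # apply changes in order
                self.records[owner] = new
                self.serial = new_serial
        elif kind == "AXFR":
            self.records = data
            self.serial = primary.soa_serial()
        return kind                                     # REFUSED leaves us untouched
```

Usage: create a PrimaryZone with the secondaries' IPs in allowed_transfer, then have each SecondaryZone call poll() on its refresh interval; an address that is not on the list gets REFUSED and learns nothing about the zone's contents.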

Where do forward lookup zones and reverse lookup zones fit into the picture? A forward lookup zone is a specific zone file used to resolve an IP address from an FQDN. A reverse lookup zone does the exact opposite, resolving an FQDN from an IP address. Both types of lookup zones have their purposes, and for best results should always be configured and deployed within the DNS zones. While the DNS resolution process works perfectly without a reverse lookup zone configured, an administrator will not be able to get maximum power from the nslookup command, a command-line utility used to perform command-line name resolution and troubleshooting. The nslookup command is examined in more detail later in this chapter.

EXAM 70-292 OBJECTIVE 5.1.3

Determining Forwarding Requirements

To understand the operation of and need for DNS forwarding, it is important to understand how the name resolution sequence occurs. In a Windows TCP/IP network, all clients are DNS resolvers, meaning they have been configured with the IP address of one or more DNS servers and can perform name resolution queries against these DNS servers. The DNS resolver is part of the DNS Client service, which is automatically installed when Windows is installed. When a resolver performs a name resolution query against a DNS server, it is one of two types:

Recursive Query

A DNS query sent from the resolver or a DNS server to a DNS server, asking that DNS server to provide a complete answer to that query or reply with an error stating that it cannot provide the required information.

Iterative Query

A DNS query sent from the resolver or another DNS server in an effort to perform name resolution, asking the receiving DNS server for the best answer it currently has. That answer may be a referral to another DNS server rather than a complete answer.

For DNS servers configured properly as forwarders, any recursive queries that cannot be answered by that DNS server are forwarded to another DNS server. If the query is for a name outside of that DNS server’s zone of authority, the DNS server performs an iterative query against a root DNS server, which responds with the IP address of the DNS server responsible for the zone of authority that includes the desired top-level name being queried. The DNS server then makes additional iterative queries as required to other DNS servers until the requested name resolution has been accomplished and the results are returned to the resolver. This process is illustrated in Figure 6.3.

Consider an example where a client computer located in the bigcorp.com zone wants to contact a File Transfer Protocol (FTP) server located in the syngress.com zone. The process by which the client (the DNS resolver) obtains the requested IP address is explained in the following steps:

1. The client computer performs a recursive query against its local DNS server (hosting the bigcorp.com zone) for the IP address of the FTP server located in the syngress.com zone.

2. The local DNS server does not know this information, but is configured as a forwarder so it then issues an iterative query to one of the root DNS servers requesting the IP address of the FTP server located in the syngress.com zone.

3. The root DNS server does not know this IP address, but does know the IP address of the DNS server responsible for the syngress.com zone; therefore it provides this IP address to the bigcorp.com DNS server.

4. The local DNS server issues another iterative query, this time to the DNS server that is authoritative for the syngress.com zone, asking for the IP address of the FTP server.

5. The syngress.com DNS server is the authoritative server for the syngress.com zone so it can provide the requested name resolution service. Thus, it returns the requested IP address to the local DNS server.

6. The local DNS server passes this IP address information along to the client, completing the name resolution process.

7. The client uses this IP address to initiate a connection to FTP server ftp.syngress.com.
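The sequence above, modeled as code so the difference between the client's single recursive query and the local server's chain of iterative queries is explicit. This is an added example written for this section, not code from the book: the name servers and their IP addresses are constructed (documentation-range values), and a .com TLD hop is included between the root and the syngress.com server, which the book's figure collapses into the root server.

```python
"""Added example: the recursive/iterative resolution walk of Figure 6.3.

Constructed for this section; not code from the book. Servers, zones and
addresses are made up; the .com TLD hop is an addition to the figure.
"""

# Constructed name servers keyed by IP. "auth" holds zones the server is
# authoritative for; "delegations" holds NS glue for zones it refers to.
SERVERS = {
    "198.41.0.4": {                                   # root server
        "auth": {},
        "delegations": {"com": "192.5.6.30"},
    },
    "192.5.6.30": {                                   # .com TLD server
        "auth": {},
        "delegations": {"syngress.com": "203.0.113.53"},
    },
    "203.0.113.53": {                                 # authoritative for syngress.com
        "auth": {"syngress.com": {"ftp.syngress.com": "203.0.113.21",
                                  "www.syngress.com": "203.0.113.80"}},
        "delegations": {},
    },
}
ROOT_SERVER = "198.41.0.4"


def iterative_query(server_ip, name):
    """One iterative query: the server answers with the best it knows, which
    may be a referral to another server rather than a final answer."""
    server = SERVERS[server_ip]
    for zone, records in server["auth"].items():
        if name == zone or name.endswith("." + zone):
            addr = records.get(name)
            return ("ANSWER", addr) if addr else ("NXDOMAIN", None)
    best = None                   # longest matching delegation wins
    for zone, ns_ip in server["delegations"].items():
        if name.endswith("." + zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, ns_ip)
    return ("REFERRAL", best[1]) if best else ("NXDOMAIN", None)


def resolve_recursive(name, max_hops=8):
    """What the client's local DNS server does with a recursive query: start
    at the root and follow referrals until an answer or an error.
    Returns (address_or_None, trace); trace lists (server asked, reply kind)."""
    trace = []
    server_ip = ROOT_SERVER
    for _ in range(max_hops):
        kind, data = iterative_query(server_ip, name)
        trace.append((server_ip, kind))
        if kind == "ANSWER":
            return data, trace
        if kind == "REFERRAL":
            server_ip = data          # ask the server we were referred to
            continue
        return None, trace            # NXDOMAIN: authoritative "no such name"
    return None, trace                # referral loop or too many hops: give up


if __name__ == "__main__":
    ip, steps = resolve_recursive("ftp.syngress.com")
    for hop, (server, kind) in enumerate(steps, 1):
        print(f"iterative query {hop}: asked {server} -> {kind}")
    print("answer returned to client:", ip)
```

The max_hops guard matters in practice: a misconfigured delegation that refers back to itself would otherwise keep the local server looping on behalf of one client query.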


Figure 6.3 The Name Resolution Process may Involve Multiple Iterative Queries

[Figure: the client (bigcorp.com), the DNS server (bigcorp.com), the root DNS server, the DNS server (syngress.com) and the FTP server (syngress.com), with arrows numbered 1 through 7 matching the steps above.]

The local DNS server was able to provide the requested name resolution information to the client because it was configured as a forwarder—a DNS server allowed to take an incoming recursive query and pass it on to another DNS server if it cannot answer the query. As seen in Figure 6.3, configuring forwarding can provide internal clients with an easy way to perform name resolution for computers not located on their internal network. Another application where DNS forwarders shine is when you have remote caching-only DNS servers (a DNS server that has no zone file, but instead only caches the results of queries in RAM) that forward name resolution queries to a centrally located DNS server if they do not have the answer in their cache. If a DNS forwarder does not receive a valid name resolution response from the server that it has forwarded the query to, it will attempt to perform the name resolution itself.

There are two other types of forwarding supported in Windows Server 2003. A DNS slave server is a DNS forwarder configured not to try to resolve a name resolution request itself if it does not receive a valid resolution response from its forwarded request. Slave servers are typically implemented in more secure situations where the network administrator wants to limit the number and types of connections crossing a specific link. A new feature of DNS in Windows Server 2003 is conditional forwarding, in which an administrator can configure that DNS resolution requests should be forwarded to specific DNS servers based on the domain for which the resolution is being requested. Prior to Windows Server 2003, all forwarded requests were sent only to a single server. Consider the example in Figure 6.4 where name resolution requests for the internal network can be forwarded to one DNS server that contains information about internal DNS zones, but all other name resolutions (for Internet domains) can be forwarded to the Internet using standard forwarding procedures.

Figure 6.4 Name Resolution Requests are Forwarded to Specific DNS Servers Based on the Domain Name Being Requested

[Figure: the client (bigcorp.com) sends query 1 to the forwarding DNS server (bigcorp.com), which forwards it (steps 2 and 3) either to the root DNS server or to the internal DNS server (bigcorp.com), depending on the domain name requested.]

As seen in Figure 6.4, Step 1 remains the same; the client (DNS resolver) has issued a recursive query to a local DNS server. The local DNS server does not have authority for the requested zone information, but is configured as a conditional forwarder. The resolution request is forwarded to either an Internet DNS server or another local DNS server depending on the domain name contained in the name resolution request.


EXAM WARNING

If recursion is disabled for a DNS server, forwarding will also be disabled for that DNS server. For a DNS server to act as a forwarder, it must be able to issue recursive queries.
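Conditional forwarding (Figure 6.4), slave behaviour and the recursion rule in the exam warning above combine into one decision procedure on the forwarding server. The following is an added example written for this section, not code from the book or from Microsoft: the upstream servers are stand-ins holding fixed answers, the addresses are constructed, and FALLBACK_TABLE stands in for the iterative resolution a non-slave forwarder would perform on its own when its forwarders do not reply.

```python
"""Added example: conditional forwarding, slave mode and the recursion rule.

Constructed for this section; not code from the book. Upstream servers and
addresses are made up; FALLBACK_TABLE stands in for an iterative lookup.
"""

# Constructed upstream servers: IP -> {name: address}. An IP missing from
# this dict is treated as unreachable (no response).
UPSTREAM = {
    "10.0.0.53": {"intranet.corp.bigcorp.com": "10.0.1.20"},    # internal DNS
    "198.51.100.53": {"www.syngress.com": "203.0.113.80"},      # ISP resolver
}

# Stand-in for the forwarder's own iterative resolution (non-slave only).
FALLBACK_TABLE = {"www.syngress.com": "203.0.113.80"}


class ForwardingServer:
    def __init__(self, conditional, default, slave=False, recursion=True):
        self.conditional = dict(conditional)  # {"corp.bigcorp.com": ["10.0.0.53"]}
        self.default = list(default)          # forwarders for every other domain
        self.slave = slave                    # slave: never resolve on its own
        self.recursion = recursion            # Disable Recursion also disables forwarding
        self.authoritative = {}               # records this server hosts itself

    def pick_forwarders(self, name):
        """Longest configured domain suffix wins; otherwise the default list."""
        best = None
        for domain, servers in self.conditional.items():
            if name == domain or name.endswith("." + domain):
                if best is None or len(domain) > len(best[0]):
                    best = (domain, servers)
        return best[1] if best else self.default

    def resolve(self, name):
        """Return (status, address_or_None, trace)."""
        trace = []
        if name in self.authoritative:
            return "OK", self.authoritative[name], ["local zone"]
        if not self.recursion:
            # Without recursion the server answers only from its own zones.
            return "REFUSED", None, ["recursion disabled, forwarding off"]
        for ip in self.pick_forwarders(name):
            answers = UPSTREAM.get(ip)
            if answers is None:
                trace.append(f"{ip}: no response")
                continue                           # try the next forwarder
            if name in answers:
                trace.append(f"{ip}: answer")
                return "OK", answers[name], trace
            trace.append(f"{ip}: NXDOMAIN")        # a valid (negative) response
            return "NXDOMAIN", None, trace
        if self.slave:
            return "SERVFAIL", None, trace + ["slave: will not resolve on its own"]
        trace.append("own iterative lookup")      # standard forwarder falls back
        addr = FALLBACK_TABLE.get(name)
        return ("OK", addr, trace) if addr else ("NXDOMAIN", None, trace)
```

The slave case is the security-relevant one: with no forwarder reachable, the slave returns SERVFAIL and never opens its own connections toward the Internet, which is exactly why it is chosen where the firewall is meant to see DNS traffic from one designated server only.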

Now that the initial planning is done and the network administrator has a good idea of their requirements for their DNS implementation, it is time to install and configure the Windows Server 2003 DNS server.

NOTE

To be a masterful MCSA on Windows Server 2003, it is important to know that planning a DNS infrastructure is critical prior to rolling out an Active Directory implementation in any sized enterprise. Planning the Active Directory infrastructure starts first with designing, installing, and configuring DNS. Active Directory needs DNS for implementation. Always install and lay out the DNS servers before setting up Active Directory.

Installing the DNS Service

Exercise 6.01 presents the process to install and perform the initial configuration for a DNS server and assumes that you already have an installed and functional Windows Server 2003 computer.

EXERCISE 6.01 INSTALLING AND CONFIGURING THE WINDOWS SERVER 2003 DNS SERVICE

1. Launch the Configure Your Server Wizard by clicking Start | Programs | Administrative Tools | Configure Your Server Wizard.

2. Click Next to dismiss the opening page of the Configure Your Server Wizard.

3. Ensure that you have completed all of the preliminary steps displayed in the Preliminary Steps dialog box, as seen in Figure 6.5, and click Next to continue.


Figure 6.5 Ensure that the Preliminary Steps Have Been Completed

4. The Configure Your Server Wizard will briefly examine your network connections and operating system, as seen in Figure 6.6, before continuing. If necessary, you will be alerted to any problems that are found, such as misconfigured network adapters.

Figure 6.6 Configure Your Server Wizard will Briefly Examine your Server Before Continuing

5. If no problems are found, you will be presented with the Server Role dialog box, as seen in Figure 6.7. Select the DNS server option and click Next to continue.

Figure 6.7 Preconfigured Server Roles Selection Options


6. On the Summary of Selections dialog box, as seen in Figure 6.8, you will have the opportunity to view the actions the Wizard will perform for you. Click Next to continue.

Figure 6.8 Verify that the Selected Actions are Correct

7. The Windows Component Wizard will briefly appear while it is installing the required files for the DNS service. You may be prompted to specify the location of your Windows Server 2003 CD-ROM or setup files during this step.

8. The Configure a DNS Server Wizard appears, as seen in Figure 6.9. You may wish to review the DNS server configuration checklist before continuing. When you are ready to start the configuration of your new DNS server, click Next to continue.

Figure 6.9 The Configure a DNS Server Wizard Offers to Let You Review Checklists Before Continuing

9. On the Select Configuration Action dialog box, as seen in Figure 6.10, select the type of lookup zones you want to configure. For the best performance in any size network select the Create forward and reverse lookup zones option. Click Next to continue.


Figure 6.10 Select the Type of Lookup Zones to be Created

10. On the Forward Lookup Zone dialog box, as seen in Figure 6.11, select whether or not you want to create a forward lookup zone at this time. Select the Yes, create a forward lookup zone now (recommended) option. Click Next to continue.

Figure 6.11 Creating a Forward Lookup Zone

11. On the Zone Type dialog box, as seen in Figure 6.12, select the type of zone you are creating. As you can see, the Active Directory integrated option is not available—this DNS server is not a domain controller. Select the Primary zone option. Click Next to continue. (We will examine the process to convert primary zones into Active Directory integrated zones later in this chapter.)


Figure 6.12 Selecting the Type of Zone to Create

12. In the Zone Name dialog box, as seen in Figure 6.13, enter the name of the new forward lookup zone you are creating. In most cases, this will be the same as the domain name you are using—in this instance it is corp.mcsaworld.com. Note that the zone name is not the name of the DNS server. Click Next to continue.

Figure 6.13 Selecting the Zone Name (Typically Synonymous with the Domain Name)

13. In the Zone File dialog box, as seen in Figure 6.14, enter the name of the zone file that is to be created. Note that you will only see this dialog box when you are not creating Active Directory-integrated zones. In the majority of cases, you should leave the default entry alone, as seen in Figure 6.14. Click Next to continue.


Figure 6.14 There is Usually No Reason to Change the Default Zone File Name

14. In the Dynamic Update dialog box, as seen in Figure 6.15, select whether or not you want to use dynamic update. Note that you cannot use secure dynamic updates unless you have created an Active Directory-integrated zone. Even though not completely secure, we are going to configure this zone for secure and nonsecure dynamic updates by selecting the Allow both nonsecure and secure dynamic updates option. Click Next to continue.

Figure 6.15 You Will Not Be Able to Use Secure Dynamic Update with a Standard Zone

15. In the Reverse Lookup Zone dialog box, as seen in Figure 6.16, you have the option to create a reverse lookup zone. For optimal DNS performance, you should always create a reverse lookup zone. Select the Yes, create a reverse lookup zone now option. Click Next to continue.


Figure 6.16 Reverse Lookup Zones Provide a Useful Resolution Feature

16. In the Zone Type dialog box, select the type of zone to be created—this time for the reverse lookup zone. Select the Primary zone option. Click Next to continue.

17. In the Reverse Lookup Zone Name dialog box, as seen in Figure 6.17, supply the name of the reverse lookup zone. In most cases, you would select the Network ID option and enter the first three octets of your IP subnet. Click Next to continue.

Figure 6.17 Creating the Reverse Lookup Zone Name using the First Three Octets of the IP Subnet

18. In the Zone File dialog box, as seen in Figure 6.18, enter the name for the reverse lookup zone. Leave the default value as is. Click Next to continue.


Figure 6.18 The Reverse Lookup Zone Name is a DNS Standard

19. In the Dynamic Update dialog box select whether or not you want to use dynamic update. Note that you cannot use only secure dynamic updates unless you have created an Active Directory-integrated zone. Even though not completely secure, we are going to configure this zone for secure and nonsecure dynamic updates by selecting the Allow both nonsecure and secure dynamic updates option. Click Next to continue.

20. In the Forwarders dialog box, as seen in Figure 6.19, configure forwarders if desired. We will configure forwarding later in this chapter. Select the No, it should not forward queries option. Click Next to continue.

Figure 6.19 Configuring Forwarders (If Desired)

21. The Completing the Configure a DNS Server Wizard dialog box appears showing the results of your configuration. Click Finish to close the Configure a DNS Server Wizard.

22. Click Finish to close the Configure Your Server Wizard.
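Steps 15 through 18 have the wizard derive the reverse zone name from the network ID you type and write a zone file in the standard text format. The following added example, written for this section and not code from the book or from Microsoft, does the same derivation for one to three octets (the wizard's Network ID field accepts the same) and renders a minimal reverse zone with an SOA, an NS record and PTR records. corp.mcsaworld.com and the 192.168.1 network are the book's example values; the host names, SOA timers and serial are constructed.

```python
"""Added example: reverse zone name, PTR owner names and a text zone file.

Constructed for this section; not code from the book. Host names, SOA
timers and the serial are made up.
"""
import ipaddress


def reverse_zone_name(network_id):
    """'192.168.1' -> '1.168.192.in-addr.arpa'. Accepts one to three octets."""
    octets = network_id.strip(".").split(".")
    if not 1 <= len(octets) <= 3 or any(
            not o.isdigit() or int(o) > 255 for o in octets):
        raise ValueError(f"bad network ID: {network_id!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(address, network_id):
    """Owner name of the PTR record for ``address``, relative to the reverse
    zone for ``network_id`` (e.g. '42' in a /24 zone, '42.1' in a /16 zone)."""
    prefix = network_id.strip(".").split(".")
    octets = str(ipaddress.IPv4Address(address)).split(".")   # validates the IP
    if octets[:len(prefix)] != prefix:
        raise ValueError(f"{address} is not inside network {network_id}")
    return ".".join(reversed(octets[len(prefix):]))


def reverse_zone_file(network_id, hosts, forward_zone, ns_host, serial=1):
    """Render the reverse zone in standard text zone-file format.
    ``hosts`` maps host name -> IP address within the forward zone."""
    zone = reverse_zone_name(network_id)
    lines = [
        f"$ORIGIN {zone}.",
        f"@ IN SOA {ns_host}.{forward_zone}. hostmaster.{forward_zone}. "
        f"( {serial} 900 600 86400 3600 )",           # serial refresh retry expire minimum
        f"@ IN NS {ns_host}.{forward_zone}.",
    ]
    # PTRs sorted by address so the file is stable between runs.
    for host, ip in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        lines.append(f"{ptr_owner(ip, network_id)} IN PTR {host}.{forward_zone}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = {"dc01": "192.168.1.10", "srv02": "192.168.1.42"}   # constructed
    print(reverse_zone_file("192.168.1", hosts, "corp.mcsaworld.com", "dc01"))
```

The SOA serial is the value the secondary polls for, so any tool that regenerates the file must bump it on every change or secondaries will never pick the change up.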


With the DNS server installed and basic configuration performed, it is time to configure the remaining DNS server options.

EXAM 70-292 OBJECTIVE 5.1.1

Configuring DNS Server Options

Once DNS is installed and configured, it is pretty much a “set-it and forget-it” service. However, there will be times when a network administrator will want or need to change the configuration options of the DNS server. Options that are configured at the server level apply to the entire server and all zones that it hosts. To open the DNS server properties dialog box, right-click on the DNS server in the DNS management console and select Properties from the context menu. The dialog box opens to the Interfaces tab, as seen in Figure 6.20.

The Interfaces Tab

The Interfaces tab, as shown in Figure 6.20, allows the network administrator to configure which network adapters will be used for the DNS service. As can be seen in Figure 6.20, this DNS server has two network adapters installed and both are listening for DNS queries. Any number of the properly installed and configured network adapters in the server can be selected for DNS.

Figure 6.20 The DNS Server Interfaces Tab

EXAM 70-292 OBJECTIVE 5.1.3

The Forwarders Tab

The default configuration of the Forwarders tab is seen in Figure 6.21. As discussed previously, Windows Server 2003 allows for the configuration of multiple forwarders. Each DNS domain entry can also have multiple forwarders. To create a new forwarder, perform the steps in Exercise 6.02.


Figure 6.21 The DNS Server Forwarders Tab

EXERCISE 6.02 CREATING A NEW DNS FORWARDER

1. Open the DNS Management console.

2. Open the DNS Server Properties dialog box and switch to the Forwarders tab.

3. Click the New button to open the New Forwarder dialog box, as seen in Figure 6.22.

Figure 6.22 Adding a New DNS Forwarder

4. Enter the DNS domain name. For example, if you want to configure a forwarder for all name resolution queries against the mcsaworld.com domain, you would enter that. Click OK to close the New Forwarder dialog box.

5. Click back to the Forwarders tab, and select the DNS domain you just entered.

6. In the Selected domain’s forwarder IP address list box, enter the IP address of the DNS server that the resolution query is to be forwarded to and click the Add button. The IP address moves to the list as seen in Figure 6.23.


Figure 6.23 The Newly Configured DNS Forwarder

7. Add additional DNS server IP addresses for this forwarder or configure additional forwarders as desired.

8. Do not select the “Do not use recursion for this domain” option, as it will disable the ability to forward resolution requests.

Putting Forwarding to Work!

A great way to implement a DNS forwarder is to configure all internal DNS servers as forwarders pointing toward another specific DNS server. Thus, this one specific DNS server is the only DNS server that will need to perform name resolution requests outside of the protected internal network—and the only DNS server that will need to initiate outbound DNS connections through the firewall.

By using this arrangement, a network administrator can configure the firewall to only allow outbound DNS traffic (TCP and User Datagram Protocol [UDP] port 53) from the IP address of the specified DNS server. Valid replies back to this DNS server will (in most cases) automatically be allowed back through the firewall in the inbound direction due to the firewall’s ability to dynamically control access. When using this type of approach on a network, all other DNS traffic—both inbound and outbound at the firewall—will be automatically and safely dropped. This solution enhances the security of the DNS servers and adds security to the entire network.
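The firewall policy the sidebar describes can be stated precisely as a small stateful filter: DNS out only from the designated forwarder, replies back only when they match a remembered outbound query, and everything else on port 53 dropped. The following is an added example written for this section, not the book's code and not any real firewall's rule syntax; the addresses and the 30-second state lifetime are constructed values.

```python
"""Added example: the DNS egress policy from the sidebar as a stateful filter.

Constructed for this section; not code from the book or any firewall
product. Addresses and the state lifetime are made up.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src sport dst dport")

DNS_PORT = 53


class DnsEgressFirewall:
    """Allows DNS (TCP and UDP port 53) outbound only from the designated
    forwarder, lets matching replies back in, and drops every other DNS packet."""

    def __init__(self, forwarder_ip, state_ttl_seconds=30):
        self.forwarder_ip = forwarder_ip
        self.ttl = state_ttl_seconds
        self.state = {}     # (proto, src, sport, dst, dport) -> expiry time

    def evaluate(self, pkt, now=0):
        """Return 'ALLOW', 'DROP', or 'NOT-DNS' for packets outside this policy."""
        if pkt.proto not in ("tcp", "udp") or DNS_PORT not in (pkt.sport, pkt.dport):
            return "NOT-DNS"
        if pkt.direction == "out":
            if pkt.src == self.forwarder_ip and pkt.dport == DNS_PORT:
                key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
                self.state[key] = now + self.ttl   # remember, so the reply may return
                return "ALLOW"
            return "DROP"          # any other internal host talking DNS outbound
        # Inbound: only a reply to a remembered outbound query gets through.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expiry = self.state.get(key)
        if expiry is not None and now <= expiry:
            if pkt.proto == "udp":
                del self.state[key]    # one reply per UDP query; TCP keeps state
            return "ALLOW"
        return "DROP"                  # unsolicited, late, or to the wrong host
```

Because the state entry is keyed on the full five-tuple, an inbound packet to port 53 on the forwarder from an address it never queried is dropped, as is a "reply" that arrives after the query's state has expired.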


The Advanced Tab

The Advanced tab, as seen in Figure 6.24, contains a collection of options that provide advanced configuration utilities.

Figure 6.24

The DNS Server Advanced Tab

The following options can be configured from this tab:

Disable Recursion

Configures the DNS server not to perform recursion for any query it receives. The check box reads Disable recursion (also disables forwarders), because a server that will not recurse on behalf of clients will not forward for them either. By default, this option is unchecked and the DNS server performs recursion. Select it on an authoritative-only server that is reachable from the Internet: such a server should answer for its own zones and nothing else, so that it cannot be used as an open resolver.

BIND Secondaries

Configures the DNS server not to use the fast zone transfer format when sending zones to secondary servers running BIND versions earlier than 4.9.4. All Windows-based DNS servers, and BIND 4.9.4 and later, support the fast format, which compresses names and packs multiple records into each TCP message. By default, this option is selected, so fast transfers are disabled for every secondary. The network administrator should deselect it if all secondaries are Windows DNS servers or BIND 4.9.4 or later.

Fail On Load If Bad Zone Data

Configures the DNS service to fail to load the zone file if it contains records that have been determined to have errors. By default, this option is unchecked allowing the DNS service to log the data errors but otherwise ignore them and continue to load the zone file.

Enable Round Robin

Configures the DNS server to use a round robin rotation to rotate and reorder a list of resource records if multiple records are found of the same type during a query. By default, this option is selected, which enables round robin and increases overall network performance.

Enable Net Mask Ordering

Configures the DNS server to reorder the host (A) resource records in a response based on the IP address of the DNS resolver that sent the query, so that addresses on the resolver's own subnet are listed first. By default, this option is selected, which enables local subnet priority and improves overall network performance.

Secure Cache Against Pollution

Configures the DNS server to check the records it receives before adding them to its cache, so that unrelated resource records included in a referral answer are not cached. The normal behavior of DNS is to cache every name in a referral answer to speed up later resolution requests. With this option, Windows Server 2003 DNS checks whether a referred name belongs to the DNS domain tree of the name that was originally queried; if not, the record is discarded rather than cached. By default, this option is selected. Leave it selected: without it, a server answering a query for a name in one domain could plant bogus records for names in an entirely different domain, including the internal domains, in the cache of every client this server serves.

Name Checking

Configures the DNS server with one of three possible methods for checking the names it receives and processes during its operations. By default, the Multibyte (UTF8) option is enabled.

Strict RFC (ANSI)

Strictly enforces RFC-compliant naming rules for all DNS names processed by the server. Any non-compliant name is treated as an error.

Non-RFC (ANSI)

Allows names that are not RFC-compliant, such as names containing the underscore character, to be used with the DNS server.

Multibyte (UTF8)

Allows names encoded as UTF-8 Unicode, including characters outside the ASCII range, to be used with the DNS server.

Load Zone Data on Startup

Configures the DNS server with one of three possible means by which to load the zone data during startup. By default, the From Active Directory and Registry option is enabled.

From Registry

Configures the DNS service to load its data by reading parameters stored in the Registry.

From File

Configures the DNS service to load its data from an optional boot file, such as those used by BIND DNS servers.

From Active Directory and Registry

Configures the DNS service to load its data by reading parameters stored in the Active Directory database and the server Registry.

Enable Automatic Scavenging of Stale Records

Specifies the time period at which scavenging is to occur for all zones on the server that are configured for aging and scavenging. For scavenging to occur, it must be configured at both the server and the zone level. Configuring scavenging at the zone level is discussed in detail in the "Configuring Zone Options" section later in this chapter. Configuring scavenging at the server level is discussed in the "Configuring Aging and Scavenging for All Zones" section later in this chapter. By default, scavenging is disabled. When enabled, the default time period between scavenging actions is 7 days.

NOTE

In most cases, the default configuration options on the Advanced tab are left as they are. If there are no BIND DNS servers, or all of the BIND servers support fast zone transfers, uncheck the BIND Secondaries option; zone transfers will complete faster.
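The Advanced tab settings as an audit, added here and not part of the book: a PowerShell script that reads the server-level values with dnscmd /Info on one or more servers, compares them with a baseline that follows the discussion above, and with -Fix applies the baseline through dnscmd /Config. The server names are assumptions, and the baseline is a starting point to adjust to your own environment (for example, BindSecondaries stays at 1 while any pre-4.9.4 BIND secondary remains).

```powershell
# Added example, not code from the book. Server names are assumptions; the
# baseline follows the Advanced tab discussion and should be tuned per site.
param(
    [string[]]$Servers = @('dns1.corp.mcsaworld.com', 'dns2.corp.mcsaworld.com'),
    [switch]$Fix
)

# Property name => expected DWORD. The same names are used by /Info and /Config.
$Baseline = @{
    SecureResponses    = 1    # Secure cache against pollution
    BindSecondaries    = 0    # fast zone transfers; keep 1 only while BIND < 4.9.4 secondaries exist
    RoundRobin         = 1    # Enable round robin
    LocalNetPriority   = 1    # Enable netmask ordering
    NameCheckFlag      = 2    # Multibyte (UTF8)
    BootMethod         = 3    # From Active Directory and registry
    ScavengingInterval = 168  # hours between scavenging passes; 0 = disabled
}
# NoRecursion is intentionally absent: 1 is right for an authoritative-only
# server reachable from the Internet, 0 for an internal resolver that forwards.

function Get-DnsServerDword {
    param([string]$Server, [string]$Property)
    $out = & dnscmd.exe $Server /Info $Property 2>&1
    if ($LASTEXITCODE -ne 0) { throw "dnscmd /Info $Property failed on ${Server}: $($out -join ' ')" }
    # numeric properties print as "Dword: 1 (00000001)"
    if (($out -join "`n") -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    throw "Unexpected output for $Property on ${Server}: $($out -join ' ')"
}

$findings = foreach ($server in $Servers) {
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $expected = $Baseline[$name]
        $actual   = Get-DnsServerDword -Server $server -Property $name
        New-Object PSObject -Property @{
            Server   = $server
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            Drift    = ($actual -ne $expected)
        }
        if ($Fix -and $actual -ne $expected) {
            # same property name, now as a /Config switch
            & dnscmd.exe $server /Config "/$name" "$expected" | Out-Null
        }
    }
}

$findings | Select-Object Server, Setting, Expected, Actual, Drift | Format-Table -AutoSize
$driftCount = @($findings | Where-Object { $_.Drift }).Count
"$driftCount setting(s) differ from the baseline."
```

Run it read-only first from a workstation that has the DNS console installed (dnscmd ships with it), review the Drift column, and only then rerun with -Fix. Changes made through dnscmd /Config take effect immediately and appear in the Advanced tab on the next refresh of the console.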

The Root Hints Tab

The Root Hints tab, as seen in Figure 6.25, provides a list of the configured root DNS servers. By default, this information is provided during the installation of the DNS server for all 13 root DNS servers and should not be modified except for advanced configurations.

Figure 6.25

The Root Hints Tab

The Debug Logging Tab

The Debug Logging tab, as seen in Figure 6.26, provides advanced logging options that are disabled by default but can be used by a network administrator to troubleshoot and debug the DNS server’s operation.The default configuration once Debug Logging has been enabled is also seen in Figure 6.26.


Figure 6.26

The Debug Logging Tab

When configuring Debug Logging, the following options are available:

Packet Direction

Configures Outgoing (packets sent by the DNS server), Incoming (packets received by the DNS server), or both to be logged. At least one option must be selected under Packet direction.

Transport Protocol

Configures packets sent and received using UDP or TCP or both to be logged. At least one option must be selected under Transport protocol.

Packet Contents

Configures Queries/Transfers (packets containing standard RFC 1034 compliant queries), Updates (packets containing RFC 2136 compliant dynamic updates), Notifications (packets containing RFC 1996 compliant notifications), or any combination of the three to be logged. At least one option must be selected under Packet contents.

Packet Type

Configures Request packets or Response packets or both to be logged. At least one option must be selected under Packet type.

Details

Allows the network administrator to configure to have the entire packet contents logged.

Filter Packets by IP Address

Allows the network administrator to log only packets sent to or received from specific IP addresses, which keeps the log small when the question is what one client or one peer server is doing.

File Path and Name

Allows the network administrator to configure the path and file name of the DNS server debug log file. The default path is %systemroot%\system32\dns, and the default file name is dns.log.

Maximum Size

Allows the network administrator to configure the maximum file size in bytes of the DNS server debug log file.When the maximum file size has been reached, the DNS server will overwrite the oldest information with new information. If this value is left blank, the log file will grow as required, which can quickly consume large amounts of hard drive space.

TEST DAY TIP

Debug logging can be very resource intensive on a DNS server, possibly affecting overall server performance and rapidly consuming disk space. Debug logging should therefore be used only for short periods, when specific information is required to troubleshoot the DNS server. By selectively enabling debug logging options, the network administrator can perform detailed logging of selected events and actions occurring on the DNS server, and should set a maximum log size before turning it on.
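Debug logging put to work, as an added example that is not from the book: a PowerShell script that turns debug logging on with a size cap through dnscmd /Config, turns it off again, and summarises the log by source address, flagging zone-transfer and ANY queries, which are the requests an attacker sends when mapping a network. The server name and log path are assumptions, the five log lines are constructed for the example rather than captured, and the LogLevel bit values are those documented for dnscmd /Config /LogLevel (confirm them with dnscmd /Config /? on your build).

```powershell
# Added example, not code from the book. Server name, log path and the sample
# lines are assumptions/constructed; LogLevel bits per the dnscmd /Config reference.
$Server   = 'dns1.corp.mcsaworld.com'
$LogPath  = 'C:\WINDOWS\system32\dns\dns.log'
$MaxBytes = 50MB

# Both directions, both protocols, queries only, requests and responses:
#   Query 0x1, Questions 0x100, Answers 0x200, Send 0x1000, Receive 0x2000,
#   UDP 0x4000, TCP 0x8000. Add 0x1000000 (full packets) only when you must.
$Level = 0x1 -bor 0x100 -bor 0x200 -bor 0x1000 -bor 0x2000 -bor 0x4000 -bor 0x8000

function Enable-DnsDebugLog {
    & dnscmd.exe $Server /Config /LogFilePath $LogPath | Out-Null
    & dnscmd.exe $Server /Config /LogFileMaxSize $MaxBytes | Out-Null   # hard cap; the file wraps
    & dnscmd.exe $Server /Config /LogLevel ('0x{0:X}' -f $Level) | Out-Null
}
function Disable-DnsDebugLog {
    & dnscmd.exe $Server /Config /LogLevel 0 | Out-Null
}

# One packet per line in the Windows Server 2003 log:
#   <date> <time> <thread> PACKET <ctx> <UDP|TCP> <Snd|Rcv> <remote IP> <xid> [R] <Q|N|U> [<flags>] <qtype> <name>
# Names are written as length-prefixed labels, e.g. (3)www(9)mcsaworld(3)com(0).
$LinePattern = '^(?<stamp>\S+ \S+ [AP]M)\s+\w+\s+PACKET\s+\w+\s+(?<proto>UDP|TCP)\s+(?<dir>Snd|Rcv)\s+(?<ip>[\d.]+)\s+\w+\s+(?<resp>R?)\s*(?<op>[QNU])\s+\[(?<flags>[^\]]*)\]\s+(?<qtype>\S+)\s+(?<name>\S+)'

function Get-DnsDebugLogSummary {
    param([string[]]$Lines)
    $packets = foreach ($line in $Lines) {
        if ($line -match $LinePattern) {
            New-Object PSObject -Property @{
                Stamp    = $Matches['stamp']
                Proto    = $Matches['proto']
                Dir      = $Matches['dir']
                Ip       = $Matches['ip']
                Response = ($Matches['resp'] -eq 'R')
                QType    = $Matches['qtype']
                Name     = (($Matches['name'] -replace '\(\d+\)', '.').Trim('.'))
                Rcode    = ($Matches['flags'] -split '\s+')[-1]
            }
        }
    }
    # Inbound requests per source, counting the query types that deserve a second look
    $packets | Where-Object { $_.Dir -eq 'Rcv' -and -not $_.Response } |
        Group-Object Ip | ForEach-Object {
            New-Object PSObject -Property @{
                SourceIp   = $_.Name
                Queries    = $_.Count
                Suspicious = @($_.Group | Where-Object { 'AXFR', 'IXFR', 'ANY' -contains $_.QType }).Count
                Names      = (($_.Group | ForEach-Object { $_.Name } | Sort-Object -Unique) -join ', ')
            }
        }
}

# Constructed sample, not captured traffic: one ordinary lookup from an internal
# client, then a refused zone-transfer attempt and an ANY query from an outside host.
$SampleText = @'
8/20/2003 5:29:10 PM 0BB4 PACKET  00F8A4D0 UDP Rcv 10.0.0.25       0002   Q [0001   D   NOERROR] A      (3)www(9)mcsaworld(3)com(0)
8/20/2003 5:29:10 PM 0BB4 PACKET  00F8A4D0 UDP Snd 10.0.0.25       0002 R Q [8081   DR  NOERROR] A      (3)www(9)mcsaworld(3)com(0)
8/20/2003 5:29:12 PM 0BB4 PACKET  00F8B120 TCP Rcv 192.0.2.77      0003   Q [0001   D   NOERROR] AXFR   (4)corp(9)mcsaworld(3)com(0)
8/20/2003 5:29:12 PM 0BB4 PACKET  00F8B120 TCP Snd 192.0.2.77      0003 R Q [8085   DR  REFUSED] AXFR   (4)corp(9)mcsaworld(3)com(0)
8/20/2003 5:29:15 PM 0BB4 PACKET  00F8C3A0 UDP Rcv 192.0.2.77      0004   Q [0001   D   NOERROR] ANY    (4)corp(9)mcsaworld(3)com(0)
'@
$Sample = $SampleText -split "`r?`n"

Get-DnsDebugLogSummary -Lines $Sample | Select-Object SourceIp, Queries, Suspicious, Names | Format-Table -AutoSize

# A real capture, time-boxed: Enable-DnsDebugLog; Start-Sleep -Seconds 600; Disable-DnsDebugLog
# Get-DnsDebugLogSummary -Lines (Get-Content $LogPath) | Sort-Object Suspicious -Descending
```

With the sample input, the internal client appears with one ordinary query and the outside host with two queries, both flagged. On a live capture, sort by the Suspicious column: a source that sends AXFR or ANY requests to an internal server is either a misconfigured secondary or someone enumerating the zone, and either way deserves a look in the firewall logs.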

The Event Logging Tab

The Event Logging tab, as seen in Figure 6.27, configures which events are recorded in the DNS event log. The default configuration is All events and is usually the best option. The level of logging can be reduced for a specific reason by selecting another option, such as logging only errors, or only errors and warnings. Selecting No events leaves the server with no record of its failures, so avoid it. The DNS log can be viewed in the Event Viewer or in the DNS management console.

Figure 6.27

The Event Logging Tab

The Monitoring Tab

The Monitoring tab, as seen in Figure 6.28, allows the DNS server to be configured to periodically test its ability to perform simple and recursive DNS queries. By default, no tests are selected. For maximum reliability and performance, both types of tests should be configured to be performed by the DNS server on the desired schedule; on a server where recursion has been disabled, the recursive test is expected to fail. The selected tests can also be initiated manually by clicking the Test Now button.


Figure 6.28

The Monitoring Tab

EXAM 70-292 OBJECTIVE 5.1.2

Configuring Zone Options

There are also configurable options available for both the forward and reverse lookup zones.The individual zones’ properties dialog boxes are where critical items are configured, such as how dynamic updates are to occur, aging and scavenging options, and name servers that are allowed to perform zone transfers with the DNS server. As shown in Figure 6.29, the nodes of the DNS Management console need to be expanded in order to locate the forward and reverse lookup zones.

Figure 6.29

Locating the Forward and Reverse Lookup Zones

Configuring Forward Lookup Zone Options

After locating the correct forward lookup zone, its Properties dialog box can be opened by right-clicking on the zone and selecting Properties from the context menu. The forward_lookup_zone_name Properties box opens to the General tab, as seen in Figure 6.30.


The General Tab

The General tab, as seen in Figure 6.30, contains an assortment of basic options that a network administrator may wish to configure for their zones.

Figure 6.30

The Forward Lookup Zone General Tab

The following actions can be performed from the General tab:

Change the Zone Status

The zone can be paused or started depending on its current status.

Change the Zone Type

The Change Zone Type dialog box opens by clicking the Change button, as seen in Figure 6.31. If the DNS server is a domain controller, the network administrator can also change the zone to an Active Directory-integrated zone.

Figure 6.31

Changing the Zone Type

Configure Replication Properties

If the zone is Active Directory-integrated, the network administrator can configure how it should be replicated from the following options:

All DNS Servers in the Active Directory Forest

Configures the zone data to be replicated to all DNS servers running on domain controllers in the forest.

All DNS Servers in the Active Directory Domain

Configures the zone data to be replicated to all DNS servers running on domain controllers in the domain. This is the default replication configuration for Active Directory-integrated zones.

All Domain Controllers in the Active Directory Domain

Configures the zone data to be replicated to all domain controllers in the domain, whether or not they run DNS. This option must be selected if a Windows 2000 DNS server is to load an Active Directory-integrated zone.

All Domain Controllers in a Specified Application Directory Partition

Configures the zone data to be replicated per the replication scope of the specified application directory partition.

Change the Zone File Name

The name of the zone data file can be changed, although normally there is no reason to do so.

Configure Dynamic Updates

Dynamic updates can be configured from the following options: None, Nonsecure and secure, and Secure only (available only for Active Directory-integrated zones).

Set Zone Aging and Scavenging Options

Clicking the Aging button opens the Zone Aging/Scavenging Properties dialog box, as seen in Figure 6.32.

Figure 6.32

Configuring Zone Aging and Scavenging

Aging and scavenging are available in Windows Server 2003 DNS to provide a way to remove stale resource records. Although dynamic update accurately and efficiently adds records to the zone file, it does not always do as thorough a job of removing them from the zone when they are no longer accurate, for example when computers leave the network after an improper disconnection. In today's mobile computing world, this can be a huge problem for networks with large numbers of portable computers and Personal Digital Assistants (PDAs) that acquire DHCP leases and thus cause resource records to be created in the applicable DNS zones. The following problems can result from stale resource records that are left unattended over time:

Stale resource records build up over time, causing larger zone files and longer zone transfers—both of which can cause reduced DNS server performance.

Stale resource records might result in incorrect name resolution responses due to incorrect information in the zone file—this may potentially result in the inability to locate network resources.

Stale resource records may prevent valid dynamic updates from being performed due to the domain names already being used.

Windows Server 2003 DNS implements the following features to alleviate the problems caused by stale resource records:

Resource Record Time Stamping

Resource records are time stamped with the date and time on the DNS server when they are dynamically added to the zone data. Resource records that are created manually (discussed in the "Managing DNS Record Settings" section later in this chapter) have their time stamp set to a zero value, indicating that they are not subject to aging and scavenging.

Resource Record Aging

Resource records stored in local primary zones are aged according to the configured aging intervals and their time stamp.

Resource Record Scavenging

Resource records that remain in the zone data beyond the configured no-refresh and refresh intervals are scavenged from the zone data file. As mentioned previously, before scavenging can occur it must be configured at both the server and the zone level. Also, only resource records that carry a time stamp are subject to scavenging: records that were registered dynamically, and manually created records on which aging has been explicitly enabled in the record's properties.

When referring to aging and scavenging, the following terms are important:

No-refresh Interval

The time interval configured for a zone that begins when the resource record was last refreshed (record refresh) and ends when the record next becomes eligible to have its time stamp refreshed again.This value is set to a default of seven days and should not be set unreasonably high as it will result in aging and scavenging not functioning properly.

Refresh Interval

The time interval configured for a zone that begins when the resource record first becomes eligible to have its time stamp reset during a record refresh and ends when the record becomes eligible to be scavenged from the zone data file.This value is set to a default of seven days and should not be set unreasonably high to avoid aging and scavenging from functioning improperly. Setting this value too low may prevent clients from being able to refresh their records.


Record Refresh

A dynamic update processed for a resource record that does not change any properties of the record other than the time stamp.

Record Update

A dynamic update processed for a resource record that changes other properties in the record in addition to the time stamp.

Scavenging Period

This value, configured at the server using the Enable automatic scavenging of stale records option seen in Figure 6.24, specifies the time between scavenging actions for all zones that have scavenging configured. The default value is 7 days, and the minimum allowed value is one hour, to prevent server performance degradation.

TEST DAY TIP

It is not as important to memorize the definitions of these aging and scavenging terms as it is to understand how aging and scavenging work and how the different time periods (no-refresh interval and refresh interval) affect them.

Scavenging of a record can begin once both the no-refresh interval and the refresh interval have passed since the time stamp on the resource record. A record refresh (a dynamic update that changes nothing but the time stamp) is not applied during the no-refresh interval; the server accepts the request but leaves the time stamp unchanged. A record update (a dynamic update that changes the record's data) is applied at any time, including during the no-refresh interval, and it resets the time stamp.

For example, with the 7-day default for both the no-refresh and refresh intervals, as seen in Figure 6.32, a record's time stamp cannot be refreshed during the first 7 days after it was set, although an update that changes the record would be accepted. Over the next 7 days, days 8 through 14, the record can be both refreshed and updated. Starting on day 15, the record is eligible for scavenging and is removed from the zone data by the next scavenging pass, which with the default scavenging period occurs within 7 days.
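The timeline just described, worked in code as an added example that is not from the book: a PowerShell script that enables aging on a zone and scavenging on the server with dnscmd, and a function that computes, from a record's time stamp, when a refresh will be accepted and when the record becomes scavengeable. The server name, zone name and scavenging-server address are assumptions.

```powershell
# Added example, not code from the book. Server, zone and address are assumptions.
$Server         = 'dns1.corp.mcsaworld.com'
$ServerIp       = '10.0.0.10'
$Zone           = 'corp.mcsaworld.com'
$NoRefreshHours = 168   # 7 days, the default
$RefreshHours   = 168   # 7 days, the default
$ScavengeHours  = 168   # server-wide scavenging period, 7 days

# Zone level (all values in hours): aging on, then the two intervals.
& dnscmd.exe $Server /Config $Zone /Aging 1 | Out-Null
& dnscmd.exe $Server /Config $Zone /NoRefreshInterval $NoRefreshHours | Out-Null
& dnscmd.exe $Server /Config $Zone /RefreshInterval $RefreshHours | Out-Null
# Server level: how often the scavenging pass runs (0 switches it off), and the
# aging defaults that new zones will inherit.
& dnscmd.exe $Server /Config /ScavengingInterval $ScavengeHours | Out-Null
& dnscmd.exe $Server /Config /DefaultAgingState 1 | Out-Null
# For an Active Directory-integrated zone, name the server(s) allowed to scavenge
# it, so that several domain controllers do not all delete records independently.
& dnscmd.exe $Server /ZoneResetScavengeServers $Zone $ServerIp | Out-Null

function Get-ScavengeTimeline {
    param(
        [datetime]$TimeStamp,           # as shown in the record's properties (hour granularity)
        [int]$NoRefreshHours = 168,
        [int]$RefreshHours   = 168,
        [int]$ScavengeHours  = 168,
        [datetime]$Now = (Get-Date)
    )
    # A static record carries an all-zero time stamp and is never scavenged
    # unless aging is switched on for that record explicitly.
    if ($TimeStamp -eq [datetime]::MinValue) { return $null }

    $refreshOpens = $TimeStamp.AddHours($NoRefreshHours)    # day 8 in the 7-day/7-day example
    $eligible     = $refreshOpens.AddHours($RefreshHours)   # day 15
    if ($Now -lt $refreshOpens) { $phase = 'no-refresh: refreshes are dropped, real updates still reset the stamp' }
    elseif ($Now -lt $eligible) { $phase = 'refresh: a refresh from the client resets the time stamp' }
    else                        { $phase = 'stale: deleted by the next scavenging pass' }

    New-Object PSObject -Property @{
        TimeStamp        = $TimeStamp
        RefreshAllowedAt = $refreshOpens
        ScavengeableAt   = $eligible
        RemovedBy        = $eligible.AddHours($ScavengeHours)   # worst case: a pass ran just before $eligible
        Phase            = $phase
    }
}

# A record registered 10 days ago is refreshable but not yet stale.
Get-ScavengeTimeline -TimeStamp (Get-Date).AddDays(-10) |
    Select-Object TimeStamp, RefreshAllowedAt, ScavengeableAt, RemovedBy, Phase | Format-List

# Do not wait for the scheduled pass: run one now and watch the DNS event log.
& dnscmd.exe $Server /StartScavenging | Out-Null
```

The RemovedBy value is the practical number for capacity and incident work: a host that left the network keeps a resolvable name for up to no-refresh plus refresh plus one scavenging period, three weeks with the defaults, during which its address can be reused by another machine.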

The Start of Authority (SOA) Tab

The Start of Authority (SOA) tab, as seen in Figure 6.33, allows the network administrator to make changes to the SOA record for the zone file.The SOA and Name Server (NS) records are used when a zone file is loaded to determine what name servers are authoritative for the zone.


Figure 6.33

The Forward Lookup Zone SOA Tab

The SOA resource record is always the first record in any standard zone and indicates the server that is authoritative for the zone.The SOA record also contains other properties that provide information about the zone and affect how often zone transfers are conducted.

The following fields are present in the SOA record and can be configured using the SOA tab:

Serial number

This value denotes the version number of the zone data file. The serial (zone version) number is incremented each time a resource record in the zone is changed, and is used to indicate to secondary servers that a zone transfer is required. The serial number can be manually incremented by clicking the Increment button.

Primary Server

This value indicates the DNS server that is authoritative for the zone.The primary server for the zone can be changed by clicking the Browse button and searching through the A and Canonical name (CNAME) records in the zone.

Responsible Person

The e-mail address of the administrator responsible for the zone. In DNS, a period "." is used instead of the "@" symbol, so the value hostmaster.corp.mcsaworld.com. represents hostmaster@corp.mcsaworld.com.

Refresh Interval

Specifies the time interval that a secondary server is to wait before querying the primary server for the zone serial number.This value is configured for 15 minutes by default.

Retry Interval

Specifies the time interval that a secondary server is to wait before retrying a failed zone transfer.This value is configured for 10 minutes by default.

Expires After

Specifies how long a secondary server continues to answer queries for the zone after its last successful refresh. If the refresh interval passes and the secondary cannot reach the primary, it keeps retrying; once the expire time has also elapsed, the secondary stops answering for the zone, because it no longer considers its local copy reliable. This value is configured for 24 hours by default, which in most cases is a reasonable value. In environments where the DNS zone experiences a large number of changes in a day, the network administrator may consider decreasing this value to prevent secondary servers from serving stale data should they be unable to perform a zone transfer.

Minimum (Default) Time To Live (TTL)

Specifies the TTL for the zone data and the maximum length of time in which negative caching of answers to name queries is to occur.This value is configured for 60 minutes by default.

TTL for this Record

Specifies a TTL for this specific resource record.

NOTE

Double-clicking the SOA or NS record from within the zone file itself opens the Zone Properties dialog box to the appropriate tab, as seen in Figures 6.33 and 6.34.

EXAM WARNING

TTL values can also be configured manually on any resource record in the zone. Any TTL that has been configured for a specific resource record overrides the default TTL configured in the SOA resource record.
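An added check that is not part of the book: a PowerShell script that parses the SOA record as Windows nslookup prints it, decodes the Responsible Person mailbox into an e-mail address (including the RFC 1035 escaped-dot case), and tests the timers against each other. The nslookup output embedded below is a constructed sample using the default values above; the zone and server names are assumptions.

```powershell
# Added example, not code from the book. The embedded nslookup output is a
# constructed sample; zone and server names are assumptions.

function ConvertFrom-SoaMailbox {
    param([string]$Mailbox)
    # The first unescaped "." becomes "@"; a "\." in the local part is a literal dot
    # (RFC 1035), so "john\.doe.corp.mcsaworld.com" is john.doe@corp.mcsaworld.com
    $name  = $Mailbox.TrimEnd('.')
    $local = ''
    for ($i = 0; $i -lt $name.Length; $i++) {
        $c = $name[$i]
        if ($c -eq '\' -and $i + 1 -lt $name.Length) { $local += $name[$i + 1]; $i++; continue }
        if ($c -eq '.') { return '{0}@{1}' -f $local, $name.Substring($i + 1) }
        $local += $c
    }
    return $name   # no dot at all: not in mailbox form
}

function Get-SoaFromNslookup {
    param([string[]]$Lines)
    $soa = @{}
    foreach ($line in $Lines) {
        if     ($line -match '^\s*primary name server\s*=\s*(\S+)')   { $soa.Primary = $Matches[1] }
        elseif ($line -match '^\s*responsible mail addr\s*=\s*(\S+)') { $soa.Mailbox = $Matches[1]; $soa.Email = ConvertFrom-SoaMailbox $Matches[1] }
        elseif ($line -match '^\s*serial\s*=\s*(\d+)')                { $soa.Serial  = [uint32]$Matches[1] }
        elseif ($line -match '^\s*refresh\s*=\s*(\d+)')               { $soa.Refresh = [int]$Matches[1] }
        elseif ($line -match '^\s*retry\s*=\s*(\d+)')                 { $soa.Retry   = [int]$Matches[1] }
        elseif ($line -match '^\s*expire\s*=\s*(\d+)')                { $soa.Expire  = [int]$Matches[1] }
        elseif ($line -match '^\s*default TTL\s*=\s*(\d+)')           { $soa.MinimumTtl = [int]$Matches[1] }
    }
    return $soa
}

function Test-SoaTimers {
    param([hashtable]$Soa)
    $problems = @()
    if ($Soa.Retry -ge $Soa.Refresh)               { $problems += 'retry should be shorter than refresh' }
    if ($Soa.Expire -le $Soa.Refresh + $Soa.Retry) { $problems += 'expire must outlast at least one refresh plus one retry' }
    if ($Soa.MinimumTtl -gt 3 * 3600)              { $problems += 'negative-cache TTL is above the 1-3 hour range RFC 2308 recommends' }
    if ($Soa.Email -notmatch '^[^@]+@[^@]+\.[^@]+$') { $problems += "responsible person '$($Soa.Mailbox)' does not decode to a mailbox" }
    return $problems
}

# Constructed sample of: nslookup -type=SOA corp.mcsaworld.com dns1.corp.mcsaworld.com
$Sample = @'
Server:  dns1.corp.mcsaworld.com
Address:  10.0.0.10

corp.mcsaworld.com
        primary name server = dns1.corp.mcsaworld.com
        responsible mail addr = hostmaster.corp.mcsaworld.com
        serial  = 12
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
'@
$soa = Get-SoaFromNslookup -Lines ($Sample -split "`r?`n")
"Responsible person: $($soa.Email)"
$problems = @(Test-SoaTimers -Soa $soa)
if ($problems.Count -eq 0) { 'SOA timers are consistent' } else { $problems }

# Against a live server, feed the same parser: Get-SoaFromNslookup -Lines (& nslookup.exe -type=SOA $zone $server 2>&1)
```

With the default values the checks pass. Run the live form against every zone after changing SOA timers, and against any zone whose secondaries are reporting stale data: an expire value shorter than refresh plus retry means a secondary can drop the zone after a single missed transfer.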

The Name Servers Tab

The Name Servers tab, as seen in Figure 6.34, lists all name servers that have been configured to be authoritative for a particular zone.The NS resource record causes the specified DNS server to be considered by other DNS servers and DNS resolvers to be authoritative for the zone, thus allowing it to provide definite answers to any name resolution queries made against that zone.

Figure 6.34

The Forward Lookup Zone Name Servers Tab


Additional NS records can be created by clicking the Add button to open the New Resource Record dialog box, as seen in Figure 6.35. The network administrator must enter the FQDN and at least one IP address of the DNS server for which the new NS record is being created. After providing this information, the administrator clicks Add to add the new NS record to the zone, and then clicks OK to close the New Resource Record dialog box when finished adding name servers to the zone.

Figure 6.35

Creating a New NS Resource Record

Looking back at the Name Servers tab, as seen in Figure 6.36, there are now two DNS servers that are authoritative for this zone, increasing resolution speed and reliability.

Figure 6.36

The New NS Resource Record is Displayed

TEST DAY TIP

Although multiple NS records can be configured for a zone, there can be only one SOA record per zone.


The WINS Tab

The WINS tab, as seen in Figure 6.37, allows the network administrator to configure WINS integration with their DNS zones. Although not required in networks that are purely Windows 2000 or later, WINS may be required in networks containing legacy Windows client computers that use NetBIOS over TCP/IP (NBT) and require WINS for name resolution. If one or more WINS servers are configured for a network, the network administrator can enable WINS forward lookup for names that are not found in the zone file, and then enter the IP addresses of the network's WINS servers.

Figure 6.37

The Forward Lookup Zone WINS Tab

A Tale of Two Resolution Methods

TCP/IP was not always king in Microsoft Windows networks. While UNIX operating systems have used TCP/IP since their inception, Microsoft (and IBM) for a long time used the proprietary NetBEUI network protocol, and for good reason: NetBEUI was a great protocol for the networks of the time. It required no configuration beyond enabling support for it and did not require any complex addressing scheme like TCP/IP did. The only real downside, and the cause of the downfall of NetBEUI, was that it relied on broadcasts for name resolution, which resulted in poor performance in larger networks and an inability to be used in routed environments.

The message was clear: Windows had to provide support for DNS if it was to be considered a serious network operating system.

DNS was then added to Windows, but Microsoft discovered a problem: the NetBIOS names that Windows computers had been using did not function properly in a routed TCP/IP environment. NetBEUI relied heavily on broadcast messages to advertise servers and network resources to clients. Routers, by default, do not forward broadcast messages, thus preventing NetBEUI from working in the large majority of the emerging corporate networks. (Note that one of the primary reasons for using routers within an internal network is to split up broadcast domains.) Microsoft needed to find a way to solve this problem so that TCP/IP could flourish in Windows networks. At first, the answer was thought to be an LMHOSTS file that would be used by each computer in a similar fashion to how the HOSTS file worked for DNS. In a short time, the difficulty of implementing this type of static solution became apparent to network administrators and Microsoft; a dynamic name resolution system was needed if Windows NetBEUI networks were to make use of TCP/IP. Thus WINS was born.

The Zone Transfers Tab

The Zone Transfers tab, as seen in Figure 6.38, allows the network administrator to configure which other name servers zone transfers will be performed with. If zone transfers are enabled, the administrator can opt to perform them with any server that requests one, only with the servers listed on the Name Servers tab (seen in Figure 6.36), or only with the name servers specified on the Zone Transfers tab. The default behavior is to conduct zone transfers only with servers listed on the Name Servers tab, which provides a fairly secure environment. Allowing transfers to any server should be avoided: a single transfer request hands the requester a complete list of every host in the zone, which is exactly the inventory an attacker wants before probing the network. For maximum DNS security, the administrator will want to configure zone transfers to occur only with the name servers listed by IP address on the Zone Transfers tab.

Figure 6.38

The Forward Lookup Zone Zone Transfers Tab

Administrators also have the option to configure which name servers are notified when the zone file has changed, by clicking the Notify button, as seen in Figure 6.39. The default behavior is to send notifications only to the servers listed on the Name Servers tab, which is fairly secure. However, a network administrator can also configure only those servers specified in the Notify dialog box to be notified of changes to the zone file.
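The locked-down configuration recommended above, as an added example that is not code from the book: a PowerShell script that restricts zone transfers and notifications to a fixed list of secondaries with dnscmd /ZoneResetSecondaries, requires secure dynamic updates, verifies the values with dnscmd /ZoneInfo, and then attempts a zone transfer the way an attacker would, with the ls -d command of Windows nslookup. Server names, zone name and addresses are assumptions.

```powershell
# Added example, not code from the book. Server, zone and addresses are assumptions.
$Server      = 'dns1.corp.mcsaworld.com'
$Zone        = 'corp.mcsaworld.com'
$Secondaries = @('10.0.0.6', '10.0.1.6')   # the only hosts that may pull this zone

# /SecureList = transfer only to these addresses; /NotifyList = send NOTIFY only to them.
# PowerShell expands the array into separate arguments for dnscmd.
& dnscmd.exe $Server /ZoneResetSecondaries $Zone /SecureList $Secondaries /NotifyList $Secondaries | Out-Null

# Secure only (2) is accepted only for Active Directory-integrated zones; a
# standard primary can do no better than 1 (nonsecure and secure) or 0 (none).
& dnscmd.exe $Server /Config $Zone /AllowUpdate 2 | Out-Null

function Get-DnsZoneDword {
    param([string]$Server, [string]$Zone, [string]$Property)
    $out = & dnscmd.exe $Server /ZoneInfo $Zone $Property 2>&1
    # numeric zone properties print as "Dword: 2 (00000002)"
    if (($out -join "`n") -match 'Dword:\s+(\d+)') { return [int]$Matches[1] }
    throw "Could not read $Property for $Zone on ${Server}: $($out -join ' ')"
}

# SecureSecondaries: 0 any server, 1 Name Servers tab, 2 listed servers, 3 none
# NotifyLevel:       0 none, 1 Name Servers tab, 2 listed servers
$Expected = @{ SecureSecondaries = 2; NotifyLevel = 2; AllowUpdate = 2 }
foreach ($name in ($Expected.Keys | Sort-Object)) {
    $actual = Get-DnsZoneDword -Server $Server -Zone $Zone -Property $name
    $state  = if ($actual -eq $Expected[$name]) { 'ok' } else { 'DRIFT' }
    '{0,-18} expected {1}  actual {2}  {3}' -f $name, $Expected[$name], $actual, $state
}

# The check from the outside: Windows nslookup reads commands from stdin when
# started as "nslookup - <server>", and "ls -d" asks the server for a full zone
# transfer. A locked-down server answers "Can't list domain ...: Query refused";
# a permissive one prints the zone, SOA record first.
function Test-ZoneTransferAllowed {
    param([string]$Zone, [string]$Server)
    $text = ("ls -d $Zone" | & nslookup.exe '-' $Server 2>&1) -join "`n"
    return (($text -match '\sSOA\s') -and ($text -notmatch 'Query refused'))
}
if (Test-ZoneTransferAllowed -Zone $Zone -Server $Server) {
    Write-Warning "$Server still hands out $Zone to this host"
} else {
    "$Server refused an AXFR of $Zone from this host"
}
```

Run the transfer test from a machine that is not on the secondary list, since a listed secondary is supposed to succeed. It is the same probe a penetration tester runs first against any name server, so it belongs in the checklist for every zone, reverse lookup zones included.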

Figure 6.39

Configuring Name Servers to be Notified of Zone File Changes

Configuring Reverse Lookup Zone Options

After locating the reverse lookup zone in question, its Properties dialog box can be opened by selecting the zone, right-clicking on it, and selecting Properties from the context menu.The reverse_lookup_zone_name Properties box opens to the General tab, as seen in Figure 6.40.

The General Tab

The General tab, as seen in Figure 6.40, contains an assortment of basic options that the network administrator may wish to configure for their zones.These options are the same as those discussed previously for forward lookup zones.

Figure 6.40

The Reverse Lookup Zone General Tab


NOTE

Allowing nonsecure dynamic updates is a significant security risk: any host that can reach the server can register or overwrite records, including the records of existing servers, and redirect clients to a host of its choosing. Use Secure only wherever the zone is Active Directory-integrated, and make sure this setting is configured correctly on every zone, reverse lookup zones included.

The SOA Tab

The SOA tab, as seen in Figure 6.41, allows the network administrator to make changes to the SOA record for the zone file.The SOA and NS records are used when a zone file is loaded to determine what name servers are authoritative for the zone.These options are the same as those discussed previously for forward lookup zones.

Figure 6.41

The Reverse Lookup Zone SOA Tab

The Name Servers Tab

The Name Servers tab, as seen in Figure 6.42, lists the name servers that are authoritative for the reverse lookup zone and allows NS records to be added or removed. These options are the same as those discussed previously for forward lookup zones.


Figure 6.42

The Reverse Lookup Zone Name Servers Tab

The WINS-R Tab

The WINS-R tab, as seen in Figure 6.43, allows the network administrator to configure WINS integration with their reverse lookup zones. After enabling WINS reverse lookups, they can also enter the domain name that should be appended to all names that are returned. For example, if the WINS-R query returned MCSAWXP042 and the domain name corp.mcsaworld.com had been entered, the result returned to the DNS resolver would be MCSAWXP042.corp.mcsaworld.com, just as if an actual reverse lookup had been performed using DNS. The WINS-R tab has no space to enter the IP addresses of WINS servers; it uses the same WINS servers that have been configured on the forward lookup zone's WINS tab.

Figure 6.43

The Reverse Lookup Zone WINS-R Tab


The Zone Transfers Tab

The Zone Transfers tab, as seen in Figure 6.44, allows the network administrator to configure which other name servers zone transfers will be performed with. These options are the same as those discussed previously for forward lookup zones.

Figure 6.44

The Reverse Lookup Zone Zone Transfers Tab

The following sections examine some management and maintenance tasks that a network administrator will routinely perform for zones, records, and servers.

EXAM 70-292 OBJECTIVE 5.2

Managing the DNS Service

The hardest part of administering DNS is installing and configuring it correctly.When it comes to the daily management of the DNS service and the DNS servers, there is not much to do. Some of the more common items might include managing or starting a scavenging cycle; creating, modifying, or deleting resource records; or reloading zones.The next sections examine some of the more common management tasks that a network administrator might find themselves performing for the DNS service.

EXAM 70-292 OBJECTIVE 5.2.3

Managing DNS Server Options

The DNS management console is the primary means by which the network administrator will perform management tasks for their DNS servers.The console is divided into two panes following the standard Microsoft Management Console (MMC) design.The left-hand pane displays servers and zones, while the right-hand pane displays the details and objects for the currently selected item in the left-hand pane.The following management options can be performed at the DNS server level:

Connecting to remote DNS servers

Removing servers from the DNS Management console

Creating new DNS servers


Creating new zones

Configuring aging and scavenging for all zones

Manually initiating record scavenging

Updating the DNS server zone file

Clearing the DNS server local cache

Launching the nslookup command

Starting, stopping, or pausing DNS servers

The process to create new DNS servers and new zones from the DNS Management console is functionally identical to the process outlined in Exercise 6.01. Each of the remaining management tasks is briefly examined in the following sections.

Connecting to Remote DNS Servers

As can be seen in Figure 6.45, there is only one management option available from the root of the DNS Management console: Connect to DNS Server.

Figure 6.45

Connecting to and Managing Multiple DNS Servers from One Location

By selecting this option from the context menu, the Connect to DNS Server dialog box opens, as seen in Figure 6.46, allowing the network administrator to enter the name of the DNS server that they wish to add to their DNS management console. To do this, the administrator should select the The following computer option, enter the DNS server name, select the Connect to the specified computer now option, and click OK to add the DNS server to their DNS Management console.


Figure 6.46

Adding an Additional DNS Server to the Console

Removing Servers from the DNS Management Console

To remove a DNS server from the DNS Management console, the network administrator needs only right-click on it and select Delete from the context menu, as seen in Figure 6.47. Deleting the DNS server from the console only removes management capability; it does not change the configuration or operation of the DNS server in any way.

Figure 6.47

Removing a DNS Server from the Console

Configuring Aging and Scavenging for All Zones

As discussed previously, aging and scavenging must be enabled at both the server and the zone level for it to function. To configure aging and scavenging for the server, the administrator should right-click on the DNS server in the left-hand pane of the DNS management console and select Set Aging/Scavenging for All Zones from the context menu. The Server Aging/Scavenging Properties dialog box opens, as seen in Figure 6.48, allowing the administrator to configure aging and scavenging at the server level. The default values are 7 days for both the no-refresh interval and the refresh interval. The settings configured in this dialog box act as the default settings for all Active Directory-integrated zones. The network administrator will need to manually configure these values on any standard zones they have on their DNS servers. They will also be prompted to accept the changes they have made before they are actually applied to their zones.


Figure 6.48

Configuring Aging and Scavenging at the Server and Zone Levels

Manually Initiating Record Scavenging

If an administrator does not want to wait for the regularly scheduled scavenging cycle to occur, they can manually initiate a scavenging sequence by right-clicking on the DNS server and selecting Scavenge Stale Resource Records from the context menu, as seen in Figure 6.49. Only records that are eligible for scavenging (those whose no-refresh and refresh intervals have both expired) will be scavenged. After selecting this option, the administrator will be prompted to confirm before the scavenging sequence starts.

Figure 6.49

Manually Initiating Resource Record Scavenging

Updating the DNS Server Zone File

Typically, standard DNS servers only write the record changes held in memory to the zone file when they are shut down or at predefined update intervals. A network administrator can manually force a DNS server to commit all record changes in memory to the zone file by right-clicking the DNS server in the left-hand pane of the DNS Management console and selecting Update Server Data Files from the context menu, as seen previously in Figure 6.49. Active Directory-integrated zones are stored in Active Directory rather than in a zone file, so this option does not apply to them; to reload such a zone from Active Directory, use the following command from the command line: dnscmd ServerName /ZoneUpdateFromDs ZoneName


The full syntax of the dnscmd command is beyond the scope of this discussion, and is examined in more detail in Appendix A.

Clearing the DNS Server Local Cache

The DNS server's local resolution cache can be cleared by right-clicking on the DNS server in the left-hand pane of the DNS management console and selecting Clear Cache from the context menu, as seen previously in Figure 6.49. Clearing the cache is useful as a routine maintenance task to get rid of stale data (including any polluted entries) and may help in correcting name resolution difficulties caused by stale cached records.

Launching the nslookup Command

The nslookup command is used to monitor and troubleshoot the DNS service. A new feature in Windows Server 2003 DNS provides a quick-launch shortcut to start the nslookup command from within the DNS management console. Figure 6.50 shows the nslookup command being used to perform basic name resolution for an external and an internal host name. The full syntax and use of the nslookup command are discussed in Appendix A.

Figure 6.50

Using nslookup for Name Resolution and Troubleshooting

As can be seen, the first name query for www.syngress.com was returned and marked as being a “Non-authoritative answer” indicating that this local DNS server is not authoritative for the zone containing the host www.syngress.com. In the second name query, the local DNS server is authoritative for the information that was queried.

Starting, Stopping, or Pausing DNS Servers

If needed, the network administrator can start, stop, or pause the DNS server by right-clicking on the DNS server in the left-hand pane of the DNS Management console. From there select All Tasks | Start, All Tasks | Stop, or All Tasks | Pause from the context menu, as seen previously in Figure 6.49.
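The server-level tasks described in the preceding sections can also be scripted. The following PowerShell script is an added example and is not code from the book; it drives dnscmd.exe (which Appendix A covers in full) and the service controller against a server whose name, dns01.corp.mcsaworld.com, and zone names are assumptions. It also assumes dnscmd.exe is on the path and that the session runs with DNS administrator rights; the same dnscmd command lines work unchanged from cmd.exe.

```powershell
# Added example, not from the book: the server-level tasks above done with
# dnscmd.exe instead of the DNS Management console. Assumptions: dnscmd.exe is
# on the path, the session runs with DNS administrator rights, and the server
# and zone names below are hypothetical.
$Server = 'dns01.corp.mcsaworld.com'

function Invoke-Dnscmd {
    # Runs dnscmd against $Server and throws if it reports failure.
    param([Parameter(Mandatory=$true)][string[]]$Arguments)
    $output = & dnscmd.exe $Server @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

# Connect to a remote DNS server: dnscmd takes the server name as its first
# argument, so every call here is remote management. /Info confirms we can reach it.
Invoke-Dnscmd '/Info' | Out-Null

# Set Aging/Scavenging for All Zones. Values are in hours; 168 h = 7 days, the
# console defaults. These become the defaults for Active Directory-integrated
# zones; standard zones still need aging enabled per zone.
Invoke-Dnscmd '/Config', '/DefaultAgingState', '1'
Invoke-Dnscmd '/Config', '/DefaultNoRefreshInterval', '168'
Invoke-Dnscmd '/Config', '/DefaultRefreshInterval', '168'
Invoke-Dnscmd '/Config', '/ScavengingInterval', '168'     # how often the server scavenges

# Scavenge Stale Resource Records now, rather than waiting for the next cycle.
Invoke-Dnscmd '/StartScavenging'

# Update Server Data Files for a standard zone (write memory to its .dns file),
# and the Active Directory-integrated equivalent, reloading the zone from AD.
Invoke-Dnscmd '/ZoneWriteBack', 'west.corp.mcsaworld.com'    # hypothetical standard primary zone
Invoke-Dnscmd '/ZoneUpdateFromDs', 'corp.mcsaworld.com'      # hypothetical AD-integrated zone

# Clear Cache.
Invoke-Dnscmd '/ClearCache'

# All Tasks | Stop / Pause / Start, remotely, through the service controller.
# The DNS Server service is registered under the name 'DNS'.
& sc.exe "\\$Server" stop     DNS
Start-Sleep -Seconds 5        # stop is asynchronous; let it finish before restarting
& sc.exe "\\$Server" start    DNS
& sc.exe "\\$Server" pause    DNS
& sc.exe "\\$Server" continue DNS
& sc.exe "\\$Server" query    DNS
```

Invoke-Dnscmd fails loudly on a non-zero exit code so that a scripted change (for instance a scavenging interval) is never silently skipped; dnscmd prints "Command completed successfully" on success, which the function returns for logging.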


EXAM 70-292 OBJECTIVE 5.2.1

Managing DNS Zone Settings

The forward and reverse lookup zones also have a few management options available. From the context menu as seen in Figure 6.51, the network administrator can opt to update the server zone file for the specific zone, reload the zone from the zone file, create new zones, create new delegations, or create new records. They can also delete zones and refresh the window view. The creation of resource records is discussed in the next section, "Managing DNS Record Settings."

Figure 6.51

Management of Zones is Fairly Limited

One of the ways that the DNS service provides increased performance and reliability is through delegated zones. By dividing the total namespace that an organization is responsible for into multiple zones, those zones can be stored on and replicated to other DNS servers, thereby increasing DNS availability. Delegating zones also provides an easy way to extend an existing namespace by adding subdomains to accommodate a new location or new requirements. When a zone is delegated, the network administrator must ensure that NS records exist in the parent zone pointing to the authoritative name servers for the delegated zone (together with glue A records when those name servers' own names lie inside the delegated zone). Without these NS records, other servers are never referred to the delegated zone's name servers, and names in the child domain will not resolve correctly. The zone for the child domain must exist on the name server that will host it; the New Delegation wizard, run on the parent zone, then creates the NS records (and glue) in the parent.

EXAM 70-292 OBJECTIVE 5.2.2

Managing DNS Record Settings

A resource record is an entry in the DNS database that contains information that is used to process DNS queries received at the DNS server.

New resource records can be created in the forward or reverse lookup zones by selecting the record type from the context menu. If the record type the administrator wants to create is not listed on the context menus, they can create any of the supported types as listed in Table 6.4 by selecting the Other New Records option.


Figure 6.52 shows the dialog box the administrator will see if they select the New Alias (CNAME) record.

Figure 6.52

Creating a New CNAME Record

The ping command can be used to test the new CNAME record, as seen in Figure 6.53.
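The zone and record tasks of the last two sections, with the delegation described above, can be done from the command line as well. The following PowerShell script is an added example and is not code from the book: it uses dnscmd.exe to lock a zone down to secure dynamic updates and listed secondaries, delegates a child domain (child zone first, then NS and glue records in the parent), adds the CNAME of Figure 6.52, and verifies it the way Figures 6.53 and 6.50 do. All server names, zone names and IP addresses are assumptions, and dnscmd.exe is assumed to be on the path.

```powershell
# Added example, not from the book: zone-level settings, a delegation and a
# CNAME record created with dnscmd.exe and then verified. Server names, zone
# names and IP addresses are hypothetical; dnscmd.exe is assumed on the path.
$Server = 'dns01.corp.mcsaworld.com'   # hosts the AD-integrated parent zone
$Zone   = 'corp.mcsaworld.com'

function Invoke-Dnscmd {
    param(
        [Parameter(Mandatory=$true)][string]$Target,
        [Parameter(Mandatory=$true)][string[]]$Arguments
    )
    $output = & dnscmd.exe $Target @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') on $Target failed (exit $LASTEXITCODE):`n$output"
    }
    return $output
}

# Zone hardening. /AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure,
# 2 = secure only (possible only for AD-integrated zones). /ZoneResetSecondaries
# /SecureList limits zone transfers to the addresses given (the Zone Transfers tab).
Invoke-Dnscmd $Server '/Config', $Zone, '/AllowUpdate', '2'
Invoke-Dnscmd $Server '/ZoneResetSecondaries', $Zone, '/SecureList', '10.0.0.11', '10.0.0.12'

# Delegating west.corp.mcsaworld.com. The child zone is created on the server that
# will host it; the parent zone then gets an NS record for the child, plus a glue A
# record because that name server's own name lies inside the delegated zone.
$ChildServer = 'dns02.west.corp.mcsaworld.com'
$ChildZone   = "west.$Zone"
Invoke-Dnscmd $ChildServer '/ZoneAdd', $ChildZone, '/Primary', '/file', "$ChildZone.dns"
Invoke-Dnscmd $Server '/RecordAdd', $Zone, 'west', 'NS', $ChildServer
Invoke-Dnscmd $Server '/RecordAdd', $Zone, 'dns02.west', 'A', '10.0.1.10'

# The CNAME of Figure 6.52: node name relative to the zone, target as a full name.
Invoke-Dnscmd $Server '/RecordAdd', $Zone, 'intranet', 'CNAME', "web01.$Zone"

# Verify as in Figures 6.53 and 6.50. Our server is authoritative for $Zone, so a
# "Non-authoritative answer" here means the reply came from cache, not the zone.
& ping.exe -n 1 "intranet.$Zone"
$answer = (& nslookup.exe -type=CNAME "intranet.$Zone" $Server 2>&1) -join "`n"
if ($answer -match 'Non-authoritative') {
    Write-Warning "nslookup answered from cache rather than from the authoritative zone"
}
$answer
```

Querying the authoritative server directly (the last argument to nslookup) is the practitioner's check that the record really landed in the zone; a query through a caching server can return a stale answer for as long as the record's TTL.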

Figure 6.53

Testing the New CNAME Record

Figure 6.54 shows the dialog box the network administrator will see if they select the Other New Records option.

Figure 6.54

Selecting a Resource Record Type


Table 6.4 outlines the resource record types supported by Windows Server 2003 DNS. The more commonly used records are denoted with an asterisk (*).

Table 6.4

Resource Record Types in Windows Server 2003 DNS

Record Type: Description

*A (IPv4 host): Used to map a DNS domain name to a 32-bit IPv4 address.

AAAA (IPv6 host): Used to map a DNS domain name to a 128-bit IPv6 address.

AFSDB (Andrew File System Database): Used to map a DNS domain name to the host name of a server computer of a given server subtype.

ATMA (Asynchronous Transfer Mode address): Used to map a DNS domain name to an ATM address.

*CNAME (Canonical name): Used to map an alias or alternate DNS name to a specified DNS domain name.

HINFO (Host information): Used to specify the type of CPU and operating system of the host that owns the record (not of the DNS server).

ISDN (Integrated Services Digital Network): Used to map a DNS domain name to an ITU-T E.163/E.164 ISDN telephone number.

KEY (Public key): Used to provide the public key associated with the zone for DNSSEC.

MB (Mailbox): Used to map a domain mailbox name to a mailbox host.

MG (Mail group): Used to add the domain mailboxes specified by MB resource records to a mail group in the zone.

MINFO (Mailbox mail list information): Used to specify the domain mailbox name for the owner of a mailbox or mailing list.

MR (Mailbox renamed): Used to specify the new name for an existing mailbox.

*MX (Mail exchanger): Used to route mail sent to the domain name configured in the MX record to a mail exchanger host.

*NS (Name Server): Used to map a DNS domain name to the names of the hosts operating DNS servers for the zone.

NXT (Next): Used to indicate the nonexistence of a name in a zone when DNSSEC is implemented.

OPT (Option): Used to carry additional (optional) data in a DNS request or response.

*PTR (Pointer): Used to map an IP address to a DNS domain name.

*RP (Responsible Person): Used to specify the mailbox name of the person responsible for the zone.

RT (Route through): Used to specify an intermediate host binding for hosts that do not have a direct connection to the external network.

SIG (Signature): Used to hold the cryptographic signature over a resource record set when DNSSEC is implemented; it authenticates the records, it does not encrypt them.

*SOA (Start of Authority): Used to specify the name server that is authoritative for the zone and set forth basic properties relating to the zone.

*SRV (Service locator): Used to allow servers providing TCP/IP-based network services to be located using standard DNS queries. SRV records are used extensively in Active Directory-integrated zones, for example to locate domain controllers offering the Lightweight Directory Access Protocol (LDAP) service on TCP port 389.

TXT (Text): Used to provide descriptive text about a resource record.

WKS (Well known service): Used to specify the well-known TCP/IP services supported by a particular protocol at a specific IP address.

X25 (X.25): Used to map a DNS domain name to a Public Switched Data Network (PSDN) address number.

EXAM WARNING

You should be able to list several of the more common resource record types and their properties.


Summary of Exam Objectives

This chapter covered the DNS service from start to finish. The discussion began with the concept of hierarchical databases. DNS is a large hierarchical database that contains the names and IP addresses for IP networks and hosts. The use of hierarchical databases allows many records to be stored in the database in a very complex arrangement, while still allowing fast and easy retrieval of information stored in that database.

The top of the DNS namespace is referred to as the root, and is denoted by a single period, ".". Under the root are TLDs such as the familiar com and edu. Second-level domains, such as syngress.com and mcsaworld.com, are next in the hierarchy. The FQDN can contain as many child-level domains as desired provided that it does not exceed the maximum total length in characters or the allowable number of characters per label.

We next examined some of the planning requirements that a network administrator must fulfill to successfully implement the DNS service for their network. The three primary areas that they must carefully plan for include the namespace, the zone type, and the forwarding requirements. The namespace design will depend on whether the network administrator will be using a namespace for their internal network that is the same as, delegated from, or unique in comparison to the namespace used in their public network. They will need to determine what types of zones, standard or Active Directory-integrated, their implementation requires. In most cases, the network administrator should consider using Active Directory-integrated zones with standard secondary zones in remote and less secure locations where having a local or read-only copy of the zone data will improve network performance or security. Finally, configuring forwarders for their DNS implementation should be seriously considered. A new feature in Windows Server 2003 DNS allows the network administrator to configure multiple forwarders depending on the domain name contained in the DNS query sent from the DNS resolver.

Once the network administrator has completed their planning, they are ready to move forward with the installation, configuration, and management of the DNS service. The DNS server service can be easily installed using the Configure Your Server wizard. Administrators can also perform the installation by using the DNS Management console directly. During installation and initial configuration of a new DNS server, the administrator will have the ability to configure the zone type (primary, secondary, or stub), whether or not the zone is to be Active Directory-integrated, the type of lookup zones to configure (forward, reverse, or both), and whether or not to configure forwarders. They can create a reverse lookup zone after the server has been installed, if desired. They can also configure forwarding at a later time, which is usually more helpful due to the limited configuration allowed during the initial zone creation.

Managing DNS servers is a fairly simple task that can be accomplished from the DNS Management console. A network administrator can connect to remote DNS servers from a local DNS management console, negating the need to travel to each DNS server and locally administer it. Aging and scavenging options must be enabled and configured at both the server and the zone levels; configuration performed on a server hosting an Active Directory-integrated zone automatically updates the zone configuration. Standard zones need to have their aging and scavenging options configured manually.

Administration of zones typically includes adding or removing additional name servers that are to be considered authoritative for the zone. A network administrator can also manually add resource records to their zones, which may be required should they need specially created resource records, such as CNAME records, that are not automatically created by dynamic update. They can only configure secure dynamic updates for their zones if they are Active Directory-integrated zones; non-secure dynamic updates are usually best avoided due to the strong potential for rogue clients to pollute the zone data.

Exam Objectives Fast Track

Introducing and Planning the DNS Service

DNS is a very large hierarchical database that contains the names and IP addresses for IP networks and hosts.

The top of the DNS hierarchy is actually called root, and is symbolized by a single period “.”.

The DNS system is actually a distributed database that allows the whole database to be broken up into smaller segments while maintaining an overall logical architecture to provide the required name resolution services anywhere on the Internet or a private local network.

There are 13 root name servers that sit at the top of the hierarchical chain and perform top-level name resolution for all Internet clients.

Because of the extensive integration of DNS and Active Directory in Windows Server 2003, the network administrator must take great care to get their DNS implementation correct the first time around.

The network administrator has three choices when creating a DNS namespace: use an existing DNS namespace, use a delegated namespace, or use a unique namespace.

Two types of name resolution queries can be performed: recursive and iterative.

Windows Server 2003 DNS supports three zone types: Standard, Active Directory-integrated, and stub.


Installing the DNS Service

The DNS service can be installed and configured by using the Configure Your Server Wizard or from within the DNS management console.

Active Directory-integrated zones can only be created on DNS servers that are on domain controllers.

Secure dynamic updates can only be configured for Active Directory-integrated zones.

Forward lookups provide IP addresses for DNS names.

Reverse lookups provide DNS names for IP addresses.

Configuring the DNS Server Options

A new feature to DNS in Windows Server 2003 is conditional forwarding, in which an administrator can configure that DNS resolution requests should be forwarded to specific DNS servers based on the domain that the resolution is being requested for.

Recursion must be enabled for forwarding to work.

Windows Server 2003 DNS provides support for fast zone transfers. If an administrator has BIND DNS servers version 4.9.4 or earlier (or other third-party DNS servers that do not support the fast transfer format), they can disable fast zone transfers by leaving the BIND Secondaries option selected. If all of their DNS servers support fast zone transfers, they should deselect this option.

Windows Server 2003 DNS can protect its cache against pollution by resource records returned in name resolution queries that are not directly related to the original name resolution request domain.

An administrator can use the options on the Debug Logging tab of the DNS server properties dialog box to monitor and troubleshoot a server that is not performing correctly. Debug logging can become resource intensive over time.

Configuring Zone Options

A record becomes eligible for scavenging once both the no-refresh interval and the refresh interval have elapsed since its time stamp with no accepted refresh or update. Record refresh cannot occur during the no-refresh interval: attempts to refresh a record are not accepted by the DNS server during this time. Updates may still be performed during the no-refresh interval if the resource record's data has changed.


The SOA resource record is always the first record in any standard zone and indicates the server that is authoritative for the zone. The SOA record also contains other properties that provide information about the zone and affect how often zone transfers are conducted.

A network administrator can configure multiple NS records for a zone, however, they can have only one SOA record per zone.

If a network administrator has enabled zone transfers, they can opt to perform them with any server that requests a zone transfer, only with those servers listed on the Name Servers tab, or only with the name servers they specify on the Zone Transfers tab.

The zone serial number denotes the version number of the zone data file. The serial (zone version) number is incremented each time a resource record in that zone is changed, and is used to indicate to secondary servers that a zone transfer is required.

The e-mail address of the administrator responsible for the zone (responsible person) uses a period "." in place of the "@" symbol.

The refresh interval is the time interval configured for a zone that begins when the resource record first becomes eligible to have its time stamp reset during a record refresh and ends when the record becomes eligible to be scavenged from the zone data file.

The no-refresh interval is the interval configured for a zone that begins when the resource record was last refreshed (record refresh) and ends when the record next becomes eligible to have its time stamp refreshed again.
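The interval rules in the bullets above are easier to reason about as code. The following PowerShell functions are an added example and are not code from the book: they model the server's decision for a single record (refresh rejected inside the no-refresh interval, update always accepted, scavenging eligible only after both intervals) using the book's 7-day defaults and constructed dates.

```powershell
# Added example, not from the book: a model of the no-refresh interval, refresh
# interval and scavenging eligibility described above, so the rules can be checked
# against concrete dates. Intervals default to the book's 7 days each.

function Get-AgingWindows {
    # Returns when the refresh window opens and when the record becomes stale.
    param(
        [Parameter(Mandatory=$true)][datetime]$TimeStamp,
        [timespan]$NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan]$RefreshInterval   = (New-TimeSpan -Days 7)
    )
    $refreshOpens = $TimeStamp + $NoRefreshInterval
    New-Object PSObject -Property @{
        TimeStamp      = $TimeStamp
        RefreshOpensAt = $refreshOpens                      # end of the no-refresh interval
        StaleAt        = $refreshOpens + $RefreshInterval   # end of the refresh interval
    }
}

function Submit-DynamicUpdate {
    # Models the server's decision for one dynamic update attempt and returns the
    # record's resulting time stamp. A refresh (same data) is rejected inside the
    # no-refresh interval; an update (changed data) always resets the time stamp.
    param(
        [Parameter(Mandatory=$true)][datetime]$TimeStamp,
        [Parameter(Mandatory=$true)][datetime]$At,
        [Parameter(Mandatory=$true)][ValidateSet('Refresh','Update')][string]$Kind,
        [timespan]$NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan]$RefreshInterval   = (New-TimeSpan -Days 7)
    )
    $w = Get-AgingWindows -TimeStamp $TimeStamp -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval
    if ($Kind -eq 'Refresh' -and $At -lt $w.RefreshOpensAt) {
        Write-Verbose "refresh at $At rejected: no-refresh interval runs until $($w.RefreshOpensAt)"
        return $TimeStamp      # time stamp unchanged
    }
    return $At                 # time stamp reset
}

function Test-Scavengeable {
    # True once both intervals have elapsed since the time stamp with no accepted
    # refresh or update; the record is then removed by the next scavenging run.
    param(
        [Parameter(Mandatory=$true)][datetime]$TimeStamp,
        [Parameter(Mandatory=$true)][datetime]$At,
        [timespan]$NoRefreshInterval = (New-TimeSpan -Days 7),
        [timespan]$RefreshInterval   = (New-TimeSpan -Days 7)
    )
    $w = Get-AgingWindows -TimeStamp $TimeStamp -NoRefreshInterval $NoRefreshInterval -RefreshInterval $RefreshInterval
    return ($At -ge $w.StaleAt)
}

# Walk-through with the 7-day defaults (constructed dates, not real records):
$ts = [datetime]'2003-08-01'
$ts = Submit-DynamicUpdate -TimeStamp $ts -At ([datetime]'2003-08-03') -Kind Refresh  # rejected, stays 1 Aug
$ts = Submit-DynamicUpdate -TimeStamp $ts -At ([datetime]'2003-08-10') -Kind Refresh  # accepted, now 10 Aug
Test-Scavengeable -TimeStamp $ts -At ([datetime]'2003-08-20')   # False: refresh interval runs to 24 Aug
Test-Scavengeable -TimeStamp $ts -At ([datetime]'2003-08-24')   # True: eligible on the next scavenging run
```

Two caveats the model leaves out: a stale record is only removed when a scavenging cycle actually runs (every scavenging period, or when started manually), and that only happens if scavenging is enabled on the server and aging is enabled on the zone, which is why the chapter stresses both levels.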

Managing the DNS Service

Aging and scavenging must be configured at the server and zone level to work.

During the no-refresh interval, no refreshing is allowed for a resource record; however updates to the resource record are allowed.

During the refresh interval, refreshes and updates are allowed for a resource record.

Resource records become eligible for scavenging once the no-refresh interval and then the refresh interval have both passed without a refresh or update to the record.


Selecting the BIND secondaries option for a DNS server configures the DNS server to not use the fast zone transfer format when performing zone transfers to DNS servers using the BIND DNS service version 4.9.4 or earlier.

Only one SOA record may exist per zone; however, multiple NS records can exist in each zone.

The SOA record contains the default properties for the zone and all records contained in the zone.

A network administrator can configure zone transfers to occur only with specified name servers for increased security.

A network administrator can connect to remote DNS servers from the DNS Management console to manage multiple DNS servers from a single location.

The Windows Server 2003 DNS Management console now includes the ability to launch the nslookup command for command-line DNS verification and troubleshooting.

A records are used to map a DNS domain name to a 32-bit IPv4 address.

CNAME records are used to map an alias or alternate DNS name to a specified DNS domain name.

PTR records are used to map an IP address to a DNS domain name.

SOA records are used to specify the name server that is authoritative for the zone and set forth basic properties relating to the zone.


Exam Objectives

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q:

Why do I need to use DNS? Why can’t I just assign IP addresses to all of my computers and have users remember them?

A:

Aside from the fact that humans do not do well remembering large quantities of numbers, DNS is widely implemented and even required by many applications. Active Directory requires the DNS service to be available on the network. DNS is not perfect, but it is a good solution to the problem of locating network resources by using easy to remember and manageable computer names.

Q:

I plan on using Active Directory for my network, but I already have an existing BIND DNS server implementation. What do I need to do to ensure that I am ready for Active Directory?

A:

To be fully compatible with Active Directory, your BIND servers should be version 8.2.2 or later. Version 4.9.6 provides support for Service Records (SRV), version 8.1.2 provides support for dynamic DNS (DDNS), and version 8.2.1 provides support for IXFR zone transfers.

Q:

Why can’t I use secure dynamic updates with a standard primary zone?

A:

Secure dynamic updates can only be used with Active Directory-integrated zones, where the identity of the DNS client can be confirmed because the update is authenticated through Active Directory. When Active Directory-integrated zones are used, the overall security and availability of the DNS implementation are increased considerably.

Q:

Why don’t Active Directory-integrated zones perform zone transfers amongst the servers hosting them?

A:

Active Directory-integrated zones replicate data during normal Active Directory replication events and thus do not need to perform zone transfers amongst the servers hosting them. Zone transfers can be performed to a secondary zone if it is in operation with Active Directory-integrated zones.


Q:

Why do I need to use secondary zones if I am implementing an Active Directoryintegrated zone solution?

A:

Secondary zones can provide a variety of useful functions, including increasing name resolution speed at remote locations, providing a read-only copy of the zone file for locations that cannot be kept as secure as desired (such as a DMZ), and decreasing the load on the primary or Active Directory-integrated zones by performing name resolution.

Q:

Why don’t DNS zones use a push-pull arrangement like WINS servers?

A:

In a standard DNS implementation, only one server per zone maintains the master, writeable copy of the zone file—the primary zone server. All other secondary servers have a read-only copy of the zone data and thus will not have any reason to push their zone file to the primary zone server.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Introducing and Planning the DNS Service

1. You are the network administrator of the All Hands Life Rafts Company that is using an internal DNS namespace of corp.allhandsliferafts.com. You have a DHCP server located in the west domain of your internal network named DHCPSVR0442. What is the FQDN of this DHCP server?

A. dhcpsvr0442.corp.allhandsliferafts.com

B. dhcpsvr0442.west.corp.allhandsliferafts.com

C. dhcpsvr0442.west.allhandsliferafts.com

D. dhcpsvr0442.allhandsliferafts.com

2. You are interviewing Hannah for the position of assistant network administrator. You have been making preparations for a new DNS rollout for your new Windows Server 2003 network and asked Hannah what type of zones Windows Server 2003 DNS supports. Which of the following answers are correct? (Choose two answers.)

A. Standard primary

B. Forwarder

C. Resolver

D. Active Directory-integrated


3. Andrea is planning out a new DNS implementation for her company's network. Her company, Space Race Inc., is a major supplier of space travel-related items to several national governments and private organizations. The corporate network is extremely sensitive and all information contained within the network must be kept as secure as possible without sacrificing availability. What type of zones should Andrea create in this new DNS implementation?

A. Active Directory-integrated

B. Standard primary

C. Standard secondary

D. Stub

4. You are creating a new standard primary forward lookup zone for your network. By default, what is the full path and file name of the zone file if it is being created for the domain sales.corp.mycompany.com?

A. %systemroot%\dns\dns.sales.corp.mycompany.com

B. %systemroot%\system32\dns\sales.corp.mycompany.com.dns

C. %systemroot%\system32\dns\sales.corp.mycompany.com

D. %systemroot%\system32\sales.corp.mycompany.com.dns

5. You have just completed the installation and initial configuration of a new Windows Server 2003 DNS server. While talking with another administrator in your company, you were told that you need to have a reverse lookup zone configured on the DNS server in order for the nslookup command to function completely. You know that you will most likely need to use nslookup at some time in the future to monitor and/or troubleshoot your DNS server, so you have decided to configure a reverse lookup zone. What does a reverse lookup zone actually do for you?

A. A reverse lookup zone is used to provide resolution of host names to IP addresses.

B. A reverse lookup zone maintains a read-only copy of the zone data file.

C. A reverse lookup zone is used to provide increased security for DNS servers located in a DMZ.

D. A reverse lookup zone is used to provide resolution of IP addresses from host names.


Installing the DNS Service

6. Robert is creating a new Windows Server 2003 DNS server on a member server that is part of his network's Active Directory domain. Robert is very concerned about the security of dynamic updates that are made to his zone file and wants to prevent rogue clients from being able to make entries via dynamic update. When Robert attempts to configure secure dynamic updates, he can only configure for nonsecure and secure dynamic updates. What has Robert done incorrectly that is preventing him from configuring only secure dynamic updates?

A. Robert has not installed this DNS server on a domain controller.

B. Robert has not logged into the network using an account that is a member of the DNS Admins group.

C. Robert has not changed the domain functional mode to Windows Server 2003.

D. Robert has not selected to create both a forward and reverse lookup zone during the server creation process.

7. You are network administrator for the ACME Rockets corporate network. You have already successfully installed and configured a core DNS implementation at the corporate headquarters that is using Active Directory-integrated zones for increased security and reliability. Presently, your remote offices and manufacturing plants are performing name resolution over your WAN links, which are almost completely saturated. You have been directed to correct this problem with the least amount of cost to the company and the least amount of administrative effort on your part, while at the same time ensuring that all remote locations can still resolve names at all other locations. What solution should you propose to reduce the traffic being sent over your WAN links due to name resolution?

A. You should create additional delegated namespaces for each location and then create new Active Directory-integrated zones at each location. You should configure these new DNS servers to perform no zone replication outside of their child domains.

B. You should create one or more standard secondary DNS servers in each remote location that is allowed to perform zone transfers with one or more of the Active Directory-integrated DNS servers located in the corporate headquarters.

C. You should create one or more standard primary DNS servers in each remote location that is allowed to perform zone transfers with one or more of the Active Directory-integrated DNS servers located in the corporate headquarters.

D. You should provision more WAN links to provide more bandwidth for your remote locations.


8. You are configuring a new Windows Server 2003 DNS server for your organization’s internal network. This server will be authoritative for your internal namespace, but will not have any information configured in it for any part of the overall namespace outside of your internal network. What function will this DNS server be performing if it is allowed to assist in the resolution of IP addresses for computers that are located outside of your internal network?

A. Aging

B. Forwarding

C. Zone transfer

D. Scavenging

9. Chris is attempting to create a new primary zone for her network. When she runs the New Zone Wizard and gets to the dialog box allowing her to select what type of zone to create, she is not able to select the Store the zone in Active Directory option. What is the most likely reason for this problem?

A. Chris is not a member of the Enterprise Admins group.

B. Chris is not performing the procedure on a domain controller.

C. Chris is not performing the procedure in the correct order.

D. Chris is not a member of the Server Operators group.

Configuring the DNS Server Options

10. You are configuring your Windows Server 2003 DNS and want to prevent it from caching referral answers that are not directly related to the original name query that was sent. What option do you need to enable to ensure that this protection is configured properly on your DNS server?

A. Enable round robin

B. Enable netmask ordering

C. Secure cache against pollution

D. BIND secondaries


11. You have just completed the installation and basic configuration of a new Windows Server 2003 DNS server. You want to configure to which other name servers it will perform zone transfers to increase the security of your network and DNS infrastructure. By default, what other DNS servers will this new DNS server perform zone transfers with?

A. Any DNS server that requests a zone transfer.

B. Only the DNS servers that are listed on the Zone Transfers tab of the Zone Properties dialog box.

C. Only the DNS servers that are listed on the Name Servers tab of the Zone Properties dialog box.

D. Only the DNS servers that are listed on both the Zone Transfer and Name Servers tabs of the Zone Properties dialog box.

Configuring Zone Options

12. You have configured the aging and scavenging properties for your server and zones as follows:

No-refresh interval: 5 days

Refresh interval: 3 days

Enable automatic scavenging of stale records: 6 days

After how many days from its time stamp date will a resource record be eligible to be scavenged from the zone data file if it does not receive a refresh or update?

A. 3 days

B. 5 days

C. 8 days

D. 11 days

13. Chris is the network administrator for Little Bots, Inc. She has recently completed the configuration of a new Windows Server 2003 DNS server using a standard primary forward lookup zone. After doing some additional reading, she has determined that it would be better to have this zone as an Active Directory-integrated zone using secure dynamic updates. Where will Chris need to make this configuration change from?

A. From the Zone Transfers tab of the forward lookup zone Properties dialog box.

B. From the General tab of the forward lookup zone Properties dialog box.

C. From the Advanced tab of the DNS server Properties dialog box.

D. From the root of the DNS Management console.


Managing the DNS Service

14. Jon wants to configure aging and scavenging for all of the zones located on his single DNS server. His zones are all Active Directory-integrated. Where can Jon go to configure the aging and scavenging values for his server and use the least amount of administrative effort?

A. Jon will need to make his configuration on each zone hosted on the DNS server individually.

B. Jon will need to make his configuration only once for any one forward lookup zone and only once for any one reverse lookup zone—the values will then become the default for the rest of the zones on the server.

C. Jon will need to make his configuration during the initial installation of the DNS server and cannot change the values now.

D. Jon will need to make his configuration from the DNS server’s context menu, which will then become the default for all zones on the server.

15. You need to create a new resource record in your DNS zone file that will allow you to perform resolution of a host name given an IP address as input. Which of the following types of resource records do you need to create to allow this type of resolution to occur?

A. PTR

B. A

C. CNAME

D. SRV

16. You are attempting to verify basic network connectivity for one of your internal network servers. When you enter the ping corp command you get the following results:

Pinging w3svr44543.internal.bigcorp.com [192.168.1.233] with 32 bytes of data:

Why did the ping command not return the FQDN of corp.internal.bigcorp.com for the server?

A. The A record for this server is configured incorrectly.

B. The PTR record for this server is configured incorrectly.

C. A CNAME record exists for this server.

D. A NS record exists for this server.


Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. B

2. A, D

3. A

4. B

5. A

6. A

7. B

8. B

9. B

10. C

11. C

12. C

13. B

14. D

15. A

16. C


Chapter 7

MCSA/MCSE 70-292

Implementing, Managing, and Maintaining Network Security

Exam Objectives in this Chapter:

6.1 Implement secure network administration procedures

6.1.1 Implement security baseline settings and audit security settings by using security templates

6.1.2 Implement the principle of least privilege

Summary of Exam Objectives

Exam Objectives Fast Track

Exam Objectives Frequently Asked Questions

Self Test

Self Test Quick Answer Key


Introduction

Network security is a popular topic. It seems that everywhere you look there is something in the news about a new exploit or vulnerability that has been exposed. Unfortunately, network security is not a quick, easy fix. To truly have a secure network, security must be implemented at several different layers. This is known as defense-in-depth. But where should a network administrator start when working towards increasing the security level of a network? One approach is to initially focus on the center of the network—the servers and client workstations—and then work outward towards the public Internet connection. Alternatively, you can start with the public connection—the routers, switches, and firewalls—and work towards the center of the network. The direction in which a network security plan is implemented depends on an organization’s needs and requirements. However, in most cases, the network administrator will want to secure the Internet connection first and then focus on ensuring that the internal network is secure and, more importantly, stays secure.

A good security plan is one that realizes that network security is a daily, ongoing event that requires the administrator to not only implement an initial solution but also to monitor it and manage it over time to ensure that new threats and required changes are taken into account.

First and foremost, a network administrator should use the principle of least privilege for their user accounts. Next, they should configure and implement a solid security solution using security templates. After the security templates have been applied, the administrator should implement a well thought out auditing policy in order to track what users are doing on the network from a security standpoint.

EXAM 70-292 OBJECTIVE 6.1.2

Using the Principle of Least Privilege

The principle of least privilege is nothing more than a guideline for assigning user permissions to a network’s users. There are no definitive guidelines to adhere to—each situation is different, each network is different. The basic premise of the principle of least privilege is that the network administrator should only give users the minimum privileges required to effectively and efficiently perform their specific jobs. Using the principle of least privilege, a compromised user account will have less impact on the overall security of a network than if the network administrator were in the habit of assigning permissions to users that they did not explicitly require. For example, a user whose primary function is to manage a network’s disaster recovery plan would typically only require Backup Operator privileges.

Assigning this user Administrative permissions would open a security hole in the network’s security plan. Should a user require additional privileges other than the privileges that their standard user account provides, they can have the administrator perform the task for them using their user account and the “Run As” command. Alternately, the user might have their own higher-level account that they can use with the Run As command or that can be used to log on to the network. Ideally, all normal user operations will be carried out in the context of a User account, not an Administrator account.


While it may seem that implementing the principle of least privilege is time consuming for the administrator, the opposite is true. By carefully planning and assigning groups the required privileges for each network function, the network administrator can quickly and accurately ensure that users have the privileges they require and nothing more. Users can be added to multiple groups, where their privileges will be the cumulative total of the privileges applied to the groups they are members of. In all cases, the network administrator should avoid explicitly assigning permissions and user rights directly to users. By following the principle of least privilege, the administrator will be able to make their network more secure.
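The two rules in the paragraph above (rights accumulate across group memberships; never assign rights directly to an account) can be turned into a simple review of an account roster. The following is an added example, not code from the book or from any Microsoft tool: it computes each user’s effective rights as the union of their groups’ rights and reports the findings an administrator would want to see, namely rights assigned directly to an account, rights beyond what the job function needs, and rights the job function needs but the account lacks. The groups, roles, users and right names are constructed sample data; the right names are descriptive labels rather than Windows privilege constants.

```python
"""Added example, not code from the book: effective user rights as the
cumulative total of group rights, with a least-privilege audit that flags
rights assigned directly to an account and rights a role does not need.
All groups, roles, users and right names are constructed sample data."""
from typing import Dict, List, Set

# Which rights each group carries (constructed, deliberately simplified).
GROUP_RIGHTS: Dict[str, Set[str]] = {
    "Users": {"log on locally"},
    "Backup Operators": {"log on locally", "back up files and directories",
                         "restore files and directories"},
    "Administrators": {"log on locally", "back up files and directories",
                       "restore files and directories", "take ownership of files",
                       "manage auditing and security log",
                       "load and unload device drivers"},
}

# The minimum each job function needs (constructed).
ROLE_REQUIREMENTS: Dict[str, Set[str]] = {
    "disaster recovery": {"log on locally", "back up files and directories",
                          "restore files and directories"},
    "standard user": {"log on locally"},
}

# Constructed account roster.  "direct_rights" are rights assigned to the
# account itself instead of through a group, the habit the text warns against.
USERS: List[dict] = [
    {"name": "alice", "role": "disaster recovery",
     "groups": ["Users", "Backup Operators"], "direct_rights": set()},
    {"name": "bob", "role": "disaster recovery",
     "groups": ["Users", "Administrators"], "direct_rights": set()},
    {"name": "carol", "role": "standard user",
     "groups": ["Users"], "direct_rights": {"restore files and directories"}},
]


def effective_rights(user: dict) -> Set[str]:
    """Union of the rights of every group the user belongs to, plus any
    rights assigned directly to the account."""
    rights: Set[str] = set(user["direct_rights"])
    for group in user["groups"]:
        rights |= GROUP_RIGHTS.get(group, set())
    return rights


def audit(user: dict) -> Dict[str, Set[str]]:
    """Compare what the user actually holds with what the role requires."""
    held = effective_rights(user)
    required = ROLE_REQUIREMENTS[user["role"]]
    return {
        "direct": set(user["direct_rights"]),  # should be empty: grant via groups
        "excess": held - required,             # more than the job needs
        "missing": required - held,            # the job cannot be done
    }


def audit_all(users: List[dict]) -> List[tuple]:
    """Return (name, findings) for every user with at least one finding."""
    report = []
    for user in users:
        findings = audit(user)
        if any(findings.values()):
            report.append((user["name"], findings))
    return report


if __name__ == "__main__":
    for name, findings in audit_all(USERS):
        print(name)
        for kind, rights in findings.items():
            if rights:
                print(f"  {kind}: {', '.join(sorted(rights))}")
```

In the sample roster alice matches the text’s disaster-recovery example exactly (Users plus Backup Operators, nothing more), bob holds administrative rights his role never uses, and carol has a right stapled directly onto her account, which is what the audit is meant to surface before the account is compromised rather than after.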

EXAM WARNING

The principle of least privilege will be tested on the exam. As an administrator, you should know that you should only grant the permissions that are needed and nothing more. This means that you have to understand the following parts of access control: NT File System (NTFS) permissions, group assignments (default), and default permissions assigned to a user. Refer back to Chapter 1 for a refresher on using groups to assign permissions and user rights.

EXAM 70-292 OBJECTIVE 6.1, 6.1.1

Implementing Security with Security Templates

In 2002, Microsoft stopped all new coding work on all products in order to find and correct security flaws in existing products. As a result of the Trustworthy Computing campaign, which also required all of Microsoft’s programmers to take classes on writing secure code, Windows Server 2003 in its default installation is significantly more secure than any of its predecessors. This added security, however, does not relieve the network administrator of their administrative responsibilities to evaluate, implement, and monitor additional (customized) security configurations for their Windows Server 2003 computers and client workstations. The administrator also needs to understand how Windows XP, Windows 2000, and other legacy Windows clients interact with and affect the security of their Windows Server 2003 computers.

Microsoft provides a complete set of preconfigured security templates in Windows Server 2003 that the network administrator can use to quickly apply standardized security settings. Security templates can be used to apply a security configuration to a single computer, an organizational unit (OU), or a domain. While implementing the principle of least privilege is a policy-based action, using security templates is a hands-on activity requiring the attention and dedication of a very knowledgeable (and patient) network administrator.

The following sections examine the preconfigured security templates that are provided with Windows Server 2003 as well as how they are used, customized, and implemented to increase security on a network.


Introduction to Security Templates

Although Windows Server 2003 is more secure than any previous version, network administrators are in no way relieved of the requirement to implement a security solution that is specific to the needs of and the threats faced by their network. Using security templates, the administrator can customize the security settings of their servers and workstations to meet these requirements. The preconfigured security templates provided with Windows Server 2003 can be thought of in one of two ways: they can either provide a great starting point for a customized security template solution, or they can be the final solution in and of themselves. Neither train of thought is more correct than the other—the choice made depends on the requirements of the network.

Security templates are nothing more than specially formatted text files that are coded to be read by the Security Configuration Manager tools. Security templates have the file extension *.INF and can be edited manually, if desired, in any standard text editing application. The preconfigured security templates can be found in the %systemroot%\security\templates folder on the Windows Server 2003 computer.

The Security Configuration Manager tools, discussed in more detail later in this section, consist of the following four items:

■ The Security Configuration and Analysis snap-in

■ The Security Templates snap-in

■ Group Policy security extensions

■ The secedit.exe command

Security templates can be broken down into two general categories: default and incremental. The default (or basic) templates are applied by the operating system when a clean install has been performed. They are not applied if an upgrade installation has been done.

The incremental templates should be applied after the default security templates have been applied as they add additional security configuration settings to the existing configuration.

If a template ends in ws, it is for a standalone computer or member server (not a domain controller). If a template ends in dc, it is for a domain controller. Table 7.1 describes the function of these provided templates.

Administrators can save time and effort during an initial rollout by applying these templates to workstations, domain controllers, and member servers. Then, as time allows, they can customize and fine-tune security settings for local computers, OUs, or an entire domain.

Table 7.1 Windows Server 2003 Security Templates

Template (Filename): Default (Setup security.inf)
Description: The Default security template is created during the installation of Windows Server 2003; thus it will vary from one computer to the next, depending on whether the installation was performed as a clean installation or an upgrade. This security template represents the default security settings for the computer, and therefore can be used to reset the security settings for the entire computer or portions of the computer to the initial settings required. This template is created for member servers and workstations, but not for domain controllers. The default security template should never be applied to any computer other than the one it was created on. Additionally, this security template should never be applied via Group Policy due to the large amount of data it contains—it can result in performance degradation.

Template (Filename): Default DC (DC security.inf)
Description: The Default DC template is created when a member server is promoted to a domain controller and represents the default file, Registry, and system service security settings for that DC at that time. This security template can be used much like the Default security template to reset all or a portion of the specific domain controller’s security settings at a later time if required.

Template (Filename): Compatible (compatws.inf)
Description: The Compatible security template provides a way for members of the Users group to run those applications that may be in use on the network that are not Windows logo compliant. Applications that are not Windows logo compliant often require users to have elevated privileges commonly associated with the Power Users group. By applying the Compatible security template, the network administrator can change the default file and registry permissions that are granted to the Users group, thus allowing them to run these non-compliant applications. Once the Compatible security template has been applied, all users will be removed from the Power Users group as they will no longer require this level of privilege to run the non-compliant applications. The Compatible template should never be applied to a domain controller, so the administrator must take care not to import it at the domain or domain controller level.

Template (Filename): Secure (securews.inf, securedc.inf)
Description: The Secure security templates start to actually secure the computers to which they have been applied. Two different Secure security templates exist: securews.inf, which is for workstations and member servers, and securedc.inf, which is for domain controllers only. Secure security templates prevent LAN Manager (LM) authentication from being used on the network, thus preventing Windows 9x clients from being able to authenticate unless they have the Active Directory Client Extensions installed to enable NT LAN Manager version 2 (NTLMv2). The Secure security templates also implement Server Message Block (SMB) packet signing for servers. SMB packet signing is enabled by default for clients.

Template (Filename): Highly Secure (hisecws.inf, hisecdc.inf)
Description: The Highly Secure security templates continue to impose additional security restrictions on the computers that they have been applied to. The Highly Secure security templates allow only NTLMv2 authentication. Additionally, SMB packet signing is required when using the Highly Secure security templates. After applying the Highly Secure security templates, all members of the Power Users group are removed from this group. Additionally, only members of the Domain Admins group and the local administrative account are allowed to be members of the local Administrators group, further increasing security of the network by limiting who can have administrative permissions on a computer. When the Highly Secure security templates are used, there are no provisions in place for applications that are not Windows logo compliant. Users will only be able to use logo compliant applications. Administrators will be able to use any application they desire.

Template (Filename): System Root (rootsec.inf)
Description: The System Root security template is used to define the permissions for the root of the system volume. Should these permissions have been changed, the network administrator can reapply them using this template. Should the administrator need to apply permissions, they can modify this template and use it to apply the same permissions to other volumes. Any existing explicitly configured permissions will not be overwritten on child objects when this security template is applied.

Template (Filename): No Terminal Server Use SID (notssid.inf)
Description: The No Terminal Server Use SID security template is used to remove all unnecessary Terminal Services SIDs from the file system and Registry. This does not affect the security of the Terminal Server server in any way.

EXAM WARNING

You must have a solid grasp on the purpose and role of each security template that ships with Windows Server 2003. Key points to keep in mind when working with security templates are which ones are default, which ones are incremental, and the basic purpose of each, including the type of computer that it is to be deployed on. Know those security templates!

The Security Configuration Manager Tools

This section examines the Security Configuration Manager tools that the network administrator uses to design, test, and implement a security template solution. As mentioned previously, the Security Configuration Manager is actually comprised of four different tools that are used in various ways to achieve a complete solution. Two user interfaces are available to configure system security settings: the graphical interface and the secedit.exe command-line interface. You will do most of your work from the graphical interface and thus you will need to create a customized security management console. These tools do not already come in a preconfigured management console ready for usage. Exercise 7.01 presents the process by which you can make your customized security management console—a requirement to progress through the rest of this section.

EXERCISE 7.01 CREATING THE SECURITY CONSOLE

1. Choose Start | Run, enter mmc into the text box, and click OK. An empty MMC shell opens as seen in Figure 7.1.


Figure 7.1 The Empty MMC Awaiting Customization

2. From the MMC menu, click File | Add/Remove snap-in, and then click the Add button.

3. Select and add the following snap-ins as seen in Figure 7.2:

■ Security Configuration and Analysis

■ Security Templates

Note that you will need to add these snap-ins one at a time by selecting the first one and clicking the Add button. Next select the second snap-in and click the Add button again.

Figure 7.2 Selecting the Security Management Tools


4. Click Close in the Add Standalone Snap-in window.

5. Click OK in the Add/Remove Snap-in window.

6. Save your MMC by clicking File | Save As.

7. In the filename box, type Security Management Console or any other name you want. This will automatically save your MMC into the Administrative Tools folder of the currently logged in user. Your custom Security Management Console should look similar to the screen shown in Figure 7.3.

Figure 7.3 The Customized Console is Ready to Use

The Security Configuration and Analysis Snap-in

The Security Configuration and Analysis console snap-in can be used on a local computer to compare its current security configuration settings to those as defined by a template. The template being used for the analysis can either be one of the preconfigured templates supplied with Windows Server 2003 or a custom created template.


TEST DAY TIP

The key to working with the Security Configuration and Analysis snap-in is to never forget that it is used only on the local computer—never on a domain or OU scale.

This limitation hampers its utility, but does not prevent developing and deploying robust security templates to an organization on a large scale. Importing templates into a domain or OU is discussed later in this chapter.

The Security Configuration and Analysis snap-in is used in one of two modes (as the name suggests): analysis or configuration.

When used in analysis mode, no changes are made to the existing security configuration of the computer. The administrator simply selects a security template to be used to compare the current computer security configuration against. The settings contained in this template are loaded into a temporary database and then compared to the settings in place on the computer. If desired, multiple templates can be loaded into the database, merging their settings and providing a conglomerate database. Additionally, the administrator can opt to clear the database settings before importing a security template to ensure that only the current security template is being used for the analysis. Once the database has been populated with the desired security template settings, the network administrator can perform any number of analysis routines using either the Security Configuration and Analysis snap-in or the secedit.exe command, which are discussed in more detail later.

When used in configuration mode, the current contents of the database are immediately applied to the local computer. It is always advisable to perform an analysis before performing a configuration operation using the Security Configuration and Analysis snap-in, as there is no “undo” feature and thus no easy way to back out of changes just made without some preplanning having occurred.

After performing an analysis in Exercise 7.02, you will be presented with various icons identifying the result of the analysis as detailed in Table 7.2.

Table 7.2 The Windows Server 2003 Security Templates

Icon: Red X
Description: Indicates that this item was defined in both the database and on the computer, but that the settings do not match.

Icon: Green check mark
Description: Indicates that this item was defined in both the database and on the computer and that the settings match.

Icon: Question mark
Description: Indicates that this item was not defined in the database and therefore was not examined on the computer.

Icon: Exclamation point
Description: Indicates that this item was defined in the database but not on the computer and therefore was not examined.

Icon: No special icon
Description: Indicates that this item was not defined in the analysis database or on the computer and therefore was not examined.

It is difficult to completely comprehend the Security Configuration and Analysis snap-in until you have used it at least once to perform an analysis and configuration of a computer. Exercise 7.02 discusses the process to perform an analysis of a Windows Server 2003 member server using the securews.inf template. Before doing that, however, it is important to discuss the database in more detail as well as the different areas that can be analyzed and configured using the Security Configuration and Analysis snap-in.

The database is central in the security analysis process. The administrator can initiate a security analysis after configuring the entries in the database to meet the organization’s needs. The security analysis compares the settings in the database with the actual settings implemented on the local computer. Individual security settings are flagged by an icon that changes depending on whether the actual security settings are the same as or different from those included in the database. The administrator will also be informed if there are settings that have not been configured at all and thus might require attention.

Prior to the security analysis, the administrator will configure the preferred security settings in the database by importing one or more desired security templates. After the database is populated with an ideal security scenario, it is tested against the current machine settings. As mentioned previously, once the database has been populated with the desired settings, it can be used multiple times to perform the same analysis or configuration action.
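To make the template-versus-computer comparison concrete, here is an added example that is not code from the book or from any Microsoft tool (on a real server the snap-in or secedit.exe does this work against the actual system state). It parses a small security template written in the *.INF layout described earlier, loads it as the "database", and compares it item by item with a set of current settings, assigning each item one of the outcomes from Table 7.2; it also shows the configuration step, which overwrites the computer’s settings with the database contents and therefore takes a snapshot first, since the snap-in offers no undo. The template text, the "current settings", and the outcome labels are constructed for illustration; a real template carries further sections (user rights, restricted groups, services, Registry and file permissions) that the same parser would load in the same way.

```python
"""Added example, not code from the book: a small parser for the INF
security-template format and a Security Configuration and Analysis style
comparison of a template (the "database") against a computer's current
settings, plus the configuration step that applies the database.  Both
the template text and the "current settings" are constructed sample data,
not the output of a real machine."""
import configparser
from typing import Dict, Tuple

Setting = Tuple[str, str]  # (section, key)

# Constructed sample template in the secedit INF layout.  Section names and
# the "type,value" encoding under [Registry Values] follow the layout of the
# templates shipped in %systemroot%\security\templates.
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,5
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
"""

# Constructed "current settings" of a computer, keyed like the template so
# the two can be compared item by item.
SAMPLE_CURRENT: Dict[Setting, str] = {
    ("System Access", "MinimumPasswordLength"): "6",
    ("System Access", "PasswordComplexity"): "1",
    ("System Access", "MaximumPasswordAge"): "42",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Registry Values",
     r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"): "4,2",
}

# Outcomes named after the icons the snap-in shows after an analysis.
MISMATCH = "red X"               # defined in both, values differ
MATCH = "green check mark"       # defined in both, values equal
NOT_IN_DB = "question mark"      # present on the computer, not in the database
NOT_ON_PC = "exclamation point"  # in the database, not present on the computer


def parse_template(text: str) -> Dict[Setting, str]:
    """Load INF template text into a {(section, key): value} database."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case and the MACHINE\... paths intact
    cp.read_string(text)
    database: Dict[Setting, str] = {}
    for section in cp.sections():
        if section in ("Unicode", "Version"):
            continue  # file metadata, not security settings
        for key, value in cp.items(section):
            database[(section, key)] = value
    return database


def analyze(database: Dict[Setting, str], current: Dict[Setting, str]) -> Dict[Setting, str]:
    """Analysis mode: compare without changing anything.  Every item known
    to either side receives one of the four outcomes above."""
    results: Dict[Setting, str] = {}
    for item in set(database) | set(current):
        if item in database and item in current:
            results[item] = MATCH if database[item] == current[item] else MISMATCH
        elif item in database:
            results[item] = NOT_ON_PC
        else:
            results[item] = NOT_IN_DB
    return results


def summarize(results: Dict[Setting, str]) -> Dict[str, int]:
    """Count how many items fell into each outcome."""
    counts: Dict[str, int] = {}
    for outcome in results.values():
        counts[outcome] = counts.get(outcome, 0) + 1
    return counts


def configure(database: Dict[Setting, str], current: Dict[Setting, str]):
    """Configuration mode: every database item is applied to the computer.
    Returns (new_settings, snapshot); the snapshot of the pre-change state
    is the preplanning the text calls for, because there is no undo."""
    snapshot = dict(current)
    new_settings = dict(current)
    new_settings.update(database)
    return new_settings, snapshot


if __name__ == "__main__":
    db = parse_template(SAMPLE_TEMPLATE)
    results = analyze(db, SAMPLE_CURRENT)
    for item, outcome in sorted(results.items()):
        print(f"{outcome:18} {item[0]} / {item[1]}")
    print(summarize(results))
```

Run against the sample data, the two values set on the computer but weaker than the template (the 6-character minimum password and the LmCompatibilityLevel of 2) come back as red X, the two settings the template does not mention are reported as question marks, and the template items the computer has no value for appear as exclamation points; the same division is what a real analysis presents in the console before you decide whether configuring is safe.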

EXAM WARNING

Knowing and understanding the configurable areas and what role they play in the overall security process is important for this exam. Don’t worry so much about memorizing each configurable item in these areas (we will discuss these items later in this chapter). You should just be aware that these different areas exist and what they are used for.

The following areas can be configured and analyzed using the Security Configuration and Analysis snap-in:

Account Policies

The Account Policies node includes those configuration variables that the network administrator formerly manipulated in the User Manager for

Domains applet in Windows NT 4.0.The two subnodes of the Account Policies node include the Password Policy node and the Account Lockout Policy node. In the Password Policy node, the administrator can set the minimum and maximum

www.syngress.com

271_70-292_07.qxd 8/21/03 5:28 PM Page 414

414 Chapter 7 • Implementing, Managing, and Maintaining Network Security

■ password ages and password lengths.The Account Lockout Policy allows them to set lockout durations and reset options.

Local Policies

Local policies apply to the local machine. Subnodes of the Local

Polices node include Audit Policy, Users Right Policy, and Security Options.

Audit and User Rights policies look familiar to users of Windows NT 4.0.The

Security Options node offers the administrator many options that formerly were available only by manipulating the Windows NT 4.0 Registry or through the

Policy Editor (poledit). Examples include the ability to set the message text and message title during logon, restricting the use of floppy disks, and the Do not display last username at logon option.

Event Log

The Event Log node allows the administrator to configure security settings for the Event Log.These include maximum log sizes, configuring guest access to the Event Log, and whether or not the computer should shut down when the Security Log is full.

Restricted Groups

You can centrally control the members of groups. At times, an administrator will add someone temporarily to a group, such as the Backup

Operators group, and then neglect to remove that user when they no longer need to be a member of that group.These lapses represent a potential hole in network security.The network administrator can configure a group membership list in the

Restricted Groups node and then configure an approved list of members by reapplying the security template they created.

System Services

The network administrator can define the security parameters of all system services in the database via the System Services node. They can define whether a service startup should be automatic, manual, or disabled. They can also configure which user accounts have access to each service.

Registry

The Registry node allows you to set access restrictions on individual Registry keys. Note that you cannot create or otherwise edit the Registry from here—these actions will require the use of the Registry Editor.

File System

The File System node allows the network administrator to set folder and file permissions. This is a great aid to the administrator who might have been experimenting with access permissions on a large number of files or folders and then later cannot recall the original settings. They can apply a security template to restore all file and folder permissions to their original settings.


NOTE

The formulation of a well-planned security policy is a time-consuming process. To add a measure of fault tolerance, the database entries can be exported to a text file, which can be saved for later use on the same machine or applied to another machine, domain, or OU. The exported template is saved as an .INF file and can be imported to other computers, domains, and OUs. In this way, the security parameters can be reproduced exactly from one machine to another.

EXERCISE 7.02

ANALYZING SECURITY USING SECURITY CONFIGURATION AND ANALYSIS

1. Open your custom security management console that was created in Exercise 7.01.

2. Right-click Security Configuration and Analysis, and select Open Database. The Open database dialog box, seen in Figure 7.4, opens.

Figure 7.4 The Open Database Dialog Box

3. If there is already an existing database, you can open that one. If no databases are currently defined, you can create a new one by entering the name of the database in the filename box. Click Open to continue.


4. The Import Template dialog box appears, as seen in Figure 7.5. To populate the database with the security configuration entries you will need to select the security template that represents the level of security you are interested in. For this example, select the securews.inf template and click Open to continue.

Figure 7.5 The Import Template Dialog Box

5. In the right pane, you will see instructions on how to analyze or configure your computer. Right-click the Security Configuration and Analysis node and select Analyze Computer Now. Be careful; if you select Configure Computer Now, it will apply the settings that you have imported into the database to the active security configuration of the computer.

6. You will next be prompted to give a location in which to store the log files. Use the Browse button to set the correct location. The default name for the log file is database_name.log (where database_name is the name of your database). Click OK to continue.

7. After you click OK, you will see the Analyzing System Security dialog box, as seen in Figure 7.6, which details the progress of the current security analysis. Once this process has finished running, you can see the differences between the template file and your local system.


Figure 7.6 Analyzing the System Security

NOTE

Not all computers are created equal; it is therefore perfectly normal (and expected) that some computers will have different initial security settings than those presented here. Your results may vary depending on the initial state of the computer being used for the analysis.

After the analysis is performed, the time-consuming and critically important next step of inspecting the differences comes into play. The network administrator will need to look through each node of the analysis results and determine if the results agree with their desired settings for the computer. If the results are not agreeable, they can change the database setting by double-clicking on the configuration item to open its Properties dialog box, as seen in Figure 7.7. The change will then be implemented into the database for further analysis and configuration usage. The Configure option must be used to actually make the change to the computer itself.

Figure 7.7 Changing Settings from Within the Database


Once all of the database settings agree with how the administrator wants the computer to be configured, they can be applied by selecting Configure Computer Now.

Additionally, the template can be exported for easy application to other computers in the same role (discussed later in this chapter). The steps needed to configure the computer with the settings contained in the database are as follows:

1. If not done already, complete Exercise 7.02.

2. Right-click the Security Configuration and Analysis node and select Configure Computer Now.

3. You will be prompted to give a location in which to store the log files. Use the Browse button to set the correct location. The default name for the log file is database_name.log (where database_name is the name of your database). Click OK to continue.

4. After the configuration is complete, you will need to perform another analysis to verify that the settings have been applied.

Safety First!!

The Security Configuration and Analysis snap-in, the Security Templates snap-in, the secedit.exe command-line tool, and the security extensions to the Group Policy Editor are powerful and efficient tools that allow you to manage and control your organization’s security infrastructure. However, as with all the security configuration tools and capabilities of Windows Server 2003, you should use appropriate caution before employing these tools in a live environment. Before deployment, be sure to test your security configurations in a lab environment that resembles your live environment as closely as possible.

The secedit.exe command-line tool will allow you to schedule regular security audits of local policies on the machines in any domain and OU. By running scripts that call on the secedit.exe program, you can update each computer’s personal database with the results of your security analysis. You can then later use the Security Configuration and Analysis snap-in to analyze the results of your automated analysis. Always watch for the effective policy, because this can differ from the policy that you applied to the local machine. Any existing domain or OU security policies that apply to the machine will overwrite local machine policy.

As mentioned previously, the weakness of the Security Configuration and Analysis snap-in is that it cannot be used to remotely configure computers. So what does a network administrator do with a customized security template that they have created and now need to deploy to other computers in the network? They can very easily export the settings from the database into a standard security template file that can be transferred to any computer desired.


To export the template, right-click on the Security Configuration and Analysis node and select Export Template from the context menu. Importing a template to the local computer that you have created elsewhere is just as easy: simply right-click on Security Configuration and Analysis and select Import Template from the context menu.

The Security Templates Snap-in

When first looking at the Security Templates snap-in (Figure 7.8), it might seem like it has no real purpose. However, this snap-in provides an ideal place to modify existing security templates or create entirely new ones from scratch, without any danger or possibility of accidentally applying the security template to the local computer (as with Security Configuration and Analysis) or to a larger range of computers (via Group Policy).

Figure 7.8 The Security Templates Snap-in

The network administrator can begin customizing an existing template simply by starting to make changes to it. When done editing an existing security template, the administrator should save it with a new name by right-clicking on it and selecting Save As from the context menu. This will prevent overwriting a preconfigured security template that may be needed at a later time.

If an administrator wants to start with a completely empty security template in which no settings have been preconfigured, they can do so by right-clicking on the template location node (such as E:\WINDOWS\security\templates) and selecting New Template from the context menu. The dialog box seen in Figure 7.9 will open, prompting them to supply a name and description for the new template. The network administrator can now begin making security configurations in the new template.


Figure 7.9 Creating a New Security Template

After creating a customized security template, the network administrator can export it from the local computer, if required, by right-clicking on it and selecting Save As from the context menu. It is important to save the template with a descriptive name and in a location where it can be found later. To import a security template, right-click on the Security Templates node and select New Template Search Path from the context menu.

Group Policy Security Extensions

Security in Windows Server 2003 is ideally applied primarily by using Group Policies. Group Policy can be applied in an organization at four distinctly different levels, each inheriting the settings from the level above. Group Policy is applied at the following levels (and in this order):

Local This is Group Policy applied directly to the local computer itself.

Site Site level Group Policy objects (GPOs) are applied to all objects within that site. Site GPOs will overwrite the Local GPO. If there exists more than one Site level GPO, the administrator can specify the order in which they are applied, thus determining which GPOs will be overwritten should a conflict occur.

Domain Domain level GPOs are applied to all objects within the domain and overwrite Site level GPOs. As with Site GPOs, the administrator can specify the order in which they are applied should more than one Domain level GPO exist.

OU OU GPOs are processed last, with the GPO linked to the highest OU processed first, followed by the GPOs linked to each successive child OU. OU GPOs overwrite all GPOs that have come before them and therefore provide the most granular level of security configuration available out of all the levels of Group Policy. Again, should more than one OU level GPO exist, they are processed in the order specified by the administrator.
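The processing order just described can be worked through as a simple merge. The following is an added example written for this text, not code from the book or from Microsoft: it sorts constructed GPO records into Local, Site, Domain, OU order (administrator-chosen order within a level, parent OU before child OU) and lets each later GPO overwrite only the settings it actually configures. The GPO names, setting names and values are made up for illustration.

```python
# Processing order stated in the text: Local, then Site, then Domain, then OU,
# with a parent OU's GPOs applied before a child OU's. A setting written by a
# later GPO overrides the same setting from an earlier one; a setting the GPO
# leaves Not Configured (None here) changes nothing.
LEVEL_ORDER = ("Local", "Site", "Domain", "OU")


def processing_order(gpos):
    """Sort GPO records into the order in which they are applied.

    Each record is a dict with 'name', 'level', 'settings', an optional
    'apply_order' set by the administrator for GPOs at the same level
    (1 is applied first) and, for OU GPOs, an 'ou_path' tuple whose length
    puts parent OUs before child OUs."""
    def key(gpo):
        return (LEVEL_ORDER.index(gpo["level"]),
                len(gpo.get("ou_path", ())),
                gpo.get("apply_order", 1))
    return sorted(gpos, key=key)


def resolve_effective_policy(gpos):
    """Return {setting: (effective value, name of the GPO that supplied it)}."""
    effective = {}
    for gpo in processing_order(gpos):
        for setting, value in gpo["settings"].items():
            if value is None:          # Not Configured: keep the inherited value
                continue
            effective[setting] = (value, gpo["name"])
    return effective


# Constructed example (made-up GPO and setting names): a web server that sits
# in the Servers/Web OU of a single domain with one site. The list is
# deliberately out of order to show that processing_order() sorts it.
EXAMPLE_GPOS = [
    {"name": "Web OU", "level": "OU", "ou_path": ("Servers", "Web"),
     "settings": {"AuditLogonEvents": "Success, Failure", "LockoutBadCount": None}},
    {"name": "Domain Hardening", "level": "Domain", "apply_order": 2,
     "settings": {"MinimumPasswordLength": 12}},
    {"name": "Local GPO", "level": "Local",
     "settings": {"MinimumPasswordLength": 0, "AuditLogonEvents": "Failure",
                  "ShutdownWithoutLogon": 0}},
    {"name": "Servers OU", "level": "OU", "ou_path": ("Servers",),
     "settings": {"LockoutBadCount": 3}},
    {"name": "Default Domain Policy", "level": "Domain", "apply_order": 1,
     "settings": {"MinimumPasswordLength": 8, "LockoutBadCount": 5}},
    {"name": "Site HQ", "level": "Site",
     "settings": {"MinimumPasswordLength": None}},
]

if __name__ == "__main__":
    for setting, (value, source) in sorted(resolve_effective_policy(EXAMPLE_GPOS).items()):
        print(f"{setting:24} = {value!r:20} from {source}")
```

Because the Web OU GPO leaves LockoutBadCount Not Configured, the value 3 from the parent Servers OU survives, while the second domain GPO (applied after the Default Domain Policy) wins the password length. The model shows precedence only; it does not reflect the book's later point that Account Policies take effect only when set at the domain level.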

TEST DAY TIP

Make sure you have a complete understanding of the four levels at which Group Policy is applied and the order in which they are applied.


Applying security through Group Policy is done using different tools for each level. At the Local level, using the Local Security Settings console as seen in Figure 7.10 allows you to configure and implement the Local GPO. Any changes made here will be implemented in the Local GPO. Note that these same changes can be made using a Local GPO console from the Computer Configuration | Windows Settings | Security Settings node.

Figure 7.10 Using the Local Security Settings Console

Applying security configurations to the Site level GPO is done by using the Active Directory Sites and Services console, as seen in Figure 7.11. The administrator can create or edit Group Policy to apply at the Site level by right-clicking on the site name, selecting Properties, and changing to the Group Policy tab of the Properties page. Security settings are not typically applied at the Site level, which may explain the lack of a tool specifically for this purpose.

Figure 7.11 Accessing Security Configuration Settings at the Site Level


Applying security settings at the Domain level has been made fairly simple, thanks in part to the existence of the Domain Security Policy console seen in Figure 7.12. This console allows the network administrator to configure security settings for all objects in the domain, including child domains within that domain. Note that settings made using the Domain Security Policy console will be configured in the Default Domain GPO. Applying security at the domain is the most common method of Group Policy security application and will be discussed later in this chapter in the “Deploying Security Templates via Group Policy” section.

It is of interest that certain security configurations can only be made at the Domain level, such as those dealing with Account Policies and Registry security. This limitation is due to the fact that Active Directory only allows one domain account policy per domain. For more information, see the knowledge base article located at http://support.microsoft.com/default.aspx?scid=KB;en-us;255550.

Alternatively, the network administrator can work with domain level Group Policy from the Active Directory Users and Computers console by right-clicking the domain, selecting Properties, and then switching to the Group Policy tab.

Figure 7.12 Configuring the Domain Level Security Policy

Configuring OU Group Policy and security settings requires the administrator to use the Active Directory Users and Computers console, as seen in Figure 7.13. To configure settings for a specific OU, the administrator should right-click on it and select Properties from the context menu. When the OU Properties dialog box opens, they then change to the Group Policy tab to start the OU GPO configuration. As mentioned previously, the administrator can work with Domain level Group Policy security settings by right-clicking on the domain and selecting Properties from the context menu.


Figure 7.13 Using the Active Directory Users and Computers Console to Configure Security Settings

By applying one of the preconfigured templates and then performing customization tasks using the tools outlined here, the network administrator can quickly create custom security template solutions that meet their needs without the burden of starting completely from scratch. The “Configuring Security Templates” section examines each of the major areas that make up a security template.

Group Policy Security versus Security Templates

It may seem by now that using Group Policy to configure security settings and using security templates are two ways to accomplish the same task. This is indeed true. The key difference comes in when you consider what each was designed for.

Security templates are designed to allow you to quickly apply a preconfigured security solution to a specific computer (or group of computers). These templates were designed to be a starting location for further customization—this is where Group Policy comes into play. Should you happen to apply a security template and then later decide you want to further enhance security in a specific area, you will most likely opt to use one of the aforementioned tools to edit the appropriate GPO.

In short, look at security templates as a well-defined starting point that can be customized to meet the requirements of the situation by using Group Policy settings.

One key point to remember: any settings you configure directly in Group Policy cannot be exported into a template for use on another computer. By the same token, settings applied via templates can sometimes be very difficult to remove should you later change your mind about the template application.


The secedit.exe Command

The secedit.exe command-line tool offers much of the functionality of the Security Configuration and Analysis snap-in from the command line. This allows the administrator to script security analyses for many machines across the enterprise and save the results for later analysis.

The secedit.exe tool’s reporting capabilities are limited. Although administrators can perform a security analysis from the command line, they cannot view the results of the analysis with secedit.exe. They must view the analysis results from the graphical Security Configuration and Analysis snap-in interface. Additionally, the secedit.exe tool can be used to configure, refresh, and export security settings as well as validate security configuration files.

TEST DAY TIP

For this exam, concentrate on understanding how secedit.exe can be used to analyze and configure system security.

The secedit.exe command has the following top-level syntax:

secedit [/analyze] [/configure] [/export] [/import] [/validate] [/GenerateRollback]

The functions of each top-level option are detailed here:

/analyze Allows the network administrator to analyze the local computer by comparing its security settings against those contained in the database.

/configure Allows the network administrator to configure the security settings of a local computer by applying the settings that are contained in the database.

/export Allows the network administrator to export the security settings that are contained in the database into a security template .INF file.

/import Allows the network administrator to import security templates into the database to be used for analysis and configuration of the local computer’s security settings. You can use the /import option to import multiple security templates into the database, if required.

/validate Allows the network administrator to validate the syntax of a security template to ensure that it contains no errors before the security template is imported into the database.

/GenerateRollback Allows the network administrator to create a rollback security template that can be used to reset the security configuration to the state it was in before applying the security template.

The usage and specific switches that are associated with each top-level option of the secedit.exe command are explained in the following sections.


Viewing the Results of the secedit.exe Analysis

One of the primary weaknesses of the secedit.exe command is that it provides no means for you to view the results of the analysis directly. You will need to view the analysis results in the Security Configuration and Analysis snap-in by opening the database and log file that were created during the secedit.exe analysis. While you might at first consider this a cumbersome way of analyzing the security settings, you will quickly see that the opposite is actually the case. By creating a script that runs the secedit.exe command on multiple computers, you can use the %computername% variable in the log file name to create a log file for each computer that has been scanned. Additionally, the log files can be saved to a centrally located file server to ensure they are all stored in one place. An administrator can then examine the log files from each computer’s analysis from their desktop computer and determine where changes need to be made.

secedit /analyze

The /analyze switch is used to initiate a security analysis and has the following syntax:

secedit /analyze /db FileName /cfg FileName /overwrite /log FileName /quiet

Table 7.3 details the function of each of the /analyze switches.

Table 7.3 The secedit /analyze Parameters

Switch         Description
/db FileName   Used to specify the path and file name of the database that is to be used to perform the analysis.
/cfg FileName  Used to specify the path and file name of the security template that is to be imported into the database before the analysis is performed.
/overwrite     Used to specify that the database should be emptied of its current contents before importing the selected security template.
/log FileName  Used to specify the path and file name of the log file that is to be used during the analysis.
/quiet         Used to specify that the analysis process should occur with no further onscreen feedback.

As an example of how the secedit /analyze command is used, suppose that an administrator wanted to analyze the settings on a computer as compared to those contained in the securews.inf security template. Assuming that they are working from volume E, they would issue the following command (note that the sectest directory is one created especially for this purpose):


secedit /analyze /db e:\sectest\1.sdb /cfg e:\windows\security\templates\securews.inf /log e:\sectest\1.log

Figure 7.14 shows the process in action.

Figure 7.14 Using the secedit /analyze Command

secedit /configure

The /configure switch is used to deploy a security template to the local computer and has the following syntax:

secedit /configure /db FileName /cfg FileName /overwrite /areas Area1 Area2 ... /log FileName /quiet

Table 7.4 details the function of each of the /configure switches.

Table 7.4 The secedit /configure Parameters

Switch         Description
/db FileName   Used to specify the path and file name of the database that is to be used to perform the configuration.
/cfg FileName  Used to specify the path and file name of the security template that is to be imported into the database before the configuration is performed.
/overwrite     Used to specify that the database should be emptied of its current contents before importing the selected security template.
/areas         Used to specify the security areas that are to be applied to the computer during the configuration process. If this parameter is not specified, all security areas are applied to the computer. The available options are:
               GROUP_MGMT   The Restricted Group settings.
               USER_RIGHTS  The User Rights Assignment settings.
               REGKEYS      The Registry permissions settings.
               FILESTORE    The File System permissions settings.
               SERVICES     The System Service settings.
/log FileName  Used to specify the path and file name of the log file that is to be used during the configuration.
/quiet         Used to specify that the configuration process should occur with no further onscreen feedback.

As an example of how the secedit /configure command is used, suppose a network administrator wanted to configure the settings on a computer with those contained in the securews.inf security template. Assuming they are working from volume E, they would issue the following command (note that the sectest directory is one created especially for this purpose):

secedit /configure /db e:\sectest\1.sdb /cfg e:\windows\security\templates\securews.inf /log c:\sectest\1.log

Figure 7.15 shows the process in action.

Figure 7.15 Using the secedit /configure Command
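The secedit /analyze and /configure syntax above, combined with the per-computer logging idea from “Viewing the Results of the secedit.exe Analysis”, as an added Python example (not the book’s or Microsoft’s code). It builds the command lines in the switch order given in the text, checks the /areas names against Table 7.4, names each computer’s log after the computer on a central share (the same job %computername% does in a batch file), and executes secedit.exe only when it is actually present, so the script can be dry-run elsewhere. The share \\fileserver\sectest, the local c:\sectest directory and the presence of a Python interpreter on the administrative machine are assumptions.

```python
import shutil
import subprocess

# Security areas accepted by /areas, as listed in Table 7.4.
SECEDIT_AREAS = ("GROUP_MGMT", "USER_RIGHTS", "REGKEYS", "FILESTORE", "SERVICES")


def secedit_args(action, db, cfg, log, areas=(), overwrite=False, quiet=False):
    """Build the argument list for secedit /analyze or secedit /configure.

    Switch order follows the syntax given in the text:
    /db, /cfg, [/overwrite], [/areas ...], /log, [/quiet]."""
    if action not in ("analyze", "configure"):
        raise ValueError("action must be 'analyze' or 'configure'")
    if areas and action != "configure":
        raise ValueError("/areas applies only to /configure")
    bad = [a for a in areas if a not in SECEDIT_AREAS]
    if bad:
        raise ValueError(f"unknown security area(s): {bad}")
    args = ["secedit", f"/{action}", "/db", db, "/cfg", cfg]
    if overwrite:
        args.append("/overwrite")
    if areas:
        args += ["/areas", *areas]
    args += ["/log", log]
    if quiet:
        args.append("/quiet")
    return args


def secedit_command_line(*a, **kw):
    """The same command as a single cmd.exe line; paths with spaces are quoted."""
    return subprocess.list2cmdline(secedit_args(*a, **kw))


def per_computer_analysis(computer, template, share=r"\\fileserver\sectest",
                          local_dir=r"c:\sectest"):
    """Analysis command for one computer: the database stays on the local
    disk, the log goes to the central share under the computer's own name
    (assumed share and directory names)."""
    return secedit_args("analyze",
                        db=rf"{local_dir}\{computer}.sdb",
                        cfg=template,
                        log=rf"{share}\{computer}.log",
                        quiet=True)


def run_secedit(args):
    """Run secedit.exe if it is on the PATH (i.e. on a Windows machine);
    otherwise return None so the script can be dry-run anywhere."""
    if shutil.which(args[0]) is None:
        return None
    return subprocess.run(args, check=False).returncode


if __name__ == "__main__":
    template = r"e:\windows\security\templates\securews.inf"
    # Constructed computer names; in a real deployment this script would run on
    # each machine (for example from a startup script) and use its own name.
    for name in ("WEB01", "FILE02"):
        cmd = per_computer_analysis(name, template)
        print(subprocess.list2cmdline(cmd), "->", run_secedit(cmd))
```

The returned argument list can be passed straight to subprocess.run, while secedit_command_line() gives the equivalent line for pasting into a batch file; both reproduce the book’s own /analyze example exactly when given its paths.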

NOTE

The rest of the top-level options for the secedit.exe command are beyond the scope of the 70-292 exam and thus are not covered here. See Appendix A for a complete breakdown of the secedit.exe top-level options and their applicable switches.


Configuring Security Templates

The following sections look at using the security settings available in the security templates or the Group Policy security consoles.

Account Policies

Account policies define aspects of security relating primarily to passwords. The Password Policy node contains entries related to password aging and password length. Account Lockout Policy determines how many failed tries a person gets before the account is locked out. Kerberos Policy applies only to domain logons, since local logons do not use Kerberos. Entries include maximum lifetimes for various tickets, such as user tickets and user ticket renewal.

Figure 7.16 shows the Account Policies node expanded.Tables 7.5, 7.6, and 7.7 detail the configurable options available within the Account Policies node.

Figure 7.16 Account Policies

Table 7.5 Account Policies Options - Password Policy Node

Option                                      Description
Enforce password history                    Remembers users’ passwords. Requires that they cannot use the same password again until it has left the password history. Values range from 0 passwords remembered to 24 passwords remembered. The default is 0 passwords remembered.
Maximum password age                        Defines the maximum amount of time that a user can keep a password without having to change it. Values range from “the password never expires” to “the password expires every 999 days.” The default is 42 days.
Minimum password age                        Defines the minimum amount of time that a user must keep a password before being allowed to change it. Values range from “the password can be changed immediately” to “the password can be changed after 998 days.” The default is 0 days.
Minimum password length                     Defines the minimum number of characters required for a user’s password. Values range from no password required to at least 14 characters required. The default is 0 characters.
Passwords must meet complexity requirements Requires that the user’s password have a mix of uppercase, lowercase, and numbers. Value is either enabled or disabled. The default is disabled.
Store password using reversible encryption for all users in the domain   Stores a copy of the user’s password in Active Directory using reversible encryption. This is required for the message digest authentication method to work. Value is either enabled or disabled. The default is disabled.

EXAM WARNING

Password policies can only be set at the domain level. Be attentive to questions that may suggest that they can be set at the Local, Site, or OU levels.

Password Age Policies

While setting a minimum password age is usually a good thing, there is at least one instance where it can actually provide a security breach in an organization.

For example, say that a system administrator configured the minimum password age to be five days (before a user is allowed to change the password). If that password were compromised, the only way the security breach could be rectified would be through administrator intervention by resetting the password for the user from Active Directory Users and Computers.

Likewise, setting the minimum password age to 0 days and also configuring 0 passwords remembered allows users to circumvent the password rotation process by allowing them to use the same password over and over. The key to configuring effective policies, password or any other type, is to first analyze the needs, then test the configuration, and finally to apply it once it has proved in testing that it meets or exceeds the requirements.

Table 7.6 Account Policies Options - Account Lockout Policy Node

Option                               Description
Account lockout duration             Defines the time in minutes that an account will remain locked out. Values range from “account is locked out until administrator unlocks it” to 99,999 minutes (69 days, 10 hours, and 39 minutes). The default is not defined.
Account lockout threshold            Defines how many times a user can enter an incorrect password before the user’s account is locked. Values range from “the account will not lock out” to 999 invalid logon attempts. The default is five attempts.
Reset account lockout counter after  Defines how long to keep track of unsuccessful logons. Values range from one minute to 99,999 minutes. The default is not defined.

Brute Force Hacking

One of the simplest means of gaining access to protected system resources is by “brute force hacking.” Brute force hacking consists simply of trying to guess or crack passwords by trying all possible combinations. Brute force attacks can be performed by users themselves or by the use of specialized software utilities designed for this purpose. Brute force hacking differs from dictionary hacking in that dictionary hacking tries to guess passwords by comparing them to a large list of common words and phrases. By configuring for strong passwords, the network administrator can defeat dictionary hacking—protecting against brute force hacking is nearly impossible.

The only line of defense when it comes to brute force hacking (or even social hacking) comes down to configuring and implementing good auditing policies and also configuring account lockout policies with lockout durations that are appropriate for the sensitivity of the information contained within the network.
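The password and lockout options of Tables 7.5 and 7.6, together with the pitfalls from the Password Age Policies and Brute Force Hacking sidebars, can be checked mechanically before a template is applied. The following is an added example, not the book’s code: it reads the [System Access] section that security template .INF files use for these settings (the key names are the standard ones; the two sample templates are constructed here) and reports the weak combinations the text describes. It goes one step beyond the sidebar by also flagging a template where a password history is configured but the minimum age is 0, since a user can then cycle through the whole history in one sitting and land back on the old password.

```python
import configparser

# Constructed sample templates, not the ones shipped with Windows. The key names
# are the standard ones in the [System Access] section of a security template
# .INF file; real template files are UTF-16 text, so open them with
# encoding="utf-16" before passing the text to policy_findings().
WEAK_TEMPLATE = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""

HARDENED_TEMPLATE = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
"""


def describe_minutes(minutes):
    """Spell out a lockout value the way Table 7.6 does (99,999 minutes is
    69 days, 10 hours, and 39 minutes). A non-positive value is the GUI's
    "until administrator unlocks it" (stored as -1 in the template file)."""
    if minutes <= 0:
        return "until an administrator unlocks it"
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    parts = [f"{n} {unit}" for n, unit in
             ((days, "days"), (hours, "hours"), (mins, "minutes")) if n]
    if len(parts) > 2:
        return ", ".join(parts[:-1]) + ", and " + parts[-1]
    return " and ".join(parts)


def policy_findings(template_text):
    """Return (code, message) pairs describing the password and lockout
    settings and the weak combinations the text warns about."""
    cp = configparser.ConfigParser()
    cp.read_string(template_text)
    sa = cp["System Access"]

    def val(key):
        return int(sa.get(key, "0"))

    min_age, history = val("MinimumPasswordAge"), val("PasswordHistorySize")
    threshold = val("LockoutBadCount")
    out = []
    if history == 0:
        out.append(("REUSE_IMMEDIATE",
                    "0 passwords remembered: the same password can be set again at once"))
    elif min_age == 0:
        out.append(("HISTORY_CYCLABLE",
                    f"minimum age 0 with {history} remembered: a user can make "
                    f"{history + 1} changes in one sitting and return to the old password"))
    else:
        out.append(("ADMIN_RESET_NEEDED",
                    f"minimum age {min_age} day(s): a user cannot replace a compromised "
                    "password before then, so plan for administrator resets"))
    if val("MinimumPasswordLength") == 0:
        out.append(("NO_MIN_LENGTH", "minimum length 0: no password is required"))
    if val("PasswordComplexity") == 0:
        out.append(("NO_COMPLEXITY", "complexity disabled: dictionary words are accepted"))
    if val("ClearTextPassword") == 1:
        out.append(("REVERSIBLE_ENCRYPTION", "passwords stored with reversible encryption"))
    if threshold == 0:
        out.append(("NO_LOCKOUT", "lockout threshold 0: unlimited password guesses"))
    else:
        out.append(("LOCKOUT",
                    f"locked after {threshold} bad attempts for "
                    f"{describe_minutes(val('LockoutDuration'))}; counter resets after "
                    f"{val('ResetLockoutCount')} minute(s)"))
    return out


def codes(template_text):
    """Just the finding codes, for quick comparison against a baseline."""
    return {code for code, _ in policy_findings(template_text)}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(label)
        for code, message in policy_findings(text):
            print(f"  {code:22} {message}")
```

The check runs against the template file, so it can be applied to a template exported from Security Configuration and Analysis before it is deployed; it does not read the live policy of the machine.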


Table 7.7 Account Policies Options - Kerberos Policy Node

Option                                                 Description
Enforce user logon restrictions                        This forces the Key Distribution Center (KDC) to validate every request for a session ticket by examining the user rights policy on the target computer to make sure that the user has the right to either log on locally or access the computer across the network. This additionally checks to see that the requesting account is still valid. These checks are optional and may result in slower network access to services when enabled. The default setting is Enabled.
Maximum lifetime for service ticket                    Defines the maximum amount of time in minutes that a service ticket is valid. Values range from “tickets don’t expire” to 99,999 minutes. The default is 600 minutes (10 hours).
Maximum lifetime for user ticket                       Defines the maximum amount of time in hours that a user ticket is valid. Values range from “tickets don’t expire” to 99,999 hours. The default is 10 hours.
Maximum lifetime for user ticket renewal               Defines the maximum lifetime of a ticket (Ticket Granting Ticket or session ticket). No ticket can be renewed after this lifetime has passed. The default is 7 days.
Maximum tolerance for computer clock synchronization   Specifies the amount of time in minutes that computer clocks can be skewed. Values range from 0 minutes to 99,999 minutes. The default is 5 minutes.

Local Policies

Local policies include the Audit Policy, User Rights Assignment, and Security Options. Some Audit Policy selections include auditing logon events, use of user privileges, system events, and object access. The User Rights Assignment node includes the ability to grant or deny user rights such as the right to add workstations to the domain, change the system time, log on locally, and access the computer from the network.

The most profound improvements to the program are represented in the Security Options node, where an administrator can make changes that could only be made via direct Registry edits in Windows NT 4.0. Examples of such security options include clearing the pagefile when the system shuts down, displaying message text during logon, setting the number of previous logons to keep in cache, and shutting down the system immediately if unable to log security audits.

Figure 7.17 shows the Local Policies node fully expanded. Tables 7.8, 7.9, and 7.10 detail the configurable options available within the Local Policies node. The improvements in local policy management are numerous with the addition of the configurable objects available in the Security Options node.


Figure 7.17 The Local Policies Node

The audit policies outlined in Table 7.8 allow the network administrator to configure auditing to record what is occurring on the network. Auditing is examined in more detail later in this chapter in the "Auditing Security Events" section.

Table 7.8 Local Policies Options - Audit Policy Node

In a new security template none of these settings is defined by default. Each can be set to audit successes, failures, or both.

Audit account logon events: Audits each time an account's credentials are validated against this computer's account database. For domain accounts the event is recorded on the domain controller that validated the logon, which is where failed password-guessing attempts against domain accounts show up.

Audit account management: Audits when a user account or group is created, deleted, or modified, including password resets and group membership changes.

Audit directory service access: Audits access to Active Directory objects that have a system access control list (SACL) defined.

Audit logon events: Audits when a user logs on to or off the local computer and when a user makes a network connection to the machine. The event is recorded on the computer where the session is created.

Audit object access: Audits access to files, folders, printers, and Registry keys. Enabling the policy produces nothing on its own; the objects to be watched must also have auditing entries (SACLs) set on them.

Audit policy change: Audits when security options, user rights assignments, trust relationships, or audit policies are modified.

Audit privilege use: Audits when a user right is exercised. Use of the Backup and Restore privileges is excluded unless the Security Option "Audit: Audit use of Backup and Restore privilege" is also enabled.

Audit process tracking: Audits process creation and exit, handle duplication, and indirect object access.

Audit system events: Audits security-related system events such as startup and shutdown, clearing of the security log, and other events that affect the security subsystem.


The user rights listed in Table 7.9 allow the network administrator to grant groups and users the ability to perform specific actions on the network, or to prevent them from performing those actions. For example, a group of users can be allowed to connect to the Terminal Services servers with the "Allow logon through Terminal Services" user right, or the group responsible for the organization's disaster recovery implementation can be given the "Back up files and directories" and "Restore files and directories" user rights.

Table 7.9 Local Policies Options - User Rights Assignments Node

In a new security template none of these rights is defined by default. Each "Deny" right takes precedence over the matching "Allow" right, which is what makes the Deny rights useful for carving exceptions out of broad groups such as Everyone or Domain Users.

Access this computer from the network: Allows a user or group to connect to the computer over the network (file and print sharing, RPC, and other network logons).

Act as part of the operating system: Allows a process to authenticate as any user and act under that identity without supplying credentials. This is equivalent to full control of the computer and is needed only by a few services.

Add workstations to the domain: Allows a user or group to join computers to the domain. (By default Authenticated Users can join up to ten computers without this right.)

Adjust memory quotas for a process: Allows a user or group to change the maximum memory that a process can consume.

Allow logon locally (called "Log on locally" in Windows 2000): Allows a user or group to log on interactively at the computer's console.

Allow logon through Terminal Services: Allows a user or group to log on through Terminal Services.

Back up files and directories: Allows a user or group to bypass file and directory permissions to back up the system, which also means reading any file on it.

Bypass traverse checking: Allows a user or group to pass through folders to which they have no access while navigating an object path in any Windows file system.

Change the system time: Allows a user or group to set the computer's internal clock. Because Kerberos rejects requests outside the clock-skew tolerance (Table 7.7), misuse of this right can deny logons and falsify the chronology of the audit trail.

Create a pagefile: Allows a user or group to create and change the size of a pagefile.

Create a token object: Allows a process to create an access token for any identity; like "Act as part of the operating system", it should be held only by the local system.

Create global objects: Allows a user to create objects in the global namespace shared by all Terminal Services sessions.

Create permanent shared objects: Allows a process to create a directory object in the object manager.

Debug programs: Allows a user or group to attach a debugger to any process, including system processes, and therefore to read and write their memory, including the memory of the LSA process that holds password hashes and Kerberos keys.

Deny access to this computer from the network: Denies the ability to connect to the computer over the network.

Deny logon as a batch job: Denies the ability to log on through a batch-queue facility such as the Task Scheduler.

Deny logon as a service: Denies the ability to log on as a service.

Deny logon locally: Denies a user or group the ability to log on at the local console.

Deny logon through Terminal Services: Denies a user or group the ability to log on through Terminal Services.

Enable computer and user accounts to be trusted for delegation: Allows a user or group to set the Trusted for Delegation setting on a user or computer object. A delegated account can impersonate clients to other services, so this right should be tightly held.

Force shutdown from a remote system: Allows a user or group to shut down the computer remotely.

Generate security audits: Allows a process to write entries to the security log.

Impersonate a client after authentication: Allows a program running on behalf of a client to impersonate that client after the client has authenticated.

Increase scheduling priority: Allows a process to increase the execution priority of any process to which it has Write Property access.

Load and unload device drivers: Allows a user or group to install and uninstall Plug and Play device drivers. Drivers run in kernel mode, so this right is equivalent to administrative access.

Lock pages in memory: Allows a process to keep data in physical memory rather than letting it be paged to disk.

Log on as a batch job: Allows a user or group to log on through a batch-queue facility such as the Task Scheduler.

Log on as a service: Allows an account to log on as a service.

Manage auditing and security log: Allows a user or group to specify object access auditing (SACLs) and to view and clear the security log.

Modify firmware environment values: Allows modification of the system environment variables stored in nonvolatile RAM.

Perform volume maintenance tasks: Allows a user or group to perform maintenance tasks on a volume, such as defragmentation.

Profile single process: Allows a user or group to use performance-monitoring tools on nonsystem processes.

Profile system performance: Allows a user or group to use performance-monitoring tools on system processes.

Remove computer from docking station: Allows a logged-on user to undock a portable computer through the Windows user interface.

Replace a process level token: Allows a process to replace the default token associated with a subprocess it has started.

Restore files and directories: Allows a user or group to bypass file and directory permissions when restoring backed-up files and directories, and to set any valid principal as the owner of an object; in practice this allows writing any file on the system.

Shut down the system: Allows a user or group to shut down the local computer.

Synchronize directory service data: Allows a process to provide directory synchronization services.

Take ownership of files or other objects: Allows a user or group to take ownership of any securable object. Because an owner can always change an object's permissions, this right amounts to full control over every object on the computer.

The security options, as detailed in Table 7.10, allow the network administrator to configure extra and very granular security settings for their network and its computers. In the vast majority of cases, these options are not defined by default, thus providing the administrator with a baseline security configuration that can be configured either directly or through the use of security templates to further lock down the network as required.

Test Day Tip

While you should not be tested directly on your ability to remember all of these security options, you should at least be familiar with them and their general usage. You should also know where they are located.


Table 7.10 Local Policies Options - Security Options Node

In a new security template these options are not defined unless noted otherwise; the values an unconfigured Windows Server 2003 computer actually uses are built into the operating system and are documented in the Threats and Countermeasures Guide.

Accounts: Administrator account status: Determines whether the local Administrator account is enabled or disabled.

Accounts: Guest account status: Determines whether the local Guest account is enabled or disabled.

Accounts: Limit local use of blank passwords to console logon only: Determines whether local accounts with blank passwords can be used only for interactive logon at the console, or also over the network and through Terminal Services.

Accounts: Rename administrator account: Renames the built-in Administrator account to the name specified here. The account keeps its well-known relative ID of 500, so renaming defeats guesses of the name but not SID-based enumeration.

Accounts: Rename guest account: Renames the built-in Guest account to the name specified here.

Audit: Audit the access of global system objects: Audits access to global system objects such as mutexes, events, semaphores, and DOS devices. It has effect only when Audit object access is enabled.

Audit: Audit use of Backup and Restore privilege: Audits every use of the Backup and Restore privileges when Audit privilege use is enabled. Because backup software exercises the privilege for every file, this generates a very large number of events.

Audit: Shut down system immediately if unable to log security audits: Halts the computer with a STOP error when a security audit cannot be written, typically because the security log is full. After the restart only members of the Administrators group can log on until an administrator clears the security log and re-enables the setting. See the sidebar "To Shutdown or Not To Shutdown..." later in this chapter.

Devices: Allow undock without having to log on: Determines whether a portable computer can be undocked without first logging on.

Devices: Allowed to format and eject removable media: Defines which groups (Administrators; Administrators and Power Users; or Administrators and Interactive Users) are allowed to format and eject removable NTFS media.

Devices: Prevent users from installing printer drivers: Keeps users who are not administrators from installing printer drivers when adding a network printer.

Devices: Restrict CD-ROM access to locally logged-on user only: When a user is logged on interactively, only that user can access the CD-ROM drive; it cannot be reached over the network while in use.

Devices: Restrict floppy access to locally logged-on user only: The same restriction applied to the floppy drive.

Devices: Unsigned driver installation behavior: Controls what happens when installation of an unsigned driver is attempted. Choices are Silently succeed, Warn but allow installation, and Do not allow installation.

Domain controller: Allow server operators to schedule tasks: Gives members of the Server Operators group the right to submit AT jobs, which run as SYSTEM on the domain controller.

Domain controller: LDAP server signing requirements: Determines whether the Lightweight Directory Access Protocol (LDAP) server requires signing to be negotiated with LDAP clients (None or Require signing).

Domain controller: Refuse machine account password changes: Determines whether domain controllers refuse requests from member computers to change their computer account passwords.

Domain member: Digitally encrypt or sign secure channel data (always): Requires that all secure channel (Netlogon) traffic with domain controllers be signed or encrypted; the secure channel cannot be established with a domain controller that cannot do so.

Domain member: Digitally encrypt secure channel data (when possible): Encrypts secure channel data whenever the domain controller supports it.

Domain member: Digitally sign secure channel data (when possible): Signs secure channel data whenever the domain controller supports it.

Domain member: Disable machine account password changes: Determines whether the domain member periodically changes its computer account password.

Domain member: Maximum machine account password age: Determines how often, in days, the domain member changes its computer account password. The operating system default is 30 days.

Domain member: Require strong (Windows 2000 or later) session key: Requires a 128-bit key for secure channel data, which is possible only when every domain controller the member talks to runs Windows 2000 or later.

Interactive logon: Do not display last user name: Does not display the name of the last user to log on in the logon dialog box.

Interactive logon: Do not require CTRL+ALT+DEL: Lets users log on without pressing CTRL+ALT+DEL. The key sequence is the secure attention sequence that guarantees the genuine Winlogon dialog, not a password-capturing look-alike, receives the credentials, so this should stay disabled.

Interactive logon: Message text for users attempting to log on: The text displayed in a window presented to all users before they log on (typically a legal notice).

Interactive logon: Message title for users attempting to log on: The title of that window.

Interactive logon: Number of previous logons to cache (in case domain controller is not available): Determines how many distinct users' domain logon credentials are cached on the computer so that those users can log on when no domain controller is reachable. This is a count of users, not of logons.

Interactive logon: Prompt user to change password before expiration: Specifies how many days before password expiration the user is first warned.

Interactive logon: Require Domain Controller authentication to unlock workstation: Specifies whether a domain controller must be contacted to unlock a domain workstation, rather than accepting cached credentials.

Interactive logon: Require smart card: Specifies that users must use a smart card to log on interactively to this computer.

Interactive logon: Smart card removal behavior: Determines what happens when a smart card is removed from the reader. Choices are No Action, Lock Workstation, and Force Logoff.

Microsoft network client: Digitally sign communications (always): Requires the computer to sign its SMB traffic when acting as a client, whether or not the server supports signing; unsigned sessions are refused.

Microsoft network client: Digitally sign communications (if server agrees): Configures the SMB client to request signing from servers that support it; unsigned sessions are still allowed. The default is Enabled.

Microsoft network client: Send unencrypted password to third-party SMB servers: Allows the SMB redirector to send a plaintext password to non-Microsoft SMB servers that do not support password encryption.

Microsoft network server: Amount of idle time required before suspending session: Defines how many minutes an SMB session may be idle before the server suspends it.

Microsoft network server: Digitally sign communications (always): Configures the SMB server to require that all connecting clients sign their communications; unsigned sessions are refused.

Microsoft network server: Digitally sign communications (if client agrees): Configures the SMB server to sign when the client supports it; unsigned sessions are still allowed.

Microsoft network server: Disconnect clients when logon hours expire: Determines whether SMB sessions of users connected to the local computer are dropped when they pass their account's valid logon hours.

Network access: Allow anonymous SID/Name translation: Determines whether an anonymous user can translate a security identifier (SID) to an account name or vice versa. With this allowed, the renamed Administrator account can be found from its well-known SID.

Network access: Do not allow anonymous enumeration of SAM accounts: Determines whether anonymous connections are refused when they try to list the account names in the local SAM database.

Network access: Do not allow anonymous enumeration of SAM accounts and shares: Extends the same refusal to the enumeration of shares.

Network access: Do not allow storage of credentials or .NET Passports for network authentication: Determines whether Stored User Names and Passwords will save passwords, credentials, or .NET Passports for later use.

Network access: Let Everyone permissions apply to anonymous users: Determines whether the Everyone SID is added to the token of anonymous connections, giving them whatever Everyone has been granted. In Windows Server 2003 anonymous users are not members of Everyone unless this is enabled.

Network access: Named Pipes that can be accessed anonymously: Lists the named pipes that accept anonymous connections.

Network access: Remotely accessible Registry paths: Lists the Registry paths that can be read over the network regardless of the permissions on the winreg key.

Network access: Remotely accessible Registry paths and subpaths: The same, but including all subkeys of the listed paths.

Network access: Restrict anonymous access to Named Pipes and Shares: When enabled, anonymous access to shares and pipes is limited to those listed in "Named Pipes that can be accessed anonymously" and "Shares that can be accessed anonymously".

Network access: Shares that can be accessed anonymously: Lists the network shares that anonymous users may connect to.

Network access: Sharing and security model for local accounts: Determines how network logons using local accounts are authenticated: Classic (local users authenticate as themselves) or Guest only (local users authenticate as Guest).

Network security: Do not store LM hash value on next password change: Determines whether the weak LAN Manager hash of a new password is stored in the account database at the next password change. Enabling it removes the LM hash as users change their passwords; existing LM hashes remain until then.

Network security: Force logoff when logon hours expire: Determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. The default is Disabled.

Network security: LAN Manager authentication level: Determines which challenge/response protocol (LM, NTLM, or NTLMv2) the computer sends for network logons and which it accepts as a server. Level 3 or higher sends only NTLMv2; level 5 also refuses LM and NTLM from clients.

Network security: LDAP client signing requirements: Determines the level of data signing requested on behalf of clients issuing LDAP bind requests (the bind operation authenticates the client to the directory): None, Negotiate signing, or Require signing.

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients: Allows a client to require the negotiation of message confidentiality, message integrity, 128-bit encryption, or NTLMv2 session security.

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers: Allows a server to require the same negotiation from clients.

Recovery console: Allow automatic administrative logon: Logs the Recovery Console in as the local administrator without asking for the password when the computer is booted to the Recovery Console; anyone with physical access then has full control of the disk.

Recovery console: Allow floppy copy and access to all drives and all folders: Enables the Recovery Console SET command, which allows copying files to a floppy and access to all drives and folders rather than only the system directory.

Shutdown: Allow system to be shut down without having to log on: Allows the Shut Down button on the logon dialog box to be used without logging on.

Shutdown: Clear virtual memory pagefile: Overwrites the pagefile at shutdown so that passwords and other secrets paged to disk cannot be recovered by booting another operating system.

System cryptography: Force strong key protection for user keys stored on the computer: Determines whether users are prompted, or must enter a password, each time a private key stored on the computer is used.

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite, and whether EFS uses 3DES.

System objects: Default owner for objects created by members of the Administrators group: Determines whether an object created by a member of Administrators is owned by the Administrators group or by the individual user who created it.

System objects: Require case insensitivity for non-Windows subsystems: Determines whether case insensitivity is enforced for all subsystems, including POSIX, which is case sensitive by default.

System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links): Strengthens the default discretionary access control list on global system objects (DOS device names, mutexes, semaphores) so that non-administrators cannot modify objects they did not create.

System settings: Optional subsystems: Determines which optional subsystems (such as POSIX) are started to support applications.

System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies: Determines whether digital certificates are checked when a user or process attempts to run software with an .exe file name extension and a certificate rule is in effect.
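Every setting in Tables 7.8, 7.9 and 7.10 is stored in a security template as a line in a plain-text .inf file: [Event Audit] for the audit policy, [Privilege Rights] for user rights (as SIDs), and [Registry Values] for the Security Options, each written as the Registry path followed by the value type and data. That makes a template easy to review mechanically, which is the only practical way to compare dozens of servers against a baseline. The Python below is an added example, not the book's or Microsoft's code: the section and key names are secedit's own, but the sample template and the baseline rules are constructed for this example, and a practitioner would replace the rules with the organization's baseline.

```python
"""Added example, not from the book: parse a security template (the .inf
format that Security Configuration and Analysis and "secedit /export"
produce) and check the settings from Tables 7.8, 7.9 and 7.10 against a
baseline. Section and key names are secedit's own; the sample template and
the baseline rules are constructed for this example. A file exported with
secedit is UTF-16, so read it with open(path, encoding="utf-16") before
calling parse_template()."""

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
SRV = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
WELL_KNOWN = {"*S-1-1-0": "Everyone", "*S-1-5-7": "Anonymous Logon",
              "*S-1-5-32-544": "Administrators", "*S-1-5-32-549": "Server Operators"}

# Constructed sample with several weak settings.
SAMPLE_INF = r"""
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 1
AuditAccountLogon = 3
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-32-549
SeTcbPrivilege =
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
[Security Log]
MaximumLogSize = 512
RestrictGuestAccess = 1
"""


def parse_template(text):
    """Return {section: {key: value}}; keys keep their case and backslashes."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def reg_value(tpl, path):
    """[Registry Values] lines are path=type,data; type 4 is REG_DWORD, 1 is REG_SZ."""
    raw = tpl.get("Registry Values", {}).get(path)
    if raw is None:
        return None                      # not defined in this template
    rtype, _, data = raw.partition(",")
    return int(data) if rtype == "4" else data.strip('"')


def holders(tpl, right):
    """SIDs granted a user right: None if the right is not defined, an empty
    set if it is defined with no holders (which revokes it from everyone)."""
    raw = tpl.get("Privilege Rights", {}).get(right)
    if raw is None:
        return None
    return {s.strip() for s in raw.split(",") if s.strip()}


def audits_failures(tpl, key):
    """[Event Audit] values: 1 = success, 2 = failure, 3 = both, 0 = none."""
    return int(tpl.get("Event Audit", {}).get(key, 0)) & 2 != 0


def names(sids):
    return ", ".join(WELL_KNOWN.get(s, s) for s in sorted(sids))


def check_template(text):
    """Return the list of baseline findings; an empty list means compliant."""
    tpl, findings = parse_template(text), []
    if not audits_failures(tpl, "AuditLogonEvents"):
        findings.append("Audit logon events does not record failures")
    net = holders(tpl, "SeNetworkLogonRight") or set()
    if net & {"*S-1-1-0", "*S-1-5-7"}:
        findings.append("Access this computer from the network granted to "
                        + names(net & {"*S-1-1-0", "*S-1-5-7"}))
    dbg = (holders(tpl, "SeDebugPrivilege") or set()) - {"*S-1-5-32-544"}
    if dbg:
        findings.append("Debug programs held outside Administrators: " + names(dbg))
    if holders(tpl, "SeTcbPrivilege"):
        findings.append("Act as part of the operating system is granted")
    lm = reg_value(tpl, LSA + r"\LmCompatibilityLevel")
    if lm is None or lm < 3:
        findings.append("LAN Manager authentication level %s; need 3+ (NTLMv2 only)" % lm)
    if reg_value(tpl, LSA + r"\NoLMHash") != 1:
        findings.append("LM hashes of passwords are still stored")
    if reg_value(tpl, SRV + r"\RequireSecuritySignature") != 1:
        findings.append("SMB server does not require signing")
    size = int(tpl.get("Security Log", {}).get("MaximumLogSize", 0))
    if size < 16384:
        findings.append("Security log maximum size %d KB is below 16384 KB" % size)
    return findings


if __name__ == "__main__":
    for finding in check_template(SAMPLE_INF):
        print("FINDING:", finding)
```

The distinction holders() makes between a right that is absent from the template and one that is present with an empty list matters in practice: the first leaves the computer's current assignment alone, the second strips the right from everyone when the template is applied.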

Hardening Windows Server 2003

There are several additional Security Options that are not defined by default in Group Policy that can be used to perform system hardening. Chapter 10 of the Threats and Countermeasures Guide, available for download from http://go.microsoft.com/fwlink/?LinkId=15160, provides the procedure to modify the Registry (by adding entries to the sceregvl.inf file and re-registering scecli.dll) so that the following Security Options appear in the Security Options node:

MSS: Number of connections to create when additional connections are necessary for Winsock applications
MSS: Enable dynamic backlog for Winsock applications
MSS: Maximum number of "quasi-free" connections for Winsock applications
MSS: Minimum number of free connections for Winsock applications
MSS: Allow automatic detection of dead network gateways
MSS: Allow automatic detection of MTU size
MSS: Allow ICMP redirects to override OSPF generated routes
MSS: Allow IRDP to detect and configure Default Gateway addresses
MSS: Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: Disable autorun for all drives
MSS: Enable the computer to stop generating 8.3 style filenames
MSS: How many dropped connect requests to initiate SYN attack protection
MSS: How many times unacknowledged data is retransmitted
MSS: How often keep-alive packets are sent in milliseconds
MSS: IP source routing protection level
MSS: Percentage threshold for the security event log at which the system will generate a warning
MSS: SYN attack protection level
MSS: SYN-ACK retransmissions when a connection request is not acknowledged
MSS: The time in seconds before the screen saver grace period expires
MSS: Enable Safe DLL search mode

Event Log

The Event Log node allows the administrator to configure settings specifically for the event logs, as shown in Figure 7.18. These settings control how large each log may grow, how long events are retained, and whether guests may read the logs. The administrator can also configure the system to shut down if the security log becomes full, through the Security Option "Audit: Shut down system immediately if unable to log security audits" in Table 7.10. Table 7.11 presents the configurable options available within the Event Log node.

Figure 7.18 Event Log Policies

Table 7.11 Event Log Security Options

Maximum application log size: Controls how large the application log can grow, in KB. Windows 2000 used a built-in default of 512 KB; Windows Server 2003 raises it to 16,384 KB.

Maximum security log size: Controls how large the security log can grow, in KB, with the same defaults. Size this log against the audit policy: with failure auditing of logon events enabled, a password-guessing run fills a small log in minutes.

Maximum system log size: Controls how large the system log can grow, in KB, with the same defaults.

Restrict guest access to application log: Prevents members of the Guests group from reading the application log. The default is Disabled.

Restrict guest access to security log: Prevents members of the Guests group from reading the security log. The default is Disabled.

Restrict guest access to system log: Prevents members of the Guests group from reading the system log. The default is Disabled.

Retain application log: When the retention method is "Overwrite events by days", tells the event log not to overwrite events in the application log that are younger than the number of days defined. The default is 7 days.

Retain security log: The same for the security log. The default is 7 days.

Retain system log: The same for the system log. The default is 7 days.

Retention method for application log: Tells the event log what to do when the application log becomes full. Choices include "Overwrite events by days," "Overwrite events as needed," and "Do not overwrite events (clear log manually)." The default is by days.

Retention method for security log: Tells the event log what to do when the security log becomes full, with the same choices. The default is by days. "Do not overwrite events" is the only choice that stops an attacker from flushing evidence by generating noise, but on the security log it combines with the shutdown option above into a ready-made denial of service.

Retention method for system log: Tells the event log what to do when the system log becomes full, with the same choices. The default is by days.

Restricted Groups

The Restricted Groups node adds membership enforcement to the security configuration options available in Windows Server 2003. A network administrator can define, as part of security policy, which accounts are allowed to be members of a group and which groups that group belongs to. At times, the administrator needs to temporarily add users to groups with a higher classification than the users' typical group membership. This might be the case when an administrator goes on vacation and another member of the team is assigned full administrative rights.


To Shutdown or Not To Shutdown…

If you want to start a heated discussion between a group of experienced network administrators, throw out the following question: "Is it better to shut down a server automatically once its security log is full?" You're likely to get quite a lively discussion after that. Let's examine the two trains of thought; after that you can decide for yourself which solution is better for your network.

The first group might say that yes, you should definitely configure servers to shut down automatically if the security log has filled up. The argument goes like this: "If you implement auditing and pay careful attention to the log files, clearing them out every day as required, you can benefit from having Windows automatically shut down a server when its security log is full. When the log is carefully tended, a full security log usually means either repeated unsuccessful attempts to gain access to the server, or a successful logon followed by privilege use and abuse. Odds are that you have already got enough information about the nature and source of the attack by the time the server shuts down. Why leave it exposed any longer than you need to? Of course, this requires careful pruning and the daily attention of the administrator. Do not configure this setting if you plan on leaving the server to run unattended."

On the other hand, the second group might say that no, you should never configure a server to shut down automatically if the security log is full. The argument is:

"All it takes is one user on your local network to either figure out that you have automatic shutdown configured when the security log is full, or simply to keep trying to log on with an incorrect password. You have, in effect, provided attackers with a convenient Denial of Service (DoS) means to take down your servers. Remember that a DoS is any action that prevents users from being able to use normal network services, whether intentional or not. You could conceivably start forcing servers to shut down in about 15 minutes or so…"

So, which answer is right for you? That is a decision you will have to make after weighing the cost of losing a server from the network against the benefit of protecting it from further attacks. Two facts should inform the decision: the "shutdown" is a STOP error (the server crashes rather than shutting down cleanly), and after the restart only members of the Administrators group can log on until an administrator clears the security log and re-enables the setting, so an unattended server stays down until someone visits it.

However, the "temporary" promotion often ends up being an inadvertently permanent one, and the user remains in the Administrators group. Groups can also become members of other groups when this is not part of the company security plan. By defining Restricted Groups membership rules, an administrator can return group membership to that defined by security policy at every Group Policy refresh. Figure 7.19 shows the Restricted Groups node. Exercise 7.03 walks through configuring restricted groups.


Figure 7.19

The Restricted Groups Node

Exercise 7.03 Configuring Restricted Groups

1. Navigate to the Restricted Groups node of your Security Configuration and Analysis snap-in, or the Restricted Groups node in the Group Policy Editor, Domain Security Policy console, or Local Security Policy console.

2. Right-click Restricted Groups and choose Add Group from the context menu. The Add Groups dialog box opens, as seen in Figure 7.20.

Figure 7.20 The Add Groups Dialog Box

3. You can type the name of the group that you want to restrict, or click Browse to pick the group from a list. In this case, click Browse. The Select Groups dialog box opens, as seen in Figure 7.21.


Figure 7.21 The Select Groups Dialog Box

4. Enter the group name or click the Advanced button to search for all available groups. Clicking the Advanced button expands the Select Groups dialog box, as seen in Figure 7.22. Select the group or groups that you want to restrict and click OK three times.

Figure 7.22 The Expanded Select Groups Dialog Box

5. The group Properties dialog box will appear, as seen in Figure 7.23. Click the top Add button to add users and groups that are allowed to be a member of this group. Click the bottom Add button to add this group to other groups.


Figure 7.23 Adding Users to the Restricted Group

6. After you have added your allowed users, the group Properties dialog box will look similar to that seen in Figure 7.24.

Figure 7.24 The Completed Restricted Group

7. Click OK to close the group Properties dialog box and commit your changes.
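The drift that Restricted Groups policy exists to correct (the "temporary" promotion that never gets undone) can be measured before the policy is applied. The following Windows PowerShell script is an added example and is not part of the book or of any Microsoft tool: it reads the local Administrators group through the WinNT ADSI provider and reports every member that the policy's allowed list would remove, and every allowed member that is missing. The domain name CORP, the ServerOps group and the allowed list itself are constructed for illustration.

```powershell
# Added example, not from the book: detect membership drift in a restricted group.
# Restricted Groups policy makes the "Members" list authoritative at each policy refresh;
# this script shows what that refresh would change on the server it runs on.
# Assumptions (constructed): the domain is CORP and the allowed members are the local
# Administrator account, Domain Admins and a CORP\ServerOps group.

$AllowedMembers = @(
    "$env:COMPUTERNAME\Administrator",
    'CORP\Domain Admins',
    'CORP\ServerOps'
)

function Get-LocalGroupMembers {
    # Returns the members of a local group as DOMAIN\Name strings. The WinNT provider
    # is used because it is available on Windows Server 2003 as well as later versions.
    param([string]$GroupName = 'Administrators')

    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    foreach ($member in @($group.psbase.Invoke('Members'))) {
        # ADsPath looks like WinNT://CORP/Domain Admins or WinNT://SERVER01/Administrator
        $adsPath = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        ($adsPath -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Compare-RestrictedGroup {
    # Compares actual membership with the policy list and reports drift in both directions.
    param(
        [string]$GroupName,
        [string[]]$Allowed
    )
    $actual = @(Get-LocalGroupMembers -GroupName $GroupName)

    # Members the policy would remove at the next refresh (the forgotten promotions).
    $unexpected = @($actual | Where-Object { $Allowed -notcontains $_ })
    # Allowed members the policy would add back.
    $missing = @($Allowed | Where-Object { $actual -notcontains $_ })

    New-Object PSObject -Property @{
        Group      = $GroupName
        Actual     = $actual
        Unexpected = $unexpected
        Missing    = $missing
        Compliant  = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$result = Compare-RestrictedGroup -GroupName 'Administrators' -Allowed $AllowedMembers
$result | Format-List Group, Compliant, Actual, Unexpected, Missing

if (-not $result.Compliant) {
    Write-Warning ("Administrators membership on {0} does not match policy" -f $env:COMPUTERNAME)
}
```

Run the script on each member server before importing the template; the Unexpected list is exactly what the policy will remove, which is worth knowing before a forgotten service account loses its rights in the middle of the day. Comparisons use the default case-insensitive string matching, so CORP\ServerOps and corp\serverops are treated as the same principal.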


System Services

The System Services node allows the network administrator to control security and startup policy on all the services defined in the template. Controlling the startup behavior of system services can save the administrator many headaches over time. Consider the situation of users starting up their own Remote Access Service (RAS) or Dynamic Host Configuration Protocol (DHCP) services haphazardly. This type of situation creates a large security risk for any network.

An administrator can set restrictive networking services startup properties and assign all computers that require certain services to an OU that has the right to start up particular networking services. Figure 7.25 shows some of the content of the Services node. Exercise 7.04 walks through configuring System Services Security.

Figure 7.25 The System Services Node

Exercise 7.04 Configuring System Services Security

1. Navigate to the System Services node of your Security Configuration and Analysis snap-in or the Restricted Groups node in the Group Policy Editor, Domain Security Policy console, or Local Security console.

2. Right-click the service that you want to secure and choose Properties from the context menu. You will see the Security Policy Setting dialog box, as seen in Figure 7.26.


Figure 7.26 The Security Policy Settings Dialog Box

3. In the Security Policy Setting dialog box, check the box next to Define this policy setting. Select to have the service start automatically, require a manual start, or be disabled.

4. Click the Edit Security button to open the Security dialog box, as seen in Figure 7.27. Configure the permissions on the service as you require. Click OK twice to close the service Properties dialog box.

Figure 7.27 Configuring Security for a Service


Registry

Registry keys can also be protected by policy. A network administrator can define a security policy for a Registry key or value in the database and then customize the propagation of the setting using the Key Properties dialog box. Figure 7.28 shows the Registry node. Exercise 7.05 walks through configuring Registry security.

Figure 7.28 The Registry Security Node

Exercise 7.05 Configuring Registry Security

1. Navigate to the Registry node of your Security Configuration and Analysis snap-in or the Restricted Groups node in the Group Policy Editor, Domain Security Policy console, or Local Security console.

2. Right-click Registry and choose Add Key from the context menu. You will see the Select Registry Key dialog box shown in Figure 7.29.

Figure 7.29 The Select Registry Key Dialog Box


3. Navigate to the key that you want to secure. In this example, we are using the MACHINE\SOFTWARE key. Click OK to continue.

4. The Database Security dialog box, seen in Figure 7.30, opens. Use this window to choose the permissions that will be assigned to the secured Registry key. After customizing the permissions, click OK.

Figure 7.30

The Database Security Dialog Box

5. The Add Object dialog box, seen in Figure 7.31, opens. Use this window to tell Windows what to do with the permissions you set in Step 4. The choices are:

Configure this key then propagate inheritable permissions to all subkeys: This will set permissions at the selected key and all keys below it, merging these permissions with whatever permissions are already set at each subkey.

Configure this key then replace existing permissions on all subkeys with inheritable permissions: This will replace the permissions on each subkey with the permissions set at the selected key.

Do not allow permissions on this key to be replaced

6. Choose one of the settings and click OK.


Figure 7.31 Configuring the Key Security Behavior

File System

The File System Security node allows the network administrator to configure NTFS permissions for all local drives. It is common for a number of administrators to get into Windows Explorer and customize the NTFS permissions on files and folders throughout the file system. File and folder security should be part of a well-planned and well-implemented security plan.

This security plan can be implemented by setting File System Policy, as seen in Figure 7.32. The network administrator can then periodically audit the status of the file system to look for inconsistencies between the plan and the actual state of NTFS permissions in the local environment. Exercise 7.06 walks through the process of using file system security.

Figure 7.32 The File System Node


E