MCSE 70-293 Planning and Maintaining a Windows Server 2003
255_70-293_FM.qxd
9/10/03
2:40 PM
Page i
Syngress knows what passing the exam means to
you and to your career. And we know that you
are often financing your own training and
certification; therefore, you need a system that is
comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality
instructor-led training, and Web-based exam simulation, the
Syngress Study Guide & DVD Training System guarantees 100% coverage of exam
objectives.
The Syngress Study Guide & DVD Training System includes:
■ Study Guide with 100% coverage of exam objectives  By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.
■ Instructor-led DVD  This DVD provides almost two hours of virtual classroom instruction.
■ Web-based practice exams  Just visit us at www.syngress.com/certification to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And
be sure to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/certification
Planning and Maintaining a Windows Server
2003 Network Infrastructure: Exam 70-293
Martin Grasdal
Laura E. Hunter
Michael Cross
Laura Hunter Technical Reviewer
Debra Littlejohn Shinder Technical Editor
Dr. Thomas W. Shinder Technical Editor
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or
production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results
to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work
is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state
to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or
other incidental or consequential damages arising out from the Work or its contents. Because some
states do not allow the exclusion or limitation of liability for consequential or incidental damages, the
above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when
working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author
UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission
Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress
Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of
their respective companies.
KEY    SERIAL NUMBER
001    TH33SLUGGY
002    Q2T4J9T7VA
003    82LPD8R7FF
004    Z6TDAA3HVY
005    P33JEET8MS
006    3SHX6SN$RK
007    CH3W7E42AK
008    9EU6V4DER7
009    SUPACM4NFH
010    5BVF3MEV2Z
PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Planning and Maintaining a Windows Server 2003 Network Infrastructure: Exam 70-293
Study Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-93-0
Technical Editors: Debra Littlejohn Shinder and Dr. Thomas W. Shinder
Technical Reviewer: Laura E. Hunter
Copy Editors: Michelle Melani and Marilyn Smith
Acquisitions Editor: Jonathan Babcock
Indexer: Nara Wood
Cover Designer: Michael Kavish
Page Layout and Art by: John Vickers
DVD Production: Michael Donovan
DVD Presenter: Laura Hunter
Acknowledgments
We would like to acknowledge the following people for their kindness and support in
making this book possible.
Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com
for sharing his considerable knowledge of Microsoft networking and certification.
Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent
Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty
Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug
Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing
their incredible marketing experience and expertise.
The incredibly hard working team at Elsevier Science, including Jonathan Bunkell,
AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert
Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision
remains worldwide in scope.
David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey
Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive
our books.
Kwon Sung June at Acorn Publishing for his support.
Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow,
Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help
and enthusiasm representing our product in Canada.
Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar
Book Group for their help with distribution of Syngress books in Canada.
David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of
Woodslane for distributing our books throughout Australia, New Zealand, Papua New
Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands.
Winston Lim of Global Publishing for his help and support with distribution of Syngress
books in the Philippines.
A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE
2003 guides. Thank you both for all your work.
Another special thanks to Daniel Bendell from Assurance Technology Management for his
24x7 care and feeding of the Syngress network. Dan manages our book network in a highly
professional manner and under severe time constraints, but still keeps a good sense of humor.
Contributors
Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an
independent consultant with over 10 years experience in the computer
industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His
training and networking experience covers a number of products, including
NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003,
Exchange Server, IIS, and ISA Server. As a manager, he served as Director of
Web Sites and CTO for BrainBuzz.com, where he was also responsible for all
study guide and technical content on the CramSession.com Web site. Martin
currently works actively as a consultant, author, and editor. His recent consulting experience includes contract work for Microsoft as a Technical
Contributor to the MCP Program on projects related to server technologies.
Martin lives in Edmonton, Alberta, Canada with his wife Cathy and their
two sons. Martin’s past authoring and editing work with Syngress has
included the following titles: Configuring and Troubleshooting Windows XP
Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building
Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder’s ISA
Server & Beyond: Real World Security Solutions for Microsoft Enterprise Networks
(ISBN: 1-931836-66-3).
Van Varnell (Master CNE, MCSE, MCDBA) is a Senior Network Analyst
for Appleton, Inc. His areas of expertise are development and maintenance of
high-availability systems, storage area networks and storage platforms, performance monitoring systems, and data center operations. Van has held high-level positions in the industry over the 15 years of his career including that of
Windows Systems Architect for Motorola and Senior Consultant for
Integrated Information Systems. Van holds a bachelor’s degree in Computer
Information Systems and currently resides in Wisconsin with his wife Lisa
and five children (Brennan, Kyle, Katelyn, Kelsey, and Kevin). He wishes to
thank his wife and kids for being his wife and kids, and Jon Babcock of
Syngress for his patience and assistance.
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist
/Computer Forensic Analyst with the Niagara Regional Police Service. He
performs computer forensic examinations on computers involved in criminal
investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web
site at www.nrps.com and Intranet, he has also provided support in the areas
of programming, hardware, and network administration. As part of an
Information Technology team that provides support to a user base of over
800 civilian and uniform users, his theory is that when the users carry guns,
you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides
computer-related services like Web page design, and Bookworms
(www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and has
been published over three dozen times in numerous books and anthologies.
He currently resides in St. Catharines, Ontario Canada with his lovely wife
Jennifer and his darling daughter Sara.
Paul M. Summitt (MCSE, CCNA, MCP+I, MCP) has a Masters degree in
Mass Communication. Currently the IT Director for the Missouri County
Employees’ Retirement Fund, Paul has served as network, exchange, and
database administrator as well as Web and application developer. Paul has
written previously on virtual reality and Web development and has served as
technical editor for several books on Microsoft technologies. Paul lives in
Columbia, Missouri with his life and writing partner Mary. To the Syngress
editorial staff, my thanks for letting me be a part of this project. To my kids,
adulthood is just the beginning of all the fun you can have.
Rob Amini (MCSE, MCDBA, MCT) is currently a systems manager for
Marriott International in Salt Lake City, Utah. He has a Bachelor’s degree in
computer science and has been breaking and fixing machines since the Atari
800 was considered state of the art. In 1993 he began his professional career
by fixing IBM mainframes and various unix-flavored boxes. After a long stint
as a technician and systems admin, he gained fabled notoriety as a
pun-wielding Microsoft trainer. Rob has continued as an instructor for more
than three years and although teaching is his first love, he tends to enjoy
technical writing more than a well-adjusted person should. When actually
not working with and programming a variety of electronic gizmos, Rob
enjoys spending every minute he can with his beautiful wife Amy and the
rest of his supportive family.
Dan Douglass (MCSE+I, MCDBA, MCSD, MCT) is a software developer
and trainer with a cutting edge medical software company in Dallas, Texas.
He currently provides software development skills, internal training and integration solutions, as well as peer guidance for technical skills development.
His specialties include enterprise application integration and design, HL7,
XML, XSL,Visual Basic, database design and administration, Back Office and
.NET Server platforms, network design, Microsoft operating systems, and
FreeBSD. Dan is a former US Navy Submariner and lives in Plano, TX with
his very supportive and understanding wife, Tavish.
Jada Brock-Soldavini is a MCSE and holds a degree in Computer
Information Systems. She has worked in the Information Technology
Industry for over 7 years. She is working on her Cisco certification track
currently and has contributed to over a dozen books and testing software for
the Microsoft exam curriculum. She works for the State of Georgia as a
Network Services Administrator. When she is not working on her technical
skills she enjoys playing the violin. Jada is married and lives in the suburbs of
Atlanta with her husband and children.
Michael Moncur is an MCSE and CNE. He is the author of several best-selling books about networking and the Internet, including MCSE In a
Nutshell: The Windows 2000 Exams (O’Reilly and Associates). Michael lives in
Salt Lake City with his wife, Laura.
Technical Reviewer, DVD Presenter,
and Contributor
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA,
A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the
University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools
within the University. Her specialties include Microsoft Windows NT and
2000 design and implementation, troubleshooting and security topics. As an
“MCSE Early Achiever” on Windows 2000, Laura was one of the first in the
country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the
Director of Computer Services for the Salvation Army and as the LAN
administrator for a medical supply firm. She also operates as an independent
consultant for small businesses in the Philadelphia metropolitan area and is a
regular contributor to the TechTarget family of websites.
Laura has previously contributed to Syngress Publishing’s Configuring
Symantec Antivirus, Corporate Edition (ISBN 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003
MCSE/MCSA DVD Guide and Training System series as a DVD presenter,
contributing author, and technical reviewer.
Laura holds a bachelor’s degree from the University of Pennsylvania and
is a member of the Network of Women in Computer Technology, the
Information Systems Security Association, and InfraGard, a cooperative
undertaking between the U.S. Government and other participants dedicated
to increasing the security of United States critical infrastructures.
Technical Editors
Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and
writer who has authored a number of books on networking, including Scene
of the Cybercrime: Computer Forensics Handbook published by Syngress
Publishing (ISBN: 1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband Dr. Thomas
Shinder, of Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3),
the best-selling Configuring ISA Server 2000 (ISBN: 1-928994-29-6), and ISA
Server and Beyond (ISBN: 1-931836-66-3). Deb is also a technical editor and
contributor to books on subjects such as the Windows 2000 MCSE exams,
the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits
the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP News and
is regularly published in TechRepublic’s TechProGuild and
Windowsecurity.com. Deb specializes in security issues and Microsoft products. She lives and works in the Dallas-Fort Worth area and can be contacted
at [email protected] or via the website at www.shinder.net.
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran
who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container
Corporation. Tom was a Series Editor of the Syngress/Osborne Series of
Windows 2000 Certification Study Guides and is author of the best selling
books Configuring ISA Server 2000: Building Firewalls with Windows 2000
(Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom Shinder’s ISA Server
and Beyond (ISBN: 1-931836-66-3). Tom is the editor of the Brainbuzz.com
Win2k News newsletter and is a regular contributor to TechProGuild. He is
also content editor, contributor, and moderator for the World’s leading site on
ISA Server 2000, www.isaserver.org. Microsoft recognized Tom’s leadership
in the ISA Server community and awarded him their Most Valuable
Professional (MVP) award in December of 2001.
Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP,
CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM)
has been working with computers and computer networks for over 15 years.
Jeffery spends most of his time managing several companies that he owns and
consulting for large multinational media companies. He also enjoys working
as a technical instructor and training others in the use of technology.
MCSE 70-293 Exam Objectives Map and
Table of Contents
All of Microsoft’s published objectives for the MCSE 70-293 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the Chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-293 Exam objectives.
Exam Objective Map
(Objective number, objective, and the chapter in which it is covered)

1        Planning and Implementing Server Roles and Server Security (Chapter 2)
1.1      Configure security for servers that are assigned specific roles. (Chapter 2)
1.2      Plan a secure baseline installation. (Chapter 2)
1.2.1    Plan a strategy to enforce system default security settings on new systems. (Chapter 2)
1.2.2    Identify client operating system default security settings. (Chapter 2)
1.2.3    Identify all server operating system default security settings. (Chapter 2)
1.3      Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers. (Chapter 2)
1.3.1    Deploy the security configuration for servers that are assigned specific roles. (Chapter 2)
1.3.2    Create custom security templates based on server roles. (Chapter 2)
1.4      Evaluate and select the operating system to install on computers in an enterprise. (Chapter 2)
1.4.1    Identify the minimum configuration to satisfy security requirements. (Chapter 2)
2        Planning, Implementing, and Maintaining a Network Infrastructure (Chapters 3, 4, 5)
2.1      Plan a TCP/IP network infrastructure strategy. (Chapter 3)
2.1.1    Analyze IP addressing requirements. (Chapter 3)
2.1.2    Plan an IP routing solution. (Chapters 3, 4)
2.1.3    Create an IP subnet scheme. (Chapter 3)
2.2      Plan and modify a network topology. (Chapter 3)
2.2.1    Plan the physical placement of network resources. (Chapter 3)
2.2.2    Identify network protocols to be used. (Chapter 3)
2.3      Plan an Internet connectivity strategy. (Chapter 5)
2.4      Plan network traffic monitoring. Tools might include Network Monitor and System Monitor. (Chapter 3)
2.5      Troubleshoot connectivity to the Internet. (Chapter 5)
2.5.1    Diagnose and resolve issues related to Network Address Translation (NAT). (Chapter 5)
2.5.2    Diagnose and resolve issues related to name resolution cache information. (Chapter 6)
2.5.3    Diagnose and resolve issues related to client configuration. (Chapter 4)
2.6      Troubleshoot TCP/IP addressing. (Chapter 3)
2.6.1    Diagnose and resolve issues related to client computer configuration. (Chapter 3)
2.6.2    Diagnose and resolve issues related to DHCP server address assignment. (Chapter 3)
2.7      Plan a host name resolution strategy. (Chapter 6)
2.7.1    Plan a DNS namespace design. (Chapter 6)
2.7.2    Plan zone replication requirements. (Chapter 6)
2.7.3    Plan a forwarding configuration. (Chapter 6)
2.7.4    Plan for DNS security. (Chapter 6)
2.7.5    Examine the interoperability of DNS with third-party DNS solutions. (Chapter 6)
2.8      Plan a NetBIOS name resolution strategy. (Chapter 6)
2.8.1    Plan a WINS replication strategy. (Chapter 6)
2.8.2    Plan NetBIOS name resolution by using the Lmhosts file. (Chapter 6)
2.9      Troubleshoot host name resolution. (Chapter 6)
2.9.1    Diagnose and resolve issues related to DNS services. (Chapter 6)
2.9.2    Diagnose and resolve issues related to client computer configuration. (Chapter 6)
3        Planning, Implementing, and Maintaining Routing and Remote Access (Chapters 4, 7)
3.1      Plan a routing strategy. (Chapter 4)
3.1.1    Identify routing protocols to use in a specified environment. (Chapter 4)
3.1.2    Plan routing for IP multicast traffic. (Chapter 4)
3.2      Plan security for remote access users. (Chapter 7)
3.2.1    Plan remote access policies. (Chapter 7)
3.2.2    Analyze protocol security requirements. (Chapter 7)
3.2.3    Plan authentication methods for remote access clients. (Chapter 7)
3.3      Implement secure access between private networks. (Chapter 7)
3.3.1    Create and implement an IPSec policy. (Chapter 10)
3.4      Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor. (Chapter 4)
4        Planning, Implementing, and Maintaining Server Availability (Chapter 8)
4.1      Plan services for high availability. (Chapter 8)
4.1.1    Plan a high availability solution that uses clustering services. (Chapter 9)
4.1.2    Plan a high availability solution that uses Network Load Balancing. (Chapter 9)
4.2      Identify system bottlenecks, including memory, processor, disk, and network related bottlenecks. (Chapter 8)
4.2.1    Identify system bottlenecks by using System Monitor. (Chapter 8)
4.3      Implement a cluster server. (Chapter 9)
4.3.1    Recover from cluster node failure. (Chapter 9)
4.4      Manage Network Load Balancing. Tools might include the Network Load Balancing Monitor Microsoft Management Console (MMC) snap-in and the WLBS cluster control utility. (Chapter 9)
4.5      Plan a backup and recovery strategy. (Chapter 8)
4.5.1    Identify appropriate backup types. Methods include full, incremental, and differential. (Chapter 8)
4.5.2    Plan a backup strategy that uses volume shadow copy. (Chapter 8)
4.5.3    Plan system recovery that uses Automated System Recovery (ASR). (Chapter 8)
5        Planning and Maintaining Network Security (Chapters 10, 11)
5.1      Configure network protocol security. (Chapter 10)
5.1.1    Configure protocol security in a heterogeneous client computer environment. (Chapter 10)
5.1.2    Configure protocol security by using IPSec policies. (Chapter 10)
5.2      Configure security for data transmission. (Chapter 10)
5.2.1    Configure IPSec policy settings. (Chapter 10)
5.3      Plan for network protocol security. (Chapter 10)
5.3.1    Specify the required ports and protocols for specified services. (Chapter 4)
5.3.2    Plan an IPSec policy for secure network communications. (Chapter 10)
5.4      Plan secure network administration methods. (Chapter 11)
5.4.1    Create a plan to offer Remote Assistance to client computers. (Chapter 7)
5.4.2    Plan for remote administration by using Terminal Services. (Chapter 7)
5.5      Plan security for wireless networks. (Chapter 11)
5.6      Plan security for data transmission. (Chapter 10)
5.6.1    Secure data transmission between client computers to meet security requirements. (Chapter 10)
5.6.2    Secure data transmission by using IPSec. (Chapter 10)
5.7      Troubleshoot security for data transmission. Tools might include the IP Security Monitor MMC snap-in and the Resultant Set of Policy (RSoP) MMC snap-in. (Chapter 10)
6        Planning, Implementing, and Maintaining Security Infrastructure (Chapters 11, 12)
6.1      Configure Active Directory directory service for certificate publication. (Chapter 12)
6.2      Plan a public key infrastructure (PKI) that uses Certificate Services. (Chapter 12)
6.2.1    Identify the appropriate type of certificate authority to support certificate issuance requirements. (Chapter 12)
6.2.2    Plan the enrollment and distribution of certificates. (Chapter 12)
6.2.3    Plan for the use of smart cards for authentication. (Chapter 12)
6.3      Plan a framework for planning and implementing security. (Chapter 11)
6.3.1    Plan for security monitoring. (Chapter 11)
6.3.2    Plan a change and configuration management framework for security. (Chapter 11)
6.4      Plan a security update infrastructure. Tools might include Microsoft Baseline Security Analyzer and Microsoft Software Update Services. (Chapter 11)
Contents
Foreword
xxxvii
Chapter 1 Using Windows Server 2003 Planning Tools and Documentation …………1
Introduction …………………………………………………………2
Overview of Network Infrastructure Planning ………………………2
Planning Strategies ………………………………………………3
Using Planning Tools ……………………………………………3
Fundamentals of Network Design ………………………………9
Analyzing Organizational Needs ……………………………………11
Information Flow Factors ………………………………………11
Management Model and Organizational Structure ………………12
Centralization versus Decentralization …………………………13
Management Priorities …………………………………………14
Availability/Fault Tolerance …………………………………15
Security ………………………………………………………15
Scalability ……………………………………………………16
Performance …………………………………………………16
Cost …………………………………………………………16
User Priorities ……………………………………………………17
Electronic Communications …………………………………17
Scheduling/Task Management ………………………………18
Project Collaboration …………………………………………19
Data Storage and Retrieval …………………………………21
Internet Research ……………………………………………23
Application Services …………………………………………23
Print Services …………………………………………………24
Graphics/Audio/Video Services ……………………………26
Reviewing Legal and Regulatory Considerations ………………26
Calculating TCO …………………………………………………27
Planning for Growth ……………………………………………28
Developing a Test Network Environment ……………………………29
Planning the Test Network ………………………………………30
Implementing the Test Network …………………………………34
Documenting the Planning and Network Design Process …………36
Importance of Documentation …………………………………37
Creating the Planning and Design Document …………………37
Summary of Exam Objectives ………………………………………39
Exam Objectives Fast Track …………………………………………40
Exam Objectives Frequently Asked Questions ………………………41
Self Test ………………………………………………………………43
Self Test Quick Answer Key …………………………………………51
Chapter 2 Planning Server Roles and Server Security …………53
Introduction …………………………………………………………54
1.1.1 Understanding Server Roles …………………………………………54
Domain Controllers (Authentication Servers) …………………58
Active Directory ……………………………………………58
Operations Master Roles ……………………………………59
File and Print Servers ……………………………………………62
Print Servers …………………………………………………62
File Servers ……………………………………………………62
DHCP, DNS, and WINS Servers ………………………………63
DHCP Servers ………………………………………………63
DNS Servers …………………………………………………64
WINS Servers ………………………………………………65
Web Servers ……………………………………………………65
Web Server Protocols …………………………………………66
Web Server Configuration ……………………………………67
Database Servers …………………………………………………68
Mail Servers ……………………………………………………68
Certificate Authorities ……………………………………………69
PKI ……………………………………………………………69
Certificates ……………………………………………………70
Certificate Services …………………………………………71
Application Servers and Terminal Servers ………………………75
Application Servers …………………………………………75
Terminal Servers ……………………………………………78
1.1 Planning a Server Security Strategy …………………………………78
1.4 Choosing the Operating System …………………………………79
Security Features ……………………………………………81
Functional Levels ……………………………………………83
1.4.1 Identifying Minimum Security Requirements for Your Organization …………………91
Identifying Configurations to Satisfy Security Requirements ………………………93
1/1.2 Planning Baseline Security …………………………………………94
Security Templates and Tools ……………………………………94
Predefined Templates …………………………………………95
Security Configuration and Analysis …………………………98
Group Policy Object Editor …………………………………99
Secedit ………………………………………………………100
Planning Secure Baseline Installation Parameters ………………103
Using Security Configuration and Analysis to Analyze a Computer …………………103
1.2.1/1.2.2 Enforcing Default Security Settings on New Computers ……109
1.2.3 Using Security Configuration and Analysis to Apply Templates to a Local Computer ……………………109
Using Group Policy Object Editor to Apply Templates ……109
1 Customizing Server Security ………………………………………113
1.3/1.3.1 Securing Servers According to Server Roles …………………113
Security Issues Related to All Server Roles …………………113
Securing Domain Controllers ………………………………121
Securing File and Print Servers ……………………………122
Securing DHCP, DNS, and WINS Servers …………………125
Securing Web Servers ………………………………………126
Securing Database Servers …………………………………127
Securing Mail Servers ………………………………………128
Securing CAs ………………………………………………129
Securing Application and Terminal Servers …………………130
1.3.2 Creating Custom Security Templates …………………………131
Deploying Security Configurations ……………………………134
Summary of Exam Objectives ………………………………………137
Exam Objectives Fast Track …………………………………………137
Exam Objectives Frequently Asked Questions ……………………139
Self Test ……………………………………………………………140
Self Test Quick Answer Key ………………………………………146
Chapter 3 Planning, Implementing, and Maintaining the TCP/IP Infrastructure …………147
2/2.1/2.1.2 Introduction ………………………………………………………148
Understanding Windows 2003 Server Network Protocols …………148
2.2.2 Identifying Protocols to Be Used …………………………149
Advantages of the TCP/IP Protocol Suite …………………151
The Multiprotocol Network Environment …………………153
Reviewing TCP/IP Basics ……………………………………160
What’s New in TCP/IP for Windows Server 2003 ……………164
IGMPv3 ……………………………………………………165
IPv6 …………………………………………………………165
Alternate Configuration ……………………………………166
Automatic Determination of Interface Metric ……………167
2/2.1/2.1.2 Planning an IP Addressing Strategy …………………………………171
2.1.1 Analyzing Addressing Requirements ……………………………171
2.1.3 Creating a Subnetting Scheme …………………………………173
Classful Addressing …………………………………………173
Understanding ANDing and Binary Numbering …………175
Subnetting Networks ………………………………………177
Classless Inter-Domain Routing (CIDR) …………………180
2.6 Troubleshooting IP Addressing …………………………………181
2.6.1 Client Configuration Issues …………………………………181
2.6.2 DHCP Issues ………………………………………………182
Transitioning to IPv6 …………………………………………183
IPv6 Utilities ………………………………………………184
6to4 Tunneling ………………………………………………192
IPv6 Helper Service …………………………………………192
The 6bone …………………………………………………193
Teredo (IPv6 with NAT) ……………………………………193
2/2.1/2.1.2/2.2 Planning the Network Topology ……………………………………193
Analyzing Hardware Requirements ……………………………193
2.2.1 Planning the Placement of Physical Resources …………………194
2/2.1/2.1.1/2.4 Planning Network Traffic Management ……………………………194
Monitoring Network Traffic and Network Devices ……………195
Using Network Monitor ……………………………………195
Using System Monitor ………………………………………196
Determining Bandwidth Requirements ………………………198
Optimizing Network Performance ……………………………198
Summary of Exam Objectives ………………………………………200
Exam Objectives Fast Track …………………………………………200
Exam Objectives Frequently Asked Questions ……………………202
Self Test ……………………………………………………………204
Self Test Quick Answer Key ………………………………………209
Chapter 4 Planning, Implementing, and Maintaining a Routing Strategy …………211
Introduction ………………………………………………………212
2/2.1.2/3 Understanding IP Routing …………………………………………212
Reviewing Routing Basics ……………………………………213
Routing Tables ………………………………………………216
Static versus Dynamic Routing ……………………………220
Gateways ……………………………………………………222
3.1.2 Planning a Routing Strategy for IP Multicast Traffic ………223
Routing Protocols …………………………………………225
Using Netsh Commands ……………………………………233
Evaluating Routing Options ……………………………………236
Selecting Connectivity Devices ……………………………236
Switches ……………………………………………………242
Routers ……………………………………………………245
Windows Server 2003 As a Router ……………………………245
2/2.1.2/3/ Security Considerations for Routing ………………………………257
3.1/5.3.1
Analyzing Requirements for Routing Components …………259
Simplifying Network Topology to Provide Fewer Attack Points ………………259
Minimizing the Number of Network Interfaces and Routes ……………………260
Minimizing the Number of Routing Protocols ……………260
Router-to-Router VPNs ………………………………………263
Packet Filtering and Firewalls …………………………………268
Logging Level …………………………………………………269
2/2.1.2/3
3.4
Troubleshooting IP Routing ………………………………………270
Identifying Troubleshooting Tools ………………………………271
Common Routing Problems …………………………………274
Interface Configuration Problems …………………………274
RRAS Configuration Problems ……………………………274
Routing Protocol Problems …………………………………275
2.5.3
TCP/IP Configuration Problems …………………………276
Routing Table Configuration Problems ……………………276
Summary of Exam Objectives ………………………………………277
Exam Objectives Fast Track …………………………………………277
Exam Objectives Frequently Asked Questions ……………………279
Self Test ……………………………………………………………280
Self Test Quick Answer Key ………………………………………285
Chapter 5 Planning, Implementing, and Maintaining an Internet Connectivity Strategy ……………287
Introduction ………………………………………………………288
2/2.3/2.5 Connecting the LAN to the Internet ………………………………289
Routed Connections ……………………………………………289
Advantages of Routed Connections ………………………289
Hardware and Software Routers ……………………………289
IP Addressing for Routed Connections ……………………290
Translated Connections …………………………………………290
2.5
Network Address Translation (NAT) ………………………291
Internet Connection Sharing (ICS) …………………………297
2/2.3 Implementing Virtual Private Networks (VPNs) …………………300
Internet-based VPNs ……………………………………………301
How Internet-based VPNs Work …………………………301
Configuring Internet-based VPNs …………………………302
Router-to-Router VPNs ………………………………………303
On Demand/Demand-Dial Connections …………………304
One-Way versus Two-Way Initiation ………………………306
Persistent Connections ………………………………………306
Remote-Access Policies ……………………………………306
VPN Protocols …………………………………………………306
PPTP ………………………………………………………307
L2TP ………………………………………………………307
VPN Security …………………………………………………307
MPPE ………………………………………………………307
IPSec ………………………………………………………307
2/2.3 Using Internet Authentication Service (IAS) ………………………308
Advantages of IAS ………………………………………………308
Centralized User Authentication and Authorization ………308
Centralized Auditing and Accounting ………………………309
RRAS Integration …………………………………………309
Control via Remote-Access Policies ………………………309
Extensibility and Scalability …………………………………309
IAS Management ………………………………………………309
Activating IAS Authentication ………………………………310
Using the IAS MMC Snap-in ………………………………312
IAS Monitoring ……………………………………………313
IAS SDK ……………………………………………………313
Authentication Methods ………………………………………314
PPP-based Protocols ………………………………………314
EAP …………………………………………………………314
Authorization Methods …………………………………………317
Dialed Number Identification Service (DNIS) ……………317
Automatic Number Identification (ANI) and Calling Line Identification (CLI) …………317
Guest Authorization …………………………………………317
Access Server Support …………………………………………318
Outsourced Dialing ……………………………………………318
2/2.3 Using Connection Manager ………………………………………318
Using CMAK …………………………………………………319
Installing and Running CMAK ……………………………319
Service Profiles ………………………………………………323
Custom Actions ……………………………………………323
Custom Help ………………………………………………324
VPN Support ………………………………………………324
Connection Manager Security Issues …………………………324
Preventing Editing of Service Profile Files …………………324
Client Operating System, File System, and Configuration …324
Preventing Users from Saving Passwords ……………………325
Secure Distribution of Service Profiles ……………………325
Summary of Exam Objectives ………………………………………326
Exam Objectives Fast Track …………………………………………326
Exam Objectives Frequently Asked Questions ……………………328
Self Test ……………………………………………………………330
Self Test Quick Answer Key ………………………………………334
Chapter 6 Planning, Implementing, and Maintaining a Name Resolution Strategy ……………335
Introduction ………………………………………………………336
2.7
Planning for Host Name Resolution ………………………………337
Understanding Host Naming …………………………………337
NetBIOS over TCP/IP ……………………………………338
Host Names …………………………………………………338
Understanding the Hosts File ………………………………339
Understanding DNS ………………………………………341
2.7.1
Designing a DNS Namespace …………………………………357
Choosing the Parent Domain Name ………………………358
Host Naming Conventions and Limitations ………………359
DNS and Active Directory (AD) ……………………………361
Supporting Multiple Namespaces …………………………363
Planning DNS Server Deployment ……………………………369
Planning the Number of DNS Servers ……………………369
Planning for DNS Server Capacity …………………………371
Planning DNS Server Placement ……………………………372
Planning DNS Server Roles ………………………………373
2.7.2
Planning for Zone Replication …………………………………377
Active Directory-integrated Zone Replication Scope ………379
Security for Zone Replication ………………………………382
General Guidelines for Planning for Zone Replication ……382
2.7.3
Planning for Forwarding ………………………………………383
Conditional Forwarding ……………………………………384
General Guidelines for Using Forwarders …………………386
DNS/DHCP Interaction ………………………………………387
Security Considerations for DDNS and DHCP ……………389
Aging and Scavenging of DNS Records ……………………391
2.7.5
Windows Server 2003 DNS Interoperability …………………392
BIND and Other DNS Server Implementations ……………393
Zone Transfers with BIND …………………………………395
Supporting AD with BIND …………………………………397
Split DNS Configuration ……………………………………398
Interoperability with WINS …………………………………399
2.7.4
DNS Security Issues ……………………………………………404
Common DNS Threats ……………………………………406
Securing DNS Deployment …………………………………407
DNS Security Levels ………………………………………408
General DNS Security Guidelines …………………………410
Monitoring DNS Servers ………………………………………412
Testing DNS Server Configuration with the DNS Console Monitoring Tab …………413
Debug Logging ……………………………………………414
Event Logging ………………………………………………415
Monitoring DNS Server Using the Performance Console …415
Command-line Tools for Maintaining and Monitoring DNS Servers …………416
2.8
Planning for NetBIOS Name Resolution …………………………417
Understanding NETBIOS Naming ……………………………418
NetBIOS Name Resolution Process ………………………418
2.8.2
Understanding the LMHOSTS File ………………………420
Understanding WINS ………………………………………421
What’s New for WINS in Windows Server 2003 …………424
Planning WINS Server Deployment ……………………………424
Server Number and Placement ……………………………424
2.8.1
Planning for WINS Replication ………………………………427
Replication Partnership Configuration ……………………428
Replication Models …………………………………………434
WINS Issues ……………………………………………………437
Static WINS Entries ………………………………………438
Multihomed WINS Servers …………………………………439
Client Configuration ………………………………………440
Preventing Split WINS Registrations ………………………444
Performance Issues …………………………………………444
Security Issues ………………………………………………449
Planning for WINS Database Backup and Restoration ……451
2.5.2 Troubleshooting Name Resolution Issues …………………………452
2.9
Troubleshooting Host Name Resolution ………………………453
Issues Related to Client Computer Configuration …………454
2.9.1
Issues Related to DNS Services ……………………………455
Troubleshooting NetBIOS Name Resolution …………………457
Issues Related to Client Computer Configuration …………457
Issues Related to WINS Servers ……………………………458
Summary of Exam Objectives ………………………………………461
Exam Objectives Fast Track …………………………………………469
Exam Objectives Frequently Asked Questions ……………………472
Self Test ……………………………………………………………474
Self Test Quick Answer Key ………………………………………483
Chapter 7 Planning, Implementing, and Maintaining a Remote Access Strategy ……………485
Introduction ………………………………………………………486
3
Planning the Remote Access Strategy ………………………………486
Analyzing Organizational Needs ………………………………487
Analyzing User Needs …………………………………………487
Selecting Remote Access Types To Allow ………………………487
Dial-In ………………………………………………………488
VPN …………………………………………………………488
Wireless Remote Access ……………………………………489
3
Addressing Dial-In Access Design Considerations …………………489
Allocating IP Addresses …………………………………………490
Static Address Pools …………………………………………490
Using DHCP for Addressing ………………………………490
Using APIPA ………………………………………………491
Determining Incoming Port Needs ……………………………491
Multilink and BAP …………………………………………491
Selecting an Administrative Model ……………………………492
Access by User ……………………………………………493
Access by Policy ……………………………………………494
3/3.3 Addressing VPN Design Considerations ……………………………495
Selecting VPN Protocols ………………………………………496
Client Support ………………………………………………496
Data Integrity and Sender Authentication …………………496
PKI Requirements …………………………………………497
Installing Machine Certificates …………………………………497
Configuring Firewall Filters ……………………………………499
Creating Access Policies ………………………………………500
3
Addressing Wireless Remote Access Design Considerations ………500
The 802.11 Wireless Standards …………………………………501
Using IAS for Wireless Connections …………………………501
Configuring Remote Access Policies for Wireless Connections …………………502
Multiple Wireless Access Points ………………………………503
Placing CA on VLAN for New Wireless Clients ………………503
Configuring WAPs as RADIUS Clients ………………………503
Wireless Encryption and Security ………………………………504
WEP (Wired Equivalent Privacy) …………………………504
802.1X ………………………………………………………504
WPA ………………………………………………………505
3.2.2/3/3.2/ Planning Remote Access Security …………………………………505
3.2.1
Domain Functional Level ………………………………………505
Determining the Function Level ……………………………506
Raising the Domain Functional Level ………………………507
3.2.3
Selecting Authentication Methods ……………………………508
Disallowing Password-Based Connections (PAP, SPAP, CHAP, MS-CHAP v1) ………509
Using MS-CHAP v2 ………………………………………511
Using EAP …………………………………………………511
Using RADIUS/IAS vs. Windows Authentication …………512
Selecting the Data Encryption Level …………………………512
Using Callback Security ………………………………………513
Managed Connections …………………………………………513
Mandating Operating System/File System ……………………514
Using Smart Cards for Remote Access …………………………514
3
Creating Remote Access Policies …………………………………515
Policies and Profiles ……………………………………………515
Authorizing Remote Access ……………………………………516
Authorizing Access By User ………………………………516
Authorizing Access By Group ………………………………518
Restricting Remote Access ……………………………………520
Restricting by User/Group Membership …………………521
Restricting by Type of Connection …………………………521
Restricting by Time …………………………………………523
Restricting by Client Configuration ………………………524
Restricting Authentication Methods …………………………524
Restricting by Phone Numbers or MAC Addresses …………525
Controlling Remote Connections ………………………………525
Controlling Idle Timeout ……………………………………525
Controlling Maximum Session Time ………………………525
Controlling Encryption Strength ……………………………527
Controlling IP Packet Filters ………………………………528
Controlling IP Addresses for PPP Connections ……………528
3/5.4 Creating a Plan to Offer Remote Assistance to Client Computers …529
How Remote Assistance Works ………………………………529
Using Remote Assistance ………………………………………530
Configuring Remote Assistance for Use ……………………530
Asking for Assistance ………………………………………532
Completing the Connection ………………………………537
Managing Open Invitations …………………………………540
Offering Remote Assistance to your Clients …………………542
Remote Assistance Security Issues …………………………543
3/5.4.2 Planning for Remote Administration by Using Terminal Services …545
Using Remote Desktop for Administration ……………………545
Configuring RDA …………………………………………545
Setting Up Authentication …………………………………546
Advantages of RDA Over Other Remote Administration Methods …………546
Remote Desktop Security Issues ……………………………547
Summary of Exam Objectives ………………………………………549
Exam Objectives Fast Track …………………………………………550
Exam Objectives Frequently Asked Questions ……………………552
Self Test ……………………………………………………………553
Self Test Quick Answer Key ………………………………………558
Chapter 8 Planning, Implementing, and Maintaining a High-Availability Strategy ……………559
Introduction ………………………………………………………560
4/4.1/4.2 Understanding Performance Bottlenecks …………………………560
Identifying System Bottlenecks …………………………………561
Memory ……………………………………………………561
Processor ……………………………………………………563
Disk …………………………………………………………564
Network Components ………………………………………568
4.2.1
Using the System Monitor Tool to Monitor Servers …………570
Using Event Viewer to Monitor Servers ………………………584
Using Service Logs to Monitor Servers ………………………593
4/4.1/4.5 Planning a Backup and Recovery Strategy …………………………593
4.5.1
Understanding Windows Backup ………………………………594
Types of Backups ……………………………………………596
Determining What to Back Up ……………………………600
Using Backup Tools ……………………………………………602
Using the Windows Backup Utility ………………………602
Using the Command-Line Tools ……………………………604
Selecting Backup Media ………………………………………604
Scheduling Backups ……………………………………………605
Restoring from Backup ………………………………………606
4.5.3/4/4.1 Planning System Recovery with ASR ……………………………612
What Is ASR? …………………………………………………613
How ASR Works ………………………………………………613
Alternatives to ASR ……………………………………………614
Safe Mode Boot ……………………………………………614
Last Known Good Boot Mode ……………………………614
ASR As a Last Resort ………………………………………615
Using the ASR Wizard …………………………………………615
Performing an ASR Restore ……………………………………617
Planning for Fault Tolerance ………………………………………618
Network Fault-Tolerance Solutions ……………………………619
Internet Fault-Tolerance Solutions ……………………………619
Disk Fault-Tolerance Solutions …………………………………620
RAID ………………………………………………………620
Hot Spare Drives ……………………………………………624
Server Fault-Tolerance Solutions ………………………………624
Summary of Exam Objectives ………………………………………626
Exam Objectives Fast Track …………………………………………627
Exam Objectives Frequently Asked Questions ……………………630
Self Test ……………………………………………………………631
Self Test Quick Answer Key ………………………………………638
Chapter 9 Implementing Windows Cluster Services and Network Load Balancing ……………639
Introduction ………………………………………………………640
4.1.1 Making Server Clustering Part of Your High-Availability Plan ……641
Terminology and Concepts ……………………………………641
Cluster Nodes ………………………………………………641
Cluster Groups ………………………………………………642
Failover and Failback ………………………………………643
Cluster Services and Name Resolution ……………………643
How Clustering Works ……………………………………643
Cluster Models …………………………………………………644
Single Node …………………………………………………644
Single Quorum Device ……………………………………645
Majority Node Set …………………………………………646
4.3
Server Cluster Deployment Options ……………………………647
N-Node Failover Pairs ………………………………………648
Hot-Standby Server/N+I …………………………………649
Failover Ring ………………………………………………651
Random ……………………………………………………652
Server Cluster Administration …………………………………653
Using the Cluster Administrator Tool ………………………653
Using Command-Line Tools ………………………………654
4.3.2
Recovering from Cluster Node Failure ………………………657
Server Clustering Best Practices ………………………………657
Hardware Issues ……………………………………………658
4.3
Cluster Network Configuration ……………………………662
Security ……………………………………………………667
4.1.2 Making Network Load Balancing Part of Your High-Availability Plan ……………678
Terminology and Concepts ……………………………………678
Hosts/Default Host …………………………………………678
Load Weight …………………………………………………679
4.4
Traffic Distribution …………………………………………679
Convergence and Heartbeats ………………………………680
How NLB Works ……………………………………………681
Relationship of NLB to Clustering ……………………………681
Managing NLB Clusters ………………………………………682
Using the NLB Manager Tool ………………………………682
Remote Management ………………………………………683
Command-Line Tools ………………………………………684
NLB Error Detection and Handling ………………………687
Summary of Exam Objectives ………………………………………699
Exam Objectives Fast Track …………………………………………699
Exam Objectives Frequently Asked Questions ……………………701
Self Test ……………………………………………………………702
Self Test Quick Answer Key ………………………………………708
Chapter 10 Planning, Implementing, and Maintaining Internet Protocol Security ……………709
Introduction ………………………………………………………710
3.3.1/5/5.3 Understanding IP Security (IPSec) …………………………………710
5.6/5.6.1/5.6.2
Terminology and Concepts ……………………………………712
How IPSec Works ………………………………………………713
Securing Data in Transit ……………………………………714
Purposes of Encryption ……………………………………715
IPSec Modes ……………………………………………………717
Tunnel Mode ………………………………………………717
Transport Mode ……………………………………………718
IPSec Protocols …………………………………………………718
Primary IPSec Protocols ……………………………………719
Additional Protocols ………………………………………722
IPSec Components ……………………………………………724
IPSec Policy Agent …………………………………………724
IPSec Driver ………………………………………………725
IPSec and IPv6 …………………………………………………726
3.3.1/5/5.3 Deploying IPSec ……………………………………………………726
5.6/5.6.1/5.6.2/5.1
Determining Organizational Needs ……………………………727
Security Levels …………………………………………………727
3.3.1/5/5.6.2 Managing IPSec ……………………………………………………728
Using the IP Security Policy Management MMC Snap-in ……728
Using the netsh Command-line Utility ………………………731
Default IPSec Policies …………………………………………732
Client (Respond Only) ……………………………………732
Server (Request Security) …………………………………733
Secure Server (Require Security) …………………………733
Custom Policies …………………………………………………734
Using the IP Security Policy Wizard ………………………735
Defining Key Exchange Settings ……………………………743
Managing Filter Lists and Filter Actions ……………………744
Assigning and Applying Policies in Group Policy ………………746
Active Directory Based IPSec Policies …………………………747
IPSec Monitoring ………………………………………………749
Using the netsh Utility for Monitoring ……………………749
Using the IP Security Monitor MMC Snap-in ……………750
5.7
Troubleshooting IPSec …………………………………………751
Using netdiag for Troubleshooting Windows Server 2003 IPSec ……………751
Viewing Policy Assignment Information …………………752
Viewing IPSec Statistics ……………………………………753
Using Packet Event Logging to Troubleshoot IPSec ………755
Using IKE Detailed Tracing to Troubleshoot IPSec ………757
Using the Network Monitor to Troubleshoot IPSec ………759
Disabling TCP/IP and IPSec Hardware Acceleration to Solve IPSec Problems ………760
3.3.1/5/
Addressing IPSec Security Considerations …………………………761
5.2/5.7
Strong Encryption Algorithm (3DES) …………………………761
Firewall Packet Filtering ………………………………………762
Diffie-Hellman Groups …………………………………………762
Pre-shared Keys …………………………………………………763
Advantages and Disadvantages of Pre-shared Keys …………764
Considerations when Choosing a Pre-shared Key …………764
Soft Associations ………………………………………………764
3.3.1/5/5.7 Using RSoP for IPSec Planning ……………………………………765
Using the RSoP Wizard ………………………………………766
Security and RSoP …………………………………………766
Selecting the RSoP Mode for IPSec-related Queries …………766
Logging Mode Queries ……………………………………767
Planning Mode Queries ……………………………………768
Summary ……………………………………………………………769
Exam Objectives Fast Track …………………………………………770
Exam Objectives Frequently Asked Questions ……………………772
Self Test ……………………………………………………………772
Self Test Quick Answer Key ………………………………………779
Chapter 11 Planning, Implementing, and Maintaining a Security Framework ……………781
Introduction ………………………………………………………782
5/5.4/6/6.3 Planning and Implementing Active Directory Security ……………782
Understanding Permission Types ………………………………787
Active Directory Permissions ………………………………787
NTFS Permissions …………………………………………788
Share Permissions ……………………………………………789
Physically Securing Domain Controllers ………………………790
Securing the Schema ……………………………………………790
Managing Cross-domain and Cross-forest Security Relationships …………………791
Cross-domain Relationships ………………………………791
Cross-forest Relationships …………………………………793
Account Security ………………………………………………795
5/5.4/5.5/ Planning and Implementing Wireless Security ……………………801
6/6.3
Understanding Wireless Networking …………………………803
Wireless Network Types ……………………………………803
EAP Authentication …………………………………………804
How Wireless Networking Works …………………………806
Authentication for Wireless Networks …………………………806
Authentication Protocols ……………………………………810
Wireless Security Issues …………………………………………812
Default Settings ……………………………………………813
WEP Weaknesses ……………………………………………815
Making Wireless More Secure ………………………………815
5/6/6.3/6.3.1 Monitoring and Optimizing Security ………………………………817
Wireless Monitor ………………………………………………817
Object-based Access Control …………………………………818
Auditing ………………………………………………………818
Auditing Registry Keys ……………………………………821
Auditing Files or Folders ……………………………………822
Viewing the Results of Auditing ……………………………823
Security Log Settings ………………………………………823
Security Policies ………………………………………………823
Password Policies ……………………………………………824
Kerberos Policies ……………………………………………825
Account Lockout Policies …………………………………826
User Rights …………………………………………………826
Security Templates …………………………………………827
5/6/6.3/6.3.1 Planning a Change and Configuration Management Framework …830
5.4
5/6/6.3/6.3.1 Planning a Security Update Infrastructure …………………………830
5.4
Understanding the Importance of Regular Security Updates …………………831
Using Microsoft Baseline Security Analyzer (MBSA) …………831
Installing the Microsoft Baseline Security Analyzer …………832
Using Microsoft Software Update Services (SUS) ……………837
Summary of Exam Objectives ………………………………………848
Exam Objectives Fast Track …………………………………………851
Exam Objectives Frequently Asked Questions ……………………852
Self Test ……………………………………………………………853
Self Test Quick Answer Key ………………………………………859
Chapter 12 Planning, Implementing, and Maintaining a Public Key Infrastructure ……………861
Introduction ………………………………………………………862
6/6.2 Planning a Windows Server 2003 Certificate-Based PKI …………862
Understanding Public Key Infrastructure ………………………863
Public Key Cryptography …………………………………864
The Function of the PKI ……………………………………867
Components of the PKI ……………………………………867
Understanding Digital Certificates ……………………………868
User Certificates ……………………………………………870
6.2.1
6.2.1
6/6.1/6.2.1
6/6.1/6.2.2
6/6.2.3
Machine Certificates ………………………………………870
Application Certificates ……………………………………870
Understanding Certification Authorities ………………………870
CA Hierarchy ………………………………………………871
How Microsoft Certificate Services Works …………………872
Implementing Certification Authorities ……………………………875
Analyzing Certificate Needs within the Organization …………881
Determining Appropriate CA Type(s) …………………………881
Enterprise CAs ………………………………………………882
Stand-Alone CAs ……………………………………………882
Planning the CA Hierarchy …………………………………883
Planning CA Security ………………………………………885
Certificate Revocation ………………………………………886
Planning Enrollment and Distribution of Certificates ………………887
Certificate Templates ……………………………………………887
Certificate Requests ……………………………………………892
Auto-Enrollment Deployment …………………………………895
Role-Based Administration ……………………………………896
Implementing Smart Card Authentication in the PKI ……………897
What Are Smart Cards? …………………………………………897
How Smart Card Authentication Works ………………………898
Deploying Smart Card Logon …………………………………898
Smart Card Readers …………………………………………899
Smart Card Enrollment Station ……………………………899
Using Smart Cards To Log On to Windows ……………………899
Using Smart Cards for Remote Access VPNs …………………903
Using Smart Cards To Log On to a Terminal Server …………906
Summary of Exam Objectives ………………………………………907
Exam Objectives Fast Track …………………………………………908
Exam Objectives Frequently Asked Questions ……………………910
Self Test ……………………………………………………………912
Self Test Quick Answer Key ………………………………………918
Self Test Appendix …………………………………………………919
Index ………………………………………………………………1025
255_70-293_Fore.qxd
9/10/03
6:55 PM
Page xxxvii
Foreword
This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number
70-293, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure. Our
secondary purpose in writing this book is to provide exam candidates with knowledge and
skills that go beyond the minimum requirements for passing the exam, and help to prepare
them to work in the real world of Microsoft computer networking in an Active Directory
domain environment.
What is Exam 70-293?
Exam 70-293 is one of the four core requirements for the Microsoft Certified Systems
Engineer (MCSE) certification. Microsoft’s stated target audience consists of IT professionals
with at least one year of work experience on a medium or large company network. This
means a multi-site network with at least three domain controllers, running typical network
services such as file and print services, database, firewall services, proxy services, remote access
services and Internet connectivity.
However, not everyone who takes Exam 70-293 will have this ideal background. Many
people will take this exam after classroom instruction or self-study as an entry into the networking field. Many of those who do have job experience in IT will not have had the
opportunity to work with all of the technologies covered by the exam. In this book, our goal
is to provide background information that will help you to understand the concepts and procedures described even if you don’t have the requisite experience, while keeping our focus
on the exam objectives.
Exam 70-293 covers the basics of managing and maintaining the network infrastructure
in a network environment that is built around Microsoft’s Windows Server 2003. Objectives
are task-oriented, and include the following:
■
Planning a secure baseline installation, including planning a strategy to
enforce system default security settings on new systems, identifying client operating
system default security settings, and identifying all server operating system default
security settings.
■
Planning and configuring security for servers that are assigned specific
roles, including domain controllers, Web servers, database servers, and mail servers.
This includes deploying the security configuration for servers assigned to these specific roles and creating custom security templates based on server roles.
■
Evaluating and selecting the operating system to install on computers in
an enterprise, including identifying the minimum configuration to satisfy security
requirements.
■
Planning a TCP/IP network infrastructure strategy, including analyzing IP
addressing requirements, planning an IP routing solution, and creating an IP subnetting scheme.
■
Planning and modifying a network topology, including planning the physical
placement of network resources and identifying network protocols to be used.
■
Planning an Internet connectivity strategy.
■
Planning network traffic monitoring, using tools such as Network Monitor
and System Monitor.
■
Troubleshooting connectivity to the Internet, including diagnosing and
resolving issues related to Network Address Translation (NAT), name resolution
cache information, and client configuration.
■
Troubleshooting TCP/IP addressing, including diagnosing and resolving issues
related to client computer configuration and DHCP server address assignment.
■
Planning a host name resolution strategy, including planning the DNS
namespace design, planning zone replication requirements, planning a forwarding
configuration, planning for DNS security, and examining the interoperability of
DNS with third-party DNS solutions.
■
Planning a NetBIOS name resolution strategy, including planning a WINS
replication strategy and planning NetBIOS name resolution by using the Lmhosts
file.
■
Troubleshooting host name resolution, including diagnosing and resolving
issues related to DNS services and client computer configuration.
■
Planning a routing strategy, including identifying routing protocols to use in a
specified environment and planning routing for IP multicast traffic.
■
Planning security for remote access users, including planning remote access
policies, analyzing protocol security requirements and planning authentication
methods for remote access clients, offering remote assistance to client computers,
and performing remote administration using terminal services.
www.syngress.com
■
Implementing secure access between private networks, including creating
and implementing an IPSec policy.
■
Troubleshooting TCP/IP routing, using tools such as ROUTE, TRACERT,
PING, PATHPING, and NETSH, as well as the Network Monitor.
■
Planning services for high availability, including planning high availability
solutions that use clustering services and Network Load Balancing (NLB).
■
Identifying system bottlenecks, including memory, processor, disk and network
related bottlenecks, using System Monitor.
■
Implementing a cluster server and recovering from cluster node failure.
■
Monitoring Network Load Balancing, using tools such as the NLB Monitor
MMC snap-in and the WLBS cluster control utility.
■
Monitoring servers that provide network services, using tools such as System
Monitor, Event Viewer, and service logs.
■
Planning a backup and recovery strategy, including identifying appropriate
backup types such as full, incremental and differential, planning a backup strategy
that uses volume shadow copies, and planning system recovery that uses Automated
System Recovery (ASR).
■
Configuring network protocol security, including configuring protocol security in a heterogeneous client computer environment and configuring protocol
security by using IPSec policies.
■
Configuring security for data transmission, including configuring IPSec
policy settings.
■
Planning for network protocol security, including specifying the required
ports and protocols for specified services and planning an IPSec policy for secure
network communications.
■
Planning secure network administration methods, including creating a plan
to offer Remote Assistance to client computers and planning for remote administration by using terminal services.
■
Planning security for wireless networks.
■
Planning security for data transmission, including securing data transmissions
between client computers to meet security requirements and securing data transmissions by using IPSec.
■
Troubleshooting security for data transmission, using tools such as the IPSec
Monitor MMC snap-in and the Resultant Set of Policies (RSoP) MMC snap-in.
■
Configuring the Active Directory directory service for certificate publication.
■
Planning a public key infrastructure (PKI) that uses Certificate Services,
including identifying the appropriate type of certificate authority to support certificate issuance requirements, planning the enrollment and distribution of certificates,
and planning for the use of smart cards for authentication.
■
Planning a framework for planning and implementing security, including
planning for security monitoring and planning a change and configuration management framework for security.
■
Planning a security update infrastructure, using tools such as the Microsoft
Baseline Security Analyzer and Microsoft Software Update Services.
Microsoft reserves the right to change the objectives and/or the exam at any time, so
you should check the web site at http://www.microsoft.com/traincert/exams/70-293.asp for
the most up-to-date version of the objectives.
Path to MCP/MCSA/MCSE
Microsoft certification is recognized throughout the IT industry as a way to demonstrate mastery of basic concepts and skills required to perform the tasks involved in implementing and
maintaining Windows-based networks. The certification program is constantly evaluated and
improved; the nature of information technology is changing rapidly and this means requirements and specifications for certification can also change rapidly. This book is based on the
exam objectives as stated by Microsoft at the time of writing; however, Microsoft reserves the
right to make changes to the objectives and to the exam itself at any time. Exam candidates
should regularly visit the Certification and Training web site at http://www.microsoft.com/
traincert/ for the most updated information on each Microsoft exam.
Microsoft presently offers three basic levels of certification:
■ Microsoft Certified Professional (MCP): to obtain the MCP certification, you must pass one current Microsoft certification exam. For more information on exams that qualify, see http://www.microsoft.com/traincert/mcp/mcp/requirements.asp.
■ Microsoft Certified Systems Administrator (MCSA): to obtain the MCSA certification, you must pass three core exams and one elective exam, for a total of four exams. For more information, see http://www.microsoft.com/TrainCert/mcp/mcsa/requirements.asp.
■ Microsoft Certified Systems Engineer (MCSE): to obtain the MCSE certification on Windows Server 2003, you must pass six core exams (including four network operating system exams, one client operating system exam and one design
exam) and one elective. For more information, see http://www.microsoft.com/traincert/mcp/mcse/windows2003/.
Passing Exam 70-293 will earn you the MCP certification (if it is the first Microsoft
exam you’ve passed). Exam 70-293 also counts toward the MCSE. Exam 70-293 is not a
requirement or elective for the MCSA.
TIP
Those who already hold the MCSA in Windows 2000 can upgrade their certifications
to MCSA 2003 by passing one upgrade exam (70-292). Those who already hold the
MCSE in Windows 2000 can upgrade their certifications to MCSE 2003 by passing
two upgrade exams (70-292 and 70-296).
Microsoft also offers a number of specialty certifications for networking professionals and certifications for software developers, including the following:
■ Microsoft Certified Database Administrator (MCDBA)
■ Microsoft Certified Solution Developer (MCSD)
■ Microsoft Certified Application Developer (MCAD)
Exam 70-293 does not apply to any of these specialty and developer certifications.
Prerequisites and Preparation
There are no mandatory prerequisites for taking Exam 70-293, although Microsoft recommends that you meet the target audience profile described earlier, and many candidates will
first take Exams 70-290 and 70-291 in sequence before taking Exam 70-294 in their pursuit
of the MCSE certification.
Preparation for this exam should include the following:
■ Visit the web site at http://www.microsoft.com/traincert/exams/70-293.asp to review the updated exam objectives. Remember that Microsoft reserves the right to change or add to the objectives at any time, so new objectives might have been added since the printing of this book.
■ Work your way through this book, studying the material thoroughly and marking any items you don’t understand.
■ Answer all practice exam questions at the end of each chapter.
■ Complete all hands-on exercises in each chapter.
■ Review any topics that you don’t thoroughly understand.
■ Consult Microsoft online resources such as TechNet (http://www.microsoft.com/technet/), white papers on the Microsoft web site, and so forth, for better understanding of difficult topics.
■ Participate in Microsoft’s product-specific and training-and-certification newsgroups if you have specific questions that you still need answered.
■ Take one or more practice exams, such as the one included on the CD with this book.
Exam Overview
In this book, we have tried to follow Microsoft’s exam objectives as closely as possible.
However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the
objectives. Following is a brief synopsis of the exam topics covered in the book:
■ Planning tools and documentation We begin with an overview of network infrastructure planning, introducing you to planning strategies and how to use planning tools. We will review the fundamentals of network design, including analysis of organizational needs. This includes such factors as information flow, management model and organizational structure, and centralization vs. decentralization issues. We discuss management priorities, including availability and fault tolerance, security, scalability, performance and cost. Next, we address user priorities, which include email communications, scheduling and task management, project collaboration, data storage and retrieval, Internet research, application services, print services and graphics/audio/video services. This chapter also looks at legal and regulatory considerations, how to calculate Total Cost of Ownership (TCO) and how to plan for future growth. We discuss how to develop a test network environment, and how to document the planning and network design process.
■ Planning server roles and server security You will first review server roles and ensure that you have an understanding of the many roles a Windows Server 2003 server can play on the network. We discuss domain controllers, file and print servers, DHCP, DNS and WINS servers, Web servers, database servers, mail servers, certification authorities and terminal services application servers. Then we delve into how to plan a server security strategy. Here we examine how to choose the right operating system according to security needs, how to identify minimum security requirements for your organization and how to identify the correct configurations to satisfy those security requirements. You will learn how to plan baseline security, first planning the secure baseline installation parameters and then enforcing default security settings on new computers, both client and server machines. We’ll show you how to customize server security, securing your servers according to their roles. Then we’ll walk you through the process of creating custom security templates and show you how to deploy security configurations.
■ Planning, Implementing and Maintaining the TCP/IP infrastructure We then examine the TCP/IP infrastructure, and you will learn all about the network protocols supported by Windows Server 2003 and how to identify the protocols to be used in your network environment. We discuss the advantages of the TCP/IP protocol suite and we also address the multi-protocol environment that is increasingly common in today’s business organizations. We will review TCP/IP basics, and then get into what’s new in TCP/IP for Server 2003. Specifically, we’ll discuss IGMP v3, IPv6 support, the alternate configuration feature, and automatic determination of interface metric. You’ll find out how to plan an IP addressing strategy, including how to analyze your addressing requirements and how to create an effective subnetting scheme. Then we will address methods for troubleshooting IP addressing problems, both those related to client configuration and those related to DHCP server issues. You’ll learn about transitioning to the next generation of IP, IPv6, and we’ll introduce IPv6 utilities such as Netsh commands, Ipsec6.exe, and the IPv6 PING and TRACERT parameters. We discuss 6to4 tunneling, the IPv6 Helper service, and connecting to the 6bone. Next, we’ll discuss the planning of the network topology. This includes analysis of hardware requirements and how to plan for the placement of physical resources. You’ll learn to plan network traffic management, and how to monitor network traffic and devices using Network Monitor and System Monitor. We’ll show you how to determine bandwidth requirements and how to optimize your network’s performance.
■ Planning, implementing and maintaining a routing strategy We first review the basics of IP routing, including the role of routing tables, static and dynamic routing, and routing protocols such as RIP and OSPF. You’ll learn to use the netsh commands related to routing, and then we’ll show you how to evaluate routing options. This includes selecting the proper connectivity devices, and we’ll discuss hubs, bridges, switches (layer 2, 3 and 4 varieties), and routers. We will look at how you can use a Windows Server 2003 machine as a router, and how to configure the Routing and Remote Access Service (RRAS) to do so. Next, we look at security considerations related to routing. We’ll show you how to analyze requirements for routing components from a security-conscious point of view, and discuss methods of simplifying the network topology to provide fewer attack points. This includes minimizing the number of network interfaces, the number of routes, and the number of routing protocols. We will also discuss router-to-router VPNs and packet filtering and firewalls, as well as setting the logging level. Finally, we cover how to troubleshoot IP routing issues. We’ll identify troubleshooting tools and take a look at some common routing problems, including those related to interface configuration, to RRAS configuration, to routing protocols, to TCP/IP configuration and to routing table configuration.
■ Planning, implementing and maintaining an Internet connectivity strategy We then turn to how to develop the best strategy for connecting your company’s Windows Server 2003 network to the Internet. We discuss connecting the LAN to the Internet using routed connections or translated connections (via Internet Connection Sharing or the RRAS Network Address Translation component). You’ll learn about virtual private networking, and how to use both Internet-based VPNs and router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or connect two branch offices. We discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between one-way and two-way initiation. We also show you how to use remote access policies to control VPN connections, and we discuss VPN protocols supported by Windows Server 2003 and how to make VPN connections using either the Point to Point Tunneling Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private. Next, we take a look at the Internet Authentication Service (IAS), and how it can provide centralized user authentication and authorization, centralized auditing and accounting, and extensibility and scalability. You’ll learn about IAS integration with Server 2003 RRAS and how to control authentication via remote access policies. We show you how to use the IAS MMC snap-in and how to implement monitoring of IAS, and we discuss the use of the IAS Software Developers’ Kit (SDK). Then we delve a little deeper into the IAS authentication methods, and discuss RADIUS access server support, wireless access points and authenticating switches. In the next section, we walk you through the process of using the Connection Manager Administration Kit (CMAK) to create service profiles, custom actions and custom Help, as well as VPN support, to make it easier for non-technical users to connect remotely without having to do complex configuration. We’ll talk about security issues pertaining to Connection Manager, and show you how to prevent editing of service profile files, how to prevent users from saving their passwords, and how to distribute service profiles securely.
■ Planning, implementing and maintaining a name resolution strategy You will learn how to plan for the best way of resolving host names on your network. We’ll present an overview of host naming, and how host names are resolved using the hosts file and using DNS. We’ll discuss issues involved in designing a DNS namespace, such as choosing the parent domain name, the conventions and limitations that govern host names, the relationship of DNS and the Active Directory, and how to support multiple namespaces. Then we move on to planning DNS server deployment. You’ll find out how to factor in such things as number of servers, server roles, server capacity and server placement. We’ll also show you how to plan for zone replication between your DNS servers, and we’ll address planning
for forwarding and how DNS interacts with DHCP on a Server 2003 network. We’ll discuss Server 2003 DNS server interoperability with BIND and other non-Windows DNS implementations. You’ll learn about zone transfers between Server 2003 DNS servers and BIND servers, and we’ll discuss supporting Active Directory with BIND. You’ll learn about split DNS configurations and how interoperability relates to other services such as WINS and DHCP. Next, we address DNS security issues, including common DNS threats such as footprinting, redirection and DNS DoS attacks. You’ll learn how to best secure your DNS deployment, using a split namespace and using packet filtering. We’ll discuss how to determine the best DNS security level for your network. Next, we look at DNS performance issues. We show you how to monitor DNS server performance and how to analyze DNS server tests. In the next section, we’ll address NetBIOS name resolution and provide an overview of how NetBIOS names are resolved using lmhosts files and NetBIOS Name Servers such as WINS servers. You’ll find out what’s new for WINS in Server 2003, and we’ll show you how to plan WINS server deployment and how to plan for WINS replication. We’ll walk you through the process of configuring WINS replication partnerships, including Push Only, Pull Only and Push/Pull configurations. We’ll also discuss common WINS issues, including configuration issues, performance issues and security issues. We’ll show you how to plan for WINS database backup, and how to troubleshoot name resolution problems related to both host names and NetBIOS names.
■ Planning, implementing and maintaining a remote access strategy We examine the issues and procedures involved in devising a remote access strategy, including planning tasks such as analyzing organizational needs, analyzing user needs, and selecting the remote access types that will be allowed (dial-in, VPN, and/or wireless). We’ll discuss design considerations related to dial-in access, such as the allocation of IP addresses, how to determine incoming port needs, and how to select the best administrative model based on your organizational needs and the functional level of your domain. Next, we’ll talk about design considerations related to VPN access. You’ll learn how to select the VPN protocols to be allowed, based on client support, PKI requirements and the need for data integrity and sender authentication. You’ll learn how to install machine certificates, how to configure firewall filters, and how to create access policies governing VPN connections. In the next section, you’ll learn about the design considerations that relate to wireless remote access. We’ll discuss the use of IAS for wireless connections, and how to configure remote access policies for wireless connections. We’ll address the use of multiple wireless access points, and the advantages of placing a certification authority on a Virtual LAN (VLAN) for new wireless clients. We’ll also show you how to configure wireless access points (WAPs) as RADIUS clients. Next, we move on to planning overall security strategies for remote access connections. We’ll discuss the best practices in selecting authentication methods that will be allowed, and the benefits of disallowing insecure password-based connections (such as PAP, SPAP, CHAP and MS-CHAPv1). We’ll then look at the more secure methods such as MS-CHAPv2 and EAP, and discuss the advantages of using RADIUS/IAS rather than Windows authentication. We’ll also address the selection of the data encryption level, and other security measures such as requiring callback, mandating operating system and file system choices, using managed connections and using smart cards for remote access. We’ll delve deeply into the subject of remote access policies, and show you how to authorize remote access by user or group, how to restrict remote access in various ways, and how to control remote connections.
■ Planning, implementing and maintaining a high availability strategy We then look at the concept of high availability and how it can be attained. We’ll provide an overview of performance bottlenecks and what causes them, and show you how to identify such common system bottlenecks as memory, processor, disk and network components. We’ll walk you through the steps of using the System Monitor to monitor server performance, and show you how to use Event Viewer and service logs to monitor server issues, as well. Next, we show you how to plan a backup and recovery strategy. We’ll introduce you to the Windows Backup utility, and ensure that you understand the differences between full, incremental and differential backups. We’ll also discuss the use of volume shadow copies as a backup option. You’ll learn how to decide what information should be backed up, and we’ll show you how to back up user data, system state data, the DHCP, WINS and DNS databases and cluster disk signatures and partition layouts. We’ll walk you through the process of using the Windows Backup administrative tool, including the Backup and Restore Wizard feature and the Advanced Mode feature. We’ll also discuss the use of command line tools. Next, we’ll talk about how to select your backup media, and you’ll learn about scheduling backups and how to restore data from backup when necessary. In the next section, we’ll address how to plan for system recovery using the Automated System Recovery (ASR). You’ll learn about system services, how to make an ASR backup and how to do an ASR restore. We’ll explain how ASR works, and discuss alternatives to ASR such as Safe Mode boot and Last Known Good. Finally, we’ll discuss the importance of planning for fault tolerance, including solutions aimed at providing fault tolerance for local network connectivity, for Internet connectivity, for data on disk, and for mission-critical servers.
■ Windows Cluster Services and Network Load Balancing We will look at the ultimate in fault tolerance: server clustering, and show you how you can make clustering services part of your enterprise-level organization’s high availability plan. We’ll start by introducing you to the terminology and concepts involved in understanding clustering; you’ll learn about cluster nodes, cluster groups, failover and failback, name resolution as it pertains to cluster services, and how server clustering
works. We’ll discuss three cluster models: single node, single quorum device and majority node set. Then we’ll talk about cluster deployment options, including N-node failover pairs, hot standby server/N+1, failover ring and random. You’ll learn about cluster administration and we’ll show you how to use the cluster administrator tool as well as provided command line tools. Next, we’ll discuss best practices for deploying server clusters. You’ll learn about hardware issues, especially those related to network interface controllers, storage devices, power saving features and general compatibility issues. We’ll discuss cluster network configuration and you’ll learn about multiple interconnections and node-to-node communication. We’ll talk about the importance of binding order, adapter settings, and TCP/IP settings, and we’ll discuss the default cluster group. Next, we’ll move on to the subject of security for server clusters. This includes physical security, public/mixed networks, private networks, secure remote administration of cluster nodes, security issues involving the cluster service account and how to limit client access. We’ll also talk about how to secure data in a cluster, how to secure disk resources, and how to secure cluster configuration log files. The next section addresses how to make Network Load Balancing (NLB) part of your high availability plan. We introduce you to NLB concepts such as hosts/default host, load weight, traffic distribution and convergence and heartbeats. You’ll learn how NLB works, and the relationship of NLB to clustering. We’ll show you how to manage NLB clusters using the NLB Manager tool, remote management and the command line tools. We’ll also discuss NLB error detection and handling. Next, we’ll move on to monitoring NLB using the NLB Monitor MMC snap-in or using the Windows Load Balancing Service (WLBS) cluster control utility. We discuss best practices for implementing and managing NLB, including issues such as multiple network adapters, protocols and IP addressing, and NLB Manager logging. Finally, we address NLB security.
■ Planning, implementing and maintaining Internet Protocol Security We then turn to Windows Server 2003’s implementation of the Internet Protocol Security protocol (IPSec). We start by introducing IPSec terminology and concepts and explaining how IPSec works “under the hood” to secure data in transit over the network. We discuss the purposes of IPSec encryption: authentication, integrity and confidentiality. You’ll learn about how IPSec operates in either of two modes: tunnel or transport. You’ll also learn about the protocols used by IPSec. These include the two primary protocols: the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol. We’ll also discuss the roles of additional protocols used by IPSec, including the Internet Security and Key Management Protocol (ISAKMP), Internet Key Exchange (IKE), the Oakley key determination protocol and the Diffie-Hellman key agreement protocol. You’ll also learn about Server 2003’s IPSec components such as the IPSec driver and we’ll discuss the relationship of IPSec to IPv6. Next, we’ll show you how to deploy IPSec
on your network, taking into consideration organizational needs and security levels, and help you determine the appropriate authentication methods. You’ll learn about managing IPSec and we’ll walk you through the process of using the IPSec MMC snap-in as well as the command line tools. We’ll discuss the role of IPSec policies, including default and custom policies, and we’ll show you how to assign and apply policies. We’ll also talk about IPSec security considerations and issues, including the use of a strong encryption algorithm (3DES), authentication methods, firewall packet filtering, unprotected traffic, Diffie-Hellman groups and the use of preshared keys. We’ll show you how to use RSoP and the RSoP MMC snap-in to view policy assignments and to simulate policy assignments for deployment planning.
■ Planning, implementing and maintaining a security framework We look at several aspects of creating an effective security framework for your organization’s network. First, we look at how to plan and implement Active Directory security. This includes such measures as physically securing domain controllers, securing the schema, managing cross-forest security relationships, account security and implementing Active Directory access controls. Next, we discuss the issues and procedures involved in planning and implementing wireless security. We’ll provide an overview of the terminology and concepts relating to 802.11 wireless technologies and you’ll learn about authenticators and supplicants, as well as how wireless networking works “under the hood.” We’ll discuss authentication methods for wireless networks, including such authentication subtypes as open system and shared key. You’ll learn about the protocols generally used for wireless authentication, including the Extensible Authentication Protocol (EAP), EAP-Transport Layer Security (EAP-TLS), EAP-MS-CHAPv2, and the Protected Extensible Authentication Protocol (PEAP). We’ll also talk about using IAS with wireless. We’ll address wireless security issues such as common insecure default settings (administrative password, SSID, and WEP settings) and the weaknesses of Wired Equivalent Privacy protocol (WEP) encryption, as well as how WEP can be made more secure. Next, we’ll move on to discuss security monitoring, and we’ll address object based access control and security policies, including password policies, Kerberos policies, account lockout policies, user rights and the use of security templates. We’ll also talk about security auditing, and you’ll learn to set the auditing policy, modify the security log settings and audit objects such as files or folders. In the next section, you’ll learn about planning a Change and Configuration Management framework. We’ll walk you through the steps of using the Security Configuration Manager tool as well as command line tools included with Windows Server 2003. We’ll also discuss Security Analysis and Configuration best practices. Finally, we take you through the process of planning a security update infrastructure. You’ll understand the importance of regular security updates and you’ll learn
to use the Microsoft Baseline Security Analyzer (MBSA) and the Microsoft
Software Update Services to ensure that your Server 2003’s security features are
always current.
■ Planning, implementing and maintaining a public key infrastructure We will examine the complex issues involved in planning a certificate based PKI. We’ll provide an overview of the basic terminology and concepts relating to the public key infrastructure, and you’ll learn about public key cryptography and how it is used to authenticate the identity of users, computers, and applications/services. We’ll discuss the role of digital certificates and the different types of certificates (user, machine and application certificates). You’ll learn about certification authorities (CAs), the servers that issue certificates, including both public CAs and private CAs such as the ones you can implement on your own network using Server 2003’s certificate services. Next, we’ll discuss the CA hierarchy, and how root CAs and subordinate CAs act together to provide for your organization’s certificate needs. You’ll find out how the Microsoft certificate services work, and we’ll walk you through the steps involved in implementing one or more certification authorities based on the needs of the organization. You’ll learn to determine the appropriate CA type—enterprise or standalone CA—for a given situation, and how to plan the CA hierarchy and provide for security of your CAs. We’ll show you how to plan for enrollment and distribution of certificates, including the use of certificate requests, role based administration and autoenrollment deployment. Next, we’ll discuss how to implement the use of smart cards for authentication within the PKI. You’ll learn what smart cards are and how smart card authentication works, and we’ll show you how to deploy smart card logon on your network. We’ll discuss smart card readers and show you how to set up a smart card enrollment station. Finally, we’ll discuss the procedures for using smart cards to log onto Windows, for remote access and VPNs and to log onto a terminal server.
Exam Day Experience
Taking the exam is a relatively straightforward process. Both Vue and Prometric testing centers administer the Microsoft 70-293 exam. You can register for, reschedule or cancel an exam through the Vue web site at http://www.vue.com/ or the Prometric web site at http://www.2test.com/index.jsp. You’ll find listings of testing center locations on these sites. Accommodations are made for those with disabilities; contact the individual testing center for more information.
Exam price varies depending on the country in which you take the exam.
Exam Format
Exams are timed. At the end of the exam, you will find out your score and whether you passed or failed. You will not be allowed to take any notes or other written materials with you into the exam room. You will be provided with a pencil and paper, however, for making notes during the exam or doing calculations.
In addition to the traditional multiple choice questions and the select and drag, simulation and case study questions introduced in the Windows 2000 exams, Microsoft has developed a number of innovative question types for the Windows Server 2003 exams. You might see some or all of the following types of questions:
■ Hot area questions, in which you are asked to select an element or elements in a graphic to indicate the correct answer. You click an element to select or deselect it.
■ Active screen questions, in which you change elements in a dialog box (for example, by dragging the appropriate text element into a text box or selecting an option button or checkbox in a dialog box).
■ Drag and drop questions, in which you arrange various elements in a target area.
You can download a demo sampler of test question types from the Microsoft web site at http://www.microsoft.com/traincert/mcpexams/faq/innovations.asp#H.
Test Taking Tips
Different people work best using different methods. However, there are some common methods of preparation and approach to the exam that are helpful to many test-takers. In this section, we provide some tips that other exam candidates have found useful in preparing for and actually taking the exam.
■ Exam preparation begins before exam day. Ensure that you know the concepts and terms well and feel confident about each of the exam objectives. Many test-takers find it helpful to make flash cards or review notes to study on the way to the testing center. A sheet listing acronyms and abbreviations can be helpful, as the number of acronyms (and the similarity of different acronyms) when studying IT topics can be overwhelming. The process of writing the material down, rather than just reading it, will help to reinforce your knowledge.
■ Many test-takers find it especially helpful to take practice exams that are available on the Internet and with books such as this one. Taking the practice exams not only gets you used to the computerized exam-taking experience, but also can be used as a learning tool. The best practice tests include detailed explanations of why the correct answer is correct and why the incorrect answers are wrong.
■ When preparing and studying, you should try to identify the main points of each objective section. Set aside enough time to focus on the material and lodge it into your memory. On the day of the exam, you should be at the point where you don’t have
to learn any new facts or concepts, but need simply to review the information
already learned.
■ The value of hands-on experience cannot be stressed enough. Exam questions are
based on test-writers’ experiences in the field. Working with the products on a
regular basis, whether in your job environment or in a test network that you’ve set
up at home, will make you much more comfortable with these questions.
■ Know your own learning style and use study methods that take advantage of it. If
you’re primarily a visual learner, reading, making diagrams, watching video files on
CD, etc. may be your best study methods. If you’re primarily auditory, classroom
lectures, audiotapes you can play in the car as you drive, and repeating key concepts
to yourself aloud may be more effective. If you’re a kinesthetic learner, you’ll need
to actually do the exercises, implement the security measures on your own systems,
and otherwise perform hands-on tasks to best absorb the information. Most of us
can learn from all of these methods, but have a primary style that works best for us.
■ Although it might seem obvious, many exam-takers ignore the physical aspects of
exam preparation. You are likely to score better if you’ve had sufficient sleep the night
before the exam, and if you are not hungry, thirsty, hot/cold or otherwise distracted
by physical discomfort. Eat prior to going to the testing center (but don’t indulge in a
huge meal that will leave you uncomfortable), stay away from alcohol for 24 hours
prior to the test, and dress appropriately for the temperature in the testing center (if
you don’t know how hot/cold the testing environment tends to be, you may want to
wear light clothes with a sweater or jacket that can be taken off).
■ Before you go to the testing center to take the exam, be sure to allow time to
arrive on time, take care of any physical needs, and step back to take a deep breath
and relax. Try to arrive slightly early, but not so far in advance that you spend a lot
of time worrying and getting nervous about the testing process. You may want to
do a quick last minute review of notes, but don’t try to “cram” everything the
morning of the exam. Many test-takers find it helpful to take a short walk or do a
few calisthenics shortly before the exam, as this gets oxygen flowing to the brain.
■ Before beginning to answer questions, use the pencil and paper provided to you to
write down terms, concepts and other items that you think you may have difficulty
remembering as the exam goes on. Then you can refer back to these notes as you
progress through the test. You won’t have to worry about forgetting the concepts
and terms you have trouble with later in the exam.
■ Sometimes the information in a question will remind you of another concept or
term that you might need in a later question. Use your pen and paper to make
note of this in case it comes up later on the exam.
■ It is often easier to discern the answer to scenario questions if you can visualize the
situation. Use your pen and paper to draw a diagram of the network that is
described to help you see the relationships between devices, IP addressing schemes,
and so forth.
■ When appropriate, review the answers you weren’t sure of. However, you should
only change your answer if you’re sure that your original answer was incorrect.
Experience has shown that more often than not, when test-takers start second-guessing their answers, they end up changing correct answers to incorrect ones.
Don’t “read into” the question (that is, don’t fill in or assume information that isn’t
there); this is a frequent cause of incorrect responses.
■ As you go through this book, pay special attention to the Exam Warnings, as these
highlight concepts that are likely to be tested. You may find it useful to go through
and copy these into a notebook (remembering that writing something down reinforces your ability to remember it) and/or go through and review the Exam
Warnings in each chapter just prior to taking the exam.
■ Use as many little mnemonic tricks as possible to help you remember facts and
concepts. For example, to remember which of the two IPSec protocols (AH and
ESP) encrypts data for confidentiality, you can associate the “E” in encryption with
the “E” in ESP.
Pedagogical Elements
In this book, you’ll find a number of different types of sidebars and other elements designed
to supplement the main text.These include the following:
■ Exam Warning These focus on specific elements on which the reader needs to
focus in order to pass the exam (for example, “Be sure you know the difference
between symmetric and asymmetric encryption”).
■ Test Day Tip These are short tips that will help you in organizing and remembering information for the exam (for example, “When preparing for the exam on
test day, it may be helpful to have a sheet with definitions of these abbreviations
and acronyms handy for a quick last-minute review”).
■ Configuring & Implementing These are sidebars that contain background
information that goes beyond what you need to know from the exam, but provide
a “deep” foundation for understanding the concepts discussed in the text.
■ New & Noteworthy These are sidebars that point out changes in W2003 Server
from the old Windows 2000/NT family, as they will apply to readers taking the
exam. These may be elements that users of W2K/NT would be very familiar with
that have changed significantly in W2003 Server, or totally new features that they
would not be familiar with at all.
■ Head of the Class These are discussions of concepts and facts as they might be
presented in the classroom, regarding issues and questions that most commonly are
raised by students during study of a particular topic.
The book also includes, in each chapter, hands-on exercises in planning and configuring
the features discussed. It is essential that you read through and, if possible, perform the steps
of these exercises to familiarize yourself with the processes they cover.
You will find a number of helpful elements at the end of each chapter. For example, each
chapter contains a Summary of Exam Objectives that ties the topics discussed in that chapter to
the published objectives. Each chapter also contains an Exam Objectives Fast Track, which boils
all exam objectives down to manageable summaries that are perfect for last minute review. The
Exam Objectives Frequently Asked Questions answers those questions that most often arise from
readers and students regarding the topics covered in the chapter. Finally, in the Self Test section,
you will find a set of practice questions written in a multiple-choice form that will assist you in
your exam preparation. These questions are designed to assess your mastery of the exam objectives and provide thorough remediation, as opposed to simulating the variety of question formats you may encounter in the actual exam. You can use the Self Test Quick Answer Key that
follows the Self Test questions to quickly determine what information you need to review
again. The Self Test Appendix at the end of the book provides detailed explanations of both the
correct and incorrect answers.
Additional Resources
There are two other important exam preparation tools included with this Study Guide. One
is the DVD included in the back of this book.The other is the practice exam available from
our Web site.
■ Instructor-led training DVD provides you with almost two hours of virtual classroom instruction. Sit back and watch as an author and trainer reviews
all the key exam concepts from the perspective of someone taking the exam for the
first time. Here, you’ll cut through all of the noise to prepare you for exactly what
to expect when you take the exam for the first time. You will want to watch this
DVD just before you head out to the testing center!
■ Web based practice exams. Just visit us at www.syngress.com/certification
to access a complete Windows Server 2003 concept multiple choice review. These
remediation tools are written to test you on all of the published certification objectives. The exam runs in both “live” and “practice” mode. Use “live” mode first to
get an accurate gauge of your knowledge and skills, and then use practice mode to
launch an extensive review of the questions that gave you trouble.
Chapter 1
MCSE 70-293
Using Windows
Server 2003 Planning Tools
and Documentation
Solutions in this chapter:
Overview of Network Infrastructure Planning
Analyzing Organizational Needs
Developing a Test Network Environment
Documenting the Planning and Network Design Process
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Introduction
Planning is the first step in building a reliable, secure, high-performance and highly available
Windows Server 2003-based network. In this chapter, we begin with an overview of network
infrastructure planning, introducing you to planning strategies and how to use planning tools.
We will review the fundamentals of network design, including analysis of organizational
needs. These include factors such as information flow, management model, organizational
structure, and issues of centralization versus decentralization. We discuss management priorities, including availability and fault tolerance, security, scalability, performance, and cost.
Next, we address user priorities, which include e-mail communications, scheduling and task
management, project collaboration, data storage and retrieval, Internet research, application
services, print services, and graphics/audio/video services.
This chapter also looks at legal and regulatory considerations, how to calculate total
cost of ownership (TCO), and how to plan for future growth. We discuss how to develop a
test network environment, and how to document the planning and network design process.
Overview of Network
Infrastructure Planning
Proper planning of a network infrastructure is essential to ensuring high performance, availability, and overall user satisfaction with your network operations. In order to create a viable
network design, you’ll need an understanding of both the business requirements of your
organization as well as current and emerging networking technologies. Accurate network
planning will allow your organization to maximize the efficiency of its computer operations, lower costs, and enhance your overall business processes.
When planning for a new infrastructure or upgrading an existing network, you should
take some or all of the following steps:
■ Document the business requirements of your client or organization.
■ Create a baseline of the performance of any existing hardware and network utilization.
■ Determine the necessary capacity for the physical network installation, including
client and server hardware, as well as allocating network and Internet bandwidth
for network services and applications.
■ Select an appropriate network protocol and create an addressing scheme that will
provide for the existing size of the network and that will allocate room for any
foreseeable expansions, mergers, or acquisitions.
■ Specify and implement technologies that will meet the existing needs of your
network, while allowing room for future growth.
■ Plan to upgrade and/or migrate any existing technologies, including server operating systems and routing protocols.
In this section, we’ll discuss best practices and strategies for planning your network
implementation. We’ll then look at the various tools that you can use for network planning,
both from Microsoft and from other vendors. We’ll conclude with some fundamentals of
network design that will provide you with a good starting point for designing a network
that will best meet the needs of your organization and its users.
Planning Strategies
When designing a new network, you should first use the business requirements of your
organization as the primary source of planning information. You’ll need to create a network
infrastructure that addresses the needs of your management structure, such as fault tolerance, security, scalability, performance, and cost. You’ll need to balance these requirements
with the types of services that your users and clients will expect from a modern network,
including e-mail, calendaring, project collaboration, Internet access, file, print, and application services.
After you’ve determined the business requirements of your network, you should then
analyze the technical requirements of your organization. These requirements may apply to
any applications that are already in use or that you plan to implement, as well as to the
associated hardware and operating system. You should carefully note all of these requirements so that you won’t create any difficulties later on during the implementation process.
Be sure to analyze and document the existing network, including any hardware, software,
and network services that are already in place. This will make it easier to take the existing
configuration into account when planning the new or upgraded network.
Finally, any well-formed network plan should make allowances for future changes to
the organization, including support for new technologies and operating systems, as well as
additional hardware and users. Your organization’s business requirements can change—
through a merger, an acquisition, or simple growth and expansion. Although it is impossible
to foresee all possible changes of this nature, a good network design will be flexible enough
to accommodate as many adjustments as possible.
Using Planning Tools
There are a number of tools available to assist you in developing a plan for your network
infrastructure. The first and best of these, however, might be the simplest: pencil and paper.
As we discussed in the previous section, you should begin your planning by determining
the requirements of the business that will be using the network. The best way to do this is
through face-to-face interactions, by interviewing relevant managers and staff members of
each department, branch, or business unit. Not only does this allow you to construct a
complete picture of your network requirements, but it also involves stakeholders from the
various departments. This sort of involvement is critical in ensuring the successful deployment of any new or upgraded technology.
After you have a high-level understanding of your company’s organizational structure
and computing needs, you should inventory the hardware and software that is already in
place. In a small office environment, you can accomplish this by simply taking a walk to
determine the physical layout of network cables, routers, and the like. In a medium- to
large-sized enterprise network, you will probably want to rely on automated inventory
tools such as Microsoft’s Systems Management Server (SMS) or a third-party equivalent.
Take as detailed an inventory as possible, including the hardware configuration of server
and workstation machines as well as vendor names and the version numbers of the operating system and business applications the systems are running.
You can use a network analyzer, such as the Network Monitor utility built into the
Windows Server 2003 operating system or the more full-featured version of Network
Monitor included in SMS, to create a baseline of the current utilization of your network
bandwidth. If this utilization is already near capacity, you can use this baseline to justify and
plan upgrades to your network infrastructure (moving from 10MB Ethernet to 100MB
Ethernet, for example).
EXAM WARNING
The version of Network Monitor that ships with Windows Server 2003 can analyze
only traffic addressed to the network interface card (NIC) on the server itself or
that is sent by the server on which it is running. The SMS version of Network
Monitor operates in promiscuous mode, enabling it to capture all network traffic
on a given segment, even if the traffic isn’t addressed to or from the local server.
Windows Server 2003 has introduced new management features that will assist you in
planning your network configuration, especially in the areas of user and computer management. The Resultant Set of Policy (RSoP) Microsoft Management Console (MMC) snap-in
contains a Group Policy modeling function that will allow you to simulate changes to
Group Policy Objects (GPOs) in an Active Directory (AD) environment before actually
applying them to a production network. For example, if you want to apply a new GPO to
a departmental Organizational Unit (OU), the modeling report will indicate how the new
GPO will affect the objects within the OU to which it’s being applied. The Group Policy
Management Console (GPMC) can also provide detailed configuration reports on existing
GPO settings in place on a Windows 2000 or Windows Server 2003 AD installation.
EXERCISE 1.01
GENERATING A GROUP POLICY MODELING REPORT
In this exercise, we’ll take a look at a GPMC modeling report for a Windows
Server 2003 domain.
1. Click Start | Run, type mmc, and click OK.
2. Click File | Add/Remove Snap-in, and then select the Resultant Set of
Policy snap-in. Click Add, and then click Close.
3. Right-click Resultant Set of Policy, and then click Generate RSoP
Data. Click Next to bypass the initial Welcome screen.
4. On the Mode Selection page, select Planning mode as shown in
Figure 1.1, and then click Next.
Figure 1.1 Selecting the RSoP Report Mode
5. On the User and Computer Selection page, shown in Figure 1.2,
specify the name of the user and computer that you wish to analyze,
and then click Next. Alternatively, you can select an entire user and/or
computer container (such as a site, domain, or OU) to analyze.
Figure 1.2 Specifying the User and Computer Information
6. From the Advanced Simulation Options page, shown in Figure 1.3,
you can choose to modify a number of reporting options, such as simulating a slow network connection or the use of loopback processing.
Click Next when you’re ready to continue.
Figure 1.3 Advanced Simulation Options
7. On the User Security Groups page, shown in Figure 1.4, you’ll see the
security groups to which the specified user belongs. You can use the
Add or Remove buttons to specify different security group memberships to simulate. (If you make a mistake, you can click Restore
Defaults to return to the user’s actual group membership.) Click Next
when you’re ready to continue.
Figure 1.4 Simulating User Security Group Membership
8. The next page lists the security groups to which the specified computer
belongs. As in Step 7, you can use the Add or Remove buttons to
change the contents of the RSoP report. Click Next to continue.
9. By default, the report will include all possible Windows Management
Instrumentation (WMI) filters, as shown in Figure 1.5. (WMI filters allow
you to apply GPOs to users or computers based on hardware and software attributes such as operating system, free hard drive space, and
the like.) If you’ve created any WMI filters that would cause the computer you’ve specified to not be subject to Group Policy, you should
remove them by clicking the Only these filters radio button and
selecting Remove. Click Next to repeat the process for any computer-specific WMI filters.
Figure 1.5 Selecting WMI Filters
10. Click Next again. You’ll see a summary of your choices, as shown in
Figure 1.6. If you are satisfied with the selections you’ve made, click
Next again to run the simulation.
Figure 1.6 RSoP Summary Screen
11. When the simulation has completed, click Finish. In the console tree,
click the RSoP query to view the data. You’ll see the output in a screen
similar to the one shown in Figure 1.7.
Figure 1.7 A Completed RSoP Simulation
As you can see, Group Policy modeling will allow you to perform “what-if?” analyses to simulate the creation of new security groups or OUs. You can
also use simulated WMI filters to see how GPO settings and inheritance would
change if you upgraded a workstation from Windows NT to Windows XP
Professional, for example. GPMC modeling is definitely a useful tool to have in
your arsenal as you begin developing your Windows 2003 Server network
design.
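The same planning-mode simulation can be scripted instead of run through the wizard. The following is an added example, not code from the book or from Microsoft’s GPMC samples: it drives the GPMC scripting interfaces (the GPMgmt.GPM COM object, available once GPMC is installed) from PowerShell to run a planning-mode RSoP query for a chosen user and computer and write the result as an HTML report. The domain, user, computer, domain controller and report path are placeholders, and the slow-link flag constant name is assumed from the IGPMConstants interface.

```powershell
# Added example: planning-mode RSoP through the GPMC COM interfaces, the
# scripted counterpart of Exercise 1.01. Run on a machine with GPMC installed
# by an account that can read Group Policy in the target domain.
param(
    [string]$PlanningUser     = 'AIRPLANES\jdoe',         # placeholder user (DOMAIN\user)
    [string]$PlanningComputer = 'AIRPLANES\WS01$',        # placeholder computer (DOMAIN\name$)
    [string]$DomainController = 'dc01.airplanes.com',     # placeholder DC that runs the simulation
    [string]$ReportPath       = 'C:\Reports\rsop-planning.html',
    [switch]$AssumeSlowLink                               # mirrors "simulate a slow network connection" (step 6)
)

$gpm = New-Object -ComObject 'GPMgmt.GPM'
$k   = $gpm.GetConstants()

# Planning mode: nothing is applied to the user or computer. The domain
# controller computes what *would* apply, so this is safe to run against
# production AD and is the same "what-if" analysis the wizard performs.
$rsop = $gpm.CreateRSOP($k.RSOPModePlanning, '', 0)
$rsop.PlanningUser             = $PlanningUser
$rsop.PlanningComputer         = $PlanningComputer
$rsop.PlanningDomainController = $DomainController

if ($AssumeSlowLink) {
    # Assumption: constant name as exposed by IGPMConstants.
    $rsop.PlanningFlags = $k.RSOPPlanningAssumeSlowLink
}

try {
    # Ask the DC to evaluate the simulation, then render it to HTML.
    $rsop.CreateQueryResults()
    New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
    $rsop.GenerateReportToFile($k.ReportHTML, $ReportPath) | Out-Null
    Write-Host "Planning-mode RSoP report written to $ReportPath"
}
finally {
    # Always release the query so the DC does not keep the results around.
    $rsop.ReleaseQueryResults()
}
```

Open the report in a browser to review the simulated GPO list and settings; the security group and WMI filter choices of steps 7 through 9 stay at their defaults here (the user’s and computer’s real memberships, all filters assumed true).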
Fundamentals of Network Design
When you design a network, the most important question is unfortunately the most often
overlooked: Why are you building the network to begin with? It’s easy to become so
excited about the new technologies available to you that you can overlook the business
requirements of your organization. Even if you eventually configure the resultant network
to meet your needs, it can become a far more complicated (and expensive) process than if
you had begun by fully detailing business requirements in the first place. This can be even
more hazardous when you are working as a consultant for an independent company,
because you need to be very specific in obtaining the appropriate information from your
clients. Too often, you’ll hear, “We need a Frame Relay network” or, “We need you to
install a Check Point firewall.” These statements give you a solution without telling you
about the problem or need that the company is attempting to address. (Imagine walking
into your doctor’s office for the first time and telling her that you need your foot amputated, rather than simply reporting that you have an ingrown toenail.) It is important to use
available technologies to meet business requirements, rather than implementing them for
their own sake.
A company’s business requirements can include a number of factors that you need to
keep in mind. An obvious issue is that of cost, whether you are interested in improving user
efficiency to save money, or pumping cash into high-powered server farms to increase sales
revenue on an e-commerce site.You need to decide how much money your company is
willing to spend, or how much money you expect a new technology to save the company.
Either way, if your network design costs more than it ends up making (or saving) for a
company, you’ve failed to meet this critical requirement. This will come up later in this
chapter in the “Calculating TCO” section.
After you’ve determined the budget for your new network, you should take stock of
the current state of your company’s computing technology. Ask the following questions:
■ What resources are already in place?
■ How much needs to be upgraded or replaced?
■ What can be reused in the new or upgraded network?
Configuring & Implementing...
Plan Now or Pay Later
Although completely new network installations are becoming a rarity except when
dealing with new construction, they do present their own unique challenges. When
planning a new network installation, don’t take even the most basic configuration
items for granted. Here’s a real-world example: A medical supply firm was moving
from an environment consisting exclusively of mainframes and dumb terminals to
an installation of networked PCs and servers. Part of the physical installation
included running pipes under the flooring to allow the network cabling to run
throughout the building. Unfortunately, the construction manager received his
specifications from the mainframe administrator, who was relatively unfamiliar
with PC technology.
The mainframe manager assumed that the PCs would use the same type of
cable to connect to the routers and hubs that was used by the existing dumb terminals. He did not consult with the new LAN administrator, or he would have
known that the new networked PCs would be using Category 5 (CAT5) Ethernet
cabling, which proved to be roughly three times the diameter of the mainframe
access terminal cabling. This error wasn’t discovered until after the subfloor piping
had already been laid; the LAN administrator quickly discovered that there wasn’t
enough physical room to run all the necessary cable drops through the too-small
piping.
Rather than incur the increased cost of running the piping all over again, management tasked the LAN administrator with installing network connectors that
would use the smaller network cabling. This created an excess of performance bottlenecks until the subfloor piping was rerun two years later. Remember this true tale
of how a seemingly insignificant detail can escalate into a much larger problem
when you’re establishing the particulars of your network design plan.
There might be existing technologies that will need to be maintained and supported
even after the new design is in place. Be sure to include budget information for performing
all necessary upgrades and providing ongoing support for your legacy systems.
The next step in designing your network is to understand where your users are located.
Understanding the physical geography of your company and its employees is critical in
designing a cost-effective local area network (LAN) or wide area network (WAN). You’ll
not only need to determine where your users are located, but also the location of the services that they need to access. A geographically diverse user base can easily necessitate the
installation of dedicated WAN links or a virtual private network (VPN). Understanding
where your users and resources are located will also help you to determine the amount of
network bandwidth that your design will require. Network planning tools such as a network traffic analyzer will help you to determine the amount of traffic generated by your
users and clients. To determine bandwidth requirements, you must consider current traffic
levels while always leaving room for growth.
Analyzing Organizational Needs
Understanding the needs of a business or other organization is a fundamental step in creating
a well-designed network. In this section, we’ll take a look at information flow—recognizing
where data originates in your network and how it should be disseminated to the users and
customers who require it. Next, we’ll discuss the importance of understanding an organization’s management structure and how you can use that information to design appropriate network services. We’ll also discuss some common priorities for an organization’s management
group, as well as its more task- and project-oriented users. These range from factors such as
performance and availability that affect an entire network, to more specific services and applications such as e-mail, file sharing, and audio/video services. All of these issues should be
taken into account to ensure the overall success of your network design.
Information Flow Factors
If the “Information Age” moniker is to be believed, it only stands to reason that access to a
company’s information needs to be a top priority of any network design. This means that
all necessary personnel need on-demand access to their critical data in order to understand
how their company’s profits and losses are occurring, to call up a customer’s account information at a moment’s notice, and to collate information from multiple sources to allow for
effective decision making. The most successful organizations are those whose front-line
employees have instant access to the information they need, rather than waiting for managers or central “gatekeepers” to disseminate scheduled or ad hoc reports.
Understanding information flow requires you to determine where your users are
located, what data they need to access, when they need it, and how they need to access it to
best perform their jobs—whether that job is running a quarterly sales report or a high-school fundraiser. Providing appropriate information flow can involve physical considerations such as sufficient bandwidth allocation, along with logical controls within the
computer operating system. Remote and traveling users introduce their own unique challenges, because you will likely need to provide data access from varied and ever-changing
locations around the globe. Whatever steps end up being necessary for your own network
implementation, information flow can make or break a modern organization.
Management Model and Organizational Structure
Understanding a company’s organizational structure is imperative in designing a network to
meet its needs. You should begin by becoming familiar with the high-level divisions within
an enterprise and how they relate to one another. Large divisions usually have their own
organizational structure, and they might be broken into several smaller departments or
workgroups. For example, the Division of Finance might encompass separate Payroll,
Accounts Payable, and Collections departments. Most companies have developed an organizational chart to provide a graphical illustration of this overall structure.
Once you have an understanding of the organizational structure, you can take a closer
look at the individual departments themselves. Does the management structure of your
organization have many levels, with Assistant Directors reporting to Directors, who report
to Senior Directors, and so forth? (You can see an example of this sort of structure in
Figure 1.8.) Or is the management model more flat in design, with a single manager taking
responsibility for an entire department? This information will greatly benefit you when
designing network functions such as user groups and AD OUs, as well as when you are
determining appropriate delegation of network management responsibilities.
Figure 1.8 A Departmental Organizational Chart
Joe CEO, CEO
    Jane Manager, Development Manager
        Jodi Plebe, Software Developer
        John Serf, Software Developer
    Kevin Dewey, Chief Counsel
        Andrea Cheatem, Associate Counsel
        Brian Howe, Associate Counsel
Centralization versus Decentralization
Once you’ve determined the organizational structure of your client or company, you should
also recognize whether that structure is a centralized or decentralized one. Some companies
adhere to a strictly hierarchical reporting structure in which the organizational chart resembles a family tree, with each sublevel reporting to a subsequently higher level and a single
individual or group at the top of the hierarchy. In an AD environment, this type of structure lends itself to a system of nested OUs like the ones shown in Figure 1.9.
Figure 1.9 A Centralized Organizational Structure
airplanes.com
    Finance
        Accounting
        Payroll
        Collections
    Marketing
    R&D
    Training
Other organizational structures allow for greater autonomy within their business units,
where various departments or project teams can function more independently. You might
create an AD environment consisting of multiple domains, allowing each to maintain its
own security requirements. And you can certainly mix-and-match these models to meet the
unique requirements of your organization, as illustrated in Figure 1.10.
Figure 1.10 A Combination of Centralization and Decentralization
Domain tree: airplanes.com, with child domains finance.airplanes.com and
marketing.airplanes.com, and the grandchild domain payroll.finance.airplanes.com.
OUs shown within the domains: Accounting, Accounts Payable, Training, R&D.
Your network design should also consider the Information Technology (IT) management structure of the organization. A company with a decentralized management structure
can still handle network management centrally and vice versa. The transitive trust relationships built into Windows Server 2003 can allow centralized management of a multidomain
or multiforest environment, or for tasks to be split among departmental IT administrators.
The IT management structure of your organization can help you to decide how tasks such
as user and group management should be structured and delegated.
Management Priorities
The management perspective of network design can be more conceptual, or high level, than the end-user priorities that we’ll discuss in the next section. Rather than focusing on specific tasks and applications, a company’s management structure should focus on design attributes that are common to and can benefit the entire organization, not just specific departments or workers. These include network availability, security, scalability, performance, and cost. When designing a network for an enterprise organization, be sure to address as many of these concerns as possible.
Availability/Fault Tolerance
As people and companies have become more reliant on computer technology to function and perform personal and business tasks, network designers have needed to contend with increasing expectations for “always on” availability. A sales manager traveling in Europe or Asia will not be pleased to find that although she can access her e-mail client, the data on the server itself is available only during business hours in the Eastern Standard time zone, or that a hardware failure will prevent her from accessing sales figures for eight hours while the server is being repaired. To avoid such difficulties, business-critical applications such as database and e-mail servers should be placed on systems that are designed for high availability whenever possible. This rationale applies even more to retail Web sites (e-commerce sites) and other Web-based businesses. Planning for high availability and fault tolerance will help you to minimize the downtime experienced by your end users and customers.
Windows Server 2003 offers two separate but related clustering technologies—server clustering and Network Load Balancing—that can provide the high availability required by most enterprises.
Fault tolerance specifically refers to the ability of a piece of hardware or software to withstand the failure of a key component. This can be implemented at the hardware level using redundant power supplies or a Redundant Array of Inexpensive Disks (RAID) hard drive array. Advanced fault-tolerance technologies will even allow an administrator to replace individual components within a server without powering down the server. Clustering provides the ultimate in fault tolerance: completely redundant systems.
TEST DAY TIP
The ability to replace hardware on the fly, without powering down or rebooting
the server, is referred to as hot-swapping.
Security
To create an effective network design, you must perform a juggling act between providing easy access to data for those who require it and, at the same time, protecting the data against unauthorized or illicit access. Accessibility and security are always at opposite ends of a continuum—more of one results in less of the other. Establishing an information security strategy is critical in ensuring that your network design is prepared to address security concerns when, not if, they arise.
A well-developed network security policy is as much a business concern as a technological one; consequently, you should involve key decision-makers from all parts of an organization, including Risk Management, Legal, Human Resources, and so on. Your security policy will provide a common baseline of security procedures based on your company’s security requirements.
When addressing security concerns within your network design, your three primary concerns are the confidentiality, integrity, and availability of your data. These three security objectives answer the following key questions:
■ Who has access to your data?
■ Has the data been corrupted or altered in any way?
■ Will your users be able to access their data when they need to?
All technologies and practices within information security will ultimately address one or more of these key concepts.
Scalability
When planning a network design, scalability refers to how well a service or application can
grow to meet client performance demands that will inevitably increase over time. It can
refer to increasing system resources such as processors, memory, disk drives, and network
adapters to an existing piece of hardware, or being able to seamlessly replace existing hardware with more powerful equipment. It can also refer to adding new servers to meet
increased demands.
A scalable network is one that can expand over time to address network growth and
improve (or at least maintain) client response time. Server clustering, mentioned earlier as a
technology to ensure availability, can also be used to address scalability issues by allowing
you to add nodes to a cluster when your network encounters a period of growth.
Performance
Network performance—good or bad—is one of the most noticeable outcomes of any network design plan. Performance has a direct impact on all aspects of end-user productivity and customer satisfaction. If your e-commerce Web servers are overloaded, you will probably lose customers who abandon their shopping carts out of impatience. This translates directly into lost customers and lost income for your company. Likewise, providing adequate performance on a corporate LAN will allow your corporate employees to focus less on waiting for their workstations to reboot and more on productivity, thus creating revenue for the company.
Cost
There is an old joke among software developers that goes something like this: “Cheap, fast,
right… pick two.” Monetary considerations can make or break a network design. An
improperly budgeted network installation can create any number of long-term difficulties
and end up costing even more money to correct problems that cropped up during the initial
installation. Almost everyone embraces the goal of cutting costs, but remember that it is
almost always less expensive to do something right the first time than it is to correct or
upgrade an insufficient installation.
User Priorities
No matter what network infrastructure your organization uses, you can be certain that it won’t be deployed in a vacuum. Whether your users are internal employees of your corporation or external customers paying for the services that your company provides, your network installation must provide for their needs if it is to be cost-effective and successful. You must create an environment that provides for the current needs of your users, as well as allowing room for future growth and changing requirements. We’ll describe some of the more common network services in use today: e-mail and other communications, scheduling and task management, project collaboration, data storage and retrieval, Internet research, application services, print services, and graphics/video/audio services. (Of course, a complete list of network services is limited only by the imaginations of your customers, clients, and users.)
Electronic Communications
Electronic communication, specifically e-mail, has become the de facto means of communication in the modern business world. Whether a company manages its own e-mail storage, using a technology like Lotus Notes or Microsoft Exchange, or outsources its e-mail to an external Internet Service Provider (ISP), modern computer users have come to expect a great deal from their e-mail service in terms of performance and availability. The outage of an e-mail server is now perceived to be just as disruptive as the loss of telephone service. In designing e-mail services for your network, you should make allowances for high performance and availability to meet the expectations of your network users.
You can provide high availability and performance for your e-mail services by making
sure that you’ve allocated enough server resources to support all of your current clients, as
well as planning for the growth of your user base. As with most other network services,
fault tolerance can be achieved through the use of redundant hardware within an individual
server, like redundant power supplies and NICs, as well as RAID arrays for your hard
drives. Also, you can use server clustering to create two or more physical e-mail servers that
your clients will see as one logical server; if one physical node of the cluster fails, the other
will take over, usually without your clients noticing more than a few seconds’ outage.
Another common issue with e-mail servers relates more to how e-mail is used within your organization. Unsolicited commercial e-mail, commonly referred to as spam, can clog the inboxes of your client workstations, decreasing productivity as users sift through pages of junk mail looking for relevant messages. This can also lead to sexual harassment questions if the spam includes messages with adult content or graphics. As an e-mail administrator, you can implement spam-filtering centrally at the server level or install client-level tools for your users to configure according to their own tastes. Spam-filtering uses a number of different technologies, including blocking e-mail from lists of known spammers and filtering messages based on keywords such as “get rich.”
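As an added example (not from the book), the following Python script applies the two server-side techniques just described, a blocklist of known spam senders and keyword matching, to a few constructed messages. The addresses, domains, phrases, scoring weights and threshold are all made up for the example.

```python
"""Server-side spam filter sketch (added example, not the book's code).
Blocklist entries, phrases, threshold and messages are all constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

BLOCKED_SENDERS = {"offers@bulkmail-example.test"}    # constructed
BLOCKED_DOMAINS = {"spamhaus-example.test"}           # constructed
SPAM_PHRASES = ["get rich", "act now", "free money"]  # constructed


def _phrase_pattern(phrase):
    """Match the phrase case-insensitively, allowing any run of spaces, dots or
    hyphens between its words, so "GET-RICH" and "get   rich" both count."""
    words = [re.escape(w) for w in phrase.split()]
    return re.compile(r"\b" + r"[\s.\-]+".join(words) + r"\b", re.IGNORECASE)


PHRASE_PATTERNS = [(p, _phrase_pattern(p)) for p in SPAM_PHRASES]


def _blocklist_reason(sender):
    """Return why the sender is blocked, or None if it is not."""
    if sender in BLOCKED_SENDERS:
        return f"sender {sender} is on the blocklist"
    labels = sender.partition("@")[2].split(".")
    # Check the sender's domain and each parent domain
    # (deals.example.test also matches a block on example.test).
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED_DOMAINS:
            return f"domain {candidate} is on the blocklist"
    return None


def _plain_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts)


def classify(raw_message, threshold=2):
    """Classify one RFC 2822 message string. Returns (verdict, score, reasons)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reason = _blocklist_reason(sender)
    if reason:
        return "spam", threshold, [reason]   # a blocklisted sender is decisive
    subject, body = msg.get("Subject", ""), _plain_text(msg)
    score, reasons = 0, []
    for phrase, pattern in PHRASE_PATTERNS:
        if pattern.search(subject):
            score += 2                       # advertised in the subject line
            reasons.append(f"'{phrase}' in subject")
        elif pattern.search(body):
            score += 1
            reasons.append(f"'{phrase}' in body")
    return ("spam" if score >= threshold else "ok"), score, reasons


SAMPLE_MESSAGES = {  # constructed
    "blocked_sender": ("From: Offers <offers@bulkmail-example.test>\n"
                       "Subject: Hello\n\nHi there.\n"),
    "blocked_subdomain": ("From: promo@deals.spamhaus-example.test\n"
                          "Subject: Deals\n\nSee attached.\n"),
    "keywords": ("From: friend@partner-example.test\n"
                 "Subject: GET   RICH quick!!!\n\nAct-now and get rich today.\n"),
    "legit": ("From: colleague@airplanes.com\nSubject: Q3 sales figures\n\n"
              "The piece on how founders get rich is attached for Monday.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        verdict, score, reasons = classify(raw)
        print(f"{name}: {verdict} (score {score}) {reasons}")
```

A single keyword hit in the body is deliberately scored below the threshold, because phrases like “get rich” also occur in legitimate mail; the subject line is weighted higher because that is where spam usually advertises.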
Along with deciding how to address unsolicited e-mail, you should create a policy describing how e-mail and other computing resources can and cannot be used within your environment. You’ll often hear this referred to as an Acceptable Use Policy (AUP). An AUP essentially provides a road map for your users to make decisions about what is and is not appropriate to do with their office computers.
Some organizations have a strict zero-tolerance policy, where there can be no personal use of any company resource, including e-mail. More often, though, you’ll see a phrase in an AUP that allows for “reasonable personal use” of computing resources. The purely financial argument might say, “If we can keep each of our 80,000 employees from spending one minute a day sending a personal e-mail, then we’ve saved the company X number of dollars.” But at the same time, you need to consider the potential for added productivity for the account manager who is happier being able to send a quick note to his daughter who lives halfway across the country. You need to carefully consider what type of policy will best suit your organization.
Scheduling/Task Management
Fully featured e-mail clients such as Microsoft Outlook and Lotus Notes can extend e-mail functionality to include a wide range of calendaring and task-management functions. Users can manage appointments for anything from small project teams to entire departments and offices. This can improve the efficiency of users’ time management by providing automatic meeting and resource scheduling, including notifications of appointments and time conflicts. Supervisors can manage schedules for an entire group of individuals, tracking meeting attendance, scheduled appointments, and vacations. Administrative assistants can even create, move, and delete appointments on their managers’ behalf.
Centralized task management can also assist managers or team leaders in directing the projects under their supervision. Managers can assign specific tasks and track their progress and completion date from a single location. As you can see in Figure 1.11, you can keep copies of tasks you’ve assigned on your personal task list, as well as receive status reports when an assigned task has been marked as complete. When integrated with e-mail and calendaring functionality, task-management functions can greatly streamline work processes for project teams and departments of any size.
Figure 1.11 Assigning Tasks in Microsoft Outlook 2002
Along with using network resources to schedule and assign tasks for users and employees, you’ll also want to allow for scheduling of computer-based tasks. This can include scheduling recurring events such as nightly backups of user data, or the ability to run tasks on an as-needed basis to create user accounts, reset a forgotten password, and the like. Windows Server 2003 has a graphical Task Scheduler interface that allows you to schedule tasks on a daily, weekly, or custom basis. You can also integrate many Windows commands and utilities into scripted batch files or custom applications. For example, the administrator for a university department might want to automate the process of creating user accounts for incoming freshmen every year, rather than spending time creating each individual account manually. Well-developed scheduling and task-management functions will allow the administrator to accomplish this in an efficient and timesaving manner.
Project Collaboration
No matter the size of an organization, sharing information within an organization and with outside parties is vital to increasing productivity and creativity on projects of all kinds. In this case, a “project” can refer to any situation where people need to share information, from a formal business research project to a high school marching band. Project collaboration technologies must provide an intuitive and easy-to-use means of sharing documents, deadlines, and other key pieces of information among people working from multiple locations.
Packages such as Microsoft SharePoint offer users the ability to organize and access information through a Web browser or another familiar Microsoft Office environment. Figure 1.12 (from the SharePoint homepage on www.microsoft.com) illustrates the kind of information that a project collaboration technology can gather at a user’s fingertips.
Figure 1.12 A Microsoft SharePoint Project Collaboration Web Page
Microsoft SharePoint comes in two varieties: SharePoint Team Services, and the more full-featured SharePoint Portal Server. SharePoint Team Services is actually integrated directly into the Windows Server 2003 operating system, and provides the ability for small or ad hoc project teams to share information. The full-blown SharePoint Portal Server is designed to work in an enterprise installation, allowing users to share and manage documents among multiple servers. The key differences between the two versions of SharePoint are listed in Table 1.1.
Table 1.1 Comparing SharePoint Portal Server and SharePoint Team Services
Core function
    Team Services: Ad hoc team collaboration
    Portal Server: Enterprise portal and search
Search capabilities
    Team Services: Documents within team Web site and subsites
    Portal Server: Across multiple servers and data types
Discussions and notifications
    Team Services: Discussions, notifications, and surveys
    Portal Server: Discussion and notifications
Customization
    Team Services: Browser-based, Microsoft FrontPage 2002, and SDK
    Portal Server: Web Parts and SDK
Document management options
    Team Services: Publishing
    Portal Server: Check-in and check-out, versioning, routing, and publishing
Client applications
    Team Services: Browser, Microsoft Office XP, and FrontPage 2002
    Portal Server: Browser, Microsoft Windows Explorer, Office 2000, and Office XP
Security options
    Team Services: Customizable roles: Administrator, Advanced Author, Author, Contributor, and Browser
    Portal Server: Administrator, Coordinator, Author, and Reader roles
Licensing requirements
    Team Services: One FrontPage 2002 server license, no separate client access license (CAL)
    Portal Server: Server license and CALs
Data Storage and Retrieval
Providing a central location for users to store and access files is one of the oldest and most common uses for a network file server. This provides your users with the ability to access shared data within a department, an organization, or an enterprise. The Windows operating system has provided the means to share files and folders since the release of Windows 95. The Windows Server operating systems allow an administrator to add management, security, and scalability functions to their users’ ability to share information. When planning file services for your network, you should keep the following objectives in mind:
■ Simplify user access to files in a large organization, especially when those resources are located on multiple servers and shares. This can include the ability to retrieve data stored on multiple servers from a single access point.
■ Provide efficient data access for users accessing information from multiple locations. For example, if a sales manager in Chicago needs frequent access to reporting data from remote servers, he should be able to access that data without using an expensive leased line to do so.
■ You should be able to migrate data to various servers without affecting the way that users access that data. If you must visit each user’s workstation whenever you reconfigure a share or a server, it will greatly restrict the flexibility of your network infrastructure.
■ Minimize any delays that can occur when accessing a frequently used file or folder.
Windows Server 2003 has introduced new features (and improved on existing Windows Server functions) to improve file sharing services, including the following:
■ Volume Shadow Copy This allows network backups to take place while users are still accessing files and folders, increasing the availability of shared documents on the network.
■ Distributed File System (DFS) Like its predecessor in Windows 2000, DFS allows you to take shared folders located on multiple physical servers and group them using a single namespace. With this feature, you can add or remove physical folders, drives, and even entire servers without affecting how your users access the resources they need. DFS can also be used to provide fault tolerance and load balancing for the file sharing services on your network.
■ NTFS permissions As in previous versions of Windows, file permissions prevent unauthorized access to the resources on your network. Windows Server 2003 also has continued support for file compression to save space used by infrequently accessed files on your hard drives.
■ Disk quotas As with Windows 2000, you can use the disk quota function of Windows Server 2003 to passively monitor or actively control disk usage on your file servers. Disk quotas can be enabled on a per-user basis on any of your server volumes. Properly implemented disk quotas will increase the availability of your file sharing services by preventing drive space from filling up without warning.
■ Removable storage Windows Server 2003 provides enhanced support for removable storage devices such as Zip drives, FireWire devices, and Universal Serial Bus (USB) storage devices.
■ Offline files Like Windows 2000, Windows Server 2003 will allow users to “check out” a network file and make changes to it on their local machine before the file is checked back into the network storage location. You can use this to improve performance, especially when accessing files over a WAN link or when you’re dealing with remote and traveling users who may need to work on network files while they are disconnected from the network.
■ Encrypting File System (EFS) This feature uses Public Key Infrastructure (PKI) certificates to digitally encrypt user files stored on a server or a local hard drive. This feature is largely unchanged from Windows 2000. It relies on users’ private keys to provide encryption for their stored files.
■ Indexing Service Another feature found in previous versions of Windows, the Indexing Service in Windows Server 2003 creates indexes of the contents of a server or workstation hard drive, as well as indexing the properties, or metadata, for various document files. This allows you to index files not only by name and location, but also by such properties as author, category, timestamp, and so on. You can create multiple indexes on a single machine to exert granular control over how the Indexing Service operates.
Internet Research
The Internet and the World Wide Web have created instant access to a wealth of information on countless topics for both personal and business use. This instant access to information has become crucial to the modern workplace, allowing access to a wide variety of resources (some of which we’ve already discussed), including e-mail, file transfers, business and personal collaboration, access to multimedia information, and more. The various resources available on the Internet allow users to research vast amounts of material and information.
Internet research differs greatly from traditional “paper” library research because information is not centrally catalogued in a single location, and it can move and change from day to day and week to week. Addresses of Internet sites can change and sometimes disappear altogether, creating a fluid and somewhat volatile environment. Information found on the Internet can also vary widely in terms of accuracy, credibility, and attention to detail, making it crucial to evaluate not only the information, but also the source of that information.
When designing a network for any setting, whether for corporate, educational, or personal use, it’s almost a given that you will be making some allowance for access to the Internet and the World Wide Web. Whether this access is universal to all users or restricted to only those who need to perform Internet research as part of their job functions, a good network design will provide secure access that will permit access to necessary resources while protecting the security of the internal network resources. You can accomplish this through the use of firewalls, proxy servers, and other hardware and software-based technologies.
Application Services
A well-designed network can allow you to host client applications from a central location, thus reducing deployment time and management costs as well as providing for centralized security. Centralized application management addresses some of the following user needs:
■ Central storage of application data so that users can access needed files from anywhere on the network
■ Centralized deployment, upgrading, and patching of applications without requiring user intervention (or sometimes even user knowledge)
■ Enabling offline access to network applications so that users can perform their tasks while disconnected from the network
Using a central application server such as Windows Terminal Services can enable you to deploy an application one time only to the server itself, rather than installing it on each user’s desktop. This can greatly improve both user and administrator efficiency in the case of custom applications that require frequent updates or applications that need to be deployed to users in geographically remote locations. Centralized application hosting can also increase security by maintaining sensitive data in a centralized location, rather than allowing it to traverse insecure network connections.
NOTE
When considering deployment costs of Terminal Services, remember to take into
account Terminal Services licensing fees. Each client must have not only a CAL for
the client operating system it is running, but also a Terminal Services license. See
www.microsoft.com/windowsserver2003/techinfo/overview/termservlic.mspx for a
white paper that discusses all the intricacies of the Terminal Services licensing
structure in Windows Server 2003.
Print Services
Almost every environment relies on highly available printing services to produce all forms of paper output. A properly designed network will create shared printing resources across the network, allowing workstations to submit print jobs to printers that are attached to local servers or that are accessed across the Internet. Network operating systems such as Windows Server 2003 allow you to cluster network printers for high availability, and to automatically deploy printer drivers to clients of many different operating systems. Well-designed print services will also enable users to easily locate the printers they require. Administrators should be able to centrally manage and configure printers from any location.
The Windows printing architecture consists of two components:
■ Physical printer The printer is exactly what you think it is: the physical print device that is attached to a workstation or server’s parallel or USB port, or plugged directly into the network.
■ Logical print queue The print queue is the software piece that translates between the physical printer and the software application from which the user is printing.
To improve printing efficiency, you can have a single print queue submit jobs to multiple printers, referred to as a printer pool. In the example shown in Figure 1.13, the Finance queue feeds to three separate printers. This is useful if a department produces a large amount of paper output, since you can manage the three physical printers as a single logical unit.
Figure 1.13 Printer Pools and Prioritized Queues (the Finance Queue feeds Finance Printer 1, Finance Printer 2, and Finance Printer 3; the VP, Graphics Design, and Staff queues all feed a single Color Laser Printer)
NOTE
You should implement a printer pool only if the printers themselves are physically
close to one another; otherwise, your users will be running from printer to printer
looking for their output.
On the opposite end of the spectrum, you can have multiple logical print queues feed to a single physical printer in order to prioritize your users’ print jobs. You can assign a priority to a print queue between 1 and 99. Print jobs from higher-priority print queues will be processed before jobs submitted from lower-priority print queues.
You can also establish schedules in which printing to a certain queue may not be available at all. In Figure 1.13, there are three print queues set up for a single color laser printer. Let’s say that you want your graphics designers to have first priority when printing to this device, followed by any of your vice presidents. You can assign a priority of 99 to the Graphics Design print queue and a priority of 1 to the VP queue. Furthermore, you’ve recently discovered that some staff members have stayed after business hours to print personal material to the color laser printer. In order to keep from wasting the expensive color laser toner, you can establish a third Staff queue that can only be printed to between 9:00 A.M. and 5:00 P.M., Monday through Friday.
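As an added example (not from the book, and not Windows code), the following Python model reproduces the queue semantics of Figure 1.13 for both the printer pool and the prioritized queues: the Finance queue fans out to three printers, while the Graphics Design (priority 99), VP (priority 1) and Staff queues compete for one color laser printer, with the Staff queue accepting jobs only from 9:00 A.M. to 5:00 P.M. on weekdays. The Staff queue’s priority of 1 and the sample jobs are assumptions for the example.

```python
"""Model of Windows print queue behaviour (added example, not the book's code).
Queue names follow Figure 1.13; the Staff priority and the jobs are assumed."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional


@dataclass(frozen=True)
class PrintQueue:
    name: str
    target: str                   # logical printer; a pool maps to several devices
    priority: int = 1             # 1 (lowest) to 99 (highest), as in Windows
    available_from: Optional[time] = None
    available_until: Optional[time] = None
    weekdays_only: bool = False

    def __post_init__(self):
        if not 1 <= self.priority <= 99:
            raise ValueError("priority must be between 1 and 99")

    def accepts(self, when: datetime) -> bool:
        """True if the queue is available at the given wall-clock time."""
        if self.weekdays_only and when.weekday() >= 5:      # 5 = Saturday
            return False
        if self.available_from is not None and self.available_until is not None:
            return self.available_from <= when.time() < self.available_until
        return True


@dataclass(frozen=True)
class Job:
    job_id: int
    queue: str
    submitted: datetime


# Physical devices behind each logical target (Figure 1.13).
DEVICES = {
    "Finance pool": ["Finance Printer 1", "Finance Printer 2", "Finance Printer 3"],
    "Color Laser": ["Color Laser Printer"],
}

QUEUES = {q.name: q for q in (
    PrintQueue("Finance", "Finance pool"),
    PrintQueue("Graphics Design", "Color Laser", priority=99),
    PrintQueue("VP", "Color Laser", priority=1),
    PrintQueue("Staff", "Color Laser", priority=1,            # priority assumed
               available_from=time(9, 0), available_until=time(17, 0),
               weekdays_only=True),
)}


def dispatch(jobs):
    """Return (assignments, rejected): assignments maps each physical printer
    to the job ids it prints, in order; rejected lists jobs whose queue was
    unavailable when they were submitted."""
    pending, rejected = {}, []
    for job in jobs:
        queue = QUEUES[job.queue]
        if not queue.accepts(job.submitted):
            rejected.append(job.job_id)
            continue
        pending.setdefault(queue.target, []).append(job)
    assignments = {}
    for target, queued in pending.items():
        # Higher-priority queues first; equal priority is first come, first served.
        queued.sort(key=lambda j: (-QUEUES[j.queue].priority, j.submitted))
        devices = DEVICES[target]
        for i, job in enumerate(queued):
            # A pool hands successive jobs to successive printers.
            assignments.setdefault(devices[i % len(devices)], []).append(job.job_id)
    return assignments, rejected


# Constructed jobs: 2003-09-15 is a Monday, 2003-09-20 a Saturday.
def _t(day, hour, minute=0):
    return datetime(2003, 9, day, hour, minute)


SAMPLE_JOBS = [
    Job(1, "Finance", _t(15, 10, 0)),
    Job(2, "Finance", _t(15, 10, 1)),
    Job(3, "Finance", _t(15, 10, 2)),
    Job(4, "Finance", _t(15, 10, 3)),
    Job(5, "VP", _t(15, 10, 0)),
    Job(6, "Staff", _t(15, 10, 5)),
    Job(7, "Graphics Design", _t(15, 10, 10)),
    Job(8, "Staff", _t(15, 18, 30)),   # after hours: refused
    Job(9, "Staff", _t(20, 10, 0)),    # Saturday: refused
]

if __name__ == "__main__":
    assigned, refused = dispatch(SAMPLE_JOBS)
    for printer, ids in assigned.items():
        print(f"{printer}: jobs {ids}")
    print("refused:", refused)
```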
Graphics/Audio/Video Services
The increasing prevalence of high-speed Internet connectivity has created a market for
high-quality streaming media services, ranging from streaming audio services offered by
online radio stations to full-fledged audio/video streams used for training and conferences.
Windows Server 2003 includes the latest version of Windows Media Services, allowing
companies of any size to create and host powerful streaming media capabilities.
As a network manager, you need to be aware of the hardware, software, and network
bandwidth considerations created by your organization’s current and potential future use of
streaming media capabilities. Planning for the requirements of this technology is essential in
creating an efficient network design.
Reviewing Legal and Regulatory Considerations
Depending on the business in which you are involved, your network design plan should
address the legal issues associated with your industry, geographic location, and so on.
Backup schedules and offsite data availability have become federally regulated matters, especially in the financial arena. Consult your Legal department during the design process,
because like everything else in this venture, it’s certainly best to get it right the first time.
Don’t forget to include your client workstations when making allowances for legal and
regulatory matters. For example, if your corporate data-retention policy calls for maintaining e-mail data for twelve months, but some users have copies of every item they’ve
sent or received in the last five years, that fact could come back to haunt you in a legal proceeding.
Some fields of business are subject to very detailed governmental regulations regarding
data security. For example, healthcare providers now fall under strict laws regarding electronic patient information since the Health Insurance Portability and Accountability Act
(HIPAA) went into effect in 2003. Regardless of your field, if you work on government
projects, your network might be required to meet specified security criteria.
Network communications can also subject your company to legal liability when
employees misuse the network. For example, pornographic material on the company network can subject the company to charges of the “hostile workplace” definition of sexual
harassment under Title VII of the federal Civil Rights Act of 1964 and various state laws.
You should also consider intellectual property (copyright, trademark, and patent) laws in
establishing your network policies.
Common factors that also need to be reviewed for legal compliance are any Service Level Agreements (SLAs) in place on your network. An SLA attempts to define the scope of a service provider’s responsibilities in maintaining applications or services on a network. This provider can be an external vendor to whom you’ve outsourced a critical service (your ISP, for example), or the SLA can be an internal document detailing the IT department’s duties in maintaining network availability. The following are the major components of an external SLA, using an ISP as a real-world example:
■ Scope of services This spells out exactly which service or application an SLA is referring to and the level of responsibility that the internal IT department will have in maintaining this service versus the external vendor. This includes outlining the hardware, software, and resources that comprise the particular service, such as the modems, network connectivity equipment, ISP help desk, and engineering personnel in the case of an ISP.
■ Roles and responsibilities Your ISP should establish a coverage schedule so that at least one primary and one backup support avenue is available to report any service outages. You’ll also need to establish a system to escalate support calls if the scheduled support person is unavailable or cannot correct the problem. You can use this information to inform your users of the turnaround time they can anticipate in responding to and resolving any problems.
These are only a few of the legal considerations that are important in a corporate network environment. You should always include a legal advisor as a member of your network
planning team.
Calculating TCO
“These upgrade proposals look interesting, but how will they impact our company’s TCO?”
TCO is a calculation that was designed to assist consumers and corporate managers in
assessing the direct and indirect costs and benefits associated with the implementation of
new or upgraded computer technology. The purpose of TCO is to quantify the financial
bottom line associated with a computer or technology purchase decision.
TCO calculations do not rely on a single formula. For example, a high-end computer
will have a higher initial purchase price, but will probably incur fewer repair bills during its
active life cycle. TCO is balanced against the benefits created by the technology purchase,
such as improved user efficiency or perceived happiness with improved performance, in
attempting to make a final purchase decision.
The first part of calculating TCO is relatively simple: What is the initial purchase price
of the new technology? Include the cost of hardware, software licensing, networking equipment, installation charges, and so on. Don’t forget to factor in the necessary time to train
your end users and IT staff in the use and administration of the new technology. Next,
determine the ongoing costs for maintenance and support. These costs can include charges
for vendor support, as well as in-house labor expended on interoperability issues with third-party and legacy software support. Try to estimate the total costs for the full anticipated life
cycle of the proposed technology.
Determining the soft costs associated with a new technology is a bit more complicated.
How much money will your company save by reducing the number of times your users are
forced to reboot their computers each day? Conversely, how much money is lost when an
account manager cannot access the order-entry application for 20 minutes, for an hour, and
for a day? These costs are fairly difficult to quantify, but they can be critical when determining the total benefits afforded by a network upgrade. You can start investigating soft
costs by talking to your users and reviewing TCO models from network analysts.
Your users can certainly tell you how much it aggravates them when their e-mail or
order database is “running too slowly,” even if they can’t tell you what “too slowly” means
in terms of actual response time. This can also point out performance bottlenecks that you
may not have known about before. For example, a real estate lending office for a well-known bank shared a T1 line with the bank branch in the lobby of the office building. The
real estate lenders encountered severe network performance degradation every day at
around 4:30 P.M. Further investigation revealed that this time frame coincided with the
bank tellers transmitting their daily totals to the bank’s main headquarters when the branch
closed each day.
Preconfigured TCO models from organizations like the Gartner Group, IDC, or other
independent network analysts can walk you step-by-step through plugging in various
budget figures to arrive at the TCO of a specific technology, hardware, or software package.
However, remember that these models are not set in stone, and they should be modified as
needed to meet the specific needs of your organization. These models will rely more on
actual calculations, such as dividing a help desk analyst’s salary by the number of support
calls he or she is able to process in a day, or determining the “cost per e-mail message” of
an e-mail server upgrade that increases the number of messages it can transmit in a day,
week, or hour. You can then take these numbers and factor in the soft costs already mentioned. Using a combination of calculations and judgment calls will typically lead you to
the most accurate assessment of TCO within your organization.
Planning for Growth
If there is one nearly universal truth to network design, it is that networks and their
resource requirements always eventually grow. Your network design needs to account for
not only what your users require today, but also what they are likely to require in the
future. Even if your users or clients have not thought about future growth, you should provision your network design to accommodate a reasonable increase in user population
and bandwidth usage as time goes on.
One of the best ways to ensure that your design will support the future needs of your
network is to implement well-known, standards-based technologies, rather than those that
are proprietary or experimental. Expanding your network’s router core, for example, will be
much simpler if the new hardware you purchase is compatible with the initial installation.
(Otherwise, you might need to scrap the initial installation entirely and install all new hardware, greatly increasing your costs and overall headaches.) You should also deploy hardware
and software in as consistent and well-documented a manner as possible, so that you can
perform maintenance and upgrades as quickly as possible.
Examine the feasibility of allocating items like high-capacity network cabling and other
infrastructure components at the initial installation of your network. For example, it may
cost an extra 25 cents per foot to run 100MB Ethernet cable instead of 10MB Ethernet
cable when you’re initially wiring your building, but it will cost significantly more if you
find you need to rip out the cabling and redo it later.
In planning for network growth, you should again consult with your users, especially
those in strategic planning and decision-making capacities. Although no one can accurately
predict what will or will not happen to a company over months and years, these decision-makers will be able to give you some idea of the overall vision of the company. Are they
hoping to expand dramatically through mergers and acquisitions? Or are they satisfied with
their specific market niche and anticipate adding personnel and equipment in only smaller
increments as production increases?
Finally, when considering desktop computers, laptops, and servers, keep in mind that
most current hardware will come with a one- to three-year warranty, sometimes with an
option to purchase an extended warranty at the time that you buy the equipment. It’s not
necessarily true that your computer hardware will immediately break down the day after
the warranty expires; however, the length of your warranty and/or service contract should
factor into your projections regarding how often you plan to replace your equipment. For
this reason, many organizations adopt a three- to four-year replacement cycle, budgeting
sufficient funds to replace one-third or one-quarter of the installed computer base every
year, or setting aside money to replace all of the equipment en masse when it reaches the
end of its warranty cycle.
Developing a Test Network Environment
When implementing a new network or computer solution, you should perform a thorough
battery of testing before deploying it into production. You’ll begin the test process in an
isolated lab where new technologies will have no chance of adversely affecting the existing
computing environment. After you are satisfied with the new technology’s performance in
the test lab, you can expand testing into a pilot deployment involving a few actual users,
analyzing their input and reactions to make any necessary adjustments to your design. Only
after you are satisfied with the pilot deployment should you perform a full-scale deployment in your production environment.
TEST DAY TIP
Depending on the total number of users you have, you might want to split your
full-scale deployment schedule into stages. After each stage, you can verify that
your system is accommodating the increased processing load from the additional
users as expected before you begin deploying the next group of users.
The success of any network deployment depends heavily on your ability to develop an
effective test environment. This test lab can consist of a single lab or several labs, each of
which can test various pieces of the overall design without risking the integrity of your
production environment. Working in the test lab will allow you to verify the effectiveness
of your design, discover any potential deployment problems, and increase your staff’s familiarity with the new technology before it “goes live.” In short, a well-developed test environment will reduce the risk of errors during the deployment of a new technology, thus
minimizing any potential downtime for your clients and users.
Planning the Test Network
Before you begin testing your network design, you need to plan the test network itself. The
first step is to determine the hardware resources required to set up the lab. This involves
identifying the standard configurations of your existing or new client computers. (If you
support diverse workstations, do your best to include a representative workstation from each
supported configuration.) Be sure to include all components and peripherals, including the
following:
■ BIOS versions
■ USB adapters
■ CD and DVD drives
■ Sound cards
■ Video cards
■ Network adapters
■ Smart card readers
■ Removable storage devices, such as Zip drives or external hard drives
■ Small Computer System Interface (SCSI) adapters
■ Removable storage devices
■ Mouse or trackball devices
■ Keyboards
Although using separate hardware devices for your test lab is the ideal, many small and
medium-sized businesses simply cannot afford to buy dozens of computers for the test lab.
Using a third-party product such as VMware (www.vmware.com) will allow you to simulate a multiple server/domain environment, as well as multiple desktop operating systems,
without the expense of multiple individual machines. VMware can run multiple operating
systems—such as Microsoft Windows, Linux, and Novell NetWare—simultaneously on a
single PC, including all networking and connectivity that you would need to perform your
testing.
In addition to purchasing hardware or virtual PC environments for the test lab, you
need to secure appropriate licensing for all necessary software, including operating systems,
service packs, management utilities, and business applications. Make sure that you can
obtain or duplicate the following configuration and information when creating a test lab
for Windows Server 2003:
■ Network services Install the same services on a test server that will be used in the actual deployment. This can include Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), Windows Internet Name Service (WINS), or any other Windows service.
■ User accounts Create a domain controller in your test environment to effectively simulate any upgrade procedures.
TEST DAY TIP
You can use the Clone Principal tool (Clonepr.dll) utility, included in the Windows
Server 2003 Resource Kit, to copy production users into a test domain.
■ Domain structure Simulate the domain hierarchy of your proposed environment, including forests, trees, parent and child domains, and all necessary trust relationships. Configure sites as necessary to simulate any WAN testing considerations.
■ Network protocols and topology Re-create the network technologies that will be used in your production environment as completely as possible. For example, if your production environment will be using 100MB cabling, using Gigabit Ethernet when doing performance testing will provide erroneous results. You should also include routers to test for performance latency as well as replication across WAN links.
■ Domain authentication Use the appropriate authentication to mimic the desired production environment, including mixed mode versus native mode, and NTLM versus Kerberos client authentication. Selecting the appropriate authentication model will allow you to compare apples to apples during testing and avoid any unexpected behavior later.
EXAM WARNING
Remember that Windows NT 4.0 workstations or servers cannot use Kerberos
authentication. You will need to rely on either NTLM authentication or its stronger
successor, NTLM version 2.
■ Group Policy Object (GPO) settings Create GPOs with the settings that you wish to deploy in your production environment. You can use the GPMC (discussed earlier) to test the potential behavior of any policy objects on user and group objects.
Head of the Class...
Test Lab Domain Structure
Although you usually want your test lab to mimic your production environment as
closely as possible, there are exceptions to every rule. Some tests that you might
wish to perform will affect an entire domain or forest, rather than a single machine.
If you are testing this type of functionality, you might wish to create a separate
domain within the test lab so that the remainder of the lab environment will not
be adversely affected.
Some of the tests for which you might wish to create a separate, isolated
domain or forest are as follows:
■ Switching from mixed mode to native mode Changing from mixed mode to native mode will allow for much tighter security in a Windows 2000 or Windows Server 2003 environment, but it assumes that you have no Windows NT 4.0 backup domain controllers (BDCs) remaining in your domain. (After the switch to native mode, Windows NT 4.0 BDCs will no longer be able to replicate with Windows 2000 or Windows Server 2003 domain controllers.) This change will affect an entire domain and cannot be reversed.
■ Upgrading the domain or forest functional level This feature was introduced in Windows 2000, where you had the ability to run a domain in mixed mode for backward compatibility or native mode for increased security and functionality. Windows Server 2003 expands on this by creating several levels of both forest and domain functionality that can expose different features of the operating system for your use. For example, raising the functional level of a domain to Windows Server 2003 native will prevent any existing Windows NT 4.0 or Windows 2000 Server domain controllers from participating in domain replication. Like the switch from mixed to native mode, this will affect the entire domain and/or forest in question and cannot be undone.
■ DNS settings Changes to a DNS server will affect all clients who use that server for name resolution. Although this does not involve the kinds of one-way changes described above, you should still proceed with caution before making changes that can affect other tests that might be running simultaneously in the lab environment.
One important (but often overlooked) step in the planning process is that of carefully
selecting a location for your test lab. Too often, the test lab is relegated to a corner of a
server room or whatever room is available in a file or storage area. However, if you will be
performing tests for an extended period of time, you should consider allocating a permanent or semipermanent location for the lab. Be sure to locate the test lab in an area with
enough space for all necessary equipment and personnel. If you will be testing network
equipment that will be deployed to multiple locations, you should consider deploying a test
lab at each site to test WAN links, replication, and site configurations. Also, identify the personnel you’ll need to perform testing, as well as whatever training they will need.
Finally, be sure to provide both physical and technological security measures for the
equipment and resources of the test lab. This includes isolating the test lab topology from
your corporate network using routers, switches, or firewalls, as appropriate. If you need to
provide a connection from the test lab to the corporate network, decide in advance how
you will control and monitor that connection, and be sure to devise a way to quickly terminate the connection if something unexpected or adverse occurs.
Configuring and Implementing…
Building a Test Lab
How you create your test lab depends on your specific requirements. Here, we present the basic steps for building a test lab, which you can alter as necessary to meet
the needs of your organization:
1. Begin by acquiring the necessary hardware and software, including the
following:
■ Routers, switches, cabling, and other network infrastructure devices
■ Computer hardware for servers and workstations
■ Operating system software and any administrative tools
■ Line-of-business software applications
2. Install and configure the necessary routers and switches to provide network connectivity for the test lab. Label all devices and network cables.
3. Install and configure server hardware. Try to use the same random
access memory (RAM) and central processing unit (CPU) configuration
that you plan to deploy in your production environment. Configure the
hard drive arrays, partitions, and drive letters to match the intended
production environment.
4. Defragment all hard drives and install up-to-date antivirus software.
5. Install the appropriate operating system for the test environment.
6. If you will be deploying new Windows Server 2003 servers, perform a
clean installation of Windows Server 2003.
7. If you will be upgrading an existing server, install a copy of your
existing network operating system (NOS) to test the upgrade process.
8. If you will be repeating the test process several times, consider using a
disk-imaging utility to save time when re-creating the test environment.
9. Test the network connectivity in the lab environment. Testing the network connectivity first allows you to isolate any problems more easily.
10. Install all application software that will be present in the production
environment. Include all server-based applications and administrative
tools such as SMS. If you are using Terminal Services in your production
environment, install all applications that will be present in the production environment.
11. Install and configure all client computers.
12. Secure the test lab using physical measures, such as a card-reader on
the entrance door, and technical measures, such as a dual-homed
router to segregate network traffic originating in the test lab from
traffic passing on the production network.
Implementing the Test Network
After you’ve finished designing your test lab, you can finally get down to the actual business
of testing. The steps needed to create test procedures can be broken down into two conceptual halves: What do we want to test and how should the tests be performed? You’ll often
hear the former referred to as a feature test description, which lists all features or aspects of a
technology that need to be tested. For example, the feature test description when assessing
how trust relationships behave during an operating system upgrade might read something
like this:
“All trust relationships between the Windows NT 4.0 domain PRODUCTION and
the Windows NT 4.0 domain SALES should continue to function normally when the
SALES domain is upgraded to Windows Server 2003.”
You should design tests that will measure the functionality of each feature included in
your design plan. Additionally, you need to test how your new network will function in
conjunction with any existing systems in the production environment. For Windows systems, you need to test hardware, driver, and application compatibility on every hardware
configuration that will be running a Windows operating system.
TEST DAY TIP
Be sure to test functionality with existing technologies even if they are going to be
upgraded or replaced as part of the new installation. Although the new technology
may need to coexist with the old technology for only a short period of time, you
need to know in advance how the interoperability will behave.
Another key factor in using a test lab is creating a schedule of when testing should be
performed. Especially if you have many different individuals or teams performing various
tests, this scheduling should be formalized, rather than handled on an ad hoc basis. Ideally,
you should designate someone to act as a lab manager to maintain and upgrade the lab
schedule, as well as review testing plans to ensure that all necessary equipment and software
can be made available at the requested time. Even if the lab manager is not dedicated solely
to this function, he or she should be responsible for the following:
■ Establish and enforce test lab policies, procedures, budget, and inventory control.
■ Oversee scheduling of required configuration changes and communicate these changes to other test lab users.
■ Develop and manage an incident reporting and tracking system.
■ Monitor the change-control process.
■ Maintain test lab documentation (we’ll discuss documentation in the next section).
■ Manage hardware and software configurations, updates, and preventative maintenance.
■ Establish and maintain physical security.
New & Noteworthy…
Exploring the Group Policy Management Console (GPMC)
A prominent new feature of Windows Server 2003 is the GPMC, which allows
administrators to monitor, troubleshoot, and plan Group Policy settings across an
entire enterprise from a single management console. Along with a console window
that provides a graphical representation of GPO settings, the GPMC also includes a
collection of scripts that you can run from the command line to streamline administration and planning tasks. You can download and install the GPMC from
Microsoft’s Web site. Once it’s installed, you’ll have a shortcut to it in the
Administrative Tools folder, and it will be available as an MMC snap-in.
The scripts that are included with GPMC can greatly simplify your life when
you attempt to take stock of an existing network environment (for example, when
you begin to plan for an upgrade). Using GPMC, you can quickly perform the following tasks using its automated scripting function:
■ List all GPOs that are present in a given domain
■ List any disabled GPOs
■ List GPOs at a backup location
■ List GPOs by policy extension or security group
■ List any orphaned GPOs (GPOs that are no longer linked to any AD object) that are still present in the SYSVOL directory
■ List unlinked GPOs in a domain
■ List GPOs with duplicate names
■ List GPOs without security filtering
GPMC’s reporting functions will also generate HTML-formatted reports in an
easy-to-read format, which is always a hit when you’re presenting the upgrade proposal to management or a budget committee. Additionally, the GPMC includes the
Resultant Set of Policy Planning function to allow you to simulate changes to GPO
settings for a user, computer, or container object. Both of these functions will
greatly assist you with the administrative and technical aspects of a network design
project.
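The listing tasks described in this sidebar are exactly the kind of inventory you want on hand before planning an upgrade, and the same questions can be answered with the GroupPolicy PowerShell module that later versions of GPMC and RSAT ship with. The script below is an added example, not one of the GPMC scripts and not from the book; it assumes the GroupPolicy module is installed, that the account running it can read every GPO and the domain’s SYSVOL share, and that $env:USERDNSDOMAIN names the domain to inspect (both the default and the element names read from the XML report are assumptions about the environment).

```powershell
# Added example, not the GPMC scripts themselves. Assumes the GroupPolicy module
# (shipped with GPMC on Windows Server 2008 R2 / RSAT and later) and read access
# to every GPO and to the SYSVOL share of the domain being inventoried.
Import-Module GroupPolicy

function Get-GpoInventory {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: run as a domain user

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # The XML report lists every site/domain/OU (SOM) the GPO is linked to.
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain
        $links = @($report.GPO.LinksTo | Where-Object { $_ })

        # "Security filtering" means some trustee holds Apply Group Policy (GpoApply).
        # A GPO that nobody can apply is either dead weight or a misconfiguration.
        $applyTo = @(Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                     Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied })

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            Status    = $gpo.GpoStatus        # AllSettingsDisabled marks a disabled GPO
            LinkCount = $links.Count
            LinkedTo  = ($links | ForEach-Object { $_.SOMPath }) -join '; '
            AppliesTo = ($applyTo | ForEach-Object { $_.Trustee.Name }) -join '; '
            Modified  = $gpo.ModificationTime
        }
    }
}

function Get-OrphanedSysvolPolicy {
    # Policy folders present in SYSVOL with no matching GPO object in AD.
    param([string]$Domain = $env:USERDNSDOMAIN)
    $known = Get-GPO -All -Domain $Domain |
        ForEach-Object { '{' + $_.Id.ToString().ToUpper() + '}' }
    Get-ChildItem -Path "\\$Domain\SYSVOL\$Domain\Policies" -Directory |
        Where-Object { $_.Name -match '^\{[0-9A-F-]{36}\}$' -and
                       $known -notcontains $_.Name.ToUpper() }
}

$inventory = Get-GpoInventory

# The same questions the GPMC listing scripts answer:
$inventory | Where-Object { $_.LinkCount -eq 0 }                    # unlinked GPOs
$inventory | Where-Object { $_.Status -eq 'AllSettingsDisabled' }   # disabled GPOs
$inventory | Where-Object { -not $_.AppliesTo }                     # no security filtering
$inventory | Group-Object Name | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { $_.Group }                                      # duplicate names
Get-OrphanedSysvolPolicy                                             # orphaned SYSVOL folders

# Keep the inventory alongside the design documentation.
$inventory | Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation
```

Run it from a workstation or server that is joined to the domain being inventoried. Duplicate display names are worth chasing down before any migration, because tools that address a GPO by name will silently pick one of the two; GPOs with no Apply permission and unlinked GPOs are the usual leftovers of earlier testing and should be documented and then removed or re-linked deliberately rather than carried into the new design.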
Documenting the Planning and
Network Design Process
After you’ve determined what needs to be tested to ensure that your network design is
working correctly, you need to create detailed descriptions of how each test should be performed. This is crucial in order to ensure that all necessary functions have been properly
tested. Documenting the test process becomes even more vital when multiple individuals or
teams are using the test lab resources, because you need to keep track of how one test may
have affected others being run concurrently or later. For each test that you wish to perform
in the lab, be sure to identify the following:
■ The prerequisites for the test to function: how to prepare the lab for the specific test
■ The specific action or change that you will be testing
■ The individual steps required to implement the installation, change, or troubleshooting step
■ The expected result of the test
■ What rollback actions to take (if any) if the test fails
■ What subsequent actions to take if the test succeeds
You should document the layout and initial configuration of the test lab itself, using
both text documents and diagrams where applicable. Both of these, but especially the diagrams, should be posted in a prominent location so that users of the lab will be aware of
any design changes that you have implemented. This information will also improve the efficiency of the test process itself, since the testers will know where to locate each component
or server to which they require access.
Finally, remember to periodically test your lab equipment to determine what effects
testing has had on it. A computer that has undergone many changes and upgrades
throughout the course of the testing process will certainly behave differently than a computer that has been newly installed, even with an identical configuration. You should refresh
the disk images on your lab machines periodically using disk-imaging software such as
Symantec Ghost or Microsoft’s Remote Installation Services (RIS) to be certain that your
test machines are offering a fair representation of the systems that you are attempting to
analyze.
Importance of Documentation
The importance of documenting your computing environment after you have deployed a
new network design such as Windows Server 2003 cannot be overemphasized. As you move
through the network design and testing processes, you should also keep detailed documentation of each design, product, or vendor decision that you make, including your reasons for
choosing one alternative over another. Personnel changes can occur without warning, and a
well-maintained design document will quickly answer the question of “Why did we choose
Vendor X over Vendor Y?” when it is posed by the new Vice President of IT who just
started last week. Knowing that Vendor Y’s product proved incompatible after several hours
of troubleshooting will save you from needing to waste time by repeating portions of the
design process.
Because of the effects that ongoing changes can have in a production environment,
many organizations use test equipment to test every patch and service pack that is released
by their product vendors, so that any potential problems or bugs can be intercepted before
the patch is applied globally. Whatever method you use to roll out ongoing updates and
changes, you should include detailed documentation, not only of what update was rolled
out on a given date, but also of how the change was applied to client machines or other
devices on your network.
Creating the Planning and Design Document
When documenting both your test lab and your overall network design, there are a number
of items that need to be discussed. Although maintaining network documentation is often
relegated to a backseat behind the numerous fires that we must put out on a daily basis as
network administrators, comprehensive records in this area will actually help you in whatever troubleshooting issues come up after the new network is placed into production.
Include configuration information about the following components of your final network
design (although a complete list is limited only by the amount of time you have in the
day!):
■ Windows Server 2003 domain structure information, including DNS hierarchy and replication information, AD hierarchy information (site configuration, forest, domains, and OUs), and GPO settings and where they are applied within the AD hierarchy
EXAM WARNING
Be sure to include information about Enforce and Block Inheritance flags in
Group Policy implementation. These affect how GPOs are inherited throughout the
AD infrastructure.
■ Trust relationships, both transitive and explicitly defined
■ Network connectivity hardware (switches, routers, firewalls, and other LAN and WAN connectivity devices)
■ Client computer configuration, both hardware and software
■ Line-of-business application inventory and configuration
■ Backup, restore, and disaster recovery procedures
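Two items in this list, the GPO links with their Enforce and Block Inheritance flags and the trust relationships, can be pulled straight out of Active Directory instead of being transcribed by hand, which keeps the design document honest when someone changes a flag after the fact. The script below is an added example and not from the book; it assumes the GroupPolicy and ActiveDirectory modules (RSAT) are installed, that the account has read access to the domain named by $Domain (defaulting to $env:USERDNSDOMAIN, an assumption), and it records only domain and OU links, not site links.

```powershell
# Added example, not from the book. Assumes the GroupPolicy and ActiveDirectory
# modules (RSAT) and read access to the domain named by $Domain.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkDocumentation {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: run as a domain user

    $root = Get-ADDomain -Identity $Domain
    # Domain root plus every OU. Site links are not covered here.
    $containers = @($root.DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
          Select-Object -ExpandProperty DistinguishedName)

    foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain

        # Record containers with no links as well: an OU that blocks inheritance
        # and links nothing is exactly the kind of thing that surprises you later.
        if ($inh.GpoLinks.Count -eq 0) {
            [pscustomobject]@{
                Container = $dn; BlocksInheritance = $inh.GpoInheritanceBlocked
                GPO = $null; LinkOrder = $null; LinkEnabled = $null; Enforced = $null
            }
            continue
        }
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Container         = $dn
                BlocksInheritance = $inh.GpoInheritanceBlocked   # Block Inheritance flag on the container
                GPO               = $link.DisplayName
                LinkOrder         = $link.Order
                LinkEnabled       = $link.Enabled
                Enforced          = $link.Enforced               # Enforce (No Override) flag on the link
            }
        }
    }
}

function Get-TrustDocumentation {
    param([string]$Domain = $env:USERDNSDOMAIN)
    # Direction, type and transitivity are what the design document needs per trust.
    Get-ADTrust -Filter * -Server $Domain |
        Select-Object Name, Direction, TrustType, ForestTransitive, IntraForest,
                      SelectiveAuthentication, SIDFilteringQuarantined
}

$links  = Get-GpoLinkDocumentation
$trusts = Get-TrustDocumentation

# Show the links that alter normal inheritance, since those are the ones a
# reviewer most needs to see explained in the design document.
$links | Where-Object { $_.Enforced -or $_.BlocksInheritance } | Format-Table -AutoSize

$links  | Export-Csv -Path .\gpo-links.csv -NoTypeInformation
$trusts | Export-Csv -Path .\trusts.csv   -NoTypeInformation
```

Re-running the script after each change window and diffing the CSV files against the previous copies gives you the “what changed, and when” record the section on ongoing updates calls for, without relying on anyone remembering to update a Word document.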
Summary of Exam Objectives
The 70-293 MCSE exam measures skills related to the planning and maintenance of a
Windows Server 2003 infrastructure. This exam covers tasks relating to all aspects of network design and planning, including making provisions for network security, performance,
and availability. This chapter has introduced you to these topics; subsequent chapters will
examine the tasks introduced here in far greater detail. The upcoming chapters in this guide
will take you through all the necessary steps to prepare for the 70-293 exam.
The first skill set measured by this exam involves the ability to plan roles for installed
servers in your network. We’ll discuss how to evaluate existing technologies and hardware
to select the appropriate function for each machine in your network, including Web servers,
database servers, and domain controllers. You’ll also learn how to plan and configure your
physical network infrastructure, including TCP/IP addressing schemes, traffic monitoring,
and planning for Internet connectivity.
Windows Server 2003 includes features to provide fault tolerance and increased availability for your network environment. Network Load Balancing and server clustering will
enable you to configure logical groups of servers that will function as a single entity,
allowing you to continue providing network services to your users and clients in the event
of a hardware or another type of system failure. We’ll also examine the steps needed to set
up an effective security infrastructure, including the use of Internet Protocol Security
(IPSec) and PKI.
To begin our look at the exam objectives here, we started with an overview of the network design process. As you can tell, this process is as much interpersonal as it is technical;
in order to develop a useful network, you need to understand what your users, clients, and
their managers are expecting the network to do in the first place. Before you can get down
to the specifics of choosing server operating systems, software, and hardware, it’s critical to
develop a high-level perspective on your organization’s overall makeup, managerial structure, and business requirements. This can include specific functions like e-mail, Internet
availability, and printer sharing, along with overall organizational requirements like fault tolerance, growth capacity, and information security. You’ll use this information to design a
network that will meet the needs of all members of the organization and make their work
as smooth and efficient as possible.
Once you’ve developed a design that you’re satisfied with, you should test the design
plan rather than immediately implementing it in a production environment. This will allow
you to work out any quirks in the design or to spot something that doesn’t work in reality
quite as well as it seemed to on paper. We covered the various options available in creating a
test lab, including using temporary equipment, creating a permanent site for testing, and
using third-party tools to simulate multiple operating systems when time, space, or money
are too tight for a full-blown test lab. We also talked about design considerations for the test
lab itself and how best to secure the test lab so that any changes you make there won’t
affect your production equipment and environment. Finally, we looked at the importance of
network documentation, during the planning stages as well as throughout the life of your
network.
www.syngress.com
39
255_70_293_ch01.qxd
40
9/10/03
1:42 PM
Page 40
Chapter 1 • Using Windows Server 2003 Planning Tools and Documentation
Exam Objectives Fast Track
Overview of Network Infrastructure Planning
Proper planning of a new or upgraded network infrastructure must provide high
performance, availability, and fault tolerance, as well as security and user
satisfaction in as economically efficient a manner as possible.
Creating a workable network design requires an understanding of both the
business requirements of your organization and the new and existing technologies
that can help to fulfill those goals.
An effective network plan balances overall network concerns such as security and
fault tolerance with the ability to provide specific applications and services that
will improve the efficiency of your users’ daily lives.
Analyzing Organizational Needs
Identifying management priorities such as security, fault tolerance, and capacity for
growth will help you in addressing high-level network considerations to adhere to
management priorities that apply to an entire enterprise.
Information flow involves an understanding of where your users are located in
relation to the data that they need in order to perform their job functions and
designing your network to ease their access to that information.
Total cost of ownership (TCO) is a useful but elusive figure that includes the
actual cost of purchasing new equipment, combined with less tangible items such
as money saved by increasing user efficiency, improving customer accessibility, and
reducing downtime.
Developing a Test Network Environment
Your test network should mimic as closely as possible your existing or proposed production environment. This includes client and server hardware configurations, network services, and network connectivity hardware such as routers, hubs, and cabling.
When performing testing, you should try to isolate the test environment from
your production equipment so that nothing that occurs during the testing process
will create downtime or unexpected results for the users and computers on your
working network.
Create well-defined procedures for each test you wish to perform, including
detailed instructions for how to perform each test, the expected results of each
test, and what steps you should take to recover the test network if the testing fails.
Documenting the Planning and Network Design Process
Comprehensive documentation of the network design and testing process, while it
involves an upfront time commitment, can save an administrator or help desk
countless hours of frustration during later upgrades or troubleshooting.
Document the initial configuration of all hardware and software that is
implemented in a new network, and keep detailed records of all configuration
changes, patches, and updates that are performed throughout the lifetime of the
equipment.
Network documentation should include a diagram and inventory of all network
equipment, along with procedural instructions for backup and recovery
procedures, security policies, any internal or external Service Level Agreements
(SLAs), and any other legal or regulatory documentation.
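One way to keep the configuration record these points call for, as an added example that is not from the book: a PowerShell script that snapshots a server’s patch level, services, shares, and local administrators to a JSON file and reports what changed since the previous snapshot, so each patch or settings change leaves a trail. The snapshot directory is hypothetical, and the cmdlets Get-SmbShare and Get-LocalGroupMember (Windows Server 2012 or later with PowerShell 5.1; Windows Server 2003 itself shipped without PowerShell) are assumptions not present in the original text.

```powershell
# Added example, not from the book: snapshot a server's configuration to JSON
# and diff it against the previous snapshot, so every patch or settings change
# shows up in the documentation trail.
# Assumptions (not in the original text): PowerShell 5.1 or later, run as an
# administrator on Windows Server 2012 or later; snapshots live in $SnapshotDir.
param(
    [string]$SnapshotDir = "C:\Documentation\Baselines"   # hypothetical path
)

function Get-ServerSnapshot {
    # Everything is stored as sorted string arrays so two snapshots diff cleanly.
    [ordered]@{
        Host        = $env:COMPUTERNAME
        Taken       = (Get-Date).ToString("o")
        OSVersion   = [Environment]::OSVersion.VersionString
        Hotfixes    = @(Get-HotFix | Sort-Object HotFixID | Select-Object -ExpandProperty HotFixID)
        Services    = @(Get-Service | Sort-Object Name | ForEach-Object {
                          "{0}={1}/{2}" -f $_.Name, $_.Status, $_.StartType })
        Shares      = @(Get-SmbShare | Sort-Object Name | ForEach-Object {
                          "{0}={1}" -f $_.Name, $_.Path })
        LocalAdmins = @(Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue |
                          Select-Object -ExpandProperty Name | Sort-Object)
    }
}

function Compare-Snapshot($Old, $New, $Key) {
    # "=>" means present only in the new snapshot (added), "<=" only in the old (removed).
    $diff = Compare-Object -ReferenceObject @($Old.$Key) -DifferenceObject @($New.$Key)
    foreach ($d in $diff) {
        $tag = if ($d.SideIndicator -eq "=>") { "ADDED  " } else { "REMOVED" }
        "{0} {1}: {2}" -f $tag, $Key, $d.InputObject
    }
}

New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
$current  = Get-ServerSnapshot
$previous = Get-ChildItem -Path $SnapshotDir -Filter "*.json" |
            Sort-Object LastWriteTime | Select-Object -Last 1

if ($previous) {
    $old = Get-Content -Path $previous.FullName -Raw | ConvertFrom-Json
    "Changes since $($previous.Name):"
    foreach ($k in "Hotfixes", "Services", "Shares", "LocalAdmins") {
        Compare-Snapshot $old $current $k
    }
}

# Write the new snapshot; the file name carries host and timestamp, so the
# directory itself becomes the change log the chapter asks you to keep.
$file = Join-Path $SnapshotDir ("{0}-{1:yyyyMMdd-HHmmss}.json" -f $env:COMPUTERNAME, (Get-Date))
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $file
"Snapshot written to $file"
```

Run it once right after a server is built to capture the initial configuration, then again after every patch cycle or change window; a new local administrator or a share that appeared between two runs is exactly the kind of undocumented change that later turns into a troubleshooting or incident-response problem.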
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I support a very small network with only a handful of PCs and a single server. Do I still
need to set up a test lab to upgrade from Windows NT to Windows Server 2003?
A: Yes, even small environments will benefit greatly from testing any new technologies
before they are implemented into the production environment. In some respects, thorough testing is even more critical for a small network. Consider that if one node in your
four-way SQL Server cluster fails during the upgrade process, you have three more
servers in the cluster to handle user requests until you correct the failed upgrade. If you
have only one server to provide file and print shares, applications, database, and e-mail,
and that server fails, you can imagine the kind of chaos that would commence.
Q: What are the advantages of deploying an AD structure consisting of multiple domains,
rather than a single domain with a separate OU for each department?
A: The chief difference between the two designs is the scope of security settings. Account policies, meaning password complexity and history requirements, account lockout thresholds, and Kerberos ticket settings, take effect for domain accounts only when they are set in a GPO linked at the domain level; the same settings linked to an OU affect only the local accounts on the computers in that OU. If a group of users requires a substantially different set of account policies than the rest of your network, you need a separate domain for that group, typically a child domain. The two-way transitive trusts between the domains in a forest still let you manage multiple domains centrally. Settings such as audit policy, desktop restrictions, and software installation, by contrast, can be applied at the OU level, so on their own they are not a reason to create an additional domain.
Q: I have recently begun a new position as a network administrator for a Windows Server 2003 forest containing many domains and child domains. The previous administrator created a number of GPOs, and it seems as if each network user has different policy settings applied to their accounts. I would like to simplify the GPO implementation on the network and wish to begin by creating a “baseline” report of exactly which GPOs are in effect for the various users on the network. What is the most efficient means of accomplishing this?
A: You can use the gpresult.exe command-line utility, which is included with Windows Server 2003 and Windows XP (in Windows 2000 it was a Resource Kit tool). GPResult provides the same information as the Resultant Set of Policy (RSoP) logging mode, listing the GPOs applied to the user and computer and the settings they contain, but because it runs from the command line you can call it from each user’s logon script and redirect its output to a central share.
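An added example, not from the book, of how that baseline can be collected: part 1 runs from each user’s logon script and records that user’s resultant set of policy with gpresult.exe, which exists on Windows Server 2003 and later; part 2 runs once on an administrator’s workstation and inventories every GPO in every domain, producing the kind of CSV and HTML reports a management audience can read. The share, the domain names, and the GroupPolicy module used in part 2 (the Group Policy Management Console cmdlets from Windows Server 2008 R2 or RSAT, which did not exist for Windows Server 2003) are assumptions not present in the original text.

```powershell
# Added example, not from the book: build a "baseline" of Group Policy for a
# forest with many domains.
# Part 1 runs from each user's logon script and records the resultant set of
# policy for that user. Part 2 runs once on an admin workstation and
# inventories every GPO in every domain.
# Assumptions (not in the original text): $ReportRoot is a share the users can
# write to; part 2 needs the GroupPolicy module (Windows Server 2008 R2 or
# later / RSAT), which did not exist for Windows Server 2003.
param(
    [string]$ReportRoot = "\\fileserver\gpo-baseline",                       # hypothetical share
    [string[]]$Domains  = @("corp.example.com", "sales.corp.example.com"),  # hypothetical domains
    [switch]$InventoryOnly
)

# Part 1: per-user RSoP in logging mode. /scope user limits the output to the
# user half of policy; /v lists the GPOs that were applied and the settings
# each one delivered. The file name records domain, user and machine.
if (-not $InventoryOnly) {
    $userFile = Join-Path $ReportRoot ("{0}_{1}_{2}.txt" -f $env:USERDOMAIN, $env:USERNAME, $env:COMPUTERNAME)
    gpresult /scope user /v | Out-File -FilePath $userFile -Encoding ASCII
    return
}

# Part 2: domain-wide inventory for the administrator.
Import-Module GroupPolicy
foreach ($domain in $Domains) {
    $gpos = Get-GPO -All -Domain $domain

    # CSV of every GPO: name, GUID, whether its user/computer halves are
    # enabled, and when it last changed, so disabled or stale GPOs stand out.
    $gpos |
        Select-Object DisplayName, Id, GpoStatus, CreationTime, ModificationTime |
        Sort-Object DisplayName |
        Export-Csv -Path (Join-Path $ReportRoot "$domain-gpo-inventory.csv") -NoTypeInformation

    # HTML report of the settings in every GPO, readable without the console.
    Get-GPOReport -All -Domain $domain -ReportType Html -Path (Join-Path $ReportRoot "$domain-gpo-settings.html")

    "{0}: {1} GPOs inventoried" -f $domain, @($gpos).Count
}
```

Part 1 answers the question as asked (which GPOs are actually in effect for each user); part 2 tells you which GPOs exist and what they set, which is what you need before deleting or consolidating any of them. Restrict the share so users can write their own file but not read each other’s, since an RSoP dump reveals security settings an attacker would find useful.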
Q: What happens to Windows NT trust relationships when you upgrade to Windows
Server 2003?
A: When you upgrade a Windows NT domain to a Windows Server 2003 domain, all of
your existing Windows NT trusts will be preserved as-is. Remember that trust relationships between Windows Server 2003 domains and Windows NT domains are nontransitive.
Q: My company is working on a limited budget for its Windows Server 2003 upgrade. Do
I need to provide separate licenses for the equipment in my training lab?
A: If the training lab machines will be either decommissioned or transferred from the test
environment into production, you should not need a separate license than what you’ve
budgeted for the machine upgrades. If, however, the test lab will be a permanent or
semipermanent installed base of equipment, you do need to provide separate licensing
for the software in the test lab.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Overview of Network Infrastructure Planning
1. You are proposing the purchase of a new e-mail server for your corporate network. You have specified a new server from a major OEM manufacturer that is configured with a powerful quad-processor configuration, hot-swappable hard drives, and redundant power supplies and network adapters, with a three-year onsite warranty. Due to a budget crunch, the chairperson of the budget committee has suggested that the company can make do with a less powerful workgroup server from a local computer store. This server has only a single processor and no redundancy features, and a one-year onsite warranty. What reasons can you provide the budget committee members that might convince them to authorize the purchase of the server that you specified, even though it has a higher price tag?
A. A more powerful server will provide better performance and scalability as the
company’s needs grow over time.
B. Redundant hardware components will increase the server’s availability to service
the needs of the company’s users and customers.
C. The extended warranty on the more powerful server will increase support costs
over time, since you’re paying to cover the machine under warranty for three
times as long.
D. Windows Server 2003 requires at least a dual-processor configuration.
2. You are the network administrator of a Windows NT 4 domain for a shipping warehouse that operates 24 hours a day, 6 days a week. You perform a full nightly backup of all user files at 3:00 A.M. Users on the overnight shift are complaining that they are often locked out of files that they need access to while the backup process is running. You are proposing a network upgrade to Windows Server 2003 in the near future. What Windows Server 2003 feature will assist you in addressing this problem?
A. Disk quotas
B. NTFS file security
C. Volume Shadow Copy
D. Network Load Balancing
3. A portion of your company’s organizational structure is shown in Figure 1.14. Third-level department managers report to the second-level department managers directly above them in the organizational chart. Second-level managers report to their corresponding vice presidents, who then report to the company CEO. Your company CEO would like a consistent security policy to be implemented across the entire network, but each subdepartment has specific desktop and application installation settings that you would like to be able to control and deploy centrally. What is the most efficient AD structure to design for this company?
Figure 1.14 Organizational Structure (chart reconstructed as text): Jon Smith, CEO > Accounting: Jane Doe, Mgr. > Payroll: Mary Noxon, Mgr.; Collections: Peter White, Mgr.; Accounts Payable: A.J. Tierney, Mgr.
A. Configure a single domain for the organization, and configure a series of nested
OUs for each second-level and third-level department. Configure the domain
with a single security policy, and link a GPO to each OU to enable each specific
department’s desired settings.
B. Configure a parent domain for each second-level department, and configure a
child domain for each third-level department. Create and link a separate GPO to
each domain to control security and application settings.
C. Configure a single domain for the organization, and configure a global security
group for each department. Configure the domain with a single security policy,
and link a GPO to each global group to enable each specific department’s desired
settings.
D. Create a separate forest for each second-level department, and create a child
domain for each third-level department. Configure a security policy for each
forest, and configure a domain GPO for each third-level department.
4. You are the administrator for a network that supports a mixture of Windows NT 4 Workstation, Windows 2000, and Windows XP Professional. You are preparing to upgrade your network servers from Windows NT Server to Windows Server 2003. What is the strongest level of network authentication that you can configure your Windows domain to use in its current configuration (without installing third-party software)?
A. Kerberos
B. LM
C. NTLM
D. NTLM version 2
Analyzing Organizational Needs
5. You are the administrator of a Windows 2000 network and are planning an upgrade to Windows Server 2003. As part of the upgrade process, you are attempting to determine whether you need to upgrade your network cabling from Token Ring cabling to 100MB Ethernet. What is the best way to go about making this determination?
A. Use Performance Monitor to capture a baseline of network utilization at several
points during the day over the course of several weeks.
B. Use Network Monitor to capture network frames being sent to and from your
domain controller’s network adapter.
C. Use the IPSec Monitoring utility to view network traffic being sent between
your domain controllers and your Windows 2000 Professional clients.
D. Use Performance Monitor to capture a single snapshot of network utilization
when most users are in the office, such as mid-morning.
6. After returning from a two-day technology management seminar, your CEO tells you that he would like to create a fault-tolerant configuration for the company’s heavily trafficked Web and database servers. Your network is currently running the Standard Edition of Windows NT 4.0. You have recently proposed an upgrade to Windows Server 2003. What features offered by this proposed upgrade would provide an attractive option to meet your CEO’s request?
A. SMP processing
B. Volume Shadow Copy
C. Network Load Balancing
D. Server clustering
7. You are the network administrator for a medium-sized company that consists of Sales, Customer Service, Accounting, Human Resources, and Data Entry departments. You have been receiving complaints that your company’s e-mail server has been performing more slowly than usual over the past several weeks. Several users have mentioned that their e-mail clients have “frozen” in the middle of sending an e-mail message, forcing them to reboot their machines. Upon investigating, you find that one user’s mailbox is roughly ten times the size of the second largest mailbox on the server, and this user is receiving approximately 1,000 messages per day, compared to a company average of 46. The user in question is a data-entry clerk who does not use e-mail for sales inquiries or other business-related contacts. When you ask the user about her e-mail usage, she reports that she has been surfing the Web signing up for Internet coupons and contests, and she has been deluged with spam as a result. Since the user does not require e-mail access to perform her job function, you disable her e-mail account, and server performance slowly returns to normal. What measures can you implement to prevent this sort of incident from recurring? (Select all that apply.)
A. Implement disk quotas on the e-mail server so that users’ inboxes cannot exceed a
certain size.
B. Increase the level of authentication security so that only Kerberos-authenticated
users can access the e-mail server.
C. Distribute an Acceptable Use Policy to your user base so that they understand
what they can and cannot do while using their office PCs.
D. Use NTFS file permissions to restrict network access to personnel in your Sales
and Customer Service department only.
Developing a Test Network Environment
8. You are the network administrator for a law firm that has multiple locations throughout the United States. Your firm has purchased a customer relationship management (CRM) application that will be hosted in the firm’s main office in Key Biscayne, Florida, and accessed by other offices using dedicated WAN links. You would like to test the performance of this software over a WAN link before deploying it to the other offices in the firm. Unfortunately, you only have access to test equipment in the Key Biscayne office location. What is the best way to test the performance of this application?
A. Use the average network bandwidth utilization in each office to estimate the performance of the application over the WAN.
B. Install routers within the test lab to simulate the latency of the dedicated WAN
links between offices.
C. Access the CRM application from your home computer using your high-speed
Internet connection.
D. Test the application using production systems in each of the remote offices.
9. You are in the process of building a lab environment to test a new network application. You would like to isolate the test environment from your production equipment as much as possible to prevent any test changes from affecting your users’ daily tasks. What can you do to protect your production environment from changes performed in your test lab? (Select all that apply.)
A. Place a router or firewall between the network infrastructures connecting the test
lab to your production machines.
B. Keep the network cabling for the test lab physically separated from the network
hardware that provides connectivity to your production environment.
C. Contain the test lab in a separate OU.
D. Use 100MB Ethernet for your production machines, but only 10MB Ethernet for
the test lab.
10. You are designing a lab environment to test a proposed upgrade to Windows Server 2003. You are in the process of creating a domain structure in the test lab to assess various features and functions of the upgrade process, including switching the domain from mixed mode to native mode and moving from a standard DNS zone to AD-integrated DNS. At the same time that the Windows Server 2003 testing is taking place, you would also like to use the test lab to evaluate a new accounting package that will be implemented on the production network before the Windows Server 2003 upgrade takes place. You do not want the two batteries of tests to interfere with each other. Which of the following would be good design choices for the domain structure of the test lab? (Select all that apply.)
A. Create two separate domains: one to test the accounting software and one to test
the domain mode and DNS functionality of Windows Server 2003.
B. Create a single domain in the test lab to encompass the entire test environment.
C. Create a separate OU to test the accounting software so that it will not be
affected by the switch in domain mode.
D. Create two separate forests: one to test the DNS configuration and the switch
from mixed mode to native mode and one to perform the tests on the accounting
software package.
11. You have received a critical software update from the vendor of your accounting software suite. The software vendor has indicated that you should apply this patch as quickly as possible to correct a potential security breach. As the administrator for your network, what should you do when you receive this notice?
A. Install the patch on all production systems as quickly as possible.
B. Install the patch in your network’s test lab to ensure that it functions properly and
without any adverse side effects, and then apply it to all of your production systems as soon as possible.
C. Install the patch on a single workstation on your production environment to see if
there are any bugs or malfunctions.When you are satisfied, apply the patch to the
remainder of your workstations.
D. Send the software patch to Microsoft Product Support Services for testing before
applying it to your network computers.
12. You are the network administrator for a small company that is considering purchasing a Windows Server 2003 machine to replace an aging Windows NT 4 Server machine. The client workstations run a mix of Windows 98, Windows NT Workstation, and Windows XP Professional. Each network client needs to be able to access the network server after it is upgraded, since the client workstations will be upgraded on a one-by-one basis over the course of several months. You have been informed that you will need to use the production server itself for testing, and that there is only sufficient budget to allot one representative workstation PC for test purposes. What is the best way for you to test client connectivity to Windows Server 2003?
A. Configure the test workstation with Windows Server 2003. Connect a production Windows 98, Windows NT 4, and Windows XP Professional workstation to the test server.
B. Use a utility like VMware to simulate how each operating system on your network will function with the new Windows Server 2003 server.
C. Check each client operating system one at a time, reformatting the test PC after
you’ve finished testing each operating system.
D. Connect a production Windows 98 and Windows NT 4 Workstation to the Windows Server 2003 machine. Configure the test workstation to use Windows XP Professional.
Documenting the Planning and Network Design Process
13. You have recently started working as a network administrator for a company whose network consists of multiple Windows Server 2003 domains. The previous network administrator left you with little documentation detailing how the network is configured, and you’ve discovered that many client workstations are behaving inconsistently: sometimes the Run line is unavailable, sometimes a user cannot access the Control Panel, and so on. You suspect that this is the result of Group Policy settings, and want to put together a list of all GPOs that are present within each domain on your network. What is the most efficient way of accomplishing this task?
A. View each domain’s settings within the Group Policy Management Console
(GPMC) and take note of the values listed under the Group Policy node in each
domain.
B. Use a GPMC script to list all GPO objects within each domain.
C. Load the Resultant Set of Policies (RSoP) snap-in to view the various GPOs that
are causing client settings to be applied.
D. Examine the Group Policy tab of each domain’s Properties sheet in Active
Directory Users & Computers.
14. A portion of your network is shown in Figure 1.15. You are using Network Monitor from WorkstationB to capture network traffic for analysis. You suspect that there is an Internet Relay Chat (IRC) connection between WorkstationA and WorkstationC, but the Network Monitor trace does not show any sign of that connection. What is the most likely reason for this?
Figure 1.15 Network Portion (diagram reconstructed as text): Workstation A, Workstation B, and Workstation C attached to the same Ethernet segment.
A. Network Monitor captures broadcast traffic only on a Windows network.
B. Windows workstations do not support IRC connections.
C. The version of Network Monitor that ships with Windows Server 2003 products
does not operate in promiscuous mode.
D. You need to use Performance Monitor to capture and analyze network traffic
between machines on a Windows network.
15. Your company, airplanes.com, has recently undergone a merger with southern-airplanes.com, and you have taken over the network management of both halves of the newly formed company. Airplanes.com has a strict policy of desktop and software installation restrictions, while southern-airplanes.com has historically been more lenient with allowing users to customize their computers and install personal software. Several of the users from southern-airplanes.com have complained about the policy restrictions that have been placed on their desktops. You have been asked to present a report to the management group detailing which restrictions are in place on various OUs. What is the most efficient way to present this information to the management group in an easily readable format?
A. Capture a screen shot of the Properties sheet of the various OUs’ Group Policy
settings and save the screen shot using a desktop publishing software package.
B. Export the GPO settings to a text file, then import the text file into an Excel
spreadsheet.
C. Demonstrate the use of the Group Policy Editor to apply GPO settings during
the meeting with the management group.
D. Use the Group Policy Management Console (GPMC) to present the various
GPO settings in an organized HTML-formatted report.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. A, B
2. C
3. A
4. D
5. A
6. C, D
7. A, C
8. B
9. A, B
10. A, D
11. B
12. B
13. B
14. C
15. D
Chapter 2
MCSE 70-293
Planning Server Roles
and Server Security
Exam Objectives in this Chapter:
1 Planning and Implementing Server Roles and Server Security
1.1 Configure security for servers that are assigned specific roles.
1.4 Evaluate and select the operating system to install on computers in an enterprise.
1.4.1 Identify the minimum configuration to satisfy security requirements.
1.2 Plan a secure baseline installation.
1.2.1 Plan a strategy to enforce system default security settings on new systems.
1.2.2 Identify client operating system default security settings.
1.2.3 Identify all server operating system default security settings.
1.3 Plan security for servers that are assigned specific roles. Roles might include domain controllers, Web servers, database servers, and mail servers.
1.3.1 Deploy the security configuration for servers that are assigned specific roles.
1.3.2 Create custom security templates based on server roles.
Introduction
Planning an effective security strategy for Windows Server 2003 requires an understanding of the roles that different servers play on the network and the security needs of different types of servers based on the security requirements of your organization. Securing the servers is an important part of any network administrator’s job.
In this chapter, we will first review server roles and ensure that you have an understanding of the many roles Windows Server 2003 can play on the network. We will discuss domain controllers; file and print servers; DHCP, DNS, and WINS servers; Web servers; database servers; mail servers; certification authorities; and terminal servers. Then we will delve into how to plan a server security strategy. We will examine how to choose the right operating system according to security needs, how to identify minimum security requirements for your organization, and how to identify the correct configurations to satisfy those security requirements.
Next, you will learn how to plan baseline security on both client and server machines. We will cover planning the secure baseline installation parameters and enforcing default security settings on new computers. We will show you how to customize server security, securing your servers according to their roles. Then we will walk you through the process of creating custom security templates and show you how to deploy security configurations.
Exam 70-293 Objective 1
Understanding Server Roles
When Windows Server 2003 is installed on a computer, it provides a wide variety of tools and functionality. However, additional features may still need to be installed on the server to bring clients the services they need. The server may need to supply file and print services, authenticate users, or support a local intranet Web site. Until Windows Server 2003 is configured to supply these services, clients will be unable to use the server in a manner that is required by the organization.
Server roles are profiles that are used to configure Windows Server 2003 to provide specific functionality to the network. When you set up a server to use a specific role, various services and tools are enabled or installed, and the server is configured to provide additional services and resources to network clients. Roles are applied to machines using the Configure Your Server Wizard and managed using the Manage Your Server tool.
As shown in Figure 2.1, Manage Your Server provides information about the roles that are currently configured for a server, and it provides the ability to add and remove roles from a server. Depending on your server’s settings, this tool will start automatically upon logon. If you’ve checked the Don’t display this page at logon check box at the bottom of this window, Manage Your Server will not start automatically. You can start it manually by selecting Start | Administrative Tools | Manage Your Server.
As shown in Figure 2.1, there are a variety of items in Manage Your Server’s main window. The left side of the window lists the roles currently configured for the server. Beside each entry, there are buttons that relate to the corresponding role. These buttons differ from role to role, and they are used to invoke other tools for managing the role or to view information on additional steps that can be taken to configure, administer, and maintain the role.
Figure 2.1 The Main Manage Your Server Window
Near the top of the Manage Your Server window are three buttons. Two of these are used to obtain additional information about roles and remote administration. The other button, labeled Add or remove a role, is used to invoke the Configure Your Server Wizard. You can also start the Wizard by selecting Start | Administrative Tools | Configure Your Server.
When the Configure Your Server Wizard starts, it informs you of possible preliminary steps that need to be taken before a new role is added. As shown in Figure 2.2, these steps include ensuring that network and Internet connections have been set up and are active for the server, peripherals are turned on, and your Windows Server 2003 installation CD is available. When you finish reading this information, click the Next button to have the Wizard test network connections and continue to the next step.
Figure 2.2 Preliminary Steps of the Configure Your Server Wizard
In the next window, shown in Figure 2.3, roles that are available to add and remove through the Wizard are listed in the Server Role column; the Configured column indicates whether the role has been previously installed. If you want to install a role that isn’t listed here, click the Add or Remove Programs link to open the Add or Remove Programs applet (in the Windows Control Panel), where you can configure additional services.
Figure 2.3 Configuring Server Roles
In Figure 2.3, you can see that there are 11 different roles that can be applied to Windows Server 2003 through the Configure Your Server Wizard. These roles are as follows:
■ Domain controller This role is used for authentication and installs Active Directory on the server.
■ File server This role is used to provide access to files stored on the server.
■ Print server This role is used to provide network printing functionality.
■ DHCP server This role allocates IP addresses and provides configuration information to clients.
■ DNS server This role resolves host and domain names to IP addresses (and vice versa).
■ WINS server This role resolves NetBIOS names to IP addresses (and vice versa).
■ Mail server This role provides e-mail services.
■ Application server This role makes distributed applications and Web applications available to clients.
■ Terminal server This role provides Terminal Services for clients to access applications running on the server.
■ Remote access/VPN server This role provides remote access to machines through dial-up connections and virtual private networks (VPNs).
■ Streaming media server This role provides Windows Media Services so that clients can access streaming audio and video.
After you select the role to add to the server, click Next to step through the process of setting up that role. Each set of configuration windows is different for each server role. Also, although multiple roles can be installed on Windows Server 2003, only one role at a time can be configured using the Configure Your Server Wizard. To install additional roles, you need to run the Wizard again.
New & Noteworthy...
Manage Your Server
The Manage Your Server tool is new to Windows Server 2003. It is similar to the
Configure Your Server utility in Windows 2000 and provides a centralized location
for administrators to access tools, view information, and launch programs used to
maintain specific roles. In addition, servers with Internet access can benefit from
this tool, because it can be used to invoke Windows Update to apply security
patches, service packs, new drivers, and other updates. Manage Your Server also
provides links to Web pages located on Microsoft’s site, which can assist administrators in understanding how to deal with specific problems and obtaining the
latest information.
Manage Your Server also provides a way to launch the Configure Your Server
Wizard, where you can add roles to a server or remove existing ones. Because the
roles installed on a server can be modified at any time, administrators are able to
change a server’s role on the network as needs within the organization change.
Before setting up a server role (as we will do in Exercise 2.1, later in this chapter), it is
important to understand each of the roles that can be applied to Windows Server 2003. In
the sections that follow, we will discuss these roles in greater detail and examine how they
are installed with the Configure Your Server Wizard and other tools.
Domain Controllers (Authentication Servers)
Domain controllers are a fundamental part of a Microsoft network because they are used to manage domains. A domain is a logical grouping of network elements, including computers, users, printers, and other components that make up the network and allow people to perform their jobs. When a server is configured to be a domain controller (DC), it can be used to manage these objects and provide other capabilities for configuring and controlling your network.
An important function of a domain controller is user authentication and access control. Authentication is used to verify the identity of an object such as a user, application, or computer. For example, when a user logs on to a domain, he or she will enter a username and password, which is compared to information that is stored on the domain controller. If the information provided by the user matches data in the user account, the domain controller considers the person to be authentic. The process continues by giving an appropriate level of access, so the user can utilize resources on the network. Access control manages which services and resources users (or other objects) are permitted to use and how they can use them. By combining authentication and access control, a user is permitted or denied access to network services and resources.
Active Directory
To perform these functions, the domain controller must have information about users and
other objects in a domain. In Windows 2000 and Windows Server 2003, this data is stored
in Active Directory (AD), which is a directory service that runs on domain controllers. A
directory serves as a structured source of information, containing data on objects and their
attributes. Objects in the directory represent elements of your network (including users,
groups, and computers). Attributes are values that define an object (such as its name, location, security rights, and other features). Using tools that access AD, an administrator can
manage an object’s attributes to provide information that is accessible to users and control
security at a granular level. By serving as a data store of information about a domain, AD is
the means by which administrators achieve greater and more flexible control over a network.
When AD is installed, the server becomes a domain controller. Until this time, it is a member server that cannot be used for domain authentication and management of domain users or other domain-based objects. This does not mean, however, that AD can be installed on every version of Windows Server 2003. It can be installed on Standard Edition, Enterprise Edition, and Datacenter Edition, but servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network.
EXAM WARNING
A server without AD installed on it can still deliver a variety of services, file storage,
and access to other resources. However, until AD is installed, the server cannot
authenticate domain users or provide the other functions of a domain controller.
Once AD is installed, the member server ceases to be a member server and
becomes a domain controller.
A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a tool that promotes a member server to domain controller status. During the installation, a writable copy of the AD database is placed on the server’s hard disk. The file used to store directory information is called NTDS.dit and, by default, is located in %systemroot%\NTDS. When changes are made to the directory, they are saved to this file.
Each domain controller retains its own copy of the directory, containing information about the domain in which it is located. If one domain controller becomes unavailable, users and computers can still access the AD data store on another domain controller in that domain. This allows users to continue logging on to the network, even though the domain controller that is normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down.
Because a domain can have more than one domain controller, changes made to the directory on one domain controller must be updated on others. The process of copying these updates is called replication, which is used to synchronize information in the directory. Without replication, features in AD would fail to function properly. For example, if you added a user on one domain controller, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still could not log on to other domain controllers until the account was replicated. When a change is made on one domain controller, the changes need to be replicated, so that every domain controller continues to have an accurate copy of AD. This type of replication is called multi-master, because each domain controller contains a full read/write copy of the AD database.
Operations Master Roles
By default, all domain controllers are relatively equal. However, there are still some operations that need to be performed by a single domain controller in the domain or forest. To address these, Microsoft created the concept of operations masters. Operations masters serve many purposes. Some control where components of AD can be modified; others store specific information that is key to the healthy function of AD at the domain level. Because only one domain controller in a domain or forest fulfills a given role, these roles are also referred to as Flexible Single Master of Operations (FSMO) roles.
Some FSMO roles are unique to each domain; others are unique to the forest. A forest is one or more domain trees that share a common schema, Global Catalog, and configuration information. The schema is used to define which types of objects (classes) and attributes can be used in AD. Without it, AD would have no way of knowing what objects can exist in the directory or what attributes apply to each object. The Global Catalog is a subset of information from AD. It stores a copy of all objects in its host domain, as well as a partial copy of objects in all of the other domains in the forest.
There are five different types of master roles, each serving a specific purpose. Two of these master roles are applied at the forest level (forest-wide roles), and the others are applied at the domain level (domain-wide roles). The following are the forest-wide operations master roles:
■ Schema master A domain controller that is in charge of all changes to the AD schema. As mentioned, the schema determines which object classes and attributes are used within the forest. If additional object classes or attributes need to be added, the schema is modified to accommodate these changes. The schema master is used to write to the directory’s schema, which is then replicated to other domain controllers in the forest. Updates to the schema can be performed only on the domain controller acting in this role.
■ Domain naming master A domain controller that is in charge of adding new domains and removing unneeded ones from the forest. It is responsible for any changes to the domain namespace. This role prevents naming conflicts, because such changes can be performed only if the domain naming master is online.
In addition to the two forest-wide master roles, there are three domain-wide master roles: relative ID (RID) master, primary domain controller (PDC) emulator, and infrastructure master. These roles are described in the following sections.
Relative ID Master
The relative ID master is responsible for allocating sequences of numbers (called relative IDs, or RIDs) that are used in creating new security principals in the domain. Security principals are user, group, and computer accounts. These numbers are issued to all domain controllers in the domain. When an object is created, a number that uniquely identifies the object is assigned to it. This number consists of two parts: a domain security ID (or computer SID if a local user or group account is being created) and an RID. Together, the domain SID and RID combine to form the object’s unique SID. The domain security ID is the same for all objects in that domain. The RID is unique to each object. Instead of using the name of a user, computer, or group, Windows uses the SID to identify and reference security principals. To avoid potential conflicts of domain controllers issuing the same number to an object, only one RID master exists in a domain. This controls the allocation of RID numbers to each domain controller. The domain controller can then assign the RIDs to objects when they are created.
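The two-part structure just described (domain SID plus RID) is what an auditor works with when reviewing accounts, because the RID identifies built-in accounts regardless of what they have been renamed to. The following Python code is an added example and is not part of the study guide: it splits a SID string into its domain SID and RID, converts between the string form and the binary form Windows stores, and looks up a few well-known RIDs. The sample SID values are constructed.

```python
"""Split a Windows security identifier (SID) into its domain SID and RID.

Added example, not taken from the study guide. The string form
S-<revision>-<authority>-<sub-authorities...> and the binary layout
(revision byte, sub-authority count byte, 6-byte big-endian identifier
authority, 32-bit little-endian sub-authorities) are the documented
Windows SID formats. The sample SIDs used below are constructed.
"""
import struct
from dataclasses import dataclass

# Well-known RIDs in a domain SID (S-1-5-21-...). An account renamed away
# from "Administrator" still carries RID 500, so audits key on the RID.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    def __str__(self):
        parts = ["S", str(self.revision), str(self.identifier_authority)]
        parts += [str(s) for s in self.sub_authorities]
        return "-".join(parts)

    @property
    def rid(self):
        # The last sub-authority is the relative ID drawn from a RID pool.
        return self.sub_authorities[-1]

    @property
    def domain_sid(self):
        # Everything before the RID identifies the issuing domain or machine.
        return Sid(self.revision, self.identifier_authority, self.sub_authorities[:-1])


def parse_sid_string(text):
    fields = text.split("-")
    if len(fields) < 4 or fields[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(fields[1]), int(fields[2])
    subs = tuple(int(f) for f in fields[3:])
    if not 1 <= len(subs) <= 15:
        raise ValueError("SID must have 1..15 sub-authorities")
    return Sid(revision, authority, subs)


def parse_sid_binary(data):
    """Decode the binary SID layout used in security descriptors and tokens."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length %d does not match %d sub-authorities" % (len(data), count))
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return Sid(revision, authority, tuple(subs))


def sid_to_binary(sid):
    count = len(sid.sub_authorities)
    return (bytes([sid.revision, count])
            + sid.identifier_authority.to_bytes(6, "big")
            + struct.pack("<%dI" % count, *sid.sub_authorities))


def describe(text):
    """Return (domain SID string, RID, well-known name or None) for a SID string."""
    sid = parse_sid_string(text)
    name = None
    if sid.sub_authorities[:1] == (21,):  # only domain/machine SIDs carry these RIDs
        name = WELL_KNOWN_RIDS.get(sid.rid)
    return str(sid.domain_sid), sid.rid, name


if __name__ == "__main__":
    # Constructed sample: the built-in administrator of a domain, renamed or not.
    print(describe("S-1-5-21-1004336348-1177238915-682003330-500"))
```

The binary round trip matters in practice because SIDs appear in base64 or hex form in event logs and directory exports; parsing them back to S-1-5-21-... form is the step that lets you compare the RID against the table.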
PDC Emulator
The primary domain controller (PDC) emulator is designed to act like a Windows NT PDC when the domain is in Windows 2000 mixed mode. This is necessary if Windows NT backup domain controllers (BDCs) still exist on the network. Clients earlier than Windows 2000 also use the PDC emulator for processing password changes, though installation of the AD client software on these systems enables them to change their password on any domain controller in the domain to which they authenticate. The PDC emulator also synchronizes the time on all domain controllers in the domain. For replication accuracy, it is critical for all domain controllers to have synchronized time.
Even if you do not have any servers running as BDCs on the network, the PDC emulator still serves a critical purpose in each domain. The PDC emulator receives preferred replication of all password changes performed on other domain controllers within the domain. When a password is changed on a domain controller, it is sent to the PDC emulator. If a user changes his or her password on one domain controller, and then attempts to log on to another, the second domain controller may still have old password information. Because this domain controller considers it a bad password, it forwards the authentication request to the PDC emulator to determine whether the password is actually valid. In addition, the PDC emulator initiates urgent replication so that the password change can propagate as soon as possible. Urgent replication is also used for other security-sensitive replication traffic, such as account lockouts.
This operations master is by far the most critical at the domain level. Because of this,
you should ensure that it is carefully placed on your network and housed on a high-availability, high-capacity server.
Infrastructure Master
The infrastructure master is in charge of updating changes that are made to group memberships. When a user moves to a different domain and his or her group membership changes, it may take time for these changes to be reflected in the group. To remedy this, the infrastructure master is used to update such changes in its domain. The domain controller in the infrastructure master role compares its data to the Global Catalog, which is a subset of directory information for all domains in the forest and contains information on groups. The Global Catalog stores information on universal group memberships, in which users from any domain can be added and allowed access to any domain, and maps the memberships users have to specific groups. When changes occur to group membership, the infrastructure master updates its group-to-user references and replicates these changes to other domain controllers in the domain.
TEST DAY TIP
FSMO roles are an important part of a domain controller’s function on a network.
FSMO roles that are unique to a forest affect all domains within that forest. FSMO
roles that are unique to a domain apply only to that domain. There is only one
schema master and one domain naming master in a forest. There is only one RID
master, PDC emulator, and infrastructure master in a domain.
File and Print Servers
Two of the basic functions in a network are saving files in a central location on the network and printing the contents of files to shared printers. Each of these functions is vital to most environments. Most organizations require users to be able to save their work to a shared location on the network and to print hard copies of it for others to review and/or retain. When file server or print server roles are configured in Windows Server 2003, additional functions become available that make using and managing the server more effective.
Print Servers
Print servers are used to provide access to printers across the network. A benefit of print servers for administrators is that they provide an added level of manageability for network printing. Print servers allow you to control when print devices can be used by allowing you to schedule the availability of printers, set priority for print jobs, and configure printer properties. Using a browser, an administrator can also view, pause, resume, and/or delete print jobs.
By configuring Windows Server 2003 in the role of a print server, you can manage printers remotely through the GUI and by using Windows Management Instrumentation (WMI). WMI is a management application program interface (API) that allows you to monitor and control printing. Using WMI, an administrator can manage components like print servers and print devices from a command line.
Print servers also provide alternative methods of printing to specific print devices. Users
working at machines running Windows XP can print to specific printers by using a Uniform
Resource Locator (URL). If you’ve used the Internet, you’re probably already familiar with
URLs. A URL is the address that is entered to access a Web site. Using URLs, other
resources can also be accessed from remote locations, such as printers offered by Windows
Server 2003 print servers.
File Servers
File servers are used to provide access to files that are stored on the server’s hard disks. Users are able to store files in a centralized location, rather than to their local hard disks, and share them with other users. When a file is saved to a volume on a file server, clients who have access to the directory in which the file was saved can access it remotely from the server. This type of server is also important when multiple employees use network-accessible
applications. In such cases, data may need to be saved from the application to a shared
database, spreadsheet, or other type of file.
Administrators benefit from file servers by being able to manage disk space, control
access, and limit the amount of space that is made available to individual users. If NTFS
volumes are used, disk quotas can be set to limit the amount of space available to each user.
This prevents users from filling the hard disk with superfluous data or older information
that may no longer be needed.
In addition to these features, a file server also provides other functionality that offers security and availability of data. File servers with NTFS volumes have the Encrypting File System (EFS) enabled, so that any data can be encrypted using a public key system. This makes it difficult for unauthorized users to access data, while being transparent to authorized users. To make it easier for users to access shared files, the Distributed File System (DFS) can be used, which allows data that is located on servers throughout the enterprise to be accessible from a single shared folder. When DFS is used, files stored on different volumes, shares, or servers appear as if they reside in the same location. This makes it easier for users to find the data they need, because they do not need to search through multiple locations to access the files they are permitted to use.
DHCP, DNS, and WINS Servers
The roles of DHCP, DNS, and WINS servers are used for uniquely identifying computers and finding them on the network. A DHCP server issues a unique number called an IP address to a computer. DNS and WINS servers resolve this number to and from user-friendly names that are easier for users to deal with. With Windows Server 2003 acting as a DHCP, DNS, and/or WINS server, clients can be automatically issued a number that distinguishes them on the network, and find other machines and devices more effectively.
DHCP Servers
DHCP is the Dynamic Host Configuration Protocol, and it is used to issue IP addresses to clients on networks using the Transmission Control Protocol/Internet Protocol (TCP/IP). An IP address is a number that uniquely identifies a client when sending or receiving packets of data. When information is sent across the network, the data is broken up into smaller packets, which are reassembled by the receiver. Each packet contains the IP address of who is sending the data and who should receive it. This is similar to a letter with an address of who should receive the message and a return address of who sent it.
Because no two computers on a network can have the same IP address at the same time, assigning these addresses to clients is an important responsibility. IP addresses can be assigned statically, so that each computer always uses the same IP address. Allocating addresses in this way can result in mistakes and is difficult to consistently track. Many enterprises use static IP addresses only for their servers and network infrastructure equipment (switches, routers, and so on). Dynamic addresses are used for all clients. Dynamic addresses are assigned using DHCP. When an IP address is dynamically assigned, the client contacts
the DHCP server for an IP address. The DHCP server responds by issuing an IP address from a pool of available addresses stored in a database, as well as any configuration information (such as the IP addresses of the default gateway, DNS server, and WINS server) that is needed by the client.
When a DHCP server allocates an IP address to the client, it is for a limited amount of time. Because there are only so many IP addresses available in a pool, they are often recycled between computers. This can happen if a client is shut off for an extended period of time, or if it is a laptop that is assigned to a user who is typically on the road and away from the office. For this reason, when a DHCP lease expires, the DHCP server is free to issue the IP address to other clients.
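A small lease-pool model, added here as an example and not taken from the study guide, makes the lease lifecycle concrete: clients request addresses from a finite pool, a client that still holds a lease keeps its address when it renews, and an expired lease is recycled to the next client that asks. The pool range, lease duration and client identifiers are constructed, and the model omits the configuration options (default gateway, DNS and WINS servers) a real DHCP server also returns.

```python
"""Toy model of DHCP lease allocation, renewal and expiry.

Added example, not from the study guide. Times are plain integers on one
clock (seconds) so the behaviour is deterministic; the address range,
lease length and client identifiers are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    client_id: str                    # e.g. the client's hardware address
    address: ipaddress.IPv4Address
    expires_at: int                   # seconds on the same clock as `now`


class LeasePool:
    def __init__(self, first, last, lease_seconds):
        start = int(ipaddress.IPv4Address(first))
        stop = int(ipaddress.IPv4Address(last))
        self.addresses = [ipaddress.IPv4Address(n) for n in range(start, stop + 1)]
        self.lease_seconds = lease_seconds
        self.leases = {}              # address -> Lease

    def _expire(self, now):
        # An expired lease returns its address to the pool for reuse.
        for addr, lease in list(self.leases.items()):
            if lease.expires_at <= now:
                del self.leases[addr]

    def request(self, client_id, now):
        """Lease an address to client_id; None when the pool is exhausted."""
        self._expire(now)
        # Renewal: a client that still holds a lease keeps the same address.
        for lease in self.leases.values():
            if lease.client_id == client_id:
                lease.expires_at = now + self.lease_seconds
                return lease.address
        # Otherwise hand out the first address nobody currently holds.
        for addr in self.addresses:
            if addr not in self.leases:
                self.leases[addr] = Lease(client_id, addr, now + self.lease_seconds)
                return addr
        return None

    def release(self, client_id, now):
        """Client gives its address back before the lease would have expired."""
        self._expire(now)
        for addr, lease in list(self.leases.items()):
            if lease.client_id == client_id:
                del self.leases[addr]
                return True
        return False

    def active(self, now):
        """Current address -> client mapping, the server's lease table."""
        self._expire(now)
        return {str(a): l.client_id for a, l in sorted(self.leases.items())}


if __name__ == "__main__":
    # Constructed scenario: a two-address pool with one-hour leases.
    pool = LeasePool("192.168.10.10", "192.168.10.11", 3600)
    pool.request("client-a", 0)
    pool.request("client-b", 0)
    print(pool.request("client-c", 100))     # pool exhausted
    pool.request("client-a", 1800)           # a renews and keeps its address
    print(pool.active(3700))                 # b's lease lapsed, c can now be served
```

Keeping the lease table keyed by address rather than by client is what lets the same address show up against different clients over time, which is exactly why a DHCP server's lease log (address, client, lease window) is needed to attribute a logged IP address to a machine after the fact.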
DNS Servers
Because remembering a series of numbers can be difficult, methods have been created to resolve IP addresses to user-friendly names and vice versa. Imagine trying to remember what Web site or computer the IP address 192.168.10.250 represented on a network, in addition to all the other IP addresses you would need to remember for other sites and computers. To remedy this situation, name resolution is used, so users can enter a name that is translated to a corresponding IP address.
The Domain Name System (DNS) is a popular method of name resolution that is used on the Internet and other TCP/IP networks. AD is integrated with DNS, and it uses DNS servers to allow users, computers, applications, and other elements of the network to easily find domain controllers and other resources on the network. DNS is a hierarchical, distributed database that maps user-friendly domain names (like syngress.com) to IP addresses. When a user enters a DNS name into a browser or other application, it is sent to a DNS server, which looks up the IP address for that domain. This IP address is sent back to the client, which uses the numeric address to locate and communicate with the computer at this address.
Figure 2.4 illustrates name resolution using DNS. In this example, a user wants to connect with the syngress.com domain. As shown in step 1 of this figure, because machines use
IP addresses to locate and communicate with each other on a TCP/IP network, the client
contacts the DNS server and requests the IP address of syngress.com. In step 2, the DNS
server checks its database to find the IP address that maps to this particular domain name.
After finding it, step 3 is performed, and the DNS server sends the information back to the
client, informing it that the IP address of syngress.com is 209.164.15.58. Now that the
client has this information, the client performs step 4, by connecting to syngress.com using
the numeric address.
Figure 2.4 Name Resolution Using DNS
[Diagram: a Client and a DNS Server exchanging data. Step 1: Client requests IP address of syngress.com. Step 2: DNS Server checks its database of IP addresses, and finds an IP address that maps to syngress.com. Step 3: DNS Server returns that syngress.com = 209.164.15.58. Step 4: Client establishes communication with the IP address 209.164.15.58 (syngress.com).]
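The four steps of Figure 2.4, as an added Python example that is not code from the study guide: the client builds an A query for syngress.com in the DNS wire format, the server consults a constructed zone table and builds the response, and the client decodes the answer, accepting it only if the transaction ID and the response flag match the query it sent. The zone table and transaction ID are constructed; 209.164.15.58 is the address the text uses.

```python
"""Encode and decode the DNS exchange from Figure 2.4 in wire format.

Added example, not from the study guide. Messages follow RFC 1035: a 12-byte
header, a question section and resource records, with name compression
pointers in the answer. ZONE stands in for the server's database and is
constructed; the address is the one used in the text.
"""
import struct

ZONE = {"syngress.com": "209.164.15.58"}   # constructed server database


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset after the name); follows compression pointers."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                # 11xxxxxx: pointer to earlier name
            if hops > 10:
                raise ValueError("compression pointer loop")
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if not jumped:
                end = offset + 2                   # caller resumes after the pointer
            jumped, offset, hops = True, pointer, hops + 1
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def build_query(name, txid):
    """Step 1: client asks for the A record of name (flags 0x0100 = RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN


def answer_query(query):
    """Steps 2 and 3: server decodes the question, looks it up, builds the reply."""
    txid = struct.unpack_from("!H", query, 0)[0]
    qname, offset = decode_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, offset)
    question = query[12:offset + 4]
    ip = ZONE.get(qname.lower())
    if qtype != 1 or qclass != 1 or ip is None:
        # 0x8183: response, RD+RA, RCODE 3 (name does not exist)
        return struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # 1 answer, no error
    rdata = bytes(int(octet) for octet in ip.split("."))
    # Answer name is a pointer (0xC00C) back to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + question + answer


def parse_response(response, expected_txid):
    """Step 4 prerequisite: client extracts (name, address, ttl) for each A record."""
    txid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", response, 0)
    if txid != expected_txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    offset = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, offset = decode_name(response, offset)
        offset += 4
    records = []
    for _ in range(an):
        name, offset = decode_name(response, offset)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", response, offset)
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def resolve(name, txid=0x1234):
    """Run the whole exchange in-process; returns the addresses the client accepted."""
    query = build_query(name, txid)
    response = answer_query(query)
    return [ip for _, ip, _ in parse_response(response, txid)]


if __name__ == "__main__":
    print(resolve("syngress.com"))                 # ['209.164.15.58']
```

The transaction ID check in parse_response is the client's only tie between a query and the reply it accepts, which is why a resolver's choice of unpredictable IDs (and source ports) matters for the integrity of the name-to-address mapping the rest of the network then trusts.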
WINS Servers
The Windows Internet Name Service (WINS) is another method of name resolution that resolves IP addresses to NetBIOS names, and vice versa. NetBIOS names are used by pre-Windows 2000 servers and clients, and they allow users of those operating systems to log on to Windows Server 2003 domains. They are supported in Windows Server 2003 for backward-compatibility with these older systems. By implementing a WINS server, you allow clients to search for computers and other resources by computer name, rather than by IP address.
WINS is similar to DNS in that user-friendly names are mapped to IP addresses within a database. When clients attempt to connect to a computer or resource using its NetBIOS name, they can send a request to a WINS server to provide the IP address of that resource. The WINS server searches its database for the name-to-address mapping and returns the IP address to the requesting client. Once the client has this address, it can connect to and communicate with the computer or resource.
Web Servers
Web servers allow organizations to host their own Web sites on the Internet or a local intranet. An intranet is a local area network (LAN) that uses the same technologies that are used on the Internet, so that users can access Web pages and other resources using Web
browsers and other Web-enabled applications. Implementing a Web server in an organization allows users to benefit by accessing information, downloading files, and using Web-based applications.
Web Server Protocols
Microsoft’s Windows Server 2003 Web server product is Internet Information Services (IIS) 6.0,
which is included with Windows Server 2003. IIS allows users to access information using a
number of protocols that are part of the TCP/IP suite, including the following:
■ Hypertext Transfer Protocol (HTTP) Used by the World Wide Web Publishing service in IIS. Allows users to access Web pages using a Web browser like Internet Explorer or other Web-enabled applications. By connecting to sites created on your Web server, users can view and work with Web pages written in the Hypertext Markup Language (HTML), Active Server Pages (ASP), and Extensible Markup Language (XML). This allows users to not only view static information, but also to benefit from Web-based programs.
■ File Transfer Protocol (FTP) Used for transferring files between clients and servers. Using this service, clients can copy files to and from FTP sites using a Web browser like Internet Explorer or other FTP client software. By using such software, clients can browse through any folders they have access to on the FTP site, and they can access any files they have permissions to use.
■ Network News Transfer Protocol (NNTP) Used for newsgroups, which are also called discussion groups. The NNTP service in IIS allows users to post news messages. Other users can browse through messages stored on the server, respond to existing messages, and post new ones using a newsreader program. For example, a group of users could have a discussion group that deals with a certain project, so that members of the team can exchange ideas and discuss problems in a forum that can be viewed by all members of the group. Another group could also be created that allows employees to post messages regarding items for sale, charitable events, or other things that you might see on a typical bulletin board. NNTP allows organizations to incorporate such message groups into the way that employees exchange information with one another.
■ Simple Mail Transfer Protocol (SMTP) Used to provide e-mail capabilities (as described in the discussion of the mail server role later in this chapter). The SMTP service that is installed with IIS isn’t a full e-mail service, but provides limited services for transferring e-mail messages. Using this service, Web developers can collect information from users of a Web site, such as having them fill out a form online. Rather than storing the results of the form locally in a file, the information can be e-mailed using this service.
Web Server Configuration
Although a Web server can facilitate a company’s ability to disseminate information, it isn’t an actual role that is configured using the Configure Your Server Wizard. It is installed as part of the application server role, which we’ll discuss later in this chapter. The Configure Your Server Wizard provides an easy, step-by-step method of configuring Web servers through the application server role; however, it isn’t the only way to install IIS. You can also install IIS through the Add or Remove Programs applet in the Windows Control Panel.
Using Add or Remove Programs to install IIS takes a few extra steps, but it allows you to perform the installation without installing other services and features available through the application server role. To use Add or Remove Programs to install IIS, follow these steps:
1. Select Start | Control Panel | Add or Remove Programs.
2. Click the Add/Remove Windows Components icon to display the Windows
Components Wizard, which provides a listing of available components to install.
3. In the list, select Application Server and click the Details button to view the
Application Server dialog box, shown in Figure 2.5.
Figure 2.5 Installing IIS through the Application Server Dialog Box
in the Windows Components Wizard
4. The Application Server dialog box contains a number of subcomponents. To install IIS, select the check box for Internet Information Services (IIS), and either click OK to install the default components or click Details to view even more subcomponents that can be installed within IIS.
5. When you’ve made your selections, click OK to return to the Windows
Components Wizard.
6. Click Next to have Windows make the configuration changes you requested from
your selection.
7. Once the Wizard has finished copying the necessary files and changing system settings, click Finish to complete the installation process and exit the Wizard.
Database Servers
Database servers are used to store and manage databases that are stored on the server and to provide data access for authorized users. This type of server keeps the data in a central location that can be regularly backed up. It also allows users and applications to centrally access the data across the network. A large number of the databases used in your organization can be kept on one server or a group of servers that are specifically configured to protect data and service client requests.
The Configure Your Server Wizard does not include a configurable role for database
servers. A database server is any server that runs a network database application and maintains database files, such as Microsoft SQL Server or Oracle. SQL Server is a high-performance database management system. It is used for data storage and analysis, and it provides
users with the ability to access vast amounts of data quickly over the network. Because SQL
Server provides additional measures of security that would not otherwise be available (as
discussed in the “Securing Database Servers” section later in this chapter) and processing
occurs on the server, transactions can occur securely and rapidly.
Data stored in database management systems is generally accessed through user interfaces that are developed by an organization or third parties. For example, a company might
create custom applications in Visual Basic (or some other programming language), or use
ASP on the Web server to display information that is stored in a database.While the user
interacts with the data through the user interface, the data is actually stored in the SQL
Server or Oracle database located on a database server.
Mail Servers
Mail servers enable users to send and receive e-mail messages. Users send e-mail to other
users through at least one mail server. When the message arrives, the destination mail server
stores the message until it is retrieved by the user. If the mail server does not handle the e-mail account for an intended recipient, it will transfer the message to a mail server that
does. In this way, mail servers will work together to ensure a message reaches its intended
audience.
When a server is configured to be a mail server, two protocols are enabled: SMTP and
Post Office Protocol (POP3). As shown in Figure 2.6, SMTP is used by clients and mail
servers to send e-mail. POP3 is used by clients when retrieving e-mail from their mail
server. Each of these protocols is part of the TCP/IP protocol suite and installed when
TCP/IP is installed on a computer. However, even if TCP/IP is installed on Windows
Server 2003, the services provided by mail servers still need to be enabled by configuring
the machine to take the role of a mail server.
Figure 2.6 How E-mail Is Transmitted and Retrieved
(Diagram: a sending client in the knightware.ca domain submits mail to its mail server, mail.knightware.ca, using SMTP; mail is sent between mail servers across the Internet using SMTP; the receiving client retrieves mail from mail.bookworms.ca using POP3.)
E-mail addresses determine which mail server and client the e-mail should go to. Each
e-mail address uses the format account@domain. The first part of the address specifies the
account the e-mail is destined to reach, and the second part specifies the domain in which
this account resides. In the example in Figure 2.6, a message destined for sales@bookworms.ca is sent from the knightware.ca domain. Because the mail server in knightware.ca
recognizes that the message is being sent to a user in another domain, it uses the SMTP
protocol to send it to the mail server in the bookworms.ca domain. When the bookworms.ca mail server receives this e-mail, it will see it is for the account named sales and
put it in the mailbox for that user. The client that uses the sales account can then use the
POP3 protocol to retrieve his or her e-mail from the mail server.
Certificate Authorities
Certificate authorities (CAs) are servers that issue and manage certificates. Certificates can be
used for a variety of purposes, including encryption, integrity, and verifying the identity of
an entity, such as a user, machine, or application. Certificates can be used to prove an entity
is who (or what) they claim to be, in much the same way that your birth certificate is used
to prove your identity. They are digitally signed files that contain a wide range of information, often including a cryptographic key, information about whom or what the key is
issued to, an expiration date, where the validity of the certificate can be checked, and which
CA signed the certificate. Certificates are typically part of a larger security process known as
a Public Key Infrastructure (PKI).
PKI
PKI is a method that uses unique values called keys together with mathematical algorithms
for cryptography and authentication. There are two different kinds of keys used in
PKI: public keys and private keys.
For data confidentiality, the public key is used to encrypt session keys and data; the private key is used for decryption. The public key is openly available to the public. The private
key is secret and known only to the person for whom it is created. The members of a key
pair are mathematically related, but you cannot extrapolate the private key by knowing the
public key. Using the two keys together, messages can be encrypted and decrypted using PKI.
For authentication, the roles of the public and private keys are reversed. The private key
is used for encryption, and the public key is used for decryption. The private key is unique
to the person being identified, so each user has his or her own private key for authentication purposes. Because each private key has a corresponding public key, the public key is
used to decrypt information used for authenticating the user.
The public and private keys are generated at the same time by a CA. The CA creates
and manages keys, binding public and private keys to create certificates, and vouching for the
validity of public keys belonging to users, computers, services, applications, and other CAs.
In addition to a CA, a Registration Authority (RA) can also be used to request and
acquire certificates for others. The RA acts as a proxy between the user and the CA, and it
relieves the CA of some of the burden of verification. When a user makes a request to a
CA, the RA can intercept the request, authenticate it, and pass it on to the CA. When the
CA responds to the request, it sends it to the RA, which forwards it to the user.
Private and public keys are created when someone or something needs to establish the
validity of his, her, or its identity. When the public and private keys are created, the private
key is given to the person or entity who wants to establish the credentials, and a public key
is stored so that anyone who wants to verify these credentials has access to it. When a
person wants to send a message using PKI with the data encrypted so that it cannot be read
by anyone but the holder of the private key, the public key is acquired from the CA and
used to encrypt the message. When a person who holds the private key receives this message, the public key is validated with the CA. Since the CA is trusted, this validates the
authenticity of the message. After this is done, the private key is used to decrypt the message.
Conversely, if a person wants to send a message and validate that he or she is the actual
sender, that person can encrypt the message with his or her private key. Then the recipient
decrypts it with the sender’s public key, thereby proving that the message really did come
from that sender.
Certificates
Certificates use PKI by binding the value of a public key to the person or thing that holds
the private key. The certificate stores information that identifies its holder and contains a
copy of the key value. When communicating with another party that has a corresponding
key, data exchanged between the two can be securely transmitted using encryption.
Certificates may be used for a number of different purposes. Windows Server 2003
computers acting in the role of a Web server may use certificates to authenticate users or to
authenticate Web servers themselves. In doing so, the certificate provides proof of the identity of a particular user or machine. Mail servers can also benefit from certificates, because
they are used to allow e-mail to be digitally signed. This provides proof of the integrity and
origin of a message. In sending secure mail, certificates are used with Secure/Multipurpose
Internet Mail Extensions (S/MIME), which allows the e-mail to be sent encrypted across a
network.
Certificates may also be used by different protocols to ensure secure communication, as
in the case of Internet Protocol Security (IPSec) or Transport Layer Security (TLS).
Encrypting communication between clients and servers with these protocols allows data to
be transmitted and users to be authenticated with little (or no) chance of others intercepting and viewing the information. By using certificates for authentication,
encryption/decryption of data, and secure communication, Windows Server 2003
Certificate Services can provide enhanced security to a network.
Certificates can contain a variety of facts about a user’s or machine’s identity and about
the certificate itself. A certificate may include the following data:
■ The value of a key issued by a CA
■ Information about the person, machine, or other entity that was issued the certificate, which may include their name, e-mail address, or other data
■ Information about who issued the certificate
■ The digital signature of the issuer, which ensures the certificate is valid
■ How long the certificate is valid
Because different systems must be able to understand the format of a certificate, specific
standards are used in the generation of a certificate. Windows Server 2003 supports X.509,
which is a standard that specifies the syntax and format of digital certificates. X.509 is a
popular standard for digital certificates, published by the International Organization for
Standardization (ISO). It dictates how information is organized in the certificate and what
information is included. An X.509 certificate includes facts about the user to whom the
certificate was issued, information about the certificate itself, and can also include information about the issuer of the certificate (who is referred to as the CA). To prevent the certificate from being used indefinitely, it also contains information about the period for which
the certificate is valid.
Certificate Services
Certificate Services is used to create a CA on Windows Server 2003 servers in your organization. With Certificate Services, you can create a CA, format and modify the contents of
certificates, verify information provided by those requesting certificates, issue and revoke
certificates, and publish a Certificate Revocation List (CRL). The CRL is a list of certificates that are expired or invalid, and it is made available so that network users can identify
whether certificates they receive are valid.
Certificate Services supports implementing a hierarchy of CAs, so that a single CA isn’t
responsible for providing certificates to the entire network or authenticating the entire
intranet or Internet. This isn’t to say that multiple CAs must be used in an organization, but
it is one possibility. Using a hierarchy of CAs is called chaining, where one CA certifies
others. In this hierarchy, there is a single root authority and any number of subordinate CAs.
A root authority (or root CA) resides at the top of the hierarchy. Because the hierarchy
uses a parent-child relationship, all subordinate CAs reside beneath the root authority. The
root CA is the most trusted CA in the hierarchy—any clients that trust the root CA will
also trust certificates issued by any CA below it. This makes securing a CA vital (as discussed in the “Securing CAs” section later in this chapter).
Subordinate CAs are child CAs in the hierarchy. They are certified by the CA above them,
which binds the subordinate CA’s public key to its identity. Just as the root CA can issue and manage certificates
and certify child CAs, a subordinate CA can also perform these actions and certify CAs that
are subordinate to it in the hierarchy.
In addition to having different levels of CAs in an organization, there are also different
types of root and subordinate CAs that can be used. Enterprise CAs use AD to verify information that is provided when requesting a certificate and to store certificates within AD.
When the certificate is needed, it is retrieved from directory services. Stand-alone CAs can
be used in environments that do not use AD (CAs do not require AD).
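The key-pair roles, certificate contents, CA chaining and CRL checks described in the PKI, Certificates and Certificate Services sections above, as an added Python model that is not code from this book or from Windows Certificate Services. It assumes textbook RSA over Mersenne primes (chosen only so the toy keys are reproducible), a day-number clock, and the constructed names KnightwareRoot, CertServer and mail.knightware.ca.

```python
"""Toy model of the PKI, certificate, CA-chaining and CRL concepts in this chapter.
Textbook RSA over small, well-known primes keeps the arithmetic readable; it is not
secure, and every key, name and date below is constructed for the example."""
from dataclasses import dataclass, replace
from hashlib import sha256
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class KeyPair:
    n: int  # modulus (public)
    e: int  # public exponent
    d: int  # private exponent, known only to the holder

def make_keypair(p: int, q: int, e: int = 65537) -> KeyPair:
    """(n, e) is published; d stays private and cannot be extrapolated from (n, e)."""
    return KeyPair(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def digest(data: bytes, n: int) -> int:
    return int.from_bytes(sha256(data).digest(), "big") % n

# Confidentiality: public key encrypts, private key decrypts. Authentication: the roles
# reverse, the private key signs (here: the digest) and the public key verifies.
def encrypt(n: int, e: int, m: int) -> int: return pow(m, e, n)
def decrypt(kp: KeyPair, c: int) -> int: return pow(c, kp.d, kp.n)
def sign(kp: KeyPair, data: bytes) -> int: return pow(digest(data, kp.n), kp.d, kp.n)
def verify(n: int, e: int, data: bytes, sig: int) -> bool: return pow(sig, e, n) == digest(data, n)

@dataclass
class Certificate:  # the facts the chapter lists: key value, holder, issuer, validity, signature
    serial: int
    subject: str     # e.g. CN=CertServer,DC=knightware,DC=ca
    issuer: str
    pub_n: int
    pub_e: int
    not_before: int  # validity period, as day numbers in this model
    not_after: int
    signature: int = 0

    def tbs(self) -> bytes:  # to-be-signed fields: everything but the signature itself
        return "|".join(map(str, (self.serial, self.subject, self.issuer, self.pub_n,
                                  self.pub_e, self.not_before, self.not_after))).encode()

class CA:
    """Root (parent=None) signs its own certificate; a subordinate is certified by its parent,
    whose signature binds the subordinate's public key to its name."""
    def __init__(self, name: str, kp: KeyPair, today: int, parent: Optional["CA"] = None,
                 lifetime_days: int = 5 * 365):  # five years, the wizard's default
        self.name, self.kp, self.crl, self.next_serial = name, kp, set(), 1
        if parent is None:
            self.cert = Certificate(0, name, name, kp.n, kp.e, today, today + lifetime_days)
            self.cert.signature = sign(kp, self.cert.tbs())
        else:
            self.cert = parent.issue(name, kp.n, kp.e, today, lifetime_days)

    def issue(self, subject: str, n: int, e: int, today: int, days: int) -> Certificate:
        cert = Certificate(self.next_serial, subject, self.name, n, e, today, today + days)
        self.next_serial += 1
        cert.signature = sign(self.kp, cert.tbs())
        return cert

    def revoke(self, cert: Certificate) -> None:
        self.crl.add(cert.serial)  # the published CRL: serials that must no longer be trusted

def verify_chain(leaf: Certificate, pool: Dict[str, Certificate], roots: Dict[str, Certificate],
                 crls: Dict[str, set], today: int) -> Tuple[bool, str]:
    """Walk issuer by issuer up to a trusted root, checking validity, CRL and signature."""
    cert = leaf
    for _ in range(8):  # bound the walk; real chains are a handful of certificates
        if not cert.not_before <= today <= cert.not_after:
            return False, f"{cert.subject} is outside its validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return False, f"{cert.subject} is on the CRL published by {cert.issuer}"
        issuer = roots.get(cert.issuer) or pool.get(cert.issuer)
        if issuer is None:
            return False, f"no certificate found for issuer {cert.issuer}"
        if not verify(issuer.pub_n, issuer.pub_e, cert.tbs(), cert.signature):
            return False, f"signature on {cert.subject} does not verify"
        if cert.issuer in roots:
            return True, f"chains to trusted root {cert.issuer}"
        cert = issuer
    return False, "chain too long"

def demo(today: int = 19500) -> Dict[str, bool]:
    """Constructed scenario: enterprise root CA, subordinate CertServer, one mail-server cert."""
    root = CA("CN=KnightwareRoot,DC=knightware,DC=ca", make_keypair((1 << 61) - 1, (1 << 89) - 1), today)
    sub = CA("CN=CertServer,DC=knightware,DC=ca", make_keypair((1 << 31) - 1, (1 << 107) - 1), today, root)
    mail_kp = make_keypair((1 << 19) - 1, (1 << 127) - 1)
    mail = sub.issue("CN=mail.knightware.ca", mail_kp.n, mail_kp.e, today, 365)
    roots, pool = {root.name: root.cert}, {sub.name: sub.cert}
    crls = {root.name: root.crl, sub.name: sub.crl}
    def check(cert: Certificate, day: int) -> bool:
        return verify_chain(cert, pool, roots, crls, day)[0]
    wrapped = encrypt(mail.pub_n, mail.pub_e, 0xC0FFEE)  # a session key for the mail server
    forged = replace(mail, subject="CN=impostor")         # edit a field, keep the old signature
    results = {"valid_today": check(mail, today), "expired_later": check(mail, today + 400),
               "forged": check(forged, today),
               "session_key_recovered": decrypt(mail_kp, wrapped) == 0xC0FFEE}
    sub.revoke(mail)  # once revoked, the very same chain fails the CRL check
    results["after_revocation"] = check(mail, today)
    return results
```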
As with IIS, Certificate Services isn’t an actual role that can be set up with the
Configure Your Server Wizard. Instead, you must follow these steps:
1. Select Start | Control Panel | Add or Remove Programs.
2. Click Add/Remove Windows Components to display the Windows
Components Wizard, which provides a listing of available components to install.
3. In the list of available components, click the check box beside the Certificate
Services item so it is checked. A warning message will appear, stating that after
Certificate Services is installed, the name of the machine cannot be changed. This
is because the server’s name is bound to the CA information stored in AD, and
any changes to the name or domain membership would invalidate certificates
issued by this CA.
4. Click Yes to continue with the installation. (Clicking No will cancel it.)
5. You are presented with the window shown in Figure 2.7, which allows you to
specify the type of CA that will be set up. As mentioned earlier, you have the
option of creating an enterprise root CA, an enterprise subordinate CA, a stand-alone root CA, or a stand-alone subordinate CA.
Figure 2.7 Choosing a CA Type in the Windows Components Wizard
6. For this example, we will assume that this is the first CA being created and AD is
used. Select Enterprise root CA and click Next.
7. You are then presented with the window shown in Figure 2.8, which allows you to
provide information to identify the CA you’re creating. Enter a common name
and distinguished name suffix for the CA. Distinguished names give each object in AD a unique name. A distinguished name represents the
exact location of an object within the directory. This is comparable to a file being
represented by the full path, showing where it is located on the hard disk. With an
object in the directory, several components are used to create this name:
■ CN, which is the common name of the object, and includes such things as
user accounts, printers, and other network elements represented in the directory.
■ OU, which is the Organizational Unit. OUs are containers in the directory,
which are used to hold objects. To continue with our example of files on a
hard disk, this would be comparable to a folder within the directory structure.
■ DC, which is a domain component. This is used to identify the name of the
domain or server, and the DNS suffix (for example .com, .net, .edu, .gov, and
so forth).
When combined, these components of a distinguished name are used to show
the location of an object. In the case of the CA being created here, the common
name is CertServer, and the distinguished name suffix is the domain components.
This makes the distinguished name CN=CertServer,DC=knightware,DC=ca,
which you can see in the preview in Figure 2.8.
Figure 2.8 Entering CA Identifying Information in the Windows Components Wizard
8. Optionally, you can change the Validity period of certificates issued by the CA.
As shown in Figure 2.8, the default validity period is five years. You can modify
this by specifying a different number and whether the period is in Years,
Months, Weeks, or Days.
9. Click Next when you are finished entering CA identifying information.
10. This will bring you to the Certificate Database Settings window, shown in
Figure 2.9, where you can specify the location of the certificate database and log
file. By default, the database and log are named after the common name you specified for the CA, and each is stored in the System32 folder of the %systemroot%
(for example, C:\Windows\System32). Click Next to continue.
Figure 2.9 Choosing Certificate Database Settings in the Windows Components Wizard
11. A message box will appear informing you that IIS must be stopped before installation can continue. Clicking No will return you to the previous window.
Clicking Yes will stop the service and cause Windows to make the configuration
changes you requested from your selection. If ASP is not enabled on the machine,
a message box will interrupt the process, asking if you want to enable ASP.
Clicking Yes will enable ASP and continue the installation.
12. After the Wizard has finished copying the necessary files and changing system settings, click Finish to complete the installation process.
Application Servers and Terminal Servers
Application servers and terminal servers provide the ability for users to access applications
over the network. Rather than running solely on the client’s machine, all or parts of these
programs run on the server. This frees resources on the client machine and enables users to
benefit from newer application technologies.
Application Servers
Application servers allow users to run Web applications and distributed programs from the
server. Web applications are programs that use Internet technologies to provide functionality
and are accessible across networks and the Internet using Web browsers like Internet
Explorer. These programs are often created using ASP or XML. Applications can be created
in a wider variety of programming languages (such as Perl, Visual Basic, and Visual C++).
Distributed applications divide the program so that part of it runs on the client while the
rest runs on one or more servers. For example, a distributed program might have a user
interface that is installed on the client’s machine, which allows the user to access a SQL
Server database. In reality, the program might access a number of other network-aware programs, which correlate data from a number of different database systems and return it to the
client. By using the application server role, the server is configured to provide greater reliability and performance to these applications.
Because Web applications require Internet technologies, when Windows Server 2003 is
set up as an application server, IIS subcomponents such as ASP can be installed. As
explained earlier in this chapter, IIS is a Web server that comes with Windows Server 2003
and can be used to make Web applications available to users on the network. If IIS has been
installed, the application server role will appear as a configured role in the Manage Your
Server tool. This is despite the fact that only some components for the application server
role have been installed. To modify the installed components, you can either use the
Windows Components Wizard or the Configure Your Server Wizard.
As an example of configuring a server role, in Exercise 2.1, we will set up an application server in Windows Server 2003.
EXERCISE 2.01
ADDING AN APPLICATION SERVER ROLE TO WINDOWS SERVER 2003
1. Select Start | Administrative Tools | Manage Your Server.
2. When Manage Your Server starts, click the Add or remove a role
button.
3. When the Configure Your Server Wizard starts, read through the
information on the Preliminary Steps window, and then click Next.
4. After the Wizard checks your network settings and operating system
version, the Server Role window will appear. From the list, select
Application server (IIS, ASP.NET), as shown in Figure 2.10. Then click
Next to continue.
Figure 2.10 Choose the Application Server Role
5. The Application Server Options window appears, as shown in Figure
2.11. Here, you can add components that are used with IIS. Note that
IIS will be installed regardless of what you select on this page. Select
the FrontPage Server Extensions check box to add Web server extensions that allow content created with FrontPage, Visual Studio, and
Web Folders to be published to the IIS Web site. Select Enable ASP.NET
to allow Web-based applications created using ASP.NET to be used on
the site. After selecting the options you wish to add, click Next to
continue.
Figure 2.11 Select Application Server Options
6. The Summary of Selections window, shown in Figure 2.12, provides a
list of components that will be installed as part of the application
server configuration. Review these settings, and then click Next to
begin installing these components.
Figure 2.12 Review the Summary of Selections
7. After copying files, the Windows Components Wizard will open and
continue the installation. Once it has completed, you will be returned
to the Configure Your Server Wizard. Click Finish to complete the
installation.
Terminal Servers
Terminal servers allow remote access to applications using thin-client technology. This makes
the user’s machine act as a terminal emulator (similar to the concept of a dumb terminal).
The user connects to the terminal server using client software installed on their machine,
logs on to the Terminal Services session, and is presented with a user interface (normally a
Windows Server 2003 desktop). Keystrokes and mouse clicks generated by the user at the
client are sent to the terminal server. Updated screen images are sent back from terminal
server to the client system. When working in a session, the user is essentially working at the
server. All processing is occurring at the server, which is being interacted with through the
client software.
A benefit of Terminal Services is that users can run programs that they might otherwise
be unable to use. For example, a user running an older version of Windows might need to
use Office XP, but she doesn’t have the minimum requirements to install it. Through Terminal
Services, she can connect and be presented with a Windows Server 2003 desktop. If Office
XP is installed on the terminal server, the user can open and use the application. Because all
processing is actually occurring on the server, the user can run applications that are impossible to install on her local system.
There are a wide variety of clients that can use Terminal Services. Client software is
available for Windows 3.11 and later, as well as Macintosh and UNIX. Internet Explorer
can also be used to access a terminal server, using the Web client software.
EXAM 70-293 OBJECTIVE 1, 1.1
Planning a Server Security Strategy
The only truly secure network is one that is totally inaccessible. No one would be able to
misuse applications, damage equipment, delete data, or mistakenly modify information. In
providing this level of security, however, the network would also become useless, because it
could not provide the services and resources needed by users. Security is always a trade-off
between usability and protection. When planning security, you need to find an acceptable
balance between the need to secure your network and the need for users to be able to perform their jobs.
In creating a security plan, it is important to realize that the network environment will
never be completely secure. If people are willing to invest enough time, effort, and money
into hacking a system, they will probably find a way in. The goal is to make it difficult for
intruders to obtain unauthorized access, so it isn’t worth their time to try or continue
attempting to gain access. It is also critical to protect servers from potential disasters and to
have methods to restore systems if they become compromised.
A good security plan considers the needs of a company and tries to balance them with
its capabilities and current technology. As you’ll see in the sections that follow, this means
identifying the minimum security requirements for an organization, choosing an operating
system, and identifying the configurations necessary to meet these needs. To develop a security plan, you must identify the risks that potentially threaten a network, determine what
countermeasures are available to deal with them, figure out what you can afford financially,
and implement the countermeasures that are feasible.
EXAM 70-293 OBJECTIVE 1.4
Choosing the Operating System
In planning a strategy for server security, you will need to determine which operating systems will be used in the organization. Different network operating systems provide diverse
features that can be used as part of your security strategy. Whether you are setting up a new network and need to choose a server operating system, or you are unfamiliar with the operating systems used on an existing network, you need to know what security features each one offers
for managing and maintaining security.
Of course, there are non-Microsoft network operating systems available to use on your
server, but we will consider only the following Windows server systems here:
■ Windows NT Server 4
■ Windows 2000 Server
■ Windows 2000 Advanced Server
■ Windows 2000 Datacenter
■ Windows Server 2003 Standard Edition
■ Windows Server 2003 Enterprise Edition
■ Windows Server 2003 Datacenter Edition
■ Windows Server 2003 Web Edition
One of the first considerations for the operating system you choose will be the minimum system requirements for installing the operating system. Obviously, if your existing
server cannot handle a particular version of Windows, you will not be able to install it. If
this is the case, you will need to upgrade the hardware, purchase a new server to support
the operating system you want, or choose an operating system that does match the current
server’s hardware. The minimum system requirements for Windows server operating systems
are shown in Table 2.1.
NOTE
All of the Windows server operating systems also require a CD-ROM or DVD drive
(except Windows NT Server 4, which does not use a DVD drive), a VGA or higher-resolution monitor, a keyboard, and a mouse.
Table 2.1 Minimum System Requirements for Windows Server Operating Systems

Windows NT Server 4
  Computer/Processor: 486/33 MHz or higher, Pentium, or Pentium Pro processor
  Memory (RAM): 16MB; 32MB recommended
  Hard Disk: Intel and compatible systems: 125MB available hard disk space minimum. RISC-based systems: 160MB available hard disk space
  CPU Support: Up to 4 CPUs (retail version); up to 32 CPUs available from hardware vendors

Windows 2000 Server
  Computer/Processor: 133 MHz or higher Pentium-compatible CPU
  Memory (RAM): At least 128MB; 256MB recommended; 4GB maximum
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: Up to 4 CPUs

Windows 2000 Advanced Server
  Computer/Processor: 133 MHz or higher Pentium-compatible CPU
  Memory (RAM): At least 128MB; 256MB recommended; 8GB maximum
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: Up to 8 CPUs

Windows 2000 Datacenter
  Computer/Processor: Pentium III Xeon processors or higher
  Memory (RAM): 256MB
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: 8-way capable or higher server (supports up to 32-way)

Windows Server 2003 Standard Edition
  Computer/Processor: 133 MHz
  Memory (RAM): 128MB
  Hard Disk: 1.5GB
  CPU Support: Up to 4 CPUs

Windows Server 2003 Enterprise Edition
  Computer/Processor: 133 MHz for x86-based computers; 733 MHz for Itanium-based computers
  Memory (RAM): 128MB
  Hard Disk: 1.5GB for x86-based computers; 2GB for Itanium-based computers
  CPU Support: Up to 8 CPUs

Windows Server 2003 Datacenter Edition
  Computer/Processor: 400 MHz for x86-based computers; 733 MHz for Itanium-based computers
  Memory (RAM): 512MB
  Hard Disk: 1.5GB for x86-based computers; 2GB for Itanium-based computers
  CPU Support: Minimum 8-way capable machine required; maximum 64

Windows Server 2003 Web Edition
  Computer/Processor: 133 MHz
  Memory (RAM): 128MB
  Hard Disk: 1.5GB
  CPU Support: Up to 2 CPUs
Beyond the minimum requirements, you will need to look at the features available in
different versions and editions of Windows, and how they can be used to enhance network
security. The progression from one version to another has offered improvements and additions to security, with Windows Server 2003 offering the most security features. By identifying which features are necessary for your organization, you can create a network that
provides the necessary functionality and security.
Security Features
Windows 2000 offers a number of new security features that were not previously available
in Windows NT. Many of the features we’ll discuss next were implemented in Windows
2000 and have been updated in Windows Server 2003. In addition, new features have been
added that make Windows Server 2003 the most secure Windows server product Microsoft
has ever marketed.
Windows 2000 Server was the first version to provide encryption of data over the network and in the file system. IPSec allows encryption of data across the network. EFS uses a
public key system to encrypt data on hard disks. Encryption ensures that unauthorized parties are unable to view the data if they gain access to it.
Windows 2000 was also the first version to provide built-in support for smart cards.
Smart cards are generally the size of a credit card and have the ability to store data. When a
smart card is inserted into a smart card device, it provides information that can be used for
authentication and other purposes. With smart cards, the security of a network can be
greatly enhanced because it is necessary to physically possess the card to log on.
A major advance that first appeared in Windows 2000 was Kerberos authentication.
Kerberos version 5 is an industry-standard security protocol that uses mutual authentication
to verify the identity of a user or computer, as well as the network service that is being
accessed. In Windows 2000 Server and later, Kerberos is the default authentication service.
With Kerberos, each party to a transaction proves that they are who they claim to be
through the use of tickets. A Kerberos ticket is encrypted data that is issued for authentication. Tickets are issued by a Key Distribution Center (KDC), which is a service that runs on
every domain controller. When a user logs on, the user authenticates to AD using a password or smart card. Because the KDC is part of AD, the user also authenticates to the KDC
and is issued a session key called a ticket granting ticket (TGT). The TGT is generally good
for as long as the user is logged on and is used to access a ticket-granting service that provides another type of ticket: service tickets. A service ticket is used to authenticate to individual services by providing a ticket when a particular service is needed.
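The TGT and service-ticket exchanges described above, as an added Python model that is not part of this book or of the Windows Kerberos implementation. It assumes a JSON record sealed with a SHA-256 keystream and HMAC in place of real Kerberos encryption types, a simplified ticket layout, and constructed principals and secrets.

```python
"""Toy model of the Kerberos v5 ticket flow described in this chapter: a user logs on to
the KDC and gets a TGT, trades the TGT for a service ticket, and both sides authenticate.
The seal()/unseal() helper (SHA-256 keystream plus HMAC) stands in for Kerberos encryption
types so the example runs with the standard library; principals and secrets are constructed."""
import hashlib, hmac, json, os

def key_from_secret(secret: str) -> bytes:
    """Long-term key derived from a password or service secret (real Kerberos salts this)."""
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt-then-MAC a small JSON record; only a holder of key can read or alter it."""
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _stream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC before decrypting: a wrong key or a tampered ticket raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise PermissionError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body)))))

class KDC:
    """The Key Distribution Center, a service on every domain controller, holds every
    principal's long-term key plus its own 'krbtgt' key that protects TGTs."""
    def __init__(self, principals: dict, ticket_life: int = 36000):
        self.keys = {name: key_from_secret(secret) for name, secret in principals.items()}
        self.life = ticket_life

    def as_exchange(self, user: str, now: int) -> dict:
        """AS-REQ/AS-REP: the TGT is sealed under the krbtgt key, so the client cannot read
        it; the TGT session key is sealed under the user's key, so only the real user can."""
        session = os.urandom(16).hex()
        tgt = seal(self.keys["krbtgt"], {"client": user, "key": session, "expires": now + self.life})
        enc = seal(self.keys[user], {"key": session, "expires": now + self.life})
        return {"tgt": tgt, "enc": enc}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> dict:
        """TGS-REQ/TGS-REP: the TGT says who the client is; the authenticator, sealed under
        the TGT session key, proves the presenter holds that key and is not replaying."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired; log on again")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise PermissionError("authenticator does not match the TGT or is stale")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session,
                                           "expires": now + self.life})
        return {"ticket": ticket, "enc": seal(bytes.fromhex(t["key"]), {"key": svc_session})}

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> tuple:
    """The service never contacts the KDC: its own key opens the ticket, the ticket's session
    key checks the authenticator, and the returned AP-REP proves the service's identity."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator was not made by the ticket's client")
    return t["client"], seal(bytes.fromhex(t["key"]), {"time": a["time"]})  # AP-REP

def logon_and_access(kdc: KDC, user: str, password: str, service: str, now: int) -> str:
    """Client side of the whole flow; returns the principal name the service accepted."""
    rep = kdc.as_exchange(user, now)
    tgt_key = bytes.fromhex(unseal(key_from_secret(password), rep["enc"])["key"])  # wrong pw raises
    srep = kdc.tgs_exchange(rep["tgt"], seal(tgt_key, {"client": user, "time": now}), service, now)
    svc_key = bytes.fromhex(unseal(tgt_key, srep["enc"])["key"])
    # AP-REQ: hand the service its ticket plus a fresh authenticator, then check the AP-REP.
    accepted, ap_rep = service_accepts(kdc.keys[service], srep["ticket"],
                                       seal(svc_key, {"client": user, "time": now}), now)
    if unseal(svc_key, ap_rep)["time"] != now:
        raise PermissionError("service failed mutual authentication")
    return accepted

def try_logon(kdc: KDC, user: str, password: str, service: str, now: int) -> bool:
    """True when the full exchange succeeds, False when any check rejects it."""
    try:
        return logon_and_access(kdc, user, password, service, now) == user
    except PermissionError:
        return False
```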
As mentioned earlier in this chapter, AD is a directory service that was first introduced
in Windows 2000 Server. Because AD was not available when Windows NT 4 was released,
it cannot be installed on a Windows NT server. Once AD is installed on Windows 2000
Server or Windows Server 2003, the server becomes a domain controller that can be used
for authentication and management of user accounts and other objects in AD.
When AD is installed, a number of features and tools become available.There are three
graphical tools that can be used with Windows 2000 Server or Windows Server 2003:
■ Active Directory Users and Computers This utility allows you to administer
user and computer accounts, groups, printers, OUs, contacts, and other objects
stored in AD. Using this tool, you can create, delete, modify, move, organize, and
set permissions on these objects.
■ Active Directory Domains and Trusts This utility allows you to manage
domains and the trust relationships between them. Using this tool, you can create,
modify, and delete trust relationships; create and remove user principal name
(UPN) suffixes; raise the domain mode (Windows 2000 Server only); and raise
domain and forest functional levels (Windows Server 2003 only).
■ Active Directory Sites and Services This utility allows you to create and
manage sites, and control how the directory is replicated within a site and
between sites. Using this tool, you can specify connections between sites and how
they are to be used for replication.
EXAM WARNING
Active Directory Users and Computers, Active Directory Domains and Trusts, and
Active Directory Sites and Services are tools that are installed with AD. These tools
are not available on servers that have not been configured as domain controllers.
They are the primary tools for interacting with AD, and they allow you to configure
different aspects of the directory.
A new feature in Windows Server 2003 is that AD allows you to select multiple user
objects, so that you can change the attributes of more than one object at a time. After
selecting two or more user objects in Active Directory Users and Computers, you can bring
up the properties and modify some of the attributes that are common to each of these
objects. This makes it faster to manage users, because you do not need to make changes to
one account at a time.
Windows Server 2003 AD also provides the ability to drag and drop objects into containers. To use this feature, select an object with your mouse, hold down your left mouse button to drag the object to another location (such as an OU), and release the button to drop the object into the container. This ability also makes it easy to add user and group objects to groups. Dragging and dropping a security principal’s object (user, computer, or group) into a group adds it to the group membership.
In addition to these graphical tools, Windows Server 2003 also provides a number of command-line utilities for managing AD. Using these tools, you can perform management tasks through the textual interface of the command prompt. These tools allow administrators to manually enter commands to run operations from a command prompt or use the commands in batch files and scripts that can be scheduled to run at specific times.
Another new Windows Server 2003 feature is that domain controllers can be created
from backups. Backups are used to copy data to other media, such as tapes, and can be used
to restore lost data if problems arise. For example, if the hard drive on a server fails, you can
use the backup to restore the data to a new drive and have the server up and running
again. This same process can be used to restore AD to a new domain controller, so you do
not need to replicate the entire directory across the network. Allowing domain controllers
to be added to an existing domain through the use of backups is of great benefit when you
are setting up a new domain controller across a slow WAN link from the nearest existing
domain controller.
Functional Levels
When a Windows Server 2003 domain controller is created on a network, AD is installed
with a basic set of features. Additional features can be enabled, depending on the operating
systems running as domain controllers and the functional level that is configured for the
domain or forest.
NOTE
Windows 2000 contained two modes: mixed and native. In Windows Server 2003,
these are now called functional levels, but they remain unchanged. Just as
Windows 2000 installed in mixed mode, Windows Server 2003 installs in the
Windows 2000 mixed functional level. In Windows 2000, there was only one level
of forest operation. Modes existed only at the domain level. With Windows Server
2003, there are domain functional levels and separate forest functional levels. In
order to raise the forest functional level, the functional level of all domains in the
forest must be set to the appropriate level.
Domain Functional Levels
The domain functional level determines which servers are supported in a domain and the
features that are available in AD. When one or more Windows 2003 Server computers are
installed on a domain, the domain functional level can be set for AD. At lower levels, older
versions of Windows servers can still be used in the domain, but more advanced features for
AD are sacrificed. At the highest level, only Windows 2003 Server machines can be used in
the domain, and a full set of these advanced features become available. By not setting the
domain functionality to an appropriate level, you may be forfeiting a number of the features
you need for your network.
There are four different levels of functionality for AD:
■ Windows 2000 mixed Allows domains to contain Windows NT Backup Domain Controllers (BDCs) that can interact with the PDC emulator in a Windows Server 2003 AD domain. In this level, the basic features of AD are available. However, you cannot use additional group nesting, universal security groups, or security ID histories (SIDHistory) when moving accounts between domains. Because it accommodates the widest variety of domain controllers on your network, this is the default level of functionality when a Windows Server 2003 domain controller is installed.
■ Windows 2000 native The highest mode available for Windows 2000 and the next highest level for Windows Server 2003 domain controllers. This functional level removes support for replication to Windows NT BDCs, so these older servers are unable to function as domain controllers. In this level, only Windows 2000 and Windows Server 2003 domain controllers can be used, and support for universal security groups, SIDHistory, and group nesting becomes available.
■ Windows Server 2003 interim New in Windows Server 2003, this level is used when your domain consists of Windows NT and Windows Server 2003 domain controllers. It provides the same functionality as Windows 2000 mixed mode, but is used when you are upgrading Windows NT domains directly to Windows Server 2003. If a domain has never had (and will not have) Windows 2000 domain controllers, this is the level used for performing an upgrade.
■ Windows Server 2003 The highest functionality level for AD, this level is used when there are only Windows Server 2003 domain controllers in the domain. When this level is set for the domain, a number of additional features are enabled, which we’ll discuss shortly.
If you’re upgrading from Windows 2000 Server on your network, you’re probably familiar with the first two levels. Each of these appeared in Windows 2000 and allowed control of which operating systems were supported and the features that were available in AD. Windows 2000 mixed mode provides backward-compatibility with older operating systems like Windows NT 4, allowing Windows NT BDCs to still be used in a domain. Windows 2000 native mode restricted the domain to using only Windows 2000 Server machines on the network, and it provided an expanded feature set for AD. In Windows 2003 Server, these modes are now referred to as functional levels, and they allow Windows 2003 Server to provide backward-compatibility to domain controllers using these operating systems. In addition to these functional levels, Windows 2003 also introduces two new domain functional levels that were not available in the previous versions: Windows Server 2003 interim and Windows Server 2003.
The tool used to raise domain and forest functional levels is Active Directory Domains and Trusts. To raise a domain level, right-click the domain in the left console pane and click Raise Domain Functional Level in the context menu. The Raise Domain Functional Level dialog box appears, as shown in Figure 2.13. Select the functional level that you want, and then click Raise.
Figure 2.13 Raising the Domain Functional Level
When raising the domain functional level, it is important to remember that it is a one-way change. After raising the level, you cannot lower it. For example, if you raise the domain from Windows 2000 mixed to Windows Server 2003, you cannot return the level to Windows 2000 mixed again. This means that you cannot add Windows NT BDCs or Windows 2000 domain controllers to the domain after the upgrade. If you attempt to change the domain functional level after raising it to Windows Server 2003, a dialog box similar to the one shown in Figure 2.14 will be displayed.
Figure 2.14 Attempting to Change a Domain Functional Level After Raising the Functional Level
After all domain controllers are running Windows Server 2003 and the domain functional level has been raised to Windows Server 2003, new features are automatically available. One such feature is the domain controller renaming tool, which allows you to rename a domain controller without needing to demote it first. This can be useful when you need to restructure the network or simply wish to use a more meaningful name for a particular domain controller. When you use this tool, AD and DNS entries for the renamed domain controller are automatically updated.
NOTE
You can also rename domains using the domain rename utility (rendom.exe). Using
this tool, you can change the NetBIOS and DNS names of a domain, including any
child, parent, domain tree, or forest root domains. By renaming domains, you can
move them in the DNS hierarchy. For example, you can change the name of
dev.web.syngress.com to dev.syngress.com, placing the web.syngress.com and
dev.syngress.com domains on the same level of the hierarchy. You can even rename
a domain so that it becomes part of a completely different domain tree. The only
domain that you cannot reposition in this manner is the forest root domain.
The Windows Server 2003 domain functional level also provides a new attribute for
user and computer accounts. The lastLogonTimestamp is added to user and computer objects, and it is replicated within the domain to all domain controllers, so that the last time these accounts were used to log on to the domain can be recorded. This way, a history of
the user or computer account is created.
Another feature that becomes enabled when the domain functional level is raised is the
ability to add a password to InetOrgPerson accounts. InetOrgPerson is an object class in AD
that is used to create accounts that represent users in non-Microsoft directory services, and
it is used in the same way as a user object. Other network operating systems, such as Novell
NetWare, use their own implementations of a directory service, which are not always compatible with AD. InetOrgPerson is used to assist applications written for other directories or
when migrating from these directory services to AD. Object classes are sets of attributes
used to determine which attributes an object may have when it is created. Using the
InetOrgPerson class, you can create a type of user account that is compatible with accounts
from other directory services.
The features we’ve covered so far are only available in the Windows Server 2003 functional level. However, other features for the Windows Server 2003 level may also be available when lower functional levels are implemented. Windows 2000 native and Windows Server 2003 functional levels provide the ability to nest security and distribution groups in one another. Security groups are used to assign permissions and rights to groups of accounts, rather than modifying each account individually. Distribution groups are used to send bulk e-mail to large groups of users as a single entity. By nesting groups, one group can be added as a member of another group, saving the need to repeatedly add the same accounts to the membership of various groups.
Limited group nesting is available for domains running in Windows 2000 mixed mode. When this functional level is used, group nesting for distribution groups is allowed, but there is limited support for security groups. You can nest security groups only if you are adding global groups to the membership of domain local security groups. Aside from this, nesting isn’t permitted.
New & Noteworthy...
InetOrgPerson Object Class
The InetOrgPerson object class and the attributes it contains originate from RFC 2798. RFC is an acronym for Request for Comments; an RFC is a document used to specify information and/or technical specifications. RFC 2798 was created by the Internet Engineering Task Force (IETF) to address the need for a class of user that accessed directory services over the intranet or Internet. This class of user was designed to hold attributes about people who accessed the directory using the Lightweight Directory Access Protocol (LDAP) in this way.
Because of the need for this type of user class, Microsoft provided a kit that added an InetOrgPerson object class to the schema in Windows 2000. The schema is part of AD and defines the classes of objects and the attributes that can be used in AD. In Windows Server 2003, an InetOrgPerson object class is included in the AD schema as a type of user class that can be used by LDAP applications that require this type of object and when migrating to AD from other directory services. This saves administrators from needing to extend the schema to create a new InetOrgPerson object class.
Another benefit of the Windows 2000 native or Windows Server 2003 functional level
is that universal security groups can be used. (Domains that have the functional level set to
Windows 2000 mixed do not allow universal security groups to be created.) Universal
security groups can contain accounts and groups from any domain in the forest, and they
can also be assigned permissions to resources in any domain in the forest. In this situation,
the group can contain user accounts, global groups, and universal groups from any domain
in the forest, and it can be assigned permissions to resources in any domain. Universal distribution groups can be used at any functional level, including Windows 2000 mixed.
In summary, some features are available but limited in the Windows 2000 mixed functional level. In other cases, however, support for a particular feature isn’t available at all.
Windows 2000 native or Windows Server 2003 functional levels provide the ability to convert groups. Each of these higher functional levels allows conversion between security
groups and distribution groups. In addition, the Windows 2000 mixed functional level does
not support SIDHistory, which allows user and computer accounts to be moved from one
domain to another without affecting existing permissions. By failing to raise the functional
level of a domain, you make several features unavailable to it.
Forest Functional Levels
In addition to the domain functional level, you can also set the functional level of a forest. A domain functional level is individually set for each domain. The forest functional level is set for the entire forest and thereby affects all domains within that forest. There are three different forest functional levels:
■ Windows 2000
■ Windows Server 2003 interim
■ Windows Server 2003
By default, the functional level of a forest is set to Windows 2000. The Windows 2000 forest functional level allows Windows NT, Windows 2000, and Windows Server 2003 domain controllers on the network. However, it also provides fewer features than the higher functional levels. Elevating the functional level of a forest enables additional features. At the Windows Server 2003 interim level, domain controllers running Windows NT Server 4 and Windows Server 2003 can exist within the forest. This level is used when directly upgrading from Windows NT 4 to Windows Server 2003. When the default level is raised to Windows Server 2003, additional features in AD become available.
To raise the forest functional level, all domains in the forest must consist only of
domain controllers running Windows Server 2003. In addition, the functional level of all
domains must be set to Windows 2000 native or higher. After the functional level has been
raised, all domains will have their functional level set at Windows Server 2003, even if it was
set at Windows 2000 native prior to the forest level being elevated.
Like domain functional levels, forest functional levels are raised using Active
Directory Domains and Trusts. As shown in Figure 2.15, this tool has an Active
Directory Domains and Trusts node in the left pane. Right-click this node and click
Raise Forest Functional Level in the context menu. You will see a dialog box that is
similar to the one for raising the domain functional level (see Figure 2.14). Select the new
functional level from the drop-down list, and then click Raise to complete the task.
Figure 2.15 Using Active Directory Domains and Trusts
As with domain functional levels, raising the forest functional level is a one-way
change. After raising the level, you cannot lower it. Therefore, it is important that you
decide which domain controllers exist on your network or may be added in the future
prior to raising the level. If older operating systems are used for domain controllers in the
forest, you will need to upgrade them before raising the level, and you will not be able to
add these older systems after you make this change.
By raising the functional level to Windows Server 2003, new features become available
to the forest. One such feature is the ability to create forest trusts. Forest trusts are one or
two-way transitive trust relationships between two different forests. A trust relationship
allows pass-through authentication, so users who are authenticated in a trusted domain can
use resources in a trusting domain. Because the trust between a parent and child domain is
bidirectional, meaning that both domains trust one another, users in each domain can access
resources in the other domain. This expands the network, so users are able to use services
and resources in both forests.
NOTE
Forest trusts are new in Windows Server 2003. They involve a great deal of complexity that does not exist in other trust relationships. It is important to note that
when a forest trust exists, the Global Catalog for each forest remains separate.
Much of the additional complexity stems from this fact. When a user who is
logged on to a domain in one forest attempts to access resources in a domain
located in the other forest, special pointers in the local forest’s Global Catalog
must be present. The default settings often allow for a free exchange of users in
each direction the trust allows. For maximum security, these pointers should be
manually configured by an administrator, so that only specific domains or
resources on each side of the trust are accessible from across the trust.
To improve the performance of replication across the network, the Windows Server 2003 level allows linked value replication. To ensure that all domain controllers have a duplicate copy of AD, directory data is replicated between them. Linked value replication improves replication by having less information copied between domain controllers. Rather than treating the entire membership of a group as a single unit of replication, linked value replication allows individual members of groups to be replicated (instead of the entire group).
When the functional level is raised to Windows Server 2003, you can make additional
modifications to the schema by disabling classes and attributes. When a particular type of object or an attribute is no longer needed in an object, the class or attributes within it can be deactivated. The ability to disable schema objects was available in Windows 2000, but
Windows Server 2003 provides the ability to reactivate them again when needed. If schema
objects are no longer required, you can deactivate them, and then reactivate them later if
the situation changes. (Although classes and attributes can be disabled, they cannot be
deleted.)
Now that we’ve discussed raising the domain and forest functional levels, let’s look at
the procedure for doing it. Exercise 2.2 will walk you through the process of raising both of
these functional levels, so that all of the features discussed earlier are available for use.
EXERCISE 2.02
RAISING DOMAIN AND FOREST FUNCTIONALITY
The following steps should not be performed on a production network. This
exercise assumes that all domain controllers in the domain are running
Windows Server 2003. After raising the functional levels, you will not be able
to roll back to a previous level.
1. Select Start | Administrative Tools | Active Directory Domains and
Trusts.
2. When Active Directory Domains and Trusts opens, expand the Active
Directory Domains and Trusts node and select your domain.
3. Select Action | Raise Domain Functional Level.
4. In the Raise Domain Functional Level dialog box, select Windows
Server 2003 from the drop-down list, and then click the Raise button.
5. A warning message will appear, informing you that this action will
affect the entire domain and cannot be reversed. Click OK.
6. After you raise the level, a message box will inform you that the action
was successful. Click OK to continue.
7. Select the Active Directory Domains and Trusts node.
8. Select Action | Raise Forest Functional Level.
9. In the Raise Forest Functional Level dialog box, select Windows
Server 2003 from the drop-down list, and then click the Raise button.
10. A warning message will appear, informing you that this action will
affect the entire forest and cannot be reversed. Click OK.
11. After you raise the level, a message box will inform you that the action
was successful. Click OK, and then exit the utility.
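Because steps 4 and 9 cannot be reversed, a read-only pre-flight check is worth running first. The following PowerShell script is an added example, not part of the book's exercise: it reads the functional levels that Windows Server 2003 publishes on RootDSE and lists every domain controller account with its operating system, so the Raise button is only clicked once no Windows NT or Windows 2000 domain controller remains. The function names are the example's own, and it assumes a domain-joined machine with System.DirectoryServices available.

```powershell
# Added example (not the book's code): pre-flight check before raising the domain
# and forest functional levels. Reads only; it changes nothing in the directory.
# Assumes a domain-joined machine; function names are this example's own.

# Meaning of the domainFunctionality / forestFunctionality values on RootDSE
$levelNames = @{
    0 = 'Windows 2000'                  # for a domain: mixed or native, see ntMixedDomain
    1 = 'Windows Server 2003 interim'
    2 = 'Windows Server 2003'
}

function Get-FunctionalLevels {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainDn = [string]$rootDse.defaultNamingContext.Value
    $domain   = [ADSI]"LDAP://$domainDn"

    # A Windows 2000 DC does not publish these attributes; [int]$null becomes 0
    $domainLevel = [int]$rootDse.domainFunctionality.Value
    $forestLevel = [int]$rootDse.forestFunctionality.Value
    $domainName  = $levelNames[$domainLevel]
    if ($domainLevel -eq 0) {
        # ntMixedDomain on the domain object: 1 = Windows 2000 mixed, 0 = native
        if ([int]$domain.ntMixedDomain.Value -eq 1) { $domainName += ' mixed' }
        else                                        { $domainName += ' native' }
    }
    [pscustomobject]@{
        DomainDn    = $domainDn
        DomainLevel = $domainName
        ForestLevel = $levelNames[$forestLevel]
    }
}

function Get-DomainControllerInventory {
    param([string]$DomainDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$DomainDn"
    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks DC accounts;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule
    $searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'operatingSystem'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Name            = [string]($result.Properties['name'] | Select-Object -First 1)
            OperatingSystem = [string]($result.Properties['operatingsystem'] | Select-Object -First 1)
        }
    }
}

function Test-ReadyForWindowsServer2003Level {
    # $true only when every DC account in this domain reports Windows Server 2003.
    # An empty operatingSystem (typical of a Windows NT BDC account) counts as not ready.
    param([object[]]$DomainControllers)
    $blocking = @($DomainControllers | Where-Object {
        $_.OperatingSystem -notlike 'Windows Server 2003*'
    })
    foreach ($dc in $blocking) {
        Write-Warning ("{0}: operating system '{1}' blocks raising the level" -f $dc.Name, $dc.OperatingSystem)
    }
    return ($blocking.Count -eq 0)
}

# Run this in every domain of the forest before raising the forest level (step 9)
$levels = Get-FunctionalLevels
$levels | Format-List
$dcs = @(Get-DomainControllerInventory -DomainDn $levels.DomainDn)
$dcs | Format-Table -AutoSize
if (Test-ReadyForWindowsServer2003Level -DomainControllers $dcs) {
    'All domain controllers in this domain report Windows Server 2003; the level can be raised.'
}
```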
EXAM 70-293 OBJECTIVE 1.4.1
Identifying Minimum Security Requirements for Your Organization
Before you can begin implementing security measures, you need to know what needs protecting. Different organizations have different needs, so the systems and data that are essential to one company may be superfluous to another. For this reason, the security planning process involves considerable analysis. You need to determine which risks could threaten a company, what impact these threats would have on the company, the assets that the company needs to function, and what can be done to minimize or remove a potential threat.
Risk is the possibility of experiencing some form of loss. This isn’t to say that a risk will become a real problem, only that it has the potential of happening. To address risks, you need to determine which events and factors in an organization are potential threats, and then devise ways to deal with them before they become actual problems. There are many different risks that can affect an organization, and the types of risks will often vary from business to business. The following are the main types of threats:
■ Environmental threats, such as natural and man-made disasters
■ Deliberate threats, where a threat was intentionally caused
■ Accidental threats, where a threat was unintentionally caused
Environmental threats can be natural disasters, such as storms, floods, fires, earthquakes, tornadoes, and other acts of nature. The types of disasters that can occur generally vary from one geographical region to another. For example, a business in California might be more prone to earthquakes, while an organization in Canada might be at risk of severe snowstorms. When dealing with this type of disaster, it is important to analyze the entire company’s risks, considering any branch offices located in different areas that may be prone to different natural disasters.
Human intervention can create problems as devastating as any natural disaster. Man-made disasters can also occur when someone creates an event that has an adverse impact on the company’s environment. For example, faulty wiring can cause a fire or power outage. In the same way, a company could be impacted by equipment failures, such as the air conditioning breaking down in the server room, a critical system failing, or any number of other problems.
The deliberate threat type is one that has appeared numerous times in the news over the last number of years. These types of threats result from malicious persons or programs, and they can include potential risks such as hackers, viruses, Trojan horses, and various other attacks that can damage data and equipment or disrupt services. This type of threat can also include disgruntled employees who have authorized access to such assets and have the ability to harm the company from within.
Many times, internal risks are not malicious in nature, but accidental. Employees can accidentally delete a file, modify information with erroneous data, or make other mistakes that cause some form of loss. Because people are fallible by nature, this type of risk is one of the most common.
Each business must identify the risks it may be in danger of confronting and determine
what assets will be affected by a potential problem. Assets are property and resources that
have value to the company, and they can include the following:
■ Hardware Servers, workstations, hubs, printers, and other equipment.
■ Software Including commercial software (which is purchased off the shelf) and in-house software (which is developed by programmers working for the company).
■ Data Including documents, databases, and other files needed by the business.
■ Personnel Employees who perform necessary tasks in the company (for example, the network administrator who knows how to restore damaged systems from a backup).
■ Sundry equipment Office supplies, furniture, tools, and other assets needed for the business to function properly.
■ Facilities The physical building and its components.
As you can see, any number of risks could result in the loss of a wide variety of assets.
For example, a fire could destroy a building, including the facilities containing servers that
store critical software and data. It might also injure key personnel who are necessary for the
business to function. With one disaster, an entire company can be crippled.
When identifying minimum security requirements, it is important to determine the
value and importance of assets, so you know which are vital to the company’s ability to
function. You can then prioritize risk, so that you can protect the most important assets of
the company and implement security measures to prevent or minimize potential threats.
TEST DAY TIP
Questions dealing with identifying the minimum security requirements will be
mixed with issues directly related to Windows Server 2003. They will test your
knowledge by matching the minimum requirements shown in a scenario against
the features and functionality of Windows Server 2003.
Determining the value and importance of assets can be achieved in a number of ways. Keeping an inventory of assets owned by the company will allow you to identify the equipment, software, and other property owned by the company. By referring to this list, you can see the possessions of the business, and you can update this list to reflect the current monetary value. For example, you could see that a new server has specific software and hardware installed on it, and it would cost a specific amount to replace. In the same light, an older server may cost less to replace, but contain sensitive data that makes it valuable to the company.
To determine the importance of data and other assets, and thereby determine what is
vital to secure, you can meet with department heads. Doing so will help you to identify the
data and resources that are necessary for people in each department to perform their jobs.
For example, a Human Resources department might specify that a particular database is
used for critical information and that specific software is needed. At the same time, you
could find that a folder on the server contains a Web site used by employees to advertise
items for sale, upcoming events, and other material that is not work-related. By discovering
this information, you make great strides in being able to protect the work-related material
while expending little to no effort in preserving non-work-related files. You will also probably find that you need the assistance of the Accounting department to determine appropriate values.
In addition to interviewing different members of an organization, review the corporate
policies for specifications of minimum security requirements. For example, a company may
have a security policy stating that all data is to be stored in specific folders on the server,
and that the IT staff is required to back up this data nightly. Such policies may not only
provide insight on what is to be protected, but also what procedures must be followed to
provide this protection.
Organizational policies are not the only method of acquiring information on security
requirements. Companies may be required to protect specific assets by law or to adhere to
certain certification standards. For example, hospitals are required to provide a reasonable
level of security to protect patient records. This may include implementing firewalls to prevent hackers from accessing these files through the Internet. If such requirements are not
met, an organization can be subject to legal action.
Identifying Configurations to Satisfy Security Requirements
To protect assets from risks that were identified as possible threats to a business, countermeasures must be implemented. Servers will need certain configurations to provide security,
and plans must be put into practice. By applying methods to protect assets, the potential loss
can be minimized or removed, and the security requirements of a business can be met.
Compare the risks faced by an organization with an operating system’s features to find
support that will address certain threats. Configuring the server to use these services or
tools can assist in dealing with potential problems. For example, installing AD and using
domain controllers on a network can heighten security and provide the ability to control
user access and security across the network. In the same way, configuring a file server to use
EFS so that data on the server’s hard disk is encrypted can augment file security. Using
security features in an operating system allows you to minimize many potential threats.
The same technique should be used when determining which roles will be configured on servers. As described earlier in this chapter, different server roles provide different services to a network. By comparing the functionality of a server role to the needs of a company, you can identify which roles are required. For example, if you need secure communication and transmission of data on a network, configuring IPSec will be a viable solution. Similarly, configuring servers to be DNS or WINS servers will provide name resolution. Domain controllers allow you to benefit from AD. By understanding what people need in your organization, you can determine which server roles must be configured.
Although it may be tempting to configure a server with every possible role, this can cause problems. When a server is configured to play a certain role in an organization, a number of different services, tools, and technologies may be installed and enabled. Because there is a possibility these may be exploited, you should avoid this risk by never installing more roles than are needed. Always disable any unneeded services on the server.
Although roles are helpful, running a wizard to configure servers in a particular role isn’t enough to create a secure environment. Additional steps should be followed to protect these servers and the data, applications, and other resources they provide. By customizing servers in this manner, you can ensure that the company will be able to benefit from Windows Server 2003 without compromising security. We’ll discuss these steps in the “Customizing Server Security” section later in this chapter.
EXAM 70-293 OBJECTIVE 1, 1.2
Planning Baseline Security
Security templates allow you to apply security settings to machines. These templates provide a baseline for analyzing security. Templates are .inf files that can be applied to computers manually or by using Group Policy Objects (GPOs).
Security Templates and Tools
There are numerous settings, or customizable security policies, that you can apply through security templates, including the following:
■ Account Policies Include password policies, Kerberos policies, and account lockout policies.
■ Local Policies Include user rights, audit policies, and other security options.
■ Event Log Include configuration options for the Application, System, and Security event logs that can be viewed through Event Viewer.
■ Restricted Groups Used to specify group memberships.
■ System Services Used to configure permissions and startup options for services.
■ Registry Used to specify permissions and for auditing Registry objects.
■ File System Used to specify permissions and for auditing files and folders.
You can create and edit security templates using the Security Templates snap-in for the Microsoft Management Console (MMC), as explained in the “Creating Custom Security Templates” section later in this chapter. This tool allows you to manage your own templates, but you can also use predefined templates that come with Windows Server 2003. The next sections describe the predefined templates and the tools for working with security settings.
Predefined Templates
The Windows Server 2003 predefined templates are located in the %systemroot%\Security\Templates directory. The following templates are available:
■ compatws.inf Relaxes security settings on a workstation or server, so that otherwise incompatible applications have a chance of working.
■ DC security.inf Contains the default security settings for a domain controller.
■ hisecdc.inf Contains high-level security settings for domain controllers.
■ hisecws.inf Contains high-level security settings for workstations.
■ rootsec.inf Contains the default security settings for the system volume (%systemdrive%).
■ iesacls.inf Contains settings to lock down Internet Explorer.
■ securedc.inf Contains enhanced security settings for domain controllers.
■ securews.inf Contains enhanced security settings for workstations.
■ setup security.inf Contains the default security settings for a default installation of Windows Server 2003.
These templates are described in more detail in the following sections.
Compatws Template
The compatws template is used to provide users with access to applications that do not function properly with full system security in place. The compatws template relaxes user permissions so that programs are more likely to run without errors. It also removes any members of the Power Users group. Many administrators solve their application problems by adding users to the Power Users group. However, members of this group also have the ability to create users, groups, shares, and printers. Overall, this template erodes system security and should be used with caution.
DC Security Template
The DC security template is created when a server is first promoted to being a domain controller. It contains a number of default settings, including settings for the file system, Registry, and system services. This template allows you to reapply these default security settings. Registry keys and system services that have been added or modified since the initial installation may be overwritten, as may permissions on new files. Therefore, considerable planning should be done before applying this template to a domain controller in your network.
Hisecdc Template
The hisecdc template is used to apply high-level security settings to a domain controller.
Using this template will cause the domain controller to require encrypted authentication.
Using this setting will also prevent most pre-Windows 2000 computers from being able to
communicate with the server, because the domain controller will require clients to communicate using NTLM version 2 (NTLMv2). Finally, this template will cause many applications to malfunction.
Hisecws Template
The hisecws template applies settings similar to those in the hisecdc template, but it is designed for use with workstations and servers that are not configured as domain controllers. When this template is applied to a computer, all of the domain controllers that have accounts for users that can log on to the client must be running Windows NT 4.0 Server with Service Pack 4 installed, Windows 2000 Server, or Windows Server 2003. Also, any domain controllers in domains that the client is a member of must be running Windows 2000 Server or Windows Server 2003.
Clients are also unable to connect to computers using LAN Manager for authentication or from machines running operating systems earlier than Windows NT 4.0 Service Pack 4 using an account on the local machine. In addition, attempts to connect to a server running Windows NT 4 where the time on each machine has a difference of 30 minutes or more will fail. If the client connects to a computer running Windows XP, the time difference between them cannot exceed 36 hours.
The hisecws template also modifies settings to control memberships in security-sensitive groups. Once applied, all users are removed from the Power Users group, and only members of the Domain Admins group and the Administrator account are kept as members of the computer’s local Administrators group.
As with the hisecdc template, applying the hisecws template will cause many applications to malfunction because of the enhanced security. This template should be very carefully tested before deployment.
Rootsec Template
The rootsec template is used to define security settings for the system volume. It is used to
set permissions at the root of the system drive, so that original settings can be reapplied.
This can be particularly useful if the permissions on the system drive are inadvertently
modified. This template can also be modified to apply the same root permissions on other
volumes. In doing so, it will overwrite inherited permissions on child objects, but will not
overwrite any explicit permissions on child objects.
Iesacls Template
The iesacls template is used to lock down security settings used by Internet Explorer (IE),
which can be used to access data on the Internet or on a corporate intranet. Using this
template, you can enhance security by enforcing stricter settings on Internet Explorer.
Securedc Template
The securedc template is used on domain controllers to enhance security while minimizing
the impact on applications. This template also configures servers to refuse LAN Manager
responses. Computers running operating systems such as Windows for Workgroups,
Windows 95, and Windows 98 use LAN Manager to authenticate to servers. For these
clients to be able to connect to a domain controller with the securedc template applied, the
clients will need to have a patch or the Active Directory Client Extensions Pack installed
on them.
Securews Template
The securews template provides the same settings as the securedc template, but it applies to
workstations or servers that are not configured as domain controllers. It is designed to
enhance security without impacting on applications that are running on the computer. This
template also affects authentication, because it limits the use of NTLM by configuring
clients accessing the machine to respond with NTLMv2 responses.
When this template is applied, the domain controllers that contain user accounts for
those who will log on to the client must run Windows NT 4.0 with Service Pack 4 or
higher, Windows 2000, or Windows Server 2003. Additionally, there are requirements
dealing with time. If the domain contains Windows NT 4 domain controllers, the clocks
between the domain controllers running this operating system must have their time synchronized within 30 minutes of one another. Computers also will not be able to connect to
servers running Windows 2000 or Windows NT 4 if their clocks are off by more than 30
minutes from the server. Computers will not be able to connect to a Windows XP machine
if their clocks are off by more than 20 hours.
Servers that have this template applied to them also have limitations. The server won’t be
able to connect to clients running LAN Manager and will need to be authenticated using
NTLMv2. However, NTLMv2 can be used to authenticate to Windows 2000 or Windows
Server 2003 servers if the clocks on the client and server are within 30 minutes of one
another. If the server is running Windows XP, the two machines must be synchronized
within 20 hours of one another.
Setup Security Template
The setup security template is created when a computer is installed, and it varies from one
machine to another, depending on whether its operating system was upgraded or a clean
installation. Because of this, it should never be applied to a group of computers using
Group Policy or manually to other systems, unless you have carefully reviewed its settings.
This template allows you to reapply a system’s default security settings. Use the DC security
template for domain controllers, not the setup security template.
Security Configuration and Analysis
A tool that makes significant use of security templates is the Security Configuration and
Analysis tool. This tool is an MMC snap-in that allows you to analyze and configure system
settings. Using it, you can perform the following tasks:
■ Analyze security settings for local and group policies.
■ Apply security templates to the local Windows Server 2003 computer.
■ Export settings to template files, so they can be applied later either manually or by using Group Policy.
The Security Configuration and Analysis tool assists you in determining whether a computer has an adequate security configuration by comparing the current settings to those in a security template. One or more templates are applied to a database, which is used to analyze the difference between the database settings and the current computer configuration. In viewing the results, you are able to determine what changes will be made to the machine if the template is applied. You can alter the settings to ensure that the desired configuration results are obtained, and apply them to the computer individually or to a range of computers using a GPO.
When the Security Configuration and Analysis snap-in is loaded into MMC, the console tree in the left pane shows the Security Configuration and Analysis node, as shown in Figure 2.16. When you initially select this node, it will provide information in the details pane (right pane) on how to open or create a database that can be used to analyze or configure the computer. After you have opened or created a database, the left pane is populated with a log or nodes containing settings that can be configured. You can then select any of these nodes and modify settings that can be applied to the local machine or multiple machines using Group Policy.
Figure 2.16 Initial Information Provided by the Security Configuration and Analysis Tool
Group Policy Object Editor
The Group Policy Object Editor is another tool that allows you to view and modify security settings. Because this tool is also loaded into the MMC, it has the same basic appearance as the Security Configuration and Analysis snap-in. A tree of information appears in
the left pane, and details on selected items appear in the right pane. GPOs can be applied to
manage security settings at the OU, site, and domain level.
As shown in Figure 2.17, security settings are available under Computer Configuration and User Configuration. The settings under Computer Configuration apply to settings that affect the computer, and those under User Configuration apply to users. The policies that appear in this snap-in are those that have already been configured in the GPO.
Figure 2.17 Configured Policies in the Group Policy Object Editor
Using the Group Policy Object Editor, you can import policies stored in templates or export current settings to a template file that can then be used to configure other computers. These are topics we’ll discuss later in this chapter, in the “Enforcing Default Security Settings on New Computers” section.
Secedit
Secedit is a command-line tool that allows you to analyze and configure computers using
templates, and to automate security configurations. Commands are entered from the textual
interface of the command prompt, which means that these commands can be added to
scripts and batch files to automatically configure a machine. Unlike the other tools we’ve
discussed so far, Secedit cannot be used to modify or export a template.
There are several commands that can be used with Secedit to specify which actions to perform. The different parameters for Secedit include the following:
■ secedit /analyze Used to analyze the security settings of a computer.
■ secedit /configure Used to apply the security settings in a template to a computer.
■ secedit /export Allows you to export the security settings in the database to a template.
■ secedit /import Used to import a template into the database so that its settings can be used to analyze the machine or to configure its security settings.
■ secedit /validate Used to validate the syntax of a template before importing it into the database.
■ secedit /GenerateRollback Used to create a rollback template that can be used to restore the computer’s security settings to the way they were before applying a configuration template.
EXAM WARNING
The Secedit command-line tool and Security Configuration and Analysis snap-in are
the only tools that allow you to analyze security settings by having them compared
to a security template. No other tools in Windows Server 2003 have this ability.
The following sections describe each of these commands and their parameters in more
detail.
Analyze
The secedit /analyze command provides the ability to compare the security settings in a template to those of a computer. The syntax for this command is as follows:
secedit /analyze /db FileName.sdb [/cfg FileName] [/overwrite] [/log
FileName] [/quiet]
As is the case with each of the Secedit commands, the command’s parameters allow you to specify additional options. The parameters for secedit /analyze are shown in Table 2.2.
Table 2.2 Parameters for the secedit /analyze Command
Parameter           Description
/db FileName.sdb    Used to specify the database that is used in performing the operation.
/cfg FileName       Used to specify the security template that is to be imported into the database and used for the operation.
/overwrite          Used to specify that the database is to be emptied before the security template is imported into it. When this setting isn’t used, security templates are accumulated in the database, so that multiple templates can be used in the process. Any conflicting settings existing in the database are overwritten as the next template is imported.
/log FileName       Specifies the log file used to record events related to the command. By default, if this parameter isn’t specified, events will be logged to %windir%\Security\Logs\scesrv.log.
/quiet              Ensures that the user is not prompted for input during the process.
Configure
The secedit /configure command is used for configuring security settings on a computer, by applying the settings in a database to the machine. With this command, the template can be imported into a database and applied to the local machine. The syntax for this command is as follows:
secedit /configure /db FileName.sdb [/cfg FileName ] [/overwrite][/areas
Area1 Area2 ...] [/log FileName] [/quiet]
The command’s parameters are the same as those listed in Table 2.2, with the addition of /areas Area1 Area2. This parameter is used to specify which security areas the command operates on. When it is used, only the listed areas are included; when it isn’t used, all settings are included. The following security areas can be specified:
■ SECURITYPOLICY Includes account and audit policies, event log settings, and security options.
■ GROUP_MGMT Includes settings for restricted groups.
■ USER_RIGHTS Includes settings for user rights assignments.
■ REGKEYS Sets Registry permissions.
■ FILESTORE Sets file system permissions.
■ SERVICES Includes system service settings.
Export
The secedit /export command allows you to export settings to a template. Using this command, you can take the settings from a computer, export them to a template, and then import them to another machine or GPO so that multiple computers now share the same configuration. The syntax for this command is as follows:
secedit /export /db FileName.sdb [/mergedpolicy] [/cfg FileName ]
[/areas Area1 Area2 ...] [/log FileName] [/quiet]
The command’s parameters are the same as those listed in Table 2.2, with the addition
of /areas Area1 Area2, explained in the previous section, and /mergedpolicy, which is
used to merge the security settings of the domain and local computer into a single template
file.
Import
The secedit /import command is used to import a security template into a database, so it can be applied to the computer or used in analysis. The syntax for this command is as follows:
secedit /import /db FileName.sdb /cfg FileName [/overwrite]
[/areas Area1 Area2 ...] [/log FileName] [/quiet]
The command’s parameters are the same as those listed in Table 2.2, with the addition
of /areas Area1 Area2, described earlier in the “Configure” section.
Validate
The secedit /validate command is used to validate the syntax of a template before importing it into the database. This command is particularly useful when you’ve created a new security template and want to ensure that it does not have errors before using it for configuration or analysis. The syntax for this command is as follows:
secedit /validate FileName
Unlike the other commands we’ve discussed, this command has only one parameter: FileName. The FileName parameter is used to specify the name of the template to be validated.
GenerateRollback
When applying a configuration template to a machine, the secedit /GenerateRollback
command provides the option of creating a template that can be used to roll back settings
on the machine. Before a security template is applied, the current settings of the computer
are exported into a template file. If you wish to restore the old settings of the computer
after the security template is applied, you can use the rollback template. The syntax for this
command is as follows:
secedit /GenerateRollback /cfg FileName.inf /rbk FileName.inf [/log
FileName] [/quiet]
Table 2.3 describes these parameters.
Table 2.3 Parameters for the secedit /GenerateRollback Command
Parameter           Description
/cfg FileName.inf   Used to specify the security template that will be used in creating the rollback template.
/rbk FileName.inf   Used to specify the name of the rollback template to be created.
/log FileName       Specifies the log file used to record events related to the command. By default, if this parameter isn’t specified, events will be logged to %windir%\Security\Logs\scesrv.log.
/quiet              Ensures that the user is not prompted for input during the process.
Planning Secure Baseline Installation Parameters
Because applying a security template can have a major impact on a computer, it is important that you take preliminary steps to ensure that the template can be applied correctly and
will not make unwanted changes. By reviewing information about the template and performing an analysis of changes that will be made after the template is applied, you can
ensure the computer will be configured correctly.
Before applying a security template, you should review its settings. Each of the templates addresses different levels of security and/or different settings that will be applied to
the computer. Although template settings can be customized, you should determine
whether a particular template configures the computer the way you want. If the wrong settings are applied, you need to either manually correct them or use a rollback template that
was created before you applied this template.
The only predefined templates that will return a computer to an original state are the setup security and DC security templates. As we discussed earlier, the setup security template contains settings from when the computer was installed, and it is specifically created for each computer. This template can be used on workstations, stand-alone servers, and member servers, but domain controllers should not have this template applied to them. To return a domain controller to the state it was in when it was first promoted, use the DC security template. In both cases, any changes that have been made to settings since the template was initially created are not applied.
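The Secedit sections above list the individual commands, and this section stresses that a rollback template should exist before a template is applied. The script below is an added example (not the book’s or Microsoft’s code) that sequences those calls in that order: validate, GenerateRollback, import into an emptied database, analyze, and only then configure. The secedit syntax is the one shown in the chapter; the file names (hisecws.inf, baseline.sdb, rollback.inf, secedit.log) are assumed, and the ordering and stop-on-failure behaviour are this script’s choices.

```python
"""Added example: run the secedit commands from the chapter in a safe order.
secedit itself only exists on Windows; dry_run=True just prints the commands."""
import os
import subprocess
from typing import List, Optional


def plan_secedit_apply(template: str, db: str, rollback: str, log: str,
                       areas: Optional[List[str]] = None) -> List[List[str]]:
    """Return the secedit invocations, in order: validate the template syntax,
    capture a rollback template, import the template into an emptied database
    (/overwrite), analyze, and finally configure the machine.
    File names are whatever the caller passes in (assumed, not fixed names)."""
    if os.path.abspath(template) == os.path.abspath(rollback):
        raise ValueError("rollback template must not overwrite the source template")
    area_args = ["/areas", *areas] if areas else []
    return [
        ["secedit", "/validate", template],
        ["secedit", "/GenerateRollback", "/cfg", template, "/rbk", rollback,
         "/log", log, "/quiet"],
        ["secedit", "/import", "/db", db, "/cfg", template, "/overwrite",
         "/log", log, "/quiet"],
        ["secedit", "/analyze", "/db", db, "/log", log, "/quiet"],
        ["secedit", "/configure", "/db", db, *area_args, "/log", log, "/quiet"],
    ]


def run_plan(plan: List[List[str]], dry_run: bool = True) -> List[int]:
    """Execute the plan step by step and return the exit codes seen so far.
    Execution stops at the first non-zero exit code, so /configure never runs
    after a failed validate, rollback or import. With dry_run the commands are
    only printed, which also works on non-Windows hosts."""
    codes: List[int] = []
    for argv in plan:
        if dry_run:
            print(" ".join(argv))
            codes.append(0)
            continue
        rc = subprocess.run(argv).returncode
        codes.append(rc)
        if rc != 0:
            break
    return codes


if __name__ == "__main__":
    # Assumed file names; the areas list restricts /configure as Table 2.2's
    # /areas parameter describes.
    steps = plan_secedit_apply("hisecws.inf", "baseline.sdb", "rollback.inf",
                               "secedit.log", areas=["SECURITYPOLICY", "USER_RIGHTS"])
    run_plan(steps)  # dry run: prints the five commands
```

Because /GenerateRollback is run before /configure, the rollback template it produces reflects the computer’s settings as they were, and a failed /validate or /import stops the run before anything is applied.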
Using Security Configuration and Analysis to Analyze a Computer
By analyzing a computer with Security Configuration and Analysis, you can determine
whether a machine has adequate security settings or if additional configuration is required.
The analysis is performed by adding one or more security templates to a database, which is
used for comparison against the computer’s current settings. In comparing this information,
you can see where possible problems exist between your current configuration and the ones
stored in the template.
Analyzing a computer begins by opening the MMC with the Security Configuration and Analysis snap-in installed. Then you can analyze a computer by performing the following steps:
1. In the left pane of the console, right-click Security Configuration and
Analysis (see Figure 2.16) and select Open Database from the context menu.
(Note that the context menu options also appear on the Action menu when
Security Configuration and Analysis is selected.)
2. The Open database dialog box, shown in Figure 2.18, lists all the existing databases. To open an existing database, select the database from the list and click Open. To create a new database instead, enter the name of the new database in the File name text box, and then click Open. If you are opening an existing database, you will then be returned to the Security Configuration and Analysis tool, and you can skip to step 4. If you are creating a new one, the Import Template dialog box appears.
Figure 2.18 Opening an Existing Database or Creating a New One
3. As shown in Figure 2.19, the Import Template dialog box displays a list of the security templates stored in the %systemroot%\Security\Templates folder. This folder contains predefined security templates, but you can browse the hard disk for other security templates that you’ve created or downloaded and stored elsewhere. Select a template from the list and click Open. The template is imported into the database, and you’re returned to the Security Configuration and Analysis tool.
Figure 2.19 Importing a Template
You can add more templates by right-clicking the Security Configuration and Analysis node again and selecting Import Template from the context menu. When multiple templates are added to the database used for analysis, the templates are merged together so that all settings are used for comparison. These templates are added one at a time, and any conflicts between them are resolved by the order in which they are imported. For example, if you added the compatws template and then the securews template to the database, the settings in the securews template would take precedence because it was the last one to be imported. If another template is then added and conflicts with the current composite template in the database, this new template’s settings would take precedence over the previous settings. To import a template into the database without having it appended to existing settings, check the Clear this database before importing check box in the Import Template dialog box. Any existing settings in the database will be purged, and only the settings in the template being imported will be used.
4. After you’ve opened or created a database and added the necessary templates, you
are ready to begin taking steps to analyze the existing security settings. Select the
Security Configuration and Analysis node, right-click it, and click Analyze
Computer Now.
5. As shown in Figure 2.20, the Perform Analysis dialog box appears. Here, you
can enter the name and path of a log file that will be used to record errors in the
process. After clicking OK, another dialog box informs you that analysis of the
computer is being performed.
Figure 2.20 Entering the Analysis Log File Path
6. When the analysis is complete, the left pane of the Security Configuration and
Analysis tool is populated with information about the settings that have been
analyzed. As shown in Figure 2.21, the left pane shows different areas of security.
When selected, these display results of the analysis for that area in the right pane.
A side-by-side comparison is offered, showing database settings used for analysis
and the computer’s current settings. This allows you to quickly determine if
changes need to be made to the current settings or if they provide the level of
security desired for your organization.
Figure 2.21 Viewing the Results of a Security Analysis
When an analysis is performed, the results are organized into areas of security, and visual flags are used to indicate discrepancies. The following flags may appear beside entries in the results:
■ A red X indicates that the entry does not match the corresponding setting in the database.
■ A green check mark indicates that the entry in the database and the computer’s setting match.
■ An exclamation mark indicates that an entry in the database does not correspond to any setting on the computer. This may appear if a security setting for a group or other object is in a template added to the database, but the group or object isn’t one that is used on the computer being analyzed.
■ A question mark indicates that although the setting is on the computer, there is no corresponding entry in the database. This may indicate that the account you are using when performing the analysis does not have the appropriate permissions to analyze a security area or object, or that the entry was not used in any of the templates added to the database.
■ No highlight indicates that the entry isn’t defined in the database and isn’t used on the system.
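Step 3 above describes how templates imported one after another are merged with later imports winning on conflicts (or replacing the database entirely when the clear-before-import box is checked), and the list above gives the flags the analysis produces. The following added example (not Microsoft’s code, and not the book’s) re-implements that merge-and-compare logic in miniature: it reads templates written in the INI layout that .inf security templates use, merges them in import order, and classifies each setting the way the result pane flags it. The two templates and the “current settings” are constructed samples and are not the contents of compatws or securews; only the [System Access], [Event Audit] and [Privilege Rights] sections are modelled.

```python
"""Added example: toy version of the merge-and-compare logic behind
Security Configuration and Analysis. Not Microsoft's code."""
import configparser
from typing import Dict, List, Optional, Tuple

# Key = (section, setting name); value = the setting's string value as written in an .inf file.
Settings = Dict[Tuple[str, str], str]

# Only these template sections are modelled; real templates also carry [Unicode],
# [Version], [Registry Values] and other sections that this toy skips.
MODELLED_SECTIONS = {"System Access", "Event Audit", "Privilege Rights"}

# Constructed sample templates (illustrative values, not the real compatws/securews).
LOOSE_TEMPLATE = """
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
"""

STRICT_TEMPLATE = """
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
"""

# Constructed "current settings" standing in for what the tool reads from the live machine.
CURRENT_SETTINGS: Settings = {
    ("System Access", "MinimumPasswordLength"): "6",
    ("System Access", "MaximumPasswordAge"): "42",
    ("System Access", "LockoutBadCount"): "5",
    ("Event Audit", "AuditLogonEvents"): "3",
    ("Privilege Rights", "SeShutdownPrivilege"): "*S-1-5-32-544",
}


def parse_template(text: str) -> Settings:
    """Read the modelled sections of a template into a flat (section, name) -> value map."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive rather than lower-casing them
    cp.read_string(text)
    return {(sec, key): val.strip()
            for sec in cp.sections() if sec in MODELLED_SECTIONS
            for key, val in cp.items(sec)}


def build_database(templates: List[str],
                   clear_before: Optional[List[bool]] = None) -> Settings:
    """Import templates in order. A later template overrides conflicting settings
    from earlier ones; clear_before[i] = True mirrors the
    'Clear this database before importing' check box for template i."""
    db: Settings = {}
    for i, text in enumerate(templates):
        if clear_before and clear_before[i]:
            db = {}
        db.update(parse_template(text))  # last import wins on conflicts
    return db


def analyze(db: Settings, current: Settings) -> Dict[Tuple[str, str], str]:
    """Flag every setting as the result pane does: mismatch (red X), match (green
    check), not_on_computer (exclamation mark) or not_in_database (question mark)."""
    result: Dict[Tuple[str, str], str] = {}
    for key in sorted(db.keys() | current.keys()):
        if key in db and key in current:
            result[key] = "match" if db[key] == current[key] else "mismatch"
        elif key in db:
            result[key] = "not_on_computer"
        else:
            result[key] = "not_in_database"
    return result


if __name__ == "__main__":
    database = build_database([LOOSE_TEMPLATE, STRICT_TEMPLATE])
    for key, flag in analyze(database, CURRENT_SETTINGS).items():
        print(f"{flag:16} {key[0]}\\{key[1]}: "
              f"database={database.get(key)} computer={CURRENT_SETTINGS.get(key)}")
```

Running it shows the precedence rule at work: MinimumPasswordLength ends up as 8 because the strict template was imported last, while LockoutBadCount survives from the loose template because the database was not cleared, and AuditAccountLogon, present only in the database, is reported the way the exclamation-mark flag describes.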
To modify settings in the database, double-click an entry. For example, double-clicking
the Maximum password age entry brings up a corresponding dialog box, which allows
you to change the number of days before a password will expire. Once you’re finished
making the modifications, you can save these changes to a new template file by selecting
the Security Configuration and Analysis node and clicking Action | Export
Template. In the Export Template To dialog box, shown in Figure 2.22, you can specify
the name of the new template and where it should be saved. As you’ll see in the next section, you can then use your new template to apply the settings to the computer and other
machines on your network.
Figure 2.22 Exporting a Template
EXERCISE 2.03
ANALYZING SECURITY USING SECURITY CONFIGURATION AND ANALYSIS
1. Select Start | Run, type MMC, and click OK.
2. In the blank console that appears, click File | Add/Remove Snap-in.
3. When the Add/Remove Snap-in dialog box appears, click the
Standalone tab, and then click the Add button.
4. In the Add Standalone Snap-in dialog box, select Security
Configuration and Analysis from the list and click Add.
5. Click Close to return to the previous screen. The Security
Configuration and Analysis entry should appear in the Add/Remove
snap-in dialog box. Click OK to close the dialog box.
6. The console tree in MMC should now contain a Security Configuration
and Analysis node. Select this node and click Action | Open
Database.
7. When the Open database dialog box appears, type the name of a new
database in the File name text box and click Open.
8. When the Import Template dialog box appears, select hisecdc if you
are working on a domain controller, or select hisecws if you are
working on a workstation or server that isn’t configured as a domain
controller. Then click Open.
9. When the Security Configuration and Analysis console appears, select
the Security Configuration and Analysis node in the left pane and
click Action | Analyze Computer Now.
10. When the Perform Analysis dialog box appears, click OK to accept the
default path and filename for the error log to be created.
11. When the analysis is complete, browse through the settings and identify differences between the security settings in the database and the
machine.
EXAM 70-293 OBJECTIVE 1.2.1, 1.2.2, 1.2.3
Enforcing Default Security Settings on New Computers
Security settings can be enforced on local computers or through AD. By using security templates in conjunction with the Security Configuration and Analysis snap-in, you can configure a local computer’s security settings. Security templates can also be imported into the group policy of a domain, site, or OU in AD, so that the settings can be applied to multiple computers.
Using Security Configuration and Analysis to Apply Templates to a Local Computer
The Security Configuration and Analysis tool allows you to configure local computers by applying the settings in a security template to the local policy. The settings will apply only to the computer on which Security Configuration and Analysis is being run. They will not affect other machines in the domain.
The initial steps for configuring a local computer are similar to the steps involved in
running an analysis. In the Security Configuration and Analysis console, select the Security
Configuration and Analysis node in the left pane and click Action | Open Database.
As described earlier in the “Using Security Configuration and Analysis to Analyze a
Computer” section, use the Open database dialog box (see Figure 2.18) to either open an
existing database or create a new one. If you are opening an existing database, you will be
returned to the Security Configuration and Analysis tool. If you are creating a new
database, the Import Template dialog box (see Figure 2.19) appears. In the Import
Template dialog box, select the security template that will be applied to the local machine
and click Open. The template is imported into the database, and you’re returned to the
Security Configuration and Analysis tool. You can add other templates by selecting the
Security Configuration and Analysis node again and clicking Action | Import
Template. Check the Clear this database before importing check box if you want
only the settings in the template being imported to be used in the database.
After you’ve added the templates to the database, you return to the Security
Configuration and Analysis tool. You can apply the template by selecting the Security
Configuration and Analysis node again and clicking Action | Configure Computer
Now. In the dialog box that appears (see Figure 2.20), specify the filename and path of the
error log file created for this process. Clicking OK in this dialog box will begin the configuration of the computer.
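The analysis procedure (steps 7 to 11 above) and the configuration procedure just described, modelled as an added Python example that is not from the book or from Microsoft’s tooling: it parses the [System Access] section of a template written in the .inf layout that security templates use, merges imported templates into a database (with and without Clear this database before importing), reports mismatches the way Analyze Computer Now does, and applies the database the way Configure Computer Now does. The template and machine values are constructed samples, not the contents of hisecdc or hisecws.

```python
"""Toy model of the Security Configuration and Analysis workflow: import one or
more templates into a database, analyze a machine against it, then configure
the machine from it.  All template and machine values below are constructed."""
import configparser

# Constructed template in the .inf layout that security templates use
# (illustrative values; this is NOT the real content of hisecdc.inf).
SAMPLE_TEMPLATE = """
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
"""

# A second constructed template that tightens only one setting. Importing it
# after the first without "Clear this database before importing" merges it.
SAMPLE_OVERLAY = """
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
MinimumPasswordLength = 12
"""

# Constructed snapshot of the settings currently in effect on the machine.
SAMPLE_MACHINE = {
    "MinimumPasswordAge": 0,
    "MaximumPasswordAge": 42,
    "MinimumPasswordLength": 0,
    "PasswordComplexity": 0,
    "PasswordHistorySize": 24,
    "LockoutBadCount": 0,
    "RequireLogonToChangePassword": 0,
}


def _coerce(raw):
    """Template values are numbers or quoted strings; keep numbers as ints."""
    raw = raw.strip()
    try:
        return int(raw)
    except ValueError:
        return raw.strip('"')


def parse_template(text):
    """Return the [System Access] settings of a template as {name: value}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str          # keep key capitalisation as written
    parser.read_string(text)
    if not parser.has_section("System Access"):
        return {}
    return {key: _coerce(val) for key, val in parser.items("System Access")}


def build_database(templates, clear_before_each=False):
    """Import templates in order, later ones overriding earlier ones.
    clear_before_each=True models ticking "Clear this database before
    importing": only the last template's settings survive."""
    database = {}
    for text in templates:
        if clear_before_each:
            database = {}
        database.update(parse_template(text))
    return database


def analyze(database, machine):
    """Analyze Computer Now: return {name: (database_value, machine_value)}
    for every database setting the machine does not match. Settings that the
    database does not define are not analyzed at all."""
    return {name: (wanted, machine.get(name))
            for name, wanted in database.items()
            if machine.get(name) != wanted}


def configure(database, machine):
    """Configure Computer Now: apply every database setting to a copy of the
    machine settings; settings outside the database are left untouched."""
    updated = dict(machine)
    updated.update(database)
    return updated


def report(mismatches):
    """Render mismatches as lines similar to the console's marked entries."""
    return [f"X {name}: database={wanted} computer={actual}"
            for name, (wanted, actual) in sorted(mismatches.items())]


if __name__ == "__main__":
    db = build_database([SAMPLE_TEMPLATE, SAMPLE_OVERLAY])
    for line in report(analyze(db, SAMPLE_MACHINE)):
        print(line)
    # After "Configure Computer Now" a second analysis reports nothing.
    assert analyze(db, configure(db, SAMPLE_MACHINE)) == {}
```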
Using Group Policy Object Editor to Apply Templates
AD allows security templates to be applied at the domain, site, and OU level by using
GPOs. When a security template is imported into a GPO, any computers that have the
GPO applied to them will automatically receive the configured settings. The Group Policy
Object Editor tool allows you to view and modify settings in a GPO.
You can view and modify the group policies of domains, sites, and OUs using tools that
are installed on domain controllers. You can access the group policy configuration of a site
through Active Directory Sites and Services. To access domain and OU settings, use Active
Directory Users and Computers. By selecting a site in Active Directory Sites and
Services and clicking Action | Properties, you can access the group policy configuration of that site. To see the group policy settings of a domain or OU, select it in Active
Directory Users and Computers, and then click Action | Properties.
As shown in Figure 2.23, the Group Policy tab of a domain, site, or OU Properties
dialog box allows you to view linked group policies. This tab includes a list of the group
policies that are currently linked to this domain. Beneath the list are the following buttons
for working with the GPO:
■ New Allows you to create a new GPO.
■ Add Allows you to link an existing group policy to the domain, site, or OU.
■ Edit Displays the Group Policy Object Editor, which can be used to configure the GPO.
■ Options Displays a dialog box containing two options for the GPO. The No Override option specifies that group policies lower in the hierarchy cannot override the settings in this policy. The Disable option specifies that settings in this group policy are not to be applied.
■ Delete Removes a selected group policy from the domain, site, or OU. There are two options. The Remove the link from the list option removes the link so it no longer appears in the listing. The Remove the link and delete the Group Policy Object permanently option removes the link so it no longer appears in the listing and also deletes it so it cannot be used in the future.
■ Properties Displays properties of the group policy. You can configure permissions associated with a selected GPO and see where else it may be linked.
Figure 2.23 Viewing Group Policy Properties of a Domain
To open the Group Policy Object Editor, click the Edit button on the Group Policy
tab. You can also open this tool using the MMC, by adding the Group Policy Object Editor
snap-in. After you’ve added this snap-in, you are prompted to choose whether you want to
open the local computer policy or browse for a group policy in AD, as shown in Figure
2.24. If the default choice of opening the local computer policy is used, any modifications
you make will apply only to the computer on which you are working. Remember that any
local policy settings you configure can be overridden by a group policy applied at the site,
domain, or OU level.
Figure 2.24 Selecting a Group Policy
As shown in Figure 2.25, the Group Policy Object Editor has two panes. The left pane
contains a tree view that allows you to browse through various policy settings. This tree is
divided into two separate sections: Computer Configuration (which applies to computer
accounts) and User Configuration (which applies to user accounts). Located beneath each
of these is a Windows Settings | Security Settings node, which contains groups of settings that you can view and modify. When you select a node in the left pane, policy settings
appear in the right pane. When you double-click one of these policy settings, you’ll see a
dialog box that allows you to modify the entry. Each entry has different values that you can
set.
Figure 2.25 Group Policy Object Editor
Figure 2.26 shows the Minimum password length Properties dialog box. Notice
the Define this policy setting check box, which is common to all of the policies in the
Group Policy Object Editor tool. If you check this option, you can then modify the value
associated with that policy.
Figure 2.26 Viewing Minimum Password Length Properties
You can also import security templates into policies that are viewed through the Group
Policy Object Editor. Right-click the Security Settings node and select Import Policy
in the context menu. You will see a dialog box that displays the default directory for predefined templates. If necessary, browse to and select a template, and then click Open to
import the template into the policy.
Customizing Server Security
Exam 70-293 Objective 1
Security templates contain predefined configurations, which are a great starting point, but
they usually do not fulfill all the needs of an organization. You may need to make some
changes to match the organizational policies of your company. Similarly, configuring roles
for servers requires additional steps to make the servers secure from attacks, accidents, and
other possible problems. By customizing server security, you can implement security measures that will fulfill the unique needs of your organization.
Because every organization is different, the security needs of one company may vary
from those of another. Before making security changes, you should consult corporate policies, as well as any requirements pertaining to organizational certifications or relevant laws.
You should also use the other methods of identifying the security requirements of an organization that were discussed earlier in the chapter. Once you have an understanding of the
organization’s needs, you can determine what customization needs to be done to enhance
security.
Securing Servers According to Server Roles
Exam 70-293 Objectives 1.3, 1.3.1
As you saw earlier in this chapter, servers can be configured in any number of different
roles. You can use the Configure Your Server Wizard to configure the server for that role.
Although this procedure may install and enable a number of different services, tools, and
technologies, additional steps usually are required to ensure the server’s security. Some tasks
are unique to the server’s role, but others should be applied to all servers on your network.
Security Issues Related to All Server Roles
Any server used by members of an organization might be at risk of attacks by hackers and
malicious programs, as well as accidents or other disasters. You will want to consider taking
a number of countermeasures to ensure that any server is well protected.
Physical Security
As the term suggests, physical security addresses the need to protect servers from physical
threats. Such threats may affect any number of assets in an organization and can result in
widespread damage. These types of threats always involve some level of tangible risk. Taking
steps to prevent physical interaction with equipment and implementing methods to ensure
that equipment is safe from environmental threats will help promote physical security.
A large part of physical security involves protecting systems from unauthorized physical
access. Even if you’ve implemented strong security that prevents or limits access across a
network, it will do little good if a person can sit at the server and make changes or (even
worse) pick up the server and walk away with it. If people have physical access to a server,
any number of events could occur. They could knock out network cables, bump the server
over, spill a drink on electrical components, or unplug it. Physical security controls access to
hardware and software, so that people are unable to damage or steal devices and the data
they may contain. If people do not have physical access to systems, the chances of unauthorized data access are reduced.
To prevent physical contact, all servers in an organization should be locked in a secure
area. If it can be justified, a dedicated server room should restrict access. If a company’s
facilities are limited and there is only a single server involved, it should be kept in a locked
closet to prevent anyone from touching it. In addition to the server itself, all installation
CDs and backup tapes used by the server should be kept under lock and key.
Physical security also involves protecting servers and other assets from environmental
disasters. Natural disasters can occur at any time, and they are largely dependent on the
geographical location of an office. For example, a branch office in Tornado Alley would
need to be able to withstand twisters, and a California branch office might need to withstand earthquakes and mudslides. In both areas, however, Uninterruptible Power Supplies
(UPSs) should be installed to provide electricity during power outages, and systems to
extinguish fires need to be in place. By considering natural risk sources within an area, you
can determine which measures need to be taken to reduce or remove risks.
Physical security addresses not only natural disasters, but also hazards caused by the workplace environment. If a server room isn’t properly ventilated and temperature-controlled, the
server could overheat or experience issues with electrostatic discharge. In wireless networks,
poor environmental conditions could also cause sensitive data to be accessed by other parties who pick up the signals. As data is transmitted, unauthorized parties using special
equipment could intercept the packets of data sent over the wireless network. In addition,
servers need to be stored in stable areas that adhere to the environmental requirements of
the equipment.
Head of the Class...
Knowing When to Stop Securing Systems
Security is an ongoing process, but there comes a time when you need to decide
that enough is enough. No system can be absolutely secure, and every level of security you add restricts access and functionality. For this reason, security is a trade-off,
and you need to decide when you’ve reached an acceptable level.
A major consideration for security is cost versus benefit. At no time should the
cost of securing an asset exceed the value of that asset. For example, a server may
be configured as a file server and contain sensitive data, which means a higher level
of security is needed than for other resources. In providing this security, you don’t
want to pay more for security than the equipment or data is worth. If the server
cost $7,000, and it would cost the company $5,000 to replace the data, any security costs over this collective amount would negate any benefits from securing the
server. Once it approaches the point where the company is spending an unreasonable amount of money to protect data or equipment, you’ve exceeded the optimal
level of security. Keep in mind that you may need to work with your company’s
Accounting department to come up with the appropriate numbers.
Service Packs and Hotfixes
At times, software vendors may release applications or operating systems with known vulnerabilities or bugs, or these problems may be discovered after the software has been
released. Vulnerabilities are weaknesses in programming code that can be exploited. Bugs are
defects that may cause the software to function incorrectly. To remedy these issues, manufacturers will release service packs, patches, or bug fixes after they have brought their
product to market. Service packs contain updates that may improve the reliability, security,
and software compatibility of a program or operating system. Patches and bug fixes are used
to repair errors in code or security issues. Failing to install these may cause certain features
to behave improperly, make improvements or new features unavailable, or leave your system
open to attacks from hackers or viruses. In most cases, the service packs, patches, or bug
fixes can be acquired from the manufacturer’s Web site.
Updates for Windows operating systems are made available on the Windows Update Web
site, which can be accessed through an Internet browser by visiting
http://windowsupdate.microsoft.com. The Windows Update Web site determines what software is recommended
to secure your system, and then allows you to download and install it from the site.
Windows Update provides updates for only Windows operating systems, certain other
Microsoft software (such as Internet Explorer), and some additional third-party software,
such as drivers. To update most third-party programs installed on the computer, you will
need to visit the manufacturer’s Web site, download the update, and then install it.
Windows 2000, Windows XP, and Windows Server 2003 also provide an automated
update and notification tool that allows critical updates to be downloaded and installed
without user intervention. When enabled, this tool regularly checks Microsoft’s Web site for
updates, and if one or more are found, automatically downloads and installs the update. You
can also just have it notify you that updates are available. Because this tool requires
connecting to Microsoft over the Internet, it can be used only if the servers or workstations
have Internet access.
In some situations, administrators may not want Windows Server 2003 to automatically
download and install software without their approval, or they may not want computers to
connect to the Microsoft Web site in this manner. In these cases, the Automatic Updates
service should be disabled or configured so that it is used for notification only. These settings can be accessed by selecting Start | Control Panel | System and clicking the
Automatic Updates tab in the System Properties dialog box. As shown in Figure 2.27,
the Automatic Updates tab provides a number of settings that allow you to configure
whether updates are automatically acquired and installed on the computer, when updates
occur, and whether intervention is required. These settings include the following:
■ Keep my computer up to date Enables Automatic Updates on the machine. When this is selected, the other settings in this list may be configured.
■ Notify me before downloading any updates and notify me again before installing them on my computer Informs users that an update is available and asks them if they would like to download it. If the user chooses to have the update downloaded, Automatic Updates will prompt the user when the download is complete, asking if the update should be installed.
■ Download the updates automatically and notify me when they are ready to be installed Causes any updates to be downloaded from the Microsoft Web site without any notification. Once the update has completed downloading, the user is asked if the update should be installed.
■ Automatically download the updates, and install them on the schedule that I specify Causes any updates to be downloaded from the Microsoft Web site without any notification. When this option is chosen, you can specify the time when the update can be installed without user intervention.
Figure 2.27 Choosing Automatic Updates Options
Head of the Class...
Deciding Whether to Apply an Update
Even though service packs, bug fixes, and patches are designed to fix problems
with an operating system or application, you cannot be sure that they will not
cause problems themselves. An example of this is Windows NT 4.0 Service Pack 6,
which caused major problems after being applied. This service pack was removed
from the Microsoft Web site and soon replaced with Service Pack 6a. It’s usually a
good idea to wait a few days or a week to see if other customers of the manufacturer experience any issues before installing an update.
To ensure an update works properly and does not cause major problems with
computers on your network, it is wise to apply the update to a test machine or
computer in a lab environment before applying it to computers on the production
network. A test machine has the same configuration and programs installed as
other network machines, but it isn’t actually used for business purposes. Testing
updates on such a computer is especially important when applying updates to
servers, because server changes can affect large numbers of users if problems arise.
Although new versions of Windows provide a method of automatically
applying updates from Microsoft’s Web site, you can configure this service to either
notify you before applying an update or disable the service so that Windows will
not regularly check for updates. If this service is disabled, you must regularly check
for updates manually by visiting Microsoft’s site, downloading the updates, and
applying them. You should never merely install Windows and leave it without
applying critical updates. Failing to apply certain updates may leave your system
vulnerable to attack or cause elements of the system to function unexpectedly.
Antivirus Software
Viruses, Trojan horses, and other malicious programs are a threat to any organization, especially if the organization is connected to the Internet. If these programs infect a network,
data and systems can be damaged or destroyed. Worse, infection might cause critical information (such as passwords or files) to be transmitted to other sources. To prevent these malicious programs from causing problems, antivirus software should be installed on servers and
workstations throughout the network.
When antivirus software is installed, it will scan for viruses and clean them using information stored in signature files. Signature files are used to identify viruses and let the software know how to remove them. Because new viruses appear every month, signature files
need to be updated regularly by downloading them from the vendor’s Web site.
Unnecessary Accounts and Services
Hackers and malicious programs can use insecure elements of a system to acquire greater
access and cause more damage. To keep these entities from exploiting elements of your
system, you should disable any services that are not needed. If a service has a weakness for
which a security patch has not been developed, it could be exploited. By disabling
unneeded services, you are cutting off possible avenues of attack. In doing so, you will not
affect any functionality used by computers and users, and you can avoid any security issues
that may be related to them.
Certain accounts in Windows Server 2003 should also be disabled or deleted. If an
account is no longer being used, it should be removed to avoid a person or program using
it to obtain unauthorized access. Even if an account will not be used temporarily (for
example, during an employee’s leave or vacation), the account should be disabled during the
user’s absence. If an employee has left permanently or a computer has been removed from
the network, these accounts should be deleted.
There are other accounts that you should consider disabling due to their access level.
The Administrator account has full access to a system and is a well-known account.
Windows Server 2003 and previous versions of Windows all have an account named
Administrator that has the ability to do anything on a server. Because hackers already know
the username of this account, they only need to obtain the password to achieve this level of
access. Although the Administrator account cannot be deleted, it can be disabled and
renamed. If you create new user accounts and add them to the Administrators group, and
disable the Administrator account, attackers will find it more difficult to determine which
account to target.
Another account that is disabled by default, and should remain so, is the Guest account.
This account is used to provide anonymous access to users who do not have their own
account. Like the Administrator account, the Guest account is created when Windows
Server 2003 is installed. Because there is the possibility that this account could accidentally
be given improper levels of access and could be exploited to gain even greater access, it is a
good idea to leave this account disabled. By giving users their own accounts, you can provide the access they need and audit their actions when necessary.
For any user, group, or computer account, it is important to grant only the minimum
level of access needed. Employees can accidentally or maliciously modify data or use systems inappropriately. To prevent users from causing such problems, you should never give
them more access than they require. You want users to be unable to access anything beyond
the scope of their role within the organization. This will assist in keeping other data and
systems on the network protected. Determining what level of security a user needs to perform his or her job usually requires some investigation. Users often have their own personal directories for storing files, but they also typically need additional access to databases,
programs, and files stored on various servers. To determine how much access a user or
group needs, you should begin by discussing the user’s duties with management. By understanding the job a user performs, you will be able to determine which resources the user
needs to access.
Strong Passwords
Passwords are a key component of the default method of authentication for Windows and
other software (such as database management systems). They are used to prevent unauthorized access to computers, networks, and other technologies by forcing anyone who wants
access to provide a specific piece of information, which should be known only to the authorized user.
Strong passwords are more difficult to crack than simple ones. These types of passwords
use a combination of keyboard characters from each of the following categories:
■ Lowercase letters (a–z)
■ Uppercase letters (A–Z)
■ Numbers (0–9)
■ Special characters (` ~ ! @ # $ % ^ & * ( ) _ + - = { } | [ ] \ : " ; ' < > ? , . /)
The length of a password also affects how easy it is to crack. The more characters used,
the more variations of letters, numbers, and special characters the password can contain. You
can use security templates and group policies to control how long a password is valid, the
length of a password, and other aspects of password management. If you specify a minimum
password length of at least seven characters, it will be harder to exploit the account accessed
with this password.
In addition, you should avoid using passwords that contain your username, real names,
or company name, because these make passwords easier to guess. You should also avoid
using passwords that contain actual words that appear in the dictionary, because hacking
programs can be used to crack such passwords.
Another requirement that is important to having secure passwords is making sure that
each time users change their passwords, they use passwords that are different from previous
passwords. All too often, users will use the same password over and over, modifying it
slightly. For example, they might have the password “pass1” one month, and then change it
to “pass2” the next. In other cases, they might simply change the password each month to
the name of the current month (January, February, and so on). Again, ensuring each new
password is different from previous passwords will make it more difficult for unauthorized
persons to determine current passwords.
To ensure domain controllers are secure, there are a number of password requirements
that are enforced by default on Windows 2003 domain controllers:
■ The password cannot contain any part of the user’s account name.
■ It must be a minimum of six characters in length.
■ It must contain characters from three of the four categories: lowercase letters,
uppercase letters, numbers, and special characters.
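The three default domain controller rules just listed, together with the chapter’s other recommendations (a longer minimum length, no real or company names, no reuse of a previous password), as an added Python check that is not from the book and is not Microsoft’s password filter. How “any part of the account name” is interpreted here (the whole name plus any piece of three or more characters between common separators) is this example’s own assumption, and every account name and password in it is constructed.

```python
"""Checks a proposed password against the default domain controller rules
listed above plus the chapter's other recommendations. Example code, not
Microsoft's password filter; all sample names and passwords are constructed."""
import re

# The special characters listed in the chapter's strong-password categories.
SPECIAL = "`~!@#$%^&*()_+-={}|[]\\:\";'<>?,./"

# Assumption of this example: "part of the account name" means the whole name
# plus any piece of three or more characters between common separators.
_NAME_SEPARATORS = re.compile(r"[ ,.\-_#\t]+")


def character_categories(password):
    """Return the set of categories (lower/upper/digit/special) used."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        elif ch in SPECIAL:
            used.add("special")
    return used


def account_name_parts(account_name):
    """Pieces of the account name that must not appear in the password.
    Pieces shorter than three characters are ignored to avoid false hits."""
    lowered = account_name.lower()
    parts = {p for p in _NAME_SEPARATORS.split(lowered) if len(p) >= 3}
    if len(lowered) >= 3:
        parts.add(lowered)
    return parts


def check_password(password, account_name, history=(), banned_words=(),
                   min_length=6, min_categories=3):
    """Return the list of reasons the password is rejected (empty = accepted).

    Defaults match the domain controller rules in the text: at least six
    characters, three of the four categories, no part of the account name.
    min_length=7 applies the chapter's stronger recommendation; banned_words
    lets you add real names or the company name; history rejects reuse of
    exactly the same previous password."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    used = len(character_categories(password))
    if used < min_categories:
        problems.append(f"uses {used} character categories, needs {min_categories}")
    lowered = password.lower()
    for part in sorted(account_name_parts(account_name)):
        if part in lowered:
            problems.append(f"contains part of the account name: {part}")
            break
    for word in banned_words:
        if word.lower() in lowered:
            problems.append(f"contains a banned word: {word}")
            break
    if password in history:
        problems.append("matches a previous password")
    return problems


if __name__ == "__main__":
    # Constructed account name and candidate passwords.
    for pw in ("pass1", "Summer2003!", "Jsmith2004!"):
        verdict = check_password(pw, "jsmith") or ["accepted"]
        print(pw, "->", "; ".join(verdict))
```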
NTFS
Windows Server 2003 supports the FAT, FAT32, and NTFS file systems. Of these, NTFS
provides the highest level of security. Using NTFS, you can do the following:
■ Set permissions on individual files and folders.
■ Control which accounts have access to file system resources.
■ Implement file encryption, which prevents unauthorized users from accessing files and folders.
■ Implement disk quotas, which allow you to control how much hard disk space users may use.
Using NTFS greatly enhances the security and management of files.
Disk partitions can be formatted with NTFS when a server is initially installed. If a
volume is formatted as FAT or FAT32, you can convert it to NTFS. You can convert partitions to NTFS by using the command-line tool convert.exe. This tool changes existing partitions into NTFS partitions, without adversely affecting any files on the hard disk.
EXAM WARNING
NTFS is an important part of security on Windows NT, Windows 2000, and
Windows Server 2003 systems. Without NTFS, permissions cannot be set on individual files or folders. In Windows Server 2003, other features such as disk quotas
and EFS are not available without NTFS.
Regular Backups
It is also important to perform regular data backups. When backups are performed, the data
on a computer is copied to other media (such as tape), which can then be stored in another
location. If a problem occurs with the source data, you can restore any files that were damaged or lost. For example, if a user accidentally deletes a file or a server’s hard drive crashes,
a backup can be restored and all files returned to their previous state.
Windows Server 2003 also provides Automated System Recovery and the Recovery
Console for restoring systems that have failed.
Recovery Console is a text-mode command interpreter that can be used without starting
Windows Server 2003. It allows you to access the hard disk and use commands to troubleshoot and manage problems that prevent the operating system from starting properly.
With this tool, you can do the following:
■ Enable and disable services.
■ Format hard disks.
■ Repair the master boot record and boot sector.
■ Read and write data on FAT16, FAT32, and NTFS drives.
■ Perform other tasks necessary to repair the system.
You can start Recovery Console from the installation CD for Windows Server 2003, or
you can install it on an x86-based computer. When installed on the computer, Recovery
Console can be run from a multiple-boot menu that appears when the computer is first
started. Either method will start the same program and allow you to enter different commands to repair the system.
Automated System Recovery (ASR) allows you to back up and restore the Registry, boot
files, and other system state data, as well as other data used by the operating system. An ASR
set consists of files that are needed to restore Windows Server 2003 if the system cannot be
started. When you create an ASR set, the following items are backed up:
■ System state data
■ System services
■ Disks that hold operating system components
In addition, ASR creates a floppy disk that contains system settings. Because an ASR set
focuses on the files needed to restore the system, data files are not included in the backup.
You should create an ASR set each time a major hardware change or a change to the
operating system is made on the computer running Windows Server 2003. For example, if
you install a new hard disk or network card, or apply a security patch or service pack, you
should create an ASR set. Then, if a problem occurs after upgrading the system, you can use
the ASR set to restore the system to its previous state (but only after you’ve attempted
other methods of system recovery).
ASR should not be used as the first step in recovering an operating system. In fact,
Microsoft recommends that it be the last possible option for system recovery and be used
only after you’ve attempted other methods. In many cases, you’ll be able to get back into
the system using Safe Mode, the Last Known Good Configuration, or other options.
To create an ASR set, use the Windows Server 2003 Backup utility. On the Welcome
tab of the Backup utility, click the Automated System Recovery Wizard button. This
starts the Automated System Recovery Preparation Wizard, which takes you through
the steps of backing up the system files needed to recover Windows Server 2003 and creating a floppy disk containing the information needed to restore the system.
Securing Domain Controllers
The methods described in the previous sections can improve the security of a server in any
role, but they are particularly important for domain controllers. Physical security and strong
passwords are needed to prevent unauthorized parties from modifying accounts or other
aspects of the domain. In addition, methods to protect the server from malicious programs
and tampering should be implemented. Examples include applying updates, installing
antivirus software, and formatting all partitions as NTFS.
The effects of an insecure domain controller can be far-reaching. Information in AD is
replicated to other domain controllers, so changes on one domain controller can affect all
of them. This means that if an unauthorized entity accessed the directory and made
changes, every domain controller would be updated with these changes. This includes disabled or deleted accounts, modifications to groups, and changes to other objects in the
directory. Because all Windows 2000 Server domain controllers store a writable copy of AD,
additional steps must be taken to secure the directory.
It is important that group membership is controlled, so that the likelihood of accidental
or malicious changes being made to AD is minimized. This especially applies to the
Enterprise Admins, Domain Admins, Account Operators, Server Operators, and
Administrators groups.
Because anyone who has physical access to the domain controller can make changes to
the domain controller and AD, it is important that these servers have heightened security.
Consider using smart cards to control authentication at the server console.
Encryption should also be used to protect data and authenticate users. As mentioned,
NTFS partitions allow file encryption, and Kerberos provides strong authentication security.
In Windows Server 2003, Kerberos is the default authentication protocol for domain members running Windows 2000 or later.
Securing File and Print Servers
File and print servers also need additional security. In addition to setting permissions on
files and folders, regularly performing backups, and using antivirus software, organizations
may also need to implement greater levels of protection such as encryption. Similarly, print
servers need to be protected from improper use and must be configured to prevent unauthorized users from wasting print resources.
File Servers
Because file servers are used to store data in a central location, it is important that they are
kept secure. Although file servers allow the data to be accessed by other users, you need to
ensure that only those who are authorized are able to use the files. For this reason, it is
especially important that volumes on a file server are formatted as NTFS and appropriate
permissions are set on files and folders. As an added measure of security, these disks should
also use EFS.
EFS is used to encrypt data on NTFS volumes. When EFS is used, unauthorized users
and malicious programs are prevented from accessing the content of files, regardless of their
permissions. Although the process involved in the encryption and decryption of data can be
quite complex, EFS file encryption is completely transparent to the user.
When a user specifies that a file is to be encrypted using EFS, parts of the file are individually encrypted with file encryption keys. These keys are stored in the file header and
encrypted using a public key that corresponds to the user who encrypted the file. When the
user accesses the file, the file encryption keys are decrypted using the private key that corresponds to the public key that was used to encrypt them. Because this key is held privately
by the user who encrypted the file, no one else can access it. The decrypted file is stored in
memory, and the original file stored in the file system remains encrypted.
When a folder is encrypted with EFS, you have the option of encrypting all files and
subfolders inside it. If this option is used, any files that are created in or copied to the folder or its
subfolders are automatically encrypted. If encryption is not specified at the folder level, only
the files and subfolders that a user explicitly specifies will be encrypted.
Configuring & Implementing...
Ensuring That Data Is Encrypted
EFS is an important part of keeping data secure on a file server because it prevents
unauthorized parties from viewing and modifying data. When folders are
encrypted with EFS, you can have all files and subfolders encrypted as well. If this
option isn’t used, files on the hard disk will not be encrypted. This is an important
issue when users are working with applications that create temporary files.
Temporary files are used to store information while the person is working on
a document, spreadsheet, or other file. These files are created by the application
and may contain a duplicate working copy of a file. Although applications that use
temporary files are supposed to remove them when the files are closed or the program shuts down, this isn’t always the case. If an authorized user opens an
encrypted file using a program that creates temporary files, an unencrypted temporary file may be created. Potentially, a hacker who could not access the data in
the encrypted file might be able to open the temporary file and view the data inside
it.
To ensure that temporary work files are not accessible, you should encrypt the
temporary folder you specify in the application. In this way, when the application
creates a temporary file, it will automatically be encrypted, eliminating a potential
target for hackers.
Although EFS is an important part of securing a file server, this does not mean that
every file on the network is a candidate for being encrypted with EFS. As mentioned, only
files on NTFS volumes can be encrypted with EFS. If a volume is formatted as NTFS, files
that have the System attribute or are located in %systemroot% (for example, C:\Windows)
cannot be encrypted. Also, if the file or folder you want to encrypt is compressed, you
cannot use encryption. The opposite is also true: if a file or folder is encrypted with EFS, it
cannot be compressed.
NOTE
In Windows 2000, there was no visual indication of which files and folders were
encrypted. This made management of EFS difficult because you needed to examine
file and folder properties when attempting to ascertain which ones were
encrypted. In Windows Server 2003, Microsoft developers included an option that
colors encrypted files and folders green, so that they can be easily spotted in
Windows Explorer and other applications.
Another important limitation of EFS is that it encrypts data only on NTFS volumes.
When a file is accessed remotely on a file server, Windows Server 2003 decrypts it and
sends it across the network in unencrypted form. For data to be encrypted during transmission, other technologies like IPSec must be used.
IPSec ensures that data is sent securely over the network by encrypting packets and
authenticating the identity of the sender and receiver. When using IPSec, a policy is applied
to both the sender’s and receiver’s computer, so the systems agree on how data will be
encrypted. Other computers that intercept traffic between the machines will be unable to
decipher the information contained in the packets.
Print Servers
Files that are being printed may also require protection. IPSec can be implemented to protect the transmission of data being sent to printers. After all, if a document can be captured
while being sent to a printer, a hacker can view its information just as if it were being
accessed directly from a server.
Physical security issues can be very important for printers. Anyone with access to a
printer can remove printed documents from it. This is especially critical for printers that are
routinely used to print sensitive documents or financial instruments like checks. A sensitive
document may reside on a highly secure file server, but once it is printed, anyone standing
by the printer could simply pick it up and walk away. To prevent this from happening, such
printers should be located in secure areas that are not accessible to the public and other
unauthorized users.
Just as files can have permissions assigned to them, so can printers. Printer permissions
are used to control who can print and manage network printing. As shown in Figure 2.28,
they are set on the Security tab of a printer’s properties. Using printer permissions, you
can allow or deny the following permissions for users:
■ Print Allows users to print documents.
■ Manage Printers Allows users to perform administrative tasks on a printer,
including starting, pausing, and stopping the printer; changing spooler settings;
sharing the printer; modifying permissions; and changing property settings.
■ Manage Documents Allows users to perform administrative tasks relating to
documents being printed. It allows users to start, pause, resume, reorder, and
cancel documents.
Figure 2.28 Setting Permissions for a Printer
Although different permissions exist for printing, only the Print permission gives the
ability to print a document. For example, when only the Manage Documents permission is
given, the user has the ability to manage other people’s documents but cannot send documents to the printer for printing. Because those who manage printers may need to print
test pages to determine if the printer is working properly, the Manage Printers permission
can be set only if the Print permission is given.
Because the Print permission is assigned to the Everyone group, all users have access to
print to a printer once it is shared on the network. For most printers, it’s usually a good
idea to remove this permission and add the specific groups within your organization that
should have access to the printer.
Securing DHCP, DNS, and WINS Servers
DHCP, DNS, and WINS servers often provide the ability to connect to the network and
find other computers. DHCP is used to provide IP address and configuration information
to clients. DNS and WINS servers are used to resolve names to IP addresses (and vice
versa). If you do not secure these servers, malicious persons and programs may be able to
prohibit users from connecting to the network, redirect traffic to other locations, and
impact the ability to use network resources.
DHCP servers do not require authentication when providing a lease. Any client that
contacts the DHCP server can obtain a lease and connect to the network. In addition to
receiving an IP address as part of the lease, clients may also be automatically configured
with WINS or DNS server information. To avoid this, it is important that you restrict physical and wireless access to your network. This helps to prevent unauthorized persons from
successfully connecting to your network and obtaining a valid DHCP lease. In addition,
auditing should be enabled on the DHCP server so that you can review requests for leased
addresses. By reviewing the logs, you may be able to identify possible problems.
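The review described above can be partly automated. The following is an added example (not code from the book): it parses records in the comma-separated layout of the Windows DHCP server audit log (ID, Date, Time, Description, IP Address, Host Name, MAC Address), flags the event IDs a reviewer would want to see (13 address conflict, 14 pool exhausted, 15 lease denied), and reports bursts of new leases (event 10) in a short window, which can indicate a client draining the scope. The log lines, the burst thresholds and the host and MAC values are constructed sample data.

```python
"""Review constructed sample records in the Windows DHCP audit log layout."""
from collections import deque
from datetime import datetime, timedelta

# Event IDs worth reviewing (a subset of the IDs the DHCP service writes).
WATCH_EVENTS = {
    13: "address conflict detected",
    14: "scope address pool exhausted",
    15: "lease denied",
}

# Constructed sample log: header line followed by event records.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,09/10/03,10:58:01,Assign,192.168.1.50,WS01.corp.example,000C29A1B2C3
11,09/10/03,10:58:20,Renew,192.168.1.51,WS02.corp.example,000C29A1B2C4
10,09/10/03,11:02:00,Assign,192.168.1.52,,00DEAD000001
10,09/10/03,11:02:01,Assign,192.168.1.53,,00DEAD000002
10,09/10/03,11:02:01,Assign,192.168.1.54,,00DEAD000003
10,09/10/03,11:02:02,Assign,192.168.1.55,,00DEAD000004
10,09/10/03,11:02:03,Assign,192.168.1.56,,00DEAD000005
14,09/10/03,11:02:04,Pool exhausted,,,00DEAD000006
15,09/10/03,11:05:00,Lease denied,192.168.1.60,,000C29A1B2C9
"""


def parse_log(text):
    """Yield one dict per event record; header and free-text lines are skipped."""
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 7 or not parts[0].isdigit():
            continue
        when = datetime.strptime(parts[1] + " " + parts[2], "%m/%d/%y %H:%M:%S")
        yield {"id": int(parts[0]), "time": when, "desc": parts[3],
               "ip": parts[4], "host": parts[5], "mac": parts[6]}


def review(text, burst_window=timedelta(seconds=10), burst_threshold=5):
    """Return (alerts, bursts).

    alerts: watched events as (event_id, time, mac) tuples.
    bursts: times at which burst_threshold new leases (event 10) were handed
            out within burst_window; thresholds are assumed values, tune them
            to the scope size and normal client churn.
    """
    alerts, bursts = [], []
    recent = deque()  # timestamps of recent event-10 records
    for ev in parse_log(text):
        if ev["id"] in WATCH_EVENTS:
            alerts.append((ev["id"], ev["time"], ev["mac"]))
        if ev["id"] == 10:
            recent.append(ev["time"])
            while recent and ev["time"] - recent[0] > burst_window:
                recent.popleft()
            if len(recent) >= burst_threshold:
                bursts.append(ev["time"])
                recent.clear()
    return alerts, bursts


if __name__ == "__main__":
    found_alerts, found_bursts = review(SAMPLE_LOG)
    for event_id, when, mac in found_alerts:
        print(f"{when} {WATCH_EVENTS[event_id]} (MAC {mac})")
    for when in found_bursts:
        print(f"{when} burst of new leases")
```

The parser keys off the numeric event ID rather than the Description column, so the same logic works on real audit log files, whose descriptive text differs from the constructed lines here.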
Just as DHCP is an unauthenticated protocol, so is the NetBIOS naming protocol used
by WINS. WINS was designed to work with NetBIOS over TCP/IP (NetBT), which does
not require any authentication. Because a user does not need to provide credentials to use
WINS, it should be regarded as available to unauthorized persons or programs. These entities could request a massive number of names to be registered or resolved by the WINS
server, so that the server becomes bogged down and unable to process other requests. This
type of attack is called a denial of service (DoS) and is designed to overload systems and
prevent access for legitimate users.
Rogue servers can also be a problem on the network. When a client requests a DHCP
lease, it does so by broadcast. If an unauthorized person puts a DHCP server on the network, the incorrect IP address and configuration information could be provided to clients.
This isn’t the case if the rogue DHCP server is running Windows 2000 or Windows Server
2003, because these must be authorized in AD. If the server determines that it is not authorized, the DHCP service will not start. However, pre-Windows 2000 and non-Windows
DHCP servers require no authorization and can be effectively used as rogue DHCP servers
in a Windows Server 2003 environment. Handing out bogus DHCP leases that do not
expire can be a very effective DoS technique. Because of this, it is important to monitor
network traffic for DHCP server traffic that does not come from your network’s authorized
DHCP servers.
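One way to implement the monitoring recommended above is to inspect DHCP server replies on the wire and compare the Server Identifier option against a list of your authorized servers. The following is an added example, not code from the book: it builds constructed BOOTP/DHCP packets (so it runs offline without a capture), parses the fixed header and the option field, and flags any OFFER, ACK or NAK whose Server Identifier (option 54) is not on the allowlist. The allowlist address 192.168.1.10 and the packet contents are assumptions.

```python
"""Flag DHCP server replies that do not come from an authorized server."""
import struct
from ipaddress import IPv4Address

# Constructed allowlist: the DHCP servers you have authorized on your network.
AUTHORIZED_DHCP_SERVERS = {"192.168.1.10"}

DHCP_MAGIC = b"\x63\x82\x53\x63"      # cookie that separates header from options
OPT_MESSAGE_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 0xFF, 0
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_dhcp_packet(op, yiaddr, options):
    """Build a minimal BOOTP/DHCP packet (constructed test data, not a capture).

    op: 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server).
    options: list of (code, value_bytes) pairs placed after the magic cookie.
    """
    header = struct.pack("!BBBBIHH4s4s4s4s",
                         op, 1, 6, 0,          # op, htype (Ethernet), hlen, hops
                         0x12345678, 0, 0,     # xid, secs, flags
                         b"\0" * 4,            # ciaddr
                         IPv4Address(yiaddr).packed,  # yiaddr: offered address
                         b"\0" * 4, b"\0" * 4)        # siaddr, giaddr
    header += b"\0" * 16 + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + DHCP_MAGIC + body + bytes([OPT_END])


def parse_dhcp(packet):
    """Return {'op', 'yiaddr', 'options'} with options decoded as {code: bytes}."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": packet[0], "yiaddr": str(IPv4Address(packet[16:20])),
            "options": options}


def classify_server_message(packet):
    """For a server reply return (message_type, server_id, is_rogue); else None.

    A reply with no Server Identifier option is also treated as rogue, since an
    authorized Windows DHCP server always includes it.
    """
    p = parse_dhcp(packet)
    if p["op"] != 2:
        return None
    mtype = MSG_TYPES.get(p["options"].get(OPT_MESSAGE_TYPE, b"\0")[0], "UNKNOWN")
    sid_raw = p["options"].get(OPT_SERVER_ID)
    server_id = str(IPv4Address(sid_raw)) if sid_raw else None
    return mtype, server_id, server_id not in AUTHORIZED_DHCP_SERVERS


if __name__ == "__main__":
    offer = build_dhcp_packet(2, "192.168.1.77",
                              [(OPT_MESSAGE_TYPE, b"\x02"),
                               (OPT_SERVER_ID, bytes([192, 168, 1, 99]))])
    print(classify_server_message(offer))   # rogue offer from 192.168.1.99
```

In practice the packet bytes would come from a sniffer listening on UDP port 68 on a monitoring host; everything else in the block stays the same.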
Restricting access to DHCP tools and limiting membership in groups that can modify
DHCP settings are other important steps in securing a DHCP server. To administer DHCP
servers remotely using the DHCP console or Netsh utility, you need to be a member of the
Administrators group or the DHCP Administrators group. By restricting membership in
these groups, you limit the number of people who can authorize a DHCP server to service
client requests.
TEST DAY TIP
Many people get DHCP, DNS, and WINS confused with one another. Remember
that DHCP is used to assign IP addresses to clients, while DNS and WINS are used
for name resolution. To avoid confusing DNS and WINS, remember that DNS is the
Domain Name System. Remembering its name will help you associate that DNS is
used to resolve DNS names to IP addresses and vice versa. Through the process of
elimination, this will make it easier to remember that WINS is used to resolve
NetBIOS names to IP addresses and vice versa.
Securing Web Servers
Because IIS provides a variety of services that allow users to access information from the
Web server service, it provides potential avenues of attack for unauthorized users, malicious
programs, and other sources. For this reason, it is not installed by default. If you do not need
a Web server on your network, IIS should remain uninstalled. If it has been installed on
servers that do not need it, make sure to uninstall it.
Once IIS is installed on Windows Server 2003, it is locked down to prevent any
unneeded services from being exploited. By default, IIS will provide only static content to
users. If dynamic content is used on the server, you will need to enable the necessary features. For example, if your site is going to use ASP, ASP.NET, Common Gateway
Interface (CGI), Internet Server Application Programming Interface (ISAPI) or Web
Distributed Authoring and Versioning (WebDAV), each of these will need to be enabled
before they can be used. As with Windows Server 2003 itself, any components that are not
needed should be disabled.
Another default setting of IIS is that it will not compile, execute, or serve files with
dynamic extensions. For example, if you have Web pages written as ASPs with the extension .asp, IIS won’t provide users with this content.These are not allowed by default
because of Microsoft’s new security initiatives. Dynamic content can contain malicious code
or have weaknesses that can be exploited. If files that provide dynamic content need to be
used on the Web server, you must add the file extensions to the Web service extensions list.
Any file types that are not needed should not be added.
An important part of protecting Web servers is using firewalls. Firewalls prevent direct
access between a network and clients by having traffic pass through the firewall, which
determines if the traffic should be blocked or allowed. In other words, it acts as a buffer
between the Web server and clients using it or between the internal network and other networks like the Internet. Rules can be set up on the firewall controlling what kinds of traffic
may pass and who can perform certain actions. For example, the firewall might prevent AVI
files from being transmitted from the Internet for general users but not administrators. Or,
it might prohibit executable downloads to prevent virus-infected files or Trojan horses from
being installed on clients.
Securing Database Servers
When securing databases, you should take advantage of security features offered by the
database software. Microsoft SQL Server, for example, provides two methods of authenticating clients to access data: Windows Authentication Mode and Mixed Mode. When
Windows Authentication Mode is used, the SQL Server administrator has the ability to
grant logon access to Windows user accounts and groups. If Mixed Mode is used, users can
be authenticated through either Windows authentication or separate accounts created
within SQL Server.
Regardless of the authentication mode used, like many database applications, SQL
Server allows you to control access to data at a granular level. Permissions can be set to
determine the operations that a user can perform on the data contained in the database. In
many database applications, you can set permissions at the server, database, or table level.
While one account might have the ability to create tables and delete data in all databases,
another may only be able to view data in a single database.These permissions are different
from those that can be set through AD and NTFS, and they apply only within the database
program.
Database servers may also need to be secured through other roles that are used to access
the database. For example, IIS is set up through the application role, and Web pages on the
server can be used to access data stored in a database. Similarly, applications that are developed and made accessible from a terminal server may be used to view and manipulate
database information.
To control access to the database server, you can use settings configured through a data
source name (DSN). A DSN is commonly used by compiled and Web-based programs to
gain access to data that is stored in data management systems and data files. A DSN contains
information on the database name, the server it resides on, and the directory in which it’s
stored (if a data file is used). It also holds the username, password, and driver to use when
making the connection. Programs use information in the DSN to connect to the data
source, make queries, and manipulate data. To create or modify a DSN, use the Data
Sources (ODBC) applet (select Start | Administrative Tools | Data Sources
(ODBC)).
Because a DSN provides the username and password to use when connecting to the
data source, a number of security-related issues arise from its use. Any passwords that are
used should follow the recommendations for strong passwords that were discussed earlier in
this chapter. In cases where a DSN is being used to connect to a SQL Server database, you
also have the option of using Windows authentication or SQL Server authentication. If
SQL Server authentication is used, you can enter the username and password of an account
created in SQL Server. However, you should avoid entering the name of any accounts with
access higher than the user will need. For example, entering the system administrator
account (sa) would provide a DSN with full access to SQL Server and could maliciously or
accidentally cause problems.To avoid possible damage to data or access violations, you
should provide the username and password of a SQL Server account that has restricted
access.
Securing Mail Servers
When Windows Server 2003 is configured with the mail server role, it should be set up to
require secure authentication from e-mail clients. As mentioned earlier, clients retrieve their
e-mail from mail servers using the POP3 protocol. Client software and the mail server’s
POP3 service can be configured to accept only passwords that are encrypted in order to
prevent them from being intercepted by unauthorized parties.
In Windows Server 2003, the Microsoft POP3 Service uses Secure Password
Authentication (SPA) to ensure that authentication between the mail server and clients is
encrypted. SPA is integrated with AD, which is used to authenticate users as they log on to
retrieve their e-mail. In cases where domain controllers are not used, SPA can authenticate
to local accounts on the mail server. When the POP3 service is configured to accept only
authentication using SPA, clients must also be configured to use encrypted authentication.
If they are not, clients will attempt to authenticate using cleartext (which is plaintext, or
unencrypted data) and will be rejected by the mail server.
To prevent mail servers from filling up with undeleted or unchecked e-mail, disk
quotas should also be implemented. E-mail can include attachments, which are files that are
sent with messages. Over time, mail left on the server can fill up hard disk space and affect
server performance. By using disk quotas, users can be limited to a specific amount of hard
disk space. Disk quotas can be used only on NTFS partitions. When NTFS is used, permissions can also be set on the directories that store e-mail, preventing unauthorized parties
from accessing it on the server.
Securing CAs
In addition to the basic server hardening techniques mentioned earlier in this chapter, a CA
needs additional levels of security applied to it. Recall that a root CA resides at the top of the
hierarchy, with subordinate CAs existing below it. Because the root CA is the most trusted
one in a hierarchy, any CAs below it automatically trust it. These subordinate CAs use the
root CA’s public key and bind it to their own identity. In doing so, the subordinate can also
issue certificates to users and computers.
Because of the trust between root and subordinate CAs, if the root CA is compromised, subordinate CAs continue trusting it. This compromises all certificates issued by the
CAs in the hierarchy. As a security measure, you should disable the root CA’s ability to issue
certificates online and allow only child CAs to perform this function. An offline root CA is
more difficult to compromise, since physical access to it is required.
Additional benefits can be derived from the use of enterprise CAs.When a user
requests a certificate from an enterprise CA, that CA is able to validate the information
provided by the user through AD. This can provide an extra measure of security. Standalone CAs require manual inspection and approval of requests by a CA administrator.
Manual processes are typically much more error-prone than automated ones.
When certificates are found to be invalid, they should immediately be revoked. After a
certificate is revoked, the CRL should be immediately updated and published. The CRL is
used to inform the world of certificates that are no longer valid. If the certificate is invalid,
the software used to check it often allows the user to decide whether or not to trust the
certificate holder.
NOTE
Although you can publish a CRL immediately, that does not necessarily mean that
all hosts will begin to use the new list. CRLs are cached on local hosts and will not
be refreshed until the update period is reached. As a result, the old list that allows
invalid certificates will continue to be used until a host checks back in for an
update. As an administrator, you can determine how frequently the CRL is updated
at the host level. You’ll need to balance your security needs against the network
traffic requirements of a CRL update and choose an appropriate interval for your
organization.
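The window the note describes, between a CA publishing a new CRL and a host actually using it, can be seen in a small simulation. The following is an added example (not code from the book): a CA object that revokes serials and publishes a CRL with a next-update time, and a host-side cache that keeps using its copy until that time passes. The serial numbers, timestamps and the 24-hour publication interval are assumed values; the only rule modelled is that a cached CRL is trusted until its next-update time.

```python
"""Simulate how CRL caching delays the effect of a revocation on hosts."""
from datetime import datetime, timedelta


class CertificateAuthority:
    """Toy CA: tracks revoked serials and publishes CRLs with a next-update time."""

    def __init__(self, crl_interval):
        self.crl_interval = crl_interval
        self.revoked = set()
        self.crl = (frozenset(), None)   # (revoked serials, next_update)

    def publish_crl(self, now):
        self.crl = (frozenset(self.revoked), now + self.crl_interval)

    def revoke(self, serial, now):
        """Revoke a certificate and publish an updated CRL immediately."""
        self.revoked.add(serial)
        self.publish_crl(now)

    def fetch_crl(self, now):
        return self.crl


class CachedCrl:
    """Host-side cache: the downloaded CRL is reused until its next-update time."""

    def __init__(self, fetch):
        self.fetch = fetch                   # callable(now) -> (serials, next_update)
        self.revoked, self.next_update = None, None

    def is_revoked(self, serial, now):
        if self.next_update is None or now >= self.next_update:
            self.revoked, self.next_update = self.fetch(now)   # refresh the cache
        return serial in self.revoked


def simulate(crl_interval=timedelta(hours=24)):
    """Check one certificate before, shortly after, and long after revocation."""
    t0 = datetime(2003, 9, 10, 10, 58)          # constructed start time
    serial = 0x1001                              # constructed certificate serial
    ca = CertificateAuthority(crl_interval)
    ca.publish_crl(t0)
    host = CachedCrl(ca.fetch_crl)

    results = {}
    results["before_revocation"] = host.is_revoked(serial, t0)
    ca.revoke(serial, t0 + timedelta(hours=1))
    # One hour later the host still holds the CRL it fetched at t0.
    results["after_revocation_cached"] = host.is_revoked(serial, t0 + timedelta(hours=2))
    # Once the cached list reaches its next-update time the host refreshes it.
    results["after_cache_expiry"] = host.is_revoked(serial, t0 + timedelta(hours=24))
    return results


if __name__ == "__main__":
    for interval in (timedelta(hours=24), timedelta(hours=1)):
        print(interval, simulate(interval))
```

Running it with a one-hour interval instead of 24 hours shows the trade-off the note mentions: the revoked certificate is caught at the two-hour check, at the cost of hosts fetching the CRL 24 times as often.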
Securing Application and Terminal Servers
Application and terminal servers are also configurable server roles that need additional steps
to ensure that they are secure. Users are able to access applications across the network and
execute them on servers using each of these roles. Because of the importance of many network-accessed applications, and the damage that can be done if they are exploited, it is
essential that these roles are protected.
Application Servers
Application servers provide access to a wide variety of data on the network, and they need
to be hardened using the methods discussed earlier. The tasks users perform on a network
often rely on their ability to use specific software and to be assured that all data is secure. To
achieve these goals, hard disks storing these applications and the files they generate should
be formatted with NTFS.
There is also a need for in-house applications, which are developed by programmers
working for the company, to use the latest development tools. Older application development tools may have vulnerabilities that can be exploited. For example, a program developed using an older version of Visual Basic could be decompiled, allowing a hacker to view
the code used to create the program. Code generated for in-house applications often contains sensitive information such as server names and authentication information. In addition, older development software is often not able to take advantage of the latest advances
in security.
Application servers need to use the general security methods discussed for other
servers. They may need to connect to other servers to acquire information or provide services. For example, an application hosted on an application server may use a database server
to acquire and process data before returning it to end users. Because the two work in conjunction, the database server must also be secured. Even though the application server
might be exceptionally secure, if there are security issues on the database server, the data
might be compromised, which can potentially affect the ability of the application to do its
job.
Servers configured in the application server role also have IIS 6.0 installed by default.
IIS lets the application server provide Web-based applications to users of the network.
Because the application server may have a Web server installed on it, steps need to be taken
to ensure the Web server is also secure, as discussed earlier in this chapter.
Terminal Servers
Because terminal servers provide access to applications and data, they also need to be configured to ensure that users and hosts do not achieve unauthorized access. By setting permissions on connections, you can control who can access a server and perform specific
tasks. This is in addition to the permissions that can be set on files accessed by users in a
terminal server session. By limiting access in these ways, you can control who is able to use
files and applications and what actions they are able to perform.
Terminal servers can also be configured to use specific levels of encryption.When a
communications link is established between a client and the terminal server, the data transmitted between them can be encrypted to prevent others from being able to view and use
it. The following encryption levels can be set:
■ High This is the default level. It uses 128-bit encryption, which may not be supported by all clients. If clients do not support this level of encryption, they will be
unable to connect to the terminal server.
■ Low This level provides only one-way encryption. Clients send data to the
server using 56-bit encryption, but any data sent from the server to the client is
unencrypted.
■ FIPS compliant This level encrypts data using Federal Information Processing
Standard (FIPS) encryption algorithms and is mandated for use by portions of the
U.S. government.
■ Client compliant This level encrypts data using the strongest possible key
strength supported by the client. Because the level of encryption depends on the
client, it may be a good idea to use it if legacy clients or a mix of clients are used
on the network. However, if you have strong security requirements, this level does
not allow you to specify the encryption level clients will use, so it should not be
used.
Creating Custom Security Templates
OBJECTIVE 1.3.2
Earlier in this chapter, we discussed how you can use predefined security templates to
modify security settings. Although these templates contain settings that can be used for a
number of purposes, they may not have the settings you specifically need for your organization. In such cases, you may want to create custom security templates.
You can create custom security templates in a number of ways. As described earlier,
modifying the results of an analysis using Security Configuration and Analysis, and then
exporting the changes to a new template file, is one way to create a custom security template. In addition, you can create custom security templates using the Security Templates
snap-in. The Security Templates snap-in allows you to modify existing templates and create
new ones from scratch.
As shown in Figure 2.29, Security Templates consists of two panes. The left pane contains the Security Templates node. When expanded, this node reveals the default template
location (%systemroot%\Security\Templates) and the child nodes that contain policy templates. Each policy node contains groups of settings that, when selected, appear in the right
pane of the utility.
Figure 2.29 The Security Templates console
To define the settings for a particular policy in the group, right-click the policy in the
right pane and select Properties. Each dialog box contains different options that are relevant only for that setting. For example, the Properties dialog box for the Maximum password age policy is shown in Figure 2.30. The Define this policy setting in the
template check box enables the configurable settings in this dialog box. In the case of the
Maximum password age policy, the settings in the Properties dialog box allow you to
control the number of days until the password expires. Clicking OK applies any changes
you have made to the policy.
Figure 2.30 Setting Maximum Password Age Properties
In addition to modifying existing templates, you can create new templates with
Security Templates. Right-click the folder in which you want to store the new template
and click New Template. In the dialog box that appears, shown in Figure 2.31, enter a
name for the template in the Template name text box. Optionally, you can enter a
description in the Description text box. After you click OK, the new template will appear
in the list.
Figure 2.31 Adding a New Security Template
When a new template is created, all of the settings in it are undefined. In other words,
there are no restrictions set within the template, because all settings are bypassed. To configure security settings for the template, you must go through each node and make the necessary changes to the policy settings, as discussed earlier. Exercise 2.04 guides you through
the process of creating a new template and modifying a setting in it.
EXERCISE 2.04
CREATING A NEW TEMPLATE USING SECURITY TEMPLATES
1. Select Start | Run, type MMC, and click OK.
2. When MMC opens, click File | Add/Remove Snap-in.
3. In the Add/Remove Snap-in dialog box, click the Standalone tab to
select it (if necessary).
4. Click the Add button. When the Add Standalone Snap-in dialog box
appears, select Security Templates from the list and click Add.
5. Click Close to return to the previous window. A Security Templates
entry should appear in the Add/Remove snap-in dialog box. Click OK
to close the dialog box.
6. The console tree in the MMC should now contain a Security Templates
node in the left pane. Expand this node to display the %systemroot%\
Security\Templates node. (Note that %systemroot% will be replaced
with your actual Windows directory location, such as C:\Windows.)
Expand this node to display all of the security templates that are stored
in this directory.
7. Right-click the %systemroot%\Security\Templates node and select
New Template from the context menu.
8. In the dialog box that appears, type TestTemplate in the Template
name text box, and then click OK to continue. The new template
should now appear in the left pane of Security Templates.
9. Expand the TestTemplate node to view the child nodes within it.
10. Expand Account Policies.
11. Click the Password Policy node to display the policy settings it contains.
12. In the right pane, double-click the Maximum password age policy to
display the Properties dialog box.
13. Select the check box next to Define this policy setting in the template.
14. Change the value in the Password will expire in box to 90.
15. Click OK. The Suggested Value Changes dialog box will appear.
Because the Minimum Password Age value hasn’t been set, this policy
will automatically be adjusted to 30 days.
16. Click OK to accept the change, and then exit the Properties dialog box.
17. Select File | Save As.
18. When the Save As dialog box appears, enter a name for this template
in the File name text box, and then click Save to save this new template.
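The template the exercise saves is a plain-text INF file (the snap-in and secedit write it as UTF-16), and the comparison that Security Configuration and Analysis later performs against the computer's current settings is mechanical. The following Python script is an added example, not code from this book or from Windows: it parses a constructed TestTemplate.inf like the one the exercise produces, applies the same minimum/maximum password age rule that the Suggested Value Changes dialog enforces, and compares the template with a constructed snapshot of current settings, reporting Match, Mismatch, and Not defined the way the analysis pane does. The [System Access] section and key names are the real template keys secedit uses; the current-settings snapshot and the extra MinimumPasswordLength entry are invented for the example.

```python
"""Parse a Windows security template (.inf) and compare it with current settings.

Added example; not part of the original book or of Windows' own tools.
Real templates are written by secedit/MMC as UTF-16 text, so read them from
disk with open(path, encoding="utf-16"). Keys below are the real [System Access]
names used by secedit; CURRENT_SETTINGS is a constructed snapshot for the demo.
"""

# Constructed: what TestTemplate.inf looks like after Exercise 2.04, plus one
# extra setting so the analysis shows more than one result type.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordAge = 30
MaximumPasswordAge = 90
MinimumPasswordLength = 8
"""

# Constructed snapshot of the machine's current account policy (values invented).
CURRENT_SETTINGS = {
    "MinimumPasswordAge": "0",
    "MaximumPasswordAge": "42",
    "MinimumPasswordLength": "8",
    "PasswordComplexity": "1",
    "PasswordHistorySize": "24",
}


def parse_template(text):
    """Return {section: {key: value}} for a secedit-style INF template."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("malformed template line: %r" % raw)
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def check_password_ages(system_access):
    """Mirror the Suggested Value Changes rule: a defined, non-zero maximum
    password age needs a minimum age that is shorter than it."""
    problems = []
    maximum = system_access.get("MaximumPasswordAge")
    minimum = system_access.get("MinimumPasswordAge")
    if maximum is not None and int(maximum) > 0:
        if minimum is None:
            problems.append("MinimumPasswordAge undefined (the snap-in would suggest 30)")
        elif int(minimum) >= int(maximum):
            problems.append("MinimumPasswordAge %s must be below MaximumPasswordAge %s"
                            % (minimum, maximum))
    return problems


def analyze(template, current):
    """Compare template [System Access] entries against current settings and
    return the status Security Configuration and Analysis would show:
    Match (green check), Mismatch (red X), or Not defined (not analyzed)."""
    wanted = template.get("System Access", {})
    report = {}
    for key, actual in current.items():
        if key not in wanted:
            report[key] = "Not defined"
        elif wanted[key] == actual:
            report[key] = "Match"
        else:
            report[key] = "Mismatch (template %s, computer %s)" % (wanted[key], actual)
    return report


if __name__ == "__main__":
    tpl = parse_template(TEMPLATE_INF)
    for problem in check_password_ages(tpl["System Access"]):
        print("template problem:", problem)
    for key, status in sorted(analyze(tpl, CURRENT_SETTINGS).items()):
        print("%-22s %s" % (key, status))
```

Run it as is to see the two mismatches the exercise's template would produce on a machine still using the 42-day default; to analyze a real template, replace TEMPLATE_INF with the contents of the saved .inf read with the utf-16 encoding.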
Deploying Security Configurations
As mentioned earlier in this chapter, security configurations can be deployed either manually on the local computer or to multiple systems using AD. You learned how to use the Security Configuration and Analysis and Secedit tools to apply a security template to a single computer. When you use GPOs to deploy security templates instead, you edit the GPO through Active Directory Users and Computers (for GPOs linked at the domain and OU levels) or Active Directory Sites and Services (for GPOs linked at the site level).
Computers have local security policies, which reside on the machine and affect only that particular computer. A user who logs on to the computer is subject to the policy settings that have been configured. The security policy can control a wide range of settings, including whether the user’s actions are audited, the resources the user is allowed to use, and whether the user can even access the computer.
GPOs can be applied to any Windows 2000 or later computer that has joined a domain. They can also be applied to user accounts. Security settings configured in GPOs override those made at the local computer level, because the local policy is processed first and any GPO applied afterward can overwrite it. Because policies can be set at the site, domain, and OU levels in AD, a computer or user may be subject to a wide combination of security settings. Computer settings are processed when the computer starts and user settings when the user logs on. Policy settings are cumulative and applied in the following order:
1. Site-level GPOs that affect the computer account
2. Domain-level GPOs that affect the computer account
3. OU- and sub-OU-level GPOs that affect the computer account
4. Site-level GPOs that affect the user account
5. Domain-level GPOs that affect the user account
6. OU- and sub-OU-level GPOs that affect the user account
By default, all settings applied will be in effect for the user and computer. However, some settings may conflict between GPOs. For example, a site-level policy that applies to the computer may specify a different value for a setting (such as a user right) than an OU-level policy that configures the same right and is applied later. By default, the last setting applied is the effective setting, so the OU-level setting would be in effect. Administrators can modify this behavior: selecting Block Policy Inheritance on a domain or OU stops GPOs linked above it from being applied, and marking a GPO link as No Override (called Enforced in the Group Policy Management Console) makes its settings win over conflicting settings in GPOs applied later, even where a lower container blocks inheritance.
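To make the precedence rules concrete, the following Python script is an added example (not from the book, and not Windows’ own Group Policy engine): it models the computer-side half of the list above, applying the local policy first, then site, domain, and OU GPOs in order, and then applying Block Policy Inheritance and No Override so you can see which GPO each effective setting came from. The container, GPO, and setting names are invented, and within a container the links are simply processed in list order.

```python
"""Compute the effective security settings from local policy plus site, domain
and OU GPOs. Added example; it models the precedence rules described in the
text, not Windows' actual Group Policy engine. All names are invented."""

from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    name: str
    settings: Dict[str, object]
    enforced: bool = False          # "No Override" in the Windows 2003 MMC UI


@dataclass
class Container:
    name: str                       # e.g. "Site: HQ", "Domain: corp.example", "OU: Servers"
    links: List[GpoLink] = field(default_factory=list)  # in application order
    block_inheritance: bool = False # "Block Policy Inheritance" on a domain or OU


def effective_settings(local_policy: Dict[str, object],
                       containers: List[Container]) -> Tuple[Dict[str, object], Dict[str, str]]:
    """containers are ordered site, domain, OU, sub-OU (the order GPOs are
    applied). Returns (effective settings, where each setting came from)."""
    normal: List[Tuple[str, GpoLink]] = []     # non-enforced links, application order
    enforced: List[Tuple[str, GpoLink]] = []   # enforced links, collected top-down
    for container in containers:
        if container.block_inheritance:
            normal = []   # drop inherited non-enforced GPOs; enforced ones survive
        for link in container.links:
            (enforced if link.enforced else normal).append((container.name, link))

    # Local policy first, then normal links top-down, then enforced links
    # bottom-up so the highest-level enforced GPO is applied last and wins.
    order = [("Local", GpoLink("Local Security Policy", local_policy))]
    order += normal + list(reversed(enforced))

    effective: Dict[str, object] = {}
    source: Dict[str, str] = {}
    for origin, link in order:
        for setting, value in link.settings.items():
            effective[setting] = value
            source[setting] = "%s / %s" % (origin, link.name)
    return effective, source


# Constructed scenario (all names and values invented for the example).
LOCAL_POLICY = {
    "Audit logon events": "No auditing",
    "RestrictAnonymous": 0,
    "Do not display last user name": "Disabled",
}


def scenario(block_inheritance_on_ou: bool) -> List[Container]:
    site = Container("Site: HQ", [GpoLink("Site-Baseline", {
        "Audit logon events": "Success",
        "RestrictAnonymous": 1,
    })])
    domain = Container("Domain: corp.example", [GpoLink("Domain-Lockdown", {
        "Do not display last user name": "Enabled",
    }, enforced=True)])
    servers = Container("OU: Servers", [GpoLink("Servers-Hardening", {
        "Audit logon events": "Success, Failure",
        "Do not display last user name": "Disabled",  # loses to the enforced domain GPO
    })], block_inheritance=block_inheritance_on_ou)
    return [site, domain, servers]


if __name__ == "__main__":
    for blocked in (False, True):
        eff, src = effective_settings(LOCAL_POLICY, scenario(blocked))
        print("Block Policy Inheritance on OU:", blocked)
        for key in sorted(eff):
            print("  %-30s %-18s <- %s" % (key, eff[key], src[key]))
```

With inheritance blocked on the Servers OU, the site GPO’s RestrictAnonymous value never reaches the server and the local value stands, while the enforced domain GPO still overrides the OU’s conflicting setting.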
When security settings are applied using GPOs, they do not take effect immediately, as local computer policies do. Local computer policies are stored on the computer and take effect immediately. GPO settings are stored in AD and the domain controllers’ SYSVOL share and must be downloaded by the machine. Group Policy settings are refreshed on computers at regular intervals. Workstations and member servers refresh Group Policy every 90 minutes, with a random offset of up to 30 minutes (so that all clients do not refresh at the same time and overload the domain controllers). Domain controllers refresh every 5 minutes because of their additional security needs. In addition, the security settings in GPOs are reapplied every 16 hours, regardless of whether the policy has changed, so that settings an administrator has altered locally are reset to the policy values.
If you do not want to wait for an automatic refresh of Group Policy settings, you can use the gpupdate command to force one. This command replaces the secedit /refreshpolicy command that was used in Windows 2000. It has the following syntax:
gpupdate [/target:{computer | user}] [/force] [/wait:Value]
[/logoff] [/boot] [/sync]
The gpupdate parameters are defined in Table 2.4.
Table 2.4 Parameters for the gpupdate Command
Parameter: /target:{computer | user}
Description: Specifies that only the computer settings or only the user settings should be processed. By default, both are processed.
Parameter: /force
Description: Reapplies all settings. By default, only settings that have changed since the last refresh are applied.
Parameter: /wait:Value
Description: Specifies how long (in seconds) gpupdate waits for policy processing to finish before the command prompt becomes available. When the timeout is reached, processing continues in the background, but the command prompt is made available; status messages will not be displayed in the console after control has been returned. By default, it waits 600 seconds. If 0 is used, the program won’t wait. If –1 is used, it will wait indefinitely.
Parameter: /logoff
Description: Logs off the current user after the refresh if client-side extensions were processed that apply settings only at logon, such as user-targeted software installation and folder redirection. Policies like these cannot be applied with a background refresh.
Parameter: /boot
Description: Restarts the computer after the refresh if client-side extensions were processed that apply settings only at startup, such as a software installation policy applied to the computer. Policies like these cannot be applied with a background refresh.
Parameter: /sync
Description: Specifies that the next foreground policy application is to be done synchronously. Foreground policy is applied when the computer boots and when the user logs on.
Summary of Exam Objectives
When Windows Server 2003 is installed on a machine, additional configuration is needed to ensure that it provides the necessary functionality and is secure. Windows Server 2003 can be configured to perform up to 11 different roles. Each role provides additional tools, services, and features that can be used to enhance your network and (in a number of cases) improve security.
Part of creating a secure environment involves choosing the right operating system. In this chapter, we compared the minimum requirements for various versions of Windows. We also saw that Windows Server 2003 offers a number of new features that were not available in previous versions, while still providing backward compatibility with older systems. By using features like Kerberos authentication, functional levels, smart card support, and the ability to create domain controllers from backups, you can create secure environments and perform tasks more easily.
You can configure server roles using security templates, applying specific settings to a machine to make it more secure. These templates can be applied to member servers, workstations, and domain controllers by using Local Security Policy or GPOs in AD. Because not all templates will contain the settings you want for your domain, you can modify them using the Security Configuration and Analysis tool or the Security Templates tool. Then you can use the Security Configuration and Analysis tool or the Secedit command-line utility to configure the server with the settings stored in the template.
In addition to customizing templates, you can perform other steps to secure your systems. These include implementing physical security, using antivirus programs, using NTFS on hard disks, using strong passwords, and other measures related to the role a server plays on the network. By using these methods, you can help protect the systems in a domain and forest from various threats.
Exam Objectives Fast Track
Understanding Server Roles
There are 11 different server roles available for Windows Server 2003. These include domain controller, file server, print server, mail server, application server, terminal server, remote access/VPN server, streaming media server, DHCP server, DNS server, and WINS server.
Manage Your Server is a tool in Windows Server 2003 that allows you to view
information about installed server roles, view additional information, and invoke
other tools used for administering a server.
The Configure Your Server Wizard steps you through the process of installing or removing server roles on Windows Server 2003 servers. The domain controller role is the only one that can be added but not removed with the Wizard.
Planning a Server Security Strategy
Windows Server 2003 is available in Standard, Enterprise, Datacenter, and Web Editions. This version provides a number of features that were not available in previous versions. Of the different editions, the Web Edition is the only one that cannot be used as a domain controller.
Not all editions of Windows Server 2003 can be installed on every computer. Just
as there are different minimum requirements for the various versions of Windows,
there are also different minimum requirements for the different editions of
Windows Server 2003.
Windows Server 2003 provides four different levels of domain functionality: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. It also supports three levels of forest functionality: Windows 2000, Windows Server 2003 interim, and Windows Server 2003.
Planning Baseline Security
Security templates contain settings that can be applied using Local Security Policy
or Group Policy.
Security Configuration and Analysis is an MMC snap-in that allows you to
analyze security settings by comparing them to entries in a database. It also allows
you to apply template settings.
The Secedit command-line tool is similar to Security Configuration and Analysis.
It also allows you to analyze and apply security settings using templates.
Customizing Server Security
Automatic Updates can be configured to automatically download and install
critical updates for the Windows operating system.
NTFS is important to the security and availability of files on a hard disk. Using
NTFS, you can set permissions on files and folders, implement EFS to encrypt
files, use DFS to allow users to access files from a central location, and have disk
quotas control how much disk space users can use.
Security templates can be applied to computers individually using Local Security Policy or to many computers at once using GPOs. To import security templates into a GPO, you can use the Group Policy Object Editor. To link a configured GPO at the domain or OU level, use Active Directory Users and Computers. To link a configured GPO at the site level, use Active Directory Sites and Services.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: I want to set up Windows Server 2003 in the role of a Web server, but when I use the Configure Your Server Wizard, there isn’t a Web server role offered in the list. What should I do?
A: The Configure Your Server Wizard doesn’t offer a Web server role, but it can be set up through the application server role. You can also set up Internet Information Services (IIS) 6.0 through Add or Remove Programs in Control Panel. Adding IIS installs all of the basic features needed to implement a Web server.
Q: My network consists of servers running Windows 2000 Advanced Server. It was my understanding that multiple objects could be modified in Active Directory at the same time, but I find that I’m unable to do so. Why is this?
A: Different versions of Windows offer different features. Windows Server 2003 allows you to select multiple objects and change some of their common attributes at the same time. This ability wasn’t available in previous versions.
Q: Why do Windows Server 2003 domain controllers use NetBIOS names in addition to DNS names?
A: NetBIOS names are used to provide backward compatibility. They are used by pre-Windows 2000 computers and allow users of those operating systems to log on to Windows Server 2003 domains.
Q: I want to apply security settings to computers after regular business hours so I don’t disrupt work being performed during the day. What tool should I use?
A: Secedit is a command-line tool that allows you to configure machines using security templates. Because it is a command-line tool, it can be invoked from batch files and scripts, which you can schedule (for example, with the Task Scheduler) to run after regular business hours.
Q: I want to create a custom security template.Which programs could I use to create this
file?
A: Security Configuration and Analysis, Security Templates, Secedit, and the Group Policy Object Editor are tools that come with Windows Server 2003 and can be used to create template files. You can use Security Configuration and Analysis to view an existing template and customize it to your needs. The Security Templates snap-in can be used to create new templates and modify existing ones. The Group Policy Object Editor allows you to review a GPO’s current settings and export them to a template file. Finally, Secedit can export settings to a template file from the command line.
Q: I have created a custom security template and applied it to the Local Security Policy of workstations in a Windows Server 2003 domain. When users log on to the domain, the settings I changed in the Local Security Policy don’t take effect. Why is this?
A: Settings in a GPO take precedence over those in the Local Security Policy. Any setting obtained from a GPO will override the corresponding setting on the local computer.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Understanding Server Roles
1. Your network consists of two machines running Windows Server 2003 Standard Edition, one machine running Windows Server 2003 Datacenter Edition, one machine running Windows Server 2003 Web Edition, and two machines running Windows Server 2003 Enterprise Edition. You want two of these machines to be domain controllers on the network. Which machines will you promote to domain controllers, and how will you configure them in this role?
A. Configure the two machines running Windows Server 2003 Enterprise Edition to
be domain controllers using the secedit /configure tool.
B. Promote the Windows Server 2003 Datacenter Edition and Windows Server 2003
Web Edition using the DCPROMO tool.
C. Configure a machine running Windows Server 2003 Standard Edition and a
machine running Windows Server 2003 Enterprise Edition to be domain controllers using the Configure Your Server Wizard.
D. Configure machines running Windows Server 2003 Standard Edition and
Windows Server 2003 Web Edition using the Manage Your Server tool.
2. Your network is upgrading from Windows NT 4 to Windows Server 2003 and will consist of two domains in a single forest. One domain is a child of the other domain and is dedicated to the Sales departments in the organization. During the upgrade, all workstations will be upgraded to Windows XP and Windows 2000 Professional. When the last BDC is removed from the network, what role will the PDC emulator play on the network?
A. The PDC emulator will be used to modify object classes and attributes.
B. The PDC emulator will receive preferred replication of password changes performed by other domain controllers in the domain.
C. The PDC emulator in the child domain will be used to synchronize the time on
all domain controllers in the forest.
D. The PDC emulator will be used to add new domains and remove unneeded ones
from the forest.
3. The only protocol used by your network is TCP/IP, despite the fact that workstations in the organization do not have access to the Internet. A user has been accessing files on a server on your network and now wants to connect to a Web server that is used as part of the company’s intranet. The user enters the URL of the Web site into Internet Explorer. Which of the following servers will be used to provide the information needed to connect to the Web server?
A. DHCP server
B. DNS server
C. WINS server
D. File server
4. You want to set up a discussion group that can be accessed over the corporate intranet, so that users can view and post messages in a forum that can be viewed by other employees. Which of the following services would you use to implement this functionality?
A. HTTP
B. FTP
C. NNTP
D. SMTP
Planning a Server Security Strategy
5. You are planning to use a server on your network as a Windows Server 2003 domain controller. The server has 128MB of RAM, 2GB of hard disk space, and four processors. Which of the following editions of Windows Server 2003 can you install on this server? (Select all that apply.)
A. Windows Server 2003 Standard Edition
B. Windows Server 2003 Enterprise Edition
C. Windows Server 2003 Datacenter Edition
D. Windows Server 2003 Web Edition
6. You are concerned about insecure methods of authentication being used on a network. You are currently upgrading your network to Windows Server 2003, but some servers are still running Windows NT 4 and Windows 2000 Server. Even after the upgrade, some Windows 2000 Server computers will exist in the domain. You want to implement Kerberos authentication within the domain. Which of the following operating systems will be able to use it? (Select all that apply.)
A. Windows NT 4
B. Windows 2000 Server
C. Windows Server 2003
D. None of the above
7. Your network consists of two Windows Server 2003 domain controllers, a Windows 2000 server that is used as a Web server, and a Windows NT 4 server that runs an older version of SQL Server. Your company does not have the budget to immediately replace these servers, but you want to raise the domain functional level of your domain to the highest possible level. What functional level will you raise this domain to?
A. Windows 2000 mixed
B. Windows 2000 native
C. Windows Server 2003 interim
D. Windows Server 2003
Planning Baseline Security
8. You have just promoted a Windows Server 2003 computer to be a domain controller. After the promotion, you accidentally apply the wrong security template to it. It now has security settings that are too restrictive. You can automatically change the security settings back to their previous configuration using which of the following security templates?
A. Setup security
B. Rootsec
C. Iesacls
D. DC security
9. You want to apply an existing security template to the local computer policy of a Windows Server 2003 computer. Which of the following tools would allow you to do this from the command line?
A. Security Configuration and Analysis
B. secedit /configure
C. secedit /import
D. gpupdate
10. You have performed an analysis of a Windows Server 2003 domain controller using Security Configuration and Analysis. Once the analysis is complete, a red X appears beside the Enforce Password History policy. What does this mean?
A. The policy does not match a corresponding setting for the associated entry in the
database.
B. The entry in the database and the policy’s setting match.
C. An entry exists in the database that does not correspond to any setting on the
computer.
D. A setting exists on the computer that does not correspond to any entry in the
database.
11. You have created a security template and now want to apply its settings to a GPO that can be linked to containers in Active Directory. Which containers can you link a GPO to in Active Directory? (Select all that apply.)
A. Domains
B. Trusts
C. Sites
D. Local computer policy
Customizing Server Security
12. You have installed a new file server on the network and formatted it to use NTFS.
After formatting is complete, you use EFS to encrypt a folder containing files
belonging to users. If a user accesses a file belonging to him in this folder, and then
copies it across the network for another user to access, which of the following will
occur?
A. The file on the hard disk and the data sent over the network will remain
encrypted.
B. The file on the hard disk and the data sent over the network will be decrypted
and remain that way.
C. The file on the hard disk will be decrypted, so EFS can send it encrypted over
the network.
D. The file on the hard disk will remain encrypted, but data sent over the network
will be unencrypted.
13. You have created a custom security template that you now want to import into a GPO that is linked at the domain level. Which of the following tools will you use to invoke the Group Policy Object Editor to view and modify the GPO at this level?
A. Active Directory Users and Computers
B. Active Directory Sites and Services
C. gpupdate
D. Securedc
14. Your network consists of servers running Windows Server 2003 and workstations running Windows 2000 Professional. You have applied several custom security templates to GPOs linked to the OU, domain, and site levels in Active Directory. In addition, security settings have been applied at the local computer level on all machines on the network. Because several policies now affect the computer accounts within the domain, site, and OU, which of the following will occur when the user logs on to the domain?
A. The policy setting at the local computer level will be overwritten by the OU-level GPO, which will be overwritten by the domain-level GPO, which will finally be overwritten by the site-level GPO. For this reason, major security settings must be made at the site-level GPO; all others will be overwritten.
B. Security settings in the GPOs will not be applied to machines running Windows 2000 that have joined the domain.
C. The security settings at the local computer level will override those of the GPOs.
D. The policy settings will be cumulative and applied in the order of policies at the site level, domain level, and finally OU level.
15. You apply custom security templates to the local computer policy on a member server and to a GPO linked to an OU in Active Directory. All servers on the network are running Windows Server 2003. After performing these actions, you find that the local computer policy has taken effect, but the group policy has not taken effect on member servers within the domain. Which of the following is the reason for this, and how can you fix it?
A. Group policy settings take effect immediately. The problem must be that the security policy was not applied properly.
B. Group policy settings are refreshed on member servers every 90 minutes. To force the server to refresh the group policy, use the secedit /refresh command.
C. Group policy settings are refreshed on servers every 5 minutes. To force the server to refresh the group policy, use the gpupdate command.
D. Group policy settings are refreshed on servers every 90 minutes. To force the server to refresh the group policy, use the gpupdate command.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C
2. B
3. B
4. C
5. A, B
6. B, C
7. D
8. D
9. B
10. A
11. A, C
12. D
13. A
14. D
15. D
255_70_293_ch03.qxd
9/10/03
11:56 AM
Page 147
Chapter 3
MCSE 70-293
Planning, Implementing,
and Maintaining the
TCP/IP Infrastructure
Exam Objectives in this chapter:
2 Planning, Implementing, and Maintaining a Network Infrastructure
2.1.2 Plan an IP routing solution.
2.2.2 Identify network protocols to be used.
2.1 Planning Network Traffic Management
2.1.1 Plan a TCP/IP network infrastructure strategy.
2.1.3 Create an IP subnet scheme.
2.6 Troubleshoot TCP/IP addressing.
2.6.1 Diagnose and resolve issues related to client computer configuration.
2.6.2 Diagnose and resolve issues related to DHCP server address assignment.
2.2 Plan and modify a network topology.
2.2.1 Plan the physical placement of network resources.
2.4 Plan network traffic monitoring. Tools might include Network Monitor and System Monitor.
Introduction
The Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite is the foundation upon which the Internet runs, and it is the protocol suite of choice for most large, enterprise-level networks today. TCP/IP is the default network and transport protocol stack for a Windows Server 2003 network, and it is important for all network administrators to be intimately familiar with the TCP/IP protocols, IP addressing, and how to plan an IP infrastructure.
This chapter deals with the TCP/IP infrastructure. You will learn about the network protocols supported by Windows Server 2003 and how to identify the protocols to be used in your network environment. We discuss the advantages of the TCP/IP protocol suite, and we also address the multiprotocol environment that is increasingly common in today’s business organizations. We will review TCP/IP basics, and then get into what’s new in TCP/IP for Windows Server 2003. Specifically, we’ll discuss Internet Group Management Protocol version 3 (IGMPv3), IP version 6 (IPv6) support, the alternate configuration feature, and automatic determination of interface metrics.
You’ll find out how to plan an IP addressing strategy, including how to analyze your addressing requirements and how to create an effective subnetting scheme. Then we will address methods for troubleshooting IP addressing problems, both those related to client configuration and those related to Dynamic Host Configuration Protocol (DHCP) server issues. You’ll learn about transitioning to the next generation of IP, IPv6, and we’ll introduce IPv6 utilities such as Netsh, IPsec, PING, and Tracert. We’ll discuss 6to4 tunneling, the IPv6 Helper service, and connecting to the 6bone.
Next, we’ll discuss the planning of the network topology. This includes analyzing hardware requirements and planning for the placement of physical resources. You’ll learn how to plan network traffic management, as well as how to monitor network traffic and devices using Network Monitor and System Monitor. We’ll show you how to determine bandwidth requirements and how to optimize your network’s performance.
EXAM 70-293 OBJECTIVE 2, 2.1.2
Understanding Windows Server 2003 Network Protocols
In order for computers to communicate with other computers and hardware resources, they must use a common messaging structure, much like a language used to speak to other network devices. There are many standardized message structures designed to provide reliable, continuous, high-speed data transfer while remaining independent of the device or computer’s hardware and operating system. When planning a network, you need to understand how the computers will share and access information and resources on the network so that you can decide which network protocol is best suited for the task.
The networking architecture of Windows Server 2003 uses the Network Driver Interface Specification (NDIS). NDIS provides a kind of wrapper in the I/O Manager layer of Windows that allows the hardware driver to be independent of the protocols used to communicate on your network. Additionally, this allows for multiple network adapters with virtually any device driver, without having any effect on the transport protocols used. Let’s take a look at some of the details involved with networking.
EXAM 70-293 OBJECTIVE 2.2.2
Identifying Protocols to Be Used
Network protocols are composed of software components designed specifically for communication with other networked machines. A variety of protocols are used for different functions. In order to be able to select protocols for particular tasks, it is important to understand how protocols facilitate network communication.
The first concept to understand is the standard model for network communications, known as the Open Systems Interconnection (OSI) reference model. The International Organization for Standardization (ISO) developed the OSI reference model. One of this organization’s responsibilities is to provide a standard by which computers can communicate worldwide, and the OSI reference model was designed to accomplish this goal.
The OSI model is based on the concept of a stack of protocols that work together to provide the means for transmitting data. The OSI model is composed of seven layers, each responsible for different tasks related to data transmission. Each layer of the OSI model describes a function:
■ Application layer Defines how applications work together over the network.
■ Presentation layer Provides a common data format for the data transmitted.
■ Session layer Coordinates the establishment of the connection and maintains the open connection.
■ Transport layer Provides the mechanism for ensuring error-free, in-order delivery of data between end systems.
■ Network layer Provides logical addressing and routing so that messages can reach hosts on other networks.
■ Data Link layer Defines the methods for the software drivers to access the hardware that is the physical medium, such as the network jack and the cable that plugs into it.
■ Physical layer Puts the data on the physical medium that is carrying the data.
The data that you transmit is broken up into manageable chunks called packets, each of which is transmitted as a single unit via the OSI layers. As a packet is passed down through each layer, information (a header) is added to aid the delivery of the packet to the corresponding layer on the destination machine, which strips that header off again on the way up. The protocols that work together to provide the packaging, delivery, and receipt of the data at each of these layers are known collectively as a protocol stack.
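The paragraph above describes encapsulation in the abstract. The following Python script is an added example, not from the book: it builds the two headers that the transport and network layers prepend to an application payload (a TCP header and an IPv4 header, with both checksums), then peels them off again on the receiving side, verifying the checksums, which is the per-layer work a protocol stack does on every packet. Addresses, ports, and payload are constructed test data; the header layouts follow the IPv4 and TCP formats (RFC 791 and RFC 793), and the RFC 1071 checksum is checked against the well-known IPv4 header example from those documents.

```python
"""Encapsulate an application payload in TCP and IPv4 headers and parse it
back. Added example; not from the book. It shows the per-layer headers the
OSI/TCP-IP text describes, using raw struct packing (no sockets needed).
Addresses, ports and payload are constructed test data."""

import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 seq: int = 1, ack: int = 1, flags: int = 0x18) -> bytes:
    """Transport layer adds the TCP header; network layer adds the IPv4 header.
    flags 0x18 = PSH|ACK. No TCP options, so the data offset is 5 words."""
    src_b, dst_b = ip_to_bytes(src), ip_to_bytes(dst)

    # --- Transport layer: TCP header, checksum over pseudo-header + segment
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags,
                          65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, 6, len(tcp_hdr) + len(payload))
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    segment = tcp_hdr + payload

    # --- Network layer: IPv4 header (version 4, IHL 5 -> 0x45), protocol 6 = TCP
    total_len = 20 + len(segment)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                         64, 6, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + segment


def parse_packet(pkt: bytes) -> dict:
    """Strip the headers off again, verifying both checksums on the way up."""
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src_b, dst_b) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    ip_ok = checksum(pkt[:ihl]) == 0         # a correct checksum verifies to zero

    segment = pkt[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_off = (off_res >> 4) * 4
    pseudo = struct.pack("!4s4sBBH", src_b, dst_b, 0, proto, len(segment))
    tcp_ok = checksum(pseudo + segment) == 0

    return {
        "ip": {"version": ver_ihl >> 4, "src": bytes_to_ip(src_b),
               "dst": bytes_to_ip(dst_b), "ttl": ttl, "protocol": proto,
               "total_length": total_len, "checksum_ok": ip_ok},
        "tcp": {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                "flags": flags, "checksum_ok": tcp_ok},
        "payload": segment[data_off:],
    }


if __name__ == "__main__":
    pkt = build_packet("192.168.0.1", "192.168.0.199", 40000, 80,
                       b"GET / HTTP/1.0\r\n\r\n")
    print(pkt.hex())
    print(parse_packet(pkt))
```

The data link layer would wrap the result once more in an Ethernet frame (addresses plus a CRC) before the physical layer puts it on the wire; the same strip-and-verify pattern applies at that layer too.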
The size of your network and its topology (how it is physically laid out) have a bearing on which protocol stack will be suitable for your needs. If you have a large network, the volume of traffic may need to be managed. One of the most common solutions to traffic problems is to break up the network into smaller, more manageable networks known as segments. In order for you to combine these smaller networks together, the data must be able to travel from one network to the other along one or more physical paths. This transmission of data across network segments is called routing. In this situation, you would need to select a protocol stack that provides routable protocols. The two most common routable protocols are TCP/IP and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX).
Some protocol stacks are composed of nonroutable transport protocols such as NetBIOS Extended User Interface (NetBEUI). These protocol stacks are simple to configure and implement, but they are suitable only for small networks that are not segmented. Nonroutable protocols limit your ability to expand your network. Your network might be required to interact with another existing network. In that case, the ability of protocols in the stack to route traffic becomes an issue.
There are other factors to consider when deciding which protocol to use. One consideration is reliability. Is it necessary to ensure the delivery of data? Some protocols just broadcast data and don't ensure that it is received by the targeted machine. You should also consider the number of machines you have on your network. If you have a lot of devices, you may need to consider a more scalable, enterprise-capable protocol suite that includes transport protocols providing guaranteed delivery and data integrity.
Another issue is the security of the data. You may have applications that transmit sensitive data over the network. You would not want anyone to be able to monitor that traffic and view the data. This would lead you to select a protocol stack that provides protocols that allow you to encrypt the data and, potentially, validate the source and authenticity of the data. An example of this would be Internet Protocol Security (IPSec).
You may need to provide network services to the clients. These network services should be easy for the clients to access. In addition, the network services may provide a variety of functions, including data access, license services, printing services, and remote-access services over modem dial-up. Network services may also provide communication features tied to a particular medium, such as Infrared Data Association (IrDA) and Asynchronous Transfer Mode (ATM), or features that let remote users reach the network over existing connections such as the Internet, known as virtual private networks (VPNs). In order to leverage these services, the protocol stack must provide protocols that support the required features. For instance, VPNs use Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) to establish connections, both of which require TCP/IP to connect over the Internet. Once connected, PPTP and L2TP provide a channel that encapsulates and transmits other protocols, such as TCP/IP, IPX/SPX, and NetBEUI, as if you were on the same physical segment as other machines on the local area network (LAN).
Additionally, accessing the Internet is rapidly becoming a necessity for most businesses
today. In order to access the Internet, you must have TCP/IP. You may provide other means
to transmit data on your network, but Internet resources support only the TCP/IP protocol
stack.
On the Windows Server 2003 platform, there are two basic choices of protocol stacks: TCP/IP and IPX/SPX. There are other protocol stacks; however, TCP/IP and IPX/SPX are the most prevalent, and they support such a robust suite of protocols that it is not usually necessary to use any others.
Configuring & Implementing...
Considerations for Selecting Appropriate Network Protocols
There are many factors to consider when you decide which protocol or protocols
to implement on your network:
■
Security Do you transmit sensitive data between machines?
■
Reliability Will you use applications that ensure delivery and integrity
of the data you transmit?
■
Ease of implementation and maintenance What is the total cost of
ownership (TCO) to implement and maintain the selected protocols?
Consider the cost of equipment, training, management, implementation, and future growth of the organization.
■
Traffic Routable network protocols allow for better management of
traffic and isolate broadcast traffic, which, in turn, reduces the amount
of unnecessary data that must be handled by the network hardware.
■
Number of devices How many machines will communicate on your
network segments? Too many machines on one segment could overload your network and cause slower and more unreliable data transfer.
How scalable is the protocol? Does it work well on a small network and
does it allow for growth?
■
Physical topology Are you implementing or integrating with a LAN,
metropolitan area network (MAN), or wide area network (WAN)? What
protocols are you currently using? Where are the machines physically
located in relation to other machines on your network?
■
Function Will you need to provide access to the Internet for users or
systems on your network? Do you want to prevent access to the
Internet? Will there be an intranet? Will you need to provide a stream
of data to multiple destinations?
■
Existing protocols Do you have a requirement to access resources on
your network using existing protocols?
Advantages of the TCP/IP Protocol Suite
The TCP/IP protocol suite has many advantages over other protocol suites such as IPX/SPX and NetBEUI. These advantages are due to TCP/IP's robust, stable, extensive feature set, combined with its scalability. The suite of protocols and services that are part of the TCP/IP
standards provide valuable and prevalent services, so it is no wonder that it is the default
protocol for virtually every client and network operating system in use today!
One of TCP/IP's key advantages is that it is an open, industry-standard set of protocols, which means that no single organization controls the standards. Novell provides IPX/SPX, which makes it a vendor-specific protocol. This implies that it was developed specifically to support NetWare's architecture and may not be as robust, or even supported, on other platforms.
TCP/IP contains applications that aid in connecting different operating systems, which ensures that you will be able to communicate in prescribed methods with any system that is using TCP/IP. The architecture of TCP/IP provides scalability, the means for sizing the network so that you can expand or shrink it as your needs change.
Another advantage of TCP/IP is that it is routable. Routable protocols can reduce network traffic by isolating logical and physical networks. Isolating the networks allows you to better manage network traffic, direct transmissions, and restrict the distribution of broadcast traffic. You can also leverage the information about the routes from one point to another to troubleshoot and isolate problems with connections. You can use dynamic routing features to reroute traffic to prevent interruption of communications. The U.S. Department of Defense Advanced Research Projects Agency (DARPA) intended for TCP/IP WANs to provide a means for ensuring reliable communications in the event that portions of the network become unavailable. Routable protocols provide a form of logical addressing, such as the IP address, that defines how to determine the path data takes across network segments.
Nonroutable protocols do not use network-layer addressing, so there must be some other means of identifying the destination for transmitted data. An example is NetBIOS naming, which defines how a destination resource is named and how data is sent to one or multiple destinations. NetBIOS naming provides two types of names: a unique name and a group name. A unique name identifies a single station on the network, enabling you to connect to and communicate with that machine. Group names provide a means to send messages to multiple machines at once; only the machines that have registered that group name will accept those messages.
TCP/IP was designed to be platform-independent. This allows you to connect and integrate different operating system platforms and hardware, and they will be able to communicate effectively, regardless of the platform. In addition, the suite of protocols includes methods for accessing data and resources on the various platforms, such as Line Printer Daemon (LPD) for printing, File Transfer Protocol (FTP) for file exchange, and Hypertext Transfer Protocol (HTTP) for sharing platform-independent documents, images, and other media.
The Internet and the World Wide Web are accessible only via TCP/IP. There is a vast amount of educational, research, and entertainment resources available to the world on the Internet. It is also possible to use the Internet to interconnect networks around the world. You can log on to a network in London from an office in Dallas and function as if you were
in the London office. You can imagine how scalable the protocol is if it can service both a small office and the whole world.
Microsoft adds the ability to develop applications that leverage these advantages by providing the Windows Sockets API (WinSock). WinSock makes it possible for developers to design scalable TCP/IP client/server applications that can interoperate with any machine that uses TCP/IP, on any operating system platform. Since virtually every modern operating system uses TCP/IP, this makes WinSock a very viable framework.
EXAM WARNING
There are many different protocols that make up the Microsoft TCP/IP protocol
suite. Don’t forget that it is a suite of protocols, which includes many different features that all leverage the TCP/IP protocol stack. The Microsoft TCP/IP protocol suite
provides applications and protocol functions that are designed specifically for
Windows enterprise networking and the Windows operating system platform. The
TCP/IP protocol stack is the industry-standard, platform-independent set of protocols that work at various layers to communicate over networks.
The Multiprotocol Network Environment
Microsoft Windows Server 2003, like its predecessors, uses a layered network architecture. Because it is layered, the networking functionality of Windows Server 2003 can be extended with third-party software components. The layered structure also allows different protocols to communicate using the same structure and methods, so users can access data in the same fashion, regardless of which networking protocol is used.
For instance, a Novell NetWare server using the IPX/SPX protocol stack can be reached from a Windows Server 2003 machine that also runs IPX/SPX (Microsoft's implementation is the NWLink IPX/SPX/NetBIOS Compatible Transport). With the built-in Client Service for NetWare, you can use Windows Explorer on the Windows Server 2003 computer to browse files on the NetWare file server without any third-party software. If you need to run Novell Directory Services (NDS) utilities on Windows, you must also install the Novell NetWare client software, which uses the IPX/SPX protocol to access those services. This type of multiprotocol configuration makes integration of other systems possible using third-party software.
Windows Server 2003 products use the TCP/IP protocol stack by default. The following network protocols are supported on Windows Server 2003:
■
TCP/IP version 4 The default protocol for Windows Server 2003.
■
TCP/IP version 6 The next generation of TCP/IP.
■
IPX/SPX Used by many networks running Novell NetWare.
■
AppleTalk Provides the basis for Services for Macintosh and AppleTalk routing
and seed routing support.
The Windows Server 2003 architecture that supports multiple protocols also allows multiple network adapters. Associating a protocol or other networking component with an adapter is known as binding, and each adapter can be bound to any combination of components. You can also change the order in which protocols are bound to an adapter. Moving the most commonly used protocol on the client to the top of the binding order means connections are attempted over that protocol first, which improves performance. For example, your LAN may access NetWare services using IPX/SPX and Windows networking services using TCP/IP. Let's assume that the NetWare services are not used very often, so your primary network communications use TCP/IP. You can change the protocol binding order as follows:
1. Select Start | Control Panel | Network Connections.
2. From the menu bar, select Advanced | Advanced Settings.
3. On the Adapters and Bindings tab, move the primary connection (if there is
more than one) to the top of the list.
4. Select a connection, and the bindings will be displayed for that adapter.
5. Under File and Printer Sharing for Microsoft Networks, select Internet
Protocol (TCP/IP) and move it up to the top of the list using the arrows in the
dialog box.
6. Under Client for Microsoft Networks, select Internet Protocol (TCP/IP)
and move it up to the top of the list using the arrows in the dialog box.
7. On the Provider Order tab, move Microsoft Windows Network to the top of
the Network Providers list.
8. Click OK.
TEST DAY TIP
Understand how to add different adapters, protocols, services, and clients. You
should be able to differentiate between a client as a service and a protocol, as well
as how to change the bindings and their order for each.
Using multiple protocols on your network might provide a degree of flexibility, but it can also make your job more difficult. If you use a protocol that generates a lot of unnecessary broadcast traffic, it could harm your overall network performance. From the client's perspective, network problems can be harder to diagnose, because each protocol bound to the adapter will be tried in turn when some network resources are unavailable.
When configuring protocols on your computer, it is always desirable to make the fewest possible changes on the client in order to simplify the administration of the network. On a TCP/IP network with more than 25 hosts, it is a good idea to implement a DHCP server. A DHCP server will allow you to define certain settings related to host name resolution and topology, and automatically provide the proper address for the hosts that are configured to use DHCP. By default, all Windows XP and Windows Server 2003 machines are configured to use DHCP.
New & Noteworthy...
Windows Server 2003 Networking Features
Windows Server 2003 products offer several networking features and protocols. There have been several changes to the protocols and services available. While some of the support for older protocols is no longer available, new support is available for the latest technologies. The following are some of the changes made to networking features:
■
Wireless networking functionality supports the 802.11 standard and reduces the hassles associated with configuring wireless networking.
■
802.1x authentication is enabled by default. This enables tighter wireless security than is possible with Wired Equivalent Privacy (WEP) encryption alone. 802.1x authentication also supports Extensible Authentication Protocol (EAP), which allows third-party security enhancements such as smart cards and certificates.
■
The NetBEUI and Data Link Control (DLC) protocols are no longer available on any Windows Server 2003 products.
■
The 64-bit versions of Windows Server 2003 products do not include IPX/SPX or any of the IPX-related services, nor the routing protocol Open Shortest Path First (OSPF).
■
The infrared (IR) networking feature is supported only on Windows Server 2003 Standard Edition.
■
Gateway Services for NetWare (GSNW) is not included in Windows Server 2003 products.
■
Windows Server 2003 products cannot act as IPX routers.
■
It is not possible to uninstall the TCP/IP protocol on Windows Server 2003. Since you cannot uninstall and reinstall it, a netsh command is provided that resets the TCP/IP stack to its installation defaults. To use it, from the command line type netsh interface ip reset followed by the name of a log file in which to record the changes (for example, netsh interface ip reset resetlog.txt).
Occasionally, you might need to manually configure the IP address of your machine.
The following are some servers or services that may require a static (manually configured)
IP address:
■
A DHCP server
■
Windows Routing and Remote Access Services (RRAS)
■
Domain Name System (DNS) and Windows Internet Name Service (WINS)
servers
■
Any other service that provides IP functionality on your servers
If you do configure the address manually, pay close attention to the information you
provide in the dialog box. Errors in the configuration will hinder network communication
for that machine, and in some cases, cause problems that could prevent other machines from
functioning properly.
EXERCISE 3.01
CONFIGURING THE TCP/IP PROTOCOL MANUALLY
In the following exercise, you will learn how to configure an IP address manually on a Windows Server 2003 computer.
1. Open the Local Area Connection Status dialog box by clicking Start |
Control Panel | Network Connections and double-clicking the appropriate local area connection. You will see the dialog box shown in
Figure 3.1.
Figure 3.1 Local Area Connection Status
2. Click Properties to open the Local Area Connection Properties dialog
box, shown in Figure 3.2.
Figure 3.2 Local Area Connection Properties
3. Click Internet Protocol (TCP/IP), and then click Properties to open the
Internet Protocol (TCP/IP) Properties dialog box, shown in Figure 3.3.
Figure 3.3 Internet Protocol (TCP/IP) Properties
4. Click the Use the following IP address radio button and provide the IP
address, Subnet mask, and Default gateway, as shown in Figure 3.4.
Figure 3.4 Internet Protocol (TCP/IP) Properties after
Manual Configuration
5. Click the Use the following DNS server addresses radio button in the
Internet Protocol (TCP/IP) Properties dialog box and provide at least
one DNS server IP address (see Figure 3.4).
6. Click Advanced to open the Advanced TCP/IP Settings dialog box, as
shown in Figure 3.5.
7. Notice the new Automatic metric option. Note that it is the default for
all Default gateways.
8. Click OK.
Figure 3.5 Advanced TCP/IP Settings
New & Noteworthy...
Internet Control Message Protocol (ICMP) Router Discovery
ICMP is a maintenance protocol that is part of the IP layer in the Microsoft TCP/IP stack. Its functions include diagnostics and error reporting: the Echo Request and Echo Reply messages used by the PING utility, Destination Unreachable messages, and (in older implementations) Source Quench messages that asked a sender to slow down so that traffic would not saturate network links or routers. ICMP Redirect messages can add host routes to a machine's routing table, and the Fragmentation Needed form of Destination Unreachable is what Path MTU discovery uses to determine the largest packet that can be sent to a destination without fragmentation.
RRAS on Windows Server 2003 supports ICMP router discovery (RFC 1256). ICMP router discovery uses ICMP Router Solicitation and Router Advertisement messages to "discover" the routers on the current subnet and select one to act as the default gateway. This allows DHCP clients to find a default gateway when one is not specified by the DHCP server.
This feature is disabled by default on Windows Server 2003 and Windows XP machines. In order for a DHCP client to perform router discovery, the client must receive the Perform Router Discovery option (DHCP option 31) from a DHCP server. The host then sends a router solicitation to the all-routers multicast address (224.0.0.2) or as a broadcast. You must also select Enable router discovery advertisements on the General tab of the Properties dialog box for the router's interface in the Windows Server 2003 RRAS console in order for the router to send the router advertisements.
To view your current IP configuration, you can run ipconfig from the command line. For more detailed information, use ipconfig /all. If you want to release the DHCP-assigned IP addresses on all adapters, use ipconfig /release. You can obtain a new lease with ipconfig /renew. For the release and renew commands, you can also specify the name of a specific adapter.
Reviewing TCP/IP Basics
TCP/IP on Windows Server 2003 provides a scalable, robust client/server platform that is built on industry-standard, routable, and full-featured protocols. Virtually every network operating system supports the TCP/IP protocol stack, and this allows Windows Server 2003 to integrate dissimilar systems on the network. The various protocols that make up the TCP/IP stack work together to provide network communications, and on top of them the Windows Server 2003 TCP/IP suite provides services such as name resolution, file transfer, and Internet access.
Every implementation of TCP/IP must follow the guidelines that are governed and managed by several bodies, such as the Internet Architecture Board (IAB) and the Internet Engineering Task Force (IETF). The IAB is chartered both as a committee of the IETF and as an advisory body of the Internet Society (ISOC); it also works with the Internet Assigned Numbers Authority (IANA), now operated by the Internet Corporation for Assigned Names and Numbers (ICANN), which manages protocol parameter, address, and name assignments. These bodies together maintain an open standards process built on documents known as Requests for Comments (RFCs), and they handle the maintenance, distribution, and administration of the RFCs. For information on RFCs, access the IETF Web site at www.ietf.org.
Virtually all network protocols can be mapped to the ISO's OSI reference model. The OSI model is intended to give developers general direction for designing network drivers and protocols. The design intends for the different components involved in network communication to be managed as a series of layers, each built on top of another, each having a specific set of functionality, and each communicating only with the adjacent layers. The layers allow a hardware manufacturer to design a network card without regard to the operating system or applications that will use the card to communicate, and a developer to design a client/server network application without concern for the protocols used to communicate with other machines.
EXAM WARNING
ISO is the organization that defines the standards for the OSI model. The IAB is
responsible for facilitating the rules and the processes for the standards that define
the Internet. The standards for the Internet are maintained by the IETF and are
called RFCs.
TCP/IP uses a slightly less complex networking model that was developed by DARPA.
Since the model is less complex than the OSI model, it is easier to implement and has
better performance characteristics. The DARPA model and the TCP/IP suite of protocols were designed by DARPA before the development of the OSI model. The Windows implementation of the TCP/IP protocol stack relates to the seven layers of the OSI model.
The layers in the TCP/IP model span several layers of the OSI model. As shown in Figure 3.6, the Application, Presentation, and Session layers of the OSI model are incorporated into the Application layer of the TCP/IP model. Some of the components of the TCP/IP protocol suite that operate in this layer are FTP, Telnet, HTTP, and DNS. The Application layer provides access to the network for many applications, such as Microsoft Internet Explorer. At this layer, presentation issues such as compression and encryption are handled, and sessions are established (if applicable). Then the sending computer passes the data down to the next layer, the Transport layer.
Figure 3.6 OSI Model versus TCP/IP model
OSI Model            TCP/IP Model
Application      \
Presentation      |  Application
Session          /
Transport            Transport
Network              Internet
Data Link        \
Physical         /   Network Interface
The Transport layer coordinates the applications' communication sessions with other interconnected machines. The key protocols that operate at this layer are TCP and User Datagram Protocol (UDP). TCP differs from UDP in two key ways. The first distinguishing difference is that TCP is connection-oriented and UDP is connectionless. TCP expects acknowledgment from the other host for the data it transmits and retransmits anything that is not acknowledged. This is ideal for large data transfers over very large networks. FTP, for example, uses TCP port 21 for its control connection and, in active mode, port 20 for data. Because UDP is connectionless, it doesn't guarantee the delivery of the data; it just makes its best effort to deliver the datagrams intact. This type of data transfer is ideal for lightweight, small data transfers on a well-connected network. Trivial File Transfer Protocol (TFTP) uses UDP port 69 to accept the initial request, and the server will then dynamically
select a port number (a transfer identifier) to return data from. Then the two machines continue to communicate using the new port numbers. Since TFTP uses UDP, it is well-suited for small files, such as short text files, and is faster than using FTP over TCP, since there is less overhead.
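The TFTP exchange just described, as an added example that is not code from the book: a minimal TFTP read over UDP on the loopback interface. The server side is a small thread that listens on an unprivileged port chosen by the operating system (standing in for port 69) and, like a real TFTP server, answers each request from a freshly opened socket, so the DATA packets arrive from a port other than the one the request was sent to. The file it serves, the names FILES, serve_once, tftp_get, run_demo and TftpError, and the 700-byte size (chosen so the transfer needs one full 512-byte block plus a short final block) are all this example's own choices.

```python
"""TFTP read request over UDP on loopback, showing the server's port change.

Added example, not from the book. Packet layout follows RFC 1350: RRQ is
opcode 1, DATA is opcode 3 with a 16-bit block number, ACK is opcode 4,
ERROR is opcode 5. A block shorter than 512 bytes marks the end of the file.
"""
import socket
import struct
import threading

RRQ, DATA, ACK, ERROR = 1, 3, 4, 5
BLOCK = 512
# Constructed file store: 700 bytes = one full block plus a short final block.
FILES = {"motd.txt": b"A" * 700}

class TftpError(Exception):
    """Raised by the client when the server answers with an ERROR packet."""

def build_rrq(filename, mode="octet"):
    """RRQ: opcode, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_rrq(packet):
    if struct.unpack("!H", packet[:2])[0] != RRQ:
        raise ValueError("expected RRQ")
    filename, mode, _ = packet[2:].split(b"\0", 2)
    return filename.decode(), mode.decode().lower()

def serve_once(listen_sock):
    """Answer one RRQ. The reply comes from a fresh socket, so the client sees a
    new source port (the server's transfer identifier), as a real server does."""
    packet, client = listen_sock.recvfrom(1024)
    filename, _ = parse_rrq(packet)
    xfer = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)   # new, dynamic port
    xfer.settimeout(2)
    try:
        data = FILES.get(filename)
        if data is None:
            xfer.sendto(struct.pack("!HH", ERROR, 1) + b"File not found\0", client)
            return
        block, offset = 1, 0
        while True:
            chunk = data[offset:offset + BLOCK]
            xfer.sendto(struct.pack("!HH", DATA, block) + chunk, client)
            ack, _ = xfer.recvfrom(4)
            # Stop on an unexpected ACK (a real server would retransmit) or
            # once the short final block has been acknowledged.
            if struct.unpack("!HH", ack) != (ACK, block) or len(chunk) < BLOCK:
                return
            block, offset = block + 1, offset + BLOCK
    finally:
        xfer.close()

def tftp_get(server, filename, timeout=2):
    """Client: send the RRQ to the well-known port, then talk to whatever port the
    DATA packets come from. Returns (content, server_data_port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_rrq(filename), server)
        content, data_port, expected = bytearray(), None, 1
        while True:
            packet, peer = sock.recvfrom(4 + BLOCK)
            opcode, num = struct.unpack("!HH", packet[:4])
            if opcode == ERROR:
                raise TftpError(packet[4:].rstrip(b"\0").decode())
            if data_port is None:
                data_port = peer[1]              # lock on to the server's new port
            if opcode != DATA or num != expected or peer[1] != data_port:
                continue                         # stray or duplicate packet
            content += packet[4:]
            sock.sendto(struct.pack("!HH", ACK, num), peer)
            if len(packet) - 4 < BLOCK:          # short block: end of file
                return bytes(content), data_port
            expected += 1
    finally:
        sock.close()

def run_demo(filename="motd.txt"):
    """Run server and client on loopback and report the ports involved."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))                # port 0: any free port stands in for 69
    listen.settimeout(5)
    server = threading.Thread(target=serve_once, args=(listen,), daemon=True)
    server.start()
    result = {"listen_port": listen.getsockname()[1]}
    try:
        content, data_port = tftp_get(listen.getsockname(), filename)
        result.update(content=content, data_port=data_port)
    except TftpError as exc:
        result["error"] = str(exc)
    server.join(5)
    listen.close()
    return result

if __name__ == "__main__":
    print(run_demo())
```

The point to notice in the output is that data_port differs from listen_port: the well-known port only receives requests, and each transfer runs between two dynamically chosen ports. A firewall that allows only UDP/69 to the server will therefore break TFTP unless it also tracks the reply flow.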
TEST DAY TIP
UDP and TCP both use the IP protocol. TCP is directed to the destination and
ensures the delivery of packets by receiving acknowledgments of data delivery. UDP
attempts a best-effort delivery of the datagram and does not guarantee delivery.
UDP has less overhead, so it is much faster, but it is not as reliable as TCP. Both TCP
and UDP use ports to differentiate between communications to and from different
applications.
On a sending computer, the Transport layer passes the data down to the Internet layer.
The Internet layer, which maps to the OSI model’s Network layer, is responsible for
addressing and routing communications over the network. IP operates here, and it is
responsible for determining whether the address of the destination computer is on the same
subnet as the address of the sending computer. In order to physically locate another host on
the network, Address Resolution Protocol (ARP) is used for IP address-to-Media Access
Control (MAC) address resolution. Other protocols that operate at this layer are ICMP,
IGMP, and IPSec.The Internet layer continues the communication process by passing data
to the Network Interface layer.
EXAM WARNING
ICMP provides diagnostics and error reporting. The PING utility uses ICMP to send
and receive a standard packet to determine if the data delivery was timely and successful. ARP determines the physical address, or MAC address, of the destination
host. IP determines whether the address is local or remote. If the address is local, it
will direct ARP either to refer to its local cache or broadcast on the local subnet to
resolve the MAC address. If it is determined by IP that the address is not local, ARP
will resolve the MAC address of the default gateway to allow the traffic to be
routed to the appropriate network.
If you are using Internet Connection Firewall (ICF) or any other firewall software, PING may stop working if you have defined settings or filters that block ICMP traffic. By default, ICF blocks inbound ICMP, including the Echo Requests that PING relies on, as soon as it is enabled.
The last layer (when data is being sent) is the Network Interface layer. This layer maps to the Physical and Data Link layers of the OSI model. It is responsible for the software driver-to-hardware translation and for complying with hardware communication standards such as Ethernet, ATM, and Token Ring. The Network Interface layer is isolated from the
hardware on Windows Server 2003 by NDIS (the Network Driver Interface Specification), which is a boundary layer implemented in the Microsoft networking model. This allows the protocols to function independently of the network hardware. The MAC address belongs to this layer.
The Microsoft networking model corresponds to different services in the Windows architecture, so that data can be accessed in similar ways independently of the mechanism. For instance, using Windows Explorer to access files over IPX/SPX does not seem any different to the user than accessing files over TCP/IP. Network-aware applications and network service providers operate as User mode services at the Application layer and the top of the Presentation layer.
The Presentation layer transitions data back and forth between User mode and Kernel mode. The Executive services provide Session support and transition data to the I/O Manager. The Server and Redirector (Workstation) services operate at the Session layer and are separated from the transport protocols by the Transport Driver Interface (TDI) boundary layer, which spans the Session and Transport layers.
The transport protocols, such as TCP/IP and IPX/SPX, span the Transport layer and the Network layer down to the Network Interface or Data Link layer. The Data Link layer is where NDIS accesses the network adapter drivers before passing the data to the Physical layer; this is what allows different protocols to be bound to different network adapters using different physical connections.
Figure 3.7 illustrates the TCP/IP protocol suite in the TCP/IP model.
NOTE
Although we started “at the top” in describing the layers of the TCP/IP (DoD)
model, it is important to remember that when they are numbered, they are
referred to in reverse order (as in the OSI model). The Network Interface layer is
layer 1, the Internetwork layer is layer 2, and so forth.
Figure 3.7 TCP/IP Protocol Suite and the TCP/IP Network Model
Application Layer:        DNS, FTP, HTTP, RIP, SNMP, SMTP, Telnet
Transport Layer:          TCP, UDP
Internet Layer:           IP, ARP, ICMP, IGMP, IPSEC
Network Interface Layer:  Ethernet, Token Ring, FDDI, X.25, Frame Relay
Each layer in the protocol stack provides a translation or some form of communication
with the next layer. As data is passed down through the stack, each layer adds its necessary
headers and protocol-specific data, and encapsulates the data from the previous layer. In
some instances, the layer will establish a session with the destination host at the same layer.
Once the data reaches the destination, each layer in the protocol stack will validate the
header that was added by its corresponding layer, and then strip the protocol-specific information from the packet and pass it up to the next layer until it reaches the destination
application.
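The encapsulation just described, as an added example that is not code from the book: a constructed payload is wrapped in a UDP header (Transport layer), an IPv4 header (Internet layer) and an Ethernet II header (Network Interface layer) on the way down, and the receiver checks and strips one header per layer on the way up. The MAC and IP addresses, the payload, and the function names are all this example's own.

```python
"""Encapsulation on the way down the stack, decapsulation on the way up.

Added example, not from the book. Each *_encapsulate function is one layer of
the sending side and prepends its own header; decapsulate is the receiving
side and validates then strips one header per layer. Addresses are made up.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def inet_checksum(data):
    """RFC 1071 one's-complement sum; verifying a header that carries it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))

def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))

# Sending side: each layer prepends its header to what the layer above produced.
def udp_encapsulate(src_port, dst_port, payload):
    # The UDP checksum is optional over IPv4; 0 means "not computed".
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload

def ip_encapsulate(src_ip, dst_ip, proto, segment):
    ver_ihl = (4 << 4) | 5                       # IPv4, 5 x 32-bit words = 20 bytes
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(segment),
                         0x1234, 0, 64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    checksum = inet_checksum(header)            # computed with the field zeroed
    return header[:10] + struct.pack("!H", checksum) + header[12:] + segment

def ethernet_encapsulate(src_mac, dst_mac, packet):
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet

# Receiving side: each layer validates its own header, strips it, passes the rest up.
def decapsulate(frame):
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("Ethernet: not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or inet_checksum(packet[:ihl]) != 0:
        raise ValueError("IP: bad version or header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != IPPROTO_UDP:
        raise ValueError("IP: not UDP")
    segment = packet[ihl:total_len]
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", segment[:8])
    if udp_len != len(segment):
        raise ValueError("UDP: length mismatch")
    return {"src_ip": ".".join(map(str, packet[12:16])),
            "dst_ip": ".".join(map(str, packet[16:20])),
            "src_port": src_port, "dst_port": dst_port, "payload": segment[8:]}

def is_valid_frame(frame):
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False

def round_trip(payload):
    """Build a DNS-style query frame from a constructed host and parse it back."""
    segment = udp_encapsulate(49152, 53, payload)                         # Transport
    packet = ip_encapsulate("192.168.1.10", "192.168.1.1", IPPROTO_UDP, segment)  # Internet
    frame = ethernet_encapsulate("00:0c:29:aa:bb:cc", "00:50:56:11:22:33", packet)  # Network Interface
    return frame, decapsulate(frame)

if __name__ == "__main__":
    frame, fields = round_trip(b"\x12\x34\x01\x00")   # constructed payload
    print(len(frame), "bytes on the wire;", fields)
```

A 5-byte payload becomes a 47-byte frame (14 + 20 + 8 + 5), which is the overhead the layers add. The corrupted-frame check in the receiver is the same test a real IP stack applies before passing anything up: a single flipped bit in the header makes the checksum fail and the packet is dropped at the Internet layer.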
What’s New in TCP/IP for Windows Server 2003
There are many enhancements to the networking and communications components of
Windows Server 2003.The TCP/IP protocol suite has been enhanced with some of the
latest technologies, as well as improvements on existing functionality. For more information
about other networking and communication feature enhancements, see the white paper
titled “Microsoft Windows Server 2003- Technical Overview of Networking and
Communication” (www.microsoft.com/windowsserver2003/techinfo/overview/netcomm.mspx).
IGMPv3
Typical communications over an IP-based network are directed unicast communications. Unicast is basically a single, direct request sent from one host to another, and only the two hosts interact over the established route. For example, when you click a hyperlink in a Web browser, you are requesting HTTP data from the host defined in the link, which, in turn, delivers the data to your browser. This is useful in the Web-browsing environments we have grown accustomed to, where there is a demand for a personal, user-controlled experience.
Unicast is not useful for delivering streams of audio or video to large audiences, since a single stream of audio/video data is very costly for only one user. This is where multicast communications are effective. Multicast provides a single stream for multiple hosts. The hosts select the data by requesting the local routers to forward those packets of data from the host providing the multicast data to the subnet of the listening host. When the host decides to stop listening to the multicast traffic, IGMP is responsible for notifying the router that the host is no longer participating.
TEST DAY TIP
It is not necessary to know the differences between different versions of IGMP. It is
important to be familiar with the purpose of IGMP, what its functions are, and
where it fits in the OSI model.
A set of listening hosts is called a multicast group. IGMP is responsible for providing the functionality necessary for hosts to join and leave those groups that receive IP multicast traffic. Each of the versions of IGMP—versions 1, 2, and 3—is automatically supported by Windows Server 2003. IGMPv3 adds functionality to distribute multiple multicast sources regionally and allow the host to select the multicast source that is located closest to the host.
An example of this would be a situation in which you send a video stream broadcasting a speech from the president of your company and have several machines scattered across the United States providing the feed. Then IGMPv3 allows the hosts to provide an include list or an exclude list of those servers. The multicast routers would be responsible for forwarding the multicast traffic from the include list of servers and for preventing the forwarding of traffic from the excluded sources. As you can see, this feature can be very useful to help reduce network bandwidth utilization.
IPv6
The next generation of TCP/IP is here! Previously, it was possible to experiment with IPv6, but under the covers, the protocol stack was still dependent on IPv4 calls for WinSock functions. With the release of Windows Server 2003, the IPv6 protocol stack is designed for production use.
IPv4 has a limited number of host addresses available (2^32, or about 4 billion hosts). That might sound like a lot, but over the past 30 years, the pool of available addresses has been exhausted due to the popularity and growth of the Internet. With IPv6, the host address is 128 bits instead of 32, which means that we will have 2^128 (about 340,000,000,000,000,000,000,000,000,000,000,000,000) host addresses available. That means we could have about 2^96 (about 75 trillion trillion, or 75,000,000,000,000,000,000,000,000,000) addresses of our very own. That should last for at least a couple of years. We will discuss transitioning to IPv6 and its features in more detail in the “Transitioning to IPv6” section later in this chapter.
Alternate Configuration
Automatic alternate configuration is an enhancement to TCP/IP that allows for a valid static IP address configuration on a DHCP-configured machine. Without an alternate configuration defined, a computer that is unable to obtain an IP address lease from a DHCP server will automatically receive an Automatic Private IP Addressing (APIPA) address from the 169.254.0.0/16 pool.
Configuring & Implementing...
Using APIPA to Your Advantage
APIPA can be a valuable aid in assisting you with network configuration. With no effort at all, you can provide IP addressing for a TCP/IP network of Windows Server 2003 and Windows 98/2000/XP computers. APIPA is a service that uses a reserved class B IP address pool (169.254.0.0/16, or a subnet mask of 255.255.0.0) to automatically provide valid IP addresses to DHCP clients in the event the computer cannot obtain a DHCP lease. This scheme is intended for smaller networks where there is no DHCP server deployed, but think of the potential use this has, not only as a way to assist your LAN users, but also to help you troubleshoot network problems and configure new servers.
One way you can help LAN users is to provide an intranet Web server that has
been assigned an APIPA address. That way, if a client is unable to obtain an IP
address, the user will be able to connect to this Web server. The Web server’s
default home page should contain a series of simple troubleshooting procedures
that the client could use, such as the following:
■ Did you receive an error message on startup? Provide a list of common errors and probable solutions.
■ Wait 5 minutes to see if the next DHCP request is acknowledged.
■ Contact technical support at extension 5555.
Additionally, you could provide users with some basic information about what
is happening or maintain a server status page to let them know that you are aware
of the problem and what actions they should take. It might also be beneficial to the
Information Technology (IT) staff to maintain documentation on the Web server to
aid in configuring new servers, maintaining static address pools, or initiating service requests to add new equipment to the network.
Automatic Determination of Interface Metric
As noted in Exercise 3.01, “Configuring the TCP/IP Protocol Manually,” and shown earlier in Figure 3.5, the automatic metric feature is enabled by default. The purpose of the automatic metric feature is to determine the speed of the interface for each default gateway and to assign the metric, which is the cost of using a particular route.
The metric is weighted by the number of hops to the destination. The number of hops to any host on the local subnet is one. Every router that must be used to reach the destination is another hop. When it is determined that there are multiple routes to the same destination, the metric is evaluated to determine which is the lowest metric and thus the fastest route to the destination.
EXERCISE 3.02
DETERMINING THE METRIC FOR THE DEFAULT GATEWAY
In the following exercise, you will learn how to use the route print command
to determine the metric for the default gateway on your network.
1. Open a command prompt window.
2. Type route print. You will see a route table, as shown in Figure 3.8.
Figure 3.8 Results of the route print Command
3. Examine the route table.
4. Notice the Network Destination list. The destinations are described in
Table 3.1.
The metric for the loopback adapter and the limited broadcast is always 1. The other addresses have a metric based on the cost of using that route for that network adapter. With multiple network adapters (a multihomed computer), the route table would indicate a different metric for each default route, but only one would be used. Table 3.2 shows a configuration with identical network adapters: one adapter on the 192.168.69.0/24 network and the other on the 192.168.70.0/24 network.
Table 3.1 Description of Routes in the Route Table
Description        Network Destination  Netmask          Gateway         Interface       Metric
Default route      0.0.0.0              0.0.0.0          192.168.69.111  192.168.69.111  20
Loopback network   127.0.0.1            255.0.0.0        127.0.0.1       127.0.0.1       1
Local network      192.168.69.0         255.255.255.0    192.168.69.111  192.168.69.111  20
Local IP address   192.168.69.111       255.255.255.255  127.0.0.1       127.0.0.1       20
Subnet broadcast   192.168.69.255       255.255.255.255  192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.69.111  192.168.69.111  20
Limited broadcast  255.255.255.255      255.255.255.255  192.168.69.111  192.168.69.111  1

Table 3.2 Description of Routes with a Multihomed Computer
Description        Network Destination  Netmask          Gateway         Interface       Metric
Default route      0.0.0.0              0.0.0.0          192.168.69.111  192.168.69.111  20
Default route      0.0.0.0              0.0.0.0          192.168.70.100  192.168.70.100  30
Loopback network   127.0.0.1            255.0.0.0        127.0.0.1       127.0.0.1       1
Local network      192.168.69.0         255.255.255.0    192.168.69.111  192.168.69.111  20
Local IP address   192.168.69.111       255.255.255.255  127.0.0.1       127.0.0.1       20
Local network      192.168.70.0         255.255.255.0    192.168.70.100  192.168.70.100  30
Local IP address   192.168.70.111       255.255.255.255  127.0.0.1       127.0.0.1       30
Subnet broadcast   192.168.69.255       255.255.255.255  192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.69.111  192.168.69.111  20
Multicast address  224.0.0.0            240.0.0.0        192.168.70.100  192.168.70.100  20
Limited broadcast  255.255.255.255      255.255.255.255  192.168.69.111  192.168.69.111  1
Limited broadcast  255.255.255.255      255.255.255.255  192.168.70.100  192.168.70.100  1
Note that the metric for the default route for the second network, on the adapter for the 192.168.70.100 interface, is higher than the metric for the default route on the 192.168.69.111 interface. This indicates that the 192.168.69.111 network adapter is first in the binding order. Since the metric for the default gateway for the second adapter is higher than the first network adapter, the second gateway is never used and is not necessary.
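As an added example (not the book's own code), the following Python parses the Active Routes section of route print output and applies the rule just described: among several default routes, the one with the lowest metric is used and the others never are; it also picks the route for an arbitrary destination the way IP does, most specific netmask first and then lowest metric. The sample output is constructed from the Table 3.2 values, and all function names are mine.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of the "Active Routes" section printed by route print,
# built from the Table 3.2 values (not a capture from a real machine).
ROUTE_PRINT_SAMPLE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.69.111   192.168.69.111     20
          0.0.0.0          0.0.0.0   192.168.70.100   192.168.70.100     30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
     192.168.69.0    255.255.255.0   192.168.69.111   192.168.69.111     20
   192.168.69.111  255.255.255.255        127.0.0.1       127.0.0.1     20
     192.168.70.0    255.255.255.0   192.168.70.100   192.168.70.100     30
   192.168.70.100  255.255.255.255        127.0.0.1       127.0.0.1     30
   192.168.69.255  255.255.255.255   192.168.69.111   192.168.69.111     20
        224.0.0.0        240.0.0.0   192.168.69.111   192.168.69.111     20
        224.0.0.0        240.0.0.0   192.168.70.100   192.168.70.100     30
  255.255.255.255  255.255.255.255   192.168.69.111   192.168.69.111      1
  255.255.255.255  255.255.255.255   192.168.70.100   192.168.70.100      1
Default Gateway:    192.168.69.111
===========================================================================
"""


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str
    interface: str
    metric: int


# A route row is exactly five fields: four dotted quads and a decimal metric.
# Banners, the column header and the "Default Gateway:" line do not match.
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return the IPv4 Route rows found in route print output."""
    routes = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append(Route(dest, mask, gw, iface, int(metric)))
    return routes


def _as_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def default_routes(routes):
    """Every 0.0.0.0/0.0.0.0 entry; a multihomed host may have more than one."""
    return [r for r in routes if r.destination == "0.0.0.0" and r.netmask == "0.0.0.0"]


def active_default_gateway(routes):
    """The default route IP actually uses is the one with the lowest metric."""
    candidates = default_routes(routes)
    return min(candidates, key=lambda r: r.metric) if candidates else None


def unused_default_routes(routes):
    """Default routes that lose the metric comparison and are therefore never used."""
    active = active_default_gateway(routes)
    return [r for r in default_routes(routes) if r is not active]


def best_route(routes, destination):
    """Route selection for one destination: longest (most specific) netmask first,
    then lowest metric. Returns None when nothing matches, not even a default route."""
    dest = _as_int(destination)
    matches = [
        r for r in routes
        if dest & _as_int(r.netmask) == _as_int(r.destination) & _as_int(r.netmask)
    ]
    if not matches:
        return None
    return min(matches, key=lambda r: (-_as_int(r.netmask), r.metric))


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    gw = active_default_gateway(table)
    print(f"active default gateway: {gw.gateway} via {gw.interface} (metric {gw.metric})")
    for r in unused_default_routes(table):
        print(f"never used: default route via {r.interface} (metric {r.metric})")
    print("10.1.2.3 goes via", best_route(table, "10.1.2.3").gateway)
```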
You can use the route command to add routes and change metrics. The command is route add –p Destination Mask Gateway IF Metric, where:
■ Destination is the network destination address.
■ Mask is the appropriate subnet mask defined for the destination network.
■ Gateway is the address of the router interface used to interface with the network.
■ IF is the interface you want to associate this route to.
■ Metric is the metric for this gateway.
The –p parameter specifies that you want to make this route persistent, so that it will
be there if you reset the adapter or restart the machine. If you do not specify –p, the route
is temporary and will not be saved.
If you want to delete a route, use the route delete Destination command to remove
the destination route from the route table.
You can disable the automatic metric feature by accessing the properties for the desired
connection, as follows:
1. Select Internet Protocol (TCP/IP) and click Properties.
2. In the Internet Protocol (TCP/IP) Properties dialog box, click the
Advanced button.
3. Uncheck Automatic metric.
4. Provide an Interface metric. The minimum value is 1.
5. Click OK.
6. Run the route print command. What changed? You will notice that all of the metric values are now 1.
You can change the values manually, which can allow you to redirect traffic over a
slower interface that would normally have a higher metric.
TEST DAY TIP
You should be familiar with the route table, know how to use the route print command, and understand how to use the information in this table to troubleshoot
TCP/IP connectivity problems. More details are provided in the “Creating a
Subnetting Scheme” and “Troubleshooting IP Addressing” sections later in this
chapter.
EXAM 70-293 OBJECTIVE 2, 2.1, 2.1.2
Planning an IP Addressing Strategy
Before you can implement an IP network infrastructure, there are many details that you must consider. Here, we will take a look at how to plan your network by identifying the appropriate addressing requirements and limitations that will shape the network. Understanding subnetting is a requirement to implement your addressing scheme. You will need to identify hardware requirements, decide what class of address you will need, and determine if access to the Internet is necessary for all or just some of your hosts.
Subnetting will allow you to create logical segments on your network that will overlay the physical topology. By using a well-planned subnetting scheme, you can handle your current needs and plan for expansion for future needs. You can also make use of these segments to isolate and distribute heavy traffic, without having a major impact on other segments of your network.
EXAM 70-293 OBJECTIVE 2.1.1
Analyzing Addressing Requirements
Every device on a TCP/IP-based network that has a network interface is referred to as a host. Each host must have a unique IP address. The most common analogy used to describe an IP addressing scheme is that of a street (subnetwork) with many houses (hosts). Each house (host) must have a unique address (IP address) on its street. Visualize a situation in which you are a city planner. In this analogy, the city is the entire corporate network, each street is a subnetwork, and each house is a host.
Our city, illustrated in Figure 3.9, needs streets for all of the houses for the current residents. Additionally, we might require more houses to be built for new residents. We must design the streets in such a way that will allow for traffic flow to be regulated and to minimize congestion. Also, we do not want to have so many streets that we can build only a few houses on each street before we run out of room in our city. We know that it might not be an effective use of our resources if we build a major thoroughfare and a lot of apartments in an area of the city that will have only a few residents. Some parts of our city need access to the “super highway”—the Internet or WAN—so the residents can get to other cities. We can use this example to get a concept of how to design and plan for a TCP/IP network.
Figure 3.9 IP City
The city (the corporate network) has four streets (subnets): 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, and 192.168.4.0/24. Three houses (hosts) are shown on each of the first three streets, numbered .1, .2, and .3 (for example, 192.168.1.1, 192.168.1.2, and 192.168.1.3).
Since the host IP address must be unique, the simple rule to calculate the number of hosts for our network is one IP address per host, plus one IP address for each additional network adapter in a host machine. We have a concept of one network in the corporate sense, but when determining address requirements, there are a few more details we must consider.
You can define IP addresses using one of the three classes available for standard IP
communications: Classes A, B, and C. Before we decide which class to use, we need to
determine the type of network we are implementing and how many hosts there are per
segment.
EXAM WARNING
You should know the IP address classes and their ranges, the default mask for each
class, and the number of hosts each class can support.
EXAM 70-293 OBJECTIVE 2.1.3
Creating a Subnetting Scheme
IP addresses are 32-bit values, often referred to as dotted quads. Each bit is a binary value of either 0 or 1. An address is broken down into four 8-bit sections called octets. Since each octet has 8 bits, there are 2^8 combinations of 0 and 1, which equals 256 combinations, allowing for a range of 0 to 255. An address is usually represented by a decimal number such as 141.59.115.7, which is equal to the binary number 10001101.00111011.01110011.00000111. Computers process only binary information, but we convert it to decimal because that is easier for us human beings to work with.
Classful Addressing
As mentioned, host addresses can belong to one of three classes of IP address, and each has a range of addresses. The range is defined by the value of the first octet. Table 3.3 shows the classes and their ranges, as well as the binary representations of the ranges. Classes D and E are also classes of IP addresses, but Class D is restricted to multicasting and Class E addresses are reserved for future use. 127.0.0.0 is reserved for connectivity testing. 127.0.0.1 is a special address that represents the local loopback adapter that resolves as localhost. We can ping the local host to troubleshoot the protocol stack. We will discuss this in more detail in the “Troubleshooting IP Addressing” section later in this chapter. Each class also has a default subnet mask.
Table 3.3 IP Address Classes and Their Ranges
Class  Range of Values  Default Mask    Networks   Hosts       Binary
A      0 to 126         255.0.0.0       126        16,777,214  00000001 to 01111110
B      128 to 191       255.255.0.0     16,384     65,534      10000000 to 10111111
C      192 to 223       255.255.255.0   2,097,152  254         11000000 to 11011111
D      224 to 239       Not applicable                         Not applicable
TEST DAY TIP
In Table 3.3, notice that the first two bits of the first octet in each class also define the top of the range of network IDs for that class. If you take the first two bits of Class A, 01, and add the remaining six digits as ones, you get 01111111, or 127. Remember that 127 is reserved, so 126 is the highest value for the network ID of a Class A network. Class B is 10 (10111111 = 191), and Class C is 11 (11011111 = 223).
The default mask for each class defines the number of networks and the number of hosts for each network. An IP address contains information about the network on which the host resides, and the address of the host. The network ID is the reference to the logical subnet, and it refers to the octets that are predefined as the network ID and implemented with the default mask. The remaining octets are for the hosts. Figure 3.10 illustrates the network and host IDs.
Figure 3.10 Network ID and Host ID
               Network ID   Host ID
IP Address     179.86       .2.172
Subnet mask    255.255      .0.0
The first address in each network refers to “this network” (itself), such as 24.0.0.0/8 or 204.79.26.0/24. The last address in each network or subnetwork is the broadcast address for that segment, such as 179.54.255.255 or 204.79.26.255. We can derive the formula for determining the number of hosts per network as 2^n – 2, where n is the number of bits available for host IDs. In Figure 3.10, we are using a subnet mask of 255.255.0.0, so the last two octets, or 16 bits, are available. If we plug that into the formula, we get 2^16 – 2 = 65,534 hosts per network.
Class A addresses are used for networks that have a large number of hosts. Based on the default mask, we have the first octet for networks and the last three for hosts. So, we have 126 networks and 2^24 – 2 hosts, or 16,777,214. Likewise, with class B, the default mask is 255.255.0.0, so the first two octets are for the network IDs, for a total of 16,384, and the last two are for the hosts. So, class B networks have 2^16 – 2 hosts, or 65,534. Class C networks have more networks but are smaller, with 2^8 – 2 hosts, or 254.
We could implement our network now very simply. Determine the number of hosts and the number of networks, and pick the class that fits. If you do not wish to assign a public IP address to all your machines, there is another solution. There are three banks of IP addresses that are called private IP address ranges. They are listed in Table 3.4. Typically, a network will need only one or two public addresses for the Internet interfaces, and everything internal to the company can use the private IP addresses internally.
Table 3.4 Private IP Addresses
Network ID   Subnet Mask  Range
10.0.0.0     255.0.0.0    10.0.0.1 to 10.255.255.254
172.16.0.0   255.240.0.0  172.16.0.1 to 172.31.255.254
192.168.0.0  255.255.0.0  192.168.0.1 to 192.168.255.254
Understanding ANDing and Binary Numbering
Once we define our subnetworks, the machines will need to communicate with other machines on the network. The determination of the host as a local or remote destination is derived by applying the subnet mask of the source host to the IP address of the destination. This process involves applying a Boolean logic method called ANDing. By ANDing the binary representation of an address and a subnet mask, the IP layer can determine if the address is on the same logical network or a different one.
In Table 3.5, we have a source and a destination host address. First, the subnet mask is applied to the source address using Boolean AND logic. To perform the AND operation, start from the left and compare each bit in the binary numbers representing the IP address and the subnet mask. If both are 1 (1 AND 1), then the result is 1; otherwise, the result is 0. After the comparison is performed with each address, if the resulting binary values are equal, then the addresses are on the same network; if they are not equal, then they are on different logical networks.
Table 3.5 Applying the Subnet Mask to IP Addresses
Source IP Address 172.16.5.16          10101100.00010000.00000101.00010000
Subnet Mask 255.255.254.0              11111111.11111111.11111110.00000000
Result (AND)                           10101100.00010000.00000100.00000000
Destination IP Address 172.16.2.251    10101100.00010000.00000010.11111011
Subnet Mask 255.255.254.0              11111111.11111111.11111110.00000000
Result (AND)                           10101100.00010000.00000010.00000000
We can use the default subnet masks to define our network, or we can use a custom subnet mask. The ability to define the subnet mask allows us to take the default network definition and “borrow” bits from the available hosts on that network in order to create smaller logical networks, or subnets.
EXERCISE 3.03
FUN WITH BINARY NUMBERS
In this exercise, you will use the scientific mode of Windows Calculator to convert binary numbers to decimal numbers and vice versa.
1. Select Start | Run and type calc to launch Windows Calculator.
2. Select View | Scientific.
3. Make sure the Dec radio button is selected.
4. Using the keypad, enter the number 175.
5. Click the Bin radio button. You should see 10101111.
6. In the edit box, type 11000111.
7. Click the Dec radio button. You should see 199.
8. Type 75 in the edit box, and then click the Bin radio button.
9. Notice the binary number is 1001011. Count the number of bits. There
are only 7 bits in the result. Calculator will strip leading zeros from
binary values, so it is important to always “pad” the binary numbers to
8 bits when using them for IP address functions. The correct representation for 75 as an IP address octet is 01001011.
10. Use Windows Calculator to convert the binary representation of the following IP addresses to decimal IP addresses.
Binary                               Decimal
11001010.01000101.01001111.00110101
10001001.00001101.10101010.11111001
11000111.01011111.01000000.10000001
11000011.11011101.11101111.00000101
00000111.11100010.00100000.11111101
10000001.00100101.00001111.10110001
10000011.01000100.00100000.00010110
11. Use Windows Calculator to convert the following decimal IP addresses to a binary representation of IP addresses.
Decimal          Binary
192.178.44.121
204.18.1.179
10.2.2.76
141.22.94.107
55.87.191.11
187.34.59.199
99.107.253.224
You might begin to notice patterns with binary numbers. The values of each placeholder are similar to the decimal format, except that decimal is base 10. The first digit in a decimal number is 10^0, or 1; the second is 10^1, or 10; the third is 10^2, or 100; and so on. 111 in decimal is equal to 100 + 10 + 1.
In binary representation, each placeholder is base 2, so the first digit in a binary number is 2^0, or 1; the second is 2^1, or 2; the third is 2^2, or 4; and so on. Thus, 111 in binary is equal to 4 + 2 + 1, or 7. Table 3.6 shows a quick summary of one octet in binary.
Table 3.6 Binary Notation
Decimal value  128  64   32   16   8    4    2    1
Power of two   2^7  2^6  2^5  2^4  2^3  2^2  2^1  2^0
TEST DAY TIP
Binary math got you down? Never fear, the standard Windows Calculator will be available for you to use during the exam. It is a good idea to be proficient with the use of the Calculator program in scientific mode, so that you don’t have any doubts during the exam. Be very careful to count your digits in binary results. There are no leading zeros, so 1111111 is actually 01111111, 111111 is actually 00111111, and so on. Despite the convenience of using the Calculator program, you should still understand how to convert binary to decimal manually.
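An added example (not code from the book) covering both the ANDing of Table 3.5 and the padding point from Exercise 3.03: it converts between dotted decimal and 8-bit-padded binary, ANDs an address with a mask bit by bit, and reports whether two addresses share a network ID. The function names are mine and the inputs are the chapter's own values.

```python
# Inputs taken from Table 3.5; 75, 175 and 199 come from Exercise 3.03.
SOURCE = "172.16.5.16"
DESTINATION = "172.16.2.251"
MASK = "255.255.254.0"


def to_int(dotted):
    """'172.16.5.16' -> 32-bit integer; validates four octets in 0..255."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range in {dotted!r}")
        value = (value << 8) | octet
    return value


def to_dotted(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def octets_to_binary(dotted):
    """Dotted decimal -> dotted binary, every octet padded to 8 bits.
    Windows Calculator shows 75 as 1001011; for IP work it must read 01001011."""
    value = to_int(dotted)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def binary_to_octets(binary):
    """Dotted binary -> dotted decimal; accepts octets written without leading zeros."""
    parts = binary.split(".")
    if len(parts) != 4 or any(not p or len(p) > 8 or set(p) - {"0", "1"} for p in parts):
        raise ValueError(f"not a binary dotted quad: {binary!r}")
    return ".".join(str(int(p, 2)) for p in parts)


def network_id(address, mask):
    """Bitwise AND of address and mask: a result bit is 1 only where both bits are 1."""
    return to_dotted(to_int(address) & to_int(mask))


def same_network(source, destination, mask):
    """The source host's mask is applied to both addresses; equal network IDs
    mean the destination is local, otherwise it is reached through a router."""
    return network_id(source, mask) == network_id(destination, mask)


def anding_worksheet(source, destination, mask):
    """Rows laid out like Table 3.5: address, mask and AND result in padded binary."""
    rows = []
    for label, addr in (("Source IP Address", source), ("Destination IP Address", destination)):
        rows.append((f"{label} {addr}", octets_to_binary(addr)))
        rows.append((f"Subnet Mask {mask}", octets_to_binary(mask)))
        rows.append(("Result (AND)", octets_to_binary(network_id(addr, mask))))
    return rows


if __name__ == "__main__":
    for label, bits in anding_worksheet(SOURCE, DESTINATION, MASK):
        print(f"{label:<38} {bits}")
    print("same network:", same_network(SOURCE, DESTINATION, MASK))
    print("75 padded:", octets_to_binary("75.0.0.0").split(".")[0])
```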
Subnetting Networks
Subnetting networks is necessary to efficiently manage network resources and control traffic on your network. When your network has grown beyond the capacity of your current infrastructure, you must change your configurations to support those changes. It is relatively simple to identify limitations that are obvious, such as the number of networks and hosts.
You can determine the number of networks by counting the number of physical locations that will need a router to connect them to other locations, such as another building or another floor in the same building. You can estimate the number of hosts needed per network by counting all the IP-based resources in each physical location, including printers, desktops, servers, and other routers. Once you have that information, you can decide which class of network to use and how to break down that network into logical subnets that will be used to implement each physical or logical location. To summarize, there are three steps to subnetting:
1. Identify the number of hosts.
2. Identify the number of networks.
3. Use an assigned IP network ID or choose a private IP address, and then determine how to subnet your network.
As an example, suppose that we have 55 employees in one location, with 12 IP-based network printers, 6 servers, and 1 Internet refrigerator that orders the groceries in the break area when the stock is depleted. Our IP address block assignment provided by our Internet Service Provider (ISP) is 204.74.9.0/24. All the employees are currently located in one large, central area on the same floor. Since we have no physical boundaries to overcome, we use the default subnet mask. This would provide us with one network and 8 bits in the host portion of our address. The 8 bits give us 256 hosts, but the first host is 0, which refers to our network, and the last host is the broadcast address for the network, 255. Remember the formula is 2^n – 2, where n is the number of bits available for host IDs. So, 2^8 – 2 = 256 – 2 = 254 hosts per network. Since we have 74 hosts and one router, that is a total of 75 host IDs. We have plenty of room for growth, and the scheme is simple.
The first address on our network starts at 204.74.9.1 (remember 0 is “this network”) and continues to 204.74.9.254 with a subnet mask of 255.255.255.0. Table 3.7 shows an example of the network portion of our address, 204.74.9, and the host portion in the last octet, from 1 to 254.
Table 3.7 Breakdown of the Mask for IP Addresses Using a Standard Subnet Mask
(Network ID: first three octets; Host: last octet)
Source IP Address 204.74.9.21          11001100.01001010.00001001.00010000
Subnet Mask 255.255.255.0              11111111.11111111.11111111.00000000
Result (AND)                           11001100.01001010.00001001.00000000
Destination IP Address 204.74.9.209    11001100.01001010.00001001.11010001
Subnet Mask 255.255.255.0              11111111.11111111.11111111.00000000
Result (AND)                           11001100.01001010.00001001.00000000
Notice how the results of the subnet mask are equal? Of course, this is a simple
example, and we can see just by the address and subnet mask that they are both on the
same network.
Now we move into the new building where everyone gets his or her very own office. The office has three stories, so we need to break up our simple network into three segments to route between floors. We must use the same IP address block provided. One option is to borrow bits from the host IDs and create more subnetworks. The number of subnets is determined by the value of the bits that we borrow from the host IDs. In the example in Table 3.8, we have used 2 bits, the two leading bits of the last octet. The last octet of the subnet mask is now 11000000, or 192. The number of hosts per network is 2^6 – 2, or 62. That should be more than sufficient, so our limitation is the number of networks.
Table 3.8 Breakdown of the Mask for IP Addresses Using a Custom Subnet Mask
(Network ID: first three octets plus the two borrowed bits of the last octet; Host: the remaining 6 bits)
Source IP Address 204.74.9.21          11001100.01001010.00001001.00010000
Subnet Mask 255.255.255.192            11111111.11111111.11111111.11000000
Result (AND)                           11001100.01001010.00001001.00000000
Destination IP Address 204.74.9.209    11001100.01001010.00001001.11010001
Subnet Mask 255.255.255.192            11111111.11111111.11111111.11000000
Result (AND)                           11001100.01001010.00001001.11000000
To determine the number of networks we have, we take the 2 borrowed bits and use the formula 2^n: 2^2 is 4, so we can have up to four networks. We can create a list of the networks, convert them to decimal, and get the hosts for each network, as shown in Table 3.9. Remember that the first and last hosts for each network are not assignable.
Table 3.9 Determining the Address Blocks
Subnet  Range (last octet)    Hosts
1       00000001 to 00111110  204.74.9.1 to 204.74.9.62 (204.74.9.0/26)
2       01000001 to 01111110  204.74.9.65 to 204.74.9.126 (204.74.9.64/26)
3       10000001 to 10111110  204.74.9.129 to 204.74.9.190 (204.74.9.128/26)
4       11000001 to 11111110  204.74.9.193 to 204.74.9.254 (204.74.9.192/26)
Each network has 62 hosts, and there are 4 networks, so we still have 248 hosts to grow into.
We could expand this example by adding satellite offices. Without redesigning the entire subnet, we could use one of the networks that was not used in the example and subnet it further. This is called variable-length subnetting. One of the networks would be broken down into two smaller networks with 30 hosts by borrowing another bit. The networks would have the notation 204.74.9.0/27 and 204.74.9.33/27. The hosts for 204.74.9.0/27 are 204.74.9.1 to 204.74.9.30, and the hosts for 204.74.9.33/27 are 204.74.9.34 to 204.74.9.63.
TEST DAY TIP
If you want to use the first and last networks in this scenario, you must use
Classless Inter-Domain Routing (CIDR) notation and use routing services that support CIDR. In traditional subnetting, the first network ID is all zeros, so it is “this
network,” and the last network ID is all ones, which signifies the broadcast for that
network.
Classless Inter-Domain Routing (CIDR)
You should see now that there are limits to the size of the network you can implement using classful IP address assignment. It became necessary to allocate address blocks of any power-of-two size, to summarize many networks into a single route entry so that Internet routing tables stay small, and to slow the depletion of the public IPv4 address pool. The solution is Classless Inter-Domain Routing (CIDR). CIDR drops the class boundaries and instead states explicitly how many leading bits of an address identify the network, written as a prefix length after a slash (for example, 204.74.9.0/26 means the first 26 bits are the network part). The same notation describes a supernet that spans several former Class C networks or a subnet smaller than one.
Use the matrix in Table 3.10 to quickly identify routing and subnet information based on your requirements for the number of hosts and networks. The Binary Mask column shows which bits belong to the network for each prefix, and the Required Networks column shows how the classful addressing scheme relates to CIDR notation.
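The following Python script is an added example, not part of the book: it does the arithmetic behind Table 3.9, the /27 split above, and the Hosts per Subnet column of Table 3.10 that follows. The network 204.74.9.0/24 and the host counts are the book's; the allocate_vlsm function and the office names passed to it are this example's own generalization of the VLSM step (largest request first, smallest free block that fits).

```python
import ipaddress

# Added example (not from the book): subnet arithmetic for Table 3.9, the
# /27 split in the text, and the "Hosts per Subnet (2^n - 2)" column of
# Table 3.10.  The office names in main() are constructed for illustration.


def prefix_for_hosts(hosts_needed: int) -> int:
    """Smallest prefix length whose block offers hosts_needed usable addresses.

    A block with n host bits has 2**n - 2 usable addresses: the all-zeros
    (network) and all-ones (broadcast) host IDs are never assigned.
    """
    host_bits = 2
    while (2 ** host_bits) - 2 < hosts_needed:
        host_bits += 1
    return 32 - host_bits


def usable_hosts(prefix: int) -> int:
    """The Table 3.10 value for a prefix: 2**(32 - prefix) - 2."""
    return 2 ** (32 - prefix) - 2


def mask_binary(prefix: int) -> str:
    """Dotted-binary form of a mask, as in the Binary Mask column."""
    mask = int(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)
    bits = f"{mask:032b}"
    return ".".join(bits[i:i + 8] for i in range(0, 32, 8))


def usable_range(network: str):
    """(first host, last host, broadcast) of a network, as strings."""
    net = ipaddress.IPv4Network(network)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), str(net.broadcast_address)


def allocate_vlsm(network: str, requirements):
    """Assign one subnet per (name, hosts) pair, largest request first.

    Each request takes the smallest free block that still fits; the unused
    remainder of a split block goes back into the pool as aligned CIDR
    blocks (address_exclude does that bookkeeping).  Returns {name: subnet}.
    """
    free = [ipaddress.IPv4Network(network)]
    plan = {}
    for name, hosts in sorted(requirements, key=lambda r: r[1], reverse=True):
        prefix = prefix_for_hosts(hosts)
        fits = [blk for blk in free if blk.prefixlen <= prefix]
        if not fits:
            raise ValueError(f"no free block for {name} ({hosts} hosts)")
        # smallest block that fits, lowest address on ties, to limit fragmentation
        block = max(fits, key=lambda b: (b.prefixlen, -int(b.network_address)))
        chosen = next(block.subnets(new_prefix=prefix))
        free.remove(block)
        free.extend(block.address_exclude(chosen))
        plan[name] = str(chosen)
    return plan


if __name__ == "__main__":
    # Reproduce Table 3.9: 204.74.9.0/24 cut into four /26 networks of 62 hosts.
    for sub in ipaddress.IPv4Network("204.74.9.0/24").subnets(new_prefix=26):
        first, last, bcast = usable_range(str(sub))
        print(f"{sub}  hosts {first} to {last}  broadcast {bcast}")
    # The VLSM step from the text: three /26 offices plus two /27 satellites.
    print(allocate_vlsm("204.74.9.0/24",
                        [("HQ-1", 62), ("HQ-2", 62), ("HQ-3", 62),
                         ("Satellite-A", 30), ("Satellite-B", 30)]))
    print(prefix_for_hosts(30), mask_binary(27), usable_hosts(27))
```

Running it prints the four /26 ranges of Table 3.9 and then assigns 204.74.9.192/27 and 204.74.9.224/27 to the two satellite offices, which is the split the text describes done on the last /26 instead of the first.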
Table 3.10 Quick Matrix for Determining Routing and Subnet Information
(n is the number of host bits, 32 minus the prefix length; usable hosts per subnet is 2^n - 2)

Required Networks   Hosts per Subnet   CIDR   Binary Mask                           Subnet Mask
256 Class B         16,777,214         /8     11111111.00000000.00000000.00000000   255.0.0.0
128 Class B         8,388,606          /9     11111111.10000000.00000000.00000000   255.128.0.0
64 Class B          4,194,302          /10    11111111.11000000.00000000.00000000   255.192.0.0
32 Class B          2,097,150          /11    11111111.11100000.00000000.00000000   255.224.0.0
16 Class B          1,048,574          /12    11111111.11110000.00000000.00000000   255.240.0.0
8 Class B           524,286            /13    11111111.11111000.00000000.00000000   255.248.0.0
4 Class B           262,142            /14    11111111.11111100.00000000.00000000   255.252.0.0
2 Class B           131,070            /15    11111111.11111110.00000000.00000000   255.254.0.0
1 Class B           65,534             /16    11111111.11111111.00000000.00000000   255.255.0.0
256 Class C         65,534             /16    11111111.11111111.00000000.00000000   255.255.0.0
128 Class C         32,766             /17    11111111.11111111.10000000.00000000   255.255.128.0
64 Class C          16,382             /18    11111111.11111111.11000000.00000000   255.255.192.0
32 Class C          8,190              /19    11111111.11111111.11100000.00000000   255.255.224.0
16 Class C          4,094              /20    11111111.11111111.11110000.00000000   255.255.240.0
8 Class C           2,046              /21    11111111.11111111.11111000.00000000   255.255.248.0
4 Class C           1,022              /22    11111111.11111111.11111100.00000000   255.255.252.0
2 Class C           510                /23    11111111.11111111.11111110.00000000   255.255.254.0
1 Class C           254                /24    11111111.11111111.11111111.00000000   255.255.255.0
1/2 Class C         126                /25    11111111.11111111.11111111.10000000   255.255.255.128
1/4 Class C         62                 /26    11111111.11111111.11111111.11000000   255.255.255.192
1/8 Class C         30                 /27    11111111.11111111.11111111.11100000   255.255.255.224

EXAM 70-293 OBJECTIVE 2.6, 2.6.1
Troubleshooting IP Addressing
The flexibility of TCP/IP also contributes to the complexity of troubleshooting addresses and connections. Several tools help isolate and identify addressing problems, but you must also understand IP addressing rules and subnetting. The ipconfig, ping, and tracert commands are the most useful tools for identifying problems with client configurations and with connections to other hosts, on the local network or on the Internet.
Client Configuration Issues
Some of the issues that occur with manual configuration of IP addresses include duplicate addresses, invalid subnet masks, invalid default gateways, and invalid or missing host name resolution settings (such as DNS and WINS). To help identify the problem, start by typing ipconfig /all at a command prompt. Verify that the information output by the command is correct, and then use ping to isolate the problem, working outward from the local host:
1. Ping the loopback address (127.0.0.1) to verify that the TCP/IP protocol stack is installed and working on the local computer.
2. Ping the IP address assigned to the local computer's network interface to verify that the address is bound to the interface. (Windows checks for a duplicate address with ARP when the interface initializes; if it finds one, it reports an IP address conflict and does not use the address.)
3. Ping the IP address of the default gateway to verify that the gateway is reachable and that your local configuration contains the correct subnet mask; a wrong mask can make the gateway appear to be on a different network.
4. Ping the IP address of a remote host to verify that you can transmit data through the default gateway.
Keep in mind that a successful ping proves only that ICMP echo traffic gets through; a host or firewall that drops ICMP looks down to ping while still answering on its TCP ports.
If you are not able to get traffic through to a site, but you are making it through the
default gateway, you should use tracert to identify the break in the route to the destination.
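Before you start pinging, the values reported by ipconfig /all can be checked for the mistakes listed above without touching the network. The following Python function is an added example, not from the book; the sample configurations in its main block are constructed for illustration and the problem messages are this example's own wording.

```python
import ipaddress

# Added example (not from the book): an offline consistency check of a static
# IPv4 client configuration as "ipconfig /all" reports it.  Catches the
# errors the text lists (bad mask, gateway off-subnet, address that is a
# network/broadcast ID, APIPA fallback) before any ping is attempted.

APIPA = ipaddress.IPv4Network("169.254.0.0/16")


def check_client_config(ip: str, mask: str, gateway: str = "") -> list:
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    try:
        addr = ipaddress.IPv4Address(ip)
    except ValueError:
        return [f"invalid IP address {ip!r}"]
    try:
        mask_int = int(ipaddress.IPv4Address(mask))
    except ValueError:
        return [f"invalid subnet mask {mask!r}"]

    # A valid mask is a contiguous run of 1 bits followed only by 0 bits.
    ones = bin(mask_int).count("1")
    if ones == 0:
        return ["subnet mask 0.0.0.0 is not valid for a host"]
    if mask_int != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        return [f"non-contiguous subnet mask {mask}"]
    if ones >= 31:
        problems.append(f"/{ones} leaves no usable host addresses on a normal LAN")

    net = ipaddress.IPv4Network(f"{ip}/{ones}", strict=False)
    if addr in APIPA:
        problems.append("address is an APIPA address: no DHCP lease was obtained")
    if addr.is_loopback:
        problems.append("address is in the loopback range 127.0.0.0/8")
    if addr == net.network_address:
        problems.append(f"address is the network address of {net}")
    elif addr == net.broadcast_address:
        problems.append(f"address is the broadcast address of {net}")

    if gateway:
        try:
            gw = ipaddress.IPv4Address(gateway)
        except ValueError:
            return problems + [f"invalid default gateway {gateway!r}"]
        if gw not in net:
            # the classic symptom: step 3 fails although the gateway is up
            problems.append(f"default gateway {gw} is not on the local subnet {net}")
        elif gw == addr:
            problems.append("default gateway is the host's own address")
        elif gw in (net.network_address, net.broadcast_address):
            problems.append(f"default gateway {gw} is not a host address in {net}")
    return problems


if __name__ == "__main__":
    # Constructed sample configurations, in the order an admin might mistype them.
    samples = [
        ("192.168.10.50", "255.255.255.0", "192.168.10.1"),     # correct
        ("192.168.10.50", "255.255.255.0", "192.168.20.1"),     # gateway off-subnet
        ("192.168.10.50", "255.255.0.255", "192.168.10.1"),     # mask typo
        ("192.168.10.63", "255.255.255.192", "192.168.10.1"),   # broadcast address
        ("169.254.33.7", "255.255.0.0", ""),                    # DHCP never answered
    ]
    for ip, mask, gw in samples:
        print(ip, mask, gw or "-", "->", check_client_config(ip, mask, gw) or "OK")
```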
EXAM 70-293 OBJECTIVE 2.6.2
DHCP Issues
DHCP is an easy way to manage IP addressing schemes for larger networks. DHCP makes it possible to boot a machine and access the network without configuring any protocol information by hand. This eliminates many of the manual configuration issues, such as using the wrong subnet mask, duplicate IP addresses, and limited or no host name resolution. Items to consider when you implement and use DHCP are lease time, number of hosts in a scope, network traffic, scope options, and topology.
When a machine acquires an IP address from a DHCP server, it acquires a lease. The client broadcasts a DHCPDISCOVER message, collects the DHCPOFFER messages that DHCP servers send back, and then broadcasts a DHCPREQUEST for the offer it has chosen; the selected server confirms the lease with a DHCPACK. The lease duration is specified in the scope on the server and defaults to eight days. At 50 percent of the lease duration (the renewal time, T1), the DHCP client sends a unicast DHCPREQUEST to the server that issued the lease. If no DHCPACK (acknowledgment) is received, the client keeps retrying until 87.5 percent of the lease time (the rebinding time, T2), when it broadcasts a DHCPREQUEST so that any DHCP server can renew the address. If no DHCPACK has arrived when the lease expires, the client must stop using the address and start the process over with DHCPDISCOVER. If the client cannot obtain a lease at all, it uses its alternate configuration, if one is specified. If there is no alternate configuration, the client uses APIPA to start
the TCP/IP services and assign itself an address from the APIPA pool (169.254.0.0/16), and it keeps trying to reach a DHCP server in the background.
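The lease clock described above, as an added example in Python that is not part of the book: the T1 and T2 fractions and the eight-day default are the values the text gives. The APIPA address derivation from a MAC address is this example's simplification of what a real client does (the Windows client picks a candidate and ARP-probes it before use); the MAC address and day numbers in the main block are constructed.

```python
import hashlib
from typing import Optional, Tuple

# Added example (not from the book): a small model of the DHCP client's
# renewal timeline.  T1/T2 fractions and the eight-day default match the text;
# apipa_address() is an assumption-level simplification of the APIPA pick.

T1_FRACTION = 0.5    # renew: unicast DHCPREQUEST to the server that issued the lease
T2_FRACTION = 0.875  # rebind: broadcast DHCPREQUEST to any DHCP server
DEFAULT_LEASE_SECONDS = 8 * 24 * 3600


def lease_timers(lease_seconds: int) -> Tuple[int, int]:
    """(T1, T2) in seconds after the lease was granted."""
    return int(lease_seconds * T1_FRACTION), int(lease_seconds * T2_FRACTION)


def client_action(elapsed: int, lease_seconds: int) -> Tuple[str, str]:
    """State and message of a client that has had no DHCPACK since the lease began."""
    t1, t2 = lease_timers(lease_seconds)
    if elapsed < t1:
        return "BOUND", "(nothing to send)"
    if elapsed < t2:
        return "RENEWING", "DHCPREQUEST, unicast to the issuing server"
    if elapsed < lease_seconds:
        return "REBINDING", "DHCPREQUEST, broadcast to any server"
    return "INIT", "DHCPDISCOVER, broadcast (lease expired, address released)"


def apipa_address(mac: str) -> str:
    """Deterministic 169.254.x.y candidate; x and y stay clear of the reserved .0 and .255 blocks."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return f"169.254.{1 + digest[0] % 254}.{1 + digest[1] % 254}"


class DhcpLease:
    """Tracks one client's lease; a DHCPACK restarts the clock (and therefore T1/T2)."""

    def __init__(self, start: int, seconds: int = DEFAULT_LEASE_SECONDS,
                 alternate: Optional[str] = None):
        self.start, self.seconds, self.alternate = start, seconds, alternate

    def action(self, now: int) -> Tuple[str, str]:
        return client_action(now - self.start, self.seconds)

    def ack(self, now: int, seconds: Optional[int] = None) -> None:
        """DHCPACK received: the lease begins again from now, possibly with a new length."""
        self.start = now
        if seconds is not None:
            self.seconds = seconds

    def address_without_server(self, mac: str) -> str:
        """What the client configures when DHCPDISCOVER goes unanswered."""
        return self.alternate or apipa_address(mac)


if __name__ == "__main__":
    day = 24 * 3600
    lease = DhcpLease(start=0)
    for d in (0, 4, 6, 7, 8):        # constructed sample points: before T1, at T1, T2, expiry
        print(f"day {d}: {lease.action(d * day)}")
    lease.ack(4 * day)               # server answered at T1: clock restarts
    print("after renewal, day 8:", lease.action(8 * day))
    print("no server at all ->", lease.address_without_server("00:04:5a:08:fb:4b"))
```

The run shows why a broken DHCP server is not noticed on day one: with an eight-day lease the client stays BOUND until day four, only broadcasts for help on day seven, and falls back to APIPA on day eight.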
To determine the appropriate lease time for your network, consider the following:
■
Number of hosts If the number of hosts is close to the total number of IP addresses in your DHCP server's scope, the lease should be shorter, about three days, so that addresses of machines that leave return to the pool quickly. If there are far more IP addresses than hosts, a longer lease can be assigned.
■
Mobile users If you have a small number of mobile users and the client machines do not frequently move from one network to another, a longer lease duration is recommended. Conversely, if you have many mobile users, a shorter lease is preferred, so that IP addresses are released sooner and returned to the available pool.
■
Unlimited It is possible to set the lease duration to unlimited, but this makes changing DHCP settings difficult: a client with an unlimited lease never reaches its renewal time, so it does not pick up changed scope options until it is forced to renew (for example, with ipconfig /renew) or restarts.
Because they are broadcasts, DHCPDISCOVER and DHCPREQUEST messages do not cross router boundaries unless the router can forward DHCP/BOOTP broadcasts as a relay agent (the RFC 1542 relay behavior that RFC 2131 relies on). Alternatively, you can configure a DHCP relay agent on the clients' subnet (the Routing and Remote Access service on Windows Server 2003 provides one) to forward the requests to a DHCP server as unicast.
Using DHCP reduces IP address conflicts by removing the need for static IP addresses on most hosts. It also eliminates invalid subnet masks, since the mask is assigned by the DHCP server along with the address. Another advantage is scope options. By assigning scope options, you can define default gateways, DNS servers, WINS servers, and the preferred NetBIOS name resolution node type. By managing name resolution settings centrally, you can reduce broadcast traffic.
Transitioning to IPv6
IPv6, defined in RFC 2460, is now production-ready on most operating system platforms. At this point, it is still early in the transition from IPv4. The change to IPv6 will take some time, but with each day it becomes more necessary because of the growing shortage of IPv4 addresses. Although the larger address space is the most immediate need, IPv6 offers other advantages over IPv4, including the following:
■
IPSec support built into the protocol (the AH and ESP extension headers are part of the base specification; this means every IPv6 stack can speak IPSec, not that traffic is protected by default)
■
Support for both stateful and stateless address configuration
■
An efficient hierarchical routing infrastructure
■
A new header format that provides lower overhead
■
Neighbor Discovery (ND) for managing nodes on the same link, replacing ARP, ICMPv4 router discovery, and ICMPv4 redirect messages
■
Extension headers of virtually unlimited length (compared to the 40-byte limit on IPv4 options)
■
Quality of service (QoS) related header fields
The utilities and concepts associated with IPv6 are similar to those for IPv4, but not identical. In the following sections, we'll look at how to install IPv6 and become familiar with the new utilities used to manage it.
The IPv6 header is streamlined to minimize overhead and to allow more efficient processing by intermediate routers. Option fields and any other fields that are not required for routing are moved out of the fixed header into extension headers that follow it. The IPv6 header also adds QoS support through the Flow Label field, which lets routers give special handling to a series of packets that travel between a source and a destination.
ND is a set of processes and messages that are used in an IPv6 environment to identify relationships between neighboring nodes. It allows hosts to discover routers on the same segment, as well as addresses and address prefixes. With ND, hosts also resolve the link-layer addresses of neighboring nodes and detect when the MAC address of a neighbor changes (the role ARP plays in IPv4). ND also provides the process for address autoconfiguration, also referred to as stateless address configuration. In the absence of a stateful address configuration server, such as a DHCP version 6 (DHCPv6) server, ND lets each interface use router advertisement messages to form an IPv6 address and then verify, through duplicate address detection, that the chosen address is unique on the link. At the time of writing, the standards for DHCPv6 and IPv6 stateful addressing were still being finalized, so neither feature is supported on Windows XP or Windows Server 2003.
The new routing structure is hierarchical and includes a global addressing scheme. Global addresses are the equivalent of public IPv4 addresses and are reachable over the Internet. The global addressing scheme defines how global addresses are aggregated, so that the routing tables on the Internet backbone stay small, which improves routing efficiency and performance.
NOTE
For detailed information and links to white papers about IPv6 in Windows Server
2003, see Microsoft’s IPv6 Web site at
www.microsoft.com/windowsserver2003/technologies/ipv6/default.mspx.
IPv6 Utilities
The traditional IPv4 utilities are still very useful for IPv4, but new utilities and features have been added to accommodate IPv6 functionality. To gain access to the new tools or functionality, you need to install the TCP/IP version 6 protocol.
EXERCISE 3.04
INSTALLING TCP/IP VERSION 6
In the following exercise, you will learn how to install IPv6 on your Windows
Server 2003 computer.
NOTE
You can also install or uninstall IPv6 from the command line, using the netsh
interface ipv6 context (discussed later in the “Netsh Commands” section).
1. Open Network Connections and double-click the Local Area Network
icon. You will see the Local Area Connection Status dialog box, as
shown in Figure 3.11.
Figure 3.11 Local Area Connection Status
2. Click Properties.
3. In the Local Area Network Connection Properties dialog box, shown
in Figure 3.12, click Install.
Figure 3.12 Local Area Connection Properties
4. In the Select Network Component Type dialog box, select Protocol,
as shown in Figure 3.13, and click Add.
Figure 3.13 Select Network Component Type
5. In the Select Network Protocol dialog box, select Microsoft TCP/IP
version 6, as shown in Figure 3.14, and click OK.
Figure 3.14 Select Network Protocol
6. You should return to the Local Area Connection Properties dialog box
and see that Microsoft TCP/IP version 6 is installed, as shown in Figure
3.15.
Figure 3.15 Local Area Connection Properties with TCP/IP
Version 6 Installed
7. Click Close.
8. Test the TCP/IP version 6 installation by opening Internet Explorer and
navigating to www.ipv6.org. You should see a line under the line
“Welcome to the IPv6 Information Page!” that states, “You are using
IPv6 from <your IPv6 address>,” as shown in Figure 3.16. If you are
behind a firewall or using 6to4 tunneling, you may not see the message that indicates you have an IPv6 address. If you are able to access
the site described in step 9, then you are successfully using IPv6.
NOTE
You might need to reboot after installing IPv6.
Figure 3.16 Test the IPv6 Configuration
9. You can also navigate to an IPv6-only site from Microsoft Research. In
Internet Explorer, navigate to http://ipv6.research.microsoft.com, as
shown in Figure 3.17.
Figure 3.17 IPv6 Pilot Page at Microsoft Research
NOTE
You will not be able to browse IPv6-only Web sites with Microsoft Internet Explorer
if you use a proxy server (unless the proxy server is IPv6-enabled).
Another way to test whether your IPv6 installation was successful is to run the
ipconfig command. If IPv6 is installed, your IP address will be shown in IPv6 format, as
shown in Figure 3.18.
Figure 3.18 ipconfig Results after Installing IPv6
Now that TCP/IP version 6 is installed, additional utilities are available with the IPv6
functionality. Other than the utilities to manage, monitor, and troubleshoot IPv6, only
Telnet, FTP, and Internet Explorer actually use the IPv6 protocol stack.
netsh Commands
netsh is an interactive command-line utility that allows you to manage local or remote network configurations of active machines. netsh also supports scripting, so you can create batch configurations that run against the local machine or a specified host on the network. You can also use netsh to generate a configuration script to use as a backup configuration or as an aid to configure new machines in an identical fashion.
netsh works with the existing components installed with the operating system by using helper dynamic link libraries (DLLs). Each helper DLL contains the information necessary to execute the commands for the component to which it applies. The set of commands and features supported by a DLL is called a context, and each context is unique to its networking component.
The IPv6 interface has its own context with commands to manage and display information about the routes, interfaces, addresses, and caches specific to IPv6. There are currently no graphical user interface (GUI) applications to configure IPv6, so netsh is necessary for configuring IPv6 and its associated components. The component called 6to4 has a subcontext within the IPv6 context, for configuring and managing 6to4 routers and hosts. For more information about netsh, see the Windows Help and Support Center topic titled "Netsh Overview."
To put the netsh command into IPv6 context, type netsh at the command prompt,
then at the netsh> prompt, type interface ipv6. Then you can use the IPv6 context
commands, which include the following:
■
6to4 Changes to 6to4 context.
■
Add Adds a configuration entry.
■
Delete Deletes a configuration entry.
■
Dump Shows a configuration script.
■
Install Installs IPv6.
■
Isatap Changes to isatap subcontext within IPv6 context.
■
Renew Restarts IPv6 interfaces.
■
Reset Resets IPv6 configuration.
■
Set Sets configuration information.
■
Show Displays information.
■
Uninstall Uninstalls IPv6.
Ipsec6.exe
Ipsec6.exe is used to configure and implement IPSec security policies (SPs) and security associations (SAs) for IPv6. Using this utility, you can save and load security policies and security associations to and from files that can be edited in a text editor. This can be a real time-saver when you implement IPSec for IPv6 on multiple machines. The command to save a configuration is ipsec6 s FilenameWithNoExtension. The extension is appended automatically: .spd for the security policy file and .sad for the security association file. If you run this command for the first time, when there are no current policies and no current security associations, the files created can act as templates to help you get started.
Other ipsec6 commands are available to work with security policies and security associations:
■
To load the configuration from these files, type ipsec6 l FilenameWithNoExtension. The security policies will be loaded from Filename.spd and the security associations from Filename.sad.
■
To delete security policies and security associations, type ipsec6 d [{sp | sa}] [Index] from a command line. Use the sp parameter with the Index of the policy you wish to delete, or the sa parameter to delete all of the security associations.
■
To display the current security policies, type ipsec6 sp [Interface] from the command line, where Interface is optional and limits the output to the security policies for the specified network interface.
■
To view the current security associations, type ipsec6 sa from the command line. The output of the commands that display security policies and security associations is not formatted well for a command window, so you might prefer to save the configuration and view the files in Notepad.
TEST DAY TIP
According to Microsoft Help and Support Center documentation, the current version of IPSec for IPv6 is not recommended for use in a production environment, so
you should not be concerned about anything more than being familiar with it for
the exam.
IPv6 PING and Tracert Parameters
Use the following steps to use IPv6 PING to verify connectivity:
1. From a command prompt, type netsh interface ipv6 show interface.
2. Find the Idx value for Local Area Connection.
3. Type netsh interface ipv6 show interface Idx, where Idx is the number from the previous step. The Local Area Connection index number is usually 4.
4. Right-click in the command window and select Mark. Then highlight the link-local address. Once it is highlighted, right-click in the command prompt window; when you release the mouse button, the address is copied to the Clipboard. Take note of your Zone ID for Link, which should match the Idx number in step 3.
5. Exit the netsh command. At a regular command prompt, type ping, and then right-click in the command prompt window and select Paste.
6. Without adding any spaces, append %ZoneID, where ZoneID is the number noted in step 4, so the command looks like this:
ping fe80::204:5aff:fe08:fb4b%4
The zone ID is required because every interface has a link-local address in fe80::/10; without it, the stack cannot tell which interface the destination is reached through.
7. Press Enter. You should see four successful replies.
8. Continue by pinging the link-local address of another host on the same local network.
9. To test external hosts, ping the global address of another node (no zone ID is needed for a global address).
10. To test name resolution with DNS or a hosts file, ping a node by name with ping -6 Name, where Name is the host name. The -6 parameter tells ping to use IPv6 only.
You can use tracert to trace the path taken by IPv6 packets from this host to the destination host. From a command prompt, type tracert IPv6Address%ZoneID, where IPv6Address is a valid IPv6 address and ZoneID is the zone (interface index) through which a link-local destination is reached; omit the zone ID for global addresses. Alternatively, type tracert -d -6 Hostname, where Hostname is the name of the remote machine (-d skips the reverse name lookup for each hop).
NOTE
Windows XP Professional includes three utilities not included with Windows Server
2003: ipv6.exe, ping6.exe, and tracert6.exe.
6to4 Tunneling
6to4 tunneling encapsulates IPv6 packets in IPv4 headers (IPv4 protocol 41) so that they can cross IPv4-only networks on the way to the destination host. 6to4 uses 6to4 hosts and 6to4 routers to deliver the IPv6 data. It is defined in RFC 3056 and is used for interoperability between IPv4 and IPv6 networks. 6to4 hosts and routers are defined as follows:
■
6to4 host Any IPv6 host that is configured with at least one 6to4 address. 6to4 can be configured with the netsh interface ipv6 6to4 commands. As you might have noticed when you ran the show interface command, by default your IPv6-enabled host has a 6to4 pseudo-interface, as well as an automatic tunneling pseudo-interface.
■
6to4 router Uses IPv4 and IPv6 to forward 6to4 traffic to the destination 6to4 hosts. It is also possible to implement a 6to4 relay router, which forwards traffic between 6to4 sites and the native IPv6 Internet.
With 6to4 tunneling, it is not necessary for IPv6 hosts (such as the computer on which you installed IPv6 in Exercise 3.04) to get an IPv6 global address prefix from their ISPs. The host creates a 6to4 address automatically from its public IPv4 address: the prefix is 2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address WW.XX.YY.ZZ written in hexadecimal. This works only when the host (or its 6to4 router) has a public IPv4 address; a host behind a NAT needs Teredo instead.
IPv6 Helper Service
The IPv6 Helper service automatically configures the host with the appropriate 6to4 addresses and uses a 6to4 relay router on the Internet to reach native IPv6 destinations. You can test functionality with the ping -6 command.
The 6bone
The 6bone is a dedicated IPv6 network that exists on the Internet. It began as a virtual network using IPv6 over IPv4 encapsulation. It contains links to many sites and includes a great deal of IPv6 data, testing plans, news, current events, and implementation instructions. It can be a valuable resource for managing IPv6 on your network. For more information about the 6bone, see www.6bone.net. For instructions on how to connect to the 6bone, see www.opus1.com/ipv6/whatisthe6bone.html. Note that the 6bone was a test network using the 3ffe::/16 address range; RFC 3701 planned its phase-out, and its addresses were withdrawn in June 2006.
Teredo (IPv6 with NAT)
Teredo is the name for IPv4 network address translator (NAT) traversal for IPv6. It provides IPv6 address assignment and host-to-host automatic tunneling for unicast IPv6 connectivity when IPv6/IPv4 hosts are located behind one or more NATs.
Currently, to provide IPv6 connectivity over the Internet you must have a 6to4 router with a public IPv4 address, which is not always feasible. Teredo provides a mechanism for IPv6 traffic to traverse a NAT and reach the IPv6 Internet. Basically, each IPv6 packet is carried as the payload of an IPv4 UDP datagram, and because the NAT handles UDP like any other outbound session, the IPv6 packets pass through it. A Teredo server on the Internet helps the client learn its external IPv4 address and port and detect the type of NAT it is behind. Because Teredo gives an internal host a globally reachable IPv6 address through the NAT, make sure the host firewall filters IPv6 traffic as well as IPv4. For more information about Teredo, see the Teredo Overview document
located at www.microsoft.com/windowsxp/pro/techinfo/administration/p2p/overview.asp.
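The addresses that appear in this IPv6 section can be decoded with the following Python script, an added example that is not part of the book. The link-local address with its zone ID comes from the ping procedure above; the 6to4 prefix format is RFC 3056; the Teredo layout (server IPv4, flags, then the client's port and IPv4 stored XOR all-ones) is the one RFC 4380 standardized. The 2001::/32 Teredo prefix, the 3ffe:831f::/32 prefix attributed to early Windows XP clients, and the sample IPv4 addresses 198.51.100.7 and 192.0.2.1 are this example's assumptions, not the book's.

```python
import ipaddress
from typing import Optional

# Added example (not from the book): decoding link-local, 6to4, and Teredo
# addresses.  Sample IPv4 addresses are constructed documentation addresses.

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")                    # RFC 3056
TEREDO_PREFIXES = (ipaddress.IPv6Network("2001::/32"),            # RFC 4380
                   ipaddress.IPv6Network("3ffe:831f::/32"))       # assumption: early Windows XP Teredo prefix
NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def split_zone(text: str):
    """'fe80::1%4' -> (IPv6Address('fe80::1'), 4); the zone is None when absent."""
    addr, sep, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), (int(zone) if sep else None)


def six_to_four_prefix(public_ipv4: str) -> str:
    """2002:WWXX:YYZZ::/48 for the public IPv4 address WW.XX.YY.ZZ."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    if any(v4 in net for net in NOT_ROUTABLE):
        raise ValueError(f"{v4} is not globally routable: use Teredo behind a NAT")
    n = int(v4)
    return f"2002:{n >> 16:04x}:{n & 0xFFFF:04x}::/48"


def ipv4_from_6to4(addr: str) -> Optional[str]:
    """Recover the IPv4 address embedded after the 2002 prefix (bits 16-47 from the top)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIXTOFOUR:
        return None
    return str(ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF))


def is_teredo(a: ipaddress.IPv6Address) -> bool:
    return any(a in p for p in TEREDO_PREFIXES)


def decode_teredo(addr: str) -> Optional[dict]:
    """Teredo layout: prefix(32) server IPv4(32) flags(16) ~port(16) ~client IPv4(32).

    The client's external port and IPv4 address are stored XORed with all-ones
    so that a NAT inspecting the payload does not rewrite them.
    """
    a = ipaddress.IPv6Address(addr)
    if not is_teredo(a):
        return None
    n = int(a)
    return {
        "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
        "cone_nat": bool((n >> 48) & 0x8000),
        "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
        "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
    }


def mac_from_eui64(addr: str) -> Optional[str]:
    """MAC behind a modified EUI-64 interface ID: ff:fe removed, U/L bit flipped back."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def describe(text: str) -> dict:
    """Summarize an address as typed at the ping prompt, zone ID included."""
    a, zone = split_zone(text)
    if a.is_link_local:
        scope = "link-local: ping and tracert need %ZoneID to choose the interface"
    elif a in SIXTOFOUR:
        scope = "global via 6to4 (IPv6 in IPv4 protocol 41)"
    elif is_teredo(a):
        scope = "global via Teredo (IPv6 in IPv4 UDP, through NAT)"
    elif a.is_global:
        scope = "global (native)"
    else:
        scope = "other"
    return {"address": str(a), "zone": zone, "scope": scope,
            "mac": mac_from_eui64(str(a)), "ipv4_6to4": ipv4_from_6to4(str(a)),
            "teredo": decode_teredo(str(a))}


if __name__ == "__main__":
    print(describe("fe80::204:5aff:fe08:fb4b%4"))            # the address from step 6
    print(six_to_four_prefix("198.51.100.7"))                # constructed public IPv4
    print(describe("2002:c633:6407::1"))                     # a host in that 6to4 site
    print(describe("2001:0:c000:201:8000:63bf:39cc:9bf8"))   # constructed Teredo address
```

The first call shows something worth knowing when reading captures: an EUI-64 link-local address reveals the interface's MAC address (00:04:5a:08:fb:4b here), and a Teredo address reveals the client's external IPv4 address and port.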
EXAM 70-293 OBJECTIVE 2, 2.1, 2.1.2, 2.2
Planning the Network Topology
The next phase in planning your TCP/IP infrastructure is planning the IP routing solution to manage the traffic on your network. This will depend on the physical location of your equipment and users, as well as on how you want to distribute the addresses. When you implement your strategy, you will also need to determine how the hosts on your network will resolve host names and implement the necessary services to provide that functionality. You will need to identify where services such as DHCP, WINS, and DNS must exist in your network to function properly and reduce network bandwidth utilization.
Analyzing Hardware Requirements
Before you implement your network topology, you should identify the hardware needs. For each physical location, you will need to provide some sort of routing. You might need to implement a WAN solution using a T1 line, which also requires special hardware. You will need DHCP servers at each location or a DHCP relay agent. You will need to provide some form of name resolution, most likely DNS and possibly WINS. Depending on traffic and if you have a large number of users, you may decide to install switches to help manage network traffic.
For a DHCP server, the two major factors that affect performance are the amount of physical random access memory (RAM) and the speed of the disk input/output (I/O). You should always provide the largest amount of RAM possible and the fastest disk I/O for the best performance on a DHCP server. The same rules apply for WINS and DNS servers, although DNS is more dependent on network bandwidth. In any case, frequent zone updates require more RAM for better performance.
If you are using Active Directory (AD) DNS, there are other considerations related to AD, such as:
■
Increased network utilization due to dynamic DNS updates related to DHCP integration and WINS reverse lookups
■
Increased RAM requirements due to the increased data volume
EXAM 70-293 OBJECTIVE 2.2.1
Planning the Placement of Physical Resources
The quantity of data and the type of network traffic will affect the location of IP resource
servers in your enterprise. If the WAN link is slow, you might want to place caching-only DNS servers at each location to reduce WAN traffic related to DNS resolution. You might also consider providing a DNS server at each location for redundancy. In addition, by creating an AD-integrated zone (which is writable on every domain controller that hosts it), you allow clients to register their resource records with a local server. Deciding which DNS servers forward external queries to an upstream resolver and which resolve Internet names themselves, iteratively from the root hints, lets you control where Internet DNS traffic leaves your network.
You should also provide a DHCP server at each location. When you have multiple DHCP servers on your network, use the 80/20 rule to balance the load on a subnet: both servers define a scope for the subnet, with 80 percent of the address range leased by the primary server and 20 percent by the other server, and each server excludes the other's portion so that no address is handed out twice. A DHCP server must have an interface on each network for which it has a scope
defined, or you must locate a DHCP relay agent on the same subnet as the DHCP clients.
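Laying out the 80/20 split for one subnet, as an added Python example that is not from the book. The subnet 10.1.0.0/24 and the reserved static range are constructed for illustration; the output is what you would type into each server's scope as its lease range and exclusion range.

```python
import ipaddress
from typing import Dict, Tuple

# Added example (not from the book): plan the address ranges two DHCP servers
# lease for one subnet under the 80/20 rule.  Both servers define the whole
# subnet as their scope; each excludes the other's share.

Range = Tuple[str, str]


def _bounds(addresses) -> Range:
    return str(addresses[0]), str(addresses[-1])


def split_scope(network: str, primary_share: float = 0.8,
                static_low: int = 0, static_high: int = 0) -> Dict[str, dict]:
    """Plan lease and exclusion ranges for a primary and a secondary DHCP server.

    static_low / static_high addresses at the bottom / top of the host range
    are kept out of both pools for routers, servers, and printers.
    """
    if not 0.0 < primary_share < 1.0:
        raise ValueError("primary_share must be between 0 and 1")
    net = ipaddress.IPv4Network(network)
    hosts = list(net.hosts())
    pool = hosts[static_low:len(hosts) - static_high]
    if len(pool) < 2:
        raise ValueError("not enough addresses left to split between two servers")
    cut = round(len(pool) * primary_share)
    cut = min(max(cut, 1), len(pool) - 1)   # both servers get at least one address
    primary, secondary = pool[:cut], pool[cut:]
    return {
        "scope": str(net),
        "primary": {"leases": _bounds(primary), "exclude": _bounds(secondary),
                    "count": len(primary)},
        "secondary": {"leases": _bounds(secondary), "exclude": _bounds(primary),
                      "count": len(secondary)},
    }


def lease_ranges_overlap(a: Range, b: Range) -> bool:
    """True if two (first, last) ranges share an address: the mistake the split must avoid."""
    a0, a1 = (int(ipaddress.IPv4Address(x)) for x in a)
    b0, b1 = (int(ipaddress.IPv4Address(x)) for x in b)
    return a0 <= b1 and b0 <= a1


if __name__ == "__main__":
    # constructed: 10.1.0.1-10.1.0.10 are reserved for the router and servers
    plan = split_scope("10.1.0.0/24", static_low=10)
    for server in ("primary", "secondary"):
        p = plan[server]
        print(f"{server}: lease {p['leases'][0]}-{p['leases'][1]} ({p['count']} addresses), "
              f"exclude {p['exclude'][0]}-{p['exclude'][1]}")
    print("overlap:", lease_ranges_overlap(plan["primary"]["leases"],
                                           plan["secondary"]["leases"]))
```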
If you implement WINS, you will need to examine the quantity of data replicated between WINS servers and the cost of WINS reverse lookups from DNS servers. You should minimize the number of WINS servers you implement in order to minimize the impact of WINS replication traffic on your network.
Use the Help and Support Center on Windows Server 2003 to see examples of performance statistics in a high-traffic environment to help you gauge your enterprise needs.
EXAM 70-293 OBJECTIVE 2, 2.1, 2.1.1
Planning Network Traffic Management
After you decide where to place your physical equipment, users will begin accessing the services supplied by DHCP, DNS, and WINS. Other traffic comes from accessing the Internet, file sharing, and the many other network resources that will be used. You can estimate the amount of traffic at peak times by using some of the utilities provided with the operating system. The tools can be used to create baselines, identify the peak network usage areas, and identify the traffic sources.
You will also need to monitor network traffic and analyze the usage. You might be able to identify illicit network access from external sites, find malware (worms and Trojan horses) that generates broadcast storms, or just discover who is actually using all that Internet bandwidth. You can also determine whether your server-to-server traffic is managed well, or whether it is necessary to change the physical location of equipment.
EXAM 70-293 OBJECTIVE 2.4
Monitoring Network Traffic and Network Devices
Every network administrator should be familiar with two key utilities:
■
Network Monitor Allows you to capture data, identify the source, and analyze
the content and format of the message.
■
System Monitor Allows you to monitor other resources and determine the performance of those resources.
Using Network Monitor
There are two versions of Network Monitor: one is part of the Windows Server 2003 operating system, and the other is part of Microsoft Systems Management Server (SMS). The version that ships with Windows Server 2003 captures only traffic sent to or from the machine on which the utility is being run. The SMS version can capture traffic between any two machines on the network by putting the network card of the machine where it is running into promiscuous mode. On a switched network, promiscuous mode alone still shows only the traffic the switch delivers to that port; to see other hosts' conversations, connect the capturing machine to a mirror (SPAN) port or a hub.
Network Monitor is not installed by default.You can install it by following these steps:
1. From Control Panel, select Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Click Management and Monitoring Tools.
4. Click Details.
5. Click the check box next to Network Monitor Tools.
6. Click OK.
7. Click Finish.
After Network Monitor is installed, you can use the interface to monitor traffic, as shown in Figure 3.19. When you want to view the results, you can view each frame of captured data. You can save the trace to a file, or you can start the trace over. You could then use the traces to find and filter traffic in order to analyze the data. You can also capture fragments into files for later analysis. You can even see some of the unencrypted data being transmitted on your network.
Figure 3.19 Network Monitor
Network Monitor should be run during low-usage times or for short intervals to minimize the impact on performance of capturing all that data on your machine. It is also useful
to identify the type of traffic you are concerned with and use the filters to capture only the
data you need.
Using System Monitor
System Monitor is a Microsoft Management Console (MMC) snap-in tool that allows you
to use counters to monitor the performance of hardware, applications, and operating system
components on Windows Server 2003 machines.
A counter is basically a hook into a driver or application component that allows System
Monitor to gather statistics. System Monitor can capture these statistics and display them in
a graph, as shown in Figure 3.20, or in a report. It can also send administrative alerts when
specified conditions are met, and even launch an application to allow you to correct the situation or send an e-mail or a page to an administrator.You can save the logs to different file
formats to allow you to analyze them in other applications or tools.
Figure 3.20 System Monitor
NOTE
Windows Server 2003 includes command-line tools to help control the scheduling
of performance counter and event trace logs. System Monitor is no longer required
to gather performance data from remote computers (although it can still be used
for that purpose). Typeperf allows you to write performance counter data directly
to the command window.
System Monitor also allows you to view more than one log file at the same time, so that you can compare baseline logs with the current data. The Performance Logs and Alerts service can gather data and store it in a Microsoft SQL Server database that can be viewed by System Monitor. You can also save portions of log files or SQL Server data to a new file. This can help save space, simplify comparisons of data, and reduce analysis time.
Determining Bandwidth Requirements
When you have captured performance statistics and viewed the network traffic at various times of the day, you can identify the different sources of traffic on your network. You will need to analyze how name resolution occurs, where the requests for name resolution originate, and the server-to-server traffic generated when that information is replicated.
You will need to identify the following:
■
Any slow connections and the quantity of data transmitted over those connections. This will help you to identify how often servers transmit replicated data to other servers.
■
The cost of one client obtaining information from these servers. You can then use that figure to calculate the cost of many users.
■
Broadcast traffic, so that you can isolate it to certain networks. You will be able to identify areas where clients communicate heavily with particular servers, such as file servers, and locate those resources on the same segment as the heavy users.
Optimizing Network Performance
TCP transmits data using a sliding window. As data is successfully transmitted to and acknowledged by the destination, the window slides over the remaining data and the next segments are sent. The window size is the maximum number of bytes that can be in flight without waiting for a positive acknowledgment; it is advertised by the receiving host, so each direction of a connection is limited by the receiver's window. If you transmit large amounts of TCP data over a high-bandwidth or high-latency link, a larger TCP window improves TCP/IP performance. Because the window field in the TCP header is 16 bits wide, the maximum window size is limited to 64 kilobytes by default. Windows Server 2003 can advertise windows larger than this by enabling large TCP window support (the window scale option). Client computers can be set to request large windows by editing their Registries (the Tcp1323Opts value under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters); these are then called TCP1323Opts-enabled computers. The scale factor is negotiated during the TCP three-way handshake, and both sides must send the option in their SYN segments for it to take effect. TCP1323 refers to the TCP extensions for high performance defined in RFC 1323.
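To see when window scaling actually matters, the following Python example (added here; it is not code from the study guide) works through the arithmetic the paragraph describes: the bandwidth-delay product of a link, the throughput ceiling imposed by an unscaled 64 KB window, the RFC 1323 scale shift needed to cover a given window, and the meaning of the Tcp1323Opts registry bits. The link figures it uses are constructed sample values.

```python
"""Receive-window arithmetic for the RFC 1323 window scale option.

Added example; not code from the study guide. The Tcp1323Opts bit
meanings (bit 0 = window scaling, bit 1 = timestamps) are the documented
Windows ones; the link figures used below are constructed sample inputs.
"""

MAX_UNSCALED_WINDOW = 65535  # the TCP header's window field is 16 bits wide
MAX_SCALE_SHIFT = 14         # RFC 1323 caps the shift at 14 (about 1 GiB)


def bandwidth_delay_product(bandwidth_bps: int, rtt_ms: float) -> int:
    """Bytes that must be in flight to keep a link of this bandwidth and RTT full."""
    return int(bandwidth_bps / 8 * rtt_ms / 1000)


def max_throughput_bps(window_bytes: int, rtt_ms: float) -> float:
    """Throughput ceiling for a receive window: at most one window per RTT."""
    return window_bytes * 8 / (rtt_ms / 1000)


def required_scale_shift(window_bytes: int) -> int:
    """Smallest scale shift whose scaled 16-bit field can express window_bytes."""
    for shift in range(MAX_SCALE_SHIFT + 1):
        if (MAX_UNSCALED_WINDOW << shift) >= window_bytes:
            return shift
    raise ValueError("window exceeds the RFC 1323 maximum of 65535 << 14 bytes")


def effective_window(raw_field: int, shift: int) -> int:
    """Window a receiver actually advertises: the raw 16-bit field << its shift."""
    if not 0 <= raw_field <= MAX_UNSCALED_WINDOW:
        raise ValueError("raw window field must fit in 16 bits")
    if not 0 <= shift <= MAX_SCALE_SHIFT:
        raise ValueError("shift must be between 0 and 14")
    return raw_field << shift


def negotiated_shifts(client_syn_shift, server_synack_shift):
    """Scaling is agreed only during the handshake: if either the SYN or the
    SYN/ACK omits the option, both directions fall back to unscaled windows."""
    if client_syn_shift is None or server_synack_shift is None:
        return (0, 0)
    return (client_syn_shift, server_synack_shift)


def decode_tcp1323opts(value: int) -> dict:
    """Meaning of the Tcp1323Opts REG_DWORD under
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters."""
    return {"window_scaling": bool(value & 1), "timestamps": bool(value & 2)}


def sizing_report(bandwidth_bps: int, rtt_ms: float) -> dict:
    """Pull the pieces together for one link."""
    bdp = bandwidth_delay_product(bandwidth_bps, rtt_ms)
    return {
        "bdp_bytes": bdp,
        "unscaled_ceiling_bps": max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_ms),
        "scaling_needed": bdp > MAX_UNSCALED_WINDOW,
        "scale_shift": required_scale_shift(bdp),
    }


if __name__ == "__main__":
    # Constructed sample: a 100 Mbit/s path with a 50 ms round-trip time.
    for key, val in sizing_report(100_000_000, 50).items():
        print(f"{key}: {val}")
    print(decode_tcp1323opts(3))
```

On the sample path the unscaled window caps throughput at roughly 10.5 Mbit/s regardless of the 100 Mbit/s link, which is the situation in which setting Tcp1323Opts on both ends pays off.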
With Windows Server 2003, it is possible to disable NetBIOS over TCP/IP (NetBT). This can reduce the overhead of data transfer and eliminate the need for WINS and any other NetBIOS name resolution. It will also eliminate browser traffic (master browser elections and host announcements). The drawback to disabling NetBT is that you can no longer browse network resources with NetBIOS-based tools, and some applications depend on NetBIOS and will not work without it. If you are using NetBIOS name resolution, you should have WINS servers so that clients can send directed name queries rather than broadcasting for that information. WINS servers replicate their databases with each other at regular intervals. You might wish to reduce that traffic by lengthening the replication intervals. You should also minimize the number of WINS servers on your network. It is not necessary to have a WINS server on every LAN; the more WINS servers you implement, the more network traffic is generated by WINS database replication.
The placement of other servers that provide network services is also important. DHCP servers must have an interface on the same segment as the clients that will use them, or you must provide a means for DHCP requests to cross routers (a DHCP relay agent, or routers configured to forward DHCP and BOOTP broadcasts). Place DNS servers on each LAN to minimize the traffic generated by host name resolution. You can also designate a small number of DNS servers as forwarders: the other DNS servers send the queries they cannot answer to the forwarders, so only the forwarders need to perform iterative queries against Internet name servers, and outbound DNS traffic through the firewall can be restricted to those machines.
Summary of Exam Objectives
In this chapter, we examined the factors associated with identifying the network protocols that are best suited to your needs. After we identified the different factors, we evaluated the advantages of using the TCP/IP protocol suite over other protocols, as well as how the Windows Server 2003 platform allows the flexibility to use multiple protocols to communicate on your network, and when it might be necessary to do so. We reviewed how to configure TCP/IP manually and summarized some of the new features and enhancements of the Windows Server 2003 networking components.
We reviewed how the TCP/IP network model (actually the DoD model) maps to the OSI reference model and how each layer of the TCP/IP model contributes to a robust and stable platform for network communications. We took a more in-depth look at the new TCP/IP enhancements in Windows Server 2003, including many of the improvements that will reduce administrative workload, such as the new alternate configuration feature for TCP/IP. You also discovered that TCP/IP can now determine the routing metric for the default gateway dynamically, which helps improve the performance of TCP/IP connections to other subnets.
We defined the criteria for addressing TCP/IP networks and how subnetting works. You learned how to subnet networks and convert binary numbers to decimal and back to help implement the addressing schemes you design. We reviewed how to troubleshoot TCP/IP connections and the issues with manual configuration of clients versus automatic configuration using DHCP. We identified your options for DHCP lease duration and how to decide how the duration is set.
After explaining how to install IPv6, we provided you with an overview of the utilities and software that use IPv6, and how to configure and troubleshoot IPv6 using the netsh, ipsec6, ping, and tracert commands. We also looked at 6to4 routers and hosts and how they can assist you in making the transition from IPv4 to IPv6 by encapsulating IPv6 data in IPv4 packets.
Finally, we examined the tools that are included in Windows Server 2003 to help you monitor, maintain, and plan your network infrastructure. Using those tools, you can identify areas for performance tuning and for improving resource availability, to minimize network bandwidth utilization and improve network performance.
Exam Objectives Fast Track
Understanding Windows 2003 Server Network Protocols
Windows Server 2003 supports multiple protocols at the same time using NDIS,
allowing better integration and flexibility for network operations.
Considerations for choosing the best protocol also help define why TCP/IP is
best suited to enterprise environments.
TCP/IP is a suite of protocols that includes applications and network protocols
that can be used to access and share information with the world or to use the
Internet as a means for implementing WANs.
There are many enhancements to the TCP/IP protocol suite included in
Windows Server 2003 that will improve your overall experience and reduce
network load.
Planning an IP Addressing Strategy
The number of hosts and the number of networks required define the basis for
your addressing strategy.
Planning for growth is critical for your networking address structure, but it is also
beneficial to implement the addressing scheme in an efficient manner.
CIDR can reduce the number of static routes and simplify your network
implementation.
Planning the Network Topology
Servers should be placed close to the clients that will be using the resources
provided.
DHCP provides automatic addressing and other IP address configuration settings
to network machines, which prevents errors typically encountered when manually
configuring IP address settings.
DHCP servers must have an interface on the same segment as the DHCP clients,
or you must implement a DHCP relay.
DNS is used for host name resolution.
You should have one DNS server for each LAN and define which DNS servers
are forwarders and perform iterative queries over the Internet.
WINS is used for NetBIOS name resolution, and it is not necessary if you do not
use NetBIOS to access network resources and have only Windows
2000/XP/2003 machines on the network.
You should minimize the number of WINS servers on your network. WINS replication uses a lot of network bandwidth.
Planning Network Traffic Management
Network Monitor can be used to examine data transmissions sent over the
network. It provides a means for tracking down network issues.
System Monitor is a local or remote performance utility that you can use to
identify bottlenecks and issue alerts when undesirable situations occur.
Bandwidth requirements vary, but by using the tools provided, you can allocate resources appropriately and optimize your network's performance by reducing unnecessary traffic and placing resources close to the clients that use them.
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Will I need to learn how to subnet networks as a LAN administrator?
A: Yes, the ability to design and implement and support networks using TCP/IP depends
on your ability to understand IP addressing practices. It is also important to understand
subnetting for troubleshooting problems and expanding your network.
Q: Is it necessary to memorize all the options for Netsh to manage my network effectively?
A: You should be familiar with the various functions provided by Netsh and understand its importance in configuring IPv6 and other networking components. You may find useful functionality that can simplify repetitive tasks, since netsh is a command-line tool and provides you with a means to automate tasks. You can even use it to back up configurations, such as a DHCP server's scopes (netsh dhcp server export) or the TCP/IP interface settings (netsh interface ip dump), to simplify building similar machines on your network.
Q: Is everything I need to know about TCP/IP to do my job in this chapter?
A: No, volumes of data exist on TCP/IP, including many valuable Internet resources such
as IPv6.org and IETF.org. Every day, new information about the development of
TCP/IP protocols is available. In addition, there are books dedicated solely to TCP/IP
and still others that talk about security on networks that use TCP/IP.
Q: Do I need to know all the port numbers for the different protocols to manage my network?
A: You should be familiar with the common port numbers, such as those for FTP, HTTP, and SMTP, but it is not necessary to memorize every single one. Understanding how to determine which port does what can help you identify which services are in use on a machine, as well as provide better security for your network. You can also use your knowledge of ports for other tasks, such as testing an SMTP server by connecting to port 25 with telnet.exe (by itself, Telnet defaults to port 23; port 22 is SSH).
Q: Can I use IPv6 exclusively on my network?
A: Yes, however, due to limited application support, it would be very difficult at this point to eliminate IPv4 and still function efficiently. For instance, Windows Server 2003 does not include a DHCPv6 client or server, so it is difficult to manage configuration settings for networks that have many clients. Many implementations of common application protocols such as SMTP, POP, and NNTP do not yet support IPv6. In addition, the majority of Internet resources use IPv4, and you would require some IPv4 implementation on your network to access those resources.
Q: Can I use CIDR notation on any router?
A: CIDR notation itself is just a way of writing a prefix and its mask; what matters is whether a router and its routing protocols are classless. RIPv2 and OSPF carry the subnet mask with each route and therefore support CIDR and variable-length subnet masks. RIPv1 is a classful protocol: it does not transmit masks, assumes the classful mask for each advertised network, and cannot represent supernets or summarized routes. This can present issues if you use CIDR summarization on routers that must exchange routes with RIPv1 routers. Most hardware routers can use CIDR notation to define routes, and CIDR summarization can reduce the number of entries that must be added to the routing table.
Q: Do I need a public class IP address block for my network if I have 200 hosts that need
Internet access?
A: No, it would be very costly and difficult to obtain an entire block of class C addresses. You should implement a firewall. Your ISP will typically provide either a single IP address or a small subnet of six or fewer public addresses for the external interface to the world. Internally, you should use a private IP addressing scheme and allow outbound traffic to the Internet via NAT. Public addresses are necessary for Web servers, VPN endpoints on the Internet, and other interfaces that must be reachable from the Internet. An e-mail server must be reachable at a public IP address (either assigned directly or published through the firewall) to accept delivery of Internet messages. You may also be hosting a DNS server that provides host name resolution for your public Web servers. That DNS server would require a public interface to allow other clients to perform lookups and to send and receive zone transfers.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Understanding Windows 2003 Server Network Protocols
1. You are implementing a network that will include UNIX workstations that will share files and information with the Windows users. What protocols will you need to implement to provide integration with UNIX machines?
A. IPX/SPX
B. NetBEUI
C. TCP/IP
D. NetBIOS over TCP/IP
2. You purchased a new desktop computer running Windows XP for your small office and a server running Windows Server 2003. Your old desktop is running Windows 95. It has a network adapter and can access files on another Windows 95 machine. The Windows XP machine has not arrived, but you want to back up the data from the Windows 95 computer to the Windows Server 2003 machine. However, from the Windows Server 2003 computer, you are unable to see the shares on the Windows 95 computer. What should you do to allow the Windows Server 2003 machine to access the Windows 95 machine?
A. Install NetBEUI on Windows Server 2003 computer.
B. Install NWLink on the Windows 95 client.
C. Install TCP/IP on the Windows 95 client.
D. Ensure the server has a valid IP address and implement a DHCP server on the
Windows Server 2003 machine with a valid scope.
Planning an IP Addressing Strategy
3. You are implementing a test lab that contains three Windows Server 2003 machines, twenty Windows XP Professional machines, and two IP-based printers. You have been given the network address of 155.1.50.0 and a subnet mask of 255.255.255.224. What is the CIDR notation for your subnet?
A. 155.1.50.0/27
B. 155.1.50.0/5
C. 155.1.50.0/24
D. 155.1.50.0/3
4. You are given a task to create eight subnets on your LAN, and you have been assigned
the address space 172.16.128.0/23. How many hosts will you have and what is the
CIDR notation for the new subnet’s address space?
A. 2032 hosts on 172.16.128.0/24
B. 240 hosts on 172.16.128.0/27
C. 496 hosts on 172.16.128.0/26
D. 48 hosts on 172.16.128.0/29
5. Which of the following addresses is suitable for dividing into at least nine subnets,
each with the ability to support 200 hosts per network?
A. 10.1.1.0/24
B. 10.1.1.0/20
C. 10.1.1.0/19
D. 10.1.1.0/22
6. You are having trouble accessing Microsoft’s Web site. When you ping www.microsoft.com, the request times out. How should you proceed in troubleshooting this problem?
A. Ping the loopback adapter, the IP address of this machine, then the default
gateway and determine if your connectivity is valid. If there are no issues, run
tracert and identify where the communications stop.
B. Ping the default gateway, the IP address of a remote host other than Microsoft,
such as Yahoo, then ping the IP address of this machine and then the loopback
adapter.
C. Use Network Monitor to analyze the traffic to www.microsoft.com.
D. Use System Monitor to look at counters on the local machine to determine the
error.
7. You implement a Windows Server 2003 machine that is functioning as a file server on your LAN. The server name is FileServer01. Users attempting to browse the shares on \\FileServer01\ are unable to see any of the shares you created. What is likely the problem?
A. You do not have DNS installed on the LAN.
B. DHCP is unavailable.
C. NetBIOS encapsulation is not enabled on the Windows Server 2003 machine.
D. FileServer01 FTP service is stopped.
8. A client computer configured as a DHCP client was unable to obtain an address from the DHCP server. Upon investigation, you discovered that the DHCP scope was not activated, so you activated it. The client computer has an APIPA address of 169.254.0.1. What actions are required for the client to obtain an IP address from the DHCP server?
A. Run ipconfig /all from a command prompt.
B. Use Netsh to assign an address to the network adapter.
C. Log off Windows XP and log on again.
D. Take no action.
Planning the Network Topology
9. Your company is merging with another organization, and you have been tasked with merging the corporate networks. You have determined that the other company has between 50 and 125 hosts on 7 networks. Your company has 25 to 50 hosts on 12 networks. You want the integration to provide room for five percent growth over the next two years. Your routers do not support variable-length subnet masks. You decide to use the private address 192.168.0.0. What is the best subnet mask for your new corporate LAN?
A. 255.255.0.0
B. 255.255.255.0
C. 255.255.255.192
D. 255.255.224.0
10. You want to simplify the configuration and management of TCP/IP clients on your network, which consists of 300 Windows XP Professional machines, 12 Windows Server 2003 machines, and 23 printers on four subnets. Which of the following solutions best suits your needs?
A. Implement WINS using APIPA. Provide at least one DNS server for each WINS
server.
B. Implement DHCP to provide assigned IP address leases and scope properties that
contain the necessary host resolution methods, the IP address of the default
gateway, and the DNS servers.
C. Implement AD integrated DNS and WINS and configure WINS to do reverse
lookups.
D. Provide thorough documentation for each client to manually configure its IP
address with a valid subnet mask and DNS server.
11. All of the clients on your network are configured to use DHCP for their TCP/IP configuration. You upgrade Internet access to use a T1 line that is connected to a different router than the current router that is being used by the Digital Subscriber Line (DSL) connection. What actions are required to allow the executive staff to access the Internet using the new default gateway, by configuring each executive’s machine only one time, while not allowing the other company employees to use the T1?
A. Create a logon script for the Executives Group that uses the route add -d command to add the new router information. Set the script to run every time members of the Executives Group log on.
B. Create a logon script for the Executives Group that uses the route add -p command to add the new router information. Set the script to run once, the next time members of the Executives Group log on.
C. Create a new property for the router in the DHCP scope options. Set up reservations for each of the executives’ machines.
D. Run the route add command with the information for the new router on each executive’s machine.
12. You have integrated a smaller LAN into your network that contains a Novell NetWare server using IPX/SPX. You want to be able to access it from a Windows Server 2003 machine, so you install NWLink. You notice that after you installed NWLink, the Windows XP client machines that connect to Windows Server 2003 are taking longer to connect and read information. What can you do to ensure the best performance for the Windows XP clients?
A. Install NWLink on the Windows XP machines.
B. Install the Novell NetWare Client on the Windows XP machines.
C. Move TCP/IP up in the binding order on the Windows Server 2003 machine.
D. Install the Novell NetWare Client on the Windows Server 2003 machine.
13. You are the network administrator for a new company. Your LAN is connected to the Internet by a single T1 line. You obtain a single public IP address from your ISP. Your firewall services are outsourced to the ISP. The LAN includes five Windows XP Professional computers and one Windows Server 2003 computer named Server01. All Windows XP client computers are configured to use DHCP to obtain their IP configurations. Server01 is configured as a DHCP server and contains two network adapters. You connect one network adapter to the hardware for the ISP connection and connect the other network adapter to the LAN. You want client computers to access the Internet, including browsing the Web and file transfers via FTP. Which of the following configuration tasks must you complete?
A. Install the DNS Server service.
B. Install WINS Services.
C. Install Routing and Remote Access Services (RRAS).
D. Assign the public IP address to the external adapter.
Planning Network Traffic Management
14. Users are complaining about slow network performance. Using Network Monitor,
you have identified the source of the excessive traffic is inbound and outbound traffic
from your DNS server. How would you identify the source of the excessive DNS
traffic?
A. Using the host IP addresses from Network Monitor, perform a tracert command
to each host and determine the time it takes to get to each requested destination.
B. Use System Monitor to watch performance counters on the DNS server and
identify the cause of the slow performance.
C. Use System Monitor to watch performance counters on the client machines to
identify the machine that is using the DNS server heavily.
D. Ping the DNS server using the –t option from different host machines to identify
the subnet that is causing the increase in network traffic.
15. You are using Network Monitor to analyze traffic on your Windows Server 2003 machine. You have a lot of data that has been captured, but you are looking for specific information. How do you accomplish this?
A. Define a filter for the captured data.
B. Open the trace in Notepad and do a global search for the information you are
seeking.
C. Export the data to a .cap file and view the reports in Excel.
D. Set up the counters for the appropriate data.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C
2. C, D
3. A
4. C
5. B, C
6. A
7. C
8. D
9. B
10. B
11. B
12. C
13. A, C, D
14. B
15. A
255_70_293_ch04.qxd
9/9/03
5:17 PM
Page 211
Chapter 4
MCSE 70-293
Planning, Implementing,
and Maintaining a
Routing Strategy
Exam Objectives in this chapter:
2 Planning, Implementing, and Maintaining a Network Infrastructure
2.1.2 Plan an IP routing solution.
3 Planning, Implementing, and Maintaining Routing and Remote Access
3.1.1 Identify routing protocols to use in a specified environment.
3.1.2 Plan routing for IP multicast traffic.
3.1 Plan a routing strategy.
5.3.1 Specify the required ports and protocols for specified services.
3.4 Troubleshoot TCP/IP routing. Tools might include the route, tracert, ping, pathping, and netsh commands and Network Monitor.
2.5.3 Diagnose and resolve issues related to client configuration.
Introduction
In the preceding chapter, you learned about the TCP/IP protocols and how to set up a
TCP/IP infrastructure. One of the biggest advantages of TCP/IP as a network and transport protocol stack is its capability to route packets between different networks or subnets.
Dealing with routing issues is an important part of the job of a Windows Server 2003 network administrator for a typical medium-to-large size network. In this chapter, we first
review the basics of IP routing, including the role of routing tables, static and dynamic
routing, and routing protocols such as Routing Information Protocol (RIP) and Open
Shortest Path First (OSPF).
You’ll learn to use the netsh commands related to routing, and then we’ll show you how to evaluate routing options. This includes selecting the proper connectivity devices; we’ll discuss hubs, bridges, switches (Layer 2, 3, and 4 varieties), and routers. We’ll look at how you can use a Windows Server 2003 machine as a router, and how to configure the Routing and Remote Access Service (RRAS) to do so.
Next, we look at security considerations related to routing. We’ll show you how to analyze requirements for routing components from a security-conscious point of view, and we’ll discuss methods of simplifying the network topology to provide fewer attack points. This includes minimizing the number of network interfaces, the number of routes, and the number of routing protocols. We will also discuss router-to-router virtual private networks (VPNs), packet filtering, firewalls, and logging levels.
Finally, we cover how to troubleshoot IP routing issues. We’ll identify troubleshooting tools and take a look at some common routing problems, including those related to interface configuration, RRAS configuration, routing protocols, TCP/IP configuration, and routing table configuration.
EXAM 70-293 OBJECTIVE 2, 2.1.2, 3
Understanding IP Routing
The basic concept of routing is that each packet on a network has a source address and a destination address. These two addresses are stored in the packet’s header information. That means that any device on the network that receives this packet can inspect the header to find out where the packet came from and where it is going. If we provide our device with a little more information, such as details concerning the network’s design and implementation, that device can also change the routing for the packet in an intelligent manner to help lower the total cost of the traffic.
So that we’re all on the same page, we need to start by reviewing the basics of routing.
Keep in mind as we go through the following material that it is mainly review and not
intended as the final word on these topics.
Reviewing Routing Basics
Understanding the concepts of IP addressing is critical to understanding how IP routing works. A good understanding of IP addressing, and subsequently of subnetting, requires that you be comfortable with binary notation and math.
You already know that an IP address is a numeric identifier assigned to every machine on a network. This address tells where the device is located on the specific network.
EXAM WARNING
Keep in mind that an IP address is a software address. Don’t confuse it with a
hardware address. The hardware address is hard-coded into the machine itself or
in the network interface card (NIC). Also keep in mind that starting with Windows
2000, Microsoft began listing IP address ranges in the same manner that Cisco
does. This method, Classless Interdomain Routing (CIDR), lists the IP address followed by the number of ones in the subnet mask. For instance, 192.168.1.0 with a
subnet of 255.255.255.0 is written as 192.168.1.0/24.
As a quick review, IP addresses are currently made up of 32 bits of information. These bits are divided into four sections (octets) that each contain 1 byte (8 bits). You will see IP addresses specified in three basic formats:
■
Binary, such as 11000000.10101000.00000000.00000001
■
Dotted-decimal, such as 192.168.0.1
■
Hexadecimal, such as C0 A8 00 01
All three of these examples represent the same IP address. In reality, the computer uses only the binary version. The other two formats are provided because they are easier for people to read and use.
There are three basic types of IP addresses:
■
Unicast addresses IP addresses assigned to a single network interface attached to the network. Unicast IP addresses are used for one-to-one communication between hosts.
■
Broadcast addresses IP addresses designed to be received and processed by every IP host on a given network segment. They are basically one-to-many communication, and routers do not forward them.
■
Multicast addresses IP addresses (in the 224.0.0.0/4 range) that identify a group of interested hosts rather than a single interface. A host receives the traffic only if it has joined the group, and the members may be on different segments if the routers support multicast routing. Multicast IP addresses are also one-to-many communication.
Next, you should also understand the differences between routed and Network Address Translation (NAT) connections. NAT is the process of translating between the IP addresses used on an internal network, referred to as private addresses, and Internet IP addresses, known as public addresses.
There are three address blocks set aside and defined as private address space (RFC 1918):
■
10.0.0.0 with a subnet mask of 255.0.0.0, or 10.0.0.0/8 This network is a private address space that has 24 host bits that can be used.
■
172.16.0.0 with a subnet mask of 255.240.0.0, or 172.16.0.0/12 This network is a private address space that has 20 host bits that can be used. This provides a range of 16 class B network IDs from 172.16.0.0/16 through 172.31.0.0/16.
■
192.168.0.0 with a subnet mask of 255.255.0.0, or 192.168.0.0/16 This network is a private address space that has 16 host bits that can be used. This provides a range of 256 class C network IDs from 192.168.0.0/24 through 192.168.255.0/24.
Remember that private and public spaces do not overlap, and private addresses are not routed on the Internet. Machines on an intranet with a private IP address cannot connect to the Internet directly. Instead, they must be connected indirectly via either a proxy server or NAT. Essentially, all of the computers on your intranet are masquerading behind a single public IP address.
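The notation review above (binary, dotted-decimal and hexadecimal forms of one address), the three RFC 1918 blocks, and the subnetting questions in the Chapter 3 self-test all come down to the same bit arithmetic. The following Python example is added here and is not code from the study guide; it uses only the standard library ipaddress module, and the addresses in its __main__ block are the ones the self-test questions use.

```python
"""IPv4 notation, CIDR/subnet arithmetic and RFC 1918 membership.

Added example, not code from the study guide. Only the standard library is
used; the addresses in __main__ are the ones from the chapter's self-test.
"""
import ipaddress

# The three RFC 1918 blocks. ipaddress's own is_private also counts loopback,
# link-local and other special ranges, so the check below is explicit.
RFC1918_BLOCKS = [
    ipaddress.ip_network(b) for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def address_forms(addr: str) -> dict:
    """The same address in the three notations the text lists."""
    packed = ipaddress.IPv4Address(addr).packed  # four bytes, one per octet
    return {
        "binary": ".".join(f"{b:08b}" for b in packed),
        "dotted": ".".join(str(b) for b in packed),
        "hex": " ".join(f"{b:02X}" for b in packed),
    }


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length; a non-contiguous mask raises ValueError."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix: int) -> str:
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def usable_hosts(net: ipaddress.IPv4Network) -> int:
    """Addresses minus network and broadcast (for prefixes shorter than /31)."""
    return max(net.num_addresses - 2, 0)


def split_into_subnets(block: str, count: int) -> list:
    """Cut a block into equal subnets, at least `count` of them (rounded up
    to a power of two, since subnet bits come in whole bits)."""
    net = ipaddress.ip_network(block)
    subnet_bits = (count - 1).bit_length()  # ceil(log2(count)); 0 when count == 1
    return list(net.subnets(prefixlen_diff=subnet_bits))


def smallest_block_for(subnets_needed: int, hosts_per_subnet: int) -> tuple:
    """(block prefix, subnet prefix) for the smallest block that holds
    `subnets_needed` fixed-length subnets of `hosts_per_subnet` usable hosts."""
    host_bits = (hosts_per_subnet + 1).bit_length()  # 2**host_bits >= hosts + 2
    subnet_bits = (subnets_needed - 1).bit_length()
    subnet_prefix = 32 - host_bits
    return (subnet_prefix - subnet_bits, subnet_prefix)


if __name__ == "__main__":
    print(address_forms("192.168.0.1"))
    print("255.255.255.224 is /%d" % mask_to_prefix("255.255.255.224"))
    subs = split_into_subnets("172.16.128.0/23", 8)
    print(f"{len(subs)} subnets of /{subs[0].prefixlen}, "
          f"{sum(usable_hosts(s) for s in subs)} usable hosts in total")
    block, sub = smallest_block_for(9, 200)
    print(f"9 x 200 hosts: /{block} block, /{sub} subnets ({prefix_to_mask(sub)})")
    print("172.31.255.255 private:", is_rfc1918("172.31.255.255"))
```

Running it reproduces the self-test answers: 255.255.255.224 is /27, eight subnets of 172.16.128.0/23 are /26 networks with 496 usable hosts in total, nine subnets of 200 hosts need a /20, and nineteen fixed-length subnets of about 132 hosts call for a 255.255.255.0 mask inside 192.168.0.0/16.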
EXAM WARNING
Understand the ranges and subnet masks used with private addressing. Know how
NAT translates and connects for them.
With a routed connection, every host that communicates directly with the Internet needs its own public IP address. Using NAT allows you to connect multiple private addresses to the Internet through a single public IP address. This is done by translating and modifying packets to reflect the changed addressing information.
There are three basic components that make up NAT:
■ Translation This component maintains the NAT table for inbound and outbound connections.
■ Addressing This component is handled by a stripped-down version of a Dynamic Host Configuration Protocol (DHCP) server that assigns the IP address, subnet mask, default gateway, and IP address of the Domain Name System (DNS) server.
■ Name resolution This component forwards all name-resolution requests to the DNS server defined on the Internet-connected adapter, and then returns the reply. It can be thought of as a DNS proxy.
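The following added example (not code from the book) models the three private address blocks listed earlier and the Translation component's NAT table in Python; the public address 203.0.113.7 and the port numbers are constructed for the example, and the NAT table it keeps is the only record that ties a public flow back to a private host.

```python
"""Added example (not from the book): a minimal port-based NAT translation table.

It models the three address blocks the chapter lists as private space and the
Translation component's NAT table, which maps each outbound (private address,
port) flow to a port on the single public address and maps replies back.
The public address and port numbers are constructed for this example.
"""
import ipaddress

# The three private blocks set aside by RFC 1918, as listed in the chapter.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(address: str) -> bool:
    """True when the address falls inside one of the three private blocks."""
    ip = ipaddress.ip_address(address)
    return any(ip in block for block in PRIVATE_BLOCKS)


def usable_host_bits(block: ipaddress.IPv4Network) -> int:
    """Host bits available in a block: 24 for /8, 20 for /12, 16 for /16."""
    return block.max_prefixlen - block.prefixlen


class NatTable:
    """Many private hosts masquerade behind one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound = {}   # (private_ip, private_port) -> public_port
        self._inbound = {}    # public_port -> (private_ip, private_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        """Rewrite an outbound packet's source; allocate a mapping on first use."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not a private address; nothing to translate")
        key = (src_ip, src_port)
        if key not in self._outbound:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[public_port] = key
        return self.public_ip, self._outbound[key]

    def translate_inbound(self, dst_port: int):
        """Map a reply arriving at the public address back to the private host."""
        return self._inbound.get(dst_port)

    def table(self):
        """The NAT table: the only record linking a public flow to a private host,
        which is why it must be logged if you ever want to trace a connection."""
        return dict(self._inbound)
```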
EXAM WARNING
Understand the three components of NAT and how they interact with other
Windows Server 2003 components such as DNS and DHCP.
Keep in mind that NAT is not always the solution. It is extremely limited when it comes to security. You cannot encrypt anything that carries, or has been derived from, an IP address, because NAT must rewrite that address in transit. Tracking hackers and other problems is also extremely difficult, because the original source IP address is stripped away in the NAT process. Another problem arises when you try to use NAT with large networks that have many hosts attempting to communicate with the Internet at the same time. The size of the mapping tables in this kind of environment is overwhelming and can cause performance problems.
Another basic concept related to IP routing is how the Internet Control Message Protocol (ICMP) works. ICMP is a maintenance protocol used to create and maintain routing tables. It supports router discovery and advertisements to hosts on a network. Very simply, it’s designed to pass control and status information between TCP/IP devices. When a client computer starts up on your network, it usually has only a few entries in its routing table. When that host sends data out to a specific destination on a network, the host first checks its routing table to see if there is already an entry matching the destination’s IP address. If no match is found, the packet is sent to the default gateway. When the default gateway receives the packet, it will check to see if it has a matching entry in its routing table. If it does, it forwards the packet to the destination. At the same time, it sends an ICMP message back to the originating host, telling that host about the better route available. ICMP can also let hosts on a network know if a specific router is still active by sending out periodic messages with this kind of information.
Head of the Class...
IP version 6
The Internet that we have all come to know and love uses IP version 4 (IPv4) and is based on 32-bit addressing. Because of the numerous disadvantages of IPv4, including the problem of limited address space that NAT addresses, a new proposal was put forth in 1995. Originally called Internet Protocol Next Generation (IPng), this proposal offered several improvements, including 128-bit addressing, global addressing, automatic configuration, built-in security, improved quality of service (QoS) support, and built-in mobility. The new version of IP became known as IP version 6 (IPv6). IP version 5 was reserved for a different proposal that was never adopted or implemented.
Because of the differences between IPv4 and IPv6, IPv6 is not backward-compatible with IPv4. The address syntax is just one example. IPv4 addresses can be expressed in the traditional 192.168.0.0/20 format. IPv6 has been forced to settle on the colon-hexadecimal notation. The 128-bit block is divided into eight 16-bit blocks and delimited by colons. The 32-bit block of IPv4 is divided into four 8-bit blocks.
An example of an IPv6 unicast address is 3FFE:FFFF:2A:41CD:2AA:FF:FE5F:47D1. Leading zeros within a block are suppressed, but each block must contain at least one hexadecimal digit. Another example is FE80:0:0:0:2AA:FF:FE5F:47D1. Notice the 0 blocks. IPv6 allows for the compression of such addresses using double colons. The above address then becomes FE80::2AA:FF:FE5F:47D1. A multicast address such as FF02:0:0:0:0:0:0:1 would then become FF02::1.
IPv6 doesn’t use subnet masks, but rather continues to use the CIDR notation. Using this notation, 3FFE:FFFF:2A:41CD::/64 would be a subnet identifier; 3FFE:FFFF:2A::/48 would be a route; and FF::/8 would be an address range.
Just remember that IPv6 is actually a suite of protocols. It replaces IP, ICMP, Internet Group Management Protocol (IGMP), and Address Resolution Protocol (ARP) in the TCP/IP protocol suite.
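The notation rules above, as an added Python example that is not part of the book: it expands and compresses addresses, tests membership in a CIDR prefix, and cross-checks its output against the standard library. One rule is assumed from RFC 5952, which the sidebar does not mention: only a run of two or more zero blocks is replaced by the double colon.

```python
"""Added example (not from the book): IPv6 text notation as the sidebar describes it.

The functions implement leading-zero suppression within a 16-bit block and
double-colon compression of the longest run of zero blocks, plus a CIDR prefix
test. They are written from scratch so the bit handling is visible; the standard
ipaddress module is used only as an independent check. Sample addresses are the
sidebar's own; the 'two or more zero blocks' rule is assumed from RFC 5952.
"""
import ipaddress


def expand(address: str) -> list:
    """Return the eight 16-bit blocks of an address as integers, undoing '::'."""
    if address.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in address:
        left, right = address.split("::")
        head = [int(b, 16) for b in left.split(":") if b]
        tail = [int(b, 16) for b in right.split(":") if b]
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = head + [0] * missing + tail
    else:
        blocks = [int(b, 16) for b in address.split(":")]
    if len(blocks) != 8 or any(not 0 <= b <= 0xFFFF for b in blocks):
        raise ValueError(f"not a valid IPv6 address: {address}")
    return blocks


def compress(address: str) -> str:
    """Write an address with leading zeros suppressed and the longest run of
    zero blocks (two or more, per RFC 5952) replaced by '::'."""
    blocks = expand(address)
    # Find the first longest run of consecutive zero blocks.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, b in enumerate(blocks):
        if b == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    hexblocks = [format(b, "X") for b in blocks]  # format() drops leading zeros
    if best_len < 2:
        return ":".join(hexblocks)
    left = ":".join(hexblocks[:best_start])
    right = ":".join(hexblocks[best_start + best_len:])
    return f"{left}::{right}"


def to_int(address: str) -> int:
    """The 128-bit value of an address."""
    value = 0
    for b in expand(address):
        value = (value << 16) | b
    return value


def in_prefix(address: str, prefix: str) -> bool:
    """CIDR test: does the address fall inside a prefix such as 3FFE:FFFF:2A::/48?"""
    network, length = prefix.split("/")
    length = int(length)
    mask = ((1 << length) - 1) << (128 - length) if length else 0
    return to_int(address) & mask == to_int(network) & mask


def check_against_stdlib(address: str) -> bool:
    """Independent check: our compressed form matches ipaddress's canonical form."""
    return compress(address).lower() == str(ipaddress.IPv6Address(address))
```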
Routing Tables
A routing table is basically a list, a huge list sometimes, that is used to direct traffic on a network. The table includes information about what other networks are reachable from a given network by providing the network address and subnet mask, as well as the metric, or cost, for that specific network route. Another way to think of it is as a database of routes to other locations.
The way this works is simple. When a packet arrives at the routing device (which could be a dedicated router or a Windows Server 2003 computer), the routing table is queried to discover the lowest cost route to the intended destination. Sometimes when there is no specific information concerning that network in the routing table, the packet will be forwarded to the default gateway, assuming that the default gateway will get the packet where it needs to go.
The level of detail, or the number of routes in the table, depends on whether the IP node is a host or a router. Usually, a host will have fewer entries in this table than a router has in its table. For instance, it would be normal to find an IP host configured with a default gateway. Creating a default route in the table allows for the effective summarization of all destinations. Routing tables on a router, on the other hand, will normally contain an entry for each and every reachable network on the IP network system.
Let’s turn our attention back to the table itself. Each of the rows in this list, or entries in this database, is commonly referred to as a route. There are three basic types of routes:
■ Host route A route to a specific IP address in the network. A host is a particular computer, or more specifically, an interface on a computer or device. In these cases, the network mask is always 255.255.255.255 (/32). Host routes are typically used for custom routes to specific hosts. This helps in the optimization and control of a network.
■ Network ID route A route for classful, classless, subnet, and supernetted destinations. The network mask in these cases will be somewhere between 129.0.0.0 (/1) and 255.255.255.254 (/31).
■ Default route A route to all other destinations. This route is used when the routing table cannot find a host or network ID route that matches the destination in the packet’s header. The default route has a destination of 0.0.0.0 and a network mask of 0.0.0.0 (/0), and it is sometimes expressed as 0/0. All destinations not found in the routing table are simply forwarded to this destination, where the specific destination address will be found.
Each route in the routing table contains the necessary forwarding information for a range of destination IP addresses. This information includes two values for the destination IP address: the next-hop interface and the next-hop IP address. The next-hop interface is just a representation of the next physical or logical device over which the IP packet will be forwarded. The next-hop IP address is the IP address of the node to which the IP packet is being forwarded. In an indirect delivery, the next-hop IP address is the IP address of a directly reachable intermediate router to which the packet is being forwarded.
So, from this discussion, we glean that there is enough information contained in the route entry of a routing table to identify the destination, the next-hop interface, and the next-hop IP address, and to determine which route is the best when there is more than one route available to the intended destination. Let’s break down the route entry into its component parts:
■ Destination Sometimes referred to as the network destination, this value is usually a representation of the IP address that is reachable with this route. It is usually used in conjunction with the Network Mask field. This can be a network ID (classful, subnet, or supernet) or an IP address. Other terms that are sometimes used to represent the destination include destination host, subnet address, network address, and default route. The destination for a default route is 0.0.0.0. The destination for a limited broadcast is 255.255.255.255.
■ Network Mask Sometimes referred to as the netmask, this value is a bit mask that is used to determine the significant bits in the Destination field. The 1 bit in a network mask identifies those bits that must match the Destination field for this route. The 0 bit indicates the bits that don’t need to match the Destination field. This field is usually a string of contiguous 1 bits followed by a string of contiguous 0 bits. The combination of the destination and the network mask defines a range of IP addresses. A host route has a network mask of 255.255.255.255. With this mask, only an exact match with the destination would be able to use this route. On the other end of the spectrum, a default route has a network mask of 0.0.0.0. A mask of 0.0.0.0 allows any destination to use this route. A subnet or network route has a mask that exists somewhere between these two extremes.
■ Next-hop IP Address This points to the IP address where the packet is to be forwarded using this route. It’s sometimes also referred to as the forwarding address and most often called the gateway. This gateway must be directly reachable by this router by using the interface defined in the Interface field. This can be a hardware address, a network address, or sometimes even the address of the interface attached to the network.
NOTE
When working with routes of directly attached network segments, the Next-hop IP Address field can be set to the IP address of the network segment’s interface. This is the default behavior of the IP routing table for the Windows Server 2003 family.
■ Interface This is the logical or physical interface used when forwarding the packet using this specific route. It indicates the local area network (LAN) or demand-dial interface needed to reach the next router. The value here can be either a logical name or the IP address assigned to the interface. This can be the port number or some other logical identifier.
NOTE
The Windows Server 2003 family uses the IP address assigned to the interface.
■ Metric This field is where the route’s cost is maintained. It’s commonly used to store the hop count, or the number of routers between the host and the destination. It is also used by the route-determination process to choose among the many routes to the same location that might be possible. When there are multiple routes with the same destination and network mask, the route with the lowest metric value is used. Anything on the local subnet is always considered one hop. Each router crossed is counted as an additional hop. The lowest metric is usually the preferred one.
■ Protocol This field shows how the route was learned. This column will normally list RIP, OSPF, or other routing protocols. If it lists Local, the router is not receiving routes.
Configuring & Implementing...
Viewing Routing Tables
Viewing your routing tables in Windows Server 2003 is a simple procedure, but you
must be logged on as an Administrator or, as a security best practice, using the Run
As command. Follow these steps:
1. Select Start | Control Panel | Administrative Tools | Routing and
Remote Access.
2. In the console tree on the left side of the Routing and Remote Access
window, click the plus sign to the left of Routing and Remote Access.
3. Under that, you will see the name of the server. Click the plus sign
there, and you’ll see IP Routing.
4. Click the plus sign next to IP Routing, and you should see Static
Routes.
5. Right-click Static Routes and choose Show IP Routing Table from the
context menu.
You can also use a command-line utility to view the routing table. (Speed is
one of the most important reasons for choosing to use the command line over a
GUI tool.) To view the routing table from the command prompt, click Start | All
Programs | Accessories | Command Prompt. This opens the command prompt
window. At the prompt, type route print and press the Enter key. You’ll now see
a screen resembling the one shown in Figure 4.1.
Figure 4.1 Viewing the Routing Table from the Command Prompt
The routing table shown in Figure 4.2 (viewed from the Windows Server 2003
Routing and Remote Access utility) is for a computer running Windows Server 2003
Enterprise Edition with one 10MB network adapter, an IP address of 192.168.0.13, a
subnet mask of 255.255.255.0, and a default gateway of 192.168.0.1.
Let’s look at the individual rows more closely:
■ The first row in the table, beginning with 0.0.0.0, is the default route.
■ The second and third rows, beginning with 127.0.0.0 and 127.0.0.1, are the loopback network.
■ The fourth row, beginning with 192.168.0.0, is the local network.
■ The fifth row, beginning with 192.168.0.13, is the local IP address.
■ The second-to-last row, beginning with 224.0.0.0, is the multicast address.
■ The final row, beginning with 255.255.255.255, is the limited broadcast address.
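As an added example (not code from the book), the following Python reproduces the route-determination process over a table built from the rows of Figure 4.2 (host 192.168.0.13/24, default gateway 192.168.0.1): the longest matching network mask wins, and among routes with the same mask the lowest metric wins. The metrics, the second default gateway and the static route it adds are constructed for the example.

```python
"""Added example (not from the book): route selection over a routing table
mirroring the rows of Figure 4.2 for a host at 192.168.0.13/24 whose default
gateway is 192.168.0.1. Metrics are constructed for the example. Selection is
longest mask first, then lowest metric, as the chapter describes."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str          # network destination
    netmask: str              # network mask
    gateway: str              # next-hop IP address (interface IP for on-link routes)
    interface: str            # interface IP, as Windows Server 2003 shows it
    metric: int               # cost; lowest wins among routes with the same mask
    protocol: str = "Local"   # how the route was learned

    def matches(self, address: str) -> bool:
        """True when the address agrees with the destination on every 1 bit of the mask."""
        mask = int(ipaddress.IPv4Address(self.netmask))
        dest = int(ipaddress.IPv4Address(self.destination))
        return int(ipaddress.IPv4Address(address)) & mask == dest & mask

    @property
    def prefix_length(self) -> int:
        """Number of 1 bits in the mask (32 = host route, 0 = default route)."""
        return bin(int(ipaddress.IPv4Address(self.netmask))).count("1")


IFACE = "192.168.0.13"
LOOPBACK = "127.0.0.1"

# Constructed to mirror the rows of Figure 4.2, in the figure's order.
FIGURE_4_2 = [
    Route("0.0.0.0",         "0.0.0.0",         "192.168.0.1", IFACE,    20),  # default route
    Route("127.0.0.0",       "255.0.0.0",       LOOPBACK,      LOOPBACK, 1),   # loopback network
    Route("127.0.0.1",       "255.255.255.255", LOOPBACK,      LOOPBACK, 1),
    Route("192.168.0.0",     "255.255.255.0",   IFACE,         IFACE,    20),  # local network (on-link)
    Route("192.168.0.13",    "255.255.255.255", LOOPBACK,      LOOPBACK, 20),  # local IP address
    Route("224.0.0.0",       "240.0.0.0",       IFACE,         IFACE,    20),  # multicast
    Route("255.255.255.255", "255.255.255.255", IFACE,         IFACE,    1),   # limited broadcast
]


def lookup(table, address: str):
    """Pick the route for a destination: longest mask, then lowest metric.
    Returns None when nothing matches (no default route configured)."""
    candidates = [r for r in table if r.matches(address)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix_length, r.metric))


def route_kind(route: Route) -> str:
    """Classify a route the way the chapter does: host, network ID, or default."""
    if route.prefix_length == 32:
        return "host"
    if route.prefix_length == 0:
        return "default"
    return "network ID"


def add_static_route(table, destination, netmask, gateway, metric=1):
    """Add a manually configured (static) route. The gateway must be directly
    reachable, i.e. its own route must be an on-link route (gateway == interface)."""
    on_link = lookup(table, gateway)
    if on_link is None or on_link.gateway != on_link.interface:
        raise ValueError(f"gateway {gateway} is not directly reachable")
    return table + [Route(destination, netmask, gateway, on_link.interface, metric, "Static")]
```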
Figure 4.2 IP Routing Table
We’ll now turn our attention to the upkeep of these tables. You can perform the maintenance of the routing tables manually or automatically. If you do it manually, you’ll be using static routing. If you do it automatically, you’ll be using dynamic routing. Let’s take a closer look at these two concepts.
Static versus Dynamic Routing
Remember that the basic idea of routing is that each packet you find on your network has a source and a destination. That means that any device that receives the packet inspects the packet’s headers to determine where it came from and where it’s going. When the device has information about the network, such as how long it would take a packet to go from one point to another, that device can change the routing intelligently to improve the performance of the network.
Static routing uses manually configured routes. Here, there is no attempt to discover other routers or systems on a network. All entries into the routing table are entered by hand, and the routing table is used to get information to other networks. This type of routing works well with classless routing, because each route must be added with a network mask. It works well for small networks, but it doesn’t scale well. Static routes are often used to connect to the Internet. Static routing is, however, not fault tolerant. Figure 4.3 shows a simple network using static routing.
Figure 4.3 Simple Network Using Static Routing (diagram: workstations, a server and a monitor on a single network)
Dynamic routing doesn’t depend on fixed, unchangeable routes to remote networks being added to the routing tables. In other words, you don’t need to enter the routes by hand. Dynamic routing uses routing protocols to maintain the routing tables. Dynamic routing allows for the discovery of the networks surrounding the router by finding and communicating with other nearby routers in the network. Routes are discovered using routing protocol traffic and are then added or removed from IP routing tables as required. Dynamic routing can provide fault tolerance. When a route is unreachable, the route is removed from the routing table. Figure 4.4 shows a more complex network using dynamic routing.
Figure 4.4 A More Complex Network Using Dynamic Routing (diagram: several segments of workstations and servers joined through multiple routers)
In summary, static routing has two main advantages:
■ It works well with classless routing.
■ It works well with small networks.
Static routing also has two main disadvantages:
■ It doesn’t scale well.
■ It is not fault tolerant.
For more complex networks, dynamic routing offers several advantages:
■ It scales well with larger organizations.
■ It is fault tolerant.
■ It requires less administration than static routing.
Gateways
Although we’ve mentioned the term default gateway earlier in this chapter, we have not really gone into much detail about what a gateway is. Basically, a gateway is a device that connects networks using different communication protocols in a way that allows for information to pass from one network to the other. It both transfers and converts the information into a form that can be used by the protocols on the receiving network. Think of it as a TCP/IP node that has routing capabilities. In other words, a gateway is a kind of router. A router, by definition, is a device or computer that sends packets between two or more network segments as necessary, using logical network addresses, most often IP addresses. The default gateway is the path used to pass information when the device doesn’t know where the destination is. More directly, a default gateway is a router that connects your host to remote network segments. It’s the exit point for all the packets in your network that have destinations outside your network.
New & Noteworthy...
EXAM 70-291 OBJECTIVE 3.1.2
Planning a Routing Strategy for IP Multicast Traffic
Multicast traffic involves sending a message to multiple devices using a single (multicast) IP address. Multicasting is referred to as point-to-multipoint communication
because the sender only has to send the message to one address to a group of
computers that share a multicast group ID, which is an address from the Class D
range.
Planning a Windows Server 2003 routing strategy in which multicast messages are sent involves the following steps:
1. Planning for the deployment of MADCAP servers (Multicast Address
Dynamic Client Allocation Protocol). MADCAP is part of the Windows
Server 2003 DHCP service, but works independently of DHCP.
2. Planning for deployment of routers that support IP multicasting. The
routers need to be configured to use multicast routing protocols.
Windows Server 2003 does not include multicast routing protocols, but
RRAS supports multicast routing protocols such as Protocol
Independent Multicast (PIM), Multicast Extensions to OSPF (MOSPF)
and Distance Vector Multicast Routing Protocol (DVMRP).
3. Configuring the Internet Group Management Protocol (IGMP).
4. Configuring Multicast scopes on the MADCAP server, using administrative scoping for multicast addresses that are used on the internal network and global scoping for multicast addresses that are used on the
Internet.
5. Configuring client computers to be MADCAP clients.
Configuring & Implementing...
Multiple IP Addresses
Computers running Windows Server 2003 can have multiple IP addresses, even if
the computer has only one NIC. In this case, if your network is divided into multiple
logical IP network subnets, you can set up the single NIC to have multiple IP
addresses. Then the address 192.168.0.10 could be used to communicate with the
workstations and computers you have on the 192.168.0.0 subnet, and the address
192.168.1.10 could be used to communicate with the workstations and computers
you have on the 192.168.1.0 subnet.
Keep in mind that if you are using a single NIC, the IP addresses must be
assigned to either the same network segment or to segments that are part of the
same single logical network. If your network is divided into multiple physical networks, you will need to use multiple NICs, with each card assigned an IP address
from the different physical network segments.
Configuring & Implementing...
Configuring Multiple Gateways
To install multiple gateways, follow these steps:
1. Select Start | Control Panel | Network Connections, and then select
the connection you want to configure.
2. Click Properties and double-click Internet Protocol (TCP/IP) to open
the Internet Protocol (TCP/IP) Properties dialog box, shown in Figure
4.5.
3. Click the Advanced button to open the Advanced TCP/IP Settings
dialog box, shown in Figure 4.6.
4. On the IP Settings tab, you can add default gateways as you deem
necessary. Click the Add button, and then type the gateway address in
the Gateway text box, as shown in Figure 4.7.
5. The metric, as we have discussed previously, provides a relative cost of
using this gateway, or route. When multiple gateways are available for
a particular IP address, the gateway with the lowest metric will be
used. If for some reason the Windows Server 2003 computer cannot
communicate with the first gateway, it will try to use the gateway with
the next lowest metric. By default, Windows Server 2003 assigns the
metric to the gateway automatically. If you want to do so manually,
uncheck the Automatic metric check box and enter a metric in the
text box.
Figure 4.5 Internet Protocol (TCP/IP) Properties
Figure 4.6 The IP Settings Tab of the Advanced TCP/IP Settings
Figure 4.7 Enter the Gateway Address
EXAM 70-291 OBJECTIVE 3.1.1
Routing Protocols
Router discovery enables new, or rebooted, routers to configure themselves automatically.
The two major and most common dynamic-routing protocols are RIP and OSPF. Both of
these protocols are supported by the Windows Server 2003 family. Both are interior
gateway protocols (IGPs) that use routers to communicate (not to be confused with the
proprietary Cisco IGRP). But before we discuss these two protocols, we need to explore
how protocols make routing decisions.
In general, routing protocols can use one of two different approaches to making routing decisions:
■ Distance vectors A distance-vector protocol makes its decision based on a measurement of the distance between the source and the destination addresses.
■ Link states A link-state protocol bases its decisions on various states of the links that connect the source and the destination addresses.
Distance-vector algorithms, also known as Bellman-Ford algorithms, periodically pass copies of their routing tables to their immediate network neighbors. The recipient adds what is called a distance vector, which is little more than a distance value, to the routing table it has just received, and then forwards it on to its immediate neighbors. The process results in each router learning about the other routers and thereby developing a cumulative table of network distances to other routers. This table is then used to update the router’s own routing table. Keep in mind that the only thing the router learns about is distance.
The main drawback to distance-vector routing is that it requires time for the changes in a network to propagate across the network. This makes distance-vector routing inappropriate for larger, more complex networks. The advantages of distance-vector routing are its ease of configuration, use, and maintenance. As we will discuss shortly, RIP is the epitome of distance-vector routing.
Link-state routing algorithms are usually known cumulatively as shortest path first (SPF) protocols. OSPF, which will be discussed shortly, is an example of this protocol group. These protocols maintain a complex database that describes the network’s topology. Link-state protocols develop and maintain extensive information concerning the network’s routers and how they interconnect. They do this by exchanging link-state advertisements (LSAs) with each other. Any change in the network will trigger the exchange of LSAs. Each router then constructs an extensive database using these received LSAs, so it can compute different routes and determine how reachable the networked destinations really are. This information is then used to update the routing table. Component failures and growth of the network are easily documented.
The main drawbacks to using link-state protocols involve the heavy use of bandwidth, memory, and processor time. Especially during the initial discovery process, link-state protocols flood the network with messages, thereby lowering the overall network efficiency. Also, overall, link-state protocols require more memory and higher processor speeds than distance-vector protocols need for efficient operation.
The main advantage of link-state protocols comes into play with large and complicated networks. A well-designed network will be more able to withstand the effects of unexpected changes using link-state protocols. Overhead caused by the frequent, time-driven updates required for distance-vector protocols can be avoided. Networks using a link-state protocol are also more scalable. For most large networks, the advantages of using link-state protocols will outweigh the disadvantages.
RIP
RIP is simple and easy to configure and is used widely in small and medium-sized networks. RIP is an IGP used to route data within autonomous networks. RIP does have performance limitations, however, that restrict its usefulness on medium-sized to large networks. RIP is a distance-vector routing protocol. This means that it distributes routing information in the form of a network ID and the number of hops (or the distance) from the destination. RIP has a maximum distance of 15 hops. Anything over that is considered unreachable.
There are two versions of RIP: version 1 described in RFC 1058 and version 2 described in RFC 1723. Windows Server 2003 supports both RIP versions.
RIP version 1 is a class-based routing protocol. Only the network ID is announced here. The message format for RIP version 1 is shown in Figure 4.8.
Figure 4.8 RIP Version 1 Message Format
Header: Command (1 byte) | Version = 01 (1 byte) | Must be Zero (2 bytes)
Route entry: Family Identifier = 0x02 (2 bytes) | Must be Zero (2 bytes) | IP Address (4 bytes) | Must be Zero (4 bytes) | Must be Zero (4 bytes) | Metric (4 bytes)
RIP version 2 is a classless routing protocol. This version includes both a network ID and a subnet mask in its announcement. It also provides more information, allowing for both authentication and a measure of security. The message format for RIP version 2 is shown in Figure 4.9.
Figure 4.9 RIP Version 2 Message Format
Header: Command (1 byte) | Version = 02 (1 byte) | Must be zero (2 bytes)
Route entry: Family Identifier = 0x02 (2 bytes) | Route Tag (2 bytes) | IP Address (4 bytes) | Subnet Mask (4 bytes) | Next Hop (4 bytes) | Metric (4 bytes)
There are several shortcomings to RIP version 1:
■ RIP version 1 uses MAC-level broadcasting, requiring all hosts on a network to process all packets.
■ RIP version 1 doesn’t support sending a subnet address with the route announcement. This can be a problem when there is a shortage of available IP addresses.
■ Because RIP version 1 route announcements are being addressed to the IP subnet and MAC-level broadcast, non-RIP hosts may also be receiving the RIP announcements, contributing to the broadcast clutter and possibly lowering the efficiency and performance of your network.
■ By default, every 30 seconds, RIP routers broadcast lists of networks they can reach to every other adjacent router. Again, this can contribute to lower network performance.
■ RIP version 1 does not handle subnetted addresses well, since it doesn’t send the subnet address along with the broadcast.
■ RIP version 1 provides no defense from a rogue router. A rogue router is an RIP router that advertises false or erroneous route information.
■ RIP version 1 is difficult to troubleshoot. In general, most problems in RIP routing stem from incorrect configuration or from the propagation of bad routing information.
So, what does RIP version 2 do to attempt to correct the problems with RIP version 1?
■ RIP version 2 advertisements include the subnet mask with the network ID.
■ RIP version 2 sends multicast announcements to the multicast IP address 224.0.0.9 with a time to live (TTL) of 1 instead of broadcasting announcements, so it does not require IGMP.
■ RIP version 2 allows for authentication to substantiate the source of the incoming routing announcements.
■ RIP version 2 is compatible with RIP version 1.
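To make the two layouts concrete, here is an added Python example (not code from the book) that builds and parses RIP version 1 and version 2 Response messages with the field sizes of Figures 4.8 and 4.9. The receiver rejects version 1 entries whose must-be-zero fields are not zero and reports whether a version 2 message carries an authentication entry; that entry's layout (address family 0xFFFF in the first entry, then a 2-byte type and 16 bytes of data) is taken from RFC 1723, and all packet contents are constructed.

```python
"""Added example (not from the book): building and parsing RIP messages in the
two layouts shown in Figures 4.8 and 4.9. Each route entry is 20 bytes; in
version 1 three of its fields must be zero, and in version 2 those same bytes
carry the route tag, subnet mask and next hop. The version 2 authentication
entry (address family 0xFFFF as the first entry) follows RFC 1723 so a receiver
can tell whether an announcement is authenticated at all. Packets are constructed."""
import socket
import struct

HEADER = struct.Struct("!BBH")          # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")     # AFI, tag/zero, IP, mask/zero, next hop/zero, metric
AFI_IP = 2
AFI_AUTH = 0xFFFF
AUTH_SIMPLE_PASSWORD = 2
CMD_REQUEST, CMD_RESPONSE = 1, 2
INFINITY = 16                           # 15 hops is the maximum distance


def ip_bytes(dotted: str) -> bytes:
    return socket.inet_aton(dotted)


def build_response(version: int, routes, password: bytes = b"") -> bytes:
    """Build a RIP Response. routes: list of (network, mask, next_hop, metric)
    tuples; the mask and next hop are written only in version 2."""
    if version not in (1, 2):
        raise ValueError("RIP version must be 1 or 2")
    out = bytearray(HEADER.pack(CMD_RESPONSE, version, 0))
    if password:
        if version != 2:
            raise ValueError("only RIP version 2 carries authentication")
        out += struct.pack("!HH16s", AFI_AUTH, AUTH_SIMPLE_PASSWORD, password[:16])
    for network, mask, next_hop, metric in routes:
        if not 1 <= metric <= INFINITY:
            raise ValueError(f"metric {metric} out of range")
        if version == 1:
            out += ENTRY.pack(AFI_IP, 0, ip_bytes(network), b"\0" * 4, b"\0" * 4, metric)
        else:
            out += ENTRY.pack(AFI_IP, 0, ip_bytes(network), ip_bytes(mask),
                              ip_bytes(next_hop), metric)
    return bytes(out)


def parse(packet: bytes) -> dict:
    """Parse a RIP packet, rejecting fields that must be zero but are not."""
    if len(packet) < HEADER.size or (len(packet) - HEADER.size) % ENTRY.size:
        raise ValueError("malformed RIP packet length")
    command, version, mbz = HEADER.unpack_from(packet)
    if mbz != 0 or version not in (1, 2):
        raise ValueError("bad RIP header")
    result = {"command": command, "version": version, "auth": None, "routes": []}
    offset = HEADER.size
    first = True
    while offset < len(packet):
        afi, tag, ip, mask, nxt, metric = ENTRY.unpack_from(packet, offset)
        if afi == AFI_AUTH and version == 2 and first:
            # Authentication entry: 2-byte type, then 16 bytes of authentication data.
            result["auth"] = {"type": tag, "data": packet[offset + 4:offset + 20]}
        elif afi == AFI_IP:
            if version == 1:
                if tag or mask != b"\0" * 4 or nxt != b"\0" * 4:
                    raise ValueError("RIP v1 entry has non-zero must-be-zero fields")
                entry = {"network": socket.inet_ntoa(ip), "mask": None, "next_hop": None}
            else:
                entry = {"network": socket.inet_ntoa(ip), "mask": socket.inet_ntoa(mask),
                         "next_hop": socket.inet_ntoa(nxt), "tag": tag}
            entry["metric"] = metric
            entry["reachable"] = metric < INFINITY   # 16 means unreachable
            result["routes"].append(entry)
        else:
            raise ValueError(f"unsupported address family {afi:#x}")
        first = False
        offset += ENTRY.size
    return result
```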
RIP routers begin with a basically empty routing table and start sending out announcements to the networks to which they’re connected. These announcements include the appropriate routes listed for all interfaces in the router’s routing table. The router also sends out a RIP General Request message asking for information from any router receiving the message. These announcements can be broadcast or multicast. Other routers on other networks hear these announcements and add the original router and its information to their own routing tables. They then respond to the new router’s request for information. The new router hears the announcements from these other routers on the network and adds them and their information to its own routing table.
After the initial setup, the RIP router will send out information based on its routing table. The default time period is 30 seconds. Over time, the routers of the network develop a consensus of what the network looks like. The process of developing this consensual perspective of the network’s topology is known as convergence. Basically, this means that the network’s routers individually agree on what the network looks like as a group. It is this very process of convergence, however, that can sometimes lead to problems. A typical network using convergence is shown in Figure 4.10. One of the occasional problems that occurs is called counting to infinity. Let’s look at how that happens.
Figure 4.10 Typical Network Using Convergence (diagram: Router A, Router B, Router C, and Router D)
In our example, we will assume that Router A has failed. With its failure, all the hosts on the A network will no longer be accessible from the other three networks. After missing six updates from Router A, Router B will invalidate its B–A route and advertise its unavailability. Routers C and D remain ignorant of the failure of Router A until notified by Router B. At this point, both Router B and Router D still think they can get to Router A through Router C, and they raise the metric of this route accordingly. So, Routers B and D send their next updates to Router C. Router C, having timed out its route to Router A, still thinks it has access through Router B or Router D. Thus, a loop is formed between Routers B, C, and D, based on the mistaken belief that both Routers B and C can still access Router A. With each iteration of updates, the metrics are incremented an extra hop for each route. This count speeds up the process by which the router approaches its definition of infinity—the point where the router says the destination is unreachable.
There are two methods of preventing this counting to infinity loop: split horizon and
triggered updates. If the router is implementing split horizon, routes will not be announced
back over the interfaces by which they were learned. The limitation of the split-horizon
approach is that a route will not time out until it has been unreachable for six tries, so each
router has five opportunities to transmit incorrect information to the neighboring routers. If
the router is implementing split horizon with poison reverse, routes learned on interfaces are
announced back as unreachable. Split horizon with poison reverse is much more dependable
than simple split horizon. However, although split horizon with poison reverse will stop loops
in small networks, loops are still possible on larger, multipath networks.
Fault tolerance in RIP networks is based on the timeout of RIP-learned routes. When
changes happen in the network, RIP routers send out triggered updates, rather than waiting
for a scheduled time for routing announcements. These triggered updates contain the
routing update and are sent immediately. Triggered updates are nothing more than a
method of speeding up split horizon with poison reverse. However, triggered updates are
not foolproof. While the triggered updates are being propagated around the network,
routers that have not received the triggered update are still sending out the incorrect information. It’s possible that a router could receive the triggered update and then receive an
update from another router reintroducing the incorrect information, so the count-to-infinity problem, though not as likely, is still possible.
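As an added illustration (not code from the book), the following Python simulation replays the count-to-infinity scenario on a constructed chain A - B - C - D after Router A fails, running plain RIP updates, split horizon, and split horizon with poison reverse side by side. The routing tables, the synchronous 30-second rounds and the six-round timeout are assumptions made for the demonstration.

```python
"""Synchronous RIP-style distance-vector simulation of count to infinity.

Constructed scenario (not from the book): routers B, C and D form a chain
A - B - C - D. Router A has just failed, so B has already invalidated its
direct route to A; C and D still believe A is reachable through B.
"""

INFINITY = 16        # RIP's definition of "unreachable" (15 hops is the maximum)
TIMEOUT_ROUNDS = 6   # per the text: a route is invalidated after six missed updates

NEIGHBORS = {"B": ["C"], "C": ["B", "D"], "D": ["C"]}


def initial_table():
    # router -> [metric to network A, next hop, rounds since the next hop last refreshed it]
    return {"B": [INFINITY, None, 0], "C": [2, "B", 0], "D": [3, "C", 0]}


def advertisement(table, sender, receiver, mode):
    """Metric that `sender` announces for A to `receiver`, or None if it stays silent."""
    metric, next_hop, _ = table[sender]
    if next_hop == receiver:
        if mode == "split-horizon":
            return None        # never announce a route back over the interface it was learned on
        if mode == "poison-reverse":
            return INFINITY    # announce it back, but as unreachable
    return metric


def run_round(table, mode):
    """One update round: every router processes what its neighbours advertised.

    Returns True if any table entry changed."""
    received = {router: {} for router in table}
    for sender, peers in NEIGHBORS.items():
        for receiver in peers:
            adv = advertisement(table, sender, receiver, mode)
            if adv is not None:
                received[receiver][sender] = min(adv + 1, INFINITY)  # one extra hop

    changed = False
    new_table = {}
    for router, (metric, next_hop, age) in table.items():
        offers = received[router]
        if next_hop is not None:
            if next_hop in offers:
                metric, age = offers[next_hop], 0  # trust the next hop even if the route got worse
            else:
                age += 1                           # the next hop went quiet this round
                if age >= TIMEOUT_ROUNDS:
                    metric = INFINITY
        for sender in sorted(offers):             # any neighbour offering a better route wins
            if offers[sender] < metric:
                metric, next_hop, age = offers[sender], sender, 0
        if metric >= INFINITY:
            next_hop, age = None, 0
        new_table[router] = [metric, next_hop, age]
        changed = changed or new_table[router] != table[router]
    table.update(new_table)
    return changed


def simulate(mode, max_rounds=50):
    """Run rounds until the tables stop changing.

    Returns (number of rounds in which something changed, final metric per router)."""
    table = initial_table()
    rounds = 0
    while rounds < max_rounds and run_round(table, mode):
        rounds += 1
    return rounds, {router: entry[0] for router, entry in table.items()}


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        rounds, metrics = simulate(mode)
        print(f"{mode:15s} converged after {rounds:2d} rounds, metrics to A: {metrics}")
```

With plain updates the metric climbs one hop per round until it reaches 16, while either split-horizon variant settles in two rounds on this chain.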
OSPF
Because OSPF is designed to work inside the network area, it belongs to a group of protocols called IGRPs. OSPF is defined in RFC 2328, and its purpose is to overcome the shortcomings of both versions of RIP when they are used for large organizations. OSPF is
designed for use on large or very large networks. OSPF is much more efficient than RIP,
but it also requires much more knowledge and experience to set up and administer.
There are many reasons why OSPF is a better choice for large networks than either
version of RIP, including the following:
■ Faster detection of changes in the network topology. This means less chance of
encountering the count-to-infinity problem.
■ OSPF routes are loop-free.
■ In OSPF, large networks can be broken down into smaller contiguous groups of
networks, called areas. (RIP does not allow for the subdivision of a network into
smaller components.) Routing table entries can then be minimized by using the
technique called summarizing. Summarizing allows for the creation of default
routes for routes outside the area.
■ The subnet mask is advertised with OSPF. This provides support for disjointed
subnets and supernetting.
■ Route exchanges between OSPF routers can be authenticated.
■ Because external routes can be advertised internally, OSPF routers can calculate
least-cost routes to external destinations.
The packet header structure for OSPF is shown in Figure 4.11.
Figure 4.11 The OSPF Packet Header Structure
Field                  Size
Version Number         1 byte
Type                   1 byte
Packet Length          2 bytes
Router ID              4 bytes
Area ID                4 bytes
Checksum               2 bytes
Authentication Type    2 bytes
Authentication         8 bytes
There are five basic messages that are attached to this header structure:
■ Hello packet Used to discover and maintain information about neighboring
routers.
■ Database Description packet Used to summarize database contents.
■ Link-State Request packet Used to initialize the database download from
another router.
■ Link-State Update packet Used to update other routers with the information
contained in the local router’s database.
■ Link-State Acknowledgment packet Used to acknowledge flooding of information from other routers.
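The following Python parser, added here and not taken from the book, decodes the 24-byte header of Figure 4.11, maps the type field to the five message names above, and verifies the checksum the way RFC 2328 specifies it (covering everything except the 8-byte authentication field). The sample Hello packet, its router ID and the password value are constructed for the demonstration.

```python
"""Parser for the 24-byte OSPFv2 packet header laid out in Figure 4.11.

Added example, not code from the book. The sample Hello packet built below is
constructed for the demonstration; router and area IDs are made up."""
import ipaddress
import struct

# Version, Type, Packet Length, Router ID, Area ID, Checksum, AuType, Authentication
HEADER = struct.Struct(">BBHIIHH8s")   # 1+1+2+4+4+2+2+8 = 24 bytes, as in Figure 4.11
CHECKSUMMED_HEADER_BYTES = 16          # everything before the 8-byte Authentication field

PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link-State Request",
                4: "Link-State Update", 5: "Link-State Acknowledgment"}
AUTH_TYPES = {0: "Null", 1: "Simple password", 2: "Cryptographic"}


def ip_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(ptype, router_id, area_id, body, auth_type=0, auth=b"\x00" * 8):
    """Assemble header + body and fill in the checksum (RFC 2328: the checksum
    covers the whole packet except the 64-bit authentication field)."""
    length = HEADER.size + len(body)
    rid, aid = int(ipaddress.IPv4Address(router_id)), int(ipaddress.IPv4Address(area_id))
    draft = HEADER.pack(2, ptype, length, rid, aid, 0, auth_type, auth)
    csum = ip_checksum(draft[:CHECKSUMMED_HEADER_BYTES] + body)
    return HEADER.pack(2, ptype, length, rid, aid, csum, auth_type, auth) + body


def parse_header(packet: bytes) -> dict:
    """Decode and sanity-check a header; raises ValueError on malformed input."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the OSPF header")
    version, ptype, length, rid, aid, csum, auth_type, auth = HEADER.unpack_from(packet)
    if version != 2:
        raise ValueError(f"unsupported OSPF version {version}")
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    if length < HEADER.size or length > len(packet):
        raise ValueError("packet length field does not fit the data received")
    covered = packet[:CHECKSUMMED_HEADER_BYTES] + packet[HEADER.size:length]
    # A valid checksum makes the one's-complement sum of the covered bytes come out to zero.
    # With cryptographic authentication the checksum field is not used, so it is not checked.
    checksum_ok = None if auth_type == 2 else ip_checksum(covered) == 0
    return {
        "type": PACKET_TYPES[ptype],
        "length": length,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        "auth_type": AUTH_TYPES.get(auth_type, f"unknown ({auth_type})"),
        "authentication": auth,
        "checksum_ok": checksum_ok,
        "body": packet[HEADER.size:length],
    }


# Constructed Hello body: network mask, HelloInterval, Options, Router Priority,
# RouterDeadInterval, Designated Router, Backup Designated Router (no neighbors yet).
HELLO_BODY = struct.pack(">IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)
SAMPLE_HELLO = build_packet(1, "10.0.0.1", "0.0.0.0", HELLO_BODY)
SAMPLE_HELLO_PASSWORD = build_packet(1, "10.0.0.1", "0.0.0.0", HELLO_BODY,
                                     auth_type=1, auth=b"s3cret\x00\x00")

if __name__ == "__main__":
    print(parse_header(SAMPLE_HELLO))
    print(parse_header(SAMPLE_HELLO_PASSWORD)["auth_type"])
```

Because the authentication field sits outside the checksum, a simple-password packet still checksums correctly; a single flipped byte in the body does not.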
OSPF is a link-state routing protocol that uses LSAs to send information to other
routers in the same area, known as adjacencies. Included in the LSA is information about
interfaces, gateways, and metrics. OSPF routers collect this information into a link-state
database (LSDB) that is shared and synchronized among the various routers. Using this
database, the various routers are able to calculate the shortest path to other routers using the
SPF algorithm. The cost of each router interface is assigned by the network administrator.
This number can include the delay, the bandwidth, and any monetary cost factors. The
accumulated cost of any OSPF network can never be more than 65,535. So, the way OSPF
works can be divided into three main phases:
■ The LSDB is put together from neighboring routers.
■ The shortest path to each node is then calculated.
■ The router creates the routing table entries containing the information about the
routes.
When the router initializes, it sends out an LSA that contains only its own configuration.
Each router has its own unique ID that it sends out with the LSA. This ID is not, however, the
destination address of that router. Usually, it is the highest IP address assigned to that router,
thereby ensuring that each router ID is unique. Over time, the router receives LSAs from other
routers. The original router includes these routes in its own LSA and eventually will again send
out its LSA, now containing the information it received. This process is called flooding. Every
router in the area will soon have the information from all other routers in the area.
After the LSDB is compiled, the router determines the lowest cost path to each destination using the Dijkstra algorithm. Now, every other router and network reachable from
that router will have a shortest, least-cost path calculated. The resulting data structure is
called the SPF tree. The SPF tree is different for each router in the network, because the
routes are calculated based on each router as the root of the tree. After the SPF tree is calculated, the routing table is created from the information it contains. An entry will be created for each network in the area of the router. The routing table will contain the network
ID, the subnet mask, the IP address of the appropriate router for traffic to be directed to for
that network, the interface over which the router is reachable, and the OSPF-calculated
cost to that network. This cost is the metric unit, not the hop count as it would be in a
RIP-routed network.
NOTE
The Dijkstra algorithm is part of a branch of mathematics called graph theory. This
algorithm was developed to ascertain the least-cost path between a single vertex
and the other vertices in a graph. If you’re interested in the computations that go
into working with Dijkstra’s algorithm, you can find more information at
www-b2.is.tokushima-u.ac.jp/~ikeda/suuri/dijkstra/Dijkstra.shtml and
http://ciips.ee.uwa.edu.au/~morris/Year2/PLDS210/dijkstra.html.
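As an added example (not code from the book), the Python below carries the three phases just described through a constructed four-router LSDB: Dijkstra builds the SPF tree with a given router as root, and the tree is then turned into routing-table entries of next hop, interface and cost. The router names, interface names, networks and costs are all assumptions for the demonstration.

```python
"""SPF tree and routing-table construction from a link-state database, as an
added illustration of the three OSPF phases (not code from the book).

The LSDB below is constructed: four routers R1..R4, each LSA listing its
router links as (neighbor, interface, cost) and its attached networks as
(network ID, interface, cost). Costs are administrator-assigned, not hop counts."""
import heapq

MAX_COST = 65535   # per the text, an OSPF path cost can never exceed this

LSDB = {
    "R1": {"links": [("R2", "eth0", 10), ("R3", "eth1", 5)], "stubs": [("10.1.0.0/24", "eth2", 1)]},
    "R2": {"links": [("R1", "eth0", 10), ("R4", "eth1", 1)], "stubs": [("10.2.0.0/24", "eth2", 1)]},
    "R3": {"links": [("R1", "eth0", 5), ("R4", "eth1", 3)], "stubs": [("10.3.0.0/24", "eth2", 1)]},
    "R4": {"links": [("R2", "eth0", 1), ("R3", "eth1", 3)], "stubs": [("10.4.0.0/24", "eth2", 1)]},
}


def spf_tree(root, lsdb=LSDB):
    """Phase two: Dijkstra's algorithm with `root` as the tree root.

    Returns {router: (total cost from root, parent in the SPF tree)}."""
    best = {root: (0, None)}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node][0]:
            continue                       # stale heap entry; a cheaper path was found already
        for neighbor, _iface, link_cost in lsdb[node]["links"]:
            new_cost = cost + link_cost
            if neighbor not in best or new_cost < best[neighbor][0]:
                best[neighbor] = (new_cost, node)
                heapq.heappush(heap, (new_cost, neighbor))
    return best


def routing_table(root, lsdb=LSDB):
    """Phase three: turn the SPF tree into routing-table entries.

    Returns {network ID: (next-hop router or "direct", outgoing interface, cost)}."""
    tree = spf_tree(root, lsdb)
    outgoing = {neighbor: iface for neighbor, iface, _ in lsdb[root]["links"]}

    def first_hop(router):
        # Walk back up the tree until the parent is the root itself.
        while tree[router][1] != root:
            router = tree[router][1]
        return router

    table = {}
    for router, (cost, _parent) in tree.items():
        for network, iface, stub_cost in lsdb[router]["stubs"]:
            total = cost + stub_cost
            if total > MAX_COST:
                continue                   # unreachable by OSPF's definition
            if router == root:
                table[network] = ("direct", iface, total)
            else:
                hop = first_hop(router)
                table[network] = (hop, outgoing[hop], total)
    return table


if __name__ == "__main__":
    for root in ("R1", "R2"):
        print(root, "SPF tree:", spf_tree(root))
        for network, entry in sorted(routing_table(root).items()):
            print("  ", network, "->", entry)
```

Note that R1 reaches R2 through R3 and R4 at cost 9 rather than over its direct cost-10 link, and that the tree rooted at R2 chooses different parents: the SPF tree is specific to each root.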
OSPF router interfaces must be configured for an appropriate network type because
the OSPF message address will be set for the network type specified. There are three network types supported by OSPF:
■ Broadcast This type of network is connected by two or more routers and
broadcast traffic is passed between them. Examples of broadcast networks include
Ethernet and FDDI.
■ Non-broadcast multiple access (NBMA) Broadcast traffic doesn’t pass on
this network, even though it is connected by two or more routers. OSPF must be
configured to use IP unicasting instead of multicasting. Examples of this type of
network include Asynchronous Transfer Mode (ATM) and Frame Relay.
■ Point-to-Point Only two routers can be connected using this type of network.
Examples of Point-to-Point networks include WAN links like Digital Subscriber
Line (DSL) or Integrated Services Digital Network (ISDN).
Your network is divided into areas by placing routers in specific locations to join or
divide the network in the manner you want. What the router does and what designation it
is given are determined by its location and role in the network area. The roles that an
OSPF router might fill include the following:
■ Internal router All interfaces of the router are connected to the same area, as
illustrated in Figure 4.12. An internal router will have only one LSDB because it
is connected to only one area.
Figure 4.12 An Internal Router (one internal router serving three workstations)
■ Area border router (ABR) When a router’s interfaces are connected to different areas, that router is an ABR. An ABR has one LSDB for each area it’s connected to, as illustrated in Figure 4.13.
Figure 4.13 An Area Border Router (two area border routers with workstations in each area)
■ Backbone router If one of a router’s interfaces is on the backbone area, that
router is considered a backbone router. This applies to both ABRs and internal
routers.
■ Autonomous system boundary router (ASBR) If a router exchanges routes
with sources outside the network area, it is known as an ASBR. These special
routers announce external routes throughout the area network.
Using netsh Commands
Administering your routing server through the Routing and Remote Access console is easy,
but in order to pass the exam, as well as get by in the real world, you need to know how to
use the command-line utility netsh, introduced in Chapter 3. You might wonder why
anyone would want to use the command line when a perfectly acceptable and easy-to-use
console is available. There are two main reasons:
■ You can administer a routing server much more quickly from the command line.
This might be especially important over slow network links.
■ You can administer multiple routing servers more efficiently and consistently by
creating scripts using these commands, which can then be run on many servers.
The Netsh utility is available in the Windows 2000 Resource Kit and is a standard
command in Windows XP and Windows Server 2003. This utility displays and allows you
to manage the configuration of your network, including both local and remote computers.
It is designed to simplify the process of creating command-line scripts such as batch files.
The utility itself is little more than a command interpreter that connects and interfaces with
a number of services and protocols through the aid of a number of dynamic link libraries
(DLLs). Each of these DLLs provides the utility with an extensive set of commands that
applies specifically to that DLL’s service or protocol. These DLLs are referred to as helper
files, and sometimes helper files are used to extend other helper files.
You can use the Netsh utility to perform the following tasks:
■ Configure interfaces
■ Configure routing protocols
■ Configure filters
■ Configure routes
■ Configure remote access behavior for Windows 2000 and Windows Server 2003-based remote access routers that are running RRAS
■ Display the configuration of a currently running router on any computer
■ Use the scripting feature to run a collection of commands in batch mode against
a specific router
The syntax for the Netsh utility is as follows:
netsh [-r router name] [-a AliasFile] [-c Context] [Command | -f ScriptFile]
Context strings are appended to a command and passed to the associated helper file.
The helper file can have one or more entry points that are mapped to contexts. The context can be any of the following: DHCP, ip, ipx, netbeui, ras, routing, autodhcp,
dnsproxy, igmp, mib, nat, ospf, relay, rip, and wins. Under Windows XP, the available
contexts include AAAA, DHCP, DIAG, IP, RAS, ROUTING, and WINS. Appending a
specific context to the input string makes a whole different set of commands available that
are specific to that context.
The easiest way to learn how the Netsh utility works is by viewing its help information. Open a command prompt window on your Windows Server 2003 computer and
enter the netsh command at the prompt. The command prompt changes to the netsh
prompt. Enter a ? to display a list of available commands, as shown in Figure 4.14. To see
the subcontexts and commands that are available to use with the routing context, type
routing ? at the netsh prompt (or simply type netsh routing ? at the command prompt),
and then press Enter. You can get command-line help for each command by typing netsh,
followed by the command, followed by ?.
Figure 4.14 Type ? at the netsh Command Prompt to View Available Commands
Rather than entering commands through the netsh utility as shown in Figure 4.14, it is
more efficient to use the DLLs without needing to load the Netsh shell. This reduces the
amount of coding time required, and you can use multiple DLLs within a single script. To
use Netsh commands this way, follow the netsh command with the name of the DLL and
the command string. For example, to use the show helper command to see a complete list
of the available DLLs, type netsh show helper, as shown in Figure 4.15.
Figure 4.15 Type netsh show helper at the Command Prompt to View Available DLLs
As you can see in Figure 4.15, when the script is processed, you see the results of the
script and then are returned to the command prompt, from which you can execute your
next script.
Configuring & Implementing...
Using Netsh with Nested Contexts
There are times when using Netsh with simple commands is not sufficient for the
tasks you want to accomplish. Sometimes, you will need to create scripts with
nested contexts. Let’s take a look at an example that adds an interface to the network.
The syntax of the command is as follows:
add interface [InterfaceName=]InterfaceName
[[IgmpPrototype=]{igmprtrv1 | igmprtrv2 | igmprtrv3 | igmpproxy}]
[[IfEnabled=]{enable | disable}] [[RobustVar=]Integer]
[[GenQueryInterval=]Integer] [[GenQueryRespTime=]Integer]
[[StartUpQueryCount=]Integer] [[StartUpQueryInterval=]Integer]
[[LastMemQueryCount=]Integer] [[LastMemQueryInterval=]Integer]
[[AccNonRtrAlertPkts=]{yes | no}]
For our example, we’ll use this command to configure IGMP on a specified
device. We type in the following command:
netsh routing ip igmp add interface "Local Area Connection" startupqueryinterval=21
This command changes the default IGMP startup query interval of the interface named
Local Area Connection to 21 seconds.
EXAM 70-293 OBJECTIVE 3.1
Evaluating Routing Options
In order to make good decisions about routing in your network, you need to evaluate
potential network traffic, as well as the number and types of hardware devices and applications used in your environment. For the most part, the heavier the routing demand, the
higher the need for dedicated hardware routers. Lighter routing demands can be met by less expensive software routers. Your routing decisions should be based on your
knowledge and understanding of both options.
Selecting Connectivity Devices
For small, segmented networks with relatively light traffic between subnets, a software-based
routing solution such as the Windows Server 2003 RRAS might be ideal. On the other
hand, a large number of network segments with a wide range of performance requirements
would probably necessitate some kind of hardware-based routing solution. Evaluating your
routing options includes selecting the proper connectivity devices: hubs, bridges, switches,
or routers. You also should understand where these devices fit in the OSI reference model.
Head of the Class...
A Review of the OSI Model
The Open System Interconnection (OSI) reference model is an International
Organization for Standardization (ISO) standard for worldwide communications. OSI
defines a network framework for implementing an agreed-upon format for communicating between vendors. The model identifies and defines all the functionality
required to establish, use, define, and dismantle a communication session between
two network devices, no matter what the device is or who manufactured it.
All communication processes are defined in seven distinct layers with specific
functionality. Microsoft and other proprietary systems may combine multiple-layer
functionality into one layer in their particular version, but most, if not all, of the
functionality of the original OSI model layers is incorporated. It is for this reason
that most discussions of computer-to-computer communication begin with a discussion of this model. Table 4.1 shows the layers in the OSI reference model.
Table 4.1 The OSI Reference Model Layers
Layer   Description
7       Application
6       Presentation
5       Session
4       Transport
3       Network
2       Data Link
1       Physical
Layer 1 of the OSI reference model is often referred to as the bottom layer.
This is the Physical layer, which is actually responsible for the transmission of the
data. As a result, the Physical layer operates with only ones and zeros. It receives
incoming streams of data, one bit at a time, and passes them up to the Data Link
layer. Examples of transmission media associated with Layer 1 include coaxial
cabling, twisted-pair wiring, and fiber-optic cabling.
Layer 2 is the Data Link layer, which is responsible for providing end-to-end
validity of the data being transmitted. This layer deals with frames. The frame contains the data and local destination instructions. This means that the Physical and
Data Link layers provide all the information required for communication on the
local LAN. Figure 4.16 illustrates a Data Link layer domain.
At Layer 3, the Network layer, internetworking is enabled and the route to be
used between the source and the destination is determined. There is, however, no
native transmission error detection/correction method. Some manufacturers’ Data
Link layer technologies support reliable delivery, but the OSI reference model does
not make this assumption. For this reason, Layer 3 protocols such as IP assume that
Layer 4 protocols such as TCP will provide this functionality. Figure 4.17 illustrates
a network similar to the one shown in Figure 4.16, but with a second, identical network connected via a router. The router effectively isolates the two Data Link layer
domains. The only way the two domains can communicate is via the use of
Network layer addressing.
The Network layer implements a protocol that can transport data across the
LAN segments or even across the Internet. These protocols are known as routable
protocols because their data can be forwarded by routers beyond the local network. These protocols include IP, Novell’s Internetwork Packet Exchange (IPX), and
AppleTalk. Each of these protocols has its own Layer 3 addressing architecture. IP
has emerged as the dominant routable protocol. Unlike the first two layers, which
are required for all applications, the use of the Network layer is required only if the
two communicating systems reside on different networks or if the two communicating applications require its service.
As with the Data Link layer, the fourth layer, the Transport layer, is responsible
for the end-to-end integrity of data transmissions. The main difference is that the
Transport layer can provide this function beyond the local LAN. The layer detects if
packets are damaged or lost in transmission and automatically requests the data to
be retransmitted. This layer is also responsible for resequencing any data packets
that arrived out of order.
Layer 5 of the OSI model is the Session layer. Many protocols handle the functionality of this layer in the same layer they handle the functionality of the Transport
layer. Examples of Session layer services include Remote Procedure Calls (RPCs) and
quality of service (QoS) protocols such as RSVP, the bandwidth reservation protocol.
Layer 6, the Presentation layer, is responsible for how the data is encoded. Not
every computer uses the same data-encoding scheme. This layer is responsible for
translating data between otherwise incompatible encoding schemes. This layer can
also be used to provide encryption and decryption services.
Layer 7 is the Application layer. This layer provides the interface between user
applications and network services.
Figure 4.16 The Physical and Data Link Layers (one Ethernet segment with four workstations and a server)
Figure 4.17 This Network Requires Network Layer Addressing (two Ethernet segments, each with a server and three workstations, joined by a router)
Hubs
Hubs, sometimes referred to as repeaters, are devices used to connect communication lines in
a central location and help provide common connections to all other devices on the network. A hub usually has one input and several outputs. These outputs are known as ports,
but don’t confuse them with TCP/IP ports (as in port 80, the one used for HTTP traffic).
These ports are just connections and nothing more. They generally accept RJ-45 connectors. Think of a hub as like the center of an old wagon wheel with all the spokes radiating
out to the other part of the wheel.
A hub simply takes the data that comes into its ports and sends it out on the other
ports of the hub. For this reason, it is sometimes referred to as a repeater. It doesn’t provide
or perform any filtering or redirection of the data from the various sources plugged into it.
Hubs are commonly used to connect various network segments of a LAN.
Hubs generally come in three flavors:
■ Passive Serves simply as a pipeline allowing data to move from one device, or
network segment, to another.
■ Intelligent Sometimes referred to as an active, managed, or manageable hub, it
includes additional features that allow you to monitor the traffic passing through
the hub and configure each port for specific purposes.
■ Switching Reads the destination address of each packet and forwards that
packet to the correct port. Most hubs of this variety also support load balancing.
Bridges
There are several definitions for a bridge, each carrying a specific meaning when used in a
particular context. In one context, a bridge can be thought of as a gateway, connecting one
network to another using the same communication protocols and allowing the information
to be passed from one to the other. In another context, a bridge can be used to connect
two networks with dissimilar communication protocols at the Data Link layer (Layer 2), in
much the same manner as a router itself. There is also a bridge called a bridge router, which
supports the functions of both the bridge and the router using Layer 2 addresses for
routing.
Here, we’ll look at the traditional bridge and the context that is most often associated
with this device. Bridges work at both the Physical (Layer 1) and Data Link (Layer 2) layers
of the OSI reference model. That means that a bridge knows nothing about protocols but
forwards data depending on the destination address found in the data packet. This destination address is not an IP address, but rather a Media Access Control (MAC) address that is
unique to each network adapter card. For this reason, bridges are often referred to as MAC
bridges.
Basically, all bridges work by building and maintaining an address table. This table
includes information such as an up-to-date listing of every MAC address on the LAN, as
well as the physical bridge port connected to the segment on which that address is located.
There are three basic types of bridges:
■ Transparent bridge Links together segments of the same type of LAN. A transparent bridge effectively isolates the traffic from one LAN segment from the
traffic of another LAN segment, as shown in Figure 4.18.
Figure 4.18 Transparent Bridge (two MAC broadcast domains, each built around a hub with workstations, a server and a printer, joined by a bridge)
■ Translating (or translational) bridge Like a transparent bridge, links together
segments of the same type of LAN, but also can provide conversion processes
needed between different LAN architectures. This allows you to connect a Token
Ring LAN to an Ethernet LAN, as shown in Figure 4.19.
Figure 4.19 Translating Bridge (a Token-ring segment with workstations and an IBM-compatible laptop bridged to an Ethernet segment with a server, workstations and a printer)
■ Speed-buffering bridge Used to connect LANs that have similar architectures
but different transmission rates. Figure 4.20 shows how you might use a speed-buffering bridge to connect a 10-Mbps Ethernet network to a 100-Mbps
Ethernet network.
Figure 4.20 Speed-buffering Bridge (a 10 Mbps Ethernet segment and a 100 Mbps Ethernet segment, each with workstations and a server, joined by a bridge)
Bridges are self-learning, so the administrative overhead is small. The functionality of
bridges has been built into routers, hubs, and switches.
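To show how the self-learning address table isolates segment traffic (the transparent bridge of Figure 4.18), here is an added Python simulation of a learning bridge; it is not the book’s code, and the MAC addresses, port names and frame sequence are constructed for the demonstration.

```python
"""Learning (transparent) bridge simulation, added to illustrate the address
table described above; not code from the book. The MAC addresses, port names
and frame sequence are constructed for the demonstration."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class TransparentBridge:
    """MAC bridge that learns which port each source address was seen on."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}   # MAC address -> bridge port on which that address was last seen

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the list of ports it is forwarded out of."""
        self.table[src_mac] = in_port              # learn: the sender lives on in_port
        if dst_mac == BROADCAST or dst_mac not in self.table:
            return [p for p in self.ports if p != in_port]   # flood to all other segments
        out_port = self.table[dst_mac]
        if out_port == in_port:
            return []                              # filter: both hosts share a segment
        return [out_port]                          # forward to the one segment that needs it


def replay(frames, ports=("port1", "port2")):
    """Run a sequence of (in_port, src, dst) frames through a fresh bridge.

    Returns the list of forwarding decisions, one per frame."""
    bridge = TransparentBridge(ports)
    return [bridge.receive(*frame) for frame in frames]


# Constructed traffic on a two-segment LAN like Figure 4.18:
# workstation A and server S sit on port1, workstation C on port2.
SAMPLE_FRAMES = [
    ("port1", "00:aa:00:00:00:01", BROADCAST),            # A broadcasts (e.g. ARP): flooded
    ("port2", "00:cc:00:00:00:03", "00:aa:00:00:00:01"),  # C answers A: A is known on port1
    ("port1", "00:aa:00:00:00:01", "00:55:00:00:00:02"),  # A -> S, S unknown yet: flooded
    ("port1", "00:55:00:00:00:02", "00:aa:00:00:00:01"),  # S -> A, same segment: filtered
    ("port1", "00:aa:00:00:00:01", "00:55:00:00:00:02"),  # A -> S again: now filtered
]

if __name__ == "__main__":
    for frame, decision in zip(SAMPLE_FRAMES, replay(SAMPLE_FRAMES)):
        print(frame, "->", decision or "not forwarded")
```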
Switches
Switches are like bridges, except that they have multiple ports with the same type of connection (bridges generally have only two ports) and have been described as nothing more
than fast bridges. Switches are used on heavily loaded networks to isolate data flow and
improve the network performance. In most cases, users get little, if any, advantage from
using a switch rather than a hub.
That’s not to oversimplify and suggest that a switch doesn’t have many benefits.
Switches can be used to connect both hubs and individual devices. These approaches are
known as segment switching and port switching, respectively.
Segment switching implies that each port on the switch functions as its own segment.
This process tends to increase the available bandwidth, while decreasing the number of
devices sharing each segment’s bandwidth, but at the same time maintaining the Layer 2
connectivity. Each shared hub and the devices that are connected to it make up their own
media access domain, while all devices in both domains remain part of the same MAC
broadcast domain. Figure 4.21 illustrates how a segment-switched LAN can be divided to
improve performance.
Figure 4.21 Segment Switching (two shared hubs, each forming its own media access domain with workstations and a server, connected to a switching hub inside one MAC broadcast domain)
Port switching implies that each port on the switching hub is directly connected to an
individual device. This makes the port and the device their own self-contained media access
domain. All of the devices in the network still remain part of the same MAC broadcast
domain. Figure 4.22 illustrates how the media access and MAC broadcast domains are configured in a port-switched LAN.
Figure 4.22 A Port-switched LAN (a switching hub with a server and workstations on individual ports, each its own media access domain, all within one MAC broadcast domain)
Layer 2 Switches
Layer 2 switches, operating at the Data Link layer, can be programmed to respond automatically to a wide range of circuit conditions. By monitoring control and data events, these
switches automatically reroute circuits or switch to backup equipment, as the need requires.
These switches operate using physical network, or MAC, addresses. These switches will be
fast but not terribly smart. They only look at the data packet to find out where it’s headed.
Layer 3 Switches
Layer 3 switches, operating at the Network layer, are designed for disaster recovery service
(or, more importantly, for disaster avoidance). These network backup units are usually
designed specifically to provide high levels of automation, intelligence, and security. Layer 3
switches use routing protocols such as RIP or OSPF to calculate routes and build their own
routing tables.
Layer 3 switches use network or IP addresses to identify locations on the network,
identifying the network location as well as the physical device. These switches are smarter
than Layer 2 switches. They incorporate routing functions to actively calculate the best way
to get a packet to its destination. Unless their algorithms and processor support high speeds,
though, these switches are slower.
Layer 4 Switches
Layer 4 switches, operating at the Transport layer, allow network managers to choose the
best method of communicating for each switching application. Because Layer 4 coordinates
communication between systems, these switches are able to identify which application protocols (HTTP, SMTP, FTP, and so forth) are included in the packets, and they use this
information to hand off the packet to the appropriate higher layer software. This means that
Layer 4 switches make their packet-forwarding decisions based not just on the MAC and IP
addresses, but also on the application to which the packet belongs.
Because these devices allow you to set up priorities for your network traffic based on
applications, you can assign a high priority for your vital in-house applications and use different forwarding rules for low-priority packets, such as generic HTTP-based traffic. Layer
4 switches can also provide security, because company protocols can be confined to only
authorized switched ports or users. This feature can be reinforced using traffic filtering and
forwarding features.
All these devices can be used to segment your network, but segmentation does not
create separate LANs. LANs exist at only the first two layers of the OSI reference model.
There’s another way to segment your network into separate LANs: use a router.
Routers
Routers are Layer 3 devices that forward data depending on the network address, not the
MAC address. Since we are dealing with TCP/IP here, this means they use the IP address.
Routers read the header information from each packet and determine the most efficient
route by which to send that packet on its way.Think of the router as providing the link
between the various networks that make up the Internet, or any other network that consists
of multiple subnets. Routers isolate each LAN into separate subnets.
Like bridges, routers control bandwidth by keeping data out of subnets where it doesn’t
belong. Routers, however, need to be set up before they can be used. Once they are set up,
they can communicate with other routers and learn the topology of the network.
Windows Server 2003 As a Router
So, can Windows Server 2003 be used to provide routing services within your network?
The answer is yes. Any computer running a member of the Windows Server 2003 family
can act as a dynamic router supporting RIP, OSPF, or both. To have Windows Server 2003
provide routing services, you install multiple network interface adapters, and then enable
and configure RRAS. Each network interface adapter is assigned its own IP address and
subnet mask to define the directly attached network ID routes. Because you will probably
use dynamic routing, default routes won’t be used, so you do not need to configure a
default gateway for either network adapter.
Static IP routing will be enabled by default when the RRAS is enabled. Your next step
should be to use the Routing and Remote Access administration tool to install RIP for IP
or OSPF routing protocols. Next, enable the protocols on your installed network adapters
by adding them to the appropriate routing protocol.
But we’re getting ahead of ourselves. Let’s start by building a checklist to follow when
setting up Windows Server 2003 as a router:
■ Install and configure any necessary network adapters.
■ Install RRAS.
■ Configure RIP or OSPF.
■ Configure the remote access devices.
■ Install and configure the DHCP Relay Agent.
■ Install a WINS or DNS name server.
Because you’re setting up this Windows Server 2003 machine as a router, you’ll need to
install two network adapters in it. You’ll also need to make sure that the necessary drivers
are installed, that the TCP/IP protocol is installed, and that IP addresses have been configured on both of the network adapters. Table 4.2 shows how you might set up the IP
addresses for this router.
Table 4.2 Typical Network Adapter Setup
Network Card    Connected to    IP Address
1               Backbone        192.168.0.1
2               Subnet          192.168.1.1
Your next step will be to enable RRAS on your Windows Server 2003 machine. The
following exercise will walk you through this process.
EXERCISE 4.01
CONFIGURING WINDOWS SERVER 2003 AS A STATIC ROUTER
Configuring a Windows Server 2003 as a static router is simple. To follow these
steps, you’ll need to be a member of the Administrators group. For security,
you may want to consider using the Run As command rather than logging in
with Administrator credentials.
1. If this server is a member of an Active Directory (AD) domain and
you’re not a domain administrator, you’ll need to get your domain
administrator to add the computer account of this server to the RAS
and IAS Servers security group in the domain that this server is a
member of. There are two ways this can be accomplished.
■ Add the computer account to the RAS and IAS Servers security group using Active Directory Users and Computers.
■ Use the netsh ras add registeredserver command.
2. Select Start | Administrative Tools | Routing and Remote Access.
The Welcome window appears, as shown in Figure 4.23.
Figure 4.23 Routing and Remote Access Welcome
3. The default is that the local computer will be listed as a server. If you
want to add another server, right-click Server Status in the console
tree on the left, and then click Add Server.
4. Click the appropriate option in the Add Server dialog box, as shown in
Figure 4.24, and then click OK.
Figure 4.24 Add a Server
5. In the console tree on the left side of the Routing and Remote Access
window, right-click the server you want to enable, as shown in Figure
4.25, and then click Configure and Enable Routing and Remote
Access.
Figure 4.25 Click Configure and Enable Routing and Remote Access
6. You’ve now started the Routing and Remote Access Server Setup
Wizard, as shown in Figure 4.26. Click the Next button.
Figure 4.26 The RRAS Setup Wizard
7. In the next window, choose the Custom configuration option, as
shown in Figure 4.27. Then click the Next button.
Figure 4.27 Choose Custom Configuration
8. In the Custom Configuration window, choose LAN routing, as shown
in Figure 4.28, and click the Next button.
Figure 4.28 Choose the LAN Routing Option
9. A summary of your selections will now be presented, as shown in
Figure 4.29. Verify that the selections you made are correct, and then
click the Finish button.
Figure 4.29 Finish the RRAS Setup Wizard
10. A dialog box will appear, telling you that the Routing and Remote
Access Service has been installed and asking you if you want to start
the service, as shown in Figure 4.30. Click Yes.
Figure 4.30 Start the Routing and Remote Access Service
11. You should still have the Routing and Remote Access window open,
and it should now look something like Figure 4.31. To add a static
default route to the server, right-click Static Routes and then click New
Static Route.
Figure 4.31 Routing and Remote Access Window after
RRAS Installation
12. Choose the interface you want to use for the default route, as shown in
Figure 4.32. In the Destination text box, type 0.0.0.0. Do the same in
the Network mask text box.
Figure 4.32 Choose Your Interface
13. If this is a demand-dial interface, the Gateway text box will be unavailable. Select the Use this route to initiate demand-dial connections
check box. This will initiate a demand-dial connection when any traffic
matching this route occurs.
14. If this interface is an Ethernet or Token Ring LAN connection, in the
Gateway text box, type the IP address of the interface that is on the
same network segment as the LAN interface.
15. In the Metric box, type 1. Then click OK. You’ve now added a default
static IP route to your router. Follow the same process (steps 11
through 15) for any other route that you want to add to the router.
After you’ve enabled RRAS, you can also add a static IP route from the command
prompt using the route add command, which has the following form:
route add destination mask subnet-mask gateway metric costmetric if interface
Where:
■ Destination Specifies either an IP address or host name for the network or the host.
■ Subnet-mask Specifies the subnet mask that is to be associated with this route entry. This entry defaults to 255.255.255.255.
■ Gateway Specifies either an IP address or host name for the gateway or router to use when forwarding.
■ Costmetric Assigns a metric cost ranging from 1 to 9,999 to use in calculating the fastest, most reliable route. This defaults to 1.
■ Interface Specifies the interface you want used for the route. If you don’t specify the interface, it will be determined from the gateway IP address.
For example, to add a static route to the 192.168.1.0 network that uses a subnet mask
of 255.255.255.0, a gateway of 192.168.0.1, and a cost metric of 2, type this command at
the command prompt:
route add 192.168.1.0 mask 255.255.255.0 192.168.0.1 metric 2
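To see what the route add syntax above actually builds, here is an added example (not from the book) that models a Windows static routing table in Python: it parses route add command lines as the text describes them, applies the mask and metric defaults listed above, determines the interface from the gateway when if is omitted, and performs the longest-prefix lookup a router uses to forward a packet. The host address 192.168.0.5 and the border router 192.168.0.254 are assumed values chosen to fit Table 4.2.

```python
"""Added example (not from the book): a model of the Windows static routing
table that `route add` populates, with the longest-prefix-match lookup a
router performs. Command syntax follows the form quoted in the text."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Route:
    network: IPv4Network
    gateway: IPv4Address       # for a connected network: the adapter's own IP
    metric: int
    interface: str
    connected: bool = False


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_interface(self, ip, mask, interface):
        """Directly attached network ID route, as RRAS derives it from the
        adapter's IP address and subnet mask (compare Table 4.2)."""
        net = IPv4Network(f"{ip}/{mask}", strict=False)
        self.routes.append(Route(net, IPv4Address(ip), 1, interface, connected=True))

    def interface_for(self, gateway):
        """When `if` is omitted the interface is determined from the gateway:
        pick the connected network that contains the gateway address."""
        for r in self.routes:
            if r.connected and gateway in r.network:
                return r.interface
        raise ValueError(f"gateway {gateway} is not on any attached network")

    def route_add(self, cmdline):
        """Parse `route add destination [mask subnet-mask] gateway
        [metric costmetric] [if interface]` and install the route."""
        tok = cmdline.split()
        if len(tok) < 4 or [t.lower() for t in tok[:2]] != ["route", "add"]:
            raise ValueError("expected: route add destination [mask m] gateway ...")
        dest, rest = tok[2], tok[3:]
        netmask = "255.255.255.255"          # default when mask is omitted
        if rest[0].lower() == "mask":
            if len(rest) < 3:
                raise ValueError("mask given but gateway missing")
            netmask, rest = rest[1], rest[2:]
        gateway, rest = IPv4Address(rest[0]), rest[1:]
        metric, interface = 1, None          # metric defaults to 1
        if len(rest) % 2:
            raise ValueError("options must be key/value pairs")
        for key, val in zip(rest[::2], rest[1::2]):
            if key.lower() == "metric":
                metric = int(val)
                if not 1 <= metric <= 9999:
                    raise ValueError("metric must be between 1 and 9999")
            elif key.lower() == "if":
                interface = val
            else:
                raise ValueError(f"unknown option {key}")
        # strict=True rejects a destination with host bits set, which
        # route.exe also refuses ("The parameter is incorrect")
        network = IPv4Network(f"{dest}/{netmask}")
        if interface is None:
            interface = self.interface_for(gateway)
        self.routes.append(Route(network, gateway, metric, interface))
        return self.routes[-1]

    def lookup(self, destination):
        """Forwarding decision: most specific prefix wins, lower metric breaks
        ties. Returns (gateway, interface) as strings."""
        dst = IPv4Address(destination)
        best = None
        for r in self.routes:
            if dst in r.network:
                rank = (r.network.prefixlen, -r.metric)
                if best is None or rank > best[0]:
                    best = (rank, r)
        if best is None:
            raise LookupError(f"no route to {dst}")
        return str(best[1].gateway), best[1].interface


if __name__ == "__main__":
    # Constructed scenario: a host on the backbone of Table 4.2 with adapter 1
    # at 192.168.0.5/24; 192.168.0.254 is an assumed border router.
    rt = RoutingTable()
    rt.add_interface("192.168.0.5", "255.255.255.0", "1")
    rt.route_add("route add 192.168.1.0 mask 255.255.255.0 192.168.0.1 metric 2")  # book's example
    rt.route_add("route add 0.0.0.0 mask 0.0.0.0 192.168.0.254")                 # default route
    for dst in ("192.168.1.77", "10.1.1.1", "192.168.0.9"):
        print(dst, "->", rt.lookup(dst))
```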
EXERCISE 4.02
CONFIGURING RIP VERSION 2
After you have enabled RRAS and configured a default static route, you need
to enable and configure RIP on your router. This is an easy process using the
Routing and Remote Access console. Follow these steps:
1. Open the Routing and Remote Access window.
2. In the console tree on the left side of the window, right-click General,
and then select New Routing Protocol, as shown in Figure 4.33.
Figure 4.33 Add a New Routing Protocol
3. From the New Routing Protocol dialog box, choose RIP Version 2 for
Internet Protocol, as shown in Figure 4.34, and then click the OK
button.
Figure 4.34 Choose RIP Version 2 for Internet Protocol
4. RIP now appears under your server and IP Routing. Right-click RIP and
choose Properties from the context menu, as shown in Figure 4.35.
Figure 4.35 Choose RIP Properties
5. On the General tab of the RIP Properties dialog box, shown in Figure
4.36, you can set the maximum amount of time you want this router to
wait before it sends out triggered updates, as well as the level of logging you wish to have performed. Remember that triggered updates
occur when the network topology changes. Updated routing information is sent out immediately reflecting that change. The General tab of
the RIP Properties dialog box lets you set an interval that these triggered updates will wait before being sent. The default is five seconds.
There are four levels of logging you can choose from:
■ Log errors only
■ Log errors and warnings (the default)
■ Log the maximum amount of information
■ Disable event logging
NOTE
Keep in mind that logging consumes system resources so use it sparingly when you
are not having network problems. When you are having a problem and you are in
the process of identifying and correcting the problem, you’ll want to use the Log
the maximum amount of information option, but after the problem is cleared,
immediately reset logging to the default level.
Figure 4.36 The General Tab of the RIP Properties
6. Choose the Security tab, shown in Figure 4.37. On this tab, you can
designate if this router will process announcements from routers. You
can accept all announcements from all routers; you can accept
announcements from the listed routers only; or you can ignore
announcements from those routers listed.
7. After you’ve made your choice, click OK.
Figure 4.37 The Security Tab of the RIP Properties
EXERCISE 4.03
CONFIGURING OSPF
You can also configure your RRAS for OSPF. Again, using the Routing and
Remote Access console to configure this protocol is easy.
1. Open the Routing and Remote Access window.
2. In the console tree on the left side of the window, right-click General,
as shown in Figure 4.38, and then click New Routing Protocol.
Figure 4.38 Add a New Routing Protocol
3. In the New Routing Protocol dialog box, choose the Open Shortest
Path First (OSPF) option, as shown in Figure 4.39, and then click the
OK button.
Figure 4.39 Choose Open Shortest Path First (OSPF)
4. As with RIP, this action has now added OSPF under your server and IP
Routing. Right-click OSPF and choose Properties.
5. You’re offered similar choices to those that are available when you configure RIP (see Exercise 4.2). After you’ve made your choices, click OK.
EXAM 70-293 OBJECTIVE 2.1.2, 3.1, 5.3.1
Security Considerations for Routing
Keep in mind that IPv4 has no default security mechanism. Unless you take security into
consideration, your network will be susceptible to unauthorized monitoring and access. To
prevent this, develop a strategy for your IP deployment. The following are two methods that
you can use to help you enhance security when deploying IP:
■ Secure your IP packets End-to-end security requires that you not use address translation (NAT). Internet Protocol Security (IPSec) is the most efficient method of providing for a secure data stream.
■ Set up a perimeter network Use perimeter networks to help secure your internal network.
Let’s talk first about using IPSec to secure your data stream. The Windows Server 2003
IPSec protocol provides end-to-end security of your data stream using encryption, digital
signatures, and hashing algorithms. IPSec resides at the Transport layer of the OSI reference
model and protects the individual packets before they reach your network, removing the
protection on receipt. Even data passed through from applications not having any security
features can be protected using IPSec.
Keep in mind that IPSec protects the actual packets of data, not the link. Because of
this, IPSec provides security even on insecure networks, and only the computers actually
involved in the communication are even aware of it. IPSec provides a number of security
features, including the following:
■ Authentication by using digital signatures to identify the sender
■ Integrity through the use of hash algorithms ensuring that the data has not been altered
■ Privacy through encryption that protects the data from being read
■ Anti-replay prevents unauthorized access by an attacker who resends packets
■ Nonrepudiation through the use of public-key digital signatures that prove the message’s origin
■ Dynamic rekeying to allow keys to be generated during communication, so that the different transmissions are protected with different keys
■ Key generation using the Diffie-Hellman key agreement algorithm, allowing computers to agree on a key without exposing it
■ Configurable key lengths, allowing for export restrictions or highly sensitive transmissions
The way that IPSec works is relatively simple. In order for data to be transmitted and
protected between two IPSec-enabled computers, the computers must agree on which
keys, mechanisms, and security policies will be used to protect the data. This agreement, or
negotiation, produces a security association (SA).
The first SA established between the two computers, called Internet Security
Association and Key Management Protocol (ISAKMP), provides the method of key
exchange. Using ISAKMP to provide protection, the two computers negotiate the production of a pair of IPSec SAs and keys: one for inbound transmissions and one for outbound
transmissions. These SAs include the agreed-upon algorithm for encryption and integrity
and the agreed-upon IPSec protocol to use. Two IPSec protocols can be used:
■ Authentication Header (AH) Provides data authentication, integrity, and anti-replay to IP packets.
■ Encapsulating Security Payload (ESP) Provides confidentiality, along with data authentication, integrity, and anti-replay to IP packets.
Using the IPSec SAs and keys, the two computers protect the data during transmissions.
The second method that you can use to enhance security is a perimeter network. These
are also sometimes called a demilitarized zone (DMZ) or a screened subnet. This type of network is generally an additional network between the protected network and the unprotected network. These types of networks are usually small LANs connecting border routers
with internal routers. Servers that are required to be exposed to the Internet, like your Web
server or mail server, can be placed in the DMZ and be protected by a firewall. Then additional firewalls are placed between the DMZ and your network. Figure 4.40 demonstrates
how this type of configuration might look.
Figure 4.40 A Perimeter Network or DMZ (diagram: Internet, Border Router, Ethernet DMZ holding the Web Server, Mail Server, and Application Server, Interior Router, and Internal Network with workstations)
Analyzing Requirements for Routing Components
A router is nothing more than a very specialized computer. It’s made up of the following
elements:
■ A central processing unit (CPU)
■ Random access memory (RAM)
■ Input/output system (BIOS)
■ Operating system (OS)
■ A motherboard
■ Input/output (I/O) ports
■ A power supply
■ A case to hold all of this
Most of these parts remain hidden, but that’s okay because these components are generally extremely reliable. Most of the time, you won’t need to worry about them at all. The
components that you will have the most interaction with are the operating system and the
I/O ports.
As you know, the operating system is the software that controls the various hardware
components and makes the computer usable. The router usually has a configuration file that
includes the number, location, and type of each I/O port, as well as details about bandwidth, addressing, and security.
The I/O ports are the one component that you will get to know on a personal basis.
These ports function like NICs, in that they define the medium and framing mechanisms
and provide the appropriate physical interfaces.
Simplifying Network Topology to Provide Fewer Attack Points
Attacks on your network can come in a variety of ways, in both active and passive forms.
An active form of attack is launched with the purpose of damaging or destroying your data
and/or your network infrastructure. Passive attacks, on the other hand, can be thought of
more along the lines of “fishing expeditions.” In these situations, the attackers are mostly
snooping—just looking around.
One of the best defensive postures against both forms of attacks is to limit the paths to
your network an attack can take. You can accomplish this by implementing three simple
tactics:
■ Minimize the number of network interfaces through which the attack may come
■ Minimize the number of routes over which the attack may come
■ Minimize the number of routing protocols through which the attack may come
Most router attacks involve the manipulation of the routing table entries so that service
to legitimate systems or networks is denied. RIP version 1 and Border Gateway Protocol
(BGP) offer no or little authentication, and what little they do offer usually isn’t implemented. This offers the perfect target for attackers to alter legitimate routes, often by
spoofing their source IP address and creating a denial-of-service (DoS) condition. The easiest remedy is to use whatever tools you have available: if your routing protocol offers
authentication, implement it. If it doesn’t, consider changing to one that does.
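The Security tab described in Exercise 4.02 and the advice above to enable routing-protocol authentication both come down to deciding which announcements a router will trust. The following added example (not from the book, nor Microsoft's RRAS code) parses RIP v2 responses as laid out in RFC 2453 and applies those policies: it drops announcements from unlisted or ignored routers, responses whose simple password does not match, and unreachable (metric 16) routes. The neighbour addresses, the password and the sample packets are constructed for the example.

```python
"""Added example (not from the book): parse RIP v2 announcements and apply the
policy from the RIP Properties Security tab (accept all / accept only listed
routers / ignore listed routers), plus the simple-password check RIP v2
offers. Packet layout follows RFC 2453; all packets below are constructed."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

AFI_IP = 2                  # address family of a normal route entry
AFI_AUTH = 0xFFFF           # first entry with this AFI carries authentication
AUTH_SIMPLE_PASSWORD = 2    # cleartext 16-byte password authentication
CMD_RESPONSE = 2            # only RIP responses carry route announcements
METRIC_INFINITY = 16        # hop count meaning "unreachable"

ACCEPT_ALL, ACCEPT_LISTED, IGNORE_LISTED = "accept_all", "accept_listed", "ignore_listed"


@dataclass
class RipRoute:
    network: IPv4Network
    next_hop: IPv4Address   # 0.0.0.0 means "via the announcing router"
    metric: int
    tag: int


def parse_rip_v2(payload):
    """Return (command, password_or_None, [RipRoute]) for one RIP datagram.

    Raises ValueError on a malformed datagram so the caller can log and
    drop it rather than let garbage into the routing table."""
    if len(payload) < 4 or (len(payload) - 4) % 20:
        raise ValueError("bad RIP length %d" % len(payload))
    command, version, _zero = struct.unpack("!BBH", payload[:4])
    if version != 2:
        raise ValueError("RIP version %d, expected 2" % version)
    password, routes = None, []
    for off in range(4, len(payload), 20):
        entry = payload[off:off + 20]
        afi, tag = struct.unpack("!HH", entry[:4])
        if afi == AFI_AUTH:
            # RFC 2453: the authentication entry must be the first entry
            if off != 4 or tag != AUTH_SIMPLE_PASSWORD:
                raise ValueError("unsupported or misplaced authentication entry")
            password = entry[4:].rstrip(b"\x00")
            continue
        if afi != AFI_IP:
            raise ValueError("unknown address family %d" % afi)
        ip, mask, nh, metric = struct.unpack("!4s4s4sI", entry[4:])
        if not 1 <= metric <= METRIC_INFINITY:
            raise ValueError("metric %d out of range" % metric)
        net = IPv4Network("%s/%s" % (IPv4Address(ip), IPv4Address(mask)), strict=False)
        routes.append(RipRoute(net, IPv4Address(nh), metric, tag))
    return command, password, routes


def process_announcement(src, payload, mode, listed=(), password=None):
    """Apply the Security-tab policy to a datagram received from router `src`.

    Returns (routes_to_install, reason); routes_to_install is empty when the
    announcement is dropped, and the reason is what you would log."""
    src, listed = IPv4Address(src), {IPv4Address(a) for a in listed}
    if mode == ACCEPT_LISTED and src not in listed:
        return [], "dropped: %s is not an accepted router" % src
    if mode == IGNORE_LISTED and src in listed:
        return [], "dropped: %s is on the ignore list" % src
    try:
        command, pw, routes = parse_rip_v2(payload)
    except ValueError as exc:
        return [], "dropped: malformed (%s)" % exc
    if command != CMD_RESPONSE:
        return [], "ignored: not a response"
    if password is not None and pw != password:
        return [], "dropped: authentication failed for %s" % src
    usable = [r for r in routes if r.metric < METRIC_INFINITY]
    return usable, "accepted %d route(s) from %s" % (len(usable), src)


def build_rip_v2(routes, password=None):
    """Build a RIP v2 response; used here only to construct sample input."""
    out = struct.pack("!BBH", CMD_RESPONSE, 2, 0)
    if password is not None:
        out += struct.pack("!HH", AFI_AUTH, AUTH_SIMPLE_PASSWORD) + password.ljust(16, b"\x00")
    for net, nh, metric in routes:
        n = IPv4Network(net)
        out += struct.pack("!HH4s4s4sI", AFI_IP, 0, n.network_address.packed,
                           n.netmask.packed, IPv4Address(nh).packed, metric)
    return out


if __name__ == "__main__":
    # Constructed scenario on the addresses of Table 4.2: the legitimate
    # neighbour 192.168.0.2 announces the 192.168.1.0 subnet; an unlisted host
    # 192.168.0.99 announces a default route that would redirect all traffic.
    good = build_rip_v2([("192.168.1.0/24", "0.0.0.0", 1)], password=b"s3cret")
    rogue = build_rip_v2([("0.0.0.0/0", "0.0.0.0", 1)])
    for src, pkt in (("192.168.0.2", good), ("192.168.0.99", rogue)):
        print(process_announcement(src, pkt, ACCEPT_LISTED, ["192.168.0.2"], b"s3cret")[1])
```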
Minimizing the Number of
Network Interfaces and Routes
You want to limit the number of network interfaces through which an attacker could gain
entrance. Every NIC you have exposed to the Internet is a potential doorway through
which someone could enter. The fewer interfaces exposed, the less work for you in preventing someone coming through an open port and wreaking havoc on your network.
Minimizing the number of routes an attacker might take to your network is similar to
minimizing the interfaces. You are restricting the paths through which an attack may come.
Minimizing the Number of Routing Protocols
You also want to limit the options of attackers if they do manage to gain access to your
network. By reducing the number of routing protocols, you reduce the options available to
the attacker.
Demand-dial routing allows you to use impermanent, dial-up WAN lines to exchange
data between two networks. It allows for the effective use of these impermanent connection
methods, such as analog modems and ISDN, to mimic dedicated Internet connections.
Demand-dial routing brings up the connection only when outbound traffic is addressed to
an associated link. With a demand-dial connection, you can use additional leased lines to
add needed bandwidth at peak use times. However, you should check all the potential costs
before you choose this alternative, to avoid any unexpected and unpleasant surprises when
the telephone bill arrives.
Demand-dial routing concepts are relatively simple. A link is created when needed, and
the connection is dropped when it’s no longer needed. There are three basic phases of
demand-dial connection setup:
■ Configure the first router to initiate and receive demand-dial connections from the second router.
■ Configure the second router to initiate and receive demand-dial connections from the first router.
■ Initiate the demand-dial connection from the first router to the second router.
Configuring & Implementing...
Adding a Demand-Dial Interface
Although the three phases for setting up a demand-dial connection are relatively
straightforward, actually setting up a demand-dial interface can be a complex and
lengthy process. Make sure you double-check your work as you go along, because
troubleshooting at a later phase could be extremely difficult and complicated. To
set up the interface, follow these instructions:
1. Select Start | Administrative Tools | Routing and Remote Access.
2. In the console tree on the left side of the window, click the appropriate
server or router.
3. Right-click Network Interfaces, as shown in Figure 4.41, and choose
New Demand-dial Interface from the context menu.
4. The Demand-Dial Interface Wizard starts. Click Next in the Wizard’s
first window.
5. The next window asks for a name for this demand-dial interface. The
default name is Remote Router, as shown in Figure 4.42. You might
want to use a more descriptive name, such as the name of the branch
office or the name of the network to which you are connecting. When
you’ve named the interface, click Next again.
6. You’re now confronted with three choices of connection type. For our
purposes of adding a demand-dial interface, the first two choices are
the only ones we will deal with. If your computer doesn’t have one of
these, that specific option will be grayed out and unavailable.
■ Connect using a modem, ISDN adapter, or other physical device Choose this option, and then click the Next button. Choose which modem you want to use, and then enter the telephone number you want to be dialed. Notice that in addition to the primary number, you can also click Alternatives and enter other numbers to be tried automatically if the primary number cannot be reached.
■ Connect using virtual private networking (VPN) If you select this option and click Next, the VPN Type window opens. Choose the tunneling protocol you want to use, and click Next again. Finally, in the Destination Address window, provide either the host name or the IP address for the remote router and click Next again.
7. Under Protocols And Security, choose all the conditions that will
apply to the connections. If you have chosen to connect using a
modem, ISDN device, or other physical device, you will have two
options here. This second option will not be available if you have
chosen the VPN option earlier. If you choose both options, the wizard
will present you with a window to configure each of the items.
■ Add a User Account So A Remote Router Can Dial In
■ Use Scripting to Complete The Connection With The Remote Router
8. In the next window, fill in the IP address of the network or networks
you want to access.
9. The next window asks you to provide the user account and password
as your Dial Out Credentials. This will complete the Wizard, and a new
routing interface will be added in the Routing and Remote Access
window.
Figure 4.41 Choose New Demand-dial Interface
Figure 4.42 Choose an Appropriate Interface Name
Router-to-Router VPNs
Take two separate networks and put the Internet between them. Now, connect them using
a tunnel through the Internet. You create this tunnel using the Point-to-Point Tunneling
Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP), so that the data being
exchanged between the two networks is encrypted. But what’s the difference between a
normal client VPN connection and this type of VPN? What can you use to connect the
two networks together? You can use routers.
You can use a router-to-router VPN to connect two separate networks together over
the Internet and still maintain security. Before we get into the specifics of setting up a
router-to-router VPN, let’s look briefly at how to set up a client VPN connection first. That
way, you will understand the difference between the two and why you might want to use
one over the other. The first step is to turn on the Windows Server 2003 VPN Server.
EXERCISE 4.04
INSTALLING AND ENABLING WINDOWS SERVER 2003 VPN SERVER
Installing and setting up a Windows Server 2003 VPN Server is simple. Just
follow these steps:
1. Select Start | Administrative Tools | Routing and Remote Access. If
you have not set up RRAS, you’ll see a red circle in the server icon. If
you have set up your server to be a VPN server when you were
installing the Windows Server 2003 software, you will see a green
arrow, as shown in Figure 4.43.
Figure 4.43 RRAS Has Already Been Turned On
2. If the service has already been turned on, you may want to reconfigure
your server. You can reconfigure it by right-clicking the server icon and
choosing Disable Routing and Remote Access. Click Yes to continue
when you are prompted. Your server icon should now have the red
circle rather than the green arrow.
3. Right-click your server’s icon and choose Configure and Enable
Routing and Remote Access to start the Setup Wizard. Click Next to
continue.
4. Select the Remote Access (dial-up or VPN) option, as shown in Figure
4.44, and then click the Next button.
Figure 4.44 Choose Remote Access
5. Check the VPN check box, and then click the Next button.
6. In the VPN Connection window, shown in Figure 4.45, select the network interface that is connected to the Internet, and then click the
Next button.
Figure 4.45 Choose the Interface Connected to the Internet
7. In the IP Address Assignment window, you have two choices:
■ Automatically Choose this option if you have a DHCP server you can use to automatically assign IP addresses to the remote clients. This setup will be easier to administer than assigning addresses manually. (However, if you do not have a DHCP server, you must specify a range of static addresses.) Click Next to continue.
■ From a specified range of addresses Choose the option if the remote clients can only be given an address from a specified pool of addresses. Click Next to continue. In the Address Range Assignment window, click the New button. In the Start IP address box, type the first IP address in the range of addresses you want to use. Then type in the last IP address in the range you’ve chosen. Windows Server 2003 will automatically calculate the number of addresses for you. Click the OK button to return to the Address Range Assignment window, and then click the Next button to continue.
8. In the next window, accept the default value of No, use Routing and
Remote Access to authenticate connection requests, and click the
Next button to continue.
9. Click Finish to turn on RRAS and to configure the server as a remote-access server.
Once you have your server set up to provide VPN service (completed Exercise 4.04),
you can allow client machines to connect to it over the Internet.
Configuring & Implementing...
Configuring a VPN Connection from a Client Computer
To configure a VPN connection from a client computer, you must first be logged on
as the Administrator or as a member of the Administrators group. The following
steps will vary depending on which version of Windows the client computer has
installed.
1. Make sure that you have a correctly configured Internet connection on
the client computer.
2. Select Start | Control Panel | Network Connections | Create a New
Connection. This opens the New Connection Wizard. Click the Next
button to continue.
3. Click the Connect To The Network At My Workplace option, and then
click the Next button.
4. Choose Virtual Private Network Connection, and then click Next.
5. Type in a descriptive name in the Company Name text box and click
Next.
6. Choose Do Not Dial The Initial Connection. If the computer isn’t
always connected to the Internet, you should probably choose
Automatically Dial This Initial Connection, click the name of the connection to the ISP, and click Next.
7. Type in the IP address or the host name of the VPN server computer to
which you are connecting.
8. Depending on whether you want anyone to have access to this VPN
connection or just yourself, choose Anyone’s Use or My Use Only, and
then click Next.
9. Click the Finish button and save the connection information.
10. Choose Start | Control Panel | Network Connections again and
double-click the new connection you just created.
11. Go to Properties and configure the options for this connection you
want. If you’re connecting to a domain, click the Options tab and
select the Include Windows Logon Domain check box, so you can
specify that you want to request Windows Server 2003 logon domain
information before trying to connect. Another option you’ll probably
want to select is the Redial If Line Is Dropped check box on the
Options tab.
Using your new VPN connection is simple: click Start | Connect To and choose
your new connection. If you don’t already have a current connection to the Internet, you’ll
be offered the opportunity to connect. When the connection is made, the VPN server will
prompt you for your name and password. Enter the necessary information and click the
Connect button. All of the same resources available when you are directly connected to
the network are available now. When you’re ready to disconnect, simply right-click the connection and choose Disconnect.
Now that you know how to create and use a client VPN connection, what are the differences in setting up a router-to-router VPN? There are actually not very many differences.
EXERCISE 4.05
SETTING UP WINDOWS SERVER 2003 AS A ROUTER-TO-ROUTER VPN SERVER
The differences in the setup of Windows Server 2003 as a router-to-router VPN
server and as a static router (Exercise 4.1) are minimal. Follow these steps:
1. Select Start | Administrative Tools | Routing and Remote Access.
2. Right-click your server’s icon and choose Configure and Enable
Routing and Remote Access to start the Setup Wizard. Click Next to
continue.
3. Select the Secure connection between two private networks option,
as shown in Figure 4.46, and then click the Next button.
Figure 4.46 Choose Secure Connection between Two Private Networks
4. Choose the No option when you are asked if you want to use demand-dial connections, unless you need to use them, and then click the Next
button again. If you choose Yes to use demand-dial connections, you’ll
have the opportunity to set up the demand-dial connections when this
Wizard is finished. If you are using a full-time connection, you don’t
need the demand-dial connection.
5. Click Finish to turn on RRAS and to configure the server as a router-to-router VPN server.
Make sure you have addresses assigned to all the installed interfaces and that you’ve
installed and set up your routing protocols on each interface. Then you should be able to
use this router.
Packet Filtering and Firewalls
One of the best features available in RRAS is the ability to filter TCP/IP packets traveling
in either direction. For all practical purposes, enabling packet filtering creates a firewall on
your server. You can build filters that can either allow or deny packet traffic into or out of
your network. You do this by specifying rules that designate source and destination addresses
and ports.
Normally, you set up these filters to block information that the machines in your network should not receive. The filters are set up on a specific interface. This means that the
filters on one interface are completely independent of the filters on another. Incoming and
outgoing filters are independent of one another also.
Simply put, you have two choices with input filters: accept all traffic over the interface
except the traffic you specify, or drop all traffic except the traffic you specify. Output filters
are configured in the same manner. Which choice you should make most often depends on
the context and purpose of the filter. The second option is the most secure. If you are
attempting to keep all but very specific traffic out of your network, this would be the correct choice. The first choice is appropriate if you are just trying to stop specific traffic.
For instance, say you have a Web server and the only traffic you want to allow on this
server is traffic traveling to and from the Web server service. All you need to do is configure
an input filter for the destination IP address of the Web server and the TCP destination port
80. At the same time, you will want to configure an output filter for the source IP address
of the Web server and the TCP source port 80. If these two filters are the only two filters
operational on this server, the only traffic that will be allowed across the interface is TCP
traffic to and from the Web server service on your Windows Server 2003 machine.
You need to be careful about how you implement these filters, so that you don’t make
them too restrictive, which would impair the functionality of the other protocols operating
on the server. For instance, given our example of a Web server, we can’t use PING or any
other basic IP troubleshooting tool on that computer now, because we’ve restricted it to
only Web traffic on port 80. We’ll talk more about troubleshooting shortly.
TEST DAY TIP
Know how to set up both inbound and outbound TCP/IP packet filters. Understand
that you can accept all but those IP addresses you want to reject, or you can deny
all except those IP addresses you wish to accept.
It’s a good idea to use packet filtering to block unwanted traffic from your VPN
servers. There are two basic sets of rules for this process: PPTP packet filters and L2TP
packet filters.
For PPTP, there are at least two filters that are required to block non-PPTP traffic. You
need to allow Generic Routing Encapsulation (GRE) packets to pass. You also need to
allow inbound traffic on TCP port 1723. If the PPTP server is also acting as a PPTP client,
you can add a third filter to allow outbound traffic on TCP port 1723 also. After these
filters are defined, choose the Drop All Packets Except Those That Meet The
Criteria Below radio button. Then close the dialog box. Repeat the process on the output
side.
For L2TP packet filters, you will need four filters: two for input and two for output, as
follows:
■ An input filter with a destination of the VPN interface address and a network mask of 255.255.255.255, filtering User Datagram Protocol (UDP) traffic with a source and destination port of 500
■ An input filter with a destination of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 1701
■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 500
■ An output filter with a source of the VPN interface address and a network mask of 255.255.255.255, filtering UDP traffic with a source and destination port of 1701
TEST DAY TIP
Make sure you know how to filter all packets except VPN traffic on a PPTP or L2TP
server. Make sure you understand the process and the number of filters each protocol requires.
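The Web server filter pair and the L2TP filter set described above, as an added example that is not part of the book or of RRAS itself: a small Python model of the two per-interface filter modes RRAS offers (receive all except the listed traffic, or drop all except it), run against constructed packets to show that the Web server pair passes only TCP port 80 traffic and therefore also blocks PING, and that the L2TP set admits only UDP 500 and UDP 1701 to and from the VPN address. The addresses and the client-side port numbers are constructed values.

```python
"""Model of the two packet-filter modes RRAS offers on each interface.

Added example, not code from the book or from RRAS: a Python model of
per-interface input/output filters, used to run the chapter's Web server
filter pair and L2TP filter set against constructed packets.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# IP protocol numbers referred to in this chapter.
ICMP, TCP, UDP, GRE = 1, 6, 17, 47


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (ICMP, GRE)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    """One filter rule; a None field is a wildcard, like an unticked
    source/destination box in the RRAS filter dialog."""
    src_net: Optional[str] = None  # "address/mask", e.g. "203.0.113.10/255.255.255.255"
    dst_net: Optional[str] = None
    proto: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.src_net and IPv4Address(p.src) not in IPv4Network(self.src_net):
            return False
        if self.dst_net and IPv4Address(p.dst) not in IPv4Network(self.dst_net):
            return False
        for want, have in ((self.proto, p.proto), (self.sport, p.sport), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        return True


class FilterSet:
    """The input (or output) filter list of one interface, in one of the two
    RRAS modes: drop all except the listed traffic (the more secure choice)
    or receive all except the listed traffic."""

    def __init__(self, filters: List[Filter], drop_all_except: bool):
        self.filters = filters
        self.drop_all_except = drop_all_except

    def permits(self, p: Packet) -> bool:
        matched = any(f.matches(p) for f in self.filters)
        return matched if self.drop_all_except else not matched


WEB = "203.0.113.10"   # constructed: the Web server's address
VPN = "203.0.113.20"   # constructed: the VPN server's Internet interface
HOST = "198.51.100.7"  # constructed: a remote client
HOSTMASK = "255.255.255.255"

# The chapter's Web server pair: input filter on destination IP + TCP port 80,
# output filter on source IP + TCP source port 80, both "drop all except".
web_in = FilterSet([Filter(dst_net=f"{WEB}/{HOSTMASK}", proto=TCP, dport=80)], True)
web_out = FilterSet([Filter(src_net=f"{WEB}/{HOSTMASK}", proto=TCP, sport=80)], True)

# The chapter's four L2TP filters: UDP 500 and UDP 1701, two input, two output.
l2tp_in = FilterSet([
    Filter(dst_net=f"{VPN}/{HOSTMASK}", proto=UDP, sport=500, dport=500),
    Filter(dst_net=f"{VPN}/{HOSTMASK}", proto=UDP, sport=1701, dport=1701)], True)
l2tp_out = FilterSet([
    Filter(src_net=f"{VPN}/{HOSTMASK}", proto=UDP, sport=500, dport=500),
    Filter(src_net=f"{VPN}/{HOSTMASK}", proto=UDP, sport=1701, dport=1701)], True)


def web_server_results() -> dict:
    """What the Web server pair lets through; note that PING is blocked too."""
    return {
        "http_in": web_in.permits(Packet(HOST, WEB, TCP, 51000, 80)),
        "http_out": web_out.permits(Packet(WEB, HOST, TCP, 80, 51000)),
        "ping_in": web_in.permits(Packet(HOST, WEB, ICMP)),  # the chapter's caveat
        "ping_out": web_out.permits(Packet(WEB, HOST, ICMP)),
        "other_tcp_in": web_in.permits(Packet(HOST, WEB, TCP, 51001, 443)),
    }


def l2tp_results() -> dict:
    """The L2TP set passes UDP 500/1701 to and from the VPN address only."""
    return {
        "udp500_in": l2tp_in.permits(Packet(HOST, VPN, UDP, 500, 500)),
        "udp1701_in": l2tp_in.permits(Packet(HOST, VPN, UDP, 1701, 1701)),
        "udp1701_out": l2tp_out.permits(Packet(VPN, HOST, UDP, 1701, 1701)),
        "pptp_in": l2tp_in.permits(Packet(HOST, VPN, TCP, 51002, 1723)),  # PPTP control, not L2TP
        "gre_in": l2tp_in.permits(Packet(HOST, VPN, GRE)),
    }


def receive_all_except_demo() -> dict:
    """The other mode: receive everything except the listed traffic (here ICMP)."""
    block_ping = FilterSet([Filter(proto=ICMP)], drop_all_except=False)
    return {
        "ping_in": block_ping.permits(Packet(HOST, WEB, ICMP)),
        "http_in": block_ping.permits(Packet(HOST, WEB, TCP, 51000, 80)),
    }


if __name__ == "__main__":
    print(web_server_results(), l2tp_results(), receive_all_except_demo(), sep="\n")
```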
Logging Level
Coming up with a good logging strategy is important for the proper maintenance of your
network and the devices that are used on it. Deciding what to log is probably one of the
most important questions you will consider. If you have too much logging, the performance of your server and the network will decline sharply. If you have too little logging,
when you have a problem, you won’t have the information you need to determine the
source and cause. The best choice is to log only those options you really need, and when
you don’t need a particular type of log data anymore, stop recording it.
In order to set the logging levels, open the RRAS module, right-click the server you
wish to administer, choose Properties, and then click the Logging tab. As shown in
Figure 4.47, the Logging tab contains several options for the various types of events that
you can log. The default is to log all errors and warnings. You can also check the Log
additional Routing and Remote Access information (used for debugging) check
box, which, as its name implies, will assist you in debugging.
Figure 4.47 Set the Logging Level
EXAM 70-293 OBJECTIVE 2, 2.1.2, 3, 3.4
Troubleshooting IP Routing
Here, we will look at the two main tools you might use in troubleshooting IP routing and
the common problems that occur with IP routing, which you will be expected to know
how to deal with in the exam.
NOTE
There are entire books devoted to troubleshooting IP routing. Also, Microsoft’s
online help system is fairly good at suggesting probable causes and solutions for
many common routing problems.
Identifying Troubleshooting Tools
Your best troubleshooting tools are those tools you should be using on a daily basis for network management and monitoring. Windows Server 2003 ships with the Network Monitor
tool (NETMON.exe), which is an excellent protocol analyzer that you can use to monitor
your network. As discussed in Chapter 3, this tool captures and displays information about
the IP packets moving in your network and can tell you about traffic patterns, broadcast
rates, how the network is being used, what kinds of errors you might be experiencing, and
many other aspects concerning the behavior of your network.
The Routing and Remote Access console is another excellent troubleshooting tool.
Using this tool, you can show your network’s TCP/IP information, your IP routing table,
the router’s RIP neighbors, its OSPF area, the LSDB, the router’s OSPF neighbors, and the
OSPF virtual interface.
Other familiar tools that you can use for troubleshooting include PING, pathping,
tracert, mrinfo, and netsh. Let’s take a look at how you can use these tools to verify and troubleshoot your connections.
Configuring & Implementing...
Testing your TCP/IP Connections with PING
To use PING to test your TCP/IP connections, follow these steps:
1. Click Start | Run, type cmd, and press the Enter key to bring up the
command prompt.
2. Using the ipconfig command, discussed in Chapter 3, determine the IP
addresses of your computer and your default gateway.
3. Make sure that TCP/IP is installed and working on your local computer by typing ping 127.0.0.1 at the command prompt and pressing
the Enter key. You should receive a response in the command prompt
window displaying four replies from the 127.0.0.1 loopback address. If
not, you will need to reset the TCP/IP configuration on your machine.
4. If you received the proper replies, test the IP address of your local
machine that you obtained from the ipconfig command by pinging it.
If you receive the correct four replies, you know that your computer
was added to the network correctly.
5. Ping the default gateway address to verify that it is up and running.
This also lets you know if you are able to connect to a local host on
your local network.
6. Ping the IP address or hostname of another remote host. You can ping
a hostname by typing ping www.microsoft.com. This will let you
know that you are able to communicate through a router.
Another useful troubleshooting tool is the pathping command. This command combines aspects of PING and tracert, and adds in some additional features that make it an
excellent troubleshooting tool. This tool works by measuring the packet loss across each
router between the source machine and the destination. This information can help you
determine where your network reliability problems may be coming from. The syntax for
the pathping command is as follows:
pathping [-n] [-h maximum_hops] [-g host-list] [-p period] [-q num_queries]
[-w timeout] [-T] [-R] final_destination
Where:
■ -n Tells pathping not to resolve addresses to host names.
■ -h maximum_hops Sets the maximum number of hops you want the command to search for the target. The default is 30 hops.
■ -g host-list Provides a loose source route along the host list.
■ -p period Sets the wait period in milliseconds between pings. The default is 250 milliseconds.
■ -q num_queries Sets the number of queries per hop. The default is 100 queries.
■ -w timeout Sets the time length in milliseconds for each reply before the command times out on that hop. The default is 3000 milliseconds.
■ -T Tests the connectivity to each hop with Layer-2 priority tags.
■ -R Tests to see if each hop is RSVP-aware.
■ final_destination The host name or IP address of the network, domain, or machine that you are testing the route to.
The tool will first trace the route to the destination, and then analyze the traffic running through each hop. Keep in mind that one test is not sufficient to give you a good idea
about what is going on. There is no specific number of lost packets that signifies that a link is
causing you problems. If the number is in double digits, though, you should probably
examine that route carefully. To get a realistic picture of what is going on in your network,
test a router over time and test in both peak and off-peak usage.
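The double-digit rule of thumb above, applied to the statistics block pathping prints after its trace, as an added example that is not part of the book: a Python parser that separates the cumulative "Source to Here" column from the per-node and per-link "This Node/Link" figures, so that a lossy link early in the path is not blamed on every router after it. The sample output is constructed text in pathping's format using documentation-range addresses, not a capture from a real network.

```python
"""Flag lossy hops in pathping statistics output (added example, not from
the book). SAMPLE_OUTPUT is constructed text in pathping's output format."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE_OUTPUT = """\
Tracing route to www.example.test [203.0.113.80]
over a maximum of 30 hops:
  0  client.example.test [192.168.1.10]
  1  192.168.1.1
  2  198.51.100.1
  3  203.0.113.80

Computing statistics for 75 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           client.example.test [192.168.1.10]
                                0/ 100 =  0%   |
  1    1ms     0/ 100 =  0%     0/ 100 =  0%  192.168.1.1
                               12/ 100 = 12%   |
  2   14ms    12/ 100 = 12%     0/ 100 =  0%  198.51.100.1
                                0/ 100 =  0%   |
  3   21ms    13/ 100 = 13%     1/ 100 =  1%  203.0.113.80

Trace complete.
"""

# A router line: hop, RTT, cumulative lost/sent = pct, node lost/sent = pct, address.
NODE_RE = re.compile(
    r"^\s*(?P<hop>\d+)\s+(?P<rtt>\d+)ms\s+"
    r"(?P<cum_lost>\d+)/\s*(?P<cum_sent>\d+)\s*=\s*(?P<cum_pct>\d+)%\s+"
    r"(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*(?P<pct>\d+)%\s+(?P<addr>\S.*)$"
)
# A link line (ends in '|'): loss on the link between the surrounding hops.
LINK_RE = re.compile(r"^\s+(?P<lost>\d+)/\s*(?P<sent>\d+)\s*=\s*(?P<pct>\d+)%\s+\|\s*$")


@dataclass
class HopStats:
    hop: int
    address: str
    rtt_ms: int
    cumulative_loss_pct: int  # "Source to Here": loss on probes sent this far
    node_loss_pct: int        # "This Node/Link" on the router's own line
    link_loss_pct: int        # the '|' line just above it: loss on the inbound link


def parse_pathping(text: str) -> List[HopStats]:
    """Parse the statistics block; the source (hop 0, no RTT) is skipped."""
    hops: List[HopStats] = []
    pending_link = 0  # a link line is printed before the node it leads to
    for line in text.splitlines():
        link = LINK_RE.match(line)
        if link:
            pending_link = int(link["pct"])
            continue
        node = NODE_RE.match(line)
        if node:
            hops.append(HopStats(
                hop=int(node["hop"]), address=node["addr"].strip(),
                rtt_ms=int(node["rtt"]),
                cumulative_loss_pct=int(node["cum_pct"]),
                node_loss_pct=int(node["pct"]),
                link_loss_pct=pending_link))
            pending_link = 0
    return hops


def suspicious_hops(hops: List[HopStats], threshold: int = 10) -> List[str]:
    """Hops whose own node or inbound-link loss reaches the threshold.
    Cumulative loss is ignored on purpose: one bad link inflates the
    'Source to Here' figure of every hop behind it."""
    flagged = []
    for h in hops:
        if h.link_loss_pct >= threshold:
            flagged.append(f"link into hop {h.hop} ({h.address}): {h.link_loss_pct}% loss")
        if h.node_loss_pct >= threshold:
            flagged.append(f"hop {h.hop} ({h.address}): {h.node_loss_pct}% loss")
    return flagged


if __name__ == "__main__":
    for finding in suspicious_hops(parse_pathping(SAMPLE_OUTPUT)):
        print(finding)
```

Run it over the output of several pathping runs at different times of day, as the chapter advises, rather than trusting a single sample.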
If you’re using multicast routing, another useful troubleshooting command is mrinfo.
This command displays multicast router configuration information. The syntax is as follows:
mrinfo [-n] [-?] [-i address] [-t secs] [-r retries] destination
Where:
■ -n Displays the IP addresses in numeric format.
■ -? Prints usage information.
■ -i address Specifies the IP address of the local interface from which the query was sent.
■ -r retries Specifies how many times an SNMP query is to be resent. The default value is 0.
■ -t secs Specifies how long to wait for an IGMP neighbor query reply. The default is three seconds.
The mrinfo command displays the interfaces for both the multicast router and its
neighbors on each interface. It also provides the names of the neighboring domains, the
multicast routing metric, and the TTL.
Head of the Class…
Using Tracert to Test TCP/IP Connections
You can also use Tracert to test your TCP/IP connections. Just follow these steps:
1. Click Start | Run, type cmd, and press the Enter key to bring up the
command prompt window.
2. At the prompt, type tracert target-ipaddress and press the Enter key.
Replace target-ipaddress with the IP address of the remote network
host you are attempting to connect with. This can also be a host name.
The display will now include a list of the routers the packets have successfully
crossed, along with the length of time the packet took to reach that network
segment.
Also, the netsh utility, discussed in the “Using netsh Commands” section earlier in this
chapter, can display the configurations of protocols, filters, and routes. It also allows you to
reconfigure interfaces. Don’t overlook this valuable tool as an option for troubleshooting IP
routing.
Common Routing Problems
If you suspect that your RRAS server isn’t functioning properly, start by making sure the
RRAS server is running. You might be surprised how many times the cause of the problem
turns out to be simply that RRAS is not turned on.
Most TCP/IP administrators spend much of their time troubleshooting the hardware.
Connectors go bad, NICs die, and cables break or are cut. You need to troubleshoot and
repair these elements before you start looking at the software. Consider these potential
trouble spots first:
■ Check for basic communication between systems first. Broken cables, loose connections, and so on can cause what might look like much more complex problems.
■ Make sure that your systems are in compliance with the standards you’ve chosen. This means you need to verify all devices on your Ethernet are broadcasting Ethernet and not something else. Make sure you have the correct types of cables. An example of this is the common mistake beginners sometimes make using RG59A/U cable instead of RG58A/U. The former cable type is used in broadcasting specifically with video; the latter is used with IEEE 802.3 10Base2 networks.
■ Carefully isolate your problem to a single LAN, MAN, or WAN segment by going through each individually. Keep in mind it is extremely rare for two segments to go down at the same time.
Interface Configuration Problems
Make sure that the RRAS server is configured to perform as an IP router. Open the
RRAS Microsoft Management Console (MMC) and verify all your settings. Make sure that
you have enabled RRAS on the Windows Server 2003 machine you are expecting to perform as a router. It could be that you have the wrong server configured. Also, keep in mind
that the system must first make the physical connection to the network. After that, it must
make the logical connections.
The router also might not be receiving routed data from other routers. Take a look at
the routing table to see that the router is receiving routes from the other routers. If there is
anything there other than Local in the Protocol column, the router is receiving routes via
the routing protocols. If not, double-click the rest of the settings in this section and pay
particular attention to the appropriate protocol.
RRAS Configuration Problems
Routing for the correct LAN protocol may not be enabled. If you’re using IP routing,
make sure that IP routing is enabled on the IP tab of the server’s property sheet. Also, make
sure that you have IP routing protocols attached to each of the interfaces where they are
needed.
The wrong protocol could be installed, or the right protocol could have been installed
on the wrong interface. The correct protocol must be installed on the appropriate interface
for this to work correctly.
Routing Protocol Problems
One of the most common problems you’ll face with RIP for IP is incorrect routing table
entries. If you’re seeing wrong or inconsistent routes in the routing tables, or if routes are
totally missing, you should look at the following possibilities:
■ The wrong version of RIP could be in use.
■ Silent RIP hosts might not be receiving updates.
■ The subnetting scheme on your network could be incompatible with your routing infrastructure.
■ A router might be using the wrong password.
■ Routing filters might be too restrictive.
■ Packet filters might be too restrictive.
■ Neighbors might be incorrectly configured.
■ Default routes might not be being propagated.
If your router is using OSPF, make sure that the Enable OSPF on this interface
check box is selected. This option is in the interface’s OSPF Properties dialog box.
Also make sure that your router is receiving routing information from the other routers
on the network. Do this by opening the routing table and looking at the Protocol
column. One of the following might be the problem with OSPF:
■ OSPF might not be enabled on the desired interface.
■ The neighboring router might be unreachable.
■ The OSPF settings may not match on each of the neighboring routers.
■ The stub area configuration or area ID on neighboring routers may not match.
■ Interfaces may not be configured with OSPF neighbor IP addresses.
■ There may not be a designated router (DR) for the network.
■ Packet filtering may be too restrictive.
■ Summarized routes may be configured improperly.
■ ASBR source or route filtering may be too restrictive.
■ Virtual links may be incorrectly configured.
If a routing table entry is marked as being either OSPF or RIP, then information from
some of the other routers on your network is getting through. If you do not see any OSPF
or RIP entries in the table, you have a problem.
EXAM 70-293 OBJECTIVE 2.5.3
TCP/IP Configuration Problems
Verifying that the router’s TCP/IP configuration is correct first may save you a lot of time.
You must use the correct IP address and subnet mask.
Routing Table Configuration Problems
You’ll need to have a static default route defined and enabled so that your router will forward any packets when there is no specific route designated for them. If the default route is
incorrect or missing, you will have problems. If you’re using default routing, the default
route must be learned through the routing protocols or statically configured on the router
over the correct interface.
TEST DAY TIP
You will need to know extremely basic problems and their solutions for the exam.
Summary of Exam Objectives
In this chapter, we discussed three main topics: understanding IP routing, security considerations for routing, and troubleshooting IP routing. We’ve looked at routing basics, including
how devices are identified on the network, how NAT works, and the differences between
IPv4 and IPv6. We’ve also looked at creating, viewing, and updating routing tables and the
differences between static and dynamic routing.
The chapter continued with a discussion of the various routing protocols and the differences between distance-vector and link-state routing algorithms. This naturally led to a
discussion of the two primary examples of both algorithms, RIP and OSPF. This discussion
also examined the differences between RIP version 1 and RIP version 2 and what sample
networks using these protocols might look like. We also examined OSPF and how sample
networks might work using this protocol.
Later in the chapter, we looked at the OSI reference model and routing devices, as well
as how to use utilities such as Netsh, PING, pathping, and Tracert for troubleshooting. The
chapter continued by looking at how to use Windows Server 2003 as a router and as a VPN
server.
Exam Objectives Fast Track
Understanding IP Routing
You must understand the concepts underlying IP addressing in order to
understand how IP routing works. Understand the three IP address formats:
hexadecimal, binary, and dotted-decimal. Have a firm grasp of how IP addresses
are structured and how the network and node information is contained in the
various address classes.
Know that an IP address is a software address, not a hardware address.
Know how to view the routing tables of your servers.
Understand the differences between static and dynamic routing. Make sure you
are familiar with the various configurations that enable and disable both static and
dynamic routing, as well as which protocols are associated with each type of
routing.
Know the differences between RIP and OSPF. Understand why RIP is best used
for smaller networks and OSPF is best for large networks.
Know how to use the netsh utility and why.
Security Considerations for Routing
Remember that IP has no default security mechanisms. In order to add security,
you must add other protocols.
Secure your IP packets with IPSec or other encryption protocols, depending on
the routing strategy you choose.
Set up a perimeter network to defend your inner network.
Minimize the number of network interfaces.
Minimize the number of routes.
Minimize the number of routing protocols.
Troubleshooting IP Routing
Understand how to use the available troubleshooting tools, including Network
Monitor, the Routing and Remote Access console, and the netsh utility.
Know the most common routing problems and their solutions.
The pathping command and Tracert are excellent ways to troubleshoot your
network.
Know how to use logging and where to change the parameters.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: What is a metric and how is it used in choosing the best routes?
A: A metric is the value assigned to an IP route for a particular network interface that
tells you how much it’s going to cost to use that specific route. Metrics can be assigned
values based on link speed, number of hops, or even the time delay that might be associated with that particular route.
Q: What are the two principal packet-filtering methods supported by RRAS?
A: The two principal methods used in packet filtering are inbound and outbound filters.
You basically accept all inbound packets except those expressly denied, or you deny all
inbound packets except those expressly allowed. The same principle works for outbound traffic.
Q: How do I check my TCP/IP configuration in Windows Server 2003?
A: If you are troubleshooting your TCP/IP network, the first thing you want to do is
check your TCP/IP configuration on the machine having the problem. You can do this
by clicking Start | Run and typing cmd in the Run text box. Now press the Enter
key. This brings up the command prompt window. At the command prompt, type
ipconfig /all, and then press the Enter key. This command will display a detailed
configuration report containing all of the information concerning your network interfaces, including DNS suffix, IP address, subnet mask, and default gateway. Make sure
that your computer has all the correct settings for the DNS and WINS servers, a correct and available IP address, a correct subnet mask, a correct default gateway, and the
correct host name.
Q: Which tools can I use to test my TCP/IP connections?
A: If you are having problems connecting to a remote server, you’ll want to test your connections. There are two common tools that are used for this task: PING and Tracert.
The ping command is used to verify whether a host computer can connect to network
resources or not. The tracert command is used to examine the route being used from
your computer to the destination. The Tracert utility shows the series of IP routers that
are used to deliver packets from your computer to the destination and how long it takes
for each hop. If the packets cannot reach their destination, the name of the last router
that successfully forwarded the packets is listed. Two other commands that can also be
used to test functionality are route and pathping.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Understanding IP Routing
1. Your IT Director has decided the new internal network needs to use private
addressing. Which of the following IP addresses are private addresses?
A. 193.168.0.1
B. 171.17.0.1
C. 10.0.0.1
D. 172.16.0.15
2. Your IT Director has determined that your network should use dynamic routing.
You’ve determined that a route is now being considered unreachable. What has happened to that route in the routing table?
A. It has been marked as unreachable in the routing table.
B. Nothing has happened to that route in the routing table.
C. It has been removed from the routing table.
D. You must manually go into the routing table and remove the entry.
3. Your newest hire has been assigned the task of configuring a Windows Server 2003
computer as a router and has asked you how to determine if a machine address or an
IP address is being used at the router. You explain that routers use IP addresses, while
bridges and hubs use machine addresses. You continue to explain that the OSI reference model has seven layers and that IP, or the Internet Protocol, operates at what
layer?
A. The Physical layer
B. The Data Link layer
C. The Network layer
D. The Transport layer
4. Your IT Director has opened a command prompt window on your Windows Server
2003 computer and is trying to figure out what routes are available to this computer.
Which of the following commands should you tell him to use to list the active routes
from the command prompt?
A. route list
B. route print
C. show route
D. dump
5. Your IT Director is determined to use static routing on your large corporate network.
You need to convince him that static routing probably is not the best choice, and you
want him to think that decision was his idea.You decide to do this by asking him
which of the following is an advantage of using static routing?
A. Fault tolerance
B. Scalability
C. Manual configuration
D. Classless routing
6. RRAS is enabled on your Windows Server 2003 computer, and you have three network adapter cards in the computer configured for subnet IDs of 192.168.32.0/20,
192.168.64.0/20, and 192.168.96.0/20. Which subnet ID can you use if you need to
support another subnet with this RRAS server?
A. 192.168.20.0/20
B. 192.168.40.0/20
C. 192.168.48.0/20
D. 192.168.60.0/20
7. You want to configure a multiple gateway on a Windows Server 2003 machine, but
you have only one NIC installed. How do you accomplish this goal?
A. Assign the IP addresses 192.168.0.10 and 192.168.1.10 to the interface.
B. Assign the IP addresses 10.0.0.1 and 172.16.0.1 to the interface.
C. Assign the IP addresses 172.16.0.1 and 192.168.0.1 to the interface.
D. You cannot configure multiple gateways on a machine with one NIC.
8. Your IT Director has been reading again. He has decided that he wants to convert the
network to OSPF, but he is having some difficulty with terminology. He knows that
an OSPF router can serve one of four roles. His problem is that he can’t remember
which role exists when one of the router’s interfaces is on the backbone area. Help
him out. Which of the following is it?
A. Internal router
B. Area border router
C. Backbone router
D. Autonomous system boundary router
Security Considerations for Routing
9. As the network administrator, you are asked to set up network access so that a group
of contract developers can work via a VPN connection connecting to your network’s
Windows Server 2003 VPN server. The contract developers are all using either
Windows 2000 Professional or Windows XP Professional workstations. You must meet
the following requirements:
■ The contract developers must be allowed to connect to the network via the Internet.
■ You must use PPP encryption.
■ You must use a protocol that provides tunnel authentication.
■ You must use a protocol that secures the data between the endpoints of the tunnel.
You configure a VPN using PPTP. Which of the requirements are met? (Select all that apply.)
A. The contract developers are able to connect to the network via the Internet.
B. PPP encryption is used.
C. Tunnel authentication is used.
D. Data between the endpoints of the tunnel is secure.
10. You have enabled RRAS on your Windows Server 2003 computer.You want to set
up IP packet filtering to help you manage access from remote clients.Where in the
Routing and Remote Access console will you enable IP packet filters?
A. The properties of the remote access ports
B. The properties of the remote access server
C. The profile of a Remote Access Policy
D. The conditions of a Remote Access Policy
11. You have set up an isolated, secure subnet with only an RRAS server running on
Windows Server 2003 connecting the two parts of your internal network.You are
protecting your internal network against unauthorized access with your firewall, and
authorized users on the intranet establish VPN tunnels to your secure subnet through
the RRAS server.You do have a problem, however. It seems that remote VPN clients
cannot access the secure subnet through your configuration. How should you reconfigure the system to allow remote VPN clients access to the secure subnet?
A. Ask your ISP to create the necessary filters to allow IPSec traffic to pass.
B. Create filters on the RRAS server to allow only VPN traffic to pass.
C. Define filters on the firewall to allow the VPN traffic to pass.
D. Configure the router in front of the firewall to allow IPSec traffic to pass.
12. You’ve been asked to provide Internet access for clients on your network.You decide
to use NAT.You try to establish a secure VPN session from a remote site unsuccessfully.You try again using L2TP. Again the connection fails.You are able to successfully
connect when in the same office.Why are you unable to make a connection from the
remote location?
A. You haven’t configured the NAT server to translate the IP Security packets.
B. You cannot establish an L2TP connection behind a computer running NAT.The
L2TP session fails because the IP Security packets become corrupted.
C. L2PT does not work with Windows Server 2003 VPNs.
D. NAT does not allow for remote networking.
13. You’ve just been asked to set up things so that a group of developers can work from
home and still connect to your office network. The developers are using either
Windows 2000 Professional or Windows XP Professional. You must meet the following requirements:
■ Allow the developers to connect to the network through the Internet.
■ Use PPTP encryption.
■ Use a protocol that provides tunnel authentication.
■ Use a protocol that secures data between the endpoints of the tunnel.
You plan to configure a VPN that uses L2TP. Which requirement or requirements are met?
A. The developers can connect to the network through the Internet.
B. PPTP encryption is used.
C. Tunnel authentication is provided.
D. Data between the endpoints of the tunnel is secured.
Troubleshooting IP Routing
14. You’ve installed RRAS on a Windows Server 2003 computer in your network. The
network is not connected directly to the Internet, and the private IP address range
you are using is 192.168.0.0. When you dial in, you connect successfully, but you’re
unable to access any resources. Pinging other servers using their IP addresses results in
the message “Request timed out.” Running the ipconfig command shows you that
your dial-up connection is being given the IP address 169.254.75.182. What should
you do to resolve the problem?
A. Configure the remote-access server to act as a DHCP Relay Agent.
B. Ensure that the remote-access server is able to connect to a DHCP server that has
a scope for its subnet.
C. Configure the remote-access server with the address of a DHCP server.
D. Authorize the remote-access server to receive multiple addresses from a DHCP
server.
15. You think you may have a problem on your network. You need to open a command
line window and troubleshoot your network. Which of the following lists of commands represent the command-line utilities most often used in maintaining and
testing routing functionality?
A. show helpers, Trace, PING, Route
B. pathping, Tracert, show helpers, show routing
C. pathping, PING, Route, Tracert
D. pathping, PING, Route, Trace
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. C, D
2. C
3. C
4. B
5. D
6. C
7. A
8. C
9. A, B, D
10. C
11. C
12. B
13. A, C
14. B
15. C
255_70_293_ch05.qxd
9/9/03
5:20 PM
Page 287
Chapter 5
MCSE 70-293
Planning, Implementing, and Maintaining an Internet Connectivity Strategy
Exam Objectives in this chapter:
2 Planning, Implementing, and Maintaining a Network Infrastructure
2.3 Plan an Internet connectivity strategy
2.5 Troubleshoot connectivity to the Internet.
2.5.1 Diagnose and resolve issues related to Network Address Translation (NAT).
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Chapter 5 • Planning, Implementing, and Maintaining an Internet Connectivity Strategy
Introduction
Internet connectivity is no longer a luxury for most businesses; it is a necessity. Employees
use the Internet to exchange e-mail with clients, suppliers, and co-workers in other physical
locations; to conduct research via the Web; and to remotely access the local area network
(LAN) from home or when on the road. Creating an effective policy for implementing and
managing the organization’s Internet connections is an important part of the Windows
Server 2003 network administrator’s job.
This chapter is about how to develop the best strategy for connecting your company’s
Windows Server 2003 network to the Internet. We’ll discuss connecting the LAN to the
Internet using routed connections or translated connections (via Internet Connection
Sharing or the Routing and Remote Access Service’s Network Address Translation component). You’ll learn how to use both Internet-based virtual private networks (VPNs) and
router-to-router VPNs to provide connectivity to the company’s LAN from remote locations or to connect two branch offices. We’ll discuss the intricacies of demand-dial/on-demand connections and persistent connections, and explain the difference between
one-way and two-way initiation. We’ll also show you how to use Remote Access Policies to
control VPN connections, and we’ll discuss VPN protocols supported by Windows Server
2003 and how to make VPN connections using either the Point-to-Point Tunneling
Protocol (PPTP) or the Layer 2 Tunneling Protocol (L2TP). You’ll learn about VPN security and the authentication and encryption protocols that make your virtual network private.
Next, we’ll take a look at the Internet Authentication Service (IAS) and how it can
provide centralized user authentication and authorization, centralized auditing and
accounting, and extensibility and scalability. You’ll learn about IAS integration with
the Windows Server 2003 Routing and Remote Access Service (RRAS), and how to control
authentication via Remote Access Policies. We’ll show you how to use the IAS Microsoft
Management Console (MMC) snap-in and how to implement monitoring of IAS, and
we’ll discuss the use of the IAS Software Development Kit (SDK). Then we’ll delve a little
deeper into the IAS authentication methods and discuss Remote Authentication Dial-In
User Service (RADIUS) access server support, wireless access points (WAPs), and authenticating switches.
In the next section, we’ll walk you through the process of using the Connection
Manager Administration Kit (CMAK) to create service profiles, custom actions, and custom
help files, as well as VPN support, to make it easier for nontechnical users to connect
remotely without needing to do complex configuration. We’ll talk about security issues
pertaining to Connection Manager, and show you how to prevent editing of service profile
files, how to prevent users from saving their passwords, and how to distribute service profiles securely.
EXAM 70-293 OBJECTIVE 2, 2.3, 2.5
Connecting the LAN to the Internet
You can connect a Windows Server 2003 network to the Internet in two basic ways:
■ Using a router to directly route traffic to and from the Internet
■ Using a translation service to convert traffic from an internal network to Internet traffic
The following sections discuss the advantages and disadvantages of these methods.
Routed Connections
The traditional method of connecting a network to the Internet is to use a router to route
traffic between the external network and your local network. The advantages of this
approach are that it is easy to configure, requiring only simple hardware setup, and that it
allows full Internet access for all machines on the local network segment. It also allows all
machines on the network to provide services to the Internet.
Routed connections have two chief disadvantages. First, every machine on the local
network is reachable from anywhere on the Internet. This is rarely necessary and creates a
large number of potential security problems. Second, a separate Internet IP address is
required for each machine that can access the Internet. Since IP addresses are scarce and are
issued only to networks that can prove a need for them, this is not the most efficient
approach.
Advantages of Routed Connections
Although translated connections are becoming increasingly popular, routed connections do
have a number of advantages:
■ Since each client is connected to the Internet through the router, clients can connect even if the local network servers are not working.
■ Some Internet clients, such as multimedia applications and games, do not work
correctly over a translated connection.
■ Each machine has a dedicated Internet IP address and can be used for services
such as File Transfer Protocol (FTP) and Domain Name System (DNS) that
require a unique IP address per host.
Hardware and Software Routers
A routed connection uses a router, a device that transmits data between the internal network
and the Internet. There are two types of routers:
■ A hardware router is a dedicated device. Hardware routers provide a simple “out-of-the-box” solution for Internet connections.
■ A software router runs as a service on one of the computers on the network. The
Routing and Remote Access Service (RRAS) in Windows Server 2003 allows a
computer to act as a router.
In order to use a computer as a software router, it must have two network connections:
one to the internal network (LAN) and one to the external network (the Internet).
Microsoft sometimes refers to a computer with two network connections as a multihomed
computer.
IP Addressing for Routed Connections
When you are using a routed connection to the Internet, each machine on the internal
network will need a valid Internet IP address. IP addresses are managed by a central
authority, the American Registry for Internet Numbers (ARIN). You will typically obtain
IP addresses from an Internet Service Provider (ISP), which has obtained a block of
addresses from ARIN for use by its clients.
Once you have been issued one or more IP addresses, you can assign them to the computers in the network. There are two basic ways to accomplish this:
■ By manually configuring an IP address in each computer’s network connection properties
■ By using the Dynamic Host Configuration Protocol (DHCP) to assign addresses
Using DHCP, you can define the IP addresses you have been issued in the DHCP
server, and clients are automatically assigned, or leased, an address when they are booted. If a
client disconnects from the network, its lease is terminated after a timeout period and the address becomes available to other computers.
TEST DAY TIP
Any Windows Server 2003 (or Windows 2000 Server) computer can act as a DHCP
server. To configure DHCP, select Start | Administrative Tools | Configure Your
Server Wizard and enable the DHCP Server role.
Translated Connections
The second strategy is to use a service that translates between internal IP addresses and
external addresses used on the Internet. By using this technique, you can enable Internet
access for many computers using a single Internet IP address. Along with conserving address
space, address translation ensures that your computers are not accessible directly from the
Internet, effectively preventing many types of network attacks.
Network Address Translation (NAT) is an Internet standard defined in RFC 1631 for
systems that translate between internal and external network addresses. Windows networks
support two types of NAT service:
■ Network address translation (NAT) is a full-featured NAT implementation supported by Windows 2000 Server and Windows Server 2003.
■ Internet Connection Sharing (ICS) is a simplified NAT implementation for small
networks, and is supported by Windows 98 Second Edition, Windows Me,
Windows XP, and Windows 2000 Professional.
When you configure the NAT or ICS service, the computer that acts as the NAT
server must have at least two network connections: a connection to the Internet (typically a
modem or broadband connection) and a connection to the LAN containing the computers
that will share the Internet connection.
EXAM 70-293 OBJECTIVE 2.5
Network Address Translation (NAT)
NAT is Microsoft’s full-featured address translation feature. When you access the Internet
on a network that uses a NAT server, outgoing packets are sent to the NAT server, which
changes their originating address and forwards them to the Internet. The returned packets
are delivered to the NAT server. The server then translates the packets to internal IP
addressing and sends them to the machine that made the original request.
The Windows Server 2003 NAT server actually supports three separate services:
■ NAT, the address translation service
■ DHCP for assigning IP addresses to clients that are sharing the Internet connection
■ DNS for name resolution
Depending on your network configuration, you might not need the NAT server to
handle address assignment or name resolution. You can choose whether to use these components when you configure the NAT server. If you have dedicated DHCP or DNS servers
on the network, you can continue to use them with NAT. (The DNS service forwards
requests to an Internet DNS server and returns the results to the appropriate client within
the private network.)
Installing the NAT Service
NAT is part of the RRAS component of Windows Server 2003. RRAS is installed with
Windows Server 2003 but is not enabled by default. You can enable this service using the
Manage Your Server application that is launched when you install the operating system or
by using the Routing and Remote Access MMC snap-in. Windows Server 2003 includes a
wizard that can enable RRAS and set up a NAT server. Exercise 5.01 shows how to configure NAT using the wizard.
TEST DAY TIP
Remember that you need at least two network interfaces on the NAT server: one
connected to the private network, usually a LAN adapter, and one connected to
the Internet. You can configure a demand-dial Internet connection (if you’re using
a modem or ISDN dial-up instead of an “always-on” connection to the Internet)
during the NAT server setup process.
You can also configure NAT manually using the Routing and Remote Access MMC
snap-in. This is the only way to configure a NAT server on a machine that already has
RRAS enabled. RRAS can perform NAT along with its other functions, which include
acting as a network router or accepting dial-up network connections.
EXERCISE 5.01
INSTALLING NAT USING THE WIZARD
You can install NAT on a Windows Server 2003 server that does not yet have
RRAS enabled using the Routing and Remote Access Server Setup Wizard. This
exercise guides you through the process of setting up a basic NAT server using
the Wizard.
1. Select Start | Administrative Tools | Routing and Remote Access to
start the RRAS MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left
column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and
Remote Access.
4. The Wizard displays a Welcome window. Click Next to continue.
5. The Configuration window appears. Select the Network address
translation (NAT) option, as shown in Figure 5.1, and click Next.
Figure 5.1 Select NAT from the RRAS Wizard
6. The NAT Internet Connection window is displayed. Here, you can
choose how the NAT server will connect to the Internet. Choose either
Use this public interface to connect to the Internet or Create a new
demand-dial interface to the Internet.
7. You can optionally choose to enable basic security for the Internet
interface by checking the Enable security on the selected interface
by setting up Basic Firewall option. This option is enabled by default.
8. Click Next to continue.
9. The Ready to Apply Selections window is displayed. Click Next to
start the RRAS service.
If you chose to create a new demand-dial interface in Step 6, the Demand-Dial Interface Wizard will guide you through this process. This Wizard is
described in Exercise 5.04, later in this chapter. Otherwise, you are returned to
the Routing and Remote Access MMC snap-in, and you can now manage the
NAT service as described in the next section.
Managing NAT
After you have enabled RRAS and set up a NAT server, you can manage the server from
the Routing and Remote Access MMC snap-in. Select the server and select Action |
Properties to display the Properties dialog box. Select the IP tab within this dialog to
display the IP properties, shown in Figure 5.2. This page allows you to manage the address
assignment feature of NAT. The NAT server can assign IP addresses in one of two ways:
■ Select Dynamic Host Configuration Protocol (DHCP) to use an existing
DHCP server to handle addressing.
■ Select Static address pool to explicitly list the IP addresses this server can assign
to clients. Once you have selected this option, you can use the Add, Edit, and
Remove options to create a list of one or more IP address ranges for the address
pool.
The IP properties tab also includes an option to manage the name resolution feature of
NAT. Select the Enable broadcast name resolution option if you do not have a DNS
or Windows Internet Name Service (WINS) server on the network to handle name resolution. If this option is selected, the RRAS server uses network broadcasts to resolve names.
This eliminates the need for a dedicated name server on single-subnet Windows-based networks.
Figure 5.2 The IP Properties for an RRAS Server
TEST DAY TIP
If you are not using broadcast name resolution, the NAT server needs to know the
IP address of a DNS or WINS server to complete resolution requests. These server
addresses are not part of the RRAS configuration. You must specify them using the
Properties dialog box for the network interface.
Configuring a NAT Connection
You can also manage the settings for a NAT interface from the Routing and Remote
Access console. To access these settings, select the NAT/Basic Firewall entry under IP
routing in the left column, and then select Action | Properties from the menu. The
Properties dialog box is divided into four tabbed sections:
■ NAT / Basic Firewall On this tab, shown in Figure 5.3, you can enable or disable NAT for the connection. You can also enable a basic firewall, which prevents
unauthorized traffic from the Internet from reaching the internal network. You
can also use the Inbound Filters and Outbound Filters buttons to define IP
filters to further secure the connection.
■ Address Pool Allows you to define the Internet addresses that will be used by
the NAT server. Don’t confuse this with the pool of private addresses the server
can assign to clients. At least one Internet address must be included here. You can
also use the Reservations button to define an external address that always
reaches the same internal client machine. This is useful if you need to run a Web
server or other service and make it accessible over the Internet.
■ Services and Ports Allows you to enable various services, such as FTP and
Simple Mail Transfer Protocol (SMTP), that will be accessible to Internet users,
and define the internal machines these packets will be routed to.
■ ICMP Allows you to enable various types of diagnostic packets. These may
be needed if you wish the NAT server to respond to PING or Traceroute
diagnostics.
Figure 5.3 NAT Properties
How NAT Works
NAT transparently handles translation, so clients do not need to be aware that NAT is in
use. Instead, they are configured with the NAT server’s address as their default gateway.
When a client sends an outgoing packet, it is sent to the NAT server. The NAT server
receives the packet and performs the following tasks:
■ The packet’s destination address and port are stored in an entry in the NAT table,
along with the internal address from which the packet originated.
■ The packet’s source address is changed to the NAT server’s address, and a random
port number is assigned.
■ The packet is sent over the Internet.
■ When the remote server responds, the response is sent to the NAT server at the
port number previously assigned. The NAT server consults the NAT table to
determine which client requested the response, edits the packet to use the client’s
internal IP address as its destination, and sends it to the internal network.
Some Internet protocols, such as FTP, store addressing information within the packet
itself, which would not normally work with NAT. The NAT server uses a NAT editor to
modify the addresses for these protocols. Windows Server 2003 includes editors for several
protocols. Keep in mind that some protocols may not be supported across the NAT server.
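The following Python model is an added illustration, not code from the book or from Windows: it walks through the NAT table steps just described (record the flow, rewrite the source to the server's address and a random port, match the reply back by that port) and adds a static port mapping of the kind the Services and Ports tab creates. All addresses, port numbers and the Packet class are constructed for the example; unsolicited Internet packets with no table entry are simply dropped, which is the "not accessible directly from the Internet" property the text attributes to translation.

```python
from dataclasses import dataclass, replace
import random


@dataclass(frozen=True)
class Packet:
    """The header fields that NAT rewrites or looks up (constructed model)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatServer:
    """A NAT server with one public address in front of a private LAN."""

    def __init__(self, public_ip, rng=None):
        self.public_ip = public_ip
        self.rng = rng or random.Random()
        # Dynamic NAT table, keyed by the public port this server assigned:
        # (proto, public_port) -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        # Static mappings, as entered on the Services and Ports tab (or as an
        # ICS custom service): (proto, public_port) -> (private_ip, private_port)
        self.static = {}

    def add_port_mapping(self, proto, public_port, private_ip, private_port):
        """Publish an internal service on a fixed public port (e.g. NNTP 119 -> 119)."""
        self.static[(proto, public_port)] = (private_ip, private_port)

    def _assign_port(self, proto):
        """Pick a random public port that is not already in either table."""
        while True:
            port = self.rng.randint(49152, 65535)
            if (proto, port) not in self.table and (proto, port) not in self.static:
                return port

    def outbound(self, pkt):
        """LAN -> Internet: replace the private source with the NAT server's own."""
        # A reply from a published server must leave on its fixed public port,
        # otherwise the remote peer sees a source port it never talked to.
        for (proto, pub_port), private in self.static.items():
            if (proto, *private) == (pkt.proto, pkt.src_ip, pkt.src_port):
                return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
        # Packets of a flow the table already knows reuse its assigned port;
        # a new flow gets a new entry recording client and remote endpoints.
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for (proto, pub_port), entry in self.table.items():
            if proto == pkt.proto and entry == flow:
                return replace(pkt, src_ip=self.public_ip, src_port=pub_port)
        pub_port = self._assign_port(pkt.proto)
        self.table[(pkt.proto, pub_port)] = flow
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt):
        """Internet -> LAN: restore the client's address from the table, or drop."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self.table.get(key)
        # Only the remote endpoint recorded for this flow may answer on its port.
        if entry is not None and (pkt.src_ip, pkt.src_port) == entry[2:]:
            return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        if key in self.static:
            priv_ip, priv_port = self.static[key]
            return replace(pkt, dst_ip=priv_ip, dst_port=priv_port)
        # No matching entry and no published service: the packet is discarded,
        # which is why hosts behind NAT are not reachable from the Internet.
        return None


if __name__ == "__main__":
    # Constructed addresses: 192.168.0.0/24 LAN, documentation ranges elsewhere.
    nat = NatServer("203.0.113.5", rng=random.Random(1))
    out = nat.outbound(Packet("tcp", "192.168.0.10", 40000, "198.51.100.7", 80))
    print("outbound rewritten to", out.src_ip, out.src_port)
    reply = Packet("tcp", "198.51.100.7", 80, "203.0.113.5", out.src_port)
    print("reply delivered to", nat.inbound(reply).dst_ip)
    probe = Packet("tcp", "198.51.100.9", 5000, "203.0.113.5", 119)
    print("unsolicited port 119 packet:", nat.inbound(probe))
    nat.add_port_mapping("tcp", 119, "192.168.0.20", 119)
    print("after Services and Ports entry:", nat.inbound(probe).dst_ip)
```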
Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) is a simple implementation of a NAT server and is
included with all versions of Windows 2000, Windows XP, and Windows Server 2003, as
well as Windows 98 Second Edition and Windows Me. It is much easier to configure and
use than the full NAT service. Although ICS supports the basic translation features of NAT,
it has a couple of limitations:
■ ICS supports only a single Internet IP address and a single LAN connection. The
full NAT service can connect any number of public IP addresses to multiple
LANs.
■ ICS cannot be used on networks that have a DHCP or DNS server implemented.
TEST DAY TIP
You should use ICS only when you are not using the NAT feature on the server, or
when you are using an operating system for the NAT host, such as Windows XP,
that supports ICS but not the full NAT service.
Activating the ICS Service
ICS is included and installed automatically with all versions of Windows Server 2003 and
Windows 98 Second Edition and later. This feature is disabled by default, but enabling it is
a simple process.
To enable ICS, open the Properties dialog box for the network adapter that connects
to the Internet and select the Advanced tab. The Advanced properties are displayed, as
shown in Figure 5.4. To enable ICS, simply check the Allow other network users to
connect through this computer’s Internet connection option. You can also optionally
check the Establish a dial-up connection whenever a computer on the network
attempts to access the Internet option for a dial-up Internet connection.
Figure 5.4 The Advanced Internet Provider Properties
TEST DAY TIP
The ICS options are included only in the Advanced tab of the Properties dialog
box for Internet connections. LAN connections, such as the default Local Area
Connection, do not include this option, since they connect only to the local network. You will, however, find the Connection Sharing option in the Properties
dialog box for VPN connections.
Configuring Services
ICS is primarily a way for computers on your network to access Internet services, but it
also allows you to configure services that are provided by a machine on your network and
available via the Internet. When you use this option, incoming requests from the Internet
are received by the ICS server and forwarded to whichever local machine is providing the
service.
When ICS is enabled, you can click the Settings button in the Advanced tab of the
Properties dialog box to configure the services available on your network and specify
which client machines provide them. No services are enabled by default. The Services
dialog box, shown in Figure 5.5, lists a number of common services and allows you to configure them or add additional services.
Figure 5.5 The Network Services That Internet Users Can Access
Whether you use one of the predefined services, such as an FTP server or a Telnet
server, or configure a custom service, you need to specify which computer on the local network will provide the service. Exercise 5.02 demonstrates the process of adding a new service.
EXERCISE 5.02
ADDING A CUSTOM SERVICE
You need to add an entry for any service on your network that should be
accessible from outside the network. For example, the Network News Transfer
Protocol (NNTP) service is not included as one of the default options, so you
can add an entry for it. Follow these steps to add a custom service:
1. From the Network Connections window, right-click the Internet connection you are sharing and click Properties.
2. Select the Advanced tab.
3. Ensure that the Allow other network users to connect through this
computer’s Internet connection option is enabled and click Settings.
4. The Services dialog box is displayed. Click Add.
5. The Service Settings dialog is displayed. In the Description of service
text box, enter Net News Transfer Protocol, as shown in Figure 5.6.
Figure 5.6 Service Settings
6. In the Name or IP address text box, enter the machine name or IP
address for the local machine providing the service.
7. In the External port number for this service text box, enter 119.
8. In the Internal port number for this service text box, also enter 119.
9. Click OK.
10. You are returned to the Services dialog box, and the new service is
now listed. Click OK to return to the Properties dialog box.
Implementing Virtual Private Networks (VPNs)
EXAM 70-293 OBJECTIVE 2, 2.3
Traditionally, when you are setting up a private network that spans multiple locations, you
use one or more private wide area network (WAN) links to connect the locations (for
example, T1 lines). While this provides secure high-speed communication between the locations, it is also relatively expensive. A VPN eliminates the need for dedicated WAN links by
taking advantage of readily available connections to the public Internet.
A VPN is defined as a private network that uses virtual links through a public network
rather than dedicated WAN links. These virtual connections use a technology called tunneling to encrypt private data and encapsulate it in packets to be transmitted over the public
network.
Windows Server 2003 includes VPN functionality as part of RRAS. You can configure
a Windows Server 2003 machine to act as a VPN server, which manages the VPN connections between clients or networks.
TEST DAY TIP
One advantage of using a VPN connection, rather than a dedicated leased line, is
that the VPN connection is flexible. For example, if you move a location, all that is
required to reconnect to the VPN is an Internet connection of any type.
Internet-based VPNs
One common use for a VPN server is to allow clients to remotely access the network. For
example, you might have employees who work from home or who need network access
from their laptops while on the road. Traditionally, this would require a pool of modems and
a dial-up RRAS server, or a dedicated WAN link. With a VPN, since remote clients often
have Internet connectivity, you can configure a VPN server to accept connections from these
clients over the Internet. This provides them with a secure connection to the network
without the need for modems or phone lines, and it often saves money, since a client can use
a low-cost ISP with a local phone number rather than making a long-distance call.
NOTE
Microsoft refers to a VPN connection used for remote access as an Internet-based
VPN. This is also known as a client-server VPN connection. The other type is a
router-to-router connection. Although both types use the Internet for connectivity,
Internet-based VPN refers to client-server connections.
How Internet-based VPNs Work
Figure 5.7 shows how a typical Internet-based VPN works.The remote client connects to
the public Internet and uses VPN client software to initiate a connection with the VPN
server. Communications for the VPN are encrypted and encapsulated into packets sent over
the Internet.
Figure 5.7 Communications in an Internet-based VPN (diagram: Client, Encrypted Tunnel across the Internet, Server)
Configuring Internet-based VPNs
RRAS supports the protocols needed for a VPN. You can configure these individually or
use the RRAS Setup Wizard to configure a VPN server. Exercise 5.03 guides you through
the process of configuring a VPN server using the Wizard.
EXERCISE 5.03
CONFIGURING A VPN SERVER USING THE WIZARD
If you have not yet configured RRAS on a server, you can use the Routing and
Remote Access Server Setup Wizard to configure the server with the basic
options for a VPN server.
NOTE
If you have previously configured the server to use RRAS, in order to perform this
exercise you will need to first disable it. To do so, right-click the RRAS server name
in the left console panel of the Routing and Remote Access MMC and select
Disable Routing and Remote Access.
Follow these steps to configure the VPN server:
1. Select Start | Programs | Administrative Tools | Routing and
Remote Access to start the Routing and Remote Access MMC snap-in.
2. Click the RRAS server name (usually the current machine) in the left
column to highlight it.
3. From the menu, select Action | Configure and Enable Routing and
Remote Access.
4. The Routing and Remote Access Server Setup Wizard displays a
Welcome window. Click Next to continue.
5. The Configuration window appears (see Figure 5.1, earlier in the
chapter). Select Virtual Private Network (VPN) access and NAT from
the list and click Next.
6. The Wizard displays a final confirmation window, as shown in Figure
5.8. Click Finish to enable the RRAS and VPN features.
Figure 5.8 Completing the Routing and
Remote Access Server Setup Wizard
7. A dialog box asks whether you wish to start the RRAS service at this
time. Click Yes.
Windows Server 2003 next starts the RRAS service and can accept VPN connections. You are returned to the Routing and Remote Access MMC snap-in,
where you can customize the settings for the VPN server.
Router-to-Router VPNs
While an Internet-based VPN provides easy remote access for individual clients, you can
also configure a larger-scale VPN to connect two geographically separated LANs. A router-to-router VPN requires an Internet connection for each LAN, and it encapsulates traffic on
the Internet to create a virtual WAN between the locations.
A router-to-router VPN can either use demand-dial connections, creating the VPN only
when it is required for traffic between the networks, or persistent connections for an always-on
VPN. In either case, it can save money, since Internet connectivity is usually available at a
lower cost than a dedicated WAN link between geographically separated sites. The longer
the distance, the more money you are likely to save.
On Demand/Demand-Dial Connections
A demand-dial connection is often the most practical choice for small remote sites that only
occasionally require VPN connectivity. RRAS supports one or more demand-dial connections. You can configure a connection using the Network Interfaces node in the RRAS
MMC snap-in. Exercise 5.04 demonstrates how to add a new demand-dial interface.
EXERCISE 5.04
CONFIGURING A DEMAND-DIAL INTERFACE
You can add a new demand-dial interface on any RRAS computer that has
RRAS configured. If you have not yet configured and enabled RRAS, see the
instructions earlier in this chapter. Follow these steps to create a new demand-dial interface:
1. From the Routing and Remote Access MMC snap-in, right-click the
Network Interfaces item in the left column and select New Demand-dial Interface.
2. The Demand-Dial Interface Wizard displays an introductory message.
Click Next to continue.
3. You are prompted for a name for the new interface, as shown in Figure
5.9. Enter the name and click Next.
Figure 5.9 Enter a Name for the Demand-Dial Interface
4. The Connection Type window appears. Select Connect using virtual
private networking (VPN) and click Next.
5. The VPN Type window is displayed. You can choose one of the VPN protocols (described in the “VPN Protocols” section later in this chapter).
Select Automatic selection and click Next.
6. You are prompted for the host name or IP address of the remote
router. Enter an address or name and click Next.
7. The Protocols and Security window is displayed, as shown in Figure
5.10. Enable the Route IP packets on this interface option and click
Next.
Figure 5.10 Choose Protocols and Security Options
8. The Static Routes for Remote Networks window is displayed. Click
Add to add a static route. Specify a destination address and subnet
mask, and then click OK.
9. Click Next to continue.
10. The Dial Out Credentials window is displayed. Enter a username,
domain name, and password to connect to the remote network, and
then click Next.
11. The Wizard displays a completion message. Click Finish to complete the
configuration of the demand-dial interface.
After you have completed this process, the new interface you created is
listed in the Network Interfaces section of the Routing and Remote Access
MMC snap-in. You can select this entry and open its Properties dialog box to
change the configuration.
One-Way versus Two-Way Initiation
You can configure a demand-dial VPN with either one-way or two-way initiation:
■ In one-way initiation, one VPN server is configured to accept demand-dial connections, and the other initiates the connection.
■ In two-way initiation, both VPN servers are configured to accept connections. Whenever a client of one server requires access to the VPN, it initiates a connection to the other server.
Persistent Connections
Instead of using a demand-dial connection, a VPN server can use a persistent (always-on)
connection to the Internet, such as an existing Digital Subscriber Line (DSL) connection. If
the computer you are using as the VPN server is configured to use this type of Internet
connection, it can be made available to VPN clients. To create a new persistent connection,
select Start | Control Panel | Network Connections | New Connection Wizard.
Remote-Access Policies
You can secure a demand-dial connection in the same way that you secure a connection for
a remote user. The calling router requires a user account on the VPN server. You can configure this user account’s properties with the Allow Access option in the Dial-in properties section to explicitly allow access, or if access is controlled through a Remote Access
Policy, the policy should grant the appropriate user remote access permissions. If you are
using RADIUS authentication (explained in the “Using Internet Authentication Service
(IAS)” section later in this chapter), the policy is configured on the RADIUS server rather
than on the RRAS server.
Each remote-access policy is associated with a dial-in profile, which allows you to configure how the connection can be used. You can use the policy and profile settings to configure the authentication methods allowed, the hours in which dialing out is allowed, and
other settings. These options are explained in detail in Chapter 7.
VPN Protocols
A VPN is created using a tunneling protocol. This is a standard communication protocol that
creates a tunnel through the public network and transmits private data in encrypted form.
This is accomplished using encapsulation, a process that encrypts each VPN packet, combines
it with a header to form a standard IP datagram, and sends it over the public network.
Windows Server 2003 supports two standard tunneling protocols: the Point-to-Point
Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP).
PPTP
PPTP is the oldest and most common VPN protocol. PPTP is based on the Point-to-Point
Protocol (PPP), which is typically used for dial-up connections. PPTP encapsulates PPP
frames into IP packets, encrypts the data, and transmits them over the Internet.
PPTP in Windows Server 2003 is based on the existing PPP infrastructure and supports
the same authentication methods as PPP, such as the Password Authentication Protocol
(PAP) and Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). When a
higher-level authentication method is used, PPTP supports Microsoft Point-to-Point
Encryption (MPPE), a strong method of encrypting VPN traffic before allowing it to traverse the public network.
L2TP
L2TP is a more recent tunneling protocol that offers additional features over PPTP. L2TP is
a generic tunneling protocol that can encapsulate packets of many types for transmission
over a network. Unlike PPTP, L2TP does not include encryption. Windows 2003 VPNs use
the IP Security protocol (IPSec) to encrypt data sent over an L2TP tunnel. This provides
end-to-end encryption and greater security than the MPPE encryption used with PPTP.
Refer to Chapter 7 for more details on tunneling protocols.
VPN Security
A VPN combines encapsulation with encryption to create a connection between two systems. Depending on the VPN tunneling protocol you use, one of two encryption protocols
is used to encrypt the data before it passes through the public network: MPPE or IPSec.
MPPE
MPPE is used with VPNs created by PPTP. MPPE provides encryption for the tunnel only;
it does not provide end-to-end encryption from the client to the VPN server. MPPE
requires that the client and server support either the MS-CHAP or Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) authentication method.
These methods are described in detail in the “Authentication Methods” section later in this
chapter.
IPSec
IPSec is an Internet standard for encrypted IP traffic. Since the L2TP tunneling protocol
does not include encryption by itself, IPSec is used to encrypt the data before it is encapsulated across the tunnel. Unlike MPPE, IPSec does provide end-to-end encryption. You can
use IPSec over an established PPTP link to add end-to-end encryption.
TEST DAY TIP
IPSec also supports tunnel mode, a built-in ability to create a VPN tunnel without
the use of L2TP. This mode works only with router-to-router VPNs. It is an
advanced feature and is only necessary to support certain hardware that does not
support the standard PPTP or L2TP tunneling protocols.
EXAM 70-293 OBJECTIVE 2, 2.3
Using Internet Authentication Service (IAS)
While basic RRAS security is sufficient for small networks, a larger enterprise often needs
a dedicated infrastructure for authentication. RADIUS is a standard for dedicated authentication servers. A RADIUS server provides centralized authentication and access control, and
it can also provide detailed accounting for the use of its services. RADIUS services can be
scaled to handle any enterprise’s authentication needs and extended with multiple authentication servers.
Windows Server 2003 includes Microsoft Internet Authentication Service (IAS), an
implementation of a RADIUS server. IAS supports authentication for Windows-based
clients, as well as for third-party clients that adhere to the RADIUS standard. IAS stores its
authentication information in Active Directory (AD), and you can manage it with Remote
Access Policies.
NOTE
For more detailed information about configuring IAS for specific uses, such as
wireless authentication, see Chapter 7.
Advantages of IAS
While IAS requires the use of an additional server component, it provides a number of
advantages over the standard methods of RRAS authentication. These advantages include
centralized authentication for users, auditing and accounting features, scalability, and seamless integration with the existing features of RRAS.
Centralized User Authentication and Authorization
In the RADIUS standard, remote users do not connect directly to the RADIUS server.
Instead, they connect to a network access server (typically an RRAS server), which acts as a
RADIUS client, connecting to the IAS server and authenticating the user. This provides for
centralized authentication. Any number of RRAS servers can connect to the same IAS
server for authentication.
Centralized Auditing and Accounting
Along with authentication, IAS supports auditing features—tracking when the system is
used, when errors occur, and so on—and can keep a centralized record of usage of the
remote access or VPN servers. This record is stored in a log file, which you can import into
a database or analyze to determine traffic patterns or potential problems.
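The kind of analysis the paragraph above has in mind, as an added example that is not from the book: a small Python parser for IAS-format log records that surfaces accounts with a burst of Access-Reject results, which is what a repeated credential failure against the VPN server looks like in the centralized log. The six fixed leading fields follow the IAS log format; the attribute numbers 4136 (Packet-Type) and 4142 (Reason-Code), their values, and the sample records are assumptions constructed for the example and should be checked against the headers of your own log files.

```python
"""Parse IAS-format RADIUS log records and flag users with repeated rejects.

Added example (not from the book). Sample records below are constructed.
"""
from collections import Counter

# The first six fields of an IAS-format record are fixed; everything after
# them is a flat sequence of attribute-number,value pairs.
FIXED_FIELDS = ("NAS-IP-Address", "User-Name", "Record-Date",
                "Record-Time", "Service-Name", "Computer-Name")

# IAS-specific attribute numbers and values used here (assumed from the IAS
# log-format documentation; verify against your own server's output).
ATTR_PACKET_TYPE = "4136"  # 1=Access-Request 2=Access-Accept 3=Access-Reject 4=Accounting-Request
ATTR_REASON_CODE = "4142"  # 0 = success, non-zero = IAS reason code
PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept",
                "3": "Access-Reject", "4": "Accounting-Request"}


def parse_ias_line(line):
    """Split one comma-delimited record into fixed fields plus an attribute dict."""
    fields = line.rstrip("\r\n").split(",")
    if len(fields) < len(FIXED_FIELDS):
        raise ValueError("record shorter than the six fixed IAS fields")
    record = dict(zip(FIXED_FIELDS, fields[:6]))
    pairs = fields[6:]
    if len(pairs) % 2:
        raise ValueError("attribute/value tokens do not pair up")
    record["attributes"] = {pairs[i]: pairs[i + 1] for i in range(0, len(pairs), 2)}
    return record


def packet_type(record):
    """Human-readable RADIUS packet type for a parsed record."""
    return PACKET_TYPES.get(record["attributes"].get(ATTR_PACKET_TYPE), "Unknown")


def count_rejects(lines, threshold=3):
    """Return {user: rejects} for accounts rejected at least `threshold` times.

    A run of Access-Reject records for one account is worth surfacing from the
    centralized log: either a remote client with a stale credential, or
    password guessing against the VPN server.
    """
    rejects = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_ias_line(line)
        if packet_type(rec) == "Access-Reject":
            rejects[rec["User-Name"].lower()] += 1
    return {user: n for user, n in rejects.items() if n >= threshold}


# Constructed sample records: one accept, three rejects for bob, one accounting record.
SAMPLE_LOG = """\
192.168.10.20,CORP\\alice,09/09/2003,17:20:01,IAS,IAS1,4136,2,4142,0
192.168.10.20,CORP\\bob,09/09/2003,17:20:05,IAS,IAS1,4136,3,4142,16
192.168.10.20,CORP\\bob,09/09/2003,17:20:09,IAS,IAS1,4136,3,4142,16
192.168.10.20,CORP\\bob,09/09/2003,17:20:14,IAS,IAS1,4136,3,4142,16
192.168.10.20,CORP\\alice,09/09/2003,17:21:30,IAS,IAS1,4136,4,44,1A2B
"""

if __name__ == "__main__":
    for user, n in count_rejects(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {n} Access-Reject records")
```

The same parser works on the ODBC-style database import the paragraph mentions once the records are read back as rows; the point of keeping the fixed fields and the attribute pairs separate is that the attribute set varies from record to record while the first six columns do not.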
RRAS Integration
IAS supports the same Remote Access Policy settings as RRAS. You can use these settings
on a simple RRAS server in a small network, and later add an IAS server, move the policies
to the IAS server, and configure one or more RRAS servers to authenticate using IAS.
When using IAS for authentication, RRAS servers no longer have their own Remote
Access Policies, since the IAS server manages a centralized policy.
Control via Remote-Access Policies
As with basic RRAS security, you can define remote-access policies to configure remote-access security with IAS. You can define a single set of remote-access policies on the IAS
server, and they will be used by every RRAS server that uses IAS for authentication. This
centralized authentication allows you to quickly define policies for the entire enterprise
without the need to manage individual policies for each RRAS server.
Extensibility and Scalability
IAS provides an extensible architecture for authentication. While it provides only a small
advantage over traditional Windows authentication methods when used on a small network,
IAS excels in large enterprises because it provides centralized authentication. You can scale
from a single IAS server to multiple IAS servers interacting with multiple RRAS servers in
a global network. When you add a new RRAS server, you don’t need to configure its security separately; simply configure it to use the existing IAS server for authentication.
IAS Management
To support IAS, you will need one or more IAS servers. You can install IAS on a domain
controller or member server. The server can be used for other components, such as RRAS,
but if the IAS server will be heavily used, you may wish to dedicate a server for this purpose. You can use a single server or configure a second server to act as a backup. RRAS
servers that authenticate using IAS can contact the backup server if they are unable to reach
the primary server.
The IAS component is included with all editions of Windows Server 2003 except the
Web Edition. You can install IAS on a Windows Server 2003 computer using the
Add/Remove Programs option in Control Panel. Exercise 5.05 demonstrates how to
add this component to a server.
EXERCISE 5.05
INSTALLING IAS
Follow these steps to install IAS on a computer running Windows Server 2003:
1. Select Start | Control Panel | Add/Remove Programs.
2. Select the Add or Remove Windows Components option.
3. Select Networking Services from the list and click Details.
4. Check the box next to Internet Authentication Service and click OK.
5. Click Next to complete the installation.
Activating IAS Authentication
When you have a working IAS server on the network, you can configure the RRAS server
to use IAS authentication. This will disable the normal Remote Access Policies in the
Routing and Remote Access MMC snap-in and forward all authentication to the IAS
server. You can then configure security settings for all RRAS servers centrally at the IAS
server. Exercise 5.06 guides you through the process of enabling IAS authentication for an
RRAS server.
EXERCISE 5.06
SELECTING IAS AUTHENTICATION
To select IAS authentication, you must have already configured and enabled
RRAS services on the computer. Follow these steps to enable IAS authentication:
1. Select Start | Administrative Tools | Routing and Remote Access.
2. Click the RRAS server name in the left column to highlight it. Select
Action | Properties from the menu, or right-click the RRAS server
name and select Properties from the context menu.
3. The Properties dialog box is displayed. Click the Security tab. The
Security properties are displayed, as shown in Figure 5.11.
Figure 5.11 Security Properties
4. In the Authentication provider drop-down list, select RADIUS
Authentication.
5. Click the Configure button to display the RADIUS server options.
6. Click Add to add a RADIUS server to the list.
7. The Add RADIUS Server dialog box is displayed, as shown in Figure
5.12. Enter the name of the RADIUS server. You can optionally specify a
shared secret using the Change button. Click OK.
Figure 5.12 Add a RADIUS Server
8. Click OK to exit the Properties dialog box.
9. A dialog box reminds you to restart RRAS to enable the new authentication method. Click OK to continue.
10. You are returned to the Routing and Remote Access MMC snap-in.
Select the RRAS server in the left column and select Action | All Tasks
| Restart from the menu, or right-click the server name and select All
Tasks | Restart from the context menu.
RRAS is now restarted, and RADIUS authentication is enabled using the IAS
server.
EXAM WARNING
If you enter a shared secret (password) in the RADIUS Authentication settings of
RRAS, it must be the same one you already specified in the properties of the IAS
server. This password system provides a basic level of security between RADIUS
clients and servers. Its primary purpose is to ensure that an unauthorized RADIUS
server cannot be added to the network and used to provide incorrect authentication information.
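How the shared secret enforces that, as an added example that is neither the book's nor Microsoft's code: the RADIUS client (here, the RRAS server) and the RADIUS server (IAS) never send the secret, but every reply carries a Response Authenticator computed over the reply and the secret (RFC 2865, section 3), and the PAP User-Password attribute in the request is hidden with a keystream derived from the secret (RFC 2865, section 5.2). The Python below builds an Access-Request, has a server with the right secret and a server with a different secret each answer it, and shows the client accepting only the first. The secret, user name and password are constructed values.

```python
"""RFC 2865 shared-secret mechanics between a RADIUS client (the RRAS
server) and a RADIUS server (IAS).

Added example (not the book's or Microsoft's code). It shows two things the
shared secret does: hides the PAP User-Password in an Access-Request, and
lets the client check the Response Authenticator so a reply from a server
that does not know the secret is rejected. Names and values are constructed.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def attribute(attr_type, value):
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def recover_password(hidden, secret, request_auth):
    """Server side of the same transform; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, request_auth=None):
    """Client side: a fresh random Request Authenticator per request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER_LEN + len(attrs)
    return hashlib.md5(struct.pack("!BBH", code, identifier, length)
                       + request_auth + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """What a RADIUS server sends back, authenticated with *its* copy of the secret."""
    identifier, request_auth = request[1], request[4:HEADER_LEN]
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + auth + attrs


def verify_response(response, request, secret):
    """Client-side check: the reply must match our request and our secret."""
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if identifier != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, identifier, response[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def demo():
    """Returns (genuine reply accepted, reply from a wrong-secret server accepted)."""
    secret = b"example-shared-secret"  # constructed value
    req = build_access_request(7, b"CORP\\alice", b"Pa55word!", secret)
    genuine = build_response(ACCESS_ACCEPT, req, secret)
    rogue = build_response(ACCESS_ACCEPT, req, b"some-other-secret")
    return verify_response(genuine, req, secret), verify_response(rogue, req, secret)


if __name__ == "__main__":
    print("genuine accepted=%s, wrong-secret accepted=%s" % demo())
```

Two points follow from the code. The check is only as strong as the secret, since an MD5 over known fields plus a short secret can be searched offline by anyone who captures the exchange, so the shared secret should be long and random rather than a word. And the password hiding is keyed by the same secret, which is why the RRAS-to-IAS path should be treated as carrying credentials and placed on an internal network rather than exposed across the Internet.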
Using the IAS MMC Snap-in
You can manage the configuration of an IAS server using its MMC snap-in. To launch the
IAS management console, select Start | Programs | Administrative Tools | Internet
Authentication Service. The IAS console is shown in Figure 5.13. The left column of the
window displays several components of the IAS server that you can manage, including the
following:
■ RADIUS Clients Lists the clients (RRAS servers) currently configured and allows you to add new clients.
■ Remote Access Logging Lists log files and allows you to configure additional logging options.
■ Remote Access Policies Lists current policies and allows you to add policies. IAS policies are identical to those used on RRAS servers.
■ Connection Request Processing Includes options for forwarding authentication requests to another IAS or RADIUS server for processing.
Figure 5.13 The IAS Management Console
IAS Monitoring
You can monitor the status of the IAS server using Windows Server 2003’s standard monitoring facilities, including Event Viewer and System Monitor. IAS also supports Simple
Network Management Protocol (SNMP) for centralized monitoring of IAS, along with
other devices and services.
IAS also adds a number of objects to the System Monitor utility when you install it.
You can use the counters within these objects to monitor the performance of the IAS
server. To use System Monitor, select Start | Administrative Tools | Performance,
click the Add Counters (+) button, and select one of the IAS objects to view a list of the
available counters.
IAS SDK
Microsoft also makes an IAS Software Development Kit (SDK) available. You can use this to
create customized behaviors for IAS, control the number of network sessions available to
users, and create customized methods of authorization and authentication. The SDK also
includes development tools for the Extensible Authentication Protocol (EAP) to allow you
to create new types of authentication. EAP is described in the next section.
Authentication Methods
The Windows Server 2003 IAS server supports a number of different authentication
methods. These range from basic, unencrypted authentication to highly secure methods.
Windows Server 2003 also supports an infrastructure that allows external methods of
authentication, such as smart cards. In the following sections, we will discuss authentication
methods supported by IAS.
PPP-based Protocols
IAS supports several simple authentication methods based on the authentication used with
PPP. These are the same basic methods supported by native RRAS authentication. The following are the basic authentication methods you can select:
■ Unencrypted Password (PAP) This option uses PAP, a basic unencrypted authentication method. Since PAP transmits passwords as plaintext, it provides very little security.
■ Shiva Password Authentication Protocol (SPAP) SPAP is Shiva’s extended version of PAP and is slightly more secure. This protocol is included for use with legacy devices and systems that require it.
■ Encrypted authentication (CHAP) CHAP is a standard protocol that uses encryption to prevent password snooping. In CHAP, the server sends an encrypted challenge to the client, and the client uses the password entered by the user to decrypt it and send a response.
■ Microsoft encrypted authentication (Microsoft-CHAP) MS-CHAP is Microsoft’s extension of CHAP, which improves security and integrates with Windows authentication. Version 1 of MS-CHAP is included to support older operating systems.
■ Microsoft encrypted authentication version 2 (MS-CHAP v2) MS-CHAP version 2 is an improved version that increases security. Since version 2 is supported by all current versions of Windows, you should choose it over version 1, unless you are supporting older clients.
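The CHAP exchange from the list above, written out as an added example that is not from the book. RFC 1994 defines the response as an MD5 hash over the one-byte Identifier, the shared secret and the challenge the authenticator issued, so the password itself never crosses the link; the authenticator stores the secret and recomputes the same hash. The code below runs both sides and shows a wrong secret failing and a captured response failing when it is presented a second time. User names and secrets are constructed.

```python
"""CHAP challenge/response as defined in RFC 1994, on both sides of the link.

Added example (not from the book). The authenticator issues a random
challenge, the peer answers with MD5(Identifier || secret || Challenge), and
the authenticator recomputes the same hash from its stored secret. Names and
secrets are constructed.
"""
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 2.2: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: holds secrets, hands out challenges, checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets  # name -> shared secret (bytes)
        self.pending = {}       # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self, rng=os.urandom):
        """Issue a fresh challenge; the Identifier lets the server match the reply."""
        self.next_id = (self.next_id + 1) % 256
        chal = rng(16)
        self.pending[self.next_id] = chal
        return self.next_id, chal

    def verify(self, identifier, name, response):
        """Each challenge is consumed once, so a captured response cannot be replayed."""
        chal = self.pending.pop(identifier, None)
        secret = self.secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)


def demo():
    """Returns outcomes for (correct secret, wrong secret, replayed response)."""
    server = ChapAuthenticator({b"alice": b"correct-horse"})  # constructed secret
    ident, chal = server.challenge()
    good = server.verify(ident, b"alice", chap_response(ident, b"correct-horse", chal))
    ident, chal = server.challenge()
    bad = server.verify(ident, b"alice", chap_response(ident, b"wrong-guess", chal))
    ident, chal = server.challenge()
    captured = chap_response(ident, b"correct-horse", chal)
    server.verify(ident, b"alice", captured)       # first use succeeds
    replay = server.verify(ident, b"alice", captured)  # same bytes again: rejected
    return good, bad, replay


if __name__ == "__main__":
    print("correct=%s wrong=%s replay=%s" % demo())
```

The design note that matters for deployment is visible in `ChapAuthenticator.__init__`: the authenticator must hold the secret in a form it can feed back into the hash, which is why standard CHAP on Windows requires passwords stored with reversible encryption, and one reason the MS-CHAP variants listed above exist.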
EAP
Another choice for Windows Server 2003 and IAS authentication is EAP. EAP is not
strictly an authentication protocol; it is a structure that allows numerous plug-in authentication methods. EAP also allows clients and servers to negotiate the most secure authentication method they both can support.
The EAP Infrastructure
Authentication protocols that fit into EAP are called EAP types. Each of these types is handled by a plug-in module. When a client connects to the server and both support EAP, they
negotiate an EAP type for authentication, depending on which types each of them supports. A server that responds to authentication requests is called an authenticator. The authenticator can make any number of requests for information from the client, depending on the
authentication type.
Enabling EAP-based Authentication
To enable EAP authentication on an IAS server, you create a Remote Access Policy that
allows EAP authentication, or you modify an existing policy. Exercise 5.07 demonstrates
how to modify a policy to allow the use of MD5 CHAP authentication through EAP.
EXERCISE 5.07
ENABLING EAP-BASED AUTHENTICATION
You can enable EAP authentication for any Remote Access Policy and specify
the EAP types that can be used. Follow these steps to enable EAP authentication:
1. Select Start | Administrative Tools | Internet Authentication Service.
2. The IAS management console is displayed. Click to highlight Remote
Access Policies in the left column.
3. In the right column, select Connections to Microsoft Routing and
Remote Access Server.
4. Select Action | Properties from the menu, or right-click and select
Properties from the context menu.
5. The Properties dialog box is displayed. Click the Edit Profile button.
6. The Edit Dial-in Profile dialog box is displayed. Select the
Authentication tab.
7. The authentication methods supported by IAS are displayed, as shown
in Figure 5.14. You can enable or disable the non-EAP authentication
methods here. You can also change the order in which the selected EAP
types are negotiated by moving them up or down in the list, using the
Move Up and Move Down buttons.
Figure 5.14 Authentication Methods
8. Click the EAP Methods button. A list of the currently enabled EAP
types is displayed.
9. Click Add and select MD5-Challenge from the list.
10. Click OK, then click OK in the EAP types list.
11. Click OK to exit the Edit Profile dialog box.
12. Click OK to exit the Properties dialog box.
EAP authentication is enabled as long as one or more EAP types appears in
the list during this procedure. You can also remove available types from the list
to disable EAP types or remove support for EAP altogether.
EAP-MD5 CHAP
EAP-MD5 CHAP is an implementation of the same challenge-response system as MS-CHAP within the EAP infrastructure. It supports the same level of security as MS-CHAP
v2, but clients must support EAP in order to authenticate with this protocol. Clients that
support MS-CHAP but not EAP will require the non-EAP version of this protocol.
EAP-TLS
Transport Level Security (TLS) is an authentication protocol that uses public-key encryption. All messages between the client and server are securely encrypted. The encryption is
similar to that used with the Internet Secure Sockets Layer (SSL) protocol. This is the
highest level of security provided by Windows Server 2003’s authentication methods.
TEST DAY TIP
EAP-TLS also supports smart cards. These are hardware devices that implement
public-key encryption. Smart cards answer challenges within the hardware and do
not transmit the private key, so they provide higher security than simple password
authentication. For more information about smart card authentication, see
Chapter 7.
EAP-RADIUS
EAP-RADIUS is not a true authentication method. This option is an interface between
EAP and RADIUS. When you select EAP-RADIUS, you specify an external RADIUS
server, and all requests for authentication are forwarded to the RADIUS server for processing. This provides a way for clients that only support EAP to be authenticated using the
RADIUS server.
Authorization Methods
IAS supports a variety of methods of authorization, to determine whether a connection is
allowed and what tasks it can perform. Custom authorization methods are also supported.
The following sections discuss different types of authorization in IAS.
Dialed Number Identification Service (DNIS)
DNIS is a phone company service that identifies the number being called and allows you
to authorize the connection based on that number. It is usually used with 800 and 900
numbers, where there are several different numbers that go into the same public exchange
(PBX) system. In dial-up modem pools where several phone numbers can reach the same
group of modems, you can use DNIS authorization to ensure that users are calling a valid
number.
Automatic Number Identification (ANI) and Calling
Line Identification (CLI)
You are probably familiar with caller ID, which works on consumer phone lines to provide
the number from which a call originated. ANI and CLI are the business-line equivalent services. IAS can authorize connections based on ANI or CLI to allow access to valid
incoming numbers.
Guest Authorization
Windows Server 2003’s IAS service can optionally allow guest access for unauthorized users
using the Guest user account. Because this access is unauthenticated, its use is not recommended in most cases, and it is disabled by default.
Access Server Support
In the RADIUS standard, the RADIUS server works with one or more network access
servers (NASs) that provide access to the network. In Windows terminology, this usually
means RRAS servers. IAS also supports the following alternate types of access servers:
■ RADIUS access server support IAS supports RADIUS standard access servers, whether they are Microsoft servers running IAS or those from other vendors. The standards for RADIUS access servers are defined in RFCs 2865 and 2866.
■ Wireless access points IAS can also provide authentication for wireless access points using the various 802.11 protocols for wireless networking. For this to work, the access point hardware must support RADIUS authentication using an external server.
■ Authenticating switches Some Ethernet switches support RADIUS authentication to authorize nodes attached to the switch. IAS includes the Ethernet port type, which allows you to manage authentication for these switches.
Outsourced Dialing
IAS supports outsourced dialing (sometimes called wholesale dialing), a standard for the use of
ISP modem pools. In this system, you contract with an ISP to provide your employees
remote network access using the ISP’s existing modems. Users connect to a modem at the
ISP, and a server at the ISP creates a VPN tunnel to connect them to the LAN. A RADIUS
server at the ISP can forward records to your organization’s IAS server, which allows you to
manage access to the modems and obtain auditing and accounting information for their
use.
Outsourced dialing has a number of advantages. The ISP already maintains pools of
modems, and you may be able to obtain access to them at a lower price than the cost of
configuring your own modems. The ISP may also have physical presence in areas you do
not have a facility to provide for local calls, and it relieves you of the burden of managing
modem pools.
EXAM 70-293 OBJECTIVE 2, 2.3
Using Connection Manager
Connection Manager is a Windows application that enables a client to initiate a dial-up or
VPN connection to a server running RRAS. To set up a connection, you need to know
whether you are using dial-up, VPN, or another connection type; the phone number or
VPN server to connect to; and other information.
Fortunately, if you frequently have clients or employees that need to create a connection to the RRAS server, you can distribute a customized version of Connection Manager
that already contains most of the required information to connect to the server. Microsoft
distributes the Connection Manager Administration Kit (CMAK), which guides you
through the process of customizing Connection Manager and creating a distribution
package.
TEST DAY TIP
Along with employees who wish to remotely access a company network, CMAK is
often used by ISPs to provide a simple way to set up connections for their customers.
Using CMAK
CMAK works as a Wizard that presents a series of questions about the connection you are
using, and then creates a custom service profile that can be used with Connection Manager
to easily initiate the connection.
Installing and Running CMAK
CMAK is included with Windows Server 2003. To install CMAK, follow these steps:
1. Select Start | Control Panel | Add or Remove Programs.
2. Select the Add/Remove Windows Components option.
3. Select Management and Monitoring Tools from the list and click Details.
4. Check the box next to Connection Manager Administration Kit, as shown in
Figure 5.15.
Figure 5.15 Installing CMAK
5. Click OK, and then click Next to complete the installation. You will need the
Windows Server 2003 CD-ROM.
After CMAK is installed, select Start | Programs | Administrative Tools |
Connection Manager Administration Kit to launch the Wizard. Exercise 5.08 guides
you through the process of using CMAK to create a simple service profile.
EXERCISE 5.08
USING THE CONNECTION MANAGER ADMINISTRATION KIT
The CMAK prompts you for several items of information. Follow these steps to
use CMAK:
1. Select Start | Programs | Administrative Tools | Connection
Manager Administration Kit.
2. An introductory window is displayed. Click Next to continue.
3. The next window asks whether you wish to create a new service profile
or edit an existing one. Select the New profile option and click Next.
4. You are now prompted for a service name. Enter Test Connection in
the Service name text box and test in the File name text box, as
shown in Figure 5.16. Then click Next.
Figure 5.16 Specify a Service Name and Filename
5. The next window asks whether you will be using a realm name. This
allows you to add a standard prefix or suffix to usernames. Select Do
not add a realm name to the user name and click Next to continue.
6. The Merge Profiles window is displayed. This allows you to merge
phone numbers or other information from other profiles to the new
profile. Click Next to continue.
7. The VPN Support window is displayed. This allows you to specify that
a VPN connection will be created. Check the box next to Phone book
from this profile and enter server1 in the VPN Server name or IP
Address text box, as shown in Figure 5.17. Then click Next.
Figure 5.17 Specify VPN Support
8. The VPN Entries window is displayed. Here, you can choose an existing
VPN connection for the profile to support or create a new entry. Click
Next to continue.
9. The Phone Book window is displayed. You can select a phone book file
to provide access numbers to clients. Disable the Automatically download phone book updates option and click Next.
10. The Dial-up Networking Entries window is displayed. You can choose
a current dial-up networking entry to use with the profile or create a
new one. Click Next to continue.
11. The Routing Table Update window is displayed. Click Next to continue.
12. The Automatic Proxy Configuration window is displayed. Here, you
can specify settings for a proxy server to be used with the connection.
Click Next to continue.
13. The Custom Actions window is displayed. Custom actions are
described later in this section. Click Next to continue.
14. The Logon Bitmap window is displayed. You can choose a default
graphic or your own 330-by-140 pixel graphic to be displayed in the
Connection Manager dialog box. Click Next to continue.
15. The Phone Book Bitmap window is displayed. You can choose a
default graphic to be displayed in the phone book dialog box or specify
a custom 114-by-309 pixel graphic. Click Next to continue.
16. The Icons window is displayed. You can choose custom icons for the
connection or use the defaults. Click Next.
17. The Notification Area Shortcut Menu window is displayed. You can
choose items to be included in a menu available from the icon in the
notification area. This is useful to provide a default list of Internet
applications, such as Web browsers or e-mail programs. Click Next to
continue.
18. The Help File window is displayed. You can use a custom help file, as
described later in this section. Click Next to continue.
19. The Support Information window is displayed. Enter a single line of
text that will be displayed in the Connection Manager dialog box and
click Next to continue.
20. You can choose whether to include the installation files for Connection
Manager with your service profile. Select Install Connection Manager
and click Next to continue.
21. In the next window, you can specify an optional text file to be displayed as a license agreement. Click Next to continue.
22. The Additional Files window is displayed. You can specify any files you
wish to be included with the distribution. Click Next to continue.
23. The Ready to Build the Service Profile window is displayed, as shown
in Figure 5.18. Click Next to begin building the service profile.
Figure 5.18 Ready to Build the Service Profile
24. A final window is displayed after your profile is created. Click Finish to
exit the Wizard.
Service Profiles
When you complete the CMAK Wizard, your connection profile is stored as a self-extracting executable file. Any additional files you specified are also included in the distribution directory. CMAK creates a directory for your profile, typically under C:\Program Files\CMAK\Profiles. If you are distributing your customized version of Connection Manager to customers or employees, copy the files in this directory to a floppy disk or CD-ROM, or share the folder and provide them with the network path.
Custom Actions
CMAK supports custom actions, to run programs automatically during the Connection Manager process. This allows you to incorporate any custom software you wish into Connection Manager. CMAK supports a variety of different actions that execute at different times:
■ Pre-init actions Execute when Connection Manager starts.
■ Pre-connect actions, pre-dial actions, and pre-tunnel actions Execute before starting a connection, depending on the type of connection in use.
■ Post-connect actions Execute after a successful connection.
■ On cancel actions Processed when the user cancels the connection.
■ On error actions Used when an error occurs while connecting.
Custom Help
You can specify a custom help file for use with Connection Manager from the Help File window in the CMAK Wizard. You can use the default Connection Manager help file as a basis for your custom version. When you install CMAK, the source files for this help file are stored in the C:\Program Files\CMAK\Support\CMHelp folder. You can use any standard help file development tool, such as Microsoft’s Help Workshop, to modify these files and compile the new help file.
VPN Support
CMAK supports VPN connections as well as dial-up connections. You can specify a VPN server, or a list of servers, and the protocols that will be enabled by default in Connection Manager. This makes it easy for clients with existing Internet connections to connect as VPN clients.
Connection Manager Security Issues
Although customizing Connection Manager with CMAK allows you to simplify the process of connecting to your network, it can also create several potential security issues. The following sections discuss some common security concerns when using CMAK and how you can address them.
Preventing Editing of Service Profile Files
You can edit service profiles using the CMAK Wizard, as explained earlier in this chapter.
Only administrators can install this tool on other computers, and users must be members of
the Power Users group to run an existing installation of CMAK. However, because the profiles created by CMAK are stored as simple text files, anyone who has access to the text file
can modify any of its settings with a text editor.
To minimize the risk of users editing the text files, store them in a secure location. However, once you distribute the files to users, keep in mind that savvy users can edit the text files on their own computers. While this does not compromise your network security, realize that the constraints you created using CMAK might not always be followed.
Client Operating System, File System, and Configuration
CMAK can create Connection Manager profiles for a wide variety of Windows operating
systems, which vary greatly in the levels of security they provide. Some features of
Connection Manager, such as user certificates, are not supported by older versions of
Windows. For maximum security, require users to have a more recent operating system.
Preventing Users from Saving Passwords
When a computer is accessible by multiple users, there is always the risk of an unauthorized user using a connection. To minimize this risk, you can prevent users from using the Remember Password option to store the password for the connection on their computers. To disable this feature, set a value of 1 for the HideRememberPassword option in the connection profile. You can do this by selecting Edit Advanced Options from the CMAK Wizard’s final screen or by editing the .cms file in a text editor.
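Because the profile is a plain text file, the two points made above (anyone with the file can edit it, and HideRememberPassword must be set to 1 to hide the Remember Password box) can both be checked with a script rather than by eye. The following Python script is an added example, not code from the book or from CMAK: it parses an INI-style .cms profile, reports whether HideRememberPassword is 1, rewrites it to 1 if not, lists the entries a distributor would treat as private (server addresses, phone numbers, keys), and compares a distributed copy against a SHA-256 recorded when the profile was built so that an edited copy can be recognised. The [Connection Manager] section name, the other key names and the sample profile are assumptions constructed for the example.

```python
"""Audit a CMAK service profile (.cms) for the settings discussed above.

Added example; not code from the book or from CMAK. Assumptions: the .cms
file is INI-formatted, the HideRememberPassword key lives in a
[Connection Manager] section (section name assumed), and a SHA-256 of the
profile was recorded when it was built so that distributed copies can be
compared against it.
"""
import configparser
import hashlib
import hmac
import io

# Constructed sample profile, not real CMAK output. Apart from
# HideRememberPassword, the key names and values are placeholders.
SAMPLE_CMS = """\
[Connection Manager]
ServiceName=Test Connection
HideRememberPassword=0

[Server]
VPN_Server=server1

[Networking]
Dialup=1
"""

SECTION = "Connection Manager"
KEY = "HideRememberPassword"


def parse_profile(text):
    """Parse .cms text; keep key names case-sensitive so KEY matches as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def remember_password_hidden(text):
    """True when HideRememberPassword=1, i.e. the Remember Password box is hidden."""
    cfg = parse_profile(text)
    return cfg.get(SECTION, KEY, fallback="0").strip() == "1"


def harden_profile(text):
    """Return a copy of the profile with HideRememberPassword set to 1."""
    cfg = parse_profile(text)
    if not cfg.has_section(SECTION):
        cfg.add_section(SECTION)
    cfg.set(SECTION, KEY, "1")
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


def sensitive_values(text):
    """List (section, key, value) entries a distributor would not want made public.

    The key-name heuristic (server, phone, key) mirrors the items the text
    calls private: server addresses, phone numbers, pre-shared keys.
    """
    cfg = parse_profile(text)
    hits = []
    for section in cfg.sections():
        for key, value in cfg.items(section):
            if any(word in key.lower() for word in ("server", "phone", "key")):
                hits.append((section, key, value))
    return hits


def profile_digest(text):
    """SHA-256 of the profile text, recorded at build time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def is_untampered(text, known_good_digest):
    """Compare a distributed copy against the digest recorded when it was built."""
    return hmac.compare_digest(profile_digest(text), known_good_digest)


if __name__ == "__main__":
    print("Remember Password hidden:", remember_password_hidden(SAMPLE_CMS))
    hardened = harden_profile(SAMPLE_CMS)
    print("After hardening:", remember_password_hidden(hardened))
    print("Sensitive entries:", sensitive_values(SAMPLE_CMS))
```

The digest check does not stop a user editing the file on their own machine, which the text already concedes; it tells you which copies that come back from users or turn up on a share no longer match the one you built, and the sensitive-entry list is a reminder of what leaks if the profile itself is distributed carelessly.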
Secure Distribution of Service Profiles
Your service profile might include private information, such as phone numbers, network
server addresses and settings, and pre-shared keys. Depending on the level of detail this
information includes, you might need to make sure that only authorized users can download or obtain a copy of your customized Connection Manager.
Summary of Exam Objectives
Internet connectivity is an important consideration in most networks today. The first consideration when planning Internet connectivity is whether to use a routed connection or a translated connection to the Internet. A routed connection places all machines in the network on the Internet, and each requires an IP address. A translated connection uses a separate private addressing scheme on the local network, and a server translates between public and private IP addresses to provide shared Internet access. In Windows networks, translated connections typically use NAT or ICS, a simplified version of NAT supported by Windows systems.
A VPN is an extension of a private network using a public network, such as the Internet, functioning as a conduit between two points. There are two basic types of VPNs: Internet-based VPNs, used by clients for remote access, and router-to-router VPNs, used to connect two segments of a WAN. VPNs use a tunneling protocol (such as PPTP or L2TP) to encapsulate data, in conjunction with an encryption protocol (such as MPPE or IPSec) to encrypt it before sending it over the public network. RADIUS is an Internet standard for a server that provides centralized authentication, authorization, and accounting services. Microsoft IAS is an implementation of a RADIUS server. RADIUS allows you to centralize the authentication and auditing features of one or more RRAS servers. RRAS servers connect to the IAS server with authentication requests. The IAS server supports Remote Access Policies, which replace the individual policies normally stored at each RRAS server.
Windows operating systems can use the Connection Manager utility for creating connections to dial-up networks or VPNs. Windows Server 2003 includes CMAK, which lets you use a Wizard to customize Connection Manager for your particular connections. CMAK allows you to specify dial-up or VPN server information, authentication settings, and other options to create the connection. You can also specify custom icons, graphics, and a help file to personalize Connection Manager.
Exam Objectives Fast Track
Connecting the LAN to the Internet
LAN connections to the Internet can be either routed or translated.
Windows Server 2003 supports NAT for translating addresses.
ICS is a simplified, limited version of NAT.
NAT is part of RRAS and can be installed using the Routing and Remote
Access Server Setup Wizard or configured using the Routing and Remote Access
management console.
Implementing Virtual Private Networks (VPNs)
VPNs can be either Internet-based (providing remote access to clients) or router-to-router (connecting two networks that are in geographically separate locations).
Router-to-router VPNs can use either persistent connections or demand-dial
connections.
Demand-dial VPNs can use either one-way or two-way initiation.
VPN tunneling protocols include PPTP and L2TP.
Using Internet Authentication Service (IAS)
RADIUS is the Internet standard for centralized authentication. IAS is the
RADIUS server included with Windows Server 2003.
IAS provides centralized authentication, accounting, and auditing.
IAS integrates with RRAS and supports Remote Access Policies.
IAS supports PPP-based authentication methods, such as MS-CHAP, as well as EAP.
Using Connection Manager
Connection Manager is software you can use to make a connection, which
automates much of the process for you. CMAK lets administrators use a Wizard to
customize Connection Manager.
CMAK stores the choices you enter in a text file called a connection profile and
compiles the information into a customized executable version of Connection
Manager.
CMAK can be used to create connections for dial-up networks or for VPN
clients.
Because the customized Connection Manager can include specific access
information for the network, using CMAK creates security concerns, and
distribution of the connection profile should be restricted.
Exam Objectives
Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: Do I need to choose one VPN protocol or the other?
A: No, you can configure the VPN server to support both PPTP and L2TP, and clients can
connect using the most secure protocol that is supported on their computers.
Q: What are the limitations of ICS as compared to NAT?
A: ICS supports a single LAN and a single Internet connection. It also lacks some of the configuration options of the full NAT service. For example, you cannot configure IP address assignment options. You also cannot use ICS on a network that has a DNS and/or DHCP server; NAT should be used in that case.
Q: Can a single RRAS server provide multiple functions, such as NAT and VPN access?
A: Yes, an RRAS server can support any of the features of RRAS simultaneously, although
this will require you to customize the configuration.
Q: Can a single Windows Server 2003 computer act as both RRAS server and IAS server?
A: Yes, you can install IAS on a computer that is already running RRAS, and you can
configure RRAS to use the local IAS server for authentication.
Q: What other options are included in a service profile for CMAK?
A: Along with the options the Wizard guides you through, profiles include a number of
options for dealing with passwords, dialing options,VPN settings, username settings, and
advanced options. Search Microsoft’s TechNet site at www.microsoft.com/technet for a
complete list of the configuration options CMAK supports.
Q: Are there alternatives to RRAS for forming VPN connections?
A: Yes, a number of hardware VPN devices are available. While they require additional expense, they provide a convenient “out-of-the-box” solution and may be a more robust solution than using a software VPN.
Q: Some routers support NAT. Is this the same translation feature supported by Windows
Server 2003?
A: The Internet NAT standard defines a general process for address translation. The exact implementation varies between devices, but the functionality is the same.
Q: Can a client computer connect to two VPNs at the same time?
A: Yes, all this requires is a separate network connection entry for each VPN. You can connect to both using a single Internet connection.
Q: If I have ICS running for network translation, is there an easy way to upgrade to NAT?
A: No, you will need to configure NAT manually. Any custom service entries you have
defined in ICS will need to be reconfigured in NAT.
Q: What is the difference between authentication and authorization?
A: Authentication refers to the methods RRAS or IAS use to determine a user’s identity and verify that he or she is a legitimate user. Passwords, smart cards, and challenge-response systems provide authentication. Authorization is the process of determining what a client is allowed to do on the network after authentication.
Q: Is there any way to restrict connections to certain client operating systems?
A: A new Windows Server 2003 feature, Network Access Quarantine Control, allows you to create a script that must be run before a client is allowed access, and the script can check the client operating system or other factors. This feature is discussed in Chapter 7.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Connecting the LAN to the Internet
1. You have five Windows XP clients on a network with a Windows Server 2003 server. The server has an always-on Internet connection with an ISP. What service can you install on the server to allow the clients to access the Internet, without requiring you to obtain additional IP addresses from your ISP?
A. PPTP
B. NAT
C. DHCP
D. DNS
2. You are configuring a simple network with two computers, both running Windows Server 2003. Both will be used as Web servers and must be accessible over the Internet. You have chosen to assign an Internet IP address to each machine, and you want to configure a single Internet connection for use by both machines. Which of the following is the best strategy?
A. Use a routed connection.
B. Use NAT.
C. Use ICS.
D. Two separate connections are required.
3. Your network includes a Windows Server 2003 computer and several workstations running Windows 2000 and Windows XP. You need to configure the server to provide shared Internet access to all machines on the network. The server will also act as a Web server. In addition, one of the workstations is providing an FTP service and requires its own Internet IP address. Which solution will address all of these requirements?
A. ICS
B. A hardware router
C. NAT
D. IAS
4. You have a DHCP server on the network that automatically assigns IP addresses to clients. You are configuring a NAT server to provide shared Internet access. You want clients to use internal addresses from the same pool, whether or not they are using the Internet. What is the most efficient way to do this?
A. Divide the address pool between the NAT server and the DHCP server.
B. Define identical address pools on the NAT server and the DHCP server.
C. Configure NAT to forward IP addressing requests to the DHCP server.
D. Remove the DHCP server from the network and use NAT exclusively.
Implementing Virtual Private Networks (VPNs)
5. You are planning a VPN to allow traveling employees to access the network from remote locations. Employees will be using a variety of ISPs to connect to the Internet. You want to ensure that the VPN offers end-to-end encryption between the VPN client and server for maximum security. Which VPN protocol should you use?
A. PPTP
B. L2TP only
C. L2TP and IPSec
D. PPP
6. You have configured a VPN server running RRAS under Windows Server 2003. A number of remote workstations are able to access the network by connecting to the Internet using local access methods and establishing a VPN connection. Which of the following terms describes this type of VPN?
A. Router-to-router
B. Point-to-point
C. Internet-based
D. One-way
7. You have configured a router-to-router VPN using two Windows Server 2003 computers as VPN servers, each with a local Internet connection. You have configured the VPN servers at each end of the VPN to use the PPTP protocol. Which of the following types of encryption will the VPN use in this configuration?
A. L2TP
B. MPPE
C. IPSec
D. EAP
8. You need to configure a VPN connection between the local network and a remote branch. The remote branch has access to a dial-up ISP and will be billed by the hour by the ISP for the time spent online. Which of the following is the best strategy to configure the VPN?
A. Use a demand-dial connection.
B. Use a persistent connection.
C. Use dial-up access via RRAS.
D. Create a dedicated WAN link.
Using Internet Authentication Service (IAS)
9. You have three RRAS servers configured for VPN access for remote clients. The servers are currently using Windows authentication, and you wish to use IAS for centralized authentication. You have installed the IAS component on a Windows Server 2003 computer. What additional task is necessary to enable IAS authentication?
A. Install IAS on all RRAS server computers.
B. Configure each RRAS server to use RADIUS authentication.
C. Install a RADIUS client.
D. Choose authentication protocols.
10. You have installed the IAS component on a Windows Server 2003 server. You are planning the authentication strategy for the IAS server and have configured the IAS server to use EAP for authentication. Which of the following protocols are supported by EAP? (Select all that apply.)
A. MD5 CHAP
B. PAP
C. SPAP
D. EAP-TLS
11. You have an IAS server running Windows Server 2003. It supports a group of RRAS servers used to manage VPN connections for clients. You are configuring the authentication methods for the IAS server and want to allow the clients to use smart cards for secure and convenient authentication. Which of the following authentication protocols should you select?
A. MS-CHAP
B. EAP-TLS
C. MD5 CHAP
D. MS-CHAP v2
12. You have configured an RRAS server on one Windows Server 2003 computer and an
IAS server on another, and configured the RRAS server to use the IAS server for
authentication. In RADIUS terminology, which computer(s) are referred to as network access servers?
A. The IAS server
B. The RRAS servers
C. The clients of the RRAS server
D. Both the IAS and RRAS servers
13. During a security audit, you are monitoring network traffic and notice that plaintext versions of passwords are passing through the network. You are using an IAS server to handle authentication. Which protocol do you need to disable at the IAS server to prevent this security risk?
A. MS-CHAP
B. PAP
C. EAP-TLS
D. CHAP
14. You have an IAS server running Windows Server 2003. You need to enable and configure EAP to support clients that use EAP authentication. In the IAS MMC snap-in, where do you find the options for configuring EAP?
A. Properties
B. Remote Access Policies
C. Protocols
D. Connection Request Processing
15. You wish to create client software for VPN clients to connect to the network so that clients do not need to manually specify the VPN server, tunneling protocol, and other settings. Which program allows you to customize the client software?
A. Connection Manager
B. Connection Manager Administration Kit
C. RRAS MMC snap-in
D. IAS MMC snap-in
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. B
2. A
3. C
4. C
5. C
6. C
7. B
8. A
9. B
10. A, D
11. B
12. B
13. B
14. B
15. B
255_70_293_ch06.qxd
9/10/03
5:42 PM
Page 335
Chapter 6
MCSE 70-293
Planning, Implementing, and Maintaining a Name Resolution Strategy
Exam Objectives in this Chapter:
2.7 Plan a host name resolution strategy.
2.7.1 Plan a DNS namespace design.
2.7.2 Plan zone replication requirements.
2.7.3 Plan a forwarding configuration.
2.7.5 Examine the interoperability of DNS with third-party DNS solutions.
2.7.4 Plan for DNS security.
2.8 Plan a NetBIOS name resolution strategy.
2.8.2 Plan NetBIOS name resolution by using the Lmhosts file.
2.8.1 Plan a WINS replication strategy.
2.5.2 Diagnose and resolve issues related to name resolution cache information.
2.9 Troubleshoot host name resolution.
2.9.1 Diagnose and resolve issues related to DNS services.
2.9.2 Diagnose and resolve issues related to client computer configuration.
Introduction
Computers “think” in ones and zeros, and the computers and routers on your Windows Server 2003 network communicate with one another using numbers in the form of IP addresses and MAC addresses. People, on the other hand, prefer to think in terms of names, which they use to represent computers and resources. This means that there must be a way to resolve the names used by the people to the numbers used by the computers, and that is where name resolution comes in. Without this mechanism, users will be unable to connect to resources using the “friendly” names they’re used to employing. Thus, it is an important part of the network administrator’s job to design and implement an effective strategy for name resolution on the network.
In this chapter, you’ll learn how to plan for the best way of resolving host and NetBIOS names on your network. We’ll first present an overview of host naming, including how host names are resolved using the hosts file and using the Domain Name System (DNS). We’ll discuss issues involved in designing a DNS namespace, such as choosing the parent domain name, the conventions and limitations that govern host names, the relationship of DNS and Active Directory (AD), and how to support multiple namespaces.
Then we move on to planning DNS server deployment. You’ll find out how to consider factors such as the number of servers, server roles, server capacity, and server placement. We’ll also show you how to plan for zone replication between your DNS servers, and we’ll address planning for forwarding and how DNS interacts with the Dynamic Host Configuration Protocol (DHCP) on a Windows Server 2003 network. We’ll discuss Windows Server 2003 DNS server interoperability with Berkeley Internet Name Domain (BIND) and other non-Windows DNS implementations. You’ll learn about zone transfers between Windows Server 2003 DNS servers and BIND servers, and we’ll discuss supporting AD with BIND. You’ll learn about split DNS configurations and how interoperability relates to other services such as Windows Internet Name Service (WINS) and DHCP. Next, we’ll address DNS security issues, including common DNS threats such as footprinting, redirection, and DNS denial-of-service (DoS) attacks. You’ll learn how to best secure your DNS deployment by using a split namespace and packet filtering. We’ll discuss how to determine the best DNS security level for your network. Next, we’ll look at DNS performance issues. We’ll show you how to monitor DNS server performance and how to analyze DNS server tests.
In the next section, we’ll address NetBIOS name resolution and provide an overview of how NetBIOS names are resolved using LMHOSTS files and NetBIOS name servers such as WINS servers. You’ll find out what’s new for WINS in Windows Server 2003, and we’ll show you how to plan WINS server deployment and WINS replication. We’ll walk you through the process of configuring WINS replication partnerships, including push-only, pull-only, and push/pull configurations. We’ll also discuss common WINS issues, including configuration, performance, and security issues. We’ll show you how to plan for WINS database backup and how to troubleshoot name resolution problems related to both host names and NetBIOS names.
EXAM 70-293 OBJECTIVE 2.7
Planning for Host Name Resolution
One of the most common sources of trouble on any Windows network—whether it’s a Windows NT, Windows 2000, or Windows Server 2003 network—is faulty name resolution. Computers cannot resolve the computer names to the proper IP addresses, or they cannot find an IP address associated with a computer name at all. When name resolution (the process of finding the IP addresses associated with computer names and services running on those computers) is not working perfectly, a multitude of problems can arise, including (but not limited to) the following:
■ Users might not be able to log on to the network.
■ Users might not be able to connect to applications and services residing on remote computers.
■ Domain controllers might not be able to communicate with each other.
In fact, problems with name resolution are so common that a typical first step in troubleshooting problems on a Windows network is to ensure that name resolution is working flawlessly. A common mantra that reflects this situation is the following: “The problem is irrelevant. The answer is DNS.” Although this is a gross oversimplification of the problems that can arise on a Windows network, it does contain a germ of truth.
It is critically important that an appropriate name resolution strategy be planned, implemented, and maintained on every Windows network. Starting with Windows 2000, correct host name resolution is a necessary condition for the proper operation of the network. This contrasts with Windows NT 4 and earlier networks, in which correct NetBIOS name resolution is a necessary condition for the proper operation of the network. NetBIOS name resolution can still play an important and central role in Windows 2000 and 2003 networks; however, its importance is subordinate to that of host name resolution, and in some situations reliance on NetBIOS name resolution can be completely eliminated with careful planning.
Planning for host name resolution on a Windows Server 2003 network means developing and implementing a fault-tolerant and secure strategy, whereby host computers on
the network are always able to resolve computer names to IP addresses and locate services
running on the network in a timely manner. For example, to log on to a Windows Server
2003 network, client computers must be able to locate domain controllers that are able to
process logon requests. On a Windows Server 2003 network, the primary mechanism for
locating the domain controllers is host name resolution through DNS.
Understanding Host Naming
We have mentioned two different kinds of name resolution: host name resolution and
NetBIOS name resolution. In order to understand host naming, you might find it useful to
understand the differences between NetBIOS and host names. In the following sections,
we’ll discuss the characteristics of each.
NetBIOS over TCP/IP
NetBIOS was originally developed to run on small broadcast-based networks. An early and commonly implemented network/transport protocol that relies on NetBIOS is NetBEUI, which is designed to run on a segment. NetBIOS itself was not designed to run on multisegment networks, and it was not initially designed to run on TCP/IP networks. For NetBIOS applications to work properly, they must be able to locate computers by their NetBIOS computer names. An example of the use of a NetBIOS application is the use of the Universal Naming Convention (UNC) path to gain access to a share on a remote computer. The UNC path has the form \\computername\sharename.
On a single-segment network running NetBEUI, a computer trying to connect to
a file share on a remote computer sends a broadcast request to find the Media Access
Control (MAC) address (a unique 12-digit hexadecimal number on Ethernet networks)
associated with the network adapter of the target computer. After it receives a reply to its
request for the MAC address of the computer that owns the NetBIOS name, the requesting
computer can establish a session with the target computer. NetBIOS names either belong
exclusively to the device, such as a NetBIOS computer name, or they are group names that
are not exclusive, such as domain names. In either case, each NetBIOS name must be
unique on the network.
On a TCP/IP network, IP addresses, rather than NetBIOS names, are used to connect to destination hosts. The process of IP address resolution is similar to NetBIOS resolution in that it is broadcast-based. When a computer tries to establish a connection with a destination host on the same network segment, it sends out a broadcast request for the MAC address of the computer configured with the IP address of the destination host. When the destination host is on a separate network segment, it sends a request for the MAC address of the default gateway. When the computer learns the MAC address of the destination host (or the default gateway, if the host is on a remote subnet), it can begin communicating with it.
Obviously, for NetBIOS applications running on TCP/IP networks, some method must
be implemented so that these applications can use computer names and resolve them to the
appropriate IP and MAC addresses.This is accomplished through the use of a specific
NetBIOS interface called NetBIOS over TCP/IP, also known as NetBT or NBT, implemented in the Windows TCP/IP protocol stack.This interface allows NetBIOS applications
to translate NetBIOS names to IP addresses, which are then subsequently used to resolve to
the appropriate MAC address (the MAC address of the destination host, if on the same
local subnet, or the default gateway, if on a remote subnet).
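The two-stage lookup just described (NetBIOS name to IP address, then IP address to the MAC address of either the destination host or the default gateway) can be worked through in a few lines of Python. This is an added illustration, not code from the book; the NetBIOS name table, the local subnet 192.168.1.0/24 and the gateway address are constructed sample values.

```python
import ipaddress
from typing import Optional, Tuple

# Constructed sample data (not from the book): the local host's IP
# configuration and a NetBIOS name table such as NetBT would consult.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
DEFAULT_GATEWAY = ipaddress.ip_address("192.168.1.1")
NETBIOS_NAMES = {
    "FILESRV01": "192.168.1.20",   # on the local segment
    "HQ-PRINT": "10.0.5.7",        # on a remote segment, behind the gateway
}


def arp_target_for(destination: str) -> str:
    """Which IP's MAC the host must learn (via ARP broadcast) to reach
    `destination`: the host itself if on-link, otherwise the default gateway."""
    dst = ipaddress.ip_address(destination)
    return str(dst) if dst in LOCAL_NET else str(DEFAULT_GATEWAY)


def resolve_netbt(name: str) -> Optional[Tuple[str, str]]:
    """NetBT resolution: NetBIOS name -> IP address -> IP whose MAC to ARP for.
    NetBIOS names are case-insensitive and at most 15 characters (the 16th
    byte is the service suffix), so normalise before the table lookup."""
    ip = NETBIOS_NAMES.get(name.upper()[:15])
    if ip is None:
        return None
    return ip, arp_target_for(ip)
```

For a name on the local segment the host ARPs for the target itself; for a remote one it ARPs for the gateway, exactly the branch the paragraph above describes.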
Host Names
NetBIOS names are required only when using NetBIOS applications that provide access to
services running on remote or local computers. In contrast, WinSock applications, which
are specifically written to run on a TCP/IP stack, use the WinSock interface in the
Windows protocol stack. These applications include Web browsers and servers, FTP servers
Planning, Implementing, and Maintaining a Name Resolution Strategy • Chapter 6
and clients, Internet e-mail clients and servers, and so on. However, since these applications
are specifically designed to run on TCP/IP networks, they rely on IP addresses and not
names to establish communications with a remote computer. Unlike the case with
NetBIOS applications, it is not necessary to use a name to establish communications. When
using a WinSock application, you need to use only the IP address of the destination host to
establish communications. Host names are used in place of IP addresses to make it easier for
the human operators of computers. It is much easier for most of us to remember a name
than it is to remember a number.
In contrast to NetBIOS names, there is no necessary relationship between host names
and the IP addresses of the computers they represent. In fact, multiple host names can be
assigned to the same IP address, and a single host name can be assigned to multiple IP
addresses. This last technique is used, for example, to provide a type of simple load balancing
(round-robin DNS resolution) among multiple Web servers that are all hosting the same
Web site. Also, unlike NetBIOS names, host names are not a necessary part of the configuration of the computer. A Web server, for example, does not need to be configured with the
host name used to reach it.
For host names to resolve to the appropriate target computer IP address, the client
computer needs to have some means of being able to resolve the host name to the remote
IP address. There are two primary methods for resolving host names to IP addresses: using a
hosts file or using a DNS server. (On a Windows network, the situation is a little more
complicated, because methods of NetBIOS name resolution can be used when host name
resolution fails.)
Understanding the Hosts File
The hosts file is a text file that is found on the local computer. On Windows-based computers, the path to the hosts file is %systemroot%\system32\drivers\etc\hosts, where
%systemroot% is a variable used to identify the folder where the operating system is
installed, such as C:\Winnt or C:\Windows.
NOTE
Even though the hosts file is a text file, it does not have a .txt extension. Therefore,
you must ensure that the file is not saved with this extension appended to it. For
example, if you open the file in Notepad and then save it as a text file the .txt
extension will be the default. Then Windows will not recognize the hosts file. This
can be particularly problematic on Windows machines that are set to hide
common file extensions by default, because the file will appear to not have the
extension when you view it in the file list in Windows Explorer. This is one of the
first things you should check if you have a hosts file that doesn’t seem to be
working.
The hosts file contains a list of host names and the IP addresses associated with them.
By default, the hosts file contains only one active entry for the host name localhost, which
points to the loopback IP address of 127.0.0.1.
The structure of the file is simple. To add a host name to IP address mapping, simply
insert a new line containing the IP address of the destination computer followed by the
host name. You can enter either a simple name or a fully qualified domain name (FQDN)
that contains dots, such as www.syngress.com.
Although the hosts file has largely been superseded by DNS as a method of name resolution, it still has a number of valid uses. For example, you can use it to substitute a shorter,
simpler name for a longer, more complex name that is stored on a remote DNS server. You
can also use it for testing purposes. Another purpose of the hosts file is to use it to deliberately block Web sites, such as those that serve banner ads on Web sites, by mapping the
FQDN of the Web sites to the loopback address (127.0.0.1) of your computer. This technique is useful if you want to speed up browsing on Web sites and do not wish to be subjected to large numbers of banner ads. (See http://pgl.yoyo.org/adservers/ for more
information about this use.)
The use of a hosts file can also speed up the process of host name resolution. When you
try to connect to a remote computer using a host name, Windows operating systems prior
to Windows 2000 will first consult their DNS cache stored in memory, then consult the
hosts file, and then consult the DNS server. Beginning with Windows 2000, the hosts file is
parsed whenever modifications are made to it and the contents are stored in the DNS
resolver cache, eliminating the second step. Prior to Windows 2000, the hosts file is parsed
every time host name resolution is required and the result is not found in the DNS cache.
To verify that the contents of the hosts file are stored in the DNS cache, open a command prompt and enter the command ipconfig /displaydns. This will display the contents of the DNS cache. Make a modification to the hosts file and save it. Then run the
same command again.You will see the entry you made in the hosts file listed in the DNS
cache. Figure 6.1 shows the output of the ipconfig /displaydns command after the hosts
file had been saved with the addition of a host record named test_record, pointing to
192.168.100.1.
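As an added example (not code from the book), the following Python reads hosts-file text in the format just described, answers lookups the way the resolver would (names are case-insensitive, one IP per line, optional trailing comments), flags entries that exist only to blackhole a site at 127.0.0.1, and checks for the hosts.txt mis-save described in the note above. The sample file contents are constructed, including the test_record entry from the text.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample hosts file (not the real Windows file). Lines beginning
# with '#' are comments; an entry is an IP address followed by one or more names.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
192.168.100.1   test_record
10.0.0.5        intranet   intranet.corp.example.test   # short alias plus FQDN
127.0.0.1       ads.adserver.example.test               # blackholed banner host
999.1.1.1       broken                                  # invalid address, skipped
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Parse hosts-file text into {lowercased name: [ip, ...]}.

    A line with an invalid address is skipped rather than aborting the whole
    parse, so one bad entry does not stop resolution of the rest."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), []).append(ip)
    return mapping


def lookup(mapping: Dict[str, List[str]], name: str) -> List[str]:
    """Case-insensitive lookup; [] when the name is not in the file."""
    return mapping.get(name.lower(), [])


def is_blackholed(mapping: Dict[str, List[str]], name: str) -> bool:
    """True when every address for the name is loopback, i.e. the entry exists
    only to block the site (the banner-ad blocking use described above)."""
    ips = lookup(mapping, name)
    return bool(ips) and all(ipaddress.ip_address(ip).is_loopback for ip in ips)


def hosts_filename_problem(directory_listing: List[str]) -> Optional[str]:
    """Warn when the etc directory holds hosts.txt but no 'hosts' file, the
    mis-save described in the note above; None when the listing looks right."""
    names = {n.lower() for n in directory_listing}
    if "hosts" not in names and "hosts.txt" in names:
        return "hosts.txt found but no 'hosts' file: the resolver will ignore it"
    return None
```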
Figure 6.1 Output of the ipconfig /displaydns Command Showing the Contents of the DNS Cache
Understanding DNS
In the early days of the Internet (prior to 1984), there was no such thing as DNS. A single
individual was responsible for updating a hosts.txt file whenever computers were added to
the network. This hosts file was downloaded to other computers in order to maintain an
up-to-date list of host names. Obviously, this solution was not effective when large numbers of computers were added to the Internet. The solution that replaced the use of the
hosts file was DNS.
A DNS server is a computer that contains a database of host names and IP addresses. A
computer configured as a DNS client can use the DNS server to query the database for the
purpose of resolving names to IP addresses. An important characteristic of DNS is that the
DNS server itself runs on a remote computer and will resolve names to IP addresses, as
long as the DNS client has access to it.
There are many DNS servers in use on the Internet. Collectively, these DNS servers
comprise a distributed, hierarchical database containing resource records (RRs) that allow
DNS clients to resolve the host names to IP addresses in the case of forward lookup zones,
and IP addresses to host names in the case of reverse lookup zones. DNS is also responsible
for supplying mail routing and other information for various Internet applications. Because
the billions of RRs that compose the DNS database are distributed, and because DNS uses
an efficient protocol for name resolution (UDP), its performance is exceptional and is for
the most part unaffected by the very large number of host names to IP addresses that it
must resolve on a daily basis.
Configuring & Implementing...
Understanding Common Resource Records (RRs)
Knowing the nature and purpose of common DNS resource records (RRs) is important to an understanding of DNS in general. RRs are defined in RFC 1034. However,
since the publication of this RFC, a number of new RR types have been added. RRs
have the following components:
■ Owner Name The domain name where the RR is found.
■ Type A 16-bit value that identifies the type of RR such as an A, a PTR, an NS, an MX, or an SOA record.
■ Time To Live (TTL) The amount of time that an RR will be cached on a server. This is an optional field for many RRs.
■ Class A 16-bit value that identifies the class of the resource, such as IN for Internet. Windows Server 2003 DNS supports only the IN class. This is a mandatory field.
■ RDATA A required field that contains information describing the resource. The length and format of this information vary according to the type and class of the RR.
Common RR types include the following:
■ A Address record used to map names to IP addresses. When a DNS client queries for an address record, it will receive an IP address in the reply. Here is an example:
host1.syngress.com.    IN    A    192.168.100.5
■ PTR Pointer record used to map IP addresses to names in reverse lookup zones. When a DNS client queries for a PTR record, it will receive a FQDN as the reply. Here is an example:
5.100.168.192.in-addr.arpa.    PTR    host1.syngress.com.
■ MX Message Exchanger record used to identify name(s) and priority of server(s) responsible for handling Simple Mail Transfer Protocol (SMTP) mail for a domain. Note in the following example that a specific host is identified for handling mail for the domain. A corresponding address record must be associated with the host name.
syngress.com.    MX    10 host1.syngress.com.
■ NS Name Server record used to identify the name servers that are authoritative for a domain. Note in the following example that a specific host is identified as an authoritative name server for the domain. A corresponding glue address record must be associated with the host name.
syngress.com.    IN NS    ns1.syngress.com
■ CNAME Canonical name used to map an alternate or aliased name to a primary or canonical domain name. The canonical name must exist, and there can be only one CNAME per alias. Here is an example:
aliasname.syngress.com    CNAME    www.syngress.com
■ SRV Service locator record that allows multiple servers hosting TCP/IP-based services to be located by means of a DNS query. This is used extensively to support AD. For example, SRV RRs allow clients to locate domain controllers that can process logon requests. Here is an example:
_ldap._tcp._msdcs    SRV    0 0 389 dc1.syngress.com
                     SRV    10 0 389 dc2.syngress.com
■ SOA Start of Authority record used to indicate the name of origin for the zone, the name of the server that is the primary authority for the zone, and other properties (such as e-mail of the responsible administrator, the version number of the zone data file, and other fields). This record is always the first record to appear in the DNS data. In the following example, note the @ on the left side to designate the owner for the RR. This symbol is a shorthand designator to indicate the origin (domain name). It can be used with any record, but it is most often used with the SOA record.
@    IN    SOA    ns1.syngress.com.    dnsadmin.syngress.com. (
                  1         ; serial number
                  3600      ; refresh    [1h]
                  600       ; retry      [10m]
                  86400     ; expire     [1d]
                  3600 )    ; min TTL    [1h]
The fields in the SOA record merit some special attention:
■ The serial number indicates the version number of the zone file. When this number is incremented on a primary DNS server, a secondary DNS server that is polling the primary DNS server will learn that it needs to update its zone file through a zone transfer.
■ The refresh interval indicates the length of time a secondary DNS server will wait before polling the primary DNS server to determine if it needs to copy the DNS data from the primary DNS server. This setting can be used to control the frequency of zone transfer traffic to secondary DNS servers.
■ The retry interval indicates how long a secondary DNS server will wait after a failed zone transfer before trying again.
■ The expire interval indicates how long a secondary DNS server will keep its records after failing to contact the primary DNS server. This prevents a secondary DNS server from retaining out-of-date data.
■ The min TTL is the length of time a DNS resolver will cache records that it has queried on this server. The min TTL is a global value that is applied to all records, unless a specific TTL is specified in a particular RR.
Windows Server 2003 DNS also supports new RR types for IPv6, such as the AAAA RR for 128-bit IPv6 addresses. Here is an example of an AAAA RR:
host1.syngress.com.    IN    AAAA    4321:123:12:322:3:4:567:34de
For more information about DNS extensions to support IPv6, see RFC 1886 at
www.rfc-editor.org/rfc/rfc1886.txt. For more information about IPv6, see Chapter 3
of this book.
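The following Python zone-file parser is an added example (not part of the book) that reads the record shapes shown in this sidebar, including the parenthesized multi-line SOA with ; comments, the @ origin shorthand and relative names, and then applies the consistency rules the sidebar states: the SOA comes first, MX/NS/SRV targets inside the zone have address records, and each alias has exactly one CNAME whose target exists. The zone text, the $ORIGIN directive handling and the extra record values (ns1, www and dc1 addresses) are constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed zone-file text for the fictional syngress.com zone, using the record
# shapes shown in the sidebar above (all values are illustrative, not real).
ZONE_TEXT = """\
$ORIGIN syngress.com.
@   IN  SOA  ns1.syngress.com. dnsadmin.syngress.com. (
        1       ; serial number
        3600    ; refresh
        600     ; retry
        86400   ; expire
        3600 )  ; min TTL
@                   IN  NS     ns1.syngress.com.
ns1                 IN  A      192.168.100.2
host1               IN  A      192.168.100.5
host1               IN  AAAA   4321:123:12:322:3:4:567:34de
www                 IN  A      192.168.100.6
@                   IN  MX     10 host1.syngress.com.
aliasname           IN  CNAME  www.syngress.com.
_ldap._tcp._msdcs   IN  SRV    0 0 389 dc1.syngress.com.
dc1                 IN  A      192.168.100.10
"""

Record = Tuple[str, str, List[str]]           # (owner FQDN, type, rdata fields)
# index of the rdata field that holds a domain name and so must be qualified
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1, "SRV": 3}


def qualify(name: str, origin: str) -> str:
    """'@' means the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def in_zone(name: str, origin: str) -> bool:
    return name == origin or name.endswith("." + origin)


def parse_zone(text: str) -> List[Record]:
    # strip ';' comments, then collapse '( ... )' continuation lines onto one line
    stripped = "\n".join(ln.split(";", 1)[0].rstrip() for ln in text.splitlines())
    flat = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), stripped)
    origin, last_owner, records = ".", ".", []
    for line in flat.splitlines():
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        # a line starting with blanks reuses the previous record's owner
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():            # optional per-record TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":      # class; only IN is used here
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":                            # primary server and contact names
            rdata[0], rdata[1] = qualify(rdata[0], origin), qualify(rdata[1], origin)
        elif rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = qualify(rdata[NAME_FIELD[rtype]], origin)
        records.append((owner, rtype, rdata))
    return records


def check_zone(records: List[Record]) -> List[str]:
    """The consistency rules the sidebar states, returned as a list of problems."""
    problems: List[str] = []
    if not records or records[0][1] != "SOA":
        problems.append("SOA must be the first record")
    origin = records[0][0] if records else "."
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    owners = {o for o, _, _ in records}
    cnames: Dict[str, int] = {}
    for owner, rtype, rdata in records:
        if rtype in ("MX", "NS", "SRV"):
            target = rdata[NAME_FIELD[rtype]]
            if in_zone(target, origin) and target not in has_addr:
                problems.append(f"{rtype} target {target} has no A/AAAA record")
        elif rtype == "CNAME":
            cnames[owner] = cnames.get(owner, 0) + 1
            if in_zone(rdata[0], origin) and rdata[0] not in owners:
                problems.append(f"CNAME target {rdata[0]} does not exist")
    problems += [f"{o} has {n} CNAME records" for o, n in cnames.items() if n > 1]
    return problems
```

Targets outside the zone (an MX pointing at another domain's host, say) are deliberately not checked, since their address records live in someone else's zone.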
The hierarchical tree on which DNS is based is called the domain namespace. At the top
of the domain namespace is the root, or the dot (.), domain. Below the root domain are the
various subdomains, beginning with the top-level domains, such as .com, .net, edu, and the
various domain names that indicate country codes, such as .ca, .us, .de, and so on. Below
the top-level domains are subdomains, referred to as the second-level domains, such as
microsoft.com, syngress.com, and so on. These second-level domains can have further subdomains, such as authors.syngress.com or research.microsoft.com. Figure 6.2 shows an
example of the hierarchical domain namespace.
Figure 6.2 Hierarchical DNS Namespace
(Diagram: the root "." at the top; below it the top-level domains com, net, and ca; below com the second-level domains syngress.com, microsoft.com, and shinder.com; below microsoft.com the subdomain research.microsoft.com, which contains the host www.research.microsoft.com.)
In the example in Figure 6.2, the domain research.microsoft.com contains an RR for a
host called www. When the name of the host is concatenated with the complete domain
name from right to left (www.research.microsoft.com), the result is the FQDN for the host.
The FQDN indicates the full path from the host to the root domain when read from left
to right.
A true FQDN includes a period at the rightmost end of the domain name to indicate
termination at the root zone. Thus, www.research.microsoft.com. (with the period at the
end) is the true FQDN. This point is a source of some confusion among administrators,
because they normally do not include this rightmost period when they, for example, type a
destination in a Web browser. However, the output of diagnostic utilities such as NSLookup
will be affected if you do not include the period.
Domains versus Zones
It is critically important to understand the difference between domains and zones. As you
can see in Figure 6.2, the domain namespace is partitioned into various subdomains.
However, the hierarchy is also partitioned into various zones. A zone comprises the total set
of RRs contained in an authoritative name server for a domain and its subdomains, starting
from a particular point in the DNS hierarchy.
Consider, for example, the domain microsoft.com. This domain and its subdomain,
research.microsoft.com, might consist of a single zone administered by authoritative name
servers in the microsoft.com domain; that is, all the RRs for the parent and its subdomain
are contained in the same authoritative name servers. However, it is possible to delegate
authority for the subdomain, research.microsoft.com, to another set of name servers
through the use of NS and A RRs. When this delegation of administrative authority takes
place, the subdomain is administered by a separate zone. The authoritative name servers for
the parent domain, microsoft.com, do not contain records for the subdomain, with the
exception of those records that are necessary to delegate authority for the subdomain to
other name servers. Figure 6.3 illustrates two possible zone configurations for the
microsoft.com domain.
Figure 6.3 Zones versus Domains
(Diagram, left side: a single zone served by ns1.microsoft.com that contains microsoft.com, dev.microsoft.com, and research.microsoft.com. Right side: microsoft.com and dev.microsoft.com served by ns1.microsoft.com, with delegation of authority to the research.microsoft.com subdomain, which is served by ns1.research.microsoft.com.)
The left side of Figure 6.3 represents a zone of authority, which includes both the parent
and the subdomains for microsoft.com. The authoritative name servers in the parent
domain contain all the RRs for the parent and the subdomain. In the example in Figure
6.3, a name server called ns1.microsoft.com holds all of the RRs for the three domains:
microsoft.com, dev.microsoft.com, and research.microsoft.com.
The right side of Figure 6.3 shows a delegation of authority from the parent domain to
the research.microsoft.com subdomain. In this case, the name server for the parent domain
does not control the records for the research.microsoft.com subdomain, but it does control
the records for the parent and the dev.microsoft.com domain. A server called
ns1.research.microsoft.com holds all the RRs for the research.microsoft.com domain.
Creating different zones of authority can be an efficient way of optimizing zones that
contain a great many RRs. However, creating zone delegations can involve a security tradeoff in that different administrators might be responsible for the servers that are authoritative
for the child domains.
Configuring & Implementing...
Configuring Delegations to Child Domains from Parent Domains
Knowing how to delegate authority to a child domain is important in implementing
and maintaining a DNS infrastructure. To delegate authority from a parent domain
to a child domain, the DNS servers that are authoritative for the parent domain
must have NS records that identify the names of the DNS servers that are authoritative for the child domain, as well as the A records that point to the IP addresses
of the DNS servers in the child domain. In our fictional example for the
microsoft.com domain, the primary zone file for the microsoft.com domain would
contain a set of records (NS and A records) to delegate authority for the
research.microsoft.com zone:
research          NS    ns1.research.microsoft.com.
ns1.research      A     192.168.100.21
Note the lack of a trailing period after “research” on the left side of the NS
and A records. The lack of a period indicates that this name is unqualified; that is,
it is not an FQDN, and the domain name microsoft.com is implicitly appended to
the left side of the name.
There are a number of ways to delegate authority to a child domain. You can
enter the records manually into the zone file or you can use the New Delegation
Wizard, found on the context menu of the zone that is invoked when you right-click the zone in the DNS Microsoft Management Console (MMC). A third way to
delegate authority is to create a stub zone for the child domains on the DNS servers
that are authoritative for the parent domain. If you do this, you do not need to
include records to delegate authority in the zone file of the parent domain. Stub
zones are a new feature of DNS in Windows Server 2003. We will discuss their use
in more detail later in this chapter.
In a standard DNS environment, authoritative servers are either primary or secondary
servers. (Secondary servers are sometimes referred to as slave servers.) The primary server has
an updatable version of the flat text file that contains the RRs for the domains for which it
is authoritative. The primary server is the only server on which updates to the RRs can be
made. The secondary server has a read-only copy of the zone file, which is updated by a
process known as zone transfer.
The zone transfer process is usually initiated when the secondary server polls the primary server according to a predefined interval. The secondary server reads the SOA RR
and compares the version number in the record with the version number in its SOA. If the
version number is higher on the primary server, it will initiate the zone transfer process and
copy the zone file over TCP port 53. It is possible to configure a primary DNS server to
contact the secondary DNS servers on its list when there are changes to the zone file. It is
also possible to use an incremental zone transfer (IXFR) to copy only the changes to the zone
file, rather than the entire file, but this depends on whether the DNS servers support the
IXFR protocol. If the secondary server is capable of IXFR transfers, it will request that the
primary use IXFR to transfer the zone information; otherwise, it will request a standard
zone transfer.
In a Windows 2000 and 2003 environment, it is also possible to store the zone information in AD rather than in flat text files. This configuration is known as an Active
Directory-integrated zone. Updates can be made to any Active Directory-integrated zone; that
is, Active Directory-integrated zones are primary DNS servers. Synchronization of Active
Directory-integrated zones occurs through AD replication, rather than through the standard
DNS mechanism of zone transfer. We will discuss these and other DNS server roles later in
the chapter.
DNS Name Resolution Process
Distributing DNS RRs among many different zones and domains has an effect on the
name resolution process that needs to occur for a DNS client to find a host name-to-IP
address mapping. Let’s take the example of a client trying to connect to
www.research.microsoft.com. The DNS client is configured to use another DNS server to
perform recursion on its behalf. (Performing recursion simply means that the DNS server
will issue iterative queries to other DNS servers and accept referrals from these servers until it
receives a positive or a negative response, and then forward that response to the DNS
client.) The DNS client issues a recursive query to the DNS server; the DNS server subsequently issues a series of iterative queries to resolve the name. Figure 6.4 shows the process
that occurs in order to resolve www.research.microsoft.com to the IP address.
EXAM WARNING
Don’t be confused about the difference between iterative and recursive queries.
Iterative queries occur when a DNS resolver asks a DNS server to perform the work
of finding the answer for it. An analogy will be helpful to illustrate the concept of
iterative and recursive queries. You ask your class instructor a question about AAAA
records. Your instructor says he doesn’t have the answer but will find out. After
doing some research and asking other people for advice and direction, he finds the
answer and relays it to you. In the meantime, you wait for either an informative
answer to your question or a negative response. Your instructor has performed a
series of iterative queries to find the answer. You have issued only a single recursive
query and simply waited for a positive or negative response.
Figure 6.4 DNS Server Issuing Iterative Queries to Resolve an IP Address on Behalf of a DNS Client
(Diagram showing the numbered exchanges between the DNS client, dns1.shinder.net, the root DNS server, the .com DNS server, ns1.microsoft.com, and ns1.research.microsoft.com:)
1. DNS client sends recursive query to dns1.shinder.net for IP address of www.research.microsoft.com.
2. dns1.shinder.net queries Root DNS server. Root replies with IP address of .com DNS server.
3. dns1.shinder.net queries .com DNS server. The .com server replies with IP address of ns1.microsoft.com.
4. dns1.shinder.net queries ns1.microsoft.com. Server replies with IP address of ns1.research.microsoft.com.
5. dns1.shinder.net queries ns1.research.microsoft.com. Server replies with IP address of www.research.microsoft.com.
6. DNS client receives response after dns1.shinder.net performs iterative queries.
The DNS client requests that dns1.shinder.net use recursion to return an answer to its
query for the IP address of www.research.microsoft.com. (By default, both the DNS client
and the DNS server service are configured to support this arrangement.) The DNS server
first checks to see whether it can answer authoritatively from locally configured zone information. If it doesn’t have the zone information, the DNS server then checks its cached
information to see if it has previously answered the same query. If it doesn’t have this information in cache, it then begins the process of recursion to find the answer for the DNS
client.
The process of recursion begins with the contacting of the root DNS servers, which
are authoritative for the top-level domain on the Internet. To find these authoritative
servers, the DNS server will consult its root hints file, which is a list of RRs that provides
information about the name servers that are authoritative for the top-level domain on the
Internet. Windows 2000 and Windows Server 2003 servers will automatically install this file
when you install the DNS service on your server, in most circumstances. You can also get
the most current version of this file from ftp://rs.internic.net/domain/named.root.
Note that the root hints file is present on the DNS server only if the DNS server has
not itself been configured with a root, or ., zone. If this zone is present on your DNS server,
it means that this server is the highest level of authority for the root domain, and the server
will not be able to perform DNS queries on the Internet. If you use the Dcpromo utility
to install and configure the DNS server as a prerequisite for installing a domain controller,
that utility will automatically configure the DNS server with the . zone. If you wish to use
the root hints file on this server to perform recursion on the Internet, you will need to first
delete the . zone from the DNS server.
NOTE
The root hints file is found in the %systemroot%\system32\dns\cache.dns file. By
default, this file is prepopulated with the root hints for Internet servers that are
responsible for resolving top-level domain names and delegating authority to
second-level domains. This file can be modified directly or from the Root Hints tab
of the DNS server property pages. On servers that are configured with a root, or .,
it is recommended that this file be removed completely. In a Windows environment
where you have deployed a private root, DNS servers will learn of the servers
hosting the root zone and automatically update this file, as long as the TCP/IP
properties are configured with the IP addresses of the root servers. You can also
modify the file to reflect your DNS infrastructure.
In this example, the root DNS server is not authoritative for the .com domain, but it
does contain NS records for the servers that are authoritative for this domain. It sends this
information back to dns1. Then dns1 contacts a server that is authoritative for the .com
domain. Again, because authority for the microsoft.com domain has been delegated to
other servers, it sends the name server referral information for the microsoft.com domain to
dns1. Then dns1 contacts a name server that is authoritative for the microsoft.com domain.
If this server had also been authoritative for the research.microsoft.com domain, it would
respond with the IP address of the requested host. However, because authority for this subdomain has been delegated to other name servers, it sends name server referral information
back to dns1, which is finally able to contact an authoritative server and receive a positive
reply to its query for the IP address of www.research.microsoft.com. Once it finds this
information, dns1 sends the positive reply containing the IP address information to the
DNS client, which is then able to connect to the Web site.
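To tie the delegation records from the earlier sidebar to the resolution walk-through just described, here is an added Python simulation (not code from the book) of dns1 following referrals from a root server down to ns1.research.microsoft.com, together with a check that a parent zone carries both the NS records and the glue A records for a delegated child. The zone contents, the server addresses (from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the a.gtld.example server name are constructed.

```python
from typing import Dict, List, Tuple

Zone = Dict[str, List[Tuple[str, str]]]        # owner name -> [(type, rdata), ...]

# Constructed namespace (not the book's data; 192.0.2.0/24 and 198.51.100.0/24
# are documentation address ranges). Each parent zone holds the NS records for
# its child plus the glue A records that the delegation sidebar calls for.
ZONES: Dict[str, Zone] = {
    ".": {
        "com.": [("NS", "a.gtld.example.")],
        "a.gtld.example.": [("A", "192.0.2.1")],
    },
    "com.": {
        "microsoft.com.": [("NS", "ns1.microsoft.com.")],
        "ns1.microsoft.com.": [("A", "192.0.2.10")],                # glue
    },
    "microsoft.com.": {
        "ns1.microsoft.com.": [("A", "192.0.2.10")],
        "dev.microsoft.com.": [("A", "192.0.2.20")],
        "research.microsoft.com.": [("NS", "ns1.research.microsoft.com.")],
        "ns1.research.microsoft.com.": [("A", "192.0.2.30")],       # glue
    },
    "research.microsoft.com.": {
        "www.research.microsoft.com.": [("A", "192.0.2.40")],
    },
}
SERVER_IP = {".": "198.51.100.1", "com.": "192.0.2.1",
             "microsoft.com.": "192.0.2.10", "research.microsoft.com.": "192.0.2.30"}
ZONE_AT = {ip: zone for zone, ip in SERVER_IP.items()}
ROOT_HINTS = [SERVER_IP["."]]           # stands in for the cache.dns root hints


def ask_server(ip: str, qname: str, qtype: str, zones: Dict[str, Zone] = ZONES):
    """One iterative query to the server at `ip`. Returns ('answer', rdata),
    ('referral', [(ns_name, glue_ip_or_None), ...]) or ('negative', None)."""
    zone = ZONE_AT[ip]
    data = zones[zone]
    rdata = [rd for t, rd in data.get(qname, []) if t == qtype]
    if rdata:
        return "answer", rdata
    labels = qname.split(".")
    for i in range(len(labels)):        # try qname, then each parent, up to the apex
        cut = ".".join(labels[i:])
        if cut == zone:
            break                       # reached our own apex: nothing below was delegated
        ns = [rd for t, rd in data.get(cut, []) if t == "NS"]
        if ns:
            glue = [(n, next((rd for t, rd in data.get(n, []) if t == "A"), None)) for n in ns]
            return "referral", glue
    return "negative", None


def resolve(qname: str, qtype: str = "A", zones: Dict[str, Zone] = ZONES, depth: int = 0):
    """Recursion performed on the client's behalf: start at a root server from the
    hints and follow referrals until an authoritative or negative answer arrives.
    Returns (kind, rdata, trail), where trail lists (zone asked, response kind)."""
    if depth > 4:                       # guard against referral loops when glue is missing
        return "negative", None, []
    ip, trail = ROOT_HINTS[0], []
    for _ in range(16):
        kind, payload = ask_server(ip, qname, qtype, zones)
        trail.append((ZONE_AT[ip], kind))
        if kind != "referral":
            return kind, payload, trail
        ns_name, glue = payload[0]
        if glue is None:                # no glue: resolve the name server's own address first
            k, addrs, _ = resolve(ns_name, "A", zones, depth + 1)
            if k != "answer":
                return "negative", None, trail
            glue = addrs[0]
        ip = glue
    return "negative", None, trail


def check_delegation(parent: str, child: str, zones: Dict[str, Zone] = ZONES) -> List[str]:
    """Sidebar rule: the parent zone must carry NS records for the child and a glue
    A record for every listed name server whose name lies inside the child."""
    data = zones[parent]
    ns = [rd for t, rd in data.get(child, []) if t == "NS"]
    if not ns:
        return [f"no NS records for {child} in {parent}"]
    return [f"missing glue A record for {server}" for server in ns
            if server.endswith("." + child)
            and not any(t == "A" for t, _ in data.get(server, []))]
```

The trail returned for www.research.microsoft.com. reproduces steps 2 through 5 of Figure 6.4: a referral from the root, from .com and from microsoft.com, then an authoritative answer from research.microsoft.com. A name under microsoft.com that does not exist ends with a negative answer from ns1.microsoft.com, since that is where authority for the name stops.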
This recursion process assumes that no information about the FQDN for
www.research.microsoft.com is cached on either the DNS client or dns1. However, over a
period of time, dns1 would cache information about the domain namespace and would
learn the IP addresses of authoritative name servers for domains and hosts on the Internet,
thereby eliminating steps and speeding up the process of name resolution. But even without
cached information, DNS host name resolution is very efficient, because it will normally
use small UDP packets (512 bytes), unless the response is too large to be contained in a
single UDP packet; in which case, TCP will be used.
In our example, three kinds of common responses to DNS queries are used:
■ An authoritative answer This means that a response is sent from a server that is authoritative for the record or domain.
■ A referral answer This means that an answer was sent back to the DNS requester that contained information not originally requested to provide hints to find the answer. For example, if the request is for an A RR, the DNS server might return a CNAME or an NS record in response to the query to help the requester find the answer.
■ A positive answer This means that a positive response to the query is sent to the requester.
New & Noteworthy...
Using Extension Mechanisms for DNS (EDNS0) to Change the Default Size of UDP Packets Used by DNS
The original RFC for DNS (RFC 1035) limits the size of UDP packets to 512 bytes.
However, Windows Server 2003 implements a more recent standard for UDP packet
size (RFC 2671) that allows the administrator to configure a larger allowable UDP
packet size for responses to DNS queries. When EDNS0 is configured on the DNS
requester to allow UDP packets that are larger than the default size, the DNS
requester sends this information to the DNS server in a query that contains an OPT
RR that advertises the maximum size of the UDP packet to use in the response.
When the DNS server receives this information, it will truncate the packet at the
maximum allowable size specified in the OPT RR. If this information is not present,
the DNS server assumes that the DNS requester does not support packets larger
than 512 bytes.
Care must be taken when configuring support for EDNS0 to ensure that the
UDP packet does not exceed the maximum transmission unit (MTU) packet size of
any device, such as a router, that the request and response must traverse. To
change the UDP packet size and EDNS0 cache settings, you must modify the
Registry. For more information about EDNS0, see RFC 2671 at www.rfc-editor.org/rfc/rfc2671.txt.
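As an added example (not from the book), this Python builds a DNS query that carries an OPT RR in its additional section and shows how a server decides, from the CLASS field of that record, how large a UDP response it may send before it must truncate and let the requester retry over TCP. The query name and transaction ID are constructed; treating an advertised size below 512 as 512 follows later EDNS revisions rather than RFC 2671 itself.

```python
import struct
from typing import Optional, Tuple

DEFAULT_UDP_SIZE = 512          # RFC 1035 limit assumed when no OPT RR is present
OPT_TYPE = 41                   # RR type number of the OPT pseudo-record


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_opt_rr(udp_payload_size: int) -> bytes:
    """OPT RR per RFC 2671: root owner name, TYPE 41, CLASS carrying the
    requester's UDP payload size, TTL carrying extended RCODE/version/flags
    (all zero here), and an empty RDATA."""
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, 0, 0)


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                udp_size: Optional[int] = None) -> bytes:
    """A standard recursive query (RD set); an OPT RR is appended only when
    the requester advertises a UDP size, exactly as the sidebar describes."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    return header + question + (build_opt_rr(udp_size) if udp_size else b"")


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) wire-format name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def advertised_udp_size(query: bytes) -> int:
    """What the server should assume the requester can receive: the CLASS
    field of an OPT RR in the additional section, else the 512-byte default."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4             # QTYPE + QCLASS
    for _ in range(an + ns):                        # not expected in a query, but be safe
        off = skip_name(query, off)
        rdlen = struct.unpack("!H", query[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = skip_name(query, off)
        rtype, rclass = struct.unpack("!HH", query[off:off + 4])
        rdlen = struct.unpack("!H", query[off + 8:off + 10])[0]
        if rtype == OPT_TYPE:
            return max(rclass, DEFAULT_UDP_SIZE)    # values below 512 treated as 512
        off += 10 + rdlen
    return DEFAULT_UDP_SIZE


def plan_response(query: bytes, response_len: int) -> Tuple[bool, int]:
    """(must_truncate, limit): the server sets TC and cuts the UDP reply at
    `limit` bytes when the full response would exceed the advertised size."""
    limit = advertised_udp_size(query)
    return response_len > limit, limit
```

The MTU caveat in the sidebar applies to the value a requester chooses to advertise: a large advertised size only helps if every hop on the path can carry a UDP datagram that big without fragmentation.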
A fourth possible response is a negative answer. This means that the authoritative server
does not have a record for the queried name, or that it does have a record for the queried
name, but of a different RR type than the one specified in the query.
Regardless of the answer that is returned, the results are cached so that subsequent
DNS queries can be answered with nonauthoritative responses from name servers that contain the cached information. With the exception of a negative answer, the results are cached
according to the value specified for the minimum TTL in the authoritative zone’s SOA
RR; that is, the authoritative name server controls the TTL of the RR for cached records
on DNS requesters. In the case of a negative response, this information is also cached for a
period of five minutes by default to prevent unnecessary consumption of resources if the
name is queried again. The period for caching negative responses is relatively short to allow
the query to be resolved if the RR becomes available in the future. Negative caching is a
DNS standard that is documented in RFC 2308.
It is possible to set up caching-only DNS servers. These are DNS servers that contain no
zone information and function only to provide support for the recursion process for DNS
clients. We will discuss the various DNS server roles later in this chapter.
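The caching behaviour described above, positive answers kept for the TTL set by the authoritative server and negative answers kept for a short default of five minutes, is easy to see in a small model. This added example is not code from the book or from the Microsoft DNS service; the host names and addresses it uses in its docstrings are constructed, and the 300-second negative TTL is the Windows default quoted in the text.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NEGATIVE_CACHE_TTL = 300  # Windows default for negative answers: five minutes (RFC 2308 negative caching)


@dataclass
class CacheEntry:
    rdata: Optional[str]   # None marks a negative answer (no such name, or no such RR type)
    expires_at: float


@dataclass
class ResolverCache:
    """A toy resolver cache: one entry per (name, RR type), each with its own expiry."""
    negative_ttl: int = NEGATIVE_CACHE_TTL
    entries: Dict[Tuple[str, str], CacheEntry] = field(default_factory=dict)

    @staticmethod
    def _key(name: str, rtype: str) -> Tuple[str, str]:
        # DNS names compare case-insensitively, and a trailing dot is not significant
        return (name.rstrip(".").lower(), rtype.upper())

    def store_positive(self, name: str, rtype: str, rdata: str, ttl: int, now: float) -> None:
        """Cache a positive answer for the TTL the authoritative server placed on the RR."""
        self.entries[self._key(name, rtype)] = CacheEntry(rdata, now + ttl)

    def store_negative(self, name: str, rtype: str, now: float) -> None:
        """Cache a negative answer for the short negative TTL, so a record that is
        added later is picked up within minutes rather than hours."""
        self.entries[self._key(name, rtype)] = CacheEntry(None, now + self.negative_ttl)

    def lookup(self, name: str, rtype: str, now: float) -> Tuple[str, Optional[str]]:
        """Return ("hit", rdata) for a cached positive answer, ("negative", None) for a
        cached negative answer, or ("miss", None) when the resolver must recurse again."""
        key = self._key(name, rtype)
        entry = self.entries.get(key)
        if entry is None:
            return ("miss", None)
        if now >= entry.expires_at:
            del self.entries[key]          # expired: behave as if it was never cached
            return ("miss", None)
        if entry.rdata is None:
            return ("negative", None)
        return ("hit", entry.rdata)
```

Note that the negative entry is keyed on the RR type as well as the name: a cached "no MX record" answer does not stop a query for the same name's A record from being resolved, which matches the text's distinction between a missing name and a missing RR type.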
Forward versus Reverse Lookup Zones
In most of the preceding discussion, we have focused on forward lookup zones. These are
DNS data files that provide answers to forward queries that ask for the IP address of a particular FQDN. However, reverse lookup zones are also widely used to provide answers to reverse
queries that ask for the FQDN of a particular IP address. For example, if you wanted to
find the FQDN associated with a particular IP address, you would perform a reverse
lookup against a reverse lookup zone.
To handle reverse lookups, a special root domain called in-addr.arpa was created.
Subdomains within the in-addr.arpa domain are created using the reverse ordering of the
octets that form an IP address. For example, the reverse lookup domain for the
192.168.100.0/24 network would be 100.168.192.in-addr.arpa. The reason that the IP
addresses are inverted is that IP addresses, when read from left to right, go from general to
specific: the address starts with the network portion and ends with the host. FQDNs, in contrast, get more
general when read from left to right; the FQDN starts with a specific host name. In order
for reverse lookup zones to work properly, they use a special RR called a PTR record,
which provides the mapping of the IP address in the zone to the FQDN.
Reverse lookup zones are used by certain applications, such as NSLookup (an important diagnostic tool that should be part of every DNS administrator’s arsenal). If a reverse
lookup zone is not configured on the server to which NSLookup is pointing, you will get
an error message when you invoke the nslookup command.
Head of the Class...
Security Considerations for the Presence
of a Reverse Lookup Zone
Being able to make NSLookup work against your DNS servers is not the most important reason why you should configure reverse lookup zones. Applications on your
internal network, such as DNS clients that are trying to register PTR records in a
reverse lookup zone, can “leak” information about your internal network out to the
Internet if they cannot find a reverse lookup zone on the intranet. To prevent this
information from leaking from your network, you should configure reverse lookup
zones for the addresses in use on your network.
For more information about security and reverse lookup zones, see http://
support.microsoft.com/default.aspx?scid=kb;EN-US;q259922. Note, however, that
the information regarding the name of the blackhole servers in this article is out of
date. The Internet Assigned Numbers Authority (IANA) has set up two blackhole
servers, blackhole-1.iana.org and blackhole-2.iana.org, to handle the bogus
addresses from private networks that leak onto the Internet. For more information
on this topic, see Kent Crispin’s FAQ at http://archives.neohapsis.com/archives/
incidents/2002-09/0059.html.
EXERCISE 6.01
INSTALLING WINDOWS SERVER 2003 DNS SERVICE AND
CONFIGURING FORWARD AND REVERSE LOOKUP ZONES
The exercises in this chapter require that you install Windows Server 2003. You
can download a 180-day evaluation copy of Windows Server 2003, Enterprise
Edition, from www.microsoft.com/windowsserver2003/evaluation/
trial/evalkit.mspx. If you wish to preserve your current operating system, you
can install Windows Server 2003 in a VMware virtual machine, which allows
you to emulate a PC on which to install Windows Server 2003. You can download a 30-day evaluation copy of VMware Workstation 4.0 from
www.vmware.com/vmwarestore/newstore/wkst_eval_login.jsp.
This exercise assumes that a single Windows Server 2003 server is installed
as a stand-alone server and is not a member of any domain.
Before you install the DNS service, you might wish to ensure that the
domain name in the FQDN for the computer name matches the domain name
of the DNS forward lookup zone you plan to install. It is not a requirement
that the domain name of the FQDN and the DNS forward lookup zone match.
However, if they do match, you will find that Windows Server 2003 adds the
appropriate records to the forward lookup zone for the DNS server. To change
the FQDN for the computer, follow these steps:
1. On the Windows Server 2003 desktop, right-click the My Computer
icon and select Properties from the context menu.
2. Select the Computer Name tab, and then click the Change button.
3. In the Computer Name Changes property pages, click the More
button.
4. In the DNS Suffix and NetBIOS Computer Name property page,
change the primary DNS suffix to tacteam.local (or a name of your
own choosing) and click OK. Reboot the computer when prompted.
Another prerequisite for installing DNS is that your TCP/IP properties should
be configured with a static IP address and the primary DNS settings should be
configured to point to the address of the computer on which you are installing
DNS. To configure TCP/IP properties, follow these steps:
1. On the Windows Server 2003 desktop, right-click the My Network
Places icon and select Properties from the context menu.
2. In the Network Connections folder, right-click the Local Area
Connection icon and select Properties from the context menu.
3. Highlight TCP/IP, and then select Properties.
4. In the TCP/IP properties page, configure a static IP address, and then
configure the primary DNS server settings to point to the IP address of
the server. (For the examples in this chapter, we are using addresses on
the 192.168.100.0/24 network.)
After you have configured your computer with the appropriate FQDN and
IP address, you can install the DNS service. There are a couple of ways you can
do this. You can install the DNS service through the Manage Your Server page
that appears when you first log on to your Windows Server 2003 computer, or
you can install the service through Control Panel | Add/Remove Programs |
Windows Components. In this exercise, we will install the service through
Control Panel. To install the DNS service, follow these steps:
1. Select Start | Control Panel | Add or Remove Programs.
2. Select Add/Remove Windows Components.
3. In the Windows Component Wizard dialog box, scroll down the list of
Windows components, highlight Networking Services, and then click
Details.
4. In the Networking Services dialog box, click Domain Name System
(DNS) to place a check mark in its box, and then click OK.
5. If prompted, insert the Windows Server 2003 source CD to provide the
installation files for the DNS service, or enter the name of a network
path to the installation files.
The DNS service is now installed on your Windows Server 2003 computer.
By default, the DNS server is installed with the root hints file and will resolve
queries to the Internet. If you have an Internet connection, you can verify this
by using the browser on the Windows Server 2003 server and connecting to a
Web site. (Alternatively, you can verify this by performing the test labeled
Perform a recursive query to other DNS servers, which you can find in the
DNS console on the Monitoring tab of the properties of the DNS server.)
Next, we cover the steps to add a forward lookup zone. We begin by creating a standard primary forward lookup zone:
1. Navigate to the DNS console by selecting Start | Programs |
Administrative Tools | DNS. (You can also invoke the DNS console
through the Manage Your Server page that is displayed when logging
on to the Windows Server 2003 computer.)
2. In the DNS console, right-click Forward Lookup Zones and click New
Zone in the context menu.
3. The New Zone Wizard appears. Click Next. Ensure Primary Zone is
selected as the zone type and click Next.
4. Type in tacteam.local as the zone name, and then click Next. (You can
also type in a domain name of your own choosing. For ease of configuration later, it should match the domain name portion of the FQDN of
the computer name.)
5. Select the option to Create a new file with this name. (A filename
has already been created based on the domain name.) Click Next.
6. On the subsequent page, click Next again to accept the default setting
not to allow dynamic updates, and then click Finish.
We now need to verify the records in the new zone. To do this, perform
these steps:
1. In the DNS console, expand Forward Lookup Zones, and then click the
zone you just created.
2. Examine the contents of the zone on the right side of the window. You
should see three records: an SOA, an NS, and a Host (A) record. If you
are missing any of these records, the reason is that the domain you
chose to create did not match the domain in the FQDN for the computer name, or the TCP/IP
configuration was not pointing to the configured IP address for the primary DNS.
We now can create a reverse lookup zone. The reverse lookup zone is used
to resolve IP addresses to names. In addition, if we want to use NSLookup to
query the DNS server, we need a reverse lookup zone containing a PTR RR that
points to the authoritative DNS server in the zone. The domain name will be
based on the IP subnet and the suffix, in-addr.arpa. In these exercises, we are
using the subnet 192.168.100.0/24, so the reverse lookup domain will be
100.168.192.in-addr.arpa.
1. In the DNS console, right-click Reverse Lookup Zones and click New
Zone in the context menu.
2. Follow the previous steps for creating a forward lookup zone. However,
you will need to type the network ID of your network when prompted.
(The New Zone Wizard will create the appropriate domain name based
on your network ID, so do not change the order of the octets in your
address. If you are following the setup for these exercises, you should
type 192.168.100 as the network ID in the Wizard.)
After you have created the reverse lookup zone, examine the records that
are created in it. You should see only two records: an SOA record and an NS
record. Open a command prompt and invoke the nslookup command. You
should see an error message, such as the following:
*** Can't find server name for address 192.168.100.21: Non-existent domain
Default Server:  UnKnown
Address:  192.168.100.21
To correct this situation, we need to add a PTR RR for the DNS server. To do
so, follow these steps:
1. Right-click the reverse lookup zone you just created and select New
Pointer (PTR) from the context menu.
2. In the New Resource Record dialog box, enter the host ID for the DNS
server (the last number in the IP address), click Browse, and navigate
to the A record for your DNS server in the forward lookup zone you
created previously.
3. Finish creating the record. You should now have a PTR record in addition to the NS and SOA records. To verify the record is correct, invoke
the nslookup command from a command prompt. You should see the
name of the DNS server (instead of “Unknown”) in the output.
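The reversal rule from the Forward versus Reverse Lookup Zones discussion and the PTR step just completed can both be checked with a few functions. This is an added example, not code from the book: the 192.168.100.0/24 network and the 192.168.100.21 address are the exercise's own values, while the host name dns1.tacteam.local is an assumption standing in for the A record you browsed to in step 2. It goes slightly beyond the text by handling /8 and /16 networks as well as the /24 used here.

```python
import ipaddress


def reverse_zone_name(network: str) -> str:
    """in-addr.arpa zone for an IPv4 network on an octet boundary (/8, /16 or /24):
    the network octets are written in reverse order and the suffix appended."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks map onto one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(address: str) -> str:
    """Owner name of a host's PTR record: all four octets reversed under in-addr.arpa."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def relative_ptr_name(address: str, zone: str) -> str:
    """The host part typed into the New Resource Record dialog: the labels of the PTR
    owner name that sit below the zone (for a /24 zone this is the last octet)."""
    owner = ptr_owner_name(address)
    suffix = "." + zone.rstrip(".")
    if not owner.endswith(suffix):
        raise ValueError(f"{address} is not inside {zone}")
    return owner[: -len(suffix)]


def ptr_record(address: str, fqdn: str) -> str:
    """Zone-file text of the PTR RR mapping an address back to its FQDN
    (the target is made fully qualified with a trailing dot)."""
    target = fqdn if fqdn.endswith(".") else fqdn + "."
    return f"{ptr_owner_name(address)}.\tIN\tPTR\t{target}"


if __name__ == "__main__":
    # Constructed sample: the exercise's network and server address, assumed host name dns1
    print(reverse_zone_name("192.168.100.0/24"))
    print(relative_ptr_name("192.168.100.21", "100.168.192.in-addr.arpa"))
    print(ptr_record("192.168.100.21", "dns1.tacteam.local"))
```

The ValueError in relative_ptr_name is the check worth keeping: a PTR entered into a reverse zone that does not cover the address is exactly the kind of record that resolves nowhere, and catching it before it is created is cheaper than hunting for it with nslookup afterwards.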
Now that you have installed a DNS server and have created forward and
reverse lookup zones, you will be able to explore and examine DNS server settings. You should use the New Delegation Wizard to create a delegation of
authority to a subdomain of the domain you just created. To create a delegation of authority from a parent domain, right-click the forward lookup zone for
the parent domain and select New Delegation. Follow the steps presented by
the Wizard.
It’s obviously better if a DNS server that is authoritative for the subdomain
actually exists, but if this is not the case, you can still create the records used
to delegate authority. If you are able, you should install a second Windows
Server 2003 server to further explore the features of DNS, such as zone transfers,
stub domains, and so on. This server can be installed on a virtual machine
using VMware; you can run multiple virtual machines, all of which can communicate with one another on the network.
Designing a DNS Namespace
EXAM 70-293 OBJECTIVE 2.7.1
Designing a DNS namespace is a critically important function for any business that relies
on both the public and the private identities provided by the DNS namespace(s) for interaction with its customers and for the smooth and secure operation of its network. You
should take some of the following considerations into account:
■ Uniqueness Domain names on the Internet must be unique. To guarantee
uniqueness of the public domain namespace, the public domain must be registered
with the Internet Corporation for Assigned Names and Numbers (ICANN)
through one of many authorized registrars. Although it is not a requirement that
your internal domain namespace be unique, it is prudent to ensure its uniqueness.
■ Integration and interaction of public and private DNS namespaces It is
possible to use the same or different DNS namespace(s) for the public and private
networks. Each of these alternatives provides different challenges. To separate the
public and private zones requires both planning and administrative effort. One
method of separating the public and private namespaces is to base the DNS
namespace for AD on the internal network on a delegated subdomain of the
public domain. Another method involves choosing a different domain suffix, such
as .local instead of .com, for the private namespace that is the root of AD.
■ Security Designing a DNS namespace should take into account the security
requirements and configuration of your network. For example, it is extremely
inadvisable to allow any RRs that are specific to your internal network to be
publicly available through DNS queries. You should set up separate name servers
to respond to queries for the IP addresses of the organization’s Internet hosts, such
as Web and mail servers. Deploying a private root zone can also help to enhance
the security of your DNS infrastructure. Additionally, you need to consider firewall placement and access rules when designing the DNS namespace. Does the
organization’s security policy allow or restrict access from the Internet to
internal DNS servers? In addition to considering who can query DNS servers, it
is important to consider who can update RRs in the authoritative zones
and how those records are updated. For example, you might not wish to allow
dynamic updates in the top-level domain, but you might want to allow updates in
the child domain. You would design your namespace accordingly.
■ Administration The design of the DNS namespace will affect administration.
For example, using the same domain namespace for both the private and the
public networks will require, at a minimum, a split DNS configuration, where two
name servers (one that is authoritative for the public RRs and one that is authoritative for the private RRs) will need to be implemented and maintained. In this
scenario, special configurations might need to be implemented to allow users on
the corporate network to connect to the organization’s public Web servers.
Choosing the Parent Domain Name
When choosing the parent domain name to support your organization’s business and infrastructure, consider whether to use or acquire an Internet domain name that is registered to
your organization. If the name you choose is for use on your internal network only, you
can use any name you want. However, although it is not a requirement that domain names
used on your internal network be unique, it is a good idea to ensure that they are.
The best way to ensure the use of a unique domain name for the internal network
is to base the domain name on one your company has registered for use on the Internet. If
your organization has not registered a domain name or its currently registered name is not
acceptable for use on the internal network, you should register a new domain name with
an ICANN-accredited registrar.
NOTE
You can find a complete list of ICANN-accredited domain name registrars at
www.icann.org/registrars/accredited-list.html.
Depending on the nature of your organization, you will want to register a domain
name that has a top-level domain (TLD) name like .com, .net, .edu, or .org.You can find a
complete list of top-level domains supported by ICANN, along with a description of their
appropriate uses, at www.icann.org/tlds/. Sometimes, organizations will register their
domain names in as many top-level domains as possible to prevent others from taking
advantage of any brand recognition that the chosen domain name might possess. For
example, in addition to registering a name that has the form mydomain.com, you might
also wish to register mydomain.net, mydomain.biz, mydomain.org, and so on. Furthermore,
organizations that have a prominent presence on the Internet may also register common
misspellings of the domain name to ensure connectivity for users who mistype the name in
their browsers or e-mail clients. You should try to find a domain name that you can register
with as many common top-level domains as possible. For example, if another company has
already registered mydomain.com, but not mydomain.net, you might wish to expand your
search and find a new domain for which you can register a .com extension. Many users
will try a .com extension before trying a .net or other extension to reach your organization’s Web servers.
Before you can register a name, you need to determine if it is unique. Most domain
name registrars provide a service for determining whether a name is available for registration. However, you can also use the Whois application on the InterNic.net Web site to
determine if a name has been registered and who owns the name. You can find the Whois
application at www.internic.net/whois.html.
When you register a domain name, you must provide the registrar with the IP addresses
and host names of one or more DNS servers that will be authoritative for your zone. This
DNS server can be located on your network or on the ISP’s network. In addition, many
registrars offer a service whereby you can host your zone files on their DNS servers and
manage these files directly (usually through a Web-based application).
Host Naming Conventions and Limitations
Regardless of the choice you make for the domain namespace of your internal and external
networks, you should abide by host naming conventions and limitations. According to RFC
1123, “Requirements for Internet Hosts—Application and Support,” which defines naming
standards for host names, the following US-ASCII–based characters are allowed:
■ Uppercase letters (A through Z)
■ Lowercase letters (a through z)
■ Numbers (0 through 9)
■ The hyphen (-)
Note that, according to RFC 1035, DNS resolution is supposed to be case-insensitive.
For this reason, the Microsoft DNS service will “downcase” any uppercase characters that it
encounters to lowercase (it is an optional requirement that case be preserved for use with
DNS; to ensure maximum compatibility Microsoft does not implement the optional
requirement for case preservation). In other words, all uppercase characters will be treated as
lowercase characters.
The RFC 1123 standard is a relatively old one (created in October 1989) and places
limitations on non-English organizations that might wish to use an extended or non-Roman–based character set for their names. Windows 2000 and Windows Server 2003 provide support for the more recent RFC 2181, which states that any binary string can be
included in a DNS name. To allow for the use of more characters than are available with
US-ASCII, Windows 2000 and Windows Server 2003 DNS servers provide support by
default for UTF-8, which is a Unicode transformation format. Furthermore, Windows 2000
and higher client operating systems, such as Windows XP, are UTF-8 aware.
UTF-8 is a superset of extended ASCII and additionally provides support for UCS-2,
which is a Unicode character set that allows for the use of the majority of the world’s
writing systems. UTF-8 is backward-compatible with US-ASCII in that the binary representations of characters are identical between the two formats. However, because characters
in some writing systems require more than 8 bits to represent a character, it is not possible
to use character length as a means of calculating the maximum allowable length for a DNS
name, which according to RFC 2181 is 63 octets per label and 255 octets per name.
Because the last byte is used for the terminating dot of an FQDN, the maximum length of
the name is 254 octets (bytes).
It is important to remember that not all DNS servers are UTF-8–aware. It is also possible to turn off UTF-8 support on individual Microsoft DNS servers by configuring the
name-checking format in the DNS server property pages. Therefore, care must be taken in
environments where not all name servers support UTF-8. In particular, when zone information is being transferred between UTF-8 and non-UTF-8 name servers, the zone can
fail to reload on servers that do not support UTF-8 if the zone contains UTF-8 information.
NOTE
Even though Microsoft DNS provides support for UTF-8, it is generally a good idea,
if possible, to limit host and DNS names to the US-ASCII character set supported by
standard DNS to ensure maximum compatibility.
The Underscore Character
While it is legitimate to use the underscore character in NetBIOS names, the inclusion of
this character in a host name is problematic in environments that use older DNS standards
in which its use is prohibited. (The underscore character is allowed in domain names, however, so its use is legitimate in SRV records.) Support for UTF-8 guarantees that the underscore character can be used safely in Microsoft environments. In fact, the underscore is a
reserved character that is used extensively in Microsoft DNS to identify SRV records as per
RFC 2782. However, third-party standard DNS servers such as older UNIX BIND DNS
servers, might not recognize host records that use the underscore. Consequently, host
names, especially those used by Internet-facing servers, should not use the underscore character as a best practice. If you are upgrading a Windows NT 4 environment to Windows
Server 2003, you might wish to consider changing the NetBIOS and host names of computers whose names include the underscore character before performing the upgrade.
DNS and Active Directory (AD)
AD was introduced with Windows 2000 and is improved and enhanced in Windows Server
2003. AD is an X.500-based directory service (similar to Novell Directory Services), which
stores information about users, computers, printers, and other objects that compose your
network. AD also provides a consistent naming convention for users and other objects,
making it easy to locate and gain access to these objects.
In addition to providing centralized control of resources and a means to either centralize or decentralize resource management, AD provides a means of logically organizing
objects into administrative units. The core administrative unit of AD is the domain. A
domain is a collection of objects that are grouped together into a single administrative unit
in a common database. These objects share common security policies (for example, minimum password length). Furthermore, the domain itself is a unit of replication within AD
among all the domain controllers that are members of a particular domain. There is a very
close relationship between DNS and AD: the AD domain name is also the DNS domain
name, which is stored in a DNS zone.
Domains are grouped into a logical hierarchy referred to as a domain tree. This logical
hierarchy mirrors the hierarchy of the DNS namespace. When a new domain is added to
the domain tree, it becomes a child domain of the parent domain to which it is added, as is the
case with the DNS namespace. Furthermore, the DNS name for the new child domain is
contiguous with the parent domain; that is, both the parent and child domain are part of
the same DNS namespace.
Let’s take the example of a root Windows Server 2003 domain that is named
shinder.net. We add a child domain named corp to the parent domain. The resulting unique
FQDN for the child domain is corp.shinder.net.
AD can comprise more than one domain tree. The resulting group of domain trees is
called a forest. The domain trees do not share a contiguous DNS namespace. However, they
do share trust relationships and a common AD schema that is replicated to domain controllers throughout the forest. If there is only one domain tree in the forest, the subdomains
in the tree are child domains of and contiguous with the forest root domain, which is the domain
created when the first domain controller is installed into AD. The forest root domain and its child domains form
another administrative and security boundary.
If there is more than one domain tree in the forest, the forest has a disjointed DNS
namespace. That is, the namespace for the entire forest is not contiguous. Disjointed name
spaces may require special DNS configurations in order to ensure proper name resolution
throughout the forest. For example, if you have a private root zone, you need to ensure that
you add delegations for your top-level domains to the root zone so that DNS requesters can
find the servers that are authoritative for the appropriate domain. Alternatively, you might
need to configure secondary servers and conditional forwarders to ensure name
resolution.
Figure 6.5 shows the relationship between an AD forest and domain trees. Note the
similarity of the AD domain names with the DNS namespace.
As noted earlier, AD has a close relationship with DNS. AD is, in fact, dependent on
DNS, which is fundamental to its operation. In a Windows 2000 or Windows Server 2003
network, hosts must be capable of resolving names to IP addresses using DNS.
Figure 6.5 An Active Directory Forest with Two Domain Trees
(Figure not reproduced; labels: Shinder.local, Tacteam.local, Forest Root Domain, Corp.shinder.local, Test.shinder.local, Corp.tacteam.local)
As a prerequisite to installing AD, you must first have a DNS infrastructure in place on
your network and your TCP/IP stack must be configured to use an appropriate DNS
server. The DNS server must be authoritative for the domain name of your AD and must
be able to support a special kind of RR known as an SRV record, which provides information about well-known network services and replaces the legacy WKS record. By default,
Windows 2000 and Windows Server 2003 DNS servers provide support for these records.
Other DNS servers, such as those that implement the most recent version of BIND (BIND
9 as of this writing), might support these records as well, but this needs to be confirmed
beforehand if you are using something other than Microsoft DNS.
The DNS server should also be capable of supporting the following:
■ Dynamic DNS (DDNS) updates DDNS is a protocol that allows servers and
DNS clients to update DNS records in the master zone file. Although it is not a
requirement that the DNS server support DDNS, it is highly recommended that
it do so. Support for DDNS eliminates a considerable amount of administrative
work that must be performed in the form of manually adding DNS records to
support AD and the network infrastructure in general. Windows 2000 and
Windows Server 2003 DNS servers support DDNS, as does BIND 9.
■ Incremental zone transfers (IXFR) When a secondary DNS server updates its copy
of a zone from the master DNS server, the entire file is transferred over
TCP port 53 using the AXFR protocol. To eliminate unnecessary traffic associated with zone transfers, the IXFR protocol allows for the transfer of specific
updated records, rather than the entire file, between master and secondary servers.
The Microsoft DNS service supports IXFR, as do BIND versions 8 and 9.
If an appropriate DNS server is not available when you install your first Windows
Server 2003 domain controller, the Dcpromo.exe application will prompt you to install and
configure the DNS service on the computer you are promoting to a domain controller.
If you choose to install DNS through the Dcpromo.exe application, you should note
that a . (root) zone will also be installed at the same time. If this zone is present on the
DNS server, you will not be able to use the DNS server to resolve queries for hosts in
zones for which the server is not authoritative. That is, you will not be able to use this DNS
server to resolve queries on the Internet. You can correct this situation by deleting the root
zone and either configuring the DNS server as a forwarder or adding the root hints file.
AD is capable of storing DNS zone information in the form of Active Directory-integrated zones. We will discuss this feature in more detail later in this chapter.
NOTE
When you install a domain controller, a file called netlogon.dns is created in the
%systemroot%\system32\config folder. This file contains the SRV and other RRs
required to support AD DNS resolution. You can use this file to assist in populating
the zone file of a DNS server that does not support dynamic updates.
Supporting Multiple Namespaces
When you plan to use DNS for name resolution on your intranet and also plan to have a
presence on the Internet, you need to consider how to support one or multiple name
spaces. Assuming that you have a publicly registered Internet domain name and wish to
base the internal domain name on this one, you have three choices for the selection of your
internal domain name:
■ Same domain name for external and internal use In this scenario, if your
publicly registered domain is mydomain.com for use on the Internet, you use
mydomain.com as your internal domain name for your intranet. This configuration requires that you manage separate DNS servers for your internal network and
the external network that are both authoritative for the same domain name. This
configuration is sometime referred to as a split DNS. However, the internal DNS
servers will contain RRs that are specific to your internal network and possibly
contain RRs for your publicly available Web and mail servers.The DNS servers
Chapter 6 • Planning, Implementing, and Maintaining a Name Resolution Strategy
that are authoritative for the internal network should not be available to external
clients. Depending on your security requirements and network configuration, you
might find it necessary to maintain a copy of your Internet-facing servers such as
your Web server on your intranet for use by your internal clients. The external
DNS server that is authoritative for the domain will contain RRs for your publicly available Internet-facing servers only (such as the Web and mail servers) and
will not contain RRs for your internal network. This model increases the administrative effort for managing DNS records and security, so it is not a recommended solution. However, a key advantage is that your organization’s users do
not need to remember different domain names for your organization’s externally
available servers.
■
Different namespace for internal use In this scenario, you would use either a
completely different name for the internal name of the intranet or use a domain
namespace based on the registered domain name but with a different top-level
domain suffix, for example, mydomain.local. Microsoft recommends using a
namespace based on a registered domain name in the (unlikely but possible) event
that two organizations that are using the same AD name merge. If the domain
name is registered, it must be unique by definition. A key advantage of this
approach is that it provides you with a unique and separate namespace for use on
your internal network. With this configuration, the administrative effort required
to manage the domain namespace is minimized, compared to using the same
domain name for internal and external use. Also, security is enhanced and easier
to manage for the following reasons:
■
The internal namespace is not exposed in the form of NS and A records used
to delegate authority to the child domain in the parent domain.
■
The internal domain namespace is not reachable by clients on the Internet.
■
It is not necessary to transfer zone information between the publicly available
DNS servers to internal DNS servers that might function as primary masters
or secondary servers for the parent domain zone file.
A disadvantage of this option is that it requires that you manage two separate
DNS namespaces, increasing administrative complexity. For example, using an
unrelated internal domain name might require you to register this name with
ICANN. Furthermore, using an unrelated internal domain name might cause
confusion among users in your company.
■
Delegated subdomain for internal use In this scenario, your internal domain
namespace begins at a subdomain of the publicly registered domain namespace.
For example, if your domain name is mydomain.com, you would use something
like internal.mydomain.com for your internal namespace on your intranet. To
support this configuration, you need internal DNS servers that are authoritative
for the subdomain and are available only to your internal network (that is, the
www.syngress.com
255_70_293_ch06.qxd
9/10/03
5:42 PM
Page 365
Planning, Implementing, and Maintaining a Name Resolution Strategy • Chapter 6
child domain namespace is not accessible to external users). Your internal clients,
however, would be able to gain access to both the internal and external DNS
servers. This approach has a number of advantages:
■
Administrative effort to maintain the DNS namespace is minimized.
■
Both your internal and Internet-facing servers share the same contiguous
namespace, making it easier for users to connect to these resources.
■
Any DNS records used for AD are isolated in the child domain and its subdomains. The delegated child domain becomes the forest root domain for AD.
Disjointed Namespaces
Many companies have needed to deploy a disjointed namespace; that is, they design their
DNS infrastructure to support two or more noncontiguous namespaces. For example,
because of the high level of trust required for Domain Admins in a forest, many companies
have deployed multiple forests to meet strict security requirements. In other cases, because
of mergers and acquisitions, companies have needed to create Windows NT-style trusts
between individual domains in the separate forests to enable resource access.
In Windows Server 2003, it is now possible to create one-way or two-way,
cross-forest transitive Kerberos trusts. A two-way transitive trust simplifies resource management because it automatically enables trusts between all domains in the separate forests. This
feature, along with complex business needs to deploy disjointed namespaces for separate
business units, will make disjointed namespaces more common. Implementing a stable DNS
infrastructure to support DNS resolution for a disjointed namespace creates challenges for
the DNS administrator. For example, the DNS administrators in the separate forests might
need to host secondary zones for the primary zones in the remote forests. The Windows
Server 2003 DNS service includes two new features that make it easier to support disjointed namespaces:
■
Conditional forwarding Makes it possible to configure a DNS server to automatically contact predefined DNS servers based on the domain name in the
query request. Thus, when a DNS server encounters a query request for name resolution for resources in a separate namespace, it can forward this query to a particular, predefined set of DNS servers.
■
Stub zone A concept borrowed from implementations of BIND. The stub zone
is a special kind of secondary zone and consists of only a subset of records from
the primary zone of the child domain: the SOA, NS, and A records that identify
the DNS servers that are authoritative for the child domain. The NS and A
records (sometimes known as glue records) are updated on the DNS server hosting
the stub zone based on the refresh interval specified in the SOA record. A DNS
server hosting a stub zone can respond to recursive queries and contact the DNS
servers that are authoritative for the child domain, or it can respond to iterative
queries and provide referrals to the DNS servers that are authoritative for the
child domain.
When a DNS server hosts a stub zone for another domain, the server can contact the
authoritative servers for the domain directly when it receives a request to resolve a name
query, helping to reduce DNS name query traffic and the load on the primary DNS server.
Stub zones are useful in situations where authority is delegated to DNS servers in a child
domain from a parent domain, such as when you are deploying your own internal root (discussed in the next section) and need to support a disjointed namespace. Stub zones remove
the need to manually maintain glue records for the child domain in the parent domain. If a
DNS administrator changes the NS or glue records in the child domain, this information
will be updated in the stub zone, making it unnecessary for the DNS administrator in the
parent domain to manually update records used to delegate authority.
These automatic updates serve to prevent a specific and common problem in a DNS
infrastructure, which is known as lame delegation. A lame delegation occurs when the NS
and glue address records used to delegate authority from a parent to a child domain are
incorrect and prevent DNS servers from contacting DNS servers that are authoritative for a
child domain.
NOTE
Because a stub zone is a kind of secondary zone, it is important to ensure that the
zone transfer security is configured appropriately in the authoritative subdomain
so that the stub zone can be replicated to the parent domain that is hosting the
stub zone. By default, when you set up a primary zone, the zone transfer security
allows zone transfers only to secondaries listed on the Name Servers tab. You will
need to change these settings to allow zone transfers to occur to specific IP
addresses, including those for the DNS servers that are configured to host the stub
zone and are not listed in the Name Servers tab.
EXAM WARNING
You should know how to support disjointed namespaces and how to prevent problems arising from improperly configuring delegations of authority to other domain
servers, because these are important issues in a Windows DNS infrastructure. You
should be prepared for exam questions that require a thorough understanding of
the challenges and solutions involved in supporting a disjointed namespace, such
as the use of stub zones and conditional forwarding (which can be used as an
alternative to stub zones). Additionally, you should know how to manually delegate authority from a parent to a child domain.
Deploying an Internal DNS Root Zone
In considering your DNS infrastructure, you should determine whether it is necessary or
desirable to deploy an internal DNS root zone (the . zone). When you deploy a private
root zone, you create a configuration whereby your DNS servers are authoritative for the
entire DNS namespace. The private root zone contains only delegations to your internal
top-level domains. Consequently, these DNS servers will not perform DNS name resolution on the Internet. If you wish your DNS servers to perform name resolution outside
your organization (for example, to servers belonging to a partner or merged organization),
you can add delegations from your root zone and top-level domains in the form of NS and
glue A records to external DNS servers that are authoritative for other domains. In this situation, it might be advantageous to deploy a stub zone on dns1.shinder.local so that the NS
and glue A records for DNS servers in the tacteam.net domain are automatically updated.
A primary advantage of this approach is enhanced security. Your DNS clients and
servers that are authoritative for your DNS zones never send DNS information on the
Internet. Furthermore, for large and complex networks that span WAN links, deploying a
private root zone helps to simplify your DNS infrastructure.
If Internet name resolution is a requirement on your network, you might not be able
to deploy a root zone. However, if your client computers are capable of using proxy servers
such as ISA Server 2000, client computers can access Internet resources through the proxy
server, which will perform name resolution on their behalf. The proxy server and computers that cannot use the proxy client software need to be configured to use separate,
internal DNS forwarders or other DNS servers for Internet name resolution.
Figure 6.6 shows a possible deployment of an internal private root zone in combination
with a proxy server to allow connectivity to external Web sites for client PCs. The figure
also shows a delegation to a disjointed namespace (tacteam.net) to allow an internal DNS
server to resolve host names on the tacteam.net network. Note that dns1.shinder.local does
not perform Internet name resolution for client PCs. The ISA Server contacts a DNS server
capable of performing name resolution on the Internet. However, dns1.shinder.local, by
virtue of a name server delegation, performs recursive DNS resolution for hosts in the
tacteam.net network.
Figure 6.6 Deployment of a Private Root Zone
[Figure 6.6 components: Internet Root DNS Server and External DNS on the Internet; ISA Server; Dns1.shinder.local, authoritative for the private root and shinder.local zones; name server delegation for tacteam.net; Dns1.tacteam.net, authoritative for tacteam.net; PC clients]
In the example in Figure 6.6, a considerable amount of DNS name resolution traffic
can cross a WAN link between the shinder.local and the tacteam.net networks. To reduce
this traffic, you can host a secondary zone for tacteam.net on dns1.shinder.local and host a
secondary zone for shinder.local on dns1.tacteam.net. In fact, in order for dns1.tacteam.net
to perform name resolution for hosts on the shinder.local network, you must either host a
secondary zone for shinder.local, or use some other configuration, such as conditional forwarding to make it possible for this name resolution to occur.
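As an added illustration of the Figure 6.6 deployment and of the stub zone versus manual delegation discussion in the preceding section (example code written for this text, not part of the original book or of Windows DNS), the following Python model simulates dns1.shinder.local as a private root with a hand-entered delegation for tacteam.net, then retires dns1.tacteam.net to show how the static glue record goes lame while a stub zone refreshed from its master list keeps resolving, and how the private root returns no answer for an Internet name. All host names, addresses and records are constructed.

```python
from typing import Dict, List, Optional, Tuple

ZoneData = Dict[Tuple[str, str], List[str]]   # (owner, RR type) -> rdata; one per zone
NETWORK: Dict[str, "AuthServer"] = {}          # constructed network: IP -> server


class AuthServer:
    """A simulated authoritative DNS server hosting one or more zones."""
    def __init__(self, ip: str, zones: Dict[str, ZoneData]):
        self.ip, self.zones = ip, zones

    def zone_for(self, name: str) -> Optional[str]:
        """Longest hosted zone enclosing name; a root zone (".") encloses everything."""
        hits = [z for z in self.zones if z == "." or name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def query(self, name: str, rtype: str) -> List[str]:
        zone = self.zone_for(name)
        return list(self.zones[zone].get((name, rtype), [])) if zone else []


class Resolver:
    """dns1.shinder.local: authoritative for the private root and shinder.local,
    optionally hosting a stub zone that is refreshed from its listed masters."""
    def __init__(self, local: AuthServer, stub_masters: Dict[str, List[str]]):
        self.local, self.stub_masters = local, stub_masters

    def refresh_stubs(self) -> None:
        """Copy only the SOA, NS and glue A records from the first reachable master."""
        for zone, masters in self.stub_masters.items():
            master = next((NETWORK[ip] for ip in masters if ip in NETWORK), None)
            if master is None:
                continue                          # no master reachable: keep old copy
            stub: ZoneData = {(zone, t): master.query(zone, t) for t in ("SOA", "NS")}
            for ns in stub[(zone, "NS")]:
                stub[(ns, "A")] = master.query(ns, "A")
            self.local.zones[zone] = stub

    def closest_delegation(self, name: str) -> List[str]:
        """NS names of the nearest enclosing delegation held locally (root or stub)."""
        labels = name.split(".")
        for i in range(len(labels)):
            ns = self.local.query(".".join(labels[i:]), "NS")
            if ns:
                return ns
        return []

    def resolve(self, name: str, rtype: str) -> Tuple[str, List[str]]:
        zone = self.local.zone_for(name)
        if zone not in (None, ".") and zone not in self.stub_masters:
            return "AUTHORITATIVE", self.local.query(name, rtype)
        ns_names = self.closest_delegation(name)
        if not ns_names:
            return "NXDOMAIN", []             # private root: no path to Internet servers
        for ns in ns_names:
            for ip in self.local.query(ns, "A"):
                server = NETWORK.get(ip)
                if server and server.zone_for(name):
                    return "ANSWER", server.query(name, rtype)
        return "LAME_DELEGATION", []          # every glue address is dead or not authoritative


def deploy_tacteam(servers: Dict[str, str]) -> None:
    """(Re)register tacteam.net's name servers; servers maps NS host name -> IP."""
    for ip in [ip for ip, s in NETWORK.items() if "tacteam.net" in s.zones]:
        del NETWORK[ip]
    zone: ZoneData = {("tacteam.net", "SOA"): ["2003091001"],      # serial only
                      ("tacteam.net", "NS"): list(servers),
                      ("www.tacteam.net", "A"): ["10.20.0.80"]}
    for host, ip in servers.items():
        zone[(host, "A")] = [ip]
        NETWORK[ip] = AuthServer(ip, {"tacteam.net": zone})


def build_shinder_resolver(use_stub: bool) -> Resolver:
    """dns1.shinder.local with a private root that delegates tacteam.net by hand."""
    root: ZoneData = {("tacteam.net", "NS"): ["dns1.tacteam.net"],     # static delegation
                      ("dns1.tacteam.net", "A"): ["10.20.0.1"]}        # static glue
    internal: ZoneData = {("shinder.local", "NS"): ["dns1.shinder.local"],
                          ("dns1.shinder.local", "A"): ["10.10.0.1"],
                          ("fs1.shinder.local", "A"): ["10.10.0.5"]}
    local = AuthServer("10.10.0.1", {".": root, "shinder.local": internal})
    NETWORK[local.ip] = local
    masters = {"tacteam.net": ["10.20.0.1", "10.20.0.2"]} if use_stub else {}
    resolver = Resolver(local, masters)
    resolver.refresh_stubs()                      # initial stub zone transfer
    return resolver


def run_scenario(use_stub: bool) -> Dict[str, str]:
    """Status of four lookups; between the partner lookups tacteam.net retires
    dns1.tacteam.net, so the hand-entered glue now points at a dead host."""
    NETWORK.clear()
    deploy_tacteam({"dns1.tacteam.net": "10.20.0.1", "dns2.tacteam.net": "10.20.0.2"})
    r = build_shinder_resolver(use_stub)
    before = r.resolve("www.tacteam.net", "A")[0]
    deploy_tacteam({"dns2.tacteam.net": "10.20.0.2"})
    r.refresh_stubs()                             # stub zone picks up the new NS set
    return {"internal": r.resolve("fs1.shinder.local", "A")[0],
            "internet": r.resolve("www.example.com", "A")[0],
            "partner_before": before,
            "partner_after": r.resolve("www.tacteam.net", "A")[0]}
```

With use_stub=False the partner lookup ends in LAME_DELEGATION after the change; with use_stub=True it still answers, and in both cases the Internet name is NXDOMAIN because the private root holds no delegation for it.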
General Guidelines for Internal Domain Namespaces
In deciding which approach is best for your organization, take into account a number of
complex factors, such as the presence of firewalls and proxy servers, client software, and the
number and location of DNS servers under your control. Regardless of the approach you
take, you should follow some common-sense guidelines:
■
Keep it simple. Don’t create a DNS infrastructure with too many subdomains
(limit the number to five or fewer subdomains). As a corollary to this, try to limit
the number of authoritative zones to a minimum number; don’t create separate
zones of authority for individual subdomains, unless it is necessary.
■
Use your own company or product names, not those of another company.
■
Register the domain names used by your company and base internal names on
registered names.
■
Avoid acronyms and geographical names that might not be easily understood.
■
Don’t base names on things that are likely to change, such as business units or
divisions that can disappear or be renamed during the next company reorganization.
■
Don’t repeat names that occur on the Internet. For example, don’t create a top-level domain name that already exists on the Internet, such as .ca, .biz, and so on.
This will cause problems for external name resolution.
■
Consider security and ease of administration—these goals might be mutually
exclusive and require trade-offs.
■
Use host names that are unique across your entire DNS infrastructure (keep in
mind that DNS is not case-sensitive).
■
Develop a convention for naming internal computers that is consistent, informative, and easily understood and remembered.
■
If possible, use US-ASCII characters only for host and domain names and consider changing any NetBIOS computer names to ensure conformity with the US-ASCII character set.
■
If you’re using AD, make sure that the primary DNS suffix on your computers
matches the AD domain name.
Planning DNS Server Deployment
Once you have determined your requirements for your DNS namespace and host names
and have determined the number of subdomains, you must plan for the deployment of the
DNS infrastructure on DNS servers. The goal of this planning is to ensure maximum availability, fault tolerance, currency of updated DNS records, and security, while at the same
time minimizing the amount of DNS query and zone transfer traffic.
The size and placement of zone files in your DNS topology will have a direct bearing on
these considerations. Your network topology also has a direct bearing on these considerations. For example, the presence of WAN links connecting remote subnets and the available
bandwidth on those links will affect the deployment of your DNS infrastructure.
Planning the Number of DNS Servers
On a simple network consisting of a single zone and relatively few hosts, you should try to
deploy a minimum of two DNS servers. With two DNS servers, you ensure fault tolerance
in the event that one DNS server fails or is temporarily removed from the network for
maintenance.
On larger, more complex networks, you should deploy at least two DNS servers for
each zone of authority you administer on your network. To reduce administrative complexity, keep the number of DNS servers you deploy to a minimum, while at the same time
ensuring a high level of availability, fast query response times, and currency of records.
To reduce administrative complexity and to ensure fast query response times and fault
tolerance, you can configure servers in a variety of roles. For example, you can configure
conditional forwarders and other types of caching-only servers and use these in combination
with DNS servers that are authoritative for particular domains. We will discuss forwarders
and other DNS server roles later in this chapter.
To determine the number of DNS servers you need, you should keep the following
guidelines in mind:
■
A Windows Server 2003 DNS server on a 700 MHz Pentium III or higher computer with at least 256MB RAM can handle a large number of queries, more
than 10,000 per second. If you experience slow response times, you can add additional DNS servers in the form of secondary servers or Active Directory-integrated zones.
■
A DNS server can host many different zones—as many as 20,000 small zones that
contain only a few RRs in addition to the SOA, NS, and glue address records. If
there is excessive traffic related to recursive queries on the network as a result of
delegation to other zones, DNS servers can be configured as secondary servers to
remote primary servers.
■
If you have high-speed, reliable WAN links, you can use centrally located DNS
servers to resolve queries for clients located in remote subnets.
■
If WAN links are not reliable, you can set up a secondary DNS server on the
remote network to ensure availability of zone information.
■
Because DHCP servers and clients can automatically update DNS zone records
using DDNS, zone replication traffic can become an issue on large networks even
though Windows Server 2003 DNS supports incremental zone updates. If zone
replication traffic across WAN links is a consideration, you can set up caching-only forwarders on the remote subnets to eliminate this traffic.
■
DNS servers can have multiple roles. For example, a DNS server hosting a primary zone for a particular domain can be configured as a conditional forwarder
for other domains. Configuring a server as a conditional forwarder allows it to
build up a cache of frequent queries for host name resolution, helping to reduce
DNS-related traffic for particular domains.
NOTE
When determining how many DNS servers you need, consider the importance of
fault tolerance. You should never have only a single DNS server; a minimum of two
is recommended, so that you will have a backup in case the primary server goes
down.
Planning for DNS Server Capacity
Your DNS deployment plan will also depend on the capacity of your DNS servers to
respond to queries in a timely manner and their ability to load zone files into memory. The
Windows Server 2003 Resource Kit provides the following typical recommendation for a
Windows Server 2003 DNS server:
■
Pentium II computer running at 400 MHz
■
256MB RAM
■
4GB hard drive
■
Network adapter
This should be considered a minimum configuration for a DNS server. Adding RAM
or using a faster processor will increase performance, especially if the DNS server must
respond to many queries or load large zone files. Adding RAM can be particularly helpful
for improving DNS performance. On startup, an authoritative DNS server loads its zone
files into RAM. A typical RR consumes approximately 100 bytes of RAM, although the
precise value is determined by the kind of RR; for example, an SRV RR consumes more
RAM than an A RR. The DNS service itself uses 4MB of RAM without loading any
zones. You can use these figures to determine the amount of RAM you need to support
your zone files.
You should also keep in mind that a DNS server caches query results in RAM and can
return nonauthoritative responses to query requests from its cache. (When a DNS server performs a recursive query on behalf of a DNS client, it stores the result in cache. The next
time a DNS client makes a query request for the same record, the DNS server responds
with a nonauthoritative answer from its cache.) The more RAM available for caching
responses, the better the performance for returning nonauthoritative answers to DNS
clients on the network.
The performance of the DNS server is also influenced by the number and types of
DNS queries to which it must respond. Also, a multihomed DNS server (a DNS server
with more than one network interface) that is listening on more than one IP address for
DNS queries consumes additional resources. If the DNS server is also a primary server, the
number of secondary servers that are polling for updates of the primary zone also has an
effect on performance.
Another factor that has an effect on performance is whether the DNS server is processing dynamic updates to zone files and whether the computer is also configured as a
domain controller and processing secure updates to the zone files.
NOTE
In some baseline tests that Microsoft performed on a single-processor Pentium III
733 MHz computer with 256MB of RAM and a 4GB hard drive, the DNS service
was able to handle 9500 queries per second and 1300 dynamic updates per
second with an average CPU utilization of 75 percent. The test machine had all
unnecessary services removed and was not a domain controller.
To gain a more precise understanding of the resources required for your DNS server,
you can gather information from the DNS-related Performance Monitor counters that are
installed with the DNS service.We will discuss the topic of monitoring DNS performance
in more detail later in the chapter.
Planning DNS Server Placement
Considering where to place DNS servers, you should try to eliminate single points of
failure to ensure the availability of DNS and AD services. This means that for every zone in
your control, you should have at least two authoritative servers for fault tolerance. All DNS
clients should be configured with the IP addresses of primary and at least one alternate
DNS server to contact for name resolution. The following guidelines might assist in determining placement of your DNS servers:
■
On segmented LAN environments, you should have at least two authoritative
servers. These servers should be installed on different subnets.
■
On a WAN, you should try to ensure that an authoritative DNS server is installed
at each geographic location.
■
If you are hosting an authoritative DNS server for your Internet-facing hosts such as
your Web and mail servers, consider hosting an offsite secondary DNS server at
your ISP or on your domain name registrar’s network.
■
Consider which services will be unavailable if the router fails on your network
segment. For example, if you have a small branch office that lacks a domain controller, users will not be able to use the services provided by AD if the router fails.
In this case, there might not be any advantage to deploying a secondary server
that is authoritative for your AD zones.
■
Consider zone replication traffic across slow WAN links. If zone replication traffic
consumes too much bandwidth, consider using forwarding servers in the remote
location.
Planning DNS Server Roles
In order to properly plan, implement, and maintain a DNS infrastructure for your network,
you should have an understanding of the various DNS server roles that you can install and
configure.
■
Authoritative name servers These are servers that contain the complete zone
information for a domain and possibly its subdomains. Any domain will be served
by one or more authoritative name servers. For purposes of fault tolerance and
load balancing, there should be at least two authoritative name servers for each
zone. In a Windows 2000 and Windows Server 2003 environment, it is possible to
configure three types of authoritative name servers:
■
A primary master server is the authoritative name server that holds the updatable RRs. Any changes made to the zone file information must be made on
this server. Unless you are using Active Directory-integrated zones, there is
only one primary master DNS server for each zone of authority. A standalone server, member server, or Windows 2000 or Windows Server 2003
domain controller can be configured as a primary server.
■
Secondary servers, sometimes known as slave servers, hold a read-only copy of
zone information that is transferred from the primary master server during a
process known as zone transfer to ensure that RRs are synchronized between
the secondary servers and the primary server. A zone transfer occurs in one of
two ways. One way is for the secondary servers to poll the primary master
server according to the refresh interval in the SOA RR and compare the version number in the SOA RR in the primary’s zone file with its own. If the
number is larger, it will initiate the zone transfer process. Alternatively, the primary master server can notify the secondary servers on its list whenever
updates are made to the zone file. A secondary server can also be configured
to do zone transfers to other secondary servers. This configuration is used primarily in situations where the polling of the primary DNS server by a large
number of secondary servers puts an unacceptable load on it. The trade-off
lies in currency of records, since updates from the primary DNS server must
travel through more than one secondary server before all the records are synchronized among DNS servers.
■
The Active Directory-integrated configuration is specific to Windows 2000 and
Windows Server 2003. Instead of zone information being stored in flat text
files as is the case with the primary and secondary DNS servers, zone information is stored in AD. Rather than relying on the mechanism of zone transfers, AD replication is responsible for ensuring that zone information is
synchronized among all the participating DNS servers. Another key advantage
of using Active Directory-integrated zones is that any DNS server that stores
the zone information can update RRs; that is, more than one DNS server can
update the zone information. Secondary zones cannot be stored in AD. Active
Directory-integrated zones provide enhanced security for DNS updates and
zone replication traffic in several ways: all DNS servers hosting Active
Directory-integrated zones must be registered in AD, AD replication traffic is
encrypted, and you can use access control lists (ACLs) to restrict the hosts that
are allowed to update RRs using DDNS (secure dynamic updates).
■
Stealth servers When you register the name servers that are authoritative for
your Internet domain namespace, you must supply at least one or two name
servers that are authoritative for the zone so that authority can be delegated from
the parent domain (.com, .net, and so on) to your servers. It is possible, however,
for these servers to be secondary, or slave servers to a primary master server that is
not listed in the registered NS records for the zone listed by the registrar as being
authoritative for your domain. Usually, the primary master server is located behind
a firewall, and access to the primary server itself and zone transfers to the secondary servers are tightly controlled by access rules on the firewall.
■
Caching name servers A caching name server performs queries on behalf of
DNS clients, but the server itself is not authoritative for any zones. When you first set up
a Windows DNS server with the root hints file, it is a caching name server that
can resolve queries for Internet hosts using information it possesses about the
name servers that are authoritative for the root zone. After time, the caching name
server builds up a list of commonly queried names in its cache, which is subsequently used to answer queries on behalf of clients.
■
Forwarding servers A forwarding server is a kind of caching name server that
sends queries to a predetermined list of name servers, known as forwarders, which
can perform recursive queries on its behalf. The forwarding server will send its
query to each forwarder in its list until it receives a positive or negative response.
After it exhausts the name servers in its list, it can be configured to send requests
to servers on the Internet using its root hints file. Alternatively, a forwarder can be
configured to stop at this point, by disabling recursion, and send a negative
response back to the original DNS requester if the forwarder cannot resolve the
query. If recursion is disabled on the forwarding server, it is referred to as a forward-only server. There are a number of uses for forwarding servers and forwarders.
They are often used when you want to tightly control which DNS servers (the
forwarders) are able to send and receive DNS traffic through your firewall.
Another common use of forwarders is to handle DNS queries performed across
relatively slow WAN links on a corporate network. In the remote network, a
name server is configured to forward queries to a more powerful caching name
server that has a larger cache and is better able to resolve DNS queries as a result of
having access to more bandwidth, rather than send its queries directly to the
Internet. A new feature of Windows Server 2003 DNS allows the configuration of
conditional forwarding. Conditional forwarding allows the DNS administrator to
configure the forwarding server to contact specific name servers based on the
domain name specified in the query. To configure a conditional forwarder, you
specify the domain name and the IP addresses of the servers that are responsible
for resolving host names in these domains. Conditional forwarders provide intelligent name resolution and are typically used to reduce the amount of traffic related
to recursion on your network.
■
Nonrecursive servers A nonrecursive server is one on which you have disabled
recursion so that it is not able to perform recursive queries on behalf of DNS
requesters. Disabling recursion on a name server also prevents it from using forwarders to resolve queries. Usually, recursion is disabled on authoritative name
servers that provide name resolution for DNS requesters on the Internet, performing queries to locate your Internet hosts such as your Web and mail servers.
By disabling recursion on these name servers, you ensure that the servers will
respond positively only to queries for RRs in zones for which they are authoritative, and hence tighten the security of these servers. DNS clients on the Internet
will not be able to configure their TCP/IP settings to point to your DNS servers
for name resolution.
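The zone transfer behavior of the secondary server role described above, together with the zone transfer security point made in the earlier NOTE on stub zones, is illustrated by this added Python simulation (example code written for this text, not code from the book or from the Windows DNS service): a secondary polls the primary's SOA serial using 32-bit serial arithmetic and transfers only when the serial is newer, a host that is not in the primary's transfer list is refused until its address is added, a NOTIFY from the primary triggers an immediate poll, and a secondary that cannot reach the primary for longer than the expire interval stops answering for the zone. Host names, addresses, the serial and the intervals are constructed.

```python
from typing import Dict, List, Optional, Set

SERIAL_MODULUS = 2 ** 32          # the SOA serial is an unsigned 32-bit counter


def serial_newer(candidate: int, current: int) -> bool:
    """RFC 1982 comparison: is candidate newer than current, allowing for wraparound?"""
    if candidate == current:
        return False
    return 0 < (candidate - current) % SERIAL_MODULUS < 2 ** 31


class PrimaryMaster:
    """Primary zone: the writable RRs, the SOA serial and a zone transfer list
    (the constructed equivalent of the addresses allowed to request transfers)."""
    def __init__(self, zone: str, serial: int, expire: int,
                 records: Dict[str, str], allow_transfer: Set[str]):
        self.zone, self.serial, self.expire = zone, serial, expire
        self.records = dict(records)
        self.allow_transfer = set(allow_transfer)
        self.notify_list: List["SecondaryServer"] = []
        self.online = True

    def update(self, name: str, address: str, now: int) -> None:
        """A change on the primary bumps the serial and notifies listed secondaries."""
        self.records[name] = address
        self.serial = (self.serial + 1) % SERIAL_MODULUS
        for secondary in self.notify_list:
            secondary.poll(now)

    def soa_serial(self) -> Optional[int]:
        """Any requester may query the SOA; None models an unreachable primary."""
        return self.serial if self.online else None

    def zone_transfer(self, requester_ip: str) -> Optional[Dict[str, str]]:
        """A full transfer is refused unless the requester is in the transfer list."""
        if not self.online or requester_ip not in self.allow_transfer:
            return None
        return dict(self.records)


class SecondaryServer:
    """Read-only copy kept current by polling on the refresh interval and by NOTIFY."""
    def __init__(self, ip: str, primary: PrimaryMaster):
        self.ip, self.primary = ip, primary
        self.serial: Optional[int] = None
        self.records: Dict[str, str] = {}
        self.last_contact = 0

    def poll(self, now: int) -> str:
        """Compare SOA serials and transfer the zone only if the primary's is newer."""
        remote = self.primary.soa_serial()
        if remote is None:
            if self.serial is not None and now - self.last_contact > self.primary.expire:
                self.records, self.serial = {}, None   # expire interval passed: drop zone
                return "EXPIRED"
            return "PRIMARY_UNREACHABLE"
        if self.serial is not None and not serial_newer(remote, self.serial):
            self.last_contact = now
            return "UNCHANGED"
        copy = self.primary.zone_transfer(self.ip)
        if copy is None:
            return "TRANSFER_REFUSED"                   # address not in the allow list
        self.records, self.serial, self.last_contact = copy, remote, now
        return "TRANSFERRED"

    def resolve(self, name: str) -> Optional[str]:
        return self.records.get(name)


def run_scenario() -> Dict[str, object]:
    """Walk through polling, a refused stub zone host, NOTIFY and zone expiry."""
    primary = PrimaryMaster("shinder.local", serial=2003091001, expire=86400,
                            records={"fs1.shinder.local": "10.10.0.5"},
                            allow_transfer={"10.10.0.2"})
    listed = SecondaryServer("10.10.0.2", primary)      # in the transfer list
    stub_host = SecondaryServer("10.20.0.1", primary)   # hosts a stub zone, not listed
    primary.notify_list.append(listed)
    results: Dict[str, object] = {
        "initial": listed.poll(now=0),
        "unchanged": listed.poll(now=900),               # refresh interval, same serial
        "stub_refused": stub_host.poll(now=0),
    }
    primary.allow_transfer.add(stub_host.ip)             # the fix the NOTE describes
    results["stub_allowed"] = stub_host.poll(now=900)
    primary.update("mail.shinder.local", "10.10.0.25", now=1000)   # NOTIFY: listed polls
    results["after_notify"] = listed.resolve("mail.shinder.local")
    results["stub_stale"] = stub_host.resolve("mail.shinder.local")  # waits for next poll
    primary.online = False
    results["outage_poll"] = listed.poll(now=1900)
    results["expired_poll"] = listed.poll(now=1000 + 86400 + 1)
    results["after_expire"] = listed.resolve("fs1.shinder.local")
    return results
```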
These name server roles are only logically separate from one another. It is possible to
combine roles on a single name server. For example, a DNS server can be configured to be
a primary master for one domain zone file and as a secondary for other domain zone files.
However, it is often advantageous to separate these roles and place them on separate servers.
By doing so, you are better able to design your DNS infrastructure to take into account the
contingencies of your network infrastructure, such as the speed of your WAN links, the
presence of firewalls, the need for security, and so on.
Domain Controller versus Member Server
In an AD environment, you have the choice to install and configure DNS on your domain
controllers or on member servers. If you install DNS on your domain controllers, you can
configure Active Directory-integrated zones.
Active Directory-integrated zones provide the following advantages over standard
DNS zones:
■
There is not a single point of failure for the primary zone. In a standard DNS
environment, if the primary master DNS server fails and is not brought online
within a particular amount of time (specified in the SOA record), the secondary
servers will remove the RRs from their zone, and name resolution will fail for the
entire domain.
■
In large environments where DHCP servers and clients are updating RRs, this
load can be distributed among domain controllers that store zone information
in AD.
■
Active Directory-integrated zones provide enhanced security for zone replication
in that DNS servers must be registered in AD and AD replication traffic is
encrypted.
■
You can use secure dynamic updates with Active Directory-integrated zones to
tighten security further.
■
Synchronization of zone information occurs automatically through AD replication. No further configuration is necessary to facilitate transfer of zone information among participating servers.
■
AD replication is more efficient than the standard zone transfer mechanisms. For
example, AD replication propagates only the last changes. Even though an incremental zone transfer copies only the changes to the RRs, it propagates all the
incremental changes to the RRs that have occurred since the last update. If you
are not using IXFR, the entire zone file is copied whenever an update is made.
■
AD replication will compress replication traffic in certain circumstances, further
reducing the bandwidth needed for DNS-related traffic.
New & Noteworthy...
Using the Application Directory Partition
for Active Directory-Integrated Zones
Windows Server 2003 enhances the design and functionality of AD through the
application directory partition, which is a new feature of Windows Server 2003. In
Windows 2000, Active Directory-integrated zones are contained in the domain partition and are replicated to all domain controllers, regardless of whether the DNS
service is installed on those computers. In contrast, Windows Server 2003 installs
an application directory partition on only those domain controllers that have the
DNS service installed. The application directory partition allows you to confine DNS-related replication to a subset of computers that have the partition installed. By
using application directory partitions, you can reduce the size of the Global Catalog
and the amount of replication traffic between domain controllers. This is a significant advantage when you have a large infrastructure in which DNS or another
application is making a large number of frequent updates to AD, which would otherwise flood your network with replication traffic and negatively affect domain
controller performance.
When you are installing the first Windows Server 2003 AD domain controller,
two application directory partitions are created by default: ForestDNSZones, a
forest-wide partition, and DomainDNSZones, a domain-wide partition for each
domain in the forest.
Active Directory-integrated zones can be used in combination with secondary servers.
For example, you can use secondary zones on servers that are not configured as domain
controllers. This is advantageous in situations where you do not want AD traffic replicated
across a WAN link, but you do want to have an authoritative DNS server available at a
remote location. You cannot simultaneously load a standard text-based primary zone file
and an Active Directory-integrated zone for the same domain on the same domain controller. However, you can combine primary, secondary, and Active Directory-integrated
zones on the same domain controller. On a stand-alone or member server, primary and secondary zones can be combined on the same server. Furthermore, if you have multiple IP
addresses bound to the server, you can emulate a secondary server on the same computer
where the primary is located. This configuration is useful in very small environments where
you have only one server.
EXAM 70-293 OBJECTIVE 2.7.2
Planning for Zone Replication
In planning your DNS infrastructure, you need to decide on the number and placement of
your DNS servers. In particular, you must decide which servers will host zone files for your
domains. Distributing zone files across your network has a number of advantages. For
example, distributed zone files reduce the network traffic caused by DNS queries, increase
availability and fault tolerance, provide load balancing, and result in shorter query response
times. However, distributing zone files requires that you replicate zone information among
your DNS servers, increasing traffic associated with zone transfers or AD replication (if you
have enabled Active Directory-integrated zones). Zone files also increase the storage space
requirements on DNS servers. Furthermore, replicating zone information increases the
administrative effort required to maintain the DNS infrastructure.
In planning for zone replication, you must decide which mechanism you will use for
zone replication: either standard DNS zone transfers or AD replication. This decision will
depend on a number of factors including the storage location (file-based or AD), the type
of zone information (primary, secondary, or stub), and whether you need enhanced security.
If you are using stand-alone, member servers, or other implementations of DNS such as
BIND, you must use standard DNS mechanisms for zone transfers. Depending on the version of DNS or BIND you are using, you can use either full (AXFR) or incremental
(IXFR) zone transfers to propagate zone information. Incremental zone transfers reduce
traffic by propagating only the incremental changes since the last update.
NOTE
You cannot use IXFR on Windows NT 4 DNS servers or on versions of BIND earlier
than BIND 8.2.1.
Microsoft and other DNS servers optimize traffic associated with standard zone transfers by compressing the zone transfer information and including multiple RRs in individual
TCP packets. This mechanism is referred to as fast zone transfers (it should not be confused
with IXFR). Versions of BIND earlier than 4.9.4 do not support fast zone transfers. Support
for fast zone transfers to BIND secondaries is enabled by default on Microsoft DNS servers,
but it can be disabled.
A zone transfer is initiated when the secondary servers determine that the version
number in their SOA RR is lower than the version number in the primary’s SOA RR,
indicating an update to the primary zone. The secondary servers will compare the SOA
version number in the following situations:
■
When they are notified of a change by the primary server
■
When the refresh interval specified in the SOA has elapsed
■
When the DNS service on the secondary server is started
■
When a zone transfer is manually initiated by the administrator
When the secondary server determines it needs to update its zone file, it will make a
request for an incremental zone transfer (IXFR) or a full zone transfer (AXFR).
The notify list should contain only the IP addresses of secondary servers. It is not necessary to use this list to notify other domain controllers that have a copy of the Active
Directory-integrated zone. Active Directory-integrated zones poll approximately every 15
minutes for updates. In fact, adding domain controllers to the notify list can actually
degrade performance. Figure 6.7 shows the property pages for configuring a secondary
zone transfer notify list.
Figure 6.7 Configuring a Notify List for Zone Transfers
NOTE
You should carefully consider the implications of the configuration settings for
zone transfers. Configuring IP addresses in the notify list will increase the frequency and amount of zone transfer traffic on your network. If it is important that
secondary servers be as up-to-date as possible, you should include their IP
addresses in the notify list. Increasing the refresh interval in the SOA RR will
decrease the frequency of polling by secondary DNS servers and consequently
decrease the frequency of zone transfers. If decreasing the amount of zone
transfer traffic is a more important consideration than keeping the DNS data on
the secondary DNS servers current, you should leave them off the notify list and
increase the refresh interval. It might be desirable to do this, for example, if the
secondary DNS is separated from the primary DNS by a slow WAN link.
Active Directory-integrated Zone Replication Scope
If you are using AD, you can use Active Directory-integrated zones that rely on AD to
propagate zone information among domain controllers. Active Directory-integrated zones
can further assist in reducing replication traffic because they replicate only the last change
to RRs, rather than the incremental changes, and can compress replication traffic.
Furthermore, if all your domain controllers are running Windows Server 2003, you can further reduce this replication traffic by defining a scope for the replication of DNS-related
information in AD. This is accomplished by leveraging a new feature of Windows Server
2003, the application directory partition (discussed previously). The broader the scope of
replication, the more replication traffic that is generated.
In a Windows Server 2003 environment, you must specify an Active Directory-integrated scope. The choices for the replication scope are described in Table 6.1.
Table 6.1 Active Directory-integrated Zone Replication Scope Options

DNS Zone Replication Scope: All DNS servers in the AD forest
Description and Usage: This is the broadest scope for DNS zone replication and produces the most replication traffic. Zone data is replicated to all Windows Server 2003 domain controllers on which the DNS service is installed in the entire forest. You can use this option only when all your domain controllers are running Windows Server 2003.

DNS Zone Replication Scope: All DNS servers in a specified AD domain
Description and Usage: This is the default zone replication setting for DNS installed on Windows Server 2003 domain controllers. Zone information is replicated to all the Windows Server 2003 domain controllers on which the DNS service is installed in the domain. This option is desirable when you want to limit or restrict replication of zone information to only the domain controllers in your AD domain. Zone information is not replicated to Windows 2000 domain controllers.

DNS Zone Replication Scope: All domain controllers in the AD domain
Description and Usage: This option replicates DNS zone information to all domain controllers in the AD domain, regardless of whether or not the DNS service is installed on them. This option is desirable in a mixed environment where Windows 2000 domain controllers are used.

DNS Zone Replication Scope: All domain controllers specified in the replication scope of a DNS application directory partition
Description and Usage: This option allows the customization of your zone replication environment. To use this option, your Windows Server 2003 domain controllers running DNS must be enlisted in the application directory partition. You can use the Dnscmd command-line utility to enlist DNS servers. The syntax for the command is dnscmd [DNS_server_name] /EnlistDirectoryPartition [FQDN of partition]. All fields are required.
A significant advantage of using the application directory partition to store zone data is
that the data is not replicated throughout the AD forest in the Global Catalog. This would
be the case if AD zone data were stored in the domain partition, as it is in Windows 2000.
When using intersite replication (replication between different sites), the application directory partition is replicated according to the same schedule as the domain partition.
To change the replication scope, you can use the DNS console, which presents the
choices indicated in Figure 6.8. There are four choices, corresponding to the descriptions in
Table 6.1. The choices are to replicate zone data to all DNS servers in the AD forest, to all
DNS servers in the AD domain, to all domain controllers in the AD domain, and to all
domain controllers specified in the scope of [a specified] application directory partition. The
last choice to customize the zone replication environment is grayed out and unavailable
because the server has not been enlisted in other partitions.
Figure 6.8 Changing Replication Scope for Windows Server 2003
Active Directory-integrated Zones
By default, when you first create an Active Directory-integrated zone and an application directory partition has not been created, you have the option of creating the partition
using the DNS console utility. You can also use the Ntds utility to create or delete application directory partitions and the Dnscmd utility to create the default application directory
partitions. If the default partitions have already been created, you will get an error message
indicating that the partition already exists. When you use the DNS console utility to create
the application directory partition, you are presented with two exclusive choices:
■
To create a single application directory partition that stores DNS zone data and
replicates that data to all DNS servers in the domain. If you respond No to this
choice, you will be presented with the second choice.
■
To create a single application directory partition that stores DNS zone data and
replicates that data to all DNS servers in the forest. This creates the broadest scope
for replication of DNS zone data.
Figure 6.9 shows the choices for creating an application directory partition using the
DNS console. The two dialog boxes below the DNS console window appear when you use
the DNS console to create the default application directory partitions.
Figure 6.9 Creating the application directory partition using the DNS console
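Table 6.1 and the partition-creation steps above, as dnscmd commands run on a Windows Server 2003 domain controller that hosts DNS (an added example, not the book's own code): the zone name follows the chapter's scenario, while dns2.corp.tacteam.net and the partition name dnsrepl.corp.tacteam.net are constructed placeholders.

```batch
@echo off
rem Added example, not from the book: move the corp.tacteam.net zone into an
rem application directory partition and narrow its replication scope.
rem dns2.corp.tacteam.net and dnsrepl.corp.tacteam.net are constructed placeholders.
set DC=dns1.corp.tacteam.net
set ZONE=corp.tacteam.net

rem 1. Create the default partitions (ForestDnsZones and DomainDnsZones) if they
rem    do not exist yet. The domain naming master must be a Windows Server 2003
rem    domain controller; an error here means the partition already exists.
dnscmd %DC% /CreateBuiltinDirectoryPartitions /Forest
dnscmd %DC% /CreateBuiltinDirectoryPartitions /Domain

rem 2. Default scope: all DNS servers in the AD domain (DomainDnsZones). Zone
rem    data no longer lands in the Global Catalog as it did in Windows 2000.
dnscmd %DC% /ZoneChangeDirectoryPartition %ZONE% /domain

rem 3. Custom scope: a dedicated partition replicated only to the domain
rem    controllers enlisted in it. Enlist every DNS server that should hold the
rem    zone before moving the zone there.
dnscmd %DC% /CreateDirectoryPartition dnsrepl.corp.tacteam.net
dnscmd %DC% /EnlistDirectoryPartition dnsrepl.corp.tacteam.net
dnscmd dns2.corp.tacteam.net /EnlistDirectoryPartition dnsrepl.corp.tacteam.net
dnscmd %DC% /ZoneChangeDirectoryPartition %ZONE% dnsrepl.corp.tacteam.net

rem 4. An Active Directory-integrated zone can require secure dynamic updates
rem    (0 = none, 1 = nonsecure and secure, 2 = secure only).
dnscmd %DC% /Config %ZONE% /AllowUpdate 2

rem 5. Show the partitions this server knows about and its enlistment state.
dnscmd %DC% /EnumDirectoryPartitions
dnscmd %DC% /DirectoryPartitionInfo dnsrepl.corp.tacteam.net
```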
NOTE
In order for the application directory partition to exist, the domain naming master
Flexible Single Master of Operations (FSMO) role must be running on a Windows
Server 2003 domain controller. In situations where you have upgraded a Windows
2000 domain controller to Windows Server 2003 and wish to change the replication scope from the domain to the application directory partition, you must first
ensure that a Windows Server 2003 domain controller is the domain naming
master. Otherwise, you will get an error message when you try to change the replication scope.
Security for Zone Replication
It is also important to ensure that zone replication traffic is secure, especially in situations
where standard zone transfers are occurring over the Internet. To secure zone replication,
you can configure Microsoft DNS to transfer zone information to only those servers that
are found in the zone’s name server list. However, you can further tighten security by specifying individual IP addresses that are allowed to receive zone transfers.
In situations where you are transferring zone transfer information over the Internet or
you are concerned that this traffic can be intercepted, you should also consider using Virtual
Private Network (VPN) tunnels or Internet Protocol Security (IPSec) to encrypt this
traffic. Recent versions of BIND can use transaction signatures (TSIG) to secure zone
transfers, but Microsoft does not support secure zone transfers to secondary zones. Hence
the need for VPN tunnels and IPSec.
Using Active Directory-integrated zones also increases the security of your replication
data by ensuring that all DNS servers are registered in AD and by using the security mechanisms inherent in AD replication. The security for zone transfers arises from the security of
AD when you use Active Directory-integrated zones. Where possible, you should use Active
Directory-integrated zones exclusively to improve performance and security of zone replication traffic.
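The zone transfer restrictions and notify-list advice from this section, as dnscmd commands (an added example, not from the book): the primary dns1.tacteam.net and the zone tacteam.net follow the chapter's scenario, and the secondary addresses 192.0.2.53 and 198.51.100.53 are constructed placeholders.

```batch
@echo off
rem Added example, not from the book: hardening standard zone transfers for
rem tacteam.net on the primary dns1.tacteam.net. The secondary addresses
rem 192.0.2.53 and 198.51.100.53 are constructed placeholders.
set PRIMARY=dns1.tacteam.net
set ZONE=tacteam.net
set SECONDARIES=192.0.2.53 198.51.100.53

rem Weak setting, shown only for contrast: any host can pull the whole zone
rem with AXFR, and every server in the NS list is notified of changes.
rem dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /NonSecure /Notify

rem Middle ground: transfers only to servers named in the zone's NS records.
rem dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /SecureNs /Notify

rem Hardened setting: transfers and notifications go only to the listed
rem secondaries. Domain controllers holding an Active Directory-integrated copy
rem poll AD themselves and do not belong on the notify list.
dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /SecureList %SECONDARIES% /NotifyList %SECONDARIES%

rem A zone with no secondaries should not be transferable at all.
rem dnscmd %PRIMARY% /ZoneResetSecondaries %ZONE% /NoXfr /NoNotify

rem Fast zone transfers are on by default; turn them off only for BIND
rem secondaries older than 4.9.4 (one RR per message, uncompressed).
rem dnscmd %PRIMARY% /Config /BindSecondaries 1

rem Check the zone settings, then make one secondary compare its SOA serial
rem with the primary's now instead of waiting for the refresh interval.
dnscmd %PRIMARY% /ZoneInfo %ZONE%
dnscmd 192.0.2.53 /ZoneRefresh %ZONE%
```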
General Guidelines for Planning for Zone Replication
You should keep the following guidelines in mind when planning for the distribution of
zone files in your infrastructure:
■
Limiting the number of zones of authority in your DNS infrastructure simplifies
administration. For each subdomain that has a separate zone of authority, you
must ensure that the delegation of authority is correct for the subdomain and plan
for the appropriate zone replication for each of these subdomains.
■
Distributing zone files increases the traffic associated with zone transfers or AD
replication.
■
Distributing zone files reduces the amount of traffic associated with name resolution queries.
■
Distributing zone files provides a means for supporting a disjointed namespace.
■
Distributing zone files increases availability and fault tolerance. It also reduces
query response times.
■
If you are using Active Directory-integrated zones and all your DNS servers are
installed on Windows Server 2003 domain controllers, you can use an application
directory partition to reduce the replication traffic associated with the transfer of
zone information.
■
You can minimize the bandwidth consumed by standard zone transfers by modifying the schedule for transfers to secondary zones.
■
You should configure a primary server to notify only secondary servers. However,
you should note that configuring the notify list to transfer zone information with
the IP addresses of servers hosting the Active Directory-integrated zone can actually degrade performance.
■
If you are using standard DNS zone transfers, you should try to implement incremental zone transfers and fast zone transfers where possible.
■
A DNS server that is hosting an Active Directory-integrated zone or a standard
primary zone can also host a standard secondary zone for another domain.
■
A stub zone is a synchronized copy of a subset of an authoritative zone’s RRs: the
SOA, NS, and glue address records that identify authoritative name servers for a
particular domain.
■
A stub zone can reduce cross-domain referral and other DNS traffic.
■
Security of zone data should be a consideration in your design and implementation. Active Directory-integrated zones provide more security than standard zone
types. If you are using standard zone types, security can be enhanced by restricting
the hosts that are allowed to receive zone transfers and by encrypting zone
transfer traffic using VPN tunnels or IPSec using the strongest level of encryption
possible.
EXAM 70-293 OBJECTIVE 2.7.3
Planning for Forwarding
Distributing zone files throughout your infrastructure provides one means of ensuring efficient DNS name resolution. However, it is not always desirable or possible to distribute
zone files to facilitate efficient DNS name resolution.
Consider a situation in which a large company has a small branch office connected
by a slow WAN link. If the branch office were to host a copy of the zone files, the zone
replication traffic could overwhelm the slow WAN link. In a situation like this, it is advantageous to configure a DNS server in the branch office that forwards DNS queries to specific
servers in the main office. This increases the amount of name resolution traffic that crosses
the WAN link, but it eliminates the more significant zone replication traffic.
It might also be advantageous in this situation to configure the DNS server in the
branch office to forward all queries for Internet name resolution to a forwarder in the main
office that is better able to resolve Internet queries. This forwarder can resolve queries
directly by contacting authoritative DNS servers on the Internet using its more ample
bandwidth and capacity, or it may be able to resolve queries from its larger cache.
A forwarder is simply a DNS server that receives queries that are forwarded to it by
other DNS servers that are not capable of resolving the DNS query. Whenever a DNS
server receives a query, it will try to answer the query from the data stored in its zone files
or cache. Unless it has been configured otherwise (that is, as a nonrecursive server or a
root-level server), if the DNS server cannot answer the query from its data it will either
contact authoritative root servers or forward the query to a forwarder.
A forwarding server can be configured to use recursion if the configured sets of forwarders are
unable to resolve name queries. This configuration might be desirable in situations where
you want the DNS server to continue to attempt to resolve queries in the event that the
forwarders are unable to do so. If the forwarders are unable to answer queries, the forwarding server will continue to use standard DNS methods to resolve the queries starting
with the root-level servers. However, this configuration might not always be desirable or
possible. In this case, you can configure the forwarding server to not use recursion if the
queries to the forwarders fail. If resolution fails using the configured set of forwarders, the
name resolution process stops and a negative response is sent to the DNS client.
Servers that are configured to not use recursion are called forward-only servers. You configure a forward-only server by checking the box labeled Do not use recursion for this
domain in the Forwarders property page (see Figure 6.11 in the next section).
Using forwarders can help reduce the amount of DNS traffic related to recursion in
addition to reducing the traffic related to zone replication. Their use can also help to
enhance security by minimizing the number of DNS servers that need to communicate
with one another across firewalls. Other advantages can be realized by using conditional
forwarding, a new feature of Windows Server 2003 DNS.
Conditional Forwarding
Conditional forwarding adds intelligence to the forwarding of DNS queries. In previous
versions of Microsoft DNS, you could configure a forwarding server to forward queries for
all domains it could not resolve to only a single set of forwarders. In this setup, the list of
forwarders was responsible for resolving names for the entire domain namespace on behalf
of the forwarding server. With conditional forwarding, it is possible for the DNS administrator to configure a forwarding server to contact different sets of forwarders based on the
domain name in the query. Figure 6.10 shows a possible design configuration for conditional forwarding.
Figure 6.10 Conditional Forwarding Configured to Send Queries Directly to an Authoritative Server
[Figure: The root DNS servers delegate authority to dns1.tacteam.net (authoritative for tacteam.net), which in turn delegates authority to dns1.corp.tacteam.net (authoritative for corp.tacteam.net). A DNS client sends a query for a host on corp.tacteam.net to dns1.shinder.net, which has DNS conditional forwarding configured to send queries for corp.tacteam.net directly to dns1.corp.tacteam.net.]
In Figure 6.10, dns1.shinder.net has been configured to send any query requests for
hosts in the corp.tacteam.net domain directly to dns1.corp.tacteam.net, which is authoritative for the zone. If conditional forwarding had not been configured, dns1.shinder.net
would need to send a set of iterative queries to the root servers and dns1.tacteam.net in
order to find the server that is authoritative for corp.tacteam.net. This configuration helps
to eliminate network traffic related to DNS name resolution and reduces DNS query
response time. Also, since dns1.shinder.net is a direct point of contact with
dns1.corp.tacteam.net, over time it would acquire a significant number of cached RRs for
hosts in the corp.tacteam.net domain.
You can also imagine in this configuration that corp.tacteam.net is the forest root
domain for AD. In this situation, it is both possible and highly desirable to limit DNS access
through the firewall that protects the internal network for corp.tacteam.net to specific forwarding DNS servers.
As you can also infer from this scenario, using conditional forwarders eliminates the
need to use secondary zones to support a disjointed namespace. It is not necessary to host a
secondary zone for the corp.tacteam.net zone on the shinder.net network. (You could also
use stub zones to eliminate the need for the secondary zones, but conditional forwarding is
a preferable solution.) To increase the fault tolerance of this solution, you should specify
more than one forwarder in the list of servers for the forwarding server to contact to perform name resolution for the remote domain.
Figure 6.11 shows conditional forwarding configured for the corp.tacteam.net domain.
Note that you can disable recursion on a per-domain basis.
Figure 6.11 Conditional Forwarding for the corp.tacteam.net Domain
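The Figure 6.10 and 6.11 design as dnscmd commands, together with the nonrecursive server role described earlier in the chapter (an added example, not the book's own code): the server and domain names come from the figure, and the forwarder addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders.

```batch
@echo off
rem Added example, not from the book: dns1.shinder.net forwards queries for
rem corp.tacteam.net straight to its authoritative servers, and dns1.tacteam.net
rem is the Internet-facing authoritative server with recursion disabled.
rem Forwarder addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders.

rem --- On dns1.shinder.net: conditional forwarder for corp.tacteam.net ---
rem Two forwarders give fault tolerance. /Slave makes the domain forward-only
rem (the "Do not use recursion for this domain" check box): if both forwarders
rem fail, the client receives a negative answer rather than the server falling
rem back to iterative queries against the root servers.
dnscmd dns1.shinder.net /ZoneAdd corp.tacteam.net /Forwarder 192.0.2.10 192.0.2.11 /TimeOut 5 /Slave

rem Without /Slave the server keeps recursing via the root servers when the
rem forwarders are down. Recursion is chosen per forwarded domain.
rem dnscmd dns1.shinder.net /ZoneAdd corp.tacteam.net /Forwarder 192.0.2.10 192.0.2.11

rem --- On dns1.tacteam.net: nonrecursive, authoritative-only role ---
rem Disabling recursion also disables forwarders, so this server answers only
rem for zones it is authoritative for; Internet clients cannot use it as their
rem resolver by pointing their TCP/IP settings at it.
dnscmd dns1.tacteam.net /Config /NoRecursion 1

rem Verify: the recursion setting on the authoritative server and the new
rem forwarder zone on the forwarding server.
dnscmd dns1.tacteam.net /Info /NoRecursion
dnscmd dns1.shinder.net /EnumZones
```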
General Guidelines for Using Forwarders
The following guidelines might assist you in planning to use forwarders as part of a DNS
infrastructure:
■
Forwarders can eliminate the need to host secondary zone files across slow WAN
links that might otherwise saturate bandwidth during zone replication.
■
Conditional forwarders can directly query authoritative name servers based on the
domain name in the query.
■
Conditional forwarders can assist in providing support for a disjointed namespace
and are a preferred solution over using stub zones for the same purpose.
■
Fault tolerance can be enhanced by specifying multiple forwarders and by
enabling recursion if queries to forwarders fail.
■
Using forwarders can enhance security by minimizing the number of DNS
servers that need to communicate with each other across firewalls.
EXAM WARNING
Conditional forwarding is an important new and useful feature of Windows Server
2003 DNS. You should be familiar with configuring conditional forwarding and
understand the reasons that conditional forwarding is a preferable solution in a
given environment.
DNS/DHCP Interaction
As is the case with Windows 2000, Windows Server 2003 supports the DDNS standard
(RFC 2136) to dynamically update both forward and reverse lookup zones with A and
PTR RRs, respectively. (A forward lookup zone resolves host names to IP addresses; a
reverse lookup zone resolves IP addresses to host names.) DDNS reduces much of the
administrative burden in managing zone files in a DNS infrastructure. In particular,
DDNS makes it possible for AD domain controllers to create and update the SRV RRs
that are fundamental to the proper operation of AD. DDNS is also used in combination
with DHCP to ensure that DHCP clients will have the appropriate records registered for
them in DNS and the DNS records are updated whenever IP addresses change or DHCP
leases expire.
Both clients and DHCP servers are capable of updating the zone records. However,
only clients that are running Windows 2000, Windows XP, or Windows Server 2003 operating systems are capable of directly updating DNS zones. This is the default configuration
for these clients and can be disabled on the DNS tab of the Advanced property page for
TCP/IP. Usually, DHCP clients will update their own A records in the forward lookup
zone, but the DHCP servers will update the PTR record in the reverse lookup zone (the
computer “owns” the host name, but the DHCP server “owns” the IP address). Clients with
manually configured IP addresses will always try to register both an A and a PTR record.
Down-level clients, such as Windows 9x and Windows NT 4, must rely on DHCP servers
to update both A and PTR RRs on their behalf.
When a client or a DHCP server attempts to update an RR, it will first query the
DNS server that it is configured with to find the DNS server that is authoritative for the
domain name it is trying to register. Once it determines this information, the DNS client
will send an update request to the server that is authoritative for the zone. If the update
request meets the prerequisites for updating the record, the record is updated. If the prerequisites are not met, the update fails. The client is notified of either the success or failure of
the update. In the case of failure, the DNS client will attempt to register the record again in
a 5-, 10-, and then a repeated 50-minute interval.
DHCP clients that are capable of dynamically updating DNS records use the DHCP
client option 81 to provide the FQDN as specified by the full computer name in the properties of the My Computer object, and instructions for the DHCP server to handle
DDNS registration. (This is configured on the DNS tab of the Advanced property page
for TCP/IP of the client computer.) The client’s FQDN is used to register the name with
the appropriate DNS server that is authoritative for the zone. Down-level clients will be
registered with DNS servers that are authoritative for the domain name configured for the
DHCP scope.
Head of the Class...
DHCP Client and Netlogon Service
The ability for a Windows XP and Windows 2000 Professional client to update a
DNS record requires the DHCP client service to be running. The DHCP client service,
rather than the DNS client service, is responsible for sending dynamic update
requests to the primary DNS. The reason for this is to ensure that updates to the
zone file occur whenever there is a change in the IP address associated with a computer as a result of DHCP. This is true regardless of whether or not the client is configured to acquire its TCP/IP configuration from a DHCP service or has a static TCP/IP
configuration. When a client creates a DNS registration, it will use a default value
of 20 minutes for the TTL on the record, which overrides the minimum TTL value in the SOA
record. Using the DHCP client service, DNS clients will send an update request
opcode every 24 hours for their A and PTR records. If there is no change to the
name and IP address mapping, this update request is considered a refresh and does
not result in a change to the version number of the DNS zone file.
The situation for servers and domain controllers is a little different, owing to
the importance of having accurate DNS data for these computers. These computers
send an update request every hour. If the computer is a domain controller, the
Netlogon service is responsible for sending the hourly update for its A, PTR, CNAME,
and SRV records. (In the case of Windows 2003 domain controllers, the update
interval is every 15 minutes.)
For more information about this topic, see the Microsoft Knowledge Base
article “How to Enable/Disable Windows 2000 Dynamic DNS Registrations” at
http://support.microsoft.com/default.aspx?scid=kb;en-us;246804.
A DHCP server will do the following, depending on its configuration:
■ Update the A and PTR records, if requested by the client.
■ Always update the A and PTR records, regardless of the client request.
By default, a DHCP server will attempt to update A and PTR records if requested by the client.
Figure 6.12 shows the default configuration for the DHCP server on the properties page
for the DHCP server in the DHCP console. A similar property page exists for the DHCP
scope.
Figure 6.12 Default DHCP Configuration for Dynamic DNS Updates
To configure the DHCP server to update DNS records regardless of the client request,
select the radio button labeled Always dynamically update DNS A and PTR
records. If you wish to configure DHCP to perform DNS updates on behalf of legacy
clients, select the check box labeled Dynamically update DNS A and PTR
records for DHCP clients that do not request updates (for example, clients running
Windows NT 4.0). By default, the DHCP server is configured to remove both the
A and the PTR records from the DNS zone when the lease is deleted. You can change this
behavior by clearing the box labeled Discard A and PTR records when lease is deleted.
When you clear this box, the DHCP server will attempt to remove the PTR record when
the lease expires.
Security Considerations for DDNS and DHCP
Implementing DDNS creates some security risks in that unauthorized computers and users
might be able to update DNS records. In the case of public Web servers, the consequences
of the unauthorized registration of a rogue Web server IP address to replace a valid one can
be very significant indeed. For this reason, it is not a good idea to enable DDNS on any
zones that are used to resolve names for your Internet-facing servers.
To mitigate the risk of unauthorized updates, you can require the use of secure dynamic
updates. However, the option to use secure dynamic updates is available only if you are using
Active Directory-integrated zones. (On a standard primary zone, your only choices are to allow
no dynamic updates or to allow both nonsecure and secure updates.) When you enable this
option, you are able to control which computers, users, or groups are able to modify RRs in
the zone. For this reason alone, you should consider using DDNS only if you are using
Active Directory-integrated zones.
If you have enabled secure updates, there is a potential for problems caused by the
ownership of records. When a DNS client or a DHCP server updates a zone file with an
RR, it becomes the owner of that record. Normally, this does not create a problem.
However, in some circumstances, the ownership of an RR can prevent a valid update to it.
Consider the case of a client that is upgraded to Windows XP. After the upgrade, it attempts
to update its RR in the zone. The attempt will fail because the record is owned by the
DHCP server that originally created the record on the client's behalf. Or, consider the case
where a DHCP server other than the original one tries to register an update on
the client's behalf. Again, the attempt will fail. To resolve this problem, you can use a special
security group called DnsUpdateProxy.
DnsUpdateProxy Group
Any objects that are created by members of the DnsUpdateProxy group have no security
and are ownerless. Consequently, the first authenticated computer that updates the record is
able to take ownership of the object. Therefore, if you enable secure dynamic updates only,
you should place all DHCP servers in this group before they start registering names.
The DnsUpdateProxy group can create a security risk, however, if the DHCP server is
installed on a domain controller. If a DHCP server that is a member of the
DnsUpdateProxy group is installed on a domain controller, all the SRV records, the A records
for the domain controller on which DHCP is installed, and the other critical records created
by the domain controller for AD functionality will be ownerless, allowing the first
authenticated user who tries to update them to become the owner. For this reason, you should
not install a DHCP server on a domain controller if you are using the DnsUpdateProxy group.
If, for whatever reason, you do need to install DHCP on a domain controller, or if
DHCP is updating A records for clients in forward lookup zones, you should configure
your DHCP server(s) to use DNS dynamic update credentials. To do this, you configure a
security principal (a user account in this case) for use by all your DHCP servers when they
update a DNS zone. You then configure your DHCP servers to use this account for
dynamic updates. (This is a new feature of Windows Server 2003 and is not available on
Windows 2000.) This obviates the problems arising from ownerless records created by
DHCP servers in the DnsUpdateProxy group. In particular, enabling this configuration
prevents a DHCP server from using the elevated permissions it inherits by virtue of being
installed on a domain controller. Figure 6.13 shows the Advanced tab on the DHCP
server property page where you configure credentials for dynamic updates.
Figure 6.13 Configuring Credentials for DHCP Updates to Dynamic Zones
Head of the Class...
Generic Security Service TSIG (GSS-TSIG) and Dynamic Updates
Microsoft uses a dialect of transaction signatures (TSIG), as specified in RFC 2845, as the
underlying mechanism for secure dynamic updates. This dialect, Generic
Security Service TSIG (GSS-TSIG), is not spoken by other implementations of DNS. A
version of BIND 9.x is supposed to provide this support in the future, but as of this
writing, BIND 9.2 (the most current version) does not provide this support. This lack
of interoperability can cause issues if you are trying to integrate BIND into your
Windows environment: for example, if you want a BIND server to handle all your
dynamic updates (which makes administering the zone a much more complex challenge),
or if you want a BIND DNS client to be able to update records using secure dynamic update.
In BIND 9, TSIG is used primarily for secure server-to-server communications
(for example, zone transfer, notify, and recursive query messages). However, TSIG
can be used in a BIND environment for secure dynamic updates.
Aging and Scavenging of DNS Records
When you enable zones for dynamic updates, it is possible that the zone data files will
acquire a large number of superfluous and outdated records that might have a negative
effect on DNS performance. For example, if you retire a user's workstation and disconnect
it from the network, the RRs for that computer might remain in the DNS data. To help
ensure the integrity and currency of DNS data, you can enable aging and scavenging of
outdated DNS records. (By default, the aging and scavenging option is not enabled.)
Aging and scavenging can be set on a per-zone or per-DNS server basis. Per-zone settings override per-DNS server settings. Figure 6.14 shows the server-wide aging and scavenging property page.
Figure 6.14 Aging and Scavenging Settings for a DNS Server
The No-refresh interval setting is the amount of time that must elapse before a DNS
client or DHCP server can refresh the timestamp on a record. When a DNS client creates a
record, the record is assigned a timestamp. The DNS client attempts to refresh this record
every 24 hours. Unless the record is changed (for example, the client receives a new IP
address), the timestamp cannot be refreshed for a default period of seven days. After the
seven days have elapsed, the DNS client can refresh the timestamp, which restarts the
no-refresh interval for the record. If the record is not refreshed during the seven-day Refresh
interval that follows, it can be scavenged. When the record is actually scavenged, however,
depends on another setting, the Scavenging period. This setting is enabled and configured on
the Advanced tab of the property pages for the DNS server. To enable scavenging, you must
enable this setting, as well as the settings for No-refresh interval and Refresh interval.
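To make the No-refresh and Refresh timeline concrete, here is an added Python example (not code from the book or from Microsoft) that replays a client's 24-hour refresh attempts against the seven-day defaults and reports when its record becomes eligible for scavenging. The dates, the retired-workstation scenario and the function names are constructed for illustration; the timestamp rules follow the description above.

```python
from datetime import datetime, timedelta

# Assumed defaults: the seven-day No-refresh and Refresh intervals from the
# server's Aging/Scavenging page and the 24-hour client refresh cycle.
NO_REFRESH_INTERVAL = timedelta(days=7)
REFRESH_INTERVAL = timedelta(days=7)
CLIENT_REFRESH_CYCLE = timedelta(hours=24)


def day(text):
    """Parse a constructed 'YYYY-MM-DD' date used in the examples."""
    return datetime.strptime(text, "%Y-%m-%d")


def refresh_accepted(timestamp, now, changed=False,
                     no_refresh=NO_REFRESH_INTERVAL):
    """Return True if a client's update would move the record's timestamp.

    An update that changes the record (for example a new IP address) is always
    applied. A pure refresh (same name, same address) is ignored until the
    No-refresh interval has elapsed, so the zone does not churn every 24 hours.
    """
    return changed or (now - timestamp) >= no_refresh


def record_state(timestamp, now, no_refresh=NO_REFRESH_INTERVAL,
                 refresh=REFRESH_INTERVAL):
    """Classify where a dynamically registered record sits in the aging timeline."""
    age = now - timestamp
    if age < no_refresh:
        return "no-refresh"     # timestamp frozen; refreshes are ignored
    if age < no_refresh + refresh:
        return "refresh"        # a client refresh restarts the cycle
    return "scavengeable"       # the next scavenging pass may delete it


def simulate_client(created, last_seen, now):
    """Replay a client's daily refresh attempts up to the time it was last on
    the network; return the record's final timestamp and its state at `now`.

    A retired workstation (last_seen well before now) ends up scavengeable; an
    active one keeps its timestamp fresh and is never removed.
    """
    timestamp = created
    attempt = created + CLIENT_REFRESH_CYCLE
    while attempt <= min(last_seen, now):
        if refresh_accepted(timestamp, attempt):
            timestamp = attempt
        attempt += CLIENT_REFRESH_CYCLE
    return timestamp, record_state(timestamp, now)


if __name__ == "__main__":
    created, now = day("2003-09-01"), day("2003-10-15")
    print("retired workstation:", simulate_client(created, day("2003-09-20"), now))
    print("active workstation: ", simulate_client(created, now, now))
```

Running it shows the retired workstation's record frozen at its last accepted refresh (September 15) and scavengeable once 14 days have passed, while the active client's timestamp keeps advancing every seventh day and never leaves the no-refresh window.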
EXAM WARNING
DDNS and its interaction with DHCP are important concepts. You should be thoroughly familiar with the implementation of DDNS and DHCP to support dynamic
updates to DNS zones. Your understanding of these concepts should also be
informed by a thorough understanding of the security implications for enabling
DDNS.
EXAM 70-293 OBJECTIVE 2.7.5
Windows Server 2003 DNS Interoperability
In addition to its interoperability with DHCP, the Windows Server 2003 DNS is designed
to interoperate with other implementations of DNS such as BIND, and with other
Windows Server 2003 services such as WINS. In this section, we examine the interoperability of Windows Server 2003 with other DNS servers and Windows Server 2003 services.
BIND and Other DNS Server Implementations
One of the design goals of Windows 2000 and Windows Server 2003 is to ensure that they
conform as much as possible with TCP/IP and other standards, as defined by various
organizations and governing bodies. This, in turn, helps to ensure that Windows can
interoperate with a wide variety of heterogeneous systems.
With some exceptions, such as the addition of functionality required for the interoperability
of DNS and WINS, Windows Server 2003 DNS is a completely standards-based
implementation of DNS. As such, it will interoperate with other standards-based
implementations of DNS, such as BIND. In fact, in many cases, it is not necessary to forsake
a current implementation of DNS for Windows Server 2003 DNS as long as the implementation
of DNS supports current DNS standards. That said, management of your DNS infrastructure
is easier if all your DNS servers are Windows Server 2003 servers.
The degree of interoperability will depend on the version of BIND with which
the Windows Server 2003 DNS server interacts. Like other standards, the standards for DNS
are evolving, and earlier implementations of DNS such as the DNS in Windows NT 4 or
earlier versions of BIND will not interoperate completely with Windows Server 2003
DNS. In some cases, the presence of downlevel and legacy implementations of DNS can
create problems in the DNS infrastructure.
BIND stands for Berkeley Internet Name Domain and was developed by a group of
graduate students at the University of California at Berkeley in the mid-1980s for use on
UNIX operating systems. BIND is now the responsibility of the Internet Software
Consortium (ISC). The ISC's first release was BIND 4.9.3. BIND 8 was released in 1997.
BIND 9.2 is the most current version as of this writing. BIND 8 is still widely used. The
latest version is 8.4.1, and it should be implemented because it fixes a number of security
holes and bugs in earlier versions. Version 4 of BIND has been officially deprecated by
ISC, and its use is not recommended. However, if BIND 4 cannot be upgraded to BIND 8
or 9, you should upgrade to BIND 4.9.11.
Table 6.2 shows a comparison of the features supported by various implementations of DNS.
Table 6.2 Windows DNS and BIND Compatibility Comparison
Feature | Windows Server 2003 | Windows 2000 | Windows NT 4 | BIND 9.2 | BIND 8.4.1 | BIND 4.9.3
RFC 2782 SRV RRs | Yes | Yes | Yes, with Service Pack 4 or higher installed | Yes | Yes | No (minimum version is BIND 8.1.2)
Fast zone transfer | Yes | Yes | Yes | Yes | Yes | No (but is supported in versions of BIND later than 4.9.4)
Incremental zone transfer | Yes | Yes | No | Yes | Yes (but not supported in versions of BIND earlier than 8.1.2) | No
Dynamic updates | Yes | Yes | No | Yes | Yes | No
Stub zones | Yes | No | No | Yes | Yes | Yes
Conditional forwarding | Yes | No | No | Yes | Yes | No
DNSSec | Limited support to allow loading of DNSSec RRs in secondary zones | No | No | Yes | Experimental | No
ACLs on RRs | Yes, if using AD-integrated zones with secure updates only | Yes, if using AD-integrated zones with secure updates only | No | No | No | No
GSS-TSIG for secure dynamic updates | Yes | Yes | No | No (support for only simple secure updates, as per RFC 3007) | No (support for only simple secure updates, as per RFC 3007) | No
TSIG for securing zone transfers and notify messages | No | No | No | Yes | Yes | No
Kerberos for secure zone transfers | Yes, when using AD-integrated zones | Yes, when using AD-integrated zones | No | No | No | No
WINS and WINS-R records | Yes | Yes | Yes | No | No | No
UTF-8 character encoding | Yes | Yes | No | No | No | No
Aging and scavenging of RRs | Yes | Yes | No | No | No | No
Zone Transfers with BIND
BIND supports standard primary and secondary DNS zones. Thus, BIND servers can be
used as primary DNS servers that transfer zone files to Microsoft DNS secondary
servers, and vice versa. A BIND server can also be configured as a secondary server to an
Active Directory-integrated zone. However, an Active Directory-integrated zone cannot be a
secondary zone, so it is not possible for a BIND server to host a primary zone that transfers
zone information to a secondary zone configured in AD. Also note that if you want to
secure zone transfers between BIND and Microsoft DNS servers, you will not be able to
use the TSIG mechanisms available to recent implementations of BIND.
NOTE
To secure transfers of DNS zones, you must either implement zones that are exclusively Active Directory-integrated or use some other mechanism, such as VPN tunnels and IPSec if you are using standard DNS zones.
Versions of BIND earlier than BIND 4.9.4 do not support the fast transfer method for
zone replication. When the fast transfer method for zone replication is enabled, multiple
zone RRs are compressed in the TCP/IP packet. Fast zone transfers are enabled by default
in Windows DNS. You should disable fast zone transfers only if your secondary DNS
servers are running versions of BIND earlier than version 4.9.4. The configuration for fast
zone transfers can be enabled or disabled only on a server-wide basis. You cannot enable or
disable it on a per-zone basis. Disabling fast zone transfers does not affect zone replication
between Windows DNS servers. Figure 6.15 shows the default configuration that enables
fast zone transfers. To disable fast zone transfers for BIND secondary servers, navigate to the
Advanced tab of the property pages for the DNS server and clear the check box for
BIND secondaries.
Figure 6.15 Enabling Fast Zone Transfers for BIND Secondaries
Windows DNS zone files can contain RRs that can cause problems for BIND secondaries.
These records include those that use an underscore in the host or domain name and
the WINS and WINS-R records. On some versions of BIND, notably BIND 8.0, the presence
of these records can cause the zone to fail to load.
Although the underscore is a valid character in a NetBIOS name, it is not a valid character
for DNS host names, according to RFCs 851, 952, and 1123. (The underscore is a
valid character for domain names, and the more recent RFC 2181 specifies that any binary
string can be used to represent a host name, but not all DNS servers conform to the
standards specified in RFC 2181.) BIND version 8, in particular, will have problems if it
encounters underscores in the host or domain names when it loads the data for the
secondary zone. This is a result of a feature in BIND 8 known as name checking, which
restricts the character set used for host and domain names. If underscores are present in host
names, you have two choices: rename the computers so that their names do not have
underscores, or disable name checking on the BIND 8 server by changing the default
check-names setting on the BIND 8 server from Fail to Warn or Ignore.
If a BIND 8 server is hosting a primary or secondary zone for AD SRV records, the
only choice is to disable name checking, because these records contain underscores in the
domain names, and these cannot be changed. (BIND 9 does not restrict the character set
for domain names, so this is not an issue if you are running BIND 9.)
The proprietary WINS forward and reverse lookup records also create problems for
BIND secondaries. In this case, the issue is that the WINS record is not part of
the DNS standard and is not recognized by other DNS servers. Non-Microsoft DNS servers
will see the WINS forward and reverse lookup records as bad records, causing either data
errors or the failure of the zone to load. If you are using BIND secondaries for a zone
hosting WINS records, you have two choices: configure the WINS records not to replicate,
or configure a separate referral zone for WINS records. It is preferable to configure a
separate referral zone for WINS records, because otherwise clients that contact secondary
DNS servers might get different answers from clients that contact the primary DNS server.
We will discuss WINS and DNS interaction in more detail later in this chapter.
Supporting AD with BIND
As we mentioned earlier, you can support AD using BIND servers rather than Windows
Server 2003 DNS. The minimum requirement for a DNS server to support AD is that it be
able to host SRV records in its data. DDNS is only an optional requirement for a DNS
server. Thus, a Windows NT 4 DNS server with Service Pack 4 or later could be used to
support AD records.
To host AD records, the minimum version of BIND that must be used is version 8.2.2
patch 7. If you use BIND 8, you must configure the check-names setting to Ignore so
that it will load a zone containing underscores in domain names. This setting is not
necessary on BIND 9 servers because they do not restrict the character sets used for domain names.
Both BIND 9 and BIND 8.2.2 are capable of supporting dynamic updates. To allow
domain controllers to dynamically register their DNS data, you can configure the
allow-update setting in the named.conf configuration file on the BIND servers. However, it is
not possible to configure ACLs on individual RRs (as it is when you are using Active
Directory-integrated zones configured for secure updates only).
BIND administrators might be uncomfortable, for security and other reasons, with allowing
dynamic updates in the master zone file that hosts the DNS records currently in use. The
allow-update setting allows you to specify the IP addresses of the servers that can dynamically
update records in the zone. However, IP addresses can be spoofed, so this isn't a very strong
level of security.
NOTE
Secure dynamic updates can be configured for secure zones hosted on BIND
servers by using DNSSEC, as per RFC 3007. However, because many of the standards that govern secure updates and related issues are in the immature stages of
being developed as officially accepted standards, Microsoft chose not to implement the same standards as BIND. (There is currently no single IETF standard for
secure dynamic updates that addresses interoperability of the various mechanisms
for secure updates.) Thus, Windows clients and DNS servers are not able to use
DNSSEC mechanisms to provide secure dynamic updates for zones hosted on BIND
servers.
One way to mitigate the risk of using BIND servers for dynamic updates is to create
subdomains to host the AD DNS data. For example, if the domain name is
mycompany.com, you can create a separate zone called ad.mycompany.com. To create this
zone, you must add a zone statement specifying the zone name and the location of the
zone file to the named.conf file on the BIND server. However, Microsoft Active
Directory-integrated zones still provide a much higher level of security. For this reason, it is
preferable to use Active Directory-integrated zones. BIND administrators can delegate authority
to a subdomain hosted in Active Directory-integrated zones and configure BIND servers as
secondaries to this zone to enhance fault tolerance and availability.
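As an added illustration (not from the book, Microsoft or ISC), the following named.conf fragments contrast the weak allow-update arrangement the preceding paragraphs warn about with the subdomain approach they recommend: the main zone stays static, only the ad.mycompany.com zone accepts updates, and a TSIG key (RFC 2845) protects zone transfers to secondaries. The ACL name, addresses, file names and key secret are placeholders; the two versions of the mycompany.com zone are alternatives, not meant to appear in one file.

```conf
// --- Weak: the production zone itself accepts updates from a list of
// addresses. Anyone who can spoof a listed source address can rewrite
// any record in the zone, and nothing restricts which records they touch.
zone "mycompany.com" {
    type master;
    file "mycompany.com.db";
    allow-update { 192.168.2.10; 192.168.2.11; };   // placeholder DC addresses
};

// --- Stronger: keep mycompany.com static and confine dynamic data to a
// delegated subdomain that only the domain controllers can populate.
acl "domain-controllers" { 192.168.2.10; 192.168.2.11; };   // placeholder

key "xfer-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET";   // generate a real secret per server pair
};

zone "mycompany.com" {
    type master;
    file "mycompany.com.db";           // must contain NS records delegating ad.mycompany.com
    allow-update { none; };            // no dynamic changes to the public data
    allow-transfer { key "xfer-key"; }; // secondaries must sign AXFR/IXFR requests
};

zone "ad.mycompany.com" {
    type master;
    file "ad.mycompany.com.db";
    // Windows domain controllers cannot sign updates to BIND (no GSS-TSIG
    // interoperability), so a source-address ACL is the only filter
    // available here; keep it limited to the domain controllers.
    allow-update { "domain-controllers"; };
    allow-transfer { key "xfer-key"; };
};
```

A compromise of the ad.mycompany.com data is still serious, but it no longer lets a spoofed update replace the public Web or mail records in the parent zone, which is the failure the chapter singles out.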
Split DNS Configuration
Many organizations want to use the same name on their internal network as they do on
their publicly available external network. For example, suppose that a company's name is
mycompany.com and its Web server and e-mail servers located in the DMZ use this
domain name in their FQDN. The company also wants to use this name for its AD domain
on the internal network. This situation creates a number of challenges. Foremost among
these is the security of internal DNS records. It is not desirable to expose internal host names
and IP addresses to external clients, even if these hosts cannot be reached by external clients
because of restrictions on the firewall. Also, it is not a recommended DNS best practice to
include any record in a zone file for a host that is unreachable.
At a minimum, a properly secured DNS configuration requires that the DNS records
for the internal namespace be accessible to internal clients only and not accessible to
external clients. Furthermore, internal clients should be able to resolve queries for external
hosts on the Internet so that e-mail servers are able to send mail to external hosts and users
are able to connect to the Internet. Finally, the bastion hosts (computers that can communicate with both the Internet and the intranet) that are responsible for delivering e-mail to
the internal network should be able to successfully locate and communicate with the
appropriate internal servers through the firewall.
This situation implies the use of a split DNS configuration. A split DNS configuration
requires two sets of name servers for the same namespace. For example, suppose that a set of
DNS servers in the DMZ contains records for the public hosts, such as the A records for the Web
servers, the MX and A records for the mail servers, and the NS and A records for the DNS
servers in the DMZ. Another set of authoritative DNS servers that contains records for
internal hosts is configured in the internal network for the same namespace. The DNS
servers configured on the internal network are not accessible to external clients for name
resolution.
Internal clients should also be able to gain access to the company's publicly available
Web servers. Depending on the configuration of the infrastructure, this can create some
challenges. For example, if the company is using ISA Server as its firewall and making a
Web server in its DMZ available to external clients via Web server publishing rules, internal
clients might not be able to connect to the Web server if the internal DNS uses an
A record for the Web server that points to an external address. Supporting this kind of
configuration requires that the internal DNS servers use A records that point to the internal IP
address of the Web server and not the external IP address that is used to publish the Web
server for external clients. In other words, the A records for the Web server will differ in the
internal and external DNS servers that are authoritative for the zone. Figure 6.16 shows a
possible configuration for a split DNS to allow internal clients to connect to the publicly
available Web server.
Figure 6.16 Split DNS Configuration to Allow Internal Clients to Connect to the Web Server in the DMZ
[Diagram: the external DNS for tacteam.net on the Internet side holds the A record www.tacteam.net = 2.2.2.1; an ISA Server fronts the DMZ (192.168.1.0/24), where www.tacteam.net is 192.168.1.5; the internal DNS for tacteam.net on the internal network (192.168.2.0/24) holds the A record www.tacteam.net = 192.168.1.5.]
NOTE
Supporting a split DNS configuration involves more effort on the part of the DNS
administrator. For example, the DNS administrator might need to manually update
separate DNS servers that are authoritative for the same zone. In addition, the DNS
administrator must ensure that no records for the internal network appear in the
publicly available DNS server.
Interoperability with WINS
In a mixed environment that includes downlevel clients such as Windows NT 4 and
Windows 95, you must continue to support NetBIOS name resolution. The primary
mechanism for supporting NetBIOS name resolution in a segmented network is WINS,
which allows clients on different subnets to register and resolve NetBIOS computer names
on WINS servers. In some situations, it might be necessary for UNIX clients, which do not
support NetBIOS, to connect to Windows NT 4 computers. In order to resolve the
Windows NT 4 computer names, the UNIX hosts must use DNS. However, if the
Windows NT 4 server is configured with a static IP address, it will not be able to dynamically
register its host name and IP address in DNS.
One way to support DNS resolution for NetBIOS computer names is to integrate
WINS with DNS through WINS forward and reverse lookup records.When a DNS zone
is configured with WINS forward or reverse lookup records, it will consult a WINS server
to resolve host names for records that are not present in its zone data.
For example, suppose that a UNIX host needs to send a print job to a Windows NT 4
server named PServer1.tacteam.local. The UNIX host sends a query for
PServer1.tacteam.local to the DNS server authoritative for the tacteam.local zone. The
DNS server does not find a record for PServer1 in its zone data, so it performs a WINS
lookup to the IP address of the server listed in its WINS forward lookup record. After
receiving a reply from the WINS server, it sends the information to the UNIX host. The
DNS server that performs the NetBIOS resolution will keep the record in its cache for a
configurable interval (the default is 15 minutes), so that if it receives a query for the same
name within the interval, it can resolve the name from its cache.
As a result of this integration of WINS and DNS, it is not necessary for the DNS
administrator to manually update the DNS zones with A records for NetBIOS computers
that are incapable of updating DNS data on their own. The configuration of WINS forward
and reverse lookup records is performed on a per-zone basis. To configure WINS lookup
records, go to the forward or reverse lookup zone for which you wish to configure WINS
integration, open the property pages for the zone, and click the WINS tab. Figure 6.17
shows the WINS tab property pages.
Figure 6.17 WINS Tab for a DNS Forward Zone Showing Advanced Configuration Options
There are a few things to note about the configuration shown in Figure 6.17:
■ Two WINS servers are specified to improve fault tolerance in the event that the
first WINS server does not have the record or is unreachable.
■ The check box for Do not replicate this record is selected. The purpose of this
configuration is to prevent the replication of WINS records to BIND secondaries
that might encounter data errors or fail to load the zone if they encounter the
proprietary WINS record in the replicated data.
■ Cache time-out and Lookup time-out values are configured in the
Advanced properties of the WINS tab. The Cache time-out value indicates the
length of time the DNS server will cache WINS records. The Lookup time-out
value indicates the length of time the DNS server will wait for a response from a
WINS server.
The WINS forward record has the following format in the zone file:
@ WINS LOCAL L2 C900 (192.168.100.20 192.168.179.3)
The @ is a kind of shorthand used in DNS zone files to indicate the domain name, also
known as the origin for the domain, in this case tacteam.local. The LOCAL label indicates
that the record should not be sent to secondary servers as part of zone replication. The L2
label refers to the lookup timeout value of two seconds. The C900 label indicates the cache
timeout value of 900 seconds, or 15 minutes. Both of these represent the default values. If
you have a relatively static environment, it can be advantageous to configure a longer cache
timeout value of perhaps an hour or more.
WINS Reverse Lookup Records
Reverse lookup zones are used to resolve IP addresses to host names, rather than host
names to IP addresses, as is the case with forward lookup zones. WINS records are not
indexed by IP address. Therefore, the WINS server cannot do a reverse lookup.
Consequently, in a reverse lookup zone, a WINS-R RR will cause the DNS server to issue
a remote adapter node status query using the nbtstat command to determine the NetBIOS
name associated with an IP address.
Configuring a WINS-R record in a reverse lookup zone is similar to configuring a
WINS record. Figure 6.18 shows the property pages of the WINS-R tab for a reverse
lookup zone.
Figure 6.18 The WINS-R Tab for a DNS Reverse Lookup Zone Showing Advanced Configuration Options
As with WINS forward lookup records, you have the option of preventing the WINS-R
record from replicating to secondary servers. This will prevent problems with BIND
secondaries encountering this record in the zone data.
Note that the values in the WINS-R record are different. Instead of specifying the IP
address of a WINS server, you specify the domain name that should be appended to the
reverse lookup query response. Also, in the Advanced property page, you can check a box
to Submit DNS domain as NetBIOS scope. This option should be used only if you are
using NetBIOS scopes on a subnet. When this option is selected, DNS uses the host name
as a NetBIOS computer name to query the remote adapter node status, but submits the
domain name as a NetBIOS scope identifier.
NOTE
NetBIOS scopes are used in certain, rare circumstances when it is necessary to isolate legacy computers from communicating with other groups of computers on the
same subnet.
A WINS-R RR has a similar format to a WINS forward record in the zone data file:
@ WINSR LOCAL L2 C900 (tacteam.local. )
The @ indicates the origin of the domain, in this case the 100.168.192.in-addr.arpa
reverse lookup domain. The tacteam.local. value is the domain name that will be appended
to the host name.
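As an added example (not from the book or from Windows DNS itself), the following Python parser reads the WINS and WINS-R zone file lines shown in this section and in the WINS forward record section above, applies the chapter's L2/C900 defaults when a flag is omitted, and flags a record that lacks LOCAL and would therefore replicate to BIND secondaries. The tokenising rules and function names are my own assumptions derived only from the two sample lines; the additional record lines are constructed.

```python
import ipaddress
import re

# Chapter defaults: L2 = two-second lookup timeout, C900 = 900-second cache.
DEFAULT_LOOKUP_TIMEOUT = 2
DEFAULT_CACHE_TIMEOUT = 900

# owner  WINS|WINSR  [LOCAL] [Ln] [Cn]  ( values )
_RECORD = re.compile(r"^\s*(\S+)\s+(WINS|WINSR)\s+([^(]*)\(([^)]*)\)\s*$",
                     re.IGNORECASE)


def parse_wins_record(line):
    """Parse one WINS or WINS-R line from a Windows DNS zone file into a dict."""
    m = _RECORD.match(line)
    if not m:
        raise ValueError("not a WINS/WINSR record: %r" % line)
    owner, rtype, flags, values = m.groups()
    rec = {
        "owner": owner,
        "type": rtype.upper(),
        "local": False,                     # LOCAL = do not replicate
        "lookup_timeout": DEFAULT_LOOKUP_TIMEOUT,
        "cache_timeout": DEFAULT_CACHE_TIMEOUT,
    }
    for tok in flags.split():
        t = tok.upper()
        if t == "LOCAL":
            rec["local"] = True
        elif t[0] == "L" and t[1:].isdigit():
            rec["lookup_timeout"] = int(t[1:])      # seconds to wait for WINS
        elif t[0] == "C" and t[1:].isdigit():
            rec["cache_timeout"] = int(t[1:])       # seconds to cache the answer
        else:
            raise ValueError("unknown flag %r in %r" % (tok, line))
    args = values.split()
    if rec["type"] == "WINS":
        # Forward lookup: one or more WINS servers, consulted in order.
        if not args:
            raise ValueError("WINS record needs at least one server address")
        rec["wins_servers"] = [str(ipaddress.IPv4Address(a)) for a in args]
    else:
        # Reverse lookup: the DNS domain appended to the NetBIOS name that the
        # node status query returns.
        if len(args) != 1:
            raise ValueError("WINSR record takes exactly one result domain")
        rec["result_domain"] = args[0]
    return rec


def replication_warning(rec):
    """Return a warning if the record would be sent to secondaries, where a
    non-Microsoft server such as BIND may reject it or fail to load the zone."""
    if rec["local"]:
        return None
    return ("%s record at %s lacks LOCAL and will replicate to secondaries; "
            "select 'Do not replicate this record' or move it to a WINS referral zone"
            % (rec["type"], rec["owner"]))


if __name__ == "__main__":
    # Constructed sample lines: the two from the chapter plus one without LOCAL.
    for line in ("@ WINS LOCAL L2 C900 (192.168.100.20 192.168.179.3)",
                 "@ WINSR LOCAL L2 C900 (tacteam.local. )",
                 "@ WINS L5 C3600 (10.0.0.1)"):
        rec = parse_wins_record(line)
        print(rec, replication_warning(rec))
```

The parser is strict about the value list so that a WINS-R record accidentally given a server address, or a WINS record given a domain name, is rejected rather than silently misread.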
WINS Referral Zones
In a mixed DNS infrastructure where you are not replicating WINS RRs to secondaries, clients will get varying answers to queries if they query a secondary zone for a WINS record. To get around this problem and to provide a means of organizing and distinguishing between WINS and DNS records, you should configure a WINS referral zone. A WINS referral zone is a delegated child subdomain of the parent domain. The WINS child domain contains only the SOA for the child domain and the WINS RRs. For example, if the parent domain is tacteam.local, you would configure a child domain named something like wins.tacteam.local. If you have a large network with multiple WINS servers for different locations, you could use multiple child domains, such as dallas.tacteam.local and edmonton.tacteam.local. However, in order for this configuration to work in your environment, you need to populate the DNS suffix search list on your DNS clients so that they will append the domain name of the WINS referral zone to unqualified queries (queries that do not use the FQDN). Figure 6.19 shows a possible configuration of a DNS client to support WINS referral zones.
Figure 6.19 DNS Client Suffix Search List Configured to Support WINS Referral Zones
You should note that this configuration overrides the default configuration, which is to Append primary and connection specific suffixes and Append parent suffixes of the primary DNS suffix. The default configuration allows a client to send a query for an unqualified host name based on the suffix configured for it in the properties of My Computer and to devolve the domain name to the suffix of the parent domain. For example, if the client FQDN is host1.dev.research.tacteam.local, and it issues a recursive query to resolve the name PServer1 to an IP address, it will first append dev.tacteam.local
to the name query. If the query fails, it will subsequently devolve the suffix to the parent
domain and append tacteam.local to the name query.
Overriding the default settings for the DNS suffix search list increases administrative effort. However, you can reduce the administration of DNS client settings by using Group Policy settings to supply the clients with a DNS suffix search list. You cannot use DHCP options to specify a custom DNS suffix search list because Option 015 (DNS Domain name), which is used to specify the DNS domain name to append to unqualified queries, allows only one value. If you are implementing a custom DNS suffix search list, you should keep this list as small as possible to reduce DNS traffic on your network.
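The suffix-appending behaviour described above, as an added example that is not code from the book: a small Python model of which FQDNs a DNS client tries for an unqualified name, first under default devolution and then under a custom suffix search list. The two-label stopping point for devolution, the bare-name-first rule for dotted names, and the wins.tacteam.local search list entry are assumptions, not statements from the text.

```python
"""Which FQDNs a DNS client tries for an unqualified name (added example).

Models the two client behaviours the text contrasts: the default of appending
the primary DNS suffix and devolving it to each parent suffix, versus an
explicit DNS suffix search list (for instance one that includes a WINS
referral zone).  Assumptions, not taken from the book: devolution stops at the
second-level domain, so the TLD alone is never tried, and a name that already
contains a dot is tried as given before any suffix is appended.
"""
from typing import List, Optional


def devolved_suffixes(primary_suffix: str) -> List[str]:
    """Primary suffix followed by each parent suffix, longest first.

    'dev.research.tacteam.local' -> ['dev.research.tacteam.local',
                                     'research.tacteam.local', 'tacteam.local']
    """
    labels = [lab for lab in primary_suffix.strip(".").split(".") if lab]
    out: List[str] = []
    while len(labels) >= 2:   # assumed stopping point: keep at least two labels
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def query_candidates(name: str, primary_suffix: str,
                     search_list: Optional[List[str]] = None) -> List[str]:
    """Return the FQDNs a resolver would try, in order, for `name`.

    A trailing dot marks a fully qualified name: it is used as-is.
    A configured search list replaces devolution entirely, which is why the
    text warns that a long list means more queries on the wire.
    """
    if name.endswith("."):
        return [name.rstrip(".")]
    suffixes = list(search_list) if search_list else devolved_suffixes(primary_suffix)
    # Multi-label names are tried bare before any suffix is appended (assumption).
    candidates = [name] if "." in name else []
    candidates += [f"{name}.{s.strip('.')}" for s in suffixes]
    return candidates


if __name__ == "__main__":
    # Constructed scenario from the text: client host1.dev.research.tacteam.local
    # resolving PServer1, with defaults and then with a search list that adds a
    # WINS referral zone (the referral zone name is constructed).
    primary = "dev.research.tacteam.local"
    for fqdn in query_candidates("PServer1", primary):
        print("default   :", fqdn)
    for fqdn in query_candidates("PServer1", primary, ["tacteam.local", "wins.tacteam.local"]):
        print("searchlist:", fqdn)
```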
DNS Security Issues
EXAM 70-293 OBJECTIVE 2.7.4
Security should always be a primary consideration in the deployment of any network service. This is also true of the implementation of a DNS infrastructure. DNS is an open standard that is used throughout the Internet. Over the years, a number of exploits have appeared that can compromise an unsecured DNS infrastructure. When DNS is compromised, hackers can learn information about your internal network that they can subsequently use to launch other attacks. Furthermore, if a DNS server is vulnerable to DoS attacks, hackers can prevent name resolution from occurring for critical servers such as your Web and mail servers. Finally, an unsecured DNS server can be compromised with the addition of false records that redirect traffic to bogus Web and mail servers.
Security measures that you can take to mitigate risk to your DNS infrastructure include those available to standard DNS implementations, such as disabling recursion on Internet-facing servers, as well as those available to Windows Server 2003 DNS only, such as using Active Directory-integrated zones for zone transfers and secure dynamic updates.
As with developing any security policy, it is important to understand the nature and
likelihood of the threats involved to determine the cost to the organization if a particular
threat is realized, and then compare this cost with that of implementing countermeasures to
mitigate the risk to the organization. Certain trade-offs need to be considered. For example,
to completely secure your DNS infrastructure from attacks launched from the Internet, the
only completely reliable countermeasure is to not have an Internet connection. Obviously,
many organizations could not survive without Internet access, so this particular countermeasure is not appropriate.
In the next section, we will take a look at common threats to a DNS infrastructure.
Then we will review the standard and Windows-specific countermeasures you can take to
mitigate the risk from these threats.
Common DNS Threats
An unsecured DNS infrastructure is vulnerable to a number of common threats. These include footprinting, redirection, and DoS attacks. These threats are described in the following sections.
Footprinting
Footprinting is the process whereby attackers gain information about your internal DNS
RRs and are subsequently able to use this information to infer the identity and purpose of
servers on your internal network. Attackers can use this information in a variety of ways to
compromise the organization. For example, an attacker can use this information to launch
data modification attacks using spoofed IP addresses to compromise critical servers and data on
the internal network. Another possibility is that, because host names are often informative,
the attacker could use this information to infer confidential information about the internal
operations of the company, such as products that are under development.
Footprinting often occurs when zone transfers are not secured and the attacker is able to perform a name dump from authoritative servers using the nslookup command with the ls option or the dig command with the axfr option; both of these commands initiate a zone transfer from the target domain.
To mitigate the risk from footprinting, it is important to ensure that zone transfers are secured. At the very least, zone transfers should be allowed to only a predetermined list of IP addresses that can be configured in the properties of the primary zone on the DNS server, as shown in Figure 6.20. You should also remember to secure your secondary name servers from unauthorized zone transfers, not just your primary server. Keep in mind that a secondary name server can also transfer zone information. However, even this configuration is vulnerable. For maximum security of zone transfers, you should ensure that zone transfers occur only within Active Directory-integrated zones. If you must transfer zone information over the Internet, you should also consider the use of VPN tunnels or IPSec to secure this traffic.
Figure 6.20 Configuring a Primary Zone with a List of Secondaries Authorized to Do Zone Transfers
Redirection
A redirection attack occurs when an attacker is able to modify DNS records to redirect Web server or other traffic to servers under the attacker’s control. This attack occurs when an attacker is able to write information to the zone file. For example, this might happen if dynamic updates are enabled on a zone that is located on an Internet-facing DNS server. For this reason, it is always prudent to disable dynamic updates on zone files that are accessible to clients on the Internet.
Another common cause of redirection attacks is cache pollution (also called cache poisoning). Cache pollution can occur when a DNS server queries another DNS server and receives a reply from the queried DNS server that contains records outside the domain namespace in the original query. Unless countermeasures are taken, the DNS server will store this referral information in its cache, even though it did not originally request the information. For example, suppose that your DNS server issues a query for the MX record in the sampledomain.com domain. The DNS server that is authoritative for sampledomain.com responds with the MX record, but it also replies with a bogus record for a.root-servers.net, listing its own IP address for the A record. Your DNS server now has a bogus record for a root-level DNS server in its cache.
DNS servers are vulnerable to cache pollution if an answer to a DNS query can be falsified. The consequences of cache pollution can be severe. Imagine what might happen if the poisoned cache of a DNS server redirected users to a bogus Web site that contained malicious code designed to install Trojan horse programs on client computers.
When cache pollution protection is enabled, the DNS server will discard from its cache the records it receives in response to queries if those responses contain information unrelated to the domain subtree of the requested resource. In our example, if protection against cache pollution is enabled, the DNS server will cache the MX record for the mail server in sampledomain.com, but will not cache the record for a.root-servers.net, since it is not part of the queried domain subtree. Cache pollution protection is a DNS server-wide setting (Secure cache against pollution) and is enabled by default on Windows Server 2003 DNS servers (see Figure 6.15 earlier in this chapter).
Another way to mitigate the risk of cache pollution is to disable recursion on the DNS server. An attacker can use recursion to query the DNS server for resources in the attacker’s domain. The recursive name server is then forced to query DNS servers in the attacker’s domain, which might attempt to pollute the cache of the recursive server.
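The subtree test behind cache pollution protection, as an added example that is not Microsoft’s DNS code: a Python filter that keeps only records whose owner name lies inside the queried domain, applied to the sampledomain.com / a.root-servers.net case above. The (owner, type, rdata) tuples, the addresses, and the cache dictionary are constructed for illustration, not the DNS wire format.

```python
"""Cache pollution protection as a bailiwick check (added example).

Models the "Secure cache against pollution" behaviour the text describes:
a record returned in a response is cached only if its owner name is the
queried name or lies under it.  Anything outside that subtree, such as a bogus
A record for a.root-servers.net riding along with an MX answer for
sampledomain.com, is discarded instead of cached.  The record tuples and
addresses below are constructed, not the DNS wire format.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner name, RR type, rdata)


def _labels(name: str) -> List[str]:
    """Lower-cased labels of a name: 'Mail.Example.com.' -> ['mail', 'example', 'com']."""
    return [lab.lower() for lab in name.strip(".").split(".") if lab]


def in_bailiwick(owner: str, queried: str) -> bool:
    """True when `owner` equals `queried` or is a descendant of it.

    The comparison is label-wise, so 'evilsampledomain.com' is NOT inside
    'sampledomain.com' even though it ends with the same characters.
    """
    o, q = _labels(owner), _labels(queried)
    return len(o) >= len(q) and o[len(o) - len(q):] == q


def filter_response(queried: str, records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split a response into (cacheable, discarded) record lists."""
    keep: List[Record] = []
    drop: List[Record] = []
    for rec in records:
        (keep if in_bailiwick(rec[0], queried) else drop).append(rec)
    return keep, drop


def cache_response(cache: Dict[Tuple[str, str], List[str]], queried: str,
                   records: List[Record], protect: bool = True) -> List[Record]:
    """Store a response in `cache`, applying the bailiwick filter when `protect` is set.

    Returns the records that were discarded.  With protect=False (the
    low-security setting the text warns against) nothing is discarded and the
    bogus root-server record lands in the cache.
    """
    keep, drop = filter_response(queried, records) if protect else (list(records), [])
    for owner, rtype, rdata in keep:
        cache.setdefault((".".join(_labels(owner)), rtype), []).append(rdata)
    return drop


if __name__ == "__main__":
    # Constructed response to "MX sampledomain.com" carrying one poisoned record.
    response = [
        ("sampledomain.com", "MX", "10 mail.sampledomain.com"),
        ("mail.sampledomain.com", "A", "203.0.113.25"),
        ("a.root-servers.net", "A", "203.0.113.66"),   # bogus: outside the queried subtree
    ]
    cache: Dict[Tuple[str, str], List[str]] = {}
    for rec in cache_response(cache, "sampledomain.com", response):
        print("discarded:", rec)
    print("cached:", cache)
```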
DoS Attacks
A DoS attack occurs when a DNS server is deliberately flooded with traffic to the extent that it cannot respond to legitimate requests. DoS attacks on a DNS server can be in-band on UDP and TCP port 53 (the ports used for DNS queries and zone transfers), or they can be out-of-band. In the case of an in-band attack, DNS servers are flooded with recursive queries to the extent that they become unable to handle legitimate queries, or the DNS service is subjected to a buffer overflow attack specific to the DNS service. In an out-of-band DoS attack, the DNS server is the victim of an attack that is not specific to the DNS service, such as buffer overflow, SYN, and Smurf attacks. When a DoS attack occurs on a DNS server, mail servers and Web servers become unavailable as well because the host names for these servers cannot be resolved to IP addresses.
One approach to mitigate the risk of DoS attacks against your DNS server is to eliminate single points of failure by having multiple DNS servers that are located on separate
subnets served by separate routers. Also, you can arrange to have secondary servers hosted
offsite by a third party, such as your ISP.
NOTE
Recently, Microsoft’s own DNS servers were the victims of a DoS attack that made
a number of Microsoft Web sites inaccessible. The reason that Microsoft’s DNS
servers were vulnerable is that all of them were placed in the same physical location behind a single router, hence exposing a single point of failure.
To provide further protection against in-band DoS attacks, you can disable recursion on Internet-facing DNS servers. Recursive queries take a relatively long time to process, making a DNS server that performs recursion vulnerable to a DoS attack that involves sending a large number of recursive queries to the DNS server. When you disable recursion on a DNS server, it will not respond to recursive queries issued by DNS clients. DNS clients will not be able to use this server to resolve names on the Internet. However, the DNS server will still respond to iterative queries issued by other DNS servers. This means that it will respond to queries for resources in zones for which it is authoritative.
Recursion is a server-wide DNS setting and is enabled by default. (You can also disable recursion for forwarding servers on a per-domain basis.) If you disable recursion for the entire DNS server, you will not be able to use that DNS server as a forwarder. You can see the Disable recursion (also disables forwarders) option in Figure 6.15, shown earlier in the chapter. On internal DNS servers, it is often not desirable to disable recursion. In this case, these DNS servers need to be protected by firewall access rules that prevent their use by DNS clients on the Internet.
To provide further protection against both in-band and out-of-band DoS attacks, it is
important to ensure that you apply the latest service packs and harden the servers as much
as possible. In addition, your firewall access rules and packet filtering should be configured
to prevent any external traffic that is not related to the DNS service from reaching the
DNS server. For example, a firewall that is in front of a DNS server in a DMZ should allow
traffic to reach the DNS server only on TCP and UDP port 53.
Securing DNS Deployment
In the preceding section, we identified some of the common threats to the DNS infrastructure and provided a number of countermeasures such as securing zone transfers, disabling recursion, and enabling protection against cache pollution. However, securing a DNS infrastructure requires more than just fine-tuning settings of the individual DNS servers.
Securing the DNS infrastructure starts with the design and implementation of your
DNS namespace, and continues with the implementation and configuration of the DNS
servers themselves, along with the implementation and configuration of firewalls, routers,
and other network devices that can serve to protect individual servers and the network
itself. It is possible, for example, to use a private root zone on your intranet and tightly control DNS query access to the Internet. Using a private root in combination with a DNS
security policy that restricts DNS queries to the Internet can result in enhanced security
for your organization.
DNS Security Levels
To assist in the secure deployment of a DNS infrastructure, Microsoft has published
guidelines on its Web site and within the Windows Server 2003 help files that categorize
three basic levels of DNS security: low level, medium level, and high level. In the following
sections, we will discuss each level in more detail. In considering these models, you should
assume that they represent a set of ideal guidelines for the purposes of conceptualization
and example. Many organizations do not want to slavishly abide by the models in their
purest form.
Low-level DNS Security
The low level of DNS security is precisely that: low. In fact, some of the default security configurations of DNS are removed entirely. The effective security is none at all. As the Windows Server 2003 help files state, this kind of configuration should be used only when there is no concern for the integrity of your DNS data or there is no threat that the DNS data on a private network is accessible from the Internet. The characteristics of low-level security are as follows:
■ The DNS infrastructure is fully exposed to the Internet.
■ All the DNS servers in your network use standard DNS resolution.
■ All DNS servers are capable of performing queries to the Internet using root hints that point to the root servers for the Internet.
■ Zone transfers are allowed to any server, which represents a removal of the default setting to allow zone transfers only to servers listed in the Name Servers tab.
■ The default setting to prevent cache pollution is disabled on the DNS server.
■ Multihomed DNS servers (servers with multiple IP addresses) are configured to listen for DNS queries on all configured interfaces.
■ All zones are configured to accept dynamic updates from DNS clients.
■ UDP and TCP port 53 are open on the firewall for both the source and destination address (that is, the firewall allows any DNS traffic to traverse your firewall, regardless of whether it is initiated by an external or an internal host).
Some organizations may have such a deployment; however, it would be extremely unwise to deploy something like this yourself. Turning off cache pollution protection, in particular, exposes your DNS infrastructure to an unacceptable level of risk, relative to the cost of leaving the default configuration enabled.
Medium-level DNS Security
The medium level of DNS security takes advantage of the countermeasures that are available in a DNS infrastructure where zone data is stored in standard primary or secondary zone files. The security features available through Active Directory-integrated zones are not employed here. The characteristics of medium-level security are as follows:
■ Exposure of your DNS infrastructure to the Internet is minimized.
■ Internal DNS servers are configured to use a limited list of forwarders when they cannot resolve names locally.
■ The default configuration to limit zone transfers to DNS servers listed on the Name Servers tab is left in place.
■ In the case of multihomed DNS servers, the DNS servers are configured to listen on only specified IP addresses.
■ The default setting to prevent cache pollution is left in place.
■ No dynamic updates are allowed on any zones.
■ The firewall is configured to limit the traffic traversing the firewall to a limited set of source and destination addresses. Only the external DNS servers under your control are allowed to communicate with internal DNS servers.
■ Only the external DNS servers in front of your firewall are configured with root hints to perform recursion.
■ All name resolution required by a host on your internal network is performed by proxy servers or gateways.
This represents a more reasonable and prudent approach to mitigating risk to the DNS
infrastructure than is offered by the low level, with a low cost of implementation relative to
the advantages gained.
High-level DNS Security
A high-level security policy starts with the medium-level security policy and further enhances security by leveraging the security available with Active Directory-integrated zones. Furthermore, the high-level security policy assumes that there is no DNS communication with the Internet. This is an unlikely configuration, but something like it might be implemented by organizations that have strict security requirements and deem the risk of connectivity to the Internet to be too great. The characteristics of a high-level security policy are as follows:
■ No DNS communication is allowed between the Internet and internal DNS servers.
■ The internal DNS infrastructure deploys a private, internal root namespace and is authoritative for all zones.
■ The root hints file on all DNS servers points to only the IP addresses of the internal DNS servers that are authoritative for the private root zone.
■ Zone transfers are limited to specific IP addresses, rather than just servers listed on the Name Servers tab.
■ DNS servers are configured to listen on specific IP addresses.
■ All DNS servers run on domain controllers, with discretionary access control lists (DACLs) configured to allow only specific authorized individuals to perform administrative tasks on the DNS servers.
■ All DNS zones are configured as Active Directory-integrated zones, with DACLs configured to allow only specific authorized individuals to create, modify, or delete DNS zones.
■ All RRs stored in Active Directory-integrated zones have DACLs to allow only specific individuals to create, delete, or modify zone data.
■ No dynamic updates are allowed on the root and top-level domains.
■ Only secure dynamic updates are allowed on the child domains.
For many organizations, none of these models will be adequate. The cost, for example, of not allowing DNS communication with the Internet, and the expense of connectivity, might be too great. The reality is that many organizations will want to develop and deploy a DNS security model that is a hybrid of the medium-level and high-level security models.
General DNS Security Guidelines
In planning for the security of your DNS infrastructure, you will want to take into account
the design of your DNS namespace, the number and type of DNS servers and zones you
plan to deploy, and whether the DNS servers will be serving internal or external clients.
You will also want to take into account the security already present or needed in your current infrastructure, such as the location, type, and configuration of firewalls that protect your
network.
In most cases, it is desirable to maintain a set of DNS servers that serve the internal network only and a separate set of external DNS servers that allow DNS clients on the Internet to be able to resolve the names for your Web, mail, and other publicly available servers. Each set of DNS servers would have different security configurations, depending on their role. Furthermore, it is desirable to further enhance security of these two sets of DNS servers by maintaining either a split DNS configuration if you choose to use the same namespace for the intranet and Internet, or a split DNS namespace for the intranet and Internet. If your internal namespace includes a private root zone, you can further enhance the security of the DNS infrastructure.
Security Guidelines for an External DNS Infrastructure
Integrity and availability of DNS data are primary considerations for an external DNS
infrastructure, and your design should be informed by these considerations:
■ Place all DNS servers in a DMZ or a perimeter network to ensure that access rules and packet filtering on firewalls and routers tightly control source and destination addresses and ports. If possible, configure single-purpose DNS servers and allow traffic on only UDP and TCP port 53 to reach these servers from the Internet.
■ Uninstall all unnecessary services from these servers, install current service packs, and harden the servers as much as possible.
■ Eliminate single points of failure by hosting DNS servers on different subnets served by different routers. Consider hosting a secondary server at your ISP, for example. This will help mitigate the risk of DoS attacks.
■ Consider using a stealth primary server to update read-only secondary servers that are registered with ICANN.
■ Allow zone transfers to only a specific set of IP addresses and consider using IPSec or VPN tunnels to enhance the security of zone transfer traffic.
■ Do not enable dynamic updates on Internet-facing DNS servers.
■ Enable protection against cache pollution on Internet-facing DNS servers.
■ Disable recursion on Internet-facing servers.
■ Regularly monitor DNS logs and Event Viewer.
Security Guidelines for an Internal DNS Infrastructure
Confidentiality, integrity, and availability of DNS data are primary considerations for an internal DNS infrastructure. The following are security guidelines to consider:
■ Consider using a separate, internal namespace to enhance security.
■ Do not allow external access from the Internet to your internal DNS servers.
■ Consider using a proxy server or a gateway to manage Internet DNS requests for internal clients.
■ Use Active Directory-integrated zones and allow only secure updates to these zones.
■ Specify and limit the servers that are able to receive zone transfers.
■ Eliminate single points of failure and consider how internal DNS clients will resolve names in the event that the primary DNS server in their TCP/IP configuration fails.
■ Consider that delegating authority of child domains can involve a security tradeoff if different administrators are responsible for the authoritative DNS servers.
Configuring & Implementing...
DNS Ports
For configuring firewall access rules, keep in mind that DNS uses both TCP port 53
and UDP port 53 for DNS communications. UDP is generally used for normal query
traffic, whereas TCP is used for zone transfers. However, if the DNS server cannot
deliver a response to the query using UDP because the response is too large, it will
ask the resolver to switch to TCP port 53. This should occur only rarely (or never) if
the DNS records are properly configured. The most common cause is an excessive
and improper use of records used for round-robin name resolution or an excessive
number of name server records.
You can use EDNS0 (discussed earlier in this chapter) to increase the default
size for UDP packets. However, you would want to do this on your internal network,
not the Internet. If you want to load-balance your Internet Web servers, you might
want to consider using NLB or a third-party product such as BigIP from F5. In any
event, it should be safe to block inbound traffic on TCP port 25 to prevent zone
transfers from all but authorized DNS servers.
Monitoring DNS Servers
An important task in maintaining a DNS environment is monitoring the DNS servers to ensure that they are resolving names and IP addresses properly, and to ensure that they have sufficient resources to handle their workload. Windows Server 2003 and the Windows Server 2003 DNS service provide a number of tools for monitoring DNS servers. These tools include the Monitoring tab on the DNS console, DNS debug logging, DNS event logging, and DNS Performance Monitor counters, as well as command-line tools such as NSLookup.exe, Dnscmd.exe, and DNSLint.exe. In this section, we will briefly cover the use of these tools to monitor a DNS server environment.
Testing DNS Server Configuration with the DNS Console Monitoring Tab
The DNS console provides a simple but effective tool for ensuring that the DNS service is working properly. To use this tool, click the Monitoring tab of the properties for the DNS server, as shown in Figure 6.21.
Figure 6.21 Performing Simple and Recursive Queries Using the Monitoring Tab of the DNS Server Properties
The Monitoring tab allows you to perform a simple and a recursive query test to
ensure proper operation. A simple query test uses the DNS client installed on the DNS
server to send a local query to the DNS server. A recursive query test uses the local DNS
client as well. However, in this case, the DNS client requests that the DNS service use
recursion to resolve an NS-type query for the root zone. Failure of this test usually indicates a problem with network connectivity or incorrectly configured root hints. (In the
example in Figure 6.21, the recursive query test failed because the network adapter was
unplugged before the test was run, and the DNS server could not connect to the servers
listed in the root hints file.) When a DNS server fails one of these tests, a warning symbol is
displayed on the DNS server in the DNS console. Note that you can set up automatic
simple and recursive query testing in the Monitoring tab. It is a good practice to use these
tests after you have set up a DNS server or have made a configuration change on a current
DNS server.
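The recursive query test described above, as an added example that is not part of the book or of the DNS console: Python that builds the root NS query with recursion desired and reads a response header the way an operator would interpret the test result (success, SERVFAIL from bad root hints or no connectivity, recursion unavailable when it has been disabled, or a truncated reply that must be retried over TCP). The response headers used in the test are constructed, not captured.

```python
"""The Monitoring tab's recursive query test, modelled in Python (added example).

build_query() produces the same kind of packet the test sends: an NS query for
the root zone "." with the RD (recursion desired) bit set.  classify_response()
reads only the 12-byte header of the reply, which is enough to tell success from
the failure modes the text discusses.  run_recursive_test() actually sends the
query and needs a network; it is not exercised offline.
"""
import os
import socket
import struct

QTYPE_NS = 2
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte ('.' -> b'\\x00')."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txn_id: int, name: str, qtype: int, recursion_desired: bool) -> bytes:
    """Header (id, flags, qdcount=1, an/ns/ar=0) followed by one question."""
    flags = 0x0100 if recursion_desired else 0x0000   # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def classify_response(packet: bytes, expected_id: int) -> str:
    """Interpret a reply header; returns 'ok' or a short reason for failure."""
    if len(packet) < 12:
        return "malformed"
    txn_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if txn_id != expected_id:
        return "id-mismatch"               # not the reply to our query: ignore it
    if not flags & 0x8000:
        return "not-a-response"            # QR bit clear
    rcode = flags & 0x000F
    if rcode != 0:
        return RCODES.get(rcode, f"rcode-{rcode}")   # e.g. SERVFAIL: root hints unreachable
    if flags & 0x0200:
        return "truncated"                 # TC bit: resolver must retry over TCP port 53
    if not flags & 0x0080:
        return "recursion-unavailable"     # RA bit clear: recursion is disabled on the server
    return "ok" if an > 0 else "empty"


def run_recursive_test(server: str, timeout: float = 3.0) -> str:
    """Send the root NS query to `server` on UDP 53 and classify the reply (needs a network)."""
    txn = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(txn, ".", QTYPE_NS, True), (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data, txn)


if __name__ == "__main__":
    print("query:", build_query(0x1234, ".", QTYPE_NS, True).hex())
    # Constructed reply headers: a healthy server, then one with recursion disabled.
    print(classify_response(bytes.fromhex("1234 8180 0001 000d 0000 0000"), 0x1234))
    print(classify_response(bytes.fromhex("1234 8100 0001 0000 0000 0000"), 0x1234))
```

Point run_recursive_test() at a server's IP address to reproduce the console's recursive test from a script; a server with Disable recursion set reports "recursion-unavailable" even though it still answers for its own zones.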
Debug Logging
If you need to analyze and monitor the DNS server performance in greater detail, you can
use the optional debug tool that you can enable in the Debug Logging tab of the DNS
server property pages. Because debug logging consumes significant resources, it is not
enabled by default and should be enabled only on a temporary basis, such as when you’re
trying to troubleshoot a problem with DNS. Figure 6.22 shows the configurable properties
for DNS debug logging.
Figure 6.22 Debug Logging Properties
As you can see in Figure 6.22, you have