Network Operating Systems


Early network operating systems provided just the basics in terms of network services, such as file and printer sharing. Today's network operating systems offer a far broader range of network services; some of these services are used in almost every network environment, and others are used in only a few.

Despite the complexity of operating systems, the basic function and purpose of a network operating system is straightforward: to provide services to the network. The following are some of the most common of these services:

  • Authentication services

  • File and print services

  • Web server services

  • Firewall and proxy services

  • Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) services

These are just a few of a large number of services that a network operating system can provide.

The following sections discuss the major operating systems currently in use and how each of them deals with basic services such as authentication, security, and file and print services.

Linux/UNIX

Providing a summary of Linux in a few paragraphs is a difficult task. Unlike other operating systems, each of which has only a single variation, Linux is a freely distributable open source operating system that has many variants called distributions. Each of these distributions offers a slightly different approach to certain aspects of the operating system, such as installation and management utilities. Some of the most common Linux distributions include Red Hat, SuSE, Debian, and Caldera. In light of the many versions of Linux, if a command or an approach is listed in this section and is not available in the version of Linux you are using, you can look for an equivalent command or approach in your version, and you will very likely find one.

Linux Authentication

People who are used to working on a Windows-based system will no doubt discover that administration on a Linux system is very different. For instance, authentication information such as a list of users is kept in a text file. This file, /etc/passwd, controls who can and cannot log on to the system.

For a user to log on to the system, a valid username and password combination must be supplied. Both of these pieces of information are case sensitive.
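To show what "authentication information kept in a text file" looks like in practice, here is an added example (not from the book) that parses the seven-field /etc/passwd format and flags the entries an administrator would want to review before trusting the list of who can log on; the sample file contents are constructed.

```python
"""Audit a /etc/passwd-style file for entries that affect who can log on.

Added example, not from the book. SAMPLE_PASSWD is constructed for the demo;
on a real host you would read /etc/passwd instead.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample in the seven-field /etc/passwd layout:
# name:password:UID:GID:comment:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
backup::1001:1001:Backup job:/home/backup:/bin/sh
toor:x:0:0:second UID 0 account:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Shells that refuse an interactive login; accounts using them are service accounts.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class PasswdEntry:
    name: str
    password: str  # "x" means the hash is in /etc/shadow; "" means no password is set
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Parse the colon-separated /etc/passwd format, one entry per line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, found {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, password, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(entries: List[PasswdEntry]) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for settings an administrator should review."""
    findings = []
    seen = set()
    for e in entries:
        if e.password == "":
            findings.append((e.name, "empty password field; the account may log on without a password"))
        if e.uid == 0 and e.name != "root":
            findings.append((e.name, "UID 0 account other than root"))
        if e.name in seen:
            findings.append((e.name, "duplicate username"))
        seen.add(e.name)
    return findings


def interactive_accounts(entries: List[PasswdEntry]) -> List[str]:
    """Usernames whose shell permits an interactive logon."""
    return [e.name for e in entries if e.shell not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    parsed = parse_passwd(SAMPLE_PASSWD)
    print("interactive accounts:", ", ".join(interactive_accounts(parsed)))
    for user, finding in audit_passwd(parsed):
        print(f"{user}: {finding}")
```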

Linux File and Print Services

Although it is not the most obvious choice for a file and print server platform, Linux can perform the role of a file and print server admirably. In a base configuration, the volumes on a Linux server are not available to network clients. To make them available, one of two file sharing services is commonly used:

  • NFS NFS is the original file-sharing system used with Linux. NFS makes it possible for areas of the hard disk on a Linux system to be shared with other clients on the network. Once the share has been established from the client side, the fact that the drive is on another system is transparent to the user.

  • Samba Samba provides Server Message Block functionality so that areas of the Linux server disks can be made available to Windows clients. In much the same way as on Windows servers, Samba facilitates the sharing of folders that can then be accessed by Windows client computers. Samba also makes it possible for Linux printer resources to be shared with Windows clients.

As with the other network operating systems discussed in this chapter, Linux has a file system permission structure that makes it possible to restrict access to files or directories. In Linux, each file or directory can be assigned a very basic set of file rights that dictates the actions that can be performed on the file. The basic rights are Read, Write, and Execute. The rights can be expressed in an alphabetic format (that is, RWX) or a numeric format (777). The rights to a file can be derived from the file ownership, from a group object, or from an "everyone" designator, which covers all users who are authenticated on the server. The Linux file permission structure might not be as sophisticated as those found in other network operating systems, but it is still more than sufficient in many environments.

Printing on a Linux system occurs through a service called the Line Printer daemon. The Line Printer functionality can be accessed by any user on the network who is properly authorized and connected. In later versions of Linux, some distributions have started to provide a more enhanced printing system called the Common UNIX Printing System (CUPS). Many people, however, still prefer to use the traditional Line Printer system because of its simplicity and efficiency.

Linux Application Support

If you can think of an application that you might need, chances are that it is available for Linux in some form. As well as highly sophisticated commercial applications produced by large software companies, you can find software for the Linux platform that is written by an equally enthusiastic army of small software development companies and individuals. This means that application support for Linux is on par with, if not greater than, that in other network operating systems, such as NetWare, even if it has not yet reached the levels achieved by Windows server platforms.

In a sense, all applications created for Linux are third-party applications in that Linux itself is only an operating system kernel. The applications that run on this kernel provide Linux with its functionality.

On the assumption that a network server will have a number of requirements, it is common practice for the Linux kernel to be bundled with various applications and provided to customers as a package, which, as discussed earlier, is called a distribution.

One aspect in which Linux certainly has the edge over other operating systems is that many Linux applications are free. Developed in the same spirit as Linux itself, and in many cases governed by the same licensing types, these free applications can seriously reduce the cost of maintaining a network server. Although it can be said that there are also free server-type applications for Windows and NetWare, there are certainly not as many of them as there are for Linux. (Note that we are referring to server applications, not applications targeted at workstation or end-user applications.)

Linux Security

Considerable effort has been put into making Linux a very secure network operating system, and those efforts are evident. When it is configured correctly, Linux is a very secure operating system; therefore, it is often used as a company's firewall server. The following are a few highlights of Linux security:

  • Resource access As in the other network operating systems, access to resources on a Linux network is controlled through permissions. Access control lists identifying systems and who can access what resources are held in text files such as hosts.deny and hosts.allow. Permissions for network resources and services can be assigned to an individual user or to a group of users.

  • User authentication To access the local system resources or any network resources, user authentication, in the form of a username and a password, is required. The user account information is kept in a text file known as the /etc/passwd file in the Linux system.

    To log on to a Linux server, the user must supply a valid username and password. Both of these values are case sensitive.


  • File and directory security The default file system used by Linux is the EXT2 file system. Like NTFS, which is used with Windows servers, EXT2 allows administrators to assign permissions to individual files and folders. These permissions are used to control who is allowed access to specific data on the server. A secure server should have permissions set on the important data in the system.

As Linux continues to grow in popularity, it will become an increasingly common sight in server rooms of organizations of all sizes. As a network administrator, you should prepare yourself for when, not if, you encounter a Linux system.

Of the platforms discussed in this chapter, UNIX and Linux have the most simplistic approach to file system security, although for most environments, this approach is more than sufficient. File permissions can be assigned to either the creator of a file or directory, a group, or the entity "everyone," which includes any authenticated user.

UNIX and Linux have only three rights that can be assigned. These rights are listed in Table 7.1.

Table 7.1. File Permissions on UNIX/Linux

Right      Description
Read       Allows files to be listed, opened, and read
Write      Allows files to be created, written to, or modified
Execute    Allows files to be executed (that is, run)


The file permissions are listed to the right of the file. The first value specifies whether the file is a file (-) or a directory (d). The next three values specify the file rights for the user, the next three for the group, and the next three for the "everyone" assignment.
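As an added illustration (not from the book) of the alphabetic and numeric formats just described, the following Python code converts ls -l style mode strings such as "-rwxr-xr-x" into the numeric form (755) and back, and flags settings worth a second look on a server. It goes beyond the chapter's plain rwx triplets by also handling the setuid/setgid ("s") and sticky ("t") markers that ls prints in the execute positions, which add a leading digit to the numeric form.

```python
"""Convert between the alphabetic (rwx) and numeric (777) permission formats
and flag settings worth reviewing. Added example, not from the book; it also
handles the setuid/setgid ("s") and sticky ("t") markers ls -l prints in the
execute positions, which the chapter's plain rwx triplets do not cover.
"""
from typing import List, NamedTuple, Tuple


class Mode(NamedTuple):
    is_dir: bool
    special: int  # 4 = setuid, 2 = setgid, 1 = sticky
    user: int     # r = 4, w = 2, x = 1, summed
    group: int
    other: int


def _triplet(chars: str, special_char: str) -> Tuple[int, bool]:
    """Decode one rwx group; returns (permission bits, special bit present)."""
    r, w, x = chars
    bits, special = 0, False
    if r == "r":
        bits |= 4
    elif r != "-":
        raise ValueError(f"bad read flag {r!r}")
    if w == "w":
        bits |= 2
    elif w != "-":
        raise ValueError(f"bad write flag {w!r}")
    if x == "x":
        bits |= 1
    elif x == special_char:          # lowercase: special bit and execute both set
        bits |= 1
        special = True
    elif x == special_char.upper():  # uppercase: special bit set, execute not set
        special = True
    elif x != "-":
        raise ValueError(f"bad execute flag {x!r}")
    return bits, special


def parse_mode(mode: str) -> Mode:
    """Parse a 10-character ls -l mode string such as "-rwxr-xr-x" or "drwxrwxrwt"."""
    if len(mode) != 10:
        raise ValueError(f"mode string must be 10 characters: {mode!r}")
    kind = mode[0]  # "-" regular file, "d" directory, others are device/link types
    if kind not in "-dlbcps":
        raise ValueError(f"unknown file type marker {kind!r}")
    user, setuid = _triplet(mode[1:4], "s")
    group, setgid = _triplet(mode[4:7], "s")
    other, sticky = _triplet(mode[7:10], "t")
    special = (4 if setuid else 0) | (2 if setgid else 0) | (1 if sticky else 0)
    return Mode(kind == "d", special, user, group, other)


def to_octal(m: Mode) -> str:
    """Numeric form as the chapter shows it ("755"); a leading digit appears only for special bits."""
    digits = f"{m.user}{m.group}{m.other}"
    return f"{m.special}{digits}" if m.special else digits


def from_octal(octal: str, is_dir: bool = False) -> str:
    """Inverse direction: render "755" or "4755" the way ls -l would print it."""
    digits = [int(c) for c in octal]
    if len(digits) == 3:
        digits.insert(0, 0)
    if len(digits) != 4 or any(d > 7 for d in digits):
        raise ValueError(f"bad numeric mode {octal!r}")
    special, user, group, other = digits
    out = "d" if is_dir else "-"
    for bits, sp_set, sp_char in ((user, special & 4, "s"), (group, special & 2, "s"), (other, special & 1, "t")):
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if sp_set:
            out += sp_char if bits & 1 else sp_char.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out


def review(mode: str) -> List[str]:
    """Flag permission settings that usually deserve a second look on a server."""
    m = parse_mode(mode)
    notes = []
    if m.other & 2:
        notes.append("world-writable")
    if m.is_dir and m.other & 2 and not m.special & 1:
        notes.append("world-writable directory without sticky bit")
    if m.special & 4 and m.user & 1:
        notes.append("setuid executable")
    if m.special & 2 and not m.is_dir and m.group & 1:
        notes.append("setgid executable")
    return notes
```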

Mac OS X Server

Mac OS is the operating system created for Apple Computer's line of personal computers. Mac OS has a long history, with the original version being released in 1984 to run on the original Macintosh computer. In 1999, Apple released its last major revision to its aging 'Classic' operating system, Mac OS 9.

The successor to the Classic Mac OS was Mac OS X, a UNIX-like operating system with a friendly and familiar user interface. Successive versions of Mac OS X have a decimal numeral, for example, Mac OS X.1, X.2, and so on.

Because Mac OS X uses Linux/UNIX technology, most of the previous section on Linux applies to a Mac OS X server.

To identify a version of an operating system installed on any Macintosh computer, click on the Apple menu, and choose About This Mac, or About This Computer. You will see a screen listing the version number of the operating system as well as the amount of RAM installed.


Mac OS X File Systems and File and Print Services

As you might expect, the file systems used on Windows-based PCs are different from those used in an Apple system. Instead of the FAT or FAT32 file system, the original Mac file system was Apple's Macintosh File System (MFS). MFS was used with earlier Mac versions, including Mac OS 1 through 3.

Mac OS 4 introduced Apple's Hierarchical File System (HFS). HFS was the primary file system format used on the Macintosh Plus and later models, until Mac OS 8.1, when HFS was replaced by HFS Plus.

HFS+ is the file system most commonly associated with Mac OS X. Like NTFS, HFS+ includes many enhanced features. HFS+ supports disk quotas, byte-range locking, finder information in metadata, support for hiding file extensions on a per-file basis, and more. One of the more publicized features of HFS+ is journaling. In a journaled file system, the system keeps a log of the hard disk's main data activity. In case of a crash or other system failure, the file system can retrieve lost data by consulting the "journal" log, restoring the system to its previous state instead of having to go through the lengthy process of rebuilding the data.

When installing the Mac OS on a computer, always choose an HFS+ or HFS+ (journaled) file system type. Other file systems do not properly support metadata and permissions used by the OS.


The following is a list of other file systems supported by Mac OS X:

  • ISO9660 Mac supports the ISO9660 file system standard. This is a system-independent file system for read-only data CDs.

  • MS-DOS Mac OS X includes support for MS-DOS file system (FAT12, FAT16, and FAT32).

  • NTFS Mac OS X includes read-only support for NTFS.

  • UDF UDF (Universal Disk Format) is the filesystem used by DVD-ROM (including DVD-video and DVD-audio) discs and by many CD-R/RW packet-writing programs.

When working in a heterogeneous network environment (one that uses different OS platforms), Mac OS X offers a wide range of support for network file and print services, supporting various file sharing protocols. A file sharing protocol is a high-level network protocol that provides the structure and language for file requests between clients and servers. It provides the commands for opening, reading, writing, and closing files across the network. Each OS has a different protocol used as the file sharing protocol.

In order for a client to have access to multiple servers running different operating systems, either the client supports the file sharing protocol of each operating system or the server supports the file sharing protocol of each client. Software that adds this capability is very common and enables interoperability between Windows, Macintosh, NetWare, and UNIX platforms. The following is a list of file sharing protocols supported by Mac OS X:

  • Apple Filing Protocol (AFP) The Apple Filing Protocol (AFP) is an Apple proprietary protocol for file sharing over the network using TCP/IP. If you have a Windows NT or Windows 2000/2003 server, you can turn on Apple Filing Protocol (AFP). AFP is the native Macintosh file sharing protocol, and when it is enabled, Macs will be able to see the server.

  • Server Message Blocks/Common Internet File System (SMB/CIFS) Mac OS X includes cross-platform support for SMB/CIFS, the protocols that enable file sharing between network nodes in a Windows environment. Using Mac OS X, Macintosh clients can connect directly to Windows servers thanks to the SMB client built into the Mac OS. Support for SMB/CIFS is supplied by the Samba software package, which is installed on all versions of Mac OS X by default. Samba is a networking tool originally designed to integrate the Windows file sharing protocol (SMB/CIFS) and UNIX systems on a network. Running on a UNIX system, it allows Windows to share files and printers on the UNIX host, and it also allows UNIX users to access resources shared by Windows systems. Whenever possible, use Mac OS X v10.2 or greater to ensure the best compatibility with Windows file servers. When using the SMB protocol to connect to a Windows 2000 or 2003 file server, make sure that SMB signing (packet signing) is disabled on that server.

  • Network File System (NFS) NFS is a file sharing protocol associated with UNIX/Linux systems. Clients using Mac OS X are able to connect to Linux/UNIX servers using NFS, just like the other UNIX stations on the network. NFS can be problematic because file permissions are applied to newly created files and folders on the server based on the user ID and group ID from the client computer, unless otherwise specified by the server administrator.

Mac OS X Security

As with any other OS, Mac OS X has been designed to meet the security needs of today's businesses. This includes security measures in the local network and security protocols to be used on remote networks.

The most fundamental level of security lies within the operating system itself. Any interaction with the system requires some form of authentication.

The first level is user authentication. Mac OS X implements role-based user accounts. Three account types are available on Mac OS X client machines (machines not a part of a Windows domain or Mac OS X Server infrastructure), whose options can be configured in the Accounts area in the System Preferences application.

  • Limited The most restricted type of account, limited users might only be able to see certain parts of the file system, and only run applications approved by an administrative user. As of Mac OS X v10.4, system administrators can also restrict network access to lists of approved websites and email addresses.

  • Standard Most users on a machine will fall into this category. Standard users are allowed to run any applications that are installed in directories they have access to, but can only write to their home directories and directories that have been set up for them by a system administrator. Standard users are also restricted from making any configuration changes that affect anything beyond their user account (such as network settings).

  • Administrator This account type allows the user to make systemwide changes to the machine, change permissions of files and directories they do not directly own, and manage accounts. Every Mac OS X computer must have at least one administrative account.

Being a UNIX-like operating system, Mac OS X naturally inherits a UNIX-style file system permission system. Every file and folder on the machine has three levels of access with three possible settings each. Persons familiar with UNIX, Linux, and BSD systems will feel right at home with this environment. Refer to Table 7.1 for details on Mac OS X permissions. Fortunately for those not familiar with the chmod and chown command-line utilities, the Mac Finder provides an interface for managing permissions in the Get Info window. In the info window for any file or folder on the computer, there is an Ownership & Permissions area listing all possible permissions variables for the given object. The three levels of access for each file and folder are Owner, Group, and Everyone (or Other). The owner is usually the user who created the object on the system. Groups are logical collections of users on a machine. On Mac OS X Client machines, groups cannot be created or modified; however, two key groups are automatically created and maintained to assist with machine administration:

  • All administrator level users automatically belong to the Admin group.

  • All other users belong to the Staff group.

Novell NetWare

Once the network operating system of choice for all but a few networks, NetWare's popularity has declined significantly over recent years. However, NetWare is still widely used in many environments, including government and education. The latest version of NetWare, version 6.5, continues Novell's tradition of providing feature-rich, enterprise-class network operating systems.

The information this chapter provides on Novell NetWare is intended to apply to NetWare 6 and 6.5. If you find yourself working on an older version of NetWare, you might find that some of the commands and utilities are different from those discussed here.


One of the features that really put NetWare on the networking map was Novell Directory Services (NDS). Like Microsoft's Active Directory, NDS (which has been around since 1994) is a directory services system that enables network objects to be stored in a database. This database can then be divided and distributed among different servers on the network. These processes are known as partitioning (the dividing) and replication (the distribution among servers on the network). Although introduced as NDS with NetWare 4.x, Novell has now renamed the product eDirectory and made it platform independent.

Although a detailed understanding of eDirectory is not required for the Network+ exam, working with a NetWare server will most certainly require a thorough knowledge of this product.


Like the other network operating systems, NetWare is a full-featured operating system that offers all the functions required by an organization, including file and print services, DNS and DHCP servers, and FTP and Web servers. NetWare also supports a wide range of third-party hardware and software.

NetWare Authentication

As with all the other network operating systems discussed in this chapter, by default NetWare authentication is performed by using a username and password combination. As well as supplying this information, users also need to tell client software which NDS tree to authenticate to and the location of the user object in the NDS tree. NetWare also supports numerous other authentication mechanisms such as smartcards and biometrics.

By default, passwords in NetWare are not case sensitive.


After a user has been validated to the eDirectory tree, an assortment of restrictions is evaluated, including allowed logon times and station restrictions. These prevent users from logging on during restricted times and from certain workstations.

In versions of NetWare up to and including 3.x, NetWare used a system called the Bindery to store user, group, and printing information. NDS was introduced with NetWare 4 to replace the Bindery and has been used on every NetWare version since then, though as mentioned, the product is now called eDirectory.


Information about the user account and what the user can and can't access is stored in the NDS. For this reason, a copy of the NDS must be available in order for the user to be able to log on. Also, each time a user attempts to access a resource, their authentication status is checked in the NDS to make sure that they are who they say they are, and that they are allowed to access the resource. One benefit of this system is that a user need only log on once in order to be permitted resources anywhere on the network.

NetWare File Services

For many years, NetWare was considered the operating system of choice for providing file and print services. Although that might no longer be the case, many people in the IT industry still see NetWare as primarily a file and print server platform.

NetWare uses a file sharing system in which all areas of the disk are available to all users who have permissions. There is no concept of share points as with Windows server operating systems, although it is possible for a user to connect to a specific folder on the server if necessary. Instead, users can map a drive to an area of a disk called a volume. Only the areas of the volume to which the user has been assigned permissions are available to that user.

In versions of NetWare since 5.1, Novell has offered a service called Novell Storage Services (NSS). NSS allows for larger volume sizes and improves the performance of file serving.


Novell offers compatibility with various client operating systems by using special software drivers known as name spaces to make drives available to clients. Most commonly, the driver that mimics the file properties of Windows clients, which is called "long," is used, though NFS is also enabled by default in NetWare 6.x.

File system security on NetWare is the most sophisticated of any of the popular network operating systems. In addition to a full set of file permissions, NetWare also accommodates file permission inheritance and filters to cancel out that inheritance. For those who are unfamiliar with the various features of NetWare file system security, it can all seem a bit bewildering. When you are used to it, though, you realize that it allows an extremely high level of control over files and directories.

The term inheritance is used to describe the process of rights flowing down the folder structure. For example, rights are assigned at the top of the folder structure, and unless they are blocked at a lower level, they flow to the bottom of the structure. All common network operating systems employ file inheritance in one way or another.


At the core of NetWare file system security are the basic permissions. These permissions can be assigned to individual files or, where appropriate, folders. The file system rights available on a NetWare server are listed in Table 7.2.

Table 7.2. File Permissions on a NetWare Server

Right            Description
Supervisor       Supervisory; implies all rights
Read             Allows the file to be read
Write            Allows the file to be written to
Create           Allows new files to be created
Erase            Allows files to be deleted
Modify           Allows the attributes of the file to be changed
Filescan         Allows the file to be viewed
Access Control   Allows the file permissions to be manipulated


In addition to file permission rights, on a NetWare server, files can also be assigned a range of attributes. These attributes include options such as Rename Inhibit and Delete Inhibit.

NetWare Print Services

Printing with NetWare can be implemented in a variety of ways. Traditionally, printers were defined on the server, and print queues were associated with those printers. In NetWare 6, a feature called Novell Distributed Print Services was introduced, which enables a more dynamic printing environment to be created. NetWare 6 also introduced a new feature called iPrint, which allows users to see graphical maps of the network and point and click to access network devices.

To access a printer on NetWare, clients capture the output that would normally be directed to a local printer port and send it to the network printer. In early versions of NetWare, this was a process performed by using a command-line utility, called capture. Today, the process has been hidden behind the graphical interface of the client software and is largely unnoticed.

NetWare Application Support

Although application support will always be a topic of much debate, the reality is that third-party application support for NetWare is not nearly at the same level as it is for the Windows server platforms. NetWare would even have a hard time competing against Linux in this respect. However, many applications are available for NetWare, and you are likely to have a choice of applications for any given purpose.

On a NetWare server, console utilities and drivers are implemented through pieces of software called NetWare Loadable Modules (NLMs). Most NLMs can be loaded and unloaded as needed.


Even though third-party support might be lacking, the applications included with the NetWare package provide many of the commonly desired network services. This includes a DHCP server, a DNS server, and a Web server application, as well as a range of other services.

NetWare Security

Similar to the other network operating systems, NetWare has many security features to help secure the server and the network. The key areas of NetWare security include the following:

  • Resource access Resource access in NetWare is controlled, as is everything else related to security, through directory services. For a user to gain access to a network resource (whether it be a file, directory, printer, or server), the appropriate permissions must be applied through the directory. Permissions can be granted to the user, to a group to which the user belongs, or to an eDirectory container object in which the user resides. Rights to objects can be inherited or gained from other user IDs through a process called security equivalence.

  • User authentication As with the other network operating systems, accessing a NetWare server and network resources requires a username and password combination. To log on to a NetWare server, the context of the user must also be specified and, in some instances, the name of the eDirectory or NDS tree must also be provided. Context is a term used to refer to the location of an object, in this case the user object, in the eDirectory tree. Without the correct context, the security subsystem is unable to identify the correct user ID and does not grant access to the server. Because the context can be quite complex and the tree name is generally not used except at the point of login, it's common practice to configure users' workstations to default to a certain tree and context rather than requiring them to provide this information. This way, a user needs to provide only a username and password.

    To gain access to a NetWare server, or more accurately eDirectory or NDS, four pieces of information are normally required: a username, a password, a directory context, and the name of the tree to which the user wants to log in. In addition, you can specify a server name, although this is not required.


  • File and directory security NetWare provides a very comprehensive file and directory permissions system, which allows rights to be assigned to users, groups, and other directory services objects. Rights are inheritable, which means that rights assigned at one file system level flow down through the structure until they reach the end of the file system tree, unless they are countered by an inherited rights mask or by an explicit trustee assignment. Much the same process is used to manage and assign rights within the eDirectory tree, although the actual set of rights that can be assigned is different.

The NetWare console can and should be locked for security purposes. You can lock the NetWare console by using a utility called scrsaver, which you run from the server command line.

With the proliferation of Microsoft Windows server platforms, you might not actually get to work with a NetWare server. But if you do, you'll find that there is good reason why NetWare was king of the network operating system hill for so long.

Windows 2000 and Windows Server 2003

Windows 2000 was the follow-up to the popular Windows NT 4 network operating system, and it quickly established itself as a reliable and robust operating system. Windows 2000 built on the success of its predecessor and offered many improvements and advancements. In 2003, Microsoft released the latest version of its Windows server family of products, the aptly named Windows Server 2003. Microsoft still currently supports Windows 2000, and many organizations still have Windows 2000 Server systems deployed.

Three different versions of Windows 2000 are available for server platforms: Windows 2000 Server, Advanced Server, and Datacenter Server. Windows 2000 is also available as a workstation operating system: Windows 2000 Professional. Windows 2000 Professional has the majority of features, capabilities, and strengths of Windows 2000 Server products but omits the server-type network services and capabilities.

As with Windows 2000, there are several versions of Windows Server 2003: Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, and Windows Server 2003 Datacenter Edition. Additionally, Windows Server 2003 Web Edition is designed as a platform for Web-based applications and services. Microsoft fully expects that you will mix and match editions of Windows Server 2003 on a network, so interoperability between the editions is seamless.

To make things easier, from this point on, we'll refer to both Windows 2000 Server and Windows Server 2003 simply as Windows servers, unless there is a need to identify differences between the two.


Microsoft Active Directory

Active Directory is a directory services system, similar in nature to Novell's eDirectory, which allows network objects such as users and groups to be placed into logical areas of a database. This database can then be distributed among various servers, all of which participate in the Active Directory structure. Because all the network object information is placed in a single database, albeit a distributed one, it can be used by any network application or subsystem, eliminating the need for duplicate information to be held on each server of the network. In the case of Microsoft server operating systems, Windows 2000 was the first network operating system to take this approach. Previous to this, user accounts on Windows servers were stored on each server, and special relationships called trusts had to be set up in order to allow users on one server to access resources in another. In Active Directory, trusts still exist, though their role is somewhat different.

Windows servers on a network can be either domain controllers or member servers. Domain controllers are servers that have Active Directory installed and hold a copy of the Active Directory database. The term domain is used to describe a logical section of the Active Directory database. Domain controllers store user account information, so they can provide network authentication. An Active Directory domain can have several domain controllers, with each one having a read/write copy of the Active Directory database. In fact, for fault-tolerance reasons, this is a good strategy to employ.

Active Directory is a complex subject, and much of the information in this section is not needed for the Network+ exam. For further information on Active Directory, refer to Microsoft's website (www.microsoft.com).


Member servers are not involved in the authentication of network users and do not take part in the Active Directory replication process. Member servers are commonly employed as file and print servers, or with additional software, as database servers, Web servers, firewalls, or servers for other important network services such as DHCP and DNS.

Windows Authentication

The authentication process facilitated by a Windows server allows users logging on to the network to identify themselves to the Active Directory, and subsequently to access all the network resources to which they have permissions. This means that it is necessary to log on only once to access all the resources on the network. The nature of directory services means that other applications, such as a Web server, can interface with the directory and use the same authentication information.

Microsoft Active Directory uses Kerberos as its native authentication protocol. For more information on Kerberos, refer to Chapter 6, "WAN Technologies, Remote Access, and Security Protocols."


Passwords on Windows server operating systems are case sensitive.


In addition to the standard authentication mechanism of usernames and passwords, Windows server platforms also support other authentication systems such as smartcards and biometrics. Implementation of these methods requires additional hardware and software.

Windows Server File and Print Services

The provision of file and print sharing services is a mainstay of any network operating system, and Windows servers are no exception. Windows server systems use a principle called shares to make areas of a disk available to users. These shares can be secured by share permissions, which can be used on any file system, along with file and folder permissions if the shares are resident on New Technology File System (NTFS) partitions.

In order to use file or folder level permissions on a Windows server system, the disk must be formatted with the NTFS file system. FAT or FAT32 partitions do not support file level permissions, and must rely solely on share permissions to provide security.


Both Windows 2000 Server and Windows Server 2003 use the same mechanisms to provide file system security. Rights can be assigned to users, groups, and some special entities, which include the "everyone" assignment. Table 7.3 describes the basic file permissions that can be used with NTFS on Windows Server platforms.

Table 7.3. Basic File Permissions with NTFS on Windows and Windows Server 2003

  Right                  Description
  --------------------   ----------------------------------------------------
  Full Control           Provides all rights
  Modify                 Allows files to be modified
  Read & Execute         Allows files to be read and executed (that is, run)
  List Folder Contents   Allows the files in a folder to be listed
  Read                   Allows a file to be read
  Write                  Allows a file to be written to


An added complexity to file system security on Windows platforms is that the shares created to allow users to access folders across the network can also be assigned a set of permissions. Although these permissions are quite basic (Full Control, Change, and Read), they must be considered because, when assigned, they are combined with NTFS permissions. The rule in this situation is that the most restrictive permissions assignment applies. For example, if a user connects through a share with Read permission and then tries to access a file to which he has the NTFS Full Control right, the actual permissions would be Read. The most restrictive right (in this case, the Share Read permission) overrides the other permissions assignment.
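The combination rule above (share permission and NTFS permission, most restrictive wins) is easy to get wrong when a user holds rights through several groups. The following is an added example, not code from the book or from Microsoft, that models the rule with sets of capabilities. It generalizes slightly beyond the page's single example by accumulating NTFS Allow rights from several group assignments before intersecting with the share permission; the capability vocabulary, the mapping of rights to capabilities and the omission of explicit Deny entries are simplifications made for this example.

```python
"""Effective access through a Windows share in a simplified model.

Added example, not from Network+ Exam Cram 2 or from Microsoft. The capability
sets are a constructed approximation of the Windows 2000/2003 basic permissions:
real ACLs carry more granular special permissions and explicit Deny entries,
and the share-level Read permission also permits running programs, which this
model ignores so that the page's example resolves to plain "Read".
"""
from typing import Iterable, Set

# Constructed capability vocabulary for the model.
READ, WRITE, EXECUTE, LIST, DELETE, CHANGE_PERMS = (
    "read", "write", "execute", "list", "delete", "change_perms")

# Table 7.3 basic NTFS rights mapped to the capabilities they grant.
NTFS_RIGHTS = {
    "Full Control": {READ, WRITE, EXECUTE, LIST, DELETE, CHANGE_PERMS},
    "Modify": {READ, WRITE, EXECUTE, LIST, DELETE},
    "Read & Execute": {READ, EXECUTE, LIST},
    "List Folder Contents": {LIST},
    "Read": {READ, LIST},
    "Write": {WRITE},
}

# Share permissions are coarser: only Full Control, Change and Read exist.
SHARE_PERMS = {
    "Full Control": {READ, WRITE, EXECUTE, LIST, DELETE, CHANGE_PERMS},
    "Change": {READ, WRITE, EXECUTE, LIST, DELETE},
    "Read": {READ, LIST},  # simplified: ignores the run-programs aspect
}


def ntfs_effective(ntfs_grants: Iterable[str]) -> Set[str]:
    """Union of the NTFS Allow rights a principal holds directly or through
    group membership (Allow entries accumulate; Deny is not modelled)."""
    caps: Set[str] = set()
    for right in ntfs_grants:
        caps |= NTFS_RIGHTS[right]
    return caps


def effective_over_share(share_perm: str, ntfs_grants: Iterable[str]) -> Set[str]:
    """Access through a share is the intersection of the share permission and
    the accumulated NTFS permission: whichever is more restrictive wins."""
    return SHARE_PERMS[share_perm] & ntfs_effective(ntfs_grants)


def describe(caps: Set[str]) -> str:
    """Name the basic NTFS right whose capability set matches exactly, if any;
    otherwise list the capabilities so an administrator can see the result."""
    for name, granted in NTFS_RIGHTS.items():
        if granted == caps:
            return name
    return "custom: " + ", ".join(sorted(caps))


if __name__ == "__main__":
    # The page's example: Read on the share, Full Control in NTFS -> Read.
    print(describe(effective_over_share("Read", ["Full Control"])))
    # The other direction: Full Control on the share, only Read in NTFS -> Read.
    print(describe(effective_over_share("Full Control", ["Read"])))
    # Rights from two groups accumulate, then the share Change permission caps them.
    print(describe(effective_over_share("Change", ["Read", "Write"])))
```

A practical consequence of the rule is that granting a generous share permission (Full Control) and controlling access purely through NTFS is a common administrative pattern, because the NTFS permissions then fully determine what the user can do, whether the file is reached locally or through the share.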

In addition to the basic file sharing and permission systems, Windows server systems also include some advanced features to further enhance the file and server capabilities. These features include the following:

  • Disk quotas: The amount of disk space available to a user can be restricted and managed through disk quotas. This is a useful element of control over disk usage.

  • Encrypting File System (EFS): EFS allows files to be encrypted while on the disk, preventing unauthorized access. The main advantage of EFS is that it keeps the files encrypted even if the user or organization loses physical control of the drives, such as with a laptop computer.

  • Distributed File System (DFS): DFS allows multiple directories on distributed servers to be represented through a single share point, simplifying access for users and administration.

Windows server systems support the FAT, FAT32, and NTFS file systems. However, if you are configuring a server, you are unlikely to use FAT or FAT32 as they do not offer any file level security. Also, you need NTFS if you want to take advantage of features such as disk quotas, DFS, EFS, file compression, or auditing. You also need NTFS to support Active Directory.

Client operating systems such as Windows 95, 98, and Me do not support NTFS. You can only create NTFS partitions on Windows XP, Windows NT 4, Windows 2000, and Windows Server 2003.


Windows client systems often use the FAT32 file system, but on a server, you should always use NTFS unless you have a very good reason not to. With FAT or FAT32, you can only use share level permissions; you cannot protect files or folders directly as you can with NTFS.


Although it is possible to convert a partition formatted with FAT or FAT32, it is recommended that you format a drive as NTFS when you are creating partitions rather than converting at a later date. Drives originally formatted with NTFS have less fragmentation and better performance than those converted from FAT. If you do need to convert a partition, you can use the CONVERT utility, but the process is one way. Once you have converted from FAT, you can never go back.

You can use the Convert.exe utility to convert from FAT or FAT32 to NTFS. The syntax is convert c: /fs:ntfs /v.




Windows server provides comprehensive print server functionality. Clients are able to connect to printers across the network without the need for locally installed printer drivers. The drivers are stored on the server and downloaded when the user connects to the printer, making it easy to ensure that users are using the latest version of the correct driver.

Printing on a Windows server can be controlled through a permission mechanism similar to that used in file system security, though it is less complex. Preconfigured groups also allow you to delegate the management of printing functions, which can be a good idea in large environments.

All these features combine to make Windows a very solid choice as a file and print server.

Windows Application Support

Of all the network operating systems discussed in this chapter, Windows server platforms have the best overall level of support by third-party applications. In addition to having superb third-party application support, Windows server operating systems come with a complete set of tools and services that satisfy almost every need a company could have from a network operating system. These applications include DNS and DHCP server services, performance-monitoring tools, Web server applications, remote access capabilities, and network monitoring tools.

Windows Security

Windows server operating systems provide a full range of security features that make for very secure network operating systems. Windows Server 2003 is considered more secure than Windows 2000, as it employs a "secure by default" strategy through which unnecessary applications, services, and security configurations are disabled by default. Administrators can then enable applications and services on an as-needed basis.

Watch the Caps Lock: To log on to a Windows server system, a valid username and password are required. The password is case sensitive, but the username is not.


As with any other network operating system, you should make sure that Windows servers are updated with the latest operating system service packs, patches, and security updates. Without them, your systems might be vulnerable to a range of threats and attacks that could compromise your network.


Authentication security is provided on Windows servers through Kerberos version 5. File system security and encryption are provided through NTFS permissions and EFS. Network communication can be protected by a range of security and authentication protocols, though IPSec (which is discussed in Chapter 6) is most commonly used on Windows server networks to provide both encryption and authentication for network data.

AppleShare IP

Mac OS-based computers can usually be expected to rely on the AppleShare IP protocol (although on a modern network this is very much at the discretion of the network administrator, as both Mac OS clients and Mac OS servers support so many other protocols). When connecting Macintosh clients to a server of a different platform, it is often necessary to enable AppleShare services to provide backward compatibility to older workstations, or to provide effective security.

In the classic versions of the Mac OS, AppleShare functionality was provided by a suite of extensions and control panels providing configuration and core services for this networking protocol. As always, when integrating computers using older software onto a newer network, download and install the latest versions of the AppleShare software from Apple Computer's website, and make sure that the operating system is up-to-date. Download the latest version of AppleShare from Apple's support website at http://www.apple.com/support/. Mac OS X computers should be kept up-to-date with the Software Update utility accessible via System Preferences.

Although AppleShare IP provides a secure way for a user and server to exchange names and passwords, it is not an encrypted protocol. It is theoretically possible for an IP packet to be intercepted and its contents read by a third party. Therefore, care should be taken when exchanging sensitive data. Fortunately, AppleShare IP is a pure TCP/IP protocol, so it may be "tunneled" using any variety of encryption methods. The Mac OS itself supports L2TP over IPSec and PPTP, which are capable of encrypting network packets to prevent anyone from reading intercepted packets.

AppleShare Authentication

The most important task to be accomplished between the client and server using the AppleShare protocol is authentication. How is the server to know that the user can be trusted to perform operations on files and folders? What if the user is attempting to connect to a non-Apple file server that supports a unique authentication standard?

On connecting to any AppleShare service on any server, the first thing the client does is try to determine what method of authentication the server supports. Can an Apple protocol be used? What about Kerberos, or the Microsoft authentication protocol? If the server supports more than one authentication method, the user is asked to choose one. The exception is the plain-text method. If the server and client don't have compatible authentication software installed, a username and password can be exchanged via plain text, if the server has been allowed to support it. However, if any more secure method is available, the plain-text option won't be given.

Because various software vendors sell servers that support AppleShare IP, clients need to be able to add authentication methods. Recent versions of AppleShare support user authentication modules, which are simple plug-ins that add authentication methods to a client.

The most common plug-in is the Microsoft UAM, required to connect to Windows 2000 and 2003 servers. This software comes with the server and is also available for download from Microsoft's support website. This module allows AppleShare IP clients to use Microsoft's native Windows authentication protocol, allowing administrators to provide enhanced security by using SMB services with packet signing turned on, as well as providing secure access to Macintosh clients.
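The method selection described above (the client learns what the server offers, presents every mutually supported method, and falls back to plain text only when nothing stronger is available and the server permits it) together with the plug-in mechanism of the last two paragraphs can be modelled as a small piece of client logic. The following is an added example, not Apple's or Microsoft's code and not from the book; the method names, the default method set and the install_uam plug-in registry are constructed for the example.

```python
"""Client-side choice of an AppleShare authentication method (simplified model).

Added example; not code from Apple, Microsoft or Network+ Exam Cram 2. Method
names are constructed labels standing in for the methods the text mentions
(an Apple method, Kerberos, Microsoft's protocol, and plain text).
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set

PLAINTEXT = "Plain text"


@dataclass
class AppleShareClient:
    # Methods built into the client; UAM plug-ins extend this set.
    methods: Set[str] = field(default_factory=lambda: {"Apple", PLAINTEXT})

    def install_uam(self, name: str) -> None:
        """Install a user authentication module, e.g. a vendor-supplied one,
        so the client can speak an additional authentication protocol."""
        self.methods.add(name)

    def choose_methods(self, server_offers: Iterable[str],
                       server_allows_plaintext: bool) -> List[str]:
        """Return the methods the user may be asked to choose from, in the
        server's order. Plain text is offered only when no stronger method is
        supported by both sides, and only if the server has enabled it."""
        offers = list(server_offers)
        secure = [m for m in offers if m in self.methods and m != PLAINTEXT]
        if secure:
            return secure
        if server_allows_plaintext and PLAINTEXT in offers and PLAINTEXT in self.methods:
            return [PLAINTEXT]
        return []  # no compatible method: the logon cannot proceed


if __name__ == "__main__":
    client = AppleShareClient()
    # Server speaks only Microsoft's protocol (plus plain text): the stock
    # client has no Microsoft UAM installed, so plain text is the only option.
    print(client.choose_methods(["Microsoft", PLAINTEXT], server_allows_plaintext=True))
    # After installing the Microsoft UAM the stronger method is used instead.
    client.install_uam("Microsoft")
    print(client.choose_methods(["Microsoft", PLAINTEXT], server_allows_plaintext=True))
```

The defensive point the model makes visible is the second case: installing the vendor's UAM on the clients is what lets an administrator disable plain-text logons on the server without locking Macintosh users out.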


    Network+ Exam Cram 2
    ISBN: 078974905X
    Year: 2003
    Pages: 194