Windows XP's Network Services

Besides file and printer sharing, Windows XP provides many other network services. You might never interact with some of these services directly, but their presence makes Windows the amazing application platform it is.

Let's take a tour of Windows network services. I'll describe what each service is, why it's useful, perhaps a bit about how it works, and I'll tell you where to find out how to install, configure, or use it, if appropriate.

File and Printer Sharing

Networking software was originally developed in order to share and transfer files between computers. (America Online Buddy Chat came later, if you can believe that!) Windows XP comes with the following features:

  • Client for Microsoft Networks, which gives access to files and printers shared by other Windows computers as well as OS/2, UNIX, Linux, and so on.

  • File and Printer Sharing for Microsoft Networks, which lets Windows XP Professional share files and printers with users of those same operating systems. Windows XP Pro is limited to 10 simultaneous connections from other computers; the Server version is required for larger LANs.

  • Web Sharing, which is a new technology that provides secure file copying to and from shared folders over the Internet, using the Web's Hypertext Transfer Protocol. The "new" part is that it uses full Windows security and the Windows Explorer user interface, while the underlying technology is based on the World Wide Web and Microsoft's Internet Information Server.

  • Client for Novell Networks, which gives access to files and printers shared by Novell NetWare file servers.

  • Print Services for UNIX, which lets you use and share printers with computers using the UNIX operating system's LPR protocol.

Unlike Windows 200x Server, however, Pro has no tools to share files with Apple Macintosh computers or to use Macintosh shared folders.

For information about installing, configuring, and using Microsoft network software,

For information about interacting with Novell and UNIX servers,

Roaming User Profiles

When Windows XP Professional is connected to a Windows Server domain, besides simply validating usernames and passwords, Server can supply Pro computers with a profile for each user as he or she logs in.

A profile contains information that helps Windows XP Professional make its desktop and folders look the same no matter which physical computer you use. User profiles contain the following:

  • Desktop icons and shortcuts

  • The contents of your My Files and Documents folder

  • Your configuration and preference settings for all the software you use, from your Word preferences to your choice of screen savers

  • Management settings that control, for example, whether you are allowed to change Control Panel entries

Roaming user profiles are covered in more depth in Chapter 28, "Managing Users."

Distributed Applications

Windows XP provides network protocols that let software application developers write programs that interact across a network. You will probably never have to install, configure, or even know such protocols exist; you'll just use the programs that use them and happily go about your business. But someone may mention them, so you should be familiar with their names: RPC and COM+.

RPC

Microsoft's remote procedure call (RPC) network protocol allows software to be split into pieces that run on different computers and interact across a network. RPC is used, for instance, when a user on one Windows computer pauses print spooling on another. It's the basis of most of Windows's remote management capabilities, which go well beyond anything the authors of the basic file sharing protocols made allowances for.

COM+ (Formerly COM and DCOM)

The former Component Object Model (COM) and Distributed COM (DCOM) services have been combined in Windows 2000 and XP into the upgraded COM+ service. COM+ gives software developers tools to build highly modular software in a variety of languages. The "+" and "Distributed" parts refer to the service's ability to let software communicate across the network with software running on other computers. For example, Windows Management Instrumentation (WMI) uses COM+ to provide a means of remotely monitoring and managing networked computers.

NOTE

If you read about the security improvements provided by Windows XP Service Pack 2, you may notice RPC and DCOM are mentioned. Before Service Pack 2, applications that used RPC and DCOM could receive "anonymous" connections from remote computers by default. After SP2, the default is for remote connections to require authentication. Also, by default, Windows Firewall blocks incoming RPC and DCOM requests, all of which initially use TCP Port 135. This port must be opened to allow remote computers to access RPC/DCOM services on your computer. In addition, Windows Firewall must be told which applications are allowed to receive the incoming connections. If you or your company has developed RPC or DCOM applications, configuration or programming changes will probably be necessary to make them work after installing SP2. (On a corporate network, this will be done through Group Policy.)


To learn more about COM and DCOM, pick up a copy of COM/DCOM Unleashed, published by Sams Publishing. For information about SP2 changes to RPC and DCOM, visit www.microsoft.com/technet and search for the words "dcom rpc developer sp2".

Messenger Service

Windows has a built-in network service called the Messenger service. This Messenger has nothing to do with the Windows Messenger instant messaging program discussed in Chapter 12. Rather, it's a very primitive system that lets computers on a network send short pop-up messages to each other. These services were designed to send simple notices, for example, to let Administrators notify users of an impending network shutdown and for print servers to notify users that their print job has completed.

The Messenger service displays received messages in a pop-up dialog. The related Alerter service can be set up to watch System Monitor parameters and send a message to an administrator if it detects an abnormal condition like a filled hard drive. Unfortunately, the services were widely abused by spammers and unscrupulous Web site operators to display advertisements. Therefore, after installing Service Pack 2, the Alerter and Messenger services will be disabled by default. (They can be restored by changing their startup setting to "Automatic" in the Computer Management "Services" list.)

Windows Peer-to-Peer Networking

Windows Peer-to-Peer Networking has an unfortunate and confusing name, because this relatively new addition has nothing to do with the peer-to-peer networking we've been discussing so far in this chapter. It is a new service that lets software developers write applications that run on multiple computers. The potential applications include number-crunching tools that can take advantage of unused processing power on other people's computers, file and media sharing tools (think Napster), and discussion/collaboration/communication tools.

.NET

The .NET (pronounced "dot net") initiative is Microsoft's most recent replacement for COM, DCOM, and RPC. .NET is an entire software framework for Internet-enabled software application development. Again, it's something that you will probably never interact with directly, but it will make possible a whole new generation of software applications.

Virtual Private Networking

Windows XP Professional can connect to remote LANs through the Internet using Virtual Private Networking (VPN). This very secure technology makes it safe to use Microsoft networking over the Internet.

If you're interested in learning more about Virtual Private Networking, see "Virtual Private Networking," p. 708.


Remote Access

If you travel with a laptop or often work from a location outside your physical LAN, you can still use RAS (Remote Access Service, also called dial-up networking) to interact with people and files on your network.

For more detailed information about RAS, see p. 674.


Connection by Modem

Windows XP Professional allows you to configure a modem for incoming connections as well as outgoing. You can provide access to your LAN via modem, for example, to retrieve files from your office while you are at home or in the field. At most, two incoming connections are permitted with Pro.

To configure Remote Access, see p. 675.


Incoming VPN

Windows XP Professional also allows you to connect to your LAN via the Point-to-Point Tunneling Protocol (PPTP); that is, it lets you create a Virtual Private Network. If your LAN has a full-time Internet connection, it will (or it should) have a firewall installed, thus preventing you from using file sharing directly from the outside world. A VPN connection lets you safely penetrate the firewall to gain access to your LAN over the Internet.

Remote Desktop and Windows Terminal Services

Windows XP Professional and Windows 2000 Server/Windows 2003 Server provide a sort of remote-control system called, variously, Windows Terminal Services, Remote Desktop, and Remote Assistance. Terminal Services let you use a computer remotely. Your applications run on the remote computer, while you use your local computer's display, keyboard, and mouse. There are three names for what is basically the same piece of software, because it's used three different ways:

  • Terminal Services A Windows 2000 Server/Windows 2003 Server can be set up to host applications used by remote clients. For example, one beefy computer can run complex software, while the remote computers, which only need to provide a display and keyboard, can be relative lightweights. Terminal Services is also great for remote administration of a server: a manager can sit in front of one computer but control and configure servers anywhere in the world.

    Although the service is provided only by Windows 2000 Server/Windows 2003 Server, the client software is available for Windows XP, 2000, 9x, and NT.

  • Remote Desktop Windows XP Professional has a Remote Desktop feature, which is a copy of the Terminal Services server limited to one incoming connection. It's intended, for example, to enable an employee to access his or her Windows XP Pro computer at the office from home. When a remote user is connected, the XP computer's screen blanks out, so only one person at a time can use the computer.

  • Remote Assistance Windows XP Professional and Home Editions' Remote Assistance feature is based on, you guessed it, Terminal Services again, also limited to one connection. In this case, however, the desktop is not blanked out when the remote user attaches: It's intended for the remote and local user to work together to resolve a problem. Also, the remote connection can only occur when the computer owner emails the remote user an electronic invitation, which is good for one connection only. This makes the service useless for general remote-employee-type work, but handy for one-time assistance.

Internet Connection Sharing

Windows XP Professional has a handy feature that first appeared in the Windows 98 Second Edition: Internet Connection Sharing. This feature lets one XP Pro computer with a modem or high-speed Internet connection provide Internet access to all users of a LAN.

This access is somewhat limited, however. It requires that the LAN use the Windows built-in automatic IP address configuration system, so it's incompatible with WAN configurations. It also requires that the computer with the modem or high-speed connection be left turned on all the time.

Connection sharing is described in more detail in Chapter 19, "Connecting Your LAN to the Internet."

Windows Firewall

With Service Pack 2, Microsoft significantly beefed up the Internet security features of Windows XP. Windows Firewall replaced the earlier Internet Connection Firewall. Among other things, Windows Firewall addresses one of the more stunning deficiencies in the older firewall, which left computers unprotected for 10 to 30 seconds during the bootup process. You might not think that 10 to 30 seconds is much, but with millions of Windows-based computers connected to the Internet, thousands of computers got infected by computer viruses and worse through that window of opportunity.

Windows Firewall is discussed in Chapter 19, "Connecting Your LAN to the Internet," and in Chapter 21, "Network Security."

Universal Plug and Play

Windows XP includes support for Universal Plug and Play (UPnP), a network protocol that lets "smart" networked devices advertise their presence on the network. For instance, many of the inexpensive Internet connection sharing routers on the market are UPnP-enabled. Windows XP will automatically detect their presence and can to a limited extent let you configure them through the Windows interface. More importantly, UPnP lets network-dependent application software like Microsoft Messenger function correctly across an Internet router; UPnP provides a means for the application and the router to talk to each other.

There is some discussion of UPnP in Chapter 12, "Chatting and Conferencing with Windows Messenger," and more in Chapters 19 and 21.

Active Directory

As discussed earlier in this chapter, Windows 2000 and Windows XP can take advantage of a service called the Active Directory (AD). Active Directory combines a name/address directory, management and security services, and wide-area replicated database technologies to provide a foundation for all of Windows' networking functions. If your network is managed by a Windows 200x Server with AD installed, this service is automatically and transparently made available to you. AD is entirely based on TCP/IP technology, and for this reason, all Windows XP computers should use TCP/IP as their primary, if not only, network protocol.

To learn how to use Active Directory services, see p. 619.


Active Directory is a distributed database. Distributed means that information about separate parts of a geographically dispersed network is automatically copied from region to region, from server to server, so that the same information is available at all locations. Any of the information can be managed from any location, and the changes made automatically propagate throughout the network. This might not matter or make sense to the user of an eight-person network, but to the manager of a corporate network that spans several continents, the ability to manage a given computer just as easily from Canada as from Canberra is very appealing indeed.

Active Directory is a true database: It can store any sort of information. Out of the box, it's used to store usernames, passwords, group membership, privileges and other security information, and feature-limiting controls called Group Policies, as well as the names and locations of computers and network printers. But it can also be used by software developers to store arbitrary information about software applications, such as the location and names of the nearest database servers: anything that would be useful to have spread throughout an organization's network.

The most significant part of AD is that it's hierarchical: It arranges information in user-defined groups called containers, which can be nested to any depth. The purpose of this hierarchy is to let AD represent the real structure of an organization. AD lets a network manager define groups by geographical region, department, workgroup, function, or whatever categories make sense to the organization. Each grouping can contain other groups, until finally actual users and/or their computers, printers, and other resources are entered.

The purpose of this feature is to enable network managers to assign usage and management privileges like the right to access certain files or the right to manage user accounts to these containers at appropriate levels, rather than to individuals. A network manager therefore can grant access to users based on the organization's own structure rather than on a user-by-user basis or through "flat" enterprise-wide groups.

For example, let's say a company has East Coast and West Coast divisions and an accounting department in each (see Figure 15.9).

Figure 15.9. Active Directory lets network managers define groups based on actual organizational structure. These groupings model the organization's chains of command. The resulting structure can then be used to sensibly control access privileges and to delegate management rights.


If the network manager grants read and write privileges to a shared network folder to the East Coast container, then all users anywhere in the East Coast structure (Jose, Sue, Bob, and Mary) get access rights to the folder. If Jose is granted "manager" rights to the East Coast Accounting group, then he can control the user accounts for Sue and himself.

Management of all East Coast printers could be granted to a network manager by granting him management rights to the East Coast container. He then would get the right to manage any printers within the entire container, across all its subdivisions.

Active Directory can be integrated into the Domain Name System (DNS) for a company's network so that, for example, a computer in the East Coast accounting division could be named bigbox.accounting.eastcoast.mycompany.com.

Active Directory is used internally by Windows tools such as Explorer, My Network Places, and the Printer Manager. User-written programs can get access to the directory's contents through a programming interface called Active Directory Services Interface (ADSI) or more generally through an Internet protocol called Lightweight Directory Access Protocol (LDAP), which is an industry standard for directory queries and responses. Email programs, for example, can be designed to use LDAP to search for email addresses, regardless of the underlying network system, whether it's based on Windows, Novell NetWare, or other networking systems.
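The following is an added example, not code from the book or from Microsoft: a toy model of the Figure 15.9 hierarchy that shows how a right granted to a container flows down to everything nested inside it (the shared-folder grant to East Coast, Jose's manager right over East Coast Accounting, a printer-management grant over the whole East Coast container), and how an object's LDAP distinguished name and DNS-style name follow from its place in the tree. The "Sales" and "IT" containers, the users Ana and Pat, the printer and folder names, and the right names ("read", "write", "manage") are this example's own assumptions; real AD access control lists are far richer than this.

```python
# Added example (not from the book or from Microsoft): a toy model of the
# Figure 15.9 Active Directory tree with downward-inherited rights.
# Assumptions: the "Sales"/"IT" containers, users Ana and Pat, the printer,
# computer and folder names, and the right names are this example's own.
from dataclasses import dataclass, field


@dataclass(eq=False, repr=False)      # hash by identity so a Node can key an ACL dict
class Node:
    """One directory object: the domain, a container (OU), or a leaf resource."""
    name: str
    kind: str                         # "domain", "container", "user", "computer", "printer", "folder"
    parent: "Node | None" = None
    children: list = field(default_factory=list)
    acl: dict = field(default_factory=dict)   # grantee Node -> set of rights, inherited downward

    def add(self, name, kind):
        child = Node(name, kind, parent=self)
        self.children.append(child)
        return child

    def ancestors_or_self(self):
        node = self
        while node is not None:
            yield node
            node = node.parent

    def walk(self):
        yield self
        for child in self.children:
            yield from child.walk()


def grant(target, grantee, *rights):
    """Give a user, or every member of a container, rights on target and its subtree."""
    target.acl.setdefault(grantee, set()).update(rights)


def effective_rights(principal, target):
    """Union of every ACE on target or an enclosing container whose grantee is the
    principal itself or a container the principal sits in."""
    memberships = set(principal.ancestors_or_self())
    rights = set()
    for obj in target.ancestors_or_self():
        for grantee, granted in obj.acl.items():
            if grantee in memberships:
                rights |= granted
    return rights


def can(principal, right, target):
    return right in effective_rights(principal, target)


def manageable(principal, root, kind):
    """Names of all objects of the given kind that the principal may manage."""
    return sorted(n.name for n in root.walk() if n.kind == kind and can(principal, "manage", n))


def ldap_dn(node):
    """Distinguished name an LDAP or ADSI client would use to address the object."""
    parts = []
    for obj in node.ancestors_or_self():
        if obj.kind == "domain":
            parts += ["DC=" + label for label in obj.name.split(".")]
        elif obj.kind == "container":
            parts.append("OU=" + obj.name)
        else:
            parts.append("CN=" + obj.name)
    return ",".join(parts)


def dns_name(node):
    """Name of the object when the directory is integrated with the company's DNS."""
    return ".".join(obj.name.lower().replace(" ", "") for obj in node.ancestors_or_self())


def build_directory():
    """The Figure 15.9 organisation: East/West Coast, an Accounting department in each."""
    root = Node("mycompany.com", "domain")
    east, west, it = (root.add(n, "container") for n in ("East Coast", "West Coast", "IT"))
    east_acct, east_sales = east.add("Accounting", "container"), east.add("Sales", "container")
    west_acct = west.add("Accounting", "container")
    people = {name: ou.add(name, "user") for name, ou in
              [("Jose", east_acct), ("Sue", east_acct), ("Bob", east_sales),
               ("Mary", east_sales), ("Ana", west_acct), ("Pat", it)]}
    east_acct.add("EastPrinter1", "printer")
    east_sales.add("EastPrinter2", "printer")
    west_acct.add("WestPrinter", "printer")
    people["bigbox"] = east_acct.add("bigbox", "computer")
    shared = east.add("Shared", "folder")
    grant(shared, east, "read", "write")        # the book's folder grant to the East Coast container
    grant(east_acct, people["Jose"], "manage")  # Jose manages East Coast Accounting's accounts
    grant(east, people["Pat"], "manage")        # Pat (assumed network manager) manages all of East Coast
    return root, shared, people


if __name__ == "__main__":
    root, shared, people = build_directory()
    for name in ("Jose", "Mary", "Ana"):
        print(name, "on Shared:", sorted(effective_rights(people[name], shared)))
    print("Jose manages users:", manageable(people["Jose"], root, "user"))
    print("Pat manages printers:", manageable(people["Pat"], root, "printer"))
    print(ldap_dn(people["Sue"]))
    print(dns_name(people["bigbox"]))
```

Run as a script, it shows that Jose and Mary get read/write on the shared folder while Ana (West Coast) gets nothing, that Jose's manager right covers exactly Jose and Sue, and that Pat's grant on the East Coast container reaches printers in every East Coast subdivision but not the West Coast one.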

IntelliMirror

You might hear the term IntelliMirror and wonder what sort of network feature it is. IntelliMirror actually is just Microsoft's name for several features and services provided by its domain networks based on Active Directory. These are

  • Remote Installation Windows XP can be installed from scratch onto an empty hard drive over a network.

  • Roaming User Profiles Your My Documents folder and your preferences settings are stored on the network servers and copied to the computers you use, so they're available anywhere on your enterprise network.

  • Group Policy Windows's capability to "force" preferences settings and restrict access to system configuration dialog boxes is based on Registry entries defined by the network administrators and copied to your computer when you log in.

  • Application Publication Application software such as Word and Excel can be installed automatically across the network, based again on Group policy settings.

Together, these features let network administrators give you the experience of walking up to any computer in your organization and having it be "your" computer with all your files, settings, and applications. You should, in theory, even be able to log off, throw your computer out the window, and replace it with a brand new, empty one, and in short order pick up your work where you left off. In theory, anyway.

Intranet/Internet Services and Tools

Finally, Windows XP comes with a full complement of applications and tools that Internet and UNIX users expect on a TCP/IP-based computer. They're not part of Windows Networking, technically speaking, because they don't use the Networking Clients. They communicate with other computers using TCP/IP directly. These tools include the following:

  • Internet Explorer (Web browser)

  • SNMP Agents

  • Telnet

  • Ping

  • FTP

  • NetMeeting

  • nslookup

  • pathping

  • tracert

  • Outlook Express (SMTP/POP mail client)

  • Internet Information Server (Web server)

These programs are discussed in Part III of this book, "Windows XP and the Internet."

Security

Finally, Windows XP Professional, when it's part of a Windows Server-based network, supports the use of two very sophisticated network security systems to encrypt network traffic and to communicate passwords and information about user rights between computers.

Windows XP Professional supports the IPSec TCP/IP data encryption standard. IPSec provides a means for each of the data packets sent across a network to be encrypted (scrambled) so that an eavesdropper with a wiretapping device can't glean passwords or other sensitive information from your data while it flows through the wires of your building, through airwaves in a wireless network, or across the Internet.

Windows XP also supports the Kerberos network authentication protocol, which was developed at the Massachusetts Institute of Technology (MIT) and is now widely used in secure distributed network operating systems. Kerberos manages the identification of computer users on a network to eliminate many network security risks, such as the recording and playback of passwords.
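To make the "recording and playback" point concrete, here is an added example, not from the book and not the real MIT or Microsoft implementation: a deliberately simplified model of the Kerberos ticket-and-authenticator exchange. It collapses the AS/TGS pair into one KDC step, replaces Kerberos' real encryption types with a toy SHA-256-keystream cipher plus an HMAC tag, and the principal names and passwords are constructed. The 5-minute clock-skew window matches the Kerberos default, but the code is this example's own. What it demonstrates: the password never crosses the wire, the service checks each authenticator's timestamp against its clock, and a replay cache refuses a second copy of an authenticator it has already accepted.

```python
# Added example (not the book's, not MIT's or Microsoft's code): toy Kerberos
# ticket + authenticator exchange showing why a recorded logon can't be replayed.
# Simplifications: single KDC step, toy cipher, constructed names and passwords.
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300          # seconds; Kerberos' default tolerance for authenticator age


def _keystream(key, nonce, length):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy encrypt-then-MAC: JSON -> XOR keystream -> HMAC-SHA256 tag appended."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the tag doesn't verify under this key."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    nonce, cipher = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(cipher, _keystream(key, nonce, len(cipher)))))


def long_term_key(password):
    """A principal's long-term key derived from its password (toy: plain SHA-256)."""
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Key Distribution Center: the only party that knows every long-term key."""
    def __init__(self, keys):
        self.keys = keys

    def issue(self, client, service, now):
        session = os.urandom(32).hex()
        # Ticket is sealed under the service's key: the client carries it but can't read it.
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": now + 8 * 3600})
        # Reply is sealed under the client's key: only a holder of the client's password
        # can recover the session key, and the password itself never crosses the wire.
        return seal(self.keys[client], {"session": session, "ticket": ticket.hex()})


def client_authenticate(client, client_key, kdc_reply, now):
    """Client side: open the KDC reply and build a fresh, time-stamped authenticator."""
    reply = unseal(client_key, kdc_reply)
    authenticator = seal(bytes.fromhex(reply["session"]), {"client": client, "time": now})
    return bytes.fromhex(reply["ticket"]), authenticator


class Service:
    def __init__(self, key):
        self.key = key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def verify(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            return "rejected: ticket expired"
        try:
            a = unseal(bytes.fromhex(t["session"]), authenticator)
        except ValueError:
            return "rejected: authenticator not sealed with the ticket's session key"
        if a["client"] != t["client"]:
            return "rejected: authenticator/ticket name mismatch"
        if abs(now - a["time"]) > CLOCK_SKEW:
            return "rejected: authenticator too old"
        if (a["client"], a["time"]) in self.replay_cache:
            return "rejected: replay of an authenticator already seen"
        self.replay_cache.add((a["client"], a["time"]))
        return "accepted: " + a["client"]


def run_exchange(now=1_700_000_000):
    """Outcomes of a genuine logon, a replay of the same bytes, and a stale attempt."""
    keys = {"sue": long_term_key("correct horse"), "fileserver": long_term_key("svc-secret")}
    kdc, fileserver = KDC(keys), Service(keys["fileserver"])
    ticket, auth = client_authenticate("sue", keys["sue"], kdc.issue("sue", "fileserver", now), now)
    outcomes = [fileserver.verify(ticket, auth, now)]            # genuine logon
    outcomes.append(fileserver.verify(ticket, auth, now + 30))   # same bytes, recorded and replayed
    ticket2, auth2 = client_authenticate("sue", keys["sue"], kdc.issue("sue", "fileserver", now), now)
    outcomes.append(fileserver.verify(ticket2, auth2, now + 2 * CLOCK_SKEW))  # fresh ticket, stale clock
    return outcomes


if __name__ == "__main__":
    for line in run_exchange():
        print(line)
```

The first verification succeeds, the second (the identical ticket and authenticator presented again half a minute later) is refused by the replay cache, and the third is refused because its timestamp falls outside the skew window, which is how a service also copes with replays of authenticators it has long since forgotten.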

TIP

Both IPSec TCP/IP data encryption and the Kerberos network authentication protocol are activated under the control of the administrator of Windows 200x Server and are invisible to you as a Windows XP Professional user.


NOTE

If you're really into security, and I mean really into security, I recommend that you grab a copy of Microsoft Windows 2000 Security Handbook, published by Que (ISBN: 0-7897-1999-1). Better hang on to your hat, though…




Special Edition Using Microsoft Windows XP Professional (3rd Edition)
ISBN: 0789732807
Year: 2003
Pages: 450
