3.3. Exam 70-290 Highlighters Index Here I've attempted to compile the facts within the exam's subject areas that you are most likely to need another look atin other words, the areas of study that you might have highlighted while reading the Study Guide. The title of each highlighted element corresponds to the heading title in the Exam 70-290 Study Guide. In this way, if you have a question about a highlight, you can refer back to the corresponding section in the study guide. For the most part, the entries under a heading are organized as term lists with a Windows Server 2003 feature, component, or administration tool as the term and the key details for this feature, component, or administration tool listed next. Here are examples:
AdminPak -
Only tools needed to manage installed components and services are installed by default. Install AdminPak to ensure you have a consistent tool set. Installed from I386\AdminPak.msi on the Windows Server 2003 CD.
Support Tools -
Extend the core set of administration tools. Include additional useful utilities and commands. Installed from Support\Tools\Suptools.msi on the Windows Server 2003 CD.
In this example, the highlights are for AdminPak and Support Tools. The entries under the listed term summarize key information that you should know about AdminPak and Support Toolsand are possibly the same details you might have highlighted as part of your exam prep. Since I've done the highlighting for you though, you don't need to get out your highlighting markers or mark up the pages (unless of course you really want to). 3.3.1. Essential Administration Tools Summary of highlights from the "Essential Administration Tools" section of the Exam 70-290 Study Guide.
Microsoft Management Console (MMC) -
The primary administration tools are built using MMC. Author mode allows changes. Start with /a option. User mode allows access but no changes. Right-click the console root and then select Connect To Another Computer.
Terminal Services -
Uses Remote Desktop for Administration and Terminal Server modes. For administration, you'll use Remote Desktop for Administration
Remote Desktop for Administration -
TCP port 3389 must be opened to allow remote access. Select Remote Users to specify users granted remote access permission. By default, Administrators group is granted remote access permission. To enable, access the Remote tab of the System utility and select Enable Remote Desktop For This Computer.
Remote Assistance -
Allows a user to send remote assistance invitations. To enable, access the System utility's Remote tab and select Turn On Remote Assistance. To send a remote assistance request, in Windows Messenger, click Actions  Ask for Remote Assistance.
3.3.2. Managing and Maintaining Physical and Logical Devices Summary of highlights from the "Managing and Maintaining Physical and Logical Devices" section of the Exam 70-290 Study Guide.
Hardware Devices -
PnP allows Windows to detect and install a hardware device automatically. Non-PnP devices are not detected automatically. Install devices using the Add Hardware Wizard in Control Panel.
Signed and Unsigned device drivers -
By default, Windows Server 2003 warns you if you try to install an unsigned device driver. To set signing options, click the Driver Signing button on the Hardware tab of the System utility. Ignore allows all device drivers to be installed without prompt. Warn prompts with a warning message prior to installing a hardware device with an unsigned driver. Block prevents installing unsigned drivers.
Device Manager -
All detected devices are listed in Device Manager. In Device Manager, an improperly configured device is listed with a yellow warning icon. On a device's Driver tab, click Update Drive to install a new driver. On a device's Driver tab, click Rollback Driver to go back to previous driver version. On the device's General tab, click Reinstall Driver to start the Hardware Update Wizard.
Bad device configuration -
Press F8 as the system starts and use the Last Known Good Configuration to restore the registry key HKLM\System\CurrentControlSet with the previous driver information. Press F8 as the system starts and use Safe Mode to try to correct a device problem. Start from Windows Server 2003 CD to access Recovery Console and press R to choose Repair Or Recover. Press C to start the Recovery Console.
Partition styles -
x86-based computers use the MBR partition style. Itanium-based computers running 64-bit Windows use MBR and GPT partition styles. X64-based computers use the MBR partition style.
Disk types -
Basic disks. Dynamic disks.
Special volumes -
The system volume contains the hardware-specific files needed to load Windows. The boot volume contains the operating system and operating system-related files. The active volume is the drive section from which the operating system starts.
Basic disks -
Use partitions to map out the disk structure. Accessible on just about every operating system. Have primary partitions and extended partitions containing logical drives. Have up to four primary partitions, or up to three primary partitions and one extended partition.
Basic disk partition types -
Each primary partition is represented with one logical volume. Each extended partition is represented by one or more logical drives. A logical drive is a logical volume that represents all of or part of an extended partition.
Dynamic disks -
Use volume to map out disk structure. Not supported for removable media, on portable computers, or with disks connected via FireWire/USB. Up to 2,000 volumes on a dynamic disk; the recommended maximum is 32. Non-fault tolerant volumes provide no data redundancy or failure protection. Fault tolerant volumes provide data redundancy and failure protection.
Dynamic volume types -
Simple volume is the equivalent to a basic disk partition and can be extended. Spanned volume is used to combine unallocated space on multiple disks and can be extended. No operating system allowed on a spanned volume. Striped volume (RAID-0) is used to combine unallocated space on 2-32 disks; uses efficient striping, but cannot be extended. Mirrored volume (RAID-1) creates two identical copies of a volume on two separate disks and is fault tolerant. Boot and system volumes can be mirrored. Striped with parity volume (RAID-5) is used to combine unallocated space on 3-32 disks; uses striping of parity for fault tolerance.
Volume formatting -
FAT (FAT16) uses 16-bit file allocation tables with maximum volume size of 4 GB. FAT32 uses 32-bit file allocation tables with maximum size of 2 TB; limited on Windows to 32 GB. NTFS uses a master file table that contains records for each file and metadata; up to 2 TB on basic MBR disks.
NTFS supports -
Logical volumes -
Disk Management -
Used to manage disk storage on both local and remote computers. Configuring disks and volumes using Disk Management is a five-step process: Install or attach the disk. Initialize the disk to make it available for use. Convert basic disks to dynamic disks as necessary. Create and format a disk's volumes. Assign drive letters or mount points.
DiskPart -
A command-line utility for managing disks. Can be used interactively or with scripts. Doesn't format; use the FORMAT command.
Check Disk -
Disk Defragmenter -
3.3.3. Managing Users, Computers, and Groups Summary of highlights from the "Managing Users, Computers, and Groups" section of the Exam 70-290 Study Guide.
Domains vs. workgroups -
In domains, Active Directory is used to provide directory services. In workgroups, each local computer has a SAM database.
User, computer, and group naming -
Names assigned to users, computers, and groups are used for assignment and reference purposes. In a workgroup, each computer must have a unique name. In Active Directory, all user, computer, and group names must be unique on a per-domain basis.
Computer accounts -
The computer must be a member of the domain. Prestage by creating a computer account before joining it to the domain. When not prestaging, Active Directory will create the computer account. Manage computer accounts using Active Directory Users And Computers (dsa.msc). Create a computer account: right-click a container select New  Computer. Join to a domain: open System. On the Computer Name tab, click Change. Join to a domain: use NETDOM ADD.
Computer properties and passwords -
Troubleshooting computer accounts -
To troubleshoot incorrect network settings, access Network Connections Local Area Connection from the Control Panel. To reset computer passwords, leave the domain and then rejoin or use NETDOM RESETPWD.
Groups -
Distribution groups are used for email distribution lists; they do not have security descriptors. Security groups are used to assign access permissions; they have security descriptors. Table 3-2 summarizes types of groups and Table 3-3 summarizes how domain functional level affects groups. Table 3-2. Types of groupsGroup scope | How it is used | Can include |
|---|
Domain local | Primarily to assign access permissions to resources within a single domain. | Members from any domain in the forest and from trusted domains in other forests. Typically, global and universal groups are members of domain local groups. | Global | Primarily to define sets of users or computers in the same domain that share a similar role, function, or job. | Only accounts and groups from the domain in which defined, including other global groups. | Universal | Primarily to define sets of users or computers that should have wide permissions throughout a domain or forest. | Accounts and groups from any domain in the forest, including other universal groups and global groups. |
Table 3-3. Domain functional level and groupsDomain functional level | Domain local | Global | Universal |
|---|
Windows 2000 Mixed, Windows Server 2003 Interim | Can contain accounts and global groups from any domain. | Accounts from the same domain only. | Security universal groups can't be created. | Windows 2000 Native, Windows Server 2003 | Accounts and global groups from any domain; domain local groups from the same domain only. | Accounts and other global groups from the same domain only. | Accounts from any domain; global and universal groups from any domain. |
Changing group scope -
Domain local groups can be changed to universal groups; no member can have domain local scope. Global groups can be changed to universal groups; no member can have global scope. Universal groups can be changed to domain local or global groups; no member can have global scope for global.
Creating and managing groups -
Groups can be created using Active Directory Users And Computers (dsa.msc). To create a group, right-click a container and select New Group. To view where the group is a member, use the Member Of tab. Create a group using DSADD GROUP. Modify a group using DSMOD GROUP.
Implicit groups and special identities -
Membership in implicit groups is implicitly applied. Implicit groups cannot be created or deleted. No changing the membership of implicit groups. Apply user rights and assign security permissions as necessary.
User accounts -
With local machine user accounts, users log on locally and access local resources using local accounts. With domain user accounts, users log on to a domain and access network resources using domain accounts.
Creating user accounts -
Create a user account using Active Directory Users And Computers. To create a user, right-click a container and select New User. Importing and exporting user accounts -
Use CSVDE for importing and exporting Active Directory objects. For imports, CSVDE uses a comma-delimited text file as the import source. For exports, CSVDE writes the exported objects to a comma-delimited text file.
User profiles -
User profiles contain user environment settings. Every computer has a default profile. A user's environment settings are extended by the All Users profile.
Roaming user profiles -
A roaming profile allows user settings to move with a user from computer to computer. The profile is stored on a server and downloaded to a computer upon logon. Changes to roaming user profiles are uploaded on logoff, and downloaded on logon. Set roaming profile in Active Directory Users And Computers: on the account's Profile tab, use the Profile Path field. Set roaming profile using DSMOD USER: use the -profile option.
Mandatory user profiles -
Prevent users from making permanent changes to the desktop. Changes are not saved in the profile and thus are lost when a user logs off. Configure a mandatory user profile by changing Ntuser.dat to Ntuser.man.
User access and authentication -
Password policy controls how passwords are managed. Account lockout policy controls whether and how accounts are locked out. Set Password Policy using Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy. Set Account Locking Policy using Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy.
Diagnosing and resolving user account problems -
Users cannot log on when an account being disabled or locked out. Active Directory Users And Computers shows disabled accounts with a red warning icon. Right-click the account and then select Enable Account. Search the entire domain for disabled accounts with dsquery user -disabled. A locked account cannot be used for logging on until the lockout duration has elapsed or the account is reset. Right-click the locked account and then select Properties. On the Account tab, clear Account Is Locked Out.
Diagnosing and resolving user authentication problems -
Account credentials are validated during logon by a domain controller. When network connection is down or there is no domain controller, cached credentials can be used. Each member computer in a domain can cache up to 10 credentials by default.
3.3.4. Managing and Maintaining Access to Network Resources Summary of highlights from the "Managing and Maintaining Access to Network Resources" section of the Exam 70-290 Study Guide.
Shared folders -
Users access files stored on Windows servers using shared folders. Standard shares are used to access folders over a network. Web shares are used to access folders over the Internet. Share permissions can be granted to a user or group. Share permissions determine the maximum allowed access level. Filesystem permissions can further restrict or block access.
Share permissions -
Full Control grants both Read and Change. It also allows change permissions and take ownership. Change grants Read permission. It also allows create, modify, change attributes, and delete. Read allows view, read data and attributes, and run program files.
Creating shared folders -
Share a folder by right-clicking a folder, selecting Sharing And Security, and then selecting Share This Folder. Users access shared folders by a share name using a network drive. Shares with names ending in a dollar sign ($) are hidden. Hidden shares do not appear on the network browse list.
Web shares -
Web share permissions -
Access permissions for web shares -
Read allows web users to read files in the folder. Write allows web users to write data in the folder. Script Source Access allows web users to access the source code for scripts (not recommended). Directory Browsing allows web users to browse the folder and its subfolders (not recommended).
Application permissions for web shares -
None disallows the execution of programs and scripts. Scripts allows scripts to be run from the Web. Execute (Includes Scripts) allows both programs and scripts to be executed from the Web. Configure application permissions on the Web Sharing tab.
Attributes of files and folders -
All files and folders have basic attributes. Hidden determines whether files and folders are displayed in directory listings. Read-only makes the file or folder read-only. On NTFS, the Read-only attribute is shown dimmed initially. Some files and folders have extended attributes. Extended attributes come from named data streams.
Filesystem permissions -
Filesystem permissions determine access controls. FAT volumes have no filesystem permissions. Only NTFS volumes have filesystem permissions.
NTFS permissions -
Every file and folder has an access control list (ACL). Access permissions are stored within the ACL as access control entries (ACEs). ACEs detail the specific permissions that apply to each user and group. NTFS has both basic and special permission sets. Basic permissions represent a grouping of special permissions. Special or advanced permissions provide granular control.
Basic permissions -
In the Properties dialog box, select the Security tab. Tables 3-4 and 3-5 summarize basic permissions for files and folders. Table 3-4. Basic permissions for filesPermission | Description |
|---|
Full Control | Permits reading and listing of files; writing to files; deleting files and file contents; viewing attributes and permissions of files; changing attributes and permissions of files; taking ownership of files | Modify | Permits reading and listing of files; writing to files; deleting files and file contents; viewing attributes; setting attributes | Read & Execute | Permits executing files; reading and listing of files; viewing attributes and permissions of files | Write | Permits writing to files; creating files; appending data to files; deleting files and file contents; setting attributes of files | Read | Permits reading and listing of files; viewing attributes and permissions of files |
Table 3-5. Basic permissions for foldersPermission | Description |
|---|
Full Control | Permits reading and listing of folders and files; writing to files; creating folders and files; deleting folders; files and file contents; viewing attributes and permissions of folders and files; changing attributes and permissions of folders and files; taking ownership of folders and files | Modify | Permits reading and listing of folders and files; writing to files; creating folders and files, deleting folders, files and file contents; viewing and setting attributes of folders and files | Read & Execute | Permits executing files; reading and listing of folders and files; viewing attributes and permissions of folders and files | List Folder Contents | Permits reading and listing of folders and files; executing files | Write | Permits creating files in folders | Read | Permits reading and listing of folders and files; viewing attributes and permissions of folders and files |
Special permissions -
Special permissions, shown in Table 3-6, allow direct editing of the access control entries (ACEs). There are two general types of permissions: those that are inherited and those that are not inherited. The folder from which settings are inherited is listed (if applicable). Each ACE, listed in the Advanced Security Settings dialog box, can be edited. Table 3-6. Special Permissions for folders and filesSpecial Permission | Description |
|---|
Traverse Folder/Execute File | Traverse Folder permits moving through folders to access a folder or file even if the group or user doesn't have explicit access to traversed folders; user or group must also have the Bypass Traverse Checking user right. Execute File permits running an executable file. | List Folder/Read Data | List Folder permits viewing file and folder names. Read Data permits viewing the contents of a file. | Read Attributes | Permits reading the basic attributes of a folder or file. These attributes include Read-only, Hidden, System, and Archive. | Read Extended Attributes | Permits reading extended attributes associated with a folder or file. | Create Files/Write Data | Create Files permits adding files to a folder. Write Data permits overwriting existing data in a file (but not adding new data to an existing file since this is covered by Append Data). | Create Folders/Append Data | Create Folders permits creating subfolders within folders. Append Data permits adding data to the end of an existing file (but not to overwrite existing data as this is covered by Write Data). | Write Attributes | Permits changing basic attributes of a folder or file. These attributes include Read-only, Hidden, System, and Archive. | Write Extended Attributes | Permits changing extended attributes of a folder or file. | Delete Subfolders and Files | Permits deleting the contents of a folder, even if Delete permission on the subfolder or file isn't specifically granted. | Delete | Permits deleting a folder or file. If a group or user doesn't have Delete permission, the group or user granted the Delete Subfolders and Files permission can still delete the folder or file. | Read Permissions | Permits reading all basic and special permissions assigned to a folder or file. | Change Permissions | Permits changing basic and special permissions assigned to a folder or file. | Take Ownership | Permits taking ownership of a folder or file. The owner of a folder or file can always change permissions on it, even if other permissions were removed. By default, administrators can always take ownership of a folder or file and can also grant this permission to others. |
Effective permissions -
Often groups or users have multiple applicable permission sets. The Effective Permissions tab allows you to determine the collective set of permissions that apply. You cannot determine effective permissions for implicit groups or special identities. Share permissions are also not included while calculating effective permissions.
Ownership of files and folders -
Creator Owner identity represents the creator and owner of objects. Owner has complete control to grant access and grant Take Ownership permission. Ownership can be taken or transferred on the Owner tab of the Advanced Security Settings dialog box.
Inherited permissions -
Permissions are inherited from parent folders by default. A file inherits its permissions from the folder in which it is stored. A subfolder inherits its permissions from the folder in which it is stored. Folders stored in the root of a drive inherit the permissions of the drive. Change inherited permissions by accessing the parent folder. Override inheritance on the Permissions tab of the Advanced Security Settings dialog box.
Troubleshooting access to folders and files -
Check the folder path and the logon credentials. Check the network connection and cabling. Check the share permissions. Check the NTFS permissions. Check the basic attributes. Check for restrictions based on encryption.
Terminal Services -
Remote Desktop for Administration is as a limited Terminal Server mode. Terminal Server users establish remote sessions with a server to run Windows-based applications. Add users or groups to the Remote Desktop Users group to allow users to log on a terminal server. Manage RDP configuration using the Terminal Services Configuration tool (tssc.msc). Right-click the RDP-Tcp connection to modify the RDP settings. Manage Terminal Services security using the Permissions tab of the RDP-Tcp Properties dialog box.
Terminal Services Basic permissions -
Full Control grants users full control over all sessions. User access allows users to log on, view session settings, and connect to another session. Guest access allows users to log on to a terminal server.
Diagnosing and resolving issues related to client access to Terminal Services -
Connect to a Terminal Server using the Remote Desktop Connection client. Click Options to set expanded session settings. Invalid credentials or connection server: make sure the clients are using the correct username, password, and domain settings. Improper group assignment: user must be a member of the Remote Desktop Users group in Active Directory. Incorrect authentication mode: user may need to type the fully qualified domain name for the terminal server. Use the Sessions tab to limit, disconnect, or end user sessions.
3.3.5. Managing and Maintaining a Server Environment Summary of highlights from the "Managing and Maintaining a Server Environment" section of the Exam 70-290 Study Guide.
Event logs -
Application log contains events logged by Windows applications and printers configured on the system. Security log contains events related to security auditing. Enable auditing. Control access using the Manage Auditing and the Security Log user rights. System log contains events logged by operating system components and services. Directory Service log records events from Active Directory on DCs. DNS Server log records events from DNS on a name server.
Accessing and reviewing events -
Event logs are accessible in the Event Viewer (eventvwr.exe). Event type specifies the type of event that occurred. Event source specifies related component or service Event category specifies the general category of the event.
Event types -
Information events are routine events that typically record successful actions. Success Audit events indicate successful execution of an action (only when auditing enabled). Failure Audit events indicate failed execution of an action (only when auditing enabled). Warning events alert administrators to possible problems. Error events alert administrators to specific problems and errors.
Monitoring system performance -
Task Manager displays the current status of applications, background processes, and system resources. Performance Console is used for comprehensive monitoring and analysis.
Performance console -
Click Performance under Administrative Tools, or from the command prompt, type perfmon.msc. System Monitor is used to collect real-time performance data. Performance Logs record performance data in logs for later review. Performance alerts trigger when performance parameters are reached. Performance Monitor Users can monitor performance counters, logs, and alerts. Performance Log users can schedule logging and alerting.
Performance objects, instances, and counters -
Performance objects represent system and application components with measurable sets of properties. Performance object instances represent specific occurrences of performance objects. Performance counters represent the measurable properties of performance objects.
System Monitor -
System Monitor can use graphic, histogram, and report formats for real-time performance. Add counters by clicking the Add button or pressing Ctrl+L.
Performance logging -
Performance alerting -
Alerts are triggered when a performance parameter reaches a specific limit or threshold. Alerts can be configured to log an entry in the Application event log, start an application, send a network message, and/or to start a performance log.
Choosing objects to monitor -
For Memory performance monitoring, related objects include Cache, Memory, and Paging File. For Processor performance monitoring, related objects include Processor, Job Object, Process, and Thread. For Disk performance monitoring, related objects include LogicalDisk, PhysicalDisk, and System. For Network performance monitoring, related objects include Network Interface, Server, and Server Work Queues.
Monitoring memory performance objects -
Windows systems have both physical and virtual memory. Memory bottlenecks occur when low available memory causes increased paging. Soft page faults occur when the system must look for the necessary data in another area of memory. Hard faults occur when the system must look for the necessary data in virtual memory on disk. Hard page faults can make the system appear to have a disk problem due to excessive page swapping. Memory\Available Kbytes is the amount of physical memory not yet in use. Memory\Committed Bytes is the amount of committed virtual memory. Memory\PageFaults/sec tracks page faults per second.
Monitoring processor performance objects -
Systems with high processor utilization may perform poorly. Determine processor utilization using Processor\%Processor Time. System\Processor Queue Length tracks number of threads waiting to be executed.
Monitoring network performance objects -
Available network bandwidth determines how fast data is sent between clients and servers. Network interface current bandwidth determines capacity to send or receive data. Network Interface\Output Queue Length counter can help you identify network saturation issues. Network Interface\Current Bandwidth tracks current bandwidth setting. Network Interface\Bytes Total/sec provides the total bytes transferred or received per second.
Monitoring disk performance objects -
PhysicalDisk objects represent each physical hard disk. LogicalDisk objects represent each logical volume. LogicalDisk\%Free Space tracks free space on logical disks. PhysicalDisk\Disk Writes/sec and Physical Disk\Disk Reads/sec track I/O activity. Physical Disk\CurrentDisk Queue Length tracks disk-queuing activity.
Disk quotas -
Disk quotas help you track and manage disk space usage. NTFS disk quotas are configured on a per-user, per-volume basis. Disk quotas cannot be configured for groups.
NTFS disk quotas configuration -
Configured through Group Policy. Configured through the Quota tab on the NTFS volume. Policy settings override Quota tab settings in most cases.
Quota warnings and limits -
A quota warning is used to warn users on space usage. A quota limit sets a specific limit on space usage. Users see warning prompts. Administrators can track disk usage in the Application event log.
Quota entries -
View current usage using disk quota entries. On the Quota tab, click the Quota Entries button. Quotas do not affect the built-in Administrators group. Quotas affect all other system user accounts and domain/local user accounts.
Print queues -
Print servers -
A print server is a computer that is configured to share a printer. Install and manage printers using the Printers And Faxes folder. Users send print jobs to a shared printer. The print server spools the print job to the spooling folder on its local disk. By default, the print spooler folder is located in \Windows\System32\Spool\Printers. Spooled print jobs are queued to be printed. Each printer has its own print queue. All printers have the same spool folder. Check the status of the Print Spooler service using Administrative Tools Services utility. Server Properties to access print server properties. Printer Properties -
In the Printers And Faxes window, printers are listed by their local name. Shared printers have a shared name. Print jobs are routed to printers according to configured ports. Right-click a printer, and then select Properties.
Printer Properties dialog box tabs -
On the General tab, view or set the printer name, location, and comments. On the Sharing tab, view or set the printer share name. List the share in the directory. Set additional drivers for downlevel clients and printing defaults. On the Ports tab, view or set printer ports. Enable or disable printer pooling. On the Advanced tab, view or set drivers, availability, priority, and spooling options. On the Security tab, view or set access permissions for the print queue.
Print queues and print jobs -
Manage print queues and jobs using the print management window. Double-click the printer icon in the Printers And Faxes folder. Right-click a document and choose Properties. Delete all print jobs queued by clicking Printer Cancel All Documents.
Print permissions -
Print queue permissions are separate from the NTFS access permissions on the related spooling folder. By default, the special identity Everyone has permission to print. Creator Owner can manage documents and print. Administrators, Print Operators, and Server Operators can print, manage printers, and manage documents.
Internet Information Services -
IIS provides essential web services. Install by clicking Add Or Remove Programs in Control Panel. Manage using the Internet Services Manager. Click Start Programs Administrative Tools Internet Information Services (IIS) Manager. %SystemDrive%\Inetpub\wwwroot. Web server logfiles are written to %SystemRoot%\system32\LogFiles\w3svc. IIS Reset (iisreset.exe) is used to stop and then restart all IIS-related services.
Configuring IIS -
General IIS settings control editing of the IIS metabase and available MIME types. Global sites settings determine the global settings for all sites of a particular type. Local site settings determine the effective settings for a specific site.
Backup or restore the IIS configuration -
Managing security for IIS -
IIS provides the top layer of security. Window provides the bottom layer of security. IIS security focuses on authentication controls and content permissions.
IIS authentication controls -
Click the Directory Security or File Security tab. Anonymous authentication allows access to resources without being prompted for username and password. Basic authentication prompts name and password, which is passed as clear text unless SSL is used. Digest authentication securely transmits via HTTP 1.1 digest authentication using user credentials (Active Directory domains only). Integrated Windows Authentication:uses standard Windows security to validate identity (doesn't require SSL). .NET Passport authentication uses .NET Passport authentication to validate access and credentials. Authentication controls can be set globally, for the site, for directories within the site and for pages.
IIS content permissions -
Content permissions provide the top level of security for IIS. Content permissions can be set both globally and locally. Set permissions on the Home Directory, Directory, or File tab as appropriate.
Configuring IIS content permissions -
Read allows web users to read files in the folder. Write allows web users to write data in the folder. Script Source Access allows web users to access the source code for scripts (not recommended). Directory Browsing allows web users to browse the folder and its subfolders (not recommended). Index This Resource allows the Indexing Service to index for keyword searches. Log Visits ensures access to files is recorded in the IIS logs.
IIS application permissions -
None disallows the execution of programs and scripts. Scripts Only allows scripts to run when accessed via IIS. Scripts and Executables allows both programs and scripts to run when accessed via IIS.
Software Update infrastructure -
Automatic Updates allows a system to automatically connect to update operating system. Windows Update extends updates to select Microsoft products. Windows Server Update Services allows organizations to use their own update servers.
Windows Server Update Services (WSUS) -
WSUS has both a server and client component. The WSUS client is an extension of Automatic Updates and has self updating for auto install. The WSUS server uses a data store that runs with MSDE, WMSDE, or SQL Server. SUS 1.0 servers can be migrated to WSUS using WSUSITIL.EXE. WSUS is designed to handle updates for all Microsoft products.
Installing Windows Software Update Services -
WSUS requires: IIS (and you must install the World Wide Web Server Service at a minimum) Background Intelligent Transfer Service (BITS) 2.0 Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003 WUS uses HTTP port 80 and HTTPS port 443. Custom Web site for WSUS uses port 8530 by default. Install WSUS on a server using WSUSSetup.exe.
Configuring Windows Software Update Services -
Installing and configuring Automatic Client Update settings -
Make the client computer aware of the WSUS configuration. Configure Automatic Updates to download and install updates. Specify through policy that the WSUS server should be used for obtaining updates. In a Group Policy editor, configure Automatic Updates policy under Computer Configuration Administrative Templates Windows Components Windows Update. Administrative Templates Windows Components Windows Update.
Software site licensing -
Client access licenses -
Per server: each concurrent connection to a server requires a client access license. Per user or per device: each client requires a client access license that allows it to connect to a Windows server. Per processor: each processor (physical or virtual) on a server must have a license. Windows Server 2003 Terminal Services includes two CALs for remote desktop administration.
Server licensing -
Microsoft allows a one-time only switch from per-server to per-user/per-device licensing. Microsoft does not permit switching from per-user/per-device to per-server licensing. To manage licensing, you must be a member of the Administrators group. Per-server licensing is best when there are few servers and there is limited access of these servers. Otherwise, use per-user or per-device licensing, which allows for a mixture of users and devices.
Managing server licensing -
The licensing utility in Control Panel is for workgroups or individual servers. The licensing console under Administrative Tools is for domains (centralized control on a per-site basis). A designated site licensing server replicates the licensing throughout a site. Determine the site-licensing server in Active Directory Sites And Services. Double-click Licensing Site Settings. By default, the license server is the first domain controller installed in a domain. Site licensing can be moved to a member server or domain controller.
Using license groups -
A license group is a collection of users who share one or more CALs. With license groups, CALs are assigned from the group allocation.
3.3.6. Managing and Implementing Disaster Recovery Summary of highlights from the "Managing and Implementing Disaster Recovery" section of the Exam 70-290 Study Guide.
Managing backup procedures -
Normal (full) backups should include System State data. Incremental backups contain changes since the last full or incremental backup. Differential backups contain changes since the last full backup. Daily backups contain all the files changed during the day.
Creating Automated System Recovery (ASR) data -
ASR data stores essential boot files and the complete System State. Create ASR data using the Backup utility. Primary data is stored on the backup media you choose. Secondary data needed to boot the system and access the primary data is stored on a floppy disk. Click the Automated System Recovery Wizard button on the Welcome tab.
ASR Recovery -
Restart the system and boot the system off the installation CD-ROM. During the text portion of the setup, press F2 to perform an ASR. ASR then guides you through the recovery process.
System State -
System State includes the system registry, boot files, protected system files, and the COM+ registration database. On domain controllers, System State includes Active Directory data and system volume (SysVol) files. System State can be backed up locally only.
Backing up files and System State data to media -
Back up workstations and servers using the Backup utility. Click the Backup Wizard button to start the backup process. Create a scheduled backup job on the Schedule Jobs tab by clicking Add Job. Make sure the Task Scheduler service is running. Display a detailed run report by clicking Tools Report.
Backup Storage media -
The Removable Storage snap-in enables you to view and manage removable media devices. Removable Storage is included by default in the Computer Management Console. All media in Removable storage is organized by media type, media pool, and library. CDs and DVDs are not supported as storage media in Windows Server 2003.
Configuring security for backup operations -
The Backup Files And Directories user right allows users to back up files. These include encrypted files. Restore Files And Directories allows users to restore files. User rights are defined in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment. On Domain Controllers, Backup Operators, Server Operators, and Administrators are granted both rights. On stand-alone and member servers, Backup Operators and Administrators are granted both rights. Add a user to Backup Operators group to grant the right to back up and restore data.
Shadow Copies -
Supplement but do not replace routine backups. Shadow Copies are point-in-time backups of previous file versions. They work only for shared folders on NTFS volumes.
Configuring Shadow Copy -
Shadow Copy service will save up to 64 versions, by default. Number of versions is limited by maximum space usage allowed. By default, 10 percent of volume size is set as the maximum space usage allowed. To configure shadow copies, right-click Disk Management and click All Tasks Configure Shadow Copies. Alternatively, from volume properties, click the Shadow Copies tab. Recovering from operating system failure -
Restore backup data using the Backup utility. Click the Restore Wizard button to get started. Active Directory must be restored either authoritatively or nonauthoritatively. Press F8 during system startup to access the advanced boot options and select Directory Services Restore Mode.
|
