9.3. Exam 70-293 Highlighters Index In this section, I've attempted to compile the facts within the exam's subject areas that you are most likely to need another look atin other words, the areas of study that you might have highlighted while reading the Study Guide. The title of each highlighted element corresponds to the heading title in the Exam 70-293 Study Guide. In this way, if you have a question about a highlight, you can refer back to the corresponding section in the study guide. For the most part, the entries under a heading are organized as term lists with a Windows Server 2003 feature, component, or administration tool as the term, and the key details for this feature, component, or administration tool listed next. 9.3.1. Planning and Implementing Server Roles and Server Security Summary of highlights from the "Planning and Implementing Server Roles and Server Security" section of the Exam 70-293 Study Guide.
Operating system selection -
Computers should be configured with the operating system that is appropriate for their role. Create specific guidelines for choosing which operating system to use when. Include specifics on hardware requirements, duty life, and upgrade frequency.
Client operating system selection -
Server operating system selection -
Windows Server 2003, Web Edition is for enterprise Intranets and Internet web sites. Windows Server 2003, Standard Edition is for small or branch office use. Windows Server 2003, Enterprise Edition is for larger organizations. Windows Server 2003, Datacenter Edition is for large-scale data centers. A comparison of each edition is provided in Table 9-1.
Table 9-1. Comparison of Windows Server 2003 operating system editions| | Windows Server 2003, Web Edition | Windows Server 2003, Standard Edition | Windows Server 2003, Enterprise Edition | Windows Server 2003, Datacenter Edition |
|---|
Minimum processor speed | 133 MHz | 133 MHz for x86; 733 MHz for 64-bit | 133 MHz for x86; 733 MHz for 64-bit | 400 MHz for x86; 733 MHz for 64-bit | Minimum recommended processor speed | 550 MHz | 550 MHz | 733 MHz | 733 MHz | Multiprocessor support | Up to 2 | Up to 4 | Up to 8 | 8 to 64 | Minimum RAM | 128 MB | 128 MB | 128 MB | 512 MB | Minimum recommended RAM | 256 MB | 256 MB | 256 MB | 1 GB | Maximum RAM | 2 GB | 4 GB | 32 GB for x86; 1 TB for 64-bit | 64 GB for x86; 1 TB for 64-bit | Active Directory support | Domain member only | DC or member | DC or member | DC or member |
Server configurations -
Member servers are a part of a domain but don't store directory information. Domain controllers store directory information, provide authentication, and offer directory services. Standalone servers have their own security database for authenticating logon requests.
Server roles -
Secure baseline installation -
Security plans -
Should be part of a larger enterprise security effort Should be created with an understanding of default security settings Should detail the specific security features to use Should meet the objectives and requirements of the enterprise security policy
Enterprise-wide security policies -
Should identify potential security risks Should specify minimum security requirements Should specify the minimum set of required security features Should provide plans for meeting required security levels Should be managed by a designated security team
Security teams -
Members should include users, administrators, and managers. Members should have a strong understanding of security. Members should develop security policy as part of an ongoing effort. Members are responsible for enforcement, ongoing education, and distribution as appropriate.
Security policy -
Should include a plan for securing the organization's infrastructure Should include a plan for implementing required security features Should include a plan for ongoing management and evaluation of security
Areas of security -
Access controls are used to manage access to resources and determine who has access to what. Authentication mechanisms are used to verify a user's identity prior to providing access to resources. Auditing is used to monitor access and use of privileges.
Ways to enhance security -
Network security can be enhanced using firewalls, proxies, and Network Address Translation (NAT). Resource access can be controlled using encrypted passwords, certificates, and hardware devices. Data can be protected using NTFS security and the Encrypting File System (EFS).
NTFS permissions -
Both basic and advanced permissions can be used with NTFS. All files and folders have specific owners, and permissions are inherited from parent folders. You can modify permissions, ownership, and inheritance on the Security tab.
Default NTFS permissions -
Setup grants the Everyone group Full Control on nonsystem drives. Setup configures default permissions on the system drive, as shown in Table 9-2.
Table 9-2. Default NTFS permissions on the system drive| | %SystemDrive% folder and non-Windows specific subfolders | Documents and Settings folder | Program Files folder | %Windir% folder |
|---|
Administrators Group | Full Control | Full Control | Full Control | Full Control | Users Group | Read & Execute, List Folder Contents, Read, Create Folders/Append Data, Create Files/Write Data (subfolders only) | Read & Execute, List Folder Contents, Read | N/A | N/A | Everyone Group | Read & Execute (root only not subfolders) | Read & Execute, List Folder Contents, Read | N/A | N/A | Authenticated Users Group | N/A | N/A | Read & Execute, List Folder Contents, Read, Modify | Read & Execute, List Folder Contents, Read, Modify | Server Operators Group | N/A | N/A | Read & Execute, List Folder Contents, Read, Write | Read & Execute, List Folder Contents, Read, Write | Creator Owner | Full Control (subfolders and files only) | N/A | Full Control (subfolders and files only) | Full Control (subfolders and files only) | System | Full Control | Full Control | Full Control | Full Control |
Default share permissions -
Drive shares are available to Administrators, and the permissions cannot be modified. Everyone group has Read permissions on a share by default on Windows Server 2003. Everyone group has Full Control permission on a share by default on Windows 2000.
Difference between share and NTFS permissions -
Default Registry permissions -
Members of the Administrators group have Full Control permissions for all keys. The System user has Full Control permissions for all keys. The Everyone group has Read permission for HKEY_LOCAL_MACHINE and HKEY_USERS keys. The Authenticated Users group have Read permissions for HKEY_CLASSES_ROOT. The Server Operators group has permissions to read, create, and modify HKEY_CLASSES_ROOT. The Users group has Read permissions for HKEY_CURRENT_CONFIG.
Default Active Directory permissions -
Enterprise Admins have Full Control permission over the domain. Domain Admins and Administrators can create and manage most objects in the domain. Account Operators are granted Full Control permission over account-related groups. Server Operators are granted Full Control over Domain Controllers. Authenticated Users assigned Read permissions and some limited special permissions.
Delegation of control -
Delegation is useful if you want to give someone limited administrative privileges. Delegate control to grant permission to manage users, groups, computers, or other objects. To delegate control, use the Delegation Of Control Wizard in Active Directory Users And Computers.
Active Directory object permissions -
The Advanced Features view gives you access to Active Directory object permissions. To view, select Advanced Features on the View menu in Active Directory Users And Computers. Right-click the object and then select Properties. Use the Security tab options.
Default security for password policies -
With Enforce Password History, the default value is 24 passwords remembered. With Maximum Password Age, the default value is 42 days. With Minimum Password Age, the default value is 1 day. With Minimum Password Length, the default value is seven characters. With Passwords Must Meet Complexity Requirements, the policy is enabled by default. With Store Passwords Using Reversible Encryption, the policy is disabled by default.
Default security for account policies -
With Account Lockout Duration, the policy is not defined by default. With Account Lockout Threshold, the default value is zero, meaning accounts will not be locked out due to Account Lockout policy. With Reset Account Lockout Counter After, the policy is not defined by default.
Default security for Kerberos policies -
With Enforce User Logon Restrictions, the policy is enabled by default. With Maximum Lifetime For Service Ticket, the default maximum duration is 600 minutes. With Maximum Lifetime For User Ticket, the maximum duration is 10 hours by default. With Maximum Lifetime For User Ticket Renewal, the maximum renewal period is seven days by default. With Maximum Tolerance For Computer Clock Synchronization, computers must be synchronized within five minutes of each other. If they aren't, authentication fails.
Local policies -
Audit Policy is used to manage audit policy for an Active Directory domain. User Rights Assignment is used to manage user rights assignment for an Active Directory domain. Security Options are used to manage additional security options. Manage local policies through the applicable GPOs.
Hardening servers -
Group policies are applied in the following order: -
Local computer group policy Site group policy Domain group policy Organizational unit (OU) group policy
Group policy settings -
Settings applied last have precedence by default, meaning they overwrite previously applied settings. The cumulative affects of policy settings are determined by inheritance- and policy-processing rules. GPOs inherit settings unless inheritance is blocked or overridden. The end result of inheritance- and policy-processing is referred to as the Resultant Set of Policy (RSoP). By determining the RSoP for a user or computer, you can determine the policy settings in affect.
Default GPOs -
Workstations and member servers are placed in the Computers container. Workstations and member servers are only affected by site and domain GPOs Domain controllers are placed in the Domain Controllers OU. Domain controllers are affected by site, domain, and Default Domain Controllers Policy GPOs.
Role-specific security configurations -
You can create role-specific security configurations using GPOs and OUs. Create role-specific OUs and configure policy settings for that role, then move computers to the appropriate OU.
Security settings -
Key security settings are stored under Computer Configuration\Windows Settings\Security Settings. These are the same areas of policy that are managed using security templates. Account policy settings control security for passwords, account lockout, and Kerberos. Local Policy settings control security for auditing, user rights assignment, and other security options. Event log policy settings control security for event logging. Restricted groups settings control security for local group membership administration. System services settings control security and startup mode for local services. Filesystem policy settings control security for the local filesystem. Registry policy settings control the values of security-related registry keys.
Security templates -
These are stored in the %SystemRoot%\Security\Templates folder. These can be imported into GPOs. These contain customized group policy definitions that apply essential security settings. These are used to implement and manage network security. These are created and configured using the Security Templates snap-in. These are applied and analyzed using the Security Configuration And Analysis snap-in.
Creating security templates -
Use the Security Templates snap-in to create templates. Create a copy of a template by right-clicking the template you want to copy and clicking Save As. Create a new template by right-clicking the C:\Windows\security\templates node and selecting New Template.
Applying security template settings and analyzing security -
Use the Security Configuration And Analysis snap-in to apply templates and to compare settings. Comparing settings pinpoints any discrepancies between what is implemented currently and what is defined in a security template.
9.3.2. Planning, Implementing, and Maintaining a Network Infrastructure Summary of highlights from the "Planning, Implementing, and Maintaining a Network Infrastructure" section of the Exam 70-293 Study Guide.
Network infrastructure planning requires -
A Network topology strategy A TCP/IP addressing strategy An Internet connectivity strategy A name resolution strategy
Network infrastructure -
Encompasses networking, connectivity, security, routing, and management. A network's physical structure is the physical design that defines its topology and its hardware. A network's logical structure is the logical design that defines the abstract architecture.
Open Systems Interconnection (OSI) reference model -
Defines the functions that are implemented in various networking protocols. Has seven layers: Application, Presentation, Session, Transport, Network, Data-Link, and Physical.
Data-Link Layer -
This defines the interface between the network medium and the software running on a hardware device. This is responsible for packet addressing, media access control, and data encapsulation.
Data-Link Layer sublayers -
The logical link control (LLC) sublayer controls frame synchronizations, flow control, and error checking. The media access control (MAC) sublayer controls transmission of data packets.
Data-link Layer protocol -
Data-Link Layer protocol suite -
The protocol suite implements the functions of the network and transport layers. Session, presentation, and application layer functions are provided by a protocol in the protocol suite, by a separate application-layer protocol, or by both.
Types of Data Link Layer protocol suites -
Few current networks use Internet Package Exchange (IPX). Few current networks use NetBIOS Extended User Interface (NetBEUI). Most current networks use Transmission Control Protocol/Internet Protocol (TCP/IP).
TCP/IP -
IP operates at the network layer. TCP operates at the transport layer. TCP/IP includes the User Datagram Protocol (UDP) transport layer protocol.
TCP -
Is a reliable, connection-oriented protocol Relies on connections being established between two hardware devices prior to communicating Uses acknowledgements to ensure data is received
UDP -
Is a connectionless protocol Allows two hardware devices to communicate without first establishing a connection Doesn't use acknowledgments
When selecting a Data Link Layer protocol -
Consider the physical distance between hardware devices Consider the required transmission speed Consider the cost and budget
Media types include -
Unshielded Twisted Pair (UTP), which consists of four pairs of wires, each twisted together. Fiber optic, which consists of a strand of plastic or glass that carries signals in the form of light pulses. Wireless, which uses wireless broadcasting and wireless transceivers instead of physical cabling.
UTP cabling -
Fiber-optic cabling -
Wireless networking -
Uses wireless network adapters and wireless access points. Wireless access points, or base stations, are connected to the organization's network. Most wireless devices conform to standards based on the IEEE 802.1 specification.
Ethernet -
Ethernet running at 10 megabits per second can have no more than 4 hubs on a single LAN. Ethernet running at 100 megabits per second can have no more than 2 hubs on a single LAN. Ethernet running at 1,000 megabits per second can have no more than 1 hub on a single LAN. Common Ethernet variants are summarized in Table 9-3.
Table 9-3. Common Ethernet variantsEthernet type | Designation | Cable type | Cable speed | Max. segment length |
|---|
Standard Ethernet | 10Base-T | Category 3 UTP | 10 Mbps | 100 meters | Fast Ethernet | 100Base-T | Category 5 UTP | 100 Mbps | 100 meters | Gigabit Ethernet | 1000Base-T | Category 5E UTP | 1,000 Mbps | 100 meters | Gigabit Ethernet | 1000Base-LX | 50/125 or 62.5/125 multimode fiber | 10,000 Mbps | 550 meters | Gigabit Ethernet | 1000Base-SX | 50/125 multimode fiber | 1,000 Mbps | 500 meters | Gigabit Ethernet | 1000Base-SX | 62.5/125 multimode fiber | 1,000 Mbps | 220 meters | Gigabit Ethernet | 1000Base-LX | 9/125 single mode fiber | 1,000 Mbps | 3,000 meters |
Types of IP addresses -
Static IP addresses are those manually assigned to computers. Dynamic IP addresses are automatically obtained from a DHCP server. Automatic private IP addresses (APIPA) are used when DHCP is configured but unavailable.
Determining IP addressing needs -
How many networks do you need? How many computers on each network? Will computers need to connect directly to the Internet?
TCP/IP version 4 -
Standard unicast IP classes are Class A, Class B, and Class C. Addresses are comprised of sets of 32-bit numbers. Each 8-bit section is called an octet. Public (registered) IP addresses must be registered with an ISP. Private (unregistered) IP addresses do not need to be registered with an ISP.
Class A networks -
The first octet identifies the network and the last three octets identify computers. Allow millions of hosts but a small number of networks. Have addresses that begin with a number between 1 and 126. Private Class A network addresses have a network ID of 10.0.0.0.
Class B networks -
The first two octets identify the network and the last two octets identify computers. Allow equal number of networks and hosts. Have addresses that begin with a number between 128 and 191. Private Class B network addresses have a network ID of 172.16.0.0.
Class C networks -
The first three octets identify the network and the last octet identifies computers. Allow many networks and relatively few hosts per network. Have addresses that begin with a number between 192 and 223. Private Class C network addresses have a network ID of 192.168.0.0.
IP routers -
IP routing protocols -
DHCP Relay Agent routing protocol enables routing of DHCP broadcast messages between subnets. Routing Information Protocol (RIP) version 2 for Internet Protocol enables dynamic routing between subnets. Open Shortest Path First (OSPF) enables extended dynamic routing between subnets. Network Address Translation (NAT) provides internet connectivity and Basic Firewall functions to internal clients.
IP subnets -
The subnet mask specifies the bits to use for the network ID and the bits to use for the host ID. In prefix notation, the network ID is followed by the number of bits in the network ID. Without subnetting: Class A networks are /8 networks. Class B networks are /16 networks. Class C networks are /24 networks.
Subnet masks -
Bits values are assigned in a specific order, from the most significant bits to the least significant bits. Bits in the subnet mask are always set consecutively from left to right. From left to right, the values of each bit are 128, 64, 32, 16, 8, 4, 2, and 1. Each bit that's set is noted by a 1, which means the bit is on.
Subnetting -
You can use subnetting to subdivide a network. You need to calculate the network address of each subnet, and from that, determine usable IP addresses. Extract the octet that contains both the subnet bits and host identifier bits and subtract it from 256. The result is the network address of the second subnet.
Diagnosing and resolving Automatic Private IP Addressing -
An active network connection is required for automatic configuration to work properly. The media may be disconnected at either end of the network cable. Attempt to renew the IP address by typing ipconfig /renew at a command prompt. Disable APIPA using the IPAutoconfigurationEnabled DWORD value-entry in the Registry.
Diagnosing and Resolving incorrect TCP/IP configuration -
Check for invalid gateway configuration. Check for invalid IP address. Check for invalid subnet mask. Check for invalid DNS configuration. Check for invalid WINS configuration. Use ping, arp, pathping, tracert, and netdiag for testing.
Diagnosing and resolving DNS caching issues -
Use ipconfig /displaydns to displays the entries in the DNS cache. Use ipconfig /flushdns to purge the entries in the DNS cache. Use ipconfig /registerdns to refresh leased IP addresses and re-register DNS.
Verifying leases and DHCP reservation configuration -
Select a server's Active Leases node in the DHCP console. If a lease expires and is not renewed, the computer might have been moved. If a reservation is inactive, the reservation may be incorrectly configured.
Verifying the client configuration and examining the System event log -
View the current TCP/IP configuration by typing ipconfig /all at a command prompt. Warning messages regarding address conflicts are displayed in the system tray on the client computer. The System event log may have the Event ID 1055 and the source as DHCP.
Diagnosing and Resolving Issues DHCP server configuration -
Set predefined options, which set preset values and can be overridden at any other level. Set server options, which can be overridden by scope, class, and reservation options. Set scope options, which can be overridden by class and reservation options. Set class options, which can be overridden by reservation options. Set reservation options, which can be overridden only by manually assigned TCP/IP settings.
Resolve DHCP configuration problems by -
Checking the Internet Protocol (TCP/IP) properties on the client. Configuring scope options to override other options, as necessary. Releasing and renew the client lease to ensure the client gets the correct settings.
Internet connectivity strategy -
The strategy should address the security policies and requirements of the organization. The strategy should address the needs of users within the organization. Most organizations require bandwidth for internal users and for the organization's web presence. Ideally, you'll have a separate strategy for each type of bandwidth required.
Determining bandwidth requirements -
Determine how many users on average will simultaneously access the Internet. Determine when Internet bandwidth is needed. Determine the relative importance of Internet access as compared to the cost of the access. Determine the categories of users relative to the types of Internet applications users run. Determine where users are located.
Choosing an Internet access solution -
Every Internet access solution requires a WAN connection, a WAN router, and an ISP. The connection should be protected with NAT and firewall technology and possibly proxy technology. Table 9-4 provides a summary of key Internet access solutions.
Table 9-4. Summary of key Internet access solutionsConnection type | Transmission speed | Simultaneous users/application |
|---|
Dial-up/Dual dial-up Modem | Up to 56 Kbps/Up to 128 Kbps | 8-10 email users 2-3 web users 1-2 large files/attachments | ISDN (Basic Rate Interface) | Up to 128 Kbps | 8-10 email users 2-3 web users 1-2 large files/attachments | ISDN (Primary Rate Interface) | Up to 1.544 Mbps | 50-70 email users 20-30 web users 12-20 large files/attachments | Cable Modem | Up to 7 Mbps downstream and 768 Kbps upstream | 100-150 email users 50-75 web users 30-50 large files/attachments | DSL Modem | Up to 5 Mbps downstream and 768 Kbps upstream | 90-120 email users 40-60 web users 24-40 large files/attachments | T-1 | 1.544 Mbps | 50-70 email users 20-30 web users 12-20 large files/attachments | Fractional T-1 | Up to 1.544 Mbps in 64 Kbps increments | Varies depending on bandwidth | T-3 | 44.736 Mbps | 1500-2500 email users 600-900 web users 360-600 large files/attachments | Fractional T-3 | Up to 44.736 Mbps in 1.544 Mbps increments | Varies depending on bandwidth |
WAN connections -
Most WAN connections must be terminated using a separate piece of hardware. For a dial-up connection, a modem is used to terminate the WAN connection. ISDN, Cable, and DSL connections use a combination terminator/router. For a leased T-1 and T-3 line, a CSU/DSU is used to terminate the WAN connection.
Diagnosing and resolving LAN/WAN problems -
Problems experienced by all clients on a subnet may be due to the hub or switch. Problems experienced by all clients on all subnets may be due to problems with the WAN. Try to determine whether the problem affects access to all resources or only Internet resources. For internal problems not due to client configurations, examine Internet infrastructure components. NAT routers, proxies, and firewalls must have a routing interface that connects to the WAN. NAT routers must be configured to work with computers on your internal network. Firewalls or proxies must be configured properly, and both may be configured to block access.
Diagnosing WAN problems -
The TRacert, ping, and pingpath commands can help you determine where a WAN problem originates. WAN routers require one interface connected to the internal network and one connected to the WAN. The CSU/DSU terminating the WAN connection may also be the source of the problem. Cycle the power on the CSU/DSU or reset the CSU/DSU. The ISP may have a problem with its network infrastructure or Internet connectivity. The problem could extend to the Internet backbone.
Planning a name resolution strategy -
Name resolution is essential for all TCP/IP networks. Windows Internet Naming Service (WINS) is used to resolve NetBIOS names. NetBIOS is also required for some applications, such as the Computer Browser service. Domain Name System (DNS) is used to resolve DNS hostnames. DNS is preferred for Windows 2000 and later systems.
NetBIOS namespace -
NetBIOS uses a flat naming structure. Each computer has a unique NetBIOS name of up to 16 characters; 15 on Windows systems. Windows reserves the 16th character to identify the type of resource represented by the name. NetBIOS is intended for use on private networks only, and not on the public Internet.
DNS namespace -
DNS uses a hierarchical namespace. DNS names can be up to 255 characters in length. With DNS, computers are grouped by name with domains. Domains establish a hierarchical naming structure. A computer's FQDN is its hostname combined with the related domain name.
Planning DNS name resolution strategy -
DNS is the primary name service for Windows 2000 and later. DNS translates computer names to IP addresses and vice versa. Forward lookups resolve computer names to IP addresses. Reverse lookups resolve IP addresses to computer names. By default, DHCP clients running Windows 2000 or later update their host (A) records in DNS. By default DHCP servers update the pointer (PTR) records on behalf of clients. DNS uses both iterative and recursive queries to resolve queries.
DNS servers -
DNS servers are said to be either authoritative or nonauthoritative for a zone. An authoritative DNS server for a zone is the primary source from which other DNS servers resolve. A nonauthoritative DNS server relies on an authoritative DNS server to keep its cache up to date.
DNS zones -
Each DNS server is responsible for name resolution within zones. A zone is a portion of the DNS database that is being managed. A single zone can contain a single domain or it can span multiple domains. By default, zone files are created as standard text files on the DNS server. Zone data can be stored in Active Directory by creating an Active Directory-integrated zone. Zones always consist of entire domains or subdomains. Domains must be contiguous in the DNS namespace.
Types of zone files -
A primary zone file is the master copy of a zone. A secondary zone is a read-only copy of a primary zone. A stub zone lists authoritative name servers for a zone.
DNS domain structure -
You'll want to have primary and alternate name servers. All changes to zones are made in the primary zone and replicated to secondary zones. Use secondary zones to make copies of zones and to distribute workload.
Stub zones -
Stub zones list authoritative name servers for a zone. Servers hosting stub zones direct related queries to authoritative servers. Stubs zones are most often used to track authoritative name servers for delegated zones.
Using multiple zones -
Windows Server 2003 DNS servers can support and manage 200,000 zones on a single server. You'll usually want to create multiple zones on a server, and then delegate zones to other servers. Control over zones can be delegated to make it easier to manage the DNS namespace. When you delegate a zone, you assign authority over a portion of the DNS namespace.
DNS server roles -
A single DNS server can have multiple roles. Primary DNS servers maintain one or more primary zone files. Secondary DNS servers maintain one or more secondary copies of zone files. Forwarding-only (caching-only) DNS servers cache resolved queries, contain no zones, and host no domains. A DNS server acts as a forwarding-only server if you've installed DNS Server service but have configured no DNS zones.
Planning zone replication -
Multiple DNS servers provide fault tolerance and distribute the name resolution workload. With file-based zones, you need primary and secondary DNS servers, and must replicate zone data. With Active Directory-integrated zones, the zone database is replicated automatically.
Zone transfers -
When you configure primary and secondary zones, you must configure zone transfers. Zone transfers are used to send a copy of a zone to requesting servers. Zone transfers ensure secondary servers are kept up to date. By default, zone transfers are not allowed or are restricted only to specified name servers. Limit the list of servers that can make zone transfer requests to enhance security. Windows Server 2003 DNS servers use incremental transfers.
Zone transfer notification -
When zone files change, secondary servers can be notified automatically. By default, automatic notification is enabled but only to a designated list of name servers. You must specify the designated name servers.
Active Directory-integrated zones -
Zone data is stored in the Active Directory database and replicated automatically. Active Directory-integrated zones use incremental replication. By default, DNS zone data is replicated to all other DCs acting as DNS servers in the domain. You can also replicate to all DCs acting as DNS servers in the forest or to all DCs in the domain.
Using secondaries with Active Directory-integrated zones -
Use secondaries when no other domain controllers are running DNS in the Active Directory domain. Use secondaries when no other domain controllers are in the Active Directory domain. Use secondaries when no other DNS servers in the organization are running Windows Server 2003.
Planning a forwarding configuration -
Most DNS servers rely on forwarders; a forwarder is a DNS server that receives queries from other DNS servers. Use forwarders to regulate the flow of name resolution traffic and to limit transfer of queries outside the internal network. By default, a DNS server can forward queries to DNS servers in all other DNS domains. You can control forwarding using designated forwarders.
Chaining and conditional forwarders -
When you chain forwarders, you configure a DNS server acting as a forwarder so that it can also forward queries to another forwarder. When you conditionally forward, you do so based on the domain name specified in the name resolution request.
Configuring forwarding -
Planning for DNS security -
By default, DHCP clients running Windows 2000 or later update their host (A) records in DNS. DHCP servers update the pointer (PTR) records on behalf of clients. Dynamic updates occur only when the client is configured with a domain suffix that matches a zone name hosted by the preferred DNS server. When clients register their own A records, the method they use is not secure. HCP servers dynamically update A and PTR records on behalf of clients using secure dynamic updates. DNS records created using secure dynamic updates can only be updated by the server that created them.
DnsUpdateProxy -
Records created by DnsUpdateProxy members have no security settings and thus have no owners. Removal of security settings allows member DHCP servers to modify records created by their group. DnsUpdateProxy shouldn't be used when clients update A records and servers update PTR records. In most cases, domain controllers should not be configured as DHCP servers. If DCs are DHCP servers and are members of the DnsUpdateProxy group, records created by the Netlogon service for the DC are not secure.
Dynamic updates -
In DNS, each zone has settings for dynamic updates. Configure these options on the General tab of the zone's properties dialog box.
Dynamic update settings -
Dynamic updates can be set to secure only, nonsecure and secure, or none. With secure only, secure DNS updates only can be made. With nonsecure and secure, clients can make nonsecure updates and servers can make secure updates. With none, dynamic updates are disabled. Secure only is the most secure and available only with Active Directory-integrated zones.
Safeguarding DNS -
DNS is vulnerable to many types of security threats. Multiple DNS servers provide fault tolerance and protection for name resolution. If zone transfers are allowed, they should be limited. To prevent possible unauthorized access, have the DNS server listen only to selected IP addresses. Secure the cache against pollution to ensure that attackers cannot load the DNS server's name cache with incorrect data.
Using third-party DNS solutions -
Windows Server 2003 is compliant with most DNS-related RFCs. This compliancy ensures that Windows Server 2003 DNS servers can be used with third-party DNS servers. Windows Server 2003 DNS servers can act as primaries for secondary DNS servers using third-party solutions. Windows Server 2003 DNS servers can act as secondaries for primary DNS servers using third-party solutions. You'll need to configure zone transfers between the primary and secondary servers. To ensure RFC 1123 compliance, set Name Checking to Strict RFC (ANSI).
Planning a NetBIOS name resolution strategy -
NetBIOS computer names are used for backward compatibility. By default, NetBIOS uses broadcast messages to resolve computer names on the local subnet. These broadcast transmissions are not routed and are suitable for small networks with a single subnet.
LMHOSTS -
LMHOSTS is a text file stored in the %SystemRoot%\System32\Drivers\Etc folder. Entries in the LMHOSTS file must be manually created. A basic entry consists of an IP address followed by at least one space and a NetBIOS name. Comments can be inserted using a pound (#) symbol.
Planning a WINS replication strategy -
Enable WINS name resolution on a network by configuring WINS clients and servers. You must install WINS servers and configure clients with the IP addresses of the servers. Clients can communicate with WINS servers even if the servers are on different subnets. WINS servers require no configuration to register and resolve names. Name registration is automatic with WINS. Clients transmit NetBIOS names using the configured name resolution method.
WINS name resolution methods -
With B-node (broadcast) methods, clients use broadcast messages to resolve computer names to IP addresses. With P-node (peer-to-peer) methods, clients use WINS servers to resolve computer names to IP addresses. With M-node (mixed) methods, clients first try to use broadcasts for name resolution. If this fails, they query a WINS server. With H-node (hybrid) methods, clients first query a WINS server. If this fails, they try broadcasts. If WINS servers are available on the network, Windows clients use the p-node method by default. If no WINS servers are available on the network, Windows clients use the b-node method by default. In DHCP, you can set the name resolution method using the 046 WINS/NBT Node Type option. In DHCP, you can specify the WINS servers using the 044 WINS Server option. For optimal performance, you'll typically want WINS clients to use the h-node method.
Automatic WINS registration -
WINS clients attempt to register their computer name and IP address in the WINS database. If the name and IP address aren't in use, the server accepts the request and registers the client. The client uses the name for a set lease period and must reregister during the renewal interval. If the client can't or doesn't renew the lease, the WINS server releases the name and IP address. WINS clients automatically release their names when they are shut down.
Configuring WINS servers -
WINS server replicationemphasis> -
WINS servers can replicate their databases using push partners, pull partners, or both. A push partner is a WINS server that notifies other WINS servers of changes on the network. A pull partner is a WINS server that requests replicas from a push partner. When a push partner notifies the server, the pull partner responds by requesting an update, and then the push partner sends the changes. When WINS servers provide services for the same clients, you usually want the servers to be push and pull partners with each other. This is the default configuration when you use replication partners. For increased reliability, you can configure persistent connections between replication partners.
Pull partners -
Pull partners pull database entries from their replication partners according to the replication interval. By default, the replication interval for pull replication is every 30 minutes.
Push partners -
Push partners use the version ID on the WINS database to determine when to notify of changes. The version ID is incremented each time a change is made. Replication partners can be notified after a specific number of changes have been made. By default, however, no push triggers are sent to replication partners.
9.3.3. Planning, Implementing, and Maintaining Routing and Remote Access Summary of highlights from the "Planning, Implementing, and Maintaining Routing and Remote Access" section of the Exam 70-293 Study Guide.
Planning a routing strategy -
Both hardware and software routers can be used to connect your organization's LANs and WANs. Most local area networks have multiple subnets over which local hosts communicate. You typically use a single LAN router to connect two subnets. LAN routers must have a configured routing interface for each subnet being connected. With WAN connections, install a WAN router at each site and connect using a WAN link. You can build in redundancy and fault tolerance using additional, redundant WAN connections. The same routing technologies that are used on LANs can be used on WANs.
Common WAN configurations -
In ring topology, all sites are connected in a ring and each site has two possible routes to another site. In mesh topology, every site is connected to every other site. In star topology, a central site is connected to remote sites, and there are no redundant connections.
Identifying routing protocols to use -
To route traffic, routers must be configured with the appropriate routing entries. Routers can use static or dynamic routing. With static routing, administrators create and maintain routing entries. With dynamic routing, the router creates and maintains entries automatically. Your routing strategy will depend on the number of networks, routers, and sites.
TCP/IP routing -
When you install Routing And Remote Access and enable IP routing, you can add routing protocols. Routing Information Protocol (RIP) version 2 for Internet Protocol is ideal for small networks. Open Shortest Path First (OSPF) is better for larger networks.
Understanding RIP -
Initially the only entries in routing tables are for the networks to which the router is physically connected. The router starts sending announcements of its availability. Responses from announcements allow the router to update its routing tables. With periodic update mode, announcements are sent periodically to learn of available routes, and routes are deleted automatically when the router is stopped and restarted. With auto-static update mode, announcements are sent when other routers request updates, learned routes are added as static, and routes remain until they are manually deleted.
Understanding OSPF -
OSPF uses the Shortest Path First (SPF) algorithm to calculate routes. The route with the lowest route cost is the shortest path. The shortest path is always used first when routing. An OSPF router maintains a link-state database that it uses to track the changes in network topology. Data is synchronized with adjacent routers and nonbroadcast multiple access (NBMA) neighbors. When a change is made to the network topology, the first router to identify it sends out a change notification. OSPF divides the network into transit areas, which can be thought of as areas of responsibility. OSPF routers maintain link-state information only for those transit areas for which they've been configured.
Static routes -
Static routes provide a permanent mapping to a specific destination network. Static routes are set according to the network ID, network mask, gateway, and relative cost of the route. Routers use this information to determine the gateway to use to forward packet. Static routes are not shared between routers.
Planning routing for IP multicast traffic -
With TCP version 4, Class D IP addresses use multicast transmissions. With multicast transmissions, a group of computers known as the host group have a single destination IP address. A single source computer can send a single message to multiple recipients via the host group address. Members of the host group can be located on any LAN on the network or across WANs. LAN/WAN routers must know which hosts are members of the group. Members of a multicast host group must register themselves with routers using the Internet Group Management Protocol (IGMP). All group members and all routers providing access must support IGMP. All Windows computers that use TCP/IP support IGMP. RRAS servers can be configured with the IGMP routing protocol.
Analyzing protocol security requirements for remote access -
You should configure security to safeguard the network and meet security requirements. Determine who needs remote access. Determine what level of access each user requires. Determine what applications, if any, users need to run. Configure the dial-in properties of the user's account. Use Remote Access Permission (Dial-in or VPN) to allow, deny, or control access through policy. Use Verify Caller ID to set the user's telephone number for verification. Use Callback Options to configure whether callback is required.
Managing remote access security -
Right-click a server entry in the Routing And Remote Access console and select Properties. Use the Security tab options to configure remote access security. With VPN, you can use IPSec with L2TP to enhance security by using a preshared key.
Authentication options -
Windows Authentication lets you use standard Windows security for authentication. Remote Authentication Dial-in User Service (RADIUS) is used to centralize the authentication of remote access clients and the storage of accounting information.
Accounting options -
None turns off the logging of connection requests and sessions. Windows Accounting logs connection requests and sessions in logfiles stored in the Remote Access Logging folder. RADIUS Accounting sends details about connection request and sessions to a RADIUS server.
User authentication methods -
Extensible Authentication Protocol (EAP) extends the authentication methods for PPP connections. Microsoft Encrypted Authentication version 2 (MS-CHAP v2) authenticates remote access and demand-dial connections using mutual authentication and strong encryption. MS-CHAP v2 is required for encrypted PPP and PPTP connections. Microsoft Encrypted Authentication (MS-CHAP) authenticates remote access and demand-dial connections using encryption. MS-CHAP is required for encrypted PPP and PPTP connections. Encrypted Authentication (CHAP) authenticates remote access and demand-dial connections using encryption. Shiva Password Authentication Protocol (SPAP) uses authentication with reversible encryption and is compatible with Shiva LAN Rover and Shiva clients. SPAP is not secure. Unencrypted Password (PAP) uses Password Authentication Protocol (PAP) and sends passwords in plain text during authentication. PAP is the most unsecure authentication method.
Remote access policies -
Remote access policies for use with EAP are specified using the Remote Access Policies node. Connections To Microsoft Routing And Remote Access Server applies to connections to the currently selected RRAS server. Connections To Other Access Servers applies to connections to other access servers via the current RRAS server. New remote access policies can be created by right-clicking the Remote Access Policies node and selecting New Remote Access Policy. Each policy can have a dial-in profile associated with it, which is used to set access permissions. Right-click a policy, select Properties, and then click the Edit Profile button to view and modify the profile settings. Remote access settings defined in a user's profile have precedence over dial-in profile settings.
Planning remote access policies -
After authentication and verification, the RRAS server attempts to authorize the user. Authorization determines whether the server should permit the user to connect. Remote access policies are used to define specific conditions for authorization. You can create policies that limit access based on group, time of day, day of the week, and more. You can specify through policies what authentication and encryption protocols must be used. You can define different policies for different types of connections.
Remote access policy review rules -
RRAS checks against the highest priority remote access policy. If there are no policies listed, RRAS rejects the connection. If all conditions not satisfied, RAS checks the next highest-priority remote access policy, and continues through all the policies until it finds a match for all conditions. If the connection doesn't satisfy all the conditions in any one of the policies, RRAS rejects the connection. When the connection satisfies all the conditions of a policy, RRAS next checks whether the user's dial-in properties should be ignored. This option is set using the advanced attribute Ignore-User-Dialin-Properties. If Ignore-User-Dialin-Properties is set to True, RRAS checks the remote access permission setting of the policy to determine whether to grant or deny access. If Ignore-User-Dialin-Properties is set to False, RRAS checks the user's dial-in properties to determine whether to grant or deny access.
Diagnosing and resolving issues related to establishing a remote access dial-up connection -
On the General tab of the server's Properties dialog box, verify that Remote Access Server is enabled. On the IP tab of the server's Properties dialog box, verify that IP Routing is enabled if clients should have access to the network, and disabled if clients should have access to the RRAS server only. If static IP addresses are used, verify that the address pool configuration is correct and that there are available IP addresses. If dynamic IP addresses are used, verify the configuration of the DHCP server. The IP address scope must be large enough so that the RRAS server can requests blocks of 10 IP addresses. Using the Ports node, verify that the server has properly configured modem ports and that not all modem ports are assigned. Verify that the client, the RRAS server, and the remote access policy have at least one common authentication method configured. Verify that the client and the server permissions, credentials, and access policies are configured correctly.
Diagnosing and resolving issues related to remote access VPNs -
On the General tab of the server's Properties dialog box, verify that Remote Access Server is enabled. Using the Ports node, verify that server has properly configured ports and that not all ports are assigned. On the Security tab of the server's Properties dialog box, verify that the server is using the appropriate authentication provider and then the appropriate authentication methods are selected for use. Verify the remote access profile settings are correct and do not conflict with the server properties. Right-click a remote access policy, select Properties, then click the Edit Profile button. Verify that the client, the RRAS server and the remote access policy have at least one common authentication method configured. Verify the RRAS server is made a member of the RAS And IAS Servers security group in the local domain. This membership is required for proper working of routing and remote access. Verify the underling dial-up configuration as discussed in the previous section.
Diagnosing and resolving issues related to resources beyond the remote access server -
On the General tab of the server's Properties dialog box, verify that Router is enabled. On the General tab of the server's Properties dialog box, verify that LAN And Demand-Dial Routing is selected. On the IP tab of the server's Properties dialog box, verify that Enable IP Routing is selected. If static IP addresses are used, verify that the client's TCP/IP settings are correct. If dynamic IP addresses are used, verify that the client is obtaining the proper TCP/IP settings from the DHCP server. If your remote access clients use NetBIOS for name resolution, verify that Enable Broadcast Name Resolution is selected on the IP tab.
Troubleshooting router-to-router VPNs -
For the source and destination router, verify on the General tab of the server's Properties dialog box that both Router and LAN And Demand-Dial Routing are selected. For the source and destination router, verify on the IP tab of the server's Properties dialog box that Enable IP Routing is selected. For the source and destination router, verify that the servers have properly configured PPTP or L2TP ports. For the source and destination router, verify that the interface used for routing has Enable IP Router Manager selected on the General tab of the connection properties dialog box so that IP traffic can be routed over the connection. For the source and destination router, verify that the static routes are configured as appropriate to allow traffic over the appropriate interface. For the source and destination router, verify that permissions, credentials, and access policies are configured correctly.
Troubleshooting demand-dial routing -
Verify that Routing And Remote Access Services is installed. Verify on the General tab of the server's Properties dialog box that both Router and LAN And Demand-Dial Routing are selected. Verify on the IP tab of the server's Properties dialog box that Enable IP Routing is selected. Verify that the demand-dial interfaces are enabled and configured properly. Verify that the static routes are configured properly and that Use This Route To Initiate Demand-Dial Connections is selected in the static route properties. Verify that the Security tab settings of the network interfaces use a common configuration. Verify that the Networking tab settings of the network interfaces use a common VPN type. Verify that the servers use the appropriate authentication providers and that the appropriate authentication methods are selected for use. The servers must have at least one common authentication method. Verify that the servers have properly configured ports for demand-dial use. Verify that packet filters aren't blocking the routing.
9.3.4. Planning, Implementing, and Maintaining Server Availability Summary of highlights from the "Planning, Implementing, and Maintaining Server Availability" section of the Exam 70-293 Study Guide.
Understanding availability goals -
Every server deployment should be planned, implemented, and maintained with availability in mind. Availability refers to the server's ability to withstand hardware, application, or service outage. Most noncritical systems, applications, or services have a moderate-availability goal of 99 percent. Most critical systems, applications, or services have a high-availability goal of 99.9 percent.
Meeting 99 percent availability goals -
Identify the initial hardware requirements for memory, processors, disks, and networking. Plan a monitoring strategy that identifies potential and actual system bottlenecks. Plan a backup and recovery strategy that meets the availability goal in terms of recovery time.
Meeting 99.9 percent high-availability goals -
Identify the initial hardware requirements for memory, processors, disks, and networking. Identify high availability software solutions to meet availability goals. Plan a monitoring strategy that identifies potential and actual system bottlenecks. Plan a backup and recovery strategy that meets the availability goal in terms of recovery time and also works with your chosen availability software solution.
System Monitor -
System Monitor can use graphic, histogram, and report formats for real-time performance. Add counters by clicking the Add button or pressing CTL+L.
Choosing objects to monitor -
For Memory performance monitoring, related objects include Cache, Memory, and Paging File. For Processor performance monitoring, related objects include Processor, Job Object, Process, and Thread. For Disk performance monitoring, related objects include LogicalDisk, PhysicalDisk, and System. For Network performance monitoring, related objects include Network Interface, Server, and Server Work Queues.
Monitoring memory performance objects -
Windows systems have both physical and virtual memory. Memory bottlenecks occur when low available memory causes increased paging. Soft page faults occur when the system must look for the necessary data in another area of memory. Hard faults occur when the system must look for the necessary data in virtual memory on disk. Hard page faults can make the system appear to have a disk problem due to excessive page swapping. Memory\Available Kbytes is the amount of physical memory not yet in use. Memory\Committed Bytes is the amount of committed virtual memory. Memory\PageFaults/sec tracks page faults per second.
Monitoring processor performance objects -
Systems with high-processor utilization may perform poorly. Determine processor utilization using Processor\%Processor Time. System\Processor Queue Length tracks number of threads waiting to be executed.
Monitoring network performance objects -
The available network bandwidth determines how fast data is sent between clients and servers. The network interface current bandwidth determines capacity to send or receive data. The Network Interface\Output Queue Length counter can help you identify network saturation issues. The Network Interface\Current Bandwidth tracks current bandwidth setting. The Network Interface\Bytes Total/sec provides the total bytes transferred or received per second.
Monitoring disk performance objects -
PhysicalDisk objects represent each physical hard disk. LogicalDisk objects represent each logical volume. LogicalDisk\%Free Space tracks free space on logical disks. PhysicalDisk\Disk Writes/sec and Physical Disk\Disk Reads/sec track I/O activity. Physical Disk\CurrentDisk Queue Length tracks disk-queuing activity.
Planning services for high availability -
Windows supports three high-availability software solutions. Network Load Balancing (NLB) provides high availability for IP-based applications and services. Component Load Balancing (CLB) provides high availability for COM+ application components. Server cluster provides high availability for business-critical applications and services.
Planning a high-availability solution that uses Network Load Balancing -
All editions of Windows Server 2003 support network load balancing. NLB used to distribute incoming IP traffic across servers that share a single virtual IP address. If one of the load-balanced servers fails, the remaining servers handle the workload of the failed server. Clients should automatically retry the failed connection, and then be redirected to another server. A failed server can rejoin the group automatically and start handling requests. Because no data is shared between nodes, clients should store data prior to submitting for processing.
Using NLB -
You can balance the load across 2 to 32 systems. Any IP-based application that uses TCP, UDP, or GRE can be used with network load balancing. Applications that are load balanced include: FTP over TCP/IP, HTTP over TCP/IP, HTTPS over TCP/IP, IMAP4 over TCP/IP, POP3 over TCP/IP, and SMTP over TCP/IP.
Working with Network Load Balancing -
Creating an NLB cluster -
Create the NLB cluster with an initial host, and then add additional nodes. A virtual IP address is used for the public traffic for the cluster. This IP address is fixed and cannot be a dynamic DHCP address. By default, all TCP and UPD traffic is load balanced across all members of the cluster. Host priority sets the order in which traffic is routed among members of the cluster.
Planning a high-availability solution that uses Clustering Services -
Windows Server 2003 Enterprise Edition supports clustering for up to eight nodes. Windows Server 2003 Datacenter Edition supports clustering for up to eight nodes. Windows Server 2003 supports single node clustering, single quorum device server clusters, and majority node server clusters. Most organizations use either single-node server clusters or single quorum device server clusters. Majority node server clusters typically are used with geographically separated servers. With 32-bit Windows Server 2003, you can use SCSI or fibre channel to share storage devices. With 64-bit Windows Server 2003, fibre channel is required. Server clusters can only use TCP/IP. However, clients should have NetBIOS enabled so they can browse to a virtual server by name.
Single-node clustering -
Single quorum device server clusters -
This is a cluster configuration with two or more nodes connected to the same cluster storage devices. All members in the cluster use the same cluster quorum device. The quorum device stores cluster configuration and recovery data.
Majority node server clusters -
This is a cluster configuration with two or more nodes. Each node can have its own cluster storage device and its own local quorum device. The cluster configuration and recovery data is stored on multiple disks across the cluster.
Using server clustering -
Nodes can be either active or passive. Active nodes actively handle requests from clients. Passive nodes wait on standby for another node to fail.
Cluster resource groups -
Any cluster-aware application or service can be clustered using resource groups. Resource groups are units of failover that are configured on a single node. When any of the resources in the group fail, failover is initiated for the entire resource group. Cluster-aware applications and services include: Distributed File System (DFS), DHCP, Exchange Server, folder shares, IIS, printer shares, SMTP, SQL Server, and WINS.
Cluster state flags -
Track the status of each node in the cluster as part of the heartbeat monitoring. Down indicates that a node is not active in the cluster. Joining indicates that the node is in the process of becoming an active participant in the cluster. Paused indicates that the node is active but cannot or has not taken ownership of any resource groups. Up indicates that the node is active in the cluster. Unknown indicates that the node's state cannot be determined.
Cluster heartbeat -
Server clusters send heartbeat messages on dedicated cluster adapters. The heartbeat is used to track the availability of each node. If a node fails to send a heartbeat message within a specified time, Cluster service initiates failover. When failover occurs, another server takes over the workload. When the failed resource is back online, the original server is able to regain control of the resource.
Working with Cluster Administrator -
Use the Cluster Administrator to implement and manage server clustering. Click Cluster Administrator on the Administrative Tools menu or type cluadmin. Create the server cluster with an initial node, and then add additional nodes.
Managing backup procedures -
Normal (full) backups should include System State data. Incremental backups contain changes since the last full or incremental backup. Differential backups contain changes since the last full backup. Daily backups contain all the files changed during the day.
Creating Automated System Recovery (ASR) data -
ASR data stores essential boot files and the complete System State. Create ASR data using the Backup utility. Primary data is stored on the backup media you choose. Secondary data needed to boot the system and access the primary data is stored on a floppy disk. Click the Automated System Recovery Wizard button on the Welcome tab.
ASR recovery -
Restart the system and boot it off the installation CD-ROM. During the text portion of the setup, press F2 to perform an Automated System Recovery. ASR then guides you through the recovery process.
System State -
System State includes the system registry, boot files, protected system files, and the COM+ registration database. On domain controllers, System State includes Active Directory data and system volume (SysVol) files. System State can be backed up locally only.
Shadow Copies -
Supplement but do not replace routine backups. Shadow Copies are point-in-time backups of previous file versions. They work only for shared folders on NTFS volumes.
Configuring Shadow Copy -
Shadow Copy service will save up to 64 versions, by default. Number of versions is limited by maximum space usage allowed. By default, 10 percent of volume size is set as the maximum space usage allowed. To configure shadow copies, right-click Disk Management and click All Tasks  Configure Shadow Copies. Alternatively, choose Volume Properties  Shadow Copies tab. Recovering from operating system failure -
Restore backup data using the Backup utility. Click the Restore Wizard button to get started. Active Directory must be restored either authoritatively or nonauthoritatively. Press F8 during system startup to access the advanced boot options and select Directory Services Restore Mode.
9.3.5. Planning, Implementing, and Maintaining Network Security and Infrastructure Summary of highlights from the "Planning, Implementing, and Maintaining Network Security and Infrastructure" section of the Exam 70-293 Study Guide.
Port and protocol security -
Computers on TCP/IP networks use specific protocols and ports for communications. Servers configured to use a specific protocol listen on a specific TCP or UDP port for requests. The Internet Assigned Numbers Authority (IANA) is responsible for assigning ports. Commonly used protocols have permanently assigned port numbers, referred to as well-known ports. Clients may in some cases use a randomly assigned port, referred to as an ephemeral port.
Listing TCP and UDP port connections -
Type netstat -ano at a command prompt to list all TCP and UDP port connections. Type tasklist /fi "pid eq ProcessNumber" to determine which program is using a port. Commonly used ports are summarized in Table 9-5.
Table 9-5. Commonly used TCP and UDP portsProtocol | Listen port |
|---|
Domain Name System (DNS) | TCP port 53 and UDP port 53 | Dynamic Host Configuration Protocol (Client) | UDP port 68 | Dynamic Host Configuration Protocol (Server) | UDP port 67 | File Transfer Protocol (FTP) | TCP port 20 for data; TCP port 21 for control | Global Catalog | TCP port 3268 | Global Catalog with LDAP/SSL | TCP port 3269 | Hypertext Transfer Protocol (HTTP) | TCP port 80 | Installation Bootstrap Service | TCP ports 1067 and 1068 | Internet Authentication Service (IAS) | UDP ports 1645, 1646, 1812, and 1813 | Internet Security Association and Key Management (ISAKM) | UDP port 500 | Kerberos change password protocol | TCP port 464 | Kerberos version 5 | UDP port 88 | Layer 2 Tunneling Protocol (L2TP) | UDP port 1701 | LDAP Secure Sockets Layer (SSL) | TCP port 686 | Lightweight Directory Access Protocol (LDAP) | TCP port 389 and UDP port 389 | NetBIOS Datagram protocol | UDP port 138 | NetBIOS Name Server protocol | UDP port 137 | NetBIOS Session Services | TCP port 139 | Network News Transfer Protocol (NNTP) | TCP port 119 | Point-to-Point Tunneling Protocol (PPTP) | TCP port 1723 | Post Office Protocol (POP) | TCP port 110 | Remote Desktop Protocol (RDP) | TCP port 3389 | Remote procedure call (RPC) | TCP port 135 | RPC over HTTP | TCP port 593 | Secure Hypertext Transfer Protocol (HTTPS) | TCP port 443 | Secure NNTP | TCP port 563 | Sever Message Block (SMB) over IP | TCP port 445 and UDP port 445 | Simple Mail Transfer Protocol (SMTP) | TCP port 25 | Simple Network Management Protocol (SNMP) | UDP port 161 | Simple Network Management Protocol trap | UDP port 162 | Windows Product Activation | TCP port 80 and 443 |
Packet filtering -
Packet filtering is the most common way to secure a server. Packet filtering controls the permitted TCP/IP traffic. Packets that do not meet the requirements of a particular filter are discarded. Packet filtering is used primarily by firewalls and routers connected to the Internet.
Packet-filtering techniques -
Determine the types of traffic that you will permit and the types of traffic that you will deny. Configure packet filtering to be inclusive or exclusive. With an inclusive approach, you completely block all traffic, and then specify the permitted traffic. With an exclusive approach, you open the connection completely, and then specify the denied traffic. The inclusive approach is more secure, but more difficult to configure.
Configuring packet filtering -
Windows Firewall -
Windows XP Professional and Windows Server 2003 include the Windows Firewall. To start Windows Firewall, click Windows Firewall in the Control Panel. When Windows Firewall is enabled, all outside sources are blocked by default, and only the exceptions specified on the Exceptions tab are allowed. Do not use Windows Firewall on Windows Server 2003 systems configured as IP routers or for remote access servers. Instead, use the NAT/Basic Firewall features of RRAS.
TCP/IP filtering -
Windows XP Professional and Windows Server 2003 include TCP/IP filtering. TCP/IP filtering is configured via Local Area Connection properties. When enabled, all TCP, UDP, and IP protocols are allowed by default. To filter TCP traffic, click Permit Only for TCP Ports. Click Add to define a permitted TCP port. To filter UDP traffic, click Permit Only for UDP Ports. Click Add to define a permitted UDP port.
RRAS packet filtering -
RRAS should use RRAS packet filtering or the Basic Firewall. RRAS packet filtering should be configured on the WAN interface. Use Inbound Filters to limit incoming traffic. Use Outbound Filters to limit outgoing traffic. On the General tab, click the Outbound Filters button, and then configure filters if you want to limit outgoing traffic.
Planning and configuring an IPSec policy -
IPSec is a technology for authenticating and encrypting IP traffic between computers. IPSec operates at the network layer as an extension to the IP protocol. IPSec secures traffic by encrypting it and then encapsulating it prior to transmission. IPSec is application-independent. Other encryption protocols operate at the application layer and are for specific types of traffic only.
Using IPSec -
With Layer 2 Tunneling Protocol (L2TP) and VPN, use IPSec to enhance security. Use IPSec to secure communications on an internal network. Use IPSec to secure communications between networks. Use IPSec to secure communications between remote access clients and the internal network.
Applying IPSec policies -
IPSec is applied using Group Policy. For Active Directory domains, IPSec policies are stored under Computer Configuration\Windows Settings\Security Settings\IP Security Settings On Active Directory. For computers in workgroups, you can configure local group policy under Computer Configuration\Windows Settings\Security Settings\IP Security Settings On Local Computer.
IPSec components -
IPSec has four key components: IPSec Policy Agent, Internet Key Exchange, IPSec Drive, and IPSec Policy.
IPSec Policy Agent -
The IPSec Policy Agent provides the services needed for end-to-end security. On Windows 2000 and later systems, the IPSec Policy Agent is the IPSEC Services service (lsass.exe).
Internet Key Exchange -
The Internet Key Exchange (IKE) is the protocol used to negotiate the key exchange. Computers negotiate encryption algorithm, hashing algorithm, and authentication method. Computers also exchange information about key generation.
IPSec Driver -
The IPSec Driver generates required checksums, creates IPSec packets, and encrypts data. The Driver compares outgoing packets to the filter list obtained from the IPSec policy being used. For incoming packets, the Driver calculates hashes/checksums, and compares to hashes/checksums in the received packets.
IPSec policy -
IPSec policy defines packet filters that enforce security by blocking, allowing, or initiating secure communications. Multiple IPSec policies can be defined; one policy only is applied at a time. To determine whether IPSec policy is applied to a computer, use IP Security Policy Management. To monitor IPSec, use IP Security Monitor or type netsh ipsec static show all.
Active Directory default IPSec policies -
With Server (Request Security) policy, servers request but does not require secure communications. With Client (Respond Only), client communication is normally unsecure but Active Directory responds to server requests for secure communications. With Secure Server (Require Security), servers require secure communications. Servers will not respond to clients that do not or cannot use secure communications.
IPSec policy components -
IPSec policy rules -
IP filter lists -
IP filter lists are collections of filters that specify what types of traffic a computer should secure. Filters can be applied based on source/destination IP address, protocol, and source/destination port.
Filter actions -
Filter actions specify exactly how IPSec should secure the filtered packets. Filter actions require at least one security method. With integrity and encryption security, the data will be encrypted and authenticated. With integrity-only security, the data will be authenticated but not encrypted.
Terminal Services -
Uses Remote Desktop for Administration and Terminal Server modes. For administration, you'll use Remote Desktop For Administration.
Remote Desktop For Administration -
TCP port 3389 must be opened to allow remote access. Select Remote Users to specify users granted remote access permission. By default, the Administrators group is granted remote access permission. To enable, access the Remote tab of the System utility and select Enable Remote Desktop For This Computer.
Remote Assistance -
Allows a user to send remote assistance invitations. To enable, access the System utility's Remote tab and select Turn On Remote Assistance. To send a remote assistance request, in Windows Messenger, click Actions Ask For Remote Assistance.
Planning security for wireless networks -
Wireless networks use technologies based on the IEEE 802.11 specification. Securing a wireless network is different from securing a wired network. On a wireless network, anyone within range of one of your wireless access points could gain access. All wireless transmissions should be secured and encrypted.
Wi-Fi Protected Access (WPA) -
WPA enterprise mode -
Wireless devices have unique session keys and shared group keys. Session keys are unique to each association between an access point and a wireless client. Group keys are shared among all clients connected to the same access point. Both key sets are generated dynamically and rotated.
WPA home/small office mode -
Also referred to as WPA-PSK; devices don't use a changing encryption key. Uses a preshared encryption key, referred to as a group key, which is programmed in. Session keys are generated and changed automatically.
Wireless Equivalency Protection (WEP) -
WEP encrypts data using private key encryption. All data is encrypted using before it is transmitted. Data must be decrypted using the correct private key.
Robust Security Network (RSN) -
Encryption algorithms -
Extensible Authentication Protocol (EAP) used with Protected EAP (PEAP) Extensible Authentication Protocol (EAP) used with Smart card or other PKI certificate Advanced Encryption Standard (AES) Temporal Key Integrity Protocol (TKIP)
Wireless device operating modes -
With ad hoc networks, two or more wireless devices communicate directly with each other. With infrastructure networks, wireless adapters connect to an access point rather than to another computer directly.
Troubleshooting security for data transmission -
Determine IPSec policy mismatch by examining the Security logs on the client and the server. The Security log may contain warning messages related to failed Internet Key Exchange negotiation. Enhance logging by enabling Audit Logon Events and Audit Policy Change for Success and Failure. Log dropped packets using netsh ipsec dynamic set config ipsecdiagnostics 7. Disable diagnostic logging by using netsh ipsec dynamic set config ipsecdiagnostics 0.
Software Update Infrastructure -
Automatic Updates allows a system to automatically connect to update operating system. Windows Update extends updates to select Microsoft products. Windows Server Update Services (WSUS) allows organizations to use their own update servers.
Windows Server Update Services (WSUS) -
WSUS has both a server and client component. The WSUS client is an extension of Automatic Updates and has self-updating for auto-install. The WSUS server uses a data store that runs with MSDE, WMSDE, or SQL Server. SUS 1.0 servers can be migrated to WSUS using WSUSITIL.EXE. WSUS is designed to handle updates for most Microsoft products.
Planning and configuring a Public Key Infrastructure (PKI) -
PKI provides the components and services for using public and private keys with digital certificates. You can use certificates for authentication and encryption. Client certificates contain identifying information about a client. Server certificates contain identifying information about a server. Windows Server 2003 includes Microsoft Certificate Services. Microsoft Certificate Services allow you to issue and manage digital certificates.
Understanding public and private key encryption -
The client obtains the server's public key and uses it to encrypt the message. The message is sent securely. The server receives the encrypted message and decrypts with its private key. The server obtains the client's public key and uses it to encrypt the reply. The reply is sent securely. The client receives encrypted reply and decrypts with its private key.
Certificate authorities -
Certificate authorities are used to issue digital certificates. A certificate authority (CA) is a trusted agency responsible for confirming the identity and issuing certificates. Certificate servers can be configured as one enterprise or stand-alone CAs.
Enterprise CAs -
Enterprise CAs use certificate templates and publish their certificates/revocation lists to Active Directory. Enterprise CAs use Active Directory to determine whether to automatically approve or deny certificate enrollment requests. Clients must have access to Active Directory to receive certificates.
Enterprise root CA -
This is the certificate server at the root of the hierarchy for an Active Directory domain. The enterprise root CA is the most trusted CA in the enterprise and is integrated with Active Directory. The enterprise root CA is at the top of the enterprise CA hierarchy. There can be only one root CA in an enterprise. All other CAs in the hierarchy must be enterprise subordinate CAs.
Enterprise subordinate CA -
A certificate server that is a member of an existing CA hierarchy. The enterprise subordinate CA can issue certificates but must obtain its own CA certificate from the enterprise root CA. Use one or more levels of enterprise subordinate CAs to safeguard the root CA's private key.
Stand-alone CAs -
Stand-alone CAs do not use templates and are not integrated with Active Directory. Stand-alone CAs store information locally. By default, stand-alone CAs use manual enrollment. If you plan to use a single stand-alone CA, it must be configured as a stand-alone root CA.
Stand-alone root CA -
Stand-alone subordinate CA -
A certificate server that is a member of an existing nonenterprise (workgroup) hierarchy. The stand-alone subordinate CA can issue certificates but must obtain its own CA certificate from the stand-alone root CA in its hierarchy.
Planning for smart cards -
A smart card is a small card-sized device that contains memory and/or integrated circuitry. Windows can use smart cards for authentication during logon. You must install smart card reader devices and set up smart cards to use for user logons. Stand-alone CAs do not store certificates in Active Directory and should not be used to issue smart card certificates.
|
