****************************
Vulnerability Scanning
and Fixing
Security vulnerability scanning and fixing with GFI LANguard Network Scanner
- Download your
free version today!
****************************
70-290 - Managing and Maintaining a Microsoft Windows Server 2003 Environment
The four different versions of Windows Server 2003 are:
1. Web edition – which supports one or two processors
2. Standard Edition – which supports two processors
3. Enterprise Edition – will support up to 8 processors
4. Datacenter Edition – can work with up to 32 processors
The operating system must be “activated” (with the exception of volume license versions) in order to be usable. This is intended to provide copy protection and prevent piracy.
Setup Manager can be used to create answer files (known as Uniqueness Database Files, or UDFs) for automatically providing computer or user information during setup. The Sysprep (System Preparation Tool) utility has also been improved, and is used to prepare an ideal machine to have an image made of it that can be used on other installations.
Microsoft licensed Logical Disk Manager (LDM) from Veritas and included it with Windows Server 2003 to handle drives and their operations. The two primary disk types now available are:
1. Basic Master Boot Record (MBR) disks – can utilize up to four primary partitions, or up to three primary partitions and one extended partition. You can also use free space on an extended partition to create logical drives. As opposed to Windows 2000, basic partitions can now be extended without needing to convert them to dynamic.
2. Dynamic Disks – which are volume-oriented instead of disk oriented, and first became available with Windows 2000
A third type - Basic GPT disks – are a hybrid that are only available on Intel 64-bit systems, and they support up to 128 partitions
LDM can be used to create the following types of volumes:
1. Simple – the basic choice
2. Spanned – this links together free space from disk(s) to form a single logical drive
3. Striped – also known as RAID 0
4. Mirrored – also known as RAID 1
5. RAID 5 – striping with parity
The Hardware Troubleshooting Wizard is used to walk through solutions to common problems while the Add/Remove Hardware Wizard is used for uninstalling (permanent) and unplugging (temporary) devices. You must stop a device before removing it in order to prevent error. This wizard can be used to add IEEE 1394 bus host controllers, imaging devices, multi-port serial adapters, SCSI controllers, tape devices, and a plethora of others.
The Disk Defragmenter which first appeared with Windows 2000 has been enhanced with 2003. It works with NTFS, FAT, and FAT32 to analyze the amount of fragmentation that exists. It can take files and rewrite them back to the disk in contiguous units – thus enhancing read and write performance. It can now work compressed files, and any cluster size, as well as be run from the command-line (using the DEFRAG executable).
The Disk Management console is the graphical interface used to perform most disk operations, such as creating or extending partitions, converting basic disks to dynamic, creating volumes and mirrors. It is also used to implement RAID 5 arrays.
Driver Signing - Microsoft digitally signs all drivers that are qualified to run with Windows Server 2003. You have the option to install only drivers that have been signed, see a warning when drivers haven't been signed so you can decide then, or never allow unsigned drivers to be installed. This can be set from control panel, system on the hardware tab. SIGVERIF.EXE can look for files that are not digitally signed. Windows Update is used to keep a list of known bad drivers current and prevent you from (refuse to allow you to continue) installing drivers known to cause problems. The list of known bad drivers is kept in the drv_protect.htm file.
System File Checker - System File Checker (sfc.exe) is a command line utility that scans and verifies the versions of all protected system files after you restart your computer. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the driver cache folder and replaces the incorrect file.
Windows File Protection (WFP) - runs in the background and watches for applications trying to replace your system files such as .sys, .dll, .ocx, .ttf, .fon, and .exe files. If an application attempts to replace a system file with one that is not signed, Windows file protection replaces it back with one stored in dllcache and logs the attempt in the Event log. There are 4 instances where File protection will allow the files to be replaced:
- Service Packs that use Update.exe
- Hotfix distributions using Hotfix.exe
- Operating system upgrades using Winnt32.exe
- Windows Update service
Service Packs are self-running programs that modify your operating system. Upgrades to Windows Server 2003 will come in the form of Service Packs, with each Service Pack containing patches and fixes to components and additional features.
The Software Update Service (SUS) is used for centralized distribution of hotfixes and security updates. Using SUS, a client updates its software from a server within the internal network instead of needing to access Microsoft to accomplish this. This allows administrators to update clients that do not access the Internet, as well as evaluate and test each update before making it generally available. Group Policies can be used to target update servers.
Profiles - can exist for users and hardware. While every user should have their own profile, under most circumstances, most desktop computers should have only one hardware profile since the hardware connected to it will not deviate greatly. The hardware connected to a laptop/mobile computer CAN deviate from day to day – based on where it is being used – and multiple hardware profiles should be considered. If there are multiple hardware profiles on the system, a menu of choices will appear during the boot process.
A “roaming profile” allows a user to have the same desktop regardless of the machine he/she uses. A roaming profile can be created from the Active Directory Users and Computers console by a member of the Account Operators group, Domain Admins group, or Enterprise Admins group. A “mandatory profile” is a deviation on the roaming theme in which the user cannot make any permanent changes to their settings. To create a mandatory profile, the actual file’s name is changed from NTUSER.DAT to NTUSER.MAN.
It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:
· Machine local
· Domain local
· Global
· Universal
· Builtin – these are Domain local groups that exists for compatibility with Windows NT. Be default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
Account Policies are set at the domain level. The Account Lockout Policy determines how many unsuccessful attempts are allowed before an account is locked out and how long it will remain locked out. There are three settings that can be configured:
Lockout count – how many invalid attempts are allowed before locking
Lockout reset time – the amount of time that is allowed between invalid attempts
Lockout duration – how long the account is locked for.
Windows Server 2003 also has a “Password Reset Disk” capability that can be used to access a standalone server if the password has been lost. This is useful in the event an administrator has left under unfavorable circumstances. This is created by using the Forgotten Password Wizard.
IAS (Internet Authentication Service) can be used to enforce (through policies) issues such as: RADIUS clients allowed, incoming phone numbers to accept, the type of media used to establish the connection, user membership in security groups, and the time of allowed access (day, hour, etc.). IAS is used for centralized administration and to enforce access policies. It works with PAP, CHAP, MS-CHAP, and EAP. IAS is useful for centralized auditing, scaling systems for growing demand, monitoring usage remotely, and working with a graphical interface through an MMC snap-in.
Remote Access Authentication Protocols:
CHAP - (Challenge Handshake Authentication Protocol) - uses the
industry standard MD5 1-way encryption scheme to encrypt the response.
Highly Secure.
EAP (Extensible Authentication Protocol) - Client and server negotiate
the Authentication method to include MD5 username and password encryption,
smart-cards, token cards, retina or fingerprint scanners and other third
party authentication technologies.
MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)-
1-way encrypted password. This is enabled by default on a Windows
Server 2003 running RAS. Highly Secure. This differs from CHAP in
that client communication must be between two Microsoft operating systems.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication Protocol v2)-
Strong encryption. Windows clients use this by default for dialup
networking (also known as DUN). Windows 2000,NT4 and Win98 clients
use this by default for VPN. Highly Secure. Version 2 differs from
version 1 primarily in that two-way (mutual) authentication is implemented
in version 2.
PAP (Password Authentication Protocol) - uses clear text passwords.
Provides little security.
SPAP - (Shiva Password Authentication Protocol) - more secure than
PAP, it is uses to connect to Shiva LANRover. Medium Security.
Sharing Data:
One of the main reason networks were created is for the sharing of data
and printers. Windows Server 2003 now also allows for fax
sharing, remote desktop, and WebDAV (Web-based Distributed Authoring and
Versioning).
When a folder is shared, permissions are given to users that need to access the folder. The two types of permissions are Share level and NTFS permissions, when NTFS is the file system in use.
|
Share Level Permissions:
By default, the Everyone group is given read permission when a file is
shared. This differs from earlier operating systems in which Everyone
was assigned full control permissions on all new shares. Share permissions
apply only when a user is accessing the file or folder across the network.
If a user logs on locally, Share level permissions will have no effect.
Only NTFS permissions – if applicable - will be in effect.
Available Share permissions are:
- Full Control - Allows user to change permissions, take ownership of NTFS files, Perform all tasks permitted by change permissions
- Change - Create folders and add files, Manipulate data in files, change file attributes, Delete Folders and files, Perform all tasks permitted by the read permission.
- Read - Display names of folders and files, Display data and attributes of files, Run program files, Manipulate subfolders.
- These permissions can either be allowed or denied.
Share level permissions can be applied on a user or on a group level. When a user attempts to access a shared folder, all of the permissions for that user are combined. If a user is in one group with Full Control, one group with Change and the user himself has read, the combined permissions will be the least restrictive or Full Control. Any time the user is explicitly denied access whether it is a user or group permission, this overrides all other permissions. A user can be in one group with Full Control, one group which is denied access and the user himself can have Change permissions, the effective permissions will be no access as this overrides all of the other permissions. Always assign the most restrictive permissions you can to a user. You don't want them to be able to do anything more than they need to.
The easiest and most efficient way to assign permissions is to do it on a group basis. If everyone in your finance department needs certain permissions to several folders, assign the permissions to a group called finance, then when a new employee joins the team, all you have to do is place this employee’s user account in the finance group and all of their permissions will be there.
Windows 2003 shares some folders by default for administrative purposes. These shares will show up with a $ as the last character of the name. The dollar sign signifies that the share is hidden from the browse list. These default administrative shares are only accessible by users with administrative rights. If you want to hide any of the shares that you create, you can use a $ as the last character of the name to make it hidden.
“Shadow copies” can be created to allow users to view the contents of shared folders as they existed at an earlier point in time. As such, a shadow copy is essentially a snapshot of a folder that is stored in a hidden folder – System Volume Information.
A folder can be shared under an unlimited number of names after it has been shared the first time. You can also share a file from the command line using the NET SHARE command locally or the RMTSHARE command remotely.
Windows Server 2003 addresses the issue of having many share points on many different servers by implementing DFS – Distributed File System. DFS allows a user to connect to one share point, which may contain shares from many different locations. Dfs replication is journal-based and disabled by default. Automatic Dfs replication is possible only with the NTFS file system in use. An improvement over Windows 2000 is that a server can now host multiple Dfs domain roots.
NTFS Permissions:
When a volume is formatted with the NTFS file system, NTFS permissions can be used to secure resources. NTFS permissions allow you to assign permissions at the folder and file level while Share permissions are limited to the folder level. NTFS permissions are also a lot more granular than Share level permissions allowing you to permission such things as traverse folders, write attributes and much more.
Applying NTFS Permissions:
Users can be assigned permissions directly or can be put into groups that have permissions assigned. All individual permissions and group permissions are combined to find out the users effective permissions. It is highly recommended to put users into groups and give permissions to the groups.
File permissions take precedence over folder permissions.
Combining Share and NTFS permissions.
When figuring permissions, look at share and NTFS separately. Take the least restrictive share permission and the least restrictive NTFS permission. Now take the most restrictive of the two and that is your effective permission.
Permissions and Moving/Copying files on NTFS volumes:
When copying folders or files either from one partition to another or on the same partition, the permissions will be inherited from the target folder.
When moving files to another partition, the permissions will be inherited from the target folder.
When moving files or folders on the same partition, the permissions will remain intact. This is the only time permissions are retained and not inherited.
Windows Server 2003 differs from earlier Microsoft operating systems in that it formats the boot partition as NTFS during setup. Windows 2000 and others first formatted this as FAT. The OFORMAT utility is used to configure FAT boundaries during installation so they can be easily converted to NTFS at a later time (using the CONVERT utility).
Anytime after the installation, the CONVERT.EXE utility allows you to convert a FAT or FAT32 file system to NTFS without data loss. The syntax for this command is as follows: CONVERT volume /FS:NTFS
Event Viewer – the primary tool used for viewing log files. In addition to the three log files that have always existed (Application, System – which contains information about services and drivers that fail to start - and Security), there are now log files for: Directory Services, File Replication Service, and DNS, if those services are in use.
System Monitor – an ActiveX tool that can graphically display performance of various real-time statistics. Within it, the workstation is divided into a number of different objects, and each object is divided into one or more counters. System Monitor appears on the Performance tool (Start – Programs – Administrative Tools – Performance) and it is the primary performance tool for the system. Performance Logs and Alerts enables you to record data to create and compare with a baseline (to get a long-term look at how the system is operating) or send administrative alerts when thresholds are reached.
Optimal performance from a system is what you are always striving for. Optimal performance is attained when a system is running (processing, responding, and so on) as fast as it possibly can, given the resources available to it.
Task Manager – can be used to see the status of programs that are running (and also stop programs that have stopped responding). It can be used to assess process activity (using up to 15 separate parameters), and has a graphical element that allows you to analyze performance usage. It’s Application tab shows the status of the programs currently running on the system, while the Performance tab shows graphical representations of CPU and memory usage. Task Manager is the ONLY tool that can be used to change the priority of a process that is already running. The only way to start a process at a different priority level than its default is to use the START.EXE utility.
Licensing is available on a “Per Device or Per User” basis or a “Per Server” basis. In the first model, every computer must have a separate Client Access License (CAL); that CAL allows the computer to access any server that it wants in the Windows 2003 family. Under the per-server mode, a server is allowed a certain number of concurrent connections. The per-server mode is often used by small companies with only one server, with other companies will benefit from using the other licensing mode.
Printing can be done to a variety of locations:
· To a local print device
· To a networked print device
· To a Windows server
· To a Unix server
· To a third-party server
· To a device over the Internet (using IPP – Internet Printing Protocol). To do this, the IIS service must be loaded.
To, or from, a mainframe host
Windows Server 2003 features built-in disk quota management. Users
can be limited to a certain amount of disk space on the file server on
a volume by volume basis. You can customize how much space and can
configure warnings when a certain amount is used. You can also not
allow the user to save any additional data when their limit is reached.
Disk quotas must be assigned manually for existing users of a volume if
you enable disk quotas after the volume is already active, but new users
(after enabling this feature) are automatically set for the fixed quotas.
When a user meets their quota, they will still be able to open files,
but not save changes or add new files.
Common areas of bottlenecks include:
memory, processor, disk, network, and applications/processes.
TCP/IP utilities to know for network performance:
ARP - Address Resolution Protocol - displays a cache of locally
resolved IP addresses to Media Access Control (MAC) addresses.
Finger - Retrieves system info from a remote computer that supports
the TCP/IP finger service.
FTP - File Transfer Protocol - provides file transfers between
TCP/IP hosts with one running FTP software.
Hostname - returns the local computers host name.
IPCONFIG - Verifies TCP/IP information. with the “/all” switch,
it will give DHCP, DNS and WINS addresses. WINIPCFG is the utility
used in place of IPCONGIG on Win9.x workstations. The /DISPLAYDNS, /FLUSHDNS,
and /REGISTERDNS options are used to directly interact with Domain Name
Service variables.
LPD - Line Printer Daemon - Services LPR requests and submits print
jobs to a printer device.
LPQ - Line Printer Queue - Obtain status of a print queue on a
host running the LPD Service.
LPR - Line Printer Remote - Prints a file to a host running the
LPD Service.
NBTstat - Checks the state of current NetBIOS over TCP/IP connections,
updates LMHOSTS cache, determines registered name.
Netdiag – Tests the network functions and provides a report of
the results.
Netsh – Network Shell. This utility can be used to interact with most services from the command-line.
Netstat - Displays Protocol statistics and the current state of TCP/IP connections. The –a option is used to see all information.
NSlookup - examines entries in the DNS database pertaining to a
particular host or domain.
Pathping –acts as combination of ping and tracert. It sends echoes
requests out and identifies the host that hears them.
PING - Packet Internet Groper - Verifies that TCP/IP is configured correctly and that another host is available.
REXEC - Remote Execution - Runs a process on a remote computer.
Route - views or modifies the local routing table.
RSH - Remote Shell - runs commands on a UNIX host.
Telnet - Provides Terminal Emulation to a TCP/IP host running Telnet
server software.
Tracert - verifies the route used from the local host to the remote
host. This is superior to PING in that it also shows the route taken to
reach the remote host.
The RunAs utility has can now be told to use current environment variables (with the /env switch), or save credentials (/savecred), as well as use smartcards (/smartcard) or run across the network only (/netonly). The Secondary Logon Service (SLS) has been added to Windows Server 2003 to allow a user to log in as a normal user, then access higher-level functions when they need to.
File compression can be done from the command-line using the COMPACT utility. You cannot compress a file that is encrypted, or encrypt a file that is compressed – these operations are mutually exclusive.
EFS file encryption now remains on files in offline storage. EFS files can now also be shared across the network and warnings are given when a user attempts to copy a file to a device that will not protect the file. The CIPHER utility is used to interact with encrypted files from the command-line.
Several utilities can be used to assist with system maintenance. These include:
AUTOCHK – a version of CHKDSK that can run during startup
Automatic System Recovery (ASR) – acts as an easier method of restoring after a failure by saving a catalog and configuration information on a floppy
CHKDSK – looks for file system problems, such as corruption, and corrects them
CHKNTFS – checks the NTFS file system
Disk Cleanup – this rids a system of temporary files, Recycle Bin contents, and other old data
The four tabs of the Windows Server 2003 Backup Utility are:
1. Welcome
2. Backup
3. Restore and Manage Media
4. Schedule Jobs
An incremental backup includes up all files that have the archive bit on, and then turns that bit off. A normal/full backup gets all files, regardless of the status of the archive bit, and then turns the bit off (if it was on). A differential backup gets all files with the archive bit on, and then leaves it on. A daily backup is valid only for the day (as the name implies). A copy backup backs up files and leaves the archive bit on.
A backup log can be configured from the options of the Backup Utility. You can choose either “Detailed” or “Summary” log files. A detailed file includes the name of every file backed up, while a summary only offers a file count and indicates any files that were skipped.
To start Windows Server 2003 in Safe mode, press F8 when the Please Select The Operating System To Start message appears. Safe mode enables you to start the system with a minimal set of device drivers and services. Choices appearing on the option menu are:
· Safe mode
· Safe mode with networking
· Safe mode with command prompt
· Enable boot logging (which sends the output to ntbtlog.txt)
· Enable VGA mode
· Last Known Good configuration
· Debugging mode
· Directory Service Restore mode (on domain controllers only)
Recovery Console - Windows Server 2003 has a Recovery Console to help when you have trouble booting. The Recovery Console is not installed by default. Install the Recovery Console by booting from the Windows Server 2003 CD and choosing Repair, or running winnt32.exe /cmdcons from the I386 directory of the CD. This copies the files locally and you will now see an option to enter the Recovery Console at boot up.
The Recovery Console is limited to administrators, and you must give the Administrator password when choosing it. This utility will allow you to do such things as:
- Use, copy, rename or replace operating system files and folders.
- Enable or disable services or devices from starting when you next start your computer.
- Repair the file system boot sector or the Master Boot Record (MBR).
- Create and format partitions on drives.
©2000 www.CERTguide.com
Hot!!! - CERTguide's FREE Online
Practice exams are now located at
www.123cert.com -
70-210, 70-215, 70-216, 70-217, CCNA, Network+, Linux+, A Plus Core, A+
Hardware - Hot!!!