Windows Advanced server
Nutshell:
Microsoft
Advanced Server
Date of course: _____________________________________
Name of Student: ___________________________________
Rev 1.2
Created by Michael March
Contact Information: michaelmarch@gmail.com
Not to be reused or copied in anyways without the explicit written agreement between Michael March and the requester, until so granted permission.
Contents
Network Monitor and System Monitor 5
IP Addressing Facts 6
Troubleshooting TCP/IP 6
DHCP Authorization 7
DHCP Scope Facts 8
DHCP Option Facts 8
DHCP Server Backup and Recovery 10
Troubleshooting DHCP 10
DNS Name Resolution Process 11
DNS facts 11
Zone Types 12
Common Resource Records 13
Dynamic DNS Facts 14
AD-Integrated Zone Facts 15
Root Hint Facts 16
DNS Design Guidelines 18
DNS Solutions 19
DNS Troubleshooting Tools 20
Remote Access Facts 22
Troubleshooting Demand Dial Routing 30
NAT Facts 32
DHCP Relay Agent Facts 32
Common Port Numbers 33
Firewall and Proxy Facts 34
VPN Protocols 35
IPSec Facts 36
Preconfigured Templates 37
Template Facts 38
Microsoft Baseline Security Analyzer 38
Security Principles Facts 39
Services Facts 40
SUS Facts 40
WSUS Facts 41
Network Monitor and System Monitor
Two common tools, Network Monitor and System Monitor, are useful in monitoring your system. While both can be used to gather some information related to network performance, Network Monitor is the tool you will use most often to analyze network traffic and gather information about communication between two computers. The following table compares the features of Network Monitor and System Monitor.
Characteristic Network Monitor System Monitor
Data collected Captures packets (or packet fragments) and their contents.
Reports statistics about network traffic. Monitors system statistics, producing counters and charts of system performance.
Monitors local system components including disk, processor, memory, and network statistics.
Data reports View contents of sent and received packets.
View network traffic statistics. View graphs of system performance and counters.
Event tracking Configure triggers to stop capture or execute a command based on a specific network traffic event (or packet type). Configure alerts to log an entry, send a message, or run a program when a counter reaches a specific threshold.
Identifying captured data Configure filters to capture only specific packets or to display only certain packets. Select objects and counters to identify the statistics you want to track.
You should know the following facts about Network Monitor:
• The free version of Network Monitor that comes with Windows can only monitor traffic to and from the local computer.
• To capture all network packets, use the SMS version of Network Monitor.
• Even when using the SMS version, you cannot capture packets sent to other computers on other segments through a switch. (Switched traffic is only sent to the segment where the destination computer sits.)
• Use Dedicated Capture mode with Network Monitor to ensure you capture all packets.
IP Addressing Facts
The following table lists the default IP addressing classes and masks:
Class Address Range Default Mask
A 1.0.0.0 to 126.255.255.255 255.0.0.0
B 128.0.0.0 to 191.255.255.255 255.255.0.0
C 192.0.0.0 to 223.255.255.255 255.255.255.0
D 224.0.0.0 to 239.255.255.255 (multicast addresses)
E 240.0.0.0 to 255.255.255.255 (experimental addresses)
You should also know the following address ranges that are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Keep in mind the following facts about IP addresses:
The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.
Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:
Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and other IP configuration values.
If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the computer could not contact a DHCP server. Use Ipconfig /renew to try contacting the DHCP server again.
Use Ping (Packet Internet Groper) to send small packets to a computer to see if the computer responds. Microsoft recommends the following use of Ping:
• Ping the loopback address (127.0.0.1). This verifies that the TCP/IP protocol stack has been properly installed.
• Ping the local IP address assigned to the machine. This verifies communication to the NIC.
• Ping the default gateway. This verifies connectivity to the default gateway or to another machine on the local network. This verifies that the local network is accessible.
• Ping a remote host. This checks the connectivity between the default gateway and the remote host.
Use Tracert to see the route packets take through an internetwork between two devices.
Use Pathping to view the route of the connection and the connectivity response time. This can help identify where communication latency occurs.
Use the Arp -d * command to remove all dynamic ARP entries from the ARP list. (Arp -d clears the ARP cache.)
Use the Windows system logs to track DHCP service startup and shutdown as well as critical errors.
DHCP Authorization
Be aware of the following facts about DHCP server authorization.
Authorization is required if you are using Active Directory; no authorization is required, however, for a standalone server.
When you authorize a DHCP server, its IP address is added to a list of authorized DHCP server maintained in Active Directory.
When a DHCP server starts, its IP address is compared to the Active Directory list. If it is found, the server is allowed to issue IP addresses. If it is not found, the server is not allowed to issue IP addresses, and the server does not respond to DHCP requests.
Only Windows 2000 or Windows 2003 servers check for authorization.
You can authorize a server before DHCP is installed.
Rogue DHCP servers running other operating systems (like Unix, NetWare, or Windows NT) do not check for authorization before assigning addresses.
A Windows DHCP server checks for authorization when it boots and reauthorizes every five minutes.
You must be a member of the Enterprise Admins group to authorize a server.
In some cases, when you install DHCP on a domain controller, it will be authorized automatically.
When you install DHCP, the server is added automatically to the DHCP console on the local machine. When it is installed on another machine, you must add it manually to the local DHCP console.
DHCP Scope Facts
You should know the following facts about DHCP scopes:
• Use exclusions to prevent the DHCP server from assigning certain IP addresses. For example, exclude any IP addresses for devices that are not DHCP clients.
• Use reservations to make sure a client gets the same IP address each time from the DHCP server. The reservation associates the MAC address with the IP address the client should receive. For example, use a reservation for servers and printers to keep their IP addresses consistent while still assigning the addresses dynamically.
• When using reservations, do not exclude the addresses you want to assign.
• To change the subnet mask used by a scope, you must delete and recreate the scope. You cannot selectively change the subnet mask in an existing DHCP scope.
• The scope must be activated before the DHCP server will assign addresses to clients.
DHCP Option Facts
Through DHCP, you can deliver a wide range of TCP/IP configuration parameters (not just the IP address and mask). Additional parameters are delivered by configuring DHCP options. Options can be set at the following levels:
• Server. Options set on the server are delivered to all clients of that DHCP server.
• Scope. Options set on the scope are delivered to all computers that obtain an IP address from within the scope.
• Class. A class defines a group of computers that share common characteristics. For example, the vendor class can be used to deliver options to Microsoft Windows clients. Class options are delivered to all computers within the class.
• Reserved client. Options set on a reservation are delivered to the specific client.
Options are applied in the order listed above. If conflicting settings are delivered, the last parameters delivered will take precedence over the previous settings.
Common options include:
• 003 Router, the IP address of the default router (the default gateway)
• 006 DNS Servers, the IP address of DNS server or servers
• 015 DNS Domain Name, the domain that the client belongs to; used to update DNS server
• 044 WINS/NBNS Servers, the IP address of WINS server or servers
• 046 WINS/NBT Node Type, controls the order in which a client uses NetBIOS name servers
DHCP Server Backup and Recovery
To move the DHCP service from one server to another, you must perform operations on the source and destination machines.
Source machine:
In DHCP Console, back up DHCP. The backup includes:
• Scopes, exclusions, and reservations.
• DHCP configurations.
• DHCP-related registry settings.
• Stop and disable the DHCP service.
• Copy the DHCP backup files to the destination machine.
On the destination machine:
• Install DHCP.
• Stop the DHCP service.
• In DHCP Console, restore the DHCP backup files.
• Verify the DHCP configuration and start DHCP.
Troubleshooting DHCP
For a Windows 2003 Server DHCP server to deliver IP addresses, the following conditions must be met:
• The server must be authorized.
• The DHCP service must be running (the DHCP server is started).
• The scope must be started.
• There must be IP addresses in the scope that are free to be assigned, or a reservation for the client must be defined.
• The client must be configured to receive its IP address from the DHCP server.
• One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The following table lists the command switches useful in troubleshooting DHCP.
Command Use
Ipconfig /all View TCP/IP configuration including the IP address, mask, default gateway, and any other DHCP-delivered parameters.
In addition, the command shows the IP address of the DHCP server from which configuration information was received.
Ipconfig /renew Renew DHCP configuration for specific or multiple adapters.
Ipconfig /release Releases DHCP configuration and discards IP address configuration for specific or multiple adapters.
An address IP address in the 169.254.0.0 range indicates that the client could not contact the DHCP server and has used APIPA to assign itself an address.
You should recognize the following symptoms of a rogue server:
• Incorrect IP configuration information.
• Duplicate addresses assigned.
• Ipconfig /all shows the DHCP server address incorrectly.
• DHCPNAK messages at the client during lease renewal.
If the client has an address from the wrong server, remove the rogue server, then do Ipconfig /release followed by Ipconfig /renew.
DNS Name Resolution Process
You should be familiar with the DNS name resolution process:
When a DNS name resolution request is forwarded to a DNS server, the DNS server examines its local DNS cache for the IP address.
If the IP address is not in the DNS server's cache, it checks its Hosts file. (Since the Hosts file is a static text file, it is not commonly used.)
If the DNS server is not authoritative and configured for forwarding, the DNS server forwards the request to a higher-level DNS server.
If the DNS server cannot forward the request, or if forwarding fails, the DNS server uses its Root Hints file (also known as Cache.dns). The Root Hints file lists the 13 root DNS servers.
The root DNS server responds with the address of a com, edu, net, or other DNS server type (depending on the request).
The DNS server forwards the request to the high-level DNS server, which can respond with a variety of IP addresses.
DNS facts
DNS translates a hostname to an IP address.
The DNS hierarchy is made up of the following components:
. (dot) domain (also called the root domain)
Top Level Domains (TLDs) (.com, .edu, .gov)
Domains
Hosts
A fully qualified domain name (FQDN) must include the name of the host and the domain, not just the domain.
A forward lookup uses the host name (or the FQDN) to find the IP address.
A reverse lookup uses the IP address to find host name (or FQDN).
A DNS server can forward a DNS request to an upstream DNS server if it cannot resolve a host name to an IP address.
An authoritative server is a DNS server that has a full, complete copy of all the records for a particular domain.
A caching-only DNS server has no zone information; it is not authoritative for any domains.
The Root Hints file (also called the Cache.DNS file) lists the 13 root DNS servers. A DNS server uses the Root Hints file to forward a request to a Root DNS server as a last resort to resolve a host name to an IP address.
A Root DNS server refers DNS servers to .com or .edu or .gov level DNS servers.
Recursion is the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Most client computers do not perform recursion, rather they submit a DNS request to the DNS server and wait for a complete response. Many DNS servers will perform recursion.
Zone Types
The table below lists the types of DNS zones:
Zone Type Description
Standard primary Host name-to-IP address name resolution.
Data is stored in a flat text file.
Read-write copy of the data.
Standard secondary Host name-to-IP address name resolution.
Data is copied from another DNS server.
Read-only copy of the data.
Reverse lookup IP address to host name resolution.
Can be both primary and secondary zones.
Active Directory-integrated Data is stored in Active Directory.
Data is shared between domain controllers.
Data is read-write on all servers with the data.
Provides automatic replication, fault tolerance, and distributed administration of DNS data.
You should also know the following facts about zones:
To configure reverse lookup for a subnetted IP network, enable the Advanced view in the DNS console.
Reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
Common Resource Records
The table below lists the most common resource records.
Record Type Use
A (host address) The A record maps a DNS host name to an IP address. This is the most common resource record type.
CNAME (canonical name) The CNAME record provides alternate names (or aliases) to hosts that already have an A record.
MX (Mail Exchanger) The MX record identifies servers that can be used to deliver mail.
NS (name server) The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone.
PTR (pointer) In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record).
SOA (Start of Authority) The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone. The SOA record includes parameters such as the authoritative server and the zone file serial number.
SRV (service locator) The SRV record is used by Windows 2003 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2003 automatically creates these records as needed.
Dynamic DNS Facts
For a Windows 2000/XP/2003 client, the following process is used to dynamically update the DNS database.
The client boots and receives an IP address from the DHCP server.
The client sends a DNS update request to update the forward lookup record.
The DHCP server sends an update request to update the reverse lookup record.
For non-dynamic update clients, the DHCP server sends both the forward and reverse lookup updates. You can also configure the DHCP server to perform both tasks for Windows clients.
To enable dynamic updates, use the following steps:
On the Windows DNS server, open the Zone Properties dialog box and enable dynamic updates.
In the TCP/IP Properties of the client, make sure dynamic DNS is enabled (enabled is the default setting).
Note: You may also need to enable dynamic updates on the DHCP server if you're doing dynamic updates by proxy.
You should know the following facts about secure dynamic DNS:
Secure dynamic updates are only available for Active Directory-integrated zones.
To use secure DDNS, a client must be a member of the same Active Directory domain as the DDNS server.
Only the original client can alter or remove records when using secure DDNS.
DNS Client Settings
DNS uses fully qualified domain names (FQDN) to identify a computer. FQDNs are composed of the host name and the domain name (also called a suffix). Windows client computers can be identified using two different DNS suffixes:
Primary suffix, set through the System properties.
Connection-specific suffix, configured through the TCP/IP properties for the network adapter.
With dynamic DNS, client computers can update the DNS database with their host name. Keep in mind the following facts about client dynamic updates:
By default, Windows 2000/XP/2003 clients register their DNS name with the DNS server.
In the TCP/IP properties, Advanced settings, DNS tab, the Register this connection's addresses in DNS setting controls whether the client dynamically registers its name with DNS.
With dynamic DNS enabled on the client, the computer will register its full DNS name from the configuration on the Network Identification tab of the System applet (using the primary suffix).
You can configure the client to register two different DNS names with the DNS server. To do this, in the TCP/IP properties, Advanced settings, DNS tab, identify an additional DNS suffix for the client and enable the Use this connection's DNS suffix in DNS registration option. When enabled, the client will register its name with the connection-specific suffix as well as the primary suffix.
You can also configure the client with custom search suffixes.
By default, when you submit a DNS query without using the fully qualified domain name (FQDN), the client computer appends the computer's domain to the name to perform the DNS lookup. The client will also use parent suffixes to try the request multiple times.
Edit the Advanced TCP/IP properties to customize the search suffixes. You can specify search suffixes outside of the parent suffixes, and modify the order in which suffixes are used for searches.
AD-Integrated Zone Facts
Using Active Directory to manage zone information has the following advantages:
No single point of failure. Changes are made to multiple rather than individual servers.
Fault tolerance. Each host server maintains up-to-date zone information.
Single replication topology. Zone transfers occur through Active Directory replication.
Secure dynamic updates. Only authorized computers can update dynamically.
Simplified management. Any authorized computer can initiate changes to the zone file (not just the primary server).
In Windows 2000, all DNS data is replicated with all domain controllers. With 2003, you have the following options:
Replication Option Where data is replicated
2000 Default All domain controllers in a domain receive the information whether or not they have DNS installed.
DomainDNSZones All domain controllers with DNS in the domain receive the information.
ForestDNSZones All domain controllers with DNS in the forest receive the information. (Used most effectively when you have very important records that need to be available throughout the forest.)
Application Partitions All domain controllers within the application partition. By using an application partition, you can customize which domain controllers will receive the DNS data.
Root Hint Facts
Keep in mind the following facts regarding root hints.
The Cache.dns file holds the 13 root hint addresses for the Internet root servers. The Cache.dns file can be found in two locations:
%SystemRoot%\system32\dns\Cache.dns (the copy in use)
%SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the backup location)
If you have a root zone configured on a DNS server, the server will act as a root zone server.
A DNS server configured as a root zone server will never use the root hints file (Cache.dns). It considers itself authoritative. Consequently, the server won't access the Internet to forward DNS queries.
If you want the DNS server to access the Internet, delete the root zone in the DNS Console.
You can configure root hints through the properties of a DNS server or by configuring the DNS server's Cache.dns file. If the server is configured to load data from Active Directory, you must configure root hints using the DNS snap-in because the local Cache.dns is not used (the root hints data is stored in AD).
Stub Zones and Forwarding Facts
You should know the following facts about DNS performance:
A stub zone holds copies of the following DNS record types:
NS records for all DNS servers (primary and secondary).
SOA record for the primary server.
DNS A records (also called glue records) for the DNS servers.
A stub zone is dynamic. It will update itself with changes.
Use a stub zone to provide quick access to the name server list and to provide a method of keeping the name server list updated without replicating zone data.
Conditional forwarding allows DNS queries to be forwarded to specific DNS servers that have specific zones.
Conditional forwarding is static. You set up an IP address which handles a specific type of query.
Conditional forwarding must be updated when changes to forwarders are made.
If a DNS server is configured to use forwarders, you can disable recursion on the DNS server. This means the server submits requests to the forwarder and waits for a response.
Zone Transfer Facts
Replication through standard zones takes place through zone transfers. Secondary servers contact their master servers for new zone information. You should know the following facts about zone transfers:
The zone serial number is modified when changes are made to the zone file.
Zone transfer is initiated when a secondary server checks the master server and finds an incremented zone serial number.
Zone transfer notification occurs when the master server contacts the secondary server when changes have been made.
By default, a DNS server replicates the entire zone database (called a full zone transfer or AXFR).
A partial zone transfer, in which only the changed information is replicated, is also called an incremental zone transfer or IXFR.
To initiate a manual transfer, increment the serial number first. Otherwise, no transfer will occur (a transfer only occurs when the serial number has changed).
You can improve DNS performance by placing multiple DNS servers on your network. For example, you can place a secondary server on the other side of a WAN link to reduce WAN traffic caused by name resolution. However, zone replication traffic must still cross the WAN link.
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when AD replicates.
If a zone is Active Directory-integrated and has no secondary servers, you can disable zone transfers. Zone data will continue to be replicated through Active Directory.
Normally, zone transfers happen automatically at periodic intervals. You can force an update of zone data through the DNS console or by using the Dnscmd command. The following table lists some actions you can take to refresh zone data manually.
DNS Console Action Dnscmd Option Result
Reload Dnscmd /ReloadZone The server reloads zone data from its local copy (it reads the data back in from the zone file on the hard disk).
Transfer from Master Dnscmd /Refresh Initiates a normal zone transfer. The DNS server compares its version number with the version of the zone master. If the version numbers are the same, no zone transfer takes place.
Reload from Master N/A The DNS server dumps its copy of the data and reloads the entire data from the master server.
To force a zone transfer, you can either update the sequence number on the master server and then transfer the data from the master, or you can simply reload the data from the master.
DNS Design Guidelines
Keep in mind the following facts about DNS namespace design:
Active Directory requires DNS.
A split-brain DNS solution allows you to run internal DNS and external DNS that don't communicate with one another. This helps to maintain internal security.
Following are three split-brain DNS configuration options:
Set up the same DNS name internally and externally.
Set up different DNS names internally and externally.
Set up the internal DNS as a subdomain of the external DNS.
The purpose of a split-brain DNS solution is to:
Allow external clients to access only external resources.
Allow internal clients to access all resources.
The table below lists the split-brain DNS configurations.
Split-brain DNS Configuration Implementation
Same Internal and External DNS Names Set both DNS servers as primary to prevent zone transfer traffic.
Allow internal client access to external resources by copying external resource records to the internal DNS server.
Different Internal and External DNS Names To allow internal clients to access external resources, set up a forwarder, either a regular forwarder or a conditional forwarder.
Internal DNS Name as Subdomain of External DNS Name One possible advantage is that you can run separate DNS infrastructures (e.g., an external Unix infrastructure and an internal Microsoft infrastructure).
One danger is that outside queries could include the internal namespace. Use the firewall to block these types of queries.
Set up a forwarder to allow internal clients to access external resources.
DNS Solutions
You have a wide variety of tools to help you in designing a DNS solution. The following table lists various zone types and configuration options and when to use each.
Solution Use
Primary zone Select a primary zone to manage zone data on non-domain controllers or non-Windows DNS servers.
Secondary zone Select a secondary zone to copy read-only zone data from another server. For example, your Windows server can be a secondary server to a non-Windows server, or a non-Windows server can be a secondary server to an Active Directory-integrated zone. Secondary zone servers accomplish three tasks:
Fault tolerance
Load balancing
Reduce name resolution traffic over WAN links
Reverse lookup zone Use a reverse lookup zone to find the host name for a given IP address. For example, use a reverse lookup zone if you need to identify the host name of clients who connect to a server or services. Following are reasons to set up reverse lookup zones:
To use Nslookup by using the IP address.
To use IP filtering in IIS.
To accommodate applications that rely on reverse lookups.
Active Directory-integrated zone Use when you have DNS servers that are also domain controllers. AD-I zones allow multi-master updates to the DNS database, automatically replicate data through Active Directory (rather than conventional DNS replication), secures zone updates, and allow secure dynamic client registration.
Caching only server Use to reduce DNS name resolution traffic over WAN links without the zone transfer traffic.
Zone delegation Use to subdivide a zone into multiple zones. This allows other administrators to manage parts of your name space.
Forwarders Use to send DNS queries to other servers when the current server does not hold the data.
Conditional forwarding Use to forward DNS queries based on the domain name characteristics. Without conditional forwarding, all requests are forwarded to the same servers. With conditional forwarding, requests are forwarded based on the domain name.
Stub zone Use when you need to automatically update lists of name servers for a domain but do not want to replicate zone data.
Root zone Use to make your DNS server authoritative for the entire name space. For example, you can configure a root zone to prevent name queries from being forwarded to the Internet root zone servers.
Root hints Root hints point to the root zone servers. Normally root hints point to the Internet root zone servers. If you have a custom root zone, make sure root hints on internal servers point to your root zone servers.
Dynamic DNS Use to allow clients to update DNS records.
Secure updates Use to prevent unauthorized changes to dynamically-created DNS records. When enabled, only domain members can register DNS records, and only the same computer can modify those records. Secure updates are available only on Active Directory-integrated zones.
DNS Troubleshooting Tools
You should know how to use the tools listed in this table:
Tool Use
Nslookup Use the Nslookup tool to perform DNS name resolution. Enter the name of the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd Dnscmd displays the properties of DNS servers, zones, and resource records. You can also use Dnscmd to modify these properties, create and delete zones and resource records, and force replication.
Ping Use Ping to determine if an IP address is accessible. If you can ping an IP address, try to ping the logical name of the host. If the logical name test fails, you should troubleshoot the name resolution system.
Network Monitor Use Network Monitor to analyze and monitor network traffic.
Ipconfig You can use Ipconfig without switches to display the IP address, subnet mask, and default gateway for all adapters. However, the following switches are useful when troubleshooting DNS.
/Displaydns, to display the contents of the local DNS cache.
/Flushdns, to flush the local DNS cache.
/Registerdns, to force a client to register its DNS information.
DNSLint The DNSLint utility helps you to isolate and diagnose DNS problems. You must use one of the three following switches with DNSLint.
/d, to perform domain name tests
/ad, to perform AD tests
/ql, to perform DNS query tests from a list
To provide fault tolerance for DNS servers, use one of the following strategies:
Use Active Directory-integrated zones. If one DNS server goes down, zone data is still stored in Active Directory. Be sure to analyze the replication scope to make sure you have at least two servers holding the DNS data for each zone.
Create secondary zones. If the primary server goes down, you can change one of the secondary zones to the primary zone.
Back up the DNS database. If you have only one DNS server, be sure to back up the DNS database. For non-Active Directory-integrated zones, you can back up the DNS files or copy them to another location. For Active Directory-integrated zones, you must back up the system state data (because DNS is stored in Active Directory).
Remote Access Facts
Keep in mind the following facts about configuring remote access.
The number of dial-up modem connections permitted depends on the number of modems that are installed on the remote access server. If you have only one modem installed on the server, you can only have one modem connection at a time.
Before shutting a remote access server down, terminate all client idle sessions.
To enable clients to receive their addresses from a DHCP server, configure the remote access server to use DHCP for addressing.
When you use PPP as the WAN protocol, you can use DHCP for addressing and encryption.
To allow remote clients to access resources on both the remote access server and the local network, enable both remote access and LAN routing. To restrict access to only the remote access server, enable only remote access.
When you establish a LAN protocol, the client must be configured with all protocols used by all devices on the private network with which it communicates.
To access resources on a remote network, users must be given the appropriate permissions.
Authentication Protocol Comparison
Authentication protocols ensure that remote users have the necessary credentials for remote access. The following table compares the authentication protocols supported by a Windows 2003 remote access server. Protocols are listed in order, from least secure to most secure. As a rule, select the highest level of authentication supported by the clients.
Protocol Characteristics Client Support
Password Authentication Protocol (PAP) Client sends a username and plain text password for authentication.
Password can be easily intercepted.
Use only when no other form of authentication is supported 2003/XP/2000
NT 3.5/4.0
95/98/ME
Shiva Password Authentication Protocol (SPAP) Used to connect to a Shiva LAN Rover.
Uses an encrypted password for authentication.
Password encryption is easily reversible 2003/XP/2000
NT 3.5/4.0
95/98/ME
Challenge Handshake Authentication Protocol (CHAP) Uses a three-way handshake (challenge/response).
Uses MD5 hashing of the shared secret for authentication. 2003/XP/2000
NT 3.5/4.0
95/98/ME
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) Similar to MS-CHAP v2, uses challenge/response for authentication.
Server authenticates the client (client cannot authenticate the server).
Encrypts the secret used for authentication 2003/XP/2000
NT 3.5/4.0
95/98/ME
Microsoft Challenge Handshake Authentication Protocol version2 (MS-CHAP v2) Highest level of authentication possible without using EAP.
Uses a challenge/response mechanism for authentication.
Allows both the client and the server to authenticate each other.
Encrypts the secret used for authentication. 2003/XP/2000
NT 4 (SP 4)
98 (SP 1)
95 (with the latest updates for a VPN connection only)
Extensible Authentication Protocol (EAP) Client and server negotiate the characteristics of authentication.
Used for smart cards or biometric authentication. 2003/XP/2000
For wireless clients, the most secure solution uses Protected EAP (PEAP) for an initial authentication to the wireless access point. When using PEAP, select one of the following two options:
PEAP-EAP-TLS. This authentication method uses certificates (either on the local system or on a smart card) to complete the authentication process.
PEAP-MS-CHAP v2. This method uses certificates on the server, but simple passwords on the client. Use this method when the client does not have a certificate.
PEAP support is enabled as follows:
Windows XP SP1, included as a feature of the service pack.
Windows Server 2003.
Windows 2000, supported through a special download and install.
Remote Access Client Configuration
You should know the following facts about remote access client configuration:
The client must be running all networking protocols (such as IP or IPX) that are used on destination computers.
Both the remote access client and the remote access server must use a common WAN protocol (such as PPP).
If your client and server have multiple modems, you can configure both to use multilink. With multilink, multiple physical connections are established to increase the bandwidth of a single connection. When using multilink, enable Bandwidth Allocation Protocol (BAP) to establish and drop links based on link activity.
Callback is a form of security in which the server disconnects the user after authentication then immediately calls the user back. The server can use a preset phone number for each user, or the user can enter a callback phone number after authentication. You cannot use multilink and callback together.
To configure remote clients for DNS, configure them with the IP address of the DNS server on the private network. DNS requests will be automatically routed to the DNS server.
Remote Access Policy Facts
A remote access policy consists of the following components.
Component Description
Conditions Remote access conditions identify which policies apply to incoming connections. The remote access server checks the conditions included with a policy. If all conditions match, the server processes the policy and user account settings to determine what access to allow or deny.
Permissions Permissions determine whether remote access is granted or denied. Permissions come from a combination of settings in the user account and the remote access policy. There are only three possible permission settings:
Grant remote access
Deny remote access
Control access through the remote access policy (only settable in the user account)
Profile A profile is the list of settings that are applied to the connection once access is granted. Profile settings can reject or restrict remote access to connections that:
Use a specific media type
Are initiated during specific days and times
Use specific authentication protocols
Use specific encryption protocols
You should be familiar with the RAPCAP process:
Remote access policies determine the level of access remote clients get to resources.
Authorization for access to resources is determined by three steps:
Conditions
Permissions
Profile settings
Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy in order is checked.
You should put more specific (or restrictive) policies at the top of the list to make sure they're not supplanted by more general policies.
When a match is found, that policy will be used for the connection (no other policies will be checked).
If the connection does not match any conditions in any policy, the connection will be refused.
After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy (unless Control access through Remote Access Policy is selected).
By default, the user account setting for remote access is set to Deny.
The Control access through Remote Access Policy setting is only available in 2000 native mode or Windows 2003 domain functional level.
If the permissions grant access, the policy profile is checked for additional conditions.
If all profile conditions match, the connection is granted. If not, it is refused.
You can establish enough restrictions through the profile to prevent user access.
You should also know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
IAS Facts
If your network includes several remote access servers, you can control remote access from a single location by installing a Remote Authentication Dial-In User Service (RADIUS) server. Internet Authentication Service (IAS) is the service you install on a Windows 2000 server to make it a RADIUS server.
You should know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
Troubleshooting Remote Access
Most remote access problems are caused by misconfiguration. Problems are typically manifested by an error message that describes the nature of the problem. Read the error messages to identify likely causes, and then verify the applicable remote access configuration parameters.
When you try to establish a remote access connection, the following four processes take place:
Opening the port. The system initializes the modem or port used for remote access.
Dialing. The system attempts to connect to the remote system.
Authenticating. After a physical connection with the remote system is made, authentication protocols and credentials are verified.
Registering the computer. The computer is identified on the network and access is granted.
If the connection fails in the first two stages (making the connection):
Verify the hardware and physical connection.
Verify the configuration of the remote access connection object.
Verify that there are free ports on the remote access server to answer the call.
If the connection fails during the last two stages (authenticating and registering the computer):
Verify the username and password against a valid user account.
Check remote access policies.
Verify that authentication protocols match between the client and the server.
Verify remote access addressing.
If a connection can be made, but the client can only access resources on the remote access server (and not on other servers connected to the remote network):
Verify that the client is using all necessary LAN protocols used by servers on the remote network.
Verify that the remote access server is configured for both remote access and LAN routing.
Default and Static Routes
You should know the following facts about routes:
Routes to directly connected networks are automatically created. If a router only needs to communicate with directly-connected networks, no special routes are needed.
Use the Route Print command to view the routing table.
Use the Route Add command to add routes from the command prompt. Use the syntax:
Route add destination_address mask subnet_mask -p
For example, to add a route to network 192.168.1.0 with mask 255.255.255.0, use the command:
Route add 192.168.1.0 mask 255.255.255.0 -p
The -p parameter makes the route permanent. It will be added each time the router reboots.
A default-route is used when no other routes in the routing table are found. You can also add a default-route entry to your routing table.
Keep in mind the following when creating special routes:
For a route to a subnet (network), enter the subnet address and mask.
For a route to a host, enter the host IP address and 255.255.255.255 for the mask.
For the default route, use 0.0.0.0 for the network and 0.0.0.0 for the mask.
Choosing a Routing Solution
The following table lists router solutions and their applications.
Solution Uses
Default routing entries Use when the router has only directly-connected networks.
Static routes Use for small networks (10 subnets or less) that do not change often.
Use to eliminate traffic due to routing updates.
RIP Use for small networks (50 or less subnets) when a dynamic solution is required.
OSPF Use for larger networks (50 or more subnets) when a dynamic solution is required.
Use when you want to minimize (or reduce) traffic due to routing updates.
Windows 2003 supports RIP 1 and RIP 2. RIP has the following characteristics:
RIP uses hop and tick counts to calculate optimal routes.
RIP routing is limited to 15 hops to any location (16 hops indicates the network is unreachable).
At startup, the router advertises itself and information about its directly-connected networks and requests other routers to respond.
RIP broadcasts its entire routing table every 30 seconds.
A RIP broadcast has a limit of 25 network entries. If more networks are in the routing table, additional broadcasts must be made.
At router shutdown, the router advertises that it is going down. Routers receiving this notification remove all routes accessible through the downed router from their tables.
Each route has a timeout value of 180 seconds. Each new broadcast containing information for that route resets the timeout.
Failed routes are detected when the timeout is reached. After the timeout, the route is removed.
RIP 2 supports multicasts, variable subnets, authentication, and next hop addresses.
Demand Dial Routing Facts
The following process is used to establish a demand-dial link:
A host sends a message to a host on the remote network.
The source router identifies the remote network, and initiates a link by calling the destination router.
The destination router answers the call, and verifies the user credentials and permissions.
The destination router identifies the link as a demand-dial link by matching the username with its port name.
Data is transferred to the destination host.
The link stays active until the preconfigured idle disconnect time. If no data has been sent during that time, the link is dropped.
To configure and enable demand-dial routing, complete the following tasks:
Enable demand-dial routing on the server.
Enable the port for use by demand-dial.
Add the port as a demand-dial interface.
Create a user account on the local system or domain that corresponds to the local demand-dial port. (You can use the Demand Dial Interface wizard to create this account automatically.)
Set the credentials for the remote user account that corresponds to the remote demand-dial interface.
Create static routes or configure auto-static updates to add routes to the remote network.
Auto-static updates can be used to populate the routing table with remote routes over a demand dial link. Keep in mind the following about auto-static updates.
A routing protocol is used initially to share routing information. However, the information is sent only once. The routers do not exchange periodic broadcasts.
Because auto-static updates are not performed on a regular basis through the routing protocol's default advertisements, you must either manually perform the update or schedule updates as a scheduled task. When you schedule updates, routing exchanges take place at much longer intervals than the routing protocol's update interval.
You can configure auto-static updates for IP RIP, IPX RIP, and IPX SAP, but not for OSPF.
Troubleshooting Demand Dial Routing
Use the information in the following table to troubleshoot demand dial routing problems:
Problem Cause and Solution
Application and time-out errors Some errors happen with demand-dial routing because the link between the routers is not yet established when data is first sent from a host. The host assumes the link exists and begins sending data. In the meantime, the router must call the remote system and establish the link. The time delay can cause the router buffer to fill, or the delay may lead the application to think the remote system is not responding. In most cases, retrying the request succeeds.
Authentication errors Authentication errors are typically caused by incorrectly configuring the username used by the demand-dial router to contact the remote router. Verify that the username matches the remote port, and that a user account with dial-up permission exists. Also verify the remote access policies and remove any restrictions that incorrectly limit access.
Only one-way communication If one host can connect to the remote router, but a host on the remote network cannot connect back, verify that the username settings for both routers match the remote port name. It is also possible for one router to use an incorrect username, but still be granted a connection if there is a user account with that name. However, the connection will be a remote access connection, not a demand-dial connection.
Endpoint identifier errors Endpoint identifier errors occur when compatible addresses (such as IP addresses on the same subnet) are not assigned to each communicating port. Check to make sure that a DHCP server is available, or that the dial-up line is configured to assign addresses.
Lost auto-static routes If you have configured the server for auto-static routing updates, and the routing table contains data but later is empty, check to make sure that each router can establish a connection with the other. If a connection cannot be made to send the updates, the table will not contain any auto-static routes because they have been deleted. Correct the problem by scheduling auto-static updates or updating routes manually.
NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the Internet without obtaining registered addresses for every host. Private addresses are translated to the public address of the NAT router.
The NAT router maps port numbers to private IP addresses. Responses to Internet requests include the port number appended by the NAT router. This allows the NAT router to forward responses back to the correct private host.
NAT supports a limit of 5,000 concurrent connections.
NAT provides some security for the private network because it translates or hides the private addresses. In addition, outside hosts cannot normally initiate contact with private hosts (unless explicitly configured).
A NAT router can act as a limited-function DHCP server, assigning addresses to private hosts.
A NAT router can forward DNS requests to the Internet.
NAT does not work with IP protocols that embed an IP address in the packet data. For this reason, you cannot create a VPN on two sides of a NAT router. However, special modifications do allow FTP to function with NAT.
DHCP Relay Agent Facts
To properly configure the Relay Agent, you need to perform three tasks:
Add the Relay Agent via the remote access snap-in.
Configure the router's interface to relay DHCP packets.
Configure the Relay Agent with the main DHCP server's IP address.
Instead of configuring a relay agent, you can also enable BOOTP forwarding on the router, or place a DHCP server on the local subnet.
Common Port Numbers
Port numbers identify a specific service running on a computer. As a best practice, configure your firewall to allow only the ports for the services provided on your network (and block all others). The following table lists port numbers for common services.
Port(s) Service
20, 21 File Transfer Protocol (FTP)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
50, 51 IPSec
53 Domain Name Server (DNS)
67, 68 Dynamic Host Configuration Protocol (DHCP)
69 Trivial File Transfer Protocol (TFTP)
80 HyperText Transfer Protocol (HTTP)
88, 749 Kerberos
110 Post Office Protocol (POP3)
119 Network News Transport Protocol (NNTP)
137-139 NetBIOS
143 Internet Message Access Protocol (IMAP4)
161, 162 Simple Network Management Protocol (SNMP)
389 Lightweight Directory Access Protocol (LDAP)
443 HTTP with Secure Sockets Layer (SSL)
500 (UDP), 1701 Layer Two Tunneling Protocol (L2TP)
1723 Point-to-point Tunneling Protocol (PPTP)
For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and 443.
Firewall and Proxy Facts
Keep in mind the following facts about firewalls and proxy servers.
• A firewall prevents invalid communications from entering a network while allowing valid communications to travel in and out.
• TCP/IP Filtering is a form of a very basic firewall.
• TCP/IP Filtering allows you to block ports that you specify.
• TCP/IP Filtering requires you to enable the setting for all NICs or no NICs.
• ICF blocks all externally generated communications. Communications generated internally can pass through the firewall as well as external responses to those communications.
• You can allow external communications through the firewall by enabling the appropriate ports.
• Packet filtering is available in the RAS Console.
• Packet filtering allows you to specify input and output filters for each NIC.
• Packet filtering allows you to restrict access based on ports, protocols, or IP addresses.
• Packet filtering offers a higher degree of control over network traffic.
• An ingress filter allows you to prevent malicious actions like address spoofing.
• An ingress filter will inspect packet headers to verify them.
• Proxy servers speed up Web caching and restrict access to the Internet.
• Through caching, a proxy server can significantly increase bandwidth performance.
• A proxy server allows you to restrict Internet access through user and group accounts.
• Client browsers can either automatically detect the proxy server or access it through a specific proxy IP address.
VPN Protocols
If you are designing a VPN connection, you must identify the tunneling protocol used for the connection. Windows 2003 supports the following tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP), supported by all 32-bit Microsoft clients.
Layer Two Tunneling Protocol (L2TP), supported by Windows 2000/XP/2003 clients.
The tunneling protocol you choose will also effect the authentication and encryption options available. The following table summarizes these choices.
Tunneling Protocol Authentication Protocol Encryption Protocol OS Support
PPTP EAP* or MS-CHAP (v1 or v2) MPPE 2000/XP/2003
NT 4.0
95/98/ME
L2TP EAP or MS-CHAP (v1 or v2)
Kerberos v5**
Certificates IPSec 2000/XP/2003
*EAP is supported only on Windows 2000/XP/2003.
**IPSec requires machine authentication (not user authentication) through either Kerberos or certificates. Use EAP or MS-CHAP to enforce user authentication.
IPSec Facts
IPSec is supported only on Windows 2000/XP/2003. How computers use IPSec to communicate is controlled through IPSec policies. Windows comes with the following three IPSec policies:
Policy Characteristics
Client (Respond Only) Can communicate normally (unsecured).
Contains a default response rule that lets it negotiate with servers that request IPSec.
Server (Request Security) Requests security using Kerberos V5 protocol for all IP traffic.
Allows unsecured communication with clients that do not respond to the request.
Secure Server (Require Security) Requires security using Kerberos V5 protocol for all IP traffic.
Does not allow unsecured communication with clients.
You should also know the following facts about IPSec:
• IPSec is identified by displaying two protocols in the Network Monitor: AH (Authentication Header) and ESP (Encapsulating Security Payload).
• AH is displayed in Network Monitor when IPSec is configured for mutual authentication. AH digitally signs each packet to ensure data integrity. AH does not encrypt data.
• ESP is displayed in Network Monitor when IPSec is configured to encrypt frames. ESP encrypts the data portion of the IP packet.
• Use the IP Security Monitor MMC snap-in to verify IPSec traffic.
• To monitor IPSec negotiations, the audit logon events setting must be enabled. The security log file should be set to at least 10 MB in size.
• To view DNS names in IPSec Monitor, enable DNS name resolution.
• Microsoft recommends that you stop the Routing and Remote Access service before stopping the IPSec service.
• Use the Net stop remoteaccess command at the command line to stop the remote access service.
• Use the Net stop policyagent command at the command line to stop the IPSec service.
• An authentication failure occurs when the authentication methods don't match on both machines that are trying to establish a security association.
• A Bad SPI message can appear when the key lifetime is set too low.
• The Audit Logging feature of Windows Server 2003 can be used to monitor IPSec events.
Preconfigured Templates
Security templates are a collection of settings that configure settings to a predefined state. Windows provides the following predefined security templates:
Template Function
Setup Security.inf Created specifically for each computer during setup
Differs depending on whether installation was a clean installation or an upgrade
Contains default security settings applied during installation
Defines default file permissions for system drive root
Used on workstation or servers (not on domain controllers)
Should not be applied through group policy
DC Security.inf Created when server is upgraded to a domain controller
Gives default security settings for files, registry, and system service
Secure*.inf Secures a system without causing application or compatibility issues
Securews.inf can be applied to a workstation or a server
Securedc.inf can be applied to a domain controller
Hisec*.inf Specifies additional security settings beyond the Secure templates
Hisecws.inf can be applied to a workstation or a server
Hisecdc.inf can be applied to a domain controller
Compatws.inf Forces compatibility across Windows platforms
Should not be applied to domain controllers
Remember the following tips when applying templates:
• Use the Setup Security.inf template to restore the system to its default state.
• Apply additional templates to add security (just applying the more secure template might not reset custom settings to their default state).
• Use Group Policy to deploy and periodically enforce templates (the template will be applied at normal group policy application times).
• Don't use Group Policy to distribute the Setup Security.inf template because it is very large and will consume a lot of bandwidth and take time as it is applied to the computer.
• You can customize a preconfigured template to meet your needs. After you modify the template, save it with a new file name to preserve the preconfigured settings.
• Secedit.exe allows you to apply only the parts of a template that you need. (A better solution is to customize the template and save it with a different name.)
Template Facts
Use the Security Analysis and Configuration snap-in to manage security templates, analyze current settings, create custom templates, or import an existing template. When working with templates:
• Compare an existing system with a template to see how the system compares to the template.
• Clear current settings before importing a new template.
• After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group.
• You can also use the Secedit command to analyze and apply templates.
• You should also know the following facts about security analysis:
• The Microsoft Baseline Security Analyzer will tell you which patches have been installed on a particular computer.
• You should also need to verify that patches have not been manually applied.
• Check the Windows Update log to see if a patch came from the Software Update Server or from the Windows Update website.
Use the following key to decipher the meanings of icons when analyzing the system:
= The system does not match the template
= The system meets or exceeds the template
= The template does not define the value
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) is a tool you can use to scan the local and remote computers for security compliance. The MBSA tool looks for the following operating system vulnerabilities:
• Installed and missing hotfixes
• Guest account status
• Administrator group membership
• Weak passwords on user accounts
• Non-expiring passwords
• Restrict anonymous access settings
• Auto logon
• File system type used on each drive
• Shares
• Automatic update configuration
• Internet Connection Firewall (ICF) configuration
• Unnecessary services
• Auditing
Program vulnerabilities for programs such as Internet Explorer, Media Player, IIS, SQL, Exchange, and Office
MBSA does not come as part of the 2003 Server installation. You can download it from Microsoft's Web site. You should know the following facts about MBSA:
The analyzer runs in both a GUI and command-prompt mode (run Mbsacli.exe to run from the command line).
You can use MBSA to analyze up to 10,000 remote computers at a time. Results of the analysis can be saved to a file for later review.
MBSA can analyze Windows NT/2000/XP/2003 computers.
You must have administrator privileges to scan a local or remote computer.
To scan a local computer, make sure the Workstation and Server services are enabled.
The computer running MBSA to analyze remote computers must be running the Workstation service and have Microsoft Networks turned on.
The computer that you are analyzing must be running the following services:
• Remote Registry
• Server
• File and Print sharing
To analyze only missing hotfixes and updates, run Mbsacli.exe /hf (this command replaces the Hfnetchk.exe utility).
A similar utility Qfecheck.exe, scans Windows 95/2000/XP computers for missing hotfixes. However, this utility can only analyze the local computer.
Security Principles Facts
Use the following guidelines when considering security:
• Design securities strategies according to the rule of least privilege. This means that you give users the fewest rights and privileges possible while still allowing them to do their jobs. (It is easier to add permissions than it is to remove permissions.)
• Disable unnecessary services as well as file and print sharing when they're not needed.
• Implement a firewall and up-to-date anti-virus software.
• Audit the system regularly.
• Use security templates and Group Policy to apply security settings uniformly across the network.
• Use IPsec and SSL to secure network communications.
• Use SUS to control the updates deployed across the network.
• Use Hfnetchk to scan computers for hot fix levels.
• Use Mbsacli to scan remote computers for security and configuration issues.
Services Facts
You should know the following facts about services:
• Services are programs that run continuously in the background.
• The three service startup behaviors are:
• Automatic
• Manual
• Disabled
• You can control service behaviors (including startup behaviors) through Group Policy.
• Services run under the security privileges of a user account. There are three types of built-in accounts (you can also use custom accounts to run services):
• The Local System account provides full access to the system.
• The Local Service account provides access to particular services.
• The Network Service account provides access to services on the network.
• Because services run using a user account, make sure the password is configured correctly, the user account is not locked, and the user account is enabled.
• Take care not to disable a service upon which other services depend.
• You can view dependent services through the services console or by executing the SC.exe command.
• Use Msconfig.exe to troubleshoot services.
SUS Facts
Software Update Services (SUS) allows you to configure the distribution of operating system patches for clients, including ones related to security. You can deploy SUS in the following ways:
The SUS server approves the updates. Clients contact the SUS server for update approvals then retrieve the updates from the Windows Update server. This requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates locally for clients to retrieve. Reduces bandwidth demands since only the SUS server contacts the Windows Update server.
The SUS servers in various locations would be responsible approving and synchronizing updates and then contacting the Windows Update server.
Use a "master" SUS server to approve and synchronize updates from the Windows Update server. The child SUS servers synchronize updates from the master. If WAN bandwidth between the master and child servers is poor, you may decide against this structure.
In most enterprise implementations, client computers contact local SUS servers to get a list of approved updates and download those updates. In this configuration, SUS client computers must be configured to receive updates from the local SUS server instead of the Windows Update Web site. The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The following table lists the Automatic Update policies:
Policy Description
Configure Automatic Updates There are three options for configuring the behavior of the Automatic Updates client:
Notify for Download And Notify For Install
Auto Download And Notify For Install
Auto Download And Schedule The Install
Reschedule Automatic Updates Scheduled Installations If a client machine is turned off during a scheduled installation, by default the installation occurs at the next scheduled time. However, this policy allows you to set the installation to occur between 1 and 60 minutes after the system starts up.
No Auto-Restart For Scheduled Automatic Updates and Installations This policy allows Automatic Updates to disregard a required restart when a user is logged on. The user receives a notification about the required restart but is not required to restart the machine.
Specify Intranet Microsoft Update Service Location This policy allows you to redirect clients from the Microsoft Windows Update server to a SUS server on your network. You can also set logging to occur on any server on the network running IIS. IIS logs are found in %Windir%\System32\Logfiles\W3svc1.
WSUS Facts
Microsoft
Advanced Server
Date of course: _____________________________________
Name of Student: ___________________________________
Rev 1.2
Created by Michael March
Contact Information: michaelmarch@gmail.com
Not to be reused or copied in anyways without the explicit written agreement between Michael March and the requester, until so granted permission.
Contents
Network Monitor and System Monitor 5
IP Addressing Facts 6
Troubleshooting TCP/IP 6
DHCP Authorization 7
DHCP Scope Facts 8
DHCP Option Facts 8
DHCP Server Backup and Recovery 10
Troubleshooting DHCP 10
DNS Name Resolution Process 11
DNS facts 11
Zone Types 12
Common Resource Records 13
Dynamic DNS Facts 14
AD-Integrated Zone Facts 15
Root Hint Facts 16
DNS Design Guidelines 18
DNS Solutions 19
DNS Troubleshooting Tools 20
Remote Access Facts 22
Troubleshooting Demand Dial Routing 30
NAT Facts 32
DHCP Relay Agent Facts 32
Common Port Numbers 33
Firewall and Proxy Facts 34
VPN Protocols 35
IPSec Facts 36
Preconfigured Templates 37
Template Facts 38
Microsoft Baseline Security Analyzer 38
Security Principles Facts 39
Services Facts 40
SUS Facts 40
WSUS Facts 41
Network Monitor and System Monitor
Two common tools, Network Monitor and System Monitor, are useful in monitoring your system. While both can be used to gather some information related to network performance, Network Monitor is the tool you will use most often to analyze network traffic and gather information about communication between two computers. The following table compares the features of Network Monitor and System Monitor.
Characteristic Network Monitor System Monitor
Data collected Captures packets (or packet fragments) and their contents.
Reports statistics about network traffic. Monitors system statistics, producing counters and charts of system performance.
Monitors local system components including disk, processor, memory, and network statistics.
Data reports View contents of sent and received packets.
View network traffic statistics. View graphs of system performance and counters.
Event tracking Configure triggers to stop capture or execute a command based on a specific network traffic event (or packet type). Configure alerts to log an entry, send a message, or run a program when a counter reaches a specific threshold.
Identifying captured data Configure filters to capture only specific packets or to display only certain packets. Select objects and counters to identify the statistics you want to track.
You should know the following facts about Network Monitor:
• The free version of Network Monitor that comes with Windows can only monitor traffic to and from the local computer.
• To capture all network packets, use the SMS version of Network Monitor.
• Even when using the SMS version, you cannot capture packets sent to other computers on other segments through a switch. (Switched traffic is only sent to the segment where the destination computer sits.)
• Use Dedicated Capture mode with Network Monitor to ensure you capture all packets.
IP Addressing Facts
The following table lists the default IP addressing classes and masks:
Class Address Range Default Mask
A 1.0.0.0 to 126.255.255.255 255.0.0.0
B 128.0.0.0 to 191.255.255.255 255.255.0.0
C 192.0.0.0 to 223.255.255.255 255.255.255.0
D 224.0.0.0 to 239.255.255.255 (multicast addresses)
E 240.0.0.0 to 255.255.255.255 (experimental addresses)
You should also know the following address ranges that are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
Keep in mind the following facts about IP addresses:
The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.
Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:
Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and other IP configuration values.
If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the computer could not contact a DHCP server. Use Ipconfig /renew to try contacting the DHCP server again.
Use Ping (Packet Internet Groper) to send small packets to a computer to see if the computer responds. Microsoft recommends the following use of Ping:
• Ping the loopback address (127.0.0.1). This verifies that the TCP/IP protocol stack has been properly installed.
• Ping the local IP address assigned to the machine. This verifies communication to the NIC.
• Ping the default gateway. This verifies connectivity to the default gateway or to another machine on the local network. This verifies that the local network is accessible.
• Ping a remote host. This checks the connectivity between the default gateway and the remote host.
Use Tracert to see the route packets take through an internetwork between two devices.
Use Pathping to view the route of the connection and the connectivity response time. This can help identify where communication latency occurs.
Use the Arp -d * command to remove all dynamic ARP entries from the ARP list. (Arp -d clears the ARP cache.)
Use the Windows system logs to track DHCP service startup and shutdown as well as critical errors.
DHCP Authorization
Be aware of the following facts about DHCP server authorization.
Authorization is required if you are using Active Directory; no authorization is required, however, for a standalone server.
When you authorize a DHCP server, its IP address is added to a list of authorized DHCP server maintained in Active Directory.
When a DHCP server starts, its IP address is compared to the Active Directory list. If it is found, the server is allowed to issue IP addresses. If it is not found, the server is not allowed to issue IP addresses, and the server does not respond to DHCP requests.
Only Windows 2000 or Windows 2003 servers check for authorization.
You can authorize a server before DHCP is installed.
Rogue DHCP servers running other operating systems (like Unix, NetWare, or Windows NT) do not check for authorization before assigning addresses.
A Windows DHCP server checks for authorization when it boots and reauthorizes every five minutes.
You must be a member of the Enterprise Admins group to authorize a server.
In some cases, when you install DHCP on a domain controller, it will be authorized automatically.
When you install DHCP, the server is added automatically to the DHCP console on the local machine. When it is installed on another machine, you must add it manually to the local DHCP console.
DHCP Scope Facts
You should know the following facts about DHCP scopes:
• Use exclusions to prevent the DHCP server from assigning certain IP addresses. For example, exclude any IP addresses for devices that are not DHCP clients.
• Use reservations to make sure a client gets the same IP address each time from the DHCP server. The reservation associates the MAC address with the IP address the client should receive. For example, use a reservation for servers and printers to keep their IP addresses consistent while still assigning the addresses dynamically.
• When using reservations, do not exclude the addresses you want to assign.
• To change the subnet mask used by a scope, you must delete and recreate the scope. You cannot selectively change the subnet mask in an existing DHCP scope.
• The scope must be activated before the DHCP server will assign addresses to clients.
DHCP Option Facts
Through DHCP, you can deliver a wide range of TCP/IP configuration parameters (not just the IP address and mask). Additional parameters are delivered by configuring DHCP options. Options can be set at the following levels:
• Server. Options set on the server are delivered to all clients of that DHCP server.
• Scope. Options set on the scope are delivered to all computers that obtain an IP address from within the scope.
• Class. A class defines a group of computers that share common characteristics. For example, the vendor class can be used to deliver options to Microsoft Windows clients. Class options are delivered to all computers within the class.
• Reserved client. Options set on a reservation are delivered to the specific client.
Options are applied in the order listed above. If conflicting settings are delivered, the last parameters delivered will take precedence over the previous settings.
Common options include:
• 003 Router, the IP address of the default router (the default gateway)
• 006 DNS Servers, the IP address of DNS server or servers
• 015 DNS Domain Name, the domain that the client belongs to; used to update DNS server
• 044 WINS/NBNS Servers, the IP address of WINS server or servers
• 046 WINS/NBT Node Type, controls the order in which a client uses NetBIOS name servers
DHCP Server Backup and Recovery
To move the DHCP service from one server to another, you must perform operations on the source and destination machines.
Source machine:
In DHCP Console, back up DHCP. The backup includes:
• Scopes, exclusions, and reservations.
• DHCP configurations.
• DHCP-related registry settings.
• Stop and disable the DHCP service.
• Copy the DHCP backup files to the destination machine.
On the destination machine:
• Install DHCP.
• Stop the DHCP service.
• In DHCP Console, restore the DHCP backup files.
• Verify the DHCP configuration and start DHCP.
Troubleshooting DHCP
For a Windows 2003 Server DHCP server to deliver IP addresses, the following conditions must be met:
• The server must be authorized.
• The DHCP service must be running (the DHCP server is started).
• The scope must be started.
• There must be IP addresses in the scope that are free to be assigned, or a reservation for the client must be defined.
• The client must be configured to receive its IP address from the DHCP server.
• One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The following table lists the command switches useful in troubleshooting DHCP.
Command Use
Ipconfig /all View TCP/IP configuration including the IP address, mask, default gateway, and any other DHCP-delivered parameters.
In addition, the command shows the IP address of the DHCP server from which configuration information was received.
Ipconfig /renew Renew DHCP configuration for specific or multiple adapters.
Ipconfig /release Releases DHCP configuration and discards IP address configuration for specific or multiple adapters.
An address IP address in the 169.254.0.0 range indicates that the client could not contact the DHCP server and has used APIPA to assign itself an address.
You should recognize the following symptoms of a rogue server:
• Incorrect IP configuration information.
• Duplicate addresses assigned.
• Ipconfig /all shows the DHCP server address incorrectly.
• DHCPNAK messages at the client during lease renewal.
If the client has an address from the wrong server, remove the rogue server, then do Ipconfig /release followed by Ipconfig /renew.
DNS Name Resolution Process
You should be familiar with the DNS name resolution process:
When a DNS name resolution request is forwarded to a DNS server, the DNS server examines its local DNS cache for the IP address.
If the IP address is not in the DNS server's cache, it checks its Hosts file. (Since the Hosts file is a static text file, it is not commonly used.)
If the DNS server is not authoritative and configured for forwarding, the DNS server forwards the request to a higher-level DNS server.
If the DNS server cannot forward the request, or if forwarding fails, the DNS server uses its Root Hints file (also known as Cache.dns). The Root Hints file lists the 13 root DNS servers.
The root DNS server responds with the address of a com, edu, net, or other DNS server type (depending on the request).
The DNS server forwards the request to the high-level DNS server, which can respond with a variety of IP addresses.
DNS facts
DNS translates a hostname to an IP address.
The DNS hierarchy is made up of the following components:
. (dot) domain (also called the root domain)
Top Level Domains (TLDs) (.com, .edu, .gov)
Domains
Hosts
A fully qualified domain name (FQDN) must include the name of the host and the domain, not just the domain.
A forward lookup uses the host name (or the FQDN) to find the IP address.
A reverse lookup uses the IP address to find host name (or FQDN).
A DNS server can forward a DNS request to an upstream DNS server if it cannot resolve a host name to an IP address.
An authoritative server is a DNS server that has a full, complete copy of all the records for a particular domain.
A caching-only DNS server has no zone information; it is not authoritative for any domains.
The Root Hints file (also called the Cache.DNS file) lists the 13 root DNS servers. A DNS server uses the Root Hints file to forward a request to a Root DNS server as a last resort to resolve a host name to an IP address.
A Root DNS server refers DNS servers to .com or .edu or .gov level DNS servers.
Recursion is the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Most client computers do not perform recursion, rather they submit a DNS request to the DNS server and wait for a complete response. Many DNS servers will perform recursion.
Zone Types
The table below lists the types of DNS zones:
Zone Type Description
Standard primary Host name-to-IP address name resolution.
Data is stored in a flat text file.
Read-write copy of the data.
Standard secondary Host name-to-IP address name resolution.
Data is copied from another DNS server.
Read-only copy of the data.
Reverse lookup IP address to host name resolution.
Can be both primary and secondary zones.
Active Directory-integrated Data is stored in Active Directory.
Data is shared between domain controllers.
Data is read-write on all servers with the data.
Provides automatic replication, fault tolerance, and distributed administration of DNS data.
You should also know the following facts about zones:
To configure reverse lookup for a subnetted IP network, enable the Advanced view in the DNS console.
Reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.
Common Resource Records
The table below lists the most common resource records.
Record Type Use
A (host address) The A record maps a DNS host name to an IP address. This is the most common resource record type.
CNAME (canonical name) The CNAME record provides alternate names (or aliases) to hosts that already have an A record.
MX (Mail Exchanger) The MX record identifies servers that can be used to deliver mail.
NS (name server) The NS resource record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone.
PTR (pointer) In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. "points" to an A record).
SOA (Start of Authority) The first record in any DNS database file is the SOA. It defines the general parameters for the DNS zone. The SOA record includes parameters such as the authoritative server and the zone file serial number.
SRV (service locator) The SRV record is used by Windows 2003 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2003 automatically creates these records as needed.
Dynamic DNS Facts
For a Windows 2000/XP/2003 client, the following process is used to dynamically update the DNS database.
The client boots and receives an IP address from the DHCP server.
The client sends a DNS update request to update the forward lookup record.
The DHCP server sends an update request to update the reverse lookup record.
For non-dynamic update clients, the DHCP server sends both the forward and reverse lookup updates. You can also configure the DHCP server to perform both tasks for Windows clients.
To enable dynamic updates, use the following steps:
On the Windows DNS server, open the Zone Properties dialog box and enable dynamic updates.
In the TCP/IP Properties of the client, make sure dynamic DNS is enabled (enabled is the default setting).
Note: You may also need to enable dynamic updates on the DHCP server if you're doing dynamic updates by proxy.
You should know the following facts about secure dynamic DNS:
Secure dynamic updates are only available for Active Directory-integrated zones.
To use secure DDNS, a client must be a member of the same Active Directory domain as the DDNS server.
Only the original client can alter or remove records when using secure DDNS.
DNS Client Settings
DNS uses fully qualified domain names (FQDN) to identify a computer. FQDNs are composed of the host name and the domain name (also called a suffix). Windows client computers can be identified using two different DNS suffixes:
Primary suffix, set through the System properties.
Connection-specific suffix, configured through the TCP/IP properties for the network adapter.
With dynamic DNS, client computers can update the DNS database with their host name. Keep in mind the following facts about client dynamic updates:
By default, Windows 2000/XP/2003 clients register their DNS name with the DNS server.
In the TCP/IP properties, Advanced settings, DNS tab, the Register this connection's addresses in DNS setting controls whether the client dynamically registers its name with DNS.
With dynamic DNS enabled on the client, the computer will register its full DNS name from the configuration on the Network Identification tab of the System applet (using the primary suffix).
You can configure the client to register two different DNS names with the DNS server. To do this, in the TCP/IP properties, Advanced settings, DNS tab, identify an additional DNS suffix for the client and enable the Use this connection's DNS suffix in DNS registration option. When enabled, the client will register its name with the connection-specific suffix as well as the primary suffix.
You can also configure the client with custom search suffixes.
By default, when you submit a DNS query without using the fully qualified domain name (FQDN), the client computer appends the computer's domain to the name to perform the DNS lookup. The client will also use parent suffixes to try the request multiple times.
Edit the Advanced TCP/IP properties to customize the search suffixes. You can specify search suffixes outside of the parent suffixes, and modify the order in which suffixes are used for searches.
AD-Integrated Zone Facts
Using Active Directory to manage zone information has the following advantages:
No single point of failure. Changes are made to multiple rather than individual servers.
Fault tolerance. Each host server maintains up-to-date zone information.
Single replication topology. Zone transfers occur through Active Directory replication.
Secure dynamic updates. Only authorized computers can update dynamically.
Simplified management. Any authorized computer can initiate changes to the zone file (not just the primary server).
In Windows 2000, all DNS data is replicated with all domain controllers. With 2003, you have the following options:
Replication Option Where data is replicated
2000 Default All domain controllers in a domain receive the information whether or not they have DNS installed.
DomainDNSZones All domain controllers with DNS in the domain receive the information.
ForestDNSZones All domain controllers with DNS in the forest receive the information. (Used most effectively when you have very important records that need to be available throughout the forest.)
Application Partitions All domain controllers within the application partition. By using an application partition, you can customize which domain controllers will receive the DNS data.
Root Hint Facts
Keep in mind the following facts regarding root hints.
The Cache.dns file holds the 13 root hint addresses for the Internet root servers. The Cache.dns file can be found in two locations:
%SystemRoot%\system32\dns\Cache.dns (the copy in use)
%SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the backup location)
If you have a root zone configured on a DNS server, the server will act as a root zone server.
A DNS server configured as a root zone server will never use the root hints file (Cache.dns). It considers itself authoritative. Consequently, the server won't access the Internet to forward DNS queries.
If you want the DNS server to access the Internet, delete the root zone in the DNS Console.
You can configure root hints through the properties of a DNS server or by configuring the DNS server's Cache.dns file. If the server is configured to load data from Active Directory, you must configure root hints using the DNS snap-in because the local Cache.dns is not used (the root hints data is stored in AD).
Stub Zones and Forwarding Facts
You should know the following facts about DNS performance:
A stub zone holds copies of the following DNS record types:
NS records for all DNS servers (primary and secondary).
SOA record for the primary server.
DNS A records (also called glue records) for the DNS servers.
A stub zone is dynamic. It will update itself with changes.
Use a stub zone to provide quick access to the name server list and to provide a method of keeping the name server list updated without replicating zone data.
Conditional forwarding allows DNS queries to be forwarded to specific DNS servers that have specific zones.
Conditional forwarding is static. You set up an IP address which handles a specific type of query.
Conditional forwarding must be updated when changes to forwarders are made.
If a DNS server is configured to use forwarders, you can disable recursion on the DNS server. This means the server submits requests to the forwarder and waits for a response.
Zone Transfer Facts
Replication through standard zones takes place through zone transfers. Secondary servers contact their master servers for new zone information. You should know the following facts about zone transfers:
The zone serial number is modified when changes are made to the zone file.
Zone transfer is initiated when a secondary server checks the master server and finds an incremented zone serial number.
Zone transfer notification occurs when the master server contacts the secondary server when changes have been made.
By default, a DNS server replicates the entire zone database (called a full zone transfer or AXFR).
A partial zone transfer, in which only the changed information is replicated, is also called an incremental zone transfer or IXFR.
To initiate a manual transfer, increment the serial number first. Otherwise, no transfer will occur (a transfer only occurs when the serial number has changed).
You can improve DNS performance by placing multiple DNS servers on your network. For example, you can place a secondary server on the other side of a WAN link to reduce WAN traffic caused by name resolution. However, zone replication traffic must still cross the WAN link.
A caching only server runs DNS but has no zones configured. Use a caching only server to improve performance while eliminating zone transfers.
An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when AD replicates.
If a zone is Active Directory-integrated and has no secondary servers, you can disable zone transfers. Zone data will continue to be replicated through Active Directory.
Normally, zone transfers happen automatically at periodic intervals. You can force an update of zone data through the DNS console or by using the Dnscmd command. The following table lists some actions you can take to refresh zone data manually.
DNS Console Action Dnscmd Option Result
Reload Dnscmd /ReloadZone The server reloads zone data from its local copy (it reads the data back in from the zone file on the hard disk).
Transfer from Master Dnscmd /Refresh Initiates a normal zone transfer. The DNS server compares its version number with the version of the zone master. If the version numbers are the same, no zone transfer takes place.
Reload from Master N/A The DNS server dumps its copy of the data and reloads the entire data from the master server.
To force a zone transfer, you can either update the sequence number on the master server and then transfer the data from the master, or you can simply reload the data from the master.
DNS Design Guidelines
Keep in mind the following facts about DNS namespace design:
Active Directory requires DNS.
A split-brain DNS solution allows you to run internal DNS and external DNS that don't communicate with one another. This helps to maintain internal security.
Following are three split-brain DNS configuration options:
Set up the same DNS name internally and externally.
Set up different DNS names internally and externally.
Set up the internal DNS as a subdomain of the external DNS.
The purpose of a split-brain DNS solution is to:
Allow external clients to access only external resources.
Allow internal clients to access all resources.
The table below lists the split-brain DNS configurations.
Split-brain DNS Configuration Implementation
Same Internal and External DNS Names Set both DNS servers as primary to prevent zone transfer traffic.
Allow internal client access to external resources by copying external resource records to the internal DNS server.
Different Internal and External DNS Names To allow internal clients to access external resources, set up a forwarder, either a regular forwarder or a conditional forwarder.
Internal DNS Name as Subdomain of External DNS Name One possible advantage is that you can run separate DNS infrastructures (e.g., an external Unix infrastructure and an internal Microsoft infrastructure).
One danger is that outside queries could include the internal namespace. Use the firewall to block these types of queries.
Set up a forwarder to allow internal clients to access external resources.
DNS Solutions
You have a wide variety of tools to help you in designing a DNS solution. The following table lists various zone types and configuration options and when to use each.
Solution Use
Primary zone Select a primary zone to manage zone data on non-domain controllers or non-Windows DNS servers.
Secondary zone Select a secondary zone to copy read-only zone data from another server. For example, your Windows server can be a secondary server to a non-Windows server, or a non-Windows server can be a secondary server to an Active Directory-integrated zone. Secondary zone servers accomplish three tasks:
Fault tolerance
Load balancing
Reduce name resolution traffic over WAN links
Reverse lookup zone Use a reverse lookup zone to find the host name for a given IP address. For example, use a reverse lookup zone if you need to identify the host name of clients who connect to a server or services. Following are reasons to set up reverse lookup zones:
To use Nslookup by using the IP address.
To use IP filtering in IIS.
To accommodate applications that rely on reverse lookups.
Active Directory-integrated zone Use when you have DNS servers that are also domain controllers. AD-I zones allow multi-master updates to the DNS database, automatically replicate data through Active Directory (rather than conventional DNS replication), secures zone updates, and allow secure dynamic client registration.
Caching only server Use to reduce DNS name resolution traffic over WAN links without the zone transfer traffic.
Zone delegation Use to subdivide a zone into multiple zones. This allows other administrators to manage parts of your name space.
Forwarders Use to send DNS queries to other servers when the current server does not hold the data.
Conditional forwarding Use to forward DNS queries based on the domain name characteristics. Without conditional forwarding, all requests are forwarded to the same servers. With conditional forwarding, requests are forwarded based on the domain name.
Stub zone Use when you need to automatically update lists of name servers for a domain but do not want to replicate zone data.
Root zone Use to make your DNS server authoritative for the entire name space. For example, you can configure a root zone to prevent name queries from being forwarded to the Internet root zone servers.
Root hints Root hints point to the root zone servers. Normally root hints point to the Internet root zone servers. If you have a custom root zone, make sure root hints on internal servers point to your root zone servers.
Dynamic DNS Use to allow clients to update DNS records.
Secure updates Use to prevent unauthorized changes to dynamically-created DNS records. When enabled, only domain members can register DNS records, and only the same computer can modify those records. Secure updates are available only on Active Directory-integrated zones.
DNS Troubleshooting Tools
You should know how to use the tools listed in this table:
Tool Use
Nslookup Use the Nslookup tool to perform DNS name resolution. Enter the name of the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd Dnscmd displays the properties of DNS servers, zones, and resource records. You can also use Dnscmd to modify these properties, create and delete zones and resource records, and force replication.
Ping Use Ping to determine if an IP address is accessible. If you can ping an IP address, try to ping the logical name of the host. If the logical name test fails, you should troubleshoot the name resolution system.
Network Monitor Use Network Monitor to analyze and monitor network traffic.
Ipconfig You can use Ipconfig without switches to display the IP address, subnet mask, and default gateway for all adapters. However, the following switches are useful when troubleshooting DNS.
/Displaydns, to display the contents of the local DNS cache.
/Flushdns, to flush the local DNS cache.
/Registerdns, to force a client to register its DNS information.
DNSLint The DNSLint utility helps you to isolate and diagnose DNS problems. You must use one of the three following switches with DNSLint.
/d, to perform domain name tests
/ad, to perform AD tests
/ql, to perform DNS query tests from a list
To provide fault tolerance for DNS servers, use one of the following strategies:
Use Active Directory-integrated zones. If one DNS server goes down, zone data is still stored in Active Directory. Be sure to analyze the replication scope to make sure you have at least two servers holding the DNS data for each zone.
Create secondary zones. If the primary server goes down, you can change one of the secondary zones to the primary zone.
Back up the DNS database. If you have only one DNS server, be sure to back up the DNS database. For non-Active Directory-integrated zones, you can back up the DNS files or copy them to another location. For Active Directory-integrated zones, you must back up the system state data (because DNS is stored in Active Directory).
Remote Access Facts
Keep in mind the following facts about configuring remote access.
The number of dial-up modem connections permitted depends on the number of modems that are installed on the remote access server. If you have only one modem installed on the server, you can only have one modem connection at a time.
Before shutting a remote access server down, terminate all client idle sessions.
To enable clients to receive their addresses from a DHCP server, configure the remote access server to use DHCP for addressing.
When you use PPP as the WAN protocol, you can use DHCP for addressing and encryption.
To allow remote clients to access resources on both the remote access server and the local network, enable both remote access and LAN routing. To restrict access to only the remote access server, enable only remote access.
When you establish a LAN protocol, the client must be configured with all protocols used by all devices on the private network with which it communicates.
To access resources on a remote network, users must be given the appropriate permissions.
Authentication Protocol Comparison
Authentication protocols ensure that remote users have the necessary credentials for remote access. The following table compares the authentication protocols supported by a Windows 2003 remote access server. Protocols are listed in order, from least secure to most secure. As a rule, select the highest level of authentication supported by the clients.
Protocol Characteristics Client Support
Password Authentication Protocol (PAP) Client sends a username and plain text password for authentication.
Password can be easily intercepted.
Use only when no other form of authentication is supported 2003/XP/2000
NT 3.5/4.0
95/98/ME
Shiva Password Authentication Protocol (SPAP) Used to connect to a Shiva LAN Rover.
Uses an encrypted password for authentication.
Password encryption is easily reversible 2003/XP/2000
NT 3.5/4.0
95/98/ME
Challenge Handshake Authentication Protocol (CHAP) Uses a three-way handshake (challenge/response).
Uses MD5 hashing of the shared secret for authentication. 2003/XP/2000
NT 3.5/4.0
95/98/ME
Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAP v1) Similar to MS-CHAP v2, uses challenge/response for authentication.
Server authenticates the client (client cannot authenticate the server).
Encrypts the secret used for authentication 2003/XP/2000
NT 3.5/4.0
95/98/ME
Microsoft Challenge Handshake Authentication Protocol version2 (MS-CHAP v2) Highest level of authentication possible without using EAP.
Uses a challenge/response mechanism for authentication.
Allows both the client and the server to authenticate each other.
Encrypts the secret used for authentication. 2003/XP/2000
NT 4 (SP 4)
98 (SP 1)
95 (with the latest updates for a VPN connection only)
Extensible Authentication Protocol (EAP) Client and server negotiate the characteristics of authentication.
Used for smart cards or biometric authentication. 2003/XP/2000
For wireless clients, the most secure solution uses Protected EAP (PEAP) for an initial authentication to the wireless access point. When using PEAP, select one of the following two options:
PEAP-EAP-TLS. This authentication method uses certificates (either on the local system or on a smart card) to complete the authentication process.
PEAP-MS-CHAP v2. This method uses certificates on the server, but simple passwords on the client. Use this method when the client does not have a certificate.
PEAP support is enabled as follows:
Windows XP SP1, included as a feature of the service pack.
Windows Server 2003.
Windows 2000, supported through a special download and install.
Remote Access Client Configuration
You should know the following facts about remote access client configuration:
The client must be running all networking protocols (such as IP or IPX) that are used on destination computers.
Both the remote access client and the remote access server must use a common WAN protocol (such as PPP).
If your client and server have multiple modems, you can configure both to use multilink. With multilink, multiple physical connections are established to increase the bandwidth of a single connection. When using multilink, enable Bandwidth Allocation Protocol (BAP) to establish and drop links based on link activity.
Callback is a form of security in which the server disconnects the user after authentication then immediately calls the user back. The server can use a preset phone number for each user, or the user can enter a callback phone number after authentication. You cannot use multilink and callback together.
To configure remote clients for DNS, configure them with the IP address of the DNS server on the private network. DNS requests will be automatically routed to the DNS server.
Remote Access Policy Facts
A remote access policy consists of the following components.
Component Description
Conditions Remote access conditions identify which policies apply to incoming connections. The remote access server checks the conditions included with a policy. If all conditions match, the server processes the policy and user account settings to determine what access to allow or deny.
Permissions Permissions determine whether remote access is granted or denied. Permissions come from a combination of settings in the user account and the remote access policy. There are only three possible permission settings:
Grant remote access
Deny remote access
Control access through the remote access policy (only settable in the user account)
Profile A profile is the list of settings that are applied to the connection once access is granted. Profile settings can reject or restrict remote access to connections that:
Use a specific media type
Are initiated during specific days and times
Use specific authentication protocols
Use specific encryption protocols
You should be familiar with the RAPCAP process:
Remote access policies determine the level of access remote clients get to resources.
Authorization for access to resources is determined by three steps:
Conditions
Permissions
Profile settings
Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy in order is checked.
You should put more specific (or restrictive) policies at the top of the list to make sure they're not supplanted by more general policies.
When a match is found, that policy will be used for the connection (no other policies will be checked).
If the connection does not match any conditions in any policy, the connection will be refused.
After a matching policy is found, permissions are checked. If the permissions deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy (unless Control access through Remote Access Policy is selected).
By default, the user account setting for remote access is set to Deny.
The Control access through Remote Access Policy setting is only available in 2000 native mode or Windows 2003 domain functional level.
If the permissions grant access, the policy profile is checked for additional conditions.
If all profile conditions match, the connection is granted. If not, it is refused.
You can establish enough restrictions through the profile to prevent user access.
You should also know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
IAS Facts
If your network includes several remote access servers, you can control remote access from a single location by installing a Remote Authentication Dial-In User Service (RADIUS) server. Internet Authentication Service (IAS) is the service you install on a Windows 2000 server to make it a RADIUS server.
You should know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny access. The IAS server notifies the remote access server whether access is allowed for the remote access client.
To configure a remote access server as a RADIUS client, configure the authentication provider on the remote access server. Point to the IAS server and configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server as the authentication provider. You will need to supply the same shared secret as was configured on the RADIUS client.
Troubleshooting Remote Access
Most remote access problems are caused by misconfiguration. Problems are typically manifested by an error message that describes the nature of the problem. Read the error messages to identify likely causes, and then verify the applicable remote access configuration parameters.
When you try to establish a remote access connection, the following four processes take place:
Opening the port. The system initializes the modem or port used for remote access.
Dialing. The system attempts to connect to the remote system.
Authenticating. After a physical connection with the remote system is made, authentication protocols and credentials are verified.
Registering the computer. The computer is identified on the network and access is granted.
If the connection fails in the first two stages (making the connection):
Verify the hardware and physical connection.
Verify the configuration of the remote access connection object.
Verify that there are free ports on the remote access server to answer the call.
If the connection fails during the last two stages (authenticating and registering the computer):
Verify the username and password against a valid user account.
Check remote access policies.
Verify that authentication protocols match between the client and the server.
Verify remote access addressing.
If a connection can be made, but the client can only access resources on the remote access server (and not on other servers connected to the remote network):
Verify that the client is using all necessary LAN protocols used by servers on the remote network.
Verify that the remote access server is configured for both remote access and LAN routing.
Default and Static Routes
You should know the following facts about routes:
Routes to directly connected networks are automatically created. If a router only needs to communicate with directly-connected networks, no special routes are needed.
Use the Route Print command to view the routing table.
Use the Route Add command to add routes from the command prompt. Use the syntax:
Route add destination_address mask subnet_mask -p
For example, to add a route to network 192.168.1.0 with mask 255.255.255.0, use the command:
Route add 192.168.1.0 mask 255.255.255.0 -p
The -p parameter makes the route permanent. It will be added each time the router reboots.
A default-route is used when no other routes in the routing table are found. You can also add a default-route entry to your routing table.
Keep in mind the following when creating special routes:
For a route to a subnet (network), enter the subnet address and mask.
For a route to a host, enter the host IP address and 255.255.255.255 for the mask.
For the default route, use 0.0.0.0 for the network and 0.0.0.0 for the mask.
Choosing a Routing Solution
The following table lists router solutions and their applications.
Solution Uses
Default routing entries Use when the router has only directly-connected networks.
Static routes Use for small networks (10 subnets or less) that do not change often.
Use to eliminate traffic due to routing updates.
RIP Use for small networks (50 or less subnets) when a dynamic solution is required.
OSPF Use for larger networks (50 or more subnets) when a dynamic solution is required.
Use when you want to minimize (or reduce) traffic due to routing updates.
Windows 2003 supports RIP 1 and RIP 2. RIP has the following characteristics:
RIP uses hop and tick counts to calculate optimal routes.
RIP routing is limited to 15 hops to any location (16 hops indicates the network is unreachable).
At startup, the router advertises itself and information about its directly-connected networks and requests other routers to respond.
RIP broadcasts its entire routing table every 30 seconds.
A RIP broadcast has a limit of 25 network entries. If more networks are in the routing table, additional broadcasts must be made.
At router shutdown, the router advertises that it is going down. Routers receiving this notification remove all routes accessible through the downed router from their tables.
Each route has a timeout value of 180 seconds. Each new broadcast containing information for that route resets the timeout.
Failed routes are detected when the timeout is reached. After the timeout, the route is removed.
RIP 2 supports multicasts, variable subnets, authentication, and next hop addresses.
Demand Dial Routing Facts
The following process is used to establish a demand-dial link:
A host sends a message to a host on the remote network.
The source router identifies the remote network, and initiates a link by calling the destination router.
The destination router answers the call, and verifies the user credentials and permissions.
The destination router identifies the link as a demand-dial link by matching the username with its port name.
Data is transferred to the destination host.
The link stays active until the preconfigured idle disconnect time. If no data has been sent during that time, the link is dropped.
To configure and enable demand-dial routing, complete the following tasks:
Enable demand-dial routing on the server.
Enable the port for use by demand-dial.
Add the port as a demand-dial interface.
Create a user account on the local system or domain that corresponds to the local demand-dial port. (You can use the Demand Dial Interface wizard to create this account automatically.)
Set the credentials for the remote user account that corresponds to the remote demand-dial interface.
Create static routes or configure auto-static updates to add routes to the remote network.
Auto-static updates can be used to populate the routing table with remote routes over a demand dial link. Keep in mind the following about auto-static updates.
A routing protocol is used initially to share routing information. However, the information is sent only once. The routers do not exchange periodic broadcasts.
Because auto-static updates are not performed on a regular basis through the routing protocol's default advertisements, you must either manually perform the update or schedule updates as a scheduled task. When you schedule updates, routing exchanges take place at much longer intervals than the routing protocol's update interval.
You can configure auto-static updates for IP RIP, IPX RIP, and IPX SAP, but not for OSPF.
Troubleshooting Demand Dial Routing
Use the information in the following table to troubleshoot demand dial routing problems:
Problem Cause and Solution
Application and time-out errors Some errors happen with demand-dial routing because the link between the routers is not yet established when data is first sent from a host. The host assumes the link exists and begins sending data. In the meantime, the router must call the remote system and establish the link. The time delay can cause the router buffer to fill, or the delay may lead the application to think the remote system is not responding. In most cases, retrying the request succeeds.
Authentication errors Authentication errors are typically caused by incorrectly configuring the username used by the demand-dial router to contact the remote router. Verify that the username matches the remote port, and that a user account with dial-up permission exists. Also verify the remote access policies and remove any restrictions that incorrectly limit access.
Only one-way communication If one host can connect to the remote router, but a host on the remote network cannot connect back, verify that the username settings for both routers match the remote port name. It is also possible for one router to use an incorrect username, but still be granted a connection if there is a user account with that name. However, the connection will be a remote access connection, not a demand-dial connection.
Endpoint identifier errors Endpoint identifier errors occur when compatible addresses (such as IP addresses on the same subnet) are not assigned to each communicating port. Check to make sure that a DHCP server is available, or that the dial-up line is configured to assign addresses.
Lost auto-static routes If you have configured the server for auto-static routing updates, and the routing table contains data but later is empty, check to make sure that each router can establish a connection with the other. If a connection cannot be made to send the updates, the table will not contain any auto-static routes because they have been deleted. Correct the problem by scheduling auto-static updates or updating routes manually.
NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the Internet without obtaining registered addresses for every host. Private addresses are translated to the public address of the NAT router.
The NAT router maps port numbers to private IP addresses. Responses to Internet requests include the port number appended by the NAT router. This allows the NAT router to forward responses back to the correct private host.
NAT supports a limit of 5,000 concurrent connections.
NAT provides some security for the private network because it translates or hides the private addresses. In addition, outside hosts cannot normally initiate contact with private hosts (unless explicitly configured).
A NAT router can act as a limited-function DHCP server, assigning addresses to private hosts.
A NAT router can forward DNS requests to the Internet.
NAT does not work with IP protocols that embed an IP address in the packet data. For this reason, you cannot create a VPN on two sides of a NAT router. However, special modifications do allow FTP to function with NAT.
DHCP Relay Agent Facts
To properly configure the Relay Agent, you need to perform three tasks:
Add the Relay Agent via the remote access snap-in.
Configure the router's interface to relay DHCP packets.
Configure the Relay Agent with the main DHCP server's IP address.
Instead of configuring a relay agent, you can also enable BOOTP forwarding on the router, or place a DHCP server on the local subnet.
Common Port Numbers
Port numbers identify a specific service running on a computer. As a best practice, configure your firewall to allow only the ports for the services provided on your network (and block all others). The following table lists port numbers for common services.
Port(s) Service
20, 21 File Transfer Protocol (FTP)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
50, 51 IPSec
53 Domain Name Server (DNS)
67, 68 Dynamic Host Configuration Protocol (DHCP)
69 Trivial File Transfer Protocol (TFTP)
80 HyperText Transfer Protocol (HTTP)
88, 749 Kerberos
110 Post Office Protocol (POP3)
119 Network News Transport Protocol (NNTP)
137-139 NetBIOS
143 Internet Message Access Protocol (IMAP4)
161, 162 Simple Network Management Protocol (SNMP)
389 Lightweight Directory Access Protocol (LDAP)
443 HTTP with Secure Sockets Layer (SSL)
500 (UDP), 1701 Layer Two Tunneling Protocol (L2TP)
1723 Point-to-point Tunneling Protocol (PPTP)
For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and 443.
Firewall and Proxy Facts
Keep in mind the following facts about firewalls and proxy servers.
• A firewall prevents invalid communications from entering a network while allowing valid communications to travel in and out.
• TCP/IP Filtering is a form of a very basic firewall.
• TCP/IP Filtering allows you to block ports that you specify.
• TCP/IP Filtering requires you to enable the setting for all NICs or no NICs.
• ICF blocks all externally generated communications. Communications generated internally can pass through the firewall as well as external responses to those communications.
• You can allow external communications through the firewall by enabling the appropriate ports.
• Packet filtering is available in the RAS Console.
• Packet filtering allows you to specify input and output filters for each NIC.
• Packet filtering allows you to restrict access based on ports, protocols, or IP addresses.
• Packet filtering offers a higher degree of control over network traffic.
• An ingress filter allows you to prevent malicious actions like address spoofing.
• An ingress filter will inspect packet headers to verify them.
• Proxy servers speed up Web caching and restrict access to the Internet.
• Through caching, a proxy server can significantly increase bandwidth performance.
• A proxy server allows you to restrict Internet access through user and group accounts.
• Client browsers can either automatically detect the proxy server or access it through a specific proxy IP address.
VPN Protocols
If you are designing a VPN connection, you must identify the tunneling protocol used for the connection. Windows 2003 supports the following tunneling protocols:
Point-to-Point Tunneling Protocol (PPTP), supported by all 32-bit Microsoft clients.
Layer Two Tunneling Protocol (L2TP), supported by Windows 2000/XP/2003 clients.
The tunneling protocol you choose will also effect the authentication and encryption options available. The following table summarizes these choices.
Tunneling Protocol Authentication Protocol Encryption Protocol OS Support
PPTP EAP* or MS-CHAP (v1 or v2) MPPE 2000/XP/2003
NT 4.0
95/98/ME
L2TP EAP or MS-CHAP (v1 or v2)
Kerberos v5**
Certificates IPSec 2000/XP/2003
*EAP is supported only on Windows 2000/XP/2003.
**IPSec requires machine authentication (not user authentication) through either Kerberos or certificates. Use EAP or MS-CHAP to enforce user authentication.
IPSec Facts
IPSec is supported only on Windows 2000/XP/2003. How computers use IPSec to communicate is controlled through IPSec policies. Windows comes with the following three IPSec policies:
Policy Characteristics
Client (Respond Only) Can communicate normally (unsecured).
Contains a default response rule that lets it negotiate with servers that request IPSec.
Server (Request Security) Requests security using Kerberos V5 protocol for all IP traffic.
Allows unsecured communication with clients that do not respond to the request.
Secure Server (Require Security) Requires security using Kerberos V5 protocol for all IP traffic.
Does not allow unsecured communication with clients.
You should also know the following facts about IPSec:
• IPSec is identified by displaying two protocols in the Network Monitor: AH (Authentication Header) and ESP (Encapsulating Security Payload).
• AH is displayed in Network Monitor when IPSec is configured for mutual authentication. AH digitally signs each packet to ensure data integrity. AH does not encrypt data.
• ESP is displayed in Network Monitor when IPSec is configured to encrypt frames. ESP encrypts the data portion of the IP packet.
• Use the IP Security Monitor MMC snap-in to verify IPSec traffic.
• To monitor IPSec negotiations, the audit logon events setting must be enabled. The security log file should be set to at least 10 MB in size.
• To view DNS names in IPSec Monitor, enable DNS name resolution.
• Microsoft recommends that you stop the Routing and Remote Access service before stopping the IPSec service.
• Use the Net stop remoteaccess command at the command line to stop the remote access service.
• Use the Net stop policyagent command at the command line to stop the IPSec service.
• An authentication failure occurs when the authentication methods don't match on both machines that are trying to establish a security association.
• A Bad SPI message can appear when the key lifetime is set too low.
• The Audit Logging feature of Windows Server 2003 can be used to monitor IPSec events.
Preconfigured Templates
Security templates are a collection of settings that configure settings to a predefined state. Windows provides the following predefined security templates:
Template Function
Setup Security.inf Created specifically for each computer during setup
Differs depending on whether installation was a clean installation or an upgrade
Contains default security settings applied during installation
Defines default file permissions for system drive root
Used on workstation or servers (not on domain controllers)
Should not be applied through group policy
DC Security.inf Created when server is upgraded to a domain controller
Gives default security settings for files, registry, and system service
Secure*.inf Secures a system without causing application or compatibility issues
Securews.inf can be applied to a workstation or a server
Securedc.inf can be applied to a domain controller
Hisec*.inf Specifies additional security settings beyond the Secure templates
Hisecws.inf can be applied to a workstation or a server
Hisecdc.inf can be applied to a domain controller
Compatws.inf Forces compatibility across Windows platforms
Should not be applied to domain controllers
Remember the following tips when applying templates:
• Use the Setup Security.inf template to restore the system to its default state.
• Apply additional templates to add security (just applying the more secure template might not reset custom settings to their default state).
• Use Group Policy to deploy and periodically enforce templates (the template will be applied at normal group policy application times).
• Don't use Group Policy to distribute the Setup Security.inf template because it is very large and will consume a lot of bandwidth and take time as it is applied to the computer.
• You can customize a preconfigured template to meet your needs. After you modify the template, save it with a new file name to preserve the preconfigured settings.
• Secedit.exe allows you to apply only the parts of a template that you need. (A better solution is to customize the template and save it with a different name.)
Template Facts
Use the Security Analysis and Configuration snap-in to manage security templates, analyze current settings, create custom templates, or import an existing template. When working with templates:
• Compare an existing system with a template to see how the system compares to the template.
• Clear current settings before importing a new template.
• After applying a secure template, you might need to restore group memberships in the Administrators or Power Users group.
• You can also use the Secedit command to analyze and apply templates.
• You should also know the following facts about security analysis:
• The Microsoft Baseline Security Analyzer will tell you which patches have been installed on a particular computer.
• You should also need to verify that patches have not been manually applied.
• Check the Windows Update log to see if a patch came from the Software Update Server or from the Windows Update website.
Use the following key to decipher the meanings of icons when analyzing the system:
= The system does not match the template
= The system meets or exceeds the template
= The template does not define the value
Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) is a tool you can use to scan the local and remote computers for security compliance. The MBSA tool looks for the following operating system vulnerabilities:
• Installed and missing hotfixes
• Guest account status
• Administrator group membership
• Weak passwords on user accounts
• Non-expiring passwords
• Restrict anonymous access settings
• Auto logon
• File system type used on each drive
• Shares
• Automatic update configuration
• Internet Connection Firewall (ICF) configuration
• Unnecessary services
• Auditing
Program vulnerabilities for programs such as Internet Explorer, Media Player, IIS, SQL, Exchange, and Office
MBSA does not come as part of the 2003 Server installation. You can download it from Microsoft's Web site. You should know the following facts about MBSA:
The analyzer runs in both a GUI and command-prompt mode (run Mbsacli.exe to run from the command line).
You can use MBSA to analyze up to 10,000 remote computers at a time. Results of the analysis can be saved to a file for later review.
MBSA can analyze Windows NT/2000/XP/2003 computers.
You must have administrator privileges to scan a local or remote computer.
To scan a local computer, make sure the Workstation and Server services are enabled.
The computer running MBSA to analyze remote computers must be running the Workstation service and have Microsoft Networks turned on.
The computer that you are analyzing must be running the following services:
• Remote Registry
• Server
• File and Print sharing
To analyze only missing hotfixes and updates, run Mbsacli.exe /hf (this command replaces the Hfnetchk.exe utility).
A similar utility Qfecheck.exe, scans Windows 95/2000/XP computers for missing hotfixes. However, this utility can only analyze the local computer.
Security Principles Facts
Use the following guidelines when considering security:
• Design securities strategies according to the rule of least privilege. This means that you give users the fewest rights and privileges possible while still allowing them to do their jobs. (It is easier to add permissions than it is to remove permissions.)
• Disable unnecessary services as well as file and print sharing when they're not needed.
• Implement a firewall and up-to-date anti-virus software.
• Audit the system regularly.
• Use security templates and Group Policy to apply security settings uniformly across the network.
• Use IPsec and SSL to secure network communications.
• Use SUS to control the updates deployed across the network.
• Use Hfnetchk to scan computers for hot fix levels.
• Use Mbsacli to scan remote computers for security and configuration issues.
Services Facts
You should know the following facts about services:
• Services are programs that run continuously in the background.
• The three service startup behaviors are:
• Automatic
• Manual
• Disabled
• You can control service behaviors (including startup behaviors) through Group Policy.
• Services run under the security privileges of a user account. There are three types of built-in accounts (you can also use custom accounts to run services):
• The Local System account provides full access to the system.
• The Local Service account provides access to particular services.
• The Network Service account provides access to services on the network.
• Because services run using a user account, make sure the password is configured correctly, the user account is not locked, and the user account is enabled.
• Take care not to disable a service upon which other services depend.
• You can view dependent services through the services console or by executing the SC.exe command.
• Use Msconfig.exe to troubleshoot services.
SUS Facts
Software Update Services (SUS) allows you to configure the distribution of operating system patches for clients, including ones related to security. You can deploy SUS in the following ways:
The SUS server approves the updates. Clients contact the SUS server for update approvals then retrieve the updates from the Windows Update server. This requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates locally for clients to retrieve. Reduces bandwidth demands since only the SUS server contacts the Windows Update server.
The SUS servers in various locations would be responsible approving and synchronizing updates and then contacting the Windows Update server.
Use a "master" SUS server to approve and synchronize updates from the Windows Update server. The child SUS servers synchronize updates from the master. If WAN bandwidth between the master and child servers is poor, you may decide against this structure.
In most enterprise implementations, client computers contact local SUS servers to get a list of approved updates and download those updates. In this configuration, SUS client computers must be configured to receive updates from the local SUS server instead of the Windows Update Web site. The easiest way to configure client settings is to use Group Policy to distribute the server name and other update parameters. The following table lists the Automatic Update policies:
Policy Description
Configure Automatic Updates There are three options for configuring the behavior of the Automatic Updates client:
Notify for Download And Notify For Install
Auto Download And Notify For Install
Auto Download And Schedule The Install
Reschedule Automatic Updates Scheduled Installations If a client machine is turned off during a scheduled installation, by default the installation occurs at the next scheduled time. However, this policy allows you to set the installation to occur between 1 and 60 minutes after the system starts up.
No Auto-Restart For Scheduled Automatic Updates and Installations This policy allows Automatic Updates to disregard a required restart when a user is logged on. The user receives a notification about the required restart but is not required to restart the machine.
Specify Intranet Microsoft Update Service Location This policy allows you to redirect clients from the Microsoft Windows Update server to a SUS server on your network. You can also set logging to occur on any server on the network running IIS. IIS logs are found in %Windir%\System32\Logfiles\W3svc1.
WSUS Facts
0comments
Post a Comment