Presented to: Prof. Jeusuel Nonnatus N. de Luna
TABLE OF CONTENTS
I. Introduction to Windows Server 2003 Active Directory
1. What is Directory Service
2. Why use Directory Service
3. Features of Active Directory
4. Active Directory Objects
5. Active Directory Components
6. Global Catalog
7. Active Directory Infrastructure
II. Administrating Domain Name System
1. Domain Name System
2. DNS Namespace
3. Types of DNS Namespace
4. Creating DNS Namespace
5. DNS Servers
6. DNS Records
7. How DNS works
8. Benefits of DNS
III. Administrating WINS and DHCP
1. NetBIOS
2. WINS
3. WINS Architecture
4. WINS Components
5. WINS Operation
6. Benefits of WINS - Advantage and Disadvantage
7. DHCP
8. DHCP Terms
9. Components of DHCP
10. How DHCP works
11. Integration of DHCP and DNS
12. IP Address Allocation
13. Benefits of DHCP
IV. Internet Information Service
1. Benefits and Features of IIS
2. IIS 6.0 Services
3. IIS 6.0 Architecture
4. IIS 7.0 Architecture
V. File Transfer Protocol
1. FTP Site
2. FTP Client
3. How FTP works
4. FTP modes and security
5. Anonymous FTP
VI. Simple Mail Transfer Protocol
1. SMTP Session
2. Message Retrieval Operation
3. SMTP Server and Security
4. POP and IMAP
VII. SNMP
1. Basic Components of SNMP
2. Basic Commands of SNMP
3. SNMP Versions
VIII. TELNET
1. TELNET Services
2. How Telnet works
3. Command line Parameters
4. Telnet Security
IX. Network Security
1. Network Security Policy
2. Management and Organizational Issues
3. Make Security Pervasive
X. Data Backup and Disaster Recovery
1. Planning for Backup and Recovery
2. Types of Backup
3. Types of Backup Media
4. Backup Tips
5. Disaster Recovery
REFERENCES
I. INTRODUCTION TO WINDOWS SERVER 2003 ACTIVE DIRECTORY
1. What is Directory Service?
Directory services are software systems that store, organize and provide access to directory information in order to unify network resources. Directory services map the network names of network resources to network addresses and define a naming structure for networks.
Source: http://www.techopedia.com/definition/18887/directory-services
2. Why use Directory Service?
The directory service provides transparency to protocols and network topology, permitting users to access resources without having to be aware of the physical location of the devices. It’s an important component of the network operating system and is a central information repository for a service delivery platform.
Directory services identify every resource on the network, such as email addresses, peripheral devices and computers, and make these resources accessible to users and applications.
Specific directory services called naming services map the names of resources in the network to the respective network address. This directory service relieves users from having to know the physical addresses of network resources. Directory services also define namespaces for networks, which hold one or more objects as name entries.
Directory services hold shared information infrastructure to administer, manage, locate and organize common items and network resources. It is also a vital component of network operating systems.
Source: http://www.techopedia.com/definition/18887/directory-services
3. Features of Active Directory
The following list summarizes the Active Directory features that are available by default on any domain controller running Windows Server 2003.
* Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
* Drag-and-drop functionality. Move Active Directory objects from container to container by dragging one or more objects to a desired location in the domain hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
* Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
* Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.
* Active Directory command-line tools. Run new directory service commands for administration scenarios.
* InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
* Application directory partitions. Configure the replication scope for application-specific data among domain controllers. For example, you can control the replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone replication.
* Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
* Universal group membership caching. Prevent the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group membership information on an authenticating domain controller.
* Secure LDAP traffic. Active Directory administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
* Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise Administrators are exempt from quotas.
Source: http://technet.microsoft.com/en-us/library/cc739255(v=ws.10).aspx
4. Active Directory Objects
Active Directory may contain all objects listed here, and all objects listed that are contained by organizational units (OUs).
1. Domain - The core unit in the Active Directory structure.
2. Organizational Unit (automatically published) - Other organizational units may be contained inside organizational units.
Leaf objects are objects such as users and computers which cannot contain other objects.
Organizational Units
Organizational Units are called container objects since they help to organize the directory and can contain other objects, including other OUs. The basic unit of administration is now the organizational unit rather than the domain. Organizational units allow the creation of subdomains, which are also called logical domains. Microsoft recommends that there should never be more than 10 levels of organizational unit nesting. Since deeper OU nesting slows directory access, normally there should be no more than three or four levels of nesting. Organizational units may contain:
a) Organizational Unit (automatically published) - Used to create a hierarchy of AD objects into logical business units. Other organizational units may be contained inside organizational units.
b) User (automatically published) - Individual person.
c) Group (automatically published) - Groups of user accounts. Groups make user management easier.
d) Computer (those in the domain are automatically published) - Specific workstations.
e) Contact (automatically published) - Administrative contact for specific Active Directory objects.
f) Connection - A defined one-direction replication path between two domain controllers, making the domain controllers potential replication partners. These objects are maintained on each server in "Active Directory Sites and Services".
g) Shared folder - Used to share files; they map to server shares.
h) Printer (most are automatically published) - Windows NT shared printers are not published automatically.
i) Site - A grouping of machines based on a subnet of TCP/IP addresses. An administrator determines what a site is. Sites may contain multiple subnets. There can be several domains in a site. For example, an organization may have branches around the city they are located in. Each location may be a site.
j) Site container
k) Site link - Defines the connection between sites. Can indicate the cost of sending data across a network in terms of available bandwidth. It is a list of two or more connected sites. Whether the link will use RPC or SMTP for passing data must be determined before creating the link, since it cannot be changed.
l) Site link bridge - Allows one site in a string of sites to replicate through one or two sites to a second or third site. These are only used for fine control of how replication will occur across WAN links.
m) Site settings
n) Subnet - A part of a network based on addresses, which is usually connected using routers. Subnets must be created in each site object before it is really active. A network address and subnet mask are used to define the subnet.
o) Subnet container
p) Trusted domain
* Pre-installed Container Objects
Pre-installed container objects provide backward compatibility with Windows NT. They look and act like organizational units and include:
Built-in - Built-in local groups.
Computers - Computer accounts created using Windows NT. It is a list of workstations.
Computer - Used to manage particular workstations.
Domain Controllers - A list of domain controllers.
Foreign Security Principles - Shows trust relationships with other domains.
Users - Windows NT users.
* Object Access
Controlling objects in Active Directory controls access only to objects in Active Directory. Objects outside Active Directory may have their own access control. Permissions on corresponding objects in Active Directory do not affect permissions on external objects. Therefore, the user must have both Active Directory and object access.
When setting object permissions, they can be set so the change applies to all children of the object or only to the object itself. You can also set child objects to inherit permissions from their parent object. Access to specific object properties can be controlled. Object permissions for users and groups include:
Full Control - Allows full access to the object and its sub-objects, with the ability to take ownership of objects and change permissions of objects and sub-objects.
a) Read - Allows object contents and properties to be displayed.
b) Write - Allows object contents and properties to be changed, except for modifying permissions, configuring auditing, or taking ownership.
c) Create All Child Objects - Allows creation of any child objects.
d) Delete All Child Objects - Allows deletion of any child objects.
Object access is controlled using the Active Directory Users and Computers tool by clicking on "View", "Advanced Features", clicking + next to the domain, right-clicking the object, selecting "Properties", clicking the "Security" tab, and continuing.
* Permission Combinations
When the permissions of a user and of the groups the user is in differ for specific objects, the least restrictive permissions normally apply. The only exception to this is if the user or group is specifically denied one or more specific permissions to the object. When some permissions are denied, the most restrictive denials of permissions apply to the user. If the Full Control permission is denied to a user or group, that user or group will have no permissions. Explicit permissions set at the child object level override permission denial at the parent level, even if the child is set to inherit permissions from the parent.
* Object Ownership
Ownership can be taken if a user has the Take Ownership right to the object or if the user is part of the Domain Admins group. Object ownership is controlled using the Active Directory Users and Computers tool by clicking on "View", "Advanced Features", clicking + next to the domain, right-clicking the object, selecting "Properties", clicking the "Security" tab, clicking "Advanced", and continuing.
* Active Directory Object Administration Delegation
Management of objects listed in Active Directory can be delegated to other administrators. Administrative authority cannot be delegated for objects smaller than the Organizational Unit (OU). There are two ways to delegate object control:
Find the object in the Active Directory Users and Computers tool, right click on the object, and select "Delegate Control". The Delegation of Control Wizard will start.
Perform the same action as is done when configuring permissions by using the "View" menu in the Active Directory Users and Computers tool, and click on "Advanced Features".
* Object Identifiers
Object identifiers are strings in a dot notation similar to IP addresses. There are authorities that issue object identifiers. Each of these authorities can give an object identifier on a sublevel to other authorities. The International Standards Organization (ISO) is the root authority. The ISO has a number of 1. When it assigns a number to another organization, that number is used to identify that organization. If it assigned CTDP the number 469034, and CTDP issued 1 to Mark Allen, and Mark Allen assigned 10 to an application, the number of the application would be "1.469034.1.10".
* Object Attribute Syntax
Attribute syntax defines the type of data the attribute contains. The following are the attribute syntaxes defined by the oMSyntax numbers 2.2.2.0 through 2.5.5.17:
Undefined - illegal
Object (DN-DN)
String (Object ID)
Case sensitive string
String not sensitive to case
Printable string
Numeric string
Binary object
Boolean
Integer
Octet string
Time string
Unicode string
Presentation address
DN string object
NT-sec-desc - Windows NT security descriptor
Large integer
Security ID - Windows NT security ID
Source: http://www.comptechdoc.org/os/windows/win2k/win2kadobjects.html
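The permission-combination rules given under Object Access above (allows from the user and all of their groups accumulate, any deny removes that permission, a denied Full Control leaves nothing, and an explicit entry on the child overrides a denial inherited from the parent), worked through as an added example that is not part of the original report. It expands Full Control into the individual rights the text lists plus Take Ownership and Change Permissions; the principal names and scenarios are constructed.

```python
from dataclasses import dataclass

# Individual rights behind the permissions described above. Full Control is
# the union of all of them (names follow the report's wording; constructed).
RIGHTS = (
    "Read", "Write", "Create All Child Objects", "Delete All Child Objects",
    "Take Ownership", "Change Permissions",
)


@dataclass(frozen=True)
class Ace:
    """One access-control entry on an Active Directory object."""
    principal: str            # user or group name
    permission: str           # a right from RIGHTS or "Full Control"
    allow: bool               # False means an explicit Deny entry
    inherited: bool = False   # True when the entry flows down from the parent


def expand(permission):
    """Full Control stands for every right; anything else is a single right."""
    if permission == "Full Control":
        return set(RIGHTS)
    if permission not in RIGHTS:
        raise ValueError(f"unknown permission: {permission}")
    return {permission}


def effective_rights(principals, aces):
    """Return the rights a user holds on one object.

    principals: the user's own name plus every group the user belongs to.
    aces: the object's ACL, including entries inherited from its parent.
    Rules applied: allows from all matching entries accumulate; any deny for
    a right removes it; a denied Full Control denies every right; an explicit
    entry on the object overrides an inherited entry for the same right.
    """
    explicit_allow, explicit_deny = set(), set()
    inherited_allow, inherited_deny = set(), set()
    for ace in aces:
        if ace.principal not in principals:
            continue
        rights = expand(ace.permission)
        if ace.inherited:
            (inherited_allow if ace.allow else inherited_deny).update(rights)
        else:
            (explicit_allow if ace.allow else explicit_deny).update(rights)
    # Inherited entries count only for rights the object does not set explicitly.
    explicit = explicit_allow | explicit_deny
    inherited_allow -= explicit
    inherited_deny -= explicit
    allowed = explicit_allow | inherited_allow
    denied = explicit_deny | inherited_deny
    return allowed - denied


def has_full_control(principals, aces):
    """True only when every individual right survives the deny rules."""
    return effective_rights(principals, aces) == set(RIGHTS)


# Constructed scenarios for user "alice", a member of the group "Staff".
ALICE = {"alice", "Staff"}

# 1. Allows accumulate across the user and her group (least restrictive wins).
UNION_CASE = [Ace("Staff", "Read", True), Ace("Staff", "Write", True),
              Ace("alice", "Create All Child Objects", True)]

# 2. One deny removes only that right from the group's Full Control.
DENY_WRITE_CASE = [Ace("Staff", "Full Control", True), Ace("alice", "Write", False)]

# 3. A denied Full Control leaves no rights, even beside an explicit allow.
DENY_FULL_CASE = [Ace("Staff", "Full Control", False), Ace("alice", "Read", True)]

# 4. An explicit allow on the child overrides a denial inherited from the parent.
CHILD_OVERRIDE_CASE = [Ace("Staff", "Full Control", False, inherited=True),
                       Ace("alice", "Read", True)]

if __name__ == "__main__":
    for label, acl in [("union", UNION_CASE), ("deny write", DENY_WRITE_CASE),
                       ("deny full control", DENY_FULL_CASE),
                       ("child override", CHILD_OVERRIDE_CASE)]:
        print(f"{label:18} -> {sorted(effective_rights(ALICE, acl))}")
```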
5. Active Directory Components
* Logical components:
* Domains -
A domain is a collection of objects within the directory that forms a management boundary. Multiple domains can exist within a forest (defined later in this list), each with their own collection of objects and organizational units (also defined later in this list). Domains are named using the industry-standard DNS protocol.
* Organizational Unit -
An organizational unit (OU) is a container with objects (discussed next) contained within it. You can arrange OUs in a hierarchical, tree-like fashion and design them in a structure that best fits your organization for boundary delineation or ease of administration.
* Trees -
A tree is simply a collection of domains that begins at a single root and branches out into peripheral, "child" domains. Trees can be linked together within forests as well, and trees also share an unbroken DNS namespace.
* Forest -
A forest is the largest logical container within Active Directory and encompasses all domains within its purview, all linked together via transitive trusts that are constructed automatically. This way, all domains in a particular forest automatically trust all other domains within the forest.
* Physical Components:
* Domain Controllers -
A domain controller holds the security information and directory object database for a particular domain and is responsible for authenticating objects within its sphere of control. Multiple domain controllers can be associated with a given domain, and each domain controller holds certain roles within the directory, although for all intents and purposes all domain controllers within a domain are "equal" in power. This is unlike the primary and backup labels assigned to domain controllers in Windows NT.
* Sites -
A site is a collection of computers that are in distinct geographical locations, or at least are connected via a permanent, adequate-speed network link. Sites are generally used to determine how domain controllers are kept up to date; Active Directory will select its methodology for distributing those updates (a process called replication) based on how you configure a site to keep traffic over an expensive WAN link down to a minimum.
* Subnets -
Subnets are defined in Active Directory solely for defining what sites in Active Directory a set of machines belong to. The subnet definitions do not correspond to the actual layer 3 routing within the organization. This is a key misunderstanding: the layer 3 routing design does not have to correspond to the subnet/site definitions in Active Directory at all. Second, Active Directory will match the most specific subnet. This means that if you have defined two subnet objects in Active Directory, 10.1.0.0/16 and 10.1.2.0/24, and a client with an IP of 10.1.2.5, it will match the second subnet object.
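The most-specific-subnet rule from the paragraph above, as an added example that is not part of the original report: a longest-prefix lookup over a constructed subnet-to-site table containing the 10.1.0.0/16 and 10.1.2.0/24 pair, plus a check that reports which subnet objects are shadowed by narrower ones. Site names are constructed.

```python
import ipaddress

# Constructed subnet-to-site table. The /16 and the /24 overlap on purpose,
# mirroring the 10.1.0.0/16 and 10.1.2.0/24 pair in the text.
SUBNET_SITES = {
    "10.1.0.0/16": "Site-HQ",
    "10.1.2.0/24": "Site-Branch",
    "192.168.50.0/24": "Site-Lab",
}


def load_subnets(table):
    """Parse the CIDR strings. strict=True rejects an entry whose host bits
    are set (for example 10.1.2.5/24), which is a typo in a subnet object."""
    return [(ipaddress.ip_network(cidr, strict=True), site)
            for cidr, site in table.items()]


def site_for_address(ip, table=SUBNET_SITES):
    """Return (matching subnet, site) for a client address, choosing the
    longest prefix (the most specific subnet) when several subnets contain
    it, or None when no subnet object covers the address at all."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in load_subnets(table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return None if best is None else (str(best[0]), best[1])


def shadowed_subnets(table=SUBNET_SITES):
    """List (broad subnet, its site, narrow subnet, its site) tuples where a
    narrower subnet sits inside a broader one. Clients in the narrow range
    never use the broad subnet's site, which matters when the sites differ."""
    nets = load_subnets(table)
    pairs = []
    for broad, broad_site in nets:
        for narrow, narrow_site in nets:
            if narrow != broad and narrow.subnet_of(broad):
                pairs.append((str(broad), broad_site, str(narrow), narrow_site))
    return pairs


if __name__ == "__main__":
    for client in ("10.1.2.5", "10.1.9.7", "172.16.0.1"):
        print(client, "->", site_for_address(client))
    print("shadowed:", shadowed_subnets())
```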
6. Global Catalog
The Global Catalog (GC) is an important component in Active Directory because it serves as the central information store of the Active Directory objects located in domains and forests. Because the GC maintains a list of the Active Directory objects in domains and forests without actually including all information on the objects and it is used when users search for Active Directory objects or for specific attributes of an object, the GC improves network performance and provides maximum accessibility to Active Directory objects.
The GC server functions are discussed in the following section. GC server functions can be summarized as follows:
* GC servers are crucial for Active Directory's UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. The authenticating domain controller would have no knowledge of the particular user account. The GC server in this case assists in locating the user account so that the authenticating domain controller can proceed with the user's logon request.
* The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.
* The GC also makes it possible for users to provide Universal Group membership information to the domain controller for network logon requests.
Source: http://www.tech-faq.com/the-global-catalog-server.html
7. Active Directory Infrastructure
II. ADMINISTRATING DOMAIN NAME SYSTEM
1. Domain Name System
The Domain Name System (DNS) is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as Internet Protocol (IP) addresses. DNS allows you to use friendly names, such as www.microsoft.com, to easily locate computers and other resources on a TCP/IP-based network. DNS is an Internet Engineering Task Force (IETF) standard.
Source: http://technet.microsoft.com/en-us/network/bb629410.aspx
2. DNS Namespace
The DNS namespace is an important part of DNS, as it gives an understanding of why domain names look the way they do, and how DNS works. The namespace refers to the hierarchical layout of DNS names; the DNS namespace is laid out in an inverted tree. This means the root of the tree is at the top, and the branches of the tree grow downwards; of course this is all figuratively speaking. At the top of the DNS namespace is the root; all domain names start at the root which is defined by a null character. Note that domain names read from right to left, which is the highest level of the name space, the root, is the furthest right portion of the DNS name.
Source: http://www.vtc.com/products/DNS/HowDoesDNSWork/30845
3. Types of DNS Namespace
Name Type | Description | Example
--- | --- | ---
Root domain | This is the top of the tree, representing an unnamed level; it is sometimes shown as two empty quotation marks (""), indicating a null value. When used in a DNS domain name, it is stated by a trailing period (.) to designate that the name is located at the root or highest level of the domain hierarchy. In this instance, the DNS domain name is considered to be complete and points to an exact location in the tree of names. Names stated this way are called fully qualified domain names (FQDNs). | A single period (.) or a period used at the end of a name, such as "example.microsoft.com."
Top level domain | A name used to indicate a country/region or the type of organization using a name. | ".com", which indicates a name registered to a business for commercial use on the Internet.
Second level domain | Variable-length names registered to an individual or organization for use on the Internet. These names are always based upon an appropriate top-level domain, depending on the type of organization or geographic location where a name is used. | "microsoft.com.", which is the second-level domain name registered to Microsoft by the Internet DNS domain name registrar.
Subdomain | Additional names that an organization can create that are derived from the registered second-level domain name. These include names added to grow the DNS tree of names in an organization and divide it into departments or geographic locations. | "example.microsoft.com.", which is a fictitious subdomain assigned by Microsoft for use in documentation example names.
Host or resource name | Names that represent a leaf in the DNS tree of names and identify a specific resource. Typically, the leftmost label of a DNS domain name identifies a specific computer on the network. For example, if a name at this level is used in a host (A) RR, it is used to look up the IP address of a computer based on its host name. | "host-a.example.microsoft.com.", where the first label ("host-a") is the DNS host name for a specific computer on the network.
* DNS and Internet Domains
The Internet Domain Name System is managed by a Name Registration Authority on the Internet, responsible for maintaining top-level domains that are assigned by organization and by country/region. These domain names follow the International Standard 3166. Some of the many existing abbreviations, reserved for use by organizations, as well as two-letter and three-letter abbreviations used for countries/regions are shown in the following table:
* Some DNS Top-level Domain Names (TLDs)
DNS Domain Name | Type of Organization
--- | ---
com | Commercial organizations
edu | Educational institutions
org | Non-profit organizations
net | Networks (the backbone of the Internet)
gov | Non-military government organizations
mil | Military government organizations
arpa | Reverse DNS
"xx" | Two-letter country code (i.e. us, au, ca, fr)
4. Creating DNS Namespace
The namespace refers to the hierarchical layout of DNS names; the DNS namespace is laid out in an inverted tree. This means the root of the tree is at the top, and the branches of the tree grow downwards; of course this is all figuratively speaking. At the top of the DNS namespace is the root; all domain names start at the root, which is defined by a null character. Note that domain names read from right to left; that is, the highest level of the namespace, the root, is the furthest right portion of the DNS name.
The root is not normally explicitly specified in user applications, as most applications assume it. It is often explicitly specified in DNS server configuration files and is denoted by a trailing period. Below the root in the DNS namespace are the top-level domains, or TLDs. These are the highest names in the namespace, for example .com or .net. These TLDs are maintained by the Internet Corporation for Assigned Names and Numbers, or ICANN, for Internet use. On the Internet, you must use one of the ICANN-approved TLDs if you're using the standard root servers. On a private network, though, you can use any TLD you want. You may see some examples in this course where I use the .tld domain as a TLD. This is not a legal Internet TLD and I do this just for the sake of example. It is bad practice to use illegal TLDs, even on a private network, in case you ever need to connect that network to the Internet; if you did, you'd need to change all your illegal domain names. The remainder of the namespace is more or less open for use; there are a few names that you can't use, but for the most part it's wide open. You can register domain names beneath several of the TLDs, including .com, .net, .org, .biz and .name, for example. There are also restricted TLDs such as .gov and .mil, which can only be used by the US government, and .edu, which can only be used by educational institutions. You also have the option of country TLDs, based on your country code, such as .us for the USA and .ca for Canada.
Once you have a domain under a TLD, you can create as many sub-domains as you like, as long as they don't reach more than one hundred and twenty-seven levels below the root. For example, if you register the domain vtc.com, you can use sub-domains such as east.vtc.com and west.vtc.com without needing to register them. I cover the configuration of sub-domains later on in the course. Here you can see an example of the DNS namespace, with the root at the top; under the root are the TLDs, next come the regular domains, and below those are hosts or sub-domains.
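The namespace rules described in sections 2 to 4 (names read right to left from the root, a trailing period marks a fully qualified name, TLD classes from the table above, and the limit of 127 levels below the root), as an added example that is not part of the original report. Which lower labels are subdomains and which is a host depends on the zone's records, so the code reports them in top-down order without guessing.

```python
MAX_LEVELS = 127  # levels below the root, the limit stated in the text

# Organizational top-level domains from the TLD table above.
ORGANIZATIONAL_TLDS = {
    "com": "Commercial organizations", "edu": "Educational institutions",
    "org": "Non-profit organizations", "net": "Networks",
    "gov": "Non-military government organizations",
    "mil": "Military government organizations", "arpa": "Reverse DNS",
}


def split_labels(name):
    """Split a domain name into (fully_qualified, labels-leftmost-first).
    A trailing period names the root explicitly and makes the name an FQDN;
    '.' alone is the root itself."""
    fqdn = name.endswith(".")
    body = name[:-1] if fqdn else name
    labels = [] if body == "" else body.split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    if len(labels) > MAX_LEVELS:
        raise ValueError(f"{name!r} is more than {MAX_LEVELS} levels below the root")
    return fqdn, labels


def describe(name):
    """Break a name down the way the namespace table does, reading right to
    left: root, top-level domain, second-level domain, then the remaining
    labels (subdomains and/or a host) in top-down order."""
    fqdn, labels = split_labels(name)
    tld = labels[-1].lower() if labels else None
    if tld is None:
        tld_kind = "root"
    elif tld in ORGANIZATIONAL_TLDS:
        tld_kind = ORGANIZATIONAL_TLDS[tld]
    elif len(tld) == 2 and tld.isalpha():
        tld_kind = "Two-letter country code"
    else:
        tld_kind = "Unknown or private TLD"
    return {
        "fully_qualified": fqdn,
        "levels_below_root": len(labels),
        "top_level": tld,
        "top_level_kind": tld_kind,
        "second_level": labels[-2] if len(labels) >= 2 else None,
        "below_second_level": labels[:-2][::-1] if len(labels) > 2 else [],
    }


def ancestors(name):
    """Walk from a name up to the root, one level at a time:
    host-a.example.microsoft.com. -> example.microsoft.com. -> ... -> '.'"""
    _, labels = split_labels(name)
    chain = []
    for i in range(len(labels) + 1):
        rest = labels[i:]
        chain.append(".".join(rest) + "." if rest else ".")
    return chain


if __name__ == "__main__":
    print(describe("host-a.example.microsoft.com."))
    print(ancestors("host-a.example.microsoft.com."))
```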
5. DNS Servers
A DNS server is any computer registered to join the Domain Name System. A DNS server runs special-purpose networking software, features a public IP address, and contains a database of network names and addresses for other Internet hosts.
DNS Root Servers
DNS servers communicate with each other using private network protocols. All DNS servers are organized in a hierarchy. At the top level of the hierarchy, so-called root servers store the complete database of Internet domain names and their corresponding IP addresses. The Internet employs 13 root servers that have become somewhat famous for their special role. Maintained by various independent agencies, the servers are aptly named A, B, C and so on up to M. Ten of these servers reside in the United States, one in Japan, one in London, UK and one in Stockholm, Sweden.
DNS Servers and Home Networking
Computers on your home network locate a DNS server through the Internet connection setup properties. Providers give their customers the public IP address(es) of primary and backup DNS servers. You can find the current IP addresses of your DNS server configuration via several methods:
* on the configuration screens of a home network router
* on the TCP/IP connection properties screens in Windows Control Panel (if configured via that method)
* from ipconfig or a similar command line utility
6. DNS Records
DNS records are stored in zone files and are used for translating domain names to IP addresses. They also contain other data, including the domain name's name server and mail server information. If there are domain name aliases, such as the commonly used "www" preceding the domain name, these will also be listed in the DNS record.
A typical DNS record may look something like this:
; Nameservers
;
yourdomain.com. IN NS    ns1.4servers.com. ; 123.456.789.01
yourdomain.com. IN NS    ns2.4servers.com. ; 123.456.789.02
;
; Domain Mail Handlers
;
yourdomain.com. IN MX    0  mail
yourdomain.com. IN MX    10 mail
;
; hosts in order
;
yourdomain.com. IN A     Your.IP.XXX
www             IN A     Your.IP.XXX
smtp            IN CNAME www
pop             IN CNAME www
ftp             IN CNAME www
mail            IN A     Your.IP.XXX
;
; end
Since DNS records are made up entirely of text, they are easy to modify when needed. However, one small typo could redirect a domain name to the wrong Web server or prevent it from showing up at all. This is why it is important to enter DNS information accurately and double-check your changes before saving the zone file.
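A small zone-file checker for the typo risk just described, as an added example that is not part of the original report. It parses a constructed zone in the same layout as the record sample above (with one deliberate typo: ftp aliases "wwww") and reports alias or mail-server targets that have no address record, MX records pointing at an alias, and names that carry a CNAME next to other records; addresses and names are constructed.

```python
# Constructed zone in the layout of the record sample above, with one
# deliberate typo (ftp points at "wwww") so the checker has something to find.
SAMPLE_ZONE = """\
$ORIGIN yourdomain.com.
; Nameservers
@      IN NS    ns1.4servers.com.
@      IN NS    ns2.4servers.com.
; Domain Mail Handlers
@      IN MX    0  mail
@      IN MX    10 mail
; hosts in order
@      IN A     192.0.2.10
www    IN A     192.0.2.10
mail   IN A     192.0.2.25
smtp   IN CNAME www
pop    IN CNAME www
ftp    IN CNAME wwww   ; typo: should be www
"""


def absolute(name, origin):
    """Make a zone-file name absolute: '@' is the origin, a name ending in a
    period is already absolute, anything else is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse the subset of zone syntax used above: $ORIGIN, ';' comments and
    one 'owner IN type rdata' record per line. Returns (origin, records) with
    records as (owner, type, target) tuples and all names made absolute."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner, klass, rtype, rdata = fields[0], fields[1], fields[2].upper(), fields[3:]
        if klass != "IN":
            raise ValueError(f"unsupported class in line: {raw!r}")
        # MX rdata is "preference target"; for A the rdata is the address itself.
        target = rdata[1] if rtype == "MX" else rdata[0]
        if rtype in ("NS", "MX", "CNAME"):
            target = absolute(target, origin)
        records.append((absolute(owner, origin), rtype, target))
    return origin, records


def check_zone(text):
    """Return a list of problems a typo could introduce: CNAME or MX targets
    inside the zone with no A record, MX targets that are aliases, and
    names that have a CNAME alongside other records."""
    origin, records = parse_zone(text)
    by_owner = {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, target in records:
        in_zone = target == origin or target.endswith("." + origin)
        if rtype in ("CNAME", "MX") and in_zone and "A" not in by_owner.get(target, set()):
            problems.append(f"{rtype} at {owner} points to {target}, which has no A record")
        if rtype == "MX" and "CNAME" in by_owner.get(target, set()):
            problems.append(f"MX at {owner} points to alias {target}; MX targets must not be CNAMEs")
    for owner, types in by_owner.items():
        if "CNAME" in types and types != {"CNAME"}:
            problems.append(f"{owner} has a CNAME together with other records")
    return problems


if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE):
        print("PROBLEM:", problem)
```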
7. How DNS works
The Domain Name System (DNS) is a database that handles translating a fully qualified domain name into an Internet Protocol (IP) address. Most computer networks will have at a minimum one DNS server to handle queries, which is commonly referred to as the "name server." It will store a listing of all of the IP addresses stored on the network as well as a cache of the IP addresses recently accessed outside of the network. On any given network, a computer only needs to know the location of one name server. When a computer goes to look up an IP address that is not stored on the computer, it will check with the name server. The name server will see if the name is addressed locally; if someone on the network has recently requested the same address, the IP address will be retrieved from the server's cache.
Each of these cases results in little wait for a response. If the address has not been requested recently, then the name server will perform a search by querying two or more name servers. These queries can take anywhere from seconds to a minute based on the network speed. If no resolution is found, an error message is returned to the user.
8. Benefits of DNS
There are many benefits of DNS resolution, some of which include:
1. Capable of providing security. Companies that make use of a DNS server are able to protect the company-related data from being accessed by unwanted people. These DNS servers are monitored on a daily basis and carry the latest security patches.
2. Errors are automatically checked. Each DNS server is associated with software that is capable of automatically detecting errors. Whenever the users update their DNS server this software checks for possible errors, which are then reported to the users. This helps users avoid a DNS failure on their own account.
3. Ease of use. Every DNS server, account and domain can be managed through a secured and easy-to-use web-based interface, wherein the customers just need to log in and can easily manage domains. All that is required is a computer with a web browser and an Internet connection.
4. Flexibility of use. DNS servers are quite flexible to use. A single DNS server is capable of managing multiple Internet subdomains and domains.
5. Consistent to use. Organizations can keep a constant naming structure both for external and internal Internet resources.
6. Easy to maintain. It is extremely easy to maintain the DNS servers. This is because of easy-to-use DNS control software, known as SafeDNS. It is a protected web-based interface that enables the users to be the masters of their domains. The users just need to log in to the SafeDNS software and generate, update, and manage one or more domain names. The software is capable of pointing more than two domains to a particular website. It is also able to create extraordinary email handling service arrangements with SafeDNS hosting servers.
With so many benefits for the users, DNS has become an inseparable part of the world of the Internet and is preferred by Internet users all over the world.
Source: http://benefitof.net/benefits-of-dns/
III. ADMINISTRATING WINS AND DHCP
1. NetBIOS
NetBIOS is a software protocol for providing computer communication services on local networks. Microsoft Windows uses NetBIOS on Ethernet or Token Ring networks.
Software applications on a NetBIOS network locate each other via their NetBIOS names. A NetBIOS name is up to 16 characters long and in Windows, separate from the computer name. Applications on other computers access NetBIOS names over UDP port 137. The Windows Internet Naming Service (WINS) provides name resolution services for NetBIOS.
Two applications start a NetBIOS session when one (the client) sends a command to "Call" another (the server) over TCP port 139 on a remote computer. Both sides issue "Send" and "Receive" commands to deliver messages in both directions. The "Hang-Up" command terminates a NetBIOS session. NetBIOS also supports connectionless communications via UDP datagrams. Applications listen on UDP port 138 to receive NetBIOS datagrams. NetBIOS and NetBEUI are separate but related technologies. NetBEUI extends NetBIOS with additional networking capabilities.
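An added example that is not part of the original report: the 16-byte NetBIOS name structure mentioned above (15 characters padded with spaces plus one suffix byte), together with the first-level encoding from RFC 1001/1002 that the name service on UDP port 137 carries those names in, which the text itself does not describe. The sample names and suffix labels are constructed.

```python
NETBIOS_NAME_LEN = 16  # 15 bytes of name plus one suffix byte
ENCODED_LEN = 2 * NETBIOS_NAME_LEN

# A few suffix bytes commonly listed in Microsoft documentation (assumed here).
SUFFIXES = {0x00: "workstation service", 0x03: "messenger service",
            0x20: "file server service"}


def encode_netbios_name(name, suffix=0x00):
    """Pad the name to 15 bytes with spaces, append the suffix byte, then
    apply first-level encoding: each byte becomes two letters in 'A'..'P',
    one for the high nibble and one for the low nibble (32 characters)."""
    raw = name.upper().encode("ascii")
    if len(raw) > NETBIOS_NAME_LEN - 1:
        raise ValueError("NetBIOS names are at most 15 characters plus a suffix byte")
    padded = raw.ljust(NETBIOS_NAME_LEN - 1, b" ") + bytes([suffix])
    out = []
    for byte in padded:
        out.append(chr(ord("A") + (byte >> 4)))
        out.append(chr(ord("A") + (byte & 0x0F)))
    return "".join(out)


def decode_netbios_name(encoded):
    """Reverse the encoding: return (name without padding, suffix byte)."""
    if len(encoded) != ENCODED_LEN or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - ord("A")) << 4) | (ord(encoded[i + 1]) - ord("A"))
                for i in range(0, ENCODED_LEN, 2))
    return raw[:NETBIOS_NAME_LEN - 1].rstrip(b" ").decode("ascii"), raw[NETBIOS_NAME_LEN - 1]


if __name__ == "__main__":
    encoded = encode_netbios_name("FILESRV01", 0x20)   # constructed name
    name, suffix = decode_netbios_name(encoded)
    print(encoded, "->", name, hex(suffix), SUFFIXES.get(suffix, "other"))
```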
2. WINS
WINS was designed specifically to support NetBIOS over TCP/IP (NetBT). WINS is required for any environment in which users access resources that have NetBIOS names. If you do not use WINS in such a network, you cannot connect to a remote network resource by using its NetBIOS name unless you use Lmhosts files, and you might be unable to establish file and print sharing connections.
3. WINS Architecture
4. WINS Components
WINS servers
The WINS server handles name registration requests from WINS clients, registers their names and IP addresses, and responds to NetBIOS name queries submitted by clients, returning the IP address of a queried name if it is listed in the server database.
Also, as the following graphic shows, WINS servers can replicate the contents of their databases (which contain NetBIOS computer name mappings to IP addresses) to other WINS servers. When a WINS-enabled client computer (such as a workstation computer on either Subnet 1 or Subnet 2) starts on the network, its computer name and IP address are sent in a registration request directly to its configured primary WINS server, WINS-A. Because WINS-A is the server that registers these clients, it is said to be the owner of the records for those clients in WINS.
WINS clients
WINS-enabled clients communicate with the WINS server to:
* Register client names in the WINS database.
* Renew client names with the WINS database.
* Release client names from the WINS database.
* Resolve names by obtaining mappings from the WINS database for user names, NetBIOS names, DNS names, and IP addresses.
WINS proxies
A WINS proxy is a WINS client computer configured to act on behalf of other host computers that cannot directly use WINS. WINS proxies help resolve NetBIOS name queries for computers located on routed TCP/IP networks.
By default, most computers not able to use WINS use broadcasts to resolve NetBIOS name queries and register their NetBIOS names on the network. You can configure a WINS proxy to listen on behalf of these computers and to query WINS for names not resolved by broadcast.
WINS proxies are only useful or necessary on networks that include NetBIOS broadcast-only (or b-node) clients. For most networks, WINS-enabled clients are common and WINS proxies are typically not needed.
WINS proxies are WINS-enabled computers that listen for b-node NetBIOS name service functions (name registration, name release, and name query) and can respond for those names that are remote and not used on the local network. Proxies communicate directly with a WINS server to retrieve the information necessary to respond to these local broadcasts.
WINS database
The WINS database stores and replicates the NetBIOS name-to-IP address mappings for your network. In the Windows Server 2003 family, the WINS database uses the Extensible Storage Engine (ESE).
Compacting the database
There is no built-in limit to the number of records that a WINS server can replicate or store. The size of the database depends on the number of WINS clients on the network. The WINS database changes over time as clients log on and log off the network.
However, the size of the WINS database is not directly proportional to the number of active client entries. Over time, as some WINS client entries become obsolete and are deleted, the size of the WINS database grows larger than the actual space currently in use by the database. This is because the space used to store obsolete records is not automatically reclaimed by the server once the space is freed and no longer in use.
Compacting the WINS database recovers the unused space. Dynamic database compaction occurs on WINS servers as an automatic background process during idle time after a database update. Compaction can also be done manually offline. Windows NT Server 4.0, Windows 2000, and the Windows Server 2003 family support both dynamic and manual compaction. Windows NT Server 3.51 (or earlier) supports only manual compacting of the WINS server database.
Although dynamic compacting greatly reduces the need for offline compaction, offline compaction reclaims the space better and should be done periodically. How frequently you manually compact the WINS database depends on your network. For large, busy networks with 1,000 or more WINS clients, you should compact offline each month. Smaller networks usually require less frequent manual compaction.
Because the dynamic database compaction occurs while the database is in use, you do not need to stop the WINS server during this process. However, for manual compacting, you must stop the WINS server and take it offline.
Backing up the WINS database
The WINS console provides the tools you need to maintain, view, back up, and restore the WINS server database. You should back up the database whenever you back up other files on the WINS server.
WINS database files
WINS uses the Jet database format for storing its data. Jet produces the J<n>.log and other files in the systemroot\System32\Wins folder to increase the speed and efficiency of data storage.
5. WINS Operation
When a NetBIOS name would otherwise have to be resolved by broadcast, a WINS client instead sends the query over TCP/IP directly to a WINS server. WINS builds its database dynamically: when a client uses WINS, it announces its name to the WINS server over TCP/IP rather than broadcasting to every computer on the subnet. WINS Message Modes:
Client Name Registration - When a client service starts, the NetBIOS name for that service (each NetBIOS process is distinguished by the hidden 16th byte) is sent to the WINS server. If the registration fails, the client retries every ten minutes. If the primary WINS server fails to respond after three tries, the request is sent to the secondary WINS server. If no WINS server responds, the client falls back to B-node broadcasts. When contacted, the WINS server returns a time to live (TTL) field containing the length of time the client may use that name. If a duplicate name is received, the server sends a wait for acknowledgement (WACK) to the registering client and then sends a challenge to the client that currently holds the name. If the current owner responds correctly, the new client's request is rejected.
Client Lease Renewal - When the name lease is at 50%, the client sends a name renewal request to the WINS server with its name and IP address. When 7/8 of the lease has elapsed, the client tries again and then attempts renewal with the secondary WINS server. After four attempts with the secondary WINS server, it attempts lease renewal with the primary WINS server again.
Client Name Release - The client sends a name release message with its name and IP address. The server responds with a positive release message. If the client receives no confirmation, a NetBIOS broadcast release is sent up to three times.
Server Name Query and Name Resolution Response - With a WINS server on the network, resolution is done using H-node on UDP port 137 (NetBIOS Name Service). Name query order:
* Local cache
* WINS server (primary then secondary, two times)
* Broadcast
* Lmhosts file
* Hosts file
* DNS
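The name format and name-query exchange described above, as an added example that is not part of the original document: Python that applies the NetBIOS first-level name encoding (up to 15 characters, space-padded, plus the hidden 16th suffix byte) and builds and parses the NBNS name-query request a WINS client sends to UDP port 137, with the B flag distinguishing a b-node broadcast from a direct query to the WINS server. The suffix constants and the sample name WINS-A are assumptions made here for illustration.

```python
"""NetBIOS name encoding and the NBNS name-query request (UDP port 137).

Added example, not from the original document. Implements the RFC 1001/1002
first-level encoding of the 16-byte NetBIOS name (up to 15 characters,
space-padded, plus the hidden 16th "suffix" byte that distinguishes the
NetBIOS process) and builds/parses the name-query request a WINS client sends.
No network I/O: every packet here is constructed inline.
"""
import struct

# Suffix (16th byte) values are assumptions for illustration; 0x00 is the
# workstation service and 0x20 the file server service on Windows.
SUFFIX_WORKSTATION = 0x00
SUFFIX_SERVER = 0x20
QTYPE_NB = 0x0020      # NetBIOS general name service resource record
QCLASS_IN = 0x0001


def netbios_name_bytes(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """16-byte NetBIOS name: upper-cased, space-padded to 15 bytes, plus suffix."""
    if len(name) > 15:
        raise ValueError("a NetBIOS name is at most 15 characters plus a suffix byte")
    return name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])


def encode_name(name: str, suffix: int = SUFFIX_WORKSTATION) -> bytes:
    """First-level encoding: each nibble becomes 'A' + nibble, giving a 32-byte
    DNS label followed by the root (zero-length) label."""
    encoded = bytearray()
    for b in netbios_name_bytes(name, suffix):
        encoded.append(ord("A") + (b >> 4))
        encoded.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"


def decode_name(label: bytes) -> tuple:
    """Inverse of encode_name; returns (name without padding, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a first-level encoded NetBIOS label")
    enc = label[1:33]
    if any(c < ord("A") or c > ord("P") for c in enc):
        raise ValueError("encoded label contains characters outside A-P")
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def build_name_query(name: str, suffix: int, txid: int, broadcast: bool) -> bytes:
    """NBNS NAME QUERY REQUEST: 12-byte header plus one question (type NB, class IN).
    Flags word: opcode 0 (query), RD set; the B bit is set only for b-node
    broadcasts and clear when the query goes directly to a WINS server."""
    flags = 0x0100 | (0x0010 if broadcast else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name, suffix) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)


def parse_name_query(packet: bytes) -> dict:
    """Decode a name-query request, e.g. one seen in a capture on UDP 137."""
    if len(packet) < 50:
        raise ValueError("truncated NBNS query")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if (flags >> 11) & 0xF != 0 or qdcount != 1:
        raise ValueError("not a single-question name query")
    name, suffix = decode_name(packet[12:46])
    qtype, qclass = struct.unpack("!HH", packet[46:50])
    return {"txid": txid, "broadcast": bool(flags & 0x0010), "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass}


if __name__ == "__main__":
    # A unicast query for the file server service of "WINS-A" (constructed sample).
    pkt = build_name_query("WINS-A", SUFFIX_SERVER, 0x1234, broadcast=False)
    print(pkt.hex())
    print(parse_name_query(pkt))
```

Running the parser over queries captured on UDP 137 shows which clients are still resolving names by broadcast instead of through WINS.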
6. Benefits of WINS
Summary of WINS Benefits
WINS provides the following benefits over other NetBIOS name resolution methods:
* WINS name resolution reduces NetBIOS name query broadcast traffic because clients can query a WINS server directly instead of broadcasting queries.
* WINS enables the Computer Browser service to collect and distribute browse lists across IP routers.
* The WINS dynamic name-to-address database supports NetBIOS name registration and resolution in environments where DHCP-enabled clients are configured for dynamic TCP/IP address allocation.
* The WINS database also supports centralized management and replicates name-to-address mappings to other WINS servers.
* WINS and DNS can be used in the same environment to provide combined name searches in both namespaces.
Disadvantage
The biggest disadvantage of using static WINS entries is that it complicates administration of name and address changes in your network. For example, if either the IP address or the computer name of a static WINS entry changes, you might have to manually update other configurations also, such as DHCP servers, DNS servers, end systems, and Lmhosts files.
7. DHCP
DHCP stands for "Dynamic Host Configuration Protocol." A network server uses this protocol to dynamically assign IP addresses to networked computers. The DHCP server waits for a computer to connect to it, then assigns it an IP address from a master list stored on the server. DHCP helps in setting up large networks, since IP addresses don't have to be manually assigned to each computer on the network. Because of the slick automation involved with DHCP, it is the most commonly used networking protocol.
8. DHCP Terms

Term | Description |
DHCP server | Any computer running the Windows 2000 DHCP service. |
DHCP client | Any computer that has DHCP settings enabled. |
Scope | The full, consecutive range of possible IP addresses for a network. DHCP services can be offered to scopes, which typically define a single physical subnet on a network. DHCP servers primarily use scopes to manage network distribution and assignment of IP addresses and any related configuration parameters. |
Superscope | An administrative grouping of scopes that are used to support multiple, logical IP subnets on the same physical subnet. Superscopes contain a list of member scopes (or child scopes) that can be activated as a collection. |
Exclusion range | Ensures that any IP address listed in that range is not offered by the DHCP server to any DHCP clients. |
Address pool | Available IP addresses form an address pool within the scope. Pooled addresses are available for dynamic assignment by the DHCP server to DHCP clients. |
Lease | The length of time, specified by the DHCP server, a client computer can use a dynamically assigned IP address. When a lease is made to a client, the lease is considered active. Before the lease expires, the client renews its lease with the DHCP server. A lease becomes inactive when it either expires or is deleted by the server. The lease duration determines when the lease expires and how often the client needs to renew its lease with the DHCP server. |
Reservation | Creates a permanent address lease assignment from the DHCP server to the client. Reservations ensure that a specified hardware device on the subnet can always use the same IP address. This is useful for computers such as remote access gateways, WINS, or DNS servers that must have a static IP address. |
Option types | Other client configuration parameters a DHCP server can assign when offering an IP address lease to a client. Typically, these option types are enabled and configured for each scope. Most options are predefined through RFC 2132, but you can use DHCP Manager to define and add custom option types as needed. |
Option class | A way for the DHCP server to further submanage option types provided to clients. Option classes can be configured on your DHCP servers to offer specialized client support. When an option class is added to the server, clients of that class can be provided class-specific option types for their configuration. |
Source: http://technet.microsoft.com/en-us/library/cc958956.aspx
9. Components of DHCP
This is a list of some DHCP components for BIND 10 DHCP. c/r/s = client/relay/server
* Engine to fetch config (data) ('what is configuration parameter X for this client?') (c/r/s)
  * This is complex! (man dhcpd.conf)
* Low-level packet munging (taking packets apart & putting together) (c/r/s)
* Image of network topology (s)
* Socket handling (DHCPv4 funkiness) (c/r/s)
* Configuration DB (s)
* Lease DB (s)
* Simplified client config language (c)
* Client and server on same system (for example: SOHO box with local DHCP server built from DHCP client information)
* DHCPv4 server logic (s)
* DHCPv6 server logic (s)
* DHCPv4 client logic (c)
* DHCPv6 client logic (c)
* DHCPv4 relay logic (r)
* DHCPv6 relay logic (r)
* Address allocation handling (s)
* Hook definitions (c/r/s)
* Integrated relay/server? (Make the server a subset of the relay component - research project)
* API framework documenting access to packet/lease/etc at different states/times (c/r/s)
* Document how embedded languages can access configuration/server state (with examples) (r/s)
* Embedded optimizations (for example compile-time options) (c/r/s)
* Flexible client logic (for example non-resident client) (c)
* Different state machines (???) (c/r/s)
* API for controlling server (like XML-based language) (c/r)
* Behavior for administrative interaction (do we have to lock a lease? and so on) (c/s)
* Reconfiguration (c/s)
* DHCP data store (s)
  * Define operations
  * Define data
  * Define reports
* Option definition framework (c/s)
* DHCP benchmark tool(s) (c/r/s)
* DHCP diagnostic tools
* SNMP (MIB defined)
* Logging framework (for example log4j-style: log4c)
* ISC DHCP pre-BIND 10 support (migration support)
* DDNS functionality (c/s)
* Failover/HA solution (r/s)
  * Proposal for method
  * Implementation
* ACL (can guide as well as limit configuration) (s)
Non-functional goals:
* Performance
* Ease of use
* Debugability
* Size (small)
10. How DHCP works
DHCP provides an automated way to distribute and update IP addresses and other configuration information on a network. A DHCP server provides this information to a DHCP client through the exchange of a series of messages, known as the DHCP conversation or the DHCP transaction. If the DHCP server and DHCP clients are located on different subnets, a DHCP relay agent is used to facilitate the conversation.
Automatic IP Configuration
DHCP supports Automatic Private IP Addressing (APIPA), which enables computers running Windows 2000, Windows XP, and Windows Server 2003 to configure an IP address and subnet mask if a DHCP server is unavailable at system startup and the Automatic private IP address Alternate Configuration setting is selected. This feature is useful for clients on small private networks, such as a small-business office or a home office.
Local Storage
Windows Server 2003 DHCP supports local storage, which allows clients to store DHCP information on their own hard disks. Local storage is useful because it enables the client to store its last leased IP address, so that when the client starts it first attempts to renew the lease of its previous IP address. Local storage also enables a client to be shut down and restarted and it will use its previously leased address and configuration, even if the DHCP server is unreachable or offline at the time that the client computer is restarted.
Scopes
A scope must be properly defined and activated before DHCP clients can use the DHCP server for automatic TCP/IP configuration. A DHCP scope is an administrative collection of IP addresses and TCP/IP configuration parameters that are available for lease to DHCP clients of a specific subnet. The network administrator creates a scope for each subnet.
DHCP Messages
The following list includes the eight types of messages that can be sent between DHCP clients and servers.
Preventing Address Conflicts
Windows Server 2003 DHCP has both server-side and client-side conflict detection to prevent duplicate IP addresses on your network.
Source: http://technet.microsoft.com/en-us/library/cc780760(v=ws.10).aspx
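As an added example (not code from the original document or from the Windows DHCP service), a small Python model of the terms in the DHCP Terms table and of the server-side conflict detection just described: a scope whose address pool excludes an exclusion range and reserved addresses, leases that expire and are reclaimed, reservations that always return the same address, and an `in_use` probe callback that stands in for the server checking whether a candidate address already answers on the network. The scope values and client identifiers are constructed.

```python
"""Model of a DHCP scope: address pool, exclusion range, reservations, leases
with a duration, and server-side conflict detection before an offer.

Added example, not code from the original document or from the Windows DHCP
service. The `in_use` probe is injected so the example runs offline; a real
server would probe the candidate address on the wire before offering it.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Callable, Dict, Iterator, List, Optional, Tuple

INFINITE = float("inf")   # reservations are permanent leases


@dataclass
class Lease:
    ip: IPv4Address
    client_id: str
    expires_at: float      # seconds on the caller's clock


@dataclass
class Scope:
    start: IPv4Address
    end: IPv4Address
    lease_seconds: float
    exclusions: List[Tuple[IPv4Address, IPv4Address]] = field(default_factory=list)
    reservations: Dict[str, IPv4Address] = field(default_factory=dict)  # client_id -> ip
    leases: Dict[IPv4Address, Lease] = field(default_factory=dict)

    def _excluded(self, ip: IPv4Address) -> bool:
        return any(lo <= ip <= hi for lo, hi in self.exclusions)

    def address_pool(self) -> Iterator[IPv4Address]:
        """The pool: the scope range minus exclusion ranges and reserved addresses."""
        reserved = set(self.reservations.values())
        ip = self.start
        while ip <= self.end:
            if not self._excluded(ip) and ip not in reserved:
                yield ip
            ip += 1

    def expire(self, now: float) -> int:
        """A lease becomes inactive when it expires; reclaim those addresses."""
        stale = [ip for ip, lease in self.leases.items() if lease.expires_at <= now]
        for ip in stale:
            del self.leases[ip]
        return len(stale)

    def offer(self, client_id: str, now: float,
              in_use: Callable[[IPv4Address], bool] = lambda ip: False) -> Optional[IPv4Address]:
        """Return the address to offer `client_id`, or None if the pool is exhausted."""
        self.expire(now)
        # Renewal: a client that still holds an active lease keeps its address.
        for lease in self.leases.values():
            if lease.client_id == client_id:
                if lease.expires_at != INFINITE:
                    lease.expires_at = now + self.lease_seconds
                return lease.ip
        # Reservation: the same address every time, never handed to anyone else.
        if client_id in self.reservations:
            ip = self.reservations[client_id]
            self.leases[ip] = Lease(ip, client_id, INFINITE)
            return ip
        for ip in self.address_pool():
            if ip in self.leases:
                continue
            if in_use(ip):
                # Server-side conflict detection: something already answers at this
                # address, so skip it rather than hand out a duplicate.
                continue
            self.leases[ip] = Lease(ip, client_id, now + self.lease_seconds)
            return ip
        return None


if __name__ == "__main__":
    # Constructed sample scope with an exclusion range and one reserved printer.
    scope = Scope(IPv4Address("192.168.1.10"), IPv4Address("192.168.1.20"), 3600.0,
                  exclusions=[(IPv4Address("192.168.1.12"), IPv4Address("192.168.1.14"))],
                  reservations={"printer-01": IPv4Address("192.168.1.15")})
    print(scope.offer("pc1", now=0.0))
    print(scope.offer("pc2", now=0.0, in_use=lambda ip: ip == IPv4Address("192.168.1.11")))
```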
11. Integration of DHCP and DNS
DNS servers provide domain name resolution for network resources. They associate the TCP/IP address assigned by DHCP to a client with its fully qualified domain name (FQDN). Because of this association, or mapping, of an IP address to a domain name, a change in either the address or the name necessitates an update of the information in DNS. The DHCP protocol does not automatically update DNS in the event that the DHCP server changes the IP address of a client. To facilitate this interaction, servers running Windows Server® 2008 and DHCP and clients running DHCP can register with DNS, allowing cooperation between the two. When DHCP changes IP address information, corresponding DNS updates synchronize name-to-address associations for the computer.
When a DHCP server registers and updates DNS pointer (PTR) and address (A) resource records on behalf of its DHCP-enabled clients, it uses the information contained within an additional DHCP option: the Client FQDN option (option 81), which permits a client to provide its FQDN and any instructions to the DHCP server that is used to process DNS dynamic updates on its behalf.
The following reasons or events can trigger a dynamic update:
* Added, removed, or modified IP addresses in the TCP/IP properties configuration for any of the installed network connections.
* An IP address lease changes or renews any of the installed network connections with the DHCP server. For example, when a computer starts or after use of the ipconfig /renew command.
* Upon use of the ipconfig /registerdns command, which manually forces a refresh of the client name registration in DNS.
When one of these events triggers a dynamic update, the DNS Client service (not the DHCP Client service) sends updates. The DNS Client service performs this function for all network connections on the client, including any that are not configured to use DHCP.
When a qualified DNS client (such as a computer running Windows XP Professional or Windows Vista®) issues an update, DHCP servers running Windows Server 2008 process the update to determine in which of three ways the server will initiate updates on behalf of the client:
* The DHCP server always registers the client for both the forward (A resource records) and reverse lookup or pointer (PTR resource records) with DNS.
* The DHCP server never registers the name-to-address (A resource records) for clients.
* The DHCP server registers the client for both forward (A resource records) and reverse lookup or pointer (PTR resource records) when requested to do so by the client.
The ability to register both A and PTR resource records enables a DHCP server to act as a proxy for clients running other operating systems, such as Microsoft Windows Millennium Edition, or Windows 98, for the purpose of DNS dynamic update registration. The DHCP server can automatically differentiate between Windows 2000, Windows XP Professional, Windows Vista, and other clients.
DHCP requires the use of DNS dynamic update to keep name-to-address mapping information synchronized. Using DHCP and DNS together on a network might cause problems when using older, static DNS servers, which cannot interact dynamically when DHCP client configurations change. You can avoid failed DNS lookups for DHCP-registered clients when using static DNS service by doing the following:
* If you are using Windows Internet Name Service (WINS) servers on a network, enable WINS lookup for DHCP clients that use NetBIOS.
* Assign IP address reservations with an infinite lease duration for DHCP clients that use DNS only and do not support NetBIOS.
* Wherever possible, upgrade or replace older static DNS servers with DNS servers that support DNS dynamic updates.
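The Client FQDN option (option 81) and the three server update policies described above, as an added example that is not part of the original document: a Python parser for the option's flag bits and a function that maps a policy plus the client's request to the records the server updates. The flag names (S, O, E, N) follow RFC 4702; the PTR handling under the "never register A" policy is an assumption made here, and contoso.com host names are constructed.

```python
"""DHCPv4 Client FQDN option (option 81) and the DHCP server's DNS update policy.

Added example, not from the original document or from the Windows DHCP service.
Option layout (RFC 4702): code 81, length, flags, rcode1, rcode2, domain name.
Flag bits: S = client asks the server to update the A record, O = server
overrides the client's S, E = name is in DNS wire (label) format, N = client asks
the server to perform no DNS updates at all.
"""
from enum import Enum

FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08


def _wire_name(fqdn: str) -> bytes:
    """Encode a dotted name as DNS labels terminated by the root label."""
    labels = [l for l in fqdn.split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_client_fqdn(fqdn: str, server_updates_a: bool, no_updates: bool = False) -> bytes:
    """Option 81 as a client would send it (wire-format name, E bit set)."""
    flags = FLAG_E | (FLAG_S if server_updates_a else 0) | (FLAG_N if no_updates else 0)
    body = bytes([flags, 0, 0]) + _wire_name(fqdn)
    return bytes([81, len(body)]) + body


def parse_client_fqdn(option: bytes) -> dict:
    """Parse option 81; accepts both the wire-format and the deprecated ASCII name."""
    if len(option) < 5 or option[0] != 81 or option[1] != len(option) - 2:
        raise ValueError("malformed Client FQDN option")
    flags, body = option[2], option[5:]   # rcode1/rcode2 (option[3:5]) are ignored
    if flags & FLAG_E:
        labels, i = [], 0
        while i < len(body) and body[i] != 0:
            n = body[i]
            if n & 0xC0 or i + 1 + n > len(body):
                raise ValueError("bad label in Client FQDN option")
            labels.append(body[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        fqdn = ".".join(labels)
    else:
        fqdn = body.decode("ascii").rstrip(".")
    return {"fqdn": fqdn, "S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
            "E": bool(flags & FLAG_E), "N": bool(flags & FLAG_N)}


class Policy(Enum):
    ALWAYS = "always register A and PTR"
    NEVER_A = "never register A"
    WHEN_REQUESTED = "register A and PTR when the client requests it"


def server_updates(policy: Policy, client: dict) -> set:
    """Records the DHCP server updates on the client's behalf under each policy."""
    if policy is Policy.ALWAYS:
        return {"A", "PTR"}           # server overrides whatever the client asked
    if policy is Policy.NEVER_A:
        # Assumption: the server still maintains the PTR record, which only it can
        # sensibly own, unless the client asked for no server updates at all.
        return set() if client["N"] else {"PTR"}
    if client["N"]:
        return set()
    # S set: client asked the server to register A; otherwise the client registers
    # its own A record and the server handles only the reverse (PTR) mapping.
    return {"A", "PTR"} if client["S"] else {"PTR"}


if __name__ == "__main__":
    opt = build_client_fqdn("host1.contoso.com", server_updates_a=True)
    client = parse_client_fqdn(opt)
    print(client, server_updates(Policy.WHEN_REQUESTED, client))
```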
12. IP Address Allocation
When you define which IP addresses will be on which network, you are not only setting a precedent that will be difficult to change, you are limiting the size of your network. This is because IP networks/subnets have limited sizes. For example, a Class C network (like 192.168.1.0 /24) can have up to 254 usable computers. That may be enough for your network today, but it may not be enough for your network next year.
Of course, the ideal time to properly size these IP networks is when you design the network. Your design is only as good as the information you have at hand. Let's say that you expect each network to have 125 computers and not grow beyond 254 computers. When you configure your routers and design an IP address scheme, you will assign a Class C IP address network to this network. If after six months the device count needs to go up to 400, however, you will have to make a change in your design. You will have a couple of choices.
All computers that are on a TCP/IP network must have an IP address on the network to work correctly. You can manually configure IP addresses at each computer, or you can install a Dynamic Host Configuration Protocol (DHCP) server that can assign IP addresses to each client computer or device on the network. No manual configuration is required on the IP phones because the phones can receive only DHCP-assigned IP addresses.
A DHCP client is any network-enabled device that allows you to communicate with a DHCP server to obtain dynamic, leased IP configuration and related, optional information. Unified communications (UC) phones are DHCP clients.
Required Ports
Make sure that the following ports are open to allow a hardware load balancer:
* On a Registrar: 5061, 5063 (for SIP connections)
* On Web Services: 80 (HTTP) and 443 (HTTPS)
* On a hardware load balancer: 444 (for HTTPS between server components), and make sure that source network address translation (SNAT) is allowed through.
User Provisioning
Ensure that users have been provisioned and enabled on Lync Server. This can be done in the Lync Server Control Panel.
In Lync Server Control Panel, go to the Users tab and search for the user. Double-click the user to see whether he or she is enabled and has the telephony type Enterprise Voice. Both of these values need to be set for the user to be able to connect to Lync Server and make phone calls.
Dial-in Page
After the users have been provisioned, they will go to the dial-in page to set up their PIN.
A DHCP client and a DHCP server are defined as follows:
* A DHCP client is a network host that uses DHCP to obtain configuration parameters such as a network address.
* A DHCP server is a network host that returns configuration parameters to DHCP clients.
A list of Domain Name System (DNS) suffixes should be added to use in completing unqualified DNS names that are used to search and submit DNS queries at the client for resolution. For DHCP clients, this can be set by assigning the DNS domain name option (option 15) and providing a single DNS suffix for the client to append and use in searches. In some circumstances it is preferable that a DHCP client be configured with the domain search list. Multiple DNS suffixes are supported with the use of DHCP search option 119. DHCP search option 119 is passed from the DHCP server to the DHCP client to specify the domain search list used when resolving host names with DNS. DHCP search option 119 applies only to DNS; it does not apply to other name resolution mechanisms.
DHCP Options for the Domain Search List

DHCP Option | Description |
15 | Specifies the connection-specific DNS domain suffix to be used by the DHCP client |
119 | Specifies the domain search list to be used when resolving host names with DNS |

To enable search option 119 for a Windows Server DHCP server, do the following:
1. Open DHCP server: Click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click DHCP.
2. In the console tree, click the applicable DHCP server.
3. On the Action menu, click Set Predefined Options.
4. In Predefined Options and Values, click Add (Option Class Standard), and click OK.
5. In Name, type DNS Search List.
6. Set Code to 119 and Data Type string (it is not an <ServerRole> pool), and click OK.
7. Right-click Scope Options, click Configure Options, and select the Option 119 DNS Search List check box.
8. Type a list of domain suffixes in your organization separated by semicolons (for example, contoso.com; dev.contoso.com).
9. Click OK.
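What the DHCP server actually sends on the wire for the search list entered in step 8, as an added example that is not part of the original document or of the Windows DHCP console: a Python encoder and decoder for option 119, which per RFC 3397 carries DNS-style labels and may use compression pointers, so the decoder has to follow pointers and refuse loops. The "contoso.com; dev.contoso.com" input is the page's own example; the other domains in the code are constructed.

```python
"""DHCP option 119 (domain search list) encoder and decoder.

Added example, not from the original document or the Windows DHCP console.
RFC 3397 carries the search list as DNS-style labels and allows RFC 1035
compression pointers whose offsets are relative to the start of the option
data; a decoder therefore has to follow pointers and guard against loops.
Lists longer than 255 bytes are split across repeated option instances
(RFC 3396); that splitting is not shown here.
"""
import struct


def parse_console_list(text: str) -> list:
    """Turn the 'contoso.com; dev.contoso.com' form typed in the console into a list."""
    return [d.strip().rstrip(".").lower() for d in text.split(";") if d.strip()]


def encode_search_list(domains: list) -> bytes:
    """Encode domains with suffix compression (a repeated suffix becomes a pointer)."""
    out = bytearray()
    offsets = {}                        # tuple of remaining labels -> offset of that suffix
    for domain in domains:
        labels = [l for l in domain.split(".") if l]
        while labels:
            key = tuple(labels)
            if key in offsets:
                out += struct.pack("!H", 0xC000 | offsets[key])
                break
            if len(labels[0]) > 63:
                raise ValueError("DNS label longer than 63 bytes: %r" % labels[0])
            if len(out) < 0x3FFF:       # pointers can only address 14-bit offsets
                offsets[key] = len(out)
            out.append(len(labels[0]))
            out += labels[0].encode("ascii")
            labels = labels[1:]
        else:
            out.append(0)               # root label ends a name written out in full
    return bytes(out)


def decode_search_list(data: bytes) -> list:
    """Decode option 119 data, following compression pointers safely."""
    domains, i = [], 0
    while i < len(data):
        labels, pos, jumped, hops = [], i, False, 0
        while True:
            if pos >= len(data):
                raise ValueError("truncated search list")
            n = data[pos]
            if n & 0xC0 == 0xC0:        # compression pointer
                if pos + 1 >= len(data):
                    raise ValueError("truncated pointer")
                if hops >= 32:
                    raise ValueError("compression pointer loop")
                hops += 1
                target = struct.unpack("!H", data[pos:pos + 2])[0] & 0x3FFF
                if not jumped:
                    i = pos + 2         # resume after the pointer, not after its target
                jumped, pos = True, target
                continue
            if n == 0:
                if not jumped:
                    i = pos + 1
                break
            if pos + 1 + n > len(data):
                raise ValueError("truncated label")
            labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
        domains.append(".".join(labels))
    return domains


if __name__ == "__main__":
    wire = encode_search_list(parse_console_list("contoso.com; dev.contoso.com"))
    print(wire.hex())
    print(decode_search_list(wire))
```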
13. Benefits of DHCP
Deploying DHCP on your enterprise network provides the following benefits:
* Safe and reliable configuration. DHCP minimizes configuration errors caused by manual IP address configuration, such as typographical errors, as well as address conflicts caused by a currently assigned IP address accidentally being reissued to another computer.
* Reduced network administration.
  * TCP/IP configuration is centralized and automated.
  * Network administrators can centrally define global and subnet-specific TCP/IP configurations.
  * Clients can be automatically assigned a full range of additional TCP/IP configuration values by using DHCP options.
  * Address changes for client configurations that must be updated frequently, such as remote access clients that move around constantly, can be made efficiently and automatically when the client restarts in its new location.
  * Most routers can forward DHCP configuration requests, eliminating the requirement of setting up a DHCP server on every subnet, unless there is another reason to do so.
Source: http://technet.microsoft.com/en-us/library/cc958943.aspx
IV. INTERNET INFORMATION SERVICE
1. Benefits and Features of IIS
IIS 6.0 provides the following benefits and features:
* Reliability. IIS 6.0 uses a new request-processing architecture and application isolation environment that enables individual Web applications to function within a self-contained worker process. This environment prevents one application or Web site from stopping another, and it reduces the amount of time that administrators spend restarting services to correct application-related problems. The new environment also includes proactive health monitoring for application pools.
* Scalability. IIS 6.0 introduces a new kernel-mode driver for Hypertext Transfer Protocol (HTTP) parsing and caching that is specifically tuned to increase Web server throughput and scalability of multiprocessor computers. The result is an increase in the following:
  * The number of Web sites that a single IIS 6.0 server can host
  * The number of concurrently active worker processes
  * The performance for startup and shutdown times for the Web server and for individual Web sites
  * The number of simultaneous requests that a Web server can service
  Also, by configuring the startup and shutdown time limits for worker processes, IIS allocates resources to active Web sites instead of keeping resources on idle requests.
* Security. IIS 6.0 provides significantly improved security over IIS 5.0. For example, to reduce the attack surface of systems, IIS 6.0 is not installed by default on Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition. After installing these products, administrators must manually install IIS 6.0. When IIS 6.0 is installed, it is locked down by default so that it can serve only static content. By using the Web Service Extensions node in IIS Manager, Web site administrators can enable or disable IIS functionality based on the individual needs of their organization.
  IIS 6.0 includes a variety of security features and technologies to help ensure the integrity of your Web and File Transfer Protocol (FTP) site content, as well as the data that is transmitted through your sites. These security features and technologies include Advanced Digest authentication, improved access control, Secure Sockets Layer (SSL) encryption, centralized certificate storage, and detailed auditing capabilities.
* Manageability. To meet the needs of a diverse set of organizations, IIS 6.0 provides a variety of manageability and administration tools. Administrators can configure an IIS 6.0 server by using IIS Manager, by running administration scripts, or by directly editing the IIS metabase. Administrators can also remotely administer IIS servers and Web sites.
* Enhanced Development. Compared to Windows 2000 Server, Windows Server 2003 offers an improved developer experience with ASP.NET and IIS integration. ASP.NET runs most Active Server Pages (ASP) code while providing greater functionality for building enterprise-class Web applications that can work as a part of the .NET Framework. Use ASP.NET to fully utilize the features of the common language runtime, such as type safety, inheritance, language interoperability, and versioning. IIS 6.0 also offers support for the latest Web standards including XML, SOAP, and Internet Protocol version 6 (IPv6).
* Application Compatibility. According to feedback from thousands of customers and independent software vendors (ISVs), IIS 6.0 is compatible with most of their existing Web applications. Also, to ensure maximum compatibility, you can configure IIS 6.0 to run in IIS 5.0 isolation mode.
* HTTP Compression. To make best use of available bandwidth, IIS 6.0 includes the ability to compress both static content and dynamic content. This results in faster transmission time between compression-enabled browsers and IIS regardless of whether your content is served from local storage or a Universal Naming Convention (UNC) resource. The HTTP compression feature is highly customizable to meet the needs of your organization.
2. IIS 6.0 Services
IIS 6.0 offers four Internet services that you can use to create sites or virtual servers, configure properties and security settings, and set up components to customize your system.
When you install IIS 6.0 on a computer that does not contain an earlier version of IIS, IIS 6.0 automatically installs the following two services:
* The WWW service, which hosts Internet and intranet content.
* The IIS Admin service, which manages the IIS metabase.
You can also choose to install one or more of the following services:
* The FTP service for hosting sites from which users can upload and download files.
* The NNTP service for hosting discussion groups.
* The SMTP service for sending and receiving e-mail messages.
Table 2.2 lists the IIS services, their core components, and their service hosts.
Table 2.2 Basic Services Provided by IIS 6.0

Service Name | Description | Service Short Name | Core Component | Host |
World Wide Web Publishing Service (WWW service) | Delivers Web publishing services. | W3SVC | Iisw3adm.dll | Svchost.exe |
File Transfer Protocol (FTP) | Allows file uploads and downloads from remote systems. | MSFTPSVC | Ftpsvc2.dll | Inetinfo.exe |
Simple Mail Transfer Protocol (SMTP) | Sends and receives electronic messages (e-mail). | SMTPSVC | Smtpsvc.dll | Inetinfo.exe |
Network News Transfer Protocol (NNTP) | Distributes network news messages. | NNTPSVC | Nntpsvc.dll | Inetinfo.exe |
IIS Admin Service | Manages the metabase. | IISADMIN | Iisadmin.dll | Inetinfo.exe |
* World Wide Web Publishing Service
The World Wide Web Publishing Service (WWW service) provides Web publishing for IIS, connecting client HTTP requests to Web sites running on an IIS-based Web server.
The WWW service manages and configures the IIS core components that process HTTP requests. These core components include the HTTP protocol stack (HTTP.sys) and the worker processes.
The WWW service includes these subcomponents: Active Server Pages (ASP), Internet Data Connector, Remote Administration (HTML), Remote Desktop Web Connection, server-side includes (SSI), Web Distributed Authoring and Versioning (WebDAV) publishing, and ASP.NET.
* FTP Service
IIS provides an FTP service, which you can use to allow users on remote computer systems to copy files to and from your server on a network that uses TCP/IP. The IIS FTP service is an implementation of the File Transfer Protocol, RFC 959, File Transfer Protocol (FTP), and several extensions. The FTP protocol is implemented on top of TCP, which ensures that file transfers are complete and that data transfer is accurate.
You can deploy the FTP service across an arbitrary number of front-end and back-end servers, which increases reliability and availability. By adding virtual directories and servers, you can easily scale FTP without affecting end users.
In IIS 6.0, the FTP service allows you to isolate users at the site level, a feature known as FTP user isolation, to help administrators secure and commercialize their Internet sites. Because of the easy availability and wide adoption of FTP, Internet service providers (ISPs) and application service providers (ASPs) traditionally have used FTP to upload their Web content. IIS 6.0 allows the isolation of users into their own directory, thus preventing users from viewing or overwriting other users' Web content. The user's top-level directory appears as the root of the FTP site, which restricts access by not allowing users to navigate farther up the directory tree or across to other users' home directories. Within the user's own site, the user can create, modify, or delete files and folders.
* SMTP Service
The SMTP service in IIS processes messages by using the Simple Mail Transfer Protocol (SMTP), which is a TCP/IP protocol that is used to send and receive messages from one computer to another on a network. This protocol is used in intranets and on the Internet to route e-mail.
SMTP is the Internet standard for transporting and delivering electronic messages. Based on specifications in RFCs 2821 and 2822, Microsoft SMTP service is included in the Windows Server 2003 operating system. In Windows Server 2003, the SMTP service is actually a component of IIS and runs as part of Inetinfo.exe. Windows Server 2003 uses SMTP as its native transport protocol to route all messages internally and externally. SMTP is also the default transport for Microsoft® Exchange 2000 Server.
The SMTP component of IIS can send or receive SMTP e-mail messages. You can program the server to automatically send messages in response to events — for example, to confirm a successful form submission by a user. You can also use SMTP to receive messages — for example, to collect feedback from Web site customers.
SMTP does not provide a complete e-mail service. To obtain complete e-mail services for your users, use Microsoft® Exchange Server.
* NNTP Service
IIS provides a Network News Transfer Protocol (NNTP) service, which you can use to distribute network news messages to NNTP servers and to NNTP clients (news readers) on the Internet. NNTP provides for the distribution, inquiry, retrieval, and posting of news articles by using a reliable stream-based transmission of news on the Internet. With NNTP, news articles are stored on a server in a central database from which users select specific items to read. Indexing, cross-referencing, and expiration of aged messages also are provided.
You can host NNTP local discussion groups on a single computer. Because this feature complies fully with the NNTP protocol, users can use any NNTP client to participate in the newsgroup discussions. The IIS NNTP service does not support news feeds or replication. To use news feeds or to replicate a newsgroup across multiple computers, use Microsoft Exchange Server.
* IIS Admin Service
IIS Admin service is a Windows Server 2003 service that manages the IIS metabase. The metabase stores IIS configuration data in a plaintext XML file (MetaBase.xml, in %SystemRoot%\system32\inetsrv) that you can read and edit by using common text editors. IIS Admin service makes metabase data available to other applications, including the core components of IIS, applications built on IIS, and applications that are independent of IIS, such as management or monitoring tools. Because the file holds the whole server configuration, its NTFS permissions are by default restricted to the Administrators group and the Local System account; keep them that way and include the file in backups.
3. IIS 6.0 Architecture
Overview of IIS 6.0 Architecture (IIS 6.0)
IIS 6.0 provides a redesigned World Wide Web Publishing Service (WWW service) architecture that can help you achieve better performance, reliability, scalability, and security for your Web sites, whether they run on a single server running IIS or on multiple servers.
IIS 6.0 runs a server in one of two distinct request processing models, called application isolation modes. Application isolation is the separation of applications by process boundaries that prevents one application or Web site from affecting another and reduces the time that you spend restarting services to correct problems related to applications.
In IIS 6.0, application isolation is configured differently for each of the two IIS application isolation modes. Both modes rely on the HTTP protocol stack (also referred to as HTTP.sys) to receive Hypertext Transfer Protocol (HTTP) requests from the Internet and return responses. HTTP.sys resides in kernel mode, where operating system code, such as device drivers, runs. HTTP.sys listens for, and queues, HTTP requests. For more information about HTTP.sys, see HTTP Protocol Stack.
The new request-processing architecture and application isolation environment enables individual Web applications, which always run in user mode, to function within a self-contained worker process. A worker process is user-mode code whose role is to process requests, such as returning a static page or invoking an Internet Server API (ISAPI) extension or filter. Worker processes use HTTP.sys to receive requests and send responses over HTTP. For more information about worker processes, see Worker Processes.
IIS 6.0 Request Processing Models
Worker process isolation mode is the new IIS request processing model. In this application isolation mode, you can group Web applications into application pools, through which you can apply configuration settings to the worker processes that service those applications. An application pool corresponds to one request routing queue within HTTP.sys and one or more worker processes.
Worker process isolation mode enables you to completely separate an application in its own process, with no dependence on a central process such as Inetinfo.exe to load and execute the application. All requests are handled by worker processes that are isolated from the Web server itself. Process boundaries separate each application pool so that when an application is routed to one application pool, applications in other application pools do not affect that application. By using application pools, you can run all application code in an isolated environment without incurring a performance penalty. For more information about application pools, see How Application Pools Work.
For a visual representation of worker process isolation mode architecture, see Figure 2.1.
Figure 2.1 Architecture of Worker Process Isolation Mode
Worker process isolation mode delivers all the benefits of the new IIS 6.0 architecture, including multiple application pools, health monitoring and recycling, increased security and performance, improved scalability, and processor affinity. For example, the new health monitoring features can help you discover and prevent application failures, and can also help protect your Web server from imperfect applications.
4. IIS 7.0 Architecture
IIS 7 and above have a similar HTTP request-processing flow as IIS 6.0. The diagrams in this section provide an overview of an HTTP request in process.
The following list describes the request-processing flow that is shown in Figure 1:
1. When a client browser initiates an HTTP request for a resource on the Web server, HTTP.sys intercepts the request.
2. HTTP.sys contacts WAS (the Windows Process Activation Service) to obtain information from the configuration store.
3. WAS requests configuration information from the configuration store, applicationHost.config.
4. The WWW Service receives configuration information, such as application pool and site configuration.
5. The WWW Service uses the configuration information to configure HTTP.sys.
6. WAS starts a worker process for the application pool to which the request was made.
7. The worker process processes the request and returns a response to HTTP.sys.
8. The client receives the response.
Figure 1: Overview of an HTTP Request
In a worker process, an HTTP request passes through several ordered steps, called events, in the Web Server Core. At each event, a native module processes part of the request, such as authenticating the user or adding information to the event log. If a request requires a managed module, the native ManagedEngine module creates an AppDomain, where the managed module can perform the necessary processing, such as authenticating a user with Forms authentication. When the request passes through all of the events in the Web Server Core, the response is returned to HTTP.sys. Figure 2, below, shows an HTTP request entering the worker process.
Figure 2: Detail of an HTTP request inside the Worker Process
V. FILE TRANSFER PROTOCOL
1. FTP Site
It is a computer that allows downloading (and, in some cases, uploading) of files by use of the File Transfer Protocol (FTP) over the Internet. There are thousands of FTP sites with hundreds of thousands of text, graphics, sound and video files freely available to anyone. However, an FTP site is not a website, because its data is not displayed like a web page. See also anonymous FTP. Source: http://www.businessdictionary.com/definition/FTP-site.html
2. FTP Client
A File Transfer Protocol client (FTP client) is a software utility that establishes a connection between a host computer and a remote server, typically an FTP server. An FTP client provides the dual-direction transfer of data and files between two computers over a TCP network or an Internet connection. An FTP client works on a client/server architecture, where the host computer is the client and the remote FTP server is the central server.
An FTP client primarily provides a reliable means to transfer data between a local and remote host. It works when the host computer connects to the FTP server by specifying the domain, IP address, username and password of that server. After the user authentication, a connection is established between both systems, and the host computer can upload data onto the FTP server. An FTP client generally supports one or multiple simultaneous file transfers. Moreover, most FTP clients have the ability to connect to multiple FTP servers simultaneously, providing status updates of the uploading process, and notifications about successful and failed transfers. Besides uploading, the host computer can also download files from the FTP server using the FTP client.
3. How FTP works
With most other client/server protocols, the client opens a connection to the server on a particular port and the server responds to the client over that same connection. FTP is different: when an FTP client connects to an FTP server it opens a control connection to the FTP control port (TCP 21), and then tells the server whether the data connection should be active or passive. The type of connection chosen by the client determines how the server responds and on which ports the data transfer occurs.
The two types of data connections are:
* Active connections: the client announces a high-numbered listening port on its own machine with the PORT command, and the server opens the data connection from its port 20 to that port. All data from the server is then passed over this connection. Because the client must accept an inbound connection, client-side firewalls and NAT commonly break active mode.
* Passive connections: the client sends the PASV command, asking the server to open a passive data port. The server binds a high-numbered port (above 1023; the exact range is server-configurable and can be restricted to a few hundred ports to make firewalling easier) for this session and relays the address and port number back to the client in its reply. The client then opens the data connection to that port. Each data request the client makes results in a separate data connection. Most modern FTP clients attempt a passive connection by default.
Two things to note when FTP is placed behind a load balancer or cluster (for example the LVS routers managed by the Piranha Configuration Tool):
* The client determines the type of connection, not the server. To cluster FTP effectively, the routers must be configured to handle both active and passive connections.
* The FTP client/server relationship can open a large number of data ports that the Piranha Configuration Tool and IPVS do not know about unless they track FTP sessions.
In summary:
1. The client makes a TCP connection to server port 21. This connection remains open for the duration of the session and is called the control connection.
2. A second connection, the data connection, is opened for each directory listing or file transfer.
3. The control connection carries authentication, commands and the server's replies, exchanged between the client and the server.
4. The server answers each command with a three-digit reply code, for example 220 (service ready), 230 (user logged in), 226 (transfer complete) or 550 (requested action not taken).
Code:
 Server (comp1)                          Client (comp2)
 +-------+                               +-------+
 | comp1 |  <--- control connection ---  | comp2 |
 +-------+        (TCP port 21)          +-------+
 listens on port 21 by default           initiates the TCP connection
FTP has two main transfer types (modes):
* Binary (image, TYPE I): every byte is transmitted unchanged, so the file arrives bit-for-bit identical to the original. Use it for anything that is not plain text.
* ASCII (TYPE A): the default type in RFC 959. Text is sent as NVT ASCII and line endings are translated to the receiving system's convention, which corrupts binary files. (The claim that ASCII mode sends only 7 bits per byte refers to the original 7-bit ASCII character set; the practical difference today is the line-ending translation.)
FTP was not designed to be secure and has well-known weaknesses. It is vulnerable to:
* sniffing: user names, passwords and file contents travel in plaintext
* bounce attacks: abusing the PORT command to make the server open connections to a third host
* spoofing attacks against the unauthenticated data connection
* weak user-name protection: different replies for valid and invalid accounts allow user enumeration
* port stealing: guessing the next data port and hijacking the transfer
* brute-force password guessing
These weaknesses have since been addressed by extensions and companion protocols rather than by FTP itself: FTP over TLS (FTPS, RFC 4217) encrypts the control and data connections, and SFTP, file transfer over SSH, is a different protocol that avoids most of these problems.
* Commands
To connect to a remote machine running an FTP server:
Code:
ftp machinename
Example:
aneesh@aneesh-laptop:~$ ftp ftp.freebsd.org
Connected to ftp.freebsd.org.
220 Welcome to freebsd.isc.org.
Name (ftp.freebsd.org:aneesh):
To end the session, use 'bye':
ftp> bye
221 Goodbye.
To upload a file from your computer to the server, use 'put':
Syntax:
put local_file_path
Example:
ftp> put /home/aneesh/articles/crackme.c
local: /home/aneesh/articles/crackme.c remote: /home/aneesh/articles/crackme.c
200 PORT command successful. Consider using PASV.
The "200 PORT command successful" reply shows that the client used active mode; the server's hint is to switch to passive mode (the 'passive' command in the command-line client) when the client sits behind a firewall or NAT.
4. FTP modes and security
Modes
There are two transfer modes in FTP, ASCII and binary. By default, TurboFTP uses Auto mode, whereby any file that matches one of the types (file extensions) specified in [Options | Advanced | Text file mask] is transferred in ASCII mode; everything else is transferred in binary mode.
* ASCII Mode
ASCII transfer mode is used to translate text files from one line-ending convention to another. For example, UNIX terminates lines with a line feed <LF>, while Windows and DOS terminate lines with a carriage return and a line feed <CR><LF>. Selecting this mode converts files from one convention to the other automatically. Do not use this mode when transferring binary files, since the conversion corrupts them.
* Binary Mode
Binary transfer mode is an FTP mode used to transfer files without modification or conversion. Files are transferred without conversion resulting in the same file on the source computer as the destination computer.
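What the two modes actually do to the bytes, as an added example (not from the page or from TurboFTP). The text sample and the 16-byte PNG header are constructed inline; the `looks_binary` heuristic is one way a client could implement an "auto" mode, not TurboFTP's own rule.

```python
"""FTP TYPE A versus TYPE I: line-ending translation and why it corrupts binaries."""
from __future__ import annotations

import hashlib


def to_nvt_ascii(data: bytes) -> bytes:
    """Sender side of TYPE A: every local line ending becomes CR LF on the wire."""
    unified = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    return unified.replace(b"\n", b"\r\n")


def from_nvt_ascii(wire: bytes, local_eol: bytes) -> bytes:
    """Receiver side of TYPE A: CR LF becomes the receiving system's convention."""
    return wire.replace(b"\r\n", local_eol)


def ascii_transfer(data: bytes, local_eol: bytes = b"\n") -> bytes:
    """Round-trip a file through TYPE A to a host whose line ending is local_eol."""
    return from_nvt_ascii(to_nvt_ascii(data), local_eol)


def binary_transfer(data: bytes) -> bytes:
    """TYPE I: bytes pass through untouched."""
    return bytes(data)


def looks_binary(data: bytes, sample: int = 8192) -> bool:
    """Heuristic for an 'auto' mode: NUL bytes or a high share of control
    bytes (other than TAB, LF, CR) means the file must go as TYPE I."""
    head = data[:sample]
    if b"\x00" in head:
        return True
    control = sum(1 for b in head if b < 0x20 and b not in (9, 10, 13))
    return len(head) > 0 and control / len(head) > 0.05


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples: a Unix text file, and the first 16 bytes of a PNG
# (the signature deliberately contains CR LF, LF and a lone CR, so that a
# viewer or transfer that mangles line endings breaks the file).
TEXT_FILE = b"first line\nsecond line\n"
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"
```

Run ascii_transfer(PNG_HEAD) against binary_transfer(PNG_HEAD) and compare the digests: the ASCII path changes the length and the hash, which is the corruption the text warns about, while the text file round-trips unchanged when the two systems share a line-ending convention.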
Security
File Transfer Protocol (FTP) provides the capability of transferring files between a client (a user on another system) and your server. You need to understand the security risks that you might encounter when you use FTP to ensure that your security policy describes how to minimize the risks.
Here are some options for controlling this security risk:
* Put full i5/OS® object security into effect on the system (in other words, change the system's security model from menu security to object security). This is the best and most secure option.
* Write exit programs for FTP to restrict access to files that might be transferred through FTP. These exit programs need to provide security at least equivalent to the security that the menu program provides. You might want to make the FTP access controls even more restrictive. This option covers only FTP, not other interfaces such as ODBC, DDM, or DRDA®.
A hacker can mount a denial of service attack with your FTP server to disable user profiles on the system. This is done by repeatedly attempting to log on with an incorrect password for a user profile until the user profile is disabled. This type of attack disables the profile if it reaches the maximum sign on count of three.
What you can do to avoid this risk involves analyzing the trade-offs that you are willing to make to increase security to minimize the attack versus providing users with ease of access. The FTP server normally enforces the QMAXSIGN system value to prevent a hacker from having unlimited attempts to guess a password and therefore mount password attacks. Here are some options that you need to consider using:
1. Use an FTP server logon exit program to reject logon requests by any system user profiles and by those user profiles that you designate as not allowed FTP access. (When using such an exit program, logon attempts rejected by the server logon exit point for the user profiles that you block do not count against the profile's QMAXSIGN count.)
2. Use an FTP server logon exit program to limit the client machines from which a given user profile is allowed to access the FTP server. For example, if a person from Accounting is allowed FTP access, allow that user profile FTP server access only from computers with IP addresses in the Accounting department.
3. Use an FTP server logon exit program to log the user name and IP address of all FTP logon attempts. Review these logs regularly, and whenever a profile is disabled by maximum password attempts, use the IP address information to identify the perpetrator and take appropriate measures.
4. Use the intrusion detection system to detect denial of service attacks on the system.
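Detection logic for the three situations above (a profile about to be disabled by repeated failures, a single client trying many accounts, and a profile logging on from outside its permitted network), as an added example that is not from the page, from IBM i or from vsftpd. The log lines are constructed (they follow vsftpd's "OK LOGIN"/"FAIL LOGIN" format), and the per-profile network allow-list is a hypothetical policy standing in for the exit-program rules the text describes.

```python
"""FTP logon abuse detection over server log lines."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# vsftpd-style line: 'Tue May 14 10:00:01 2024 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"'
LINE_RE = re.compile(
    r'^\w{3} (?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)
MAX_SIGNON = 3                  # QMAXSIGN-style lockout threshold
WINDOW = timedelta(minutes=5)   # failures are counted within this sliding window
SPRAY_USERS = 3                 # distinct accounts failing from one client = spraying

# Hypothetical policy: the networks each profile may use FTP from (exit-program rule).
ALLOWED_NETS = {"accounting": [ip_network("10.20.0.0/24")]}


def parse_line(line: str) -> dict | None:
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y"),
            "user": m["user"], "ok": m["result"] == "OK", "ip": m["ip"]}


def analyse(lines: list[str]) -> list[tuple]:
    """Return findings as (kind, subject, [addresses or users]) tuples."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    findings: list[tuple] = []
    recent_fails: dict[str, deque] = defaultdict(deque)   # per user, inside WINDOW
    users_by_ip: dict[str, set] = defaultdict(set)        # failed accounts per client
    for e in events:
        if e["ok"]:
            nets = ALLOWED_NETS.get(e["user"])
            if nets and not any(ip_address(e["ip"]) in n for n in nets):
                findings.append(("login-from-disallowed-net", e["user"], [e["ip"]]))
            continue
        q = recent_fails[e["user"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()
        if len(q) == MAX_SIGNON:          # the attempt that would disable the profile
            findings.append(("lockout", e["user"], sorted({x["ip"] for x in q})))
        users_by_ip[e["ip"]].add(e["user"])
    for ip, users in users_by_ip.items():
        if len(users) >= SPRAY_USERS:
            findings.append(("spray", ip, sorted(users)))
    return findings


# Constructed sample log: one lockout attack, one spray, one policy violation.
SAMPLE_LOG = """\
Tue May 14 10:00:01 2024 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"
Tue May 14 10:00:05 2024 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"
Tue May 14 10:00:09 2024 [pid 2] [alice] FAIL LOGIN: Client "203.0.113.9"
Tue May 14 10:01:00 2024 [pid 3] [bob] FAIL LOGIN: Client "203.0.113.9"
Tue May 14 10:01:10 2024 [pid 3] [carol] FAIL LOGIN: Client "203.0.113.9"
Tue May 14 10:02:00 2024 [pid 4] [accounting] OK LOGIN: Client "10.20.0.15"
Tue May 14 10:30:00 2024 [pid 5] [accounting] OK LOGIN: Client "198.51.100.7"
Tue May 14 11:00:00 2024 [pid 6] [dave] FAIL LOGIN: Client "192.0.2.4"
""".splitlines()

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The lockout finding fires on the exact attempt that would disable the profile, so the responsible addresses are known before users start calling the help desk; the spray finding catches the case the per-user counter misses, where one client touches each account only once or twice.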
Additionally, you can use FTP server exit points to provide an anonymous FTP function for guest users. Setting up a secure, anonymous FTP server requires exit programs for both the FTP server logon and FTP server request validation exit points.
You can use SSL/TLS (FTP over TLS, usually called FTPS) to provide secure communications sessions for your FTP server. TLS encrypts FTP transmissions to maintain confidentiality for the data that passes between the FTP server and the client, including user names and passwords. Note that the data connection must be protected as well as the control connection (the PROT P command in RFC 4217); otherwise the logon is encrypted but file contents still travel in the clear. The FTP server also supports digital certificates for client authentication.
5. Anonymous FTP
A method for downloading public files using the File Transfer Protocol (FTP). Anonymous FTP is called anonymous because you don't need to identify yourself before accessing files. In general, you enter the word anonymous or ftp when the host prompts you for a username; you can enter anything for the password, such as your e-mail address or simply the word "guest". In many cases, when you access an anonymous FTP site, you won't even be prompted for your name and password.
You can use the Archie system to obtain a list of anonymous FTP sites and files available on each site.
Many FTP sites are protected. Unlike anonymous FTP sites, these restricted FTP sites can only be accessed by individuals who enter a valid username and password.
VI. SIMPLE MAIL TRANSFER PROTOCOL
1. SMTP Session
An SMTP session consists of commands originated by an SMTP client (the initiating agent, sender, or transmitter) and corresponding responses from the SMTP server (the listening agent, or receiver), by which the session is opened and session parameters are exchanged. A session may include zero or more SMTP transactions. An SMTP transaction consists of three command/reply sequences:
* MAIL command, to establish the return address, also known as the Return-Path, 5321.From, MAIL FROM or envelope sender. This is the address to which bounce messages are sent.
* RCPT command, to establish a recipient of the message. This command can be issued multiple times, once for each recipient. These addresses are also part of the envelope.
* DATA, to send the message text. This is the content of the message, as opposed to its envelope. It consists of a message header and a message body separated by an empty line. DATA is actually a group of commands, and the server replies twice: once to the DATA command itself, to acknowledge that it is ready to receive the text, and a second time after the end-of-data sequence (a line containing only a period), to either accept or reject the entire message.
The envelope addresses (MAIL FROM and RCPT TO) are what the server acts on; the From: and To: header fields inside the DATA are not checked by SMTP itself, so a plain SMTP server cannot tell whether a header From: address is genuine.
2. Message Retrieval Operation
* Message Retrieval
Message Retrieval allows users to access email on another server through the SmarterMail Web interface. Note: This feature is only available to users if their system administrator has enabled message retrieval.
To view your message retrieval settings, click Settings in the main toolbar and then click the Settings navigation pane. Expand the My Settings folder and click Message Retrieval in the left tree view.
* POP Retrieval
SmarterMail's POP retrieval service downloads email messages from another server via POP3 and delivers them to your SmarterMail mailbox. When creating a new account for POP message retrieval, the following options are available:
1. Server Address - The address of the email server to connect to.
2. Port - The port used to connect to the email server. By default, the port is 110.
3. Username - The identifier used to authenticate with the email server.
4. Password - The corresponding password used to authenticate with the email server.
5. Retrieval Method - The method by which SmarterMail checks for new messages on the server. Note: If you choose to retrieve messages manually, you will have to load the Message Retrieval page and click Retrieve in the actions toolbar to check for new messages.
6. Destination Folder - The folder in which messages downloaded from the server are saved.
7. Enable APOP Authentication - Select this option if the server requires additional login security (APOP sends a hash instead of the plaintext password).
8. Leave Messages on Server - Select this option to keep your messages on the server after they are downloaded to your SmarterMail mailbox.
9. Requires SSL - Select this option if the connection to the server must use SSL/TLS.
10. Enable Spam Filtering - Select this option to apply your SmarterMail spam and content filtering settings to any messages downloaded from this server.
* IMAP Retrieval
SmarterMail's IMAP retrieval service downloads email messages from another server via IMAP and delivers them to your SmarterMail mailbox. When creating a new account for IMAP message retrieval, the following options are available:
1. Server Address - The address of the email server to connect to.
2. Port - The port used to connect to the email server. By default, the port is 143.
3. Username - The identifier used to authenticate with the email server.
4. Password - The corresponding password used to authenticate with the email server.
5. Retrieval Method - The method by which SmarterMail checks for new messages on the server. Note: If you choose to retrieve messages manually, you will have to load the Message Retrieval page and click Retrieve in the actions toolbar to check for new messages.
6. Folder Transfer Method - The method by which SmarterMail imports any email folders from the server.
7. Requires SSL - Select this option if the connection to the server must use SSL/TLS.
3. SMTP Server and Security * Server
The SMTP server is the internet address of the mail server that Entourage should connect to when sending your messages. Like a POP or IMAP server, this address might consist of only letters, letters and numbers, or only numbers, and it typically includes three or four parts that are separated by periods (.).
Your ISP will provide you with this information. You can also use your ISP's SMTP server for other accounts, such as a mac.com account or your work account. This is often necessary because mail servers restrict relaying: a server normally accepts outgoing mail only from its own customers or from authenticated users, so that it cannot be abused as an open relay. Since SMTP is only for sending, the SMTP server does not have to match the POP or IMAP server used for receiving.
Examples of SMTP server addresses:
* smtp.example.com
* smtp.mail.example.com
* 192.168.7.27
Other common terms for the SMTP server are:
* outgoing message server
* sending server
* SMTP server address
* Security
You can specify security settings for a Simple Mail Transfer Protocol (SMTP) virtual server on the two security tabs. These settings apply to all domains on the virtual server.
Tab | Settings
Security | Designates the user accounts that have operator permissions to run the SMTP service. Operators can configure SMTP virtual server properties.
Access | Contains settings to require authentication and the use of Transport Layer Security (TLS) for all incoming connections. You can also grant or deny access to specific computers or networks.
* Setting Operator Permissions: describes how to assign and remove operator permission on SMTP virtual servers.
* Requiring Authentication for Incoming Connections: describes how to disable authentication for incoming messages, set clear-text authentication for incoming messages, and use Integrated Windows authentication to authenticate incoming messages.
* Requiring Authentication for Outbound Messages: describes how to disable authentication for outgoing messages, set Basic authentication for outgoing messages, and set Integrated Windows authentication for outgoing messages.
* Setting IP Access Restrictions to Servers: describes how to set IP address access restrictions.
* Configuring SMTP Virtual Server Relay Restrictions: describes how to add and remove relay restrictions from an SMTP virtual server. Relay restrictions are the setting that decides whether the server accepts mail addressed to domains it is not responsible for; a server that accepts such mail from anyone is an open relay and will be abused for spam.
* Requiring TLS Encryption: describes how to create and manage key certificates and how to set TLS encryption levels for the server.
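The SMTP transaction described in section 1 (MAIL, RCPT, the two DATA replies, envelope versus header) together with the relay restriction discussed above, as one added example that is not from the page or from the IIS SMTP service. The server is an in-memory state machine rather than a socket listener; the local domain list, the authenticated flag standing in for a successful AUTH, and the session script are all constructed.

```python
"""A minimal SMTP receiver state machine with an open-relay check."""
from __future__ import annotations

LOCAL_DOMAINS = {"example.com"}   # hypothetical: domains this server delivers for


class SmtpServer:
    def __init__(self, local_domains=LOCAL_DOMAINS, authenticated: bool = False):
        self.local = local_domains
        self.authenticated = authenticated   # True once a client has passed AUTH
        self.greeted = False
        self.in_data = False
        self.delivered: list[tuple] = []     # (envelope_from, [rcpts], raw_message)
        self.reset()

    def reset(self) -> None:
        self.mail_from = None
        self.rcpts: list[str] = []
        self.data_lines: list[str] = []

    def handle(self, line: str) -> str:
        """Process one client line and return the reply ('' while inside DATA)."""
        if self.in_data:
            return self._data_line(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            self.reset()
            return "250 mail.example.com Hello"
        if not self.greeted:
            return "503 5.5.1 Send EHLO first"
        if verb == "MAIL":
            if self.mail_from is not None:
                return "503 5.5.1 Nested MAIL command"
            self.mail_from = _addr(arg)          # envelope sender (Return-Path)
            return "250 2.1.0 OK"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            rcpt = _addr(arg)
            domain = rcpt.rpartition("@")[2].lower()
            if domain not in self.local and not self.authenticated:
                return "550 5.7.1 Relaying denied"   # the relay restriction
            self.rcpts.append(rcpt)
            return "250 2.1.5 OK"
        if verb == "DATA":
            if not self.rcpts:
                return "503 5.5.1 No valid recipients"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"   # first DATA reply
        if verb == "RSET":
            self.reset()
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"

    def _data_line(self, line: str) -> str:
        if line == ".":                           # end-of-data sequence
            self.in_data = False
            raw = "\r\n".join(self.data_lines) + "\r\n"
            self.delivered.append((self.mail_from, list(self.rcpts), raw))
            self.reset()
            return "250 2.0.0 Queued"             # second DATA reply: whole message accepted
        if line.startswith("."):                  # undo client dot-stuffing
            line = line[1:]
        self.data_lines.append(line)
        return ""


def _addr(arg: str) -> str:
    """'FROM:<alice@example.org>' -> 'alice@example.org'."""
    return arg.partition(":")[2].strip().strip("<>")


def run_session(server: SmtpServer, client_lines: list[str]) -> list[tuple[str, str]]:
    """Drive the server and return the transcript as (client line, reply) pairs."""
    transcript = []
    for line in client_lines:
        reply = server.handle(line)
        if reply:
            transcript.append((line, reply))
    return transcript


# Constructed session: one local recipient, one relay attempt, a dot-stuffed body line.
SESSION = [
    "EHLO client.example.org",
    "MAIL FROM:<bounces@example.org>",
    "RCPT TO:<bob@example.com>",
    "RCPT TO:<eve@other.test>",
    "DATA",
    "From: Web Form <noreply@example.org>",
    "Subject: Form received",
    "",
    "..hidden",
    "Thanks",
    ".",
    "QUIT",
]
```

In the transcript the second RCPT gets "550 5.7.1 Relaying denied" on an unauthenticated session and "250" once authenticated is set, the DATA command draws "354" and the terminating period draws the second reply, and the stored envelope sender (bounces@example.org) differs from the header From: inside the message, which the server never checked.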
4. POP and IMAP
There are two main ways for users to access their email. POP3 (Post Office Protocol version 3) is the traditional way and has been around for decades. It works much like regular mail: messages are delivered to your computer, put in your mailbox, and are then your responsibility.
The other, newer, method is IMAP (Internet Message Access Protocol). As the name suggests, it is not like the mailbox on your house. With IMAP, mail is delivered to the server and you connect to the server to see your mail. The mail is not stored on your machine. When a message is marked as read, it is marked as read on the server, not on your computer.
At first this may seem backwards, but IMAP lets you access your mail from different programs, different computers, or even via a web page, and your mailbox always reflects all your changes.
Advantages of POP3
* Email is available when you are offline
* Email is not stored on the server, so your disk usage on the server is lower
* Just about any email client (software) supports POP3
Advantages of IMAP
* Email is available from any machine you happen to use
* Email is stored on the server, so it is not lost if your computer crashes, is stolen or is destroyed (provided the server itself is backed up)
* You can access IMAP mail via the web without a mail client installed, for example from someone else's machine or a public terminal. Be aware that anything you type on an untrusted machine, including your password, can be captured by it; if you must do this, change your password afterwards from a machine you trust.
* Some IMAP clients can set up rules for "server side" filtering. This means that you could put all the emails from current customers into one mailbox, and filter other mail (potential new customers) to another mailbox. This is done automatically by the server instead of by manual filters in whatever software you happen to use. It also means that in most IMAP clients you can subscribe to only certain mailboxes: at work you could subscribe only to client mail, at home only to personal mail, and on your laptop to all your mail, all with a single account.
* If you read a message on one computer, it is read on any other computer you use to access your mail. If you reply to an email on one computer, that reply is available on any computer you use.
Disadvantages of POP3
* Can be much slower to check mail
* Much harder to do server-side filtering
* Mail is inaccessible from other machines
Disadvantages of IMAP
* Mail is not usually available if you are offline (unless the client keeps a local cache)
VII. SNMP
1. Basic Components of SNMP
There are three key components of an SNMP-managed network:
* Managed device: a network node that contains an SNMP agent and resides on a managed network. Managed devices collect and store management information and make this information available to network management systems (NMSs) using SNMP. Managed devices, sometimes called network elements, can be routers and access servers, switches and bridges, hubs, computer hosts, or printers.
* Agent: a network management software module that resides in a managed device. It has local knowledge of management information and translates that information into a form compatible with SNMP.
* Network management system (NMS): executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management. One or more NMSs must exist on any managed network.
2. Basic Commands of SNMP
* snmpget
The snmpget command returns the value of a specific OID.
For instance, to request the name of the device (the system.sysName object, belonging to the SNMPv2-MIB module) we run the following command. The -c option passes the community string, which in SNMPv1 and v2c is sent in cleartext in every UDP datagram, so anyone who can capture the traffic learns it:
[root@centos ~]# snmpget -v 2c -c centos-community 192.168.1.10 SNMPv2-MIB::system.sysName.0
* snmptranslate
The snmptranslate command allows to make translations of OIDs from numeric format to variable and vice versa.
[root@centos ~]# snmptranslate .1.3.6.1.2.1.2.2.1.4.2
IF-MIB::ifMtu.2
[root@centos ~]# snmptranslate -On IF-MIB::ifMtu.2
.1.3.6.1.2.1.2.2.1.4.2
* snmpwalk
The snmpwalk command performs a series of consecutive GETNEXT requests, and so retrieves, for example, all the values under a specific branch of the MIB tree.
[root@centos ~]# snmpwalk -v 2c -c centos-community 192.168.1.10 system
SNMPv2-MIB::sysDescr.0 = STRING: Linux server 2.6.18-164.11.1.el5 #1 SMP Wed Jan 20 07:32:21 EST 2010 x86_64
SNMPv2-MIB::sysObjectID.0 = OID: NET-SNMP-MIB::netSnmpAgentOIDs.10
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (342908) 0:57:09.08
SNMPv2-MIB::sysContact.0 = STRING: Root (configure /etc/snmp/snmp.local.conf)
SNMPv2-MIB::sysName.0 = STRING: centos
...
3. SNMP Versions
The versions of SNMP are SNMPv1, SNMPv2c and SNMPv3. A short description of each version follows, with a comparative overview after it.
* SNMPv1: the first version of the protocol, defined in RFCs 1155 and 1157. Access control consists of a community string carried in cleartext in every packet.
* SNMPv2c: the revised protocol, which enhances SNMPv1 in the areas of protocol packet types (GetBulk and Inform), transport mappings and MIB structure elements, but keeps the SNMPv1 administration model (community based, hence the "c"). It is defined in RFC 1901, RFC 1905, RFC 1906 and RFC 2578.
* SNMPv3: the secure version of SNMP. It adds the User-based Security Model (USM), which authenticates each message with an HMAC and can encrypt it, and the View-based Access Control Model (VACM), which limits what each user may read or write. SNMPv3 also facilitates remote configuration of SNMP entities. It is defined in RFC 3411 through RFC 3418 (USM in RFC 3414, VACM in RFC 3415) and reuses the SNMPv2 PDU formats.
In practice, treat v1/v2c community strings as passwords that travel in the clear: anyone who can sniff the traffic, or who guesses a default such as "public", can read the device's management data, and with a read-write community can modify its configuration. Use SNMPv3 with authentication and privacy wherever the device supports it, and restrict UDP/161 to the management network.
The WebNMS SNMP Utilities distribution supports all three versions of SNMP. The communication and MIB portions of the WebNMS SNMP Utilities conform to the following Internet RFC specifications:
* SNMPv1 - RFC 1155 and RFC 1157
* SNMPv2c - RFC 1901, RFC 1907, RFC 2578
* SNMPv3 - RFC 3411 and RFC 3412
* SNMPv3 USM - RFC 3414
* SNMPv3 VACM - RFC 3415
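What the snmpget command above actually puts on the wire, and why the community string is not a secret in v1/v2c, as an added example that is not from the page, from Net-SNMP or from WebNMS. It builds the same GetRequest that the snmpget example sends (BER-encoded by hand, no SNMP library) and parses it back; the host and community are the page's illustration values, and nothing is transmitted unless you call send_get yourself.

```python
"""SNMPv1/v2c GetRequest: hand-rolled BER encoder and decoder."""
from __future__ import annotations

import socket

PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response", 0xA3: "SetRequest"}


def _len(n: int) -> bytes:
    """BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _len(len(body)) + body


def ber_int(v: int) -> bytes:
    """INTEGER in minimal two's-complement form."""
    n = max(1, (v.bit_length() + 8) // 8)
    return _tlv(0x02, v.to_bytes(n, "big", signed=True))


def ber_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two sub-ids packed as 40*a+b, the rest base-128."""
    subs = [int(s) for s in oid.strip(".").split(".")]
    body = bytearray([subs[0] * 40 + subs[1]])
    for sub in subs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get(community: str, oid: str, request_id: int = 1, version: int = 1) -> bytes:
    """Message = SEQUENCE { version (0 = v1, 1 = v2c), community, GetRequest-PDU }."""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x05, b""))            # { OID, NULL }
    pdu = _tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)   # id, error-status, error-index
               + _tlv(0x30, varbind))
    return _tlv(0x30, ber_int(version) + _tlv(0x04, community.encode()) + pdu)


def _read(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body: bytes) -> str:
    subs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    return ".".join(map(str, subs))


def parse_get(packet: bytes) -> dict:
    """Pull version, community, PDU type and the first OID out of a datagram.
    This is all a passive sniffer needs to reuse the community string."""
    _, msg, _ = _read(packet, 0)
    _, ver, p = _read(msg, 0)
    _, community, p = _read(msg, p)
    pdu_tag, pdu, _ = _read(msg, p)
    _, rid, q = _read(pdu, 0)
    _, _, q = _read(pdu, q)            # error-status
    _, _, q = _read(pdu, q)            # error-index
    _, vbl, _ = _read(pdu, q)
    _, vb, _ = _read(vbl, 0)
    _, oid, _ = _read(vb, 0)
    return {"version": int.from_bytes(ver, "big", signed=True),
            "community": community.decode(),
            "pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "oid": decode_oid(oid)}


def send_get(host: str, packet: bytes, timeout: float = 2.0) -> bytes:
    """Send the datagram to UDP/161 and return the raw response (not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, 161))
        return s.recv(65535)
```

build_get("centos-community", "1.3.6.1.2.1.1.5.0", version=1) is the packet the page's snmpget command sends; the community string sits in it as a plain OCTET STRING, which is what parse_get extracts. The same parser run over datagrams from a capture recovers every community string in use, the reason the section above recommends SNMPv3 with authentication and privacy.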
VIII. TELNET
1. TELNET Services
Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
2. How TELNET works
Windows Server 2003 includes both Telnet Client and Telnet Server components. Using Telnet Client and Server, you can create a remote command console session on a host. You can run command-line programs, shell commands, and scripts in a remote command console session just as though you were logged on locally to the host and using a local command prompt window.
Windows Server 2003 Telnet Client and Server are well suited for troubleshooting and configuring remote computers, especially in mixed environments that require interoperability between different operating systems. For example, you can use Telnet Client to connect to a Telnet server that is running on another operating system such as UNIX. Likewise, you can use a Telnet client running on UNIX to connect to a computer running Telnet Server. Windows Server 2003 Telnet Client and Server are also suited to situations where memory and processor resources are minimal on a client or host, or where network bandwidth is limited. This is because computers running Telnet clients and servers use less memory and processor time than other remote management tools, and Telnet clients and servers transmit only plaintext (unencrypted characters) across the network. That same property is Telnet's main security weakness: the logon name, the password and every keystroke of the session can be read, or altered, by anyone on the network path, so Telnet should be confined to trusted networks or replaced by an encrypted alternative such as Remote Desktop for sensitive administration.
Understanding Telnet
Before using the Windows Server 2003 Telnet tools, you should consider the following:
* Windows Server 2003 Telnet Client and Server are based on the Telnet protocol, which specifies a method for transmitting and receiving unencrypted ASCII characters (plaintext) across a network. Understanding how the protocol works, and how Telnet clients and servers use the Telnet protocol, helps you manage Telnet connections.
* The Windows Server 2003 Telnet tools have several inherent limitations that affect the types of remote management tasks you can perform and the level of security that is in effect when you perform those tasks. Understanding these limitations helps you determine when and when not to use the Telnet tools.
* You can configure Telnet Server settings by using the Windows Server 2003 Telnet administration tool (Tlntadmn.exe) and the registry editor (Regedit.exe). Although the default Telnet Server settings are sufficient for most Telnet client connections, you might need to change the default settings to better suit your organization. Examples of Telnet Server settings include: authentication type, default port assignment for Telnet connections, maximum number of client connections, and maximum number of failed logon attempts.
* By default, members of the local administrators group can log on to a Telnet server. However, you might not want all Telnet users to have full administrative control of the host they log on to. In this case, you can use a Telnet clients group to grant users Telnet logon rights without granting them any administrative rights on the host. To configure these user rights from the graphical user interface, you must use the Active Directory Users and Groups snap-in or the Local Users and Groups snap-in. You can also use the Net User and Net Group commands to configure user rights from the command line.
* You can configure several optional settings when you use Telnet Client to establish a Telnet session on a host. Depending on the type of Telnet server you are logging on to, and how the Telnet server is configured, you might need to enable or change some of these optional settings. Examples of Windows Server 2003 Telnet Client settings include: client-side logging, terminal type, port assignment, and alternate user name for logon.
* You can manage active Telnet sessions on a host by using the Windows Server 2003 Telnet administration tool. Some of the administrative tasks you can perform include: terminating Telnet sessions, sending console messages to users with active Telnet sessions, and listing Telnet session information (for example, user name, logon time, idle time, and client IP address).
3. Command line Parameters
The command-line parameters are described in the following table.
Telnet.exe Command-Line Parameters
Parameter | Description
-a | Instructs Telnet.exe to log on to the host using the credentials of the user who is currently logged on to the client.
-e escape_char | Specifies an escape character, which displays the Telnet command prompt. The default escape character is Ctrl+].
-f log_file | Creates a client-side log file and turns on client-side logging for the current session. The log_file parameter must consist of a path and file name.
-l user_name | Instructs Telnet.exe to log on to the host using the user account that is specified in user_name. The user account specified in user_name must have Telnet logon rights on the host.
-t term | Specifies the terminal type. The default terminal type is ANSI. Other valid terminal types include VT52, VT100, and VTNT.
host | Specifies the host with which you want to create a Telnet connection. The host parameter can be a NetBIOS name, a fully qualified domain name, or an IP address.
port | Specifies the TCP port on which you want to create a Telnet connection. The default Telnet port is 23.
4. Telnet Security
When Telnet was introduced in 1969, PCs and the Internet were not in common use, so the security risks were limited. The growth of the Internet and of available bandwidth has since brought security threats with it, and the use of Telnet to access remote computers is therefore limited and subject to security constraints. Telnet offers weak security: data is not encrypted when it is sent over the network. Security tools exist to encrypt and decrypt the data in order to make it safe, and for this reason a user ID and password are recommended. However, if a user has access to network routers and gateways and the system is based on the Telnet protocol, he or she can capture the data packets, which may contain any information about anyone, and afterwards exploit that information. Telnet is commonly used to allow communication between two systems specifically allocated to communicate with each other, so no data is lost from it. If one wants to use Telnet on a LAN, however, one has to bear the risk of data loss. Hence, over time, the use of Telnet has largely been replaced by other network protocols such as Secure Shell and Transport Layer Security.
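To make concrete what "transmits only plaintext" means in the sections above, here is a small parser for one direction of a Telnet stream. It separates the IAC negotiation commands (including the terminal type chosen with the -t parameter) from the session characters, which is exactly what anyone positioned on a router or gateway sees. This is an added example with a constructed sample stream, not code from the original document or from Microsoft; the option names are the standard Telnet option codes.

```python
"""Added example: a minimal parser for one direction of a Telnet byte stream.

Telnet interleaves IAC (0xFF) negotiation commands with the raw characters of the
session. Separating the two shows what a passive observer on the network can see:
the options being negotiated, the terminal type, and every typed character in
the clear. Constructed sample stream; not Microsoft's or any project's code.
"""
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240
CMD_NAMES = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}
OPTIONS = {1: "ECHO", 3: "SUPPRESS-GO-AHEAD", 24: "TERMINAL-TYPE", 31: "NAWS"}
TERMINAL_TYPE_IS = 0   # subnegotiation subcommand code from RFC 1091


def parse_telnet(stream: bytes):
    """Split a Telnet stream into (negotiations, subnegotiations, cleartext data).

    negotiations: list of (command, option) such as ("WILL", "TERMINAL-TYPE")
    subnegotiations: list of (option, payload bytes) from IAC SB ... IAC SE
    data: the session characters with IAC escapes removed
    Escaped 0xFF bytes inside a subnegotiation payload are not unescaped here.
    """
    negotiations, subnegs, data = [], [], bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:               # ordinary session byte: travels in the clear
            data.append(stream[i])
            i += 1
            continue
        if i + 1 >= n:                     # truncated command at the end of the capture
            break
        cmd = stream[i + 1]
        if cmd == IAC:                     # IAC IAC is an escaped literal 0xFF data byte
            data.append(IAC)
            i += 2
        elif cmd in CMD_NAMES:             # three-byte option negotiation
            if i + 2 >= n:
                break
            opt = stream[i + 2]
            negotiations.append((CMD_NAMES[cmd], OPTIONS.get(opt, f"OPTION-{opt}")))
            i += 3
        elif cmd == SB:                    # subnegotiation runs until IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            if end < 0 or i + 2 >= n:
                break
            opt = stream[i + 2]
            subnegs.append((OPTIONS.get(opt, f"OPTION-{opt}"), bytes(stream[i + 3:end])))
            i = end + 2
        else:                              # other two-byte commands (NOP, AYT, ...)
            i += 2
    return negotiations, subnegs, bytes(data)


def terminal_type(subnegs):
    """Return the terminal type the client announced (for example VT100), or None."""
    for opt, payload in subnegs:
        if opt == "TERMINAL-TYPE" and payload[:1] == bytes([TERMINAL_TYPE_IS]):
            return payload[1:].decode("ascii", errors="replace")
    return None


# Constructed client-to-server stream: option negotiation, terminal type
# announcement, then a typed user name and command. A password typed at the
# logon prompt would travel across the network exactly the same way.
SAMPLE_CLIENT_STREAM = (
    bytes([IAC, WILL, 24]) + bytes([IAC, DO, 3])
    + bytes([IAC, SB, 24, TERMINAL_TYPE_IS]) + b"VT100" + bytes([IAC, SE])
    + b"jdoe\r\ndir C:\\\r\n"
)

if __name__ == "__main__":
    negs, subs, clear = parse_telnet(SAMPLE_CLIENT_STREAM)
    print("negotiated:", negs)
    print("terminal type:", terminal_type(subs))
    print("visible on the wire:", clear)
```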
IX. NETWORK SECURITY
1. Network Security Policy
A network security policy is a generic document that outlines rules for computer network access, determines how policies are enforced, and lays out some of the basic architecture of the company's security and network security environment. The document itself is usually several pages long and written by a committee. A security policy goes far beyond the simple idea of "keep the bad guys out". It is a very complex document, meant to govern data access, web-browsing habits, use of passwords and encryption, email attachments, and more. It specifies these rules for individuals or groups of individuals throughout the company.
A security policy should keep malicious users out and also exert control over potentially risky users within your organization. The first step in creating a policy is to understand what information and services are available (and to which users), what the potential is for damage, and whether any protection is already in place to prevent misuse.
2. Management and Organizational Issues
Management Issues
* Accounting: registering new users and deleting old ones.
* Comfort and convenience.
* Support services.
* Ethical issues.
* Trust management and security.
* Planning, implementation, fault diagnosis and performance.
* Network documentation; security and administration.
* Provision and management of common network and application services.
Organizational Issues
It has to deal with the:
* collection,
* combination, and
* allocation
of labor and tasks, knowledge and resources, as well as benefits and profits among network members.
3. Make Security Pervasive
10 STEPS Toward Pervasive Security Awareness
Clearly, there are varying levels of security awareness programs within enterprises across the globe. Based on her experience at Cisco, Winter offers this hard-earned wisdom on how to build security awareness in any enterprise:
* Get buy-in from upper management.
* Appoint the right person(s) to lead the charge.
* Conduct extensive research.
* Build relationships.
* Create security ambassadors.
* Identify the right communications vehicles.
* Use credible sources.
* Keep your messages short and simple.
* Use rewards and recognition.
X. DATA BACKUP AND DISASTER RECOVERY
1. Planning for Backup and Recovery
The backup and recovery plan establishes guidelines and procedures to prevent problems that might cause data loss or interruptions to your organization’s operations, and to allow recovery as quickly as possible if such events do occur.
Consider planning downtime or outages for the pilot in order to test rollback procedures, and, if applicable, disaster recovery and business continuity plans.
Creating a Backup Plan
The importance of a backup plan cannot be overstated. When you begin rolling out Windows Server 2003 in the business environment, problems might arise that even the most thorough testing could not reveal. By making regular and reliable backups, you ensure that the team can restore the system to its original state if your pilot rollout process changes or fails.
The backup plan should define procedures for:
* Backing up baseline configurations (the state of a computer before it is upgraded) so a computer can quickly be restored to its prior state.
* Backing up servers before they are upgraded.
* Backing up the most recent system and user data before you begin switching systems.
Creating a Recovery Plan
The recovery plan describes the recovery and rollback process, which allows you to return your production system to whatever earlier state you require. Depending on the severity of a problem encountered in the pilot, you might need to return your production system to a baseline configuration or just roll it back to the state it was in at a particular point in time.
Include the following elements in the recovery plan:
* A list of scenarios. Analyze all of the systems involved in the rollout and identify the situations, or scenarios, under which problems are likely to occur. Determine which systems might be affected and the functional dependencies among them so you have a clear understanding of the larger impact that a single failure might have. Use these scenarios to create strategies that identify when and how to run backups and the types of recovery for which you need to plan.
* A definition of acceptable downtime. Define how much downtime your organization can accommodate. If your organization cannot afford for systems to go down during normal business hours, you might plan to roll out the pilot, or parts of it, at night or over a weekend. If systems must be operational at all times, you might plan to deploy servers and desktops on new computers and then quickly replace the old ones, instead of upgrading computers.
* A list of critical systems and processes. In the event that a failure does occur, you need to know which systems are the most critical and must be brought back online first. If resources such as bandwidth are limited, you need to know which systems have the highest priority and which should not take up network traffic. When evaluating how critical a system or process is, consider factors such as its effect on human health and safety, the legal liability it exposes, the risk to corporate confidentiality, and the cost of replacement.
* A recovery strategy. Your recovery strategy should define how you will recover data or systems in each of the scenarios you define in the recovery plan. This might include restoring data from backup tapes, switching over to redundant systems, rolling back to previous configurations, or other strategies. Include an additional procedure for recovering from severe data corruption in your directory service if that becomes necessary. By having your recovery strategy in place, you can quickly restore your production environment to the required state so that work can continue with minimal interruption.
* A rollback strategy. The rollback strategy defines how you plan to use backup and recovery procedures to return your pilot or production environment to the state it was in before changes were made. Specify the criteria that a problem should meet to warrant rolling the environment back to its previous state. For example, you might establish a system for classifying the severity of problems and describe which type of response is warranted by certain levels of severity. Also decide whether you need to have different rollback strategies for different types of problems. For example, you might develop one procedure for backing out the entire pilot if the problem is pervasive and another procedure for backing out specific components if the problem is isolated.
* The roles and responsibilities for team members. Make sure that every task in the plan is assigned to an appropriate team member, and that that person has the information needed to successfully perform required tasks. Consider including training in the plan.
Have the backup and recovery plan reviewed by the project team and by those responsible for potentially affected systems. After the plan has been approved, test it to ensure that the processes you put in place work as expected.
2. Types of Backup
The Backup utility supports five methods of backing up data on your computer or network.
* Copy backup
A copy backup copies all the files you select, but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.
* Daily backup
A daily backup copies all the files that you select that have been modified on the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).
* Differential backup
A differential backup copies files that have been created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.
* Incremental backup
An incremental backup backs up only those files that have been created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups, you will need to have the last normal backup set as well as all incremental backup sets to restore your data.
* Normal backup
A normal backup copies all the files you select and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you only need the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.
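The five backup types differ only in which files they select and whether they clear the archive attribute, and those two rules decide which backup sets a restore needs. The following simulation, added here and not code from the original document or from the Windows Backup utility, runs a constructed three-file schedule through each type and then generalizes the restore rules in the text to a mixed schedule (last normal, every later incremental, plus the last differential if it was taken after the last incremental).

```python
"""Added example: how the five Backup utility methods interact with the archive attribute.

Windows sets a file's archive attribute whenever the file is created or modified.
Normal and incremental backups clear it; copy, daily and differential backups
leave it alone. This simulation (not Microsoft's code) shows which files each
backup type selects and which backup sets a full restore needs.
"""
from dataclasses import dataclass


@dataclass
class FileEntry:
    name: str
    modified_day: int = 0
    archive: bool = True   # a newly created file starts with the archive bit set


def touch(files, name, day):
    """Simulate a user modifying a file on a given day: Windows sets the archive bit."""
    for f in files:
        if f.name == name:
            f.modified_day = day
            f.archive = True


def run_backup(files, kind, today=None):
    """Return the names of files a backup of the given kind copies, and update the
    archive bits exactly as the text describes for that kind."""
    if kind in ("normal", "copy"):
        selected = list(files)                          # every selected file
    elif kind in ("incremental", "differential"):
        selected = [f for f in files if f.archive]      # changed since last normal/incremental
    elif kind == "daily":
        selected = [f for f in files if f.modified_day == today]
    else:
        raise ValueError(f"unknown backup type: {kind}")
    if kind in ("normal", "incremental"):               # only these two clear the archive bit
        for f in selected:
            f.archive = False
    return [f.name for f in selected]


def sets_needed_to_restore(schedule):
    """Indices of the backup sets needed for a full restore to the latest point.

    Rules from the text: the last normal plus every later incremental, plus the
    last differential if it was taken after the last incremental. Copy and daily
    backups never participate. Raises ValueError if no normal backup exists.
    """
    last_normal = max(i for i, k in enumerate(schedule) if k == "normal")
    later = range(last_normal + 1, len(schedule))
    needed = [last_normal] + [i for i in later if schedule[i] == "incremental"]
    diffs = [i for i in later if schedule[i] == "differential"]
    if diffs and diffs[-1] > needed[-1]:                # a later incremental supersedes a differential
        needed.append(diffs[-1])
    return needed


def scenario():
    """Constructed three-file scenario; returns what each backup in the schedule copied."""
    files = [FileEntry("a.txt"), FileEntry("b.txt"), FileEntry("c.txt")]
    log = {}
    log["normal_day0"] = run_backup(files, "normal")              # everything, bits cleared
    touch(files, "a.txt", day=1)
    log["differential_day1"] = run_backup(files, "differential")  # a.txt, bit kept
    log["copy_day1"] = run_backup(files, "copy")                  # everything, bits untouched
    touch(files, "b.txt", day=2)
    log["daily_day2"] = run_backup(files, "daily", today=2)       # b.txt only, bits untouched
    log["incremental_day2"] = run_backup(files, "incremental")    # a.txt and b.txt, bits cleared
    log["differential_day2"] = run_backup(files, "differential")  # nothing left to copy
    return log


if __name__ == "__main__":
    for name, copied in scenario().items():
        print(f"{name:20s} copied {copied}")
    plan = ["normal", "differential", "copy", "daily", "incremental", "differential"]
    print("backup sets needed to restore:", sets_needed_to_restore(plan))
```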
3. Types of Backup Media
The most common types of backup media available on the market today include:
* Tape drives
Tape drives are the most common backup media around due to their low cost. The average capacity of a tape drive is 4 to 10 GB. The drawbacks are that they are relatively slow when compared with other media, and can tend to be unreliable. Magnetic tape cartridges are used to store the data, which leaves it susceptible to loss of information over time or through breaking/stretching the tape.
* Disk drives
Disk drives are expensive but very fast compared to tape drives. The disk drive rotates at a very fast pace and has one or more heads that read and write data. If an organization is looking for a fast method of backup and recovery then disk drives are the way to go; the difference in speed between a tape drive and a disk drive is hours compared to minutes, respectively.
* Removable Disks
Using a removable disk such as a ZIP/JAZ drive is becoming increasingly popular for the backup of single systems. They are quite fast, not that expensive and easy to install and carry around. The downside is that the capacity is usually (at the time of writing this article) not more than 2GB in size.
* DAT (Digital Audio Tape) drives
DAT drives are similar to a standard tape drive but they have a larger capacity. They are fast becoming popular and are slowly replacing the tape drive. The tapes come in DLT (Digital Linear Tape), SDLT (Super Digital Linear Tape), LTO (Linear Tape Open) and AIT (Advanced Intelligent Tape) format, offering up to 260GB of compressed data.
* Optical Jukeboxes
Optical Jukeboxes use magnetic optical disks rather than tapes to offer a high capacity backup solution. They are extremely expensive but offer excellent amounts of secure storage space, ranging from 5 to 20 terabytes. A jukebox is a tower that automatically loads internally stored disks when needed for backup and recovery; you just add a certain amount of CDs or DVDs when you first set it up, so maintenance is relatively low.
* Autoloader tape systems
Autoloader tape systems use a magazine of tapes to create extended backup volumes. They have a built-in capability of automatically loading or unloading tapes so you won't have to sit and wait for the "please insert tape 2" prompt! If you use an autoloader you will need a third party application that knows how to handle it. Autoloaders use DAT tapes that come in DLT, LTO and AIT format. By implementing a tape library system with multiple drives you can improve the speed of a backup to hundreds of Gigabytes per hour.
There are a substantial amount of tools and media available for backing up data. When making your selection, there are five fundamental factors that you should base your decision on.
* Speed: How fast can you back up and restore data using this media?
* Reliability: Can you risk purchasing media that's known to have reduced reliability to save on costs?
* Capacity: Is the media big enough for your backup load?
* Extensibility: If the amount of data grows, will the media support this demand?
* Cost: Does the solution you want fit into your I.T. budget?
4. Backup Tips
1. Draw up a simple (easy to understand) plan of who will do what in the case of an emergency.
2. Be organized! Keep a record of what was backed up, when it was backed up and which backup media contains what data. You can also make a calendar of which type of backup is due on a certain date.
3. Utilize the Volume Shadow Copy service in Windows Server 2003. This feature allows you to create point-in-time copies of data so that they can be restored and reverted to at any given time. For instance, if I created a Word document yesterday and decide I want to revert to it today, I can do so using VSS.
4. Select the option to verify backup; the process will take a little longer but it's definitely worth the wait.
5. Create a reference point where you know everything is working properly. It will be quicker to restore the changes from tape.
6. Select the option to restrict restoring data to owner or administrator and also set the Domain Group Policy to restrict the Restore privilege to Administrators only. This will help to reduce the risk of someone being able to restore data should the media be stolen.
7. Create a step-by-step guideline (a flowchart for example) clearly outlining the sequence for the retrieval and restoration of data depending on the state of the system.
Source: http://www.windowsnetworking.com/articles-tutorials/windows-2003/Windows-2003-Data-Backup-Recovery-Part1-General-Overview.html
5. Disaster Recovery
To recover your Windows 2003 system after a disaster
1. Boot the primary server (HP ProLiant ML330 G3) using the HP SmartStart CD release 6.40.
2. Follow the HP guidelines to recreate the hardware RAID configuration.
3. Boot the primary server using the Windows 2003 Server distribution CD and follow the on-screen ASR instructions.
4. Press F6 to enable the addition of the SCSI or RAID drivers required, using the device driver floppy disks.
5. Press F2 to begin the Windows ASR process.
6. When prompted to insert the Windows ASR Disk, insert the CA ARCserve Backup machine-specific recovery disk created for the ML330 G3 server and press Enter.
7. The option loads a temporary Windows operating system, including the necessary SCSI and RAID drivers you enabled by pressing the F6 key in a previous step. The ASR process may prompt you to insert the disks to install the hardware drivers.
8. In this scenario, we insert the disks and load the drivers for the HP Smart Array 642 Controller and the Emulex LP9000 PCI Fibre Channel HBA.
9. After Windows has loaded the drivers, insert the machine-specific recovery disk again. The option reads the original system disk configuration from the machine-specific recovery disk.
10. The ASR process evaluates the available disk configuration. If ASR requires you to recreate disk partitions, a recovery process screen appears. Press C to recreate your disk partitions or press F3 to quit. If you are not recreating disk partitions, this screen does not appear.
11. The Windows ASR advanced disaster recovery bluescreen mode finishes and the computer reboots.
12. The Windows Install screen appears. The option performs installation tasks for the ASR process. When these tasks are complete, the Advanced Disaster Recovery Wizard appears. Follow the instructions in the Advanced Disaster Recovery Wizard.
13. The Advanced Disaster Recovery Wizard installs the CA ARCserve Backup files and services and connects to the CA ARCserve Backup backup server over the network.
14. When prompted, start the data restore operation.
15. At the end of the data restore process, boot back to your original system.
Source: https://support.ca.com/cadocs/0/CA%20ARCserve%20%20Backup%2015-ENU/Bookshelf_Files/HTML/DR/index.htm?toc.htm?423860.html
REFERENCES
1. http://www.techopedia.com/definition/18887/directory-services
2. https://support.ca.com/cadocs/0/CA%20ARCserve%20%20Backup%2015-ENU/Bookshelf_Files/HTML/DR/index.htm?toc.htm?423860.html
3. http://www.windowsnetworking.com/articles-tutorials/windows-2003/Windows-2003-Data-Backup-Recovery-Part1-General-Overview.html
4. http://www.comptechdoc.org/os/windows/win2k/win2kadobjects.html
5. http://technet.microsoft.com/en-us/library/cc739255(v=ws.10).aspx
6. http://www.techopedia.com/definition/18887/directory-services
7. http://technet.microsoft.com/en-us/library/cc739255(v=ws.10).aspx
8. http://www.tech-faq.com/the-global-catalog-server.html
9. http://technet.microsoft.com/en-us/network/bb629410.aspx
10. http://www.vtc.com/products/DNS/HowDoesDNSWork/30845
11. http://benefitof.net/benefits-of-dns/
12. http://technet.microsoft.com/en-us/library/cc958956.aspx
13. http://www.businessdictionary.com/definition/FTP-site.html