
PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

Copyright 2005 by Microsoft Corporation

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number 2004117425

Printed and bound in the United States of America.

1 2 3 4 5 6 7 8 9 QWT 9 8 7 6 5 4

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/learning/. Send comments to moac@microsoft.com.

Microsoft, Active Desktop, Active Directory, ActiveX, Authenticode, IntelliMirror, MSDN, MS-DOS, MSN, NetMeeting, Outlook, PowerPoint, Visual Basic, Win32, Windows, Windows Media, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

Acquisitions Editor: Lori Oviatt
Project Editor: Denise Bankaitis
Technical Editor: James Causey
Copy Editor: Ina Chang
Production: Elizabeth Hansford
Indexer: Julie Kawabata

SubAssy Part No. X11-03252
Body Part No. X11-03253

CONTENTS AT A GLANCE

CHAPTER 1: Introducing Windows XP Professional . . . 1
CHAPTER 2: Installing Windows XP Professional . . . 25
CHAPTER 3: Managing Disks and File Systems . . . 75
CHAPTER 4: Managing Devices and Peripherals . . . 119
CHAPTER 5: Configuring and Managing the User Experience . . . 147
CHAPTER 6: Configuring and Managing Printers and Fax Devices . . . 183
CHAPTER 7: Configuring and Managing NTFS Security . . . 219
CHAPTER 8: Configuring and Managing Shared Folder Security . . . 253
CHAPTER 9: Supporting Applications in Windows XP Professional . . . 295
CHAPTER 10: Connecting Windows XP Professional to a Network . . . 317
CHAPTER 11: Configuring TCP/IP Addressing and Security . . . 353
CHAPTER 12: Managing Internet Explorer Connections and Security . . . 381
CHAPTER 13: Managing Users and Groups . . . 419
CHAPTER 14: Configuring and Managing Computer Security . . . 461
CHAPTER 15: Backing Up and Restoring Systems and Data . . . 491
CHAPTER 16: Managing Performance . . . 521

Glossary . . . 551
Index . . . 565


CONTENTS

About This Book . . . xvi
  Target Audience . . . xvii
  Prerequisites . . . xvii
  The Textbook . . . xviii
  The Supplemental Course Materials CD-ROM . . . xix
    Readiness Review Suite Setup Instructions . . . xix
    eBook Setup Instructions . . . xx
  The Lab Manual . . . xx
  Notational Conventions . . . xxi
  Keyboard Conventions . . . xxii
  Coverage of Exam Objectives . . . xxii
  The Microsoft Certified Professional Program . . . xxvii
    Certifications . . . xxvii
    MCP Requirements . . . xxviii
  About the Authors . . . xxix
  For Microsoft Official Academic Course Support . . . xxix
  Evaluation Edition Software Support . . . xxx

CHAPTER 1: Introducing Windows XP Professional . . . 1
  Overview of Windows XP Professional . . . 2
    Windows XP Architecture . . . 2
    Intelligent User Interface . . . 3
    Hardware Support . . . 7
  Comprehensive Help and Support Options . . . 8
    Pick a Help Topic . . . 9
    Ask for Assistance . . . 9
    Pick a Task . . . 10
    Searching and Printing Options . . . 13
  Windows XP Security Technologies . . . 13
    Windows Firewall . . . 13
    Security Center . . . 14
    Attachment Manager . . . 14
    Encrypting File System . . . 15
    Security Management Policies . . . 15
  Windows XP Organizational Roles . . . 15
    Workgroup Networks . . . 16
    Domain Networks . . . 17
    Logging On and Off Windows XP Professional . . . 19
  Summary . . . 22
  Review Questions . . . 22


  Case Scenarios . . . 24
    Scenario 1.1: Securing Data . . . 24
    Scenario 1.2: Assisting Remote Users . . . 24
CHAPTER 2: Installing Windows XP Professional . . . 25
  Preinstallation Tasks . . . 26
    Verifying Hardware Compatibility . . . 26
    Hardware Requirements . . . 26
    Storage Requirements . . . 27
    File Systems . . . 28
    Domain or Workgroup Membership . . . 31
  Performing an Attended Installation . . . 33
    Windows XP Professional Setup Program . . . 33
    Running the Setup Program . . . 33
    Running the Setup Wizard . . . 34
    Completing the Installation . . . 37
  Installing over the Network . . . 38
    Preparing for a Network Installation . . . 38
    Modifying the Setup Process Using Winnt.exe . . . 41
    Modifying the Setup Process Using Winnt32.exe . . . 42
  Automating Installations Using Windows Setup Manager . . . 44
    Installing Setup Manager . . . 45
    Using Setup Manager . . . 46
  Upgrading to Windows XP Professional . . . 47
    Identifying Client Upgrade Paths . . . 48
    Generating a Hardware Compatibility Report . . . 48
    Upgrading Compatible Windows 98 Computers . . . 49
    Upgrading a Windows 2000 Professional Computer . . . 50
    Migrating User Settings . . . 51
  Understanding Remote Installation . . . 53
    Installing and Configuring RIS . . . 54
    Client Requirements for Remote Installation . . . 55
    Creating Boot Floppies . . . 56
    Installing Windows XP Using RIS . . . 57
  Using Disk Duplication to Deploy Windows XP Professional . . . 58
    Using the System Preparation Tool to Prepare the Master Image . . . 58
    Installing Windows XP Professional from a Master Disk Image . . . 60
  Applying System Updates . . . 60
    Windows Updates . . . 61
    Service Packs . . . 63
    Automatic Updates . . . 64
  Slipstreaming Service Packs and Updates . . . 65
    Slipstreaming Service Packs . . . 65
    Slipstreaming Windows Updates . . . 66


  Using Windows Product Activation . . . 66
    How Windows Product Activation Works . . . 66
    Activating Windows XP . . . 67
    Automating Windows Product Activation . . . 67
  Troubleshooting Windows XP Professional Setup . . . 68
    Resolving Common Problems . . . 68
    Setup Logs . . . 69
  Summary . . . 71
  Review Questions . . . 72
  Case Scenarios . . . 74
    Scenario 2-1: Dual-Booting . . . 74
    Scenario 2-2: Automatic Updates . . . 74
CHAPTER 3: Managing Disks and File Systems . . . 75
  Understanding Disk Management . . . 76
    Understanding Basic Storage . . . 76
    Understanding Dynamic Storage . . . 77
    Working with Simple Volumes . . . 79
    Working with Spanned Volumes . . . 79
    Working with Striped Volumes . . . 80
    Adding Disks . . . 80
    Changing the Storage Type . . . 82
    Using Refresh and Rescan Disks . . . 84
    Managing Disks on a Remote Computer . . . 84
  Managing Removable Storage . . . 85
    Using the Removable Storage Manager . . . 85
  Managing Compression . . . 88
    Using Compressed Folders . . . 88
    Using NTFS Compression . . . 89
  Increasing Security with the EFS . . . 93
    Understanding the EFS . . . 94
    Using the Cipher Command . . . 96
    Using a Recovery Agent . . . 97
    Managing Recovery Agents . . . 98
    Disabling the EFS . . . 101
    EFS Best Practices . . . 101
  Managing Disk Quotas . . . 102
    Understanding Disk Quota Management . . . 102
    Setting Disk Quotas . . . 103
    Determining the Status of Disk Quotas . . . 105
    Monitoring Disk Quotas . . . 105
    Best Uses for Disk Quotas . . . 105


  Using Disk Defragmenter, Chkdsk, and Disk Cleanup . . . 106
    Defragmenting Disks . . . 106
    Using Disk Defragmenter Effectively . . . 108
    Using Chkdsk . . . 109
    Using Disk Cleanup . . . 111
  Summary . . . 114
  Review Questions . . . 115
  Case Scenarios . . . 116
    Scenario 3-1: Storage Choices . . . 116
    Scenario 3-2: Disk Quotas . . . 117
CHAPTER 4: Managing Devices and Peripherals . . . 119
  Using Device Manager . . . 120
    Configuring and Troubleshooting Devices . . . 120
    Viewing Hidden and Phantom Devices . . . 122
  Managing and Troubleshooting I/O Devices . . . 123
    Scanners and Cameras . . . 123
    Mouse Devices . . . 124
    Modems . . . 125
    Game Controllers . . . 126
    IrDA and Wireless Devices . . . 127
    Keyboards . . . 128
  Understanding Automatic and Manual Hardware Installation . . . 128
    Confirming Hardware Installation . . . 130
    Troubleshooting Device Installation . . . 131
    Installing Hardware Manually . . . 132
  Viewing and Configuring Hardware Profiles . . . 134
    Understanding Hardware Profiles . . . 135
    Creating or Modifying a Hardware Profile . . . 135
    Activating a Hardware Profile . . . 136
    Viewing Hardware Profile Properties . . . 136
  Driver Signing and File Signature Verification . . . 136
    Configuring Driver Signing Requirements . . . 137
    Checking System File Signatures . . . 138
    Using the File Signature Verification Tool . . . 138
  Configuring Computers with Multiple Processors . . . 139
    Multiprocessor Scaling . . . 139
  Managing ACPI Support . . . 140
    Forcing Installation of a Specific HAL . . . 141
  Troubleshooting ACPI . . . 142
  Summary . . . 143
  Review Questions . . . 143
  Case Scenarios . . . 144
    Scenario 4-1: Managing a Hardware Upgrade . . . 144
    Scenario 4-2: Troubleshooting Problems with the HAL . . . 145


CHAPTER 5: Configuring and Managing the User Experience . . . 147
  Configuring and Managing Desktop Components . . . 148
    Configuring Display Settings . . . 148
    Using Multiple Displays . . . 157
    The Taskbar and Start Menu . . . 160
  Configuring Power Options . . . 165
    Selecting a Power Scheme . . . 165
    Configuring Advanced Power Options . . . 166
    Enabling Hibernate Mode . . . 167
    Configuring Advanced Power Management . . . 168
    Advanced Configuration and Power Interface (ACPI) . . . 168
    Configuring an Uninterruptible Power Supply . . . 168
  Configuring User Profiles . . . 170
    Local and Roaming User Profiles . . . 170
    User Profile Storage Locations . . . 171
  Configuring Multiple Languages and Locations . . . 172
  Configuring Accessibility Options . . . 174
    Configuring Keyboard Options . . . 174
    Configuring Sound Options . . . 176
    Configuring Display Options . . . 177
    Configuring Mouse Options . . . 177
    Configuring General Tab Options . . . 178
  Other Accessibility Tools . . . 178
    The Magnifier . . . 179
    The Narrator . . . 179
  Summary . . . 180
  Review Questions . . . 180
  Case Scenarios . . . 182
    Scenario 5-1: Time for Hibernation . . . 182
    Scenario 5-2: Power Problems . . . 182
CHAPTER 6: Configuring and Managing Printers and Fax Devices . . . 183
  Introduction to Windows XP Professional Printing . . . 184
    Terminology . . . 184
  Adding a Local Printer . . . 185
  Adding a Printer Connected to a Print Server . . . 188
    Types of Print Servers . . . 189
    Connecting to a Printer on a Windows Print Server . . . 190
    Using the Search Assistant to Find a Printer . . . 191
  Adding a Network Interface Printer . . . 192
    Standard TCP/IP Port . . . 192
    LPR Port . . . 193
  Connecting to an Internet Printer . . . 194
    How Internet Printing Works . . . 195


  Using Windows XP as a Print Server . . . 197
    Requirements for Network Print Services . . . 198
    Sharing Printers During Installation . . . 199
    Sharing an Existing Printer . . . 200
    Installing Additional Print Drivers . . . 201
    Creating Printer Pools . . . 201
    Managing Printer Permissions . . . 203
    Managing Printer Priority . . . 205
    Scheduling Printers . . . 206
  Managing Printers . . . 207
    Assigning Forms to Paper Trays . . . 207
    Setting a Separator Page . . . 208
    Administering Printers with a Web Browser . . . 209
  Managing Documents . . . 210
    Pausing, Restarting, and Canceling a Document . . . 210
  Troubleshooting Common Printing Problems . . . 211
    Examining the Problem . . . 211
    Common Troubleshooting Scenarios . . . 212
    Printing Troubleshooters . . . 213
    Additional Troubleshooting Options . . . 214
  Configuring and Managing Windows XP Fax Support . . . 214
    The Fax Console . . . 215
    Fax Printers . . . 215
  Summary . . . 216
  Review Questions . . . 217
  Case Scenarios . . . 218
    Scenario 6-1: Printing in a Small Office . . . 218
    Scenario 6-2: Printer Wars . . . 218
CHAPTER 7: Configuring and Managing NTFS Security . . . 219
  Understanding the NTFS File System . . . 220
  Understanding NTFS Permissions . . . 222
    Components of NTFS Permissions . . . 222
    NTFS Permissions . . . 224
    NTFS Permissions Inheritance . . . 228
  Managing NTFS Permissions . . . 230
    Best Practices for Assigning Permissions . . . 230
    Setting NTFS Permissions . . . 231
    Using Command-Line Tools to View and Modify Permissions . . . 236
    Assigning Multiple NTFS Permissions . . . 239
  Auditing NTFS Object Access . . . 241
    Enabling Auditing . . . 242
    Monitoring Security Event Logs . . . 244
  Troubleshooting NTFS Permissions . . . 244
    Problems with Effective Permissions . . . 244
    Problems with Denied Permissions . . . 245
    Problems with Permission Inheritance . . . 245


  Summary . . . 247
  Review Questions . . . 248
  Case Scenarios . . . 250


CHAPTER 8: Configuring and Managing Shared Folder Security . . . 253
  Understanding Shared Folders . . . 254
    Shared Folder Permissions . . . 254
    Guidelines for Shared Folder Permissions . . . 255
    How Shared Folder Permissions Are Applied . . . 256
  Planning Shared Folders . . . 257
    Requirements for Sharing Folders . . . 257
    Shared Application Folders . . . 258
    Shared Data Folders . . . 259
    Administrative Shared Folders . . . 260
  Sharing a Folder . . . 261
    Sharing Folders in Computer Management . . . 261
    Sharing Folders in Windows Explorer . . . 264
    Using the NET Command to Share Folders . . . 265
    Sharing a Folder on a Remote Computer . . . 268
  Managing Shared Folders . . . 268
    Assigning Shared Folder Permissions . . . 268
    Creating Multiple Share Names . . . 270
    Modifying Shared Folders . . . 270
  Connecting to Shared Folders . . . 271
  Combining Shared Folder Permissions and NTFS Permissions . . . 273
  Monitoring Access to Shared Folders . . . 275
    Reasons for Monitoring Network Resources . . . 275
    Requirements for Monitoring Network Resources . . . 275
    Monitoring Shared Folders . . . 276
  Using Offline Folders and Files . . . 278
    Understanding Offline Files . . . 279
    Configuring Your Computer to Use Offline Folders and Files . . . 280
  Managing Internet Information Services . . . 283
    Installing IIS . . . 284
    Using IIS . . . 284
    Sharing Web Folders . . . 285
    NTFS Permissions and Web Folders . . . 287
    Using Web Folders . . . 288
  Summary . . . 289
  Review Questions . . . 290
  Case Scenarios . . . 292
    Scenario 8-1: Shared Folder Tree . . . 292
    Scenario 8-2: Command-Line Nirvana . . . 292


CONTENTS

CHAPTER 9:

Supporting Applications in Windows XP Professional. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .295

Understanding Windows Installer Technologies ..... 296
    Windows Installer ..... 296
    Windows Installer Packages ..... 296
Deploying Software Using Group Policy ..... 302
    Overview of Group Policy ..... 302
    Software Installation Policies ..... 302
    Removing Software Installation Policy ..... 304
Understanding Application Compatibility ..... 305
    Windows Logo Program ..... 305
    Causes of Application Incompatibility ..... 306
    Application Compatibility Tools ..... 307
    Advanced Compatibility Tools ..... 309
    Troubleshooting Application Compatibility Issues ..... 310
Summary ..... 312
Review Questions ..... 312
Case Scenarios ..... 314
    Scenario 9-1: Windows Installer ..... 314
    Scenario 9-2: Irreconcilable Differences? ..... 315
CHAPTER 10:

Connecting Windows XP Professional to a Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .317

Configuring TCP/IP ..... 318
    The OSI Reference Model ..... 318
    The DARPA Reference Model ..... 320
    The TCP/IP Protocol Suite ..... 323
    Understanding IP Addresses ..... 323
    Managing Network Bindings ..... 330
    Troubleshooting TCP/IP ..... 331
Connecting to a Wireless Ethernet Network ..... 335
    Understanding Wireless Specifications ..... 335
    Connecting Windows XP to a Wireless Network ..... 336
Configuring Other Network Connections ..... 337
    Client Service for NetWare ..... 338
    Installing the NWLink Protocol ..... 338
    Installing Third-Party Clients and Protocols ..... 339
Connecting to Computers Using Dial-Up Networking ..... 340
    Connecting to the Internet Using Dial-Up Networking ..... 340
    Connecting to a Network at Your Workplace ..... 341
Configuring and Troubleshooting Internet Connection Sharing (ICS) ..... 342
Using Remote Desktop and Remote Assistance ..... 344
    Remote Desktop ..... 344
    Remote Assistance ..... 346


Summary ..... 348
Review Questions ..... 348
Case Scenarios ..... 351
    Scenario 10-1: Small Office Networking ..... 351
    Scenario 10-2: Help! ..... 351
CHAPTER 11:

Configuring TCP/IP Addressing and Security . . .353

Understanding IP Addresses ..... 354
    Binary Numbers ..... 354
    Decoding IP Addresses ..... 359
    Local vs. Remote Systems ..... 360
Using Subnet Masks ..... 361
    Subnetting and Supernetting ..... 362
Securing IP Communications ..... 365
    Internet Threats ..... 365
    Protective Technologies ..... 366
    Monitoring Internet Communications Security ..... 375
Summary ..... 378
Review Questions ..... 378
Case Scenarios ..... 380
    Case Scenario 11-1: A Growing Enterprise ..... 380
    Case Scenario 11-2: Security on a Shoestring ..... 380
CHAPTER 12:

Managing Internet Explorer Connections and Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .381

Managing Internet Explorer Connections ..... 382
    Using the New Connection Wizard ..... 382
    Managing Connection Settings ..... 383
Connecting to Resources Using Internet Explorer ..... 387
    Uniform Resource Locators ..... 387
    Connecting to Web Site Resources ..... 389
    Accessing FTP Resources ..... 389
    Accessing Web Folders ..... 390
    Connecting to Web Server-Based Applications ..... 391
Managing Internet Explorer Security Settings ..... 391
    Overview of Internet Explorer Security Features ..... 391
    Managing URL Actions for Web Content Zones ..... 393
    Web Content Zones ..... 399
    Advanced Internet Security Options ..... 402
Managing Internet Explorer Privacy Settings ..... 404
    Cookies ..... 404
    Pop-Up Blocker ..... 407
    Managing Internet Cache and History Data ..... 408
    AutoComplete and Internet Explorer Password Caching ..... 411
Using Add-On Manager to Control Add-On Programs ..... 412
Summary ..... 414
Review Questions ..... 414


Case Scenarios ..... 416
    Scenario 12-1: Getting Online ..... 416
    Scenario 12-2: Managing Internet Explorer Security and Privacy ..... 417
CHAPTER 13:

Managing Users and Groups . . . . . . . . . . . . . . . . .419

Overview of User Accounts ..... 420
    Users and Groups ..... 420
    User and Group Account Permissions ..... 420
    User Rights ..... 421
    User Profiles ..... 421
    Built-In User Accounts and Groups ..... 421
    Implicit Groups ..... 422
    Service Accounts ..... 423
    Domain User Accounts and Groups ..... 424
    Tools for Managing Users and Groups ..... 425
Planning User Accounts and Groups ..... 429
    Mapping Out a User and Group Strategy ..... 429
    User Account Naming Conventions ..... 430
    Setting Requirements for Complex Passwords ..... 431
    Changing the Way Users Log On or Log Off ..... 432
Creating and Managing User Accounts with Local Users and Groups ..... 434
    Creating User Accounts ..... 434
    Managing User Account Properties ..... 434
    Managing User Permissions ..... 436
    Managing User Rights Assignment ..... 437
Creating and Managing Groups ..... 438
    Creating and Managing Groups Using Local Users and Groups ..... 438
    Managing Groups Using Command-Line Tools ..... 441
Creating and Managing User Accounts with the User Accounts Tool ..... 442
    User Account Types ..... 442
    Creating a New User Account ..... 443
    Changing an Account ..... 444
Best Practices for User Account Management ..... 446
Managing User Account-Related System Policies ..... 447
    Managing User Rights with Group Policy ..... 447
    Managing User Account Settings with Group Policy ..... 451
Using Cached Credentials in Windows XP ..... 454
    Understanding Cached Credentials ..... 454
    Managing Cached Credentials ..... 454
    Troubleshooting Cached Credentials ..... 455
Summary ..... 456
Review Questions ..... 456


Case Scenarios ..... 458
    Scenario 13-1: Designing Accounts for a Field Office ..... 458
    Scenario 13-2: Protecting Files on a Military System ..... 459
CHAPTER 14:

Configuring and Managing Computer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461

Understanding Security Policy ..... 462
    Local Security Policy ..... 462
    Domain Security Policy ..... 466
Managing Security Policy ..... 467
    Predefined Security Templates ..... 467
    Creating a Custom Security Policy Management Console ..... 468
    Viewing, Modifying, and Creating a Security Template ..... 470
    Analyzing and Configuring Security Settings ..... 472
    Exporting Security Templates ..... 474
    Managing Security Policy with Secedit.exe ..... 475
Managing Security Audit Policy ..... 476
    Actions That Can Be Audited ..... 476
    Planning an Audit Policy ..... 478
    Implementing and Managing an Audit Policy ..... 479
    Monitoring Audit Logs ..... 483
Summary ..... 486
Review Questions ..... 486
Case Scenarios ..... 487
    Scenario 14-1: Designing a Security Policy ..... 487
    Scenario 14-2: Security Auditing ..... 488
CHAPTER 15:

Backing Up and Restoring Systems and Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .491

Understanding the Windows Backup Utility ..... 492
    Features of the Backup Utility ..... 492
Planning a Backup and Recovery Strategy ..... 494
    Choosing a Backup Type ..... 494
    Determining What to Back Up ..... 496
    Selecting Backup Media ..... 496
    Choosing a Backup Schedule ..... 497
    Planning for Disaster Recovery ..... 498
Backing Up the System ..... 499
    Creating a New Backup Job ..... 499
    Modifying a Backup Job ..... 501
    Executing a Backup Job ..... 501
    Performing an ASR Backup ..... 501
Restoring a System ..... 504
    Determining Which Backups to Restore ..... 504
    Creating a Restore Job ..... 504
    Using ASR to Recover a System ..... 505


Using System Restore to Recover Data and Settings ..... 507
    Configuring System Restore ..... 508
    Creating a Restore Point Manually ..... 508
    Restoring Settings and Data from a Restore Point ..... 510
Using Startup and Recovery Tools to Recover a System ..... 511
    Using the Recovery Console ..... 511
    Using the Last Known Good Configuration ..... 513
    Starting a System in Safe Mode ..... 514
Summary ..... 516
Review Questions ..... 516
Case Scenarios ..... 518
    Scenario 15-1: Backup Planning ..... 518
    Scenario 15-2: Power Problems ..... 519
CHAPTER 16:

Managing Performance . . . . . . . . . . . . . . . . . . . . .521

Designing a System for Performance ..... 522
    Factors Leading to Poor Performance ..... 522
    Determining Resource Requirements ..... 523
Monitoring Performance ..... 523
    The Performance Console ..... 525
    Viewing Performance Charts with System Monitor ..... 526
    Using Histograms and Reports ..... 530
    Using Performance Logs to Spot Trends ..... 532
    Using Performance Alerts ..... 534
    Monitoring Performance with Task Manager ..... 536
Improving Performance ..... 539
    Memory Performance ..... 540
    Disk Performance ..... 540
    Adding CPUs ..... 545
    Mobile System Performance ..... 546
Summary ..... 547
Review Questions ..... 547
Case Scenarios ..... 548
    Scenario 16-1: A Slow Application ..... 548
    Scenario 16-2: Spotting the Cause of Performance Issues ..... 549
Glossary ..... 551
Index ..... 565

ABOUT THIS BOOK


Welcome to Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270), Second Edition, a part of the Microsoft Official Academic Course (MOAC) series. Through lectures, discussions, demonstrations, textbook exercises, and classroom labs, this course teaches the skills and knowledge necessary to plan, install, configure, and support Windows XP in standalone, small network, and corporate network environments. In 16 chapters, students will learn how to install Windows XP Professional, connect to and share network resources, configure Internet services and applications, manage security settings and auditing, and evaluate system performance.

TARGET AUDIENCE
This textbook was developed for beginning information technology students who want to learn to configure and manage Windows XP in a variety of environments so that they can provide corporate support and implementation of Windows XP on a direct-hire or consulting basis. Students who continue to study Microsoft server operating systems can go on to earn the Microsoft Certified Systems Administrator (MCSA) or Microsoft Certified Systems Engineer (MCSE) credential.

PREREQUISITES
The prerequisites for taking this course are:

Familiarity with the use of Windows XP, including navigation and operation of major features.
A fundamental knowledge of computer hardware, network construction, and operating systems.
Prerequisite knowledge and course work as defined by the learning institution and the instructor.
Completion of the Supporting Users and Troubleshooting Microsoft Windows XP (Microsoft Learning) course or equivalent experience is recommended.


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

THE TEXTBOOK
The textbook content has been crafted to provide a meaningful learning experience to students in an academic classroom setting. Key features of the Microsoft Official Academic Course textbooks include the following:

Learning objectives for each chapter that prepare the student for the topic areas covered in that chapter.
Chapter introductions that explain why the information is important.
An inviting design with screen shots, diagrams, tables, bulleted lists, and other graphical formats that makes the book easy to comprehend and supports a number of different learning styles.
Clear explanations of concepts and principles, and frequent exposition of step-by-step procedures.
A variety of reader aids that highlight a wealth of additional information, including:
    Note: Real-world application tips and alternative procedures, and explanations of complex procedures and concepts
    Caution: Warnings about mistakes that can result in loss of data or that are difficult to resolve
    Important: Explanations of essential setup steps before a procedure and other instructions
    More Info: Cross-references and additional resources for students
End-of-chapter review questions that assess knowledge and can serve as homework, quizzes, and review activities before or after lectures. (Answers to the textbook questions are available from your instructor.)
Chapter summaries that distill the main ideas in a chapter and reinforce learning.
Case scenarios, approximately two per chapter, that provide students with an opportunity to evaluate, analyze, synthesize, and apply information learned during the chapter.
Comprehensive glossary that defines key terms introduced in the book.


THE SUPPLEMENTAL COURSE MATERIALS CD-ROM


This book comes with a Supplemental Course Materials CD-ROM, which contains a variety of informational aids to complement the book content:

An electronic version of this textbook (eBook). For information about using the eBook, see the section titled "eBook Setup Instructions" later in this introduction.
The Microsoft Learning Readiness Review Suite built by MeasureUp. This suite of practice tests and objective reviews contains questions of varying complexity and offers multiple testing modes. You can assess your understanding of the concepts presented in this book and use the results to develop a learning plan that meets your needs.
An eBook of the Microsoft Encyclopedia of Networking, Second Edition.
Microsoft PowerPoint slides based on textbook chapters, for note-taking.
Microsoft Word Viewer and Microsoft PowerPoint Viewer.

A second CD contains a 120-day evaluation edition of Windows XP Professional with Service Pack 2.
NOTE

The 120-day evaluation edition of Windows XP Professional provided with this book is not the full retail product; it is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support evaluation editions.

Readiness Review Suite Setup Instructions


The Readiness Review Suite includes a practice test of 300 sample exam questions and an objective review with an additional 125 questions. Use these tools to reinforce your learning and to identify areas in which you need to gain more experience before taking your final exam for the course, or the certification exam if you choose to do so.

Installing the Practice Test

1. Insert the Supplemental Course Materials CD into your CD-ROM drive.
NOTE

If AutoRun is disabled on your machine, refer to the Readme.txt file on the Supplemental Course Materials CD.

2. On the user interface menu, select Readiness Review Suite and follow the prompts.


eBook Setup Instructions


The eBook is in Portable Document Format (PDF) and must be viewed using Adobe Acrobat Reader.

Using the eBooks

1. Insert the Supplemental Course Materials CD into your CD-ROM drive.
NOTE

If AutoRun is disabled on your machine, refer to the Readme.txt file on the CD.

2. On the user interface menu, select Textbook eBook and follow the prompts. You also can review any of the other eBooks provided for your use.
NOTE

You must have the Supplemental Course Materials CD in your CD-ROM drive to run the eBook.

THE LAB MANUAL


The Lab Manual is designed for use in either a combined lecture and lab situation, or in a separate lecture and lab arrangement. The exercises in the Lab Manual correspond to textbook chapters and are for use in a classroom setting supervised by an instructor. The Lab Manual presents a rich, hands-on learning experience that encourages practical solutions and strengthens critical problem-solving skills:

Lab Exercises teach procedures by using a step-by-step format. Questions interspersed throughout Lab Exercises encourage reflection and critical thinking about the lab activity.
Lab Review Questions appear at the end of each lab and ask questions about the lab. They are designed to promote critical reflection.
Lab Challenges are review activities that either cover material in the text or ask students to perform a variation on a task they performed in the Lab Exercises, but without detailed instructions.
Troubleshooting Labs appear after a number of regular labs; they consist of medium-length review projects and are based on true-to-life scenarios. These labs challenge students to think like an expert to solve complex problems.


Labs are based on realistic business settings and include an opening scenario and a list of learning objectives.

Students who successfully complete the Lab Exercises, Lab Review Questions, Lab Challenges, and Troubleshooting Labs in the Lab Manual will have a richer learning experience and deeper understanding of the concepts and methods covered in the course. They will be better able to answer and understand the test bank questions, especially the knowledge application and knowledge synthesis questions. They will also be much better prepared to pass the associated certification exams if they choose to take them.

NOTATIONAL CONVENTIONS
The following conventions are used throughout this textbook and the Lab Manual:

Characters or commands that you type appear in bold type.
Terms that appear in the glossary also appear in bold type.
Italic in syntax statements indicates placeholders for variable information. Italic is also used for book titles and terms defined in the text.
Names of files and folders appear in Title caps, except when you are to type them directly. Unless otherwise indicated, you can use all lowercase letters when you type a filename in a dialog box or at a command prompt.
Filename extensions appear in all lowercase.
Acronyms appear in all uppercase.
Monospace type represents code samples, examples of screen text, or entries that you might type at a command prompt or in initialization files.
Square brackets [ ] are used in syntax statements to enclose optional items. For example, [filename] in command syntax indicates that you can type a filename with the command. Type only the information within the brackets, not the brackets themselves.
Braces { } are used in syntax statements to enclose required items. Type only the information within the braces, not the braces themselves.


KEYBOARD CONVENTIONS

A plus sign (+) between two key names means that you must press those keys at the same time. For example, "Press Alt+Tab" means that you hold down Alt while you press Tab.
A comma (,) between two or more key names means that you must press the keys consecutively, not at the same time. For example, "Press Alt, F, X" means that you press and release each key in sequence. "Press Alt+W, L" means that you first press Alt and W at the same time, and then you release them and press L.

COVERAGE OF EXAM OBJECTIVES


This book is intended to support a course that is structured around concepts and practical knowledge fundamental to this topic area, as well as the tasks that are covered in the objectives for the MCSE 70-270 exam. The following table correlates the exam objectives with the textbook chapters and Lab Manual lab exercises. You might also find this table useful if you decide to take the certification exam. The Microsoft Learning Web site describes the various MCP certification exams and their corresponding courses. It provides up-to-date certification information and explains the certification process and the course options. See http://www.microsoft.com/learning/ for up-to-date information about MCP exam credentials for other certification programs offered by Microsoft.
NOTE Textbook and Lab Manual Coverage of Exam Objectives for MCSE Exam 70-270 Objective Installing Windows XP Professional Textbook Chapter Lab Manual Content

Perform and troubleshoot an attended installation of Windows XP Professional. Perform and troubleshoot an unattended installation of Windows XP Professional. Install Windows XP Professional by using Remote Installation Services (RIS).

Chapter 2 Chapter 2 Chapter 2

Labs 1 and 2 Lab 2 Not covered

Install Windows XP Professional by using the System Preparation Tool. Create unattended answer files by using Setup Manager to automate the installation of Windows XP Professional.

Chapter 2 Chapter 2

Not Covered Lab 2

ABOUT THIS BOOK

xxiii

Textbook and Lab Manual Coverage of Exam Objectives for MCSE Exam 70-270 Objective Installing Windows XP Professional Textbook Chapter Lab Manual Content

Installing Windows XP Professional (continued)
Upgrade from a previous version of Windows to Windows XP Professional. (Chapter 2; Labs 1 and 2)
Prepare a computer to meet upgrade requirements. (Chapter 2; Labs 1 and 2)
Migrate existing user environments to a new installation. (Chapter 2; Not Covered)
Perform post-installation updates and product activation. (Chapter 2; Lab 2)
Troubleshoot failed installations. (Chapter 2; Lab 2)

Implementing and Conducting Administration of Resources
Monitor, manage, and troubleshoot access to files and folders. (Chapter 7; Lab 7)
Configure, manage, and troubleshoot file compression. (Chapter 3; Lab 7)
Control access to files and folders by using permissions. (Chapter 7; Lab 7)
Optimize access to files and folders. (Chapter 7; Lab 3)
Manage and troubleshoot access to shared folders. (Chapter 8; Lab 8)
Create and remove shared folders. (Chapter 8; Lab 8)
Control access to shared folders by using permissions. (Chapter 8; Lab 8)
Manage and troubleshoot Web server resources. (Chapter 8; Lab 8)
Connect to local and network print devices. (Chapter 6; Lab 6)
Manage printers and print jobs. (Chapter 6; Lab 6)
Control access to printers by using permissions. (Chapter 6; Lab 6)
Connect to an Internet printer. (Chapter 6; Lab 6)
Connect to a local print device. (Chapter 6; Lab 6)
Configure and manage file systems. (Chapter 3; Lab 3)
Convert from one file system to another file system. (Chapter 3; Lab 3)
Configure NTFS, FAT32, or FAT file systems. (Chapter 3; Lab 3)
Manage and troubleshoot access to and synchronization of offline files. (Chapter 8; Lab 8)


INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Implementing, Managing, Monitoring, and Troubleshooting Hardware Devices and Drivers
Implement, manage, and troubleshoot disk devices. (Chapter 3; Lab 3)
Install, configure, and manage DVD and CD-ROM devices. (Chapter 3; Lab 4)
Monitor and configure disks. (Chapter 3; Lab 3)
Monitor, configure, and troubleshoot volumes. (Chapter 3; Lab 3)
Monitor and configure removable media, such as tape devices. (Chapter 3; Not Covered)
Implement, manage, and troubleshoot display devices. (Chapter 5; Lab 5)
Configure multiple-display support. (Chapter 5; Not Covered)
Install, configure, and troubleshoot a video adapter. (Chapter 5; Labs 4 and 5)
Configure Advanced Configuration Power Interface (ACPI). (Chapter 4; Not Covered)
Implement, manage, and troubleshoot input and output (I/O) devices. (Chapter 4; Lab 4)
Monitor, configure, and troubleshoot I/O devices, such as printers, scanners, multimedia devices, mice, keyboards, and smart card readers. (Chapter 4; Lab 4)
Monitor, configure, and troubleshoot multimedia hardware, such as cameras. (Chapter 4; Lab 4)
Install, configure, and manage modems. (Chapter 4; Lab 4)
Install, configure, and manage Infrared Data Association (IrDA) devices. (Chapter 4; Not Covered)
Install, configure, and manage wireless devices. (Chapter 4; Not Covered)
Install, configure, and manage USB devices. (Chapter 4; Lab 4)
Install, configure, and manage handheld devices. (Chapter 4; Not Covered)
Install, configure, and manage network adapters. (Chapters 4, 10, and 11; Labs 4, 10, and 11)


Implementing, Managing, Monitoring, and Troubleshooting Hardware Devices and Drivers (continued)
Manage and troubleshoot drivers and driver signing. (Chapter 4; Lab 4)
Monitor and configure multiprocessor computers. (Chapter 4; Not Covered)

Monitoring and Optimizing System Performance and Reliability
Monitor, optimize, and troubleshoot performance of the Windows XP Professional desktop. (Chapter 16; Lab 16)
Optimize and troubleshoot memory performance. (Chapter 16; Lab 16)
Optimize and troubleshoot processor utilization. (Chapter 16; Lab 16)
Optimize and troubleshoot disk performance. (Chapter 16; Lab 16)
Optimize and troubleshoot application performance. (Chapter 16; Lab 16)
Configure, manage, and troubleshoot scheduled tasks. (Chapter 16; Lab 15)
Manage, monitor, and optimize system performance for mobile users. (Chapter 16; Lab 16)
Restore and back up the operating system, System State data, and user data. (Chapter 15; Lab 15)
Recover System State data and user data by using Windows Backup. (Chapter 15; Lab 15)
Troubleshoot system restoration by starting in Safe Mode. (Chapter 15; Lab 15)
Recover System State data and user data by using the Recovery Console. (Chapter 15; Lab 15)

Configuring and Troubleshooting the Desktop Environment
Configure and manage user profiles and desktop settings. (Chapters 5 and 13; Labs 5 and 13)
Configure support for multiple languages or multiple locations. (Chapter 5; Lab 5)
Enable multiple-language support. (Chapter 5; Lab 5)
Configure multiple-language support for users. (Chapter 5; Lab 5)
Configure local settings. (Chapter 5; Lab 5)
Configure Windows XP Professional for multiple locations. (Chapter 5; Lab 5)


Configuring and Troubleshooting the Desktop Environment (continued)
Manage applications by using Windows Installer packages. (Chapter 9; Lab 9)

Implementing, Managing, and Troubleshooting Network Protocols and Services
Configure and troubleshoot the TCP/IP protocol. (Chapters 10 and 11; Labs 10 and 11)
Connect to computers by using dial-up networking. (Chapter 10; Lab 10)
Connect to computers by using a virtual private network (VPN) connection. (Chapter 10; Lab 10)
Create a dial-up connection to connect to a remote access server. (Chapter 10; Lab 10)
Connect to the Internet by using dial-up networking. (Chapter 10; Lab 10)
Configure and troubleshoot Internet Connection Sharing (ICS). (Chapter 10; Lab 10)
Connect to resources by using Internet Explorer. (Chapter 12; Lab 12)
Configure, manage, and implement Internet Information Services (IIS). (Chapter 12; Labs 6, 8, and 12)
Configure, manage, and troubleshoot Remote Desktop and Remote Assistance. (Chapter 10; Lab 10)
Configure, manage, and troubleshoot an Internet Connection Firewall (ICF). (Chapter 11; Lab 11)

Configuring, Managing, and Troubleshooting Security
Configure, manage, and troubleshoot the Encrypting File System (EFS). (Chapter 3; Lab 3)
Configure, manage, and troubleshoot a security configuration and local security policy. (Chapter 14; Lab 14)


Configuring, Managing, and Troubleshooting Security (continued)
Configure, manage, and troubleshoot local user and group accounts. (Chapter 13; Lab 13)
Configure, manage, and troubleshoot auditing. (Chapter 13; Lab 13)
Configure, manage, and troubleshoot account settings. (Chapter 13; Lab 13)
Configure, manage, and troubleshoot account policy. (Chapter 13; Lab 13)
Configure, manage, and troubleshoot user and group rights. (Chapter 13; Lab 13)
Troubleshoot cached credentials. (Chapter 13; Not Covered)
Configure, manage, and troubleshoot Internet Explorer security settings. (Chapter 12; Lab 12)

THE MICROSOFT CERTIFIED PROFESSIONAL PROGRAM


The MCP program is one way to prove your proficiency with current Microsoft products and technologies. These exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions using Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.
MORE INFO For a full list of MCP benefits, go to http://www.microsoft.com/learning/itpro/default.asp.

Certifications
The MCP program offers multiple certifications, based on specific areas of technical expertise:

Microsoft Certified Professional (MCP): In-depth knowledge of at least one Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.


Microsoft Certified Systems Engineer (MCSE): Qualified to effectively analyze the business requirements for business solutions and design and implement the infrastructure based on the Windows and Windows Server 2003 operating systems.

Microsoft Certified Systems Administrator (MCSA): Qualified to manage and troubleshoot existing network and system environments based on the Windows and Windows Server 2003 operating systems.

Microsoft Certified Database Administrator (MCDBA): Qualified to design, implement, and administer Microsoft SQL Server databases.

Microsoft Certified Desktop Support Technician (MCDST): Qualified to support end users and to troubleshoot desktop environments on the Microsoft Windows operating system.

MCP Requirements
Requirements differ for each certification and are specific to the products and job functions addressed by the certification. To become an MCP, you must pass rigorous certification exams that provide a valid and reliable measure of technical proficiency and expertise. These exams are designed to test your expertise and ability to perform a role or task with a product, and they are developed with the input of industry professionals. Exam questions reflect how Microsoft products are used in actual organizations, giving them real-world relevance.

Microsoft Certified Professional (MCP) candidates are required to pass one current Microsoft certification exam. Candidates can pass additional Microsoft certification exams to validate their skills with other Microsoft products, development tools, or desktop applications.

Microsoft Certified Systems Engineer (MCSE) candidates are required to pass five core exams and two elective exams.

Microsoft Certified Systems Administrator (MCSA) candidates are required to pass three core exams and one elective exam.

Microsoft Certified Database Administrator (MCDBA) candidates are required to pass three core exams and one elective exam.

Microsoft Certified Desktop Support Technician (MCDST) candidates are required to pass two core exams.


ABOUT THE AUTHORS


The textbook, Lab Manual, pretest, testbank, and PowerPoint slides were developed exclusively for an instructor-led classroom environment by two authors, Dave Field and Owen Fowler.

Dave Field is an author, trainer, and presenter. An MCSE on Windows NT 4, Windows 2000, and Windows 2003, Dave is an expert on networking technologies and support desk topics. He has written consumer computer books such as How To Do Everything with Windows XP Home Networking (Osborne/McGraw-Hill) and has designed courses for Microsoft and Osborne/McGraw-Hill for the Microsoft MCSE, MCSA, and MCDST certifications. Dave is also the systems engineer at Camp Snoopy, a theme park in the Mall of America in Bloomington, Minnesota. In this role, he has directed the installation of entire network infrastructures using technologies such as Active Directory, Microsoft Exchange, and Microsoft SQL Server. He has been the principal architect of point-of-sale implementations, ERP rollouts, and e-commerce initiatives.

Owen Fowler has worked as a Tier II Support Agent for one of the largest electronic tax filing centers in the United States. He has also run his own computer consulting business, covering networking and operating system issues, in Colorado and Washington. In 2003, he assisted Verizon Wireless in consolidating its nationwide network into a single domain. Owen has been an author, technical editor, and development editor on many titles for Microsoft Learning.

FOR MICROSOFT OFFICIAL ACADEMIC COURSE SUPPORT


Every effort has been made to ensure the accuracy of the material in this book and the contents of the CD-ROM. Microsoft Learning provides corrections for books through the World Wide Web at the following address:
http://www.microsoft.com/learning/support/
If you have comments, questions, or ideas regarding this book or the companion CD-ROM, please send them to Microsoft Learning using either of the following methods:


Postal Mail:
Microsoft Learning
Attn: Installing, Configuring, and Administering Microsoft Windows XP Professional (70-270), Second Edition, Editor
One Microsoft Way
Redmond, WA 98052-6399

E-mail: moac@microsoft.com

Please note that product support is not offered through the above addresses.

EVALUATION EDITION SOFTWARE SUPPORT


A 120-day software evaluation edition of Windows XP Professional with Service Pack 2 is provided with this textbook. This is not the full retail product and is provided only for training and evaluation purposes. Microsoft and Microsoft Technical Support do not support this evaluation edition. It differs from the retail version only in that Microsoft and Microsoft Technical Support do not support it, and it expires after 120 days. For information about issues relating to the use of evaluation editions, go to the Support section of the Microsoft Learning Web site (http://www.microsoft.com/learning/support/). For online support information relating to the full version of Windows XP Professional that might also apply to the evaluation edition, go to http://support.microsoft.com. For information about ordering the full version of any Microsoft software, call Microsoft Sales at (800) 426-9400 or visit http://www.microsoft.com.

CHAPTER 1

INTRODUCING WINDOWS XP PROFESSIONAL


Upon completion of this chapter, you will be able to:
- Describe the support features of Windows XP Professional
- Identify security technologies in Windows XP Professional
- Identify the role of Windows XP Professional in the enterprise
- Log on to a Windows XP Professional computer

In this course, we introduce you to the installation, configuration, and management of Windows XP Professional. Students in this course are expected to come from all backgrounds and have varying levels of experience with Windows XP Professional. That said, you will get the most from this course if you have a good understanding of the Windows graphical environment. Those who have completed Supporting Users and Troubleshooting Microsoft Windows XP (Microsoft Official Academic Curriculum Course 70-271) will have a firm basis for understanding this material. We have a lot of information to cover, but plenty of excellent resources are available to help you understand this technology. Many will be provided with this textbook, and many more are available from your instructor or at Microsoft's Windows XP Web site at www.microsoft.com/windowsxp.


OVERVIEW OF WINDOWS XP PROFESSIONAL


Windows XP Professional is the Microsoft business-class desktop operating system. It is intended for those who require high performance, security, and reliable computer resources. It differs from the consumer-level Windows XP Home Edition in its support for enterprise computing architectures, multiple processors, advanced security, and manageability. It is found in business, desktop publishing, banking and finance, and manufacturing environments, as well as other areas that require reliable and secure computer performance. In this section, we will examine the features of Windows XP Professional and describe many of the elements of this operating system.

Windows XP Architecture
The Windows XP line of operating systems is based on the Windows NT kernel architecture. This architecture was designed to allow the central processes, those requiring the most privilege, to operate in a privileged environment, often referred to as the kernel (shown in Figure 1-1). This environment is insulated from direct manipulation by users or hardware resources. The kernel is also separated from the actual system hardware by the hardware abstraction layer (HAL). The HAL is a layer of code designed to interface the specific hardware with the more generic operating system. At one time, HALs existed for PowerPC and DEC Alpha processors, but today HALs mainly exist to support differing power management versions or multiple processors. User-mode applications run with less privilege, protecting the kernel from instabilities caused by failing or faulty applications. This separation of the critical processes allows the operating system to continue operating even when applications or noncritical hardware devices fail. Critical devices, such as disk drives or motherboard components, can still bring a system down, but the failure of a noncritical device, such as a USB peripheral, most likely will not. In addition, each application can be run in a protected memory space. This prevents a failing application from affecting other applications and the operating system itself.


[Figure 1-1 diagram labels. User Mode: 32-bit Application, 32-bit Application, 16-bit Application, 16-bit Application (inside NTVDM), Logon Process, Win32 Subsystem, Security Subsystem. Kernel Mode: Executive (I/O Manager, IPC Manager, File Systems, Object Manager, Memory Manager, Process Manager, Plug and Play, Security Reference Monitor, Windows Manager, Power Manager, Graphics Device Drivers), Device Drivers, Microkernel, Hardware Abstraction Layer (HAL), Hardware.]

Figure 1-1 The Windows XP architecture

Intelligent User Interface


Windows XP represents Microsoft's most advanced user interface. Building on the desktop metaphor of earlier Windows operating systems, Windows XP brings together the latest research in intuitive user interface design with new, attractive visual styles.

The Start menu
The Windows XP Start button (first seen in Windows 95) has been linked to an all-new Start menu that displays a great variety of options within a single space (as shown in Figure 1-2). Users can access frequently used applications, recent documents, favorite applications, system settings, help, and much more within the same menu.


Figure 1-2 Windows XP Professional Start menu



The left column in the figure is divided into the pinned items list above and the frequently used programs list below. Initially these lists have a few default programs listed, but as users work with the computer, the frequently used programs list begins to learn which programs are used most frequently and ranks them for quick access. Users also have the option of pinning any program or document to the pinned items list. The right column of the Start menu contains a list of special purpose folders, the Help and Support area, and configuration tools. This list can be customized to hide or expose folders such as My Documents, My Music, and My Recent Documents. The system configuration items can also be customized to show or hide configuration tools, depending on the role of the user who is logged on to the system. Designated administrators can configure and lock down all Start menu settings by using the Group Policy management tools built into Windows XP and Windows Server products.

The taskbar
The Windows XP taskbar has the ability to group similar applications to reduce clutter. You can then manage these groups together to maximize, minimize, or even close all applications in the group at once. Figure 1-3 shows a user closing a group of Microsoft Office Word 2003 documents.


Figure 1-3 Closing a group of Microsoft Office Word 2003 documents



The taskbar can also hold toolbars such as Quick Launch or Media Player to provide quick access to these useful tools. You can copy icons to the Quick Launch bar so you can quickly launch applications or documents without having to open the Start menu. The Media Player toolbar activates a small Media Player control panel when Windows Media Player is minimized. Figure 1-4 shows the Quick Launch toolbar and the Media Player toolbar in use.

Figure 1-4 Quick Launch and Media Player toolbars

The right side of the taskbar is known as the notification area. This area, called the system tray in earlier versions of Windows, contains icons that represent operating system alerts, applications, or services that are running in the background on the system. Examples of these include an alert when operating system updates are available from Microsoft or an icon that represents a running antivirus application. Figure 1-5 shows the notification area with several icons displayed.

Figure 1-5 The notification area



The desktop
Many people who are familiar with the previous versions of Microsoft desktop operating systems have found the default Windows XP desktop (the area above the taskbar in Figure 1-6) surprisingly bare.


Figure 1-6 Windows XP Bliss desktop with a lone Recycle Bin icon

Desktops in previous versions of Windows featured icons for My Computer, My Network Places, Internet Explorer, and other applications. Each application that users installed also offered to add its own icons to the desktop. The result was a desktop with dozens of icons. Windows XP, by default, does not place any icon other than the Recycle Bin on the desktop. You can put your icons back on the desktop by customizing the desktop settings.

The Windows Classic desktop
When Windows XP was first released, many users were uncomfortable with the new desktop technology (code-named Luna). To accommodate these users, Microsoft created a desktop theme that mimics many of the features of the earlier Windows interfaces. In this way, those who can't get a handle on the new interface can actually reinstate the entire Windows Classic theme. You get an interface similar to that of Windows 2000 Professional with all the colors and controls familiar to users of the older operating system (Figure 1-7).
NOTE We will discuss desktop themes and how to configure them in Chapter 5.


Figure 1-7 Selecting the Windows Classic theme



Hardware Support
Windows XP has better hardware installation and configuration support than previous Windows versions. Microsoft has combined the scalability, reliability, and performance of the corporate family of operating systems with the ease of configuration for many tasks of the consumer family of operating systems and formed a comprehensive driver model with the best traits of each.

Enhanced device driver support
Windows XP fully implements Microsoft's Plug and Play technology to allow simple configuration of supported hardware devices.

Driver signing
Windows XP can be configured to require device drivers for new hardware to contain a digital signature from Microsoft's Windows Hardware Quality Laboratory (WHQL). This ensures that devices and their drivers are tested and approved by an authoritative third party (in this case, Microsoft) before use.

Device driver rollback
If a driver is installed that causes a problem with the operating system or other hardware, it can be rolled back, effectively uninstalling it and returning the previous driver. This speeds recovery from incorrect driver installation.

CD and DVD recording
Windows XP natively supports reading and writing to CD-R and CD-RW media. Files and video can be written directly to these media without any third-party burning tools. For example, users can select a folder of images from a digital camera, drag it to the icon representing their CD-R drive, and then create a CD. They can also transfer more and larger files to a single CD instead of copying them to several smaller-capacity floppy disks.


This feature also provides options for original equipment manufacturers (OEMs) and independent software vendors (ISVs). OEMs can create branded applications that generate emergency boot CDs instead of emergency boot floppy disks and, by using function calls to the CD-ROM-burning features of the operating system, software vendors can offer a burn to CD option on their Windows applications. This can be a great feature, for example, in a graphics program that writes many large files to disk.

Auto-Configuration for Multiple Network Connectivity
The Auto-Configuration for Multiple Network Connectivity feature provides easy access to network devices and the Internet. It also allows a mobile computer user to seamlessly operate both office and home networks without manually reconfiguring Transmission Control Protocol/Internet Protocol (TCP/IP) settings. You can use this feature to specify an alternative configuration for TCP/IP if a Dynamic Host Configuration Protocol (DHCP) server is not found. The alternative configuration is useful when a computer is used on multiple networks, one of which does not have a DHCP server and does not use an automatic private Internet Protocol (IP) addressing configuration.
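As an added example (not from the textbook or from Microsoft), the following batch script checks two of the features described in this section on a Windows XP Professional computer: it lists drivers that carry no digital signature, using the IsSigned column that driverquery /si reports, and it tells whether the TCP/IP address in use was assigned by automatic private IP addressing (APIPA) rather than by DHCP, a static setting, or the alternative configuration. It assumes that driverquery.exe, ipconfig.exe, and find.exe are on the path and that device names in the driverquery output contain no commas.

```batch
@echo off
rem Added example, not from the textbook: post-setup checks for driver
rem signing and for the source of the TCP/IP address.
rem Assumes Windows XP Professional with driverquery, ipconfig and find.
setlocal

echo == Drivers without a digital signature ==
rem /fo csv /nh yields one quoted record per line:
rem   "DeviceName","InfName","IsSigned","Manufacturer"
rem Assumption: device names contain no commas, so tokens 1-3 line up.
for /f "tokens=1-3 delims=," %%A in ('driverquery /si /fo csv /nh') do (
    if /i %%C=="FALSE" echo Unsigned driver: %%A  INF: %%B
)

echo.
echo == TCP/IP address source ==
rem ipconfig labels an APIPA (169.254.x.x) address "Autoconfiguration IP
rem Address"; an address from DHCP, a static setting or the alternative
rem configuration is shown as a plain "IP Address".
ipconfig | find "Autoconfiguration IP Address" >nul
if errorlevel 1 (
    echo Address supplied by DHCP, a static setting, or the alternative configuration.
) else (
    echo APIPA address in use: no DHCP server answered and no alternative configuration was applied.
)
endlocal
```

Run the script from a command prompt after installing new hardware or when a mobile computer that works at the office fails to reach the home network. An unsigned driver on the list is a candidate for Device driver rollback, and an APIPA address means the alternative configuration described above was never applied, so the DHCP and alternative settings of the connection should be reviewed.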

COMPREHENSIVE HELP AND SUPPORT OPTIONS


Windows XP has an extensive collection of user assistance features. Among these are a new Help and Support Center found on the Start menu, Remote Assistance, and support Troubleshooters. Figure 1-8 shows the user assistance items we will introduce next.

Figure 1-8 Help and Support Center




Microsoft also allows manufacturers of computer systems to create their own custom-branded versions of the Help and Support Center (Figure 1-9). This helps them to promote their brand identity while providing their customers with integrated support options.

Figure 1-9 Custom-branded Help and Support



Pick a Help Topic


This area of Help and Support contains topical advice on system usage, configuration, and troubleshooting issues. Users are directed to information on system features, instructions on setting up system components, and wizards to guide more advanced processes.

Ask for Assistance


The Ask for Assistance feature allows users to ask another user for help via the Remote Assistance feature or to communicate directly with Microsoft Product Support Services to resolve an issue.

Remote Assistance
The Remote Assistance feature allows a helper to remotely view and control a computer for any support task. It also enables chat and file transfers. If a user has a computer problem, another person can be invited to help over the Internet. The remote assistant can accept the invitation, chat with the user about the problem,


and view the desktop. With permission, the remote assistant can also get full control of the computer to perform any complex steps needed to fix the problem. The remote assistant can also transfer any files required to fix the problem.
IMPORTANT Do not confuse Remote Assistance with Remote Desktop. Remote Desktop allows one to connect to, and control, a computer remotely. It does not allow the user at the computer being controlled to see what is happening on the screen. We will present more information on Remote Desktop in Chapter 10.

Microsoft Incident Submission and Management
The Microsoft Incident Submission and Management feature allows a user to submit electronic support incidents to Microsoft, collaborate with support engineers, and manage submitted incidents.

Pick a Task
This area of Help and Support contains links to Windows Updates, links for locating compatible hardware and recovering from system problems with System Restore, and a menu of system support tools.

Windows Update
Microsoft maintains a collection of patches and updates for each recent Windows operating system on the Windows Update Web site. This option connects the user to this site to scan for available updates.

Compatible Hardware and Software
The Compatible Hardware and Software feature provides up-to-date, comprehensive, user-friendly hardware and software compatibility information to aid users in upgrading equipment, making purchasing decisions, and troubleshooting problems. For example, if you purchase an application that requires a 3-D accelerator card, you might not know which cards are compatible with your computer. You can use Help and Support to run a comprehensive query and find compatible 3-D accelerator cards. You can run queries based on manufacturer, product type, software, or hardware. The Microsoft compatibility teams use data from user interactions, independent hardware vendors (IHVs), and ISVs to improve their products.


My Computer Information
My Computer Information provides an easily understood, highly accessible view of personalized software and hardware information about your computer or another computer for which you have administrative permissions. You can view information in five categories, as described in the following sections.

View General System Information About This Computer
The My Computer Information General category allows you to view information about your computer such as the computer manufacturer, model, basic input/output system (BIOS) version, processor version and speed, operating system, amount of memory, and amount of available disk space.

View The Status Of My System Hardware And Software
The My Computer Information Status category allows you to examine diagnostic information about your computer, including the following:

- Obsolete applications and device drivers
- System software
- Hardware: video card, network card, sound card, and universal serial bus (USB) controller
- Hard disks
- Random access memory (RAM)

Find Information About The Hardware Installed On This Computer
The Computer Information Hardware category allows you to examine descriptive information about your computer's hardware, including the local disk, display, video card, modem, sound card, USB controller, network cards, CD-ROM drives, floppy drives, memory, and printers.

View A List Of Microsoft Software Installed On This Computer
The Software category allows you to view a list of Microsoft products that are installed and registered by product identification (PID) number on your computer, including products that run automatically from Startup. It also shows you the Windows Dr. Watson Crash Information about any software that crashed while running on your computer.

View Advanced System Information
Advanced System Information allows you to choose from the following options:


View Detailed System Information (MSINFO32.exe)
This option allows you to view detailed information about hardware resources, components (multimedia, input, network, ports, and storage), software environment, and Internet settings, as shown in Figure 1-10.


Figure 1-10 The System Information window

View Running Services
This option lets you view the system service processes running on your computer.

View Group Policy Settings Applied
This option lets you view which settings on your computer are the result of Group Policy control.

View The Error Log
View errors and messages from the operating system, its services, and installed applications.

View Information For Another Computer
If you have administrative permissions on a remote computer, you can view My Computer Information on that remote computer. If you click View Computer Information For Another Computer, the Web Page dialog box appears, prompting you to enter the name of the remote computer you want to view. Enter the remote computer name, and then click Open to view the remote computer information.


Searching and Printing Options


Help and Support also supports a full-text search function and gives users the ability to print applicable sections for offline reference.

Full-Text Search
The Windows Help system uses Hypertext Markup Language (HTML) to format and display information. If you have an Internet connection, you can search for every occurrence of a word or phrase across all Windows-compiled HTML Help files. Because the Windows Help System is also extensible, multiple search engines can plug into the Help and Support Center application using a set of standard interfaces. Users can search for content across multiple remote and online providers. For example, you can search for information resident on your computer or located remotely in the Microsoft Knowledge Base or in a participating OEM's knowledge base.
NOTE The Microsoft Knowledge Base is a comprehensive database containing detailed articles with technical information about Microsoft products, fix lists, documentation errors, and answers to commonly asked technical support questions. To access the Knowledge Base directly, instead of using the Help And Support application, go to http://search.support.microsoft.com/kb/c.asp.

Printing
The Help and Support Center application allows you to print an entire chapter of Help content with one print command; that is, it can iteratively print all available topics in a specified node. If some topics are not available because of network connection problems, Windows XP Professional prints only the available content. After you have located the information you want to print, click Print.

WINDOWS XP SECURITY TECHNOLOGIES


Windows XP supports many technologies for securing communications and data. Among these are the Windows Firewall, Security Center, Attachment Manager, Encrypting File System, and policy-based security management.

Windows Firewall
Known prior to Windows XP Service Pack 2 (SP2) as the Internet Connection Firewall, Windows XP SP2 provides the improved Internet firewall known as the Windows Firewall. SP2 enables the Windows Firewall by default to protect Internet-connected computers from malicious access from the Internet. The Windows XP Firewall blocks nearly all incoming TCP/IP traffic by default. It automatically responds to requests by Windows applications for Internet data by opening a port to allow return traffic only from the remote host. When the connection is dropped, the port is closed again to outside traffic. Unless a user chooses to configure service definitions, the Windows Firewall does not respond to any outside connection attempt. This prevents any access from an outside system that is not specifically invited, thus thwarting attempts to hack the system from the Internet.

Security Center
Released with SP2, the Security Center (Figure 1-11) is a centralized, Internet security monitoring center. It has links to maintenance and configuration activities for Internet Firewall, Virus Protection, and Automatic Updates.

Figure 1-11 Windows XP Security Center



NOTE The Security Center will be discussed in more depth in Chapter 14.

Attachment Manager
The Attachment Manager, also released in SP2, provides security by controlling which e-mail attachments can be opened from within installed e-mail clients.


Encrypting File System


The Encrypting File System (EFS) stores folders and files in encrypted form, generating file encryption keys for each encrypted file stored on the system. The keys are then encrypted with a key belonging to the file's owner and one belonging to a designated recovery agent. Encryption prevents people from getting access to data in these files even if they somehow gain access to the system. Without the user's key or the recovery agent's key, the data is inaccessible to all other users.
NOTE

We will discuss the EFS in more depth in Chapter 3 and Chapter 14.

Security Management Policies


Windows XP uses security management policies to define security settings on the local computer. These settings can be applied directly to the computer using the Local Security Policy console (as shown in Figure 1-12) or remotely using Group Policy management tools.

Figure 1-12 The Local Security Policy console



Using policies, you can devise a standard group of security settings and apply them to multiple computers at once, ensuring consistent security settings throughout the enterprise.

WINDOWS XP ORGANIZATIONAL ROLES


Windows XP Professional is at home both in small offices and international enterprises. With its enormously flexible configuration options, Windows XP can be configured for standalone use, for sharing files with a small network workgroup, or for working in a large network in which files are accessed from servers in a far-off datacenter.


Workgroup Networks
A workgroup is a logical collection of computers that share resources with each other, as shown in Figure 1-13. These resources might be files, printers, or applications. A workgroup is also called a peer-to-peer network because all computers in the workgroup can share resources as equals (peers) without a dedicated server. Security in a workgroup is defined by a series of local security databases residing on each of the computers that are sharing resources.
[Figure 1-13 diagram labels: Windows Server 2003 (Accounts), Windows 2000 Server (Accounts), Windows XP Professional (Accounts), Windows XP Professional (Accounts), Windows Server 2003, Printer]

Figure 1-13 A workgroup network



NOTE Logical vs. Physical Network Structures
A logical network structure such as a workgroup or a domain is basically a management tool used by administrators to classify, configure, and support the computers in that network. A physical network structure is the actual hardware design, including such items as routers, switches, cables, and connectors that make up the actual network.

Users of computers in workgroups are given access to resources on each computer by the person in charge of that computer. They have a username and a password for each computer on which they access resources. It is not uncommon for a user to have to keep track of several different usernames and passwords. A workgroup provides the following advantages:

- It does not require inclusion of a domain controller in the configuration to hold centralized security information.
- It is simple to design and implement. It does not require the extensive planning and administration that a domain requires.
- It is a convenient networking environment for a limited number of computers in close proximity.

Some disadvantages of workgroups include:

- A workgroup becomes impractical in environments with more than 10 computers because each computer has its own security authority and must maintain its own set of usernames and passwords. This greatly increases administrative overhead as the workgroup grows.
- Workgroups do not provide for centralized management of systems or resources.
- Workgroups require users to remember and use different usernames and passwords for each resource they need to access.
- Workgroups usually struggle with computer name resolution across IP subnets and switched networks.

Domain Networks
A domain is a logical grouping of network computers that share a central directory database (as shown in Figure 1-14). A directory database contains user accounts and security information for the domain. This database is known as the directory and is a major portion of Active Directory, the Windows 2000 and Windows Server 2003 directory service. Active Directory can manage much more than just user security, however. It can publish shared data folders, printers, applications, and other resources for ease of location and configuration. Users can be consolidated into organizational units (OUs) based on their roles within the organization. Management responsibilities can be delegated to junior administrators without compromising the security of the entire directory.


[Figure 1-14 diagram labels: Windows 2000 Server (Domain Controller) with Active Directory, Windows 2000 Server (Domain Controller) with Active Directory, Replication between the domain controllers, Domain, Windows XP Professional, Windows XP Professional, Windows Server 2003 (Member Server), Printer]

Figure 1-14 A domain network



In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related aspects of user and domain interactions, centralizing security and administration.
NOTE

You can designate only a computer running one of the Microsoft Windows Server products as a domain controller. If all computers on the network are running Windows XP Professional, the only type of network available is a workgroup.

Users of computers in domains are given access to resources on each computer by a central administration team. Each user has only one username and password to access resources throughout the domain. This method of control greatly simplifies management of user accounts. The benefits of a domain include the following:

- Centralized administration, because all user information is stored centrally.
- A single logon process for users to gain access to network resources (such as file, print, and application resources) for which they have permissions. In other words, you can log on to one computer and use resources on another computer in the network as long as you have appropriate permissions to access the resource.
- Scalability, so that you can create very large networks.


A typical Windows domain includes the following types of computers:

- Domain controllers running Windows 2000 Server or Windows Server 2003. Each domain controller stores and maintains a copy of the directory. In a domain, you create a user account once, which is recorded in the directory. When a user logs on to a computer in the domain, a domain controller authenticates the user by checking the directory for the username, password, and logon restrictions. When there are multiple domain controllers in a domain, they periodically replicate their directory information.
- Member servers running Windows 2000 Server or Windows Server 2003. A member server is a server that is not configured as a domain controller. A member server does not store directory information and cannot authenticate users. Member servers provide shared resources such as shared folders or printers.
- Client computers running Windows XP Professional, Windows 2000 Professional, or another Windows client operating system. Client computers run a user's desktop environment and allow the user to gain access to resources in the domain.

Logging On and Off Windows XP Professional


The procedure used to log on to Windows XP differs depending on the operating system's role in the network. Users in a workgroup environment might use the Welcome screen or the Log On To Windows dialog box. Domain users are restricted to the Log On To Windows dialog box.

The Welcome screen
By default, Windows XP Professional uses the Welcome screen to allow users to log on locally (as shown in Figure 1-15). To log on, click the icon for the user account you want to use. If the account requires a password, you are prompted to enter it. If the account is not password protected, you are logged on to the computer. In addition to the Welcome screen, you can also use Fast User Switching (which is on by default). This feature allows you to quickly log another user on to the system while the originally logged on user is placed on standby status. The original user's applications are kept running, and they return to the screen when you switch back to the original user.


Figure 1-15 Windows XP Welcome screen



NOTE If your computer is a member of a domain, the Welcome screen and Fast User Switching will not be available.

You can also use Ctrl+Alt+Delete at the Welcome screen to get the Log On To Windows dialog box. This enables you to log on to the Administrator account, which is not displayed on the Welcome screen when other user accounts have been created. To use Ctrl+Alt+Delete, you must enter the sequence twice to get the logon prompt. A user can log on locally to either of the following:

- A computer that is a member of a workgroup
- A computer that is a member of a domain but is not a domain controller

The User Accounts program in Control Panel includes a Change The Way Users Log On Or Off task, which allows you to configure Windows XP Professional to use the Log On To Windows dialog box instead of the Welcome screen.


The Log On To Windows dialog box
To use the Log On To Windows dialog box (shown in Figure 1-16) to log on locally to a computer running Windows XP Professional, you must supply a valid username; if the username is password protected, you must also supply the password. Windows XP Professional authenticates the user's identity during the logon process. Only valid users can access resources and data on a computer or a network. Windows XP Professional authenticates users who log on locally to the computer at which they are seated, and one of the domain controllers in a Windows 2000 or Windows Server 2003 domain authenticates users who log on to a domain.

Figure 1-16 Windows XP Log On To Windows dialog box



When a user starts a computer running Windows XP Professional that is configured to use the Log On To Windows dialog box, an Options button also appears. This allows the user to expose or hide options such as logging on to a domain instead of the local system, or connecting to the network using dial-up networking.
NOTE

If your computer is not part of a domain, you will not get the Log On To option.


SUMMARY

Windows XP includes the most advanced Microsoft user interface to date. It uses an intuitive user interface and high-resolution graphics to present users with an attractive and useful environment. Windows XP has many hardware interface design features that make using peripheral devices easier; among these are driver signing and device driver rollback. Help and Support is a comprehensive collection of support tools and technologies that make it easier to locate help and assistance. Windows XP supports many security technologies to protect users and their data from malicious programs and hack attempts. Windows XP supports a wide range of uses, including standalone, workgroup, and domain environments. Windows XP provides logon security to ensure that access to the desktop is authenticated.

REVIEW QUESTIONS
1. Which feature of Windows XP Professional allows you to prevent people who gain access to a computer's files from reading the contents of the files? (Choose all that apply.)
a. Windows Firewall
b. Encrypting File System (EFS)
c. Group Policy
d. Local Security Policy

2. Which feature of Windows XP Professional allows you to recover from installing the incorrect driver for a device? (Choose all that apply.)
a. Driver Signing
b. Driver Rollback
c. Plug and Play
d. Windows Hardware Quality Laboratory (WHQL)


3. Which feature in Help and Support allows a user to receive help from another user over a network connection? (Choose all that apply.)
a. System Restore
b. Microsoft Incident Submission
c. Remote Assistance
d. Remote Desktop

4. Which of the following statements best describes Windows Firewall? (Choose all that apply.)
a. Windows Firewall prevents unauthorized users from accessing system files.
b. Windows Firewall protects a computer from high temperatures by shutting it down when it gets too warm.
c. Windows Firewall protects a computer from attacks by malicious users or programs on the Internet.
d. Windows Firewall encrypts data files on a computer's disk drives.

5. Which of the following scenarios depict a workgroup network? (Choose all that apply.)
a. A small collection of computers that share files with each other. Each computer has a list of authorized users.
b. A large corporate network with hundreds of computers and a central accounts database.
c. One computer connected to the Internet via modem.
d. A laptop on the hood of a car on a construction site.


CASE SCENARIOS
Scenario 1.1: Securing Data
You have been hired by a large pharmaceutical company to support its research department. Many of the users in the department use laptop computers and travel extensively. The company wants to prevent unauthorized access to the contents of the disk on each laptop and is concerned about what will happen to the company's trade secrets if a laptop is stolen. What feature of Windows XP helps you address these two concerns?
1. Encrypting File System (EFS)
2. Remote Assistance
3. User accounts
4. Windows Firewall

Scenario 1.2: Assisting Remote Users


Your boss is staying in a hotel while at a conference. He is logged on to your domain over an Internet connection and is having a problem with his e-mail configuration. You have tried to visualize the error message he is describing, but it would be much simpler to troubleshoot the problem if you could just see his screen. How can you get a view of his screen to help him troubleshoot his problem?

CHAPTER 2

INSTALLING WINDOWS XP PROFESSIONAL


Upon completion of this chapter, you will be able to:

- Perform and troubleshoot an unattended installation of Windows XP Professional
- Install Windows XP Professional by using Remote Installation Services (RIS)
- Install Windows XP Professional by using the System Preparation tool
- Create unattended answer files by using Setup Manager to automate the installation of Windows XP Professional
- Upgrade from a previous version of Windows to Windows XP Professional
- Prepare a computer to meet upgrade requirements
- Migrate existing user environments to a new installation
- Perform post-installation updates and product activation
- Troubleshoot failed installations

In this chapter we will discuss the installation of Microsoft Windows XP Professional. We'll present the hardware requirements for supporting Windows XP Professional, how to verify hardware compatibility, and how to test your hardware for compatibility before installation. You will learn how to perform attended and unattended installations. We will introduce advanced installation techniques such as Remote Installation Services (RIS) and the System Preparation tool (Sysprep). Finally, you'll learn critical post-installation steps such as activation and applying operating system updates.


PREINSTALLATION TASKS
Before you install Windows XP Professional on a computer, you must perform several steps to ensure a successful installation. Among these are verifying that your hardware will be compatible with the operating system, determining how the system will be configured, and deciding which installation method to use.

Verifying Hardware Compatibility


Although the Windows XP Professional Setup Wizard checks your hardware and software for potential conflicts, before you install Windows XP Professional you should verify that your hardware is listed in the Windows Catalog. Microsoft provides tested drivers for the listed devices only. Using hardware not listed in the catalog can cause problems during and after installation. The most recent version of the Windows Catalog for released operating systems is on the Microsoft Web site at http://www.microsoft.com/windows/catalog.
NOTE

The Windows Catalog only includes hardware that has been tested and certified by the Windows Hardware Quality Laboratory (WHQL). Your hardware might support Windows XP but not be WHQL certified. If this is the case, Windows XP will not include device drivers for your device, but drivers and support should be available directly from the manufacturer, usually on its Web site. This step might be necessary if you want to use the latest and greatest hardware, but using these drivers bypasses an important quality-control certification step and can introduce instability into your system.

Hardware Requirements
You must determine whether your hardware meets or exceeds the minimum requirements for installing and operating Windows XP Professional, as shown in Table 2-1.
Table 2-1 Windows XP Professional Hardware Requirements

Component: Minimum Requirements
Central processing unit (CPU): Pentium (or compatible) 233-megahertz (MHz) or higher; a Pentium II (or compatible) 300-MHz or higher processor is recommended
Memory: 64 megabytes (MB) minimum; 128 MB recommended; 4 gigabytes (GB) of random access memory (RAM) maximum
Hard disk space: 650 MB free space on a 2-GB hard disk; 2-GB free disk space is recommended
Networking: Network adapter card and related cable
Display: Video display adapter and monitor with Video Graphics Adapter (VGA) resolution or higher; Super VGA and a Plug and Play monitor are recommended
Other drives: CD-ROM drive, 12X or faster recommended (not required for installing Windows XP Professional over a network), or DVD drive; a high-density 3.5-inch disk drive as drive A, unless the computer supports starting the Setup program from a CD-ROM or DVD drive
Accessories: Keyboard and mouse or other pointing device

NOTE

Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available.

Storage Requirements
The Windows XP Professional Setup program examines the hard disk to determine its existing configuration. Setup then allows you to install Windows XP Professional on an existing partition or to create a new partition on which to install it.

New Partition or Existing Partition
Depending on the hard disk configuration, you might need to do one of the following during installation:

- If the hard disk is new or has not previously stored data, you can create a new, appropriately sized partition for Windows XP Professional.
- If the hard disk is already partitioned and contains enough unpartitioned disk space, you can use the unpartitioned space to create a Windows XP Professional partition.
- If an existing partition is large enough, you can install Windows XP Professional on that partition. Installing on an existing partition might require you to reformat the partition to create sufficient clean space for the installation.
- If an existing partition is not large enough, you can delete it to provide more unpartitioned disk space for the creation of the Windows XP Professional partition.
CAUTION

Reformatting or deleting a disk partition destroys the data contained on the partition. Be sure you have backed up any data in the partition before performing either of these two actions.

Microsoft recommends installing Windows XP Professional on a 2-GB or larger partition. Although Windows XP Professional does not require that much disk space for installation, using a larger installation partition provides the flexibility to install Windows XP Professional updates, operating system tools, or other necessary files in the future.

Remaining Free Hard Disk Space
Although you can use Setup to create other partitions, you should create and size only the partition on which you will install Windows XP Professional. After you install Windows XP Professional, you can use more advanced tools such as the Disk Management administrative tool to partition any remaining space on the hard disk.
NOTE

Managing disks and partitions is discussed in more detail in Chapter 3.

File Systems
After you create the installation partition, Setup prompts you to select the file system with which to format the partition. Like Microsoft Windows NT and Microsoft Windows 2000 Professional, Windows XP Professional supports both the NT file system (NTFS) and the file allocation table (FAT) file system. Both Windows 2000 Professional and Windows XP Professional also support FAT32. Figure 2-1 summarizes some of the features of these file systems.
NOTE

We will examine the differences between NTFS and FAT file systems more closely in Chapter 3.


[Figure 2-1 diagram contents]
FAT: DOS and Windows; 2 or 4 GB max size (1); no file- or folder-level security
FAT32: Windows 95 R2 and later; 32 GB max size (2); no file- or folder-level security
NTFS: Windows NT 4.0 and later (3); 16 EB max size; file- and folder-level security; compression; encryption; disk quotas; mounted volumes
(1) Depending on OS version. (2) OS limit imposed by Microsoft. (3) Windows NT family operating systems.

Figure 2-1 A file system comparison



NTFS supports the following features:

- File- and folder-level security: NTFS allows you to control access to files and folders.
- Disk compression: NTFS compresses files to store more data on the partition.
- Disk quotas: NTFS allows you to control disk usage on a per-user basis.
- Encryption: NTFS allows you to encrypt file data on the physical hard disk, using the Microsoft Encrypting File System (EFS). See Chapter 14 for additional information about EFS.

NOTE

There are many reasons to choose NTFS over FAT for Windows XP installations, but security is by far the most important. Chapter 7 is dedicated to understanding and managing NTFS security.

The version of NTFS (NTFS 5) in Windows XP Professional supports remote storage, dynamic volumes, and mounting volumes to folders. Windows Server 2003, Windows XP, and Windows 2000 are the only operating systems that can natively access data on a local hard disk formatted with NTFS 5.


FAT and FAT32
FAT and FAT32 file systems offer backward compatibility with older Windows operating systems. If you plan to dual boot between Windows XP Professional and another operating system that requires FAT or FAT32, you must format the system partition with FAT or FAT32.
NOTE

The terms system partition and boot partition might appear to be switched at birth. After all, the computer boots from the system partition and loads the operating system from the boot partition. You can think of the terms in this way: When a system starts, it makes its operating system selection from configuration files in the system partition. As the chosen operating system loads (boots), it loads from the boot partition.

The FAT and FAT32 file systems do not offer many of the features (for example, file-level security, compression, and encryption) that NTFS supports. Therefore, in most situations, you should format the hard disk with NTFS. The only reason to use FAT or FAT32 is to support dual booting with another operating system that does not support NTFS. If you are setting up a computer for dual booting, you must format only the system partition as FAT or FAT32. For example, if drive C is the system partition, you can format it as FAT or FAT32 and format drive D as NTFS.
CAUTION

Keep in mind that formatting a drive with NTFS makes the data it contains inaccessible to operating systems that are not NTFS compatible.

Converting a FAT or FAT32 Volume to NTFS
Windows XP Professional provides the Convert command for converting a partition to NTFS without reformatting the partition and losing all the information on it. The Convert command runs from the Windows XP command prompt and manages the file system conversion. The following example demonstrates the syntax for the Convert command:
Convert volume /FS:NTFS [/V] [/CvtArea:filename] [/Nosecurity] [/X]

IMPORTANT

After a partition has been converted to NTFS, you cannot convert the partition back to a FAT partition without reformatting it (erasing all data from the partition). After reformatting with FAT, data must be restored from backup.

Table 2-2 describes the options available with the Convert command.


Table 2-2 Convert Command Options

Switch: Function (Required)
Volume: Specifies the drive letter (followed by a colon), volume mount point, or volume name that you want to convert (Required: Yes)
/FS:NTFS: Specifies converting the volume to NTFS (Required: Yes)
/V: Runs the Convert command in verbose mode (Required: No)
/CvtArea:filename: Specifies a contiguous file in the root directory to be the placeholder for NTFS system files (Required: No)
/NoSecurity: Sets the security settings to make converted files and directories accessible to everyone (Required: No)
/X: Forces the volume to dismount first if necessary; all open handles to the volume are thereby invalid (Required: No)

NOTE

For help with any command-line program, at the command prompt type the command followed by /? and press ENTER. For example, to receive help on the Convert command, type Convert /? and press ENTER.
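As an added example that is not from the book, the following batch script (assumed name convert-check.cmd, run from an administrative command prompt) reads a volume's current file system with fsutil before handing it to Convert, so that an NTFS volume is never "converted" a second time and a FAT or FAT32 volume is converted only after a backup has been confirmed on the command line.

```bat
@echo off
rem Added example, not part of the book. Pre-flight wrapper around Convert:
rem   convert-check.cmd D: /backup-done
rem Requires an administrative command prompt (both fsutil and convert need it).
setlocal EnableExtensions

set "VOL=%~1"
if "%VOL%"=="" (
    echo Usage: %~nx0 ^<drive letter with colon, for example D:^> [/backup-done]
    exit /b 1
)

rem fsutil fsinfo volumeinfo prints a line such as "File System Name : FAT32".
rem Assumption: the file system is the fifth space-separated token of that line.
set "FS="
for /f "tokens=5" %%t in ('fsutil fsinfo volumeinfo %VOL% ^| find "File System Name"') do set "FS=%%t"

if not defined FS (
    echo Could not determine the file system of %VOL%. Is the drive letter valid?
    exit /b 2
)
echo %VOL% is currently formatted as %FS%.

rem Conversion is one-way: an NTFS volume can only go back to FAT by reformatting,
rem so there is nothing for this script to do.
if /i "%FS%"=="NTFS" (
    echo Nothing to do: %VOL% is already NTFS.
    exit /b 0
)

rem Convert keeps the data in place, but a failed conversion still needs a backup.
if /i not "%~2"=="/backup-done" (
    echo Refusing to convert %VOL%: back up the volume first, then rerun with /backup-done.
    exit /b 3
)

rem /X dismounts the volume first, which invalidates every open handle on it,
rem so close any application that is using the volume before running this.
rem /NoSecurity is deliberately not used: it would make every converted file
rem and directory accessible to everyone, defeating the main reason for NTFS.
convert %VOL% /FS:NTFS /V /X
if errorlevel 1 (
    echo Convert exited with code %errorlevel%; see Convert /? for details.
    exit /b 4
)
echo Conversion of %VOL% to NTFS finished.
endlocal
```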

Domain or Workgroup Membership


During installation, you must choose whether the computer will join a domain or a workgroup. Figure 2-2 shows the requirements for joining a domain or a workgroup.

[Figure 2-2 diagram, domain tailspintoys.com. Joining a domain requires: a domain name; a computer account; an available domain controller and a DNS server. Joining a workgroup requires: a new or an existing workgroup name.]

Figure 2-2 Domain or workgroup membership requirements


Joining a Domain
When you install Windows XP Professional on a computer, you can add that computer to an existing domain. This process is referred to as joining a domain. A computer can join a domain during or after installation. Joining a domain during installation requires the following:

- A domain name: Ask the domain administrator for the Domain Name System (DNS) name for the domain that the computer will join. An example of a DNS-compatible domain name is microsoft.com, in which microsoft is the name of the organization's DNS identity.

NOTE

You can join a domain using the NetBIOS name of the domain if your network is still supporting NetBIOS name resolution. Examples of a NetBIOS name are MICROSOFT or CONTOSO. Ask your administrator to make sure.

- A computer account: Before a computer can join a domain, you must create a computer account in the domain. If you create the computer account during installation, Setup prompts you for the name and password of a user account with authority to add domain computer accounts. You can ask a domain administrator to create the computer account before installation or, if you have been given permission, you can create the computer account yourself during installation.
- An available domain controller and a server running the DNS service (called the DNS server): At least one domain controller in the domain that you are joining and one Active Directory-compatible DNS server must be online when you install a computer in the domain.

Joining a Workgroup
When you install Windows XP Professional on a computer, you can add that computer to an existing workgroup or create a new workgroup. This process is referred to as joining a workgroup. If you are not using the default workgroup name WORKGROUP during installation, you must assign a workgroup name to the computer. The workgroup name you assign can be the name of an existing workgroup or the name of a new workgroup that you create during installation. The act of assigning a workgroup name that did not previously exist on the network is all that is required to create a new workgroup. The computer browser service that maintains lists of computers in My Network Places will group computers by their workgroup affiliations.


NOTE

Being in a workgroup does not confer any security or administrative control to a computer that joins. Workgroups are merely collections of computers. Chapter 1 discusses the difference between domains and workgroups in more detail.

PERFORMING AN ATTENDED INSTALLATION


In this section we will examine attended installations using the Windows XP Professional product CD-ROM and also installing from a network location. You will learn the steps in the installation process and ways to control the eventual configuration of the system.

Windows XP Professional Setup Program


The installation process for Windows XP Professional combines the Setup program with wizards and informational screens. Installing Windows XP Professional from a CD-ROM to a clean hard disk consists of four stages:

- Running the Setup program: Setup prepares the hard disk for the later installation stages and copies the files necessary to run the Setup Wizard.
- Running the Setup Wizard: The Setup Wizard requests setup information about the computer, such as names and passwords.
- Installing Windows XP Professional networking components: After gathering information about the computer, the Setup Wizard prompts you for networking information and then installs the networking components that allow the computer to communicate with other computers on the network.
- Completing the installation: Setup copies files to the hard disk and configures the computer. It also cleans up installation files not required to operate the computer. The system restarts after installation is complete.

The following sections cover the four stages in more detail.

Running the Setup Program


To start the Setup program, insert the Windows XP Professional installation CD-ROM in your CD-ROM drive and start your computer.
NOTE

If your system cannot boot from the CD-ROM, you can make setup boot disks. Microsoft Knowledge Base article 310994 describes how to download and use a program that is used to create these disks.


Figure 2-3 shows the six steps involved in running the Setup program.

Figure 2-3 Steps in running the Setup program: 1. Load Setup program into memory; 2. Start text-based Setup program; 3. Create the Windows XP Professional partition; 4. Format the Windows XP Professional partition; 5. Copy setup files to the hard disk; 6. Restart the computer (the Setup Wizard then starts).

After the computer starts, a minimal version of Windows XP Professional is copied into memory. This version of Windows XP Professional starts the text-mode portion of the setup process. You are then prompted by the Setup program to perform the following steps:

Read and accept a licensing agreement.

Select the partition on which to install Windows XP Professional. You can select an existing partition, delete an existing partition on the hard disk, or create a new partition by using unpartitioned space on the hard disk.

Select a file system for the new partition. The Setup program then formats the partition with the selected file system.
NOTE

Setup provides the option to perform a quick format of the partition. A quick format is essentially a standard format that does not scan the disk for bad sectors. If you are certain the disk is not damaged, you can speed your installation using this option. If the disk has never been formatted or if you want to be sure the scan for bad sectors is performed, use the standard NTFS format option.

Setup copies files to the hard disk and saves configuration information. After that, Setup restarts the computer. Following the restart, the Windows XP Professional Setup Wizard is launched and installation continues.

Running the Setup Wizard


The GUI-based Windows XP Professional Setup Wizard leads you through the next stage of the installation process. It gathers data about you, your organization, and your computer, including the following information:


Regional settings: Customize language, locale, and keyboard settings. You can configure Windows XP Professional to use multiple languages and regional settings.

MORE INFO You can add another language or change the locale and keyboard settings after installation is complete. See Chapter 5 for more information.

Name and organization: Enter the name of the person and the organization to which this copy of Windows XP Professional is licensed.

Computer name: Enter a computer name of up to 15 characters. The computer name must be different from all other computer, workgroup, or domain names on the network. The Setup Wizard displays a default name (a hash of the organization name you entered earlier in the process).

NOTE

To change the computer name after installation is complete, right-click My Computer and select Properties. In the System Properties dialog box, select the Computer Name tab, and then click Change. Take care when changing a computer name. Changing the name creates a new computer account in the domain with that name, possibly requiring an administrator to manage permissions that were previously given to the original computer name.

Product key: You will be prompted to enter the product key from the Windows XP packaging.

Password for Administrator account: Specify a password for the Administrator user account, which the Setup Wizard creates during installation. The Administrator account provides the administrative privileges required to manage the computer.

IMPORTANT

Be sure to choose a complex password for the Administrator account. Using combinations of letters, numbers, and special symbols and making the password long can defeat attempts to guess the password.

Time and date: Select the time zone, adjust the date and time settings if necessary, and determine whether you want Windows XP Professional to automatically adjust for daylight savings time.


Installing Windows XP Professional Networking Components

After gathering information about your computer, the Setup Wizard guides you through installing the Windows XP Professional networking components (Figure 2-4).

Figure 2-4 Installing Windows networking components: 1. Detect network adapter cards; 2. Select networking components; 3. Join a workgroup or domain; 4. Install components; then complete setup.

Detect network adapter cards: The Windows XP Professional Setup Wizard detects and configures any network adapter cards installed on the computer.

Select networking components: The Setup Wizard prompts you to choose typical or customized settings for the networking components it installs. Custom allows you to specify any settings and optional clients or protocols you desire. You can install other clients, services, and network protocols at this time, or you can wait until after the installation has completed. The typical installation includes the following options:

Client For Microsoft Networks: Allows your computer to access network resources such as shared folders and printers on a Microsoft Windows network.

File And Printer Sharing For Microsoft Networks: Allows other computers to access file and print resources on your computer.

QoS Packet Scheduler: Manages bandwidth usage on the network, giving priority to traffic requiring constant bandwidth.

Internet Protocol (TCP/IP): Allows your computer to communicate over local area networks (LANs) and wide area networks (WANs). Transmission Control Protocol/Internet Protocol (TCP/IP) is the default networking protocol used in Windows networking.

Join a workgroup or domain: If you choose to join a domain for which you have administrative privileges, you can create the computer account during installation. The Setup Wizard prompts you for the name and password of a user account with authority to add domain computer accounts.


Install components: The Setup Wizard installs and configures the Windows networking components you selected.

Completing the Installation


After installing the networking components, the Setup Wizard starts the final step in the installation process (Figure 2-5).

Figure 2-5 The final steps to complete the installation: 1. Copy files; 2. Configure the computer; 3. Save the configuration; 4. Remove temporary files; 5. Restart the computer; setup complete.

To complete the installation, the Setup Wizard performs the following tasks:

Installs Start Menu items: The Setup Wizard sets up shortcuts that will appear on the Start Menu.

Registers components: The Setup Wizard applies the configuration settings that you specified earlier.

Saves configuration settings: The Setup Wizard saves your configuration settings to the local hard disk. The next time you start Windows XP Professional, the computer uses this configuration automatically.

Removes temporary files: To save hard disk space, the Setup Wizard deletes any files used for installation only.

Restarts the computer: The Setup Wizard restarts the computer. This finishes the installation.
IMPORTANT

After the installation has completed, be sure to apply any system updates currently available. This is critical for system security because unpatched systems contain known security vulnerabilities and can be exploited by hackers. Unpatched systems should not be connected to any public networks until they have been patched. See the section titled Applying System Updates later in this chapter.


INSTALLING OVER THE NETWORK


In this section, you will learn how to install Windows XP Professional across a network connection. This process is similar to the CD-ROM installation, except that the installation media is located on a networked computer and must be accessed over the network. This means you must have some level of connectivity between the computer installing Windows XP and the server hosting the installation files.

Preparing for a Network Installation


In a network installation, the Windows XP Professional installation files are found in a shared location on a network file server called a distribution server. From the computer on which you want to install Windows XP Professional (the target computer), connect to the distribution server and then run the Setup program. Figure 2-6 shows the requirements for a network installation.

Figure 2-6 Requirements for a network installation: the installation files on a distribution server, a FAT partition on the target computer, and a network client.

Performing a Windows XP Professional network installation requires you to do the following:

Locate a distribution server. The distribution server contains the installation files from the i386 folder on the Windows XP Professional CD-ROM. These files reside in a common network location in a shared folder that allows computers on the network to access the installation files. Contact a network administrator to obtain the path to the installation files on the distribution server.
NOTE

After you have created or located a distribution server, you can use the over-the-network method to concurrently install Windows XP Professional on multiple computers.


Create a FAT partition on the target computer. The target computer requires a formatted partition to which to copy the installation files. Create a partition containing at least 1.5 GB of disk space, and format it with the FAT file system.

Install a network client. A network client is software that allows the target computer to connect to the distribution server. On a computer without an operating system, you must boot from a client disk that includes a network client that enables the target computer to connect to the distribution server.

Installing Windows XP Professional over the network differs from a CD-ROM installation in that the Setup program copies the installation files to the target computer and begins to run the installation. From this point, you install Windows XP Professional as you would from a CD-ROM. The process for installing Windows XP Professional over the network (shown in Figure 2-7) is as follows:

Figure 2-7 Installing Windows XP Professional over the network: 1. Boot the network client; 2. Connect to the distribution server; 3. Run Winnt.exe or Winnt32.exe; 4. Install Windows XP Professional (Setup).

1. Boot the network client. On the target computer, boot from a floppy disk that includes a network client or start another operating system that can be used to connect to the distribution server.
NOTE

Network boot disks are complex to create and require the use of real-mode network card drivers. Windows NT 4 includes a utility for creating client boot disks, but no utility currently exists for this purpose in Windows XP Professional. Other third-party utilities exist for boot disk creation, but they are not supported by Microsoft for creating network installation boot disks. Microsoft Enterprise customers can make use of the Windows Preinstallation Environment (WinPE) to manage network installations, but WinPE is available only to subscribers of the Select or OEM licensing programs. Many organizations, preferring to use network installation points for upgrades, use Windows Server Remote Installation Services (RIS), other deployment tools such as Altiris's Deployment Solution, or disk imaging tools such as Ghost or DriveImage to perform installations.


2. Connect to the distribution server. After you start the network client on the target computer, connect to the shared folder on the distribution server that contains the Windows XP Professional installation files.

3. Run Winnt.exe or Winnt32.exe to start the Setup. Winnt.exe and Winnt32.exe reside in the shared folder on the distribution server.

Use Winnt.exe for an installation using MS-DOS or Windows 3 or later versions on the source system. Use Winnt32.exe when upgrading from Windows 95, Windows 98, Windows Me, Windows NT 4, or Windows 2000 Professional. Winnt32.exe is a 32-bit Windows application. As such, it makes full use of 32-bit multithreading and multitasking. This allows it to both copy and execute setup tasks simultaneously. The end result is a quicker installation than can be achieved using Winnt.exe.
NOTE

Running Winnt.exe or Winnt32.exe from the shared folder does the following:

Creates the $Win_nt$.~ls temporary folder on the target computer

Copies the Windows XP Professional installation files from the shared folder on the distribution server to the $Win_nt$.~ls folder on the target computer

4. Install Windows XP Professional. Setup restarts the local computer and begins the actual process of installing Windows XP Professional. The rest of the installation progresses in the same way as the attended installation discussed earlier.
IMPORTANT

After the installation is complete, be sure to apply any available system updates. See the section titled Applying System Updates later in this chapter.


Modifying the Setup Process Using Winnt.exe


You can modify an over-the-network installation by changing how Winnt.exe runs Setup. Table 2-3 describes the switches you can use with Winnt.exe.

Table 2-3 Winnt.exe Switches

| Switch | Function |
|---|---|
| /a | Causes Winnt.exe to install accessibility options. |
| /r[:folder] | Specifies an optional folder to be copied and saved. The folder remains after Setup finishes. |
| /rx[:folder] | Specifies an optional folder to be copied. This folder can be used to deliver other applications or data to the system for use during the installation. The folder is deleted after Setup finishes. |
| /s[:sourcepath] | Specifies the source location of Windows XP Professional files. This must be a full path in the form x:\[path] or \\server\share\[path]. The default is the current folder location. |
| /t[:tempdrive] | Specifies a drive to contain temporary setup files and directs Setup to install Windows XP Professional on that drive. If you do not specify a drive, Setup attempts to locate the drive with the most available space. |
| /u[:script_file] | Performs an unattended installation by using an optional script file. Unattended installations also require using the /s switch. The answer file provides answers to some or all of the prompts that the end user normally responds to during Setup. |
| /udf:id[,UDF_file] | Indicates an identifier (id) that Setup uses to specify how a Uniqueness Database File (UDF) modifies an answer file. The /udf parameter overrides values in the answer file, and the identifier determines which values in the UDF are used. If you do not specify a UDF_file, Setup prompts you to insert a disk that contains the $UNIQUE$.UDB file. UDFs are used only during an unattended installation. |


Modifying the Setup Process Using Winnt32.exe


You can modify an over-the-network installation by changing how Winnt32.exe runs Setup. Table 2-4 describes the switches you can use with Winnt32.exe.

Table 2-4 Winnt32.exe Switches

| Switch | Function |
|---|---|
| /checkupgradeonly | Checks your computer for upgrade compatibility with Windows XP Professional. If you use this option with the /unattend option, no user input is required. Otherwise, the results are displayed on the screen and you can save them under the file name you specify. For Windows 98 or Windows Me upgrades, the default report file name is Upgrade.txt in the %systemroot% folder (the folder that contains the Windows XP Professional system files). For Windows NT 4 or Windows 2000 upgrades, the default report file name is Ntcompat.txt in the %systemroot% folder. For more information about generating a compatibility report, see Upgrading to Windows XP Professional later in this chapter. |
| /cmd:command_line | Specifies a specific command that Setup is to run. This command is run after the computer restarts and after Setup collects the necessary configuration information. This option is useful for running a configuration script or other command as part of the installation. |
| /cmdcons | Copies to the hard disk the additional files necessary to load a command-line interface, the Recovery console, which is used for repair and recovery. The Recovery console is installed as a Startup option. You can use the Recovery console to stop and start services and to access the local drive, including drives formatted with NTFS. You can use this option only after you install Windows XP Professional. |
| /copydir:foldername | Creates an additional folder within the %systemroot% folder, which contains the Windows XP Professional system files. For example, if your source folder contains a folder called My_drivers, type /copydir:My_drivers to copy the My_drivers folder to your system folder. You can use the /copydir switch to create as many additional folders as you want. |
| /copysource:foldername | Creates an additional folder within the %systemroot% folder. Setup deletes folders created with /copysource after installation is complete. |
| /debug[level][:file_name] | Creates a debug log at the specified level. The log includes the following levels: 4 (detailed information for debugging), 3 (information), 2 (warnings), 1 (errors), 0 (severe errors only). Each level includes the level below it. By default, the debug log file is C:\Winnt32.log and the default level is 2. |
| /dudisable | Prevents Dynamic Update from running. Without Dynamic Update, Setup runs only with the original Setup files. This option disables Dynamic Update even if you use an answer file and specify Dynamic Update options in that file. |
| /dushare:pathname | Specifies a share on which you previously downloaded Dynamic Update files (updated files for use with Setup) from the Windows Update Web site. When run from your installation share and used with /duprepare, it prepares the updated files for use in network-based client installations. When used without /duprepare and run on a client, it specifies that the client installation will use the updated files on the share specified in pathname. |
| /duprepare:pathname | Prepares an installation share for use with Dynamic Update files that you downloaded from the Windows Update Web site. You can use this share for installing Windows XP Professional for multiple clients (used only with /dushare). |
| /m:foldername | Instructs Setup to copy replacement files from an alternative location. Directs Setup to look in the alternative location first and, if files are present, to use them instead of the files from the default location. |
| /makelocalsource | Instructs Setup to copy all installation source files to the local hard disk. Use this switch when installing from a CD-ROM to provide installation files when the CD-ROM is not available later in the installation. |
| /noreboot | Prevents Setup from restarting the computer after completing the file-copy phase. This allows you to execute another command. |
| /s:sourcepath | Specifies the source location of Windows XP Professional installation files. To simultaneously copy files from multiple paths, use a separate /s switch for each source path. If you type multiple /s switches, the first location specified must be available or the installation will fail. You can use a maximum of eight /s switches. |
| /syspart:[drive_letter] | Copies Setup startup files to a hard disk and marks the drive as active. You can then install the drive in another computer. When you start that computer, Setup starts at the next phase. Using /syspart requires the /tempdrive switch. You can use /syspart on computers running Windows NT 4, Windows 2000, Windows XP Professional, or Windows 2000 Server. You cannot use it on computers running Windows 95, Windows 98, or Windows Me. |
| /tempdrive:drive_letter | Places temporary files on the specified drive and installs Windows XP Professional on that drive. |
| /unattend[number]:[answer_file] | Performs an unattended installation. The answer file provides your custom specifications to Setup. If you don't specify an answer file, all user settings are taken from the previous installation if you are performing a reinstallation. You can specify the number of seconds between the time that Setup finishes copying the files and when it restarts with number. You can specify the number of seconds only on computers running Windows 98, Windows Me, Windows NT 4, or Windows 2000 that are upgrading to a newer version of Windows XP Professional. |
| /udf:id[,udb_file] | Indicates an identifier (id) that Setup uses to specify how a UDF modifies an answer file. The UDF overrides values in the answer file, and the identifier determines which values in the UDF are used. For example, /udf:RAS_user,OUR_COMPANY.UDF overrides settings that are specified for the RAS_user identifier in the OUR_COMPANY.UDF file. If you do not specify a UDF, Setup prompts you to insert a disk that contains the $UNIQUE$.UDF file. |

AUTOMATING INSTALLATIONS USING WINDOWS SETUP MANAGER


Businesses and other organizations that maintain dozens, hundreds, or even thousands of computers need a way to automate the Windows XP installation process to save time and expense. One way to do this is by creating an answer file to provide the answers to the installation dialog boxes. The setup process is run specifying the answer file, and the installation process continues unattended by reading the answers from the file. Using answer files also allows the organization to send installations out to remote offices to be installed by less experienced personnel, eliminating travel expenses and giving senior IT staff time for other projects. Windows Setup Manager allows you to quickly create a script for a customized installation of Windows XP Professional without concern for cryptic text file syntax. Windows Setup Manager enables you to create scripts to perform customized installations on workstations and servers that meet the specific hardware and network requirements of your organization.
MORE INFO Answer files and UDFs use a special syntax to direct the unattended installation process. Examples of this are displayed in the slides accompanying this chapter, and an example Unattend.txt file can be found in the i386 folder on the Windows XP CD-ROM. A more complete reference to the Unattend.txt syntax is available in the Windows XP preinstallation reference (ref.chm) located in the Windows XP deployment tools package (described in the next section).

Installing Setup Manager


Windows Setup Manager is part of the deployment tools package that ships with Windows XP. This toolkit assists with corporate deployment issues such as large-scale deployment and mass configuration. You use it as follows:

1. Start Windows Explorer, and create the folder C:\Deploy.
NOTE

The C:\Deploy folder is used to contain the files extracted from DEPLOY.CAB on the Windows XP Professional CD-ROM.

2. Navigate to the Support\Tools\Deploy folder on the Windows XP CD-ROM. Windows XP Professional displays the contents of DEPLOY.CAB.

3. Select all of the files listed in DEPLOY.CAB by selecting any file in the window and pressing CTRL+A.

4. Choose Extract from the shortcut menu. The Select A Destination dialog box appears.

5. Go to My Computer, select Local Disk (C:), select Deploy, and then click the Extract button.

6. Select C:\Deploy to view its contents. The files in C:\Deploy should include the following:


Deploy.chm: Compiled Hypertext Markup Language (HTML) help file containing the Microsoft Windows Corporate Deployment Tools User's Guide.

Readme.txt: Text document containing late-breaking information about the deployment tools.

Ref.chm: Compiled HTML help file containing the Windows XP preinstallation reference. This is an excellent resource for understanding unattended installations.

Setupmgr.exe: Microsoft Setup Manager Wizard.

Sysprep.exe: The Sysprep tool (discussed later in this chapter).

7. Double-click Readme. Take a moment to view the topics covered in the Readme.txt file, and then close Notepad.

Using Setup Manager


You can create or modify an answer file, typically named Unattend.txt, by using Windows Setup Manager. You could create Unattend.txt files with a simple text editor such as Notepad, but using Setup Manager reduces errors in syntax. Setup Manager does the following:

Provides a wizard with an easy-to-use graphical interface with which you can create and modify answer files (Unattend.txt).

Makes it easy to create UDFs (Unattend.udb). A UDF contains the configuration settings that make each computer installation unique. The UDF modifies a standard answer file by overriding values in the answer file. When you run Setup with Winnt.exe or Winnt32.exe, you use the /udf:id[,UDB_file] switch. Entries in the UDF override values in the answer file, and the identifier (id) determines which values in the UDF are used.

Makes it easy to specify computer-specific or user-specific information.

Simplifies the inclusion of application setup scripts in the answer file.

Creates the distribution folder that you use for the installation files.

NOTE

If you are upgrading systems to Windows XP Professional, you can add any application upgrades or update packs to the distribution folder and enter the appropriate commands in the Additional Commands page of the Windows Setup Manager Wizard. These upgrades or update packs are then applied to the application as part of the upgrade.
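The /udf:id override rule from Tables 2-3 and 2-4 and the UDF description above, worked through as an added Python example (not the book's or Microsoft's code): it merges a constructed Unattend.txt with a constructed Unattend.udb for one identifier and then flags any Administrator or domain-join password left readable in the result, since the answer file sits on a distribution share every target computer can read. The section and key names it uses ([UniqueIds], [GuiUnattended] with AdminPassword and EncryptedAdminPassword, [UserData] with ComputerName, [Identification] with DomainAdminPassword) come from the Unattend.txt reference (Ref.chm), not from this page; all sample values are constructed.

```python
"""Resolve an Unattend.txt answer file against a Uniqueness Database File (UDF)
for one identifier, then audit the result for credentials left in the clear.

Added example for this chapter, not code from the book or from Microsoft's Setup
tools. It models the rule the text gives for /udf:id[,UDF_file]: entries in the
UDF override values in the answer file, and the identifier selects which UDF
entries apply. Section/key names follow the Unattend.txt reference (Ref.chm);
all sample values below are constructed.
"""
import configparser

# Constructed answer file shared by every machine in the rollout.
UNATTEND_TXT = """\
[Unattended]
UnattendMode=FullUnattended

[GuiUnattended]
AdminPassword=P@ssw0rd-in-the-clear
TimeZone=004

[UserData]
ComputerName=TEMPLATE
FullName=Contoso Build Account
OrgName=Contoso
"""

# Constructed UDF. [UniqueIds] lists, per identifier, the sections it overrides;
# each [id:Section] block holds that identifier's replacement values.
UNATTEND_UDB = """\
[UniqueIds]
RAS01=UserData,GuiUnattended
RAS02=UserData

[RAS01:UserData]
ComputerName=RAS01
FullName=Remote Office 1

[RAS01:GuiUnattended]
TimeZone=035

[RAS02:UserData]
ComputerName=RAS02
"""


def parse_ini(text):
    """Parse Setup's INI-style syntax into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Setup keys are case-insensitive; keep them as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def apply_udf(answer, udf, uid):
    """Return the effective answer file for identifier `uid`.

    Only the sections named for `uid` under [UniqueIds] are touched, and within
    them only the keys the UDF supplies; everything else keeps its answer-file value.
    """
    unique_ids = udf.get("UniqueIds", {})
    if uid not in unique_ids:
        raise KeyError(f"identifier {uid!r} is not listed in [UniqueIds]")
    effective = {section: dict(values) for section, values in answer.items()}
    for section in (s.strip() for s in unique_ids[uid].split(",") if s.strip()):
        effective.setdefault(section, {}).update(udf.get(f"{uid}:{section}", {}))
    return effective


def audit_credentials(effective):
    """Flag credentials that would sit readable on the distribution share.

    AdminPassword=* tells Setup to prompt instead of storing a password, and
    EncryptedAdminPassword=Yes marks a value Setup Manager stored encrypted;
    any other non-empty value is a plaintext password.
    """
    findings = []
    gui = effective.get("GuiUnattended", {})
    password = gui.get("AdminPassword", "")
    encrypted = gui.get("EncryptedAdminPassword", "No").lower() == "yes"
    if password and password != "*" and not encrypted:
        findings.append("GuiUnattended.AdminPassword is stored in plaintext")
    if effective.get("Identification", {}).get("DomainAdminPassword"):
        findings.append("Identification.DomainAdminPassword is stored in plaintext")
    return findings


def resolve(uid, unattend_text=UNATTEND_TXT, udf_text=UNATTEND_UDB):
    """Merge the answer file and UDF for `uid` and return (effective, findings)."""
    effective = apply_udf(parse_ini(unattend_text), parse_ini(udf_text), uid)
    return effective, audit_credentials(effective)


if __name__ == "__main__":
    for machine in ("RAS01", "RAS02"):
        eff, findings = resolve(machine)
        print(machine, eff["UserData"]["ComputerName"],
              eff["GuiUnattended"]["TimeZone"], findings or "no findings")
```

Running it shows RAS01 taking both its UserData and GuiUnattended overrides while RAS02 keeps the shared TimeZone, and both report the plaintext AdminPassword inherited from the common answer file.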


When you start Setup Manager, it displays the Welcome To The Windows Setup Manager Wizard page. When you click Next, you are presented with two options:

Create A New Answer File: Build a new unattended installation answer file based on settings you provide. This creates a new Unattend.txt file.

Modify An Existing Answer File: Edit the contents of an existing answer file.

If you select Create A New Answer File, you then must choose the type of answer file you want to create. Setup Manager can create the following types of answer files:

Windows Unattended Installation: Builds an unattended installation package consisting of an Unattend.txt file and possibly a UDF.

Sysprep Install: Builds a file that controls the mini-installation that follows the installation of Windows XP Professional from a Sysprep disk image.

Remote Installation Services (RIS): Provides a way to automate the answer file for completing an installation using Remote Installation Services (RIS) with Windows 2000 Server or Windows Server 2003 to install Windows XP Professional.
NOTE

Sysprep is discussed in more detail in the section titled Using Disk Duplication to Deploy Windows XP Professional later in this chapter. RIS is discussed later in this chapter in the section titled Understanding Remote Installation.

The remaining steps of the Windows Setup Manager Wizard allow you to specify the level of user interaction with the Setup program and to enter all the information required to complete the setup.

UPGRADING TO WINDOWS XP PROFESSIONAL


You can upgrade many earlier versions of Windows operating systems directly to Windows XP Professional. Before upgrading, however, you must ensure that the computer hardware meets the minimum Windows XP Professional hardware requirements. Check the Windows Catalog or test the computer for hardware compatibility using the Windows XP Professional Compatibility tool. Using compatible hardware prevents problems with driver incompatibility and results in a more stable system.


NOTE

Older systems might require a BIOS update to support the sophisticated power management features of Windows XP. Check with the manufacturer of your system to see if an updated BIOS is available for your system.

Identifying Client Upgrade Paths


You can upgrade most client computers running earlier versions of Windows directly to Windows XP Professional. However, computers running some earlier versions of Windows (including Windows 95, Microsoft Windows NT 3.1, and Microsoft Windows NT 3.5) require an additional step. Table 2-5 lists the Windows XP Professional upgrade paths for various client operating systems.
Table 2-5 Upgrade Paths for Client Operating Systems

| Upgrade from | Upgrade to |
|---|---|
| Windows 98 | Windows XP Professional |
| Windows Me | Windows XP Professional |
| Windows NT Workstation 4 | Windows XP Professional |
| Windows 2000 Professional | Windows XP Professional |
| Windows 95 | Windows 98 and then Windows XP Professional |
| Windows NT 3.1, 3.5, or 3.51 | Windows NT 4 Workstation and then Windows XP Professional |

Generating a Hardware Compatibility Report


Before you upgrade a client computer to Windows XP Professional, make sure that it meets the minimum hardware requirements by using the Windows XP Compatibility tool to generate a hardware and software compatibility report. This tool runs automatically during system upgrades, but running it before beginning the upgrade should identify any hardware and software problems and allow you to fix compatibility problems ahead of time. To run the Windows XP Compatibility tool and generate a compatibility report, perform the following steps:

1. Insert the Windows XP Professional CD-ROM into the CD-ROM drive.

2. At the command prompt, type d:\i386\winnt32 /checkupgradeonly.
NOTE

d:\ represents the drive letter of the CD-ROM drive. If your drive letter differs, use that letter instead.


3. Press ENTER.
NOTE

Generating the upgrade report can take several minutes. The tool checks only for compatible hardware and software and generates a report that you can analyze to determine the system components that are compatible with Windows XP Professional.

Reviewing the Report

Winnt32 /checkupgradeonly generates a report that appears as a text document, which you can view in the tool or save as a text file. The report documents the system hardware and software that are incompatible with Windows XP Professional. It also specifies whether you need to obtain an upgrade pack for software installed on the system and recommends additional system changes or modifications to maintain functionality in Windows XP Professional.

Upgrading Compatible Windows 98 Computers


For client systems that test as compatible with Windows XP Professional, run Winnt32.exe to complete the upgrade. To upgrade a Windows 98 computer, complete the following procedure:

1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive.

2. The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.
NOTE

To customize how the installation runs, exit the Welcome screen and run the Winnt32.exe Setup program (discussed earlier) with any appropriate switches.

3. Click Install Windows XP.

4. Accept the license agreement.

5. Enter your 25-character product key, which is located on the back of the Windows XP Professional CD-ROM case.

6. If the computer is to be a member of a domain, create a computer account in that domain.

7. Provide upgrade packs for applications that need them. (Upgrade packs update the software to work with Windows XP Professional; they are available from the software vendor and would be identified as a result of the compatibility check.)

50

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

8. Upgrade to NTFS when prompted. Select the upgrade if you do not plan to set up the client computer to dual boot.
9. Continue with the upgrade if the Windows XP Professional Compatibility tool generates a report showing that the computer is compatible with Windows XP Professional. The upgrade finishes without further intervention and adds your computer to a domain or workgroup.
IMPORTANT

After the installation, be sure to apply any currently available system updates. See the section titled Applying System Updates later in this chapter.

Upgrading a Windows 2000 Professional Computer


The upgrade process for computers running Windows 2000 Professional is similar to the upgrade process for computers running Windows 98, except that the computers should already be members of a domain. Before you perform the upgrade, use the Windows XP Professional Compatibility tool to verify that the system is compatible with Windows XP Professional and to identify any potential problems. Windows 2000 Professional computers that meet the hardware compatibility requirements can upgrade directly to Windows XP Professional. To start the upgrade process, complete the following procedure:

1. Insert the Windows XP Professional CD-ROM in the CD-ROM drive. The Autorun program on the Windows XP Professional CD-ROM displays the Welcome To Microsoft Windows XP screen.
NOTE

If you do not want to use any switches with Winnt32.exe, click Install Windows XP and follow the prompts on your screen. These steps are the same as for Windows 98, skipping the computer account creation.

2. Click Exit to close the Welcome To Microsoft Windows XP screen.
3. Click Start, and then click Run.
4. Type d:\i386\winnt32 /switch (where d is the drive letter for your CD-ROM and /switch represents one or more switches that you want to use with the Winnt32 command), and then press ENTER. The Welcome To Windows page appears.
5. In the Installation Type drop-down list, select Upgrade, and then click Next. The License Agreement page is displayed.


6. Read the license agreement, click I Accept This Agreement, and then click Next. Setup displays the Product Key page.
7. Enter your 25-character product key, which is located on the back of the Windows XP Professional CD-ROM case.
8. After copying installation files, the Restarting The Computer page appears and the computer restarts. The upgrade finishes without further intervention.
IMPORTANT

After the installation, be sure to apply any currently available system updates. See the section titled Applying System Updates later in this chapter.

Migrating User Settings


Windows XP Professional provides the Files And Settings Transfer Wizard to simplify the task of moving data files and personal settings from your old computer to your new one. You don't have to configure all of your personal settings on your new computer because you can move your old settings (including display settings, Microsoft Internet Explorer and Microsoft Outlook Express options, dial-up connections, and your folder and taskbar options) to your new computer. The wizard also helps you move specific files and folders to your new computer. The Files And Settings Transfer Wizard has three options for transferring files and/or settings. They are listed in Table 2-6.
Table 2-6 Files And Settings Wizard Transfer Options

Settings Only (settings that will be transferred): Accessibility, Command Prompt Settings, Display Properties, Internet Explorer Settings, Microsoft Messenger, Microsoft NetMeeting, Mouse And Keyboard, MSN Explorer, Network Printer And Drives, Outlook Express, Regional Settings, Sounds And Multimedia, Taskbar Options, Windows Media Player, Windows Movie Maker.

Files Only (folders and files that will be transferred): Folders: Desktop, Fonts, My Documents, My Pictures, Shared Desktop, Shared Documents. Files: media and document files with the following extensions will be migrated: .asf (Windows Media Audio/Video file), .asx (Windows Media Audio/Video shortcut), .au (AU format sound), .avi (video clip), .cov (fax cover page file), .cpe (fax cover page file), .doc (WordPad document), .eml (Internet e-mail message), .m3u (M3U file), .mid (MIDI sequence), .midi (MIDI sequence), .mp2 (Movie File MPEG), .mp3 (MP3 Format Sound), .mpa (Movie File MPEG), .mpeg (Movie File MPEG), .mswmm (Windows Movie Maker Project), .nws (Internet News Message), .rtf (Rich Text Format), .snd (AU Sound Format), .wav (Wave Sound), .wm (Windows Media Audio/Video file), .wma (Windows Media Audio file), .wri (Write document).

Both Files And Settings: Both the settings listed for Settings Only and the folders and files listed for Files Only.

You can select the Let Me Select A Custom List Of Files And Settings When I Click Next check box if you don't want all the default folders, file types, and settings to be transferred.


UNDERSTANDING REMOTE INSTALLATION


Remote installation is the process of connecting to a server running Remote Installation Services (RIS), called the RIS server, and starting an automated installation of Windows XP Professional on a local computer. Remote installation enables administrators to install Windows XP Professional on client computers throughout a network from a central location. This reduces the time spent by administrators visiting all the computers in a network, thereby reducing the cost of deploying Windows XP Professional. RIS provides several benefits:

- It enables remote installation of Windows XP Professional. An installation image is placed on the RIS server and is provided to clients that connect to the server using the Preboot Execution Environment (PXE) boot process supported by certain network adapters. The server is able to recognize clients by their globally unique identifier (GUID), which is unique to each computer, can be preset for certain configurations in the Active Directory, and can be configured to provide additional configuration information (such as computer name) to the client during the installation process. Clients that are not PXE-compatible can be started with boot disks that include the necessary programs and settings to locate the server and begin the installation.
- It simplifies system image management. This is accomplished by eliminating hardware-specific images and by detecting Plug and Play hardware during setup. After the installation of the client, it performs a full Plug and Play analysis of its hardware, installing the appropriate drivers.
- It supports recovery of the operating system and computer in the event of computer failure. A failed client can boot from the RIS server again and restore the exact installation image it received the first time.
- It reduces total cost of ownership (TCO). It accomplishes this by allowing either users or technical staff to install the operating system on individual computers. The PXE boot process and subsequent installation of Windows XP Professional is scripted and requires no direct intervention.


Installing and Configuring RIS


Before beginning a rollout of Windows XP Professional using RIS, you should become familiar with the prerequisites for the service and you must install the service using the Remote Installation Services Setup Wizard.

Examining the Prerequisites

The ability to act as a RIS server is available only on computers running Windows 2000 Server or Windows Server 2003. The RIS server can be a domain controller or a member server. Table 2-7 lists the network services required for RIS and their RIS function. These network services do not have to be installed on the same computer as RIS, but they must be available somewhere on the network.
Table 2-7 Network Services Requirements for RIS

DNS service: RIS relies on the DNS server for locating the directory service (for the purpose of looking up client computer accounts).

DHCP service: Client computers that can perform a network boot receive an IP address from the DHCP server.

Active Directory: RIS relies on the Active Directory service in Windows XP Professional for locating existing client computers as well as existing RIS servers.

Remote installation requires that RIS (included on the Windows 2000 Server or Windows Server 2003 CD-ROM) be installed on a volume that is shared over the network. This shared volume must meet the following criteria:

- It cannot be on the same drive that is running Windows Server. RIS installs its installation images in a Single Instance Store (SIS) on an NTFS partition. This formatting is not compatible with other types of storage and therefore cannot be used on a partition containing any other data.
- It must be large enough to hold the RIS software and the various Windows XP Professional images. The space required by several different installation images can be considerable. Some care must be taken to ensure sufficient disk space for all the images that are planned for deployment.
- It must be formatted with the Windows NTFS file system version 5 or later. Only NTFS version 5 or later supports SIS data structures.


Using the Remote Installation Services Setup Wizard

When your network meets the prerequisites for RIS, you can run the Remote Installation Services Setup Wizard, which does the following:

- Installs the RIS software
- Creates the remote installation folder and copies the Windows XP Professional installation files to the server
- Adds .sif files, which are a variation of an Unattend.txt file
- Configures the Client Installation Wizard screens that appear during a remote installation
- Updates the registry
- Creates the SIS volume
- Starts the required RIS services
MORE INFO Managing RIS on a server is beyond the scope of this course. More information on installing and managing RIS is available in the Microsoft Windows Server 2003 Resource Kit (ISBN 0-7356-1471-7) from Microsoft Learning.

Client Requirements for Remote Installation


Client computers that support remote installation must have one of the following configurations:

- A configuration meeting the Net PC or PC98 specification. These configurations are specified by Intel and Microsoft for their Wired for Management initiative and are designed to simplify the installation and management of business desktop computers.
- A network adapter card with a PXE boot ROM. This is the configuration that allows the computer to start without an operating system by retrieving a basic operating system from the RIS server. The computer's motherboard and BIOS must also support starting from the PXE boot ROM.
- A supported network adapter card and a remote installation boot disk. As a last resort, you can create a boot disk for certain supported network adapters that will locate the RIS server and begin the installation. These disks are created by the Remote Boot Disk Generator (covered later in this chapter).


Net PCs

The Net PC is a highly manageable platform with the ability to perform a network boot, manage upgrades, and prevent users from changing the hardware or operating system configuration. Additional requirements for the Net PC are as follows:

- The network adapter must be set as the primary boot device within the system BIOS.
- The user account that will be used to perform the installation must be assigned the user right Log On As A Batch Job. See Chapter 13 for more information on assigning user rights.
- Users must be assigned permission to create computer accounts in the domain they are joining.
NOTE

Even the Administrator group does not have the right to log on to a batch job by default; it must be assigned this right before attempting a remote installation. Best practices for security dictate that you set up an installation user account to manage installations. This prevents the need to give regular user accounts privileges that they do not require for daily use. These user account requirements apply to any RIS installation, including those using the non-Net PC and boot disk installation methods detailed in the next section.

Computers That Do Not Meet the Net PC Specification

Computers that do not directly meet the Net PC specification can still interact with the RIS server. To enable remote installation on a computer that does not meet the Net PC specification, perform the following steps:

1. Install a network adapter card with a PXE boot ROM.
2. Set the motherboard's BIOS to start from the PXE boot ROM.

Creating Boot Floppies


If the network adapter card in a client is not equipped with a PXE boot ROM or the BIOS does not allow starting from the network adapter card, create a remote installation boot disk. The boot disk simulates the PXE boot process. Windows 2000 and Windows Server 2003 ship with the Remote Boot Disk Generator (Figure 2-8), which allows you to create a boot disk easily.


Figure 2-8 Windows Server Remote Boot Disk Generator



Run Rbfg.exe to start the Windows 2000 Remote Boot Disk Generator. The Rbfg.exe file is located in the \RemoteInstall\Admin\i386 folder on the RIS server. These boot floppies support only the Peripheral Component Interconnect (PCI)-based network adapters listed in the Adapter List. To see the list of the supported network adapters, select Adapter List, as shown earlier in Figure 2-8.

Installing Windows XP Using RIS


RIS pre-setup is accomplished in advance by a network administrator and might include a standard operating system (OS) image or a specific system image created using the Riprep.exe utility included with RIS to copy the configuration of a fully customized system. The steps at the client level include:

- PXE boot. The target system is booted using the PXE boot features of the system BIOS or by using the remote boot disks generated with Rbfg.exe.
- System installation. RIS automatically installs the operating system according to the setup requirements stored in the RIS server for the client system. Two options are available:
  - Risetup: Installs the client as an unattended installation using an answer file created using Setup Manager
  - Riprep: Installs a system image created using the Riprep.exe utility


USING DISK DUPLICATION TO DEPLOY WINDOWS XP PROFESSIONAL


When you install Windows XP Professional on several computers with identical hardware configurations, the most efficient installation method to use is disk duplication. By creating a disk image of a Windows XP Professional installation and copying that image onto multiple destination computers, you save time in the rollout of Windows XP Professional. This method also creates a convenient baseline that you can easily recopy onto a computer that is experiencing significant problems. One tool you will use for disk duplication is the System Preparation tool (Sysprep.exe). This utility is part of the deployment tools that ship with Windows XP Professional. Knowing how to use the System Preparation tool can help you prepare master disk images for efficient mass installations. A number of third-party disk-imaging tools are available for copying the image to other computers. In this section, you will learn how to use the System Preparation tool to prepare the master image. To install Windows XP Professional using disk duplication, you first need to install and configure Windows XP Professional on a test computer. You must then install and configure any applications and application update packs on the test computer. Finally, you use the System Preparation tool to prepare the master image for copying.

Using the System Preparation Tool to Prepare the Master Image


The System Preparation tool (Sysprep) was developed to eliminate problems encountered in disk copying. To support unique permission structures and computer identification in Active Directory, every computer in a domain network must have a unique security identifier (SID). If you were to copy an existing disk image to other computers, all of those computers would have the same SID. To prevent this problem, Sysprep adds a system service to the master image that creates a unique local domain SID the first time the computer to which the master image is copied is started. Sysprep also allows you to add a Mini-Setup Wizard to the master copy. This wizard runs the first time the computer to which the master image is copied is started. The wizard guides the user through entering the user-specific information such as the following:


- End-user license agreement
- Product ID
- Regional settings
- User name
- Company name
- Network configuration
- Whether the computer is joining a workgroup or domain
- Time zone selection
NOTE

The Mini-Setup Wizard can be scripted using Windows Setup Manager (discussed earlier) so this user-specific information can be entered automatically.

The hard drive controller device driver and the hardware abstraction layer (HAL) on the computer on which the disk image was generated and on the computer to which the disk image was copied must be identical. The other peripherals, such as the network adapter, the video adapter, and sound cards on the computer on which the disk image was copied, need not be identical to the ones on the computer on which the image was generated.
NOTE

Any other variations between systems, beyond which disk controller driver and HAL to use, will be discovered and configured during the Plug and Play phase of the installation.

Sysprep can also be customized. Table 2-8 describes some of the switches you can use to customize Sysprep.exe.

Table 2-8 Switches for Sysprep.exe

/quiet: Runs with no user interaction because it does not show the user confirmation dialog boxes.

/nosidgen: Does not regenerate the SID on reboot. Use this when you want to run Sysprep without removing the original SID (useful when packaging a system with a mini-setup to allow customization by an end user but retaining the existing SID for security settings already in place on the domain).

/pnp: Forces Setup to detect Plug and Play devices on the destination computers on the next reboot.

/reboot: Restarts the source computer after Sysprep.exe has completed.

/noreboot: Shuts down without a reboot.

/forceshutdown: Forces a shutdown instead of powering off.

NOTE

For a complete list of the switches for Sysprep.exe, start a command prompt, change to the Deploy folder or the folder where you installed Sysprep.exe, type sysprep.exe /?, and press ENTER.

Installing Windows XP Professional from a Master Disk Image


After running Sysprep on your test computer, you are ready to run a third-party disk image copying tool to create a master disk image. Save the new disk image on a shared folder or CD-ROM, and then copy this image to the multiple destination computers. End users can then start the destination computers. The Mini-Setup Wizard prompts the user for computer-specific variables, such as the administrator password for the computer and the computer name. If a Sysprep.inf file was provided, the Mini-Setup Wizard is bypassed and the system loads Windows XP Professional without user intervention.

APPLYING SYSTEM UPDATES


The first step to be accomplished after initial installation of Windows XP is the application of system updates and patches. The vast majority of these updates and patches relate to security vulnerabilities discovered in the system or its associated applications. Systems connected to the Internet without first being patched can be penetrated and infected or controlled by malicious users and applications within minutes. Make sure these updates are applied before you connect the system to any public network. System updates are supplied in two ways: updates and service packs.


Windows Updates
Updates to the operating system and its associated applications are made available to Microsoft customers for free via the Windows Update service. This is a browser-based scanning and delivery system designed to scan a system for uninstalled updates and make them available for download. Figure 2-9 shows the Windows Update Welcome screen.

Figure 2-9 Windows Update Web site



Users can connect to Windows Update in one of three ways:

- From the Start menu, choose All Programs, and then click Windows Update from near the top of the list of available applications.
- In Internet Explorer, choose Windows Update from the Tools menu.
- Navigate to www.windowsupdate.com or windowsupdate.microsoft.com.
NOTE

Windows Update undergoes continuous improvements and might appear different from the screens depicted in this book. The basic design and functionality remain unchanged.

Using Windows Update

When you connect to Windows Update, an ActiveX control is loaded by Internet Explorer. This control scans the system and reports on the available patches. Users can then choose which patches to install. Figure 2-10 shows an Optional Software Update selected for installation.


Figure 2-10 Windows Update with an Optional Software Update selected for installation

Patches come in three types:

- High Priority Updates: Security updates and patches for critical system components
- Optional Software Updates: Recommended updates for Windows and associated applications
- Optional Hardware Updates: Updated drivers for hardware detected by the system
IMPORTANT

Installing updates from Windows Update requires the user to have permission to install software on the local machine. This typically requires the user to be a member of the Administrators or Power Users local security group.

After scanning the computer, Windows Update displays the available updates. Critical fixes are preselected for installation and should be installed first. The Windows Update application manages the download and application of the fixes and might ask to restart the computer when the application is complete. Figure 2-11 shows a download in progress.


Figure 2-11 Windows Update download in progress



Following any restart, you can return to the Windows Update site and scan for Windows XP or Driver Updates. These are not as critical and can be installed at your leisure. They usually offer enhanced functionality or stability.

Service Packs
Service packs are available from Windows Update or via CD-ROM from Microsoft's Web site. Installing a service pack is akin to installing a cumulative collection of all updates and patches released for the operating system to date. Service packs should be installed at your earliest convenience. Their effect on your systems and applications should be tested on a representative computer and, when found to be safe, rolled out to the rest of your computers.
NOTE

Subscribers to Microsoft's TechNet CD-ROM or DVD-ROM subscription service receive these disks as part of their subscription.

Applying a Service Pack from Download or CD-ROM

Applying a service pack takes some time. Plan for at least an hour. If you are downloading it, you will have an express installation option. This downloads only the parts needed to update your system.

1. After identifying an available service pack, either download it or obtain the CD-ROM.


2. Execute the downloaded service pack file to run the extraction and installation program.
NOTE

CD-ROM versions have an Autorun program that guides you through the service pack installation.

3. Choose whether to create an uninstallation folder. If you have a concern about the stability of the service pack, you can choose to retain the ability to uninstall it.
4. The service pack will install and restart the computer.

Installing a Service Pack from Windows Update

Downloading a service pack from Windows Update works in much the same way as installing a Windows Update patch. Much of the procedure is automated, as with Windows fixes. The downloaded file launches the Service Pack Installation Wizard, which queries the system. It then downloads the files required to update the system.
NOTE

Microsoft made a change to service pack distribution with Windows XP Service Pack 2, allowing the entire service pack to be downloaded via Automatic Updates and applied after the download is complete.

Automatic Updates
Automatic Updates are configured in the System Properties dialog box. From the Start menu, right-click on My Computer and select Properties. Select the Automatic Updates tab to display the Configuration dialog box (Figure 2-12).

Figure 2-12 Configuring automatic updates in Windows XP




NOTE

If your Automatic Updates settings appear different, you most likely do not have Windows XP Service Pack 2 (SP2) installed. This update includes several improvements to Automatic Updates and other security-related technologies. Installing SP2 at your earliest opportunity will help protect your computer and make this material more understandable.

1. After locating System Properties, locate and select the Automatic Updates tab. Note that Automatic Updates should already be activated. (This is new with SP2.)
2. Select from the options displayed in Table 2-9.
Table 2-9 Automatic Update Options

Automatic (recommended): This setting uses the Background Intelligent Transfer Service (BITS) to download the updates using your unused Internet bandwidth. You will be notified when they are available. If you choose not to install them at that time, they will be applied at the time you specify in the dialog box.

Download updates for me, but let me choose when to install them: This setting downloads the updates using BITS. When they are downloaded, you will receive a notification bubble telling you they are ready. You can install, defer, or reject them at that time.

Notify me but don't automatically download or install them: This setting causes Automatic Updates to notify you only of the existence of updates. When you choose to install them, they will be downloaded and installed in the foreground.

Turn off Automatic Updates: Disables Automatic Updates.

SLIPSTREAMING SERVICE PACKS AND UPDATES


Organizations that use a network installation process for Windows XP can apply updates and service packs to their network installation point to reduce the amount of time it takes to update clients after they are installed. This is accomplished through a process called slipstreaming.

Slipstreaming Service Packs


Service packs can be slipstreamed into an installation point. This is accomplished in two steps. First the service pack is extracted to a temporary folder, and then the Update.exe program within the service pack folder is run to update the installation point. After downloading the service pack, execute it with the /x command-line switch.
C:\> WindowsXP-KB835935-SP2-ENU.exe /x:c:\<temporary folder>

After the files are extracted, use the update.exe command with the /s switch. (c:\i386 is the folder containing the Windows XP installation files.) This updates the installation files.
C:\<temporary folder>\update\update.exe /s:c:\i386

Slipstreaming Windows Updates


Many Windows updates can be slipstreamed into an installation point using a command-line switch. The /integrate switch causes the update to integrate with the installation point. (c:\i386 is the folder containing the Windows XP installation files.)
KB123456.EXE /integrate:C:\i386

MORE INFO For more information on slipstreaming updates, see Microsoft Knowledge Base article 828930, How to Integrate Software Updates into Your Windows Installation Source Files.
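The two slipstreaming steps above and the /integrate step for individual updates can be chained in one batch file that checks each step's exit code before moving on, so an installation point is never left half-patched. This is an added example, not a script from the book or from Microsoft; the argument layout, the temporary folder C:\SPEXTRACT and the use of WINNT32.EXE as the marker of a valid i386 folder are assumptions.

```batch
@echo off
rem slipstream.cmd: patch a Windows XP installation point in one pass.
rem Added example, not a script from the book or from Microsoft. Assumed arguments:
rem   %1  installation point, the i386 folder (for example C:\i386)
rem   %2  service pack package (for example WindowsXP-KB835935-SP2-ENU.exe)
rem   %3  optional folder holding KB*.exe update packages to integrate afterwards
rem The temporary folder C:\SPEXTRACT and the WINNT32.EXE check are assumptions.
setlocal
if "%~2"=="" goto usage
set INSTALLPOINT=%~1
set SPFILE=%~2
set HOTFIXDIR=%~3
set TEMPDIR=C:\SPEXTRACT

rem Sanity checks: the i386 folder holds WINNT32.EXE (the Setup program the
rem upgrade procedures run from it), and the service pack package must exist.
if not exist "%INSTALLPOINT%\WINNT32.EXE" (
    echo Error: "%INSTALLPOINT%" does not contain WINNT32.EXE. Is it the i386 folder?
    exit /b 1
)
if not exist "%SPFILE%" (
    echo Error: service pack package "%SPFILE%" not found.
    exit /b 1
)

rem Step 1: extract the service pack into the temporary folder with /x:.
if exist "%TEMPDIR%" rmdir /s /q "%TEMPDIR%"
mkdir "%TEMPDIR%"
"%SPFILE%" /x:%TEMPDIR%
if errorlevel 1 (
    echo Error: extraction failed with exit code %ERRORLEVEL%.
    exit /b 1
)

rem Step 2: run the extracted Update.exe with /s: to update the installation point.
"%TEMPDIR%\update\update.exe" /s:%INSTALLPOINT%
if errorlevel 1 (
    echo Error: service pack integration failed with exit code %ERRORLEVEL%.
    exit /b 1
)
echo Service pack integrated into %INSTALLPOINT%.

rem Step 3 (optional): integrate each update package with /integrate:.
rem Not every package supports /integrate, so a failure here is reported, not fatal.
if "%HOTFIXDIR%"=="" goto done
pushd "%HOTFIXDIR%" 2>nul || (
    echo Warning: update folder "%HOTFIXDIR%" not found; skipping step 3.
    goto done
)
for %%F in (*.exe) do (
    echo Integrating %%F ...
    "%%~fF" /integrate:%INSTALLPOINT%
    if errorlevel 1 echo Warning: %%F returned a nonzero exit code; integrate it by hand.
)
popd
goto done

:usage
echo Usage: %~nx0 ^<installation point^> ^<service pack exe^> [update folder]
exit /b 1

:done
rem Remove the extracted service pack; the installation point now carries it.
rmdir /s /q "%TEMPDIR%"
echo Done. Test an installation from %INSTALLPOINT% before deploying it.
endlocal
exit /b 0
```

The paths after /x:, /s: and /integrate: are passed unquoted, in the form the commands above show, so keep the installation point and temporary folder free of spaces.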

USING WINDOWS PRODUCT ACTIVATION


Microsoft Windows Product Activation is an anti-piracy technology designed to prevent copying and hard-disk loading of Windows XP. It applies to all retail versions of Windows XP. OEM and volume-licensed versions of Windows XP are either preactivated (OEM) or do not require activation (volume).

How Windows Product Activation Works


Users must activate Windows XP with their unique product keys within the defined grace period. For the retail version, this is 30 days from the time the system is installed. After expiration, Windows does not allow interactive logons until the system is activated. The activation program, however, still functions so that the activation can be performed. After activation, the system is returned to interactive status. During activation, Windows XP scans the system's hardware and uses the results of the scan to create a hash value. This scan is repeated during each system startup after activation. Each hardware component that is replaced changes the hash, some (motherboards, for example) more than others (mice). If excessive changes are made to the hardware configuration of the computer, the hash value falls outside the allowable limits and Windows Product Activation requires you to reactivate your system. This prevents people from making copies of a Windows XP installation and giving or selling them to others for use with different system hardware.

Activating Windows XP
Windows XP can be activated in two ways. It can be activated online over the Internet, and it can be activated via telephone. Both methods use the same application. Telephone activation is provided as a fallback for online activation or when the user prefers for privacy reasons to conduct the activation offline. The Windows Product Activation Wizard launches when you click on the activation reminder balloon that pops up every few days or when you click Activate Windows at the top of All Programs on the Start menu.

Online Activation

Within 30 days of installation, you can activate Windows XP using the Internet. Windows XP combines your product key with an arithmetic hash created from the results of a hardware scan to create an Installation ID. This is sent to Microsoft, and Windows XP is activated.

Telephone Activation

If you cannot access the Internet or do not wish to transmit the product information over the Internet, you can use telephone activation. Windows XP provides you with a telephone number to dial and shows the Installation ID on the screen. After providing the Installation ID to the Microsoft activation line, you receive a confirmation ID. Key this into the Activation dialog box, and click Next. Windows XP is activated.

Automating Windows Product Activation


Most mass installations of Windows XP use volume or OEM licensing and do not require activation. However, for retail versions, activation can be automated as a step in the unattended installation answer file. The unattended installation file can cause the system to launch the Activation Wizard and perform an online activation. Settings for an Internet proxy can be configured into this file as well.


TROUBLESHOOTING WINDOWS XP PROFESSIONAL SETUP


Your installation of Windows XP Professional should complete without any problems. However, this section covers some common issues you might encounter during installation.

Resolving Common Problems


Table 2-10 lists some common installation problems and offers solutions.

Table 2-10 Troubleshooting Tips

Problem: CD-ROM drive is not supported
Solution: Replace the CD-ROM drive with a supported drive. If replacement is impossible, try another installation method, such as installing over the network. After you complete the installation, add the adapter card driver for the CD-ROM drive, if it is available.

Problem: Insufficient disk space
Solution: Do one of the following:
- Use the Setup program to create a partition by using existing free space on the hard disk.
- Delete and create partitions as needed to create a partition that is large enough for installation.
- Reformat an existing partition to create more space, or install a larger hard drive.

Problem: Dependency service fails to start
Solution: In the Windows XP Professional Setup Wizard, return to the Network Settings dialog box and verify that you installed the correct protocol and network adapter. Verify that the network adapter has the proper configuration settings, such as transceiver type, and that the local computer name is unique on the network.

CHAPTER 2:

INSTALLING WINDOWS XP PROFESSIONAL

69

Table 2-10

Troubleshooting Tips Solution

Problem

Setup cannot connect to the domain controller

Do the following: Verify that the domain name is correct.

Verify that the server running the DNS service and the domain controller are both running and online. If you cannot locate a domain controller, install Windows XP Professional into a workgroup and then join the domain after installation. Verify that the network adapter card and protocol settings are set correctly. Verify that there is a computer account on the domain. If you are reinstalling Windows XP Professional and are using the same computer name, delete the computer account and re-create it.

Windows XP Professional fails to install or start

Make sure you are using an account with rights to add computer accounts to the domain. Verify the following: Windows XP Professional is detecting all of the hardware. All of the hardware is in the Windows Catalog. If upgrading, try running Winnt32 /checkupgradeonly to verify that the hardware is compatible with Windows XP Professional. Test the CD-ROM on another computer. If you can copy the files using a different CD-ROM drive on a different computer, use the CD-ROM to copy the files to a network share or to the hard drive of the computer on which you want to install Windows XP Professional.

Computer is unable to copy files from the CD-ROM (media errors occur)

Setup Logs
During Setup, Windows XP Professional generates a number of log files containing installation information that can help you resolve any problems that occur after setup is completed. The action log and the error log are especially useful for troubleshooting.


Action Log The action log records in chronological order the actions that the Setup program performs, such as copying files and creating registry entries. It also contains the entries that are written to the Setup error log. The action log is stored in Setupact.log in the %Windir% folder (usually C:\Windows).

Error Log The error log describes errors that occur during setup and their severity. If errors occur, the log viewer displays the error log at the end of setup. The error log is stored in Setuperr.log in the %Windir% folder (usually C:\Windows).

Additional Logs Setup creates a number of additional logs, including the following:

- %Windir%\comsetup.log Outlines installation for Optional Component Manager and COM+ components.
- %Windir%\setupapi.log Receives an entry each time a line from an .inf file is implemented. If an error occurs, this log describes the failure.
- %Windir%\debug\NetSetup.log Logs activity when computers join domains or workgroups.
- %Windir%\repair\setup.log Provides information that is used by the Recovery Console. (In Windows NT 4, this file is used by the Emergency Repair Process.) For more information about the Recovery Console, see Chapter 15.
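The following script is an added example for this section; it is not part of the textbook and not a Microsoft tool. It scans a setupapi.log for warning and error entries so that a failed .inf or device install can be located without reading the whole file. The line shape it assumes (a `#I`, `#W`, `#E` or `#-` tag followed by a numeric code, grouped under bracketed timestamp headers) follows the way Windows XP writes that log, but the sample lines, codes and hardware IDs in `SAMPLE_LOG` are constructed for the example and should be treated as illustrative.

```python
"""
Added example (not from the textbook): scan a Windows XP setupapi.log-style
log for warning and error entries so a failed device or .inf install can be
found without reading the whole file.

Assumption (labelled): each tagged line starts with "#I" (information),
"#W" (warning), "#E" (error) or "#-" (command/status), then a numeric code
and free text; section headers start with "[" and carry a timestamp.
The sample lines below are constructed, not copied from a real machine.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the setupapi.log line shape described above.
SAMPLE_LOG = """\
[2004/03/15 10:32:11 1184.3]
#-198 Command line processed: C:\\WINDOWS\\system32\\rundll32.exe newdev.dll,ClientSideInstall
#I022 Found "PCI\\VEN_8086&DEV_1039" in C:\\WINDOWS\\inf\\net8255x.inf; Device: "Intel PRO/100 VE"
#I023 Actual install section: [E100B.ndi]. Rank: 0x00000001.
#-166 Device install function: DIF_INSTALLDEVICE.
#W100 Query-removal during install of "PCI\\VEN_8086&DEV_1039" was vetoed by "STORAGE\\Volume".
#-336 Copying file "C:\\WINDOWS\\system32\\drivers\\e100b325.sys".
#E154 Class installer failed. Error 0xe000020b: The driver package could not be installed.
#E154 Class installer failed. Error 0xe000020b: The driver package could not be installed.
#I123 Doing full install of "USB\\VID_0781&PID_5150".
"""

LINE_RE = re.compile(r"^#(?P<kind>[IWE-])(?P<code>\d+)\s+(?P<text>.*)$")
ERROR_CODE_RE = re.compile(r"Error\s+(0x[0-9a-fA-F]+)")


def parse_setupapi(log_text: str) -> List[Dict[str, str]]:
    """Return one record per tagged line, carrying the current section timestamp."""
    section = ""
    records = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if line.startswith("["):
            section = line.strip("[]")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # untagged continuation lines are ignored
        records.append({"section": section, "kind": m.group("kind"),
                        "code": m.group("code"), "text": m.group("text")})
    return records


def find_problems(log_text: str) -> List[Dict[str, str]]:
    """Return warnings (#W) and errors (#E), deduplicated, with any hex error code split out."""
    seen = set()
    problems = []
    for rec in parse_setupapi(log_text):
        if rec["kind"] not in ("W", "E"):
            continue
        key = (rec["kind"], rec["code"], rec["text"])
        if key in seen:  # setupapi.log often repeats the same failure
            continue
        seen.add(key)
        hexmatch = ERROR_CODE_RE.search(rec["text"])
        rec["hresult"] = hexmatch.group(1).lower() if hexmatch else ""
        problems.append(rec)
    return problems


def devices_mentioned(log_text: str) -> List[str]:
    """Hardware IDs (PCI\\..., USB\\..., STORAGE\\...) quoted in the log, in first-seen order."""
    ids: List[str] = []
    for rec in parse_setupapi(log_text):
        for dev in re.findall(r'"((?:PCI|USB|STORAGE)\\[^"]+)"', rec["text"]):
            if dev not in ids:
                ids.append(dev)
    return ids


if __name__ == "__main__":
    for p in find_problems(SAMPLE_LOG):
        print(f"[{p['section']}] #{p['kind']}{p['code']} {p['hresult']} {p['text']}")
    print("devices:", devices_mentioned(SAMPLE_LOG))
```

On a real machine, read `%Windir%\setupapi.log` into `find_problems` and start from the last `#E` entry; the section header above it tells you when the failing install ran.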


SUMMARY

- Preinstallation tasks include verifying hardware requirements and compatibility, determining file system type and partition size, and deciding on domain or workgroup membership.
- The Windows Catalog lists all systems and hardware that have been certified to be compatible with Windows XP.
- Methods to set up Windows XP include CD-ROM, network-based, Remote Installation Services (RIS), and installation from disk images. Disk image installations are accomplished with the help of the Sysprep utility, which prepares a system for imaging.
- Installation via CD-ROM and RIS can be automated to reduce administration costs. This automation is accomplished through the use of answer files and Uniqueness Database Files (UDFs) that control the installation process. Most configuration settings can be reconfigured after setup is completed.
- Several switches for Winnt.exe and Winnt32.exe allow you to modify the installation process. Some of these control unattended setup or the inclusion of additional folders to be copied to the system during the installation.
- Before you upgrade a client computer to Windows XP Professional, you should ensure that it meets the minimum hardware requirements.
- User settings and files can be migrated to a new system by using the Files And Settings Transfer Wizard. This tool copies files and settings into a file for transport to a new system.
- Updates to Windows XP can be installed manually via Windows Update, slipstreamed into a network installation point, or installed by Automatic Updates.
- Use setup logs to determine the cause of installation failures.


PART 1:

PART TITLE [BOOK TITLE IF NO PARTS]

REVIEW QUESTIONS
1. List the client requirements for using Remote Installation Services (RIS), and explain why they are important.

2. Which of the following statements about file systems are correct? (Choose all that apply.)
   a. File- and folder-level security are available only with NTFS.
   b. Disk compression is available with FAT, FAT32, and NTFS.
   c. Dual-booting between Windows 98 and Windows XP Professional is available only with NTFS.
   d. Encryption is available only with NTFS.

3. Which of the following statements about joining a workgroup or a domain are correct? (Choose all that apply.)
   a. You can add your computer to a workgroup or a domain only during installation.
   b. If you add your computer to a workgroup during installation, you can join the computer to a domain later.
   c. If you add your computer to a domain during installation, you can join the computer to a workgroup later.
   d. You cannot add your computer to a workgroup or a domain during installation.

4. Which of the following configurations can you change after installing Windows XP Professional? (Choose all that apply.)
   a. Language
   b. Locale
   c. Keyboard settings
   d. All of the above


5. Describe how the /unattend and /UDF command-line switches for Winnt32.exe work together to automate an installation.

6. Which of the following operating systems can be upgraded directly to Windows XP Professional? (Choose all that apply.)
   a. Windows NT Workstation 4
   b. Windows NT 3.51
   c. Windows 2000 Professional
   d. Windows NT Server 4

7. Automatic Updates are used to apply which of the following types of updates?
   a. Optional Hardware Updates
   b. Optional Software Updates
   c. High Priority Updates
   d. Application Updates

8. If you encounter an error during setup, which of the following log files should you check, and why? (Choose all that apply.)
   a. Setuperr.log
   b. W3svc.log
   c. Setup.log
   d. Setupact.log


CASE SCENARIOS
Scenario 2-1: Dual-Booting
You are planning to dual-boot a computer with Windows 2000 Professional and Windows XP Professional. You have determined that there is plenty of disk space for a partition for each operating system. You are running the setup program and deciding which file system to use to format the partitions. Answer the following questions regarding this dual-boot setup:

1. Which of the following file systems can you use for the system partition of this computer?
   a. CDFS
   b. NTFS
   c. FAT32
   d. UFS

2. Which file system is the best choice for a secure installation?
   a. CDFS
   b. NTFS
   c. FAT32
   d. UFS

Scenario 2-2: Automatic Updates


You are setting up Automatic Updates for a computer that will run unattended for long periods of time. You are concerned that no users will be around to manually install updates. Which of the available options for applying automatic updates is the best choice for this scenario, and how can you manage the application of service packs to this system?

CHAPTER 3

MANAGING DISKS AND FILE SYSTEMS


Upon completion of this chapter, you will be able to:
- Monitor and configure disks
- Monitor, configure, and troubleshoot volumes
- Monitor and configure removable media such as tape devices
- Install, configure, and manage DVD and CD-ROM devices
- Configure NTFS, FAT, and FAT32 file systems
- Convert from one file system to another
- Use disk optimization utilities: Disk Defragmenter, Chkdsk, and Disk Cleanup

This chapter deals with management and operation of storage technologies in Microsoft Windows XP. You will learn about installation and management of disks and removable media devices such as CD-ROMs, DVD-ROMs, and tape drives. We will explore management of basic and dynamic disks, volume management, and configuration and management of file systems. You will also use Disk Management to manage partitions and volumes on hard disks, mount volumes to NTFS folders, and manage remote systems. This chapter also shows you other disk management tools such as Disk Defragmenter and Chkdsk. You will learn how to use Disk Cleanup to reclaim disk space and learn best practices for disk management and optimization of storage.


UNDERSTANDING DISK MANAGEMENT


Whether you are setting up unused free space on a hard disk on which you installed Windows XP Professional or configuring a new hard disk, you must perform certain tasks. Before you can store data on a new hard disk, you must perform the following tasks to prepare the disk:

- Initialize the disk with a storage type. Initialization defines the fundamental structure of a hard disk. Windows XP Professional supports basic storage and dynamic storage. A physical disk can be either basic or dynamic; you can't use both storage types on one disk.
- Divide the disk into partitions or volumes. Basic disks are divided into partitions, or discrete storage sections. Similar divisions of dynamic disks are called volumes.
- Format the disk. After you create a partition or volume, you must format it with a file system: file allocation table (FAT), FAT32, or NTFS.

Understanding Basic Storage


The traditional industry standard is basic storage. All versions of MS-DOS, Windows, Windows NT, Windows 2000, and Windows XP support basic storage. For Windows XP Professional, basic storage is the default storage type. Basic storage dictates the division of a hard disk into partitions. A partition is a portion of the disk that functions as a physically separate unit of storage. Windows XP Professional recognizes primary and extended partitions. A disk that is initialized for basic storage is called a basic disk. A basic disk can contain primary partitions, extended partitions, and logical drives (as shown in Figure 3-1).
Figure 3-1 Basic and dynamic storage types (a basic disk holding up to four primary partitions, or three primary partitions plus one extended partition that is divided into logical drives F:, G:, and H:)


Table 3-1 compares some of the characteristics of primary partitions and extended partitions.

Table 3-1 Primary and Extended Partitions

Primary partitions:
- A basic disk can contain a maximum of four primary partitions, or up to three primary partitions if there is also an extended partition.
- Can be marked as the active partition. The system BIOS looks to the active partition for the boot files to start the operating system (only one active partition per hard disk).
- Each primary partition can be formatted and assigned a drive letter.

Extended partitions:
- A basic disk can contain only one extended partition.
- An extended partition can't be marked as the active partition.
- Divided into logical drives, each of which can be formatted and assigned a drive letter.

NOTE

The Windows XP Professional system partition is the active partition that contains the hardware-specific files required to load the operating system. The Windows XP Professional boot partition is the primary partition or logical drive where the operating system files are installed. The boot partition and the system partition can be the same partition. However, the system partition must be on the active partition, typically drive C, whereas the boot partition can be on another primary partition or an extended partition.
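To make the rules in Table 3-1 concrete, here is an added example (not from the textbook) that decodes a basic disk's MBR partition table in Python and checks them: four 16-byte entries at byte offset 446, a 0x80 boot flag marking the active partition, type bytes such as 0x07 (NTFS) and 0x0F (extended), and the 0x55AA signature at offset 510. The 512-byte sector it parses is constructed by `build_sample_mbr`; nothing is read from a real disk. A disk converted to dynamic storage, covered later in this chapter, instead carries a single entry of type 0x42 and keeps its real layout in the dynamic disk database.

```python
"""
Added example (not from the textbook): decode the partition table of a basic
(MBR-style) disk and check the rules Table 3-1 describes: at most four
primary entries, at most one extended partition, and exactly one active
(bootable) partition for the BIOS to hand off to.

The boot sector is constructed for this example. The MBR layout itself is
standard: a 64-byte partition table at offset 446 holding four 16-byte
entries (boot flag, CHS start, type byte, CHS end, LBA start, sector count),
followed by the 0x55 0xAA signature at offset 510.
"""
import struct
from typing import Dict, List

# A few well-known partition type bytes; anything else is reported as hex.
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended (CHS)",
    0x07: "NTFS",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x42: "Windows LDM (dynamic disk)",
}
EXTENDED_TYPES = {0x05, 0x0F}
SECTOR = 512


def _entry(boot: int, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte table entry; CHS fields carry the LBA-only marker FE FF FF."""
    chs = b"\xfe\xff\xff"
    return struct.pack("<B3sB3sII", boot, chs, ptype, chs, lba_start, sectors)


def build_sample_mbr(active_index: int = 0) -> bytes:
    """Constructed sample: C: (NTFS), D: (FAT32) and an extended partition; one slot free."""
    code = b"\x00" * 446  # boot code area, zeroed for the example
    table = (
        _entry(0x80 if active_index == 0 else 0x00, 0x07, 63, 8_388_608)             # 4 GiB NTFS
        + _entry(0x80 if active_index == 1 else 0x00, 0x0C, 8_388_671, 4_194_304)    # 2 GiB FAT32
        + _entry(0x80 if active_index == 2 else 0x00, 0x0F, 12_582_975, 8_388_608)   # extended
        + _entry(0x00, 0x00, 0, 0)                                                   # unused slot
    )
    return code + table + b"\x55\xaa"


def parse_mbr(sector: bytes) -> List[Dict[str, object]]:
    """Decode the four partition-table entries; raises if the sector is not a valid MBR."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        boot, _chs0, ptype, _chs1, lba, count = struct.unpack("<B3sB3sII", raw)
        if boot not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid boot flag 0x{boot:02x}")
        entries.append({
            "index": i,
            "active": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02x}"),
            "extended": ptype in EXTENDED_TYPES,
            "lba_start": lba,
            "sectors": count,
            "size_mib": count * SECTOR // (1024 * 1024),
        })
    return entries


def check_basic_disk_rules(entries: List[Dict[str, object]]) -> List[str]:
    """Return the Table 3-1 rule violations found in a decoded table (empty list means OK)."""
    problems = []
    used = [e for e in entries if e["type"] != 0x00]
    extended = [e for e in used if e["extended"]]
    active = [e for e in used if e["active"]]
    if len(extended) > 1:
        problems.append("more than one extended partition")
    if len(active) != 1:
        problems.append(f"{len(active)} active partitions (expected exactly one)")
    if any(e["active"] and e["extended"] for e in used):
        problems.append("extended partition is marked active")
    return problems


if __name__ == "__main__":
    for e in parse_mbr(build_sample_mbr()):
        flag = "*" if e["active"] else " "
        print(f"{flag} {e['index']}: {e['type_name']:<28} start={e['lba_start']:>10} size={e['size_mib']} MiB")
    print("violations:", check_basic_disk_rules(parse_mbr(build_sample_mbr(active_index=2))))
```

To run it against a real disk, read the first 512 bytes of the physical drive (on Windows XP that is `\\.\PhysicalDrive0`, which requires administrator rights) and pass them to `parse_mbr`; the check function then tells you whether the table the BIOS will see is one Windows XP can boot from.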

Understanding Dynamic Storage


Windows 2000 and Windows XP Professional support dynamic storage, which is a standard that creates a single partition encompassing the entire disk. A disk that you initialize for dynamic storage is a dynamic disk. You divide dynamic disks into volumes, which can consist of a portion, or portions, of one or more physical disks. When you have converted a basic disk to dynamic storage, you can create Windows XP Professional volumes. Consider which of the following volume types (Figure 3-2) best suit your needs for efficient use of disk space and performance.

- Simple volume Contains disk space from a single disk and is not fault tolerant.
- Spanned volume Includes disk space from multiple disks (up to 32). Windows XP Professional writes data to a spanned volume on the first disk, completely filling the space, and continues in this manner through each disk that you include in the spanned volume. These volumes are not fault tolerant. If any disk in a spanned volume fails, the data in the entire volume is lost.


Figure 3-2 Dynamic disks in Windows XP (a simple volume on a single hard disk; spanned and striped volumes on 2 to 32 hard disks or portions of disks)

- Striped volume Combines areas of free space from multiple hard disks (up to 32) into one logical volume. In a striped volume, Windows XP Professional optimizes performance by adding data to all disks at the same rate. If a disk in a striped volume fails, the data in the entire volume is lost.
NOTE

Windows 2000 Server and Windows Server 2003 provide fault tolerance on dynamic disks. Fault tolerance is the ability of a computer or an operating system to respond to some catastrophic events without loss of data. The server products provide mirrored volumes and RAID-5 volumes that are fault tolerant. Windows XP Professional does not provide fault tolerance.

Creating multiple volumes on a single hard disk allows you to efficiently organize data for such tasks as backing up data. For example, you can create a volume for the operating system, one for applications, and one for data. When you back up your data, you can back up the entire data volume on a daily basis and back up the application and operating system volumes on only a monthly or quarterly basis.


Working with Simple Volumes


A simple volume contains disk space from a single disk. You can extend a simple volume to include unallocated space on the same disk. You can create a simple volume and format it with NTFS, FAT, or FAT32. You can extend a simple volume only if it is formatted with NTFS. A simple volume can be assigned a drive letter, left without a drive letter, or mounted as a folder on any existing NTFS volume. Mounting makes the volume's space available as part of the normal file system. You can disconnect the mounted volume at any time and reconnect it elsewhere, all without losing the data on the mounted volume.
NOTE

The folder that a volume is mounted to must be an empty folder on an NTFS volume.

Working with Spanned Volumes


A spanned volume consists of disk space from multiple dynamic disks. Spanned volumes enable you to combine the available free space on these disks. They can't be part of a striped volume and are not fault tolerant. Only spanned volumes formatted with NTFS can be extended, and deleting any part of a spanned volume deletes the entire volume. You can combine various-sized areas of free space from 2 to 32 dynamic disks into one large logical volume. Windows XP Professional organizes spanned volumes so that data is stored in the space on one disk until it is full, and then, starting at the beginning of the next disk, data is stored in the space on the second disk, and so forth. You can extend existing spanned volumes formatted with NTFS by adding free space. Disk Management formats the new area without affecting any existing files on the original volume. You can't extend volumes formatted with FAT or FAT32, and you can't extend the system volume or a boot volume.
NOTE

Windows NT and Windows 2000 support a technology similar to XP spanned volumes called volume sets. You cannot import volume sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP. Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.


Working with Striped Volumes


Striped volumes offer the best performance of all the Windows XP Professional disk management strategies. In a striped volume, data is written evenly across all physical disks in 64-KB units. Because all the hard disks that belong to the striped volume perform the same functions as a single hard disk, Windows XP can issue and process concurrent I/O commands simultaneously on all hard disks. In this way, striped volumes can increase system I/O speed. You create striped volumes by combining areas of free space from multiple disks (from 2 to 32) into one logical volume. With a striped volume, Windows writes data to multiple disks, similar to spanned volumes. However, on a striped volume, Windows XP writes files across all disks so that data is added to all disks at the same rate. Like spanned volumes, striped volumes don't provide fault tolerance. If a disk in a striped volume fails, the data in the entire volume is lost. You cannot extend striped volumes. Windows NT and Windows 2000 basic disks support an equivalent technology called stripe sets. You cannot import stripe sets into Windows XP without first upgrading the basic disks to dynamic disks. You must do this before upgrading the operating system to Windows XP.
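The allocation behaviour described for spanned and striped volumes can be modelled directly. The following Python is an added example, not code from the textbook: `layout_spanned` fills each member disk before moving on to the next, `layout_striped` deals the volume out in 64-KB units round-robin across the members, and the two helper checks show the practical consequence the chapter states, that the loss of any one member disk loses the whole volume in both cases. The member sizes and the file extent are constructed values; the 64-KB stripe unit and the fill order are the only facts taken from the chapter.

```python
"""
Added example (not from the textbook): model how Windows XP lays data out on
a spanned volume (fill disk 1, then disk 2, ...) versus a striped volume
(64-KB units written round-robin across all members), and show why losing
any single member disk loses the whole volume in both cases.

Member sizes and file extents below are constructed for the example.
"""
from typing import List, Tuple

KB = 1024
STRIPE_UNIT = 64 * KB           # Windows XP striped-volume unit, per the chapter
Extent = Tuple[int, int, int]   # (member disk index, byte offset on that disk, length)


def layout_spanned(member_sizes: List[int], offset: int, length: int) -> List[Extent]:
    """Map a volume byte range onto the member disks of a spanned volume.

    Volume space is the concatenation of the members: bytes [0, size0) live on
    disk 0, the next size1 bytes on disk 1, and so on.
    """
    if offset + length > sum(member_sizes):
        raise ValueError("range extends past the end of the volume")
    extents = []
    disk_base = 0
    for disk, size in enumerate(member_sizes):
        lo = max(offset, disk_base)
        hi = min(offset + length, disk_base + size)
        if lo < hi:
            extents.append((disk, lo - disk_base, hi - lo))
        disk_base += size
    return extents


def layout_striped(member_count: int, member_size: int, offset: int, length: int) -> List[Extent]:
    """Map a volume byte range onto a striped volume.

    Volume unit n lives on disk n % member_count at stripe row n // member_count.
    All members contribute the same amount of space (Disk Management uses the
    smallest free area), so the volume holds member_count * member_size bytes.
    """
    if offset + length > member_count * member_size:
        raise ValueError("range extends past the end of the volume")
    extents = []
    pos, end = offset, offset + length
    while pos < end:
        unit = pos // STRIPE_UNIT
        within = pos % STRIPE_UNIT
        chunk = min(STRIPE_UNIT - within, end - pos)
        disk = unit % member_count
        row = unit // member_count
        extents.append((disk, row * STRIPE_UNIT + within, chunk))
        pos += chunk
    return extents


def disks_touched(extents: List[Extent]) -> List[int]:
    """Which member disks a file's extents live on (sorted, no duplicates)."""
    return sorted({disk for disk, _, _ in extents})


def survives_disk_loss(extents: List[Extent], failed_disk: int) -> bool:
    """A file's bytes are still readable only if none of its extents sit on the failed member."""
    return failed_disk not in disks_touched(extents)


def volume_survives(failed_disk: int, member_count: int) -> bool:
    """Neither volume type is fault tolerant: losing any member loses the whole volume."""
    return not (0 <= failed_disk < member_count)


if __name__ == "__main__":
    members = [1024 * KB, 1024 * KB, 1024 * KB]   # three 1-MB members (constructed)
    # A 300-KB file written near the end of the first member of a spanned volume.
    spanned = layout_spanned(members, offset=900 * KB, length=300 * KB)
    print("spanned:", spanned, "-> disks", disks_touched(spanned))
    # The same 300-KB file on a three-disk striped volume.
    striped = layout_striped(3, 1024 * KB, offset=900 * KB, length=300 * KB)
    print("striped:", striped, "-> disks", disks_touched(striped))
    print("file on spanned volume readable after losing disk 2?", survives_disk_loss(spanned, 2))
    print("spanned or striped volume survives losing disk 2?", volume_survives(2, 3))
```

The spanned case shows why a spanned volume gives no performance benefit: the file occupies two disks only because it happened to straddle the boundary. The striped case puts the same file on all three members in 64-KB pieces, which is where the concurrent I/O comes from, and also why a single-disk failure takes every file with it.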
NOTE

Windows NT systems do not support dynamic disks, so they must be upgraded first to Windows 2000 Professional and then to Windows XP. Alternatively, you can back up the disks and then restore them after the upgrade.

Adding Disks
When you install new disks in a computer running Windows XP Professional, they are added as basic storage. To add a new disk, install or attach the new physical disk (or disks), and then choose Rescan Disks from the Action menu of the Disk Management snap-in in Computer Management (Figure 3-3). You must use Rescan Disks every time you remove or add a disk to a computer. You shouldn't need to restart the computer when you add a new disk. However, you might need to restart the computer if Disk Management doesn't detect the new disk after you run Rescan Disks.

Viewing Disk Properties By right-clicking the physical disk in the lower pane of Disk Management and selecting Properties, you can view and configure properties and settings for the physical disk.


Figure 3-3 The Disk Management snap-in in Computer Management



These are the tabs of the disk Properties dialog box:

- General Lists the device type, manufacturer, and physical location of the device, including the bus number or the Small Computer System Interface (SCSI) identifier. Lists the device status and provides access to the troubleshooter for the device.
- Policies Allows you to set the following options for write caching and safe removal:
  - Optimize For Quick Removal Disables write caching on the disk and in Windows.
  - Optimize For Performance Enables write caching in Windows to improve disk performance.
  - Enable Write Caching On This Disk Enables write caching to improve disk performance, but a power outage or equipment failure might result in data loss or corruption.
- Volumes Lists the volumes contained in this disk.
- Driver Allows you to get detailed information about the driver, update the driver, roll back the driver, and uninstall the driver.

Disks are separated into partitions (basic disks) or volumes (dynamic disks). You can view or configure properties for a volume or partition by right-clicking the volume or partition in Disk Management and selecting Properties.


Viewing Volume or Partition Properties By right-clicking the partition or volume (sometimes called the logical disk) in the upper pane of Disk Management and selecting Properties, you can view and configure properties and settings for the volume or partition. The tabs of the volume Properties dialog box are:

- General Lists the volume label, type, file system, used space, free space, and total disk capacity. It also allows you to run Disk Cleanup, and on NTFS volumes it allows you to compress the drive and choose to have the Indexing Service index the disk for fast file searching.
- Tools Allows you to check the partition or volume for errors, defragment it, and back it up.
- Hardware Shows you all drives on the computer and allows you to view the properties of each device, including the manufacturer, location, and status of the device. It also allows you to access the troubleshooter for the device.
- Sharing Allows you to share the drive, set permissions on the share, and determine the type of caching for the share.
- Security Allows you to set the NTFS permissions. This tab is available only if the partition or volume is formatted with the NTFS file system.
- Quota Allows you to enable and configure quota management. This tab is available only if the partition or volume is formatted with the NTFS file system.
NOTE

Dynamic disks store information about their configuration in a small space at the end of the disk. As a result, you can take a disk that might be part of a spanned volume and import it into another system. Disk Management on the new system will actually recognize the imported disk as part of a spanned volume and ask for the rest of the disks! Users can thus move storage from one system to another system without losing their data.

Changing the Storage Type


You can upgrade a disk from basic storage to dynamic storage at any time without loss of data. However, any disk to be upgraded must contain at least 1 MB of unallocated space for the upgrade to succeed. Before you upgrade disks, close any programs that are running on those disks.
IMPORTANT

Always back up the data on a disk before converting the storage type.


Table 3-2 shows the results of converting a disk from basic storage to dynamic storage. Partitions and volumes are converted to their equivalent under the dynamic storage architecture.

Table 3-2 Basic Disk and Dynamic Disk Organization

- System partition becomes a simple volume.
- Boot partition becomes a simple volume.
- Primary partition becomes a simple volume.
- Extended partition becomes a simple volume for each logical drive, plus an additional simple volume for any remaining unallocated space.
- Logical drive becomes a simple volume.
- Volume set becomes a spanned volume.
- Stripe set becomes a striped volume.

To upgrade a basic disk to a dynamic disk, in the Disk Management snap-in, right-click the basic disk that you want to upgrade, and then choose Upgrade To Dynamic Disk (Figure 3-4). The system will verify your intentions and begin the upgrade. The upgrade process requires that you restart your computer afterward.

Figure 3-4 Initiating an upgrade from basic to dynamic disk



If you find it necessary to convert a dynamic disk to a basic disk, you must remove all volumes from the dynamic disk before you can change it to a basic disk. To convert a dynamic disk to a basic disk, right-click the dynamic disk, and then choose Revert To Basic Disk.
CAUTION

All data on a dynamic disk will be lost when you revert it to a basic disk.


Using Refresh and Rescan Disks


If you need to update the information displayed in Disk Management, you can use the Refresh and Rescan commands. The Refresh command updates the drive letter, file system, volume, and removable media information, and it determines whether unreadable volumes are now readable. It does not scan for new disk hardware. To refresh disk information, choose Refresh from the Action menu. Rescan Disks updates hardware information. When Disk Management rescans disks, it scans all attached disks for disk configuration changes. It then performs the Refresh command. Rescanning disks can take several minutes, depending on the number of hardware devices installed. To rescan disks, choose Rescan Disks from the Action menu.

Managing Disks on a Remote Computer


In a domain environment, users with local administrator privileges, such as members of the Domain Admins group or the Server Operators group, can manage disks on remote computers. In a workgroup environment, you can manage disks on a remote computer running Windows XP Professional if you have an account with the same username and password set up on both the local and remote computer (as shown in Figure 3-5).

Figure 3-5 The Computer Management console connecting to a remote computer



To manage disks on a remote computer, take the following steps:

1. Open Computer Management and focus it on the remote computer by right-clicking Computer Management (Local) and selecting Connect To Another Computer.
2. Type the name of the other computer, and click OK. If you have permissions to manage the remote system, you can use Computer Management to manage it. If you do not, you can view only limited information.
3. Locate Disk Management under the Storage section.

MANAGING REMOVABLE STORAGE


Removable Storage is a simple way to manage and access all removable storage media on a system. It is a set of device and media management application programming interfaces (APIs) that together form a structure for managing media allocation, tracking, and utilization. Some functions that are supported by removable storage are:

- Injecting and ejecting media
- Maintaining media pools and media libraries to consolidate media tracking
- Brokering application access to media
- Providing a storage management interface for administrators

Using the Removable Storage Manager


The Removable Storage Manager (RSM) interface is located inside the Computer Management console. In this application, an administrator or operator can view media pools, media allocation, and work queues. Figure 3-6 shows a CD-ROM and a smart media card mounted in the RSM.

Figure 3-6 The RSM showing a CD-ROM and a smart media card


Managing Media Pools A media pool manages a collection of media. The media in the pool must be of the same type and configuration. An example of a media pool is a collection of tapes used for a backup rotation, which are assigned on successive days to back up system files. By organizing them into pools, you can protect them from use by other applications. This protects their data from accidental deletion. Media pools can be created and managed in the RSM. A media pool serves as a container for the media allocated to a specific application. It is not available for another application until it is released to the Free media pool or moved to the media pool belonging to the other application. There are four default media pool types:

- Free Contains all media that have been detected by the system but not allocated to any application.
- Import Contains media that are recognized but known to contain data from another application. They are placed here for protection until they can be placed in an appropriate media pool.
- Unrecognized Contains media that the system does not recognize. Typically these are media of a type not known to the system, but they can also be corrupted media of a known type.
- Application-Specific Applications such as Backup create media pools to manage their own media.
NOTE

If you open the RSM and do not see your media pools, select Removable Storage and, from the View menu, select Full. This provides the full view of all removable storage resources.

Managing the Work Queue During a backup it might be necessary to insert additional media or respond to media errors to allow a backup to be completed. When this happens, you may receive a message to check the RSM console. Figure 3-7 shows Removable Storage displaying work queues. If you select Work Queue in the RSM, you will see a list of completed, active, and pending requests. If you are having problems with media allocation or are troubleshooting a failure of your CD-ROM to eject, check here to see if there is an active request on your media.

Working with Mounted Media When you are using the RSM, you can find your mounted media by clicking the library that contains the media or by selecting the media folder. Once your media is selected, if it supports Eject commands you can eject it right from the RSM. This comes in handy when you must eject media on a remote system.


Figure 3-7 Removable Storage Manager displaying work queues



Working with Media on a Remote Computer To work with media on a remote computer, right-click the root folder in Computer Management and choose to connect to a remote computer.

Working with Libraries All media devices are classified as libraries in the RSM. This allows all applications on the system that communicate with the removable storage APIs to access data on any media that is visible to Removable Storage. The APIs built into Removable Storage make device differences transparent to the applications. All the application has to know is how to work with Removable Storage. Removable Storage then manages the device and media, providing data storage to the application (as shown in Figure 3-8).

Figure 3-8 Removable Storage service providing access to data on various media types (a photo editing application, Backup, Windows Explorer, and Media Player reach tape, USB, DVD, and diskette media through the Removable Storage service)


MANAGING COMPRESSION
Windows XP Professional supports two types of compression: NTFS compression and compressed folders. NTFS compression enables you to compress files, folders, or an entire drive. NTFS compressed files and folders occupy less space on an NTFS-formatted volume, which enables you to store more data. Each file and folder on an NTFS volume has a compression state, which is either compressed or uncompressed. The Compressed Folders feature allows you to create a compressed folder so that all files you store in that folder are automatically compressed.

Using Compressed Folders


The Compressed Folders feature, which is new in Windows XP Professional, allows you to create compressed folders and view their contents. It also allows you to compress large files so that you can store more files on a floppy disk or a hard drive. Compressed folders are in reality Zip-compatible archives and can be read by any operating system or application that can read .zip files. To create a compressed folder, start Windows Explorer and then choose File | New | Compressed (zipped) Folder. This creates a compressed folder in the current folder. You can drag and drop files into the compressed folder, and the files will be compressed automatically. If you copy a file from the compressed folder to another folder that is not compressed, the copy is no longer compressed. A zipper icon denotes a compressed folder (as shown in Figure 3-9), and Windows Explorer labels these folders Compressed (zipped) Folder.

Figure 3-9 A compressed folder showing the zipper icon




Benefits of using compressed folders generated with the Compressed Folders feature include the following:

You can create and use compressed files and folders on both FAT and NTFS volumes.

You can open files directly from the compressed folders, and you can run some programs directly from compressed folders.

You can move these compressed files and folders to any drive or folder on your computer, the Internet, or your network, and they will be compatible with any program that can read Zip archives.

You can password-protect compressed folders that you created using this feature. This uses the legacy PKZIP password scheme (often called ZipCrypto), which is weak by modern standards and is not a substitute for NTFS permissions or EFS when the contents are sensitive.
NOTE

You can compress individual files only by storing them in a compressed folder. If you move or extract the files into an uncompressed folder, they will be uncompressed.

Using NTFS Compression


NTFS compressed files can be read and written to by any application. When an application (such as Microsoft Word or Excel) or an operating system command (such as Copy) requests access to a compressed file, NTFS uncompresses the file before making it available. When you close or explicitly save a file, NTFS compresses it again. Some benefits of NTFS compression include:

You can open files and run applications directly from compressed folders.

NTFS compression is integrated directly with NTFS and can be applied by modifying the compression attribute on files and folders.

NTFS handles all compression and decompression on the fly.

NTFS compressed files can be made to appear in an alternative text color to indicate their compressed status.

NTFS allocates disk space based on uncompressed file size. If you copy a compressed file to an NTFS volume with enough space for the compressed file but not enough space for the uncompressed file, you might get an error message stating that there is not enough disk space for the file, and the file will not be copied to the volume.

Compressing Files and Folders Using NTFS Compression

You can set the compression state of folders and files, and you can change the color that is used to display compressed files and folders in Windows Explorer.


If you want to set the compression state of a folder or file, right-click the folder or file in Windows Explorer, choose Properties, and then click Advanced. In the Advanced Attributes dialog box, shown in Figure 3-10, select the Compress Contents To Save Disk Space check box. Click OK, and then, in the Properties dialog box, click Apply.
NOTE

NTFS encryption and compression are mutually exclusive. For that reason, if you select the Encrypt Contents To Secure Data check box, you cannot compress the folder or file.

Figure 3-10 The Advanced Attributes dialog box



IMPORTANT To change the compression state for a file or a folder, you must have Write permission for that file or folder.

The compression state for a folder does not reflect the compression state of the files and subfolders in that folder. A folder can be compressed while all of the files in that folder are uncompressed. Alternatively, an uncompressed folder can contain compressed files. When you compress a folder that contains one or more files, folders, or both, Windows XP Professional displays the Confirm Attribute Changes dialog box, shown in Figure 3-11.

Figure 3-11 The Confirm Attribute Changes dialog box




The Confirm Attribute Changes dialog box has two additional options:

Apply Changes To This Folder Only Compresses only the folder that you have selected

Apply Changes To This Folder, Subfolders, And Files Compresses the folder and all subfolders and files that are contained within it and are subsequently added to it

Compressing a Drive or Volume Using NTFS Compression

You can set the compression state of an entire NTFS drive or volume. To do so, in Windows Explorer, right-click the drive or volume, and then choose Properties. In the Properties dialog box, select the Compress Drive To Save Disk Space check box, as shown in Figure 3-12, and then click OK.

Figure 3-12 The Local Disk (C:) Properties dialog box



Displaying NTFS Compressed Files and Folders in a Different Color

Windows Explorer makes it easy for you to quickly determine whether a file or folder is compressed. By default, it displays the names of compressed files and folders in a different color to distinguish them from those that are uncompressed. To turn this display on or off:

1. In Windows Explorer, choose Tools | Folder Options.

2. On the View tab, select the Show Encrypted Or Compressed NTFS Files In Color check box to display the names of compressed files and folders in a different color, or clear it to turn the color display off.

Copying and Moving NTFS Compressed Files and Folders

There are rules that determine whether the compression state of files and folders is retained when you copy or move them within and between NTFS and FAT volumes. The following list describes how Windows XP Professional treats the compression state of a file or folder when you copy or move a compressed file or folder within or between NTFS volumes or between NTFS and FAT volumes.

Copying a file within an NTFS volume When you copy a file within an NTFS volume (shown as A in Figure 3-13), the file inherits the compression state of the target folder. For example, if you copy a compressed file to an uncompressed folder, the copy is uncompressed.

Moving a file or folder within an NTFS volume When you move a file or folder within an NTFS volume (shown as B in Figure 3-13), the file or folder retains its original compression state. For example, if you move a compressed file to an uncompressed folder, the file remains compressed.

Copying a file or folder between NTFS volumes When you copy a file or folder between NTFS volumes (shown as C in Figure 3-13), the file or folder inherits the compression state of the target folder.

Moving a file or folder between NTFS volumes When you move a file or folder between NTFS volumes (shown as C in Figure 3-13), the file or folder inherits the compression state of the target folder. Because Windows XP Professional treats a move between volumes as a copy and a delete, the files inherit the compression state of the target folder.

Moving or copying a file or folder to a FAT volume Windows XP Professional supports compression only for NTFS files. When you move or copy a compressed NTFS file or folder to a FAT volume, Windows XP Professional uncompresses the file or folder.

Moving or copying a compressed file or folder to a floppy disk When you move or copy a compressed NTFS file or folder to a floppy disk, Windows XP Professional uncompresses the file or folder.
[Figure 3-13 shows three cases: A, copy within an NTFS volume (inherits); B, move within an NTFS volume (retains); C, move or copy to another NTFS volume (inherits).]

Figure 3-13 The effects of copying and moving compressed folders and files
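The following PowerShell script is an added example, not taken from the book, that makes rules A and B above observable on a single NTFS volume. It uses compact.exe (shipped with Windows XP Professional and later) to mark a folder compressed and reads the state back through the Compressed file attribute. The folder and file names are arbitrary choices, and the cross-volume and FAT cases are not exercised because they need a second volume.

```powershell
# Added example (not from the book): observe how copy and move treat the
# NTFS Compressed attribute on one volume. Assumes compact.exe is on the
# path and $env:TEMP is on an NTFS volume; all names below are arbitrary.

function Test-NtfsCompressed {
    # True when the file or folder carries the Compressed attribute.
    param([Parameter(Mandatory = $true)][string]$Path)
    $attrs = [System.IO.File]::GetAttributes($Path)
    return (($attrs -band [System.IO.FileAttributes]::Compressed) -ne 0)
}

function Set-NtfsFolderCompression {
    # Marks (or unmarks) a folder so that files added later are compressed.
    # Same effect as Apply Changes To This Folder Only in Windows Explorer.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Uncompress
    )
    $flag = if ($Uncompress) { '/u' } else { '/c' }
    & compact.exe $flag $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "compact.exe $flag failed for $Path" }
}

function Show-CompressionRules {
    # Builds two sibling folders on the same volume, one compressed and one
    # not, then reports the attribute after a copy and after a move.
    param(
        [string]$Root = (Join-Path $env:TEMP ('ntfs-compress-demo-' + [guid]::NewGuid().ToString('N')))
    )
    $compressedDir = Join-Path $Root 'compressed'
    $plainDir      = Join-Path $Root 'plain'
    New-Item -ItemType Directory -Path $compressedDir | Out-Null
    New-Item -ItemType Directory -Path $plainDir | Out-Null
    Set-NtfsFolderCompression -Path $compressedDir

    try {
        # A file created inside a compressed folder inherits the folder's state.
        $source = Join-Path $compressedDir 'report.txt'
        Set-Content -Path $source -Value ('redundant text ' * 4000)   # constructed sample data
        "created in compressed folder  : Compressed = $(Test-NtfsCompressed $source)"

        # Rule A, copy within a volume: the new file takes the target folder's state.
        $copy = Join-Path $plainDir 'report-copy.txt'
        Copy-Item -Path $source -Destination $copy
        "copied to uncompressed folder : Compressed = $(Test-NtfsCompressed $copy)"

        # Rule B, move within a volume: a rename, so the file keeps its own state.
        $moved = Join-Path $plainDir 'report-moved.txt'
        Move-Item -Path $source -Destination $moved
        "moved to uncompressed folder  : Compressed = $(Test-NtfsCompressed $moved)"
    }
    finally {
        Remove-Item -Path $Root -Recurse -Force
    }
}

Show-CompressionRules
```

Run it in a PowerShell session on Windows. The first and third lines it prints should agree with each other (the move keeps the file's own state) while the second differs (the copy takes the target folder's state); if they do not, check that $env:TEMP is on an NTFS volume, since FAT carries no compression attribute at all.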


NOTE When you copy a compressed NTFS file, Windows XP Professional uncompresses the file, copies the file, and then compresses the file again as a new file. This might cause performance degradation when many large files are copied at once.

NTFS Compression Guidelines

The following list provides best practices for using compression on NTFS volumes:

Because some file types compress more than others, select file types to compress based on the anticipated resulting file size. For example, because Windows bitmap files contain more redundant data than application executable files, this file type compresses to a smaller size. Bitmaps often compress to less than 50 percent of the original file size, whereas application files rarely compress to less than 75 percent of the original size.

Do not store compressed files, such as PKZip files, in a compressed folder. Windows XP Professional will attempt to compress the file, wasting system time and yielding no additional disk space.

Compress static data rather than data that changes frequently. Compressing and uncompressing files incurs some system overhead. By choosing to compress files that are infrequently accessed, you minimize the amount of system time dedicated to compression and uncompression activities.

NTFS compression can cause performance degradation when you copy and move files. When a compressed file is copied, it is uncompressed, copied, and then compressed again as a new file. You should compress data that is not copied or moved frequently.

INCREASING SECURITY WITH THE EFS


Encryption is the process of making information indecipherable to protect it from unauthorized viewing or use. The Encrypting File System (EFS) provides encryption for data in NTFS files stored on disk. This encryption is public key-based and runs as an integrated system service, making it easy to manage, difficult to attack, and transparent to the file owner. If a user who attempts to access an encrypted NTFS file holds the private key that unlocks that file's encryption key, the file is decrypted so that the user can open it and work with it transparently as a normal document. A user without the private key is denied access. Windows XP Professional also includes the Cipher command, which provides the ability to encrypt and decrypt files and folders from a command prompt, and it lets you specify a recovery agent: if the owner loses the private key, the person designated as the recovery agent can still recover the encrypted file.

Understanding the EFS


The EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme; the recommended practice is to encrypt at the folder level so that every file placed in the folder is encrypted. Users with roaming profiles can use the same key on trusted remote systems. No administrative effort is needed to begin, and most operations are transparent. Backups and copies of encrypted files are also encrypted if they are on NTFS volumes. Files remain encrypted if you move or rename them, and because encryption is applied to the folder, the temporary copies that applications create while you edit a document are encrypted as well, so they do not defeat encryption; file encryption keys are kept out of the paging file. You can set policies to recover EFS-encrypted data when necessary. The recovery policy is integrated with overall Windows XP Professional security policy. Control of this policy can be delegated to individuals with recovery authority, and you can configure different recovery policies for different parts of the enterprise. Data recovery discloses only the recovered data, not the user's private key. Several protections ensure that data recovery is possible and that no data is lost in the case of total system failure. You use the EFS from Windows Explorer or from the command line (the Cipher command). You can control it for a computer, domain, or organizational unit (OU) through the Encrypting File System settings under Public Key Policies in the Group Policy console in the Microsoft Management Console (MMC).
NOTE

To be subject to Group Policy for the domain or for an OU, your computer must be part of an Active Directory domain.

You can use EFS to encrypt and decrypt files on remote file servers but not to encrypt data that is transferred over the network: the server decrypts the file before sending it to you, so the contents travel in the clear unless the connection itself is protected. Windows XP Professional supports secure network protocols, such as Internet Protocol Security (IPSec), to encrypt data over the network. Here are the key features provided by the EFS:

Transparent encryption In the EFS, file encryption does not require the file owner to decrypt and re-encrypt the file on each use. Decryption and encryption happen transparently on file reads and writes to disk.

Strong protection of encryption keys Public key encryption resists all but the most sophisticated methods of attack. Therefore, in the EFS, the file encryption key is encrypted using the public key from the user's certificate (X.509 v3 certificates in the case of Windows XP Professional and Windows 2000). The list of encrypted file encryption keys is stored with the encrypted file and is unique to it. To decrypt the file encryption key, the file owner supplies the private key, which only he or she has.

Integral data-recovery system If the owner's private key is unavailable, the recovery agent can open the file using the agent's private key. You can have more than one recovery agent, each with a different public key. Windows 2000 required at least one recovery agent's public key to be present before a file could be encrypted; Windows XP Professional does not, so on a stand-alone computer the EFS works with no recovery agent at all, and a lost user key then means a lost file unless you designate an agent first (see Managing Recovery Agents later in this chapter).

Secure temporary and paging files Many applications create temporary files while you edit a document, and these temporary files can be left unencrypted on the disk. On computers running Windows XP Professional, the EFS can be implemented at the folder level, so any temporary copies of an encrypted file are also encrypted, provided that all files are on NTFS volumes. The EFS resides in the Windows operating system kernel and uses the nonpaged pool to store file encryption keys, ensuring that they are never copied to the paging file.

Encrypting

The recommended method for encrypting files is to create an NTFS folder and then encrypt the folder. To encrypt a folder, in the Properties dialog box for the folder, click the General tab. On the General tab, click Advanced, and then select the Encrypt Contents To Secure Data check box (Figure 3-14). All files placed in the folder are encrypted, and the folder is marked for encryption. Folders that are marked for encryption are not actually encrypted; only the files within the folder are encrypted.
NOTE

Compressed files cannot be encrypted, and encrypted files cannot be compressed with NTFS compression.

Figure 3-14 Encrypting files




After you encrypt the folder, when you save a file in that folder, the file is encrypted using a file encryption key (FEK), a randomly generated symmetric key designed for fast bulk encryption. The file data is encrypted in blocks with that key; a new FEK is generated for each file, not for each block. The FEK is then encrypted with the user's public key and stored in the Data Decryption Field (DDF) in the file header, and encrypted again with each recovery agent's public key and stored in the Data Recovery Field (DRF). Anyone who holds a private key that unwraps one of those copies can recover the FEK and therefore the file.
CAUTION

If an administrator resets the password on a local user account (as opposed to the user changing it), the user loses access to all EFS-encrypted files, personal certificates, and stored passwords for Web sites or network resources, because the keys that protect them are derived from the old password. Each user should make a password reset disk to avoid this situation. To create a password reset disk, open User Accounts and, under Related Tasks, click Prevent A Forgotten Password. The Forgotten Password Wizard steps you through creating the password reset disk. Store the password reset disk in a secure location: anyone who holds it can reset the password and gain the same access.

Decrypting

To decrypt a folder or file, you clear the Encrypt Contents To Secure Data check box in the folder's or file's Advanced Attributes dialog box, which you access from that folder's or file's Properties dialog box. Once decrypted, the file remains unencrypted until you select the Encrypt Contents To Secure Data check box again (Figure 3-15).

Figure 3-15 Decrypting files



Using the Cipher Command


The Cipher command lets you encrypt and decrypt files and folders from a command prompt. The following example shows the available switches for the Cipher command, described in Table 3-3:
cipher [/e | /d] [/s:folder_name] [/a] [/i] [/f] [/q] [/h] [/k] [file_name [...]]


Table 3-3 Cipher Command Options

Switch      Description

/e          Encrypts the specified folders. Folders are marked so that any files added later are encrypted.

/d          Decrypts the specified folders. Folders are marked so that any files added later are not encrypted.

/s:folder   Performs the specified operation on the given folder and all of its subfolders (add /a to include the files in them).

/a          Performs the specified operation on files as well as folders. An encrypted file can become decrypted when it is modified if its parent folder is not encrypted; to avoid this, encrypt both the file and the parent folder.

/i          Continues performing the specified operation even after errors have occurred. By default, Cipher stops when an error is encountered.

/f          Forces the operation on all specified files, even those that are already in the requested state. Such files are skipped by default.

/q          Reports only the most essential information.

/h          Includes files with the hidden or system attributes, which are omitted by default.

/k          Creates a new file encryption key for the user running the Cipher command. Using this option causes Cipher to ignore all other options.

/r:file     Generates a recovery agent certificate and private key, written as file.cer and file.pfx (used in Managing Recovery Agents later in this chapter).

file_name   Specifies a pattern, file, or folder.

If you run the Cipher command without parameters, it displays the encryption state of the current folder and any files that it contains. You can specify multiple file names and use wildcards. You must put spaces between multiple parameters.
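As an added example (not from the book), the following PowerShell wraps the Cipher switches from Table 3-3 into one checkable operation: it encrypts a folder tree with /e /s /a and then lists every file that still lacks the Encrypted attribute, because a folder that is merely marked for encryption does not prove that each file inside it is protected. It assumes a path on an NTFS volume that you can modify; the function names are this example's own.

```powershell
# Added example (not from the book). Wraps cipher.exe and then audits the
# result by reading the Encrypted file attribute. Assumes an NTFS path the
# current user can modify; function names are this example's own.

function Get-EfsUnprotectedFiles {
    # Every file under $Path that does NOT carry the Encrypted attribute.
    # -Force includes hidden and system files, which cipher skips unless /h is given.
    param([Parameter(Mandatory = $true)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -Force |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -eq 0 }
}

function Protect-FolderWithEfs {
    # cipher /e        marks the folder so files added later are encrypted
    #        /s:<dir>  recurses into every subfolder
    #        /a        also encrypts the files already present; without it the
    #                  existing files stay in plaintext and the audit reports them
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$IncludeHiddenAndSystem   # adds /h
    )
    $cipherArgs = @('/e', "/s:$Path", '/a')
    if ($IncludeHiddenAndSystem) { $cipherArgs += '/h' }
    & cipher.exe @cipherArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "cipher.exe exited with $LASTEXITCODE for $Path" }

    $plaintext = @(Get-EfsUnprotectedFiles -Path $Path)
    foreach ($f in $plaintext) {
        # Typical causes: the file was open, or it is hidden/system and /h was not used.
        Write-Warning ("still unencrypted: " + $f.FullName)
    }
    return $plaintext
}

# Usage: build a scratch folder, protect it, and confirm nothing is left in plaintext.
$demo = Join-Path $env:TEMP 'efs-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'notes.txt') -Value 'constructed sample content'
$left = Protect-FolderWithEfs -Path $demo
"files still in plaintext: $($left.Count)"
& cipher.exe $demo   # lists each item flagged E (encrypted) or U (unencrypted)
```

The final cipher call without switches is the same listing the text describes: it shows the encryption state of the folder and each file in it, so you can compare its E/U flags with the audit's result.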

Using a Recovery Agent


If you lose your file encryption certificate and associated private key through disk failure or any other reason, a person designated as the recovery agent can open the file using her own certificate and associated private key. If the recovery agent is on another computer in the network, send the file to her for recovery on her system. She could instead bring her private key to the owner's computer, but it is not good security practice to copy a private key onto another computer.


NOTE On a stand-alone Windows XP Professional computer there is no default recovery agent; unless you designate one before files are encrypted, a lost user key cannot be recovered. (Windows 2000 made the local Administrator the default recovery agent; Windows XP Professional does not.) When the computer is a member of a domain, the domain Administrator account is the default recovery agent. You can designate alternative EFS recovery accounts for computers grouped by OUs. Before you can designate other recovery agents in a Windows 2000 or Windows Server 2003 domain, you must deploy Certificate Services to issue recovery agent certificates. For more information about Certificate Services, see Chapter 16 in the Microsoft Windows 2000 Server Resource Kit Distributed Systems Guide.

It is good security practice to rotate recovery agents. However, if the agent designation changes and the original agent's recovery keys are deleted before the files have been decrypted and then re-encrypted with the new keys, the recovery path for those files is gone: their owners can still open them with their own keys, but nobody can recover them if an owner's key is lost. For this reason, keep the old recovery agent's certificate and private key until every file encrypted while that agent was in effect has been decrypted and re-encrypted under the new recovery agent's key.

To recover an encrypted file:

1. If the file was lost due to disk failure, use Backup or another backup tool to restore a backup version of the encrypted file or folder to the computer where the recovery agent's file recovery certificate and private key are located. If the user key was lost because an administrator reset the user's password but the file is otherwise intact, proceed to step 2.

2. The recovery agent logs on to the system and locates the restored file.

3. In Windows Explorer, the recovery agent opens the Properties dialog box for the file or folder. On the General tab, click Advanced.

4. Clear the Encrypt Contents To Secure Data check box.

5. Return the decrypted file or folder to the user over a protected channel, and have the user re-encrypt it.

Managing Recovery Agents


To ensure that an agent is available to decrypt files when the user's key is lost, you must designate a recovery agent before using EFS. This involves generating the recovery agent's key pair and importing it into the agent's certificate store. After designating a recovery agent, you have other management tasks to perform. This section lists a series of procedures you can use to manage recovery agents and recovery keys.

To generate a recovery agent certificate:

1. Log on as an administrator.

2. At a command prompt, type cipher /r:filename. Cipher prompts for a password and writes two files: filename.cer, the recovery agent certificate (public key only), and filename.pfx, the certificate together with its private key, protected by the password you entered.


To designate a recovery agent:

1. Log on as the person who will be the recovery agent.

2. Open an empty Microsoft Management Console (MMC) session by typing mmc at a command prompt.

3. On the File menu, choose Add/Remove Snap-in to open the Add/Remove Snap-in dialog box (Figure 3-16).


Figure 3-16 Adding a snap-in to an empty MMC session.

4. Click Add to open the Add Standalone Snap-in dialog box.

5. Select the Certificates snap-in, and click Add.

6. When you are asked to specify which account this snap-in will manage, select My User Account.

7. Close the Add Standalone Snap-in dialog box, and click OK to close the Add/Remove Snap-in dialog box.

8. Right-click the Personal folder in the Certificates snap-in, and choose Import from the All Tasks menu. This starts the Certificate Import Wizard. (You can also start the Certificate Import Wizard by double-clicking a certificate file.) Enter the name of the .pfx file generated earlier with Cipher and the password that protects it, and complete the wizard. Import the .pfx, not the .cer: the .cer contains only the public key, and an agent whose store holds only the certificate cannot decrypt anything.

To add the recovery agent to the local recovery policy:

1. Log on as a local administrator, and launch the Group Policy console by typing gpedit.msc at a command prompt.

2. Expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies.

3. Right-click Encrypting File System, select Add Data Recovery Agent (Figure 3-17), and complete the Add Data Recovery Agent Wizard, browsing to the .cer file to select the new recovery agent.


Figure 3-17 Adding a data recovery agent

To remove a recovery agent:

1. In the Group Policy console, expand Computer Configuration, Windows Settings, Security Settings, Public Key Policies, and Encrypting File System.

2. Select the recovery agent to remove, and delete the certificate.

Managing Recovery Keys

You can use the Certificate Export Wizard to export the recovery agent's certificate and recovery key to a disk.

To export a certificate:

1. Open the Certificates snap-in, and then expand the Personal folder.

2. Double-click Certificates, and then right-click the recovery agent's certificate.

3. Select All Tasks, and then select Export.

4. Select Yes, Export The Private Key. You have the option of exporting and then deleting the recovery key; if you delete it, you will be required to import it again before you can decrypt any files that require the recovery agent's services.

5. Select an option, and then click Next.

6. Enter a strong password to protect your exported key.

7. Click Next, and enter a file name for the exported certificate and private key.

8. Click Next, review the final information, and then click Finish. The exported key will have a .pfx extension.

To import recovery certificates and keys:

1. Start the Certificate Import Wizard by double-clicking a certificate file.

2. Enter the password that protects the private key.

3. Designate a location for the certificate. The default location is the personal certificate store.
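The key-handling steps of the procedures above can be scripted. The following is an added example (not from the book) that uses cipher /r to produce the key pair and the .NET X509Store class (available on Windows XP Professional with the .NET Framework 2.0, which PowerShell requires) to do what the Certificate Import and Export wizards do. Base names, paths, and passwords are placeholders for you to choose; adding the agent to the recovery policy still happens in the Group Policy console as described above.

```powershell
# Added example (not from the book): script the recovery-agent key handling
# that the procedures above perform with cipher.exe and the Certificates
# snap-in. Assumes Windows with PowerShell and the .NET Framework 2.0;
# base names, paths and passwords below are placeholders.

function New-EfsRecoveryAgentKeyPair {
    # cipher /r:<base> writes <base>.cer (certificate only, for the Add Data
    # Recovery Agent wizard) and <base>.pfx (certificate plus private key).
    # cipher prompts interactively for the password that protects the .pfx.
    param([Parameter(Mandatory = $true)][string]$BaseName)
    & cipher.exe "/r:$BaseName"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
    New-Object PSObject -Property @{
        Certificate = (Resolve-Path "$BaseName.cer").Path
        KeyArchive  = (Resolve-Path "$BaseName.pfx").Path
    }
}

function Open-PersonalStore {
    # The agent's own Personal store (Certificates - Current User \ Personal).
    param([System.Security.Cryptography.X509Certificates.OpenFlags]$Mode)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList @(
        [System.Security.Cryptography.X509Certificates.StoreName]::My,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser)
    $store.Open($Mode)
    return $store
}

function Import-EfsRecoveryKey {
    # Equivalent of the Certificate Import Wizard: the .pfx (not the .cer) goes
    # into the agent's Personal store; otherwise the agent cannot decrypt.
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $f = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
    $flags = $f::Exportable -bor $f::PersistKeySet -bor $f::UserKeySet   # Exportable so it can be archived later
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, $Password, $flags
    $store = Open-PersonalStore -Mode 'ReadWrite'
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Export-EfsRecoveryKey {
    # Certificate Export Wizard with "Yes, Export The Private Key": writes a
    # password-protected .pfx for offline storage.
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][string]$Password
    )
    $store = Open-PersonalStore -Mode 'ReadOnly'
    try {
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in CurrentUser\My" }
        $pfx = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
        [System.IO.File]::WriteAllBytes($PfxPath, $cert.Export($pfx, $Password))
    }
    finally { $store.Close() }
}

# Usage (interactive, because cipher asks for the .pfx password):
#   $files = New-EfsRecoveryAgentKeyPair -BaseName 'C:\keys\efs-dra'        # placeholder path
#   $tp = Import-EfsRecoveryKey -PfxPath $files.KeyArchive -Password (Read-Host 'PFX password')
#   Export-EfsRecoveryKey -Thumbprint $tp -PfxPath 'E:\offline\efs-dra.pfx' -Password (Read-Host 'Archive password')
#   Remove-Item $files.KeyArchive   # keep the private key only on the offline media
```

Use $files.Certificate (the .cer) in the Add Data Recovery Agent Wizard; it holds no private key, so it can be copied freely. The .pfx is the sensitive artifact: after the import has been verified, move it to removable media and delete the on-disk copy, as the best practices below require.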

Disabling the EFS


You can disable the EFS for a computer, domain, or OU through Group Policy. In Windows 2000, the EFS required a recovery agent, so applying an empty Encrypted Data Recovery Agents policy disabled it. Windows XP Professional no longer requires a recovery agent, so an empty policy does not stop encryption; instead, in the Group Policy console expand Computer Configuration, Windows Settings, Security Settings, and Public Key Policies, right-click Encrypting File System, choose Properties, and clear the Allow Users To Encrypt Files Using Encrypting File System (EFS) check box. Until recovery agent settings are configured and applied through Group Policy, there is no recovery policy and the EFS uses the default recovery agents described earlier; once a policy has been applied, the EFS uses only the recovery agents that policy lists.

EFS Best Practices

Teach users to export their certificates and private keys to removable media and store the media securely when it is not in use. This protects against attackers who physically obtain the computer and try to access the private key.

Teach users to encrypt folders rather than files. Encrypting at the folder level helps ensure that files are not unexpectedly decrypted.

The private keys that are associated with recovery certificates are extremely sensitive. These keys must be exported and stored in a secure location when they are not in use.

Do not destroy recovery keys when recovery agents are changed. Keep them until all files that might have been encrypted with them have been re-encrypted with the new keys.

Designate two or more recovery agents. This provides redundancy for file recovery.


MANAGING DISK QUOTAS


You use disk quotas to manage storage growth in distributed environments. Disk quotas allow you to allocate disk space to users based on the files and folders they own. You can set disk quotas, quota thresholds, and quota limits for all users and for individual users. You can also monitor the amount of hard disk space that users have used and the amount that they have left against their quota.

Understanding Disk Quota Management


Windows XP Professional disk quotas track and control disk usage on a per-user, per-volume basis. Windows XP Professional tracks disk quotas for each volume, even if the volumes are on the same hard disk. Because quotas are tracked on a per-user basis, every user's disk space is tracked regardless of the folder in which he stores files. Some characteristics of disk quotas:

Disk usage is based on file and folder ownership. Windows XP Professional calculates disk space usage for users based on the files and folders they own. When a user copies or saves a new file to an NTFS volume or takes ownership of a file on an NTFS volume, Windows XP Professional charges the disk space for the file against the user's quota limit.

Disk quotas ignore compression. Windows XP Professional ignores compression when it calculates hard disk space usage. Users are charged for each uncompressed byte, regardless of how much hard disk space is actually used. This is done partially because file compression produces different degrees of compression for different types of files. Different uncompressed file types that are the same size might end up being very different sizes when they are compressed.

Free space for applications is based on the quota limit. When you enable disk quotas, the free space that Windows XP Professional reports to applications for the volume is the amount of space remaining within the user's disk quota limit.
NOTE

Disk quotas can be applied only to NTFS volumes in the NTFS 5 format used by Windows 2000, Windows XP, and Windows Server 2003.

You use disk quotas to monitor and control hard disk space usage. System administrators can do the following:

Set a disk quota limit to specify the amount of disk space for each user.

Set a disk quota warning to specify when Windows XP Professional should log an event, indicating that the user is nearing his limit.

Enforce disk quota limits and deny users access if they exceed their limit, or allow them continued access.

Log an event when a user exceeds a specified disk space threshold. The threshold can be when the user exceeds his quota limit or when he exceeds his warning level.

After you enable disk quotas for a volume, Windows XP Professional collects disk usage data for all users who own files and folders on the volume. This allows you to monitor volume usage on a per-user basis. By default, only members of the Administrators group can view and change quota settings. However, you can allow users to view quota settings.

Setting Disk Quotas


You can enable disk quotas and enforce disk quota warnings and limits for all users or for individual users. To enable disk quotas, in Disk Management open the Properties dialog box for a partition or volume, click the Quota tab, and configure the options that are described in the following list and displayed in Figure 3-18:

Enable Quota Management Select this check box to enable disk quota management.

Deny Disk Space To Users Exceeding Quota Limit Select this check box so that when users exceed their hard disk space allocation, they receive an out-of-disk-space message and cannot write to the volume.

Do Not Limit Disk Usage Select this option when you do not want to limit the amount of hard disk space for users.

Limit Disk Space To Configures the amount of disk space that users can use.

Set Warning Level To Configures the amount of disk space that users can fill before Windows XP Professional logs an event indicating that a user is nearing his limit.

Log Event When A User Exceeds Their Quota Limit Select this option if you want Windows XP Professional to write an event to the System log every time a user exceeds his quota limit.

Log Event When A User Exceeds Their Warning Level Select this option if you want Windows XP Professional to write an event to the System log every time a user exceeds the warning level.

Quota Entries Click this button to open the Quota Entries For dialog box, where you can add a new entry, delete an entry, and view the per-user quota information.

Figure 3-18 The Quota tab of the Properties dialog box for a disk

To enforce identical quota limits for all users:

1. In the Limit Disk Space To text box and the Set Warning Level To text box, enter the values for the limit and warning levels, respectively, that you want to set.

2. Select the Deny Disk Space To Users Exceeding Quota Limit check box. Windows XP Professional will monitor usage and will not allow users to create files or folders on the volume when they exceed the limit.

To enforce different quota limits for one or more specific users:

1. In Computer Management, open the Properties dialog box for a volume or partition, click the Quota tab, and then click Quota Entries.

2. In the Quota Entries dialog box, shown in Figure 3-19, double-click the user account for which you want to set a disk quota limit, or create an entry by choosing New Quota Entry from the Quota menu.


Figure 3-19 The Quota Entries dialog box

3. Configure the disk space limit and the warning level for each individual user.


Determining the Status of Disk Quotas


You can determine the status of disk quotas on the Quota tab of the Properties dialog box for a disk by checking the traffic-light icon and reading the status message to its right (Figure 3-18). The color shown on the traffic-light icon indicates the status of disk quotas:

A red traffic light indicates that disk quotas are disabled.

A yellow traffic light indicates that Windows XP Professional is rebuilding disk quota information.

A green traffic light indicates that the disk quota system is active.

Monitoring Disk Quotas


You use the Quota Entries dialog box (shown earlier in Figure 3-19) to monitor usage for all users who have copied, saved, or taken ownership of files and folders on the volume. Windows XP Professional scans the volume and monitors the amount of disk space in use by each user. You can use the Quota Entries dialog box to view the following:

The amount of hard disk space that each user uses

Users who are over their quota warning threshold, signified by a yellow triangle

Users who are over their quota limit, signified by a red circle

The warning threshold and the disk quota limit for each user

Best Uses for Disk Quotas


Use the following guidelines for using disk quotas:

If you enable disk quota settings on the volume where Windows XP Professional is installed and your user account has a disk quota limit, log on as Administrator to install additional Windows XP Professional components and applications. In this way, Windows XP Professional will not charge the disk space that you use to install applications against the disk quota allowance for your user account.

You can monitor hard disk usage and generate hard disk usage information without preventing users from saving data. To do so, clear the Deny Disk Space To Users Exceeding Quota Limit check box when you enable disk quotas.

106

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Set more restrictive default limits for all user accounts, and then modify the limits to allow more disk space to users who work with large files.

If multiple users share computers running Windows XP Professional, set disk quota limits on computer volumes so that disk space is shared by all users who share the computer.

Generally, you should set disk quotas on shared volumes to limit storage for users. Set disk quotas on public folders and network servers to ensure that users share hard disk space appropriately. When storage resources are scarce, you might want to set disk quotas on all shared hard disk space.

Delete disk quota entries for users who no longer store files on a volume. You can delete quota entries for a user account only after all files that the user owns have been removed from the volume or another user has taken ownership of the files.
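The same configuration can be done from the command line, which is how you would apply it to many computers. The following PowerShell script is an added example, not code from the book: it sets enforced default limits for a volume through the Win32_QuotaSetting WMI class, adds a larger entry for one user with the built-in fsutil tool, and then reports every user's charged usage and status through Win32_DiskQuota. The volume letter, the limit values and the account name are assumptions to change for your system; the script must run as an administrator.

```powershell
# Added example (not from the book): set NTFS disk quotas on a volume and report who
# is over the warning level or limit. The volume letter, the default limits and the
# account name below are assumptions; change them for your system.
param(
    [string]$Volume         = "D:",               # quotas are per NTFS volume, not per disk
    [uint64]$DefaultLimit   = 1GB,
    [uint64]$DefaultWarning = 900MB,
    [string]$HeavyUser      = "CORP\graphics1",   # assumed account that works with large files
    [uint64]$HeavyLimit     = 4GB,
    [uint64]$HeavyWarning   = 3GB
)

# 1. Default limits for everyone, enforced.
#    Win32_QuotaSetting.State: 0 = disabled, 1 = tracked (usage recorded, writes never
#    refused), 2 = enforced (the "Deny Disk Space To Users Exceeding Quota Limit" box).
$setting = Get-WmiObject -Class Win32_QuotaSetting |
    Where-Object { $_.VolumePath -eq "$Volume\" }
if (-not $setting) { throw "No quota settings for $Volume; quotas need an NTFS volume." }

$setting.DefaultLimit                = $DefaultLimit
$setting.DefaultWarningLimit         = $DefaultWarning
$setting.State                       = 2
$setting.ExceededNotification        = $true   # log an event when a user hits the limit
$setting.WarningExceededNotification = $true   # and when a user passes the warning level
$setting.Put() | Out-Null

# 2. A larger entry for one user. fsutil takes the threshold and limit in bytes:
#    fsutil quota modify <volume> <threshold> <limit> <domain\user>
& fsutil quota modify $Volume $HeavyWarning $HeavyLimit $HeavyUser

# 3. Audit. Win32_DiskQuota.Status: 0 = OK, 1 = over warning level, 2 = over limit.
#    Usage is charged to the file OWNER, so files a user owns in a shared folder count
#    against that user even though they are not in the user's own folders.
$rows = Get-WmiObject -Class Win32_DiskQuota |
    Where-Object { $_.QuotaVolume -like "*DeviceID=`"$Volume`"*" } |
    ForEach-Object {
        # User is a WMI object path such as
        # \\.\root\cimv2:Win32_Account.Domain="CORP",Name="graphics1"
        $name = $_.User -replace '^.*Domain="([^"]*)",Name="([^"]*)".*$', '$1\$2'
        New-Object PSObject -Property @{
            User    = $name
            UsedMB  = [math]::Round($_.DiskSpaceUsed / 1MB, 1)
            LimitMB = [math]::Round($_.Limit / 1MB, 1)
            Status  = @("OK", "WARNING", "OVER LIMIT")[[int]$_.Status]
        }
    }

$rows | Sort-Object UsedMB -Descending |
    Format-Table User, UsedMB, LimitMB, Status -AutoSize
```

The audit table is the command-line equivalent of the Quota Entries dialog box and shows the same ownership effect as Scenario 3-2 at the end of this chapter: a user who maintains files in a shared folder is charged for every file her account owns, wherever it lives. With the two notification flags set, quota events are written to the system log, and fsutil quota violations searches the logs for them.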

USING DISK DEFRAGMENTER, CHKDSK, AND DISK CLEANUP


Windows XP Professional saves files and folders in the first available space on a hard disk, not necessarily in a single contiguous area, so over time the parts of a file or folder become scattered across the disk. This scattering is known as fragmentation. When a hard disk contains many fragmented files and folders, access takes longer because the disk needs several additional reads to collect the pieces, and creating new files takes longer because the free space is scattered too, so a new file must be written in several locations. Temporary files, Internet cache files, and unnecessary programs also take up space on the computer's hard drive. Finally, file system errors occur and sectors on a hard disk go bad; either can cause loss of the data stored there. This section introduces three Windows XP Professional tools (Disk Defragmenter, Chkdsk, and Disk Cleanup) that help you organize your hard disks, recover readable information from damaged areas of the disk, mark bad sectors to prevent future data loss, and clean up temporary files and unnecessary programs that are taking up space.

Defragmenting Disks
The process of finding and consolidating fragmented files and folders is called defragmenting. Disk Defragmenter locates fragmented files and folders and defragments them by moving the pieces of each file or folder to one location so they occupy a single, contiguous space on the hard disk. Your system can thus access and save files and folders more efficiently. By consolidating files and folders, Disk Defragmenter also consolidates free space, making it less likely that new files will be fragmented. Disk Defragmenter can defragment FAT, FAT32, and NTFS volumes. You access Disk Defragmenter by choosing Start | All Programs | Accessories | System Tools | Disk Defragmenter. The Disk Defragmenter window has three areas, as shown in Figure 3-20.

Figure 3-20 The Disk Defragmenter window



The upper pane of the window lists the volumes that you can analyze and defragment. The middle pane provides a graphic representation of how fragmented the selected volume is. The lower pane provides a dynamic representation of the volume that continuously updates during defragmentation. The display colors indicate the condition of the volume:

Red indicates fragmented files.

Blue indicates contiguous (nonfragmented) files.

Green indicates system files, which Disk Defragmenter cannot move.

White indicates free space on the volume.

By comparing the Analysis Display band to the Defragmentation Display band during and after defragmentation, you can easily see the improvement in the volume. You can also open Disk Defragmenter by selecting a drive you want to defragment in Windows Explorer or My Computer. Choose File | Properties, click the Tools tab, and click Defragment Now. Then select one of these options:

Analyze Analyzes the disk for fragmentation. After the analysis, the Analysis Display band provides a graphic representation of how fragmented the volume is.


Defragment Defragments the disk. After defragmentation, the Defragmentation Display band provides a graphic representation of the defragmented volume.

Figure 3-21 shows the Disk Defragmenter window after you have analyzed drive C. Windows XP Professional displays a message dialog box indicating that you need to defragment the volume. You can view a report showing more details about the fragmentation on your volume, close the dialog box and run the defragmenter at a later time, or defragment the volume right then.

Figure 3-21 The Disk Defragmenter window showing a completed analysis



If there is not enough fragmentation to require you to defragment the volume, Windows XP Professional displays a Disk Defragmenter dialog box indicating that there is currently no need to defragment the volume.

Using Disk Defragmenter Effectively


The following list provides some guidelines for using Disk Defragmenter:

Run Disk Defragmenter when the computer will receive the least usage. During defragmentation, data is moved around on the hard disk, and that process is disk intensive. The defragmentation process adversely affects access time to other disk-based resources.

Educate users to defragment their local hard disks at least once a month to prevent accumulation of fragmented files. Third-party disk defragmenter tools allow remote management and scheduling to ensure that monthly defragmentation takes place.

Analyze the target volume before you install large applications, and defragment the volume if necessary. Installations complete more quickly when the target volume has adequate contiguous free space. Also, accessing the application after installation is faster.

When you delete a large number of files or folders, your hard disk might become excessively fragmented; be sure to analyze it afterward.

Using Chkdsk
Chkdsk attempts to repair file system errors, locate bad sectors, and recover readable information from those bad sectors and mark them to prevent their future use. All files on the volume or partition must be closed for this program to run. To access Chkdsk, select the drive you want to check in Windows Explorer or My Computer. Choose File | Properties, click the Tools tab, and click Check Now. Select one of the options in the Chkdsk dialog box (shown in Figure 3-22).

Figure 3-22 The Chkdsk dialog box



Here are the execution options for Chkdsk:

Automatically Fix File System Errors Select this check box to have Windows XP Professional attempt to repair file system errors found during disk checking. All files must be closed for this program to run. If the drive is currently in use, a message asks if you would like to reschedule the disk checking for the next time you restart your computer. Your drive is not available to run other tasks while the disk is being checked.

Scan For And Attempt Recovery Of Bad Sectors Select this check box to have Windows XP Professional attempt to repair file system errors found during disk checking, locate bad sectors, and recover any readable information located in those bad sectors. All files must be closed for this program to run. If the drive is currently in use, a message asks if you would like to reschedule the disk checking for the next time you restart your computer. Your drive is not available to run other tasks while the disk is being checked. If you select this check box, you do not need to select Automatically Fix File System Errors because Windows XP Professional attempts to fix any errors on the disk.


NOTE

Chkdsk runs in five phases: file verification, index verification, security descriptor verification, file data verification, and free space verification.

You can also use the command-line version of Chkdsk. The command-line syntax for Chkdsk is as follows:

chkdsk [volume[[path]filename]] [/f] [/v] [/r] [/x] [/i] [/c] [/l[:size]]

The switches used by Chkdsk are described in Table 3-4.


Table 3-4 Chkdsk Options

Switch      Description

volume      Specifies the drive letter (followed by a colon), mount point, or volume name.

path        Specifies the location of a file or set of files within the folder structure of the volume. This parameter is valid only on volumes formatted with the FAT12, FAT16, and FAT32 file systems.

filename    Specifies the file or set of files to check for fragmentation. You can use the wildcards * and ?. This parameter is valid only on volumes formatted with the FAT12, FAT16, and FAT32 file systems.

/f          Fixes errors on the volume. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.

/v          On volumes formatted with FAT12, FAT16, or FAT32, displays the full path and name of every file on the volume. On volumes formatted with NTFS, displays any cleanup messages.

/r          Locates bad sectors and recovers readable information. This switch includes the function of /f. If Chkdsk cannot lock the volume, you are prompted to have Chkdsk check it the next time the computer starts.

/x          Forces the volume to dismount first, if necessary, which invalidates all open handles to the volume. This switch includes the function of /f and is valid only on volumes formatted with NTFS.

/i          Performs a less vigorous check of index entries. This switch is valid only on volumes formatted with NTFS.

/c          Skips the checking of cycles within the folder structure. This switch is valid only on volumes formatted with NTFS.

/l[:size]   Displays the current size of the log file or, if size is given, changes the log file size to size kilobytes. This switch is valid only on volumes formatted with NTFS.

/?          Displays this list of switches.


Used without parameters, Chkdsk displays the status of the disk in the current volume.
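The guidelines above (run Disk Defragmenter when the computer is least used, analyze before installing large applications) and the Chkdsk switches are easiest to apply from a script. The following PowerShell script is an added example, not code from the book: it runs Chkdsk in read-only mode so that it is safe on a busy system volume, acts on the exit code, and then runs the command-line defragmenter in analysis mode. The volume letter is an assumption, and so is the English wording of the defrag message the script looks for.

```powershell
# Added example (not from the book): non-destructive health and fragmentation check of
# one volume with the chkdsk and defrag command-line tools. The volume letter is an
# assumption; the exit codes are those documented for chkdsk.
param([string]$Volume = "C:")

# chkdsk without /f or /r only reads the volume, so it is safe on the system volume
# while Windows is running. Exit codes: 0 = no errors found; 1 = errors found and fixed
# (only possible with /f); 2 = disk cleanup such as garbage collection performed, or
# skipped because /f was not given; 3 = errors found but not fixed because /f was not
# given, or the volume could not be checked at all.
& chkdsk $Volume | Out-Null
$chk = $LASTEXITCODE

if ($chk -eq 0) {
    Write-Host "$Volume file system is clean."
}
elseif ($chk -eq 3) {
    # chkdsk /f needs exclusive access, which it can never get on the system volume
    # while Windows is running. Setting the volume's dirty bit makes autochk run a
    # full repair at the next startup; the bit is cleared only when that check completes.
    Write-Warning "$Volume has file system errors; marking it dirty so autochk repairs it at the next restart."
    & fsutil dirty set $Volume
}
else {
    Write-Warning "chkdsk returned $chk for $Volume; review its output before repairing."
}

# defrag -a analyzes only and reports whether defragmentation is recommended; -v adds
# the full analysis report. Matching the English message text is an assumption.
$report = & defrag $Volume -a -v
if ($report -match 'should defragment') {
    Write-Warning "$Volume is fragmented enough to defragment; run 'defrag $Volume' during off-hours."
}
else {
    Write-Host "$Volume does not need defragmenting."
}
$report | Where-Object { $_ -match 'fragmentation' }   # print only the summary lines
```

Run the script as an administrator. Because the check itself never writes to the volume, it can be scheduled with Scheduled Tasks on every workstation; only the repair (autochk at the next restart) and the actual defragmentation pass touch the disk, and those are the steps to keep for the times of least use.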

Using Disk Cleanup


You can use Disk Cleanup to free up disk space by deleting temporary files and uninstalling programs. Disk Cleanup lists the temporary files, Internet cache files, and unnecessary programs that you can safely delete. To access Disk Cleanup, select the drive you want to clean up in Windows Explorer or My Computer. Choose File | Properties, click the General tab, and click Disk Cleanup. The Disk Cleanup dialog box (shown in Figure 3-23) has the following options.

Figure 3-23 The Disk Cleanup dialog box



Downloaded Program Files Select this check box to delete the ActiveX controls and Java applets that were downloaded automatically from the Internet when users viewed certain pages. These files are temporarily stored in the Downloaded Program Files folder on the computer's hard disk.

Temporary Internet Files Select this check box to delete the files in the Temporary Internet Files folder on the computer's hard drive. These files are Web pages stored on the hard disk for quick viewing. Users' personalized settings for Web pages are not deleted.

Recycle Bin Select this check box to delete the files in the Recycle Bin. When you delete a file from your computer, it is not permanently removed from the computer until the Recycle Bin is emptied (when the files in the Recycle Bin are deleted).


Temporary Files Select this check box to delete any temporary files on this volume. Programs sometimes store temporary information in a Temp folder. Before a program closes, it usually deletes this information. You can safely delete temporary files that have not been modified in more than a week.

WebClient/Publisher Temporary Files Select this check box to delete any temporary WebClient/Publisher files. The WebClient/Publisher service maintains a cache of accessed files on this disk. These files are kept locally for performance reasons only and can be safely deleted.

Compress Old Files Select this check box to compress files that have not been accessed in a while. No files are deleted, and all files are still accessible. Because files compress at different rates, the value displayed for the amount of space you will recover is an approximation.

Catalog Files For The Content Indexer Select this check box to delete any old catalog files left over from previous indexing operations. The Indexing Service speeds up and enriches file searches by maintaining an index of the files on this disk.

For additional ways to free up space on your hard disk using Disk Cleanup, click the More Options tab in the Disk Cleanup dialog box (shown in Figure 3-24).

Figure 3-24 The More Options tab of the Disk Cleanup dialog box


The other options for Disk Cleanup are:

Windows Components Click Clean Up under Windows Components to launch the Windows Components Wizard, which allows you to add and remove Windows components from your installation. These components include Accessories and Utilities, Fax Services, Indexing Services, Microsoft Internet Explorer, Internet Information Services (IIS), Management and Monitoring Tools, Message Queuing, MSN Explorer, Networking Services, Other Network File and Print Services, and Update Root Certificates.

Installed Programs Click Clean Up under Installed Programs to launch Add Or Remove Programs, which allows you to install programs and to uninstall programs that are no longer in use. The list of programs available to be uninstalled depends on what programs are installed on your computer.

System Restore Click Clean Up under System Restore to delete all but the most recent restore points. For more information about restore points and System Restore, see Chapter 15.
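The check boxes described above can also be preselected and run without the dialog box, which is how you would clean up many computers on a schedule. The following PowerShell script is an added example, not code from the book. It relies on the way Disk Cleanup saves a /sageset profile: one StateFlagsNNNN registry value under each handler key below VolumeCaches, set to 2 when the handler is selected and 0 when it is not. The handler key names are those found on a Windows XP system and should be verified on yours; the profile number 64 is arbitrary. The script must run as an administrator because the keys live under HKLM.

```powershell
# Added example (not from the book): run Disk Cleanup unattended with a fixed set of
# handlers. Handler key names and the profile number are assumptions to verify locally.
$profile = 64
$base    = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches"
$wanted  = @("Temporary Files",
             "Temporary Internet Files",
             "Downloaded Program Files",   # ActiveX controls and Java applets fetched by the browser
             "Recycle Bin")

# Write the selection for profile 64 into every handler key. Handlers not in $wanted
# get 0, so options such as "Compress Old Files" stay off rather than inheriting
# whatever a previous /sageset left behind.
Get-ChildItem $base | ForEach-Object {
    $handler = $_.PSChildName
    $flag    = if ($wanted -contains $handler) { 2 } else { 0 }
    Set-ItemProperty -Path $_.PSPath -Name ("StateFlags{0:D4}" -f $profile) -Value $flag -Type DWord
}

# /sagerun applies the saved selection to every local fixed drive without showing the
# option dialog. Use "cleanmgr /sageset:64" instead to pick the handlers interactively
# and save them under the same profile number.
Start-Process -FilePath "cleanmgr.exe" -ArgumentList "/sagerun:$profile" -Wait
```

Keep the explicit 0 for unwanted handlers: Compress Old Files rewrites files on disk rather than deleting anything, and an inherited selection would silently compress data on every run.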


SUMMARY

The Disk Management snap-in provides a central location for disk information and management tasks, such as creating and deleting partitions and volumes; formatting them with the FAT, FAT32, or NTFS file systems; and assigning them drive letters. The Disk Management snap-in provides a way to manage disks locally and on remote computers.

A disk that is initialized for basic storage is called a basic disk; it can contain primary partitions, extended partitions, and logical drives. A disk that is initialized for dynamic storage is called a dynamic disk; dynamic storage allows for greater flexibility with regard to configuration. It can be divided into volumes, which can consist of a portion, or portions, of one or more physical disks.

In Windows XP Professional, NTFS compression allows you to compress files, folders, or an entire volume. NTFS encryption and compression are mutually exclusive. To create a compressed folder using the Compressed Folders feature, start Windows Explorer, choose File | New, and then click Compressed Folder.

Use Windows XP Professional disk quotas to allocate disk space usage to users. You can set disk quotas, quota thresholds, and quota limits for all users and for individual users. You can apply disk quotas only to NTFS 5 volumes.

The EFS allows users to encrypt NTFS files by using a strong public key-based cryptographic scheme; when a folder is encrypted, the files created in it are encrypted as well.

Disk Defragmenter, a Windows XP Professional system tool, locates fragmented files and folders and defragments them, enabling your system to access and save files and folders more efficiently.

Chkdsk attempts to repair file system errors, locate bad sectors, and recover readable information from those bad sectors.

Disk Cleanup frees up disk space by locating temporary files, Internet cache files, and unnecessary programs that you can safely delete, and it also deletes temporary files and uninstalls programs.


REVIEW QUESTIONS
1. Which of the following statements are true for a disk that uses dynamic storage? (Choose all correct answers.)

a. The system partition for Windows NT is never on a dynamic disk.
b. A dynamic disk can be partitioned into four primary partitions or three primary partitions and one extended partition.
c. The Convert command allows you to convert a basic disk into a dynamic disk.
d. A dynamic disk has a single partition that includes the entire disk.

2. Which of the following does Windows XP Professional allow you to compress using NTFS compression? (Choose all correct answers.)

a. A FAT volume
b. An NTFS volume
c. A bitmap stored on a floppy disk
d. A folder on an NTFS volume

3. Which of the following types of files or data are good candidates for NTFS compression? (Choose all correct answers.)

a. Encrypted data
b. Frequently updated data
c. Bitmaps
d. Static data

4. Which of the following statements about disk quotas in Windows XP Professional is correct?

a. Disk quotas track and control disk usage on a per-user, per-disk basis.
b. Disk quotas track and control disk usage on a per-group, per-volume basis.
c. Disk quotas track and control disk usage on a per-user, per-volume basis.
d. Disk quotas track and control disk usage on a per-group, per-disk basis.


5. Which of the following files and folders does Windows XP Professional allow you to encrypt? (Choose all correct answers.)

a. A file on an NTFS volume
b. A folder on a FAT volume
c. A file stored on a floppy disk
d. A folder on an NTFS volume

6. Which of the following functions does Chkdsk perform? (Choose all correct answers.)

a. Locate fragmented files and folders and arrange them contiguously.
b. Locate and attempt to repair file system errors.
c. Locate bad sectors and recover readable information from those bad sectors.
d. Delete temporary files and offline files.

CASE SCENARIOS
Scenario 3-1: Storage Choices
You are configuring a computer that will be used as a graphics workstation. You have specified the fastest processor available, 4 GB of RAM, a top-of-the-line graphics processor, and a very fast network adapter. You are deciding what disk configuration to specify for data storage. Of the following available configurations, which offers the fastest read/write performance with this computer?

a. Four disks using dynamic storage, configured as a spanned volume
b. Four disks using basic storage, configured as separate volumes
c. Four disks using dynamic storage, configured as a striped volume
d. Four disks using dynamic storage, configured as separate volumes


Scenario 3-2: Disk Quotas


You have configured a computer for your accounting department with the following settings:

Two NTFS volumes (one system, one data).

Disk quotas on the data volume permit 1 GB per user.

Users each have a personal folder for their own files, and all users share a folder for community projects.

A user reports that she cannot save a file to her disk and that she received an insufficient disk space error. She is puzzled by this because she has only 457 MB used in her My Documents folder. After investigating, you learn that she is also responsible for maintaining the community files and that several are owned by her user account. The total size of the files under her ownership, according to the Quota Entries dialog box, is 998.57 MB. What is the best way to allow her to continue saving files on this system?

a. Tell her to delete some files to make more space available.
b. Increase the disk quota available to her account.
c. Take ownership of some files yourself to give her more free quota space.
d. Increase the disk quota available to all users of this computer.

CHAPTER 4

MANAGING DEVICES AND PERIPHERALS


Upon completion of this chapter, you will be able to:
Implement, manage, and troubleshoot input and output (I/O) devices

Manage and troubleshoot drivers and driver signing

Configure and monitor multiprocessor computers

Configure Advanced Configuration and Power Interface (ACPI) settings and support

In this chapter, we begin to work with system hardware and how to install, configure, and troubleshoot it. We will discuss many types of I/O devices, configure settings for driver signing, and cover multiprocessor and ACPI configuration. To get the most from this chapter, you should be familiar enough with PC hardware to be able to identify different types of hardware and perform basic installation of I/O cards and peripherals.



USING DEVICE MANAGER


Device Manager provides you with a graphical view of the hardware installed on your computer and helps you manage and troubleshoot it. You can use Device Manager to disable, uninstall, and update device drivers. Device Manager also helps you determine whether the hardware on your computer is working properly. It lists devices with problems, and each device that is flagged is displayed with the corresponding status information.
NOTE

Windows XP Professional also provides the Hardware Troubleshooter to troubleshoot hardware problems. To access the Hardware Troubleshooter, choose Start | Help And Support. In the Help and Support Center, under Pick A Help Topic, click Hardware. In the Hardware list, click Fixing A Hardware Problem. Under Fixing A Hardware Problem, click Hardware Troubleshooter.

Configuring and Troubleshooting Devices


When you change device configurations manually, Device Manager can help you avoid problems by allowing you to identify free resources and assign a device to that resource, disable devices to free resources, and reallocate resources used by devices to free a required resource. You must be logged on as a member of the Administrators group to change resource settings. Even if you are logged on as Administrator, if your computer is connected to a network, policy settings on the network might prevent you from changing resources.
CAUTION

Improperly changing resource settings on devices can disable your hardware and cause your computer to stop working.

The Plug and Play (PnP) basic input/output system (BIOS) automatically identifies PnP devices and arbitrates their resource requests. However, the resource allocation among PnP devices is not permanent. If another PnP device requests a resource that has already been allocated, the BIOS again arbitrates the requests to satisfy all of them. After startup, Windows XP takes over management of devices and might again change one or more assignments to suit its own requirements. You should not manually change resource settings for a PnP device because Windows XP Professional will then be unable to arbitrate the assigned resources if they are requested by another PnP device. In Device Manager, PnP devices have a Resources tab in their Properties dialog box. To free the resource settings you manually assigned and allow Windows XP Professional to again arbitrate the resources, select the Use Automatic Settings check box on the Resources tab.

CHAPTER 4:

MANAGING DEVICES AND PERIPHERALS

121

NOTE

Devices supported by Windows NT 4 have fixed resource settings. These are usually defined during an upgrade from Windows NT 4 to Windows XP Professional, but you can also define them by using the Add Hardware Wizard in Control Panel.

To configure or troubleshoot a device using Device Manager:

1. Click Start, right-click My Computer, and then click Manage. The Computer Management console opens (Figure 4-1).

Figure 4-1 The Computer Management console

2. Under System Tools, click Device Manager.

3. In the Details pane, double-click the device type, and then double-click the device you want to configure. A Properties dialog box for the device appears (Figure 4-2).

Figure 4-2 A Properties dialog box for the Netelligent 10/100TX PCI UTP Controller

4. To configure a device, click the appropriate tab. To troubleshoot, on the General tab, click the Troubleshoot button.


The tabs in the Properties dialog box will vary depending on the device selected, but they should include some of the ones listed here:

General Displays the device type, manufacturer, and location. It also displays the device status and provides a troubleshooter to help you troubleshoot any problems you are having with the device. The troubleshooter steps you through a series of questions to determine the problem and provide a solution.

Advanced or Advanced Properties The properties listed vary depending on the device selected.

Device Properties The properties listed vary depending on the device selected.

Driver Displays the driver provider, driver date, driver version, and digital signer; a driver without a valid signature shows Not Digitally Signed here. This tab also provides the Driver Details, Uninstall, and Update Driver buttons, which allow you to get additional information on the driver, uninstall the driver, or update the driver with a newer version, respectively.

Port Settings Available in a communications port (COM1) Properties dialog box, this tab allows you to configure settings for bits per second, data bits, parity, stop bits, and flow control.

Properties Determines how Windows uses the device. For example, for a CD-ROM, these settings determine how Windows uses the CD-ROM for playing CD music (for example, volume and enabling digital CD playback instead of analog playback).

Resources Displays the resource type and setting, whether there are any resource conflicts, and whether you can change the resource settings.

Viewing Hidden and Phantom Devices


By default, Device Manager does not display all devices. The devices that are not displayed include hidden (non-PnP) devices and phantom (disconnected) devices. Non-PnP devices are fixed system devices that have drivers installed; they typically are not managed because they are permanently installed as part of the system's hardware.

To display hidden devices:

1. In Device Manager, choose View | Show Hidden Devices.

Phantom devices are devices that have been installed but are not currently connected. Examples of phantom devices are disconnected USB keychain drives, PC Card devices, and Bluetooth peripherals. When these devices are disconnected, they usually disappear from Device Manager.


To display phantom devices:

1. Click Start | Run. In the Open text box, type cmd, and click OK.

2. At the command prompt, type set DEVMGR_SHOW_NONPRESENT_DEVICES=1 and press ENTER.

3. At the same command prompt, type start devmgmt.msc and press ENTER. Device Manager must be started from this command prompt so that it inherits the variable; a copy of Device Manager opened from the Start menu or from Computer Management does not see it.

4. In Device Manager, choose View | Show Hidden Devices. Phantom devices are now displayed, with grayed-out icons.
NOTE

The command set DEVMGR_SHOW_NONPRESENT_DEVICES=1 is an example of an environment variable. You can set an environment variable for the active session by using this command, or you can set it globally by using the Environment Variables dialog box (accessed via the Advanced tab of the System Properties dialog box). We will expand on the discussion of environment variables in Chapter 13.
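The two tasks in this section, finding devices that Device Manager flags and showing phantom devices, can be combined in one script. The following PowerShell script is an added example, not code from the book: it lists every device whose ConfigManagerErrorCode is not zero through the Win32_PnPEntity WMI class, then sets the environment variable and starts Device Manager from the same process so that the variable is inherited. It uses only that WMI class and the built-in devmgmt.msc console; nothing else is assumed.

```powershell
# Added example (not from the book): list every device Device Manager would flag, then
# open Device Manager so that phantom (not currently connected) devices are visible.

# ConfigManagerErrorCode is 0 for a working device. Any other value is the problem
# code Device Manager shows on the device's General tab, for example 12 (the device
# cannot find enough free resources) or 28 (the drivers for the device are not installed).
function Get-ProblemDevice {
    Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 } |
        Select-Object Name, DeviceID, ConfigManagerErrorCode
}

$problems = @(Get-ProblemDevice)
if ($problems.Count -gt 0) {
    Write-Host "$($problems.Count) device(s) report a problem code:"
    $problems | Format-Table -AutoSize
}
else {
    Write-Host "No device reports a problem code."
}

# The variable must exist in the environment of the process that starts Device
# Manager. Set it here and launch the console from this same session; a Device Manager
# opened from the Start menu or Computer Management was started by explorer.exe,
# which never saw the variable.
$env:DEVMGR_SHOW_NONPRESENT_DEVICES = "1"
Start-Process -FilePath "mmc.exe" -ArgumentList "devmgmt.msc"
# In the console, choose View | Show Hidden Devices; phantom devices appear grayed out.
```

Because phantom entries stay registered until they are uninstalled, the resulting list also shows removable devices, such as the USB keychain drives mentioned above, that were attached to the computer in the past and are no longer present.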

MANAGING AND TROUBLESHOOTING I/O DEVICES


The list of devices that can be installed is too long to include here. This section describes some of the most common devices and how they are installed, configured, and managed.

Scanners and Cameras


Most digital cameras, scanners, and other imaging devices are PnP devices that Windows XP Professional installs automatically when you connect them to your computer. If your imaging device is not installed automatically when you connect it, or if it does not support PnP, use the Scanner And Camera Installation Wizard to install it. To manually install a scanner, camera, or other imaging device:

1. In Control Panel, click Printers And Other Hardware, and then click Scanners And Cameras.

2. In the Scanners And Cameras window, double-click Add An Imaging Device to start the Scanner And Camera Installation Wizard.

3. Click Next, and follow the on-screen instructions to install your imaging device.

4. In Device Manager, select the appropriate device, and then click Properties. The standard color profile for Image Color Management (ICM 2.0) is sRGB, but you can add, remove, or select a different color profile for a device. To change the color profile, click the Color Management tab of the device's Properties dialog box.


NOTE

Image Color Management (ICM) is a framework that allows scanners, cameras, printers, and monitors to share data about color values. This ensures the colors scanned by the scanner are reliably displayed on the monitor and properly depicted when printed. ICM uses color space profiles to control its color management functions. Examples of color space profiles are sRGB (Red, Green, and Blue), and CMYK (Cyan, Magenta, Yellow, and Black). The profile you choose depends on the type of devices you are using and the type of output you are generating. More information on color space profiles is available from the International Color Consortium at http://www.color.org.

5. If you have any problems with your scanner or camera, click Troubleshoot in the Scanners And Cameras Properties dialog box.

Mouse Devices
Click the Mouse icon in the Printers And Other Hardware window of Control Panel to configure and troubleshoot your mouse. The following list describes the options available:

Buttons Allows you to configure your mouse for a left-handed or right-handed user. It also allows you to set a single mouse click to select or open, and it allows you to control the double-click speed. (See Figure 4-3.)


Figure 4-3 The Buttons tab of the Mouse Properties dialog box

Pointers Allows you to select or create a custom scheme for your pointer.

Pointer Options Allows you to adjust the speed and acceleration of your pointer and set the Snap To Default option, which moves the pointer to the default button in dialog boxes.

Hardware Allows you to access the Troubleshooter if you are having problems with your mouse. This tab also has a Properties button that allows you to perform advanced configuration of your mouse. This includes uninstalling or updating your mouse driver, viewing or changing the resources allocated to your mouse, and increasing or decreasing the sensitivity of your mouse by varying the sample rate, which defines how often Windows XP Professional determines the position of your mouse.

Modems
Click Phone And Modem Options in the Printers And Other Hardware window of Control Panel to install, configure, or troubleshoot your modem.

To install a new modem:

1. On the Modems tab, click Add. The Add Hardware Wizard steps you through the installation process.

To configure an installed modem:

1. On the Modems tab, select the modem from the list of installed modems, and click Properties.

2. Click the appropriate tab for the configuration changes you want to make. For example:

a. Click the Modem tab (Figure 4-4) to set the maximum port speed and whether to wait for a dial tone before dialing.

b. The Diagnostics tab allows you to query the modem and to view the modem log.

c. If you need additional help in troubleshooting the modem, you can use the General tab to access the Troubleshooter.


Figure 4-4 Configuring modem settings

The Phone and Modem Options dialog box has two other tabs:

Dialing Rules tab Lists all the locations you have configured on the computer. Click Add on this tab to add a new location, or click Edit to edit an existing location.

126

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Advanced tab Shows the telephony providers installed on this computer (Figure 4-5). It also allows you to add or remove telephony providers and to configure those already installed.


Figure 4-5 Configuring modem settings

MORE INFO

We will cover modem configuration as it pertains to dialing and communications in Chapter 10.

Game Controllers
Click Game Controllers in the Printers And Other Hardware window of Control Panel to install, configure, or troubleshoot your game controller. To install a game controller:

1. Attach the game controller to the computer (for example, if it is a universal serial bus [USB] game controller, attach it to a USB port).
2. If the game controller does not install properly, in Device Manager, look under Human Interface Devices. If you do not see an icon for your game controller, check to make sure your system has detected its USB controllers and root hubs (Figure 4-6).
3. Missing USB controllers may be an indication that your USB ports are not activated in the BIOS. If the USB host controller is not listed, check to make sure USB is enabled in the BIOS. When prompted during system startup, enter BIOS setup and enable USB.
4. If USB is enabled in the BIOS, contact the manufacturer or vendor for your computer and obtain the current version of the BIOS.


Figure 4-6 Viewing installed USB controllers and root hubs

IrDA and Wireless Devices


Most internal Infrared Data Association (IrDA) devices should be installed during Windows XP Professional setup or when you start Windows XP Professional after adding one of these devices. If you attach an IrDA transceiver to a serial port, you must install it using the Add Hardware Wizard. To configure an IrDA device:

1. In Control Panel, click Wireless Link.
2. On the Hardware tab, click the device you want to configure, and then click Properties. The Properties dialog box (Figure 4-7) shows the status of the device, driver files, and any power management settings.


Figure 4-7 Configuring IrDA device settings

NOTE

The Wireless Link icon appears in Control Panel only if you have already installed an infrared device on your computer.


Keyboards
Click Keyboard in the Printers And Other Hardware window of Control Panel to configure or troubleshoot a keyboard.

On the Speed tab (Figure 4-8), you can configure the character repeat delay and the character repeat rate. You can also control the cursor blink rate. The Hardware tab shows you the device properties for the installed keyboard and allows you to access the Troubleshooter if you are having problems with your keyboard. You can also install a device driver, roll back to a previous device driver, or uninstall a device driver.


Figure 4-8 Configuring keyboard speed settings

UNDERSTANDING AUTOMATIC AND MANUAL HARDWARE INSTALLATION


Windows XP Professional supports PnP devices. For most devices that are PnP-compliant, if the appropriate driver is available and the BIOS on the computer is a PnP BIOS or an ACPI BIOS, Windows XP Professional automatically detects, installs, and configures the device. When Windows XP Professional detects a new piece of hardware that cannot be installed automatically, it displays the Found New Hardware Wizard (Figure 4-9). When a hardware device is not detected, you must initiate installation manually. You can also use the Add Hardware Wizard to do this.


Figure 4-9 The Found New Hardware Wizard



To install hardware using the Add Hardware Wizard:

1. Click Start | Control Panel | Printers And Other Hardware.
2. Click Add Hardware to start the Add Hardware Wizard.
3. On the Welcome To The Add Hardware Wizard page, click Next. Windows XP Professional searches for new devices and does one of the following:

If it detects any new PnP hardware, it installs the new hardware.

If it detects new hardware but cannot locate the correct drivers, it starts the Found New Hardware Wizard (Figure 4-9).

If it cannot find a new device, you'll see the wizard's Is The Hardware Connected? page. If you have already connected the new device, click Yes, I Have Already Connected The Hardware, and then click Next. The wizard displays the The Following Hardware Is Already Installed On Your Computer page (Figure 4-10). To add hardware that is not in the list, click Add A New Hardware Device.
NOTE

To use the Add Hardware Wizard to troubleshoot a hardware device, click the device in the list of installed hardware devices, and then click Next. The Completing The Add Hardware Wizard page appears. Click Finish to launch a troubleshooter to help solve any problems you might be having with that hardware device. For more on troubleshooting devices, see the Troubleshooting Device Installation section later in this chapter.



Figure 4-10 Adding hardware or troubleshooting with the Add Hardware Wizard

Confirming Hardware Installation


After installing hardware, you should confirm the installation using Device Manager. To start Device Manager, do the following:

1. Right-click My Computer, and select Properties.
2. Click the Hardware tab, and then click Device Manager, where you can view the installed hardware (Figure 4-11).
NOTE

You can also launch Device Manager from the Computer Management console. It is a snap-in located under System Tools.


Figure 4-11 Device Manager, showing devices listed by type


Windows XP Professional uses icons in the Device Manager window to identify each installed hardware device. If Windows XP Professional does not have an icon for the device type or cannot identify a device, it displays a question mark. Expand the device tree to locate the newly installed hardware device. The device icon indicates whether the hardware device is operating properly. Three icons display the hardware status:

Normal Hardware is operating properly.

Stop sign Windows XP Professional disabled the hardware device because of hardware conflicts. To correct this, right-click the device icon and then choose Properties. Research the actual settings configured on the device and set the hardware resources in the system manually to match the actual device settings.
NOTE

To get the actual device settings, you might need to physically view the device and look at its settings, or review its configuration in your system BIOS. This may involve examining switches or jumpers (groups of pins that can be electrically connected to alter hardware configuration).

Exclamation point The hardware device is configured incorrectly or its drivers are missing.

Troubleshooting Device Installation


Plenty of things can go wrong when you install a hardware device. Be sure to carefully follow the manufacturer's instructions to ensure a trouble-free installation. If you do see any of the icons that indicate an abnormally functioning hardware device, try the following:

Open the Properties dialog box for the device. The General tab lists the status of the device and lets you launch a device troubleshooter.

Consult the manufacturer's instructions to verify that you have performed all necessary steps to configure the device.

Right-click the device and select Uninstall. Restart Windows, and allow it to detect the device again.

Double-check the device's resource settings (if non-PnP) and ensure that they match those configured on the Resources tab.


Installing Hardware Manually


To manually install hardware, first determine which hardware resource is required by the hardware device. Next you must determine the available hardware resources. In some cases, you will have to modify hardware resource settings on other devices to free up an I/O port or interrupt request (IRQ). Finally, you might have to troubleshoot any problems you encounter.
NOTE

Windows XP installed on an ACPI system with the ACPI hardware abstraction layer (HAL) will not allow you to change resource settings. It might appear to accept your changes, but it will revert to its prior settings, even if you attempt to change the settings using the system BIOS configuration tools. To permit manual configuration of device resource settings, you must have installed a Standard PC HAL during installation. For more information, see the section titled Managing ACPI Support later in this chapter.

Determining which hardware resources are required When installing new hardware, you need to know what resources the hardware can use. You can check the product documentation to determine the resources that a hardware device requires. Here are the resources that hardware devices use to communicate with an operating system:

Interrupts Hardware devices must get the processor's attention to send messages. Such a request is known to the microprocessor as an interrupt request (IRQ). The microprocessor uses this information to determine which device needs its attention and the type of attention that it needs. Modern computers have a minimum of 15 IRQs, numbered 0 to 15, that are assigned to devices. For example, most computers assign IRQ 1 to the keyboard. Computers with Advanced Programmable Interrupt Controllers (APICs) can have up to 24 IRQs, which can be controlled by Windows XP. The computer's BIOS manages IRQ assignment on the Peripheral Component Interconnect (PCI) bus during the boot process. During startup, Windows XP takes over management of IRQs.
NOTE

Older bus designs such as the 16-bit Industry Standard Architecture (ISA) bus require users to manually set I/O cards to nonconflicting IRQs.

Input/output (I/O) ports I/O ports are a section of memory that a hardware device uses to communicate with the operating system. When a microprocessor receives an interrupt request via an IRQ, the operating system checks the I/O port address to retrieve additional information about what the hardware device wants it to do. An I/O port is represented as a hexadecimal number. Windows XP device drivers use I/O port settings to locate and access hardware resources.
NOTE

Do not confuse I/O ports with communication ports such as COM ports or USB ports. The latter are physical ports that accept data from peripheral devices but are not directly addressed by the CPU.

Direct memory access (DMA) channels DMA channels allow a hardware device, such as a floppy disk drive, to access memory directly, without interrupting the microprocessor. DMA channels speed up access to memory. Modern computers have eight DMA channels, numbered 0 through 7. DMA channels are managed by the motherboard's chipset or by devices that have their own DMA controller.

Determining available hardware resources After you determine which resources a hardware device requires, you can look for an available resource. Device Manager provides a list of all hardware resources and their availability (Figure 4-12).

Figure 4-12 Device Manager showing resources listed by connection



To view the hardware resource lists, do the following:

1. In the System Properties dialog box, click the Hardware tab, and then click Device Manager.
2. On the View menu, choose Resources By Connection. Device Manager displays the resources that are currently in use (for example, IRQs).
3. To view a list of resources for another type of hardware resource, click the type of hardware resource you want to see on the View menu.
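The following Windows PowerShell script is an added example, not part of the book: it reads the same allocation data that the Resources By Connection view displays, through the Win32_PnPAllocatedResource WMI association class, and then lists any IRQ line that more than one device holds. It goes slightly beyond the text by also listing memory ranges, and it assumes Windows PowerShell 2.0 or later is installed on the computer.

```powershell
# Added example: enumerate IRQ, I/O port, DMA and memory allocations through
# WMI, the data behind Device Manager's "Resources By Connection" view.
# Assumes Windows PowerShell 2.0 or later.

function Get-PnPResourceAllocation {
    # Win32_PnPAllocatedResource links one resource (Antecedent) to the device
    # holding it (Dependent). Both ends are WMI object paths; the [wmi]
    # accelerator turns a path into the object it names.
    foreach ($assoc in Get-WmiObject -Class Win32_PnPAllocatedResource) {
        $resource = [wmi]$assoc.Antecedent
        $device   = [wmi]$assoc.Dependent
        $type = $null
        switch ($resource.__CLASS) {
            'Win32_IRQResource' {
                $type  = 'IRQ'
                $value = [int]$resource.IRQNumber
            }
            'Win32_DMAChannel' {
                $type  = 'DMA'
                $value = [int]$resource.DMAChannel
            }
            'Win32_PortResource' {
                # I/O port ranges are conventionally shown in hexadecimal.
                $type  = 'I/O'
                $value = '{0:X4}-{1:X4}' -f $resource.StartingAddress, $resource.EndingAddress
            }
            'Win32_DeviceMemoryAddress' {
                $type  = 'Memory'
                $value = '{0:X8}-{1:X8}' -f $resource.StartingAddress, $resource.EndingAddress
            }
        }
        if ($type) {
            New-Object PSObject -Property @{
                Type     = $type
                Value    = $value
                Device   = $device.Name
                DeviceID = $device.DeviceID
            }
        }
    }
}

function Find-SharedIrq {
    param([object[]]$Allocations = (Get-PnPResourceAllocation))
    # On PCI and ACPI systems several devices often share one IRQ legitimately,
    # so a shared line is not an error by itself; it is the first thing to look
    # at when a device shows the stop-sign icon or reports I/O errors.
    $Allocations |
        Where-Object { $_.Type -eq 'IRQ' } |
        Group-Object -Property Value |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                IRQ     = [int]$_.Name
                Devices = ($_.Group | ForEach-Object { $_.Device }) -join '; '
            }
        }
}

$allocations = @(Get-PnPResourceAllocation)
$allocations | Sort-Object Type, Value | Format-Table Type, Value, Device -AutoSize
Find-SharedIrq -Allocations $allocations | Sort-Object IRQ | Format-Table IRQ, Devices -AutoSize
```

The first table corresponds to the Resources By Connection view; the second is the quickest way to see which devices compete for a line before you touch any Resources tab settings.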


When you know which hardware resources are available, you can install the hardware manually by using the Add Hardware Wizard.
NOTE

If you select a hardware resource during manual installation, you might need to configure the hardware device so that it can use the resource. For example, for a network adapter to use IRQ 5, you might have to set a jumper, change a firmware setting on the adapter, or change a setting in the system BIOS and configure Windows XP Professional so that it recognizes that the adapter now uses IRQ 5.

Changing hardware resource assignments You might need to change hardware resource assignments. For example, a hardware device might require a specific resource presently in use by another device. You might also encounter two hardware devices requesting the same hardware resource, resulting in a conflict. To change a resource setting:

1. On the Hardware tab of the System Properties dialog box, click Device Manager.
2. Expand the device list, right-click the specific device, and then choose Properties.
3. In the Properties dialog box for the device, click the Resources tab.
NOTE

When you change a hardware resource, you can print the content of Device Manager. This provides you with a record of the hardware configuration. If you encounter problems, you can use the printout to verify the hardware resource assignments.

From this point, follow the same procedures that you used to choose a hardware resource during a manual installation.
NOTE

Changing the resource assignments for non-PnP devices in Device Manager does not change the resources used by that device. You use Device Manager only to instruct the operating system on device configuration. To change the resources used by a non-PnP device, consult the device documentation to see how to configure the device.

VIEWING AND CONFIGURING HARDWARE PROFILES


Control Panel contains applications that you can use to customize selected aspects of the hardware and software configuration for a computer. You can configure hardware settings by creating and configuring hardware profiles. Windows XP Professional uses these hardware profiles to determine which drivers to load when system hardware changes.


Understanding Hardware Profiles


A hardware profile stores configuration settings for a set of devices and services. Windows XP Professional can store different hardware profiles to meet a user's various needs. Hardware profiles are used primarily for portable computers. For example, a portable computer can use different hardware configurations depending on whether it is docked or undocked. The user can create a hardware profile for each state (docked and undocked) and choose the appropriate profile when starting Windows XP Professional.

Creating or Modifying a Hardware Profile


To create or modify a hardware profile, in Control Panel, click Performance And Maintenance. In the Performance And Maintenance window, click System, and in the System Properties dialog box, click the Hardware tab. Click Hardware Profiles to view the Available Hardware Profiles list (Figure 4-13).

Figure 4-13 Available Hardware Profiles list in the Hardware Profiles dialog box

Windows XP Professional creates an initial profile during installation, listed as Profile 1 (Current). You can create a new profile with the same configuration as another profile. To create a new profile, in the Available Hardware Profiles list, select the profile that you want to copy, and then click Copy. The order of the profiles in the Available Hardware Profiles list determines the default order at startup. The first profile in the list becomes the default profile. To change the order of the profiles, use the Up and Down arrow buttons.


Activating a Hardware Profile


If the Available Hardware Profiles list contains two or more profiles, Windows XP Professional prompts the user to make a selection during startup. You can configure how long the computer waits before starting the default configuration. Some items to consider as you configure these settings:

To adjust this time delay, click the Select The First Profile Listed If I Don't Select A Profile In option and then specify the number of seconds in the Seconds text box in the Hardware Profiles Selection group. To configure Windows XP Professional to automatically choose the default profile without prompting the user, you set the number of seconds to 0.
NOTE

To override the default during startup, press SPACEBAR during the operating system selection prompt (on multiboot systems) or just after the BIOS screens disappear and before you see the Windows XP logo screen.

You can also select the Wait Until I Select A Hardware Profile option to have Windows XP Professional wait for you to select a profile.

When you use hardware profiles, be careful not to disable one of the boot devices using the Devices program in Control Panel. If you disable a required boot device, Windows XP Professional might not start. It is a good idea to make a copy of the default profile and then make changes to the new profile. Then you can use the default profile again if a problem occurs.

Viewing Hardware Profile Properties


To view the properties for a hardware profile, in the Available Hardware Profiles list, select a profile, and then click Properties. This displays the Properties dialog box for the profile. If Windows XP Professional identifies your computer as a portable unit, the This Is A Portable Computer check box is selected. If Windows XP Professional determines that your portable computer is docked, it selects that option. You cannot change this docked option setting after Windows XP Professional selects it.

DRIVER SIGNING AND FILE SIGNATURE VERIFICATION


Windows XP Professional drivers and operating system files have been digitally signed by Microsoft to ensure their quality. In Device Manager, you can look on the Driver tab of a device's Properties dialog box to verify that the digital signer of the installed driver is correct.


Some applications overwrite existing operating files as part of their installation process, which can cause system errors that are difficult to troubleshoot. Microsoft has greatly simplified the tracking and troubleshooting of altered files by signing the original operating system files and allowing you to easily verify these signatures.

Configuring Driver Signing Requirements


The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers are signed with a digital certificate. Drivers provided by third-party developers might not have passed this process.
CAUTION

Handle unsigned drivers at your own risk. They have not passed Microsoft quality testing.

To configure how the system responds to unsigned files, in Control Panel click System in the Performance And Maintenance section, and then click the Hardware tab. On the Hardware tab, in the Device Manager box, click Driver Signing (Figure 4-14).

Figure 4-14 Configuring driver signing in the Driver Signing Options dialog box

The following three settings are available to configure driver signing:

Ignore Allows any files to be installed regardless of their digital signature or lack thereof. Users are not alerted to the existence of an unsigned driver, and the driver is installed without delay.
CAUTION

Setting Ignore causes Windows XP to silently accept third-party drivers. Do not use this setting lightly. It poses a risk that a user can accept an unsuitable driver. It is almost always better to be alerted to the fact that a driver has not passed certification testing so you can make an informed decision about the driver's suitability before proceeding with the installation.


Warn This option, the default, displays a warning message before allowing the installation of an unsigned file. The user has the option to continue installing the driver or to cancel the installation.

Block Prevents the installation of unsigned files. Organizations that must assure system reliability will want to set this option to prevent installation of any driver that has not been fully tested.

If you are logged on as Administrator or as a member of the Administrators group, you can select the Make This Action The System Default check box to apply the driver signing configuration to all users who log on to the computer.

Checking System File Signatures


Windows XP Professional also provides System File Checker (SFC), a command-line tool that you can use to check the digital signature of files. The syntax of the SFC tool is as follows:
Sfc [/scannow] [/scanonce] [/scanboot] [/revert] [/purgecache] [/cachesize=x]

Table 4-1 explains the SFC optional parameters.


Table 4-1 System File Checker Optional Parameters

Parameter      Description
/scannow       Causes the SFC tool to scan all protected system files immediately
/scanonce      Causes the SFC tool to scan all protected system files once at the next system restart
/scanboot      Causes the SFC tool to scan all protected system files every time the system restarts
/revert        Causes the SFC settings to be returned to the default settings
/purgecache    Purges the file cache
/cachesize=x   Sets the file cache size

Using the File Signature Verification Tool


The File Signature Verification tool (Figure 4-15) allows you to view the file's name, location, modification date, file type, and version number. To use it, click Start, click Run, type sigverif, and then press ENTER. Once the File Signature Verification tool begins, you can click Advanced to configure it (Figure 4-16).


Figure 4-15 File signature verification

Figure 4-16 Configuring advanced file signature verification settings
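The following Windows PowerShell script is an added example, not part of the book, and it serves both the Driver Signing Options setting discussed above and the signer check that the Driver tab in Device Manager performs: it reports the unsigned-driver behavior in effect and lists installed Plug and Play drivers whose INF and catalog carry no valid signature, using the Win32_PnPSignedDriver WMI class. It assumes Windows PowerShell 2.0 or later, and it assumes that the Driver Signing Options dialog stores its choice in the Policy value under HKLM\SOFTWARE\Microsoft\Driver Signing (0 = Ignore, 1 = Warn, 2 = Block).

```powershell
# Added example: audit the driver signing setting and the installed PnP drivers.
# Assumes Windows PowerShell 2.0 or later.

function Get-DriverSigningPolicy {
    # Assumption: the Driver Signing Options dialog writes its choice to the
    # Policy value of this key (0 = Ignore, 1 = Warn, 2 = Block). On Windows XP
    # the value is REG_BINARY, so it can come back as a byte array rather than
    # a number; both shapes are handled here.
    $key = 'HKLM:\SOFTWARE\Microsoft\Driver Signing'
    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Policy
    if ($null -eq $raw) { return 'Unknown (value not present)' }
    $code = if ($raw -is [array]) { [int]$raw[0] } else { [int]$raw }
    switch ($code) {
        0       { 'Ignore' }
        1       { 'Warn' }
        2       { 'Block' }
        default { "Unrecognized ($code)" }
    }
}

function Get-UnsignedPnPDriver {
    # Win32_PnPSignedDriver reports signing state the way Device Manager's
    # Driver tab does (through the INF's catalog file), so in-box drivers that
    # have no embedded per-file signature still show as signed here.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DeviceName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, DriverVersion, InfName, Signer
}

$policy = Get-DriverSigningPolicy
Write-Host "Unsigned driver installation behavior: $policy"
if ($policy -eq 'Ignore') {
    # Matches the book's caution: Ignore accepts third-party drivers silently.
    Write-Host 'Ignore installs unsigned drivers without alerting the user; Warn or Block is the safer choice.'
}

$unsigned = @(Get-UnsignedPnPDriver)
Write-Host ("Installed PnP drivers without a valid signature: {0}" -f $unsigned.Count)
$unsigned | Sort-Object DriverProviderName, DeviceName | Format-Table -AutoSize
```

A per-file check with Get-AuthenticodeSignature is not a substitute for this listing, because in-box drivers are signed through catalog files rather than embedded signatures; for the protected system files themselves, use sigverif or sfc /scannow as described above.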

CONFIGURING COMPUTERS WITH MULTIPLE PROCESSORS


This section explains how to configure a system with multiple processors. It covers scaling and upgrading your computer from a single processor to a multiprocessor system. During installation, Windows XP detects the type and number of processors on the system board and installs the appropriate HAL to support the system's processor(s). In addition, each processor has a device driver just like any other hardware device on the system. This allows the replacement of processors with models that have different speeds and capabilities.

Multiprocessor Scaling
Adding processors to your system is one way to improve performance. This is more of an issue for Windows Server products than it is for Windows XP Professional because multiprocessor configurations are typically used for processor-intensive applications, such as those found on database servers or Web servers. However, any application that performs heavy computation and is designed for multiple processors, such as certain scientific or financial applications or applications that do complex graphic rendering (like computer-aided design programs), will benefit from multiprocessor systems (although most applications will get a boost).
NOTE

Upgrading to multiple processors can increase the load on other system resources. You might need to increase other resources such as disks, memory, and network components to get the maximum benefit from adding a second CPU. In addition, to make full use of multiple processors, applications must be designed to support multi-threaded operation. Most 32-bit applications use multiple threads to some extent but have not been optimized for multiple CPUs.

To add a second processor:

1. Shut down the system.
2. Install the second CPU according to the CPU manufacturer's instructions.
3. Start the system. Windows XP detects the second CPU and forces a Found New Hardware installation routine. The HAL is changed to support multiple processors.

MANAGING ACPI SUPPORT


Advanced Configuration and Power Interface (ACPI) is a computer industry specification that defines how motherboards, operating systems, and programs interface with power components and peripheral devices. It consolidates features of PnP with features of Advanced Power Management (APM) to allow the operating system to control system power, processor performance states, and power to peripheral devices.
NOTE

ACPI supersedes PnP and APM and is designed to control devices that are built to those standards as well as newer devices that support ACPI.

When Windows XP is installed on a computer, it checks the version of the system BIOS against a list of known good ACPI BIOS releases. If it finds the BIOS in the list, it installs an ACPI HAL. If the BIOS cannot be verified to be a known good version, Windows XP installs a non-ACPI HAL to enable basic power management and PnP operation.


In future versions of ACPI, the system hardware will be able to negotiate ACPI settings with the operating system during installation to provide the most comprehensive feature set possible under the circumstances.
CAUTION

Microsoft does not support changing from an ACPI HAL to a non-ACPI HAL, or vice versa, because of the great differences in how each specification detects and installs devices. Changing the HAL will likely cause system instability and failure to start, requiring a reinstallation of Windows XP to restore proper operation.

To see which HAL is loaded on your system:

1. Open the System Properties dialog box.
2. Click the Hardware tab.
3. Click Device Manager to launch the Device Manager console.
4. Expand the Computer object. The HAL installed on your system will be displayed as shown in Figure 4-17.


Figure 4-17 Device Manager displaying the HAL version

Forcing Installation of a Specific HAL


You can force Windows XP to install a specific HAL during operating system installation. You should do this only under the advice of a representative of the hardware manufacturer or Microsoft Product Support Services (PSS). To force Windows XP to install a specific HAL:

1. Just after booting from the Windows CD-ROM or soon after starting the Windows XP setup program, you are presented with the option to press F6 if you need to install a SCSI or RAID controller (Figure 4-18). Press F5 instead.



Figure 4-18 Press F5 here to install an alternative HAL.

2. On the screen that appears, shown in Figure 4-19, select the appropriate hardware abstraction layer.


Figure 4-19 Selecting a HAL

NOTE

You can skip HAL selection and force use of a non-ACPI HAL by pressing F7 in step 1 above instead of F5.

TROUBLESHOOTING ACPI
Most ACPI problems stem from not having the correct HAL for the system experiencing trouble. Using an ACPI HAL with a non-ACPI-compliant system can result in resource arbitration issues. This can manifest itself as problems with shutting down properly, I/O errors during operation, and problems with hibernation or standby operation. To use a different HAL, you must reinstall Windows XP, forcing the installation of the correct HAL if necessary. You should do this only under the advice of a representative of the hardware manufacturer or Microsoft PSS.


SUMMARY

Windows XP can install and manage hardware devices automatically using the PnP and ACPI specifications. Manually configuring a device prevents Windows XP from managing its settings and hinders automatic resource arbitration.

Hardware profiles allow Windows XP to maintain more than one configuration to support systems that experience repetitive hardware changes such as docking and undocking a notebook computer.

The Microsoft Windows Hardware Quality Laboratory (WHQL) tests and certifies devices and drivers for compatibility with Windows XP. The approved drivers are signed with a digital certificate. Windows XP can prohibit installation of unsigned device drivers.

Windows XP is provided with digitally signed system files and can verify and restore these files if they are overwritten by applications.

Adding a second CPU in Windows XP causes Windows XP to install a multiprocessor HAL to enable multiprocessor support.

Advanced Configuration and Power Interface (ACPI) controls device and power management in Windows XP. Changing between ACPI and non-ACPI hardware abstraction layers (HALs) will cause system instability and can result in failure to start. You can select a version of the HAL during system installation and reinstallation.

REVIEW QUESTIONS
1. Which of the following settings does Windows XP configure on Plug and Play peripheral devices? (Choose all correct answers.)
a. IRQ
b. I/O address
c. voltage
d. performance level


2. Which of the following settings does Windows XP configure on ACPI peripheral devices? (Choose all correct answers.) (knowledge application)
a. IRQ
b. I/O address
c. bus type
d. bandwidth

3. To make full use of a second CPU, an application must support __________ operation. (knowledge demonstration)

4. Device drivers that are tested and accepted by the Microsoft Hardware Quality Laboratory (WHQL) are digitally __________. (knowledge demonstration)
a. approved
b. accepted
c. signed
d. encrypted

5. Which of the following technologies do you use to block the installation of unsigned device drivers? (knowledge application)
a. File Signature Verification
b. Driver signing
c. System File Checker
d. Sigverif

CASE SCENARIOS
Scenario 4-1: Managing a Hardware Upgrade
You are upgrading a graphics workstation to improve performance. You are adding a second CPU and additional memory. Which of the following choices provides for correct installation of both new components?
a. Install a multiprocessor HAL for the processor, and take no action for the memory.
b. Take no action for the processor or for the memory.
c. Reinstall Windows XP to support the processor, and take no action for the memory.
d. Take no action for the processor, and run the Add New Hardware Wizard for the memory.

Scenario 4-2: Troubleshooting Problems with the HAL


You are troubleshooting a system that will not boot. The user of the system says that he replaced the ACPI HAL with a non-ACPI HAL. How do you solve this problem?
a. Run System Restore to replace the original HAL
b. Change the HAL back to the original
c. Reinstall Windows XP
d. Restore the original HAL from a backup

CHAPTER 5

CONFIGURING AND MANAGING THE USER EXPERIENCE


Upon completion of this chapter, you will be able to:
Configure and manage desktop components

Configure display options

Configure multiple displays

Configure power management options

Manage users profiles and data

Configure regional and language settings

Manage accessibility settings

In this chapter, you will learn how to manage the Microsoft Windows XP user experience. We will explore desktop components and their settings; configure power management options; manage user profiles, user profile folders, and data folders; and configure accessibility options. We will also discuss regional settings and language options, and how to configure and manage multiple displays in Windows XP.


CONFIGURING AND MANAGING DESKTOP COMPONENTS


The desktop environment is the workspace of the Windows XP user. It offers a metaphor for organization that allows users to personalize their work area to suit their requirements and offers a space to store documents, frequently used program shortcuts, and links to Web sites. You can even embed Web site views directly into the background wallpaper. In this section, we will explore desktop configuration, including the configuration of components such as the taskbar, the Start menu, and the notification area. We will explore display settings such as wallpaper selection, screen savers, screen resolution, and color settings. We will conclude by discussing multiple monitor support and troubleshooting.

Configuring Display Settings


Windows XP supports a wide range of display options and an amazing array of hardware and configurations. To view or modify the display, open Control Panel, click Appearance And Themes, and then click Display to open the Display Properties dialog box. Alternatively, you can access the dialog box by right-clicking the desktop and selecting Properties.
NOTE

The Windows XP Control Panel supports two modes of operation: Category view (the default) and Classic view. In Classic view, the Display icon is typically in plain view. We present the Category view navigation path here because it is the default experience for most users.

The Display Properties dialog box has five tabs: Themes, Desktop, Screen Saver, Appearance, and Settings. We will examine them in turn.
IMPORTANT

You can enable Group Policy settings that restrict access to display options. For example, in the Display Properties dialog box, you can choose to remove the Appearance tab or the Settings tab. For more information about Group Policy, see Chapter 13 and Chapter 14.

Themes tab On the Themes tab (Figure 5-1), you can select a complete set of configuration settings to set a theme for colors, wallpapers, sounds, icons, and other elements. You can choose from included themes such as Windows Classic or Windows XP, or you can choose themes published online or as part of Microsoft Plus! For Windows XP.


Figure 5-1 The Themes tab of the Display Properties dialog box

Desktop tab The Desktop tab is where you select desktop wallpaper and background colors (Figure 5-2). You can select one of the available wallpaper options or a solid background color, or you can browse for a graphic image in a folder on your hard drive.

Figure 5-2 The Desktop tab of the Display Properties dialog box

You can also use this tab to access settings that control which default icons are displayed on the desktop and their appearance. Click Customize Desktop to open the Desktop Items dialog box (Figure 5-3). You can choose to include or exclude an icon for My Documents, My Computer, My Network Places, and Microsoft Internet Explorer on your desktop, as well as customize the icons used to represent these items. You can also configure the frequency with which the Desktop Cleanup Wizard (Figure 5-4) is run. The default setting for running the wizard is every 60 days. Click Clean Desktop Now to run the Desktop Cleanup Wizard immediately.


Figure 5-3 Managing desktop icons in the Desktop Items dialog box

Figure 5-4 Removing unused icons with the Desktop Cleanup Wizard

The wizard removes icons from the desktop that have not been used in the last 60 days and places them in the Unused Desktop Shortcuts folder, which is placed on the user's desktop; it does not remove any programs from your computer.

You can also embed Web site content in your desktop. To include Web content on your desktop, in the Desktop Items dialog box, click the Web tab (Figure 5-5). You are presented with a list of Web pages. You can add any Web page to your desktop by checking the box next to it or by clicking New and entering the URL. You can also click Delete to remove a Web page from the list. Click Properties to view the Properties dialog box for the embedded Web page. This dialog box (Figure 5-6) allows you to make the Web page available offline, to synchronize immediately or schedule the synchronization of this offline Web page with the content on the Internet, and to specify whether you want Microsoft Internet Explorer to download more than just the top-level page of this Web site.

Figure 5-5 Managing desktop Web content



Figure 5-6 Viewing settings for an embedded Web page



NOTE

If you want Internet Explorer to download more than just the top-level page, you can configure the Web component to include all of the content linked up to three levels deep when synchronizing the page.

Screen Saver tab The Screen Saver tab (Figure 5-7) allows you to choose a screen saver. Screen savers prevent damage to monitors by preventing an image from getting burned into the screen. Newer monitors are not as likely to burn in as early monitors, but long-term display of fixed objects can still cause some damage. You can select the time the system will remain idle before the screen saver appears. The default is 15 minutes. You can even use a picture of your own as a screen saver by uploading it from a digital camera or scanner, copying it from the Internet, or copying it from an e-mail attachment.

Figure 5-7 Configuring screen saver settings



The Screen Saver tab also lets you configure the system to prompt you for a password before clearing the screen saver. This is a valuable security feature: it effectively locks your system if you are called away and cannot return to it promptly. Finally, on this tab you can adjust system power profiles and settings to help save energy. We will discuss power management in more detail in the next section.

Appearance tab The Appearance tab (Figure 5-8) allows you to configure the style of windows and buttons, the color scheme, and font size.
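The password prompt described under the Screen Saver tab is worth auditing on managed workstations, because a user can switch it off unless Group Policy enforces it. The following PowerShell function is an added example, not code from the book: it reads the registry values Windows stores for that tab (ScreenSaveActive, ScreenSaverIsSecure, ScreenSaveTimeOut and SCRNSAVE.EXE under HKCU\Control Panel\Desktop, with the policy copies under HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop) and reports whether the lock is actually in effect. It assumes Windows PowerShell is installed (a separate download on Windows XP) and uses a 900-second threshold chosen to match the 15-minute default.

```powershell
# Added example (not from the book): audit the screen-saver lock that the Screen Saver
# tab's password prompt configures. Windows keeps these values as REG_SZ strings under
# HKCU\Control Panel\Desktop; a Group Policy override writes the same value names under
# HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop and takes precedence.
# Requires Windows PowerShell, which is a separate download on Windows XP.
function Get-ScreenSaverLockState {
    param(
        # Assumed threshold: 900 seconds matches the 15-minute default described above.
        [int]$MaxIdleSeconds = 900
    )

    $userKey   = 'HKCU:\Control Panel\Desktop'
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $names     = 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut', 'SCRNSAVE.EXE'

    $userValues   = $null
    $policyValues = $null
    if (Test-Path $userKey)   { $userValues   = Get-ItemProperty -Path $userKey }
    if (Test-Path $policyKey) { $policyValues = Get-ItemProperty -Path $policyKey }

    $state = New-Object PSObject
    foreach ($name in $names) {
        $value  = $null
        $source = 'NotSet'
        if ($policyValues -ne $null -and $policyValues.$name -ne $null) {
            # A policy value is re-applied at every logon and overrides the user's choice.
            $value = $policyValues.$name; $source = 'Policy'
        } elseif ($userValues -ne $null -and $userValues.$name -ne $null) {
            $value = $userValues.$name; $source = 'User'
        }
        Add-Member -InputObject $state -MemberType NoteProperty -Name $name -Value $value
        Add-Member -InputObject $state -MemberType NoteProperty -Name "$name (source)" -Value $source
    }

    # "1" means enabled; the timeout is the idle time in seconds before the saver starts.
    # A lock only exists if a saver is selected, the password prompt is on, and the
    # timeout is set and not longer than the threshold.
    $timeout = 0
    [void][int]::TryParse([string]$state.ScreenSaveTimeOut, [ref]$timeout)
    $enforced = ($state.ScreenSaveActive -eq '1') -and
                ($state.ScreenSaverIsSecure -eq '1') -and
                ($state.'SCRNSAVE.EXE' -ne $null) -and
                ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)

    Add-Member -InputObject $state -MemberType NoteProperty -Name 'TimeoutSeconds' -Value $timeout
    Add-Member -InputObject $state -MemberType NoteProperty -Name 'LockEnforced'   -Value $enforced
    $state
}

# Report the effective settings and flag a workstation that will not lock itself.
$audit = Get-ScreenSaverLockState
$audit | Format-List
if (-not $audit.LockEnforced) {
    Write-Warning 'Screen-saver lock is not in effect: select a screen saver, turn on the password prompt and set a timeout of 15 minutes or less, or enforce these settings through Group Policy.'
}
```

The "(source)" columns show whether each value came from policy or from the user, which tells you whether the setting would survive the user opening the Screen Saver tab and changing it.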

Figure 5-8 The Appearance tab of the Display Properties dialog box


Click Effects to configure the following options (Figure 5-9):

- Use The Following Transition Effect For Menus And Tooltips
- Use The Following Method To Smooth Edges For Screen Fonts
- Use Large Icons
- Show Shadows Under Menus
- Show Windows Contents While Dragging
- Hide Underlined Letters For Keyboard Navigation Until I Press The Alt Key

Figure 5-9 Configuring menu and text effects



Settings tab The Settings tab allows you to configure display options, including the number of colors, video resolution, font size, and refresh frequency (Figure 5-10).

Figure 5-10 Settings tab of the Display Properties dialog box




Let's explore the options on the Settings tab for configuring display settings.

- Color Quality: Displays the current color settings for the monitor attached to the display adapter listed under Display. This option allows you to change the color quality for the display adapter.
- Screen Resolution: Displays the current screen resolution settings for the monitor attached to the display adapter listed under Display. This option allows you to set the resolution for the display adapter. As you increase the number of pixels, you display more information on the screen, but you decrease the size of the information.
- Troubleshoot: Opens the Video Display Troubleshooter to help you diagnose display problems.
- Advanced: Opens the Properties dialog box for the display adapter, as described in Table 5-1.
Table 5-1 Display Adapter Advanced Options

General tab

Display (DPI Setting): Provides Normal, Large, or Other display font options. Use the Other option to choose a custom font size.

Compatibility: Determines the action that Windows should take when you make changes to display settings. After you change the color settings, you must choose one of the following options:
- Restart The Computer Before Applying The New Display Settings
- Apply The New Display Settings Without Restarting
- Ask Me Before Applying The New Display Settings

NOTE

Some display adapter drivers install their own custom tabs for this dialog box. If you see additional manufacturer-specific tabs, check your manufacturer's documentation for details on configuring options in those tabs.


Table 5-1 Display Adapter Advanced Options (Continued)

Adapter tab

Adapter Type: Provides the manufacturer and model number of the installed adapter. Clicking Properties displays the Properties dialog box for your adapter (Figure 5-11):
- The General tab of the Properties dialog box provides additional information, including device status, resource settings, and any conflicting devices.
- The Driver tab of the Properties dialog box provides details about the display adapter's device driver and allows you to update the driver, roll back to the previously installed driver, or uninstall the driver.
- The Resources tab of the Properties dialog box displays the hardware resources (such as IRQs or device I/O ports) being used by the adapter.

Adapter Information: Provides additional information about the display adapter, such as video chip type, digital-to-analog converter (DAC) type, memory size, and BIOS version.

List All Modes: Displays all compatible modes for your display adapter and lets you select resolution, color depth, and refresh frequency in one step.

Figure 5-11 The Properties dialog box for a display adapter




Table 5-1 Display Adapter Advanced Options (Continued)

Monitor tab

Monitor Type: Provides the manufacturer and model number of the currently installed monitor. The Properties button opens the hardware Properties dialog box for your monitor, which lists device and driver information and allows you to manage the device drivers for your monitor. It also gives access to the Video Display Troubleshooter to help resolve problems with this device.

Monitor Settings: Configures the refresh rate frequency. This option applies only to high-resolution drivers. Do not select a refresh rate and screen resolution combination that is unsupported by the monitor. If you are unsure, refer to your monitor documentation or select the lowest refresh rate option. When you use a Plug and Play display, unsupported settings are unavailable; you would have to clear the Hide Modes This Monitor Cannot Display check box to see unsupported settings. If you select an unsupported refresh rate, your monitor will most likely go blank for 15 seconds as Windows displays a confirmation dialog box. By waiting for the dialog box to expire, you can decline to apply the settings permanently, and the prior settings will be returned.

Troubleshoot tab

Hardware Acceleration: Lets you progressively decrease your display hardware's acceleration features to help you isolate and eliminate display problems.

Enable Write Combining: Lets you select whether to use write combining, which improves video performance by collecting video display writes in the CPU and then bursting them to the video display memory in large blocks. Write combining on unsupported hardware can lead to screen corruption, however. If you experience trouble with your display, try clearing the Enable Write Combining check box.

Color Management tab

Color Management: Specifies the color profile for your monitor.


Using Multiple Displays


Windows XP Professional supports multiple display configurations. Multiple displays allow you to extend your desktop across more than one monitor (Figure 5-12). Windows XP Professional supports the extension of your display across a maximum of 10 monitors.


Figure 5-12 A document viewed on multiple displays



IMPORTANT You must use Peripheral Component Interconnect (PCI) or Accelerated Graphics Port (AGP) display adapters when configuring multiple displays.

If one of the display adapters is built into the motherboard, note these additional considerations:

- The motherboard adapter always becomes the secondary adapter. It must be multiple-display compatible.
- You must set up Windows XP Professional before installing another display adapter. Windows XP Professional Setup disables the motherboard adapter if it detects another display adapter. In some systems, the BIOS completely disables the on-board adapter on detecting an add-in adapter. If you are unable to override this detection in the BIOS, you cannot use the motherboard adapter with multiple displays.
- Typically, the system BIOS selects the primary display based on PCI slot order. However, on some computers, the BIOS allows the user to select the primary display device.
- You cannot disable the primary display. This is an important consideration for laptop computers with docking stations. For example, some docking stations contain a display adapter; these often disable, or turn off, a laptop's built-in display. Multiple-display support does not function in these configurations unless you attach multiple adapters to the docking station.

Configuring Multiple Displays

Before you can configure multiple displays, you must install additional display adapters in your PC. Then you must enable each one for operation in a multiple-display environment. To install multiple monitors, complete the following steps:

1. Turn off your computer, and insert one or more additional PCI or AGP display adapters into available slots on your computer. Follow the instructions provided by the adapter manufacturer(s).
2. Plug an additional monitor into each PCI or AGP display adapter that you installed.
3. Turn on your computer and allow Windows XP Professional to detect the new adapters and install the appropriate device drivers. You might be required to insert driver disks and configure additional settings as specified in the manufacturer's installation instructions.

To configure your display in a multiple-display environment, complete the following steps:

1. In Control Panel, click Appearance And Themes, and then click Display.
2. In the Display Properties dialog box, click the Settings tab (Figure 5-13).

Figure 5-13 Configuring multiple-display support

3. Click the monitor icon for the primary display device.
4. Select the display adapter for the primary display, and then select the color depth and resolution.
5. Click the monitor icon for the secondary display device.
6. Select the display adapter for the secondary display, and then select the Extend My Windows Desktop Onto This Monitor check box.
7. Select the color depth and resolution for the secondary display.
8. Repeat steps 5 through 7 for each additional display.

Windows XP Professional uses the virtual desktop concept to determine the relationship of each display. The virtual desktop uses coordinates to track the position of each individual display desktop. The coordinates of the top-left corner of the primary display always remain 0, 0. Windows XP Professional sets secondary display coordinates so that all the displays adjoin each other on the virtual desktop. This allows the system to maintain the illusion of a single, large desktop where users can cross from one monitor to another without losing track of the mouse.

To change the display positions on the virtual desktop, select the Settings tab, click Identify, and drag the display representations to the desired position. The positions of the icons dictate the coordinates and the relative positions of the displays.

Troubleshooting Multiple Displays

If you encounter problems with multiple displays, follow the troubleshooting guidelines in Table 5-2.
Table 5-2 Troubleshooting Tips for Multiple Displays

Problem: You cannot see any output on the secondary displays.
Possible solutions:
- Activate the device in the Display Properties dialog box.
- Confirm that you chose the correct video driver.
- Restart the computer to confirm that the secondary display initialized. If it didn't, check the status of the display adapter in Device Manager.
- Check that both display adapters are compatible with multiple-monitor support. If the primary adapter is not compatible, multiple-display support will not be activated.


Table 5-2 Troubleshooting Tips for Multiple Displays (Continued)

Problem: The Extend My Windows Desktop Onto This Monitor check box is unavailable.
Possible solutions:
- In the Display Properties dialog box, select the display onto which you want to extend your desktop.
- Confirm that the secondary display adapter is supported.

Problem: An application fails to display on the secondary display.
Possible solutions:
- Confirm that Windows XP Professional can detect the secondary display.
- Run the application on the primary display.
- Run the application in full-screen mode (MS-DOS) or maximized (Windows).
- Disable the secondary display to determine whether the problem is specific to multiple-display support.

The Taskbar and Start Menu


In addition to modifying your display settings, you can customize the behavior of the taskbar and the Start menu. In this section, we will explore the settings for these two desktop components.

Configuring the taskbar The taskbar allows you to tell at a glance which applications are loaded and access these applications even if another application has the focus on the desktop or is maximized. When the taskbar icons start to get too crowded, they can group themselves into stacks based on the type of application. You can control this behavior (and other settings) in the Taskbar And Start Menu Properties dialog box (Figure 5-14), which you open by right-clicking on the taskbar or the Start menu and then selecting Properties.

Figure 5-14 The Taskbar And Start Menu Properties dialog box


NOTE

The Taskbar And Start Menu Properties dialog box previews the appearance of changes you specify. If you want to see what some of these settings look like, just watch the picture of the taskbar in the dialog box as you choose them. You will see how the taskbar would look with these settings applied.

Let's explore the settings in this dialog box:

- Lock The Taskbar: This setting locks the position and size of the taskbar, preventing you from inadvertently moving it to another edge of the screen or resizing docked toolbars (such as Quick Launch or Media Player) or the taskbar itself.
- Auto-Hide The Taskbar: This setting causes the taskbar to retreat to the edge of the screen whenever it is not the focus of an operation. This gives an additional portion of screen space to other applications.
- Keep The Taskbar On Top Of Other Windows: This setting prevents other application windows from covering the taskbar. (Covering the taskbar prevents the user from accessing other applications by clicking their taskbar icons.)
- Group Similar Taskbar Icons: This option causes the icons for similar applications to stack themselves into groups when the taskbar starts to get too cluttered. Disabling this option causes the icons to get smaller and smaller as more are added, until they can no longer be read.
NOTE

If you are running many different types of applications at once, it is still possible to overcrowd the taskbar.

Show Quick Launch This option displays the Quick Launch toolbar on the taskbar. This toolbar allows you to add icons to quickly launch applications without searching for them on the Start menu.

Configuring the notification area The notification area (formerly known as the system tray in earlier versions of Windows) includes the system clock display and notification icons for any background applications running on your system. The notification area has two options:

- Show The Clock: Enables or disables the clock display.
- Hide Inactive Icons: Allows you to hide notification icons that are not currently active. You can also designate certain icons that will always show by using the Customize button (Figure 5-15).


Figure 5-15 Customizing the notification area



Configuring the Start menu The Start menu is the most-used menu in Windows XP. It contains program shortcuts, configuration settings, recently used document lists, frequently used programs, and pinned programs, which are programs that are fixed to the Start menu for rapid access. You can customize the Start menu through the Taskbar And Start Menu Properties dialog box (Figure 5-16).

Figure 5-16 Customizing the Start menu



You can click the Customize button to open the Customize Start Menu dialog box (Figure 5-17), where you can customize several features of the Start menu. The dialog box has two tabs: General and Advanced.


Figure 5-17 Customizing the Windows XP Start menu



Options on the General tab of the Customize Start Menu dialog box are as follows:

- Select An Icon Size For Programs: Specifies large or small icons on the Start menu. You can use this option to prevent the Start menu from getting too large when there are too many icons.
- Programs: Controls the number of recent programs that are displayed. You can also clear the list here.
- Show On Start Menu: Specifies which programs to display on the Start menu as the default tools for accessing the Internet via the World Wide Web and communicating via e-mail. You can also disable the display of applications for these categories by clearing the selection box next to each program.

The following options are available on the Advanced tab of the Customize Start Menu dialog box (Figure 5-18):

Start Menu Settings This portion of the dialog box controls the behavior of two aspects of Start menu operation:

- Open Submenus When I Pause On Them With My Mouse: Controls navigation of the Start menu. If you disable this setting, you must click each submenu to expand it.
- Highlight Newly Installed Programs: Causes the Start menu to draw attention to new applications by highlighting their submenus and shortcuts.


Start Menu Items Controls which submenus are displayed on the Start menu and their appearance. This selection includes options to display Control Panel, the My Documents folder, and My Computer.

Recent Documents Activates the display of the My Recent Documents list. Clicking the Clear List button clears the contents of this list.

Figure 5-18 Configuring Start menu advanced items



Restoring the Classic Start menu You can choose the Classic Start Menu option in the Taskbar And Start Menu Properties dialog box to configure Windows XP with the appearance of Windows 2000 Professional. Clicking Customize opens the Customize Classic Start Menu dialog box (Figure 5-19), where you can add or remove items from the Classic Start menu and enable or disable optional submenus.

Figure 5-19 Customizing the Classic Start menu




CONFIGURING POWER OPTIONS


You can configure Windows XP Professional to turn off the power to your monitor and your hard disk or put the computer in hibernate mode. In Control Panel, click Performance And Maintenance, and then click Power Options. Alternatively, you can use the Screen Saver tab of the Display Properties dialog box.

Selecting a Power Scheme


Power schemes allow you to configure the conservation settings for your system. In the Power Options Properties dialog box (Figure 5-20), click the Power Schemes tab.

Figure 5-20 The Power Schemes tab of the Power Options Properties dialog box for a notebook computer

Windows XP Professional provides the following six built-in power schemes:

- Home/Office Desk: Designed for a desktop computer. After 20 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
- Portable/Laptop: Optimized for portable computers that run on batteries. After 15 minutes of inactivity, the monitor is turned off; after 30 minutes of inactivity, the hard disks are turned off. The system will go on standby (low power) after 20 minutes and hibernate (if enabled) after 1 hour.
NOTE

When notebook computers are running on batteries, the settings for power schemes change. In the Portable/Laptop scheme, for example, the time drops to 5 minutes for monitor, hard disk, and system standby, with hibernation in 10 minutes. This section presents the on-battery settings for Portable/Laptop and Maximize Battery. The rest are for a desktop computer or a laptop on AC power.


- Presentation: Designed for use with presentations for which the computer display must always remain on. The monitor and the hard disks are never turned off.
- Always On: Designed for use with personal servers. After 20 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
- Minimal Power Management: Disables some power management features, such as timed hibernation. After 15 minutes of inactivity, the monitor is turned off, but the hard disks are never turned off.
- Max Battery: Designed to conserve as much battery power as possible. After 1 minute of inactivity, the monitor is turned off; the hard disks are turned off after 3 minutes. The system goes on standby after 2 minutes and hibernates after 5 minutes.

Configuring Advanced Power Options


To configure your computer to use advanced power options, you use the Advanced tab of the Power Options Properties dialog box (Figure 5-21).

Figure 5-21 Advanced power options on a notebook computer



This tab offers the following options:

- Select the Always Show Icon On The Taskbar check box to add an icon to the taskbar for quick access to Power Management.
- Select the second check box, Prompt For Password When Computer Resumes From Standby, to be prompted for your Windows password when your computer comes out of standby mode. (On older systems, this check box might not appear unless the system is set to hibernate.)


The lower half of this tab configures actions the system will take if the power button is pressed, or (for laptops only) when the lid is closed or the sleep button is pressed. Options for these settings include: Shut Down, Stand By, Hibernate, Do Nothing, and Ask Me What To Do.

Enabling Hibernate Mode


When your computer hibernates, it saves the current system state to your hard disk, and then your computer shuts down. When you start the computer after it has been hibernating, it returns to its previous state, which includes any programs that were running when it went into hibernate mode, and even any local network connections that were active at the time.
NOTE

Dial-up and VPN connections are not preserved during a hibernate action.

To configure your computer to use Hibernate mode:

1. Select the Hibernate tab in the Power Options Properties dialog box (Figure 5-22).
2. Select the Enable Hibernation check box.


Figure 5-22 Enabling hibernation on a Windows XP system

IMPORTANT

You must have free disk space equivalent to the amount of RAM on your system to allow the system's state to be written to disk during hibernation. If the Hibernate tab is unavailable, your computer does not support this mode.
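The free-space requirement in the note above can be checked before you enable hibernation, rather than discovering the shortfall when the machine fails to hibernate. This PowerShell function is an added example, not code from the book: it compares installed RAM (from the Win32_ComputerSystem WMI class) with free space on the system drive, where Windows writes the hibernation file hiberfil.sys. It assumes Windows PowerShell is installed (a separate download on Windows XP).

```powershell
# Added example (not from the book): verify the disk-space requirement for hibernation.
# Windows writes the saved system state to hiberfil.sys in the root of the system drive,
# so that drive must have at least as much free space as there is installed RAM.
# Requires Windows PowerShell, which is a separate download on Windows XP.
function Test-HibernateDiskSpace {
    $ramBytes    = [double](Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory
    $systemDrive = $env:SystemDrive                       # for example "C:"
    $disk        = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$systemDrive'"
    $freeBytes   = [double]$disk.FreeSpace

    # If hibernation is already enabled, hiberfil.sys already occupies the space it
    # needs, so count its size as available rather than reporting a false shortfall.
    $hiberfil = "$systemDrive\hiberfil.sys"
    if (Test-Path -LiteralPath $hiberfil) {
        try   { $freeBytes += (Get-Item -LiteralPath $hiberfil -Force).Length }
        catch { }                                          # hidden system file; ignore if unreadable
    }

    New-Object PSObject -Property @{
        SystemDrive      = $systemDrive
        InstalledRamMB   = [math]::Round($ramBytes / 1MB)
        AvailableSpaceMB = [math]::Round($freeBytes / 1MB)
        ShortfallMB      = [math]::Round([math]::Max(0, $ramBytes - $freeBytes) / 1MB)
        HibernationFits  = ($freeBytes -ge $ramBytes)
    }
}

# Run the check and say plainly whether the Enable Hibernation check box can be used.
$check = Test-HibernateDiskSpace
$check | Format-List
if (-not $check.HibernationFits) {
    Write-Warning ("Free {0} MB more on {1} before enabling hibernation." -f $check.ShortfallMB, $check.SystemDrive)
}
```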


Configuring Advanced Power Management


Windows XP Professional supports Advanced Power Management (APM), which helps reduce the power consumption of your system. To configure your computer to use APM, you use the APM tab of the Power Options Properties dialog box. If the APM tab is unavailable, your computer is compliant with Advanced Configuration and Power Interface (ACPI), a specification that supersedes APM support. To enable APM, select the Enable Advanced Power Management Support check box on the APM tab.
NOTE

You must be logged on as a member of the Administrators group to configure APM.

Advanced Configuration and Power Interface (ACPI)


If your laptop has an ACPI-based BIOS, you can insert and remove PC cards on the fly, and Windows XP Professional will detect and configure them without requiring you to restart your machine. This is known as dynamic configuration of PC cards. There are two other important features for mobile computers:

- Hot and warm docking/undocking: Hot and warm docking/undocking means you can dock and undock from the Windows XP Professional Start menu without turning off your computer. Windows XP Professional automatically creates two hardware profiles for laptop computers: one for the docked state and one for the undocked state. (For more information about hardware profiles, see Chapter 4.)
- Hot swapping of Integrated Device Electronics (IDE) and floppy devices: Hot swapping of IDE and floppy devices means you can remove and swap devices such as floppy drives, DVD/CD drives, and hard drives without shutting down or restarting your system; Windows XP Professional automatically detects and configures these devices.

Configuring an Uninterruptible Power Supply


An uninterruptible power supply (UPS) is a device connected between a computer or another piece of electronic equipment and a power source, such as an electrical outlet. The UPS ensures that the electrical flow to the computer is not interrupted because of a blackout and, in most cases, it protects the computer from potentially damaging events such as power surges and brownouts. Different UPS models offer different levels of protection.


To configure your UPS, click the UPS tab of the Power Options Properties dialog box, which shows the current power source, the estimated UPS run time, the estimated UPS capacity, and the UPS battery condition. Click Details to display the UPS Selection dialog box, which lists manufacturers so you can select the manufacturer of your UPS.
NOTE

Unlike desktop systems, notebook computers do not enable the UPS tab in the Power Options Properties dialog box (because they don't need it).

NOTE

Check the Windows Catalog to make sure the UPS you are considering is compatible with Windows XP Professional before you purchase it.

If you want to configure a UPS not listed by manufacturer and model:

1. In the Select Manufacturer list box, select Generic.
2. In the Select Model list box, select Generic, and then click Next.

You can configure the conditions that trigger the UPS device to send a signal in the UPS Interface Configuration dialog box (Figure 5-23). These conditions include power failures, a low battery, and the UPS shutting down. You should select Positive if your UPS sends a signal with positive polarity when the power fails and the UPS is running on battery. Select Negative if your UPS sends a signal with negative polarity.

CAUTION

Be sure to check your UPS documentation before you configure signal polarity.


Figure 5-23 The UPS Interface Configuration dialog box

After you have configured the UPS service for your computer, you should test the configuration to ensure that your computer is protected from power failures. Disconnect the main power supply to simulate a power failure. During your test, the computer and the devices connected to the computer should remain operational. You should let the test run long enough for the UPS battery to reach a low level so that you can verify that an orderly shutdown occurs.
CAUTION

Do not test your UPS on a production computer. You could lose valuable data. Use a spare computer for the test.

CONFIGURING USER PROFILES


Typically, the use of user profiles is considered part of user account management and does not extend beyond defining the user's profile folder. We will cover user account management in Chapter 13, but here we will discuss how user profiles configure the user experience, including how roaming user profiles enable IntelliMirror technologies. IntelliMirror is a set of technologies that, taken together, provide a framework for managing the user experience. IntelliMirror technologies provide three main functions:

User data management  A user profile contains files and folders that are stored locally on a computer (local user profiles) or remotely on the network (roaming user profiles). These files include the user's Start menu, My Documents folder, desktop, and any registry settings that are specific to the user. Other folders and files might also be part of a user's profile, as required by applications managed for the user.

User settings management  Also stored in the user's profile is a set of registry entries that configure user-specific settings for the user's applications and system configuration preferences.

Software installation and maintenance  Software installation and settings are managed by policies such as Active Directory Group Policy Objects or local computer policies that define which applications are installed for the user and the configuration settings those applications will have.

User profiles in IntelliMirror are specific to the user.

Local and Roaming User Profiles


There are two types of user profiles:

Local profile Windows XP Professional creates a local user profile the first time a user logs on to a computer and stores the profile on that computer.


Roaming profile If the domain administrator designates a user profile folder for a user, that users local profile is copied to the specified folder, making it available wherever she logs on. A roaming user profile is especially helpful because it follows the user around, setting up the same desktop environment no matter which computer the user logs on to in the domain.

The portability of the roaming user profile is the basis for the IntelliMirror experience.
NOTE

A read-only roaming user profile is called a mandatory user profile. When the user logs off, Windows XP Professional does not save any changes made to the desktop environment during the session, so the next time the user logs on, the profile is exactly the same as the last time she logged on.

User Profile Storage Locations


On the local computer, user profiles are stored in the Documents And Settings folder tree on the boot partition (usually drive C). If you browse this folder hierarchy, you will see a folder for each user that contains such subfolders as Desktop, Start Menu, Favorites, and My Documents. If you save a file to one of these folders, it should show up on the appropriate menu or desktop for the user whose profile you are working with (Figure 5-24).

Figure 5-24 User profile folders



In addition to the user-specific folders, there is a folder for All Users. Placing a program shortcut in All Users\Desktop makes it available to all users of the computer you are working with. Similarly, an icon in All Users\Start Menu makes it available to each user on her Start menu.
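As an added example (not the book's own material), the Python script below walks a Documents And Settings tree, lists what each profile's Desktop and Start Menu contain, and separates items in All Users, which every account inherits, from per-user ones. It also covers the Start Menu\Programs\Startup folder, which the text does not mention: a shortcut placed there runs at every logon, so when reviewing a shared computer it is worth knowing whether such a shortcut sits in one user's profile or in All Users. The sample tree is constructed in a temporary directory, so the script runs on any operating system; the profile and file names in it are made up.

```python
import os
import tempfile

# Profile subfolders discussed in the text (Desktop, Start Menu) plus the Startup
# folder under Start Menu\Programs; a shortcut there runs at every logon.
DESKTOP = "Desktop"
START_MENU = "Start Menu"
STARTUP = os.path.join("Start Menu", "Programs", "Startup")
WATCHED = (DESKTOP, START_MENU, STARTUP)
ALL_USERS = "All Users"


def inventory_profiles(root):
    """Map each profile folder under root to the files in its watched subfolders.

    Returns {profile_name: {subfolder: [file names]}}; subfolders that do not
    exist are simply absent from the inner dict.
    """
    inventory = {}
    for name in sorted(os.listdir(root)):
        profile = os.path.join(root, name)
        if not os.path.isdir(profile):
            continue
        found = {}
        for sub in WATCHED:
            path = os.path.join(profile, sub)
            if os.path.isdir(path):
                found[sub] = sorted(
                    entry for entry in os.listdir(path)
                    if os.path.isfile(os.path.join(path, entry))
                )
        inventory[name] = found
    return inventory


def effective_items(inventory, user, sub):
    """Items a user sees in `sub`: her own profile's entries merged with All Users."""
    own = inventory.get(user, {}).get(sub, [])
    shared = inventory.get(ALL_USERS, {}).get(sub, [])
    return sorted(set(own) | set(shared))


def shared_items(inventory):
    """(subfolder, file) pairs in All Users, i.e. the ones every account inherits."""
    return [
        (sub, entry)
        for sub, entries in sorted(inventory.get(ALL_USERS, {}).items())
        for entry in entries
    ]


def build_sample_tree():
    """Constructed sample tree (not taken from a real machine) for a stand-alone run."""
    root = tempfile.mkdtemp(prefix="docs_and_settings_")
    layout = {
        (ALL_USERS, DESKTOP): ["Outlook.lnk"],
        (ALL_USERS, STARTUP): ["monitor.lnk"],
        ("alice", DESKTOP): ["Report.doc"],
        ("alice", STARTUP): [],
        ("bob", DESKTOP): [],
    }
    for (profile, sub), files in layout.items():
        folder = os.path.join(root, profile, sub)
        os.makedirs(folder, exist_ok=True)
        for name in files:
            with open(os.path.join(folder, name), "w") as handle:
                handle.write("placeholder\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    inventory = inventory_profiles(root)
    for sub, entry in shared_items(inventory):
        print("applies to every user: %s\\%s" % (sub, entry))
    for user in ("alice", "bob"):
        print(user, "desktop:", effective_items(inventory, user, DESKTOP))
        print(user, "startup:", effective_items(inventory, user, STARTUP))
```

On a real Windows XP computer you would point `inventory_profiles` at C:\Documents and Settings instead of the constructed tree; the functions themselves do not depend on the sample data.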


CONFIGURING MULTIPLE LANGUAGES AND LOCATIONS


Windows XP can support many different language styles and regional options for currency, time, and even punctuation. To access regional options and language settings, in Control Panel click the Date, Time, Language, And Regional Options icon (Figure 5-25).

Figure 5-25 The Date, Time, Language, And Regional Options icon in Control Panel

You can manage date and time settings and number and date formats or add other languages. Choosing any option to format date and time or manage regional or language options launches the Regional And Language Options dialog box (Figure 5-26).

Figure 5-26 Configuring regional and language options



The Regional Options tab allows you to configure standards and formats for each language. For example, you can configure the format for displaying numbers, currency, time, and dates. If you have configured multiple locations, you can also choose your preferred location. Windows XP Professional has support for many locales including Galician, Gujarati, Kannada, Kyrgyz, Mongolian (Cyrillic), Punjabi, Divehi, Arabic (Syrian), and Telugu.
NOTE

If some of the languages mentioned here do not appear on your system, you might need to add support for that type of language. Two check boxes are available in the Text Services And Input Languages dialog box. The first is Install Files For Complex Script And Right-To-Left Languages. These files are required for Arabic, Armenian, Georgian, Hebrew, Indic, Thai, and Vietnamese. The second is Install Files For East Asian Languages. These files are required for Chinese, Japanese, and Korean.

To configure multiple languages:

1. On the Languages tab of the Regional And Language Options dialog box, click Details. The Text Services And Input Languages dialog box appears.

2. Click Add to open the Add Input Language dialog box (Figure 5-27).


Figure 5-27 The Text Services And Input Languages dialog box and the Add Input Language dialog box

3. To configure additional languages, scroll through the list of languages and select the one you want to add.

If you added at least one language to the one already installed on your computer, your computer now supports multiple languages. If you experience any problems with the way multiple languages or locales are working, double-check your settings. You can also try uninstalling the multiple-language support or multiple-locale support. Make sure everything is working correctly with only one language or locale, and then reconfigure and reinstall the multiple-language or multiple-locale support.


CONFIGURING ACCESSIBILITY OPTIONS


Windows XP Professional lets you configure accessibility options through the Accessibility Options icon in Control Panel.

Configuring Keyboard Options


To configure keyboard options, in Control Panel, click Accessibility Options. In the Accessibility Options window, click Accessibility Options to display the Accessibility Options dialog box. The Keyboard tab of the dialog box, shown in Figure 5-28, allows you to configure the keyboard options StickyKeys, FilterKeys, and ToggleKeys.

Figure 5-28 The Keyboard tab of the Accessibility Options dialog box

StickyKeys  Turning on StickyKeys allows you to press a multiple-key combination, such as CTRL+ALT+DELETE, one key at a time. This option is useful for people who have difficulty pushing more than one key at a time. This is a check box selection, so it is either on or off. You can configure StickyKeys by clicking Settings to open the Settings For StickyKeys dialog box (Figure 5-29). You can configure a shortcut key for StickyKeys. The default shortcut for turning on StickyKeys is pressing SHIFT five times. Two other options can also be configured for StickyKeys: Press Modifier Key Twice To Lock and Turn StickyKeys Off If Two Keys Are Pressed At Once. The modifier keys are CTRL, ALT, SHIFT, and the Windows logo key. If you select the modifier key option, pressing one of the modifier keys twice will cause that key to remain active until you press it again. If you choose to use the second option, StickyKeys is disabled if two keys are pressed simultaneously.

Figure 5-29 The Settings For StickyKeys dialog box



You can configure two notification settings for StickyKeys: Make Sounds When Modifier Key Is Pressed and Show StickyKeys Status On Screen. The first setting causes a sound to be made when any of the modifier keys (CTRL, ALT, SHIFT, or the Windows logo key) is pressed. The second notification setting causes a StickyKeys icon to be displayed in the taskbar when StickyKeys is turned on.

FilterKeys  The Keyboard tab also allows you to configure FilterKeys. Turning on FilterKeys causes the keyboard to ignore brief or repeated keystrokes. This option also allows you to configure the keyboard repeat rate, which is the rate at which a key continuously held down repeats the keystroke. This is a check box selection, so it is either on or off. You can configure FilterKeys by clicking Settings to open the Settings For FilterKeys dialog box (Figure 5-30). You can configure a shortcut key for FilterKeys. The default shortcut for turning on FilterKeys is holding down the RIGHT SHIFT key for eight seconds. Two other Filter options can also be configured for FilterKeys: Ignore Repeated Keystrokes and Ignore Quick Keystrokes And Slow Down The Repeat Rate. Ignore Repeated Keystrokes is inactive by default, and Ignore Quick Keystrokes And Slow Down The Repeat Rate is active by default. Only one of these two filter options can be active at a time. You configure them by clicking Settings.


Figure 5-30 The Settings For FilterKeys dialog box



Two Notification settings can be configured for FilterKeys: Beep When Keys Pressed Or Accepted and Show FilterKey Status On Screen. The first setting causes a beep when you press a key and another beep when the keystroke is accepted. The second option causes a FilterKeys icon to be displayed on the taskbar when FilterKeys is turned on. These settings are check boxes, so one of the settings, both of the settings (the default), or neither of the settings can be selected.

ToggleKeys  You can also configure ToggleKeys on the Keyboard tab. Turning on ToggleKeys causes the computer to make a high-pitched sound each time the CAPS LOCK, NUM LOCK, or SCROLL LOCK options are activated (with the appropriate key). Enabling ToggleKeys also causes the computer to make a low-pitched sound each time any of these options is deactivated. You can configure a shortcut key for ToggleKeys by clicking Settings. The default shortcut for turning on ToggleKeys is to hold down NUM LOCK for five seconds.
NOTE

There is one more check box on the Keyboard tab: Show Extra Keyboard Help In Programs. When selected, it causes other Windows-based programs to display additional keyboard help if it is available.

Configuring Sound Options


The Sound tab of the Accessibility Options dialog box provides the Use Sound Sentry check box, which allows you to generate visual warnings when your computer makes a sound. The Sound tab also provides the Use ShowSounds check box, which allows you to configure Windows XP Professional programs to display captions for the speech and sounds they produce.

Configuring Display Options


The Display tab of the Accessibility Options dialog box provides a High Contrast check box, which allows you to use color and fonts designed for easy reading. You can click Settings to specify whether to use a shortcut, LEFT ALT+LEFT SHIFT+PRINT SCREEN, which is enabled by default. Clicking Settings also allows you to select a high-contrast appearance scheme. The Display tab also provides cursor options that allow you to set the blink rate and the width of the cursor.

Configuring Mouse Options


The Mouse tab of the Accessibility Options dialog box provides the Use MouseKeys check box, which allows you to control the pointer with the numeric keypad on your keyboard. You can click Settings to configure MouseKeys in the Settings For MouseKeys dialog box (Figure 5-31).

Figure 5-31 The Settings For MouseKeys dialog box



MouseKeys uses a shortcut, LEFT ALT+LEFT SHIFT+NUM LOCK, which is enabled by default. You can also configure the pointer speed and acceleration speed. There is even a check box, Hold Down Ctrl To Speed Up And Shift To Slow Down, that allows you to temporarily increase or decrease the mouse pointer speed when you are using MouseKeys. To speed up the mouse pointer movement, hold down CTRL while you press the numeric keypad directional keys. To slow down the mouse pointer movement, hold down SHIFT while you press the numeric keypad directional keys.


Configuring General Tab Options


The General tab of the Accessibility Options dialog box (Figure 5-32) allows you to configure Automatic Reset. This feature turns off all the accessibility features except the SerialKey devices after the computer has been idle for a specified amount of time.

Figure 5-32 The General tab of the Accessibility Options dialog box

The General tab includes the Notification feature, which allows you to produce a warning message when a feature is activated and to make a sound when turning a feature on or off. The General tab also allows you to activate the SerialKey Devices feature, which configures Windows XP Professional to support an alternative input device (also called an augmentative communication device) connected to your computer's serial port. The Administrative Options feature provides two check boxes, Apply All Settings To Logon Desktop and Apply All Settings To Defaults For New Users, that allow you to apply all configured accessibility options to this user at logon and to apply all configured accessibility options to all new users.

OTHER ACCESSIBILITY TOOLS


In addition to display and sound options, two utilities are available that assist users who have visual impairments: the Magnifier and the Narrator.


The Magnifier
The Magnifier magnifies a portion of the screen to make it easier to read. It follows the mouse pointer and allows the user to control which text is magnified. Settings control the level of magnification.

The Narrator
The Narrator feature reads aloud system menus and dialog boxes. It can be used to help with system dialog box navigation and control.
NOTE

Many of these accessibility options are limited in functionality but give you an idea of what is possible. More sophisticated tools exist, and you can get more information about them at the Microsoft Accessibility Web site at www.microsoft.com/enable.


SUMMARY

Windows XP supports a vast array of display technologies. The Windows XP user experience can be tailored to support the preferences and needs of most users. Key to this is the ability to configure desktop preferences, the taskbar and Start menu, roaming user profiles, and accessibility options.

Windows XP includes sophisticated power management capabilities, including the ability to adapt power management preferences from a dedicated desktop PC to a low-power notebook computer. It includes support for low-power standby and hibernation and also includes the ability to communicate with uninterruptible power supplies for power-loss notification.

Windows XP supports roaming user profiles as part of its support for Microsoft's IntelliMirror technologies. This support allows administrators to provide a consistent user experience on all configured desktops in an enterprise.

Windows XP includes accessibility settings to assist physically challenged users with system and application operation. Capabilities include keystroke assistance with StickyKeys, FilterKeys, and MouseKeys, text-to-speech functions such as the Narrator, and visual aids such as high-contrast colors and the Magnifier.

REVIEW QUESTIONS
1. A user is familiar with the layout of the Windows 2000 Start menu. How can you configure Windows XP to enable this user to be more at home in Windows XP? (Choose two answers.)

a. Enable Windows 95 application compatibility mode
b. Enable the Windows Classic desktop theme
c. Enable the Windows Classic Start menu setting
d. Enable the legacy menu setting in Windows Explorer

2. You are configuring multiple-monitor support on a laptop computer with a docking station. The computer has an internal AGP display adapter and a PCI display adapter in the docking station. When you dock the computer, it does not enable multiple-monitor support. How do you enable multiple monitors for this computer?

a. Configure the laptop's BIOS to enable the on-board display.
b. Click Extend The Desktop Onto This Display on the Settings tab of the Display Properties dialog box.
c. Add an additional display adapter to the docking station.
d. Switch the laptop to its outboard display port.

3. You are attempting to add an icon to the desktop for all users of a computer. How do you do this?

a. Add the icon to C:\Documents and Settings\All Users\Start Menu.
b. Add the icon to C:\Documents and Settings\<username>\Start Menu for each user.
c. Add the icon to C:\Documents and Settings\All Users\Desktop.
d. Add the icon to C:\Documents and Settings\<username>\Desktop for each user.

4. You have sustained an injury to your right arm, which will be in a sling for a time. How can you perform keystroke combinations such as CTRL+ALT+DEL without the use of your right hand?

a. Enable FilterKeys
b. Enable MouseKeys
c. Enable OptionKeys
d. Enable StickyKeys

5. You are attempting to configure Advanced Power Management settings on your computer, but you cannot locate the Configuration tab. What is the problem?

a. You must log on as Administrator.
b. APM is not enabled. On the View tab of the Folder Options dialog box (available from the Tools menu in Windows Explorer), select the checkbox next to Enable APM Configuration Settings.
c. You are looking in the wrong place. Locate the Advanced Power Management icon in Control Panel.
d. Your system may support Advanced Configuration and Power Interface (ACPI). Check to see whether your system supports ACPI.


6. You are configuring a system for a bilingual text newsletter, which is published in English and Punjabi (an Indic language). How do you enable these two languages to be used? (Choose all correct answers.)

a. In the Text Services And Input Languages dialog box, add Punjabi.
b. In the Regional And Language Options dialog box, select English.
c. On the Languages tab of the Regional And Language Options dialog box, select the Install Files For Complex Script And Right-To-Left Languages (Including Thai) check box.
d. On the Languages tab of the Regional And Language Options dialog box, select the Install Files For East Asian Languages check box.

CASE SCENARIOS
Scenario 5-1: Time for Hibernation
You are configuring a computer to hibernate when it has been idle for an extended period of time. The computer has the following features and statistics:

Supports Advanced Configuration and Power Interface (ACPI)
768 MB of free disk space
Windows XP Professional with Service Pack 2
Uninterruptible power supply with capacity to operate computer for 25 minutes
1 GB of physical RAM

Can this computer be configured to hibernate? If not, how can you enable it to hibernate?

Scenario 5-2: Power Problems


A user is attempting to connect the signal cable from a new uninterruptible power supply to a computer that was previously connected to a UPS. He reports that the computer immediately initiates a shutdown whenever the cable is connected. What is most likely causing this behavior? How can you configure Windows XP to eliminate this problem?

CHAPTER 6

CONFIGURING AND MANAGING PRINTERS AND FAX DEVICES


Upon completion of this chapter, you will be able to:
Connect to local and network print devices
Manage printers and fax devices
Manage print jobs
Control access to printers
Connect to an Internet printer

In Chapter 4, you learned how to install and manage hardware devices. In this chapter, we will focus on two specific types of devices: printers and fax devices.

Desktop publishing has long been a principal use of personal computers. Programs such as Aldus (now Adobe) PageMaker and Quark XPress set type for newspapers and magazines, books, and newsletters. The PostScript printing language allowed these programs to produce output similar, if not identical, in quality to standard typography. As adoption of personal computers increased, businesses began to use them to produce daily reports and colorful charts. Laser and inkjet printers, rather than expensive typesetting equipment, now produce the vast majority of today's printed material.

In this chapter, you will learn how to connect, configure, and manage printers and fax devices. You'll learn how to manage print jobs and control access to printers using permissions. Finally, we'll discuss connecting to remote printers using the Internet.


INTRODUCTION TO WINDOWS XP PROFESSIONAL PRINTING


With Microsoft Windows XP Professional, you can share printing resources across an entire network and administer printing from a central location. You can easily set up printing on client computers running Windows XP, Windows 2000 Professional, Windows NT 4, Windows Me, Windows 98, and Windows 95.

Terminology
Before you set up printing, you should be familiar with Windows XP Professional printing terminology to understand how the different components fit together (Figure 6-1).
Figure 6-1 Printing terminology (diagram labels: printer driver, local print device, network interface print device, print server)

Print Device A hardware device that puts text or images on paper or on other print media. Windows XP Professional supports the following print devices:

Local print devices, which are connected to a physical port on the local computer.

Network interface print devices, which are connected to a print server through the network instead of a physical port. Network interface print devices require their own network interface cards and have their own network address or else they are attached to an external network adapter.

Printer The software interface through which a computer communicates with a print device. Windows XP Professional supports the following interfaces: line printer (LPT), COM, universal serial bus (USB), IEEE 1394 (FireWire), Infrared Data Access (IrDA), Bluetooth, and network-attached devices such as the HP JetDirect and Intel NetPort or network printing services such as LPR, standard TCP ports, and Internet Printing Protocol (IPP).
NOTE

Windows XP Professional treats a FireWire card as a network connectivity device as well as a peripheral connectivity device. FireWire is used to connect digital camcorders, scanners, and other high-bandwidth devices to computers.


Print server  The computer that manages one or more printers on a network. The print server receives and processes documents from client computers, and prints them on locally attached or network print devices.

Printer driver  One file or a set of files containing information that Windows XP Professional requires to convert print commands into a specific printer language, such as Adobe PostScript. This conversion makes it possible for a print device to print a document. A printer driver is specific to each print device model and can support printing to that print device over a wide variety of port types.

ADDING A LOCAL PRINTER


Many Windows XP systems use print devices connected directly to the system. These print devices use a variety of interfaces: parallel ports, USB ports, FireWire ports, and most recently Bluetooth. The Add Printer Wizard progresses through the following steps to help you add a printer:
NOTE

You must be a member of the local Administrators or Power Users security group to install and manage printers.

Local or Network Printer Specify whether the printer you are installing is locally attached to a hardware port on your system or attached to a point on the network. Locally attached printers can also be detected through Plug and Play (PnP). Your system scans its ports for a print device and helps automate device driver selection (Figure 6-2).


Figure 6-2 Local or Network printer page of the Add Printer Wizard


NOTE

If you have a PnP-compatible print device that connects through a USB port, an IEEE 1394 interface, or any other port (such as IrDA or Bluetooth) that supports automatic detection of devices, you do not need to use the Add Printer Wizard. Simply plug the printer cable into your computer and bring the device within range, or point the printer toward your computer's infrared port and turn on the print device. Windows then installs the printer for you.

Select a Printer Port If you do not choose to use PnP, the Select A Printer Port page is presented (Figure 6-3). Choose the port to which you have connected your print device.


Figure 6-3 The Select A Printer Port page

Install Printer Software  Select the printer driver software (Figure 6-4). If the driver for your print device is not listed, you can provide a manufacturer's driver by selecting Have Disk.


Figure 6-4 Install Printer Software page


NOTE

If you use PnP to detect your print device, the wizard will usually skip the Select A Printer Port page and Install Printer Software page. The exception to this is when PnP fails to detect the device or cannot find the driver software.

Name Your Printer Enter a descriptive name for your printer (Figure 6-5). You can also specify whether the printer is to be the default printer for applications on your system.


Figure 6-5 The Name Your Printer page

Printer Sharing Specify whether to share this printer with other systems on the network (Figure 6-6). Doing so makes your system a print server. If you choose to share the printer, you can enter information about the printer in the Location And Comment page.


Figure 6-6 The Printer Sharing page configured to share a printer


Print Test Page Specify whether to print a Windows test page from your newly installed print device to verify that the printer is properly configured (Figure 6-7).


Figure 6-7 The Print Test Page page

Completing The Add Printer Wizard This page (Figure 6-8) details all the configuration settings you have chosen for this printer. If everything is correct, you can click Finish and the printer will be installed. Windows will copy the chosen printer driver to your system, share the printer (if directed), and print the test page (if selected).


Figure 6-8 Completing The Add Printer Wizard page

ADDING A PRINTER CONNECTED TO A PRINT SERVER


Most organizations use print servers to manage printing. Print servers allow you to control who prints to which device and manage documents sent to the server. Documents can be spooled to a print queue, which allows management of printing priority, queuing of large documents on the server instead of the client to improve performance, and reprinting of failed documents. We will discuss using Windows XP as a print server later in this chapter; for now, we will concentrate on configuring Windows XP as a client.

Types of Print Servers


In addition to Windows Server operating systems, an organization can use Novell NetWare or UNIX/Linux to manage printing or use a dedicated print serving device to manage print spools. We will discuss these in turn, beginning with Windows servers.

Windows Server Operating Systems

The most widely used print servers today are based on Windows Server operating systems. Windows 2000 Server and Windows Server 2003 can manage many print devices simultaneously and manage hundreds of print jobs on different printers attached to these devices.
IMPORTANT

Pay close attention to the terminology in use here. A printer is actually a print queue attached to a print device. With Windows Server, you can create multiple printers that use the same device. Thus administrators can control access to the device by specifying groups of users, giving different groups different priority, and even allowing access at different times of day.

Windows 2000 Server and Windows Server 2003 can also advertise their printers in Active Directory. Users can then browse or search for a device that can print their particular job. They can search by location, speed, resolution, type of paper, duplexing or stapling capability, or even whether the device can print color output. They can simply connect to the desired printer, and it becomes available for their use (assuming, of course, that they have permission to use it!).

NetWare Print Servers

Novell NetWare can also provide print server functionality. This network operating system can manage print devices in queues and can provide access to Windows XP systems either as an LPD server or through the use of Client Services for NetWare (an optional Windows XP networking client). Novell also provides its own Windows XP client, but its setup and configuration are beyond the scope of this course.
MORE INFO To learn more about installing and using Client Services for NetWare, see the Windows XP Professional Resource Kit, Second Edition (ISBN 0-7356-1974-3) from Microsoft Learning.


UNIX/Linux Print Servers

Printers that are on print servers running on UNIX or Linux and running the Samba server service can be advertised in Active Directory. Samba allows these servers to function as member servers in the Active Directory domain. Clients can browse and connect to these printers as if the printers were on Windows servers.

Connecting to a Printer on a Windows Print Server


There are many ways to connect to a printer on a Windows Server:

Add Printer Wizard You can use this wizard to connect to a network printer on a Windows Server. On the Select A Printer Port page, select A Network Printer, Or A Printer Attached To Another Computer to get to the Specify A Printer page (Figure 6-9).


Figure 6-9 The Specify A Printer page of the Add Printer Wizard

This page allows you to enter the printer address, if you know it, or browse for it in Active Directory (as shown later in Figure 6-10). By selecting criteria for your search, you can find printers that have the features you require for your job.
NOTE

If you are using a computer that is not a member of an Active Directory domain, the Specify A Printer page will show Browse For A Printer instead of Find A Printer In The Directory.

Connect option In My Network Places, you can locate a printer, right-click its icon, and select Connect. If you have permission to use the printer, it will be installed on your system.


NET USE command Windows computers can use the following command to connect to a network printer, where x is the number of the printer port you want to designate for this printer, server_name is the name of the print server hosting the printer, and printer_name is the name of the printer you want to use.
Net use lptx: \\server_name\printer_name

Using the Search Assistant to Find a Printer


You can search for printers in Active Directory when you are logged on to an Active Directory domain by using the Search Assistant. On the Start menu, click Search. In the Search Assistant, click Printers, Computers, Or People and then choose Find Printers to open the Find Printers dialog box. The dialog box has three tabs to help you locate a printer (Figure 6-10).

Figure 6-10 Finding a printer in Active Directory



Printers tab  Allows you to search for specific information, such as the name, location, and model of the printer.

Features tab  Allows you to select from a prepared list of additional search options, such as whether the printer can print double-sided copies or print at a specific resolution.

Advanced tab  Allows you to use custom fields and Boolean operators to define complex searches, such as searches on printers that support collation and a specific printer language (such as PostScript).

If you want to search for all available printers, you can leave all search criteria blank and click Find Now. All of the printers in the domain are listed. You can then connect to the printer of your choice. Locate a printer and make a connection to it by double-clicking it or by right-clicking it and then selecting Connect.

192

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

NOTE

The Find Printers feature is not available in the Search Assistant unless you are logged on to an Active Directory domain. If you are using a standalone computer that is in a workgroup, the Find Printers feature is not available.

ADDING A NETWORK INTERFACE PRINTER


Connecting to and installing a network interface printer is similar to installing a local printer. The principal difference is in the selection of the port. A network interface printer uses a network interface device to provide connectivity and is accessed as if it were locally attached.

Standard TCP/IP Port


You can access a network interface printer as a local port by selecting Standard TCP/IP Port or (if Print Services for UNIX is installed) LPR Port. Selecting Standard TCP/IP Port launches the Standard TCP/IP Printer Port Wizard, which guides you through the steps necessary to connect to a TCP/IP print server. You enter the name or IP address of the print device (Figure 6-11). The wizard scans the address and attempts to determine what type of device it is communicating with. If it cannot determine the device type or the device is not responding, the wizard presents the Additional Port Information Required page (Figure 6-12), where you can manually select the device type from a drop-down list. In addition, you can configure a custom device if you know its settings.

Figure 6-11 Selecting a standard TCP/IP port



If the device has more than one available port, the wizard prompts you to select the correct port on the device.


Figure 6-12 The Additional Port Information Required page



The wizard completes and exits. If the port was installed as part of the Add Printer Wizard, you are presented with the Install Printer Software window and installation proceeds as for a local printer.
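The wizard writes its result as a port object that the spooler's Standard TCP/IP Port Monitor reads, and the same object can be created from a script. The following PowerShell script is an added example, not part of this book; it assumes PowerShell 2.0 on the print server (Windows XP SP3 or later), an administrative session, and an invented device address and port name. It uses the Win32_TCPIPPrinterPort WMI class that Windows XP and Windows Server 2003 expose (the prnport.vbs script that ships with them drives the same class) to create a RAW port on TCP 9100 and, unlike the wizard's default, leaves SNMP status monitoring off.

```powershell
# Added example (not from the book): create a Standard TCP/IP printer port
# without the wizard, using the Win32_TCPIPPrinterPort WMI class.
# Run from an administrative PowerShell session on the print server.
$PortName    = 'IP_192.168.10.50'   # naming convention the wizard uses (assumed)
$HostAddress = '192.168.10.50'      # address of the print device (assumed)
$PortNumber  = 9100                 # RAW/JetDirect listener on the device

$existing = Get-WmiObject -Class Win32_TCPIPPrinterPort -Filter "Name='$PortName'"
if ($existing) {
    Write-Host "Port $PortName already exists -> $($existing.HostAddress):$($existing.PortNumber)"
    return
}

$port = ([wmiclass]'Win32_TCPIPPrinterPort').CreateInstance()
$port.Name        = $PortName
$port.HostAddress = $HostAddress
$port.Protocol    = 1             # 1 = RAW (TCP 9100); 2 = LPR (TCP 515, also set .Queue)
$port.PortNumber  = $PortNumber
# The wizard's custom settings page offers SNMP status monitoring with the
# community name 'public'. Leave it off unless the device has a non-default
# community; otherwise the server polls the device with a guessable string.
$port.SNMPEnabled = $false
$null = $port.Put()

# Read the stored port back so the result can be verified.
Get-WmiObject -Class Win32_TCPIPPrinterPort -Filter "Name='$PortName'" |
    Select-Object Name, HostAddress, Protocol, PortNumber, SNMPEnabled
```

After the port exists, the printer itself is still added with the Add Printer Wizard (or Win32_Printer) and simply pointed at this port name, exactly as for a local port.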

LPR Port
If Print Services for UNIX is installed on your system (discussed in more detail later), you can connect to UNIX LPD servers as a client, using the LPR port.
NOTE

UNIX and Linux systems traditionally use the Line Printer Daemon (LPD) service to share printers with other UNIX/Linux systems. This service listens on the network (TCP port 515) for print commands. The Line Printer Remote (LPR) service is the client portion of the LPD/LPR pair; it connects to the LPD service over the network and sends print commands to the print device attached to the LPD system. Microsoft's Print Services for UNIX lets your computer act as both an LPD server and an LPR client. Because installing it also adds the TCP/IP Print Server service, which listens on port 515, block that port at the firewall or stop the service if you only need the LPR client.

To connect to an LPR port:

1. On the Select A Printer Port page of the Add Printer Wizard (Figure 6-13), select the LPR port. This opens a dialog box that asks for the name or address of the LPD server and the name of the printer queue on the remote system (Figure 6-14).



Figure 6-13 Selecting an LPR port


Figure 6-14 Configuring an LPR port

NOTE

If the LPR Port selection is not available, you must install Print Services for UNIX. This is an additional network service available in Add/Remove Programs under Windows Components.

2. Enter the address and queue name, and click OK. The dialog box is closed, and installation of the printer continues as a local printer with the Install Printer Software page.
NOTE

It is technically possible to use the Standard TCP/IP Printer Port Wizard to configure an LPR port, but it is recommended that you use Print Services for UNIX and its LPR port option when connecting to an actual LPD server.

CONNECTING TO AN INTERNET PRINTER


Windows XP can also connect to printers using Internet Printing Protocol (IPP). This protocol transmits print commands to IPP-enabled Web servers by encapsulating them within Hypertext Transfer Protocol (HTTP). All that is required to print in this manner is the Uniform Resource Locator (URL) of the Internet print server and permission to print there. For an example of an Internet printer URL, see Figure 6-15.

How Internet Printing Works


Windows Internet printing relies on a Microsoft Internet Information Services (IIS) server. This server authenticates clients, accepts print jobs from them, and prints the jobs on one of its connected print devices. When IIS is installed on a computer running Windows XP Professional, it creates the /printers virtual directory that hosts the IPP feature. You manage this directory like any other in IIS, and the site administrator can require authentication before allowing access to it.
NOTE

Microsoft's IIS Lockdown tool for securing Web servers disables Internet printing by default. If you intend to use Internet printing, you must configure IIS Lockdown to leave it enabled. For more information, see Microsoft Knowledge Base article 325864, How to Install and Use the IIS Lockdown Tool.

To add an Internet printer using the Add Printer Wizard:

1. Enter the URL for the server in the Add Printer Wizard (Figure 6-15). The server authenticates the client according to the authentication type defined for the /printers directory: anonymous access, Integrated Windows authentication, or Basic (clear text) authentication. Basic authentication sends the user's password base64-encoded, which is trivially reversed, so it should be used only when the /printers directory also requires SSL.


Figure 6-15 Entering the URL for Internet printing


2. If you have permission to print, the server packages a driver into a cabinet (.cab) file and sends it to you. Windows installs the driver automatically as it completes the Add Printer Wizard. You can now print to the Internet printing server.

Windows computers that have Internet printing enabled provide access to their printers through a Web page on the server. You reach this page by entering http://<servername>/printers in your Web browser's Address bar. On this page you can browse printers, view their properties, select a printer that supports the type of print job you want to send, and manage print jobs.

To connect to a printer using the /printers Web page:

1. Connect to the /printers site (Figure 6-16) and select a printer.


Figure 6-16 Connecting to /printers

2. Click Connect to install the printer. Windows verifies that you intend to install this printer (Figure 6-17).


Figure 6-17 Confirming installation of an Internet printer

3. The server packages a driver and sends it to the client (Figure 6-18).



Figure 6-18 Installing an Internet printer

4. After installation, the printer appears in Printers and Faxes as an Internet printer. Note the address in Figure 6-19.


Figure 6-19 An installed Internet printer

USING WINDOWS XP AS A PRINT SERVER


Windows XP can operate as a print server by simply sharing printers with network users. Using the full power of the print-sharing features, however, requires careful planning and implementation. In this section, we will discuss planning and configuring print serving, including managing permissions, schedules, and printer priorities. You will learn how to manage print jobs and troubleshoot printing problems.


Requirements for Network Print Services


Careful planning is required before you share printers on the network. The requirements for setting up print serving on a network include:

At least one computer to operate as the print server. If the print server will manage many heavily used printers, Microsoft recommends a dedicated print server. The computer can run either of the following:

Windows 2000 Server or Windows Server 2003. These operating systems can handle a large number of connections and support Apple Macintosh, UNIX/Linux, and Novell NetWare clients.

Windows XP Professional, which is limited to 10 concurrent connections from other computers for file and print services. It does not support Macintosh computers or NetWare clients, but it does support UNIX computers.

Sufficient random access memory (RAM). If a print server will manage a large number of printers or many large documents, the server might require RAM beyond what Windows XP Professional or Windows Server 2003 needs for its other tasks. If a print server does not have sufficient RAM for its workload, printing performance deteriorates.

Sufficient disk space on the print server. The print server must be able to store documents sent to it until it sends them to the print device. This is critical when documents are large or likely to accumulate. For example, if 10 users send large documents to print at the same time, the print server must have enough disk space to hold all of them until it can send them to the print device. If there is not enough space, users get error messages and cannot print until the printing load subsides.

Planning for Print Serving

Before you set up network printing, develop a network-wide printing strategy that meets users' printing needs without unnecessary duplication of resources or delays in printing. Items to consider while planning a print server installation include:

Determine users' printing requirements. Determine the number of users who will print, the printer features they will need, and the printing workload. For example, people in a billing department who continually print invoices and envelopes have a larger printing workload, and might require more printers with more paper options and more print servers, than software developers who do all their work online and rarely print.

Determine the company's printing requirements. The printing needs of your company determine the number and types of printers required. Consider the type of output that each printer will handle. What print speed or special features are required to support all your users? Also consider the reliability of the printer you are considering: can it handle the workload? Don't use a personal printer for network printing.

Determine the number of print servers required. This is the number of print servers needed to handle the number and types of printers that your network will employ. A print server can spool only so many documents before performance degrades, so consider the size and quantity of documents your users produce. Will one server be up to the task, or do you need additional servers?

Determine where to locate printers. Printers should be in a location where users can easily pick up their printed documents.

Sharing Printers During Installation


You can share a printer during installation by choosing the appropriate setting in the Add Printer Wizard:

1. On the Printer Sharing page of the Add Printer Wizard, enter a share name and click Next. You can assign a shared printer name even though you already supplied a printer name. The shared printer name identifies the printer on the network and must conform to a naming convention; it can differ from the printer name you entered previously.

2. The wizard displays the Location And Comment page. Enter descriptive information about the printer and its location. This information gives users a more detailed description of the printer.
NOTE

If the computer running Windows XP Professional is part of a domain, Windows displays the values that you enter on the Location And Comment page when a user searches Active Directory for a printer. Entering this information is optional, but it can help users locate the printer more easily.


3. The rest of the installation proceeds normally. When you complete the wizard, the printer is installed and shared.
IMPORTANT

Sharing a printer with the Add Printer Wizard makes it available to all network users. To manage permissions on the printer, you must use the printer's Properties dialog box. (Right-click the printer in the Printers and Faxes folder, and select Properties.)

Sharing an Existing Printer


If the printing demands on your network increase and your system has an existing, nonshared printer, you can share that printer so that other users can use it. When you share a printer, you assign it a share name, which appears in My Network Places. Use an intuitive name to help users when they browse for a printer. You can also add printer drivers for other versions of Windows XP, Windows 2000, Windows NT, Windows 98, and Windows 95. To share an existing printer:

1. In Printers and Faxes, right-click the icon for the printer you want to share, and then choose Sharing.

2. On the Sharing tab of the printer's Properties dialog box (Figure 6-20), click Share This Printer.


Figure 6-20 Sharing an existing printer

3. In the Share Name text box, type a share name and then click OK. Windows XP Professional puts an open hand under the printer icon, indicating that the printer is shared.


Installing Additional Print Drivers


After you share a printer, you can install additional print drivers so that users of other Windows versions can connect to and print to the print device. You do this in the Additional Drivers dialog box, which you open from the Sharing tab of the printer's Properties dialog box (Figure 6-21).

Figure 6-21 Installing additional drivers



When you specify additional drivers, Windows XP asks for a disk containing them. These must be native Windows drivers. They do not have to be the ones packaged with Windows (although that helps), but they must conform to the Windows driver model and include an .inf file that describes the driver. Third-party drivers that install only from an executable setup program are not recognized and cannot be added here. After installation, the new drivers are stored on the print server, and when a client running one of the operating systems you selected in Additional Drivers connects to the server, the matching driver is supplied to it automatically in place of the Windows XP driver. Because printer drivers execute inside the print spooler, which runs with system privileges on the server and on every client that downloads them, install only drivers obtained from Microsoft or the printer vendor.
NOTE

Windows 95, Windows 98, and Windows Me systems do not automatically download drivers. When a user connects to a printer from one of these systems, the client operating system launches its own Add Printer Wizard to manage the installation of the driver.

Creating Printer Pools


A printer pool consists of two or more printers that are connected to one print server and act as a single printer. The printers can be local or network interface printers. Although the printers should be identical, you can use printers that are not identical but use the same printer driver. In that case, only the print features supported by the common driver are available. After you install a printer, you can create a printer pool using the Ports tab of the Properties dialog box for that printer. Select the Enable Printer Pooling check box, and select additional ports on the print server (Figure 6-22).

Figure 6-22 Enabling printer pooling



When you create a printer pool, users can print documents without checking which printer is available. The document prints to the first available printer in the printing pool. A printing pool offers the following advantages:

In a network with a high volume of printing, it decreases the time that documents wait on the print server.

It simplifies administration because you can administer multiple printers simultaneously.

Before you create a printer pool, connect the printers to the print server. Then take the following steps:

1. On the Ports tab of the printer's Properties dialog box, select the Enable Printer Pooling check box. This enables pooling and allows you to select multiple printer ports.

2. Select the check box for each port to which a printer that you want to add to the pool is connected.
IMPORTANT

When you set up a printer pool, place the printers in the same physical area so users can easily retrieve their documents.


Managing Printer Permissions


Windows XP Professional allows you to control printer usage and administration by assigning permissions. With printer permissions, you can control who can use a printer. You can also assign printer permissions to control who can administer a printer and the level of administration, which can include managing printers and managing documents. For security reasons, you might need to limit user access to certain printers. You can also use printer permissions to delegate responsibility for specific printers to users who are not administrators. Windows XP Professional provides three levels of printer permissions: Print, Manage Documents, and Manage Printers. Table 6-1 lists the capabilities of each level of permission.
Table 6-1 Printing Capabilities of Windows XP Professional Printer Permissions

Print permission
  Print documents
  Pause, resume, restart, and cancel the user's own documents
  Connect to a printer

Manage Documents permission (includes everything Print allows)
  Control job settings for all documents
  Pause, resume, restart, and cancel all other users' documents

Manage Printers permission (includes everything Manage Documents allows)
  Cancel all documents
  Share a printer
  Change printer properties
  Delete a printer
  Change printer permissions

You can allow or deny each of these permission levels. Denied permissions always override allowed permissions. For example, if you select the Deny check box next to Manage Documents for the Everyone group, no one can manage documents, even if you grant that permission to another user account or group, because every user account (including members of Administrators) is a member of Everyone. Remove a permission from the Allow column instead of denying it, and reserve Deny for the rare case where one specific account must be excluded from a permission its groups grant.


Assigning Printer Permissions

By default, Windows XP Professional assigns Print permission for each printer to the built-in Everyone group, so all users can send documents to the printer. Administrators and Power Users receive Manage Printers and Manage Documents, and the Creator Owner identity receives Manage Documents, which is why users can manage the documents they submitted. You can also assign printer permissions to other users or groups (see Figure 6-23).

Figure 6-23 Assigning printer permissions



To assign printer permissions, take the following steps:

1. In the Printers and Faxes window, right-click the appropriate printer icon, and then choose Properties to open the printer's Properties dialog box.

2. Click the Security tab, and then click Add.
NOTE

If the computer running Windows XP Professional is in a workgroup and the printer's Properties dialog box has no Security tab, close the Properties dialog box. In Windows Explorer, on the Tools menu, click Folder Options, and then click the View tab. Clear the Use Simple File Sharing (Recommended) check box, and then open the printer's Properties dialog box again.

3. In the Select Users, Groups, Or Computers dialog box, enter the appropriate user account or group, and then click Add. Repeat this step for all users or groups you want to add, and then click OK. If you do not remember the exact user or group name, click Advanced to open an advanced version of the Select Users, Groups, Or Computers dialog box, which lets you search Active Directory for users and groups that meet certain criteria.

4. Select the new user account or group. In the bottom part of the dialog box, select the permissions you want to assign.


NOTE

It might occasionally be necessary to assign advanced permissions to a user. To do this, click Advanced and assign additional printer permissions that do not fit into the predefined permissions on the Security tab. This is not normally required and is done only for very specific purposes by an experienced administrator.

5. Click OK to close the Properties dialog box.

Modifying Printer Permissions

You can change the default printer permissions in Windows XP Professional, or the printer permissions you previously assigned, for any user or group. To do this, make the appropriate changes on the Security tab of the printer's Properties dialog box.
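The permissions described above are stored by the spooler as an ordinary Windows security descriptor, so they can be audited across all printers on a server without opening each Properties dialog box. The following PowerShell script is an added example, not part of this book. It assumes PowerShell 2.0 on the print server (Windows XP SP3 or later) and an account allowed to read HKLM\SYSTEM\CurrentControlSet\Control\Print\Printers, where the spooler keeps each printer's descriptor in a binary value named Security. It decodes the access masks (bit values from winspool.h) into the three permission levels of Table 6-1 and flags the Deny-on-Everyone mistake discussed above.

```powershell
# Added example (not from the book): report Print / Manage Documents /
# Manage Printers permissions for every printer on this server by decoding
# the security descriptor the spooler stores in the registry. Read-only.
Set-StrictMode -Version 2

function Get-PrinterPermissionReport {
    param([string]$PrinterName)

    $key   = "HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers\$PrinterName"
    $props = Get-ItemProperty -Path $key -Name Security -ErrorAction SilentlyContinue
    if (-not $props) { return }
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $props.Security, 0

    # Access-mask bits from winspool.h; GENERIC_ALL is what the default
    # Administrators/Power Users job ACEs carry instead of specific bits.
    $PRINTER_ACCESS_ADMINISTER = 0x4          # Manage Printers
    $PRINTER_ACCESS_USE        = 0x8          # Print
    $JOB_ACCESS_ADMINISTER     = 0x10         # Manage Documents
    $GENERIC_ALL               = 0x10000000

    $rows = @()
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $mask = $ace.AccessMask
        # ACEs flagged InheritOnly apply to print jobs (documents), not to the printer.
        $forJobs = ($ace.AceFlags -band [System.Security.AccessControl.AceFlags]::InheritOnly) -ne 0
        if ($forJobs) {
            if (($mask -band ($JOB_ACCESS_ADMINISTER -bor $GENERIC_ALL)) -eq 0) { continue }
            $level = 'Manage Documents'
        } elseif (($mask -band ($PRINTER_ACCESS_ADMINISTER -bor $GENERIC_ALL)) -ne 0) {
            $level = 'Manage Printers'
        } elseif (($mask -band $PRINTER_ACCESS_USE) -ne 0) {
            $level = 'Print'
        } else { continue }

        try   { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $ace.SecurityIdentifier.Value }   # SID of a deleted account stays a SID

        $rows += New-Object PSObject -Property @{
            Printer = $PrinterName; Account = $who
            Type = $ace.AceQualifier; Permission = $level
        }
    }
    return $rows
}

$printersKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Printers'
$report = foreach ($name in (Get-ChildItem $printersKey).PSChildName) {
    Get-PrinterPermissionReport -PrinterName $name
}
$report | Sort-Object Printer, Type, Account |
    Select-Object Printer, Account, Type, Permission | Format-Table -AutoSize

# The trap from the text: a Deny ACE for Everyone (S-1-1-0) overrides every
# Allow ACE, including those of Administrators.
$report | Where-Object { $_.Type -eq 'AccessDenied' -and $_.Account -eq 'Everyone' } |
    ForEach-Object { Write-Warning "$($_.Printer): Everyone is denied $($_.Permission); this locks out Administrators as well." }
```

On a freshly installed printer the report shows Everyone with Print, Administrators and Power Users with Manage Printers and Manage Documents, and CREATOR OWNER with Manage Documents, matching the defaults described above. The script only reads; changes are still made on the Security tab, which rewrites the same value.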

Managing Printer Priority


Let's say you are in an organization where some users (such as executives or members of a high-priority support team) need their documents to print before those of other users. Whatever the reason, you need a way to ensure that their documents move to the head of the line. By assigning priorities to printers, you can ensure that some users' documents print before those of users with lower priority. To make this work, you add two or more printers for the same print device. Each printer receives a priority relative to the others, and the users who need higher priority print to the high-priority printer. Printer priorities range from 1 (the lowest) to 99 (the highest). Users' ability to print to the high-priority printer is controlled through permissions. To set priorities among printers:

1. Add a printer and share it.

2. Add a second printer and point it to the same print device or port. The port can be a physical port on the print server or a port that points to a network interface print device.

3. Set a different priority for each printer pointing to the print device. Have different groups of users print to different printers, or have users send different types of documents to each printer. For example, User1 sends documents to a printer with the lowest priority, 1, and User2 sends documents to a printer with the highest priority, 99. In this example, User2's documents always print before User1's.

Printer priority is managed on the Advanced tab of the printer's Properties dialog box (Figure 6-24).


Figure 6-24 Managing printer priority



Scheduling Printers
Suppose you have a user who prints many large documents, forcing other users to wait for extended periods for their own documents. If there is no urgency for these documents to be printed during business hours, you can create a printer that directs documents to the same print device but restricts the hours during which the device is available to that printer. The user can send large documents to the printer all day long, but they begin to print only after business hours. To create a scheduled printer:

1. Create a second printer connected to the same print device.

2. On the Advanced tab of the printer's Properties dialog box, configure a schedule for when the printer will be available (Figure 6-25).


Figure 6-25 Creating a printer schedule
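Sharing a second printer on an existing port, giving it a priority and restricting its hours (the procedures in Sharing an Existing Printer, Managing Printer Priority and Scheduling Printers) can be done in one script against the Win32_Printer class, which the prnmngr.vbs and prncnfg.vbs scripts shipped with Windows XP also use. The following PowerShell script is an added example, not part of this book. It assumes PowerShell 2.0 on the print server, an administrative session, and an existing printer called Accounting Laser; the new printer names, share names, the group referred to in the comment, and the time zone are assumptions for the example.

```powershell
# Added example (not from the book): add two more logical printers on the
# port of an existing printer, one high-priority and always available, one
# low-priority and restricted to off-hours, and share both. Run as an
# administrator on the print server.
function New-QueueOnSamePort {
    param(
        [Parameter(Mandatory=$true)][System.Management.ManagementObject]$Base,
        [Parameter(Mandatory=$true)][string]$Name,
        [Parameter(Mandatory=$true)][string]$ShareName,   # keep short for older clients
        [int]$Priority = 1,                                 # 1 = lowest, 99 = highest
        [string]$StartTime = '********000000.000000+000',  # equal Start/Until = always available
        [string]$UntilTime = '********000000.000000+000'
    )
    $q = ([wmiclass]'Win32_Printer').CreateInstance()
    $q.DeviceID   = $Name
    $q.DriverName = $Base.DriverName     # same driver and same port as the existing printer
    $q.PortName   = $Base.PortName
    $q.Location   = $Base.Location
    $q.Priority   = $Priority
    $q.Shared     = $true
    $q.ShareName  = $ShareName
    # StartTime/UntilTime are CIM datetimes with the date wildcarded. The
    # spooler stores them as minutes since midnight UTC, so the values here are
    # UTC even though the Advanced tab displays local time.
    $q.StartTime  = $StartTime
    $q.UntilTime  = $UntilTime
    $null = $q.Put()
    Get-WmiObject Win32_Printer -Filter "Name='$Name'" |
        Select-Object Name, PortName, Priority, ShareName, StartTime, UntilTime
}

$base = Get-WmiObject Win32_Printer -Filter "Name='Accounting Laser'"
if (-not $base) { throw "Printer 'Accounting Laser' not found on this server." }

# Rush queue: highest priority, available around the clock. Afterwards, on its
# Security tab, remove Print from Everyone and grant it to the group that is
# allowed to jump the line (for example an Accounting Managers group).
New-QueueOnSamePort -Base $base -Name 'Accounting Laser (Rush)' -ShareName 'AcctRush' -Priority 99

# Bulk queue: lowest priority; accepts jobs all day but prints 18:00-06:00
# local time. With the server assumed to be in UTC-8, that is 02:00-14:00 UTC.
New-QueueOnSamePort -Base $base -Name 'Accounting Laser (Bulk)' -ShareName 'AcctBulk' -Priority 1 `
    -StartTime '********020000.000000+000' -UntilTime '********140000.000000+000'
```

Everyone still holds Print on the new queues until you change it on the Security tab, which is why the priority scheme depends on the permissions step and not on the priority value alone. Read the Start and Until times back in the Advanced tab to confirm the UTC-to-local conversion came out as intended.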


MANAGING PRINTERS
In addition to adding and removing printers and print devices for your systems, managing printers also involves assigning forms to paper trays and setting separator pages. Also, you can pause, resume, and cancel a document if a problem occurs on a printer. If a print device is faulty or you add printers to your network, you might need to redirect documents to a different printer. You might also need to change which users have administrative responsibility for printers, which involves changing ownership.

Assigning Forms to Paper Trays


If a printer has multiple trays that regularly hold different paper sizes, you can assign a form to a specific tray. A form defines a paper size. Users then select the paper size from within their application, and when they print, Windows XP Professional routes the job to the tray that holds the matching form. Examples of forms include Legal, A4, Envelope #10, and Letter Small. You make paper tray assignments by selecting the appropriate form for each paper tray on the Device Settings tab of the printer's Properties dialog box (Figure 6-26).

Figure 6-26 Assigning forms to paper trays



After you set up a paper tray, users specify the paper size from within their Windows-based applications. Windows XP Professional then uses the paper tray configurations to determine which paper tray holds the form.


Setting a Separator Page


A separator page is a file that contains print device commands. Separator pages have two functions:

To identify and separate printed documents. Users can more easily find their own documents when a distinguishable page separates them from others.

To switch print devices between print modes. Some print devices can switch between print modes that take advantage of different device features. You can use separator pages to specify the correct page description language; for example, you can specify PostScript or Printer Control Language (PCL) for a print device that can switch between them but cannot detect which language a print job uses.

Windows XP Professional includes four separator page files, which are located in the %systemroot%\System32 folder.

Sysprint.sep. Prints a page before each document; compatible with PostScript print devices.

Pcl.sep. Switches the print mode to PCL for HP-series print devices and prints a page before each document.

Pscript.sep. Switches the print mode to PostScript for HP-series print devices but does not print a page before each document.

Sysprtj.sep. A version of Sysprint.sep that uses Japanese characters.

If you want to use a separator page, choose one and then use the Separator Page dialog box (Figure 6-27), which you open from the Advanced tab of the printer's Properties dialog box, to specify that the separator page should be printed at the beginning of each print job.

Figure 6-27 Configuring a separator page




Administering Printers with a Web Browser


Windows XP Professional lets you manage printers from any computer with a Web browser, whether or not that computer runs Windows XP Professional or has the printer driver installed. The management tasks are the same as those you perform with the Windows XP Professional management tools; only the interface differs, because it is Web-based. To manage a printer this way, the print server (Windows 2000 Server, Windows Server 2003, or Windows XP Professional) must have Microsoft Internet Information Services (IIS) installed. Using a Web browser, such as Microsoft Internet Explorer, to manage printers has the following advantages:

It allows you to administer printers from any computer running any Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed. Administration takes place over HTTP, which most firewalls pass.

It allows you to customize the interface. For example, you can create your own Web page containing a floor plan with the locations of the printers and links to them.

It provides a summary page listing the status of all printers on a print server.

It can report real-time print device data, such as whether the print device is in power-saving mode, if the printer driver makes such information available. This information is not available in the Printers and Faxes window.
CAUTION

As with any other administrative tool, security considerations should govern how you use this one. Do not make it available to users you do not trust, require authentication on the /printers virtual directory (and SSL if that authentication is Basic), and block access to it from the Internet at the firewall.
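Both the Internet printing client described under How Internet Printing Works and the browser-based administration described here depend on how the /printers virtual directory authenticates callers, and that setting lives in the IIS metabase. The following PowerShell script is an added example, not part of this book. It assumes PowerShell 2.0 on the print server (Windows XP Professional with IIS 5.1, or Windows 2000 Server or Windows Server 2003 with IIS 5.0/6.0), that Internet printing is in the Default Web Site (site number 1 in the metabase), and an administrative session. It reads the directory's authentication and SSL settings through the IIS ADSI provider and warns about the combinations a practitioner would not want to leave in place.

```powershell
# Added example (not from the book): audit the authentication settings of the
# /Printers virtual directory in the IIS 5.x/6.0 metabase. Read-only.
$vdirPath = 'IIS://localhost/W3SVC/1/ROOT/Printers'   # Default Web Site assumed

if (-not [System.DirectoryServices.DirectoryEntry]::Exists($vdirPath)) {
    Write-Host 'No /Printers virtual directory: Internet printing is not enabled (or IIS Lockdown removed it).'
    return
}

$vdir = [ADSI]$vdirPath
[int]$auth = $vdir.Properties['AuthFlags'].Value        # bit flags, may be inherited from the site
[int]$ssl  = $vdir.Properties['AccessSSLFlags'].Value   # 0 when a secure channel is not required

# Metabase constants: AuthAnonymous=1, AuthBasic=2, AuthNTLM (Integrated)=4,
# AuthPassport=16; AccessSSL=8 means "require SSL".
$anonymous  = ($auth -band 1) -ne 0
$basic      = ($auth -band 2) -ne 0
$integrated = ($auth -band 4) -ne 0
$requireSsl = ($ssl  -band 8) -ne 0

'/Printers  anonymous={0}  basic={1}  integrated={2}  requireSSL={3}' -f $anonymous, $basic, $integrated, $requireSsl

if ($anonymous) {
    Write-Warning 'Anonymous access is on: anyone who can reach TCP 80 can view the queues and submit jobs.'
}
if ($basic -and -not $requireSsl) {
    Write-Warning 'Basic authentication without SSL: Windows passwords cross the network base64-encoded, i.e. in clear text.'
}
if (-not $anonymous -and -not $basic -and -not $integrated) {
    Write-Warning 'No authentication method is enabled: clients receive 401 and Connect fails.'
}
```

Integrated Windows authentication alone is the setting that lets domain clients on the LAN connect without typing a password and never exposes one; the same values can be confirmed in the IIS snap-in on the Directory Security tab of the Printers virtual directory.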

Accessing Printers Using a Web Browser

You can reach all printers on a print server from a Web browser (Figure 6-28). In the Address box, type http://print_server_name/printers. The page that appears lists all the printers on the print server; click the name of the printer you want to manage. If you know the share name of the printer, you can go to it directly by typing http://print_server_name/printer_share_name in the Address box. From the printer's page, you can view information about the printer, such as its model, its location, and the number of documents waiting to print. You can manage any document you have sent to the printer, and if you have Manage Printers permission for the printer, you can also pause or resume the printer itself.

Figure 6-28 Using Internet Explorer to access all printers on a print server

MANAGING DOCUMENTS
In addition to managing printers, Windows XP Professional allows you to manage documents. Managing documents includes pausing, resuming, restarting, and canceling documents. In addition, you can set a specific document to notify the user when it has finished printing, adjust document priority to allow a critical document to print before other documents, or specify a specific time for a document to print.

Pausing, Restarting, and Canceling a Document


If there is a printing problem with a specific document, you can pause and resume printing of that document. You can also restart or cancel a document. You must have Manage Documents permission for the appropriate printer to perform these actions. Because the creator of a document has the default permissions to manage that document, users can perform any of these actions on their own documents. To manage a document, right-click the icon representing the printer for the document in the Printers and Faxes window, and then click Open. Select the appropriate documents, click the Document menu, and then click the appropriate command (Figure 6-29).


Figure 6-29 Managing documents



Here are some of the document management tasks and how to perform them:

Pause printing of a document. Select the documents you want to pause, and then click Pause. (The status changes to Paused.)

Resume printing a document. Select the documents you want to resume, and then click Resume. (The status changes to Printing.)

Restart printing of a document. Select the documents you want to restart, and then click Restart. Restart causes printing to begin again from the first page of the document.

Cancel printing of a document. Select the documents you want to cancel, and then click Cancel. You can also cancel a document by pressing the DELETE key.

TROUBLESHOOTING COMMON PRINTING PROBLEMS


During setup and configuration of a printer, problems can occur. This section introduces a few common problems that you might encounter and suggests some solutions. You will also learn about the built-in Printer Troubleshooter and some of the other troubleshooting features included in Windows XP Professional.

Examining the Problem


When you detect a printing problem, always verify that the printer is plugged in, turned on, and connected to the print server. For a network interface printer, verify that there is a network connection between the printer and the print server. To determine the cause of a problem, first try printing from a different program to verify that the problem is with the printer and not with the program. If the problem is with the printer, ask the following questions:

Can other users print normally? If so, the problem is most likely caused by insufficient permissions, no network connection, or client computer problems.

212

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Does the print server use the correct printer driver for the printer?
Is the print server operational, and is there enough disk space for spooling?
Does the client computer have the correct printer driver?

Common Troubleshooting Scenarios


Table 6-2 lists some of the common setup and configuration problems that you might encounter. It also gives probable causes of the problems and possible solutions.
Table 6-2 Common Printer Problems and Possible Solutions

Problem: Test page does not print. You have confirmed that the printer is connected and turned on.
Probable cause: The selected port is not correct.
Possible solution: Configure the printer for the correct port. For a network interface printer, make sure that the network address is correct.

Problem: Test page or documents print incorrectly as garbled text.
Probable cause: The installed printer driver is not correct.
Possible solution: Reinstall the printer with the correct printer driver.

Problem: Pages are only partially printing.
Probable cause: There is not enough memory to print the document, or the printer does not have enough toner.
Possible solution: Add memory to the print server, or replace the printer's toner cartridge.

Problem: Users report an error message that asks them to install a printer driver when they print to a print server running Windows XP Professional.
Probable cause: Printer drivers for the client computers are not installed on the print server.
Possible solution: On the print server, add the appropriate printer drivers for the client computers. Use the client computer operating system CD-ROM or a printer driver from the vendor.

Problem: Documents from one client computer do not print, but documents from other client computers do.
Probable cause: The client computer is connected to the wrong printer.
Possible solution: On the client computer, remove the printer, and then add the correct printer.

Problem: Documents print correctly on some printers in a printer pool, but not all of them.
Probable cause: The printers in the printer pool are not identical.
Possible solution: Verify that all printers in the printer pool are identical or that they use the same printer driver. Remove inappropriate devices.

Problem: Printing is slow because the print server is taking a long time to render the job.
Probable cause: The print server's disk needs defragmenting or is getting close to capacity.
Possible solution: Defragment the print server's disk and check whether there is adequate space for temporary files on the hard disk.

Problem: Printing is slow, and print jobs are taking a long time to reach the top of the queue.
Probable cause: If you are using a printing pool, you might not have enough printers in the pool.
Possible solution: Add printers to the printing pool.

Problem: Documents do not print in the right priority.
Probable cause: The printing priorities among printers are set incorrectly.
Possible solution: Adjust the printing priorities for the printer device associated with the printers.

Printing Troubleshooters
Windows XP Professional helps you interactively troubleshoot problems you encounter. To troubleshoot problems with a printer, choose Start | Control Panel | Printers And Other Hardware. In the Printers And Other Hardware window, under Troubleshooters, click Printing. The Help and Support Center window appears, with the Printing Troubleshooter displayed (Figure 6-30).

Figure 6-30 Printing Troubleshooter


Notice the series of questions on the page. As you respond to these questions, the troubleshooter asks additional questions and makes suggestions to resolve your problem based on the answers you provide.

Additional Troubleshooting Options


Check Event Viewer for system or application events related to a document's failure to print. You can look up these events in the Microsoft Knowledge Base to get more information on the potential cause. Windows XP Professional provides a number of ways to help you resolve problems with your computer. On the Start menu, click Help And Support. If your problem is a printing problem, click Printing And Faxing to enter the help section on Printing and Faxing (Figure 6-31).

Figure 6-31 The Printers and Faxing area in the Help and Support Center

The Help and Support Center also allows you to use Remote Assistance to invite another person to help you over the Internet. The expert can accept this invitation, chat with you, and view your desktop. She can also transfer any files required to fix the issue or perform any complex procedures that need to be performed. You can also visit the Windows XP newsgroups or try Microsoft Online Assisted Support, which is accessible from the Help and Support Center.

CONFIGURING AND MANAGING WINDOWS XP FAX SUPPORT


Windows XP Professional can provide complete fax services from your computer. You can send and receive faxes using a locally attached fax device or using a remote fax device connected to your network. You can track and monitor fax


activity as well. However, the fax component of Windows XP Professional is not installed by default. You install it by installing Fax Services in the Windows Components section of Add/Remove Programs (Figure 6-32).

Figure 6-32 Installing Fax Services

If you have a fax device (such as a fax modem) installed when you install the Fax Service, a Fax icon is added to Control Panel. You use the Fax icon to add, monitor, and troubleshoot fax devices, including fax modems and fax printers.

The Fax Console


Installing Windows XP's fax support installs the Fax console as well. The Fax console manages the sending and receiving of faxes. The console has tools for designing cover pages and for viewing or printing received faxes. To access this utility, choose Start | All Programs | Accessories. Select Fax Console to launch the Fax console.

Fax Printers
Windows XP fax support installs the fax device to operate as a printer. This enables you to print to the fax device and send the results as a fax. Once printing is complete, the Fax service asks for addressing information to direct the fax to its destination. You are also prompted to select a cover page, and you can edit information on the cover page before sending the fax. The fax can be sent immediately or scheduled for a later time.


SUMMARY

Local printers are connected to a physical port on the print server, and network interface printers are connected to a printer through the network. Network interface printers require their own network interface cards and have their own network address, or else they are attached to an external network adapter. Windows XP Professional supports the following printer ports (software interfaces): LPT, COM, USB, and network-attached devices such as the HP JetDirect and Intel NetPort.

Sharing a local printer makes it possible for multiple users on the network to use it. To set up and share a printer for a local print device or for a network interface print device, use the Add Printer Wizard. To share an existing printer, use the Sharing tab of the Properties dialog box for the printer and select Share This Printer.

Windows XP Professional allows you to control printer use and administration by assigning permissions.

On client computers running Windows XP Professional, Windows 2000, or Windows Server 2003 that are members of an Active Directory domain, you can find a printer using Active Directory search capabilities. On client computers running Windows NT 4, Windows 95, or Windows 98, the Add Printer Wizard allows you only to enter a UNC name or to browse Network Neighborhood to locate the printer.

A printer pool consists of two or more identical printers that are connected to one print server and act as a single printer.

You can set priorities on virtual printers so users can send critical documents to a high-priority printer and noncritical documents to a lower-priority printer, even when there is only one physical printer.

Setting a specific time for a document to print allows large documents to print only during off hours, such as late at night.

Windows XP Professional enables you to manage printers from any computer running a Web browser, regardless of whether the computer is running Windows XP Professional or has the correct printer driver installed.


Windows XP Professional helps you interactively troubleshoot problems you encounter. To troubleshoot printing problems, use the Printing Troubleshooter.

REVIEW QUESTIONS
1. To have a print server on your network, do you have to have a computer running one of the Windows Server products? Why?

2. Windows XP Professional printing supports which of the following types of computers? (Choose all correct answers.)
   a. Macintosh computers
   b. UNIX computers
   c. NetWare clients
   d. Windows 98 computers

3. Which of the following operating systems running on a client computer allow you to connect to a network printer by using Active Directory search capabilities? (Choose all correct answers.)
   a. Windows Server 2003
   b. Windows Me
   c. Windows NT 4
   d. Windows XP Professional

4. Which of the following tabs do you use to assign printer permissions to users and groups?
   a. Security tab of the Properties dialog box for the printer
   b. Security tab of the Properties dialog box for the user or group
   c. Permissions tab of the Properties dialog box for the printer
   d. Permissions tab of the Properties dialog box for the user or group

5. If a printer has multiple trays that regularly hold different paper sizes, how do you assign a form to a paper tray?

6. Briefly describe how to enable Internet printing on a print server.


CASE SCENARIOS
Scenario 6-1: Printing in a Small Office
You are the system administrator in a small architectural drafting office that uses four UNIX and six Windows XP Professional workstations. You are asked to establish printing to two wide-format plotters from all systems. The plotters do not have any network connectivity, but you have print drivers for both Windows XP and UNIX. What is the best way to establish printing in this scenario?

Scenario 6-2: Printer Wars


You are the network analyst for a trading office. The office has only one printer. Users are complaining to you about printing conflicts. The traders need their print jobs printed immediately, but these jobs often wait behind large reports being printed by the accountants. The office staff and accountants also need to print e-mails and spreadsheets, but these are not urgent jobs. Using a combination of printing schedules, printer priorities, and permissions, how can you make everyone happy?

CHAPTER 7

CONFIGURING AND MANAGING NTFS SECURITY


Upon completion of this chapter, you will be able to:
Understand the structure of NTFS security
Control access to files and folders by using permissions
Optimize access to files and folders by using NTFS best practices
Audit NTFS security
Troubleshoot access to files and folders

In this chapter, we'll explore the configuration and management of security in the NTFS file system. You will learn how NTFS manages users' access to resources and how to analyze and configure access control lists (ACLs). You'll see how user group membership controls access to resources and how individual permissions are grouped into standard permissions. Finally, we will discuss how you can combine security groups and permissions to control access.


UNDERSTANDING THE NTFS FILE SYSTEM


To understand how the NTFS file system controls access to files, folders, and other objects, you need to understand the basic workings of the NTFS file system. In this course, you have already learned how the hard disk is divided into volumes or partitions. The file system's job is to provide some structure to the volume or partition to allow it to store, track, and secure data that is stored on it. The NTFS file system can be described as a collection of files. The files are classified into two types, normal files (data files) and metadata files (files that contain data that describes data). The Master File Table (MFT), itself a metadata file, points to each of the other files, both normal and metadata, while including pointers to the appropriate entry in the $Secure file to control who has access to the files. Let's look more closely at the metadata files:

Master File Table (MFT) A metadata repository containing pointers to the actual storage sites of data on the physical disk. The MFT (Figure 7-1) also contains directory indexes and stores attributes of files and folders in MFT records. The MFT can expand as more data is stored, allowing for the storage of vast amounts of data. In addition, a mirror copy of a portion of the MFT is maintained on each NTFS volume to ensure recoverability of the file system if the main MFT is damaged.
Figure 7-1 MFT structure (diagram: an NTFS-formatted disk holding $Boot, the MFT, $Secure, and the data files; each MFT record carries a record header, the file name attribute, standard attributes such as timestamps, the security index reference ($SII), and the location information on disk (LCN))


NOTE The MFT is placed in an area on disk called the MFT zone, which is an area of disk set aside for expansion of the MFT. As the disk fills, this zone is reduced in size as required. If the zone gets small enough that the MFT no longer fits, the MFT can become fragmented because it has to be recorded in other areas of the disk. MFT fragmentation severely reduces file system performance and is one of the deleterious effects of filling up an NTFS volume.

Consolidated security NTFS maintains another metadata repository for tracking security information. Replacing the individual security descriptors (lists of users and groups with access to the file or folder, stored separately for each file or folder) of earlier versions of NTFS, the $Secure metadata file (Figure 7-2) contains a set of common security descriptors that can be referenced over and over again by a single index attribute stored in the MFT for a file or folder. As each file or folder is assigned security settings, these settings are compared against settings assigned to other files and folders. If they match, both resources are assigned the same security entry in the $Secure metadata file. This reduces the amount of resources devoted to maintaining what could be thousands of separate security descriptor attributes on files and folders. Instead, a fairly small number (by comparison) of unique security descriptors are stored in the $Secure metadata file, with index pointers to these entries stored in the file or folder's MFT record.
Figure 7-2 Security organization in NTFS (diagram: the NTFS security ID index ($SII) attribute in each MFT record points to a shared security descriptor in $Secure; each descriptor lists user or group security IDs (SIDs) with the permissions for the data file)


Transaction logging By logging changes to files, NTFS ensures data consistency by reversing unfinished transactions when recovering from a crash.
Quota tracking NTFS has the ability, through quota tracking, to keep track of the amount of data each user has stored on a volume and to limit further disk writes to prevent exceeding the limit.
NOTE

Quota management is covered in Chapter 3.

UNDERSTANDING NTFS PERMISSIONS


The NTFS security descriptors described above contain access control lists (ACLs) which are, in essence, a list of user or group security IDs (SIDs) matched up with permission settings for each SID. These individual entries are called access control entries (ACEs).

Components of NTFS Permissions


NTFS permission assignment involves three components: ACLs, ACEs, and users or groups.

Access control lists (ACLs) The ACL is the fundamental construct of security in the Microsoft Windows NT family of operating systems. Objects from files and folders all the way up to group policy objects in Active Directory are secured by using ACLs. ACLs come in two types:

System access control lists (SACLs) SACLs are defined by the operating system and are controlled administratively, either by policies or by system administrators. They control auditing of access to objects.
Discretionary access control lists (DACLs) DACLs are commonly referred to simply as ACLs. These are the lists of users or groups that have been granted access to an object. Because access is granted at the discretion of the object's owner, this type of ACL is classified as discretionary.

Each object's security descriptor contains a DACL that defines the users and groups that have access permissions to the object. NTFS stores this DACL in the $Secure metadata file and records the descriptor's index attribute in the object's standard information attributes in the MFT.


Access control entries (ACEs) ACLs consist of one or more access control entries (ACEs). These entries consist of a user or group security identifier (SID) paired with permissions assigned to this SID. ACEs can be one of three types:

Allow ACE An ACE that allows access to the listed SID for the listed operations (Read, Write, Modify, etc.).
Deny ACE An ACE designed to deny the specified operation to the listed SID.
System Audit ACE A component of a SACL, a System Audit ACE lists the operations to be audited for an object.

When more than one ACE exists on an ACL, the cumulative effects of all the ACEs are taken into account to determine what operations are permitted for a specific user. The rule governing this can be stated in the following way: Permission assigned to a user who has more than one ACE for an object is the most lenient of the accumulated permissions, unless one of the permissions is Deny, which overrides all other permissions for the specified operation. An example of this rule is the case where a user might be a member of more than one security group with access to a file. If one group has Allow Read permission and the other has Allow Modify, the user has permission to modify the file. If the permissions are Allow Modify and Deny Read, the user cannot open the file, thereby negating the Modify permission.
NOTE

We will discuss permissions in more detail in the upcoming section titled NTFS Permissions.

Users and groups Users and groups, which are identified by the SID in the ACE, are the final part of the NTFS permissions scheme. By placing users into security groups and assigning the groups access to NTFS objects, you can easily control object access. Simply by placing a user into a security group, you confer all permissions granted to the group. This chapter discusses both built-in security groups and administratively created security groups, which differ in a few important ways:

Built-in security groups Groups that are included with the operating system by default. Examples of these groups are the Users group, Power Users group, and Administrators group. By default, Administrators have Full Control access to NTFS folders and files so they can administer permissions.


Assigned security groups Groups created by administrators to make it easier to manage access to resources. An example of an assigned group is an Applications group that you might create to manage access to executable applications.
Special groups Also referred to as implicit groups, these are groups whose membership changes based on the circumstances of a user's access to a file. Examples of special groups are:

CREATOR OWNER group A group made up of the creator or owner(s) of a resource.


NOTE

We will pay special attention to the CREATOR OWNER group in this chapter. As you will see, you can use this group to manage access to public data.

INTERACTIVE group A group of users who access an object while logged on to a system's console.
NETWORK group A group of users who access a resource over a network connection.
Everyone group Any user identifiable by username who attempts to access resources on a system. This group includes users who have not authenticated themselves to any authority recognized by the system.
Authenticated Users group Users who have been authenticated by an authority recognized and trusted by the system. This is an important consideration for security because members of the Authenticated Users group are more trusted than users belonging only to the Everyone group.

NTFS Permissions
You use NTFS permissions to specify which users and groups can access files and folders and what they can do with the contents of the files or folders. NTFS permissions are available only on NTFS volumes. They are not available on volumes formatted with file allocation table (FAT) or FAT32 file systems. NTFS security applies whether a user accesses the file or folder at the local computer or over the network. The permissions you assign for folders are different from the permissions you assign for files. Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders.


NTFS folder permissions You assign folder permissions to control the access that users have to folders and to the files and subfolders within the folders. Folder permissions differ from file permissions in that some folder-level operations, such as listing folder contents, do not apply directly to files. The standard folder permissions are:

Read See files and subfolders in the folder and view folder ownership, permissions, and attributes (such as Read-Only, Hidden, Archive, and System)
Write Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions
List Folder Contents See the names of files and subfolders in the folder
Read & Execute Move through folders to reach other files and folders, even if you don't have permission for those folders, and perform actions permitted by the Read permission and the List Folder Contents permission
Modify Delete the folder, plus perform actions permitted by the Write permission and the Read & Execute permission
Full Control Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS folder permissions

You can deny any individual permission to a user account or group. To deny all access to a user account or group for a folder, deny the Full Control permission.
CAUTION

Take care when denying permissions. This action, if not properly documented, can cause hard-to-trace permission issues when users are members of more than one group or change group membership later on.

NTFS file permissions You assign file permissions to control the access that users have to files. The standard file permissions are:

Read Read the file and view file attributes, ownership, and permissions
Write Overwrite the file, change file attributes, and view file ownership and permissions
Read & Execute Run applications, plus perform the actions permitted by the Read permission


Modify Modify and delete the file, plus perform the actions permitted by the Write permission and the Read & Execute permission
Full Control Change permissions and take ownership, plus perform the actions permitted by all other NTFS file permissions

Special permissions The previous section mentioned standard permissions. NTFS actually has 14 discrete permissions that apply to folders and 13 that apply to files. These permissions are grouped together into standard permissions for convenience, but you can assign them separately to provide very granular control of access permission for objects stored in the file system. These discrete permissions are called NTFS special permissions. The NTFS special permissions are as follows:

Full Control Applies all permissions to the user or group.

Traverse Folder/Execute File Traverse Folder applies only to folders. It allows or denies moving through folders to access other files or folders, even when the user has no permissions for the traversed folder (the folder that the user is moving through). Traverse Folder is not applied if the user or group has the Bypass Traverse Checking user right granted in Group Policy (discussed in Chapter 13). By default, the Everyone group has Bypass Traverse Checking granted, so you must modify the Group Policy if you want to use the Traverse Folder permission. Execute File applies only to files. It allows or denies running executable files (application files).

List Folder/Read Data List Folder applies only to folders. It allows or denies viewing file names and subfolder names within the folder. Read Data applies only to files. It allows or denies viewing the contents of a file.

Read Attributes Allows or denies the viewing of the attributes of a file or folder. These attributes are defined by NTFS. Attributes are items such as time stamps, compression, or encryption.

Read Extended Attributes Allows or denies the viewing of extended attributes of a file or a folder. These attributes are defined by programs. These can be items such as Author, Subject, and Source.

Create Files/Write Data Create Files applies only to folders. It allows or denies the creation of files within a folder.


Write Data applies only to files. It allows or denies the making of changes to a file and the overwriting of existing content.

Create Folders/Append Data Create Folders applies only to folders. It allows or denies the creation of folders within the folder. Append Data applies only to files. It allows or denies making changes to the end of the file, but not changing, deleting, or overwriting existing data.

Write Attributes Allows or denies the changing of the NTFS attributes (such as time stamps and compression attributes) of a file or folder.

Write Extended Attributes Allows or denies the changing of the extended attributes (such as Author, Subject, and Source) of a file or a folder.

Delete Subfolders and Files Allows or denies the deletion of subfolders or files within a folder, even if the Delete permission has not been granted on the particular subfolder or file.

Delete Allows or denies the deletion of a file or folder. A user can delete a file or folder even without having the Delete permission granted on that file or folder if the Delete Subfolders and Files permission has been granted to the user on the parent folder.

Read Permissions Allows or denies the reading of the permissions assigned to the file or folder.

Change Permissions Allows or denies the changing of the permissions assigned to the file or folder. You can give other administrators and users the ability to change permissions for a file or folder without giving them Full Control permission over the file or folder. In this way, the administrator or user can't delete or write to the file or folder but can assign permissions to the file or folder.

Take Ownership Allows or denies taking ownership of the file or folder. The owner of a file can always change permissions on a file or folder, regardless of the permissions set to protect the file or folder.
NOTE

There is one other special permission that you will not see very often: Synchronize. Synchronize allows or denies different threads to wait on the handle for the file or folder and synchronize with another thread that might signal it. This permission applies only to multithreaded, multiprocess programs.

Mapping NTFS special permissions to standard permissions Figure 7-3 shows how the NTFS special permissions combine to make up the NTFS standard permissions.


Figure 7-3 Mapping NTFS special permissions to NTFS standard permissions

Read: List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
Write: Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes
Read & Execute: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
List Folder Contents: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions
Modify: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete
Full Control: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, Change Permissions, Take Ownership
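The following Python model, added here as an illustration and not part of the book, works through the cumulative-ACE rule from "Components of NTFS Permissions" (Allow entries accumulate, Deny overrides) over the special-permission groupings of Figure 7-3. The bit values, the SIDs, and the two sample DACLs are constructed for the example; Full Control is modeled as every special permission, as the text states.

```python
from dataclasses import dataclass
from enum import Flag, auto
from typing import Iterable, List, Set


class Special(Flag):
    """The NTFS special permissions. Bit values are constructed for this
    example and are not the Windows access-mask constants."""
    TRAVERSE_FOLDER_EXECUTE_FILE = auto()
    LIST_FOLDER_READ_DATA = auto()
    READ_ATTRIBUTES = auto()
    READ_EXTENDED_ATTRIBUTES = auto()
    CREATE_FILES_WRITE_DATA = auto()
    CREATE_FOLDERS_APPEND_DATA = auto()
    WRITE_ATTRIBUTES = auto()
    WRITE_EXTENDED_ATTRIBUTES = auto()
    DELETE_SUBFOLDERS_AND_FILES = auto()
    DELETE = auto()
    READ_PERMISSIONS = auto()
    CHANGE_PERMISSIONS = auto()
    TAKE_OWNERSHIP = auto()
    SYNCHRONIZE = auto()


# Standard permissions as groupings of special permissions (Figure 7-3).
READ = (Special.LIST_FOLDER_READ_DATA | Special.READ_ATTRIBUTES
        | Special.READ_EXTENDED_ATTRIBUTES | Special.READ_PERMISSIONS)
WRITE = (Special.CREATE_FILES_WRITE_DATA | Special.CREATE_FOLDERS_APPEND_DATA
         | Special.WRITE_ATTRIBUTES | Special.WRITE_EXTENDED_ATTRIBUTES)
READ_EXECUTE = READ | Special.TRAVERSE_FOLDER_EXECUTE_FILE
LIST_FOLDER_CONTENTS = READ_EXECUTE          # same entries; folders only
MODIFY = READ_EXECUTE | WRITE | Special.DELETE
# "Full Control applies all permissions": every special permission.
FULL_CONTROL = Special(sum(p.value for p in Special))
STANDARD = {
    "Read": READ, "Write": WRITE, "Read & Execute": READ_EXECUTE,
    "List Folder Contents": LIST_FOLDER_CONTENTS,
    "Modify": MODIFY, "Full Control": FULL_CONTROL,
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: a SID plus permissions, Allow or Deny."""
    sid: str
    access: Special
    allow: bool = True


def effective_permissions(dacl: Iterable[Ace], token_sids: Set[str]) -> Special:
    """Apply the chapter's rule: accumulate every Allow ACE whose SID is in the
    user's token (the most lenient union wins), then strip any operation that a
    matching Deny ACE names, because Deny overrides Allow for that operation."""
    allowed = 0
    denied = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue                    # ACE is for someone else; ignored
        if ace.allow:
            allowed |= ace.access.value
        else:
            denied |= ace.access.value
    return Special(allowed & ~denied & FULL_CONTROL.value)


def can(effective: Special, required: Special) -> bool:
    """True when every special permission in `required` is present."""
    return (effective & required) == required


def standard_permissions_granted(effective: Special) -> List[str]:
    """Names of the standard permissions the effective mask fully covers."""
    return [name for name, bits in STANDARD.items() if can(effective, bits)]


# Constructed SIDs for the worked cases (not real accounts).
USER, ENGINEERS, DRAFTERS, CONTRACTORS = (
    "S-1-5-21-0-0-0-1001", "S-1-5-21-0-0-0-1101",
    "S-1-5-21-0-0-0-1102", "S-1-5-21-0-0-0-1103")

# Case 1 from the text: Allow Read from one group, Allow Modify from another.
DACL_LENIENT = [Ace(ENGINEERS, READ), Ace(DRAFTERS, MODIFY)]
# Case 2 from the text: Allow Modify from one group, Deny Read from another.
DACL_DENY = [Ace(DRAFTERS, MODIFY), Ace(CONTRACTORS, READ, allow=False)]

if __name__ == "__main__":
    e1 = effective_permissions(DACL_LENIENT, {USER, ENGINEERS, DRAFTERS})
    print("case 1 grants:", standard_permissions_granted(e1))
    e2 = effective_permissions(DACL_DENY, {USER, DRAFTERS, CONTRACTORS})
    print("case 2 can read file data:", can(e2, Special.LIST_FOLDER_READ_DATA))
    print("case 2 still grants:", standard_permissions_granted(e2))
```

In case 2 the user keeps Write and Delete but cannot read the file's data, which is what the text means by the Deny "negating" the Modify permission.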

NTFS Permissions Inheritance


By default, permissions that you assign to the parent folder are inherited by and propagated to the subfolders and files contained in the parent folder, as well as to any new files and subfolders that are created in the folder. However, you can prevent permissions inheritance. You can prevent permissions assigned to a parent folder from being inherited by subfolders and files that are contained within the folder. You might want to do this if a certain subfolder needs permissions that differ from the rest of the subfolders; for instance, if you have a parent folder called Data but want the Engineering Data subfolder to have slightly different permissions.

To block permissions inheritance:
1. In the Advanced Security Settings dialog box, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box.
2. Windows XP prompts you to copy existing permissions, remove all permissions and start with an empty ACL, or cancel.


The folder for which you prevent permissions inheritance becomes the new parent folder. The subfolders and files contained within this new parent folder inherit the permissions assigned to it.

Copying or moving NTFS objects When you copy or move an object on an NTFS volume or between NTFS volumes (Figure 7-4), it might inherit permissions from its new parent folder, depending on the type of operation performed.

Figure 7-4 Copying and moving NTFS objects (diagram of moves and copies between NTFS and FAT folders, summarized as: an object moved within an NTFS volume retains its permissions; all other operations, move or copy, inherit permissions from the destination folder; XCOPY.EXE with the /O or /X option will copy permissions to the new location)

Moving NTFS objects within an NTFS volume The only situation in which permissions are retained (ACLs copied with objects) is when an object such as a file or folder is moved within an NTFS partition.
Moving NTFS objects between NTFS volumes When objects are moved between volumes, they inherit the permissions of whichever target folder they are placed in on the target volume.
Moving NTFS objects to a non-NTFS volume Moving an object to a volume that does not support NTFS permissions removes all permissions from the object.
Copying NTFS objects within an NTFS volume When you copy an object within an NTFS volume, it inherits the permissions of the target folder.

230

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

- Copying NTFS objects to another NTFS volume: When you copy an object to another NTFS volume, it inherits the permissions of the target folder.
- Copying NTFS objects to a non-NTFS volume: Copying an object to a volume without NTFS security removes all permissions from the object.

There are two ways to cause Windows XP to retain permissions even when an object is copied or moved to another NTFS volume:

- Using Xcopy.exe with the /O or the /X command-line switch copies permissions to the new destination.
- Modifying the HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer registry key. Adding the DWORD value ForceCopyAclwithFile with a value of 1 causes Windows XP to always copy the ACL with the object.
MORE INFO For more on these methods of copying permissions, see Microsoft Knowledge Base article 310316.

MANAGING NTFS PERMISSIONS


To assign NTFS permissions, you must fully understand the use and consequences of each permission. It is also important to understand how permissions from multiple group memberships work together to create effective permissions. In this section, you will learn how to plan for NTFS permission assignment and how to assign permissions. We will also explore how to determine effective permissions and how the system uses this determination to grant or deny access to objects.

Best Practices for Assigning Permissions


The following are best practices for implementing NTFS permissions. These guidelines will help you avoid permission problems.

- Assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks. Observe the principle of least privilege.
- Assign all permissions at the folder level, not at the file level. Group files for which you want to restrict user access in a separate folder, and then assign restricted access to that folder.


- Assign permissions to groups whenever possible, not to individual users. You can manage permissions for a group once, and then make users members of that group to give them access to the files or folders.
- Avoid changing the default permissions on system files and folders. This can cause unexpected and difficult-to-diagnose problems.
- Do not deny access to the Everyone group. Administrators are members of Everyone as well, and they would also be restricted. Instead, remove the Everyone group from the ACL and replace it with appropriate groups requiring access. If all users require access, use the Authenticated Users group.
- For all application executable files, assign Read & Execute and Change Permissions to the Administrators group and assign Read & Execute to the Users group. Damage to application files usually results from accidents and viruses. By assigning Read & Execute to Users and Read & Execute and Change Permissions to Administrators, you can prevent users or viruses from modifying or deleting executable files. To update files, members of the Administrators group can assign Full Control to their user account to make changes and then reassign Read & Execute and Change Permissions.
- For public folders, assign Full Control to CREATOR OWNER and Read and Write to the Authenticated Users group. This gives users full access to the files that they create, but members of the Authenticated Users group can only read files in the folder and add files to the folder.
- If you don't want a user or group to access a particular folder or file, don't assign permissions. If you do not grant permission, the user will not have access to the object. You should deny permissions only in the following special cases (which should be very well documented):
  - To exclude a person (or persons) who belongs to a group with Allowed permissions. For example, in a department where users have full control over files, you can deny permission to modify data to new employees who are in a probationary period.
  - To exclude one special permission from a standard permission group. For example, you can deny the Delete special permission to users who have the Modify standard permission.

Setting NTFS Permissions


Administrators, users with the Full Control permission, and the owners of files and folders can assign permissions to user accounts and groups.


To assign or modify NTFS permissions for a file or folder, on the Security tab of the Properties dialog box for the file or folder, configure the options shown in Figure 7-5.

Figure 7-5 Assigning NTFS permissions


Here are the options on the Security tab:

- Group Or User Names: Allows you to select the user account or group for which you want to change permissions or that you want to remove from the list.
- Permissions For Administrators: Allows or denies permissions. Select the Allow check box to allow a permission. Select the Deny check box to deny a permission. This selection creates an Allow or Deny ACE in the ACL for the object.
- Add: Opens the Select Users Or Groups dialog box, which you use to select user accounts and groups to add to the Group Or User Names list (shown in Figure 7-6).
- Remove: Removes the selected user account or group and the associated permissions for the file or folder. This removes the ACE for this user or group from the associated ACL for the object.
- Advanced: Opens the Advanced Security Settings dialog box for the selected folder so that you can grant or deny special permissions (shown in Figure 7-7).

Adding users or groups Click Add to display the Select Users Or Groups dialog box (Figure 7-6), where you can add users or groups so that you can assign them permissions for accessing a folder or file.


Figure 7-6 The Select Users Or Groups dialog box for a folder

The options in the Select Users Or Groups dialog box are:

- Select This Object Type: Allows you to select the types of objects you want to look for, such as built-in security principals (users, groups, and computer accounts), user accounts, or groups.
- From This Location: Indicates where you are currently looking; for example, in the domain or on the local computer.
- Locations: Allows you to select where you want to look; for example, in the domain or on the local computer.
- Enter The Object Names To Select: Allows you to type in a list of built-in security principals, users, or groups to be added.
- Check Names: Verifies the selected list of built-in security principals, users, or groups to be added against the location selected in the From This Location field.
- Advanced: Allows you access to advanced search features, including the ability to search for deleted accounts, accounts with passwords that do not expire, and accounts that have not logged on for a certain number of days.

Granting or denying special permissions On the Security tab of the Properties dialog box, click Advanced to display the Advanced Security Settings dialog box (Figure 7-7), which lists the users and groups and the permissions they have on this object. The Permissions Entries box also shows where the permissions were inherited from and where they are applied. You can use the Advanced Security Settings dialog box to change the special permissions set for a user or group. To change the permissions set for a user or group, select a user and click Edit to display the Permission Entry For dialog box (Figure 7-8). You can then select or clear the specific permissions that you want to change.


Figure 7-7 The Permissions tab of the Advanced Security Settings dialog box for a folder

Figure 7-8 The Permission Entry dialog box for a folder


NOTE

For more information on each of the NTFS special permissions, see the NTFS Permissions section earlier in the chapter.

Taking ownership of files and folders You can transfer ownership of files and folders from one user account or group to another. You can give someone the ability to take ownership and, as an administrator, you can take ownership of a file or folder (Figure 7-9). The following rules apply for taking ownership of a file or folder:

The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or any member of the group to take ownership.


An administrator can take ownership of a folder or file, regardless of assigned permissions. If an administrator takes ownership, the Administrators group becomes the owner and any member of the Administrators group can change the permissions for the file or folder and assign the Take Ownership permission to another user account or group.

Figure 7-9 Taking ownership of a folder


For example, if an employee leaves the company, an administrator can take ownership of the employee's files and assign the Take Ownership permission to another employee, and then that employee can take ownership of the former employee's files.
NOTE

You cannot assign anyone ownership of a file or folder. The owner of a file, an administrator, or anyone with Full Control permission can assign Take Ownership permission to a user account or group, allowing them to take ownership. To become the owner of a file or folder, a user or group member with Take Ownership permission must explicitly take ownership of the file or folder.

To take ownership of a file or folder:
1. On the Security tab of the Properties dialog box for the file or folder, click Advanced.
2. In the Advanced Security Settings dialog box, on the Owner tab, select your name in the Change Owner To list.
3. Select the Replace Owner On Subcontainers And Objects check box to take ownership of all subfolders and files that are contained within the folder, and then click OK.


Preventing permissions inheritance As we discussed earlier, subfolders and files inherit permissions that you assign to their parent folder. This is indicated in the Advanced Security Settings dialog box (shown earlier in Figure 7-7) when the Inherit From Parent The Permission Entries That Apply To Child Objects check box is selected. To prevent a subfolder or file from inheriting permissions from a parent folder, clear the check box. You are then prompted to select one of the following options:

- Copy: Copy the permission entries that were previously applied from the parent to the child, and then deny subsequent permissions inheritance from the parent folder.
- Remove: Remove the permission entries that were previously applied from the parent to the child, and retain only the permissions that you explicitly assign here.
- Cancel: Cancel the dialog box.

Using Command-Line Tools to View and Modify Permissions


Microsoft offers two command-line tools for viewing and setting NTFS permissions in Windows XP: CACLS.exe (for Change ACLs) and XCACLS.exe (for Extended CACLs). CACLS is included in Windows XP, and XCACLS is available for download from Microsoft. The principal difference is that CACLS can set only standard NTFS permissions (Read, Write, Change (Modify), and Full Control), while XCACLS offers more (but not full) control over special permissions such as Delete, Change Permissions, and Take Ownership. In this section, we will discuss viewing and setting permissions with CACLS.
MORE INFO For more information on using XCACLS, see Microsoft Knowledge Base article 318754.

Understanding CACLS CACLS has the following command-line switches:

- /T: Changes the ACLs of specified files in the current directory and all subdirectories.
- /E: Edits existing ACLs instead of replacing them.
- /C: Causes CACLS to continue on access denied errors. The default behavior is to stop when the first error is encountered.


- /G user:perm: Grants permissions to the specified user. The permissions you grant can be one of the following: Read, Write, Change (the same as Modify), or Full Control.
- /R user: Removes the ACE for the specified user. If this is the only ACE that the user's access token matches, access is denied to the specified user. If the user belongs to a group with access, the user continues to have access based on the group's permissions. This switch can be used only in conjunction with the /E switch.
- /P user:perm: Replaces the specified user's access permissions with the new permissions given. This has the same effect as revoking the user's permissions and granting new permissions. The permissions you grant can be one of the following: None (the same as Deny Full Control), Read, Write, Change (the same as Modify), or Full Control.
- /D user: The same as setting Deny Full Control for the specified user. This switch has the same effect as /P used with the N permission.

Using CACLS to view and change permissions CACLS used without any switches displays permissions assigned to the specified resource (Figure 7-10).

Figure 7-10 CACLS showing permissions for a folder


NOTE In Figure 7-10, the CACLS display shows Special Access permissions FILE_APPEND_DATA and FILE_WRITE_DATA. Even though CACLS cannot modify these permissions, it reports on their use.

To change permissions, you must first decide whether you are changing permissions for one user, a group, or all users at once. The /E switch allows you to manipulate existing ACEs, add new ones, and remove individual ACEs. If you do not specify the /E switch, all ACEs are removed and replaced by the new ACE you have defined with CACLS.


CAUTION Failure to use the /E switch with CACLS results in the removal of all previously existing ACEs.

If you want to add permission for a user or group, you can do so by simply using the /G switch. The following command grants Jack the Full Control permission to the Syllabi folder:
CACLS.EXE Syllabi /E /G Jack:F

To revoke the ACE for Jack, issue the CACLS command with the /R switch:
CACLS.EXE Syllabi /E /R Jack

NOTE

In the Revoke ACE scenario above, the user will still have any access granted by group memberships.

To deny access to Jack, in spite of any other permissions he might have:


CACLS.EXE Syllabi /E /D Jack

Finally, to grant the built-in Users group permission to modify files in the folder:
CACLS.EXE Syllabi /E /G Users:C

CACLS power play

The true power of a tool such as CACLS is the ability to use it in batch files to change permissions for many users or folders at once. By issuing a series of CACLS commands in a batch file, you can automate changes to lock users out of data folders during backup operations and let them back in afterward. You can also use CACLS to dump permission listings into a file by using the > command-line redirect:
CACLS.EXE Syllabi > permissions.txt

Doing this daily allows you to analyze changes being made to permissions over a long period of time. You can use a program such as Windiff.exe to spot changed lines in the files. It might therefore be possible to spot nefarious activity by other administrators or users of the system.
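The daily-dump comparison described above, as an added Python example (not from the book; the two CACLS dumps are constructed samples and CONTOSO\Jack is a made-up account): it parses the layout that CACLS prints and reports which ACEs appeared or disappeared between two snapshots, the same check you would otherwise do by eye with Windiff.

```python
"""Diff two CACLS.EXE permission dumps to spot ACEs that changed.

Added example, not part of the book: it parses the text that
"CACLS.EXE <folder> > permissions.txt" produces and reports the ACEs that
appeared or disappeared between two snapshots.  Both dumps below are
constructed samples in the layout CACLS prints.
"""
import re
from typing import List, Set, Tuple

# Constructed day-1 snapshot: the first line carries the folder path, later
# lines are indented, and a "(special access:)" entry names its right on the
# following line.
DAY1 = r"""C:\Syllabi BUILTIN\Administrators:(OI)(CI)F
           NT AUTHORITY\SYSTEM:(OI)(CI)F
           CREATOR OWNER:(OI)(CI)(IO)F
           BUILTIN\Users:(OI)(CI)R
           BUILTIN\Users:(CI)(special access:)
                          FILE_APPEND_DATA
           BUILTIN\Users:(CI)(special access:)
                          FILE_WRITE_DATA
"""

# Constructed day-2 snapshot: Users went from Read to Change, and a new
# Full Control grant for the made-up account CONTOSO\Jack appeared.
DAY2 = r"""C:\Syllabi BUILTIN\Administrators:(OI)(CI)F
           NT AUTHORITY\SYSTEM:(OI)(CI)F
           CREATOR OWNER:(OI)(CI)(IO)F
           BUILTIN\Users:(OI)(CI)C
           CONTOSO\Jack:(OI)(CI)F
           BUILTIN\Users:(CI)(special access:)
                          FILE_APPEND_DATA
           BUILTIN\Users:(CI)(special access:)
                          FILE_WRITE_DATA
"""

# trustee, a colon, then inheritance flags in parentheses and an optional
# standard-permission letter (N, R, W, C or F)
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?P<perm>(?:\([^)]*\))*[NRWCF]?)$")


def parse_cacls(dump: str) -> Tuple[str, List[str]]:
    r"""Return (path, aces); each ACE is normalised to one string such as
    'BUILTIN\Users:(OI)(CI)R' or
    'BUILTIN\Users:(CI)(special access:) FILE_APPEND_DATA'."""
    path = ""
    aces: List[str] = []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):      # first line: the path precedes the ACE
            path, line = line.split(None, 1)
        if ":" not in line:              # a right named under "(special access:)"
            aces[-1] += " " + line
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised CACLS line: {raw!r}")
        aces.append(f"{m['trustee']}:{m['perm']}")
    return path, aces


def diff_dumps(old: str, new: str) -> Tuple[Set[str], Set[str]]:
    """Return (added, removed) ACE strings between two snapshots of one folder."""
    old_path, old_aces = parse_cacls(old)
    new_path, new_aces = parse_cacls(new)
    if old_path != new_path:
        raise ValueError(f"snapshots are for different paths: {old_path} vs {new_path}")
    return set(new_aces) - set(old_aces), set(old_aces) - set(new_aces)


if __name__ == "__main__":
    added, removed = diff_dumps(DAY1, DAY2)
    for ace in sorted(added):
        print("+", ace)      # ACEs that appeared since the previous dump
    for ace in sorted(removed):
        print("-", ace)      # ACEs that disappeared since the previous dump
```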
NOTE

Windiff.exe is one of more than 100 support tools included with Windows XP. You can install them by running the Setup program in the \Support\Tools folder on the Windows XP Professional CD-ROM. For more information on installing support tools, see Microsoft Knowledge Base article 306794 at http://support.microsoft.com.


Assigning Multiple NTFS Permissions


You can assign multiple permissions to a user account and to each group the user belongs to. To assign permissions, you must understand the rules and priorities by which NTFS assigns and combines multiple permissions and assigns NTFS permissions inheritance. When a user attempts to access an object, the user's application initiates an access request and attaches the user's access token, which is generated when the user logs on. The access token contains the user's SID and the SIDs of any security groups the user belongs to. It is compared with ACEs on the object's DACL. If a SID in the access token matches the SID listed in an ACE, the permissions in the ACE are evaluated to see if access can be granted. If all the ACEs are evaluated and at least one grants access (and none are found that explicitly deny access), the object is opened. If no ACEs are found referencing any of the user's SIDs or one is found that denies the operation, access is denied.

Example A

User A wants to access a folder to read a file (Figure 7-11). The user's SID and the SIDs for the groups the user is a member of are part of the access token that is created when the user logs on. Each SID is evaluated to see if it matches an ACE on the DACL for the object. User A is a member of Groups A, B, and D. The user's SID does not match any ACE on the DACL. Group B and Group D each match an ACE on the folder's DACL. Membership in Group B grants the user Modify access to the folder. Membership in Group D grants the user Full Control access to the folder. The user's effective access level is Full Control. The Read operation requested by the user succeeds.
Figure 7-11 User A opens a file to read. The figure shows User A's access token (SIDs: User A, Group A, Group B, Group D) checked against the folder DACL: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). Effective permission is Full Control.


Example B

User B wants to access the same folder to read a file (Figure 7-12). The user's SID and the SIDs for the groups the user is a member of are part of the access token that is created when the user logs on. Each SID is evaluated to see if it matches an ACE on the DACL for the object. User B is a member of Groups A, C, and D. The user's SID matches a Read ACE on the DACL. Groups B, C and D also match an ACE on the folder's DACL. Membership in Group B grants the user Modify access to the folder. Membership in Group D grants the user Full Control access to the folder. Membership in Group C denies the user Read access to the folder. The user's effective access level is Deny Read. The Read operation requested by the user fails.
Figure 7-12 User B fails to open a file to read. The figure shows User B's access token (SIDs: User B, Group A, Group C, Group D) checked against the same folder DACL: User B (Allow Read), Group A (Allow Modify), Group C (Deny Read), Group D (Allow Full Control). Effective permission is Deny Read.

Effective permissions

A user's effective permissions for a resource are the sum of the NTFS permissions that you assign to the individual user account and that you assign to all of the groups to which the user belongs. If a user has Read permission for a folder and is a member of a group with Write permission for the same folder, the user has both Read and Write permissions for that folder. If the application a user is using wants to open a file to modify it, it requests Append Data access to the object. If any ACEs match the user's access token, they are examined to see if the required permission is allowed. If it is not explicitly allowed, access is denied. If no ACEs match the user's access token, access is denied. To view effective permissions for an object:
1. In the object's Properties dialog box, on the Security tab, click Advanced to access the Advanced Security Settings dialog box.


2. Click the Effective Permissions tab, and use the Select button to browse for and select a user or group.
3. View the effective permissions on the object for the selected user or group (Figure 7-13).


Figure 7-13 Effective permissions for user group
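The access check walked through in Examples A and B, together with the effective-permission calculation, as an added Python model (not from the book and not Windows code). The tokens and DACL are the ones drawn in Figures 7-11 and 7-12; the right flags are a simplified subset of the real NTFS access mask, and the rule applied is the one the text states: a matching Deny on any requested right wins, otherwise the request must be fully covered by matching Allow ACEs.

```python
"""Model of the NTFS access check from Examples A and B.

Added example, not part of the book and not Windows code.  A token is the
set of SIDs created at logon (names stand in for binary SIDs); a DACL is a
list of Allow/Deny ACEs; rights are a simplified subset of the NTFS mask.
"""
from __future__ import annotations
from dataclasses import dataclass
from enum import IntFlag


class Right(IntFlag):
    """Constructed subset of the NTFS special permissions."""
    READ_DATA = 0x0001
    WRITE_DATA = 0x0002
    APPEND_DATA = 0x0004
    EXECUTE = 0x0020
    DELETE = 0x10000
    READ_CONTROL = 0x20000      # Read Permissions
    WRITE_DAC = 0x40000         # Change Permissions
    WRITE_OWNER = 0x80000       # Take Ownership


# Standard permissions as unions of the special rights above (simplified:
# the real standard permissions also include attribute rights).
READ = Right.READ_DATA | Right.READ_CONTROL
MODIFY = READ | Right.WRITE_DATA | Right.APPEND_DATA | Right.EXECUTE | Right.DELETE
FULL_CONTROL = MODIFY | Right.WRITE_DAC | Right.WRITE_OWNER


@dataclass(frozen=True)
class Ace:
    sid: str        # the SID this entry applies to
    rights: Right   # the rights it allows or denies
    allow: bool     # True for an Allow ACE, False for a Deny ACE


def access_check(token: frozenset[str], dacl: list[Ace], requested: Right) -> bool:
    """True if every requested right is allowed by a matching ACE and no
    matching Deny ACE covers any part of the request."""
    granted = Right(0)
    for ace in dacl:
        if ace.sid not in token:
            continue                  # no SID in the token matches this ACE
        if not ace.allow and ace.rights & requested:
            return False              # explicit Deny on a requested right wins
        if ace.allow:
            granted |= ace.rights
    return (requested & granted) == requested


def effective_permissions(token: frozenset[str], dacl: list[Ace]) -> tuple[Right, Right]:
    """(allowed, denied): the union of matching Allow rights with the union of
    matching Deny rights removed, and the denied rights themselves."""
    allowed = denied = Right(0)
    for ace in dacl:
        if ace.sid in token:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    return Right(int(allowed) & ~int(denied)), denied


# Folder DACL as drawn in Figures 7-11 and 7-12.
FOLDER_DACL = [
    Ace("User B", READ, allow=True),
    Ace("Group A", MODIFY, allow=True),
    Ace("Group C", READ, allow=False),
    Ace("Group D", FULL_CONTROL, allow=True),
]
USER_A_TOKEN = frozenset({"User A", "Group A", "Group B", "Group D"})
USER_B_TOKEN = frozenset({"User B", "Group A", "Group C", "Group D"})

if __name__ == "__main__":
    for name, token in (("User A", USER_A_TOKEN), ("User B", USER_B_TOKEN)):
        ok = access_check(token, FOLDER_DACL, Right.READ_DATA)
        allowed, denied = effective_permissions(token, FOLDER_DACL)
        print(f"{name}: read {'succeeds' if ok else 'fails'}; "
              f"allowed={allowed!r} denied={denied!r}")
```

Note that User B's Deny Read blocks only the Read rights: an Append Data request (the one an application makes to modify a file) still succeeds through Group A and Group D, which is why a stray Deny ACE is easy to overlook when troubleshooting.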

Overriding folder permissions with file permissions

NTFS file permissions take priority over NTFS folder permissions. If you have access to a file, you can access the file if you have the Bypass Traverse Checking user right (granted by an administrator via Group Policy) even if you don't have access to the folder containing the file. You can access the files for which you have permissions by using the full Universal Naming Convention (UNC) path or local path to open the file from its respective application.

Using Deny Access to Override Permissions

You can deny permission to a user account or group for a specific file, although this is not the recommended method of controlling access to resources. Denying permission overrides all instances in which that permission is allowed. Even if a user has permission to access a file or folder as a member of a group, denying permission to the user blocks any other permissions the user might have.

AUDITING NTFS OBJECT ACCESS


Auditing allows you to track user activities on a computer. You can specify that Windows XP Professional write a record of an event to the security log, which maintains a record of valid and invalid logon attempts and events related to creating, opening, or deleting files or other objects. An audit entry in the security log contains the following information:

- The action that was performed
- The user who performed the action
- The success or failure of the event and when the event occurred

Enabling Auditing
To track the activities of individuals responsible for security breaches, you can set up auditing for files and folders on NTFS partitions. To audit user access to files and folders, you must first set your audit policy to audit object access, which includes files and folders. We will discuss this in more detail in Chapter 13. When you set your audit policy to audit object access, you enable auditing for specific files and folders and specify which types of access to audit and by which users or groups. NTFS object access auditing is configured on the Auditing tab of the Advanced Security Settings dialog box (Figure 7-14), where you can add, remove, or change audit events.

Figure 7-14 Audit Settings tab of the Advanced Security Settings dialog box

Events can be described for both success and failure of the audited action. If you choose to add or edit an audited event, the Auditing Entry dialog box opens (Figure 7-15).


Figure 7-15 Auditing Entry dialog box


These are the actions you can audit for success and failure:

- Traverse Folder/Execute File: Running a program or gaining access to a folder to change directories
- List Folder/Read Data: Displaying the contents of a file or folder
- Read Attributes: Reading the attributes of a file or folder
- Read Extended Attributes: Reading the extended attributes of a file or folder
- Create Files/Write Data: Changing the contents of a file or creating new files in a folder
- Create Folders/Append Data: Creating folders in a folder
- Write Attributes: Changing attributes of a file or folder
- Write Extended Attributes: Changing extended attributes of a file or folder
- Delete Subfolders And Files: Deleting a file or subfolder in a folder (applies to folders only)
- Delete: Deleting a file or folder
- Read Permissions: Viewing permissions for the file owner for a file or folder
- Change Permissions: Changing permissions for a file or folder
- Take Ownership: Taking ownership of a file or folder


NOTE

Enabling auditing of a folder or file creates an SACL in the object's security descriptor. This SACL is used by the system when the object is accessed to determine which operations are audited and whether the operations should be recorded for success or failure.

Monitoring Security Event Logs


Once auditing is enabled for NTFS objects, the results of the auditing can be monitored in the security event log for the system being audited. This log is visible in the Event Viewer console either in Computer Management or by executing eventvwr.msc from the command line. We will cover the use and administration of auditing in more detail in Chapter 13.

TROUBLESHOOTING NTFS PERMISSIONS


Occasionally you will have a user who cannot access files that should be allowed, or who is found to have access that he shouldn't have. These problems can almost always be traced to improper effective permissions, either from membership in an incorrect security group or from incorrectly assigned permissions to one or more groups of which the user is a member.

Problems with Effective Permissions


To locate improper effective permissions, you can use the Effective Permissions tab of the Advanced Security Settings dialog box (Figure 7-16) for the resource in question. Select the user to list the permissions calculated from the user's own permissions and those of any groups the user belongs to. If you find a discrepancy, select each of the user's groups in turn to locate the one that is contributing the discrepancy to the effective permissions.

Figure 7-16 Displaying effective permissions for a user



Problems with Denied Permissions


When you use the Deny permission ACEs, it is easy to lose track of them. Their use is more the exception than the rule, so administrators will rarely suspect a denied permission at first. You can analyze effective permissions to see whether a checkmark is missing from one or more special permissions that should be checked. Locate the Deny access ACE and remove it to restore access to the affected user(s).

Problems with Permissions Inheritance


Blocking permissions inheritance can cause unintended consequences for effective permissions. Suppose a user is a member of a group with access to a folder through inheritance from a parent folder. If an administrator removes inheritance without copying the permissions from the parent and sets new permissions that do not give the original user access, the user will be denied access. You can analyze effective permissions to see whether you need to add the appropriate security group(s) with the appropriate permissions.


SUMMARY

- NTFS permissions are available only on NTFS volumes and are used to specify which users and groups can access files and folders and what these users can do with the contents of those files or folders.
- NTFS folder permissions are Read, Write, List Folder Contents, Read & Execute, Modify, and Full Control. The NTFS file permissions are Read, Write, Read & Execute, Modify, and Full Control.
- Administrators, the owners of files or folders, and users with Full Control permission can assign NTFS permissions to users and groups to control access to files and folders. The command-line tools CACLS.exe and XCACLS.exe can be used to automate permission changes.
- NTFS stores security descriptors (which include ACLs) for all files in a central metadata file. An index attribute is stored in the file's MFT record to identify the security descriptor. Multiple files can designate the same security descriptor, optimizing use of space.
- A user attempting to gain access to a resource must have permission for that type of access. This access type is requested by the user's application and compared with ACEs in the object's ACL. If the requested access is not allowed, access to the file or folder is denied.
- You can assign multiple permissions to a user account by assigning permissions to her individual user account and to each group she belongs to. A user's effective permissions for a resource are based on the NTFS permissions that you assign to the individual user account and to all of the groups the user belongs to.
- NTFS file permissions take priority over NTFS folder permissions.
- By default, when you format a volume with NTFS, the Full Control permission is assigned to the Everyone group.
- To assign or modify NTFS permissions for a file or a folder, you use the Security tab of the Properties dialog box for the file or folder.
- By default, subfolders and files inherit permissions that you assign to their parent folder.
- To stop subfolders and files from inheriting permissions that you assign to their parent folder, clear the Inherit From Parent The Permission Entries That Apply To Child Objects check box in the Advanced Security Settings dialog box.

- The current owner or any user with Full Control permission can assign the Full Control standard permission or the Take Ownership special access permission to another user account or group, allowing the user account or a member of the group to take ownership. You cannot assign (give) anyone ownership of a file or folder.
- When you move a file or folder within a single NTFS volume, the file or folder retains its original permissions. When you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.
- When you copy files or folders from one folder to another or from one volume to another, Windows XP Professional treats the copied file or folder as a new file or folder. It therefore takes on the permissions of the destination folder.
- You should assign the most restrictive NTFS permissions that still enable users and groups to accomplish necessary tasks. You should assign permissions at the folder level, not the file level. You should assign Full Control to CREATOR OWNER for public folders and Read and Write to the Authenticated Users group.
- Allow permissions wherever possible rather than deny permissions. The only exceptions should be to exclude users who belong to an assigned group, or to exclude permissions from a standard permission group.

REVIEW QUESTIONS
1. Which of the following statements correctly describe NTFS file and folder permissions? (Choose all correct answers.)
   a. NTFS security is effective only when a user gains access to the file or folder over the network.
   b. NTFS security is effective when a user gains access to the file or folder on the local computer.
   c. NTFS permissions specify which users and groups can gain access to files and folders and what they can do with the contents of the file or folder.
   d. NTFS permissions can be used on all file systems available with Windows XP Professional.


2. Which of the following NTFS folder permissions allows you to delete the folder?
   a. Read
   b. Read & Execute
   c. Modify
   d. Change
3. Which of the following users can assign permissions to user accounts and groups? (Choose all correct answers.)
   a. Administrators
   b. Power Users
   c. Users with the Full Control permission
   d. Owners of files and folders
4. What is an access control list (ACL) and what is the difference between an ACL and an access control entry (ACE)?
5. What are a user's effective permissions for a resource?
6. By default, what inherits the permissions that you assign to the parent folder?
7. Which of the following tabs of the Properties dialog box for the file or folder do you use to assign or modify NTFS permissions for a file or a folder?
   a. Advanced
   b. Permissions
   c. Security
   d. General
8. Which of the following statements about copying a file or folder are correct? (Choose all correct answers.)
   a. When you copy a file from one folder to another folder on the same volume, the permissions on the file do not change.
   b. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
   c. When you copy a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
   d. When you copy a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions are lost.

CHAPTER 7:

CONFIGURING AND MANAGING NTFS SECURITY

249

9. Which of the following statements about moving a file or folder are correct? (Choose all correct answers.)
   a. When you move a file from one folder to another folder on the same volume, the permissions on the file do not change.
   b. When you move a file from a folder on an NTFS volume to a folder on a FAT volume, the permissions on the file do not change.
   c. When you move a file from a folder on an NTFS volume to a folder on another NTFS volume, the permissions on the file match those of the destination folder.
   d. When you move a file from a folder on an NTFS volume to a folder on the same volume, the permissions on the file match those of the destination folder.
10. You are attempting to copy a large number of files from one NTFS volume to another and want to avoid having to re-create all the original permissions once the copy operation is completed. How can you accomplish this with minimal effort?

CASE SCENARIOS
Scenario 7-1: Permission Soup
You are designing NTFS security for a system that will store public data and applications for users to share. Users will access all files locally from the system you are configuring. You have been presented with the following requirements:

- Create a place for all users to place public files. They should be able to add files and maintain their own files, but they should not be able to do more than read any other user's files.
- Set up a place for users from the HR department to place personnel policies. Only HR personnel should be able to modify these files, but all users should be able to read them.
- Provide a place for executable application files for users from the Accounting department. Only users from Accounting should be able to see these files.
- Create a folder for personnel reviews. Only managers should be able to access this folder, and each manager should be able to create and modify her own files only. Besides the manager who creates each file, only HR personnel should be able to read these files, and administrators should not have access to any of these files. In addition, provide a way for managers to know if an administrator has accessed any file in this folder.

Answer the following questions about this scenario:
1. What user groups should be defined to support this scenario?
2. What folders should you create to support this scenario?
3. Which NTFS standard permissions should you give to the Users group for the Public folder? How can you ensure that the creators of files can modify and delete them?
4. What permissions should the HR users have for the personnel policy files? Where should this permission be assigned?
5. How do you ensure that only Accounting has permission to access the accounting applications?
6. Detail the steps to take to secure the personnel review folders. How will you report on access to any of these files by administrators?

Scenario 7-2: Effective Permissions


You are newly employed by a small distillery. One of your first tasks is to straighten out permission issues that have left some users unable to access files containing mash recipes. The previous administrator attempted to restrict some users from accessing these recipes but ended up locking out the blending crew (group name Blenders). Answer the following questions about this scenario:
1. How can you determine what the blending crew's effective permissions are?
   a. Use the Effective Permissions tab of the Sharing Permissions dialog box for the Mash Recipes folder. Display effective permissions for the Blenders group.
   b. Use the Effective Permissions tab of the Advanced Security Settings dialog box for the Mash Recipes folder. Display effective permissions for the Blenders group.
   c. Use the CACLS command-line program with the /E:Blenders switch to display permissions for the Mash Recipes folder.
   d. Use the CACLS command-line program without any switches to view all permissions for the folder. Determine the Blenders group's permissions by combining the permissions for all groups they belong to.


2. Which of the following CACLS command lines can you use to grant the Blenders group access to read these files?
   a. CACLS Mash Recipes /G Blenders:R
   b. CACLS Mash Recipes /E /G Blenders:R
   c. CACLS Mash Recipes /D Blenders
   d. CACLS Mash Recipes /R Blenders

CHAPTER 8

CONFIGURING AND MANAGING SHARED FOLDER SECURITY


Upon completion of this chapter, you will be able to:
- Create and remove shared folders
- Control access to shared folders by using permissions
- Analyze and troubleshoot combined share and NTFS permissions
- Manage and troubleshoot offline files
- Manage and troubleshoot Web server resources

In Chapter 7, you learned about NTFS permissions. NTFS permissions are more than sufficient to protect files and folders stored on a system. There are times, however, when it is necessary to deploy a system that will support users across a network. To enable us to use files over a network connection, we must share the folders that contain them. The process of sharing folders makes them available to networked client systems. In this chapter, you will learn how to share folders. You will explore share permissions and how they interact with NTFS permissions. We will discuss the setup and management of offline files. Finally, we will discuss Web sharing and how it differs in its application from standard shares.


UNDERSTANDING SHARED FOLDERS


You use shared folders to provide network users with access to file resources. When a folder is shared, users can connect to the folder over the network and access the files it contains. However, to access the files, users must have permissions to access the shared folders (Figure 8-1).
[Figure 8-1 shows a Server Computer holding a Data Folder and a Client Computer joined to it by a Network Connection. A: User A accesses the folder locally (access is controlled by NTFS permissions). B: User B accesses the folder over the network (access is controlled by Share and NTFS permissions).]

Figure 8-1 Accessing folders locally and remotely

Shared Folder Permissions


A shared folder can contain application data, user documents, and even software. To control how users gain access to a shared folder, you assign shared folder permissions. Each type of data requires different shared folder permissions. The following list explains what each of the shared folder permissions allows a user to do:

- Read: Display folder names, file names, file data, and attributes; run program files; and change folders within the shared folder.
- Change: Create folders, add files to folders, change data in files, append data to files, change file attributes, delete folders and files; also allows the user to perform actions permitted by the Read permission.
- Full Control: Change file permissions, take ownership of files, and perform all tasks permitted by the Change permission.

As with NTFS permissions, you can allow or deny shared folder permissions. Generally, it is best to allow permissions and to assign permissions to a group rather than to individual users. Deny permissions only when it is necessary to override permissions that are otherwise applied, for example, when it is necessary to deny permission to a specific user who belongs to a group to which you have given the permission. If you deny a shared folder permission to a user, the user won't have that permission when accessing the folder across the network. For example, to deny all access to a shared folder, deny the Full Control permission.
NOTE

A user with no share permissions assigned, either as an individual or as a member of a security group, will not have access to the shared folder.

The following are characteristics of shared folder permissions:

- Shared folder permissions apply to folders, not individual files. Because you can apply shared folder permissions only to the entire shared folder and not to individual files or subfolders in the shared folder, they provide less detailed security than NTFS permissions.
- Shared folder permissions don't restrict access to users who gain access to the folder at the computer where the folder is stored. They apply only to users who connect to the folder over the network.
- Shared folder permissions are the only way to secure network resources on a FAT volume. NTFS permissions aren't available on FAT volumes.
- The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.
NOTE

The Everyone: Read permission allows all users accessing a system to read documents in a folder. This includes those who have not been specifically authenticated as a user on the system. You should always remove this permission from shares and use Authenticated Users instead (or even more specific user groups). We will discuss the reasons for this in more detail in Chapter 13.

Guidelines for Shared Folder Permissions


The following list provides some general guidelines for managing your shared folders and assigning shared folder permissions:

- Determine which groups need access to each resource and the level of access that they require. Document the groups and their permissions for each resource.
- Assign permissions to groups instead of user accounts to simplify access administration.
- Assign to a resource the most restrictive permissions that still allow users to perform required tasks. For example, if users only need to read information in a folder and they will never delete or create files, assign the Read permission.
- Organize resources so that folders with the same security requirements are located within a folder. For example, if users require Read permission for several application folders, store those folders within the same folder. Then share this folder instead of providing each individual application folder with its own share.
- Use intuitive share names so users can easily recognize and locate resources. For example, for the Application folder, use Apps for the share name. You should also use share names that all client operating systems can use. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.
- Do not deny access to the Everyone group. Instead, completely remove the Everyone group from the permissions. Denying access to Everyone denies access even to administrators.

How Shared Folder Permissions Are Applied


Applying shared folder permissions to user accounts and groups affects access to a shared folder over the network. Denied permissions take precedence over allowed permissions. The following list describes the effects of applying permissions:

- Multiple permissions: A user can be a member of multiple groups, each with different permissions that provide different levels of access to a shared folder. When you assign permission to a user for a shared folder and that user is a member of a group to which you assigned a different permission, the user's effective permissions are a combination of the user and group permissions. For example, if a user has Read permission and is a member of a group with Change permission, the user's effective permission is Change (which includes Read).
- Deny permissions: Denied permissions take precedence over any permissions that you otherwise allow for user accounts and groups. If you deny a shared folder permission to a user, the user won't have that permission, even if you allow the permission for a group the user belongs to.
- NTFS permissions: Shared folder permissions are sufficient to gain access across the network to files and folders on a FAT volume but not on an NTFS volume. On a FAT volume, users can gain access to a shared folder for which they have permissions, as well as all of that folder's contents. When users gain access to a shared folder on an NTFS volume, they need the shared folder permission and also the appropriate NTFS permissions for each file and folder to which they gain access. A user's effective permission for a shared folder on an NTFS volume is the more restrictive of the shared and NTFS permissions.
- Moving, renaming, copying, or deleting a shared folder: When you copy a shared folder, the original folder is still shared but the copy is not. When you rename or move a shared folder, it is no longer shared. When a folder is deleted, the folder share is deleted as well.
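The rules just listed (Allow entries combine, Deny overrides Allow, share and NTFS permissions intersect over the network while only NTFS applies locally) and the earlier note that Everyone also covers unauthenticated connections, modelled in Python as an added example that is not part of the textbook. The groups, ACLs, the pseudo-user ANONYMOUS and the mapping of NTFS standard permissions onto the share scale are constructed for the example.

```python
"""Model of how share and NTFS permissions combine (added example).

Rules as the chapter states them: Allow permissions are the union of those
granted to the user and to every group the user is in; Deny overrides Allow;
share permissions apply only over the network; on NTFS the effective network
permission is the more restrictive of share and NTFS. All data is constructed.
"""
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Cumulative right sets: Change includes Read, Full Control includes Change.
SHARE_RIGHTS = {
    "Read": frozenset({"read"}),
    "Change": frozenset({"read", "write"}),
    "Full Control": frozenset({"read", "write", "full"}),
}
# NTFS standard permissions on the same scale (this example's simplification).
NTFS_RIGHTS = {
    "Read": SHARE_RIGHTS["Read"],
    "Read & Execute": SHARE_RIGHTS["Read"],
    "List Folder Contents": SHARE_RIGHTS["Read"],
    "Modify": SHARE_RIGHTS["Change"],
    "Full Control": SHARE_RIGHTS["Full Control"],
}
LEVELS = ("Full Control", "Change", "Read")  # most to least powerful
Ace = Tuple[str, str, str]  # (principal, "Allow" or "Deny", permission)


def principals_for(user: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The user plus every group containing the user."""
    # Everyone is implicit for every connection, including unauthenticated
    # ones (constructed pseudo-user "ANONYMOUS"); Authenticated Users only
    # for named users.
    names = {user, "Everyone"}
    if user != "ANONYMOUS":
        names.add("Authenticated Users")
    names.update(g for g, members in groups.items() if user in members)
    return names


def rights_from_acl(acl: List[Ace], principals: Set[str],
                    table: Dict[str, FrozenSet[str]]) -> FrozenSet[str]:
    """Union the matching Allow entries, then remove every matching Deny."""
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for principal, kind, permission in acl:
        if principal not in principals:
            continue
        if kind == "Allow":
            allowed |= table[permission]
        elif kind == "Deny":
            denied |= table[permission]
        else:
            raise ValueError(f"unknown ACE type {kind!r}")
    return frozenset(allowed - denied)


def level_name(rights: FrozenSet[str]) -> str:
    """Highest named level whose rights are all present, else No Access."""
    for level in LEVELS:
        if SHARE_RIGHTS[level] <= rights:
            return level
    return "No Access"


def effective_network_permission(user: str, groups: Dict[str, Set[str]],
                                 share_acl: List[Ace],
                                 ntfs_acl: Optional[List[Ace]] = None) -> str:
    """Permission when reaching the folder through the share over the network.

    ``ntfs_acl`` is None for a FAT volume, where only share permissions apply.
    """
    principals = principals_for(user, groups)
    share_rights = rights_from_acl(share_acl, principals, SHARE_RIGHTS)
    if ntfs_acl is None:
        return level_name(share_rights)
    ntfs_rights = rights_from_acl(ntfs_acl, principals, NTFS_RIGHTS)
    return level_name(share_rights & ntfs_rights)  # more restrictive wins


def effective_local_permission(user: str, groups: Dict[str, Set[str]],
                               ntfs_acl: List[Ace]) -> str:
    """Permission at the computer itself: share permissions are not consulted."""
    principals = principals_for(user, groups)
    return level_name(rights_from_acl(ntfs_acl, principals, NTFS_RIGHTS))


# Constructed sample modelled on Figure 8-2: a Data share with an Accountants
# subfolder; the default Everyone: Read has already been removed from the share.
GROUPS = {"Accountants": {"alice", "bob"}, "Administrators": {"carol"},
          "Users": {"alice", "bob", "carol", "dave"}}
DATA_SHARE_ACL: List[Ace] = [("Users", "Allow", "Change"),
                             ("Administrators", "Allow", "Full Control")]
ACCOUNTANTS_NTFS_ACL: List[Ace] = [("Accountants", "Allow", "Modify"),
                                   ("Administrators", "Allow", "Full Control"),
                                   ("bob", "Deny", "Full Control")]
DEFAULT_SHARE_ACL: List[Ace] = [("Everyone", "Allow", "Read")]  # XP default

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, effective_network_permission(user, GROUPS, DATA_SHARE_ACL, ACCOUNTANTS_NTFS_ACL),
              effective_local_permission(user, GROUPS, ACCOUNTANTS_NTFS_ACL))
    print("ANONYMOUS via default share on FAT:",
          effective_network_permission("ANONYMOUS", GROUPS, DEFAULT_SHARE_ACL))
```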

PLANNING SHARED FOLDERS


When you plan shared folders, you can reduce administrative overhead and ease user access by putting resources into folders according to common access requirements. Determine which resources you want shared, organize resources according to function and use, and decide how you will administer the resources. Shared folders can contain applications and data. By consolidating data and applications into shared folders according to function, you gain the following benefits:

- Ease of use: By centralizing files in just a few shared folders, you make them easier for users to find.
- Simpler configuration: When files are consolidated into common folders, it is easier to apply permissions.
- Centralized administration: If data folders are centralized, you can back them up more easily and you can upgrade application software more easily.

Requirements for Sharing Folders


In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders. By default, in a Windows Server domain, members of the Domain Admins and Server Operators groups can share folders on any machine in the domain.
NOTE

If the folder to be shared resides on an NTFS volume, users must also have at least the Read permission for that folder to be able to share it.


Shared Application Folders


Shared application folders are used for applications that are installed on a network server and that can be used from client computers. The main advantage of sharing applications is that you don't need to install and maintain most components of the applications on each computer. Although program files for applications can be stored on a server, configuration information for most network applications is often stored on each client computer. The exact way in which you share application folders will vary depending on the application and your particular network environment and company organization. When you share application folders, consider the following points:

- Create one shared folder for applications, and organize all of your applications under this folder. This designates one location for installing and upgrading software.
- Assign the Administrators group Full Control permission for the applications folder so members of this group can manage the application software and control user permissions.
- Assign Change permission to groups that are responsible for upgrading and troubleshooting applications.
NOTE

If you are in an environment where viruses are a possibility, you might want to assign administrators and others who maintain the applications the Read permission. This will prevent a virus from attacking your application files. Permission can be raised temporarily during maintenance (usually by taking ownership) and lowered again afterward. For more information on taking ownership of files, see Chapter 7.

- Remove any permissions for the Everyone group, and assign Read permission to the Users group.
- Create a separate shared folder outside your application folder hierarchy for any application for which you need to assign different permissions. Then assign the appropriate permissions to that folder.
NOTE

If you support an application that must write to a data file on the application share, it might be necessary to grant Change permission to allow this operation to take place. If this is the case, consider separating this application from those that will operate effectively with the Read permission.


Shared Data Folders


Users on a network use data folders to exchange public and working data. Working data folders are used by members of a team who need access to shared files. Public data folders are used by larger groups of users who all need access to common data.
NOTE

Create and share common data folders on a separate volume from the operating system and applications. Data files should be backed up frequently, and keeping data folders on a separate volume makes this convenient. With this system administration scheme, if the operating system requires reinstallation, the volume containing the data folder remains intact.

Public data: When you share a common public data folder, do the following:

- Use centralized data folders so data can be backed up easily.
- Assign Change permission to the Users group for the common data folder (Figure 8-2). This provides users with a central, publicly accessible location for storing data files that they want to share with other users. Users can access the folder and can read, create, or change files in it.

[Figure 8-2 shows two shared folder trees. Public data: the Public folder, shared to Users with C (Change). Working data: the Data folder, shared to Administrators with FC (Full Control), containing an Accountants subfolder shared to Accountants with FC. Labels: Back up centralized data folders consistently. Share lower-level folders.]

Figure 8-2 Public data and working data shared folders

Working data: When you share a working data folder, do the following:

- Assign Full Control permission to the Administrators group for a central data folder so administrators can perform maintenance.
- Share lower-level data folders below the central folder by assigning Change permission to the appropriate groups when you need to restrict access to those folders.

Figure 8-2 above shows an example of these practices. To protect data in the Accountants folder, which is a subfolder of the Data folder, share the Accountants folder and assign the Change permission to the Accountants group so that only members of that group can access the Accountants folder.
CAUTION

Users accessing the folder tree via the upper-level shared folder receive different permissions to the lower-level shared folder because they access it through the upper-level share point. In the example above, administrators have Full Control access to the Accountants folder because they access it through the Data share point. Keep this in mind whenever you need to restrict access to a down-level folder. It might be necessary to separate the folders into two different trees.

Administrative Shared Folders


Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who view shared resources in My Network Places. The root of each lettered volume, the system root folder, the connection point for interprocess communication (IPC), and the location of the printer drivers are hidden shared folders that you can directly access across the network (if you have sufficient permission). The following list describes the purpose of the administrative shared folders that Windows XP Professional provides automatically:

- C$, D$, E$, etc.: The root of each volume on a hard disk is automatically shared, and the share name is the drive letter with a dollar sign ($). When you connect to this folder, you have access to the entire volume. You use the administrative shares to remotely connect to the computer to perform administrative tasks. Windows XP Professional assigns Full Control permission for this share to the Administrators group. Access to other file system objects through this share depends on the NTFS permissions assigned on those objects.
NOTE

Removable media are not automatically given an administrative share. To share the contents of a CD-ROM drive, you must create a manual share.

- Admin$: The system root folder, which is C:\Windows by default, is shared as Admin$. Administrators can access this shared folder to administer Windows XP Professional without knowing which folder on the hard disk Windows XP Professional is installed in. Only members of the Administrators group have access to this share. Windows XP Professional assigns Full Control permission for this share to the Administrators group.

- IPC$: This hidden share is used to manage connections for IPC, which lets processes running on two different systems create communication channels with each other to pass data and control messages.
- Print$: When you install the first shared printer, the %systemroot%\System32\Spool\Drivers folder is shared as Print$. This folder provides access to printer driver files for clients. Only members of the Administrators and Power Users groups have Full Control permission for this share. The Everyone group has Read permission for this share.
NOTE

Hidden shared folders aren't limited to those that the system creates automatically. You can share additional folders and add a dollar sign to the end of the share name. Only users who know the folder name and have the proper permissions can access it.

SHARING A FOLDER
When you share a folder, you can give it a share name, provide comments to describe the folder and its content, control the number of users who have access to the folder, assign permissions, and share the same folder multiple times. There are three ways to share folders in Windows XP: the Computer Management console, Windows Explorer, and the NET SHARE command.
IMPORTANT

If you have enabled Windows Firewall on your system, the act of sharing a folder opens the Windows network basic input/output system (NetBIOS) file-sharing ports on your machine to the local network. If you are using an Internet connection, this might expose your system to potential Internet attacks. Be sure that you are protected by an additional layer such as a firewall or router between your local network and the Internet before you share folders.

Sharing Folders in Computer Management


You can work with shared folders using the Shared Folders console in Computer Management or by adding the Shared Folders snap-in to a blank Microsoft Management Console session. Either method allows the creation, management, and removal of shared folders. We will discuss management in a later section; this section discusses the creation of a shared folder.


To share a folder in Computer Management:
1. Log on with a user account that is a member of a group that can share folders.
2. Open the Computer Management console by right-clicking My Computer and selecting Manage.
3. Locate the Shared Folders item in the Computer Management console (Figure 8-3). Expand it by clicking the small plus sign next to it.


Figure 8-3 Computer Management administering shared folders

4. View any existing shares (by clicking the Shares item) to ensure that the share you are creating is unique.
5. Begin the process of adding a new share by right-clicking the Shares item and selecting New File Share.
6. Complete the first page of the Create Shared Folder Wizard by selecting a folder to share and providing a share name and description (Figure 8-4).


Figure 8-4 The Shared Folder Wizard configuring a shared folder

7. Complete the Create Shared Folder Wizard by assigning permissions to the new share and clicking Finish (Figure 8-5).


Figure 8-5 Setting permissions in the Shared Folder Wizard

8. You will be presented with a success dialog box (Figure 8-6). If you do not want to share any more folders, click No to close it.


Figure 8-6 Completing the Shared Folder Wizard

NOTE

The same method of creating a shared folder also applies if you are using a Shared Folder snap-in you have added to a blank Microsoft Management Console (MMC) session. We will discuss customizing the MMC with snap-ins in Chapter 9.

To stop sharing a folder in Computer Management: 1. Right-click the folder, and select Stop Sharing (Figure 8-7).


Figure 8-7 Removing a shared folder

2. Confirm the selection. The folder will no longer be shared.


CAUTION

Be sure no users have files open on the shared folder before you remove it. Stopping a share with open files might lead to data corruption. See "Disconnecting Users from Open Files" later in this chapter for more information.

Sharing Folders in Windows Explorer


Using Windows Explorer is perhaps the simplest way to share folders. Sharing is managed in the Properties dialog box for the folder, right alongside the Security settings for NTFS.

To share a folder in Windows Explorer:
1. Log on with a user account that is a member of a group that is able to share folders.
2. Right-click the folder that you want to share, and then choose Sharing And Security to open the folder's Properties dialog box.
3. On the Sharing tab, click Share This Folder and configure the options shown in Figure 8-8. These are the options:


Figure 8-8 The Sharing tab of a folders Properties dialog box

- Share Name: The name that users from remote locations use to connect to the shared folder. You must enter a share name. By default, this is the same name as the folder. You can type a different name up to 80 characters long.
NOTE

Be sure to use share names that all client operating systems can read. Microsoft operating systems prior to Windows 2000 might shorten the shared folder name to 12 or fewer characters.

- Comment: An optional description for the share name. The comment appears in addition to the share name when users at client computers browse the server for shared folders. This comment can be used to identify the contents of the shared folder.

- User Limit: The number of users who can concurrently connect to the shared folder. If you click Maximum Allowed as the user limit, Windows XP Professional supports up to 10 connections.
- Permissions: The shared folder permissions that apply only when the folder is accessed over the network. On an NTFS volume, these permissions interact with the NTFS permissions for the data being accessed to determine the final level of access. By default, the Everyone group is assigned Read permission for all new shared folders.
NOTE

For security purposes, it is best to remove the Everyone group and replace it with the Users group or Authenticated Users group.

- Caching: The settings to configure offline access to this shared folder. See "Using Offline Folders and Files" later in this chapter for more information.

To stop sharing a folder in Windows Explorer:
1. On the Sharing tab of the folder's Properties dialog box (Figure 8-9), select the Do Not Share This Folder option.
2. Click Apply.


Figure 8-9 Stopping the sharing of a folder in Windows Explorer

Using the NET Command to Share Folders


In addition to the graphical methods of sharing folders, you can share folders from the command line by using the NET command. This method is great if you need to create or remove many shared folders at once or you need to script the creation of shares into a batch file to automate system installation and configuration tasks. When used without options, NET SHARE lists information about all resources being shared on the computer. The syntax of the NET command allows you to perform any shared folder management task you would perform with either the Computer Management console or Windows Explorer. The syntax for NET SHARE includes the NET SHARE command pair followed by options from the following list. (Note the three syntax options used to create a share, change a share, and delete a share.)

To create a shared folder:
NET SHARE sharename=drive:path [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents | Programs | None]

To change a shared folder:


NET SHARE sharename [/USERS:number | /UNLIMITED] [/REMARK:"text"] [/CACHE:Manual | Documents | Programs | None]

To remove a shared folder or printer:


NET SHARE {sharename | devicename | drive:path} /DELETE

Here are the switches for the NET SHARE command:

- sharename: The network name of the shared resource. You can also type NET SHARE with a share name to display information about only that share.
- drive:path: Specifies the absolute path of the directory to be shared. An example is C:\Deploy.
- /USERS:number: Sets the maximum number of users who can simultaneously access the shared resource. For Windows XP, this limit never exceeds 10 users due to restrictions on Microsoft client operating systems.
- /UNLIMITED: Specifies that an unlimited number of users can simultaneously access the shared resource. For Windows XP, this limit never exceeds 10 users due to restrictions on Microsoft client operating systems.
- /REMARK:text: Adds a descriptive comment about the resource. Enclose the text in quotation marks.
- devicename: Specifies the device that is being shared (usually a printer port).
- /DELETE: Stops sharing the resource.


- /CACHE: Controls how caching for offline files is managed for this folder. The following options are available for this argument:

  /CACHE:Manual  Enables manual client caching of programs and documents from this share.
  /CACHE:Documents  Enables automatic caching of documents from this share.
  /CACHE:Programs  Enables automatic caching of documents and programs from this share.
  /CACHE:None  Disables caching from this share.

NOTE

The /CACHE settings refer to offline files and folders. We will discuss these settings in more detail in the "Using Offline Folders and Files" section later in this chapter.

To share a folder using the NET SHARE command:
1. Log on with a user account that is a member of a group that can share folders.
2. Open a command prompt session by clicking Start | Run, typing cmd.exe in the Run dialog box, and clicking OK (Figure 8-10). The Windows XP command-line console opens (Figure 8-11).


Figure 8-10 Opening the command-prompt session

3. Execute the NET.EXE command with the SHARE argument (Figure 8-11). To share the C:\Deploy folder with default settings:
NET SHARE Deploy=C:\deploy


Figure 8-11 Sharing a folder at the command line


To stop sharing a folder using the NET command, issue the NET SHARE command with the /DELETE switch:

NET SHARE Deploy /DELETE
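As an added example (not from the textbook) tying the NET SHARE listing to the administrative shares described earlier: the code below parses a listing of the kind NET SHARE prints with no options and sorts the shares into the system-created administrative shares (drive roots such as C$, Admin$, IPC$, Print$), other hidden shares that an administrator added, and visible shares, flagging names longer than the 12 characters that pre-Windows 2000 clients may truncate. SAMPLE_LISTING is constructed text shaped like NET SHARE output, not a capture from a real system, and the parser is written in Python rather than as a batch file so it can be checked offline.

```python
"""Inventory check over a NET SHARE listing (added example, not the book's).

NET SHARE with no options lists every shared resource. This parses such a
listing, separates the administrative shares the chapter describes (drive
roots such as C$, Admin$, IPC$, Print$) from other hidden shares (any other
name ending in $) and from visible shares, and flags names longer than the
12 characters that pre-Windows 2000 clients may truncate. SAMPLE_LISTING is
constructed text in the shape of NET SHARE output, not a real capture.
"""
import re
from typing import Dict, List

SAMPLE_LISTING = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\\WINDOWS                      Remote Admin
C$           C:\\                             Default share
D$           D:\\                             Default share
IPC$                                         Remote IPC
print$       C:\\WINDOWS\\system32\\spool\\drivers
                                             Printer Drivers
Deploy       C:\\deploy                       Deployment images
Accountants$ D:\\Data\\Accountants            Working data
ApplicationsShare C:\\Apps                    Shared applications
The command completed successfully.
"""

ADMIN_NAMES = {"admin$", "ipc$", "print$"}
DRIVE_ROOT_NAME = re.compile(r"^[A-Za-z]\$$")
DRIVE_ROOT_PATH = re.compile(r"^[A-Za-z]:\\$")
# A resource is a local path, a UNC path, or a device such as LPT1: for a printer.
RESOURCE_START = re.compile(r"^(?:[A-Za-z]:\\|\\\\|LPT\d:|COM\d:)", re.IGNORECASE)
MAX_LEGACY_NAME = 12  # pre-Windows 2000 clients may shorten longer share names


def parse_net_share(listing: str) -> List[Dict[str, str]]:
    """Return one {"name", "resource", "remark"} dict per share in the listing."""
    shares: List[Dict[str, str]] = []
    in_table = False
    for line in listing.splitlines():
        if not in_table:                      # skip the column header
            in_table = line.startswith("---")
            continue
        if not line.strip() or line.startswith("The command"):
            continue
        if line[0].isspace():                 # remark wrapped onto its own line
            if shares:
                shares[-1]["remark"] = (shares[-1]["remark"] + " " + line.strip()).strip()
            continue
        name, _, rest = line.partition(" ")
        rest = rest.strip()
        resource, remark = "", rest           # e.g. IPC$ has no resource column
        if RESOURCE_START.match(rest):
            parts = re.split(r"\s{2,}", rest, maxsplit=1)
            resource, remark = parts[0], (parts[1] if len(parts) > 1 else "")
        shares.append({"name": name, "resource": resource, "remark": remark})
    return shares


def classify(share: Dict[str, str]) -> str:
    """administrative (system-created), hidden (admin-added $ share) or visible."""
    name = share["name"]
    if name.lower() in ADMIN_NAMES:
        return "administrative"
    if DRIVE_ROOT_NAME.match(name) and DRIVE_ROOT_PATH.match(share["resource"]):
        return "administrative"
    if name.endswith("$"):                    # includes a drive-letter name not at a root
        return "hidden"
    return "visible"


def inventory(listing: str) -> Dict[str, List[str]]:
    """Group share names by class and list those too long for legacy clients."""
    report: Dict[str, List[str]] = {"administrative": [], "hidden": [],
                                    "visible": [], "long_names": []}
    for share in parse_net_share(listing):
        report[classify(share)].append(share["name"])
        if len(share["name"]) > MAX_LEGACY_NAME:
            report["long_names"].append(share["name"])
    return report


if __name__ == "__main__":
    for kind, names in inventory(SAMPLE_LISTING).items():
        print(f"{kind:15} {', '.join(names) or '-'}")
```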

Sharing a Folder on a Remote Computer


You can direct Computer Management to configure a remote computer by right-clicking Computer Management (Local) and selecting Connect To Another Computer (Figure 8-12). Once connected, you can configure shared folders on the remote computer as if the computer were local.

Figure 8-12 Connecting to a remote computer



NOTE To manage shared folders on a remote system, you must have an account with rights to manage shares on that system.

MANAGING SHARED FOLDERS


Although you can configure shared folder permissions using both the Computer Management console and the NET SHARE command, we will concentrate for the rest of this chapter on configuring shared folders in Windows Explorer. The tasks you might carry out when managing shared folders include assigning folder permissions, creating additional, differently named shares on the same folder, and changing the name of the shared folder.

Assigning Shared Folder Permissions


When you assign the permissions for a shared folder, make sure you have considered the permissions required for each group of users. If you have not already done so, read the Planning Shared Folders section earlier in this chapter.

To assign shared folder permissions in Windows Explorer:
1. On the Sharing tab of the Properties dialog box for the shared folder, click Permissions.
2. In the Permissions dialog box, ensure that the Everyone group is selected and then click Remove. This clears the permissions that apply to all users to make way for more specific permissions.
3. In the Permissions dialog box, click Add.
4. In the Select Users Or Groups dialog box (Figure 8-13), browse for or type the name of the users or groups to which you want to assign permissions.
NOTE

If you want to enter more than one user account or group at a time, separate the names with a semicolon. If you want to ensure that the names are correct, click Check Names.


Figure 8-13 The Select Users Or Groups dialog box

5. Click OK.
6. In the Permissions dialog box for the shared folder, click the user account or group and then, under Permissions, select the Allow check box or the Deny check box as needed for the user account or group (Figure 8-14).
7. Click Apply or OK to complete the permissions assignment.
IMPORTANT

Be sure to remove the default Everyone permissions to ensure that the permissions you have configured are not overridden by any more lenient permissions.



Figure 8-14 Assigning permissions to users

Creating Multiple Share Names


You might want to set different permissions on a shared folder for different groups of users. You can create multiple share names for the same folder and assign each a different set of permissions. To share a folder with multiple share names, click New Share in the folder's Properties dialog box. In the New Share dialog box (Figure 8-15) you can assign a new share name, limit the number of connections to the share, and click Permissions to set the permissions for the shared folder.

Figure 8-15 The New Share dialog box



Modifying Shared Folders


To change the name of a shared folder, you must stop sharing it and then share it again with the original permissions. Before you do this, be sure to document the permissions.


CAUTION

If you stop sharing a folder while a user has a file open, the user might lose data. If you click Do Not Share This Folder and a user has a connection to the shared folder, Windows XP Professional displays a dialog box notifying you of that fact. You should notify users and ask them to close any open files. You can then use Shared Folders in Computer Management to verify that the files have been closed before you proceed. For more on monitoring shared folders, see the section titled Monitoring Access to Shared Folders later in this chapter.

CONNECTING TO SHARED FOLDERS


Once you have configured your shared folders, you can configure client computers to connect to them. You can access a shared folder from a client computer by using My Network Places, mapping a drive in My Computer, typing a path in the Run dialog box, or mapping a drive with the NET USE command. Browsing My Network Places might be a simple way of locating files, but it takes time. If you map a drive letter to a folder, it cuts the time it takes to access files in the future. To map a drive, you must know the Universal Naming Convention (UNC) path to the folder. This is an address formatted as \\Server\share. An example using the folder from previous demonstrations would be \\BEHEMOTH\Deploy (where BEHEMOTH is the server's name).

To connect to a shared folder using My Network Places:
1. Open Windows Explorer by choosing Start | All Programs | Accessories | Windows Explorer.
2. Find My Network Places in the tree view on the left side of the screen.
3. Expand My Network Places, and browse for the computer that is sharing folders on your network. If you are on a large network, you might have to expand Entire Network and browse for the appropriate workgroup or domain.
4. When you locate the share to which you want to connect, expand it by clicking its plus sign. You can navigate the share and its files to select the resources you want to use (Figure 8-16).


Figure 8-16 Navigating My Network Places


To map a drive using My Computer:
1. Click Start | My Computer.
2. On the Tools menu, choose Map Network Drive. Windows XP Professional displays the Map Network Drive dialog box (Figure 8-17), which allows you to assign a drive letter to the connection. By default, the drive letter displayed is Z or the last letter of the alphabet that is currently unassigned.


Figure 8-17 The Map Network Drive dialog box

3. In the Folder text box, type \\server\sharename or click Browse to browse for a share. By default, Reconnect At Logon is selected.
4. Clear the Reconnect At Logon check box unless you want to have Windows XP Professional create a connection to this share each time you log on to your computer.
NOTE

If you are connecting to a folder to which your logged-on user does not have the appropriate permission, you can choose the Connect Using A Different User Name option to select another username and password to use for the connection.

5. Click Finish to establish the connection. The newly mapped drive opens in a new My Computer window.
NOTE

You will find Map Network Drive in other places as well. It is available as a right-click menu option in My Computer on the Start menu and Windows Explorer, and you can find it by right-clicking My Network Places.


To map a drive using the NET USE command: 1. Open a command prompt session by clicking Start | Run, entering cmd.exe in the Run dialog box, and clicking OK. The Windows XP command-line console opens (Figure 8-18).


Figure 8-18 Mapping a drive with Net Use

2. Execute the NET.EXE command with the USE argument. To map a drive to the \\BEHEMOTH\Deploy folder:
NET USE Y: \\BEHEMOTH\deploy

To connect to a shared folder using the Run dialog box:
1. Click Start | Run, and then type \\computer_name in the Open text box. Windows XP Professional displays shared folders for the computer.
2. Double-click the shared folder to which you want to connect.
NOTE

You can also type the full UNC path to the folder you want to use.

COMBINING SHARED FOLDER PERMISSIONS AND NTFS PERMISSIONS


You share folders to provide network users with access to resources. If you are using a FAT volume, which has no security of its own, the shared folder permissions are the only resource available to provide security for the folders you have shared and the folders and files they contain. If you are using an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in each shared folder. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission. One strategy for providing access to resources on an NTFS volume is to share folders by giving the Authenticated Users group Full Control and then controlling access by assigning NTFS permissions.


NOTE

Always avoid sharing a folder to the Everyone group. Authenticated Users is an acceptable alternative and ensures that users are known and authenticated.

Shared folder permissions provide limited security for resources. You gain the greatest flexibility by using NTFS permissions to control access to shared folders. Also, NTFS permissions apply whether the resource is accessed locally or over the network. When you use shared folder permissions on an NTFS volume, the following rules apply:

You can apply NTFS permissions to files and subfolders in the shared folder. You can even apply different NTFS permissions to each file and each subfolder in a shared folder.
In addition to shared folder permissions, users must have NTFS permissions to the files and subfolders in shared folders to access those files and subfolders. This is in contrast to FAT volumes, in which permissions for a shared folder are the only permissions protecting files and subfolders in the shared folder.
When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

In Figure 8-19, the Users group has the shared folder Full Control permission for the Public folder and the NTFS Read permission for FileA. Because the effective combined permission is the more restrictive of the two, the Users group's effective permission for FileA is the more restrictive Read permission. The effective permission for FileB is Full Control because both the shared folder permission and the NTFS permission allow this level of access.

[Figure 8-19 diagram: NTFS volume. The Public folder is shared with Users: Full Control (FC). File A carries the NTFS permission Users: Read (R); File B carries the NTFS permission Users: Full Control (FC). Apply NTFS permissions to files and subfolders. The most restrictive permission is the effective permission.]

Figure 8-19 Combining shared folder permissions and NTFS permissions
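The rule illustrated by Figure 8-19 can be worked through in code. The following is an added example, not code from the book or from Windows; its ACL model (the three share levels, a simplified NTFS ladder, cumulative Allows with Deny capping the result) is an assumption made for illustration, and the data reproduces the figure plus the FAT and local-access cases the text describes.

```python
"""Effective-access calculator for the rule this chapter states: when share
permissions and NTFS permissions are combined, the more restrictive one wins.

Added example, not code from the book. The ACL model below is an assumption
made for illustration; it is not how Windows stores or evaluates ACLs.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Access ladder, least to most. Share permissions use exactly these names;
# NTFS permissions are folded onto the same ladder below.
LEVELS = ["None", "Read", "Change", "Full Control"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Simplified mapping of NTFS standard permissions onto the ladder (assumption).
NTFS_TO_LEVEL = {
    "Read": "Read",
    "Read & Execute": "Read",
    "Modify": "Change",
    "Full Control": "Full Control",
}


@dataclass
class ACL:
    """Allow and Deny entries keyed by principal (user or group name)."""
    allow: Dict[str, str] = field(default_factory=dict)
    deny: Dict[str, str] = field(default_factory=dict)


def _normalize(level: str) -> str:
    """Translate an NTFS permission name to the ladder; share names pass through."""
    level = NTFS_TO_LEVEL.get(level, level)
    if level not in RANK:
        raise ValueError(f"unknown permission level: {level!r}")
    return level


def resolve_acl(acl: ACL, principals: Iterable[str]) -> str:
    """Resolve one ACL for a user plus every group the user belongs to.

    Allow entries accumulate (the highest level granted to any principal
    applies). A Deny entry caps the result below the denied level, so
    Deny Read to Everyone yields None even if a group allows Full Control.
    """
    granted = 0
    cap = len(LEVELS) - 1
    for name in principals:
        if name in acl.allow:
            granted = max(granted, RANK[_normalize(acl.allow[name])])
        if name in acl.deny:
            cap = min(cap, RANK[_normalize(acl.deny[name])] - 1)
    return LEVELS[max(0, min(granted, cap))]


def effective_access(share: ACL, ntfs: Optional[ACL], principals: Iterable[str],
                     over_network: bool = True) -> str:
    """Effective access to a file reached through a shared folder.

    ntfs=None models a FAT volume, which has no NTFS permissions: the share
    permission is the only control, and local access is unrestricted.
    Share permissions apply only to network connections; NTFS permissions
    apply locally and over the network.
    """
    names = list(principals)  # the iterable is consumed twice below
    ntfs_level = "Full Control" if ntfs is None else resolve_acl(ntfs, names)
    if not over_network:
        return ntfs_level
    share_level = resolve_acl(share, names)
    # The more restrictive of the two is the overriding permission.
    return LEVELS[min(RANK[share_level], RANK[ntfs_level])]


# Constructed data reproducing Figure 8-19: the Users group has the share
# permission Full Control on Public, NTFS Read on FileA, NTFS Full Control on FileB.
PUBLIC_SHARE = ACL(allow={"Users": "Full Control"})
FILEA_NTFS = ACL(allow={"Users": "Read"})
FILEB_NTFS = ACL(allow={"Users": "Full Control"})
# A constructed user who is a member of Users and Everyone.
ALICE = ["alice", "Users", "Everyone"]
# The default share permission the chapter tells you to remove: Everyone Read.
DEFAULT_SHARE = ACL(allow={"Everyone": "Read"})

if __name__ == "__main__":
    for label, acl in (("FileA", FILEA_NTFS), ("FileB", FILEB_NTFS)):
        print(f"{label}: network={effective_access(PUBLIC_SHARE, acl, ALICE)}, "
              f"local={effective_access(PUBLIC_SHARE, acl, ALICE, over_network=False)}")
    # With the default share permission left in place, NTFS Full Control on
    # FileB no longer helps over the network: the share's Read caps it.
    print("FileB via default share:", effective_access(DEFAULT_SHARE, FILEB_NTFS, ALICE))
```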




MONITORING ACCESS TO SHARED FOLDERS


The Computer Management console in Windows XP Professional includes the Shared Folders snap-in, which allows you to easily monitor access to network resources and send administrative messages to users. You monitor access to shared folders to determine how many users currently have a connection to each folder. You can also monitor open files to determine which users are accessing the files, and you can disconnect users from one open file or from all open files.

Reasons for Monitoring Network Resources


It is important to understand why you should monitor the network resources in your computer environment. Some of the reasons it is important to assess and manage network resources include:

Maintenance You should determine which users are currently using a resource so you can notify them before making the resource temporarily or permanently unavailable.
Security You should monitor user access to resources that are confidential or need to be secure to verify that only authorized users are accessing them.
Planning You should determine which resources are being used and how much they are being used so you can plan for future system growth.

When you use the Shared Folders snap-in in the Computer Management console, you can monitor the resources on the local computer or on a remote computer.

Requirements for Monitoring Network Resources


Not all users can monitor access to network resources. The following list describes the group membership requirements for monitoring access to network resources using the Shared Folders snap-in:

By default, in a Windows Server domain, the Domain Admins and Server Operators groups can manage shared folders residing on any machines in the domain.
The Power Users group is a local group that can share only folders residing on the standalone server or folders on a computer running Windows XP Professional on which the group exists.
In a Windows workgroup, the Administrators and Power Users groups can share folders on the Windows Server standalone server or the computer running Windows XP Professional on which the group exists.


Monitoring Shared Folders


You use the Shares folder in the Shared Folders snap-in to view a list of all shared folders on the computer and to determine how many users have a connection to each folder. In Figure 8-20, the Shares folder has been selected in the Computer Management console tree, and all the shared folders on that computer are shown in the details pane.

Figure 8-20 Shares folder of the Shared Folders snap-in



The following list explains the information provided in the details pane shown in Figure 8-20.

Shared Folder The shared folders on the computer. This is the name that was given to the folder when it was shared.
Shared Path The path to the shared folder.
Type The type of network connection: Windows, Novell NetWare, or Apple Macintosh.
NOTE

Because Windows XP does not support clients from non-Windows operating systems, the Type field would always show Windows for the local system. If you were viewing a Windows Server 2003 system remotely with Computer Management, you might see other clients if the appropriate service to support them has been installed.

# Client Connections The number of clients who have made a remote connection to the shared folder.
Comment Descriptive text about the folder. This comment was provided when the folder was shared.


NOTE

Windows XP Professional does not update the list of shared folders, open files, and user sessions automatically. To update these lists, on the Action menu, click Refresh.

Determining how many users can access a shared folder concurrently You can use the Shared Folders snap-in to determine the maximum number of users who are permitted to access a folder. In the Shared Folders details pane, click the shared folder for which you want to determine the maximum number of concurrent users. On the Action menu, click Properties. In the Properties dialog box for the shared folder, the General tab shows the user limit. In Windows XP Professional, the maximum is 10, but you can set this to a lower value. You can also use the Shared Folders snap-in to determine if the maximum number of users permitted to access a folder has been reached.
NOTE

Connection limits might be one reason a user can't connect to a share. To check this, determine the number of connections to the share and the maximum connections allowed. If the maximum number of connections has already been made, the user cannot connect to the shared resource.

Monitoring open files Use the Open Files folder in the Shared Folders snap-in to view a list of open files that are located in shared folders and the users who have a current connection to each file (Figure 8-21). You can use this information when you need to contact users to notify them that you are shutting down the system. You can also determine which users have a current connection and should be contacted when another user is trying to access a file that is in use.

Figure 8-21 Open Files folder of the Shared Folders snap-in




The following list describes the information available in the Open Files folder:

Open File The names of the open files on the computer.
Accessed By The username of the user who has the file open.
Type The operating system running on the computer where the user is logged on.
# Locks The number of locks on the file. Programs can request that the operating system lock a file to gain exclusive access and prevent other programs from making changes to the file.
Open Mode The type of access that the user's application requested when it opened the file, such as Read or Write.

Disconnecting users from open files You can disconnect users from one open file or from all open files. You might want to do this, for example, when you make changes to the NTFS file system permissions for a file that is currently opened by a user. The new permissions will not affect the user until she closes and then attempts to reopen the file. You can force these changes to take place immediately by doing one of the following:

Disconnect all users from all open files In the Shared Folders snap-in console tree, click Open Files. On the Action menu, click Disconnect All Open Files.
Disconnect all users from one open file In the Shared Folders snap-in console tree, click Open Files. In the details pane, select the open file. On the Action menu, click Close Open File.
CAUTION

Disconnecting users from open files can result in data loss. It is always safer to notify the user to save and close the file normally rather than disconnecting the user.

USING OFFLINE FOLDERS AND FILES


When the network is unavailable or when you are on the road and your laptop is undocked, offline folders and files allow you to continue working on files that are stored on shared folders on the network. These network files are cached on your local disk so they are available even if the network is not. When the network becomes available or when you dock your laptop, your connection to the network is reestablished and the cached files and folders on your local disk are synchronized with those stored on the network.


Understanding Offline Files


To make shared folders available offline, copies of the files are stored in a reserved portion of disk space on your computer called a cache. Because the cache is on your hard disk, the computer can access it regardless of whether it is connected to the network. By default, the cache size is set to 10 percent of the available disk space. You can change the size of the cache on the Offline Files tab of the Folder Options dialog box. You can also see how much space the cache is using by opening the Offline Files folder and choosing Properties from the File menu. When you share a folder, you can allow others to make the shared folder available offline by clicking Caching in the folder's Properties dialog box. In the Caching Settings dialog box (Figure 8-22), use the Allow Caching Of Files In This Shared Folder check box to turn caching on or off.

Figure 8-22 The Caching Settings dialog box



The Caching Settings dialog box contains three caching options:

Manual Caching Of Documents Users must manually specify all files they want available when working offline. This option, the default, is recommended for a shared network folder containing files that are to be accessed and modified by several people. To ensure proper file sharing, the network version of the file is always opened.
Automatic Caching Of Documents This option makes every file that a user opens from your shared folder available to that person offline. Files that aren't opened are not available offline. Each time a file is opened, the older copy of the file is deleted. To ensure proper file sharing, the network version of the file is always opened.


Automatic Caching Of Programs And Documents This option provides offline access to shared folders containing files that are read, referenced, or run but that will not be changed in the process. This setting reduces network traffic because offline files are opened directly without accessing the network versions in any way, and generally they start and run faster than the network versions. This option is recommended for folders containing read-only data or applications that are run from the network.

Configuring Your Computer to Use Offline Folders and Files


Before you can use offline folders and files, you must enable offline file support on your system:
1. In My Computer, choose Folder Options from the Tools menu.
2. On the Offline Files tab of the Folder Options dialog box, select the Enable Offline Files check box and the Synchronize All Offline Files Before Logging Off check box (Figure 8-23).


Figure 8-23 The Offline Files tab of the Folder Options dialog box

IMPORTANT

Offline files are disabled if you have Fast User Switching enabled on your system. You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.

On the Offline Files tab, you can also click Delete Files to delete the locally cached copy of a network file. Click View Files to view the files stored in the Offline Files folder; these are the locally cached files that you have stored on your system. Click Advanced to configure how your computer responds when a network connection is lost. For example, when a network connection is lost, you can configure your computer to notify you and allow you to begin working offline.


Synchronizing files File synchronization is straightforward if the copy of the file on the network does not change while you are editing a cached version of the file. Your edits are simply incorporated into the copy on the network. However, another user might edit the network version of the file while you are working offline. If both your cached offline copy of the file and the network copy of the file are edited, you must decide what to do. You have a choice of retaining your edited version and not updating the network copy with your edits, of overwriting your cached version with the version on the network, or of keeping a copy of both versions of the file. In the last case, you must rename your version of the file, and both copies will exist on your hard disk and on the network.

Configuring the Synchronization Manager To configure the Synchronization Manager, in Windows Explorer choose Tools | Synchronize. Notice that you can manually synchronize your offline files with those on the network by clicking Synchronize. You can also configure the Synchronization Manager by clicking Setup. In configuring the Synchronization Manager, you have three sets of options. The first set of options is on the Logon/Logoff tab (Figure 8-24). You can configure synchronization to occur when you log on, when you log off, or both. You can also specify that you want to be prompted before synchronization occurs. You can specify the items to be synchronized at logon or logoff, or both, and you can specify the network connection.

Figure 8-24 The Logon/Logoff tab of the Synchronization Settings dialog box


The second set of options in configuring the Synchronization Manager is on the On Idle tab (Figure 8-25). These are similar to the options on the Logon/Logoff tab.

Figure 8-25 Configuring the settings on the On Idle tab in Synchronization Manager

The following items are configurable on the On Idle tab:

When I Am Using This Network Connection Allows you to specify the network connection and which items to synchronize
Synchronize The Following Checked Items Allows you to specify which items to synchronize
Synchronize The Selected Items While My Computer Is Idle Allows you to turn synchronization on or off during idle time

Click Advanced on the On Idle tab (Figure 8-26) to configure the following options:

Automatically Synchronize The Specified Items After My Computer Has Been Idle For X Minutes
While My Computer Remains Idle, Repeat Synchronization Every X Minutes
Prevent Synchronization When My Computer Is Running On Battery Power


Figure 8-26 Configuring advanced On Idle settings



The third set of options for scheduling synchronization is on the Scheduled tab (Figure 8-27), where you can add, edit, and remove scheduled synchronization tasks.

Figure 8-27 The Scheduled tab in Synchronization Manager



MANAGING INTERNET INFORMATION SERVICES


Windows XP includes Internet Information Services (IIS) to enable users to create Web servers for personal or small business intranet use. Enabling and using IIS to share files is slightly different than standard file sharing. File sharing allows clients to connect to and use files by using tools such as Windows Explorer and My Computer; IIS serves files to clients using Web browsers such as Microsoft Internet Explorer and Mozilla. IIS also includes a feature called Web Distributed Authoring and Versioning (WebDAV), which you might also see referred to as Web folders. Most Web serving of document files is read-only via HTML-based Web pages, but you can share Microsoft Office documents via IIS as well. In this section, we will discuss the installation and configuration of IIS for document serving.

Installing IIS
IIS is installed as a Windows component in Add/Remove Programs in Control Panel:
1. Click Start | Control Panel.
2. Click Add/Remove Programs to launch the Add/Remove Programs application.
3. Click Add/Remove Windows Components to launch the Windows Components Wizard.
4. Select Internet Information Services (IIS), and click the Details button.
5. Optional components of the IIS installation are displayed. Choose the default options.
6. Complete the rest of the Windows Components Wizard to complete the installation of IIS.
IMPORTANT

IIS is designed for Internet communications. Be aware that installing it on your system increases the system's attack surface, the portion of the system exposed to Internet probes and attacks. Make sure you have enabled the protections of Windows Firewall and Automatic Updates before activating IIS. We will discuss Internet security topics in more depth in Chapter 11. Also be careful to not install unnecessary services. IIS includes many components, such as FTP services and Internet e-mail (SMTP) services. To minimize your attack surface, do not install any of these services unless they are absolutely necessary.

Using IIS
After installing IIS, you can manage it via the IIS console (Figure 8-28). This console presents the major administrative functions in a single interface for ease of administration.


Figure 8-28 The IIS console



You can start the IIS console in the following ways:


Open IIS from Administrative Tools in Control Panel.
Type IIS.msc at a command prompt.
Select the Internet Information Services item in Computer Management.

You can use the IIS console to add virtual folders to the Web server, restart the IIS server services, manage Web server security settings, and manage server certificates for Secure Sockets Layer (SSL).
MORE INFO Extensive security and configuration of IIS is beyond the scope of this course, but you can find additional resources at the Microsoft Internet Information Services Web site at www.microsoft.com/iis. The IIS Web site is targeted toward IIS 6, but it contains many useful resources for the administration of IIS 5.1 (the version included with Windows XP).

Sharing Web Folders


You can make your documents available for Internet use by configuring Web folders. When you view the Properties dialog box for a folder after IIS is installed, you will note the addition of a Web Sharing tab (Figure 8-29). If you select the Share This Folder option, you will see the Edit Alias dialog box (Figure 8-30). Use this dialog box to choose the permissions this folder will have for Web users.


Figure 8-29 The Web Sharing tab of a folder's Properties dialog box

Figure 8-30 The Edit Alias dialog box



Access permissions By configuring access permissions, you can enable users to read, write, and edit scripts contained in the published folder. The available options are:

Read Allows users to read documents in the folder.
Write Allows users to post and modify documents in the folder.
Script Source Access Allows users to access the source code of scripts in this folder. If Write is enabled, this setting also allows users to modify and upload scripts.
Directory Browsing Allows users to view the contents of the folder. When this option is disabled, the user must know the exact names of files to request them. This is fine for serving Web pages because the links to the files are embedded into URLs in the pages themselves. But when you serve documents, you might want to enable this option to let users browse available files.


Application permissions Application permissions control the access that remote browsers have to execute code and scripts on the local system. These permissions are not required for simple document sharing, but they come into play when you are serving Active Server Pages (ASP) or other server-side scripts.

None Allows the browser to access only static files such as Web pages.
Scripts Allows only the execution of scripts, such as Active Server Pages (ASP).
Execute (Includes Scripts) All file types can be accessed or executed.
IMPORTANT

When you enable Write permission on a Web Folder, you receive a warning about enabling Write with either Script or Execute permission enabled. Doing so can open your server to the upload and execution of malicious code. If you are document sharing over the Internet, be sure to allow only the None application permission on Web folders.

After configuring options in the Edit Alias dialog box, click Accept to enable Web sharing for the folder. Users can locate the folder at http://servername/foldername with their Web browsers. You can also construct a default Web page for your server to link to the Web folders you have published.
IMPORTANT

As with all Internet-facing features, it is wise to be proactive about any patches and protections related to Web folders. Ensure that Windows Firewall is enabled and that Automatic Updates are properly configured so the latest patches will be downloaded and deployed as soon as they are available.

NTFS Permissions and Web Folders


You can also use NTFS permissions to control access to Web folders. You can set the permissions as you would normally, and then enable Windows authentication in the Internet Manager console.

To enable Windows authentication:
1. Right-click the default Web site in Internet Manager, and select Properties.
2. On the Directory Security tab of the Properties dialog box for the default Web site, click the Edit button under Anonymous Access And Authentication Control.
3. In the Authentication Methods dialog box (Figure 8-31), choose the appropriate options. Choosing integrated Windows authentication allows NTFS permissions to be used. Choosing basic authentication does as well, but basic authentication poses some security risks (discussed below). If you choose to disable anonymous access, unauthorized users cannot connect to the folder.


Figure 8-31 Setting directory security in Internet Manager

NOTE

This dialog box includes options to enable basic authentication (to support non-Microsoft browsers), but with basic authentication passwords are sent as clear text, which might compromise security by revealing users' passwords.

Using Web Folders


Users can navigate to a Web folder using their Web browser with the URL http://servername/foldername. This allows read-only access to the documents in the folder. Users can also, with Internet Explorer 5 or later, connect to the folder as a Web folder. They can then use the documents in the folder as if they were opening them in Windows Explorer. They can drag and drop additional files into the folder, delete files (given the appropriate permissions in NTFS, of course), and save documents using Office applications.
MORE INFO Other browsers are available for WebDAV folders. You can obtain additional information about WebDAV support at www.webdav.org/projects.

To open a Web folder:
1. On the File menu in Internet Explorer, click Open.
2. Enter the URL of the Web Folder, and select the Open As Web Folder option. Internet Explorer opens the folder with a My Computer-like interface.

CHAPTER 8:

CONFIGURING AND MANAGING SHARED FOLDER SECURITY

289

SUMMARY

You can make a folder and its contents available to other users over the network by sharing the folder. Using shared folder permissions is the only way to secure file resources on FAT volumes.

Shared folder permissions apply to folders, not individual files. To access a shared folder, users must connect to it and have the appropriate permissions.

Shared folder permissions restrict access to users who connect to the folder over the network, not to users who gain access to the folder at the computer where the folder is stored.

The three shared folder permissions are Read, Change, and Full Control. The default shared folder permission is Read, and it is assigned to the Everyone group when you share the folder.

Best practices for security include removing the Everyone group from shared folders and using another group, such as Users or Authenticated Users, instead to prevent unauthorized access to files and folders.

Windows XP Professional automatically shares folders for administrative purposes. These shares are marked with a dollar sign ($), which hides them from users who browse the computer.

In Windows XP Professional, members of the built-in Administrators and Power Users groups can share folders.

You can access a shared folder on another computer by using My Computer, My Network Places, the Run command, or the NET USE command.

On an NTFS volume, you can assign NTFS permissions to individual users and groups to better control access to the files and subfolders in the shared folders. When you combine shared folder permissions and NTFS permissions, the more restrictive permission is always the overriding permission.

Use the Shared Folders snap-in to monitor access to network resources on local or remote computers.

Offline files are network files that are cached on your local disk so they are available even if the network is not.

Before you can use offline files, you must choose Folder Options from the Tools menu of My Computer or Windows Explorer to configure your computer to use offline files. You must use the User Accounts tool to disable Fast User Switching before you can enable offline files.

You use Synchronization Manager to configure synchronization of the offline files you are using and the copies on the server. You can use Synchronization Manager to configure synchronization to occur when you log on, when you log off, or both, and you can specify that you want to be asked before synchronization occurs.

Web folders offer a way to enable Internet file sharing via WebDAV.
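The permission rules in this summary, as an added example (not code from this course): a small model that combines shared folder permissions and NTFS permissions for one user, honoring that Deny beats Allow, that share permissions apply only to network access, that the more restrictive of the two sets wins over the network, and that a FAT volume offers no file-level restriction. The ACLs, user names and group names are constructed for the example, and reducing the permission levels to four abstract rights is a simplification made here.

```python
from dataclasses import dataclass

# The rights the three shared folder permissions and the NTFS basic permissions
# grant, reduced to four abstract operations for this example.
OPERATIONS = frozenset({"read", "write", "delete", "change_permissions"})
SHARE_LEVELS = {
    "Read": {"read"},
    "Change": {"read", "write", "delete"},
    "Full Control": set(OPERATIONS),
}
NTFS_LEVELS = {
    "Read": {"read"},
    "Write": {"write"},
    "Modify": {"read", "write", "delete"},
    "Full Control": set(OPERATIONS),
}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, Allow or Deny, and which permission level."""
    principal: str
    access: str      # "Allow" or "Deny"
    permission: str  # a key of SHARE_LEVELS or NTFS_LEVELS


def resolve(aces, levels, principals):
    """Combine every ACE naming the user or one of the groups; Deny wins over Allow."""
    allowed, denied = set(), set()
    for ace in aces:
        if ace.principal in principals:
            target = allowed if ace.access == "Allow" else denied
            target.update(levels[ace.permission])
    return allowed - denied


def effective_access(user, groups, share_aces, ntfs_aces, via_network, ntfs_volume=True):
    """Rights the user actually has on the folder, given how it is reached and where it lives."""
    # Simplification: every interactive user is a member of Everyone and Authenticated Users.
    principals = {user, "Everyone", "Authenticated Users", *groups}
    # On a FAT volume there are no NTFS permissions, so nothing restricts local access.
    ntfs = resolve(ntfs_aces, NTFS_LEVELS, principals) if ntfs_volume else set(OPERATIONS)
    if not via_network:
        return ntfs                       # share permissions do not apply locally
    share = resolve(share_aces, SHARE_LEVELS, principals)
    return share & ntfs                   # the more restrictive of the two wins


# Constructed sample ACLs for a folder shared as \\server\Projects.
SHARE_ACL = [
    Ace("Everyone", "Allow", "Read"),          # the default share permission
    Ace("Sales", "Allow", "Change"),
    Ace("Interns", "Allow", "Full Control"),   # over-granted at the share
]
NTFS_ACL = [
    Ace("Sales", "Allow", "Modify"),
    Ace("Interns", "Allow", "Read"),
    Ace("FormerStaff", "Deny", "Full Control"),
]

if __name__ == "__main__":
    for user, groups in (("jsmith", {"Sales"}), ("tlee", {"Interns"}), ("rkim", {"Sales", "FormerStaff"})):
        over_net = effective_access(user, groups, SHARE_ACL, NTFS_ACL, via_network=True)
        local = effective_access(user, groups, SHARE_ACL, NTFS_ACL, via_network=False)
        print(f"{user:8} network={sorted(over_net)} local={sorted(local)}")
```

The intern case is the one to notice: Full Control at the share buys nothing beyond what the NTFS Read permission allows, which is why the share permission can stay coarse as long as NTFS carries the real policy. The reverse also holds: leaving the default Read share permission in place caps network access at read-only whatever NTFS says.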

REVIEW QUESTIONS
1. If you are using NTFS permissions to specify which users and groups can access files and folders and what these permissions allow users to do with the contents of the file or folder, why would you need to share a folder or use shared folder permissions?

2. Which of the following are valid shared folder permissions? (Choose all correct answers.)
   a. Read
   b. Write
   c. Modify
   d. Full Control

3. _______________ (Denied/Allowed) permissions take precedence over ____________ (denied/allowed) permissions on a shared folder.

4. When you copy a shared folder, the original folder is _______________ (no longer shared/still shared) and the copy is ____________________ (not shared/shared).

5. When you move a shared folder, the folder is _____________________ (no longer shared/still shared).

6. When you rename a shared folder, the folder is ___________________ (no longer shared/still shared).

7. The system root folder, which is C:\Windows by default, is shared as ____________.

8. To assign permissions to user accounts and groups for a shared folder, which of the following tabs do you use?
   a. The Permissions tab of the Properties dialog box for the shared folder
   b. The Sharing tab of the Properties dialog box for the shared folder
   c. The General tab of the Properties dialog box for the shared folder
   d. The Security tab of the Properties dialog box for the shared folder

9. By default, how much of the available disk space is allocated for the cache for making shared folders available offline?
   a. 20 percent
   b. 15 percent
   c. 10 percent
   d. 5 percent

10. Which of the following statements about combining shared folder permissions and NTFS permissions are true? (Choose all correct answers.)
   a. You can use shared folder permissions on all shared folders.
   b. The Change shared folder permission is more restrictive than the Read NTFS permission.
   c. You can use NTFS permissions on all shared folders.
   d. The Read NTFS permission is more restrictive than the Change shared folder permission.

11. Which of the following statements about shared folder permissions and NTFS permissions are true? (Choose all correct answers.)
   a. NTFS permissions apply only when the resource is accessed over the network.
   b. NTFS permissions apply whether the resource is accessed locally or over the network.
   c. Shared folder permissions apply only when the resource is accessed over the network.
   d. Shared folder permissions apply whether the resource is accessed locally or over the network.

12. How do you determine which users have a connection to open files on a computer and which files they have a connection to?

13. How can you disconnect a specific user from a file?

14. Which of the following statements are true about Web folders? (Choose all correct answers.)
   a. Web folders are designed to allow Internet file sharing.
   b. Web folders work with all browsers.
   c. Web folders use the FTP protocol to transfer files.
   d. Web folders use WebDAV to transfer files.

CASE SCENARIOS
Scenario 8-1: Shared Folder Tree
You are designing security for a small office workgroup network. You have decided to create a tree for data folders for all the departments in the office. The departments (and the folders you will create) are: Accounting, Operations, Manufacturing, and Facilities. Answer the following questions about the configuration of these folders:

1. To allow each department to have access only to its own folder but to promote ease of administration for you, how should you arrange these folders?
2. The Operations department wants to allow all others to read their files but not modify them. How can you assign permissions to the Operations folder to enable this?
3. If you have Full Control permission to the folder containing all the department folders, what is your permission to the Accounting folder?

Scenario 8-2: Command-Line Nirvana


You are the administrator of a large network in a law office. Your office has just joined with a larger law group, and you need to set up access to allow attorneys from the other group to access your firm's files. Your boss doesn't want to give them full access to all files just yet and has asked you to give them only the ability to read files for now. You are creating a group of folders for users, and you want to automate folder creation by using the NET SHARE command. Answer the following questions about this scenario:

1. You are sharing the Pending Briefs folder, which is located at D:\Data\PendingBriefs. What NET SHARE command should you use?
   a. NET SHARE Briefs=D:\Data\PendingBriefs /REMARK:"Pending Briefs"
   b. NET SHARE Briefs /DELETE
   c. NET SHARE D:\Data\PendingBriefs=Briefs /REMARK:"Pending Briefs"
   d. NET SHARE Briefs=\\Server\PendingBriefs /REMARK:"Pending Briefs"

2. After you share the Pending Briefs folder, what is the permission for attorneys from the larger office?

3. After some time, your boss decides that the other attorneys can be trusted and should have greater access to the files in the Pending Briefs folder. He wants them to be able to modify documents there but not delete them. How can you implement this?

CHAPTER 9

SUPPORTING APPLICATIONS IN WINDOWS XP PROFESSIONAL


Upon completion of this chapter, you will be able to:
Manage applications using Windows Installer packages
Manage distribution of applications using Group Policy
Verify application compatibility
Manage application compatibility settings
Troubleshoot application compatibility

Microsoft Windows XP supports a wide array of software, ranging from legacy 16-bit MS-DOS and Windows-based applications to modern 32-bit applications (and, on Windows XP Professional x64 Edition, 64-bit applications). In this chapter, you will learn how to install, manage, and configure applications in Windows XP. We will explore application installation using Windows Installer technologies, managing application installation using Group Policy, and application compatibility, including Windows Logo compatibility and the application compatibility features included with Windows XP Professional.


UNDERSTANDING WINDOWS INSTALLER TECHNOLOGIES


Organizations that operate large numbers of desktop computers need ways to manage installed software effectively. They are also concerned with security. In the past, these two concerns conflicted when it came to automating software installation. Software was distributed on CD-ROM, shared in a network installation folder, or pushed with logon scripts. In all these cases, the software was installed with default settings in the environment of the user who was currently logged on to the system. This caused problems for organizations that restricted users' security permissions. If an organization restricted a user, the user would not have the permissions required to execute the setup routines. If it relaxed security enough to allow the user to run the installers, the user would have more permissions than the administrators wanted the user to have. Organizations needed a solution that accommodated restricted user security while allowing automated installation of software.

Windows Installer
The Windows Installer was created as a solution to the installation issues facing enterprise customers. It runs as a system service (with system privileges) and receives instructions from an installation executable run in the user's environment. This executable, Msiexec.exe, is called by the user or by automated installation settings placed into group policy objects (GPOs) stored in Active Directory. It manages the installation of an application and also allows for sophisticated management capabilities by applying any customizations and updates required at installation time or afterward. It can even allow installations to be scripted to completely automate custom configurations and settings according to the organization's requirements. Because the service, not the user, performs the privileged file and registry work, a restricted user can install only what an administrator has made available through a managed deployment such as a GPO. For the same reason, the AlwaysInstallElevated policy, which tells the service to run any package a user launches with system privileges, should stay disabled: with it enabled, any user can take full control of the computer simply by installing a package of their own making.

Windows Installer Packages


Windows Installer executes installation instructions placed into Windows Installer packages. These packages contain all the components and configuration information required to completely install the packaged application. They can be distributed by the software manufacturer or created as a customized installation of a specific application by an administrator.


Components of Windows Installer packages

Windows Installer packages consist of a central installation package with associated transform files that can modify the installation. In addition, patch files are used to install updates to the Installer packages. The main components of the Windows Installer packages are:

Windows Installer package (.msi) Windows Installer packages contain the entire application being installed, sometimes packaged into a single .msi file, which is a database of application objects along with installation settings. Large applications might be stored in a folder, with the installation being directed by a smaller .msi file stored in the folder with it.

Transform (.mst) Transforms contain custom installation parameters and settings. When specified along with the Windows Installer package, the transform modifies the installation according to the settings contained within. These settings override any similar settings contained in the original package.

Patch (.msp) Patch packages are used to install application updates or patches. These files are designed to apply fixes to Windows Installer packages by modifying settings and cabinet files contained in the original package.

Using Msiexec to execute Windows Installer packages

The Msiexec.exe application is associated with the .msi file extension in Windows XP system settings. When an .msi file is executed, the Msiexec.exe application, in concert with the Windows Installer service, reads the .msi file and performs the package installation. If a transform (.mst) is specified through the TRANSFORMS property, it is also processed to include the appropriate customizations in the installation. Msiexec.exe can also be called directly to perform an installation action. Here is an example of syntax for the Msiexec.exe application:

msiexec /I c:\sample\package.msi TRANSFORMS=transform.mst

In this example, we are installing the package application with the custom settings specified by Transform.mst. Note that the transform is passed as the value of the TRANSFORMS property; a bare file name after the package is not a valid argument. A complete list of command-line options appears in Table 9-1.


Table 9-1 Msiexec.exe Command-Line Options

Option   Parameters   Description

/I   Package|ProductCode
     Installs or configures a product.

/f   [p|o|e|d|c|a|u|m|s|v] Package|ProductCode
     Repairs a product using the original source files. The default argument list for this option is omus. The options are:
       p  Reinstalls only if the file is missing.
       o  Reinstalls if the file is missing or an older version is installed.
       e  Reinstalls if the file is missing or an identical or older version is installed.
       d  Reinstalls if the file is missing or a different version is installed.
       c  Reinstalls if the file is missing or the stored checksum does not match the calculated value.
       a  Forces all files to be reinstalled.
       u  Rewrites all required user-specific registry entries.
       m  Rewrites all required computer-specific registry entries.
       s  Overwrites all existing shortcuts.
       v  Runs from the source and recaches the local package.

/a   Package
     Installs a product on the network. This option is used to create administrative installation points for installation from shared folders on the network.

/x   Package|ProductCode
     Uninstalls a product.

/j   [u|m]Package
     [u|m]Package /t TransformList
     [u|m]Package /g LanguageID
     Advertises a product.
       u  Advertises to the current user.
       m  Advertises to all users of the machine.
       g  Language identifier.
       t  Applies transform to advertised package.

/L   [i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] Logfile
     Writes logging information into a log file at the specified path. Flags indicate which information to log. If no flags are specified, the default is iwearmo.
       i  Status messages.
       w  Nonfatal warnings.
       e  All error messages.
       a  Startup of actions.
       r  Action-specific records.
       u  User requests.
       c  Initial UI parameters.
       o  Out-of-disk-space messages.
       m  Out-of-memory or fatal exit information.
       p  Terminal properties.
       v  Verbose output.
       x  Extra debugging information. Only available on Windows Server 2003.
       +  Append to existing file.
       !  Flush each line to the log.
       *  Wildcard. Log all information except for the v and x options. To include the v and x options, specify /l*vx.

/m   filename
     Generates an SMS status .mif file. Must be used with the install (-i), remove (-x), administrative installation (-a), or reinstall (-f) option. Ismif32.dll is installed as part of SMS and must be on the path. The fields of the status .mif file are filled with the following information:
       Manufacturer   Author
       Product        Revision number
       Version        Subject
       Locale         Template
       Serial Number  Not set
       Installation   Set by Ismif32.dll to DateTime
       InstallStatus  Success or Failed
       Description    Lists error messages in the following order:
                      1. Any error messages generated by the installer.
                      2. Resource error message from Msi.dll if installation could not commence or the user exited.
                      3. Any system error message.
                      4. A formatted message: Installer error %i, where %i is the error returned from Msi.dll.

/p   PatchPackage[;PatchPackage2 ...]
     Applies a patch.

/q   n|b|r|f
     Sets user interface level.
       q    No UI.
       qn   No UI.
       qb   Basic UI. Use qb! to hide the Cancel button.
       qr   Reduced UI with no modal dialog box displayed at the end of the installation.
       qf   Full UI and any authored FatalError, UserExit, or Exit modal dialog boxes at the end.
       qn+  No UI except for a modal dialog box displayed at the end.
       qb+  Basic UI with a modal dialog box displayed at the end. The modal dialog box is not displayed if the user cancels the installation. Use qb+! or qb!+ to hide the Cancel button.
       qb-  Basic UI with no modal dialog boxes. Note that /qb+- is not a supported UI level. Use qb-! or qb!- to hide the Cancel button.
     Note that the ! option is available with Windows Installer 2.0 and works only with basic UI. It is not valid with full UI.

/? or /h
     Displays syntax help and copyright information for Windows Installer.

/y   Module
     Calls the system function DllRegisterServer() to self-register modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use:
       msiexec /y .\MY_FILE.DLL
     This option is used only for registry information that cannot be added using the registry tables of the .msi file, and for modules capable of self-registration.

/z   Module
     Calls the system function DllUnregisterServer() to unregister modules passed in on the command line. Specify the full path to the DLL. For example, for My_file.dll in the current folder, you can use:
       msiexec /z .\MY_FILE.DLL
     This option is used only for registry information that cannot be removed using the registry tables of the .msi file, and for modules capable of unregistering themselves.

/c   (none)
     Advertises a new instance of the product. Must be used in conjunction with /t. Available starting with the Windows Installer version that ships with Windows Server 2003 and Windows XP SP1.

/n   ProductCode
     Specifies a particular instance of the product. This option can be used to identify an instance of an application installed using multiple instance support. Available starting with the Windows Installer version that ships with Windows Server 2003 and Windows XP SP1.

NOTE

Msiexec options are not case sensitive. In the preceding table, /I and /L are capitalized for clarity.
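Here is an added example, not from this course, of how a deployment script drives Msiexec.exe with the options in Table 9-1. It builds the command line (the transform goes through the TRANSFORMS property, paths containing spaces are quoted the way msiexec expects, /qn for an unattended run, /L*v for a verbose log) and translates the exit code into success, reboot-needed or failure. The package, transform and log paths are invented, and run_msiexec only does anything useful on a Windows host.

```python
import subprocess

# Windows Installer exit codes a deployment script should distinguish (documented values).
EXIT_CODES = {
    0: "ERROR_SUCCESS",
    1602: "ERROR_INSTALL_USEREXIT (user cancelled)",
    1603: "ERROR_INSTALL_FAILURE (fatal error; read the verbose log)",
    1618: "ERROR_INSTALL_ALREADY_RUNNING (another installation is in progress)",
    1619: "ERROR_INSTALL_PACKAGE_OPEN_FAILED (package missing or unreadable)",
    1638: "ERROR_PRODUCT_VERSION (another version of this product is already installed)",
    1641: "ERROR_SUCCESS_REBOOT_INITIATED",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}


def _quote(value):
    """msiexec parses its own command line: values with spaces must be double-quoted."""
    return f'"{value}"' if " " in value else value


def build_msiexec_command(package, transforms=(), properties=None, log_path=None, quiet=True, action="/i"):
    """Assemble the msiexec command line for installing (or, with action='/x', removing) a package."""
    parts = ["msiexec.exe", action, _quote(package)]
    if transforms:
        # Transforms are applied through the TRANSFORMS property, separated by semicolons.
        parts.append("TRANSFORMS=" + _quote(";".join(transforms)))
    for name, value in (properties or {}).items():
        parts.append(f"{name}={_quote(value)}")
    if quiet:
        parts.append("/qn")                       # no UI: required for unattended deployment
    if log_path:
        parts.extend(["/L*v", _quote(log_path)])  # verbose log, the first thing to read on failure
    return " ".join(parts)


def interpret_exit_code(code):
    """Translate an msiexec exit code into success/reboot/failure for the caller."""
    return {
        "code": code,
        "meaning": EXIT_CODES.get(code, "unrecognized Windows Installer or system error"),
        "succeeded": code in (0, 1641, 3010),
        "reboot_required": code in (1641, 3010),
    }


def run_msiexec(command):
    """Run the command on Windows and return the interpreted result (not executed in the tests)."""
    completed = subprocess.run(command, shell=False)   # a string is handed to CreateProcess as-is
    return interpret_exit_code(completed.returncode)


if __name__ == "__main__":
    cmd = build_msiexec_command(
        r"C:\Deploy\LegacyCRM\crm.msi",
        transforms=[r"C:\Deploy\LegacyCRM\corp.mst"],
        properties={"ALLUSERS": "1"},            # per-machine install
        log_path=r"C:\Deploy Logs\crm-install.log",
    )
    print(cmd)
    print(interpret_exit_code(3010))
```

Treating 3010 and 1641 as success is the detail most ad hoc scripts get wrong: both mean the product installed and a restart is pending, so a script that checks only for 0 reports a working deployment as a failure.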

Advantages of Windows Installer packages

Software packaged using the Windows Installer technologies is tailor-made for automated installation. You can advertise (or publish) it for installation using the Msiexec.exe command, and you can install it or publish it using Group Policy in Active Directory. You get substantial control and management abilities, essentially for free, just by taking advantage of these features.
NOTE

We will discuss publishing applications later in this chapter.

Another advantage of the Windows Installer technologies is the prospect of self-healing applications. Simply reinstalling from Add/Remove Programs or executing the appropriate Msiexec.exe command causes the application to examine all its files against the original installation source, replacing or repairing any missing or corrupt files. Applications such as Microsoft Office can even launch this process from within the application to provide automatic self-repair.

DEPLOYING SOFTWARE USING GROUP POLICY


We've alluded to group policy objects (GPOs) several times in this chapter. Group Policy is one component of Microsoft's IntelliMirror technologies, and it is used to manage system and application configuration and software installation. We will now examine the role of Group Policy in application management and support.

Overview of Group Policy


Group Policy allows you to manage configuration of computers and user settings in an Active Directory environment. Using Group Policy, you can control settings for software configuration, manage registry settings, configure security, install software updates, manage user profiles, and carry out many other tasks. Group Policy settings are stored in group policy objects that are attached to Active Directory domains, sites, or organizational units (OUs). GPOs can store settings for users and/or computers, allowing administrators to configure many settings at once.
MORE INFO There is obviously much more to Group Policy and Active Directory that falls beyond the scope of this course. For more information on Active Directory and Group Policy, see Microsoft Official Academic Course 70-294: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Software Installation Policies


Software installation policies are one facet of GPOs. They allow administrators to specify .msi packages that are to be advertised or installed on systems. These applications can be installed for specific users in the domain or for individual computers themselves. We will examine the two methods of making software available with GPOs: publishing and assigning (Figure 9-1).
[Figure 9-1 flowchart: a Software Installation Policy is either Published (installed on demand, or on first use of an associated document) or Assigned (installed on first use, or on first use of an associated document; when assigned to a computer, installed on next restart).]

Figure 9-1 Managing software installation policy



Publishing software

Publishing software is like advertising the availability of an application. The application appears in the Add/Remove Programs area as available for installation; it is also installed on demand the first time a user opens a file with an associated extension. Because published applications require action from a user to be installed, they can be made available only to users (rather than being assigned to computers).

Assigning software

Software can be assigned to the user or directly to the computer. If an application is assigned to the user, an icon for the application appears on the desktop or on the Start menu, and the application is installed the first time the icon is activated or the first time an associated file is opened. Software assigned to the computer (Figure 9-2) is installed the next time the computer starts, before any user logs on. It is thus ready when any user of the system needs it. If user-specific options need to be installed, as specified by the .msi file, they are quickly installed the first time the user runs the application.

Figure 9-2 Software assigned to a computer



Upgrading or patching software with Group Policy In addition to directing installation of software, you can configure GPOs to install application updates. You can configure these updates to upgrade the existing application or even replace it (Figure 9-3).

Figure 9-3 Installing an application upgrade with Group Policy



Removing Software Installation Policy


When a software installation policy for an application no longer applies to the computer or user, you can manage the application in either of two ways (Figure 9-2):

Uninstall the application when it falls out of the scope of management This removes the application if the computer or user to which it is attached leaves the domain or OU the GPO is linked to. It also removes the application if the GPO or its software installation policy is deleted. The removal happens the next time the client processes Group Policy and finds that the policy no longer applies, so it keeps licensed software from lingering on machines that are moved or retired within the domain. It is not a theft control: a computer that is lost or stolen, or simply kept off the network, never processes the change and keeps the software.

Leave the application in place when it falls out of the scope of management The software remains in place if the user or computer falls out of management, either through changing domains or OUs or the policy being deleted.
NOTE

You explicitly select the Uninstall When It Falls Out Of The Scope Of Management option when you configure a software installation policy. Leaving the application in place is the result of not explicitly selecting that option.


UNDERSTANDING APPLICATION COMPATIBILITY


Windows XP brought together the stability of the Windows NT family of operating systems and the hardware compatibility of the Windows 9x family of operating systems. The Windows XP designers were faced with hard choices. Users and corporations needed the security and reliability features of the Windows NT operating systems but wanted to be able to use all the legacy applications they had acquired over the years. Some of these applications were incompatible with the strict requirements of the Windows NT line. Microsoft therefore designed application compatibility technologies into Windows XP. Users can customize settings to emulate the environments that legacy applications require to operate effectively. In this section, we will explore these application compatibility technologies and how to configure them.

Windows Logo Program


Before we discuss application incompatibility, let's take a look at application compatibility. Microsoft operates the Windows Logo Program Qualification Service (Winqual) to test and certify products for compliance with Windows operating systems. Software manufacturers submit their products to the Winqual service for testing and obtain logo certification for their products, entitling them to submit their products to the Windows Catalog and use one of the Windows logos in their advertising and on product packaging. The Windows Logo Program specifies three levels of application compatibility:

Compatible with Windows XP This level indicates that the application will perform its primary function without crashing your system.

Designed for Windows XP Applications with this logo will not interfere with other applications in use on your system, will install and uninstall properly, and will not overwrite files that are needed by the operating system. These applications will support Fast User Switching and will not require a reboot unnecessarily. Designed for Windows XP applications are eligible for inclusion in the Windows Catalog (http://www.microsoft.com/windows/catalog). Users can browse listings of compatible applications in the Windows Catalog (Figure 9-4) and be confident that those applications have been certified for Windows compatibility.

Optimized for Windows XP These applications meet the Designed for Windows XP logo requirements and also take advantage of advanced Windows XP technologies for gaming, multimedia, or accessibility. They might also be certified for compatibility with future Windows versions. They might even integrate the new Windows XP visual styles or enable the ability to traverse network address translation (NAT) firewalls in their Internet communications.


Figure 9-4 The Windows Catalog displaying Designed for Windows applications

Causes of Application Incompatibility


Legacy applications might be incompatible with Windows XP for a number of reasons, including the following:

Changes in data formats The legacy application might fail to run if the updated data access technologies in Windows XP do not support access methods used by the application. An example of this would be changes in Microsoft Data Access Components (MDAC) that require programs using older versions to be updated to remain compatible.

Different user profile formats and locations Windows XP places all user profiles in the Documents and Settings folder on the system volume. If the application was specifically programmed to store user data in the C:\WINNT\Profiles or C:\Windows\Profiles folder (the locations in Windows NT and Windows 9x, respectively), it might fail to properly store data files or application settings.
NOTE

Systems upgraded from Windows NT Workstation and Windows 9x will still use the former user profile folders.


Windows reports wrong version number Some applications that were designed for Windows 95 or Windows 98 will not run on other operating system versions. Even if there is no functional reason for them not to run, they simply won't continue with the wrong operating system version.

Application cannot operate with large amounts of resources The application might not know how to operate with more than 2 GB of free disk space or too much RAM. The application will assume that resources are insufficient for proper operation and will present an error and/or shut down.

Application uses direct hardware access methods For stability reasons, operating systems in the Windows NT family do not allow applications to directly access hardware resources. Applications must access hardware through a device driver. This causes incompatibility with applications designed for Windows 9x that might have accessed hardware directly. An example of this might be an application that manipulates system memory directly.

Application Compatibility Tools


The developers of Windows XP recognized the challenges presented by legacy software and designed several application compatibility technologies into Windows XP. During Windows XP setup, existing applications are compared against a list of known incompatible applications stored in the Migdb.inf file (Windows 9x) or Ntcompat.inf file (Windows NT/2000). These files allow Setup to warn users about incompatibilities during setup, long before the incompatible application would be used.

Compatibility fixes

Some incompatible applications can be supported if you modify how Windows XP responds to the application or if you create an emulated environment that the application will find suitable. You do this by using shim technology to insert code between the application and the operating system to fool the application into believing it is running in its preferred environment. These compatibility fixes are stored in the application compatibility system databases Sysmain.sdb and Apphelp.sdb. These databases are stored in the application compatibility database folder (\AppPatch) in the Windows main system folder (usually C:\Windows).


Compatibility modes

Applications written for older operating systems often took advantage of specific (and sometimes undocumented) features. If these features are no longer available in Windows XP (for security or stability reasons), those applications will normally not run in Windows XP. However, by mimicking the older operating system, Windows XP can still execute the application. Windows XP accomplishes this by using compatibility modes. These are collections of compatibility fixes that, taken together, mimic the earlier operating system. There are three kinds of application compatibility modes:

End-user modes These are the compatibility modes included with Windows XP and displayed when a user browses the Compatibility tab of an application's Properties dialog box (Figure 9-5). They apply a collection of compatibility fixes designed to mimic the earlier operating system. Application compatibility modes are available to mimic Windows 95, Windows 98/Windows Me, Windows NT 4.0 (Service Pack 5), and Windows 2000. In addition, users can choose to run the application in 256 colors or at 640×480 resolution, to disable visual themes, and to turn off advanced text services.

FT09HT05.BMP

Figure 9-5 Setting the compatibility mode for an application

System modes These modes are accessible to system administrators and include, in addition to the end-user modes, fixes to enable users with limited accounts to operate applications and fixes to support user profile interaction changes in Windows XP. These modes are configured with the Compatibility Administrator tool (discussed later). Custom modes Customized modes, consisting of fixes designed for a specific application, can be created and applied with the Compatibility Administrator tool.


You select end-user compatibility modes on the Compatibility tab of the Properties dialog box for an application executable (Figure 9-5).

Program Compatibility Wizard

The Program Compatibility Wizard (Figure 9-6) is designed to allow end users to manage their own application compatibility settings. The wizard walks you through setting compatibility modes or display settings and allows you to test compatibility. You launch the wizard from Help and Support Center by searching on application compatibility.

Figure 9-6 Managing application compatibility with the Program Compatibility Wizard

Advanced Compatibility Tools


System administrators can use two additional tools to manage compatibility fixes for applications: the Compatibility Analyzer and the Compatibility Administrator. They can scan for known application compatibility issues with installed software, apply specific fixes to an application, and evaluate the results. You can obtain them by downloading the Application Compatibility Toolkit from the MSDN Web site at http://msdn.microsoft.com/compatibility.

Compatibility Analyzer

The Compatibility Analyzer tool (Figure 9-7) scans the computer for applications and reports their compatibility status. It can also maintain a database of installed software from data collected on computers around the enterprise, allowing administrators to assess application compatibility issues on all their systems from a central location.


Figure 9-7 The Compatibility Analyzer tool



Compatibility Administrator

The Compatibility Administrator tool (Figure 9-8) lets you customize fixes for a specific application. Of the hundreds of available fixes, you might apply one or more to an incompatible application and test the results. If the program is made compatible, you can store the compatibility settings in a database and apply them to other systems in the organization.

Figure 9-8 The Compatibility Administrator tool



Troubleshooting Application Compatibility Issues


When you're faced with an incompatible application, you should eliminate any potential installation mistakes before you call the software vendor. If reinstalling the application according to the manufacturer's instructions does not solve the problem, you might consider the following steps:

Check the vendor's Web site for application updates: After your company acquired the application, the application's vendor might have solved the compatibility issues with the application and made an updated version available for download. Some software manufacturers also make their updates available via the Windows Update Web site (http://windowsupdate.microsoft.com).

Install the application using an administrator-level account: Some applications cannot store required files or make the necessary registry modifications when they are installed by a limited user account. Reinstalling the application as an administrator might solve the problem.

Make sure no other users are logged on to the system: If Fast User Switching is enabled, other users might be logged on to the computer. This might interfere with the installation or operation of a program that was not designed to operate in this environment.

Analyze the program with the Program Compatibility Wizard: The wizard can apply compatibility modes to the program and test the results. This might enable a legacy program to operate.

Manage the program with the Compatibility Administrator tool: This tool can apply individual or multiple compatibility fixes and evaluate the results.


SUMMARY

Windows Installer runs as a system service (at elevated privileges) and receives instructions from Msiexec.exe. It manages the installation of an application and allows for sophisticated software installation management. It can completely automate custom configurations and settings according to the organization's requirements.

Windows Installer packages consist of a central installation package (.msi) with associated transform files (.mst) that might modify the installation.

The Msiexec.exe application is associated with the .msi file extension. In concert with the Windows Installer, it reads the .msi file and any .mst transforms and performs the package installation.

Group Policy allows you to manage configuration of computers and user settings in an Active Directory environment. Software installation policies allow administrators to specify .msi packages that are to be advertised or installed on systems. These applications can be installed for specific users or for the computer itself.

Microsoft operates the Windows Logo Program Qualification Service (Winqual) to test and certify products for compliance with Windows operating systems.

Legacy applications might have used features of older operating systems that are not available in Windows XP. By mimicking the older operating system, Windows XP can still execute the application. You accomplish this by defining compatibility modes.

The Program Compatibility Wizard helps users set compatibility modes or display settings and allows them to test compatibility.

The Compatibility Analyzer tool scans for applications and reports their compatibility status to an administrator.

The Compatibility Administrator tool allows you to customize fixes for a specific application and package those fixes for distribution to multiple Windows XP systems.

REVIEW QUESTIONS
1. You are installing an application that should be available to specific users wherever they use a computer. The application should be installed when they execute it for the first time or open an associated application. You are planning to implement a software installation policy, and you have placed the users into an organizational unit. What method of software policy implementation should you use to ensure that only the users in this OU receive the application?
a. Assign the software to the users in the OU
b. Publish the software to the users in the OU
c. Assign the software to the computers in the OU
d. Publish the software to the computers in the OU

2. You are distributing an application to all computers in your organization. You want to install it with different settings for one department in your home office. How can you configure software installation Group Policy settings to accomplish this?
a. Create an OU for users requiring the special settings. Create a transform for the special settings. Assign the Windows Installer package to the users in the domain. Assign the package, along with the transform for the special settings, to users in the special settings OU.
b. Create an OU for users requiring the special settings. Create two Windows Installer packages to support the different settings. Assign the default package to the domain users, and assign the other to the users in the special settings OU.
c. Create an OU for users requiring the special settings. Assign the application's Windows Installer package to the computers in the domain. Create a transform for the special settings, and assign it to the users in the special settings OU.
d. Create a transform for the special settings. Assign the Windows Installer package to the computers in the domain. Instruct the users who require special settings in how to reinstall the application with the special settings transform.

3. Which of the following Msiexec.exe commands would uninstall the program.msi package?
a. msiexec /r program.msi
b. msiexec /x program.msi
c. msiexec /i program.msi
d. msiexec /f program.msi


4. You are purchasing a new accounting application for your small business. You want to make sure the application is compatible with Windows XP. Which of the following compatibility logos would you look for?
a. Designed for Windows 98
b. Designed for Windows XP
c. Compatible with Windows XP
d. Designed for Windows Server 2003

5. You are configuring a legacy business application to run on Windows XP. It presents several errors on startup, and you have tried several compatibility modes in your attempt to find a solution. Windows 95 mode works best but still has a few issues. The manufacturer has gone out of business, and you cannot find any other information about compatibility upgrades. Which of the following tools might help you?
a. Compatibility Analyzer
b. Program Compatibility Wizard
c. Compatibility Administrator
d. Msiexec.exe

CASE SCENARIOS
Scenario 9-1: Windows Installer
You are planning the implementation of a complex business application to systems in a mid-size company. The application supports Microsoft Installer technology and is packaged into a single .msi file. All users of the application will use the application's default settings, but some will make use of features that other users will not need. The business owner has asked you to install the application so that users have only the features of the application they require. The users have been grouped into three groups based on the functionality they require. The groups are Finance, Sales, and Production. You know you can perform a custom installation from CD-ROM, but you want to automate the installations in the interest of time and consistency. You discover a list of available installer transforms for different configurations. You select three that seem like a good fit for users in the organization: Accounting.mst, Salesforce.mst, and Manufacturing.mst.

Answer the following questions about this scenario:
1. If the users are maintained in an Active Directory domain environment, how do you automate the installation of the application to the three groups of users?
2. If Active Directory isn't available, how do you automate this installation?
3. Which of the following Msiexec command lines installs the application for the Finance group?
a. Msiexec /I Application.msi Finance.mst
b. Msiexec /a Application.msi Accounting.mst
c. Msiexec /x Application.msi
d. Msiexec /I Application.msi Accounting.mst

Scenario 9-2: Irreconcilable Differences?


You have been contracted by a small company to see if there is any way to make their legacy business applications work with Windows XP. They have three applications in particular that are causing trouble. After some research, you discover the following:

Application A has the "Designed for Windows 98" logo and runs on Windows XP. Errors occur when you attempt to access data files, however. The manufacturer no longer produces or supports the application.

Application B was written by a former employee that the business has lost contact with. When the application is executed, it returns the error "This application requires Windows 95." It then terminates.

Application C does not run at all. The manufacturer is still in business and has a version compatible with Windows XP. When one user attempted to install it, the installation program returned the error "Unable to write to program folder."


Answer the following questions about this scenario:
1. Which of the following actions will most likely help Application A operate effectively?
a. Operate the application in Windows 98 compatibility mode
b. Run the application as an administrator
c. Remove and reinstall the application
d. Change the permissions on the application data files
2. What is most likely the cause of Application B's error? How can you configure Application B to operate?
3. What is the most likely cause of Application C's failure during installation? How can you install this application?

CHAPTER 10

CONNECTING WINDOWS XP PROFESSIONAL TO A NETWORK


Upon completion of this chapter, you will be able to:
Configure and troubleshoot the TCP/IP protocol
Connect to a wireless network
Connect to the Internet using dial-up networking
Connect to a virtual private network (VPN)
Configure and troubleshoot Internet Connection Sharing (ICS)
Configure and manage Remote Desktop and Remote Assistance

We have so far concentrated on installing and supporting Microsoft Windows XP and its applications. In the next few chapters we will explore networks and connecting Windows XP to them. In this chapter, we will discuss making the basic network connections. You will learn about the properties of the TCP/IP protocol. You'll explore dial-up networking and use it to connect to networks. You will also learn how to connect your Windows XP system to the Internet and how to share that connection with other systems on your network. Finally, we will configure and use Remote Desktop and Remote Assistance to enable remote control.


CONFIGURING TCP/IP
A protocol is a set of rules and conventions for sending information over a network. Windows XP Professional relies on the Transmission Control Protocol/Internet Protocol (TCP/IP) for logon, file and print services, replication of information between domain controllers, and other common functions. This section presents the skills and knowledge necessary to install, configure, and troubleshoot TCP/IP. It also discusses the process for configuring network bindings, which are links that enable communication among network protocols and services.

The OSI Reference Model


Most discussions of network architecture begin with an overview of the Open Systems Interconnection (OSI) model for networking (Figure 10-1). This reference model for designing networks was proposed in 1979 by the American National Standards Institute (ANSI) to the subcommittee on Open Systems Interconnection of the International Organization for Standardization (ISO). It was published in 1984 as a standard for designing open network applications.
Figure 10-1 The OSI and DARPA reference models

  OSI Reference Model     The DARPA Model
  Application             Application
  Presentation            Application
  Session                 Application
  Transport               Transport
  Network                 Internet
  Data Link               Network
  Physical                Network

The seven layers designate discrete steps in a network communication, beginning at the Application layer and progressing until the data is placed on the physical network medium. Each layer adds its own information for use by its counterpart in the destination stack. Data received at the next system passes up through the protocol stack to the application at the top. Each layer in the upward progression reads its information from the stack and passes the encapsulated data up to the next layer. When the application layer receives the data, it recognizes it and processes it. This process repeats for each communication over the network.


Applications designed strictly using the seven-layer model were found to be ungainly and difficult to configure. Protocols were created to enable faster communication, and they evolved into the TCP/IP and IPX/SPX protocols in use today. The seven layers of the OSI model are:

Application (layer 7): Applications themselves are placed in this layer. The application is responsible for communicating with the user. An example of an application at this layer is a Web browser.

Presentation (layer 6): Converts the information entered by the user into something meaningful to the application. This layer is also responsible for making different data formats or character sets compatible, such as an ASCII-to-EBCDIC translator. Other tasks performed in this layer include certain types of compression and encryption.

Session (layer 5): Provides a session or channel for communication between two computers or users. A Session layer protocol is responsible for establishing and breaking down communication sessions. An example of this is a streaming video session.

Transport (layer 4): Aids the Session layer in preparing data for transmission. This layer is responsible for breaking up the data into manageable units. It is also responsible for sequencing packets and ensuring that lost packets are retransmitted so no data is lost during the communication sequence.
NOTE

There has always been some overlap between the Session and Transport layers, which is one reason why applications that follow the OSI model strictly can be ungainly. Protocols such as Transmission Control Protocol (TCP) actually operate in both layers to ensure guaranteed communication.

Network (layer 3): Routes the information within individual networks and across networks. It maintains a routing table of possible destinations and directs packets to the desired destination.

Data Link (layer 2): Connects the Network layer to the physical media. This layer consists of device drivers and low-level protocols (such as Ethernet and Token Ring) for communication with network adapters. It begins the process of converting the data packets into frames made up of binary signals (1s and 0s). The Data Link layer exists partially in the device drivers and partially in the network adapter firmware.


NOTE

Frame formation encapsulates data in a structure that provides the correct signals for communication on the wire. Frames begin with a preamble or unique sequence of bits that indicate the start of the packet, and they end with a cyclical redundancy check or checksum at the end of the packet. In between are addressing information and data. Other systems on the wire can examine Ethernet frames to determine if those frames are intended for them. Frames received by the final destination system are unpacked and sent up the protocol stack.

Physical (layer 1): This layer consists of the network hardware and the physical network medium. It transmits the electrical or optical signal from one system to the next.
NOTE

As you study networking, you will see references to layer 3 switches or layer 2 devices. This is industry terminology for devices that have capabilities on the named layer. A layer 3 switch, for example, can perform some of the functions of a router (a layer 3 Internet device).
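The frame structure described in the note on frame formation above (addressing, data, and a trailing checksum, with the preamble generated by the adapter hardware) can be built and examined in a few lines. The following Python is an added example written for this edition; it is not code from the book or from Microsoft. It assembles an Ethernet II frame with a CRC-32 frame check sequence (FCS), parses a frame back into its fields, verifies the FCS, and applies the test a host makes on every frame it hears: is the destination my own address, the broadcast address, or a multicast group? All MAC addresses and the payload are constructed sample values.

```python
import struct
import zlib

# Constructed example constants (not values from the book).
BROADCAST_MAC = bytes.fromhex("ffffffffffff")
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MIN_PAYLOAD = 46      # Ethernet pads short payloads so a frame is at least 64 bytes
FCS_LEN = 4           # the cyclical redundancy check at the end of the frame


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Assemble an Ethernet II frame: destination MAC, source MAC, type, payload, FCS.

    The preamble is produced by the adapter and stripped before the driver sees the
    frame, so it is not part of what a host examines. The FCS is CRC-32 over the
    header and payload, transmitted least-significant byte first.
    """
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(MIN_PAYLOAD, b"\x00")
    fcs = struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    return body + fcs


def parse_frame(frame: bytes) -> dict:
    """Unpack the header fields and check the trailing FCS against a recomputed one."""
    if len(frame) < 14 + FCS_LEN:
        raise ValueError("frame shorter than an Ethernet header plus FCS")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    received_fcs = struct.unpack("<I", frame[-FCS_LEN:])[0]
    computed_fcs = zlib.crc32(frame[:-FCS_LEN]) & 0xFFFFFFFF
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}"),
        "payload": frame[14:-FCS_LEN],          # includes any padding bytes
        "fcs_ok": received_fcs == computed_fcs,
    }


def is_addressed_to(frame: bytes, my_mac: bytes) -> bool:
    """The per-frame check a host makes: my unicast address, broadcast, or a group address."""
    dst = frame[0:6]
    if dst == my_mac or dst == BROADCAST_MAC:
        return True
    return bool(dst[0] & 0x01)   # low bit of the first octet set = multicast group address


def demo() -> dict:
    """Build a constructed frame, parse it, then show that one flipped bit fails the FCS."""
    me = bytes.fromhex("001122334455")       # constructed MAC of this host
    peer = bytes.fromhex("66778899aabb")     # constructed MAC of the sender
    good = build_frame(me, peer, 0x0800, b"constructed IPv4 payload")
    damaged = bytearray(good)
    damaged[20] ^= 0x01                      # simulate a single bit error on the wire
    return {
        "good": parse_frame(good),
        "good_is_mine": is_addressed_to(good, me),
        "damaged_fcs_ok": parse_frame(bytes(damaged))["fcs_ok"],
    }


if __name__ == "__main__":
    result = demo()
    print(result["good"]["src"], "->", result["good"]["dst"], result["good"]["ethertype"])
    print("FCS valid:", result["good"]["fcs_ok"], "| after bit flip:", result["damaged_fcs_ok"])
```

The flipped-bit case shows why a damaged frame is discarded at layer 2 and never reaches the protocol stack above it; the adapter performs this same comparison in hardware before the driver is involved.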

The DARPA Reference Model


Around the same time that the OSI model was being conceived, the U.S. Department of Defense (DoD), in cooperation with a consortium of universities, was creating its own model for communication (see Figure 10-1, shown earlier). This model, called the DARPA (for Defense Advanced Research Projects Agency) model or the DoD model, is simpler and more applicable to the protocols in use today. Both models are excellent tools for understanding networking; we will refer to them as we discuss the topics in this chapter.
NOTE

The OSI and DARPA models are shown side by side in Figure 10-1 to give an approximate comparison of which layers in one correspond to layers in the other. When you refer to these models, try to keep this relationship in mind so it will be less confusing when you hear someone speak of layer 3 devices, for example. When we refer to numbered layers, we are referring to the OSI model (layer 3 being the Network layer). Understanding the relationship between models will help you understand which TCP/IP function would be happening at the respective layer (Internet layer). Knowing this helps you understand that a layer 3 switch can actually perform routing functions.

The layers of the DARPA model are more simplified than the OSI model. Internet protocols and applications also work more closely with these layers (Figure 10-2).


Figure 10-2 The DARPA reference model compared with the TCP/IP protocol suite

  The DARPA Model     TCP/IP Protocol Suite
  Application         Telnet, FTP, SNMP, DNS
  Transport           TCP, UDP
  Internet            IP, ARP, ICMP, IGMP
  Network             Ethernet, Token Ring, Frame Relay

The layers of the DARPA model are:

Application layer: Designates communication processes that are typically internalized by the actual applications that end users use to do their work. It receives user input and processes it for transmission through the Transport layer. Examples of applications at this layer include Telnet, FTP, and DNS. Applications that make use of Winsock or NetBIOS access this layer.

Transport layer: Determines the transport method, usually at the urging of the application. This layer uses TCP or User Datagram Protocol (UDP) as the situation warrants. Protocols in this layer can provide ports or connecting points for multiple applications at once. When a client application connects to a port, a socket is formed consisting of the IP address and port. Systems can maintain many socket connections at once. Examples of Transport layer protocols include:

TCP: Provides connection-oriented, reliable communication for applications that typically transfer large amounts of data at once or require an acknowledgment for data received. TCP is connection oriented, so a connection must be established before hosts can exchange data. TCP provides reliable communication by assigning a sequence number to each segment of data that is transmitted so the receiving host can send an acknowledgment (ACK) to verify that the data was received. If an ACK is not received, the data is retransmitted. TCP guarantees the delivery of packets, ensures proper sequencing of the data, and provides a checksum feature that validates both the packet header and its data for accuracy.


UDP: Provides connectionless communication but does not guarantee the delivery or the correct sequence of packets. Applications that use UDP typically transfer small amounts of data at once. Reliable delivery is the responsibility of the application.

Internet layer: The layer responsible for addressing and routing. The four Internet layer protocols are:

IP: IP is primarily responsible for addressing and routing packets between hosts. It provides connectionless packet delivery for all other protocols in the suite. It does not guarantee packet arrival or correct packet sequence, and it does not try to recover from errors such as lost packets, packets delivered out of sequence, duplicated packets, or delayed packets. Packet acknowledgment and the recovery of lost packets are the responsibility of a higher-layer protocol, such as TCP.

ARP: Provides IP address mapping to the media access control (MAC) address of the network device at the destination system. IP address resolution is required when IP packets are sent on shared access networking technology, such as Ethernet. IP broadcasts a special Address Resolution Protocol (ARP) inquiry packet containing the IP address of the destination system. The system that owns the IP address replies by sending its physical address to the requester.

ICMP: Provides special communication between hosts, allowing them to share status and error information. Higher-level protocols use this information to recover from transmission problems. Network administrators use this information to detect network trouble. The Ping tool uses ICMP packets to determine whether a particular IP device on a network is functional. One instance in which ICMP provides special communication between hosts occurs when IP is unable to deliver a packet to the destination host; ICMP sends a Destination Unreachable message to the source host.

IGMP: Informs neighboring multicast routers of the host group memberships present on a particular network. An IP multicast group is a set of hosts that listen for IP traffic destined for a specific IP multicast address.
NOTE

Multicast networking is a form of networking that allows a host to direct information to a multicast address that is shared by multiple computers. By joining a multicast group, a computer essentially signs up for traffic sent to that address. A typical use of multicast networking is for streaming broadcasts of live audio or video streams.


Network layer: The layer at the base of the model. It puts data on the wire and pulls data off the wire. This layer comprises device drivers and physical devices used for data transmission. Examples are Ethernet network adapters and their associated drivers, along with the physical cabling used to transmit Ethernet data frames.
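The ARP exchange described under the Internet layer, the broadcast inquiry and the owner's reply, is short enough to show end to end. The following Python is an added example for this edition, not code from the book or from Microsoft. It packs and unpacks the ARP message format for Ethernet and IPv4 (RFC 826), lets every host on a constructed segment decide whether the request is for its address, and has the requester accept only a reply that answers the question it actually asked. The host list standing in for the shared Ethernet segment, and all MAC and IP addresses, are constructed values.

```python
import ipaddress
import struct
from typing import Optional

# RFC 826 layout for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FORMAT)        # 28 bytes
HTYPE_ETHERNET, PTYPE_IPV4 = 1, 0x0800
OP_REQUEST, OP_REPLY = 1, 2
UNKNOWN_MAC = bytes(6)                       # target hardware address is unknown in a request


def build_arp(oper: int, sender_mac: bytes, sender_ip: str,
              target_mac: bytes, target_ip: str) -> bytes:
    """Pack one ARP message (request or reply) for Ethernet/IPv4."""
    return struct.pack(ARP_FORMAT, HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, oper,
                       sender_mac, ipaddress.IPv4Address(sender_ip).packed,
                       target_mac, ipaddress.IPv4Address(target_ip).packed)


def parse_arp(packet: bytes) -> dict:
    """Unpack an ARP message, rejecting anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:ARP_LEN])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sender_mac": sha, "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_mac": tha, "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def answer_request(packet: bytes, my_mac: bytes, my_ip: str) -> Optional[bytes]:
    """What each host on the segment does with the broadcast: reply only if it owns the IP."""
    req = parse_arp(packet)
    if req["oper"] != OP_REQUEST or req["target_ip"] != my_ip:
        return None
    # The reply carries our physical address and is sent back to the requester.
    return build_arp(OP_REPLY, my_mac, my_ip, req["sender_mac"], req["sender_ip"])


def resolve(my_mac: bytes, my_ip: str, wanted_ip: str, segment: list) -> Optional[str]:
    """Simulate the requester: broadcast the inquiry, keep the reply that answers it.

    `segment` is a constructed list of (mac, ip) pairs standing in for every host
    that hears the broadcast on the shared medium.
    """
    request = build_arp(OP_REQUEST, my_mac, my_ip, UNKNOWN_MAC, wanted_ip)
    for mac, ip in segment:
        reply = answer_request(request, mac, ip)
        if reply is None:
            continue
        rep = parse_arp(reply)
        # Use only a reply for the address we asked about that is addressed back to us.
        if rep["oper"] == OP_REPLY and rep["sender_ip"] == wanted_ip and rep["target_mac"] == my_mac:
            return rep["sender_mac"].hex(":")
    return None


if __name__ == "__main__":
    segment = [(bytes.fromhex("000000000a0a"), "192.168.0.10"),     # constructed hosts
               (bytes.fromhex("000000001414"), "192.168.0.20")]
    me = bytes.fromhex("000000000101")
    print("192.168.0.20 is at", resolve(me, "192.168.0.1", "192.168.0.20", segment))
    print("192.168.0.99 is at", resolve(me, "192.168.0.1", "192.168.0.99", segment))
```

Note that the matching done in `resolve` is exactly what the book's description implies and nothing more: a host that has not asked about an address has no reason to act on a reply about it, and a reply that is not addressed back to the requester is ignored.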

The TCP/IP Protocol Suite


TCP/IP is an industry-standard suite of protocols that enables enterprise networking and connectivity on Windows XP Professional-based computers. Using TCP/IP with Windows XP Professional offers the following advantages:

A routable networking protocol supported by most operating systems: Most large networks rely on TCP/IP to be the glue that holds disparate systems together. It enables programmers to use it as the lingua franca of network communications due to its nearly universal acceptance.

A technology for connecting dissimilar systems: You can use many standard connectivity tools to access and transfer data across dissimilar systems. Windows XP Professional includes several of these standard tools, such as FTP, Telnet, and Microsoft Internet Explorer. You can connect using Internet Explorer to another system running UNIX/Linux that is serving Web pages and never know a thing about the underlying operating system. The user experience is separated from the inner workings of the underlying operating system due to the compatibility of the network protocols.

A robust, scalable, cross-platform client/server framework: TCP/IP supports the Microsoft Windows Sockets (Winsock) interface, which is ideal for developing client/server applications for Windows-based systems. It also eases the porting of any TCP/IP sockets-based application and the development of tools that work with sockets applications on other platforms.

A method of gaining access to Internet resources: The TCP/IP suite of protocols provides a set of standards for how computers communicate and how networks are interconnected. They form the backbone for Internet addressing and routing of data from one network to another.

Understanding IP Addresses
Each IP address consists of a network ID and a host ID. The network ID, also known as the network address, identifies the systems that are located on the same physical network. All computers in the same physical network must have the same network ID, and the network ID must be unique to the internetwork. The host ID, also known as the host address, identifies each TCP/IP host within a network. IP addresses are logical 32-bit numbers that are broken down into four 8-bit fields known as octets. Microsoft TCP/IP supports class A, B, and C addresses. The class of an address defines which bits are used for the network ID and which bits are used for the host ID. Classful addressing uses these classes to determine whether a host is on a local or remote IP network based on the network portion of its address. Table 10-1 summarizes class A, B, and C IP addresses. Figure 10-3 graphically represents the network and host ID portions of the different classes.
Table 10-1 TCP/IP Address Classes

Class  Description

A      Addresses in which the first binary digit of the first octet is 0. This results in network IDs from 1.0.0.0 to 126.0.0.0 and allows for 126 networks and 16,777,214 hosts per network. The class A address 127.x.y.z is reserved for loopback testing and interprocess communication on the local computer. For class A addresses, the network ID is always the first octet in the address and the host ID is the last three octets.

B      Addresses in which the first two binary digits of the first octet are 10. This results in network IDs from 128.0.0.0 to 191.255.0.0 and allows for 16,384 networks and 65,534 hosts per network. For class B addresses, the network ID is always the first two octets in the address and the host ID is the last two octets.

C      Addresses in which the first two binary digits of the first octet are 11. This results in network IDs from 192.0.0.0 to 223.255.255.0 and allows for 2,097,152 networks and 254 hosts per network. For class C addresses, the network ID is always the first three octets in the address and the host ID is the last octet.
Figure 10-3 Network and host IDs of classful IP addresses

  Classful Addressing
  Class  Example address   Network ID    Host ID
  A      12.123.123.123    12            123.123.123
  B      134.123.123.123   134.123       123.123
  C      213.123.123.123   213.123.123   123


NOTE

Classful IP addressing is wasteful of IP addresses and is less widely used than classless interdomain routing (CIDR) addressing (covered in Chapter 11). CIDR provides the ability to split up the network and host IDs into more manageable portions.

Using a static IP address

By default, Windows client computers obtain TCP/IP configuration information automatically from the DHCP Service, which is a service configured to automatically hand out IP addresses to client systems. However, even in a DHCP-enabled environment, you should assign a static IP address to selected network computers. For example, the computer running the DHCP Service cannot be a DHCP client, so it must have a static IP address. If the DHCP Service is not available or is not used in your organization, you can also configure TCP/IP to use a static IP address. For each network adapter card that uses TCP/IP in a computer, you can configure an IP address, subnet mask, and default gateway, as shown in Figure 10-4.

Figure 10-4 Configuring a static TCP/IP address



The following list describes the options used in configuring a static TCP/IP address:

IP address: A logical 32-bit address that identifies a TCP/IP host. Each network adapter card in a computer running TCP/IP requires a unique IP address, such as 192.168.0.108. Each address has two parts: a network ID, which identifies all hosts on the same physical network, and a host ID, which identifies a host on the network. In this example, the network ID is 192.168.0 and the host ID is 108.

Subnet mask: Subnets divide a large network into multiple physical networks connected with routers. A subnet mask blocks out part of the IP address so TCP/IP can distinguish the network ID from the host ID. When TCP/IP hosts try to communicate, the subnet mask determines whether the destination host is on a local network or a remote network. To communicate on a local network, computers must have the same network address as defined by the subnet mask.

Default gateway: The intermediate device (usually a router) on a local network that stores network IDs of other networks in the enterprise or Internet. To communicate with a host on another network, you configure an IP address for the default gateway. TCP/IP sends packets for remote networks to the default gateway (if no other route is configured), which then forwards the packets to the destination system, either directly, if it is connected to the remote system, or through other gateways until the packet is delivered to a gateway connected to the specified destination.

To configure TCP/IP to use a static IP address:

1. Click Start | Control Panel | Network And Internet Connections. 2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties. 3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), verify that the check box to its left is selected, and then click Properties. 4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure10-4), on the General tab, click Use The Following IP Address, type the TCP/IP configuration parameters, and then click OK. 5. Enter any assigned DNS server addresses, and click OK to close the Local Area Connection Properties dialog box. Close the Network Connections window.
CAUTION

IP communication can fail if duplicate IP addresses exist on a network. Therefore, you should always check with the network administrator to obtain a valid static IP address.
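As an added illustration of the network ID, host ID and default gateway rules above (example code written for this section, not from the book), the following Python works the subnet mask arithmetic by hand and makes the local-versus-remote delivery decision a host makes before sending a packet; it uses the text's sample 192.168.0.108 with mask 255.255.255.0 plus constructed addresses.

```python
"""Network ID / host ID split and the local-or-remote decision described in the
subnet mask and default gateway entries. Added example; all addresses other than
the book's 192.168.0.108/255.255.255.0 are constructed samples."""
from typing import Optional, Tuple


def dotted_to_int(addr: str) -> int:
    """Convert a dotted quad such as '192.168.0.108' to a 32-bit integer."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def split_address(addr: str, mask: str) -> Tuple[str, int]:
    """Return (network ID, host ID). The mask's 1 bits keep the network part
    of the address; its 0 bits keep the host part."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    network = a & m
    host = a & ~m & 0xFFFFFFFF
    return int_to_dotted(network), host


def is_local(src: str, dst: str, mask: str) -> bool:
    """True when both addresses share the same network ID under the mask,
    which is the test TCP/IP applies before choosing where to send a packet."""
    m = dotted_to_int(mask)
    return (dotted_to_int(src) & m) == (dotted_to_int(dst) & m)


def next_hop(src: str, mask: str, gateway: Optional[str], dst: str) -> str:
    """Where the packet is delivered first: straight to a destination on the
    local network, to the default gateway for a remote network, or nowhere
    when no gateway is configured (the APIPA situation described later)."""
    if is_local(src, dst, mask):
        return dst
    if gateway is None:
        return "unreachable (no default gateway)"
    return gateway


if __name__ == "__main__":
    print(split_address("192.168.0.108", "255.255.255.0"))   # ('192.168.0.0', 108)
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "192.168.0.20"))
    print(next_hop("192.168.0.108", "255.255.255.0", "192.168.0.1", "10.1.2.3"))
    print(next_hop("169.254.12.34", "255.255.0.0", None, "10.1.2.3"))
```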

Obtaining an IP address automatically

If a server running the DHCP Service is available on the network, it can automatically assign TCP/IP configuration information to the DHCP client, as shown in Figure 10-5. You can then configure client computers and DHCP-compatible network devices to obtain TCP/IP configuration information automatically from the DHCP Service. This can simplify administration and ensure correct configuration information.

NOTE: Windows XP Professional does not include the DHCP Service. Only the Windows Server products provide the DHCP Service.

Figure 10-5 A server running the DHCP Service assigning TCP/IP addresses (diagram: 1, the DHCP client sends a request; 2, the DHCP server returns an IP address)

You can use the DHCP Service to provide clients with TCP/IP configuration information automatically. However, you must configure a computer as a DHCP client before it can interact with the DHCP Service. To configure a DHCP client:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), verify that the check box to its left is selected, and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box (Figure 10-6), on the General tab, click Obtain An IP Address Automatically. Click OK.
5. Click OK to close the Local Area Connection Properties dialog box, and then close the Network Connections window.


Figure 10-6 Configuring Windows XP to obtain an IP address automatically


Using Automatic Private IP Addressing (APIPA)

The Windows XP Professional implementation of TCP/IP supports automatic assignment of IP addresses for simple LAN-based network configurations. This addressing mechanism is an extension of dynamic IP address assignment for LAN adapters, enabling configuration of IP addresses without using static IP address assignment or installing the DHCP Service. APIPA is enabled by default in Windows XP Professional so home users and small business users can create a functioning, single-subnet, TCP/IP-based network without having to configure the TCP/IP protocol manually or set up a DHCP server. APIPA can assign a TCP/IP address to DHCP clients automatically. However, it does not generate all the information that typically is provided by DHCP, such as the address of a default gateway. Consequently, computers enabled with APIPA can communicate only with computers on the same subnet that also have addresses of the form 169.254.x.y.

NOTE: APIPA address assignment carries with it certain disadvantages. While it allows local communication, it does not specify a default gateway and is not routable on the Internet. Systems configured by APIPA in the absence of a DHCP server cannot communicate with other properly configured systems on the same network until they regain a DHCP-assigned address.

APIPA at startup

The process for the APIPA feature (Figure 10-7) is as follows:

1. Windows XP Professional TCP/IP attempts to find a DHCP server on the attached network to obtain a dynamically assigned IP address.
2. In the absence of a DHCP server during startup (for example, if the server is down for maintenance or repairs, or if one does not exist), the client cannot obtain an IP address.
3. APIPA generates an IP address in the form of 169.254.x.y (where x.y is the client's unique identifier) and a subnet mask of 255.255.0.0.

Figure 10-7 APIPA (diagram: 1, the DHCP client sends a request; 2, no DHCP server answers; 3, APIPA: the client assigns its own IP address)

NOTE: The Internet Assigned Numbers Authority (IANA) has reserved the nonroutable range 169.254.0.0 through 169.254.255.255 for APIPA. As a result, APIPA provides an address that is guaranteed not to conflict with routable addresses.

After the computer generates the address, it broadcasts to this address to see if any other system is already using it; it assigns the address to itself if no other computer responds. The computer continues to use this address until it detects and receives configuration information from a DHCP server. It looks for a DHCP server every 5 minutes until one is back online, at which time it obtains a valid DHCP-assigned address.

APIPA with a previous address

If the computer is a DHCP client that has previously obtained a lease from a DHCP server and the lease has not expired at boot time, the sequence of events is slightly different. The client tries to renew its lease with the DHCP server. If the client cannot locate a DHCP server during the renewal attempt, it attempts to ping the default gateway listed in the lease. If pinging the default gateway succeeds, the DHCP client assumes that it is still on the same network where it obtained its current lease, so it continues to use the lease. (By default, the client attempts to renew its lease when 50 percent of its assigned lease time has expired.) If pinging the default gateway fails, the client assumes that it has been moved to a network that has no DHCP services currently available, and it autoconfigures itself as previously described. Once autoconfigured, it continues to try to locate a DHCP server every 5 minutes.

NOTE: Windows 98, Windows Me, Windows 2000, Windows Server 2003, and Windows XP Home Edition also support APIPA.
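The startup sequence above and the previous-lease variant, as a small simulation (an added example, not Microsoft's implementation): the DHCP offer, the gateway ping and the address-in-use broadcast are stand-ins supplied by the caller, and the lease and addresses are constructed.

```python
"""Simulation of the address-selection sequence at startup: DHCP first, then a
still-valid lease if its gateway answers a ping, otherwise APIPA. Added example,
not Microsoft's code; the DHCP offer, the gateway ping and the address-in-use
broadcast are modelled by caller-supplied values."""
import random
from dataclasses import dataclass
from typing import Callable, Optional, Set

APIPA_MASK = "255.255.0.0"   # the mask APIPA always assigns (169.254.0.0/16)


@dataclass
class Lease:
    address: str
    mask: str
    gateway: str
    expired: bool            # True once the lease has run out at boot time


@dataclass
class Config:
    address: str
    mask: str
    gateway: Optional[str]   # None: APIPA supplies no gateway, so nothing is routable
    source: str              # "dhcp", "lease" or "apipa"


def pick_apipa_address(in_use: Set[str], rng: Optional[random.Random] = None) -> str:
    """Generate 169.254.x.y and check that no other host already uses it.
    The real client broadcasts for the address; here the reply is modelled by
    membership in the constructed in_use set, and a taken address is re-drawn."""
    rng = rng or random.Random()
    for _ in range(100):
        candidate = f"169.254.{rng.randint(1, 254)}.{rng.randint(1, 254)}"
        if candidate not in in_use:
            return candidate
    raise RuntimeError("could not find an unused 169.254.x.y address")


def configure_at_startup(
    dhcp_offer: Optional[Config],            # None when no DHCP server answered
    previous_lease: Optional[Lease],         # None for a client that never had one
    gateway_answers: Callable[[str], bool],  # stands in for pinging the gateway
    in_use: Set[str],
    rng: Optional[random.Random] = None,
) -> Config:
    # 1. A DHCP server that answers always wins.
    if dhcp_offer is not None:
        return dhcp_offer
    # 2. No server: keep an unexpired lease if its gateway still answers, which
    #    tells the client it is still on the network that issued the lease.
    if previous_lease is not None and not previous_lease.expired:
        if gateway_answers(previous_lease.gateway):
            return Config(previous_lease.address, previous_lease.mask,
                          previous_lease.gateway, "lease")
    # 3. Otherwise autoconfigure with APIPA. The client keeps retrying DHCP
    #    every 5 minutes; that retry loop is outside this function.
    return Config(pick_apipa_address(in_use, rng), APIPA_MASK, None, "apipa")


if __name__ == "__main__":
    # Constructed lease from an earlier boot on the 192.168.0.0/24 network.
    lease = Lease("192.168.0.108", "255.255.255.0", "192.168.0.1", expired=False)
    # Same network, DHCP server down: the lease is kept.
    print(configure_at_startup(None, lease, lambda gw: gw == "192.168.0.1", set()))
    # Moved to another network (gateway does not answer): APIPA takes over.
    print(configure_at_startup(None, lease, lambda gw: False, {"169.254.1.1"}))
```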

Disabling APIPA

By default, APIPA is enabled. However, you can disable it by specifying an alternative configuration to use if a DHCP server cannot be located (Figure 10-8), as discussed in the next section.

Figure 10-8 Specifying an alternative TCP/IP configuration


Specifying an alternative configuration for TCP/IP

Auto-Configuration for Multiple Networks Connectivity provides easy access to network devices and the Internet. You can configure Auto-Configuration for Multiple Networks Connectivity by specifying an alternative configuration for TCP/IP to use if a DHCP server is not found. The alternative configuration is useful if a computer is used on multiple networks, one of which does not have a DHCP server and does not use an APIPA configuration. It also allows a mobile computer user to seamlessly operate on both office and home networks without having to manually reconfigure TCP/IP settings. To configure Auto-Configuration for Multiple Networks Connectivity:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections, double-click Local Area Connection, and then click Properties.
3. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, click the Alternate Configuration tab.
5. Specify the alternative TCP/IP configuration (Figure 10-8).

Managing Network Bindings


Binding is the process of linking network components on different levels to enable communication between those components. A network component can be bound to one or more network components above or below it. The services that each component provides can be shared by all other components that are bound to it. For example, in Figure 10-9, TCP/IP is bound to both File and Printer Sharing for Microsoft Networks and to the Client for Microsoft Networks. Note also that in Figure 10-9, NWLink is not bound to the Microsoft Networking components. It is installed in this scenario to support Client Service for NetWare and is not required to communicate with the Microsoft network. If you experience delays when you access network resources, check the binding order and unbind unused protocols. Binding order controls the order in which protocols are used when you support multiple protocols or clients. If a particular network supports TCP/IP only and NWLink is bound first to the network client, it will attempt to locate a server first using NWLink. Only if that fails will it attempt to locate a server using TCP/IP.

Figure 10-9 Managing network bindings

To configure network bindings:

1. Click Start | Control Panel | Network And Internet Connections.
2. In the Network And Internet Connections window, click Network Connections.
3. In the Network Connections window, on the Advanced menu, click Advanced Settings.
4. In the Advanced Settings dialog box, under Client for Microsoft Networks, do one of the following:
   To bind the protocol to the selected adapter, select the check box to the left of the adapter.
   To unbind the protocol from the selected adapter, clear the check box to the left of the adapter.

CAUTION: Only an experienced network administrator familiar with the requirements of the network software should attempt to change binding settings.

Troubleshooting TCP/IP
Microsoft provides several tools for troubleshooting TCP/IP connectivity. These commonly used tools, which are executed from a command line, offer insight into the nature of the failure. The following list describes their use:

Ping: Ping is an ICMP testing tool that transmits ICMP ECHO packets to a destination computer and waits for a reply. If the remote system replies, the connection is verified. Some systems are configured to not reply to ICMP packets for security reasons, so Ping's value as a troubleshooting tool is becoming somewhat limited.

ARP: Displays the ARP resolution cache table, which shows which systems on the local network have communicated with your system. This is useful when you troubleshoot connectivity or investigate security incidents in progress.

NOTE: Addresses in the ARP cache are maintained for 2 minutes unless they are used a second time. If used a second time, they are retained for 10 minutes after the final use of the address.

Ipconfig: Displays the current TCP/IP configuration. Ipconfig can also be used to refresh the IP address and register your system with Dynamic DNS (DDNS) servers.

Nbtstat: Displays statistics and connections for the NetBIOS-over-TCP/IP protocol. It is useful when you troubleshoot file and print connectivity issues.

Netstat: Displays current TCP/IP sessions and gives statistics about each connection. It is useful for connectivity testing and security investigations.

Route: Displays or modifies the local routing table.

Hostname: Returns the local computer's host name.

Tracert: Checks the route to a remote system by issuing ICMP ECHO requests with varying time-to-live (TTL) values. As the values are incremented, the router that has the packet when the TTL expires drops it and returns a notification to the client. In this way, the client can trace the route to a destination system across the Internet.

Pathping: Similar to Tracert, except Pathping issues multiple ICMP ECHO requests to each hop and records the resulting packet loss. This tool is helpful when you investigate sporadic connectivity problems.

Each of these tools has a help option that you can use to display syntax and usage information. To display this help, type <command> /? at a command line, where <command> is the name of the tool.
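An added simulation (not from the book) of the TTL mechanism that Tracert and Pathping rely on: routers with constructed addresses and loss rates, probes sent with TTL 1, 2, 3, and so on, and the per-hop loss accounting that lets Pathping point at the router dropping packets.

```python
"""Simulation of how Tracert and Pathping discover a route by increasing the TTL
and where packets are being dropped. Added example; the routers, the destination
and their loss rates are constructed, not measurements."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Router:
    address: str
    loss_rate: float = 0.0   # fraction of probes this router silently drops


def send_probe(path: List[Router], destination: str, ttl: int,
               rng: random.Random) -> Tuple[Optional[str], str]:
    """Forward one ICMP ECHO request hop by hop. A router may drop it; otherwise
    it decrements the TTL, and the router at which the TTL reaches 0 discards the
    probe and answers with Time Exceeded, which is what reveals its address."""
    for router in path:
        if rng.random() < router.loss_rate:
            return None, "lost"
        ttl -= 1
        if ttl == 0:
            return router.address, "time-exceeded"
    return destination, "echo-reply"   # survived every router: destination answers


def tracert(path: List[Router], destination: str,
            rng: Optional[random.Random] = None, max_hops: int = 30) -> List[Optional[str]]:
    """Send probes with TTL 1, 2, 3, ... until the destination itself replies.
    A lost probe is recorded as None (the real tool prints '*')."""
    rng = rng or random.Random()
    hops = []
    for ttl in range(1, max_hops + 1):
        responder, kind = send_probe(path, destination, ttl, rng)
        hops.append(responder)
        if kind == "echo-reply":
            break
    return hops


def pathping(path: List[Router], destination: str,
             rng: Optional[random.Random] = None, probes_per_hop: int = 100) -> Dict[int, float]:
    """Send many probes at each TTL and record the fraction lost per hop.
    Loss at a router also hides every later hop, so the first hop whose loss
    jumps is the one to suspect."""
    rng = rng or random.Random()
    loss = {}
    for ttl in range(1, len(path) + 2):
        lost = sum(send_probe(path, destination, ttl, rng)[1] == "lost"
                   for _ in range(probes_per_hop))
        loss[ttl] = lost / probes_per_hop
    return loss


# Constructed path: a local gateway and an upstream router dropping a quarter
# of everything that passes through it.
SAMPLE_PATH = [Router("192.168.0.1"), Router("203.0.113.1", loss_rate=0.25)]
SAMPLE_DESTINATION = "198.51.100.10"

if __name__ == "__main__":
    print(tracert(SAMPLE_PATH, SAMPLE_DESTINATION, random.Random(1)))
    print(pathping(SAMPLE_PATH, SAMPLE_DESTINATION, random.Random(1)))
```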
Testing a TCP/IP configuration

After configuring TCP/IP and restarting the computer, you should use the Ipconfig and Ping command-prompt tools to test the configuration and connections to other TCP/IP hosts and networks. Such testing helps ensure that TCP/IP is functioning properly.


Using Ipconfig

You use the Ipconfig tool to verify the TCP/IP configuration parameters on a host. It helps you determine whether the configuration is initialized or if a duplicate IP address exists. Use the Ipconfig tool with the /all switch (Figure 10-10) to verify configuration information.

Figure 10-10 Output of the Ipconfig command

NOTE: Type ipconfig /all | more to prevent the Ipconfig output from scrolling off the screen; to scroll down and view additional output, press SPACEBAR.

The output of the Ipconfig /all command indicates one of the following:

If a configuration has been initialized, the Ipconfig tool displays the IP address and subnet mask, and, if assigned, the default gateway.

If a duplicate IP address exists, the Ipconfig tool indicates that the IP address is configured; however, the subnet mask is 0.0.0.0.

If the computer is unable to obtain an IP address from a server running the DHCP Service on the network, the Ipconfig tool displays the IP address provided by APIPA.

Using Ping

After you have verified the TCP/IP configuration, use the Ping tool to determine whether a particular TCP/IP host is available and functional. To test connectivity, use the Ping tool with the following syntax:

    ping 127.0.0.1

By default, four reply lines appear in response to a successful Ping command, followed by the statistics:

    Pinging 127.0.0.1 with 32 bytes of data:

    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128
    Reply from 127.0.0.1: bytes=32 time<10ms TTL=128

    Ping statistics for 127.0.0.1:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milliseconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms


Using Ipconfig, Ping, and Pathping together to test connectivity

Figure 10-11 shows the steps for verifying a computer's configuration and for testing router connections.

Figure 10-11 Using Ipconfig and Ping together to test connectivity (flowchart: 1, display the TCP/IP configuration using Ipconfig; 2, ping the loopback address 127.0.0.1; 3, ping the local IP address; 4, ping the address of the default gateway; 5, ping the address of a remote host; 6, ping the host name of a remote host; 7, Pathping a remote host to test packet loss)

The following are the steps outlined in Figure 10-11:

1. Use the Ipconfig tool to verify that the TCP/IP configuration has been initialized. Note the local address and the address of the default gateway.
2. Use the Ping tool with the loopback address (ping 127.0.0.1) to verify that TCP/IP is correctly installed and bound to your network adapter card.
3. Ping the IP address of the local computer to verify that it was added to the network correctly. If the routing table is correct, this simply forwards the packet to the loopback address of 127.0.0.1.
4. Use the Ping tool with the IP address of the default gateway to verify that the default gateway is operational and that your computer can communicate with the local network.
5. Use the Ping tool with the IP address of a remote host to verify that the computer can communicate through a router.
6. Use the Ping tool with the host name of a remote host to test name resolution with a DNS server.
7. Use Pathping with the name and/or address of a remote host to test for dropped packets. This might expose a failing router between you and the remote system.


NOTE: If you ping the remote host by name (step 6) and the ping is successful, steps 1 through 5 are usually successful by default. If the ping is not successful, ping the IP address of another remote host before completing the entire diagnostic process because the selected host might be turned off. Use step 7 if there is any indication of unreliable connectivity between the hosts.
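An added driver for steps 1 through 6 of the procedure above (example code, not from the book): it parses a constructed ipconfig /all excerpt, classifies the result the way the Using Ipconfig section describes, and walks the Ping ladder in order, stopping at the first failure. The ping function is supplied by the caller, so the constructed outputs below run offline; the remote host and name are placeholders.

```python
"""Ipconfig/Ping ladder driver for steps 1-6 above. Added example, not from the
book. Ping output is fed in by a caller-supplied function; the ipconfig excerpt
and every ping result below are constructed, not captured."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed excerpt in the style of `ipconfig /all` on Windows XP.
SAMPLE_IPCONFIG = """
Ethernet adapter Local Area Connection:
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.108
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
"""


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Pull the three values the book tells you to note out of ipconfig output."""
    def field(label: str) -> str:
        m = re.search(re.escape(label) + r"[ .]*: *(\S*)", text)
        return m.group(1) if m else ""
    return {"address": field("IP Address"), "mask": field("Subnet Mask"),
            "gateway": field("Default Gateway")}


def classify(cfg: Dict[str, str]) -> str:
    """The three outcomes listed under Using Ipconfig, plus 'not initialized'."""
    if cfg["address"] in ("", "0.0.0.0"):
        return "not initialized"
    if cfg["mask"] == "0.0.0.0":
        return "duplicate IP address"            # address shown but mask is 0.0.0.0
    if cfg["address"].startswith("169.254."):
        return "APIPA address (no DHCP server reached)"
    return "initialized"


def ping_succeeded(output: str) -> bool:
    """True when the 'Packets: Sent = n, Received = m' line shows a reply."""
    m = re.search(r"Sent = (\d+), Received = (\d+)", output)
    return bool(m) and int(m.group(2)) > 0


def build_ladder(cfg: Dict[str, str], remote_ip: str,
                 remote_name: str) -> List[Tuple[str, str]]:
    """Steps 2-6 in order; the gateway step is skipped when none is configured."""
    steps = [("loopback", "127.0.0.1"), ("local address", cfg["address"])]
    if cfg["gateway"]:
        steps.append(("default gateway", cfg["gateway"]))
    steps += [("remote host by address", remote_ip), ("remote host by name", remote_name)]
    return steps


def run_ladder(cfg: Dict[str, str], remote_ip: str, remote_name: str,
               ping: Callable[[str], str]) -> Tuple[List[str], Optional[str]]:
    """Run the ladder and return (steps passed, first failing step or None).
    Stopping at the first failure localizes the fault: failing at the gateway
    points at the local network, failing only by name points at DNS."""
    passed = []
    for name, target in build_ladder(cfg, remote_ip, remote_name):
        if not ping_succeeded(ping(target)):
            return passed, name
        passed.append(name)
    return passed, None


# Constructed ping results: everything answers except the remote host.
SIMULATED_UNREACHABLE = {"198.51.100.10", "host.example.com"}


def simulated_ping(target: str) -> str:
    received = 0 if target in SIMULATED_UNREACHABLE else 4
    return (f"Pinging {target} with 32 bytes of data:\n"
            f"    Packets: Sent = 4, Received = {received}, Lost = {4 - received}")


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    print(classify(cfg))
    print(run_ladder(cfg, "198.51.100.10", "host.example.com", simulated_ping))
```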

CONNECTING TO A WIRELESS ETHERNET NETWORK


Wireless Ethernet networks have exploded onto the scene in the last few years. Beginning with Service Pack 1 and with further improvements in Service Pack 2, Microsoft offers close support and autoconfiguration tools for 802.11 wireless Ethernet networking.

Understanding Wireless Specifications


802.11 is an IEEE standard that defines protocols and configurations for wireless communication. It operates in one of two frequency bands (2.4 GHz and 5.8 GHz) and can operate at speeds from 1 Mbps to 108 Mbps (depending on signal quality and vendor implementation of the 802.11 standard). There are three main 802.11 specifications:

802.11a: This specification operates in the 5.8-GHz band and can achieve speeds of 54 Mbps. It is less susceptible to radio interference than the other two specifications (being on a regulated frequency), but it is more susceptible to signal attenuation than the 2.4-GHz specifications. It has an effective range of about 60 feet indoors.

802.11b: The most widely used specification, 802.11b operates at 2.4 GHz with an effective range of up to 300 feet. It can achieve transfer rates of 11 Mbps (22 Mbps with proprietary channel-bonding enhancements). It is used in a wide variety of networked media devices and PCs.

802.11g: This specification is backward compatible with 802.11b and pushes the transfer rates up to 54 Mbps (108 Mbps with proprietary channel-bonding enhancements).

NOTE: Range and transfer rates of wireless networks depend heavily on their environment. Attenuators such as water, metal, and concrete can reduce signal strength. Distance can also adversely affect speed. These specifications are designed to fall back to slower, more reliable signaling techniques to try to preserve connectivity. They step all the way down to 1 Mbps before giving up and breaking the connection.


Wireless network terminology

Here are a few terms related to setting up or configuring a wireless network:

Mode: Wireless networks operate in one of two modes: Ad hoc, a peer-to-peer mode in which computers and devices communicate directly with each other; and Infrastructure, a mode in which a network access point manages network communication. Windows XP supports both modes with Wireless Network Configuration (Figure 10-12).

Figure 10-12 Wireless network configuration

Service Set Identifier (SSID): SSID is a name used to distinguish one wireless network from another. It is configured into an infrastructure device such as an access point, and systems not configured with the same SSID are not allowed to communicate on that network.

Wired Equivalent Privacy (WEP): WEP is an encryption method for wireless communication that uses a fixed encryption key to encrypt the network traffic. The key is entered into each device during configuration.

WiFi Protected Access (WPA): Newly ratified as the encryption standard 802.11i, WPA is a newer encryption method that uses changeable encryption keys to thwart key cracking. It initializes a key when a connection is established and uses the Temporal Key Integrity Protocol (TKIP) to manage key rotation.

Connecting Windows XP to a Wireless Network


When Windows XP detects a wireless network adapter, it enables an option to view wireless networks from the first page of the New Connection Wizard (Figure 10-13).

Figure 10-13 New Connection Wizard displaying option to view wireless networks

Clicking this link launches the Wireless Network Setup Wizard (Figure 10-14), which steps you through configuring the wireless network connection. It asks for the SSID and the WEP key (if applicable) and creates your connection. If your network uses 802.11i WPA, you might be asked to provide authentication information or an initial key value (depending on how the network was set up by the administrator). During the setup, you are also prompted to save your settings in a USB flash drive. Doing so makes setting up additional systems or restoring your settings easier.

Figure 10-14 The Wireless Network Setup Wizard



CONFIGURING OTHER NETWORK CONNECTIONS


When you install Windows XP, by default it sets up TCP/IP and the Client for Microsoft Networks. This is most often how you would configure Windows XP for use on a network. Occasionally, however, you will need to connect a Windows XP computer to a network that uses a different protocol or requires a different network client.

Client Service for NetWare


In addition to Microsoft networking, Windows XP supports connections to Novell NetWare networks using the Client Service for NetWare (CSNW). This network client can communicate with NetWare networks running Bindery or Novell Directory Services (NDS). You can install additional network clients by navigating to the Properties dialog box for your local area connection and clicking the Install button. You are prompted to choose Client, Service, or Protocol. If you choose Client, you can select Client Service for NetWare (Figure 10-15).

Figure 10-15 Installing Client Service for NetWare



When installing Client Service for NetWare, you are prompted for a preferred server (Bindery) or default tree and context (NDS). When you set up this type of connection, you need to work with a Novell administrator to obtain these settings. Installing Client Service for NetWare also installs the NWLink IPX/SPX NetBIOS-compatible transport protocol.
NOTE: Novell also provides a NetWare client for Windows XP. Most Novell-centric networks use it for its additional functionality. In mixed server environments, however, you achieve greater stability by using the two Microsoft-provided clients.

Installing the NWLink Protocol


Most Novell shops use TCP/IP networking due to the protocol suite's universal connectivity. However, some still use the Novell IPX/SPX protocol suite. IPX/SPX forms a complete network protocol stack and can be used instead of or in addition to TCP/IP. In this suite, IPX is roughly equivalent to IP, and it manages addressing and routing. SPX is equivalent to TCP and manages session information such as packet sequencing and guaranteed delivery. As with TCP/IP, applications can make use of IPX without using SPX if guaranteed delivery is not required or is managed by the application.
NOTE: Both NWLink and TCP/IP can be used to access Microsoft and Novell servers. You can also use just one of them to access servers from both companies. Using NWLink exclusively does have disadvantages, however, including not being able to communicate with Internet resources without the services of a protocol bridge.

NWLink is Microsoft's implementation of IPX/SPX. It is capable of detecting the type of IPX frames in use on the network and configures itself to communicate with the systems on the network. You install NWLink from the Properties dialog box for the local area connection. Click Install, choose Protocol, and click Add. You can then select NWLink IPX/SPX NetBIOS Compatible Transport Protocol (Figure 10-16).

Figure 10-16 Installing NWLink IPX/SPX/NetBIOS Compatible Transport Protocol



Installing Third-Party Clients and Protocols


By selecting Have Disk in the Select Network Client dialog box (Figure 10-15) or the Select Network Protocol dialog box (Figure 10-16), you can install third-party network clients or protocols (such as a client for LANtastic networks or the NetBEUI protocol, which is installable from the Windows XP CD-ROM).
NOTE: Installation of third-party clients and protocols should be done only by administrators who are experienced with the operation of the client or protocol in question. Security exposures or network instability can result when these features are configured incorrectly.


CONNECTING TO COMPUTERS USING DIAL-UP NETWORKING


Windows XP can connect to remote networks with a variety of technologies. It can connect to the Internet via cable or DSL modem, dial-up modem, wireless metropolitan area network (MAN), and even via cell phone. You can also use many of these technologies when you connect to corporate networks. In addition, virtual private networks (VPNs) allow you to use the Internet as a medium for tunneling into a corporate network. One thing these network connections all have in common is the Dial-Up Networking component of Windows XP. Windows XP provides the New Connection Wizard (see Figure 10-13, shown earlier) for the purpose of configuring new network connections. Choices are available for connecting to the Internet, making a connection to a network at your workplace or school, setting up a home or small office network, and creating a direct connection to another system using a direct connection cable. We will examine the first two options in this section.

Connecting to the Internet Using Dial-Up Networking


The first option in the New Connection Wizard allows you to configure a dial-up connection to an Internet service provider (ISP). Select Connect To The Internet on the Network Connection Type page, and click Next. The New Connection Wizard displays the Getting Ready page, which has the following three options:

Choose From A List Of Internet Service Providers (ISPs): If you select this option and then click Next, the wizard displays the Completing The New Connection Wizard page. You can select Set Up Internet Access Using MSN Explorer (U.S. Only) or Select From A List Of Other ISPs and then click Finish.

Set Up My Connection Manually: If you select this option and then click Next, the wizard displays the Internet Connection page. The following three options are available on that page:

    Connect Using A Dial-Up Modem: Select this option if your connection uses a modem and a regular or Integrated Services Digital Network (ISDN) phone line. If you select this option and click Next, you are prompted to enter a connection name, connection phone number, and username and password (provided by your ISP).

    Connect Using A Broadband Connection That Requires A User And Password: Select this option if your high-speed connection uses a Digital Subscriber Line (DSL) or cable modem. This type of connection is also known as Point-to-Point Protocol over Ethernet (PPPoE). Use of this connection type also requires username and password information from your ISP.

    Connect Using A Broadband Connection That Is Always On: Select this option if your high-speed connection uses a cable modem, DSL, or LAN connection that does not require a username and password. If you select this option and click Next, the New Connection Wizard displays the Completing The New Connection Wizard page because the connection should already be configured and working.

Use The CD I Got From An ISP: If you select this option and then click Next, the wizard displays the Completing The New Connection Wizard page. You are instructed to click Finish and then insert the CD-ROM you received from your ISP. The Setup program on the CD-ROM should start automatically to assist you in connecting to the Internet.

Connecting to a Network at Your Workplace


If you choose Connect To The Network At My Workplace, you are given two options:

Dial-Up Connection: Select this option if you want to connect to the network at your office using a modem and phone line or an ISDN phone line. If you select Dial-Up Connection and click Next, you are prompted to enter the connection phone number. You are prompted for your username and password when you initiate your connection.

Virtual Private Network (VPN) Connection: This option configures a VPN connection to your workplace. It asks for a company name to use as the connection name and prompts you to choose the public network connection to use (Figure 10-17). It then prompts you to enter your VPN server address. The wizard finishes, and you can use the new connection. You are prompted for a username and password on first use of the new connection.

NOTE: To use the VPN option, you must have first established your primary Internet connection.


Figure 10-17 Choosing the public network connection for a VPN

CONFIGURING AND TROUBLESHOOTING INTERNET CONNECTION SHARING (ICS)


Internet Connection Sharing (ICS) allows you to share an Internet connection with other systems on your network. You can use it to give home computers concurrent access on a single Internet connection or to connect a small office to the Internet. It allows you to mask TCP/IP addressing on your internal network from the Internet by implementing network address translation (NAT). NAT allows client systems to browse the Internet using the public address of the ICS computer. Internet hosts see only the public address. The internal network structure is hidden from public view, adding a layer of protection against those who might attempt to penetrate your systems.
NOTE: NAT's ability to hide the structure of a private network makes it more difficult for hackers to discover the hosts inside, but you should not rely on it as the sole protection for the network. Use other strategies, such as firewalls and intrusion detection systems (IDSs), in any comprehensive security solution. We will discuss Internet security in more detail in Chapter 11.

ICS enables limited addressing services on the ICS computer, changing its address to 192.168.0.1. Other systems on the network configured for DHCP addressing receive compatible addresses from the ICS system when they are restarted. Any hosts with static IP addresses have to be manually configured to an address in the 192.168.0 network to get access to the Internet.

CAUTION: Enabling ICS on a network served by a DHCP server causes disruptions in address assignment. Make sure your network is not using DHCP before you activate ICS.


To enable ICS:

1. Choose Start | My Computer | My Network Places | View Network Connections. The Network Connections window opens.
2. Double-click the dial-up, LAN, PPPoE, or VPN Internet connection that you want to share, and select Properties.
3. On the Advanced tab of the Properties dialog box, select the Allow Other Network Users To Connect Through This Computer's Internet Connection check box (see Figure 10-18). The following two additional check boxes are available when you enable ICS:

Establish A Dial-Up Connection Whenever A Computer On My Network Attempts To Access The Internet: Allows you to enable on-demand dialing for the shared connection. This causes your computer to dial your ISP whenever a client computer in your network attempts to access an Internet resource. Once the connection is established, the connection to the Internet resource is established on behalf of the internal client.

Allow Other Network Users To Control Or Disable The Shared Internet Connection: Allows you to enable client control for this shared Internet connection. Users on client computers can automatically discover and control the Internet connection using a feature called Internet Gateway Device Discovery and Control (IGDDC).

MORE INFO: For more information on IGDDC, search on IGDDC in Windows Help and Support.


Figure 10-18 Enabling ICS on a dial-up connection

344

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

IMPORTANT

The Advanced tab of a network connection's Properties dialog box also allows you to enable Windows Firewall. Windows Firewall is a critical component for protection against Internet attacks. We will explore Windows Firewall in Chapter 11.

You can allow inbound connections to systems in your network. To select the services running on your network that Internet users can access, click Settings. You can then select the service and the system in your network that will host the service (Figure 10-19).

Figure 10-19 Enabling inbound Remote Desktop to 192.168.1.100



CAUTION

If you enable any of the services, you allow anyone accessing the Internet to contact a service or computer on your private network. Your ICS computer will act as a conduit to the system on your internal network, and the internal system will be accessible to any Internet system that requests a connection. Therefore, you should protect the internal system as if it were directly connected to the Internet.

USING REMOTE DESKTOP AND REMOTE ASSISTANCE


Windows XP includes two useful remote control features for work or troubleshooting: Remote Desktop and Remote Assistance.

Remote Desktop
Users can use Remote Desktop to control their office computer from home, to catch up on work, and to access any resources available to the office system (including printers, disk drives, network applications, and mapped drives). It is just like being there. Users can also enable Remote Desktop to use disk drives and printers attached to the controlling system to copy files to or from the remote system and to print remotely created documents locally (and locally created documents on remote printers).


To enable Remote Desktop:

1. Right-click any instance of My Computer, and choose Properties.

2. In the System Properties dialog box, on the Remote tab (Figure 10-20), enable or disable Remote Desktop and grant remote users permission to control your system.
NOTE

By default, members of a system's local Administrators group have access to Remote Desktop.


Figure 10-20 Enabling Remote Desktop

To control a remote system with Remote Desktop:

1. Choose Start | All Programs | Accessories | Communications.

2. Click Remote Desktop Connection to launch the Remote Desktop client.

3. Enter the name or address of the system you want to control.

4. To modify display settings or connect local drives or printers (Figure 10-21), click the Options button.

5. When you are satisfied with the settings you have chosen, click Connect.

6. The remote system prompts you with a logon dialog box. Enter your username and password to log on.
NOTE

If the remote system is using Windows Firewall, you must configure an exception to allow inbound connections to Remote Desktop on that system. We will discuss firewall exceptions in Chapter 11.



Figure 10-21 Connecting local drives and printers in a Remote Desktop session

Remote Assistance
Remote Assistance allows a user to take over the session of a second user at the second user's invitation. Both users can see the display and, if the local user gives permission, the remote user can control the local user's keyboard and mouse.

To enable Remote Assistance:

1. Right-click any instance of My Computer, and choose Properties.

2. In the System Properties dialog box (shown earlier in Figure 10-20), on the Remote tab, specify whether Remote Assistance invitations can be sent from your system.

Remote Assistance invitations

Remote Assistance can send invitations in three ways:

Windows Messenger
The user requesting assistance can send an invitation as an instant message using Windows Messenger. The recipient can then respond to the invitation, connecting to the local system.

E-mail
The requestor can send an e-mail request for assistance.

File
The requestor can save the request in a file that can be opened by the recipient.

To request Remote Assistance:

1. In the Help and Support Center, choose Invite A Friend To Connect To Your Computer With Remote Assistance.

2. On the Remote Assistance page, choose Invite Someone To Help You.

3. Complete the appropriate invitation option (Figure 10-22).


Figure 10-22 Requesting Remote Assistance

To offer Remote Assistance:

1. In the Help and Support Center, choose Pick A Task | Use Tools To View Your Computer Information And Diagnose Problems.

2. On the Tools menu, choose Offer Remote Assistance (Figure 10-23).


Figure 10-23 Offering Remote Assistance


SUMMARY

Windows XP Professional includes many standard connectivity tools to access and transfer data between dissimilar systems.

The TCP/IP suite of protocols maps to a four-layer conceptual model: network interface, Internet, transport, and application.

Microsoft's implementation of TCP/IP enables a TCP/IP host to use a static IP address, to obtain an IP address automatically from a DHCP server, or to use automatic assignment of IP addresses.

Computers enabled with Automatic Private IP Addressing (APIPA) can communicate only with computers on the same subnet that also have addresses of the form 169.254.x.y.

Binding is the process of linking network protocols to network clients or services.

You can configure all outbound connections in Windows XP Professional with the New Connection Wizard.

Remote Desktop allows the remote control of a Windows XP system by a Remote Desktop or Terminal Services client.

Remote Assistance allows a user to invite another user to observe or take control of a system over a network.

REVIEW QUESTIONS
1. Which of the following statements correctly describe IP? (Choose all correct answers.)
a. Guarantees packet arrival and correct packet sequence
b. Provides connection-oriented, reliable communication for applications that typically transfer large amounts of data at one time
c. Primarily responsible for addressing and routing packets between hosts
d. Provides connectionless packet delivery for all other protocols in the suite

2. The two DARPA transport layer protocols are ____________________ and __________________.

3. Which of the following statements correctly describe TCP? (Choose all correct answers.)
a. Provides connectionless communication but does not guarantee that packets will be delivered
b. Provides connection-oriented, reliable communication for applications that typically transfer large amounts of data at one time
c. Provides services that allow the application to bind to a particular port and IP address on a host
d. Provides and assigns a sequence number to each segment of data that is transmitted

4. Which of the following statements about IP addresses are true? (Choose all correct answers.)
a. IP addresses are logical 64-bit addresses that identify a TCP/IP host.
b. Each host on a TCP/IP subnet requires a unique IP address.
c. 192.168.0.108 is an example of a class C IP address.
d. The host ID in an IP address is always the last two octets in the address.

5. You are consulting for a company that wants to set up a wireless network. The company is concerned about security and has not yet purchased the equipment. Which wireless security technology would you suggest to them?
a. 802.11g
b. WEP
c. WPA
d. 802.11i

6. Which of the following statements about obtaining an IP address automatically are true? (Choose all correct answers.)
a. Windows XP Professional includes the DHCP Service.
b. Windows XP Professional includes an Automatic Private IP Addressing feature, which provides DHCP clients with limited network functionality if a DHCP server is unavailable during startup.
c. The Internet Assigned Numbers Authority (IANA) has reserved 169.254.0.0 through 169.254.255.255 for Automatic Private IP Addressing.
d. You should always disable Automatic Private IP Addressing in small workgroups.

7. Which of the following connection types can you use to connect to a workplace network from home? (Choose all correct answers.)
a. Dial-up
b. Remote Desktop
c. VPN
d. Ethernet

8. When you manually configure a dial-up connection to an ISP, which of the following do you need to configure? (Choose all correct answers.)
a. Username
b. IP address
c. Connection name
d. Password

9. Remote Desktop allows users to do which of the following tasks? (Choose all correct answers.)
a. Transfer files
b. Print to remote printers
c. Power on a computer
d. Print to local printers

10. Remote Assistance allows users to do which of the following tasks? (Choose all correct answers.)
a. Transfer files
b. Print to remote printers
c. Open remote documents
d. Print to local printers


CASE SCENARIOS
Scenario 10-1: Small Office Networking
You are hired by a small firm to help with an office network. The firm has nine computers currently on the network. The network consists of a single hub that connects all computers to each other in a single segment. One system on the network has a DSL Internet connection that it shares with the rest of the network. Answer the following questions about this scenario:

1. Does this network require a DHCP server?

2. If you install a Network-Attached Storage (NAS) device, what IP address should you give it so other systems on the network can see it?

3. What type of logical network architecture has been implemented here?
a. Workgroup
b. Domain
c. Wide area network (WAN)
d. Local area network (LAN)

Scenario 10-2: Help!


A friend calls you one evening to ask for help with his computer. He has deleted some critical files and can no longer run his favorite video game. Answer the following questions about this scenario:

1. Which remote control technology do you use to let him show you which files he deleted?

2. You determine that you need to copy some files to his system from your own. How can you accomplish this?

CHAPTER 11

CONFIGURING TCP/IP ADDRESSING AND SECURITY


Upon completion of this chapter, you will be able to:
Understand IP addressing
Manage IP subnetting and subnet masks
Understand IP security terminology
Manage Internet security features of Windows XP
Configure and troubleshoot Windows Firewall

In Chapter 10, we discussed the TCP/IP protocol suite and explored its architecture. In this chapter, we'll explore Internet Protocol (IP) addressing and IP security. We will describe the process of dividing IP networks into subnets and determining whether a given address is local or remote in relationship to your own. You will learn the terms used by Internet security professionals and become familiar with the Internet security tools included with Windows XP. Finally, we will configure Windows Firewall and explore how it secures your system while still letting you share system resources over the Internet.


UNDERSTANDING IP ADDRESSES
In Chapter 10, we discussed the format of IP addresses, the 32-bit binary addresses that uniquely identify hosts on the Internet. In this chapter, we will dissect these addresses and show you how they are used to route packets to their ultimate destination. Let's begin by examining binary numbers and their use in IP addresses.

Binary Numbers
Those who have studied computer science will be familiar with binary numbers, the 0s and 1s that signify on/off states in transistor logic. By themselves, binary numbers can reflect only one of two states: off or on, 0 or 1, false or true. As binary numbers are strung together, however, they begin to form the meaningful values we use for data storage and addressing. Binary data as it pertains to IP addressing is organized into bits and bytes or octets.

Bit
A single binary digit. A bit is the smallest unit of storage and equates to an on or off state of a transistor or switch. Its value can also be used to signify true or false. Typical values used in conjunction with bits are:

0
Values equated with 0 are the number 0, the condition off, and the Boolean false.

1
Values equated with 1 are the number 1, the condition on, and the Boolean true.

Byte
A sequence of bits (usually 8). Having a sequence of bits allows you to begin encoding data into the binary stream. Bytes are used to signify character values such as letters, numerals, and punctuation marks. Most mass storage is rated in bytes, kilobytes (1024 bytes), megabytes (1,048,576 bytes), or gigabytes (1,073,741,824 bytes).

Octet
A sequence of 8 bits in an IP address. An example of an octet is the value 11111111, which is 255 when converted from binary to decimal.

When we begin to build a sequence of binary numbers, we use the base 2 number system. This system uses powers of 2 instead of powers of 10 when recording values. The example in Figure 11-1 shows how the binary numbering system is used to store a decimal number.

CHAPTER 11:

CONFIGURING TCP/IP ADDRESSING AND SECURITY

355

Binary value 10110011 equals decimal value 179:

Binary digit   Place value   Product
1              x 128         = 128
0              x 64          = 0
1              x 32          = 32
1              x 16          = 16
0              x 8           = 0
0              x 4           = 0
1              x 2           = 2
1              x 1           = 1

128 + 0 + 32 + 16 + 0 + 0 + 2 + 1 = 179

Figure 11-1 The decimal number 179 represented in binary, showing place values

Converting decimal numbers to binary

IP addresses are almost always expressed in dotted decimal notation, which is a series of four decimal values separated by periods (or dots). Here's an example:

192.168.23.142

Each decimal value in the above sequence equates to a binary octet. To be meaningful to the TCP/IP protocol suite, the numbers must be converted to their binary values. Windows XP does this automatically, but you can do it manually to better understand how these values are used. To convert the above values to their binary equivalents, we can perform a series of tests. Each number is tested against a place value in a binary octet, beginning with the 128 place.

To convert the first octet (192):

1. Is 192 greater than 128? Yes, so there is a 1 in the 128 place in the binary number.

1 _ _ _ _ _ _ _

2. We then subtract 128 from 192 (result 64). We then continue with the 64 place. Since the result of our subtraction is exactly 64, we place a 1 in the 64 place and finish the octet with zeros for the remaining place values.

1 1 0 0 0 0 0 0

3. The final value (11000000) is placed in its proper position on the binary version of the address.

1 1 0 0 0 0 0 0 . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _

To convert the next octet (using the same process):

1. Is 168 greater than 128? Yes, there is a 1 in the 128 place in the binary number.

1 _ _ _ _ _ _ _

2. We then subtract 128 from 168 (result 40). We then continue with the 64 place. Since the result of our subtraction is less than 64, we place a 0 in the 64 place and continue to the 32 place.

1 0 _ _ _ _ _ _

3. There is more than 32 remaining, so we put a 1 in the 32 place.

1 0 1 _ _ _ _ _

The remainder from subtracting 32 from 40 is 8. This means we have a zero for the 16 place and a one in the 8 place.

1 0 1 0 1 _ _ _

4. Completing the octet:

1 0 1 0 1 0 0 0

5. The final value (10101000) is placed in its proper position on the binary version of the address.

1 1 0 0 0 0 0 0 . 1 0 1 0 1 0 0 0 . _ _ _ _ _ _ _ _ . _ _ _ _ _ _ _ _

6. We continue this process until all four octets have been converted to their binary values (Figure 11-2).
192.168.23.142

192:  1 x 128  1 x 64  0 x 32  0 x 16  0 x 8  0 x 4  0 x 2  0 x 1  ->  11000000
168:  1 x 128  0 x 64  1 x 32  0 x 16  1 x 8  0 x 4  0 x 2  0 x 1  ->  10101000
23:   0 x 128  0 x 64  0 x 32  1 x 16  0 x 8  1 x 4  1 x 2  1 x 1  ->  00010111
142:  1 x 128  0 x 64  0 x 32  0 x 16  1 x 8  1 x 4  1 x 2  0 x 1  ->  10001110

11000000.10101000.00010111.10001110

Figure 11-2 Converting 192.168.23.142 to binary octets

IMPORTANT

When you convert decimal numbers to binary values, if the value you are converting is less than 128, be sure to fill all eight positions in the binary octet (with a zero, if necessary). If places are left empty, the resulting complete value will not be a full 32-bit number. The completed binary address should be four complete octets separated by periods (or dots).

Using Calculator to convert decimal numbers to binary

A somewhat simpler way to convert decimal numbers to binary values is to use Calculator, which records the result in full binary notation.

1. Open Calculator by choosing Start | All Programs | Accessories | Calculator.

2. Place Calculator in scientific mode by clicking View | Scientific.

3. Enter the decimal number.

4. Click the Bin button to convert the number to binary format (Figure 11-3).

NOTE

Be sure to fill in any leading zeros to make the number eight digits long.

5. Convert each additional decimal value in turn.

6. Record the resulting binary values.

Figure 11-3 Converting decimal numbers to binary using Calculator

Converting binary numbers to decimal

Converting a binary number to its decimal equivalent is simply a reversal of the process we used to convert the decimal number to binary. Beginning with the 128 place, multiply each position by its place value.

To convert 11000000 to decimal, multiply each bit by its base 2 place value:

1. Multiply the 128 place first.

1 x 128 = 128

2. Continue with the 64 place.

1 x 64 = 64

3. Complete the octet.

0 x 32 = 0
0 x 16 = 0
0 x 8 = 0
0 x 4 = 0
0 x 2 = 0
0 x 1 = 0

4. Finally, total the resulting values to obtain the decimal number.

128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192

5. Continue the process until the entire address is converted (Figure 11-4).

11000000.10101000.00010111.10001110

11000000:  1 x 128  1 x 64  0 x 32  0 x 16  0 x 8  0 x 4  0 x 2  0 x 1  =  192
10101000:  1 x 128  0 x 64  1 x 32  0 x 16  1 x 8  0 x 4  0 x 2  0 x 1  =  168
00010111:  0 x 128  0 x 64  0 x 32  1 x 16  0 x 8  1 x 4  1 x 2  1 x 1  =  23
10001110:  1 x 128  0 x 64  0 x 32  0 x 16  1 x 8  1 x 4  1 x 2  0 x 1  =  142

192.168.23.142

Figure 11-4 Obtaining a dotted decimal value from a binary octet value
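The two hand procedures above (decimal to binary by testing each place value and subtracting, and binary to decimal by multiplying each bit by its place value and totalling) are easy to automate. The Python script below is an added example written for this page; it is not code from the book or from Windows. It carries out exactly the walk-through shown for 192.168.23.142 and the place-value rows of Figure 11-1, and it always writes all eight positions of an octet, so the leading-zero mistake the IMPORTANT note warns about cannot occur. The function names are the example's own.

```python
"""Decimal <-> binary conversion of IP octets by the place-value method.

Added example, not from the book: automates the subtraction test the chapter
walks through for 192.168.23.142 and the multiply-and-total reverse step.
"""

PLACE_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # base-2 place values of one octet


def octet_to_binary(value: int) -> str:
    """Test the value against each place from 128 down, subtracting on a hit."""
    if not 0 <= value <= 255:
        raise ValueError(f"octet must be 0-255: {value}")
    bits = []
    remainder = value
    for place in PLACE_VALUES:
        if remainder >= place:          # "is it at least this place?" -> write a 1
            bits.append("1")
            remainder -= place
        else:
            bits.append("0")            # always written, so 23 becomes 00010111, not 10111
    return "".join(bits)


def binary_to_octet(bits: str) -> int:
    """Multiply each bit by its place value and total the products."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError(f"expected exactly eight binary digits: {bits!r}")
    return sum(place for bit, place in zip(bits, PLACE_VALUES) if bit == "1")


def address_to_binary(address: str) -> str:
    """192.168.23.142 -> 11000000.10101000.00010111.10001110"""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted octets: {address!r}")
    return ".".join(octet_to_binary(int(o)) for o in octets)


def binary_to_address(binary: str) -> str:
    """11000000.10101000.00010111.10001110 -> 192.168.23.142"""
    octets = binary.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four dotted binary octets: {binary!r}")
    return ".".join(str(binary_to_octet(o)) for o in octets)


def show_work(value: int) -> list:
    """The 'bit x place = product' rows of Figure 11-1, plus the total line."""
    bits = octet_to_binary(value)
    products = [place if bit == "1" else 0 for bit, place in zip(bits, PLACE_VALUES)]
    rows = [f"{bit} x {place} = {product}"
            for bit, place, product in zip(bits, PLACE_VALUES, products)]
    rows.append(" + ".join(str(p) for p in products) + f" = {sum(products)}")
    return rows


if __name__ == "__main__":
    print("\n".join(show_work(179)))
    print(address_to_binary("192.168.23.142"))
    print(binary_to_address("11000000.10101000.00010111.10001110"))
```

Running the script prints the eight rows and total for 179 from Figure 11-1, then the binary form of 192.168.23.142 and its conversion back. Because every octet is validated to be in the range 0 to 255 and every binary octet to be exactly eight digits, a value such as 256 or a seven-digit octet is rejected instead of silently producing a malformed 32-bit address.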

Using Calculator to obtain a decimal result is also a reverse of the procedure outlined above. Beginning with binary values, convert each to its decimal equivalent and record the result.

1. Open Calculator by choosing Start | All Programs | Accessories | Calculator.

2. Place Calculator in scientific mode by choosing View | Scientific.

3. Enter the binary number into Calculator.

4. Click the Dec button to convert the number to decimal format (Figure 11-5).

5. Convert each additional binary value in turn.

6. Record the resulting decimal values.

Figure 11-5 Converting binary numbers to decimal using Calculator

NOTE

Programmers have created subnet calculators to make these conversions easier. One such calculator is the SolarWinds Subnet Calculator, available at www.solarwinds.net. Sometimes you will not have access to these tools, however, so it is important to understand how to convert addresses manually or by using Windows Calculator.

Decoding IP Addresses
Converting the decimal numbers of the dotted decimal notation to their binary equivalent is the first step in determining how your system fits into the IP networking picture in your organization. Beginning with the leftmost bits, the address gets progressively more system specific. In the addressing scheme of the Internet, the leftmost bits designate large networks. These large network address ranges, or netblocks, are assigned to the large Internet service providers (ISPs) by the Internet Assigned Numbers Authority (IANA). The ISPs, in turn, divide their netblocks into smaller networks (see Figure 11-6). Some of these smaller networks are assigned to large corporate customers; some are assigned to yet smaller ISPs. These corporate customers or smaller ISPs can then further divide these networks to serve their offices or clients. As we progress from left to right, the digits get more location-specific. This lets Internet routers zero in on an address by starting on the left and following the routing information from the large network to the smaller one. Each step in the route gets more specific as each router knows in more detail where the designated system is. The last router in the route has the address of the designated system in its routing tables.


NOTE

A routing table is a database of known networks and the best route for finding each of them. Internet routers share data with other routers about routes they know in order to build this database. This allows the routers to keep track of the best way to get data from one location to another. Routers can even route packets around a downed network if they have enough time to update their routes. This reconstruction of the network's routes is known as convergence.

12.56.176.23

Contoso Corporation (a large network service provider)
  -> Contoso North America (a division of Contoso Corporation)
     -> Northwind Traders Corporate Headquarters (12.56.176.0 netblock assigned by Contoso North America)
        -> www.nwtraders.com

Figure 11-6 Division of large netblocks into smaller networks

IP octets

Each IP address can be examined by octet. If you look at the IP address assigned to your system, you will notice that it has the same first two or three octets as other, nearby systems. In the simplest IP networks, these octets are used to designate the network your system is operating on. They help your system determine whether it can speak to these nearby systems directly or if it will require the services of a gateway to communicate with them. We will explore subnets and subnet masks later in the chapter to clarify this concept.

Local vs. Remote Systems


When a system using TCP/IP wants to connect to another system, it needs the IP address of the destination system. It might get this IP address from a DNS server as the result of a name resolution, or the user or application might provide it directly. By taking a close look at this address, the system can tell if it can talk to this system directly or if it must relay its communications through a router. Figure 11-7 depicts three systems. System A wants to communicate with systems B and C. By looking at the address of system B, it sees the same octet values in the portions of the IP addresses that correspond to 255s in the subnet mask. It knows that this is a local system, so it can communicate with it directly. When system A looks at the address for system C, however, it sees a different network address. It checks its routing table to see if it has an entry for that network. If it does not, it forwards its communication request to the network's default gateway.

192.168.99.0 network: 192.168.99.1, 192.168.99.123
192.168.100.0 network: 192.168.100.1 Gateway (Router), 192.168.100.14

Figure 11-7 Determining whether a system is local or remote
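The local-or-remote decision that system A makes in Figure 11-7, carried out in code as an added example (not from the book). The text describes comparing the octets that line up with 255s in the subnet mask; the bitwise AND below is the general form of that comparison, and it also works for masks that do not end on an octet boundary, such as the /19 and /21 masks discussed later in this chapter. The figure does not state system A's own address or the router's address on the 192.168.99.0 network, so 192.168.99.1 for system A, 192.168.99.254 for the default gateway, and the extra 10.0.0.0 routing-table entry are values constructed for this example.

```python
"""Local-or-remote decision for a TCP/IP host (added example, not from the book).

System A keeps the network bits of its own address and of the destination;
equal network IDs mean "local, send directly". Otherwise the packet goes to
the most specific routing-table entry or, failing that, the default gateway.
"""


def dotted_to_int(dotted: str) -> int:
    """Pack a dotted-decimal address or mask into a 32-bit integer."""
    parts = dotted.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {dotted!r}")
    value = 0
    for part in parts:
        octet = int(part)
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {dotted!r}")
        value = (value << 8) | octet
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_id(address: str, mask: str) -> str:
    """Keep the bits that line up with ones in the mask; zero the host bits."""
    return int_to_dotted(dotted_to_int(address) & dotted_to_int(mask))


def is_local(source: str, mask: str, destination: str) -> bool:
    """True when both addresses produce the same network ID under the mask."""
    return network_id(source, mask) == network_id(destination, mask)


def next_hop(source: str, mask: str, destination: str, routes, default_gateway: str):
    """Return ("direct", destination), ("route", gateway) or ("default", gateway).

    routes is a list of (network, mask, gateway) tuples; the most specific
    matching entry (longest mask) wins, as in a real routing table.
    """
    if is_local(source, mask, destination):
        return ("direct", destination)
    best = None
    for net, net_mask, gateway in routes:
        if network_id(destination, net_mask) == network_id(net, net_mask):
            prefix_len = bin(dotted_to_int(net_mask)).count("1")
            if best is None or prefix_len > best[0]:
                best = (prefix_len, gateway)
    if best is not None:
        return ("route", best[1])
    return ("default", default_gateway)


# Addresses from Figure 11-7. System A's own address, the gateway's address on
# the 192.168.99.0 network and the 10.0.0.0 route are constructed for this example.
SYSTEM_A = "192.168.99.1"                                   # constructed
SYSTEM_B = "192.168.99.123"
SYSTEM_C = "192.168.100.14"
MASK = "255.255.255.0"
DEFAULT_GATEWAY = "192.168.99.254"                          # constructed
ROUTES = [("10.0.0.0", "255.0.0.0", "192.168.99.253")]      # constructed


if __name__ == "__main__":
    for dest in (SYSTEM_B, SYSTEM_C, "10.1.2.3"):
        print(dest, "->", next_hop(SYSTEM_A, MASK, dest, ROUTES, DEFAULT_GATEWAY))
```

For system B the result is "direct"; for system C there is no routing-table entry, so the packet goes to the default gateway; for 10.1.2.3 the constructed 10.0.0.0 entry matches and its gateway is used. The same `is_local` call works with a /19 mask such as 255.255.224.0, where the boundary falls inside the third octet and an octet-by-octet comparison would give the wrong answer.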

USING SUBNET MASKS


The classful IP addressing scheme we discussed in Chapter 10 was a great way to assign IP addresses when there were only several thousand systems connected to the Internet and there was plenty of room to spare. However, it eventually became apparent that the classful addressing scheme had a few flaws. Only a few networks can be defined when only Class A, B, and C netblocks are used. Organizations requiring more than 65,534 addresses were assigned Class A netblocks. They often wasted a significant number of addresses. (Have you ever seen a corporation with 1.7 million publicly accessible computers?) The Class A netblocks were taken almost immediately. The Class B networks were given to organizations requiring more than the 254 addresses available in a Class C netblock. Some smaller corporations needing more than 254 addresses were assigned entire Class B networks, even if they needed only 300 addresses! Class B network addresses became scarce, so some organizations began to buy several Class C netblocks to serve their needs. This required them to maintain routing table entries for each netblock, adding to the number of routing table entries on Internet routers. Internet engineers devised a way to further define networks so an organization could carve out a niche just large enough for its purposes without wasting valuable addresses. By going to the basic binary structure of the IP address, they were able to define network masks (commonly known as subnet masks) that could be used to split large networks or combine smaller networks.


Subnetting and Supernetting


The subnet mask for a system might look something like 255.255.0.0, for example. By itself, it does not appear very interesting. How can a few 255s and some 0s solve the Internet's addressing problems? Let's convert that subnet mask to binary octets: decimal 255 is equivalent to the binary octet value 11111111. If we complete the conversion, we see that 255.255.0.0 is equivalent to 11111111.11111111.00000000.00000000. Still not impressed? Well, remember from Chapter 10 that the subnet mask defines which part of the address belongs to the network and which part belongs to the host. If you superimpose this subnet mask over an IP address (in binary form), you can see immediately which part of the address belongs to the network and which belongs to the host. By moving the division between the ones and zeros either left or right, you can gradually change the number of addresses available on a given network. This process also changes the number of available networks. By providing this feature, called classless interdomain routing, or CIDR (pronounced see-duhr), Internet engineers were able to preserve a significant amount of address space on the Internet. With a slight modification of the subnet mask, an organization needing only 300 addresses would no longer have to use 65,534. By moving the subnet mask one bit to the left, it could combine two Class C networks and have 510 addresses. Likewise, a company with a Class A network could divide the network into many smaller networks and sell them to other organizations or return them to IANA. The ability to increase a network's size by modifying the subnet mask is called supernetting. Breaking a network into smaller networks is called subnetting.
NOTE

CIDR uses a special notation to designate subnet masks. After counting the subnet mask bits, you can append the notation /n, where n is the number of subnet mask bits. For example, the CIDR notation /24 would be the equivalent of a Class C subnet (255.255.255.0). This shorthand helps eliminate the need for tedious binary conversion when recording subnet masks.

Breaking up larger networks

Subnetting is the more common use of subnet masks. By creating many smaller networks, an owner of a netblock can divide his available address space according to the needs of his customers. For example, an ISP with a Class B netblock can divide it into 254 Class C addresses. Or it can keep going to the right and create as many as 16,384 networks of two addresses each!


Lets take a look at how this is possible. In Figure 11-8, we see a single Class B netblock. Suppose you are an ISP with two clients that each need 8000 addresses. You could find them two Class B netblocks, or you could split the one you have into smaller blocks.
131.107.0.0 (one Class B netblock)

A  10000011.01101011.00000000.00000000   131.107.0.0
   11111111.11111111.00000000.00000000   255.255.0.0

B  11111111.11111111.11100000.00000000   255.255.224.0 (CIDR /19)

C  2^n (2^3) or 8 new networks:
   10000011.01101011.00000000.00000000   131.107.0.0/19
   10000011.01101011.00100000.00000000   131.107.32.0/19
   10000011.01101011.01000000.00000000   131.107.64.0/19
   10000011.01101011.01100000.00000000   131.107.96.0/19
   10000011.01101011.10000000.00000000   131.107.128.0/19
   10000011.01101011.10100000.00000000   131.107.160.0/19
   10000011.01101011.11000000.00000000   131.107.192.0/19
   10000011.01101011.11100000.00000000   131.107.224.0/19

Figure 11-8 Subnetting a Class B network

If you modify the default Class B subnet value of 255.255.0.0 (shown in Figure 11-8 as A) by adding three more subnet mask bits, the resulting subnet mask value, 255.255.224.0 (B in the figure), provides three more address bits for designation of network IDs. (The subnet mask value for B in the figure is /19 in CIDR notation.) By analyzing the new bits, you can see that 2^n (where n is the number of new subnet mask bits) additional new networks are made available. In this scenario, the three additional subnet bits create 2^3, or 8, new networks (C in the figure), each with more than 8000 addresses.
NOTE

You can calculate the number of addresses available in a newly subnetted network by using the equation 2^n - 2 (where n is the number of host bits available). We subtract 2 to allow for the network ID designation (host address all zeros) and a broadcast address (host address all ones). The example above yields 8190 addresses in each netblock.

Splicing networks together

Figure 11-9 shows eight Class C networks. To be able to communicate with hosts on all eight networks, you need to maintain a router with eight routing table entries (one for each network). To combine these netblocks and make a router unnecessary in this scenario, you can combine the networks into a single, larger netblock by supernetting them.
NOTE

Supernetting is also used to reduce the number of entries in Internet routing tables by combining smaller networks into larger net blocks that can be addressed by one entry.
Eight Class C networks:
1  192.168.96.0    2  192.168.97.0
3  192.168.98.0    4  192.168.99.0
5  192.168.100.0   6  192.168.101.0
7  192.168.102.0   8  192.168.103.0

A  1  11000000.10101000.01100000.00000000   (192.168.96.0)
   8  11000000.10101000.01100111.00000000   (192.168.103.0)

B     11111111.11111111.11111111.00000000   255.255.255.0 (CIDR /24)
      11111111.11111111.11111000.00000000   255.255.248.0 (CIDR /21)

C     11000000.10101000.01100000.00000000   192.168.96.0/21

Figure 11-9 Determining the network ID


By looking closely at the third octet, you can see that all eight network IDs are identical up until the last three digits (step A in the figure). By moving the subnet mask left three digits (step B), you place the unique portion of the address into the host address portion, making the network portion of each netblock the same. By converting the new network ID to decimal numbers (step C), we get 192.168.96.0. All eight networks are now combined into one: one network, one routing table entry, and no router required within the organization.
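The subnetting of 131.107.0.0 in Figure 11-8 and the supernetting of 192.168.96.0 through 192.168.103.0 in Figure 11-9 both come down to moving the mask boundary and recounting bits. The script below is an added example, not code from the book: it converts between dotted masks and CIDR prefixes, splits a netblock into 2^n subnets, applies the 2^n - 2 host formula from the note above, and aggregates a run of networks into one supernet. It goes one step beyond the figures by refusing to aggregate networks that do not form a single aligned block, and by rejecting a mask whose ones are not contiguous, two checks the figures assume but do not spell out. All function names are the example's own.

```python
"""Subnetting and supernetting by subnet-mask arithmetic.

Added example (not from the book). Reproduces Figure 11-8 (131.107.0.0 split
into eight /19 networks) and Figure 11-9 (192.168.96.0 to 192.168.103.0 combined
into 192.168.96.0/21) using only integer bit operations.
"""


def dotted_to_int(dotted: str) -> int:
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"bad dotted-decimal value: {dotted!r}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> str:
    """CIDR /n -> dotted mask: n ones followed by 32-n zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return int_to_dotted((((1 << prefix) - 1) << (32 - prefix)) & 0xFFFFFFFF)


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> CIDR /n, rejecting masks whose ones are not contiguous."""
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if dotted_to_int(prefix_to_mask(prefix)) != value:
        raise ValueError(f"non-contiguous subnet mask: {mask!r}")
    return prefix


def usable_hosts(prefix: int) -> int:
    """The book's 2^n - 2: host addresses minus network ID (all zeros) and broadcast (all ones)."""
    host_bits = 32 - prefix
    return max((1 << host_bits) - 2, 0)


def subnet(network: str, prefix: int, new_prefix: int) -> list:
    """Split network/prefix into 2^(new_prefix - prefix) equal blocks."""
    if not prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be at least the original and at most /32")
    base = dotted_to_int(network)
    if base & ((1 << (32 - prefix)) - 1):
        raise ValueError(f"{network}/{prefix} is not a network ID (host bits set)")
    block = 1 << (32 - new_prefix)          # addresses per new subnet
    count = 1 << (new_prefix - prefix)      # 2^n new networks
    return [f"{int_to_dotted(base + i * block)}/{new_prefix}" for i in range(count)]


def supernet(networks: list) -> str:
    """Combine equal-sized networks into one block, or raise if they are not one aligned run."""
    entries = [(dotted_to_int(n.split("/")[0]), int(n.split("/")[1])) for n in networks]
    prefixes = {p for _, p in entries}
    if len(prefixes) != 1:
        raise ValueError("all networks must use the same prefix length")
    prefix = prefixes.pop()
    addrs = sorted({a for a, _ in entries})
    new_prefix = prefix
    # Move the mask boundary left one bit at a time until every network shares
    # the same network bits (step B of Figure 11-9).
    while new_prefix > 0 and len({a >> (32 - new_prefix) for a in addrs}) > 1:
        new_prefix -= 1
    # The aggregate holds 2^(prefix - new_prefix) blocks; it must be exactly the
    # blocks we were given, or the supernet would claim addresses that are not ours.
    if len(addrs) != 1 << (prefix - new_prefix):
        raise ValueError("networks do not form a single aligned block")
    return f"{int_to_dotted(addrs[0])}/{new_prefix}"


if __name__ == "__main__":
    for net in subnet("131.107.0.0", 16, 19):
        print(net, "->", usable_hosts(19), "usable hosts")
    print(supernet([f"192.168.{n}.0/24" for n in range(96, 104)]))
```

Running it lists the eight /19 networks of Figure 11-8 with 8190 usable hosts each, then prints 192.168.96.0/21 for Figure 11-9. Splitting the same Class B down to /30 gives the 16,384 networks mentioned above, and passing only 192.168.96.0/24 and 192.168.98.0/24 to `supernet` raises an error rather than returning a /22 that would also cover 192.168.97.0 and 192.168.99.0.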

SECURING IP COMMUNICATIONS
Everyone has heard about security problems plaguing the Internet. Computer viruses have been around since 1975, but more recently other pathogens have gained prominence. Armies of bots infect computers and coordinate all-out assaults on e-commerce sites. Spyware can spy on a user's Web browsing habits, monitor his e-mail communications, even record keystrokes, and send all this information to someone who may use it for a variety of nefarious uses, including identity theft. Trojan horses, once opened by users, load backdoor programs onto their systems. Worms scan Internet addresses to look for systems with specific vulnerabilities to infect. These vulnerabilities might be in the communications protocols, the applications the system uses for communication, or even the operating system itself. Many of these rogue applications come under the category of malware, short for malicious software.

Microsoft Windows XP and the Microsoft Server operating systems and applications have been a primary target for malware authors. One reason for this is the widespread availability of authoring tools for these systems. Some hackers even make toolkits available for building viruses and worms. Another reason for the targeting of Windows is the huge pool of potential victims. If a worm programmer becomes aware of a specific, exploitable vulnerability, she can safely assume that an enormous collection of vulnerable systems are on the Internet. Many of the users of these systems are unaware of the vulnerability, let alone what to do about patching their systems. All the worm author has to do is seed enough systems to gain a foothold, and the worm will take it from there.

Internet Threats
Internet threats can take many forms, including viruses, worms, and direct hacks. Viruses and worms are basically autonomous. They are programmed to seek out vulnerable systems or users and to deliver a payload. The payload might be as harmless as a funny song or as serious as a backdoor application that allows the attacker to take control of your system.

366

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Direct hacking is an attempt to penetrate your system from the Internet. Attackers might take advantage of a known vulnerability to gain access to your system and plant applications or store files on it. Some applications planted by direct attack are designed to operate in concert with other systems controlled by the attacker to coordinate attacks against high-profile targets. Direct hacks can take many forms, ranging from attempts to guess your passwords to attempts to overwhelm your defenses in order to slip through them.
NOTE

This list of Internet threats is by no means complete, but it illustrates the importance of Internet protection. Microsoft recognizes the importance of protecting systems and patching vulnerabilities. To that end, it released Windows XP Service Pack 2 in 2004 with updated Internet security components and improved Automatic Update features. This chapter covers Internet communications security. For a review of Automatic Updates, see Chapter 2.

Protective Technologies
Windows XP has several built-in tools to help users protect their systems and data. Among these are Windows Firewall, Internet Connection Sharing (ICS) with network address translation (NAT), Windows XP Security Center (released with Service Pack 2), and Automatic Updates. Third-party vendors also produce antivirus applications that detect and defeat viruses, worms, Trojan horses, and other malware.

Windows Firewall An update to the Internet Connection Firewall, which shipped with the original release of Windows XP. Windows Firewall is a host-based stateful packet inspection firewall: it records outbound traffic in a state table and accepts inbound traffic only if it is a reply to that outbound traffic or matches a configured exception. It is integrated with Windows XP networking, is enabled by default on every network connection from system startup to system shutdown, and, most importantly, it ships with Windows XP. You can configure and control it centrally by using Group Policy settings in Active Directory, and it interfaces with Windows services such as Remote Desktop and File and Printer Sharing to allow their traffic on local networks without your having to configure exceptions manually.

CHAPTER 11:

CONFIGURING TCP/IP ADDRESSING AND SECURITY

367

Internet Connection Sharing (ICS) ICS allows the sharing of a single Internet connection with multiple systems on your local network. It translates local network addresses, effectively hiding their existence from Internet attackers. Those scanning your system see only a single IP address. This lowers the number of systems that can be targeted directly.

Desktop antivirus products Microsoft works with third parties to enable them to produce desktop antivirus products that detect and clean infected applications and data files on your system or in your e-mail. Some antivirus vendors also produce security suites that include firewall functionality. These suites can disable Windows Firewall and put their own firewall in its place.

Security Center Windows XP SP2 introduced the Security Center. This console monitors whether Windows Firewall or a compatible third-party firewall is enabled, checks for antivirus applications, and reports the status of the Automatic Updates service. Users can use this single console to quickly check the status of their protection.

Automatic Updates We covered Automatic Updates in Chapter 2. The importance of Automatic Updates cannot be stressed enough: every update or fix to Windows XP or its components is made available by this method. Configuring Automatic Updates greatly improves a system's chances of defeating attempts to penetrate it.

Understanding Windows Firewall Windows Firewall is relatively simple to enable and configure. You can access controls for Windows Firewall in the Properties dialog box for any network connection on your system or by double-clicking the Windows Firewall icon in the Security Center. (To launch the Security Center, open Control Panel and click Security Center.) As we discuss Windows Firewall, we will use some of the following terms:

Packet filtering The process of inspecting packet headers to determine whether the packets are allowed to enter the system. Packets that do not conform to the established rules for address, port, or protocol type are dropped.

Stateful packet filtering A more advanced form of packet filtering in which inbound packets are accepted only as replies to communication the system itself initiated. Outbound traffic is tracked in a state table, and inbound packets must match the expected reply traffic for one of those entries.

368

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Exceptions Rules that allow some unsolicited inbound traffic to enter your system. For example, to reach your system over Remote Desktop from work or school, you would enable the Remote Desktop exception.

Allowed traffic Packet traffic that is allowed to pass the firewall.

Rejected traffic Packet traffic that has not met the acceptance rules and is dropped.

Logging The process by which a firewall keeps a history of accepted and rejected packets. Logs are often used to discover penetration attempts or to troubleshoot connectivity issues.

Enabling Windows Firewall Windows Firewall is enabled by default in Windows XP with Service Pack 2. You can verify its status by launching the Security Center from Control Panel (Figure 11-10). The Security Center displays the status of Windows Firewall or of a compatible third-party firewall product.

Figure 11-10 The Security Center displaying the status of the firewall, virus protection, and Automatic Updates

Windows Firewall is enabled and disabled in the Windows Firewall dialog box (Figure 11-11), which you can launch by clicking the Windows Firewall icon in the Security Center. Notice the Don't Allow Exceptions option. When it is selected, Windows Firewall ignores every exception defined on the Exceptions tab and accepts only reply traffic, which is the setting to use on an untrusted network such as a public hotspot.

CHAPTER 11:

CONFIGURING TCP/IP ADDRESSING AND SECURITY

369

Figure 11-11 Enabling Windows Firewall



Managing firewall exceptions Firewall exceptions allow access to your system from outside for specific purposes. In Figure 11-12, exceptions have been made for Remote Assistance and Remote Desktop.

Figure 11-12 Managing Windows Firewall exceptions



If you select an exception and click Edit, you can modify the scope of the exception (as shown later in Figure 11-14) by designating which source addresses the exception applies to: any computer, only computers on your local subnet, or a custom list of addresses and subnets. This is an important aspect of Windows Firewall security. You can create exception rules that allow a program to communicate with the local network while still blocking traffic to the same ports when it comes from the Internet.

Windows XP can also modify exceptions automatically. For instance, when you enable File and Printer Sharing, Windows XP configures the File and Printer Sharing exception in Windows Firewall with a local-subnet scope on your network connections, so the same traffic is still blocked when it arrives from the Internet.

To add a new Windows Firewall program exception:

1. Open the Windows Firewall dialog box by clicking the Windows Firewall icon in the Security Center.

2. Click the Exceptions tab and click Add Program. This launches the Add A Program dialog box (Figure 11-13). You can select one of the programs listed or browse for an unlisted program. A program exception admits inbound traffic to whatever ports that program opens while it is running, so you do not need to know its port numbers in advance.


Figure 11-13 Adding a program exception in Windows Firewall

To also specify a scope for your program, click the Change Scope button (Figure 11-14).

Figure 11-14 Defining a network scope for a port exception in Windows Firewall


To add a new Windows Firewall port exception:

Sometimes a program exception is not effective. If you know the ports your program requires, you can open them manually by defining a port exception:

1. Open the Windows Firewall dialog box by clicking the Windows Firewall icon in the Security Center.

2. Select the Exceptions tab, and click Add Port to launch the Add A Port dialog box (Figure 11-15). Enter a descriptive name, the port number, and whether the port is TCP or UDP.


Figure 11-15 Adding a port exception in Windows Firewall

If you want to also specify a scope for your port exception, click the Change Scope button. (See Figure 11-14.) Keep the scope as narrow as the use allows: a port exception left at the default scope of Any Computer is reachable from the entire Internet.

Windows Firewall advanced configuration The Advanced tab of the Windows Firewall dialog box (Figure 11-16) gives you additional configuration opportunities:

Figure 11-16 Windows Firewall advanced settings




Network Connection Settings You can select which connections are protected by Windows Firewall. For each connection, you can click the Settings button to modify settings for inbound Internet services such as HTTP and SMTP and for ICMP messages such as those used by Ping and Tracert:

Services tab This tab (Figure 11-17) allows you to configure inbound rules for services running on your system or on another system on your internal network. When you select a service, a dialog box lets you enter the name or internal IP address of the computer running it. If you are also using ICS, its built-in NAT feature forwards the inbound connection to that internal server on behalf of the external client; the rule you configure creates a forwarding entry from the system running Windows Firewall to the system named in the service entry. If you are not using ICS, you can still use this setting to open the applicable port on your own computer to provide the service directly to Internet clients.


Figure 11-17 Configuring a service entry in Windows Firewall

ICMP tab This tab allows you to configure ICMP exceptions for this connection. These exceptions are discussed below under the global ICMP settings.

Security Logging You can enable logging of Windows Firewall packet filters for security analysis and troubleshooting (Figure 11-18).


The packet filter log format can be understood by several third-party security analysis tools.
NOTE

Note the location of Pfirewall.log. If you are responding to a security event, you will need to quickly locate this file.


Figure 11-18 Configuring security logging in Windows Firewall

ICMP This option (Figure 11-19) allows you to set ICMP settings for all enabled connections at once.


Figure 11-19 Configuring ICMP options in Windows Firewall

Here are some ICMP options you might enable:

Allow Incoming Echo Request Lets your system answer ICMP echo requests from other systems with echo replies. Troubleshooting tools such as Ping and Tracert depend on this.


Allow Incoming Timestamp Request A message is returned to the sending computer stating when the request was received.

Allow Incoming Mask Request Tells this computer to respond to queries for its subnet mask. This type of request is typically sent by diskless workstations when they boot, to let them configure their TCP/IP stacks.

Allow Incoming Router Request Lets this computer answer ICMP router solicitation messages, which hosts send to discover the routers on their network.

Allow Outgoing Destination Unreachable Allows your system to tell a sender why a packet could not be delivered, for example because nothing is listening on the destination port.

Allow Outgoing Source Quench Allows the system to tell other systems on the Internet to slow their transmission rate to avoid overwhelming its capacity.

Allow Outgoing Parameter Problem Allows your system to report a malformed or bad header to the sending system.

Allow Outgoing Time Exceeded Allows your system to report to a sender that a packet's time to live expired or that the timeout for reassembling fragments was reached.

Allow Redirect Allows routers to tell your system about a better route for its data. Because a spoofed redirect can steer your traffic through an attacker's host, leave this disabled unless your local routers require it.

Allow Outgoing Packet Too Big Allows your system to report to senders that the packets they are sending are too big (used with the IPv6 protocol).
NOTE

By default, Windows Firewall does not respond to ping attempts from Internet sources. To test your connection with Ping, enable the incoming echo request setting long enough to complete the test and then disable it again. The goal is for your system to respond to as few outside communications as possible, to ensure maximum security.

Default Settings This option restores all Windows Firewall default settings at once.
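The procedures above are GUI steps, but every one of these settings is also scriptable through the netsh firewall context that ships with Windows XP SP2, which is how you would enforce them on many machines at once. The following Python script is an added example, not from this book or from Microsoft: it builds the netsh commands for one lockdown policy (firewall on for all profiles, Remote Desktop and an assumed VNC port limited to an assumed management subnet of 192.168.10.0/24, File and Printer Sharing limited to the local subnet, echo request off, dropped-packet logging on) and then audits the list for exceptions whose scope is Any Computer. The subnet, the VNC port, and the log path are assumptions. Run it without arguments to see the commands; run it on the XP host from an administrator command prompt with --apply to execute them.

```python
"""Generate and audit 'netsh firewall' commands for a Windows XP SP2 lockdown.

Added example, not from the book or from Microsoft. The management subnet,
the extra VNC port and the log path are assumptions for illustration.
"""
import subprocess
import sys

ADMIN_SUBNET = "192.168.10.0/255.255.255.0"   # assumed management LAN
LOG_PATH = r"C:\WINDOWS\pfirewall.log"          # default location the book names


def lockdown_commands(admin_subnet=ADMIN_SUBNET, log_path=LOG_PATH):
    """Return the netsh commands (as argv lists) that implement the policy.

    Each command corresponds to one dialog box discussed in the text: the
    General tab, the Exceptions tab with Change Scope, and the ICMP and
    Security Logging settings on the Advanced tab.
    """
    return [
        # General tab: firewall on for every profile. exceptions=DISABLE would
        # be the "Don't Allow Exceptions" check box; we keep scoped exceptions.
        ["netsh", "firewall", "set", "opmode", "mode=ENABLE",
         "exceptions=ENABLE", "profile=ALL"],
        # Built-in Remote Desktop exception, reachable from the admin LAN only.
        ["netsh", "firewall", "set", "service", "type=REMOTEDESKTOP",
         "mode=ENABLE", "scope=CUSTOM", f"addresses={admin_subnet}"],
        # File and Printer Sharing from the local subnet, never from the Internet.
        ["netsh", "firewall", "set", "service", "type=FILEANDPRINT",
         "mode=ENABLE", "scope=SUBNET"],
        # Manual port exception (assumed VNC on TCP 5900) with the same scope.
        ["netsh", "firewall", "add", "portopening", "protocol=TCP", "port=5900",
         "name=VNC", "mode=ENABLE", "scope=CUSTOM", f"addresses={admin_subnet}"],
        # ICMP type 8 is echo request: keep it off except while testing with Ping.
        ["netsh", "firewall", "set", "icmpsetting", "type=8", "mode=DISABLE"],
        # Security Logging: dropped packets and successful connections, 4 MB cap.
        ["netsh", "firewall", "set", "logging", f"filelocation={log_path}",
         "maxfilesize=4096", "droppedpackets=ENABLE", "connections=ENABLE"],
    ]


def internet_exposed(commands):
    """Names of enabled exceptions whose scope is ALL (any computer).

    netsh defaults scope to ALL when it is omitted, so an exception added
    without scope= is reachable from the Internet. Returns the exception's
    name, service type, port or program path, whichever identifies it.
    """
    exposed = []
    for argv in commands:
        if argv[:2] != ["netsh", "firewall"] or len(argv) < 4:
            continue
        if argv[2] not in ("add", "set"):
            continue
        if argv[3] not in ("portopening", "allowedprogram", "service"):
            continue
        kv = dict(a.split("=", 1) for a in argv[4:] if "=" in a)
        if kv.get("mode", "ENABLE").upper() != "ENABLE":
            continue
        if kv.get("scope", "ALL").upper() == "ALL":
            exposed.append(kv.get("name") or kv.get("type")
                           or kv.get("port") or kv.get("program"))
    return exposed


def apply(commands, dry_run=True):
    """Print each command; execute it as well unless dry_run (needs an admin prompt)."""
    for argv in commands:
        print(subprocess.list2cmdline(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    cmds = lockdown_commands()
    apply(cmds, dry_run="--apply" not in sys.argv)
    print("Exceptions open to any computer:", internet_exposed(cmds) or "none")
```

The audit function is the part worth keeping around: feed it any list of netsh commands your deployment scripts emit and it names the exceptions that would answer to the whole Internet, which is exactly the review you would otherwise do by opening Change Scope on every entry.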

Windows Firewall with third-party firewalls Windows Firewall exposes a Windows Management Instrumentation (WMI) interface for third-party firewall vendors. This allows them to disable Windows Firewall during installation of their products to prevent conflicts. Figure 11-20 shows the Security Center displaying the status of a third-party firewall. In this figure, the third-party firewall has disabled Windows Firewall to prevent conflicts.

Figure 11-20 The Security Center displaying the status of a third-party firewall

NOTE

Third-party firewalls might not turn Windows Firewall back on when they are uninstalled. Be sure to check the status of Windows Firewall when you remove a third-party firewall to ensure that a lapse in protection doesn't occur.

Monitoring Internet Communications Security

Because Internet security tools and utilities are so important, you must ensure that they are operating properly and doing what they were intended to do. Most Internet protection applications can log their operation and might also issue pop-up alerts when a particular item needs attention. Microsoft products are no exception. Windows Firewall alerts and logs help ensure that your firewall is operating effectively. You should be familiar with their format and with the entries you would expect to see during normal operation so that you can quickly recognize when something is out of place.

Windows Firewall alerts When a program starts listening for inbound connections on a port and no exception has been configured for it, Windows Firewall blocks the connections and presents the user with a Windows Security Alert (Figure 11-21).


Figure 11-21 A Windows Firewall alert



The alert in the figure describes the application and gives the user three choices:

Keep Blocking Blocks unsolicited inbound connections to this program. Windows Firewall adds the program to the Exceptions list with its check box cleared, so the block stays in force until you enable the exception yourself. Use this option when the program should not accept connections from Internet systems; a local communications application that you later manage with a scoped exception is one example.

Unblock Creates a permanent, enabled exception for this program. You might use this option to allow an instant messaging program to receive connections from its servers. An exception created this way has the scope Any Computer until you edit it.

Ask Me Later Causes Windows Firewall to deny the communication for now. The next time the program starts listening, Windows Firewall alerts you again. You might use this option to dismiss an alert until you have time to research whether the program should accept connections from the Internet.
NOTE

Many of the dialog boxes included with the Security Center and Windows Firewall have links to further information about their function. The When Should I Unblock A Program? link in the Windows Security Alert dialog box presents the user with more information about the options in the dialog box.

Windows Firewall logs Windows Firewall logs packet filter events in the Pfirewall.log file, stored by default in the %SYSTEMROOT% folder (usually C:\Windows). You can browse this file in Notepad or import it into a third-party intrusion detection system (IDS) for analysis. Figure 11-22 shows an excerpt from Pfirewall.log. Note the Fields line: it lists the name of each data field in the order the fields appear on the log lines that follow. Do you see the three attempts to connect to the local system's Web server? This system is not running a public Web server, so these lines indicate a random scan looking for vulnerable Web servers. Windows Firewall silently dropped the packets; because no reply of any kind was sent, a scanner on the Internet cannot tell from this connection attempt whether a system exists at this address.

Figure 11-22 Windows Firewall log displaying dropped packets



Protocol and service logs Internet services such as those provided by Microsoft Internet Information Services (IIS) maintain their own log files. These log files are useful for analyzing the kinds of attacks these services are experiencing. By becoming familiar with these logs, you will begin to spot irregularities in their content. Figure 11-23 shows an excerpt of the W3SVC (WWW service) log for a system. Note the 403 (Forbidden) and 404 (Not Found) status codes.

Figure 11-23 An IIS WWW service log file



A run of 401 (Unauthorized) or 403 (Forbidden) responses from one client address can indicate that someone is repeatedly trying to reach protected content, for example by guessing passwords. Multiple 404s, especially for particular script or executable names, often mean an Internet worm is probing for vulnerable Web server applications. If you spot these patterns, you might be able to block the source of the attack or notify its ISP.
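Both Pfirewall.log and the IIS W3SVC log are W3C-style text files with a Fields header that names the columns, so one small parser serves both. The following Python is an added example, not from this book: it reads constructed samples of the two logs (the lines are made up, using documentation addresses, not real captures), tallies dropped inbound packets per source to separate a single-port probe like the one in Figure 11-22 from a multi-port scan, and lists Web clients that drew a run of 401, 403, or 404 responses. Point parse_w3c() at the real files to use it on a live system.

```python
"""Spot scans and probes in Windows Firewall and IIS W3C-format logs.

Added example, not from the book. The two log samples below are constructed
for illustration; their header lines follow the XP SP2 pfirewall.log and
IIS 5.1 W3SVC formats.
"""
from collections import Counter, defaultdict


def parse_w3c(text):
    """Yield one dict per record, keyed by the names on the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"bad record: {line!r}")
        yield dict(zip(fields, values))


# Constructed pfirewall.log sample: three SYNs to port 80 from one source,
# one outbound connection, and a four-port sweep from another source.
PFIREWALL_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-01 10:15:22 DROP TCP 203.0.113.7 192.168.1.10 4321 80 48 S 3133001 0 65535 - - - RECEIVE
2005-03-01 10:15:25 DROP TCP 203.0.113.7 192.168.1.10 4322 80 48 S 3133002 0 65535 - - - RECEIVE
2005-03-01 10:15:28 DROP TCP 203.0.113.7 192.168.1.10 4323 80 48 S 3133003 0 65535 - - - RECEIVE
2005-03-01 10:16:01 OPEN TCP 192.168.1.10 198.51.100.5 1029 80 - - - - - - - - -
2005-03-01 10:20:40 DROP TCP 198.51.100.77 192.168.1.10 52000 135 48 S 9000001 0 8192 - - - RECEIVE
2005-03-01 10:20:40 DROP TCP 198.51.100.77 192.168.1.10 52001 139 48 S 9000002 0 8192 - - - RECEIVE
2005-03-01 10:20:41 DROP TCP 198.51.100.77 192.168.1.10 52002 445 48 S 9000003 0 8192 - - - RECEIVE
2005-03-01 10:20:41 DROP TCP 198.51.100.77 192.168.1.10 52003 3389 48 S 9000004 0 8192 - - - RECEIVE
"""


def dropped_inbound(records):
    """Per source IP, a Counter of dropped inbound packets by destination port."""
    hits = defaultdict(Counter)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            hits[r["src-ip"]][int(r["dst-port"])] += 1
    return hits


def classify_sources(hits, scan_ports=4, repeat_hits=3):
    """'port-scan' when many distinct ports were probed, 'service-probe' when
    one port was hit repeatedly (the book's three attempts on the Web port)."""
    labels = {}
    for src, ports in hits.items():
        if len(ports) >= scan_ports:
            labels[src] = "port-scan"
        elif max(ports.values()) >= repeat_hits:
            labels[src] = "service-probe"
    return labels


# Constructed IIS 5.1 W3SVC sample: a normal hit, a worm-style sweep for
# executables that do not exist, and repeated failures against /private/.
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2005-03-01 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-03-01 10:01:02 192.168.1.25 - 192.168.1.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible)
2005-03-01 10:02:10 203.0.113.9 - 192.168.1.10 80 GET /scripts/setup.exe - 404 -
2005-03-01 10:02:10 203.0.113.9 - 192.168.1.10 80 GET /cgi-bin/admin.dll - 404 -
2005-03-01 10:02:11 203.0.113.9 - 192.168.1.10 80 GET /_vti_bin/shtml.exe - 404 -
2005-03-01 10:05:00 198.51.100.4 admin 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible)
2005-03-01 10:05:01 198.51.100.4 admin 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible)
2005-03-01 10:05:02 198.51.100.4 admin 192.168.1.10 80 GET /private/ - 401 Mozilla/4.0+(compatible)
2005-03-01 10:05:03 198.51.100.4 admin 192.168.1.10 80 GET /private/ - 403 Mozilla/4.0+(compatible)
"""


def suspicious_clients(records, status_codes=("401", "403", "404"), threshold=3):
    """Clients that drew at least `threshold` error responses, with a status breakdown."""
    errors = defaultdict(Counter)
    for r in records:
        if r["sc-status"] in status_codes:
            errors[r["c-ip"]][r["sc-status"]] += 1
    return {ip: dict(c) for ip, c in errors.items() if sum(c.values()) >= threshold}


if __name__ == "__main__":
    hits = dropped_inbound(parse_w3c(PFIREWALL_SAMPLE))
    for src, label in classify_sources(hits).items():
        print(f"{src}: {label} {dict(hits[src])}")
    for ip, codes in suspicious_clients(parse_w3c(IIS_SAMPLE)).items():
        print(f"{ip}: {codes}")
```

Driving the parser from the Fields header rather than from fixed column positions is what lets the same code read both logs, and it keeps working when an administrator changes the IIS logging options and the column set shifts.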


SUMMARY

IPv4 addresses comprise four binary octets, written in dotted decimal notation as four decimal numbers separated by periods. The IP address of a destination system is compared to that of the local system to determine whether it is on the local network: if the portion of the two addresses covered by the subnet mask is identical, the destination is local and can be addressed directly. If not, the sending computer checks whether it has a route to the destination; if it does not, the communication is sent to the sending computer's default gateway.

Classless interdomain routing (CIDR) permits large networks to be split (subnetted) or smaller networks to be combined (supernetted). It accomplishes this by lengthening or shortening the subnet mask at the binary level.

Internet threats include worms, viruses, bots, spyware, and direct hack attempts.

Windows Firewall is a host-based stateful packet inspection firewall. Internet Connection Sharing (ICS) can protect a network by hiding its actual IP addresses from external systems. Windows Firewall can be configured with exceptions to allow inbound communication with specified programs, ports, or services, and each exception can be scoped to the addresses that need it.

Windows Firewall alerts and logs let you monitor its operation and alert you to possible penetration attempts or configuration issues.

REVIEW QUESTIONS
1. Convert the IP address 131.107.125.234 to its binary octet values. Which of the following answers is correct?
a. 01111101.11101010.10001001.1101011
b. 10000011.1101011.1111101.11101010
c. 1101011.1111101.10001001.11101010
d. 10000011.01101011.01111101.11101010


2. A host with the IP address 131.107.182.12/16 is trying to communicate with a host with the address 131.107.87.18/16. Does this communication require a router? Why or why not?

3. Which of the following subnet masks would you use to supernet the networks 192.168.100.0 and 192.168.101.0?
a. 255.255.255.224
b. 255.255.248.0
c. 255.255.254.0
d. 255.255.0.0

4. Which of the following malware types can scan the Internet for victims?
a. Virus
b. Worm
c. Spyware
d. Trojan horse

5. Which of the following are uses for Windows Firewall? (Choose all correct answers.)
a. Protecting a system from Internet worms
b. Connecting multiple systems to the Internet
c. Blocking malicious connection attempts
d. Preventing a virus from infecting your system

6. A user wants to set up a Web server on a Windows XP Professional computer on your network. You have a Windows XP Professional system connected to the Internet that uses ICS with Windows Firewall enabled to securely share its Internet connection with the rest of the network. Which feature of Windows Firewall do you configure to allow inbound connections to that Web server while still retaining Windows Firewall security for all other communications?
a. Exception
b. ICMP rule
c. Service entry
d. Packet filter


CASE SCENARIOS
Scenario 11-1: A Growing Enterprise
You are consulting for a company that has a growing office in your area. It has a Class C network (192.168.12.0) that is running out of addresses. The company has defined two additional Class C networks and has begun to add hosts to them. Hosts in 192.168.12.0 cannot communicate with hosts in 192.168.10.0. Answer the following questions about this scenario.

1. Why can't hosts in 192.168.12.0 communicate with hosts in 192.168.10.0?

2. Name two ways to allow hosts on 192.168.12.0 to communicate with hosts on 192.168.10.0.

3. Which method listed in the answer to question 2 is least expensive?

Scenario 11-2: Security on a Shoestring


You are volunteering for a charity by configuring its network and Internet operations. You have used IIS in Windows XP for the Web server and the Simple Mail Transfer Protocol (SMTP) server. You set up a computer to connect to the Internet with a DSL connection. You want to put the Web server and SMTP server on the Internet, as well as allow office users to use the Internet with Internet Explorer. Answer the following questions about this scenario.

1. How can you connect the entire office to the Internet inexpensively?

2. How can you allow inbound access to the Web server and the mail server?

CHAPTER 12

MANAGING INTERNET EXPLORER CONNECTIONS AND SECURITY


Upon completion of this chapter, you will be able to:
Configure Internet connections in Internet Explorer
Connect to resources using Internet Explorer
Configure and manage Internet Explorer security settings
Configure and manage Internet Explorer privacy settings
Audit and control add-on programs and browser helper objects with Add-On Manager

In this chapter, we will configure and manage Microsoft Internet Explorer, beginning with initial connection, configuration, and progressing to advanced security settings. You will learn how to configure Web content zones and how to manage sites in these zones. You will also be introduced to the privacy features of Internet Explorer and how to configure privacy settings. Finally, we will explore the management of add-on programs and browser helper objects.


MANAGING INTERNET EXPLORER CONNECTIONS


You can connect Internet Explorer to the Internet in a variety of ways, including direct access from an Internet-connected local area network (LAN), by dialing up to an ISP, connecting through an Internet proxy server, or a combination of these methods. We will discuss these connection methods and how to configure them.

Using the New Connection Wizard


You can configure connectivity for Internet Explorer using the New Connection Wizard (as described in Chapter 10). You launch the wizard by choosing Tools | Internet Options in Internet Explorer. On the Connections tab (Figure 12-1) of the Internet Options dialog box, click the Setup button.

Figure 12-1 The Connections tab of the Internet Options dialog box

To configure a connection to an Internet service provider (ISP), select the Connect To The Internet option (Figure 12-2) and then click Next.

Figure 12-2 The New Connection Wizard




On the Getting Ready page (Figure 12-3), you will see three options:

Choose From A List Of Internet Service Providers (ISPs) Configures a connection based on settings ISPs have given to Microsoft for inclusion in this wizard.

Set Up My Connection Manually Allows a connection to be created in one of the following ways:

Connect Using A Dial-Up Modem Allows you to manually create a connection by entering settings provided by your ISP.

Connect Using A Broadband Connection That Requires A User Name And Password Allows configuration of a connection using Point-to-Point Protocol over Ethernet (PPPoE). Settings for this type of connection are provided by your ISP.

Connect Using A Broadband Connection That Is Always On Allows a basic LAN connection to be configured. This option assumes that all settings are assigned by a DHCP server or an Internet gateway device.

Use The CD I Got From An ISP Searches the CD-ROM drive for a disc provided by your ISP. The required settings are programmed into an application on the disc.

Figure 12-3 The Getting Ready page of the New Connection Wizard

Managing Connection Settings


You can use the New Connection Wizard to configure most settings required by Internet Explorer to enable Internet connectivity. After you define the dial-up connection, you can manage it by using the Connections tab of the Internet Options dialog box (shown earlier in Figure 12-1). You can add or remove dial-up


connections and select which connection will be dialed by default. You can also manage advanced settings for dial-up connections or access settings for connections using a LAN. We will first examine the options for dial-up settings.

Dial-up settings In addition to adding new connections and deleting those that are no longer required, you can specify advanced settings for each dial-up connection, such as the use of a proxy server. Select the dial-up connection to configure and then click the Settings button. This opens the Settings dialog box for the selected connection (Figure 12-4).

Figure 12-4 Configuring settings for a dial-up connection



The dialog box includes the following:

Automatic Configuration This section of the dialog box includes settings that allow Internet Explorer to automatically detect and manage settings for connectivity. The options are:

Automatically Detect Settings When this is selected, Windows XP attempts to detect the required settings for this connection by querying a DHCP or DNS server using the Web Proxy Auto-Discovery (WPAD) protocol. This service is configured by a network administrator to notify browsers of the location of proxy servers on the network.
NOTE

You configure WPAD on the server side by adding a DHCP server option (option 252) that points clients to the proxy configuration file. If the DHCP server does not supply it, Internet Explorer falls back to a DNS lookup for a host named wpad in its domain. Because whoever answers that name lookup can hand the browser a proxy configuration, an attacker who controls DNS or name resolution on the local network can route all of a client's browsing through a proxy of his choosing; use automatic detection only on networks where you trust name resolution.


Use Automatic Configuration Script This option allows you to specify an automatic configuration script that contains additional configuration information for the browser. These scripts are typically used by administrators to make changes to settings after deployment. The browser checks the file periodically to look for updated settings.

Proxy Server Allows the manual configuration of proxy server settings. The Advanced button opens the Proxy Settings dialog box (Figure 12-5), where you can specify the following additional settings:

Servers Allows you to designate separate proxy server addresses or ports for different Internet protocols.

Exceptions Allows you to designate addresses or networks for which Internet Explorer will bypass the proxy server. This option is typically used for internal addresses that should be reached directly rather than through the proxy.


Figure 12-5 Configuring advanced proxy settings

NOTE

Using the Automatically Detect Settings option can cause proxy settings to be overridden when another proxy server is configured with WPAD. If you do not want manually configured proxy settings to change, be sure to disable automatic detection by clearing the Automatically Detect Settings check box.

Dial-Up Settings This section of the Settings dialog box allows you to enter username and password information for this connection. It also includes two buttons:

Properties Opens the Properties dialog box for the connection itself (Figure 12-6). This is the same dialog box you would access from the Network Connections window by right-clicking the connection and choosing Properties. Here you can specify the connection's phone number, dialing options, and security settings. You can also choose which protocols and clients will be bound to this connection and whether Internet Connection Sharing or Windows Firewall will be used on it.

Figure 12-6 Dial-up connection properties



Advanced Opens the Advanced Dial-Up dialog box for the connection (Figure 12-7). Here you can override dial-up settings from the configured connection when you use Internet Explorer with this connection. This is useful if you are using a connection for multiple purposes and need different settings for idle disconnect when using Internet Explorer to avoid dropping the connection during periods of inactivity.

Figure 12-7 Advanced settings for a dial-up connection



LAN settings Click the LAN Settings button on the Connections tab of the Internet Options dialog box to open the Local Area Network (LAN) Settings dialog box (Figure 12-8). This dialog box is similar to the dial-up Settings dialog box, minus dial-up options such as username and password or connection properties. The options in this dialog box are:

Automatic Configuration The same options for automatic configuration of a proxy server that we discussed for dial-up connections are available to LAN connections. Proxy Server Allows you to manually configure proxy server settings. The same options we discussed previously are available here as well.

Figure 12-8 The Local Area Network (LAN) Settings dialog box

CONNECTING TO RESOURCES USING INTERNET EXPLORER


You can do more with Internet Explorer than merely browse Web sites. You can use it to connect to a wide variety of network and Internet resources including:

Web servers
File Transfer Protocol (FTP) servers
Web folders (using WebDAV)
Microsoft .NET server applications
Applications that use ActiveX or Java programs and scripts

We will look at the procedures for accessing these resources and discuss any special steps or extra components required to make use of them.

Uniform Resource Locators


Most people are familiar with the format of Uniform Resource Locators (URLs) from publications and television. Let's look at the parts of a URL (Figure 12-9) more closely.


Figure 12-9 Parts of a URL: http://www.contoso.com:5680/docfiles/document_list.html#finance (protocol, hostname, port, path, document, named anchor)

Protocol indicator This indicates the Internet protocol that Internet Explorer should use to access the resource. Some resources, prefaced by indicators such as http:// and ftp://, are opened directly in Internet Explorer. Other resources, prefaced by indicators such as mailto: and news:, are passed to Microsoft Outlook Express or another e-mail or Usenet application for processing. Other protocol indicators you may see are:

https:// Hypertext Transfer Protocol Secure. Uses Secure Sockets Layer (SSL) to provide encrypted HTTP connections.

file:// Local file system resources. (For example, file:///c:/deploy opens the C:\Deploy folder on the local system.)

telnet:// An address resource for the Telnet protocol.

ipp:// Internet Printing Protocol address (used to connect to Internet printers).

ldap:// Lightweight Directory Access Protocol.
NOTE

This list is by no means complete. IANA maintains a registered list of URL protocol schemes at http://www.iana.org/assignments/uri-schemes.

Host name Designates the host name or IP address of the system hosting the URL.

Port An optional portion of the address. Most protocols use well-known port numbers, such as 80 for HTTP, to identify their ports. This value must be specified only if the host is using a nonstandard port number (for the indicated protocol) to host this resource.

Path Designates the directory path on the host relative to the root of the directory serving the document.

Document The actual file name of the document on the host system. Some documents, such as HTML documents, are interpreted by the browser and displayed, while others are simply downloaded to the client system. Other types of files might be scripts or applications that will be hosted in the browser window during operation.


Named anchor Allows the programmer of the site to provide shortcuts to specific points within documents. By inserting anchor tags into the document code, the programmer can allow clients to rapidly find certain passages in a very large file.
NOTE

Other special characters and syntax can be used in URLs to pass information into an application on the server end. An example of this would be the query syntax you see displayed in the address box when you are viewing the results of a search engine query.
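The breakdown in Figure 12-9 can be carried out mechanically. The following Python function is an added example for this chapter (not code from the book or from Internet Explorer); the well-known port table and the rule that a string with no protocol indicator is treated as http:// are assumptions of the example.

```python
"""Split a URL into the parts named in Figure 12-9.

Added example for this chapter; it is not code from the book or from
Internet Explorer. The well-known port table and the address-bar rule
(no protocol indicator means http://) are assumptions of the example.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

# Default ports used when the optional port part is omitted. Only port 80
# for HTTP is mentioned in the chapter; the others are assumptions.
WELL_KNOWN_PORTS = {"http": 80, "https": 443, "ftp": 21,
                    "telnet": 23, "ldap": 389, "ipp": 631}

# Protocol indicators the chapter says Internet Explorer opens itself;
# anything else (mailto:, news:, ...) is handed to another application.
BROWSER_SCHEMES = {"http", "https", "ftp", "file"}


def parse_url(url: str) -> dict:
    """Return protocol, host, port, path, document, query and named anchor."""
    parts = urlsplit(url)
    if not parts.scheme:
        # A bare string such as www.microsoft.com is treated as an HTTP URL,
        # mirroring what the Address bar does (assumption of this example).
        parts = urlsplit("http://" + url)
    scheme = parts.scheme.lower()

    # parts.port raises ValueError for a non-numeric port; a missing port
    # falls back to the well-known port for the protocol, if one is known.
    explicit_port = parts.port
    port = explicit_port if explicit_port is not None else WELL_KNOWN_PORTS.get(scheme)

    # The last path segment is the document; everything before it is the path
    # relative to the document root. A path ending in "/" names a folder.
    document = parts.path.rpartition("/")[2]
    directory = parts.path[: len(parts.path) - len(document)]

    return {
        "protocol": scheme,
        "opened_by_browser": scheme in BROWSER_SCHEMES,
        "host": parts.hostname,              # None for file:///c:/deploy
        "port": port,
        # The port must be written only when it differs from the well-known one.
        "port_required": port is not None and port != WELL_KNOWN_PORTS.get(scheme),
        "path": directory,
        "document": unquote(document),
        # Query syntax (the ?key=value part seen on search result pages).
        "query": dict(parse_qsl(parts.query)),
        "anchor": parts.fragment,
    }
```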

Connecting to Web Site Resources


By far the most common use of Internet Explorer is for entering a URL in the Address bar to open the requested document in the Internet Explorer window. Users enter the URL as a string (such as www.microsoft.com), and Internet Explorer opens the default document from that address (Figure 12-10).

Figure 12-10 The microsoft.com site in Internet Explorer



Other ways to access Web site resources include clicking on a hyperlink in another Web document or in an e-mail. The hyperlink is interpreted by the system, Internet Explorer (or the default Web browser) opens, and the document is requested from the specified host.

Accessing FTP Resources


You can also use Internet Explorer to access remote FTP servers (instead of using the command-line FTP program included with Windows XP). If you enter ftp://servername/directoryname/filename, Internet Explorer opens the FTP site and requests the named document or opens the named folder. Some FTP sites require users to enter a username and password to access FTP resources on that site. If you need to enter a username and password, choose File | Login As to open the Log On As dialog box (Figure 12-11).

Figure 12-11 Logging on to an FTP server



Once a folder is open on an FTP site, Internet Explorer presents a folder view similar to a standard Windows XP folder view. A user who has the appropriate permissions can save, edit, or delete files from the FTP folder.

Accessing Web Folders


Using a technology called Web Distributed Authoring and Versioning (WebDAV), Internet servers can make document repositories available to clients. Windows XP and Internet Explorer can access shared resources on WebDAV servers. To access a Web folder using Internet Explorer, take the following steps:

1. In Internet Explorer, choose File | Open.

2. Enter the URL of the Web folder, and select the Open As Web Folder option.

3. Internet Explorer opens the Web folder in a standard Windows XP folder view.

Web folders behave exactly like file system folders; they allow users with the appropriate permissions to open, edit, save, and delete documents in the folder.


Connecting to Web Server-Based Applications


Many specialized applications exist on Web servers that use more than just plain HTML to perform their functions. For example, some applications written using the .NET Framework can leverage sophisticated back-end programs developed in one of several compatible languages, such as Visual Basic or C#, and present the interface to a client running Internet Explorer. No special accommodations are needed on the client end to access these applications. The client typically sees only the URL used to access the application while the application runs within the browser window.
NOTE

Some .NET applications use both client-side and server-side components to accomplish their tasks.

Other programs written in languages such as Java might require installation of a Java Virtual Machine (JVM) provided as part of the Java Runtime Environment (JRE) (which is available for free from Sun Microsystems).
NOTE

Java-based server-side applications do not require a JVM on the client system.

MANAGING INTERNET EXPLORER SECURITY SETTINGS


Internet users can have heated debates on the relative merits and deficiencies of the various browser platforms. The fact remains that Internet Explorer is the browser most closely integrated with Windows XP Professional. In addition to supporting all major W3C browser standards, it can be customized, and even branded, by computer manufacturers and ISPs; managed remotely using Group Policies; and updated for known security vulnerabilities via Microsofts Automatic Updates feature.

Overview of Internet Explorer Security Features


Other browsers without ActiveX support might initially appear to be more secure than Internet Explorer, but they fall short in terms of functionality and manageability. Internet Explorer also has much stronger security features in Windows XP Service Pack 2, including the ability to block pop-up windows and the ability to manage browser helper objects (BHOs) and other add-ons with Add-On Manager (Figure 12-12).


Figure 12-12 Add-On Manager displaying loaded add-ons on a Windows XP SP2 system

You can also use Web content zones (Figure 12-13) in Internet Explorer to restrict the level of privilege a remote application has on the local system. For instance, you can limit ActiveX support to downloading and running approved ActiveX controls in the Internet zone, blocking the downloading of suspicious controls.

Figure 12-13 Internet Explorer Web content zones



You can manage Internet Explorer security configuration using Local Security Policy or Group Policy to implement security best practices across one or thousands of systems. Administrators thus have the ability to apply security configurations consistently and comprehensively.


Managing URL Actions for Web Content Zones


Before we launch into a discussion of Web content zones, let's examine the settings that are configured for each zone. You can view these settings, called URL actions, by choosing Tools | Internet Options in Internet Explorer. On the Security tab of the Internet Options dialog box, click Custom Level for any Web content zone. You will see a list of URL actions (Figure 12-14) with Disable and Enable options and occasionally Administrator Approved and Prompt options.

Figure 12-14 URL actions for the Internet zone



Let's look at the individual URL actions that can be configured in each zone.

.NET Framework settings This category of options configures the behavior of Internet Explorer with Web components designed to support the .NET Framework, an environment for building and running Web services and applications. You can manage the following .NET Framework settings:

Run Components Not Signed With Authenticode Controls whether Internet Explorer will run a .NET Framework component that has not been signed with an Authenticode code-signing certificate. Unsigned applications can pose a risk because the user has no assurance that the author is who he claims to be or that the program has not been modified by a hacker. The options available for this setting are Disable, Enable, and Prompt.


NOTE

The options Disable, Enable, and Prompt must be taken in the context of the description of the settings. When you manage these settings, consider each option as preceding the settings. For example, (Disable) Run components not signed with Authenticode makes more sense than Run components not signed with Authenticode (Disable). Prompt configures Internet Explorer to prompt the user when a controlled component is requested by the Web page.

Run Components Signed With Authenticode Enables or disables the running of Authenticode-signed components. By disabling both signed and unsigned components, you can completely disable .NET Framework components. The options available for this setting are Disable, Enable, and Prompt.

ActiveX controls and plug-ins ActiveX controls are powerful tools for distributing Web applications and services. They do pose a risk, however, because malicious controls can be used to load backdoor programs or damage data on the systems of unsuspecting users. The ActiveX settings you can manage are:

Automatic Prompting For ActiveX Controls Specifies whether Internet Explorer will notify users that the Web page they are loading contains an ActiveX control. If this setting is enabled, a prompt opens when a Web page attempts to load an ActiveX control that has not yet been installed on the system. If this setting is disabled, the control is blocked and the Internet Explorer Information Bar is presented to ask the user what to do.
NOTE

The Information Bar is a new feature of Internet Explorer in Windows XP SP2. It alerts users to blocked downloads, pop-ups, and controls and gives the user an opportunity to accept or reject the blocked content.

Binary And Script Behaviors Binary behaviors and script behaviors are prepackaged bits of code that can be called by HTML commands on a Web page. An example of a behavior is any Windows Media behavior that can be called with the appropriate HTML commands. The options for this setting are to allow only administrator-approved behaviors, disable behaviors, or enable behaviors. You can authorize Administrator-approved behaviors by using the Group Policy Management console (Gpedit.msc). Look for the Binary Behavior Security Restriction policy (Figure 12-15).


Figure 12-15 Configuring the Binary Behavior Security Restriction setting in the Group Policy Management console

Download Signed ActiveX Controls Enables or disables downloading of signed ActiveX controls. The options available for this setting are Disable, Enable, and Prompt.

Download Unsigned ActiveX Controls Enables or disables downloading of unsigned ActiveX controls. The options available for this setting are Disable, Enable, and Prompt.

Initialize And Script ActiveX Controls Not Marked As Safe Enables or disables scripting of ActiveX controls. When enabled, this option allows any ActiveX control to be initialized and scripted. This option is not recommended for security reasons, but you can use it on highly secure zones where ActiveX controls can be trusted. The options available for this setting are Disable, Enable, and Prompt.

Run ActiveX Controls And Plug-ins Enables or disables running of ActiveX controls for the specified zone. The options available for this setting are Administrator Approved, Disable, Enable, and Prompt.
NOTE

You manage Administrator-approved ActiveX controls using Group Policy in the same way that you manage administrator-approved behaviors.

Script ActiveX Controls Marked Safe For Scripting Specifies whether ActiveX controls that have been marked as safe for scripting can be called on by scripts in Web pages in the specified zone. The options available for this setting are Disable, Enable, and Prompt.


Downloads You can prevent users from downloading files using Internet Explorer by configuring the Download options:

Automatic Prompting For File Downloads Specifies whether Internet Explorer prompts users when the Web page is attempting to push a file to Internet Explorer. When this option is enabled, users are prompted for all downloads they initiate. The options available for this setting are Disable and Enable.

File Download Enables or disables file downloads. The options available for this setting are Disable and Enable.

Font Download Specifies the response to a Web page attempting to download HTML fonts to the browser. The options available for this setting are Disable, Enable, and Prompt.

Miscellaneous settings These are settings that do not fit one of the other main categories.

Access Data Sources Across Domains Specifies whether a Web page can instruct Internet Explorer to access data in another site using Microsoft data access technologies. The options available for this setting are Disable, Enable, and Prompt.

Allow META REFRESH Specifies whether a Web page will be allowed to redirect your browser to another site through the use of a META REFRESH tag. The options available for this setting are Disable and Enable.

Allow Scripting Of Internet Explorer WebBrowser Control Specifies whether scripts can control the WebBrowser ActiveX control. This control is a component of Internet Explorer that can be used by developers to provide Web browsing features in another application. By default, the control is not marked as safe for scripting, which means it cannot be called by scripts. The options available for this setting are Disable and Enable.

Allow Script Initiated Windows Without Size Or Position Constraints Specifies whether Web page scripts can open pop-ups and windows that do not display title and status bars. By default, this action is not allowed. The options available for this setting are Disable, Enable, and Prompt.

Allow Web Pages To Use Restricted Protocols For Active Content Specifies whether Internet Explorer can use a protocol that has been restricted by an administrator through use of the Network Protocol Lockdown Group Policy. The options available for this setting are Disable, Enable, and Prompt.


Display Mixed Content Specifies whether users will receive a message during a secure browsing session if they are receiving nonsecure content. Enabling this setting blocks the message "This page contains both secure and non-secure items. Do you want to display the non-secure items?" The options available for this setting are Disable, Enable, and Prompt.

Don't Prompt For Client Certificate Selection When No Certificates Or One Certificate Exists Specifies whether users will be prevented from being prompted when they have only one certificate to choose from or have no certificates for client authentication. When a user accesses a Web site that uses digital certificates to authenticate users, the user might be prompted to indicate which certificate to use to authenticate to the Web site. The options available for this setting are Disable and Enable.

Drag And Drop Or Copy And Paste Files Specifies whether users can use drag-and-drop or copy-and-paste operations to save files from the zone to their system. The options available for this setting are Disable, Enable, and Prompt.

Installation Of Desktop Items Specifies whether users can install Active Desktop Web components using sites or pages from the specified zone. The options available for this setting are Disable, Enable, and Prompt.

Launching Programs And Files In An IFRAME Specifies whether programs or scripts can be executed inside of inline frames, which are essentially free-form frames inside Web pages. The options available for this setting are Disable, Enable, and Prompt.

Navigate Sub-Frames Across Different Domains Specifies whether Web pages can call subframes that are hosted by domains other than the Web page's own domain. The options available for this setting are Disable, Enable, and Prompt.

Open Files Based On Content, Not File Extension Specifies whether Internet Explorer will attempt to detect the type of file it is opening by examining its binary signature instead of its file extension. Enabling this setting prevents file extension spoofing. The options available for this setting are Disable and Enable.

Software Channel Permissions Controls the response of Internet Explorer to software updates distributed over software update channels. Software update channels are subscription-based notification channels that third-party software publishers can use to notify their users about news and updates. The options for this setting are Low Safety, Medium Safety, and High Safety. Low Safety allows the software to be automatically downloaded and installed. Medium Safety allows software to be downloaded but not installed automatically. High Safety prevents automatic download of software.

Submit Non-Encrypted Form Data Specifies whether users can submit data from nonencrypted Web forms. The options available for this setting are Disable, Enable, and Prompt.

Use Pop-Up Blocker Specifies whether Pop-Up Blocker is activated for the specified zone. The options available for this setting are Disable and Enable.

Userdata Persistence Specifies whether Internet Explorer will retain user data information for successive visits to a page. Data persistence allows code in a Web page to store user data in an XML repository on the client to be used on later visits. This data can consist of configuration preferences, form fields, even online game settings and scores. Disabling this setting clears user data when the browser is closed, requiring user data to be reentered the next time a page is visited.

Web Sites In Less Privileged Web Content Zone Can Navigate Into This Zone Specifies whether Web sites in more restrictive zones can open less restricted sites. Enabling this setting creates the potential for zone elevation, so it is best to disable it. The options available for this setting are Disable, Enable, and Prompt.
NOTE

Many of the settings discussed here are designed to prevent cross-site scripting attacks and zone elevation attacks. Cross-site scripting happens when a malicious user places scripts or tags into content on a site that will call up forms or pages from the attacker's Web server. These pages can obtain private information from victims who think they are entering data into the legitimate site. Zone elevation is the use of one site to leverage scripts or controls from a site in a less restrictive zone to carry out malicious actions.

Scripting settings Settings in this category control how Internet Explorer responds to scripts in Web pages.

Active Scripting Enables or disables all Web page scripts. The options available for this setting are Disable, Enable, and Prompt.

Allow Paste Operations Via Script Controls a script's ability to copy or paste data using the Windows Clipboard. The options available for this setting are Disable, Enable, and Prompt.


Scripting Of Java Applets Specifies whether scripts are allowed to access Java applets. The options available for this setting are Disable, Enable, and Prompt.

User Authentication This setting controls how browser authentication is performed. The single setting in this category, Logon, has four options:

Anonymous Logon Disables HTTP authentication. Internet Explorer will not transmit any username or password.

Prompt For User Name And Password Queries users for user IDs and passwords for sites in all zones. These values can be used silently for the remainder of the session.

Automatic Logon Only In Intranet Zone Allows automatic authentication using the current username and password for sites in the Intranet zone. Queries users for user IDs and passwords for sites in all other zones. Once provided, these values can be used silently for the remainder of the session.

Automatic Logon With Current User Name And Password Attempts logon using Windows NT challenge/response (NTLM) authentication. If Windows NT challenge/response is not supported by the server, the user is queried to provide a username and password.

Web Content Zones


The URL action settings would be hopelessly complex to administer if there were not some way to consolidate them and apply them to specific sites. For this purpose, Microsoft has designed Web content zones. You can use these zones, also known as security zones, to configure your browser's response to a group of sites with similar levels of trust. Let's explore these zones from most restrictive (least privileged) to least restrictive (most privileged).

Restricted Sites zone Contains sites that are suspected of containing malicious code. Default settings for this zone are very restrictive to eliminate the possibility that malicious content will be activated.

Internet zone Contains all sites not otherwise designated. The settings defined for this zone balance security with functionality. Most security-related settings will be configured to prompt the user for acceptance of questionable content.

Local Intranet zone Defines domains, sites, and hosts that have an elevated level of trust. The default settings for this zone relax the requirements somewhat because sites in this zone are more trusted than those in the Internet and Restricted Sites zones.

Trusted Sites zone Contains sites explicitly trusted by the user. Most prompts are turned off, and most content is executed by default.

Locked-Down Local Machine zone A special zone that adds an extra measure of security by locking down the Local Machine zone. When settings for this zone do not match those of the standard Local Machine zone, the user is prompted to choose which setting to use.

Local Machine zone Defines objects that exist on the local system. These might include HTML-formatted documents and tools located on the local system. This zone does not apply to content accessed from the browser cache. Cached content is activated in the zone of the site from which it was downloaded.
NOTE

The Local Machine and Locked-Down Local Machine zones are not visible on the Security tab. This protects these very privileged zones from inadvertent misconfiguration. You can manage these zones by using Group Policy settings, either locally with Local Security Policy or remotely using Active Directory group policy objects.

Managing Web content zones You can manage individual settings for Web content zones by clicking the Custom Level button for the zone. This opens the Security Settings dialog box (Figure 12-16). You can select options to create a custom security configuration for that zone.

Figure 12-16 Setting URL actions in the Internet Web content zone


URL action templates To make setting multiple options simpler for users and administrators, Microsoft has defined templates that can apply all settings at once to achieve a specific level of security. Available templates are:

Low Used mostly for Web content zones that contain trusted sites. This is the default security level for the Trusted Sites zone.

Medium-low For Web content zones that contain sites that are probably safe. This is the default security level for the Intranet zone.

Medium For zones with sites that require a balance between safety and functionality. This is the default security level for the Internet zone.

High For zones that contain sites that can be expected to try to harm your system. This is the default security level for the Restricted Sites zone.

To assign a template to a Web content zone, you can move the slider control on the Security tab to your preferred setting (Figure 12-17).

Figure 12-17 Setting the Internet Web content zone to the High template setting

Adding sites to Web content zones You can add Web sites to the Restricted, Intranet, and Trusted Sites zones. The Internet zone comprises Internet sites that are not assigned to any other zone. The Local Machine and Locked-Down Local Machine zones are restricted to Web content that originates on the local system, so sites cannot be added to these zones. To add a site to a Web content zone, take the following steps:

1. Choose Tools | Internet Options | Security.

2. Select the zone you want to administer.

3. Click the Sites button to open the dialog box for that zone. The Intranet zone will prompt for network settings (Figure 12-18) that Internet Explorer can use to decide which sites are intranet sites.


Figure 12-18 Defining inclusion settings for the Local Intranet Web content zone

4. Click Advanced to open the sites list for this zone (Figure 12-19).


Figure 12-19 Adding sites to the Intranet Web content zone

5. In the Add This Web Site To The Zone dialog box, type the URL for the site you want to add. Click Add.
NOTE

The Trusted Sites and Restricted Web content zones do not display the Inclusion Settings dialog box shown in Figure 12-18.
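To see how the site lists, the slider templates, Custom Level overrides and the "Web Sites In Less Privileged Web Content Zone Can Navigate Into This Zone" action fit together, here is a small model of the zone logic written as an added example for this chapter; it is not Internet Explorer's code and reads none of the browser's real configuration. The per-template action values, the host names, and the rule that an undotted host name counts as intranet are constructed for the example.

```python
"""Model of Web content zones, URL action templates and zone elevation.

Added example for this chapter, not Internet Explorer's implementation.
The template values in TEMPLATES are constructed to show the mechanism and
are not a transcript of the browser's real defaults; the Locked-Down Local
Machine zone is not modeled.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Zones from most restrictive (least privileged) to least restrictive, in the
# order the chapter lists them; the list index is the privilege level.
ZONES = ["Restricted Sites", "Internet", "Local Intranet", "Trusted Sites", "Local Machine"]

# Default slider template for each zone, as stated in the chapter.
DEFAULT_TEMPLATE = {"Restricted Sites": "High", "Internet": "Medium",
                    "Local Intranet": "Medium-low", "Trusted Sites": "Low"}

ELEVATION_ACTION = "Web Sites In Less Privileged Web Content Zone Can Navigate Into This Zone"

# URL action value per template (constructed for this example).
TEMPLATE_INDEX = {"High": 0, "Medium": 1, "Medium-low": 2, "Low": 3}
TEMPLATES = {
    #                                        High       Medium     Medium-low Low
    "Run ActiveX Controls And Plug-ins":   ("Disable", "Enable",  "Enable",  "Enable"),
    "Download Unsigned ActiveX Controls":  ("Disable", "Disable", "Disable", "Prompt"),
    "Active Scripting":                    ("Disable", "Enable",  "Enable",  "Enable"),
    "Submit Non-Encrypted Form Data":      ("Prompt",  "Prompt",  "Enable",  "Enable"),
    ELEVATION_ACTION:                      ("Disable", "Enable",  "Enable",  "Enable"),
}


@dataclass
class ZoneConfig:
    """Sites added to each zone, the slider position per zone, and Custom Level edits."""
    trusted: set = field(default_factory=set)       # hosts added to Trusted Sites
    restricted: set = field(default_factory=set)    # hosts added to Restricted Sites
    intranet: set = field(default_factory=set)      # hosts added to Local Intranet
    templates: dict = field(default_factory=lambda: dict(DEFAULT_TEMPLATE))
    custom: dict = field(default_factory=dict)      # (zone, action) -> value


def host_matches(host, patterns):
    """True if host is listed exactly or covered by a '*.domain' entry."""
    for pattern in patterns:
        if pattern.startswith("*."):
            if host == pattern[2:] or host.endswith(pattern[1:]):
                return True
        elif host == pattern:
            return True
    return False


def zone_for(url, cfg):
    """Assign a URL to a zone: explicit lists first, then the intranet rule, else Internet."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "file":
        return "Local Machine"
    host = (parts.hostname or "").lower()
    if host_matches(host, cfg.restricted):
        return "Restricted Sites"
    if host_matches(host, cfg.trusted):
        return "Trusted Sites"
    # Simplified stand-in for the Intranet inclusion settings (Figure 12-18):
    # listed hosts, plus plain names without a dot, count as intranet.
    if host_matches(host, cfg.intranet) or (host and "." not in host):
        return "Local Intranet"
    return "Internet"


def url_action(zone, action, cfg):
    """Effective value of one URL action in a zone: Custom Level override, else the template."""
    if (zone, action) in cfg.custom:
        return cfg.custom[(zone, action)]
    if zone == "Local Machine":
        return "Enable"     # not on the Security tab; assumed fully trusted in this model
    return TEMPLATES[action][TEMPLATE_INDEX[cfg.templates[zone]]]


def navigation_decision(from_url, to_url, cfg):
    """'Enable', 'Prompt' or 'Disable' for a page on from_url opening to_url.

    Moving to a zone of equal or lower privilege is always allowed; moving into
    a more privileged zone (possible zone elevation) is governed by the target
    zone's elevation action.
    """
    src, dst = zone_for(from_url, cfg), zone_for(to_url, cfg)
    if ZONES.index(dst) <= ZONES.index(src):
        return "Enable"
    return url_action(dst, ELEVATION_ACTION, cfg)


def effective_settings(url, cfg):
    """All modeled URL actions as they apply to the zone a URL falls into."""
    zone = zone_for(url, cfg)
    return {action: url_action(zone, action, cfg) for action in TEMPLATES}
```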

Advanced Internet Security Options


In addition to the security settings on the Security tab in the Internet Options dialog box, you'll find more security settings on the Advanced tab. These settings control additional security-related options for Internet Explorer. There are many possible combinations of settings. When you configure these settings, you must keep in mind what the system is being used for because these settings are not one-size-fits-all.

Allow Active Content From CDs To Run On My Computer Allows active HTML content on a CD-ROM to run without prompting the user.

Allow Active Content To Run In Files On My Computer Allows active content on the local system to run.

Allow Software To Run Or Install Even If The Signature Is Invalid Allows the user to run an application that does not have a valid code-signing certificate or digital signature.

Check For Publisher's Certificate Revocation Checks a software publisher's certificate against published revocation lists to see if the certificate has been revoked.

Check For Server Certificate Revocation (Requires Restart) Checks the Web server's SSL certificate against published revocation lists to see if the certificate has been revoked.

Check For Signatures On Downloaded Programs Checks downloaded applications for digital certificates. If one exists, the user can view the certificate.

Do Not Save Encrypted Pages To Disk Causes Internet Explorer to maintain SSL pages in memory and not commit them to the Internet cache on disk. This provides additional security when access to the disk might reveal passwords or other private information.

Empty Temporary Internet Files Folder When Browser Is Closed Causes Internet Explorer to delete the contents of its cache when the user closes the browser.

Enable Integrated Windows Authentication (Requires Restart) Causes Internet Explorer to authenticate the user to server resources using Integrated Windows Authentication. When this option is selected, Internet Explorer uses the username and password of the user to access the resource.

Enable Profile Assistant Enables Profile Assistant, the feature of Internet Explorer that maintains user information to automate completion of Web forms.

Use SSL 2.0 Enables use of the SSL version 2 secure sockets specification to access secure Web servers.

Use SSL 3.0 Enables use of the SSL version 3 secure sockets specification to access secure Web servers. SSL 3 is more secure than SSL 2.

Use TLS 1.0 Requires use of Transport Layer Security (TLS) version 1, an enhancement to the secure sockets specification for accessing secure Web servers. If this option is selected, TLS 1.0 will be required by Internet Explorer. If a secure site does not support it, pages will not load.


Warn About Invalid Site Certificates Causes Internet Explorer to prompt the user when a site she is connecting to does not have a valid site certificate.

Warn If Changing Between Secure And Not Secure Mode Directs Internet Explorer to warn the user when he is leaving a secure site.

Warn If Forms Submittal Is Being Redirected Causes Internet Explorer to warn the user if a form is being directed to a site other than the one from which it was opened.

MANAGING INTERNET EXPLORER PRIVACY SETTINGS


Privacy is important for Internet users. Many criminals make a good living stealing private information and using it in fraudulent transactions. Systems can fall victim to malicious invasions of privacy that range from social engineering (also referred to as phishing) attacks (in which users are tricked into entering private information into a form or an e-mail) to spyware that's designed to watch user navigation or log users' keystrokes. In this section, we will discuss the privacy features of Internet Explorer. You will learn about the settings you can use to protect users' privacy and how to manage private data stored on the system.

Cookies
Cookies track data about a user, her preferences, and often even her password on a site. These small text files are placed on your system by your browser in cooperation with a remote Web site. The Web site instructs your browser to store certain items of data in the file to allow the site to query your system on future visits to obtain, and thus honor, your preferences. This is a great tool for Web designers who are interested in providing a customized experience to visitors. It does, however, raise a few privacy issues.

Types of cookies Cookies are classified by how long they last and by the identity of the issuer:

Session cookies These cookies are destroyed when you close your browser. They are used to track information that pertains only to the current connection to a site, such as shopping cart data on an e-commerce site.


Persistent cookies These cookies are stored on your hard disk and can be recalled by the Web site that stores them until they have reached a preset expiration date. This type of cookie is useful for managing user preferences for site display settings or for identifying a user on subsequent visits to the site.

First-party cookies These cookies are saved by the site you are visiting. Most users allow first-party cookies because they are used for legitimate usability purposes for the site.

Third-party cookies These cookies are usually saved by a third party that has an ad banner or other frame on the page you have loaded. This allows the third party to see if you appear on other sites it has banners on and thus follow your click stream and compile demographic information about your Internet surfing habits.

Managing cookies
You can manage cookies by adjusting the privacy slider on the Privacy tab of the Internet Options dialog box (Figure 12-20).

Figure 12-20 Configuring privacy settings



Options available for the privacy slider are:

Block All Cookies Blocks all sites from saving cookies on your system. If any cookies are already on your system, sites will not be allowed to read them.

High Blocks any cookies from Web sites that do not have a computer-readable privacy statement called a compact policy. Cookies from first-party Web sites that use your personal information without your explicit permission are blocked.

406

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Medium High Blocks cookies from third-party Web sites that do not have a compact policy or that use your personal information without your explicit permission. Cookies from first-party sites that use your personal information without your implicit permission are also blocked.

Medium Blocks cookies from third-party Web sites that do not have a compact policy or that use your personal information without your implicit permission. Cookies from first-party sites that use your personal information without your implicit permission are deleted from your computer when you close Internet Explorer.

Low Blocks cookies from third-party Web sites that do not have a compact policy. Cookies from third-party Web sites that use your personal information without your implicit consent are deleted from your computer when you close Internet Explorer.

Accept All Cookies Saves all cookies on your computer. Existing cookies on your computer can be read by the Web sites that created them.
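The two classifications described under Types of cookies (session versus persistent, first-party versus third-party) and the one slider rule that the Low, Medium, and Medium High levels share (block a third-party cookie when the response that set it carried no compact policy), worked through in code. This is an added example, not code from the book or from Internet Explorer; the Set-Cookie header values, host names, and compact-policy flags are constructed, and the site comparison uses a crude last-two-labels rule rather than a real public suffix list.

```python
"""Classify cookies by lifetime and by issuer, then apply the slider rule shared
by Low, Medium and Medium High: refuse a third-party cookie when the response
that set it carried no P3P compact policy. Added example; all data constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional


@dataclass
class Cookie:
    name: str
    issuer: str                  # host that sent the Set-Cookie header
    expires: Optional[datetime]  # None marks a session cookie


def registrable_domain(host: str) -> str:
    """Crude site boundary: the last two labels (ads.tracker.net -> tracker.net).
    Real browsers consult the Public Suffix List; this is enough for the sample hosts."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_set_cookie(header: str, issuer: str, now: datetime) -> Cookie:
    """Turn one Set-Cookie header value into a Cookie and work out its lifetime.
    Max-Age wins over Expires (RFC 6265); with neither attribute the cookie is
    a session cookie and lives only until the browser closes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    expires = None
    if "max-age" in attrs:
        expires = now + timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
    return Cookie(name, issuer, expires)


def party(cookie: Cookie, page_host: str) -> str:
    """First-party when the issuer is the site being visited; third-party when it
    is another site, such as an ad server whose banner is embedded in the page."""
    same_site = registrable_domain(cookie.issuer) == registrable_domain(page_host)
    return "first-party" if same_site else "third-party"


def accepted(cookie: Cookie, page_host: str, has_compact_policy: bool) -> bool:
    """Rule common to the Low, Medium and Medium High positions: a third-party
    cookie is blocked unless the response carried a compact policy (the CP="..."
    value of a P3P header). The personal-information checks that Medium and
    above add on top of this are not modelled here."""
    return party(cookie, page_host) == "first-party" or has_compact_policy


def survives_browser_close(cookie: Cookie, now: datetime) -> bool:
    """Session cookies are destroyed on close; persistent ones stay until expiry."""
    return cookie.expires is not None and cookie.expires > now


# Constructed scenario: the user visits shop.example.com, whose page embeds a
# banner served from ads.tracker.net. Each entry is
# (issuer host, Set-Cookie header value, response carried a P3P compact policy?).
NOW = datetime(2005, 3, 1, 12, 0, tzinfo=timezone.utc)
PAGE_HOST = "shop.example.com"
RESPONSES = [
    ("shop.example.com", "cart=ab12; Path=/; HttpOnly", False),
    ("shop.example.com", "prefs=lang%3Den; Expires=Wed, 01 Mar 2006 12:00:00 GMT", False),
    ("ads.tracker.net", "uid=9f8e7d; Max-Age=31536000; Domain=.tracker.net", False),
    ("ads.tracker.net", "camp=77; Max-Age=600", True),
]


def audit(responses=RESPONSES, page_host=PAGE_HOST, now=NOW):
    """Classify every cookie and record what the slider rule and a browser close do to it."""
    rows = []
    for issuer, header, has_cp in responses:
        cookie = parse_set_cookie(header, issuer, now)
        rows.append({
            "name": cookie.name,
            "lifetime": "session" if cookie.expires is None else "persistent",
            "party": party(cookie, page_host),
            "accepted": accepted(cookie, page_host, has_cp),
            "kept_after_close": survives_browser_close(cookie, now),
        })
    return rows


if __name__ == "__main__":
    for row in audit():
        print(row)
```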

In addition to the slider settings for cookies, this section of the Privacy tab has four other options:

Sites button Opens the Per Site Privacy Actions dialog box, where you can specify sites to allow or block.

Import button Allows you to import Internet Explorer privacy preferences based on the Platform for Privacy Preferences (P3P) specification.

NOTE

P3P is an open standard that allows users to specify their privacy preferences and apply them to their Web communications. Users answer questions to create a privacy profile that can be imported into their Web browser. The browser then uses those settings to adjust its own privacy controls for the sites the user visits.

Advanced option Allows you to override cookie handling.

Default button Restores the default settings.

Deleting cookies
Occasionally you might want to delete cookies that have been stored on your system by Web sites. You can do this by clicking the Delete Cookies button on the General tab of the Internet Options dialog box (Figure 12-21).


Figure 12-21 Deleting cookies in Internet Explorer



CAUTION

Deleting cookies also deletes persistent cookies you might want to keep. You will learn how to delete individual files later in the chapter.

Pop-Up Blocker
The ability to block pop-up ads was added in Windows XP SP2. You can configure the Pop-Up Blocker feature to block potentially harmful content. Options for managing Pop-Up Blocker include the Pop-Up Blocker Settings dialog box (Figure 12-22), which you can access from the Privacy tab of the Internet Options dialog box or from the Tools menu in Internet Explorer.

Figure 12-22 Configuring Pop-Up Blocker



Pop-Up Blocker offers three filter levels:

High Blocks all pop-ups. This is the most restrictive setting. You can display individual pop-ups by holding down the CTRL key while the window is opening.


Medium Blocks most pop-ups.

Low Allows pop-ups to be displayed on sites using SSL security. This setting assumes that you are on a secure site and would most likely accept pop-ups as required by the site.

When a pop-up is blocked, you can choose to play a sound or activate the Information Bar to notify the user. To configure Pop-Up Blocker to allow pop-ups from a site:
1. Choose Tools | Pop-Up Blocker | Settings.
2. In the Address Of Web Site To Allow field of the Pop-up Blocker Settings dialog box, type the address of the site you want to allow.
3. Click Add.

Managing Internet Cache and History Data


Internet Explorer maintains a cache of recently loaded Web content to allow the same content to load more quickly on subsequent attempts. This data can often reveal what types of data you have been viewing and can be used by someone who is looking for information on your interests and browsing habits. The Internet Explorer History section can also provide a trail of activity that exposes browsing patterns or personal associations you would rather keep private. In this section, you will learn how to configure Internet cache and history settings to prevent unwanted access to this type of data.

Configuring Internet caching
You can configure Internet caching by clicking the Settings button (Figure 12-23) on the General tab of the Internet Options dialog box.

Figure 12-23 The General tab of the Internet Options dialog box


Clicking the Settings button opens the Settings dialog box (Figure 12-24).

Figure 12-24 The Settings dialog box for the Temporary Internet Files folder

This dialog box includes the following settings:

Check For Newer Version Of Stored Page Allows the user to select one of four options:

Every Visit To The Page Checks whether the page has been updated with newer content on every visit to the page.

Every Time You Start Internet Explorer Causes Internet Explorer to check for newer content once for each browsing session.

Automatically Causes Internet Explorer to check for newer content once for each browsing session initially, and then less often if page content is not being renewed.

Never Causes Internet Explorer to never check for newer content.
NOTE

Internet Explorer always loads the latest version of a page when you click the Refresh button or press the F5 key.

Temporary Internet Files Folder A section of the Settings dialog box where you can configure the size and location of the Temporary Internet Files folder. You can also view and manage the contents of the folder by clicking the View Files button or the View Objects button. Settings in this section include:

Amount Of Disk Space To Use Allows you to control the size of the Temporary Internet Files folder. Drag the slider to the left or right to select the desired size.

Move Folder button Allows you to browse to a new location for the Temporary Internet Files folder.


View Files button Opens the Temporary Internet Files folder in a window where you can browse and delete individual files. This is where you can find and delete individual cookies.

View Objects button Presents a list of objects (such as ActiveX controls) that have been downloaded during browser operation.

Deleting temporary Internet files
To delete the contents of the Temporary Internet Files folder, you click the Delete Files button on the General tab of the Internet Options dialog box. This opens the Delete Files dialog box (Figure 12-25), where you can also select the option to delete any files your system has downloaded for offline browsing.
NOTE

Offline browsing differs from Internet caching in that the files required for offline browsing are synchronized with the site while online whether the site is visited or not and are available for use offline. Cached files, on the other hand, are only stored when a site is visited. Offline files are stored separately from cached files to prevent their unintentional deletion. This is why you must choose to delete these files by checking the appropriate option in the Delete Files dialog box.

Figure 12-25 Deleting temporary Internet files



Configuring Internet Explorer history settings
Internet Explorer maintains a list of the Web pages visited. By default, 20 days of browsing history are maintained (Figure 12-26).

Figure 12-26 Internet Explorer history settings




You can configure the number of days to maintain the history by selecting a number from 0 (no history) to 999. You can click the Clear History button to clear the currently displayed history. This will clear both the items in the History folder and the Address bar's history of sites visited (Figure 12-27).
Figure 12-27 Internet Explorer History folder and Address bar history (callouts: History folder contents; Sites Visited history in the Address bar)

AutoComplete and Internet Explorer Password Caching


The AutoComplete feature of Internet Explorer and Internet Explorer password caching can expose your private information under certain circumstances. These features retain the items entered into fields in online forms and password boxes. Those with the right tools (and access to your computer) can read the contents of these repositories and find any private data you have entered into Web forms such as your banking password, Social Security number, government ID, credit card number, and so on. For this reason, knowing your configuration options for AutoComplete is important to your privacy and security.

Configuring AutoComplete
You can use AutoComplete to fill in Web addresses as you type them, fill in fields in forms, and even fill in password fields to help you authenticate to Web sites. The information you enter is stored on your system and can be retrieved by a hacker. The options for managing AutoComplete include disabling it entirely or allowing it to remember Web addresses, form entries, and passwords. You can also clear form entries and passwords.


To configure AutoComplete settings, take the following steps:
1. In Internet Explorer, choose Tools | Internet Options and then select the Content tab.
2. Click the AutoComplete button to open the AutoComplete Settings dialog box (Figure 12-28).
3. Choose the appropriate settings for your privacy needs or clear forms or passwords as appropriate.


Figure 12-28 Managing AutoComplete and password cache settings

USING ADD-ON MANAGER TO CONTROL ADD-ON PROGRAMS


Internet Explorer uses add-on programs and browser helper objects (BHOs) to enhance your Web surfing experience. Some browser add-ons and browser helper objects can be classified as spyware and can be difficult to detect or manage without a special anti-spyware tool. Many add-on programs, such as the Shockwave Flash Object, are used to display dynamic content in the browser. Others assist with forms or special graphic effects. Add-on programs can also, however, track your Internet usage or even send your private data on to nefarious individuals.

BHOs are applications that enhance the browsing experience by interfacing closely with Internet Explorer and providing a service. An example of a helpful BHO might be a virus scanner that scans files as they are downloaded. Unfortunately, BHOs are not always helpful. Some hijack your browser and direct you to sites or search engines as they detect keywords in your addresses or search queries. Often they direct you to sites that pay them commissions based on the number of users they send to the site.
MORE INFO

For more information on how BHOs have been used to hijack Internet Explorer, read TechNet article 322178. Spyware protection tools such as Spybot S&D and Ad-Aware also offer excellent information on BHOs and other spyware on their Web sites.

You can manage add-ons and BHOs using Add-On Manager (Figure 12-29), which was added to Internet Explorer in Windows XP SP2. This tool allows you to view the add-ons and BHOs that are installed or loaded on your system.

Figure 12-29 You can manage browser helper objects and add-ons with Add-On Manager.

To manage add-ons and BHOs:
1. Open Add-On Manager by choosing Tools | Manage Add-Ons.
2. Select the add-on or BHO you want to manage.
3. You can choose to disable, enable, or update the object you have selected.
NOTE

If you need to isolate a problem add-on or BHO, you can disable add-ons and BHOs one by one until you have isolated the one causing undesirable effects on your system.


SUMMARY

Internet Explorer can connect to the Internet in a variety of ways, including dial-up to a corporate network or ISP, broadband Point-to-Point Protocol over Ethernet (PPPoE) connection, direct LAN connection, or through a proxy server. You can use the New Connection Wizard to configure most Internet connections.

Most Internet resources are accessed by entering the appropriate URL in the Internet Explorer Address bar or clicking on a hyperlink from another site. Internet Explorer allows access to resources on Web or FTP servers. You can also use it to access other server types, through the use of add-ons.

Internet Explorer security is divided into content zones. Each zone can have settings appropriate to that zone. Settings can be applied all at once using URL action templates, or they can be customized one setting at a time.

Internet Explorer allows comprehensive cookie management and includes other privacy features such as pop-up blocking and the ability to control password and content caching.

Add-On Manager allows users to view and disable add-ons and browser helper objects (BHOs) that might be causing problems on their systems.

REVIEW QUESTIONS
1. When you type a URL in the Address bar of Internet Explorer, what appears in the browser is not the Web site you have entered but a search site that displays results related to the URL. You suspect that you might have contracted a malicious BHO. How can you know for sure?

2. You are annoyed by the large number of pop-up ads on the Web sites you visit. What technology in Internet Explorer can you use to reduce or eliminate these on your system?
a. Add-On Manager
b. Pop-Up Blocker
c. Privacy slider
d. Web content zones

3. You are giving your computer to a relative and want to be sure you leave no obvious personal information on the system. What should you do to be sure Internet Explorer retains no personal data? (Choose all correct answers.)
a. Clear browsing history
b. Delete Temporary Internet Files
c. Clear AutoComplete data
d. Clear Recently Used Documents

4. You want to block all cookies that you have not personally accepted. Which privacy setting should you select to achieve this?
a. Block All Cookies
b. High
c. Medium
d. Low

5. You are doing research for a novel that is a computer security thriller. You need to explore some sites that you expect might harm your system. Which Internet Explorer Web content zone should you place these sites in?
a. Restricted Sites
b. Internet
c. Trusted Sites
d. Local Intranet

6. You want to access a file named review.html that is located in the Examprep folder on a server located at www.adatum.com. Which URL should you choose to access this document?
a. www.adatum.com/review.html
b. www.adatum.com/Examprep/review.html
c. www.adatum.com/Examprep
d. www.adatum.com/review


CASE SCENARIOS
Scenario 12-1: Getting Online
You work at a small office with eight other employees, and you are exploring options for connecting the office to the Internet. The office has a local area network, and all systems are connected with static IP addresses. You have discovered a device that will provide Internet access and Web filtering. It acts as a hardware proxy server and a DHCP server, and it proxies DNS queries to an Internet DNS server. It does not support either Web Proxy Auto-Discovery (WPAD) or Service Location Protocol (SLP). Answer the following questions about this scenario.

1. Which option in the New Connection Wizard should you use to set up your Internet connection?
a. Connect Using A Dial-Up Modem.
b. Connect Using A Broadband Connection That Requires A User And Password.
c. Connect Using A Broadband Connection That Is Always On.
d. None of the above.

2. Which of the following options do you use to manually configure a proxy server connection for a local area network?
a. On the Connections tab of the Internet Options dialog box, click LAN Settings and configure a proxy server in the Local Area Network (LAN) Settings dialog box by selecting the Automatically Detect Settings option.
b. On the Connection tab of the Internet Options dialog box, select a dial-up connection and click Settings to open the Settings dialog box for the connection. Select the Automatically Detect Settings option to configure a proxy server.
c. On the Connections tab of the Internet Options dialog box, click LAN Settings and configure a proxy server in the Local Area Network (LAN) Settings dialog box by entering the proxy server address and assigned port number.
d. On the Connection tab of the Internet Options dialog box, select a dial-up connection and click Settings to open the Settings dialog box for the connection. Configure a proxy server by entering the proxy server address and assigned port number.


Scenario 12-2: Managing Internet Explorer Security and Privacy


You are representing a company that is beginning to market a new family of pharmaceutical drugs. Many aspects of your company's technology are not yet patented and must be kept out of the wrong hands. You are configuring a laptop computer for a trip to a trade show. You have enabled Encrypting File System (EFS) and have exported the recovery agent's key and deleted it from the system. You have also purchased a hardware lock that requires an electronic key for removal. You are concerned that information in your browser could compromise your product line if the system fell into the wrong hands. Answer the following questions about this scenario.

1. Which of the following settings in Internet Explorer can help ensure no private data is accessible to Internet Explorer after you close the browser? (Choose all correct answers.)
a. Do Not Save Encrypted Pages To Disk.
b. Empty Temporary Internet Files Folder When Browser Is Closed.
c. Set The Days To Keep Pages In History Settings To 0.
d. Set The Default Home Page To Use Blank.

2. You are concerned about attackers penetrating your system when you use it on the trade show network. Which of the following strategies can help prevent this? (Choose all correct answers.)
a. Download and install all critical updates.
b. Enable Windows Firewall with no exceptions enabled.
c. Disable your network connection.
d. Set the security level for the Internet zone to High.

CHAPTER 13

MANAGING USERS AND GROUPS


Upon completion of this chapter, you will be able to:
Configure and manage user accounts
Manage user account properties
Manage user and group rights
Configure user account policy
Manage and troubleshoot cached credentials

This chapter covers user accounts and how to create, manage, delete, and troubleshoot issues arising from the management of these accounts. You will also learn how to manage policies affecting users and how to manage rights that users have on systems. Finally, we will briefly discuss cached credentials as a way to authenticate users, especially mobile users, when a domain controller is not available.


OVERVIEW OF USER ACCOUNTS


Almost all security settings in Windows XP Professional are assigned based on the identity of those who need to access resources or services. The identity of a person is based on a username and a correct password, both of which are required to gain access to resources. Windows XP includes an authentication framework and offers tools and utilities to allow administrators to manage user accounts, place users into groups based on common resource access requirements, and assign access to resources to individual users or to groups.

Users and Groups


User accounts are the basic token of identity used in Windows XP. All tasks and processes execute with the permissions, rights, and privileges of a user account. Users can be collected into groups to simplify administration. User accounts help identify a user to the system and to other users and can be used to grant access to resources and to audit activity. In Active Directory implementations, the user account can also hold sophisticated directory and demographic information about a user. User accounts can be consolidated into groups to simplify the process of managing security; individually, they provide very granular access to sensitive data. Groups consolidate users for the purpose of assigning permissions to resources. In Active Directory, they can also act as distribution lists for e-mail. By adding users to a group, you can immediately grant them access to any resources that have been opened to that group. This greatly simplifies management of resource security.

User and Group Account Permissions


Depending on the permissions granted to them, users and groups can:

Access file and print resources
Manage access to files and printers
Manage computer systems
Manage other users and groups

By using NTFS and share-level permissions, you can provide access to resources while protecting them from individuals who are not authorized to access them. For example, in the Properties dialog box for a printer you can assign permission to users or groups to print, manage documents, and manage printers.


Placing users into the Power Users or Administrators group on a system gives them permission to manage aspects of system configuration and operation. Placing users into the Administrators group also gives them the ability to manage other users.
IMPORTANT

One of an administrator's principal tasks is adding user accounts to a system for granting access to system resources. Many organizations assign this task to junior administrators, but the ramifications of certain user security configuration choices should not be taken lightly.

User Rights
In addition to granting permissions to users and groups to access resources, you can assign rights. These rights can include, for example, the right to shut down a system or the right to log on to a system locally or remotely. We will discuss these rights in more detail later in this chapter.

User Profiles
When user accounts are created, you can also designate storage locations for user settings and documents. These settings are organized into user profiles and stored in designated locations. User profiles allow individual users to retain familiar menus and desktop preferences even when multiple users use the same system.

Built-In User Accounts and Groups


Several built-in user accounts and groups are installed during system setup (or later, when certain services or applications are installed). These accounts are designed for administration of the system or for the associated application to log on to the system.

Built-in user accounts
Windows XP has two principal built-in user accounts that can be used for logging on interactively:

Administrator The main administrative account for the system. It has permission to perform any configuration or administration task on the system. It can assign permissions and take ownership of resources even if it has not been explicitly given permission to them.

Guest Allows limited access to the system to perform basic tasks involving file and print usage or application usage. This account is disabled by default. It does not have permission to perform any administrative tasks.
NOTE

A third built-in account, the System account, has the permissions assigned to the Administrator account but cannot be used to log on to a system interactively. It is used by the operating system itself to access the files it must use to operate. By default, System is assigned full-control access to all resources on the system. Restricting access to this account can have undesirable consequences.

Built-in groups
Built-in groups allow you to assign users to specific security or administration roles in a uniform manner.

Administrators A group that has permission to manage all aspects of system operation and configuration. These accounts have all rights and privileges that a computer administrator requires to manage and configure a system.
NOTE

Built-in accounts that are default members of built-in groups cannot be removed from those groups. The Administrator account can be renamed, but it can never be removed from the Administrators group.

Backup Operators A group of user accounts with access to files that they normally would not be able to access, in order to back up those files to archive media. They cannot open or read these files in any other application, however.

Power Users A group with limited administrative privileges on a system. Users in this group can install applications, add users and modify users they create, and create shared folders for use over a network.

Remote Desktop Users A group with permission to connect to the system using Remote Desktop.

Users A group with basic system access; by default, it includes all users added to the system.

Guests A group with very low-level, temporary access to the system.

Implicit Groups
Windows XP has a number of groups whose membership depends on environmental or usage factors. These groups are used to grant access that depends on how or where resources are accessed. They do not appear in Local Users and Groups in Computer Management. The most common of these implicit groups are:

Interactive Includes any user logged on to the local system. This group is used to control access that remote users have to a resource.

Network Includes all users who access the system across a network. This group is used to control access that remote users have to a resource.

Everyone Includes all interactive and network users. This group is used to grant broad access to a system resource.

Authenticated Users Includes all users who have been authenticated by a security authority recognized by the system. Although the differences might seem slight, the Authenticated Users group is preferred over the Users built-in group because Users can access anonymous (or null) sessions (which do not require authentication), and it is preferred over the Everyone implicit group because Everyone might allow access to the Guest account.
NOTE

Anonymous (or null) sessions are used by systems to exchange lists of advertised resources or to create secure channels for user authentication. They are typically not expected to access resources, but hackers have devised methods for using these sessions to access files. Using Authenticated Users prevents this unauthorized use, by ensuring that the entity accessing the resource is an actual user.

Creator Owner Includes the person who created a specific file or folder (or other resource). This group is used to manage permissions granted to the creator of that file or folder.

Service Accounts
Service accounts are used to provide access to defined services. A service will access system resources using the appropriate service account, and you can restrict that access only to files and other resources required by the service in question. These accounts are managed differently than normal user accounts; they are often set so passwords will not expire and cannot be changed by the service. This protects against the service being hijacked and used against sensitive files, which can happen if a malicious user gains control of the service through a vulnerability in the service's programming and attempts to cause damage to the system or to data.


Service accounts installed by system Setup
Setup installs three kinds of service accounts:

Service The account that represents the operating system. The system requires access to folders and files for normal operation. It has permissions similar to those of the Administrator account and is used by system utilities and services to manage the system.

Local Service An account that allows you to restrict the access that local applications and services have on the system. It can be assigned to services to allow access to resources without giving the full authority of the Service account.

Network Service An account that lets you restrict the access that network services have to local resources for additional protection against network attacks.

Accounts commonly installed by services and applications
Many applications install their own service account. Among the more familiar service accounts are:

ASPNET The service account used to run processes for ASP.NET applications in Microsoft Internet Information Services (IIS).

IUSR_<system name> The default account (named after the machine on which it exists) that accesses local resources on behalf of anonymous Internet users. IIS uses this account to open files and folders required by anonymous user requests.

IWAM_<system name> An account used to run worker threads and processes called by IIS and standard ASP applications.

Domain User Accounts and Groups


In Active Directory, user accounts and groups are organized in a slightly different fashion. In this section, we will explore the user accounts and groups on a Windows XP system that is a member of a domain.

Domain built-in groups
Domains also have built-in groups. Some of these groups are, by default, made members of local groups when a Windows XP system is joined to a domain. The principal built-in groups are:

Domain Admins A group that is placed into the Administrators local group by default and inherits the ability to perform any task performed by local administrators.


Domain Users A group that belongs to the Users group and gains access to any resources granted to the Users group.

Domain Guests A member of the local Guests group.

Coordinating domain and local groups for assigning permissions and rights
You can add groups from an Active Directory domain to local groups that you create on your system. By doing so, you can configure access to a resource and have all users from the domain group gain access to that resource. This simplifies management because users can be maintained at a central location and you can simply insert the appropriate group into your access control list (ACL).

Tools for Managing Users and Groups


Users and groups can be managed in several ways. We will explore the most common user account and group management tools in this section.

Computer Management
Computer Management, which is used for many management tasks in Windows XP (Figure 13-1), does not disappoint when it comes to managing users and groups. It includes the Local Users and Groups snap-in, which manages users and groups for the local system. We will use Computer Management in many of our examples in this chapter. You can also add your own snap-in to a standalone Microsoft Management Console.

Figure 13-1 Computer Management can be used to manage local users and groups.

To create a custom user management console:
1. Open a new Microsoft Management Console.
2. Choose Start | Run, and type mmc in the Run dialog box. Click OK.
3. In the blank MMC session, choose File | Add/Remove Snap-In.


4. In the Add/Remove Snap-In dialog box, click Add.
5. In the Add Standalone Snap-In dialog box, choose the Local Users and Groups snap-in (Figure 13-2).

Figure 13-2 Adding the Local Users and Groups snap-in to a blank Microsoft Management Console

6. When prompted to choose the local computer or another computer, choose Local Computer. Click OK.
7. Choose File | Save As, and give your new console a descriptive name.

This creates a console with just Local Users and Groups in it. You can add additional computers to this console to have a master console for managing users on several systems (Figure 13-3). This is an excellent way to manage user accounts on multiple computers in a workgroup environment. Managing a remote computer this way requires that you be logged on with an account that is a member of the Administrators group on that computer; in a workgroup, that means the same username and password must exist on each system.


Figure 13-3 A user management console with several systems added


User Accounts tool in Control Panel  The User Accounts tool (Figure 13-4) in Control Panel simplifies the creation and management of users. However, it lacks the ability to manage group memberships (beyond the two account types it offers) and user profile information.

Figure 13-4 User Accounts tool



NOTE User Accounts is the only user management tool available for use with Windows XP Home.

Active Directory Users and Computers  You can use Active Directory Users and Computers (Figure 13-5) to manage user and computer accounts, security groups, distribution groups, organizational units, and Group Policy settings in Active Directory domain environments.

Figure 13-5 Active Directory Users and Computers




NOTE

Domain security groups are Active Directory groups that can be granted permissions either only on resources in their own domain (domain local groups) or in any domain of the forest (global groups). They are not used in our scenarios in this course, but you will become more familiar with them as you advance to the Windows Server 2003 courses.

NET USER command  If you prefer command-line administration tools, you can use the Net.exe command with the User option to automate adding or managing many users at once. Typing NET USER on its own lists the accounts on the computer, and NET USER username displays the settings of one account. For changing accounts, the syntax takes one of three forms:

Maintenance  To modify a user account, use the NET USER command without the /ADD or /DELETE switch. Username is the logon name of the user, and password is the password the user account is to have. If you do not want to change the password, simply leave it out of the command and supply only the options you want to change:

NET USER username password <options>

Adding a user  To add a user, use the appropriate options with the /ADD switch:

NET USER username password /ADD <options>

Removing a user  To remove a user, use the /DELETE switch:

NET USER username /DELETE

A password typed on the command line is visible to anyone watching the screen and ends up in any batch file or command history that contains it. Use an asterisk (*) in place of the password and NET USER prompts for it without echoing it to the screen.

Options for the NET USER command  Available options for the NET USER command include:

/Active: Yes | No  Designates whether the user account is enabled or disabled. Yes enables the user account, and No disables it.

/Comment: "text"  Specifies a comment that can be read by administrators. It must be enclosed in quotation marks.

/Expires: Date | Never  Designates a date after which the account is deactivated. This is useful when you are creating an account that will be used for only a short time.

/Fullname: "name"  Specifies the user's full name. Enter the full name in quotation marks (example: NET USER dfield /Fullname:"David Field").

/Homedir: path  Sets the path to the user's home directory folder. This becomes the default location for the user's documents.

/Passwordchg: Yes | No  Specifies whether the user is allowed to change his own password. The default is Yes. (NET USER has no switch that forces a password change at the next logon; set that option in the user's Properties dialog box in Local Users and Groups.)


/Passwordreq: Yes | No  Specifies whether a password is required for this user. The default is Yes.

/Profilepath: path  Sets a path for the user's profile (menus, documents, and preferences).

/Scriptpath: path  Defines the logon script to run when this user logs on. Logon scripts are script or batch files that run to set certain options during a user logon. Examples include scripts to map network drives or launch certain applications.

/Times: times | All  Sets allowed logon times. The times option must be carefully formatted. The format is start day-end day,start time-end time. The day can be spelled out or abbreviated, and the time can be a range using a 12-hour or 24-hour clock. Multiple entries are separated by semicolons (example: NET USER Dave /times:M-F,9:00am-5:00pm;Saturday,9:00-17:00;Su,9:00-17:00). Setting All allows all logon times, and leaving the setting blank sets no logon times, effectively disabling the account.

/Usercomment: "text"  Configures a user comment for this user.

PLANNING USER ACCOUNTS AND GROUPS


You might think that the simplest way to start configuring your organization is to compile a list of users and proceed from there, but experienced administrators begin their work by listing the resources to control and the users who will need access to those resources. You can then define user groups that you can use to consolidate users. If you also carefully plan usernames, profile locations, and logon scripts, you can save yourself a lot of work and make the user experience much better. In this section, we will discuss the planning process and how to create an effective strategy for managing users and groups.

Mapping Out a User and Group Strategy


If you work to consolidate resources that require the same access controls and combine users into groups with those access levels, you can greatly simplify the management of resources.

Determining resource access requirements  If you have a collection of documents used by the Finance department, it makes sense to combine them into a folder structure so you have a single place to control permissions to the entire collection (Figure 13-6). Any documents that are added to the collection will be included in the access control scheme, and users with access to the collection will automatically have access to the new documents.
Figure 13-6 Gathering documents into folders to simplify security (diagram: consolidate documents into folders, consolidate users into groups, grant groups permissions to folders; a new user gains access by being added to a group)

Simplifying user rights and permission management  If you collect users into groups according to their access requirements, you can easily grant a new user access to an entire collection (or several collections) of resources by simply making her a member of a group that has access to the collection (or collections) (Figure 13-6). This principle is commonly used by administrators of large enterprises, but it translates well to the smallest organizations.

Creating user account templates  It is common to have multiple users (from several to hundreds) who need exactly the same security configuration. To speed up the creation of new, identically configured user accounts, you can create an account template. This is simply a user account that is configured with the correct properties for a specific task and that you copy when creating new users.
NOTE

The ability to copy accounts is available only in Active Directory Users and Computers. You can create template accounts with special characters in the first position of the username so they sort first in a list of users and are easy to find. Leave a template account disabled: it exists only to be copied, and an enabled template with a well-known password is an open door. If you want to add several nearly identical accounts to a Windows XP computer, consider scripting the creation of those accounts by using NET USER commands.
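The note above suggests scripting account creation with NET USER. The following Python script is an added example (not code from the book): it turns a list of account records into the NET USER and NET LOCALGROUP command lines described in the preceding section, checks each logon name against the 20-character limit and the invalid-character list, and either prints the commands, saves them as a .cmd file, or runs them on the local computer. The record fields (logon, password, full_name, comment, groups, expires, times), the group names and the two sample accounts are constructed for the example.

```python
"""Build NET USER / NET LOCALGROUP command lines for a batch of new local accounts.

Added example, not code from the book. Record fields, group names and the
sample accounts below are constructed for illustration.
"""
import subprocess
import sys

# Constructed sample records. Passwords avoid the cmd.exe special characters
# % and ! so the commands can be saved in a .cmd file unchanged.
NEW_ACCOUNTS = [
    {"logon": "dfield", "password": "Mdhbbs6A", "full_name": "David Field",
     "comment": "Finance analyst", "groups": ["Finance Users"],
     "times": "M-F,8:00AM-6:00PM"},
    {"logon": "T-johne", "password": "x7Rq2pLm9", "full_name": "John Edwards",
     "comment": "Temporary contractor", "groups": ["Finance Users", "Backup Operators"],
     "expires": "12/31/2005"},   # date in the computer's short date format
]

INVALID_CHARS = set('"/\\[]:;|=,+*?<>')   # characters a logon name may not contain

def quote(value):
    """NET.EXE option values that contain spaces must be wrapped in quotation marks."""
    return '"%s"' % value if (" " in value or value == "") else value

def check_logon_name(name):
    """Apply the naming rules: 1-20 characters, none of the invalid characters."""
    if not 0 < len(name) <= 20:
        raise ValueError("logon name must be 1-20 characters: %r" % name)
    bad = INVALID_CHARS.intersection(name)
    if bad:
        raise ValueError("invalid characters %s in %r" % (sorted(bad), name))

def net_user_add(rec):
    """Return the NET USER ... /ADD command line for one record."""
    check_logon_name(rec["logon"])
    parts = ["NET USER", rec["logon"], rec["password"], "/ADD"]
    if "full_name" in rec:
        parts.append("/FULLNAME:" + quote(rec["full_name"]))
    if "comment" in rec:
        parts.append("/COMMENT:" + quote(rec["comment"]))
    # /EXPIRES deactivates the whole account after a date; /TIMES restricts logon hours.
    parts.append("/EXPIRES:" + rec.get("expires", "NEVER"))
    parts.append("/TIMES:" + rec.get("times", "ALL"))
    # PASSWORDCHG:YES lets the user change the password. NET USER cannot force a
    # change at next logon; set that afterwards in Local Users and Groups.
    parts.append("/PASSWORDCHG:YES")
    parts.append("/PASSWORDREQ:YES")
    return " ".join(parts)

def net_localgroup_adds(rec):
    """Return one NET LOCALGROUP ... /ADD command line per group membership."""
    return ["NET LOCALGROUP %s %s /ADD" % (quote(g), rec["logon"])
            for g in rec.get("groups", [])]

def build_commands(records):
    """All command lines for the batch, in the order they must run."""
    cmds = []
    for rec in records:
        cmds.append(net_user_add(rec))
        cmds.extend(net_localgroup_adds(rec))
    return cmds

def write_batch(path, commands):
    """Save the commands as a .cmd file that stops at the first failure.
    The file contains initial passwords: delete it once it has been run."""
    with open(path, "w") as fh:
        fh.write("@echo off\n")
        for cmd in commands:
            fh.write(cmd + "\n")
            fh.write("if errorlevel 1 exit /b 1\n")
    return path

def run_commands(commands):
    """Execute the commands on this Windows computer (run as an administrator)."""
    for cmd in commands:
        # A string is handed to CreateProcess unchanged, so NET.EXE sees the
        # quotation marks exactly as written above.
        subprocess.run(cmd, check=True)

if __name__ == "__main__":
    cmds = build_commands(NEW_ACCOUNTS)
    print("\n".join(cmds))
    if "--run" in sys.argv:
        run_commands(cmds)
```

Run it without arguments to review the generated commands, then with --run (from an administrator's command prompt on the target computer) to execute them, or pass the list to write_batch to produce a .cmd file for another machine.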

User Account Naming Conventions


In an organization with up to a few dozen users, it is easy to come up with unique usernames. But organizations with hundreds or thousands of users need a standard way of generating usernames. These naming conventions must be determined in advance to eliminate the confusion of changing formats after you already have users in the field. Possible naming conventions include using the person's first initial and last name or using the first name and last initial. These conventions work well for smaller organizations. But what happens if you have a John Smith, a Jeff Smith, and a Jeff Stammler? You cannot assign two people JeffS or JSmith. You might have to consider additional conventions such as appending numbers to duplicate names (JSmith2) or using a middle initial (JASmith). Here are some other aspects of naming conventions to consider:

Names can be no longer than 20 characters. User account names can contain up to 20 uppercase or lowercase characters. The field accepts more than 20 characters, but Windows XP Professional recognizes only the first 20.

Logon names are not case sensitive. User logon names are not case sensitive, but Windows XP Professional preserves the case for display purposes.

Avoid characters that are not valid. The following characters are not valid: / \ [ ] : ; | = , + * ? < > and the quotation mark (").

Some organizations also identify temporary employees in their user accounts. For example, you can add a T and a dash in front of the users logon name, as in T-johne, or use parentheses at the end, as in johne(Temp).
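The following Python code is an added example (not from the book) of one such convention applied mechanically: first initial plus last name, a T- prefix for temporary staff, invalid characters and whitespace removed, the 20-character limit enforced, and a numeric suffix added when a name is already taken. Names are compared case-insensitively, as Windows does, and the sample people and existing accounts are constructed.

```python
"""Generate unique logon names that follow a naming convention.

Added example, not code from the book. Convention: first initial + last name,
optional T- prefix for temporary staff, invalid characters and whitespace
removed, truncated to 20 characters, numeric suffix on collision.
"""
import re

MAX_LEN = 20
# Characters Windows rejects in an account name, plus whitespace.
INVALID = re.compile(r'["/\\\[\]:;|=,+*?<>\s]')

def base_name(first, last, temporary=False):
    """First initial + last name, cleaned and cut to the 20-character limit."""
    name = INVALID.sub("", first[:1] + last)
    if not name:
        raise ValueError("no usable characters in %r %r" % (first, last))
    if temporary:
        name = "T-" + name
    return name[:MAX_LEN]

def unique_name(base, existing):
    """Append 2, 3, ... until the name is free, keeping the total within 20 characters."""
    taken = {n.lower() for n in existing}
    if base.lower() not in taken:
        return base
    n = 2
    while True:
        suffix = str(n)
        candidate = base[:MAX_LEN - len(suffix)] + suffix
        if candidate.lower() not in taken:
            return candidate
        n += 1

def allocate(people, existing=()):
    """Assign a logon name to each (first, last, temporary) tuple, in order.
    Names chosen earlier in the batch count as taken for later people."""
    taken = list(existing)
    names = []
    for first, last, temporary in people:
        name = unique_name(base_name(first, last, temporary), taken)
        taken.append(name)
        names.append(name)
    return names

# Constructed sample input.
PEOPLE = [
    ("John", "Smith", False),
    ("Jeff", "Smith", False),
    ("Jeff", "Stammler", False),
    ("John", "Edwards", True),
    ("Alexandra", "Konstantinopoulou-Smith", False),
    ("Alexander", "Konstantinopoulou-Smith", False),
]
EXISTING = ["Administrator", "Guest"]

if __name__ == "__main__":
    for person, name in zip(PEOPLE, allocate(PEOPLE, EXISTING)):
        print("%-32s %s" % (" ".join(person[:2]), name))
```

In practice the existing list comes from the computer or domain being provisioned (for a workstation, the output of NET USER), so that a generated name never collides with an account that already exists.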

Setting Requirements for Complex Passwords


Simple passwords are easy for an attacker to guess. Anyone who knows the names of a user's children or pets stands a good chance of guessing that person's password. It is up to the system administrator to prevent this from happening. Some argue that if you make passwords too complex, users will simply write them down on a sticky note and stick the note on their monitor or under their keyboard. To prevent this, you must educate your users about creating and remembering complex passwords. (Instructors used to tell students to use the password password during class, and many of those students went on to set up all their new systems with that password!) Here are two ways to create strong passwords:

Create passphrases. You can create an easily remembered password by using the first letter of each word in a phrase or sentence. For example, you can use the sentence My dog has been barking since 6 AM to create the password Mdhbbs6A, which appears in no dictionary and is far harder to guess than a name or a word. Keep in mind that an eight-character password is still short against an offline cracking attempt; a longer phrase, or the whole sentence used as the password, is stronger.

Mix uppercase letters with lowercase letters, numbers, and nonalphanumeric characters (such as ~ and &). Passwords are case sensitive, so mixing cases can help you create a strong password.

NOTE

You can enforce complex passwords by configuring the appropriate settings in a computers Local Security Policy or by configuring the appropriate Group Policy settings in an Active Directory domain. We will discuss these settings later in this chapter and in Chapter 14.
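As an added example (not part of the book), the following Python code implements the check that the Password Must Meet Complexity Requirements setting mentioned in the note applies, so candidate passwords, including the passphrase acronym from the text, can be tested before they are set. The rule encoded is the built-in one: at least six characters, no occurrence of the account name or of any part of the full name longer than two characters (compared case-insensitively), and characters from at least three of four categories. The min_length parameter is this example's own addition, standing in for the separate Minimum Password Length setting; the sample account dfield / David Field is constructed.

```python
"""Check a candidate password against the Windows complexity rule, and build
a passphrase acronym.

Added example, not code from the book. The rule is the one the built-in
password filter enforces; min_length mirrors the separate Minimum Password
Length policy setting and defaults to the filter's own floor of six.
"""
import re
import string

def acronym(phrase):
    """First character of each word: 'My dog has been barking since 6 AM' -> 'Mdhbbs6A'."""
    return "".join(word[0] for word in phrase.split())

def name_tokens(full_name):
    """Split the full name on the delimiters the filter uses; keep tokens longer than 2."""
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name) if len(t) > 2]

def complexity_failures(password, account_name="", full_name="", min_length=6):
    """Return the list of rule violations (an empty list means the password passes)."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than %d characters" % min_length)
    low = password.lower()
    # The account-name check is skipped for names shorter than three characters.
    if len(account_name) >= 3 and account_name.lower() in low:
        failures.append("contains the account name")
    for tok in name_tokens(full_name):
        if tok.lower() in low:
            failures.append("contains part of the full name: %s" % tok)
    alnum = string.ascii_letters + string.digits
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in alnum for c in password),
    ]
    if sum(categories) < 3:
        failures.append("uses only %d of the 4 character categories" % sum(categories))
    return failures

def is_complex(password, account_name="", full_name="", min_length=6):
    return not complexity_failures(password, account_name, full_name, min_length)

if __name__ == "__main__":
    # Constructed sample account.
    for pw in ["password", acronym("My dog has been barking since 6 AM"),
               "dfield2005!", "MyField#99"]:
        print("%-14s %s" % (pw, complexity_failures(pw, "dfield", "David Field") or "OK"))
```

Note that the complexity rule is only a floor: Mdhbbs6A passes it, yet a longer passphrase with the same mix of characters would resist an offline cracking attempt far better.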

Changing the Way Users Log On or Log Off


Administrators can change the way users log on or log off the computer. In the User Accounts tool in Control Panel, two options are available for controlling how all users log on and log off the computer:

Use The Welcome Screen  Allows users to click their user account on the Welcome screen to log on to the computer (Figure 13-7). This check box is selected by default. When it is cleared, users must type their username and password at a classic Windows logon prompt (Figure 13-8). Keep in mind that the Welcome screen displays every account on the computer, so anyone at the console learns which usernames exist.


Figure 13-7 The Windows XP Welcome screen

CHAPTER 13:

MANAGING USERS AND GROUPS

433


Figure 13-8 The classic Windows logon prompt

Use Fast User Switching  Allows users to quickly switch to another user account without first logging off and closing all programs. When you are finished, you can switch back to the first user account. This check box is selected by default. The first user's programs keep running in the background while the second user is logged on.

Neither option is available on a computer that is a member of a domain; a domain member always uses the classic logon prompt.

You configure these options as follows:

1. Choose Start | Control Panel | User Accounts.
2. In the User Accounts window, click Change The Way Users Log On Or Off. The Select Logon And Logoff Options window (Figure 13-9) appears.


Figure 13-9 Setting the logon options

3. Select or clear the appropriate check boxes.


CREATING AND MANAGING USER ACCOUNTS WITH LOCAL USERS AND GROUPS
After planning the relationships between users and resources, you need a plan for the user accounts and groups you will use. In this section, you will learn how to use Computer Management to create user accounts and groups and how to manage the rights and permissions assigned to these users and groups.

Creating User Accounts


You can create user accounts in the Local Users and Groups snap-in located in Computer Management or in your custom user management console. To use Local Users and Groups to add a user account:

1. Locate and select Local Users And Groups in your console. If you are using the Computer Management console, you might have to expand System Tools to see it.
2. In the details pane, right-click Users, and then click New User. The New User dialog box opens (Figure 13-10).


Figure 13-10 The New User dialog box

3. Fill in the appropriate text boxes, click Create, and then click Close. Leave User Must Change Password At Next Logon selected when you assign an initial password, so that the password you know is replaced the first time the user logs on, and select Password Never Expires only for service accounts that cannot change their own password.

Managing User Account Properties


After a user is added to the system, you can modify her properties, such as which groups she belongs to or her home and profile folders. This step completes the creation of a user account, and you can revisit the user's properties later to make changes. To modify a user's properties:

1. Locate the user in the Users folder within Local Users and Groups.
2. Right-click the user's name, and click Properties. The user's Properties dialog box opens (Figure 13-11).


Figure 13-11 A users Properties dialog box

3. You can modify the users properties on the following tabs:

General  You can configure the username and description, manage the password status for the account, and enable or disable the account (Figure 13-11).

Member Of  You can configure a user's group memberships. To add the user to a group, click the Add button and select the appropriate group in the Select Groups dialog box (Figure 13-12).


Figure 13-12 Selecting security groups for a user account


Profile You can specify the users profile path, logon script, and home folder (Figure 13-13).


Figure 13-13 Managing a users profile configuration

Managing User Permissions


Once a user account has been created and placed in the appropriate groups, you can assign permissions to the user or to the groups to which she belongs. You do this on the Security tab of the resource being managed. For example, on the Security tab for a file system folder (Figure 13-14), you grant users and groups permission to access the folder and its files; the same users and groups appear in the ACLs of printers and other system objects (such as Group Policy objects). Prefer granting permissions to groups: a permission granted to an individual user must be found and cleaned up on every resource when that user leaves.

Figure 13-14 Configuring security for a file system folder




MORE INFO For more information on managing security for files or printers, see Chapters 6, 7, and 8. We will discuss setting security on Group Policies in Chapter 14.

Managing User Rights Assignment


You have a user who is required to change tapes in a system that stores files for your network. One evening, he accidentally shuts down the system instead of logging off. To prevent this from happening again, you can remove this persons right to shut down the system. User rights are managed in a systems Local Security Policy console (Figure 13-15). By choosing the appropriate right and adding or removing the user or group from that right, you can control some of the operations the user or group is allowed to perform on the system.

Figure 13-15 The Local Security Policy console displaying User Rights Assignment

Lets say the user in our example is a member of the Backup Operators local group. If you open the Shut Down The System user right, you see the allowed groups listed (Figure 13-16). If you remove the Backup Operators local group from the list in this dialog box, users who are members of this group alone can no longer shut down the computer. Administrators, Power Users, and Users will still have this right.

NOTE

In the example above, users who are members of the Users group will still be able to shut down the system. Be sure to consider all group memberships when configuring user rights.


Figure 13-16 Groups allowed to shut down the system



NOTE

We will discuss many more security management scenarios in Chapter 14.

CREATING AND MANAGING GROUPS


User groups are an important part of any effort to simplify management. They allow the administrator to consolidate user accounts that have common access requirements. In Windows XP, you manage groups with the Local Users and Groups snap-in in Computer Management or in a standalone user management console that you have created (as explained earlier). You can also use the Net.exe command-line command with the Localgroup option. We will discuss both of these methods next.

Creating and Managing Groups Using Local Users and Groups


The Local Users and Groups snap-in (Figure 13-17) provides a graphical way to create and manage user groups. You can manage group membership directly by configuring the properties for the chosen group or indirectly by managing specific user accounts. We will explore both scenarios. When you create a group using Local Users and Groups, you have the option to add users to the group at that time or afterward.


Figure 13-17 The Computer Management console displaying local groups



To create a group:

1. Select Local Users And Groups in your console. If you are in the Computer Management console, you might have to expand System Tools to see it.
2. In the details pane, right-click Groups, and then click New Group to open the New Group dialog box (Figure 13-18).


Figure 13-18 The New Group dialog box

3. Fill in the appropriate text boxes, and use the Add button to add any users you want to initially assign to this group. Click Create, and then click Close.


To add users to an existing group:

1. Open the group's Properties dialog box by double-clicking the group in Local Users and Groups.
2. Click the Add button to open the Select Users dialog box (Figure 13-19). Enter the appropriate usernames.


Figure 13-19 Selecting users for group membership

To search for users to add, click the Advanced button to open the Advanced mode of the Select Users dialog box (Figure 13-20).


Figure 13-20 Advanced options for locating users

3. After you specify or select the users, click OK to add them to the group.
NOTE

You can also add users to groups by adding the appropriate groups to the Member Of tab in the users Properties dialog box.


To remove a group:

1. Locate and select Local Users And Groups in your console. You might have to expand System Tools in the Computer Management console to see it.
2. Select Groups. In the details pane, right-click the group you want to delete and choose Delete.

Deleting a group (or a user account) discards its security identifier (SID). ACL entries that referred to it remain on the resources as unresolvable SIDs, and creating a new group with the same name does not restore them, because the new group receives a new SID. Rename a group you might need again rather than deleting it, and disable rather than delete a user account.

Managing Groups Using Command-Line Tools


The Net.exe command has many powerful management and configuration options, including the ability to manage users and groups. In this section, you will learn how to use the Net Localgroup command to add a group and how to manage the group's membership.

Using Net Localgroup to manage groups  Net Localgroup has many options for managing groups from a command line. This is an excellent way to script group management to make many additions or deletions at once.
NOTE A related command (Net Group) is used to manage global group creation and membership in an Active Directory domain environment.

Modifying a group  Use the Net command with the appropriate option switches. (Groupname is the name of the group you are configuring.)

NET LOCALGROUP groupname <options>

Adding a group  Use the appropriate options with the /ADD switch:

NET LOCALGROUP groupname /ADD <options>

Adding users to the group  You can also use the /ADD switch to add users to the group. Because the group already exists, Net Localgroup interprets the /ADD switch as an addition of users to the group. A domain account is specified as DOMAIN\username, and a group name that contains spaces must be enclosed in quotation marks.

NET LOCALGROUP groupname user1 user2 user3 /ADD

Removing a user  Use the /DELETE switch:

NET LOCALGROUP groupname username /DELETE

Deleting a group  Use the /DELETE switch:

NET LOCALGROUP groupname /DELETE

NET LOCALGROUP groupname with no switch lists the group's current members, and NET LOCALGROUP on its own lists the groups on the computer.


Options for the Net Localgroup command  Options for the Net Localgroup command include:

/Comment: "text"  Specifies a comment that can be read by administrators. It must be enclosed in quotation marks.

/Domain  Performs the operation on the primary domain controller of the current domain, so the command manages an Active Directory domain local group instead of a group on the local computer.
NOTE

Domain local groups are groups that can control resources in systems throughout a domain. They can contain users and global groups from the domain and global groups from other domains.

CREATING AND MANAGING USER ACCOUNTS WITH THE USER ACCOUNTS TOOL
Some organizations use the User Accounts tool (Figure 13-21) in Control Panel to create, modify, and delete local user accounts. This tool is wizard-driven and simpler for some users to master. It is the same tool used in Windows XP Home Edition.

Figure 13-21 The User Accounts tool



User Account Types


If you use the User Accounts tool, you will notice immediately that users are placed in one of two classes: Computer Administrators or Limited Accounts. Table 13-1 summarizes the privileges each type of user account has on the system.


Table 13-1  User Account Types and Capabilities

Capability                                                          Computer Administrator   Limited Account
Change your own picture                                             Yes                      Yes
Create, change, or remove your own password                         Yes                      Yes
Change other users' pictures, passwords, account types, and names   Yes                      No
Have full access to other user accounts                             Yes                      No
Create user accounts on this computer                               Yes                      No
Access and read all files on this computer                          Yes                      No
Install programs and hardware                                       Yes                      No
Make system-wide changes to the computer                            Yes                      No
NOTE

Accounts that are members of groups other than Administrators and Users might appear in the User Accounts tool as Unknown account type. These users must be managed using Local Users and Groups.

Creating a New User Account


In the User Accounts tool, only administrators can create new user accounts: the Create A New Account task appears on the Pick A Task screen only when you are logged on with a user account that is a member of the Administrators group. To create a new user account, take these steps:

1. Click Start | Control Panel | User Accounts.
2. In the User Accounts window, click Create A New Account. The Name The New Account window appears (Figure 13-22).


Figure 13-22 Using the User Accounts tool to create a new user account


3. In the Type A Name For The New Account box, type a user logon name (up to 20 characters), and then click Next. The Pick An Account Type window appears (Figure 13-23).


Figure 13-23 Selecting a user account type

4. Select the appropriate account type, and then click Create Account.
5. After the account is created, select the new account and use Create A Password to assign a password to the new user. You can also set other options, such as the account picture, at this time.

Do step 5 immediately: the new account is created without a password, so until you assign one, anyone at the keyboard can log on as that user. (By default, Windows XP does not allow an account with a blank password to log on over the network, but access at the console is enough to do damage.)

Changing an Account
If you are logged on with an account that is a member of the Administrators group, you can use the Pick A Task portion of the User Accounts tool to perform the following tasks:

Change an account (including deleting the account)

Create a new user account

Change the way users log on or log off

If you are an administrator, you can use the Change An Account task (Figure 13-24) to make changes to any user account on the computer.


Figure 13-24 Changing a user account



Some of the actions an administrator can perform are:

Change The Name  Changes the user account name of an account on the computer. You see this option only if you are logged on as an administrator because only an administrator can perform this task.

Create A Password  Creates a password for an account. You see this option only if the user account does not have a password. Only an administrator can create passwords for other users' accounts.

Change The Password  Changes the password for an account. You see this option instead of the Create A Password option if the user account already has a password assigned to it. Only an administrator can change passwords for other users' accounts. Be aware that an administrator changing another user's password here performs a reset rather than a change: the user loses access to EFS-encrypted files, stored Web and network credentials, and certificates with private keys unless a password reset disk or an EFS recovery agent exists.

Remove The Password  Removes the password for the account. You see this option only if the user account already has a password assigned to it. Only an administrator can remove passwords for other users' accounts. The same loss of EFS-protected data applies.

Change The Picture  Changes the picture that appears on the Welcome screen. Only an administrator can change the pictures for other users' accounts.

Change The Account Type  Changes the account type for a specified account. Only an administrator can change the account type for a user account.

Delete The Account  Deletes a specified user account. You see this option only if you are logged on as an administrator because only an administrator can perform this task.


NOTE

Users who view their own options (including the administrator viewing her own account) will see a few differences, such as the rephrasing of the action items to use My instead of The.

A user or administrator looking at her own account will also see the Set Up My Account To Use A .NET Passport option. Choosing this option starts the Add A .NET Passport To Your Windows XP Professional Account Wizard. A .NET Passport allows you to have online conversations with family and friends, create your own personal Web pages, and sign in instantly to all .NET-enabled sites and services. You can set up only your own account to use a .NET Passport.
NOTE

When you delete a local user account, Windows XP Professional displays the Do You Want To Keep local_user_accounts Files window. If you click Keep Files, Windows XP Professional saves the contents of the local user accounts desktop and My Documents folder to a new folder called local_user_account on your desktop. However, it cannot save the local user accounts e-mail messages, Internet Favorites, or other settings.

To change your account while logged on with a limited user account:

1. Click Start | Control Panel | User Accounts. The Pick A Task window appears.
2. Click the option for the modification you want to make, and then follow the prompts on the screen.

To change an account while logged on as an administrator:

1. Click Start | Control Panel | User Accounts.
2. In the User Accounts window, click Change An Account. The Pick An Account To Change window appears.
3. Click the account you want to change. The What Do You Want To Change About account_name Account window appears.
4. Click the option for the modification you want to make, and then follow the prompts on the screen.

BEST PRACTICES FOR USER ACCOUNT MANAGEMENT


The following list presents best practices for managing user accounts:

Provide administrators with a standard user account for their nonadministrative tasks. This prevents them from inadvertently executing any virus or other malware with Administrator privileges. Executing a virus as an administrator can have devastating consequences.
IMPORTANT

Limited user accounts should be used for any task that does not require administrator-level permissions.

Limit the number of users in the Administrators group. The role of administrator should be reserved for experienced users who have an administrative role in the organization. Giving this role to untrained users can lead to system configuration mistakes and support issues.

Rename or disable the Administrator account. By renaming Administrator, you make less identifiable the one account that attackers know must be on your system. Many penetration attempts begin with guesses at common Administrator passwords. Renaming is only a speed bump, though: the built-in Administrator account always has the same well-known relative identifier (RID 500), so anyone who can enumerate accounts by SID still finds it. A long, strong password on the account is the real control.

Rename and disable the Guest account. The Guest account does not require a password, and it gives anyone a basic level of access to your system. It is best to rename this account and leave it disabled, and to create accounts with guest privileges by placing them in the Guests group.

Observe the principle of least privilege. Grant users and groups only the lowest level of privileges they need to carry out their tasks.
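The Net Localgroup section earlier showed that NET LOCALGROUP groupname lists a group's members, and the practices above ask you to keep the Administrators group small. The following Python script, an added example rather than anything from the book, parses that output and reports members who are not on an approved list, a quick check worth running on every workstation. The sample output, the approved list, the service account svc_backup and the domain name CORP are constructed for the example.

```python
"""Parse the output of NET LOCALGROUP <group> and report unapproved members.

Added example, not code from the book. SAMPLE_OUTPUT is constructed to match
the layout NET LOCALGROUP prints on Windows XP; APPROVED and the domain name
CORP are assumptions of the example.
"""
import subprocess

SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
dfield
svc_backup
The command completed successfully.

"""

APPROVED = {"Administrator", "CORP\\Domain Admins"}

def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_list = False
    for line in output.splitlines():
        line = line.rstrip()
        if not in_list:
            if line.startswith("----"):
                in_list = True
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members

def unexpected_members(output, approved):
    """Members present in the group but not approved (names compared case-insensitively)."""
    approved_lower = {a.lower() for a in approved}
    return [m for m in parse_members(output) if m.lower() not in approved_lower]

def net_localgroup_output(group="Administrators"):
    """Run NET LOCALGROUP on this Windows computer and return its text (Windows only)."""
    result = subprocess.run(["net", "localgroup", group],
                            capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    import sys
    out = net_localgroup_output() if "--live" in sys.argv else SAMPLE_OUTPUT
    extra = unexpected_members(out, APPROVED)
    print("unexpected Administrators members:", ", ".join(extra) or "none")
```

Run with --live on the computer being checked; without it the script demonstrates the parsing on the constructed sample, where dfield and svc_backup are flagged. The same parser works for any local group, so the Backup Operators and Power Users groups, which also carry elevated rights, can be audited the same way.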

MANAGING USER ACCOUNTRELATED SYSTEM POLICIES


In this section, we will discuss the Group and Local Policy settings you can configure that affect users on a Windows XP system. You will learn how to manage user rights assignment using Group Policy and how to manage settings such as user profiles and logon scripts that run when a user logs on to a system.

Managing User Rights with Group Policy


We discussed user rights briefly earlier in the chapter. User rights are privileges that are separate from access permissions (such as those defined by ACLs) and apply to the role a user performs on the system. User rights are divided into two categories: privileges and logon rights.

User Privileges  The privileges Windows XP supports include:

Act As Part Of The Operating System  Allows a process to be authenticated like a user and thus gain access to the same resources as a user. Only low-level authentication services should require this privilege. Note that potential access is not limited to what is associated with the user by default; the calling process might request that arbitrary additional privileges be added to the access token. The calling process might also build an access token that does not provide a primary identity for tracking events in the audit log.
NOTE

Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than a separate user account with this privilege specially assigned.

Back Up Files And Directories  Allows the user to circumvent file and directory permissions to back up the system. The privilege is honored only when an application attempts access through the NTFS backup application programming interface (API); otherwise, normal file and directory permissions apply. Because a backup program can read every file on the system, including the registry hives that hold password hashes, treat this privilege as close to administrative access.

Bypass Traverse Checking  Allows the user to pass through folders to which she otherwise would have no access while navigating an object path in the NTFS file system or in the registry. This privilege does not allow the user to list the contents of a folder; it allows her only to traverse it. This can be useful when a user wants to share a file located in his own personal folder: if he grants permission on the file and sends the exact UNC path to another user, the other user can open it even though she has no permission on the folder containing the file.

Change The System Time  Allows the user to set the time for the internal clock of the computer. Accurate time matters for Kerberos authentication in a domain and for the time stamps in the audit log, so keep this privilege restricted.

Create A Pagefile  Allows the user to create and change the size of a pagefile (by specifying a paging file size for a particular drive under Performance Options on the Advanced tab of the System Properties dialog box).

Debug Programs  Allows the user to attach a debugger to any process. This privilege provides powerful access to sensitive and critical operating system components: its holder can read and modify the memory of any process, including those running as LocalSystem, which makes it equivalent to full control of the computer. Assign it only to developers who need it, and not on production systems.

Force Shutdown From A Remote System  Allows a user to shut down a computer from a remote location on the network. (See also the Shut Down The System privilege.)

Generate Security Audits  Allows a process to generate entries in the Security log. The Security log is used to trace unauthorized system access. (See also the Manage Auditing And Security Log privilege.)


Increase Scheduling Priority
Allows a process that has Write Property access to another process to increase the execution priority of that other process. A user with this privilege can change the scheduling priority of a process in Task Manager.

Load And Unload Device Drivers
Allows a user to install and uninstall Plug and Play (PnP) device drivers. This privilege does not affect the ability to install drivers for non-PnP devices. Drivers for non-PnP devices can be installed only by Administrators.
NOTE

Avoid assigning the Load And Unload Device Drivers privilege to users other than administrators. Device drivers run as trusted (or highly privileged) programs. A user who has the Load And Unload Device Drivers privilege might unintentionally misuse it by installing malicious code masquerading as a device driver. Administrators generally exercise greater care and install only drivers with verified digital signatures.

Manage Auditing And Security Log
Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, and registry keys. Object access auditing is not actually performed unless you have enabled it in Audit Policy (under Security Settings | Local Policies). A user who has this privilege also can view and clear the security log from Event Viewer.

Remove Computer From Docking Station
Allows the user of a portable computer to undock the computer by choosing Eject PC from the Start menu.

Restore Files And Directories
Allows a user to circumvent file and directory permissions when restoring backed-up files and directories and to set any valid security principal as the owner of an object. (See also the Back Up Files And Directories privilege.)

Shut Down The System
Allows a user to shut down the local computer.

Take Ownership Of Files Or Other Objects
Allows a user to take ownership of any securable object in the system, including Active Directory objects, NTFS files and folders, printers, registry keys, services, processes, and threads.
NOTE

User rights, such as Take Ownership Of Files And Folders, override even Deny permissions in NTFS. This allows Administrators to gain access to files that might have been locked out.


User logon rights

In addition to the privileges listed above, Windows XP provides the following user logon rights:

Access This Computer From A Network
Allows a user to connect to the computer over the network.

Allow Logon Through Terminal Services
Allows a user to log on to this computer through a Remote Desktop connection.

Log On As A Batch Job
Allows a user to log on using a batch-queue facility.

NOTE

If IIS is installed, the Log On As A Batch Job right is automatically assigned to a built-in account for anonymous access to IIS.

Log On Locally
Allows a user to log on at the computer's console.

Log On As A Service
Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem, LocalService, or NetworkService accounts, which have a built-in right to log on as a service. Any service that runs under a separate user account must be assigned this right.

Deny Access To This Computer From Network
Prohibits a user or group from connecting to the computer from the network.

Deny Local Logon
Prohibits a user or group from logging on directly at the console.

Deny Logon As A Batch Job
Prohibits a user or group from logging on through a batch-queue facility.

Deny Logon As A Service
Prohibits a user or group from logging on as a service.

Deny Logon Through Terminal Services
Prohibits a user or group from logging on as a Terminal Services client.

To configure user rights assignments in Windows XP:

1. Open the Group Policy Management console by clicking Start | Run and entering Gpedit.msc in the Run dialog box. Click OK.
2. Navigate to the User Rights Assignment item (Figure 13-25) by choosing Computer Configuration | Windows Settings | Security Settings | Local Policies | User Rights Assignment. You will see the available user rights and their current assignments.


Figure 13-25 Managing user rights assignment using Group Policy

3. Double-click the right you want to assign. This opens the Properties dialog box for the user right (Figure 13-26). You can add or remove users or groups as needed for the right you are assigning.


Figure 13-26 Local Security Setting granting users and groups the right to shut down the local system

Managing User Account Settings with Group Policy


Local Security Policy allows you to manage settings such as the complexity of passwords that are allowed, the number of incorrect logon attempts allowed, and the logon script that runs after the user logs on. In an Active Directory environment, administrators have even more control of user account management: they can control the management of roaming profiles and override Local Security Policy with domain-level policies.


Password Policy

You can manage the complexity of users' passwords by using the Password Policy settings under Account Policies (Figure 13-27).

Figure 13-27 Managing password policy settings



The settings are:

Enforce Password History
Configures the number of passwords Windows XP remembers when requiring a user to select a unique password. If you configure this setting to 32, the user will not be allowed to use any of her last 32 passwords when setting a new password.

Maximum Password Age
Sets the password expiration interval for user accounts. When an account's password reaches the age specified in this setting, the user is prompted to change his password.

Minimum Password Age
Prevents a user from changing passwords too frequently, which keeps a user from cycling through the password history just to get back to an old password. With a password history of 32, a user must change her password 32 times before returning to the one she started with; a minimum password age of 1 day means this would take at least 32 days.

Minimum Password Length
Prevents users from choosing passwords that are too short to have any real strength. Many organizations set this value to 6, 8, or even 14.

Password Must Meet Complexity Requirements
Implements several strength requirements for a new password. It must not contain all or part of the user's account name, must be at least six characters in length, and must contain characters from three of the following four categories:

English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Nonalphanumeric characters (such as !, $, #, %)

Store Password Using Reversible Encryption
Causes Windows XP to store the user's password using a type of encryption that can be easily reversed for use by programs that require the user's password.
CAUTION

Enabling the Store Password Using Reversible Encryption setting weakens a system's security. It is only slightly better than storing the password as plaintext. You should avoid this setting if at all possible because it drastically weakens security.
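The Password Policy settings above are easier to reason about when written as the checks a logon service would actually run. The following is an added example, not Windows code: it enforces Enforce Password History, Minimum Password Age, Minimum Password Length and the complexity rule as the text describes them, on a constructed account named ARuth. The interpretation of "part of the account name" (the whole name plus any fragment of three or more characters after splitting on separators) and the SHA-256 digest standing in for the real credential hash are assumptions of this example.

```python
"""Password policy enforcement modelled on the Password Policy settings
described above. Added example, not Windows code."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# The four character categories named by Password Must Meet Complexity Requirements.
_CATEGORIES = (
    re.compile(r"[A-Z]"),         # English uppercase
    re.compile(r"[a-z]"),         # English lowercase
    re.compile(r"[0-9]"),         # base-10 digits
    re.compile(r"[^A-Za-z0-9]"),  # nonalphanumeric, such as ! $ # %
)


@dataclass
class PasswordPolicy:
    history_size: int = 24                   # Enforce Password History
    min_age: timedelta = timedelta(days=1)   # Minimum Password Age
    min_length: int = 8                      # Minimum Password Length
    complexity: bool = True                  # Password Must Meet Complexity Requirements


@dataclass
class AccountState:
    account_name: str
    history: List[str] = field(default_factory=list)  # digests, most recent last
    last_changed: Optional[datetime] = None


def _name_tokens(account_name: str) -> set:
    """Account-name fragments a password may not contain. Assumption of this
    example: the whole name plus any piece of 3+ characters after splitting."""
    tokens = {account_name.lower()}
    for tok in re.split(r"[\s,.\-_#]+", account_name.lower()):
        if len(tok) >= 3:
            tokens.add(tok)
    return tokens


def complexity_violations(account_name: str, password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule the candidate password breaks (empty list means it passes)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than Minimum Password Length")
    if policy.complexity:
        if len(password) < 6:
            problems.append("complexity requires at least six characters")
        lowered = password.lower()
        if any(tok in lowered for tok in _name_tokens(account_name)):
            problems.append("contains all or part of the account name")
        categories = sum(1 for rx in _CATEGORIES if rx.search(password))
        if categories < 3:
            problems.append("fewer than three of the four character categories")
    return problems


def _digest(account_name: str, password: str) -> str:
    # Stand-in for the credential hash Windows keeps; the account name is mixed
    # in so that identical passwords on different accounts do not collide.
    return hashlib.sha256(f"{account_name.lower()}\0{password}".encode()).hexdigest()


def change_password(state: AccountState, new_password: str,
                    policy: PasswordPolicy, now: datetime) -> List[str]:
    """Apply the policy; return the violations (an empty list means the change was made)."""
    problems = []
    if state.last_changed is not None and now - state.last_changed < policy.min_age:
        problems.append("Minimum Password Age not yet reached")
    problems += complexity_violations(state.account_name, new_password, policy)
    digest = _digest(state.account_name, new_password)
    recent = state.history[-policy.history_size:] if policy.history_size else []
    if digest in recent:
        problems.append("password found in Enforce Password History")
    if problems:
        return problems
    state.history.append(digest)
    if policy.history_size:
        del state.history[:-policy.history_size]   # remember only the last N
    else:
        state.history.clear()
    state.last_changed = now
    return []


def demo() -> dict:
    """Walk one constructed account through weak, good, too-soon and reused passwords."""
    policy = PasswordPolicy(history_size=3, min_age=timedelta(days=1), min_length=8)
    acct = AccountState("ARuth")
    t0 = datetime(2005, 1, 3, 9, 0)
    results = {}
    results["weak"] = change_password(acct, "aruth123", policy, t0)      # name + 2 categories
    results["ok"] = change_password(acct, "Brahman~234", policy, t0)
    results["too_soon"] = change_password(acct, "Cello!5678", policy, t0 + timedelta(hours=2))
    results["second"] = change_password(acct, "Cello!5678", policy, t0 + timedelta(days=1))
    results["reuse"] = change_password(acct, "Brahman~234", policy, t0 + timedelta(days=2))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome or 'accepted'}")
```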

Account Lockout Policy

Strong passwords are part of a strong defense against penetration of the system. The ability to sense when someone is attempting to penetrate a system and lock out the applicable account completes the equation. Account lockout policies (Figure 13-28) provide this control.

Figure 13-28 Managing account lockout policy settings



Windows XP has the following policies that control account lockouts:

Account Lockout Duration
Controls how long an account is locked out after the lockout threshold value has been met. Settings of 30 minutes or more will thwart most automated password-guessing attempts.

Account Lockout Threshold
Controls the number of invalid logon attempts against an account before it is locked out. Many organizations set this value to 3.


Reset Account Lockout Counter After
Controls the amount of time that invalid logon attempts will accumulate toward the lockout threshold. If the time set here expires, the lockout counter is reset.
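The three lockout settings interact, and the interaction is clearest as a small state machine replayed over a sequence of logon attempts. This is an added example, not Windows code: the policy values, the account name and the timestamps are constructed, and the event strings stand in for what the Security log would record.

```python
"""Account lockout tracking modelled on the Account Lockout Policy settings
above (Account Lockout Threshold, Account Lockout Duration, Reset Account
Lockout Counter After). Added example, not Windows code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5                                     # Account Lockout Threshold; 0 = never lock out
    duration: Optional[timedelta] = timedelta(minutes=30)  # Account Lockout Duration; None = until unlocked
    reset_after: timedelta = timedelta(minutes=30)         # Reset Account Lockout Counter After


@dataclass
class AccountLockState:
    bad_count: int = 0
    last_failure: Optional[datetime] = None
    locked: bool = False
    locked_until: Optional[datetime] = None   # None while locked means an administrator must unlock


class LockoutTracker:
    """Applies the policy to a stream of logon attempts and records lockouts."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountLockState] = {}
        self.events: List[str] = []           # constructed stand-in for Security log entries

    def _expire_lock(self, st: AccountLockState, now: datetime) -> None:
        # Account Lockout Duration has passed: unlock and start the counter afresh.
        if st.locked and st.locked_until is not None and now >= st.locked_until:
            st.locked, st.locked_until, st.bad_count = False, None, 0

    def attempt(self, now: datetime, user: str, password_ok: bool) -> str:
        st = self.accounts.setdefault(user, AccountLockState())
        self._expire_lock(st, now)
        if st.locked:
            return "LOCKED"                   # refused even when the password is right
        if password_ok:
            st.bad_count, st.last_failure = 0, None
            return "SUCCESS"
        # Reset Account Lockout Counter After: a failure outside the window starts a new count.
        if st.last_failure is not None and now - st.last_failure >= self.policy.reset_after:
            st.bad_count = 0
        st.bad_count += 1
        st.last_failure = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked = True
            st.locked_until = None if self.policy.duration is None else now + self.policy.duration
            self.events.append(f"{now:%Y-%m-%d %H:%M} {user} locked out after {st.bad_count} bad logons")
            return "LOCKED_OUT"
        return "FAILED"

    def unlock(self, user: str) -> None:
        """Administrator clears the lock (the only way out when duration is None)."""
        self.accounts[user] = AccountLockState()


def demo() -> Tuple[List[str], List[str]]:
    """Replay a constructed sequence of logon attempts for one account."""
    policy = LockoutPolicy(threshold=3, duration=timedelta(minutes=30),
                           reset_after=timedelta(minutes=15))
    tracker = LockoutTracker(policy)
    day = datetime(2005, 1, 3)
    attempts = [  # (clock, password correct?)
        (day.replace(hour=9, minute=0), False),
        (day.replace(hour=9, minute=5), False),
        (day.replace(hour=9, minute=25), False),  # 20 min gap: counter reset, this counts as 1
        (day.replace(hour=9, minute=26), False),
        (day.replace(hour=9, minute=27), False),  # third failure inside the window: locked out
        (day.replace(hour=9, minute=28), True),   # right password, still refused
        (day.replace(hour=9, minute=58), True),   # 30 min later the lock has expired
    ]
    outcomes = [tracker.attempt(t, "ARuth", ok) for t, ok in attempts]
    return outcomes, tracker.events


if __name__ == "__main__":
    outcomes, events = demo()
    print(outcomes)
    print("\n".join(events))
```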

USING CACHED CREDENTIALS IN WINDOWS XP


Windows XP operating in a standalone environment contains all the security properties for users within its own security management database. When it is a member of a domain, however, it relies on the domain's Active Directory to authenticate users during logon and while performing tasks that require authentication. The requirement of having Active Directory available for authentication would pose a problem for mobile users or workstation users when a domain controller is not available if it were not for the ability of Windows XP to cache a user's authentication credentials for use while offline. Cached credentials are also used to make logging on quicker by allowing a user to be authenticated locally before network services are fully launched during startup.

Understanding Cached Credentials


By default, Windows XP caches the logon credentials of the last 10 users who have logged on to a system. A user can continue to log on and use a system that might not be able to communicate with a domain controller, such as a notebook computer away from the home office or a workstation during an outage of a domain controller at the user's site. When cached credentials are in use, the user cannot access data stored in his home folder and the system will not run logon scripts that might be used to connect him to additional network resources.

Managing Cached Credentials


Cached credentials are encrypted and stored in a hidden portion of the registry. You can control the number of logons that are cached by using Local Security Policy (Figure 13-29). You can change the value of the Interactive Logon: Number Of Previous Logins To Cache setting. Setting it to 0 disables cached credentials.


Figure 13-29 Managing cached credentials



Troubleshooting Cached Credentials


Issues arising from the use of cached credentials can take the following forms:

Cached credentials are out of date
If a user's credentials are out of date (for instance, if her password has been changed), she might attempt to access resources that already know about the new password. In this case, she is presented with an additional logon dialog box before she can access the resource.

User does not have credentials cached
If the user has not logged on to a system before and a domain controller is not available, she will not be allowed to log on because her credentials are not yet cached. In this case, a domain controller must be made available to the system before the user can log on.

Cached credentials are disabled on a notebook computer
If a traveling user is using a notebook computer that has had cached credentials disabled, she will not be able to log on because the notebook computer will not have credentials cached for her.


SUMMARY

User accounts are used to control access to resources in Windows XP. You can collect user accounts into groups and control permissions to resources by group to simplify resource management.

User rights are used to control the tasks that users can perform with the Windows XP operating system. Rights differ from permissions in that they typically relate not to access control but to a user's ability to perform certain tasks.

Plan user accounts and resource permissions by gathering resources, such as files, into collections. Assign permissions to user groups based on their access requirements.

Use a naming convention to ensure that usernames are uniform and meaningful to your organization. This might include deciding to handle potential duplicate usernames by adding a middle initial or a number.

Require complex passwords to strengthen security. Passwords can be strengthened by increasing their length and complexity. Methods of increasing complexity might involve mixing uppercase and lowercase letters, numbers, and nonalphanumeric characters.

User accounts can be managed with Local Users and Groups in Computer Management or in a custom user management console. You can also manage them using the User Accounts application in Control Panel and at the command line using the NET USER command.

Cached credentials allow users to access local resources during periods when domain controllers are not available. They are stored in the registry. Before cached credentials can be used to access a system, the user must have logged on while the system was in communication with a domain controller.

REVIEW QUESTIONS
1. You are configuring users and groups on a Windows XP system that is used as a file and print server. Using built-in groups, which group would you place users in to allow them to add users and install applications?
a. Administrators
b. Power Users
c. Users
d. Backup Operators


2. A user accessing files on your system across the network is a member of which implicit group(s)? (Choose all correct answers.)
a. Creator Owner
b. Everyone
c. Interactive
d. Network

3. Which of the following command-line commands will change Andy Ruth's password?
a. NET USER ARuth /Passwordchg:Brahman~234
b. NET USER ARuth Brahman~234
c. NET USER ARuth Brahman~234 /D
d. NET USER /U:ARuth /P:Brahman~234

4. Which of the following tools can you use to add, manage, and remove local user accounts in Windows XP? (Choose all correct answers.)
a. Computer Management
b. User Manager
c. NET USER
d. Active Directory Users and Computers

5. Which of the following Net.exe commands adds the users CGarcia, RWalters, and LMather to the Finance Local Group?
a. Net Group Finance CGarcia RWalters LMather /Add
b. Net Localgroup Finance CGarcia RWalters LMather
c. Net Group Finance CGarcia RWalters LMather
d. Net Localgroup Finance CGarcia RWalters LMather /Add

6. Which of the following tasks can you perform with the User Accounts tool in Control Panel? (Choose all correct answers.)
a. Add users
b. Add groups
c. Rename users
d. Change users' passwords


7. Which of the following user rights are required to allow a user to log on to a system and back up files and folders to tape? (Choose all correct answers.)
a. Access This Computer From A Network
b. Log On Locally
c. Backup Files And Directories
d. Restore Files And Directories

8. A notebook computer user calls you from a hotel room. Her notebook computer was assigned to her for this trip, and she didn't have time to log on and check it before she left. She cannot log on, and she gets an error message that says a domain controller cannot be found. What could be causing her problem? (Choose all correct answers.)
a. Her user account was not added in Local Users and Groups.
b. Cached credentials are disabled for that computer.
c. She never completed a domain logon to cache her logon credentials.
d. Her notebook computer is not a domain controller.

CASE SCENARIOS
Scenario 13-1: Designing Accounts for a Field Office
You have been hired to set up user accounts for a small sales office for a heavy equipment manufacturer. The office has four salespeople, a manager, and two part-time receptionists. The system used for file storage has three folders set up for document storage. See Figure 13-30 for an illustration.

Figure 13-30 Sales office in need of user account management (folders shown: Sales Reports, Marketing Materials, Management Documents; roles shown: Sales, Receptionists, Manager)


The receptionists help the sales force with sales reports and are also responsible for maintaining documents in the Marketing Materials folder as they come in from the home office. The salespeople need to be able to work on their own reports and print marketing materials as needed. The office manager needs access to all folders and is also responsible for maintaining documents in the Marketing Materials folder as they come in from the home office. Answer the following questions about this scenario:
1. List the user groups you would set up in this scenario.
2. Which groups should have access to modify the contents of the Marketing Materials folder?
3. What level of permission should the receptionists have to each folder?
a. Modify permission to all folders
b. Modify permission to Sales Reports and Marketing Materials, none to Management Documents
c. Modify permission to Sales Reports and Marketing Materials, Read permission to Management Documents
d. Modify permission to Sales Reports, Read permission to Marketing Materials, none to Management Documents

Scenario 13-2: Protecting Files on a Military System


You are hired as a civilian contractor on a military installation. You are assigned to manage the commanding general's computer. He wants to be sure that documents on the computer are accessible only by him, and not even by administrators. Answer the following questions about this scenario:
1. If all the sensitive files are in a single folder, what permissions should you give to that folder?
2. Administrators can use their ownership privileges to change permissions even when they do not have access, so how can you assure the general that the files can never be seen by administrators? (Choose the two answers that form the correct response.)
a. Remove the Administrators group's privilege to take ownership of files on that computer.
b. Remove all users from the Administrators group.
c. Have the general take ownership of the folder.
d. Assign the Administrators group Deny Take Ownership on the folder.

CHAPTER 14

CONFIGURING AND MANAGING COMPUTER SECURITY


Upon completion of this chapter, you will be able to:
Configure and manage Local Security Policy
Manage security configuration with templates
Establish and monitor a security audit policy

This chapter expands on the security topics discussed in earlier chapters. You will learn more about the Local Security Policy console and the related Domain Security Policy console. We will explore security policy templates and their use in configuring multiple systems to a standard security profile. Finally, we will discuss implementing a security audit policy and monitoring security audit logs.


UNDERSTANDING SECURITY POLICY


Policy-based management has been a goal for the Windows desktop and server operating systems for a long time. Beginning with Windows 2000, policy management was unified under a single model that was applicable to any level of a network infrastructure. Using Group Policy, you could apply a security policy to a domain and have it apply to every computer in the domain. This dramatically simplified security configuration for many organizations. In this section, we will discuss policy-based management of security configurations. We will begin by exploring Local Security Policy. You will learn how to configure security settings on an individual system and then see how that method can be applied to hundreds or even thousands of systems by just changing the scope of control. You will learn how you can set default security policy for an entire enterprise in just a few hours.

Local Security Policy


Local Security Policy is a subset of the Group Policy structure for a system. You configure it in the Security Settings section of the Group Policy console (Gpedit.msc). This section is located under Windows Settings in Computer Configuration (Figure 14-1).

Figure 14-1 The Security Settings section of the Group Policy console

You can also display Local Security Policy directly by opening the Local Security Policy console (Figure 14-2). This console has only settings directly related to computer security, so it is favored by administrators who want to concentrate solely on security. You can launch this console from the Administrative Tools menu or by executing Secpol.msc.


Figure 14-2 The Local Security Policy console



The Account Policies section of Local Security Policy includes settings related to passwords and account lockout (discussed in Chapter 13). The Local Policies section is for configuring security auditing, assigning user rights, and Windows XP security configuration:

Audit Policy
Specifies activities that will be audited and recorded in the system's Security event log. These can include successful and unsuccessful logons, use of resources, and use of privileges. We will discuss these options in more detail later in this chapter.

User Rights Assignment
Specifies which tasks or roles a user can perform on a system. User rights (covered in Chapter 13) include the ability to shut down the system or to log on to the system interactively.

Security Options
Includes more than 60 security options, some relating to use in an Active Directory domain but most of them directly affecting local system operation. (See Figure 14-2 above.)

Security options

The most important system-related security options are:

Accounts: Administrator Account Status
Allows an Administrator to disable the local Administrator account. Disabling the account means it cannot be used in attempts to penetrate the system.

Accounts: Guest Account Status
Allows you to enable the Guest account, which is disabled by default. Enabling this setting prevents it from being enabled by using Local Users and Groups.

Accounts: Rename Administrator Account
Allows you to rename the Administrator account. This prevents attempts to use the Administrator account by name. Attempts to access the Administrator account by using its security identifier (SID), however, can still work.

Accounts: Rename Guest Account
Allows you to rename the Guest account. Attempts to access the Guest account by using its SID can still work.

Audit: Shut Down System Immediately If Unable To Log Security Audits
Specifies a system shutdown if the security audit log becomes full. This prevents hackers from disguising their activities by overflowing the Security log. It also ensures that all auditable events are recorded. Use this setting carefully, however; you want to avoid unintended system shutdowns. This setting is typically used only in systems where security concerns override availability considerations.

Devices: Prevent Users From Installing Printer Drivers
Blocks system users from installing untrusted printer drivers. If this setting is enabled, only administrators and power users are allowed to install printer drivers.

Devices: Restrict CD-ROM Access To Locally Logged-On User Only
Prevents users from accessing the contents of a CD-ROM disk across the network while a user is logged on to the system locally. This avoids contention for the CD-ROM drive.

Devices: Restrict Floppy Access To Locally Logged-On User Only
Prevents users from accessing the contents of a floppy disk across the network while a user is logged on to the system locally. This avoids contention for the floppy drive.

Devices: Unsigned Driver Installation Behavior
Administratively configures the unsigned driver settings in Device Manager. The available options are:
Silently Succeed
Warn But Allow Installation
Do Not Allow Installation
Not Defined
NOTE

For a review of the implications of using unsigned drivers, see the section on driver signing in Chapter 4.

Interactive Logon: Do Not Display Last User Name
Causes Windows XP to clear the Username field in the Log On To Windows dialog box. This setting prevents unauthorized users from seeing the previous user's username. Not having a username to crack makes it much harder to mount an attack.

Interactive Logon: Do Not Require CTRL+ALT+DEL
Disables the requirement to use the CTRL+ALT+DEL sequence to log on to Windows. (This secure sequence prevents a program from mimicking a logon dialog box to capture usernames and passwords.) Use this setting to allow those with accessibility concerns to more easily log on to Windows.

Interactive Logon: Message Text For Users Attempting To Log On
Allows an administrator to configure a logon banner that can display a legal warning or other banner message prior to logon. This can make the prosecution of an attacker more successful because there can be no question about your policy regarding unauthorized access.

Interactive Logon: Number Of Previous Logons To Cache (In Case Domain Controller Is Not Available)
Configures the number of previous logons to cache for use with cached credentials (as covered in Chapter 13).

Interactive Logon: Prompt User To Change Password Before Expiration
Specifies display of a warning to users when their password is nearing expiration, to give them time to construct another complex password.

Interactive Logon: Require Smart Card
Requires a user to present a smart card for authentication. This allows an organization to enforce smart card use if its systems are configured for smart card authentication. (Smart card authentication requires a public key infrastructure [PKI] to support the use of smart card certificates.)

Interactive Logon: Smart Card Removal Behavior
Configures how the system responds when a user removes her smart card. Available options are:
No Action
Lock Workstation
Force Logoff
Not Defined

Network Access: Let Everyone Permissions Apply To Anonymous Users Reverses the removal of anonymous users from the Everyone user group. If you enable this setting, anonymous users (users who have not provided identity information to enumerate shares and account names in the system) are placed in the Everyone group on the system, potentially increasing the security exposure of your system.


Shutdown: Allow System To Be Shut Down Without Having To Log On
Allows a user to access the Shut Down command in the Log On To Windows dialog box. If this setting is disabled, a user has access to this command only if she is first authenticated by the system and then granted the right to shut down the system. You can use this setting in concert with the Shut Down The System user right to protect against shutdowns by unauthorized users.

Shutdown: Clear Virtual Memory Page File
Ensures that any sensitive information in the virtual memory page file cannot be accessed by booting the computer into another operating system. When this setting is enabled, the page file is cleared each time the system is shut down. Enabling this setting increases shutdown times.

Domain Security Policy


The Domain Security Policy console (Figure 14-3) is nearly identical to the Local Security Policy console. The principal difference is in the scope of the policy it manages. Domain Security Policy is applied at the domain level and applies to every computer that is part of the domain. Domain Security Policy overrides even Local Security Policy, ensuring every system has consistent security settings.

Figure 14-3 Domain Security Policy console



NOTE

You can also define security policy at the organizational unit (OU) level. OU-level policies override domain-level policies, allowing domain administrators to create exceptions for a certain class or group of computers. An example of this practice can be found in the Domain Controllers OU in Active Directory.


MANAGING SECURITY POLICY


One great advantage of using Group Policy to implement security settings is that you can collect a group of settings into a single template. You can create or change templates using the Security Templates Microsoft Management Console snap-in, and you can use templates with the Security Configuration and Analysis snap-in to configure Local Security Policy. We will discuss how to manage templates with both tools.
NOTE

Domain administrators can also use security templates to configure Domain Security Policy, which means they can quickly configure security policy for an entire enterprise.

Predefined Security Templates


Windows XP ships with predefined security templates and creates a baseline security template during installation for the purpose of returning any misconfigured settings to their original installation values. The security templates included with Windows XP are:

Setup security.inf
Stores all the security configuration settings that were in effect when the system was installed. By importing portions of this template, you can restore faulty security configurations to their initial settings. This is a large template, so you should not use it in a domain setting to apply security configurations to a large number of systems.
CAUTION

Do not modify Setup security.inf; you might need to revert to these settings someday. If you want to work with this template, copy it and make modifications to the copy.

Compatws.inf
Relaxes certain file system and registry settings to allow programs not compatible with Windows XP to operate without the need to elevate users to power user status. This template also removes all users from the Power Users group. (Some users might really belong in the Power Users group, so be sure to restore them after applying this template.)

Securews.inf
Configures security settings that are least likely to affect application compatibility. They include:
Stronger password, account lockout, and audit settings
Strong authentication for connections to servers
Restrictions on anonymous access to enumerating shares and usernames


The Securedc.inf template is similarly configured but is intended for use with domain controllers.

Hisecws.inf
A template designed for maximum workstation security. It removes all but the Local Administrator and Domain Admins from the Administrators group and removes all users from the Power Users group. It also requires strong authentication between clients and servers. Hisecdc.inf is the equivalent template for domain controllers.

Rootsec.inf
Applies default root file system security settings to a workstation. This template is useful when the initial installation permissions might have been modified.
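The templates above are plain INI-style files, and the two operations the Security Configuration and Analysis snap-in performs on them (compare a system against a template, then import a section of the template) can be shown directly. This is an added example, not Microsoft code or any of the shipped templates: both templates are constructed, with only a [System Access] section whose keys are the ones secedit .inf files use for the Account Policies settings covered in Chapter 13, and the values are illustrative.

```python
"""Security-template analysis modelled on the Security Configuration and
Analysis snap-in. Added example, not Microsoft code; templates are constructed."""
import configparser
from typing import Dict, List, Optional, Tuple

Template = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, Optional[str], str]   # (key, expected, actual, status)

# Which Local Security Policy setting each [System Access] key corresponds to.
POLICY_NAMES = {
    "PasswordHistorySize": "Enforce Password History",
    "MaximumPasswordAge": "Maximum Password Age",
    "MinimumPasswordAge": "Minimum Password Age",
    "MinimumPasswordLength": "Minimum Password Length",
    "PasswordComplexity": "Password Must Meet Complexity Requirements",
    "ClearTextPassword": "Store Password Using Reversible Encryption",
    "LockoutBadCount": "Account Lockout Threshold",
    "LockoutDuration": "Account Lockout Duration",
    "ResetLockoutCount": "Reset Account Lockout Counter After",
}

# Constructed baseline: what the organization wants every workstation to have.
BASELINE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of a misconfigured system (reversible encryption on, no lockout).
CURRENT_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_template(text: str) -> Template:
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str   # keep key case as written; configparser lowercases by default
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def analyze(baseline: Template, current: Template, section: str = "System Access") -> List[Finding]:
    """Like Analyze Computer Now: one finding per baseline setting the system deviates from."""
    findings: List[Finding] = []
    have = current.get(section, {})
    for key, expected in baseline.get(section, {}).items():
        actual = have.get(key)
        if actual is None:
            findings.append((key, expected, None, "NOT CONFIGURED"))
        elif actual != expected:
            findings.append((key, expected, actual, "MISMATCH"))
    return findings


def apply_section(current: Template, baseline: Template, section: str = "System Access") -> Template:
    """Import one section of the template: baseline values win, other sections are left alone."""
    merged = {name: dict(values) for name, values in current.items()}
    merged.setdefault(section, {}).update(baseline.get(section, {}))
    return merged


def render(template: Template) -> str:
    """Write a template back out in the same INI layout."""
    lines: List[str] = []
    for section, values in template.items():
        lines.append(f"[{section}]")
        lines.extend(f"{key} = {value}" for key, value in values.items())
    return "\n".join(lines) + "\n"


def report(findings: List[Finding]) -> List[str]:
    """Human-readable findings using the policy names shown in the console."""
    return [f"{POLICY_NAMES.get(k, k)}: expected {e}, found {a if a is not None else 'nothing'} ({s})"
            for k, e, a, s in findings]


if __name__ == "__main__":
    base, cur = parse_template(BASELINE_INF), parse_template(CURRENT_INF)
    for line in report(analyze(base, cur)):
        print(line)
    print(render(apply_section(cur, base)))
```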

Creating a Custom Security Policy Management Console


To view, create, and modify security templates, you use the Security Templates Microsoft Management Console snap-in. To analyze and apply security settings from a template, you use the Security Configuration and Analysis snap-in. To make all these management tasks easier, you can create a custom Security Policy Management console that includes these two snap-ins. You can do so by modifying an existing custom Microsoft Management Console session or creating a new console. In this section, we will construct a new custom console. To create the custom console, take these steps:

1. Open a blank Microsoft Management Console session by choosing Start | Run and entering mmc in the Run dialog box. Click OK to launch the Microsoft Management Console (Figure 14-4).


Figure 14-4 Opening a blank Microsoft Management Console session


2. Choose File | Add/Remove Snap-in to open the Add/Remove Snap-in dialog box. Click Add to open the Add Standalone Snap-In dialog box (Figure 14-5).


Figure 14-5 Choosing a standalone snap-in

3. Select Security Templates, and click Add. This adds the snap-in used to modify security configuration templates.
4. Select Security Configuration And Analysis. Click Add to add it to the new console as well.
5. Click Close to close the Add Standalone Snap-In dialog box, and click OK to close the Add/Remove Snap-In dialog box. This leaves you with a console you can use to design and apply security templates (Figure 14-6).

Figure 14-6 Your new Security Policy Management console

6. Save the new console with a descriptive name, such as Security Policy Management Console.msc.

470

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Viewing, Modifying, and Creating a Security Template


To view, modify, or create a security template, expand the Security Templates snap-in in your custom console. You will see the Security Templates folder listed; this is where security templates are stored.

Viewing a template Expand the Security Templates folder to see the default templates. Expand a template to see its Local Security Policy settings (Figure 14-7).

Figure 14-7 Viewing a security template

Modifying a template After expanding a template in the Security Templates folder, double-click any Local Security Policy setting you want to manage (Figure 14-8). Specify the settings you want, and save your modified template by right-clicking the template name and choosing Save or Save As (Figure 14-9). Your settings will apply to any computer or domain to which this template is applied. The newly saved template appears with the other templates in the Security Templates snap-in for future modification (Figure 14-10).

Figure 14-8 Configuring a setting in the Compatws.inf template

Figure 14-9 Saving a custom security template

Figure 14-10 The new template

Creating a new template Instead of using a standard template as a baseline for a new template, you can also begin with a new, blank template. Right-click the Security Templates folder and choose New Template (Figure 14-11). This creates a new template with no settings defined. You can name it and then open it to configure security policy settings.

Figure 14-11 Creating a new security template

Analyzing and Configuring Security Settings


Once you have created or modified a template, you can compare its settings with those on a live system and then apply them to that system's security policy. You do this using the second tool in our custom console, the Security Configuration and Analysis snap-in (Figure 14-12). This snap-in manages a database of security configuration settings and compares it with the live system, so you can see exactly how a template would change security on the system you are evaluating before you apply it.

Figure 14-12 The Security Configuration and Analysis snap-in


Creating a security configuration database To begin analyzing security for a system, you must first create a security analysis database. This database holds the security template settings and allows them to be compared against the actual system configuration.

1. Right-click the Security Configuration And Analysis item in your custom console and choose Open Database (Figure 14-13). In the Open Database dialog box, type a name for the database, and click Open.

Figure 14-13 Creating a security configuration database

2. In the list of security templates you can import, choose the appropriate template (Figure 14-14). Click Open.

Figure 14-14 Importing a security template

The template you select is used for comparison with the actual system settings. If you have previously imported a template, select the Clear This Database Before Importing check box to remove any previous items.

Analyzing and configuring security settings in the template Using the security configuration database you have created, you can analyze or configure the security settings in your template. Analyzing security settings means comparing the system's existing settings with those in the security template you have imported. Configuring the security settings means actually applying the settings in the template.
CAUTION

Do not configure the security settings in the template until you are certain they are correct for your application. Applying a template cannot be undone by removing the template; the snap-in has no undo. Before you click Configure Computer Now, export the computer's current settings to a template file with Secedit.exe /export (described later in this chapter), so that you have a known-good configuration to reapply. Failing that, the only ways back are to import and apply the Setup Security template, which returns every setting it covers to the state originally installed (and so discards any desirable changes you made in the interim), or to perform a System Restore from a restore point saved before the template was applied, which reverts registry-based settings but does not restore NTFS permissions the template changed on data folders.

To analyze or configure security settings in a template, take these steps:

1. Right-click Security Configuration And Analysis in your custom console, and choose Analyze Computer Now (Figure 14-15). When prompted, specify a log file for errors, and the analysis runs.

Figure 14-15 Analyzing computer security settings

2. When the analysis is complete, browse to the settings you want to evaluate (Figure 14-16). A red circle with a white X marks a setting that does not match the template; a green check mark marks one that does. A setting the template does not define is shown as Not Defined and is neither compared nor changed.

Figure 14-16 Security analysis results

3. If you want the items marked with the red circle and white X to conform to the security template, right-click Security Configuration And Analysis and choose Configure Computer Now. This applies every setting stored in the database, not only the ones you inspected, so review the whole analysis before you do so.

Exporting Security Templates


If you have already applied the exact security configuration you need to your entire system, you can export those security settings to a template file. You can import this template into Domain Security Policy or the security policy for an OU to define security settings for all systems in that domain or unit.

To export a security template, take these steps: 1. Right-click Security Configuration And Analysis in your custom console and choose Export Template (Figure 14-17).

Figure 14-17 Exporting a security template

2. In the Export Template To dialog box, specify a name for the template and then click Save. You can now use the exported template to configure security on other systems.

Managing Security Policy with Secedit.exe


You can also configure security from a command prompt, by using the Secedit.exe command (Figure 14-18).

Figure 14-18 Using Secedit.exe to analyze system configuration against a security template

Among the options this command supports are the following four (the syntax shown is that of Windows XP):

/Analyze Analyzes the current configuration against a specified template, in much the same way as the Security Configuration and Analysis snap-in. The template is imported into the database you name, and the differences are written to the log file.

    secedit /analyze /db FileName.sdb [/cfg FileName.inf] [/log FileName.log] [/quiet]

/Configure Configures system security to conform to the specified template. Add /overwrite to discard whatever the database already held before the template is imported; /areas limits the change to selected parts of the template (SECURITYPOLICY, USER_RIGHTS, GROUP_MGMT, REGKEYS, FILESTORE, SERVICES).

    secedit /configure /db FileName.sdb [/cfg FileName.inf] [/overwrite] [/areas Area1 Area2 ...] [/log FileName.log] [/quiet]

/Export Exports the security configuration stored in a database as a template file. With no /db, the system database, which holds the configuration currently in effect, is used, which makes this the way to record a computer's settings before you change them.

    secedit /export [/db FileName.sdb] [/mergedpolicy] /cfg FileName.inf [/areas Area1 Area2 ...] [/log FileName.log] [/quiet]

/Validate Validates the structure and syntax of the specified template file. Run this before you import a template to make sure it contains no errors of file format or syntax.

    secedit /validate FileName.inf
NOTE

For more on the syntax and use of Secedit.exe, search on Secedit in the Windows XP Help and Support Center.
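The Secedit.exe workflow just described, scripted end to end, as an added example that is not part of the book: it writes a small custom template, validates it, exports the current configuration as a way back (the snap-in offers no undo), analyzes the computer against the template, and applies the template only as a deliberate last step. It assumes that Windows PowerShell is installed on the workstation (it is not part of Windows XP; the same secedit commands can be typed at a cmd prompt), that the session runs as a member of Administrators, and that the C:\SecPolicy path, the file names, and the particular settings in the template are this example's choices rather than the book's. The .inf format is the one the Security Templates snap-in writes; the Security-log size and retention key names follow Microsoft's predefined templates.

```powershell
# Added example, not from the book. Assumes PowerShell on the XP workstation,
# an administrative session, and that C:\SecPolicy is free to use.
$work     = 'C:\SecPolicy'
$template = Join-Path $work 'Register-Audit.inf'
$rollback = Join-Path $work 'Before-Register-Audit.inf'
$db       = Join-Path $work 'Register-Audit.sdb'
$log      = Join-Path $work 'Register-Audit.log'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# A small custom template in the .inf format the Security Templates snap-in
# uses. [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure,
# 3 = success and failure. Log size is in KB, as in Event Viewer; retention
# period 1 = overwrite events older than the given number of days.
# [Registry Values] lines are path=type,data with 1 = REG_SZ, 4 = REG_DWORD.
# The here-string is single-quoted so that $CHICAGO$ is written literally.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditSystemEvents = 3
MaximumSecurityLogSize = 65536
AuditSecurityLogRetentionPeriod = 1
SecurityRetentionDays = 7
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption=1,"Authorized use only"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText=1,"This system is monitored. Unauthorized access will be prosecuted."
'@ | Set-Content -Path $template -Encoding Unicode

# 1. Catch file-format and syntax errors before the template touches anything.
secedit /validate $template

# 2. Record the configuration currently in effect. There is no undo after
#    /configure, so this exported template is the way back.
secedit /export /cfg $rollback /log $log

# 3. Analyze against a fresh database (a stale one would carry old settings).
#    secedit writes one "Mismatch" line per setting /configure would change.
if (Test-Path $db) { Remove-Item $db }
secedit /analyze /db $db /cfg $template /log $log
Get-Content $log | Select-String -Pattern 'Mismatch|Error'

# 4. Apply only after the mismatch list has been reviewed. /overwrite makes
#    the database hold this template alone before it is applied.
secedit /configure /db $db /cfg $template /overwrite /log $log
```

To fall back, run step 4 again with $rollback in place of $template. Keep the exported rollback file somewhere the template's own changes cannot reach, because it is the only record of the settings you replaced.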

MANAGING SECURITY AUDIT POLICY


Perhaps the most important aspect of security planning and implementation is determining whether your efforts have been successful. Unwatched, a hacker can gain access to sensitive documents, copy them, and exit your systems without your knowledge. Only by monitoring the actions of users working with sensitive data can you know whether security has been compromised.

Actions That Can Be Audited


The auditing of each type of action can detect a different type of suspicious activity. You can configure audit policies to record events in the system's Security log for the following actions:

Successful and unsuccessful account logon events An account logon event is generated on the computer that validates the credentials: the domain controller for a domain account, or the local computer for one of its own local accounts, including when another computer presents that account over the network. Recording these events shows which accounts are being used, and from where, to reach resources their owners have no legitimate need to access.

Successful and unsuccessful user account management An event of this type is generated each time an administrator manages another user's account. Auditing these events helps ensure that administrators are not colluding with other users in theft or espionage by elevating their access temporarily and then returning it to normal.

Directory service access This type of event is generated for each attempt to access objects in Active Directory that have system access control lists (SACLs) defined. You can define SACLs on particular Active Directory objects to see who is accessing them; this policy activates the actual logging of those accesses. Note that this is a two-part setting. To audit access successfully, you must activate auditing with this policy and then establish SACLs on the objects you want to audit, on the Security tab of the Properties dialog box for each object.

Successful and unsuccessful logon events This event logs attempts to log on to the local computer, either interactively at the keyboard or over the network (for example, to reach a shared folder). Unsuccessful attempts might indicate a penetration attempt. This policy differs from account logon events in that it records logons to this computer, whoever validated the credentials. In a workgroup, a network logon with a local account produces both kinds of event on the computer being accessed, which gives you two records to corroborate.

Successful and unsuccessful object access This type of event tracks attempts to access resources on the system: files, folders, printers, or even registry keys. To track this action, you must enable auditing with a security policy and configure a SACL on the object or objects you want to audit.

Policy changes This event records changes to policies themselves, including audit policies. This is another important action to audit if administrator collusion in theft or espionage is suspected.

Use of user rights and privileges This event monitors the use of user rights such as Shut Down The System, to determine whether any users are abusing their rights. For example, you can monitor the use of the Take Ownership privilege to help detect improper access to sensitive documents.

Audit process tracking This event helps developers monitor the behavior of their programs. It enables auditing for process startup, object access by the process, process failures, and process shutdown.

System events such as startups and shutdowns This series of events helps you track who is restarting or shutting down the system, and so whether an administrator is installing unauthorized software or restarting the system to cover suspicious activity.

In addition to the audit types, which are configured under Audit Policy, three related settings are configured in the Security Options area of Local Security Policy. (The first two generate large volumes of audit log entries, so keep log management in mind if you are considering them.)

Audit The Access Of Global System Objects Causes named kernel objects such as mutexes, semaphores, events, and DOS devices to be created with a default SACL, so that access to them is recorded when object access auditing is enabled. Suspicious programs might manipulate these objects to work around security.

Audit The Use Of Backup And Restore Privilege When privilege use auditing is enabled, records every use of the Back Up Files And Directories and Restore Files And Directories privileges, which let users read or write objects they do not normally have permission to touch. An event is generated for every file backed up or restored, so this setting is extremely noisy, but it can expose attempts to use backup privileges to copy files for malicious purposes, such as espionage.

Shut Down The System Immediately If Unable To Log Security Audits Shuts the system down if a security event cannot be written, so that no auditable event is missed. For this to be meaningful, the Security log must also be configured with an adequate maximum size and set not to overwrite entries; with Overwrite Events As Needed, the log never becomes unwritable and the setting never triggers.

Planning an Audit Policy


Effective auditing requires careful planning. You need to know your auditing goals and what type of information you require from the process, and you must make an administrator responsible for managing the event log and reporting suspicious activity to the proper people.

Determining audit requirements Before setting up auditing on a system, you must fully understand the types of threats you are looking for. Are you mainly concerned about attempts to access the system from the keyboard? Or are you more concerned about unauthorized access over the Internet? Knowing the answer will help you choose meaningful events to audit and keep you from logging unnecessary ones. Sit down and define the likely threats. Determine which audits can best detect those threats, and then implement them. Do not audit successful object accesses if you only need to know when someone is attempting to access items he does not have permission to access. Consider whether success or failure logging is more appropriate.

Selecting objects for auditing Once you have determined what types of suspicious activity you are looking for, decide which objects need to be audited. Do you want to enable auditing of every object in a certain directory tree, or would you be better served by setting a trap and auditing only certain attractive files?

Assigning responsibility for monitoring Assign an administrative user the task of monitoring the audit logs. If events occur and the logs are ignored, they might as well have never been audited. If you are concerned about missing a critical entry, set a maximum security log size and configure Windows to shut down when the file is full.
CAUTION

Configuring Windows to shut down when the Security log is full exposes the system to a denial of service by an attacker who deliberately generates events to fill the log. The shutdown takes the form of a STOP error (a blue screen), and after it only members of the Administrators group can log on until the log has been cleared and the setting re-enabled. This setting is typically used only on systems where audit entries must never be lost, which is a requirement only on highly secure systems.

Implementing and Managing an Audit Policy


In this section, we present common audit scenarios and show how to configure auditing for each. We begin with the Security event log and its configuration.

Configuring the Security event log The first task to perform when setting up an auditing infrastructure is to configure the size and behavior of the Windows Security event log. By doing so, you can ensure that security audit events are processed according to your needs.

1. Launch Event Viewer by selecting it in Computer Management or by executing Eventvwr.msc.

2. Right-click the Security log (Figure 14-19), and select Properties. The Security Properties dialog box opens, showing the current size of the log and allowing you to manage settings related to it.

Figure 14-19 Opening the Properties dialog box for the Security log in Event Viewer

3. Set the maximum log size, and specify the action to take when the log reaches its maximum size (Figure 14-20).

Figure 14-20 The Security Properties dialog box in Event Viewer

The available options are:

Log Size Sets the upper size limit for the Security log, in KB. Experience will determine the size you need to support your auditing: watch the current size, and increase this value if necessary to make sure the log does not overflow.

Overwrite Events As Needed Allows events to be overwritten, oldest first, so that newer events can be written when the log is full. This option increases the risk from an attacker who generates a large number of spurious events so that the entries recording the attack are overwritten.

Overwrite Events Older Than X Days Ensures that events less than X days old are not overwritten. This gives you time to detect problems, but if the log reaches its maximum size before the oldest entries reach the deletion threshold, it fills up and stops logging events.

Do Not Overwrite Events (Clear Log Manually) Ensures that no events are overwritten. This option requires you to pay close attention to the log, because logging of audit events stops once the log is full. (If you have also enabled the policy to shut down the system when security events cannot be logged, the system shuts down when this log gets full.)

NOTE

If you are managing a security log manually, you can use the Clear Log button to remove events that have already been evaluated.

Monitoring NTFS object access Once the Security event log is configured, you can enable auditing on the NTFS objects you have decided need it. Configuring auditing on NTFS objects is a two-step process: enable the policy, then place a SACL on each object.

1. Enable auditing in Local Security Policy for object access (Figure 14-21) by double-clicking the Audit Object Access policy and choosing Success, Failure, or both. Successful object access events are numerous on normal systems, so they are usually audited for just one specific file or folder rather than for many objects. Failure events, which record attempts to open files the user has no permission to open, are usually more useful in a security audit.

Figure 14-21 Enabling object access auditing in Local Security Policy

2. On the Security tab of the Properties dialog box for the object you want to audit, click Advanced to open the Advanced Security Settings dialog box for the object (Figure 14-22).

3. On the Auditing tab, click Add to select the users or groups you want to monitor.

4. Click OK to open the Auditing Entry dialog box (Figure 14-23).

5. Select the operations to monitor, and then click OK. This creates the SACL for the object that controls the auditing.

Figure 14-22 The Auditing tab for an NTFS folder object


Figure 14-23 Configuring an SACL for an NTFS folder object
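The five steps above, done from the command line instead of the Properties dialog box, as an added example that is not the book's: it places a SACL on a shared data folder so that every successful delete by any user is recorded, the case Review Question 6 later in this chapter asks about. It assumes that PowerShell is installed on the workstation, that the session runs as an Administrator (which holds the Manage Auditing And Security Log right needed to write a SACL), that Audit Object Access has already been set to Success in Local Security Policy (step 1), and that D:\Shared\Data is a placeholder path.

```powershell
# Added example, not from the book. Assumes PowerShell, an Administrator
# session, Audit Object Access = Success already enabled in Local Security
# Policy, and that D:\Shared\Data stands in for the folder in question.
$folder = 'D:\Shared\Data'

# One audit entry: Everyone, Delete plus Delete Subfolders And Files,
# inherited by subfolders and files, recorded on success only. Success
# auditing on one folder is what the chapter recommends; a Success SACL
# across a whole tree floods the Security log.
$rights  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Success
$rule    = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                      -ArgumentList 'Everyone', $rights, $inherit, $prop, $flags

# -Audit is required: without it Get-Acl reads the DACL only and there is
# no SACL in the object to add the rule to.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: this is the same list the Auditing tab shows in Figure 14-22.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Once the SACL is in place, a delete shows up in the Security log as an object access event; on Windows XP that is event ID 560 (Object Open) with DELETE in the access list, followed by 564 (Object Deleted), and each names the account that performed it.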



Monitoring user account administration events Monitoring user account administration is not as complex as configuring object access monitoring. All you do is enable the audit policy in Local Security Policy (Figure 14-24).

Figure 14-24 Auditing account management



Auditing both successes and failures will detect both excessive administration (which might indicate administrator collusion in theft or espionage) and failed attempts at administration (which might be a sign of hackers attempting to elevate their privileges). Monitoring shutdown and restart events Suppose you have received reports of unusual downtimes on certain systems. You see a restart event in the system log, but you do not know who is responsible. To find out, you can enable system event auditing (Figure 14-25) to cause an event log entry to be written for each shutdown or restart event.

Figure 14-25 Auditing system events



Auditing both successes and failures detects shutdown and restart attempts by authorized users and attempts to restart the system by those who do not have the right to do so.

Quis Custodiet Ipsos Custodes? (Who Will Guard the Guardians?) An administrator who manages the Security event log can erase his own trail, so if you need to monitor the administrator, look for gaps in the log where it might have been cleared to remove suspicious activity. Clearing the log is itself recorded: the first entry written to the emptied log (event ID 517 on Windows XP) names the account that cleared it. Better still, do not rely on the local log alone. Use Event Viewer (or a third-party log analyzer) remotely, from another computer the administrator does not control, to view and archive the logs frequently, so that a cleared log on the monitored system is itself a finding rather than a loss of evidence.

Monitoring Audit Logs


You can monitor audit logs with the Security event log in Event Viewer. (For a large installation, you might opt for an external log analyzer such as Microsoft Operations Manager 2005 or a third-party product.)

1. Open Event Viewer via Computer Management or by executing Eventvwr.msc.

2. Select the Security log by clicking it in the console tree.

3. Browse events to locate suspicious activity. Open a record by double-clicking it. Each record displays the date and time of the event and provides additional details about it (Figure 14-26).

Figure 14-26 Displaying an NTFS object access success event



Event Viewer also provides tools to find or filter events to locate specific events. The Find dialog box (Figure 14-27), which you open by choosing View | Find, allows you to enter event IDs or other event traits to search on in the event log.

Figure 14-27 Using the Find dialog box to locate events



You can also use the Filter tab of the Security Properties dialog box (Figure 14-28) to filter out all but the events you specify, thereby giving you a cleaner display.

Figure 14-28 Using the Filter tab of the Security Properties dialog box to isolate specific events
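The same review, scripted so that it can be rerun from another computer on a schedule rather than clicked through in Event Viewer, as an added example that is not part of the book: it counts the event IDs that correspond to the audit actions described in this chapter, lists every clearing of the log, pulls the account and source workstation out of failed logons, and flags silent stretches of the kind the "who will guard the guardians" note tells you to look for. It assumes Windows PowerShell 2.0 or later (for Get-EventLog with -ComputerName and -After), that the caller may read the Security log on the target (a member of its Administrators group), and that the Security log is on a Windows XP or Server 2003 system, whose event IDs it uses; Vista and later renumbered them. The message-text layout used to extract names from event 529 is XP's.

```powershell
# Added example, not from the book. Assumes PowerShell 2.0+, read access to the
# target's Security log, and pre-Vista (Windows XP / Server 2003) event IDs.
param(
    [string]$Computer = '.',   # '.' is the local computer
    [int]$Days = 7,
    [double]$GapHours = 4      # a busy register normally logs more often than this
)

$events = @(Get-EventLog -LogName Security -ComputerName $Computer -After (Get-Date).AddDays(-$Days))

# Event IDs that correspond to the audit actions the chapter describes.
$watch = @{
    512 = 'Windows starting up'
    513 = 'Windows shutting down'
    517 = 'Audit log cleared'
    529 = 'Logon failed: unknown user name or bad password'
    539 = 'Logon failed: account locked out'
    540 = 'Successful network logon'
    560 = 'Object opened (object access)'
    564 = 'Object deleted'
    612 = 'Audit policy changed'
    624 = 'User account created'
    630 = 'User account deleted'
    636 = 'Member added to local group'
    642 = 'User account changed'
}

# Counts per watched ID, busiest first.
$events | Where-Object { $watch.ContainsKey($_.EventID) } |
    Group-Object EventID | Sort-Object Count -Descending |
    ForEach-Object { '{0,5} x {1,-4} {2}' -f $_.Count, $_.Name, $watch[[int]$_.Name] }

# Who guards the guardians: clearing the log is the first event written to
# the emptied log, and it records the account that did it.
$events | Where-Object { $_.EventID -eq 517 } |
    Select-Object TimeGenerated, UserName, MachineName

# Failed logons. The account tried and the workstation it came from are in
# the message text, not in the UserName column (layout of XP's event 529).
$events | Where-Object { $_.EventID -eq 529 } | ForEach-Object {
    $user = if ($_.Message -match 'User Name:\s+(\S+)') { $matches[1] } else { '?' }
    $from = if ($_.Message -match 'Workstation Name:\s+(\S+)') { $matches[1] } else { '?' }
    '{0}  failed logon as {1} from {2}' -f $_.TimeGenerated, $user, $from
}

# Gap check: a stretch longer than $GapHours with nothing logged, on a
# machine that normally logs continuously, is worth explaining.
$sorted = @($events | Sort-Object TimeGenerated)
for ($i = 1; $i -lt $sorted.Count; $i++) {
    $gap = $sorted[$i].TimeGenerated - $sorted[$i - 1].TimeGenerated
    if ($gap.TotalHours -gt $GapHours) {
        'Gap of {0:N1} h between {1} and {2}' -f $gap.TotalHours, $sorted[$i - 1].TimeGenerated, $sorted[$i].TimeGenerated
    }
}
```

Run it from the monitoring computer against each register in turn (for example with -Computer REGISTER1) and keep the output, so that the record survives even if the log on the register is later cleared.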

SUMMARY

By using Local Security Policy or Domain Security Policy, you can configure many aspects of a computer's security configuration in a single place. You can collect security policy settings into security templates that can be applied to many systems at once using Group Policy. You use the Security Templates and Security Configuration and Analysis snap-ins to manage security policy assignment with templates. Security auditing is an important part of overall system security: only through auditing can you detect actual and attempted security breaches. Auditing is enabled using Local Security Policy and monitored with Event Viewer.

REVIEW QUESTIONS
1. Local Security Policy is a subset of __________.
   a. Security Configuration and Analysis
   b. Domain Security Policy
   c. Group Policy
   d. Audit policy

2. Which of the following audit policies do you enable to record attempts to access resources on your system from the network?
   a. Logon events
   b. Account logon events
   c. Object access events
   d. System events

3. You are configuring a highly secure workstation and need to ensure that no potential attack is missed in the audit logs. What two settings must you configure to accomplish this?
   a. Set up security log archiving
   b. Configure audit policy to shut down the system if the security log becomes full
   c. Configure the security log to not overwrite events
   d. Store event logs on a secure data storage unit

4. Which command-line tool can be used to configure security policy?
   a. Secpol.msc
   b. Eventvwr.msc
   c. Secedit.exe
   d. Gpedit.msc

5. Which of the following security templates can you use to restore security configuration settings in the event of a configuration problem?
   a. Compatws.inf
   b. Hisecws.inf
   c. Setup security.inf
   d. Rootsec.inf

6. You are concerned about a data folder that all users of your network have access to. Someone has been deleting files, and you want to find out who it is. Which audit policy and setting will detect this action?
   a. Logon events (successful)
   b. Logon events (failed)
   c. Object access (successful)
   d. Object access (failed)

CASE SCENARIOS
Case Scenario 14-1: Designing a Security Policy
You are designing security for a group of workstations configured in a workgroup network environment. All the systems run identical applications and have similar requirements for security. These security requirements include:

Users need to run a legacy application that does not run well unless the users are placed in the Power Users group. You want to find a way to allow the application to run for non-Power Users.

You want to implement a logon banner to warn potential hackers that your organization pursues legal action against anyone who attempts to defeat system security.

You want to clear the user name entered in the Log On To Windows dialog box after each logon.

Answer the following questions about this scenario:

1. Which of the following security options will fulfill the security requirements? (Choose all correct answers.)
   a. Accounts: Rename Guest Account
   b. Interactive Logon: Do Not Display Last User Name
   c. Interactive Logon: Do Not Require CTRL+ALT+DEL
   d. Interactive Logon: Message Text For Users Attempting To Log On

2. Which security template should you use as a baseline for this configuration?
   a. Setup Security.inf
   b. Compatws.inf
   c. Securews.inf
   d. Rootsec.inf

3. Which utility can you use to create a security template for this configuration?
   a. Notepad.exe
   b. Local Security Policy
   c. The Security Configuration and Analysis snap-in
   d. The Security Templates snap-in

Case Scenario 14-2: Security Auditing


You are hired by a small office supply shop to find out who has been stealing money from its computerized cash register system, which runs Windows XP. The manager suspects that the system administrator is colluding with several cashiers to falsify the register journals. She has sent the administrator to a training course for a few days, and she wants you to configure auditing to track his activities. You soon discover that no security auditing is being done and no Local Security Policy has been configured on any of the registers.

Answer the following questions about this scenario:

1. The manager tells you she has never seen the administrator actually log on to any register, and that he spends a lot of time on his computer in the back office. You want to leave the administrator's system untouched so he does not become suspicious. What audit policy can you configure to see if the administrator is accessing the registers over the store's local area network, and on which systems should you configure it?
   a. Account logon events on each register
   b. Account logon events on the administrator's computer
   c. Logon events on the administrator's computer
   d. Logon events on each register

2. You want to be sure your activity does not affect the operation of the registers. Which security log settings can you apply to keep the lowest profile? (Choose all correct answers.)
   a. Configure The Log To Overwrite The Oldest Events First
   b. Configure The Log To Overwrite Events Over 7 Days Old
   c. Manually Clear Logs
   d. Shut Down The System When The Log File Gets Full

CHAPTER 15

BACKING UP AND RESTORING SYSTEMS AND DATA


Upon completion of this chapter, you will be able to:
Back up and restore the operating system
Back up and restore user data
Back up and restore system state data
Use Automated System Recovery (ASR) to recover a system
Use System Restore to recover system configuration
Use startup and recovery tools to recover a system

Despite all precautions, sometimes a user will inadvertently delete an important document or find a way to render the system inoperative. At these times, it is good to have a plan in place to recover the system, an application, or the user's data quickly and reliably. This chapter introduces the Windows Backup utility and other system recovery tools. You will learn how to back up your system and use the backups at a later date to recover missing or corrupted files. You will also explore the features of the Recovery Console and learn how to use the recovery tools to reverse improper configurations and recover systems that will not boot.

UNDERSTANDING THE WINDOWS BACKUP UTILITY


The centerpiece of the recovery technologies in Windows XP is the Windows Backup utility. You can use it to back up and restore anything from a single file to the entire operating system. It writes backups either to a backup file on a hard disk, a removable disk, or a network share (a file you can then copy to CD-RW or DVD-RW media) or directly to a tape device connected to the system. In this section, we explore the features and menus of the Backup utility. Later we describe how to use it to back up and restore user and system data.

Features of the Backup Utility


You can launch the Backup utility by choosing Start | All Programs | Accessories | System Tools and then selecting Backup, or by executing Ntbackup.exe from a command line or the Run dialog box. This utility has two modes:

Wizard Mode Presents the Backup Or Restore Wizard, which steps you through the process of creating a backup or restore job (Figure 15-1). The wizard prompts you to select the scope of the backup or recovery action, and then it creates the required settings.

Figure 15-1 The Backup Or Restore Wizard

Advanced Mode Allows an experienced user to select the specific tasks and data to back up (Figure 15-2). This mode also allows you to create a one-time backup job or a repetitive schedule to perform the backup during times of low system activity.

Figure 15-2 Using the Backup utility's Advanced Mode

NOTE

This chapter covers the operation of the Backup utility in Advanced Mode to expose the full functionality of this tool.

Volume shadow copy Backing up open files has always been a challenge for backup tools. If a user or the operating system has a file open at the time of the backup, that file might be skipped and not saved on the backup medium, and it is then unavailable if the system needs to be restored. This is not acceptable for true disaster recovery, so administrators of systems prior to Windows XP had to find their own strategies for backing up open files. Beginning with Windows XP, Microsoft includes an operating system feature called Volume Shadow Copy, which takes a snapshot of open files so that they can be backed up. Backup utilities written for Windows XP can use Volume Shadow Copy to manage the copying and backup of open files.
NOTE

Use of Volume Shadow Copy requires NTFS. Backups made from FAT volumes do not take advantage of this feature.

Volume Shadow Copy creates a snapshot of open files by working with applications to create an offline version of the file. This shadow copy is used by the Backup utility instead of the actual file. The Volume Shadow Copy service monitors open files during the backup, creating additional shadow copies of files that might be opened during the course of the backup. This ensures that a best-effort copy of all files is stored on the backup media.
NOTE

Applications that are not designed for use with Volume Shadow Copy do not help it create a consistent shadow copy. The file is still copied, but it is copied as is, in the state it would be in if a system crash or power outage occurred while the file was open. We call this state crash-consistent.

Automated System Recovery Automated System Recovery (ASR) creates a floppy disk that stores configuration data about the operating system. An administrator can then reinstall the operating system in Automated System Recovery mode and use the disk to manage the recovery of the systems identity. After the ASR installation, the administrator can use a current backup to fully recover the system. ASR greatly simplifies the restoration of a system by managing most of the configuration and restoration for you. This can reduce the time required to completely restore from a failure. In contrast, you can use a simple backup to tape or removable media only after installing a new operating system. This requires additional time and configuration and does not ensure that the restored system will be completely consistent with its former configuration.

PLANNING A BACKUP AND RECOVERY STRATEGY


Any task involving the Windows XP operating system will go more smoothly if you have a clear plan. Backing up data is no exception. By identifying the data you want to protect, you can define the scope of the backup job. By understanding the features and capabilities of the Backup utility and associated tools, you can create a comprehensive plan for managing your backups.

Choosing a Backup Type


The Backup utility supports several types of data backup, each with a specific role in a disaster recovery scenario. Most backup types rely on the archive attribute (Figure 15-3), which the file system sets on a file whenever it is created or modified and which backup tools clear to mark the file as backed up. The attribute therefore tells you whether a file has changed since its last backup.

Figure 15-3 The archive attribute is found in the Advanced Attributes dialog box for a file system object.

CHAPTER 15:

BACKING UP AND RESTORING SYSTEMS AND DATA

495

NOTE

You can also list files ready for archiving at the command prompt with the Dir command and the /A:A option, as shown in Figure 15-4. To view files with the archive attribute not set, use Dir /A:-A (the hyphen negates the attribute). The Attrib command sets or clears the attribute by hand (Attrib +A filename or Attrib -A filename), which is useful when you test a backup schedule.

Figure 15-4 Viewing files with the archive attribute by using the Dir command

Normal backup During a normal backup, all selected files and folders are backed up, regardless of their archive attributes. The backup clears the archive attribute on each file, marking it as backed up. Normal backups speed up the restore process because the backup contains the most current copy of every file and you do not need to restore multiple backup jobs. But because they back up everything, normal backups are the largest and take the longest to complete, which can be a problem when the backup window is short.

Copy backup During a copy backup, all selected files and folders are backed up. A copy backup neither looks for nor clears archive attributes, so it does not disturb a schedule that depends on them. Use a copy backup, for example, between a normal and an incremental backup to create an archival snapshot of network data.

Incremental backup An incremental backup backs up only the selected files and folders that have the archive attribute set, and then clears the attribute on those files and folders. If you do two consecutive incremental backups and nothing has changed in a file between them, the file is not backed up the second time.

Differential backup A differential backup also backs up only the selected files and folders that have the archive attribute set, but it does not clear the attribute. If you do two consecutive differential backups and nothing has changed in a file between them, the entire file is backed up both times.


Daily backup A daily backup backs up all selected files and folders that have changed during the day, selecting them by modification date rather than by archive attribute. It neither looks for nor clears archive attributes, so it, too, leaves an existing schedule intact.

Backing up system state System state means the files and configuration settings that make the system unique: the registry, boot and system files, user and group information, the Microsoft Internet Information Services (IIS) metabase, files protected by Windows File Protection, and the COM+ Class Registration database. Saving the system state allows you to restore a system's identity after a full operating system reinstallation. System state is backed up and restored as a unit; you cannot select individual components from it. Because it contains the registry, including the SAM with the hashes of local account passwords, a system state backup needs the same protection as the system itself.

Determining What to Back Up


Many users run original equipment manufacturer (OEM) installations of Windows XP. Instead of backing up the entire operating system, can you reinstall it from the Windows XP CD-ROM, or better yet from the OEM's system recovery disk? If your system came with a recovery disk, you can use it to return the system to the condition it was in when you unpacked it, and then restore programs and data files from a recent backup. Remember that "as unpacked" also means that every security update and configuration change made since then is gone; apply updates and reconfigure the system before you put it back on the network. If you don't have a recovery disk, take a close look at the configuration of the system. If you can substantially restore its operation from the Windows XP installation CD-ROM, you can save a lot of time and backup space by backing up only program files, data files, and the system state, and restoring them once the installation is complete. Recovery takes longer this way because a complete installation is typically slower than an OEM system recovery. You should also consider ASR. With an ASR set and a current backup of your data, you can restore the system faster than you could reinstall Windows, and the result more completely matches the original configuration.
NOTE

Continually evaluate your current backup methods as you become more familiar with the backup technologies described in this chapter to make sure you are not leaving out any critical steps.

Selecting Backup Media


Once you have determined how much data to back up, you can make an intelligent decision about what type of backup media to employ. In this section, we will examine the media options for use with the Windows XP Backup utility.


Backing up to a hard disk Hard disk drives allow the quickest backups, whether they are internal drives or external drives attached with a USB, SCSI, or FireWire interface. Backup stores the whole job as a single file (with a .bkf extension) on the backup disk, and reads from this file during the restore.
NOTE

Use a hard disk drive as your backup medium only if you are confident that the disk will not be damaged or destroyed by the same failure that takes out the system. A disk permanently attached to the computer shares its fate: the controller failure, power event, or malicious deletion that destroys the data can destroy the backup file as well, and a damaged backup file is useless for restoration. Disconnect or rotate external backup disks, and keep at least one copy away from the machine.

Using removable media In addition to using a hard disk, you can use a removable medium, a CD-RW or DVD-RW disc, to store backup files. This method is excellent for frequent smaller backups, but it is limited for backups of very large file systems.

Backing up to a network share You can also store backup files in a shared folder on a network server. This option allows many systems to consolidate their backups on a single system, and the backup server can then back up the files to its own large tape archive for long-term storage. Anyone who can read the share can read every file in the backups stored there; the Backup utility does not encrypt its .bkf files. Restrict the share and NTFS permissions to the backup account and administrators.

Backing up to a tape drive For periodic large backups, nothing beats a tape drive. Tapes still offer the lowest cost per megabyte of any storage technology, and they can store massive amounts of data, with some tape libraries reaching the terabyte range. Choose a tape drive that offers the best performance and storage combination for your system. Options include internal and external installation; USB, FireWire, IDE, and SCSI interfaces; and several recording technologies.
NOTE

Consider storing one or more of your backup tapes at an offsite location. If a disaster destroys your location, you will still have a copy of your data to restore systems from. Some organizations have a cooperative arrangement with other organizations whereby they store tapes for each other. Companies that require more security tend to use options such as digital vaults and storage services.

Choosing a Backup Schedule


Choosing how frequently to back up your data is as important as selecting what data to back up. If you back up weekly and the failure occurs on the sixth day, you lose almost a week's worth of data. Planning the type and frequency of backup operations is therefore extremely important. Here are some backup schedules to consider:

Weekly normal backup and daily differential backups A normal backup on Monday and differential backups Tuesday through Friday. Differential backups do not clear archive attributes, so each one includes all changes since Monday. If data becomes corrupt on Friday, you need to restore only the normal backup from Monday and the differential backup from Thursday. This strategy takes more time and space to back up but less time to restore.

Weekly normal backup and daily incremental backups A normal backup on Monday and incremental backups Tuesday through Friday. Incremental backups clear archive attributes, so each one includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you must restore the normal backup from Monday and every incremental backup from Tuesday through Thursday, in order. This strategy takes less time and space to back up but more time to restore, and a single unreadable incremental breaks the chain.

Mixing normal, differential, and copy backups This strategy is the same as the first one, except that on Wednesday you also perform a copy backup. Copy backups include all selected files and do not clear archive attributes or interrupt the usual schedule, so each differential backup still includes all changes since Monday. The Wednesday copy backup is not part of the Friday restore; copy backups are useful when you need a snapshot of your data for archival purposes.

Daily normal backup Although this method takes the most time, it ensures that all files are on the most recent backup medium (if it has sufficient space). This both speeds recovery and gives you multiple recent copies of every file: if yesterday's medium is corrupt, you can use the previous day's and lose only one day's data rather than a week's.
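The archive-bit rules described under the backup types above decide both how much each night's job writes and how many backup sets a restore needs. The following Python model, added here as an example rather than code from the book or from the Backup utility, simulates the five backup types against a constructed set of three files edited during the week, and computes which sets must be loaded to rebuild the data after a failure on a given day. The file names, sizes and edit pattern are invented for illustration; the selection and archive-bit rules follow the descriptions in this chapter.

```python
"""Archive-attribute model of the Backup utility's five backup types.

Added example, not from the book: it simulates which files each backup type
selects, when the archive bit is cleared, and which sets a restore needs.
File names, sizes and the edit pattern are constructed for illustration.
"""
from dataclasses import dataclass, field

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri"]


@dataclass
class File:
    name: str
    size_kb: int
    archive: bool = True      # a newly created file has its archive bit set
    changed_on: str = "Mon"   # day of the most recent write


@dataclass
class BackupSet:
    day: str
    kind: str
    files: dict = field(default_factory=dict)   # name -> size_kb written


def run_backup(kind, day, files):
    """Select files as the named backup type does, then clear archive bits only
    for the types that mark files as backed up (normal and incremental)."""
    if kind in ("normal", "copy"):
        chosen = list(files)                                # everything selected
    elif kind in ("incremental", "differential"):
        chosen = [f for f in files if f.archive]            # archive bit set
    elif kind == "daily":
        chosen = [f for f in files if f.changed_on == day]  # by change date only
    else:
        raise ValueError("unknown backup type: %s" % kind)
    if kind in ("normal", "incremental"):
        for f in chosen:
            f.archive = False
    return BackupSet(day, kind, {f.name: f.size_kb for f in chosen})


def modify(files, name, day, size_kb):
    """A write sets the archive bit again and records the change date."""
    f = next(x for x in files if x.name == name)
    f.archive, f.changed_on, f.size_kb = True, day, size_kb


def restore_plan(sets, failure_day):
    """Backup sets to load, in order, after a failure on failure_day.

    Only sets completed on earlier days count. Copy and daily sets are
    snapshots outside the chain and are skipped. Start at the most recent
    normal backup; then either replay every incremental after it, or apply
    only the most recent differential.
    """
    chain_kinds = ("normal", "incremental", "differential")
    before = [s for s in sets
              if DAYS.index(s.day) < DAYS.index(failure_day) and s.kind in chain_kinds]
    normals = [i for i, s in enumerate(before) if s.kind == "normal"]
    if not normals:
        raise ValueError("no normal backup completed before %s" % failure_day)
    chain = before[normals[-1]:]
    if any(s.kind == "differential" for s in chain[1:]):
        return [chain[0], chain[-1]]
    return chain


def simulate(weekday_kind, copy_day=None):
    """Monday normal, Tuesday-Friday weekday_kind, optional extra copy backup.

    Constructed scenario: report.doc is edited Tuesday, budget.xls Thursday.
    """
    files = [File("budget.xls", 400), File("report.doc", 120), File("notes.txt", 4)]
    sets = []
    for day in DAYS:
        if day == "Tue":
            modify(files, "report.doc", day, 130)
        if day == "Thu":
            modify(files, "budget.xls", day, 410)
        if day == copy_day:
            sets.append(run_backup("copy", day, files))   # archival snapshot
        sets.append(run_backup("normal" if day == "Mon" else weekday_kind, day, files))
    return sets


def media_kb(sets):
    """Total kilobytes written to backup media over the week."""
    return sum(sum(s.files.values()) for s in sets)


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        week = simulate(kind)
        plan = restore_plan(week, "Fri")
        print("%-12s wrote %5d KB; Friday restore needs %d set(s): %s"
              % (kind, media_kb(week), len(plan), [(s.day, s.kind) for s in plan]))
```

Running it puts numbers on the trade-off: the incremental week writes about 1 MB to media and needs four sets to restore after a Friday failure, while the differential week writes almost twice as much but needs only Monday's normal and Thursday's differential. Adding a copy backup on Wednesday (simulate("differential", copy_day="Wed")) changes neither chain.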

Planning for Disaster Recovery


Amazingly, many organizations that regularly back up data have no idea how they would restore it after an actual loss of a system. Every organization should develop a comprehensive disaster recovery policy that dictates the actions to be taken to recover from each potential failure, ranging from the loss of a single file or e-mail to the loss of a site. Test the plan by restoring a system in a lab environment, or by restoring recently deleted files just to prove that you can. An untested backup is only a hope; the test gives you confidence and familiarity with the tools and methods used to recover your systems.

BACKING UP THE SYSTEM


After you determine the number and type of backup jobs you need to support your disaster recovery policy, you can use the Backup utility to create the required jobs. This involves choosing the files and folders to back up, setting the backup type, and scheduling the backup job to run at the correct time.

Creating a New Backup Job


You create new backup jobs on the Backup tab of the Backup utility. We will create a full system backup in this section. To create a backup of the entire system, which you can run immediately or schedule for later, take these steps:

1. On the Backup tab of the Backup utility (Figure 15-5), select all local drives and System State.


Figure 15-5 Making backup selections

2. Choose the backup medium or backup file you want to use for backing up the system.

3. Click Start Backup to open the Backup Job Information dialog box (Figure 15-6), where you can manage the media label and description. You can also specify whether to overwrite existing backups on the medium or append yours after the previous backup.


Figure 15-6 The Backup Job Information dialog box

4. Click the Advanced button to open the Advanced Backup Options dialog box (Figure 15-7), where you can specify the backup type and whether to verify the contents of the backup after completion. Verification reads the medium back and compares it with the source; it lengthens the job, but it is the only confirmation that the medium is actually readable. (You can also choose Tools | Options to change these options.) Click OK to close the Advanced Backup Options dialog box.


Figure 15-7 Configuring advanced backup options

5. Click Start Backup in the Backup Job Information dialog box to begin the backup immediately, or choose Schedule to set a backup schedule for this job. If you choose Schedule, you will be prompted to save the backup job for later use.

6. After the backup job completes, you can save your selections for use again later: on the File menu, select Save Selections. In the Save As dialog box, enter a file name and click Save. Your selections are saved as a file with the BKS extension.


NOTE

By modifying your selections, you can back up as little as a single file using the procedure described above.
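The verify option in the Advanced Backup Options dialog box compares the backup medium against the source files as soon as the job finishes. It cannot tell you later whether a .bkf file sitting on a backup disk or a network share has since been corrupted, truncated, or replaced, which is exactly what you want to know before you depend on it for a restore. The following Python script, added here as an example and not part of the book or of the Backup utility, records a SHA-256 manifest of the backup files in a directory and checks the directory against it. The directory, file names, sizes and contents are constructed for the demonstration; in practice the manifest should be kept off the backup share (or signed) so that whoever can alter the backup files cannot also alter the record of them.

```python
"""SHA-256 manifest for backup files (.bkf) kept on a disk or network share.

Added example, not from the book or the Backup utility: the utility's verify
option compares the medium against the source right after the job; this
manifest detects changes that happen later, such as a truncated, corrupted
or replaced .bkf. The directory, file names and contents are constructed.
"""
import hashlib
import json
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large backup files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def backup_files(backup_dir):
    """Names of the .bkf files in backup_dir, in a stable order."""
    return sorted(n for n in os.listdir(backup_dir) if n.lower().endswith(".bkf"))


def write_manifest(backup_dir, manifest_path):
    """Record the size and SHA-256 of every .bkf file; return the entries."""
    entries = {name: {"size": os.path.getsize(os.path.join(backup_dir, name)),
                      "sha256": sha256_file(os.path.join(backup_dir, name))}
               for name in backup_files(backup_dir)}
    with open(manifest_path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)
    return entries


def verify_manifest(backup_dir, manifest_path):
    """Compare the directory with the manifest.

    Returns {file name: 'ok' | 'modified' | 'missing' | 'unexpected'}.
    The size check is cheap and catches truncation; the hash catches
    corruption or replacement that keeps the size the same.
    """
    with open(manifest_path) as fh:
        expected = json.load(fh)
    status = {}
    for name, rec in expected.items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            status[name] = "missing"
        elif os.path.getsize(path) != rec["size"] or sha256_file(path) != rec["sha256"]:
            status[name] = "modified"
        else:
            status[name] = "ok"
    for name in backup_files(backup_dir):
        if name not in expected:
            status[name] = "unexpected"
    return status


def demo():
    """Constructed scenario in a temporary directory: after the manifest is
    written, one backup file is truncated, one deleted and one added."""
    with tempfile.TemporaryDirectory() as backup_dir:
        for name, size in (("mon-normal.bkf", 4096), ("tue-diff.bkf", 1024),
                           ("thu-diff.bkf", 2048)):
            with open(os.path.join(backup_dir, name), "wb") as fh:
                fh.write(os.urandom(size))                    # stand-in for .bkf data
        # Keep the manifest off the backup share in practice; it sits beside
        # the files here only so that the demonstration is self-contained.
        manifest = os.path.join(backup_dir, "manifest.json")
        write_manifest(backup_dir, manifest)

        with open(os.path.join(backup_dir, "tue-diff.bkf"), "r+b") as fh:
            fh.truncate(512)                                  # simulated media damage
        os.remove(os.path.join(backup_dir, "thu-diff.bkf"))    # simulated loss
        with open(os.path.join(backup_dir, "fri-diff.bkf"), "wb") as fh:
            fh.write(b"not in the manifest")                  # unrecorded file
        return verify_manifest(backup_dir, manifest)


if __name__ == "__main__":
    for name, state in sorted(demo().items()):
        print("%-16s %s" % (name, state))
```

Write the manifest after each backup job and run the check before each restore or on a schedule; a result of "modified" or "missing" means that set should not be trusted and the previous medium should be used instead.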

Modifying a Backup Job


If you need to modify the settings or selections of a saved backup job, choose File | Load Selections (Figure 15-8) and browse for the backup job you want to modify. You can then change file and folder selections.

Figure 15-8 Opening an existing backup job



Choose Tools | Options to modify other settings, and choose File | Save Selections to save your changes.

Executing a Backup Job


You can execute any saved backup job by choosing File | Load Selections and then clicking Start Backup. In the Backup Job Information dialog box, enter the appropriate settings and click Start or schedule the job for later.
IMPORTANT

To back up files, you must have at least Read permission to the files or be assigned the Backup Files And Directories user right. Because that right lets its holder read any file regardless of NTFS permissions, grant it only to the Backup Operators group or to a dedicated backup account. For more information on user rights, see Chapter 13.

Performing an ASR Backup


An ASR save creates a two-part backup set: a floppy disk holding the system's disk and configuration information, and the backup medium holding the system volume. Administrators can then use the ASR floppy disk during a Windows XP Setup to restore the operating system to full operation.


To perform an ASR system backup, take these steps:

1. Launch the Backup utility, and choose the Automated System Recovery Wizard on the Welcome tab (Figure 15-9). (You can also launch the wizard from the Tools menu within the Backup utility.)


Figure 15-9 Initiating the Automated System Recovery Wizard

2. The wizard prompts you for backup media (Figure 15-10).


Figure 15-10 Choosing backup media for the Automated System Recovery Preparation Wizard

3. The wizard presents the completion window (Figure 15-11). Click Start to begin the backup job.



Figure 15-11 Completing the Automated System Recovery Preparation Wizard

4. The entire system is saved to the backup medium (Figure 15-12).


Figure 15-12 Executing the ASR backup job

5. After the backup is complete, you are prompted to insert a floppy disk (Figure 15-13).


Figure 15-13 Inserting a floppy disk to save ASR data

6. The ASR Wizard completes and instructs you to label the disk and store it in a safe place. Treat the backup medium with the same care: it holds the entire system volume, registry included, and anyone who can read it can rebuild the system elsewhere.


RESTORING A SYSTEM
What you hoped would never happen has occurred. A virus has deleted all Microsoft Office document files from the system. You now need to restore them as quickly as possible. This section covers how to restore files and folders from backup media. We will discuss determining which backups to restore and the process for restoring data. We will conclude by examining the process for restoring an ASR backup.

Determining Which Backups to Restore


Before undertaking a restore operation, you must determine which backup contains the most recent version of the files you are missing. This requires knowledge of the backup strategy in use and careful tracking of the backup media. For instance, if you use a weekly normal backup with daily differential backups, you need the most recent weekly tape and the tape from the last successful differential backup; with daily incremental backups instead, you need the weekly tape and every incremental tape made since it.

Creating a Restore Job


You create a restore job by using the Restore And Manage Media tab of the Backup utility. You select the restore medium and locate the backup set on it. Then you can select the files and folders to restore. To create a restore job, take these steps:

1. On the Restore And Manage Media tab of the Windows Backup utility, browse to the device where your backup medium is stored. You will see a facsimile of the files and folders on your system at the time of the backup (Figure 15-14).


Figure 15-14 Selecting folders and files to restore


NOTE

If you backed up your system to tape, ensure that the appropriate backup tape is inserted and ready before you browse the media tree. Tape cataloging takes a long time, so if you discover that you are browsing the wrong tape, the cataloging steps have to be repeated with the next tape you insert.

2. Navigate the folder tree and select the items you want to restore.

3. In the Restore Files To drop-down list, select the appropriate location to restore the files to. You can choose the original location or specify a different location.
IMPORTANT

To restore files, you must have at least Write permission to the destination folder or be assigned the Restore Files And Directories user right. That right allows its holder to write files anywhere on the system regardless of NTFS permissions and to set file ownership, so grant it as sparingly as the backup right. For more information on user rights, see Chapter 13.

By default, a restored file does not replace the original (if it still exists). Occasionally, you are asked to restore files to replace corrupt versions. If you are required to do this, you can restore them to an alternate location and copy them into the original folder, or you can choose Tools | Options and specify overwriting of the originals (Figure 15-15).


Figure 15-15 Selecting restore options

4. Click Start Restore to begin the restore process.

Using ASR to Recover a System


Restoring a system from an ASR save requires the ASR floppy disk created during the backup process, the Windows XP installation CD-ROM, and the backup medium created during the ASR backup. ASR re-creates the disk configuration recorded on the floppy disk and reinstalls Windows on the system volume, so anything written to that volume since the ASR backup is lost; when the recovery finishes, restore data from your most recent regular backup.


You can initiate an ASR restore by booting from the Windows XP CD-ROM:

1. Boot the system from the Windows XP CD-ROM.

2. Shortly after the CD-ROM launches Setup, you are prompted at the bottom of the screen to press F2 to run ASR (Figure 15-16).


Figure 15-16 Choosing the ASR option during Windows Setup

3. The Setup program asks for the ASR floppy disk (Figure 15-17), which will be used to restore the original disk configuration. Insert this disk and press any key to continue.


Figure 15-17 Setup prompting to insert the ASR floppy disk

4. Setup continues as it would during a normal setup. In the Installing Windows phase, you are asked to specify the backup medium (Figure 15-18) from which the Automated System Recovery Wizard should restore the original settings and data. Enter the file name and click Next.



Figure 15-18 Selecting the backup medium for an ASR restore

5. The wizard presents a completion page, where you confirm your intentions (Figure 15-19). Click Finish to restore the system and all data from the backup medium.


Figure 15-19 Completing the Automated System Recovery Wizard

USING SYSTEM RESTORE TO RECOVER DATA AND SETTINGS


System Restore tracks changes to system files, installed programs, device drivers, and registry settings, and it keeps copies of the previous versions in the protected System Volume Information folder on each monitored volume. It lets a user undo a bad program installation or configuration change. It does not monitor or restore personal data files such as documents or e-mail, so it is not a substitute for the Backup utility. Note also that a restore point preserves whatever system files were present when it was taken, infected ones included; antivirus tools sometimes require System Restore to be turned off temporarily so that infected restore points are purged.


Configuring System Restore


System Restore is configured on the System Restore tab of the System Properties dialog box (Figure 15-20). (Right-click My Computer and choose Properties.)

Figure 15-20 Accessing System Restore settings



System Restore can be configured to use up to 12 percent (the default) of the space on each monitored disk. When the reserved space fills, the oldest restore points are removed to make room for new ones. This setting is configured in the Settings dialog box for each disk drive (Figure 15-21).

Figure 15-21 Configuring System Restore disk space



Creating a Restore Point Manually


System Restore sets a restore point every 24 hours and whenever a significant event such as the installation of a program, operating system update, or device driver makes changes to the system. You will often see the message Setting a system restore point when you are installing an application or running Windows Update.


You can also create a restore point manually at any time:

1. Open the System Restore console by choosing Start | All Programs | Accessories | System Tools and choosing System Restore. The System Restore Wizard starts (Figure 15-22).


Figure 15-22 The System Restore Wizard Welcome page

2. Select the Create A Restore Point option, and click Next. This opens the Create A Restore Point page (Figure 15-23). Provide a description for your restore point and click Create. System Restore creates the restore point.


Figure 15-23 Creating a restore point


Restoring Settings and Data from a Restore Point


To restore settings from a system restore point, you use the same wizard as in the previous example. You choose the appropriate restore point and let System Restore recover the settings that were saved in it:

1. Open the System Restore console by choosing Start | All Programs | Accessories | System Tools and choosing System Restore.

2. Select Restore My Computer To An Earlier Time, and click Next.

3. Use the displayed calendar (Figure 15-24) to choose the appropriate restore point. Click Next.


Figure 15-24 Selecting a restore point

4. On the confirmation page that appears (Figure 15-25), click Next. Windows restarts and restores the settings stored in the restore point.


Figure 15-25 The System Restore confirmation page


USING STARTUP AND RECOVERY TOOLS TO RECOVER A SYSTEM


Windows XP includes several other recovery methods you can use to restore configurations and data, including rolling back device drivers, Safe Mode, Last Known Good Configuration, and the Recovery Console.
NOTE

Device driver rollback was covered in Chapter 4.

Using the Recovery Console


The Recovery Console is a command-line utility that you can install on the system or run from the Windows XP CD-ROM. In this section, we will install the Recovery Console and show how to run it from the Windows XP CD-ROM.

Installing the Recovery Console The Recovery Console is installed with the Windows XP Setup program Winnt32.exe, which is in the I386 folder of the installation CD-ROM. Issuing the command with the /cmdcons option installs the Recovery Console as a system startup option (it needs about 7 MB on the system drive). You must be logged on as an administrator:

1. Insert the Windows XP CD-ROM. Close the Welcome To Microsoft Windows XP splash screen.

2. At a command prompt, execute the following command, where D: is the drive letter of your CD-ROM drive:

D:\I386\Winnt32.exe /cmdcons

3. The Windows Setup program will confirm that you intend to install the Recovery Console (Figure 15-26). Click OK.


Figure 15-26 Recovery Console installation confirmation

4. The Setup program installs the Recovery Command Console and displays a completion message (Figure 15-27). Click OK to complete the installation.


Figure 15-27 Recovery Command Console installation success message


IMPORTANT

If you are installing the Recovery Console on a system that has had a service pack applied, do not install it from the original CD-ROM. Instead, obtain a Windows XP CD-ROM that includes the service pack. Failure to do so might render the Recovery Console inoperative.

Using the Recovery Console You can select the Recovery Console at the operating system selection screen during startup (Figure 15-28). After it starts, you are prompted to select which Windows installation to recover; on a single-boot system there is only one choice. You are then prompted to log on with the recovery password (Figure 15-29), which on a workstation is the local Administrator password. Because the console gives Administrator-level access to the file system from outside the running operating system, keep that password strong and leave the Local Security Policy setting Recovery Console: Allow Automatic Administrative Logon disabled (its default); enabling it removes the password prompt and hands the console to anyone who can restart the computer. The companion setting Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders should likewise stay disabled unless a specific repair requires it.

Figure 15-28 The Recovery Console added as an operating system selection



Figure 15-29 Logging on to the Recovery Console



If the Recovery Console is not installed as a startup option, you can start it from the Windows XP CD-ROM:

1. Boot the system from the Windows XP CD-ROM.

2. On the Welcome To Setup screen (Figure 15-30), press R to launch the Recovery Console.



Figure 15-30 Choosing the Recovery Console option on the Welcome To Setup screen

3. Choose the operating system to maintain, and log on.

Features of the Recovery Console The Recovery Console has many commands that you can use for recovering a system. The two we will concern ourselves with here are Fixboot and Fixmbr:

Fixboot Writes a new boot sector to the system partition. The syntax for this command is:

Fixboot drive:

where drive is the letter of the partition that should receive the new boot sector. If you omit it, Fixboot writes to the partition of the installation you logged on to.

Fixmbr Rewrites the master boot record (MBR) of a physical disk, and can make a system bootable again after a virus or a power problem has damaged the MBR code. The syntax for this command is:

Fixmbr device_name

where device_name is the device name of the disk, for example \Device\HardDisk0; the Map command lists the names. If you omit it, Fixmbr repairs the disk the system boots from. Fixmbr replaces the boot code but not the partition table; it warns you if the existing MBR looks nonstandard, and rewriting such an MBR can make the partitions inaccessible, so heed the warning. It also overwrites any third-party boot manager installed in the MBR.
NOTE

For a complete list of recovery commands, search on Recovery Console commands in the Help and Support Center.

Using the Last Known Good Configuration


When a system starts, it loads a set of drivers that are specified in the registry. But during normal operation, you might make changes to the current driver configurations. Occasionally, when you restart the system, you will discover that a new or altered device driver is causing problems that are preventing the system from successfully booting.


By using the Last Known Good Configuration, you can start the system with the previous driver and service configuration: the copy of the HKEY_LOCAL_MACHINE\SYSTEM control set saved at the last successful logon. You can do this only as long as no user has logged on since the change; once a user successfully logs on, the new configuration is stored as the Last Known Good Configuration for the next startup. Last Known Good does not undo changes to other parts of the registry or to files on disk. To use the Last Known Good Configuration, take these steps:

1. While Windows XP is booting, press F8 after you see your computer's BIOS screen but before you see the Windows XP loading screen. This opens the Windows Advanced Options menu (Figure 15-31).


Figure 15-31 Windows Advanced options menu

2. Select Last Known Good Configuration, and press ENTER.

Starting a System in Safe Mode


Safe Mode is a restricted mode that launches only the minimum driver set required to load the operating system. It can be used to diagnose problems with drivers that would normally run during a normal Windows XP session. If the problem disappears in Safe Mode, this is an indication that you have a faulty device driver. You can remove or replace the faulty driver to repair your system.
NOTE

Safe Mode is also an excellent place to conduct virus scans because many applications and services that normally have files open will not be running. This allows you to get more complete scan results.

To start Windows XP in Safe Mode, take these steps:

1. While Windows XP is booting, press F8 after you see your computer's BIOS screen but before you see the Windows XP loading screen. This opens the Windows Advanced Options menu (Figure 15-32).



Figure 15-32 Windows Advanced Options menu

2. Select Safe Mode, and press ENTER.

3. In the Safe Mode notification message box, click Yes (Figure 15-33).


Figure 15-33 Windows XP running in Safe Mode

NOTE

Additional Safe Mode options such as Safe Mode With Networking and Safe Mode With Command Prompt allow you to access files (such as drivers and applications) over a network or bypass the GUI entirely if you wish.


SUMMARY

You can use the Windows Backup utility to back up and restore files, folders, and system state objects. The Backup utility uses features such as Volume Shadow Copy and Automated System Recovery (ASR) to provide comprehensive disaster recovery capabilities. Careful disaster recovery planning is a crucial part of a backup strategy. You can create, save, modify, and schedule backup jobs by using the Backup utility. ASR creates a backup and associated floppy disk to be used to completely restore a system. You can use System Restore to recover lost configuration settings or applications. The Recovery Console provides a command-prompt environment that you can use to recover a system. It can be installed as a startup option or loaded from the Windows XP CD-ROM. The Last Known Good Configuration starts Windows XP with the driver set used in the last successful startup. Safe Mode, which allows you to start the system with a minimal set of drivers, helps you to troubleshoot and repair configuration issues.

REVIEW QUESTIONS
1. Which feature of Windows XP allows you to back up open files?
a. Automated System Recovery (ASR)
b. Differential backup
c. Incremental backup
d. Volume Shadow Copy

2. You are planning a backup strategy. You are required to ensure that any file can be restored to a point within the last 24 hours. You also do not want to have to load more than one backup tape. The time required to perform the backup is not a concern. Which backup strategy makes most sense in this scenario?


a. Weekly normal and daily differential backups
b. Weekly normal and daily incremental backups
c. Daily normal backups
d. Weekly normal and daily differential backups with a Wednesday copy backup

3. Which of the following recovery technologies completely restores a system?
a. System Restore
b. Safe Mode
c. Last Known Good Configuration
d. Automated System Recovery (ASR)

4. You want to install an application but are concerned about its effect on system configuration. What can you do to ensure that you can quickly recover your settings?
a. Create a restore point with System Restore
b. Perform a full system backup
c. Back up the system state
d. Create an Automated System Recovery (ASR) backup

5. You have installed a new device driver for your sound card, and now your system will not boot. What recovery technology allows your system to boot with the previous set of drivers?
a. Recovery Console
b. Last Known Good Configuration
c. Automated System Recovery (ASR)
d. Safe Mode

6. You have installed a driver that is causing system problems. You did not notice the problems before you logged on to the system. Which of the following technologies can help you fix this problem? (Choose all correct answers.)
a. Recovery Console
b. Last Known Good Configuration
c. System Restore
d. Safe Mode


CASE SCENARIOS
Scenario 15-1: Backup Planning
You are helping a small company with its disaster recovery planning. It has 13 desktop computers in two configurations. Configuration A (12 systems) is a standard Windows XP Professional installation with Microsoft Office 2003 Professional Edition on each system. All documents are stored on a single Windows XP Professional system (Configuration B) that functions as a file and print server. Each of the 12 workstations has a floppy drive, a CD-ROM drive, and a DVD-R drive. The file server system has a floppy drive and a high-capacity tape drive. Answer the following questions about this scenario:

1. What backup and restoration method will provide the ability to quickly and completely recover a workstation?
a. Daily normal backups to DVD-R. Restore from DVD-R after reinstalling Windows.
b. Automated System Recovery backup set with floppy and DVD-R disc. Use ASR restore to recover the system. Refresh the ASR set when the configuration changes.
c. Automated System Recovery backup set with floppy and DVD-R disc. Use ASR restore to recover the system. Use System Restore to recover recent changes.
d. Single normal backup to DVD-R, daily differential backup to the server. Recover by restoring the DVD-R backup after reinstalling Windows, and restore the remaining data from the server backup file.

2. You want to choose a backup schedule for the system that acts as a file and print server. You want to find a way to minimize the nightly backup window while not complicating the restore process. Which of the following backup schedules offers the best balance between backup speed and ease of restoration?
a. Daily normal backup
b. Weekly normal backup and daily incremental backup
c. Weekly normal backup and daily differential backup
d. Weekly copy backup and daily normal backup

CHAPTER 15:

BACKING UP AND RESTORING SYSTEMS AND DATA

519

Scenario 15-2: Power Problems


Your organization was struck with a severe brownout followed by a complete power outage lasting a few hours. After power was restored, you discovered that three systems would not boot. Two simply need new power supplies, but the third reports "Operating system not found" when you attempt to start it. Answer the following questions about this scenario:
1. Which of the following Windows XP recovery tools offers the best chance of repairing this system quickly?
a. Automated System Recovery (ASR)
b. Safe Mode
c. Last Known Good Configuration
d. Recovery Console
2. After recovering this system, you discover that some files are still corrupted. Which of the following backups offers the best chance of restoring all corrupt files?
a. Normal backup done after the last major configuration change
b. Normal backup done three days before
c. Copy backup done the day before
d. Incremental backup done that morning

CHAPTER 16

MANAGING PERFORMANCE
Upon completion of this chapter, you will be able to:
Optimize memory performance
Monitor and optimize processor utilization
Improve disk performance
Improve application performance
Configure and manage scheduled tasks
Monitor and optimize performance for mobile users

Over time, the performance of a Windows XP system will decline as it becomes filled with applications and documents. Newer applications that require more memory will degrade performance by requiring virtual memory resources. Administrators might neglect time-consuming disk management tasks because they want to avoid disruptions to the system during business hours. This chapter shows how to identify performance issues with a Windows XP system. We will discuss using the Performance console to monitor system performance and to detect bottlenecks (shortages or deficiencies that affect performance) in memory, physical disks, and CPU utilization. You will learn how to identify which changes offer the greatest improvements in overall performance and how to use scheduled tasks to perform after-hours maintenance.


DESIGNING A SYSTEM FOR PERFORMANCE


Satisfactory performance depends largely on making sure the system meets the needs of applications and allows them to run in the way they were designed to run. Many manufacturers indicate the memory and CPU requirements of their applications, but few tell you what type of disk performance they require or how your system might be affected if you run more than one instance of the application. In this section, we will discuss the resources that applications require for optimum performance and how to determine whether you have enough resources.

Factors Leading to Poor Performance


To operate most efficiently, an application needs three things: sufficient processor cycles, sufficient memory space, and sufficiently quick access to data from a disk or the network. Given these three things, it will thrive and perform to its fullest potential. Take any of these three things away or replace it with an unsatisfactory substitute, and performance will decline. Our task is to determine what is needed in these three areas and balance the needs of the application against the needs of other applications on the system and the needs of the operating system itself.

Memory Sufficient memory is critical for good performance. Windows loads system components and applications into physical memory for rapid access during operation. When memory is insufficient, Windows is forced to use a portion of the hard disk drive as virtual memory. It does this by transferring memory pages to a portion of the physical disk set aside for this purpose. This process is called paging, and the physical disk-based storage location is referred to as a paging file. Use of paging files can provide massive amounts of memory space, but it incurs performance costs because hard disks transfer data at a much slower speed compared with hardware memory (RAM). Windows XP always maintains some memory pages in the paging file, but the percentage of paged memory is relatively low until the system begins to run out of RAM. As free space in RAM decreases, you will notice hard disk activity begin to rise. When a system is short on RAM, performance will become very slow, and the excessive disk activity might lead you to suspect that the system needs faster physical disks when in fact it needs more physical RAM.

Disk and network access Applications and data are loaded from hard disk or transmitted across a network interface. Any delay in the loading of this data can affect performance. Slow or excessively fragmented hard disks can noticeably hurt the performance of applications. Likewise, a slow network connection will contribute to slower application performance.

Processor speed Most users would be surprised to learn that CPU speed might have the least effect on true performance. If you watch the processor charts in Task Manager, you will likely see your CPU idling most of the time. Most Windows-based applications use relatively little processing power because users spend much of their time entering data or analyzing the results of calculations. When processing is called for, it is typically handled in a few seconds, and then the CPU returns to idle. Certain CPU-intensive tasks, such as video rendering, computer gaming, and complex calculations, do require more processing power, but you can easily discover those needs through monitoring.

Determining Resource Requirements


Software product packaging usually includes information on system requirements: operating system version, CPU, memory, and free disk space. But it doesn't say how fast the disk has to be or how much memory you need to run two instances of the application. When it says Pentium III CPU, is that enough to run the application alongside Microsoft Office, or will you require somewhat more processing power? What do these requirements really tell you? Software manufacturers list requirements as if their application will run in isolation. It is up to you to put those requirements in context to see if your system's resources are adequate. Consider all the applications your system will be running at once. Use the system requirements data to add up the total memory required. To be safe, double the requirements for applications you might run multiple instances of. For example, if your application requires 128 MB of RAM and you plan to run it at the same time as an application that requires 256 MB, consider installing at least 384 MB of RAM for satisfactory performance. If you plan to run two instances of the new application concurrently, make it 512 MB. By making these calculations, you can get a truer picture of your system requirements.

MONITORING PERFORMANCE
Perhaps the most overlooked cause of poor performance is not knowing what good performance looks like. If you look at a system that is too slow or unresponsive, it can be difficult to determine which aspect of performance to improve first. Only by starting with a clean system and seeing what the performance counters look like when all is well can you evaluate the changes that occur as performance declines. You can spot trends that indicate whether the system needs more memory, more disk, or more CPU. You can monitor performance of Windows XP in two ways:

Performance console Allows you to designate specific aspects of system performance to monitor so you can spot trends and indications of the cause of performance problems (Figure 16-1). You can add counters for each major application you install. Overall, the Performance console can give you a comprehensive picture of what is causing performance issues.


Figure 16-1 Performance console

Task Manager Allows you to view currently active tasks and see their effect on CPU and memory utilization (Figure 16-2). This is a quick way to view the main contributors to poor performance.


Figure 16-2 Task Manager


The Performance Console


The Performance console is the primary performance analysis tool in Windows XP. It allows you to create charts, histograms, and reports that depict performance statistics collected by performance counters. The Performance console includes two performance monitoring snap-ins:

System Monitor Manages the interactive reporting of performance data. It includes an active charting tool that displays performance data in real time, and it also allows administrators to view the contents of previously captured logs.
Performance Logs and Alerts Logs performance data and generates alerts when certain counters reach a specified threshold.

Performance objects and performance counters
The Performance console uses performance objects to help you configure monitoring. Each performance object corresponds to an aspect of system operation. Performance objects contain multiple counters, which are discrete items or statistics that offer detailed information about a facet of the object's performance. Commonly used performance objects include:

Processor Contains a collection of performance counters that report on CPU statistics. The most commonly used counter in this object is % Processor Time, which tracks processor utilization. Greater than 80 percent utilization for long periods indicates an overloaded CPU.
Memory Tracks statistics involving the system's physical and virtual memory. Commonly used counters from this object include:

Available Bytes Indicates the number of free bytes in the system's physical memory. A small amount of free memory indicates a possible memory bottleneck. Windows XP dynamically manages the paging file on disk in an attempt to balance free memory. As the free memory total decreases, page file usage increases, reducing performance.
Pages / sec Indicates the number of times per second that the system needs a specific memory page but has to go to the paging file for it rather than finding it in RAM. For this counter, a number higher than 15 or 20 indicates excessive paging activity and a need for more physical RAM.
Page faults / sec Also indicates the amount of paging activity. This counter is a combination of the number of hard page faults (when the page is not in RAM but on disk) and soft page faults (when the page is elsewhere in RAM and has to be mapped into the current process).

Physical Disk Monitors activity and statistics related to the physical hard disk drives in the system. Common counters for this object include:

Average Disk Read Queue Length Records the average length of a disk's read queue. This statistic indicates the number of read requests waiting for the disk.
Average Write Queue Length Records the average length of a disk's write queue. This statistic indicates the number of write requests waiting for the disk.
% Disk Time Indicates the percentage of the time the disk is busy servicing read and write requests.

Logical Disk Monitors activity and statistics related to the logical disk drives (volumes and volume sets) in the system. Common counters for this object include:

Average Disk Queue Length Records the average length of a disk's read and write queues. This statistic indicates the number of read and write requests waiting for the disk. Any consistent number recorded in this counter indicates that the physical disks are unable to keep up with demand.
% Disk Time Indicates the percentage of the time the disk is busy servicing read and write requests.

Viewing Performance Charts with System Monitor


The default view for System Monitor is the chart view. The first time you open System Monitor, you see the default chart (Figure 16-3) with three performance counters: % Processor Time, Average Disk Queue Length, and Pages / sec. These are commonly used as the primary indicators of system health. You can add performance objects, each with many counters, to track data about virtually any application or process on the system. Applications can install their own performance objects for monitoring their performance. For example, Microsoft Exchange Server and Microsoft SQL Server add performance objects on server class systems, and the .NET Framework and Microsoft Internet Information Services (IIS) installations add performance objects on both workstation and server systems.


Figure 16-3 System Monitor with default counters



To add additional counters to a System Monitor chart:
1. In Control Panel, choose Administrative Tools | Performance. Click the System Monitor item to display the default chart (as shown earlier in Figure 16-3).
NOTE You can also launch the Performance console by executing Perfmon.msc at a command line or in the Run dialog box. (Choose Start | Run.)

2. Add a counter by clicking the + button on the toolbar or right-clicking the chart and selecting Add Counters. This opens the Add Counters dialog box (Figure 16-4).


Figure 16-4 Adding counters in System Monitor


3. Select the appropriate new counter, choose an instance of the counter if necessary, and click Add.
NOTE To see information on the purpose of any counter, click the Explain button.

4. Add any additional instances of the counter, and click Close.


NOTE Instances are counters tied to a specific processor, disk, or queue. They are helpful in determining which actual device is generating delays. However, be careful about how many instances you add. The chart can quickly become cluttered. Instead, consider creating a separate chart for other instances of the same counter.

Managing chart properties
In addition to adding counters to the chart view, you can manage properties such as display scale, color, sample rate, and the scale of individual counters. This allows you to organize the monitor data into a meaningful display that can be both informative and persuasive. You might use this data at some point to justify a large budget for new equipment or system upgrades. Or you might use it to demonstrate the performance improvement brought about by an action you have taken. To configure chart properties, right-click the System Monitor chart view and select Properties. The System Monitor Properties dialog box appears, with the following tabs:

General Allows you to configure which view is displayed and the attributes of the view such as whether to show the legend or the toolbar (Figure 16-5). You can also select the sample rate for the view.


Figure 16-5 The System Monitor Properties dialog box


NOTE Choosing a sample rate is an important part of designing a chart view. Faster rates will catch short-term events but will not allow the view to display a very long time period. Slower sample rates will allow the view to show more data but may miss short-term events. You will have to determine which option is best for your needs.

Source Allows you to choose the data source for the current view. You can choose to display real-time data or data that has been recorded to a log or database.
Data Allows you to manage individual counters (Figure 16-6). You can configure their color, line width, line style, and the scale used in the chart view.


Figure 16-6 The Data tab of the System Monitor Properties dialog box

Graph Allows you to configure visual elements of the System Monitor chart. You can enable or disable the appearance of grid lines and change the scale of the chart.
Appearance Allows you to select color schemes and fonts for the current System Monitor view.

Saving a chart view
You might need to save a particular chart view, for example, to refer to later or because you are particularly pleased about the statistics it displays. You can save the view as an HTML file that contains the performance monitor object with the data that was displayed when the file was saved. You can also activate the display with new data by clicking the Freeze Display button (Figure 16-7). This activates the chart view and displays the performance counters in real time in your browser.


Figure 16-7 Activating a saved HTML view of System Monitor



NOTE You can use saved views to import counters into Performance Logs and Alerts, as you will see in the next section.

Using Histograms and Reports


You can also display performance data using histograms, which look like moving bar graphs, and reports, which display performance data in a text format. These two views are typically used less than the chart view, but they can make certain performance trends easier to spot or understand.

Using Histograms to Analyze Performance
Histograms (Figure 16-8) excel at identifying differences in multiple instances of one performance counter. Because histograms use a bar graph analogy, they can quickly present the relative levels at which counters are operating. This makes busy counters stand out better. You activate the histogram view by clicking the bar graph icon on the System Monitor toolbar. You can add and remove counters in the same way that you can with the chart view.

Using Reports to Summarize Performance Data
The report view (Figure 16-9) allows you to present data as text. This can be helpful when you need to present performance information to a decision maker as justification for purchasing additional hardware or systems. You can save performance reports as HTML or formatted text (Figure 16-10) by right-clicking in the report frame and choosing the appropriate option.



Figure 16-8 Using the histogram view to identify busy counters




Figure 16-9 System Monitor's report view



Figure 16-10 Displaying a performance report in WordPad




Using Performance Logs to Spot Trends


Let's say you have been hired for a performance-tuning job. The system performs well when it first starts, but it runs more slowly each day until it eventually needs to be restarted. You open System Monitor and begin charting the major performance indicators: memory, processor, physical disk, and network. Unfortunately, even by lowering the sample rate, you can only display a fixed time span in the chart view. With Performance Logs and Alerts, you can easily create a performance log that runs for a week or more to spot trends in one or more counters. You can display the log in the System Monitor chart view or use the report view of System Monitor to create a report of your findings. You can also set alerts to notify you when a counter reaches a critical threshold so you can open a chart view to see what is going on. Performance Logs and Alerts includes three tools:

Counter logs Traditional performance logs that record a specified counter for a specified interval. You can configure logs to run for a certain amount of time or stop them manually.
Trace logs Track process data to assist with debugging tasks. You probably won't use trace logs for common performance-monitoring tasks.
Alerts Notify users or administrators when a counter has reached a specified threshold. Alerts are useful when you are trying to see what is happening at a certain time. You can respond to the alert by opening a saved System Monitor view to view activity in real time.

Configuring a performance log
You can create performance logs from scratch by adding the applicable counters to your log task, or you can copy counters from a saved System Monitor view. You configure performance logs by using the Properties dialog box for a new or existing performance log (Figure 16-11).

Figure 16-11 Properties dialog box for a performance log




Configuration settings for performance logs are found on three tabs:

General Specifies counters to be monitored and the sample rate. You can add entire performance objects or individual counters to your performance log.
Log Files Includes log file settings such as log type and naming convention.
Schedule Specifies start and stop times for the log. You can configure a log to run at certain times of day, or you can specify a logging interval of a week. You can also specify an action to take when the log file closes. You can launch a new log or run a program or batch file to process the log file that just closed.

Creating a performance log
To create a performance log, take these steps:
1. In Control Panel, choose Administrative Tools | Performance to open the Performance console. Expand the Performance Logs And Alerts item in the console tree. You will see the System Overview log created by Microsoft. You can use this log as is or browse its settings for ideas on how to configure your own log. Note the counters, sample intervals, and log file names in this log.
2. You can create a new log from settings saved in a System Monitor view by right-clicking Counter Logs and choosing New Log Settings From (Figure 16-12). Browse to and select the saved view.


Figure 16-12 Creating a new performance log


NOTE You can also choose New Log Settings to create a new blank log. You must then specify your own counters and settings.

3. After providing a name for your log, you will be presented with the Properties dialog box for your new log (Figure 16-13). Configure the appropriate settings and schedule, and click OK.


Figure 16-13 Configuring performance log properties

NOTE Many performance experts recommend creating a baseline performance log soon after you acquire a system. This makes it easier later on to see which aspects of performance are declining and take appropriate action.

Using Performance Alerts


Performance alerts notify users or administrators when a specified counter crosses a threshold value configured by an administrator. The alert can simply be a notification, or it can perform tasks such as starting a performance log or running an application or batch file. To configure an alert:
1. In Control Panel, choose Administrative Tools | Performance to open the Performance console. Expand the Performance Logs And Alerts item in the console tree.
2. Right-click Alerts and choose New Alert Settings From (Figure 16-14) to copy alert settings from a saved System Monitor view.
NOTE You can also create a new alert without using saved settings. Simply choose New Alert Settings and specify your own counters.



Figure 16-14 Creating a new performance alert

3. After naming your new alert, configure counters and settings in the Properties dialog box for the new alert. Use the General tab (Figure 16-15) to configure counters, alert thresholds, and sample intervals.


Figure 16-15 Configuring alert properties

4. On the Action tab, configure the alert action (Figure 16-16).


Figure 16-16 Configuring alert actions


Monitoring Performance with Task Manager


Task Manager provides real-time information about the programs and processes running on your computer and the computer's performance. You can use Task Manager to start programs, stop programs and processes, and view a simplified chart view of your computer's performance. You can start Task Manager in the following ways:

Press CTRL+SHIFT+ESC.
Right-click the Windows taskbar, and then click Task Manager.
Press CTRL+ALT+DELETE.
NOTE Depending on your system's configuration, you might have to select Task Manager from the Security Configuration dialog box after pressing CTRL+ALT+DELETE.

Task Manager has the following tabs:

Applications Displays the running foreground applications and allows you to switch from one to another or to end an application that has stopped responding to the system (Figure 16-17).


Figure 16-17 Displaying active foreground applications in Task Manager

Processes Lists all system processes and allows you to manage them (Figure 16-18). You can end individual processes or change their execution priority.
NOTE Note the Show Processes From All Users check box. You can select it to display processes running for all users currently logged on to the system.



Figure 16-18 Displaying active processes in Task Manager

Performance Provides a quick glimpse of processor and memory graphs (Figure 16-19). These graphs can show you at a glance whether the system is in trouble.


Figure 16-19 Viewing performance in Task Manager

Networking Graphs the utilization level of any network interfaces installed on the system (Figure 16-20). You can quickly see if your system is experiencing bandwidth-related performance issues.


Figure 16-20 Displaying network utilization


Users Lists users who log on to the system while Fast User Switching is enabled (Figure 16-21). You will not see this tab on systems that are members of an Active Directory domain or that have Fast User Switching disabled.


Figure 16-21 Displaying users currently logged on to a system

Ending Runaway or Locked Processes
Occasionally, you will face a system with a process that has locked or is consuming all available resources. Using the Processes tab, you can identify which process is hogging the processor or memory and end it. To end a runaway or locked process, right-click the process you want to end and choose End Process (Figure 16-22).

Figure 16-22 Ending a process in Task Manager



NOTE You can also end tasks by using the Applications tab. Simply select the application and click the End Task button.


Managing Users with Task Manager
If you are administering a system with multiple users logged on via Fast User Switching and you need to log someone off, you can do so from the Users tab in Task Manager. To log off a user, right-click the username on the Users tab and choose Log Off (Figure 16-23). The user's applications will be ended and he will be logged off.

Figure 16-23 Logging off a user in Task Manager



You can also use the Users tab to send a message to a user who is logged on to the system. Right-click the username on the Users tab and choose Send Message. Enter the message into the Send Message dialog box (Figure 16-24), and click OK to send it.

Figure 16-24 The Send Message dialog box



NOTE Sending a message using Task Manager sends the message even if the Messenger service is disabled.

IMPROVING PERFORMANCE
Monitoring and improving performance is as much an art as a science. You must carefully analyze and interpret performance counters and performance logs. Solving severe performance issues can be an iterative process, often requiring you to reanalyze performance after you have made changes, to gauge their effect. In this section, we will discuss how to improve performance in key areas of system operation.

Memory Performance
Improving memory performance or size often leads to the largest improvements in performance. Each application that runs on your system attempts to carve out its own memory space. You can look at the system requirements on the product packaging to get an idea of how much memory your application needs. To determine whether you need more memory, check out a few key performance counters:

Memory: Available Bytes Shows how close your system is to running out of memory. For example, on a 512-MB system, 24 MB of free space is not a good statistic. As your system approaches the limit of physical memory, it begins to swap more and more pages to disk to retain enough free memory to handle sudden requests.
Memory: Pages / sec Indicates the relative amount of paging taking place. As the use of the page file increases, this counter rises. Page file usage is extremely detrimental to performance.
Page File: % Usage Indicates the percentage of the page file that is currently in use. If your system has 512 MB of RAM and is using another 512 MB in the page file, you have about half the physical memory you need.

Disk Performance
When you monitor disk performance, you should consider the source of disk activity. On a system with low memory, page file traffic will account for much of your disk activity. If, after ensuring that your system has ample memory, you still suspect disk performance issues, look at the following counters:

Physical Disk: Average Disk Queue Length Records the average length of a disk's read and write queues. This statistic indicates the number of read and write requests waiting for the disk. Any consistent number recorded in this counter indicates that the physical disks cannot keep up with demand. Consider faster disks or a hardware RAID solution to improve performance.
Physical Disk: % Disk Time Indicates the percentage of the time the disk is busy servicing read and write requests. Again, if you need to improve these numbers, consider faster disks or a hardware RAID solution.
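The memory and disk rules above, together with the counter thresholds given earlier in the chapter, can be applied to a saved counter log instead of being read off a chart by eye. The script below is an added example and not code from the book: it parses a constructed comma-separated counter log (a timestamp column, then one column per counter path, one row per sample) and reports which of the chapter's bottleneck rules the log trips, including the chapter's caveat that a memory-starved system looks disk-bound. The 5-percent Available Bytes threshold and the "3 of every 4 samples" test for "consistently" are assumptions, since the chapter states no figures for them.

```python
"""Check a saved counter log against the bottleneck rules in this chapter.

Added example, not part of the book. The log text below is constructed; its
layout (timestamp column, then one column per counter path, one row per
sample) follows the comma-separated form in which counter logs can be saved.
"""
import csv
import io

# Thresholds the chapter states.
CPU_BUSY_PCT = 80.0          # % Processor Time above this for long periods
PAGES_PER_SEC_LIMIT = 20.0   # Pages/sec above this means excessive paging
DISK_QUEUE_LIMIT = 0.0       # any consistently non-zero disk queue length
# Assumptions (the chapter gives no figures): free memory is "low" below
# 5 percent of installed RAM, and "consistently" means 3 of every 4 samples.
AVAILABLE_RAM_FRACTION = 0.05
SUSTAINED_FRACTION = 0.75

# Counter names as they appear once the leading host prefix is removed.
CPU = r'Processor(_Total)\% Processor Time'
AVAILABLE = r'Memory\Available Bytes'
PAGES = r'Memory\Pages/sec'
DISK_QUEUE = r'PhysicalDisk(_Total)\Avg. Disk Queue Length'

# Constructed 15-second samples from a 512-MB workstation that is short of RAM.
SAMPLE_LOG = r'''"(PDH-CSV 4.0) (constructed)","\\WS01\Processor(_Total)\% Processor Time","\\WS01\Memory\Available Bytes","\\WS01\Memory\Pages/sec","\\WS01\PhysicalDisk(_Total)\Avg. Disk Queue Length"
"01/10/2005 09:00:00.000","11.2","22000000","34.0","1.9"
"01/10/2005 09:00:15.000","18.7","19500000","41.5","2.4"
"01/10/2005 09:00:30.000","9.4","24100000","12.0","0.8"
"01/10/2005 09:00:45.000","15.0","18000000","55.2","3.1"
"01/10/2005 09:01:00.000","88.9","17600000","48.7","2.7"
"01/10/2005 09:01:15.000","14.3","21000000","37.9","2.2"
"01/10/2005 09:01:30.000","10.8","16900000","60.3","3.6"
"01/10/2005 09:01:45.000","12.1","20400000","44.4","2.0"
'''


def counter_name(path):
    """Drop the leading host prefix from a counter path so rules match any host."""
    parts = path.split('\\')            # ['', '', 'HOST', 'Object(inst)', 'Counter']
    return '\\'.join(parts[3:]) if path.startswith('\\\\') else path


def load_counter_log(text):
    """Parse counter-log CSV text into {counter name: [samples as floats]}."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    names = [counter_name(h) for h in rows[0][1:]]   # column 0 is the timestamp
    series = {name: [] for name in names}
    for row in rows[1:]:
        for name, value in zip(names, row[1:]):
            series[name].append(float(value))
    return series


def sustained(values, breached):
    """True when at least SUSTAINED_FRACTION of the samples breach the rule."""
    if not values:
        return False
    return sum(1 for v in values if breached(v)) / len(values) >= SUSTAINED_FRACTION


def find_bottlenecks(series, installed_ram_bytes):
    """Return [(resource, message)] for every chapter rule the log trips."""
    findings = []
    low_free = installed_ram_bytes * AVAILABLE_RAM_FRACTION
    memory_short = False
    if sustained(series.get(AVAILABLE, []), lambda v: v < low_free):
        memory_short = True
        findings.append(('memory', 'Available Bytes stays below %.0f MB; '
                         'free RAM is nearly exhausted' % (low_free / 2 ** 20)))
    if sustained(series.get(PAGES, []), lambda v: v > PAGES_PER_SEC_LIMIT):
        memory_short = True
        findings.append(('memory', 'Pages/sec exceeds %g; excessive paging, '
                         'add physical RAM' % PAGES_PER_SEC_LIMIT))
    if sustained(series.get(DISK_QUEUE, []), lambda v: v > DISK_QUEUE_LIMIT):
        msg = 'Avg. Disk Queue Length is consistently non-zero; disks cannot keep up'
        if memory_short:
            # The chapter's caveat: paging traffic makes a short-of-RAM system
            # look disk-bound, so fix memory before buying faster disks.
            msg += ' (paging is high, so add RAM before faster disks or RAID)'
        findings.append(('disk', msg))
    if sustained(series.get(CPU, []), lambda v: v > CPU_BUSY_PCT):
        findings.append(('cpu', '%% Processor Time stays above %g percent; '
                         'CPU is overloaded' % CPU_BUSY_PCT))
    return findings


if __name__ == '__main__':
    for resource, message in find_bottlenecks(load_counter_log(SAMPLE_LOG), 512 * 2 ** 20):
        print('%-6s %s' % (resource, message))
```

Run against the constructed log for a 512-MB system, it reports the two memory findings and the disk finding annotated with the paging caveat, and nothing for the CPU, whose single 88.9 percent sample is not sustained.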


Managing disk performance tasks using scheduled tasks
Disk performance can be affected not only by hardware but also by the effects of fragmentation. You can use scheduled tasks to manage a weekly defragmentation job on your system. To schedule defragmentation on your system:
1. Select the appropriate command-line Disk Defragmenter command. For the C: drive, you can use:
C:\Windows\System32\Defrag C:

2. In Control Panel, open Scheduled Tasks.
3. Double-click the Add Scheduled Task item to launch the Scheduled Task Wizard (Figure 16-25). Click Next to begin configuring the task.


Figure 16-25 Adding a new scheduled task

4. Browse to C:\Windows\System32\Defrag.exe (Figure 16-26). Click Open to advance to the next page of the wizard.


Figure 16-26 Selecting Defrag.exe


5. Choose Weekly to run this task every week (Figure 16-27). Click Next.


Figure 16-27 Scheduling the defragmentation job to run weekly

6. Set the day of the week and time you want to run the task (Figure 16-28). Click Next.


Figure 16-28 Choosing to run the task every Sunday

7. Provide the name and password of the Administrator-level account you will run the task under (Figure 16-29). Click Next.


Figure 16-29 Providing a user account to use for the Defrag.exe task


8. On the final wizard page, select the Open Advanced Properties For This Task When I Click Finish check box. Click Finish.
9. The task's Properties dialog box opens. You can modify the command line for the task to specify your disk drive (Figure 16-30). Click OK.


Figure 16-30 Completing the Defrag.exe command line

Managing Paging Files to Improve Disk Performance
Excessive paging of memory affects the performance of a system's hard disks and results not only in reduced read/write performance of the disks but also in reduced paging efficiency when applications vie with virtual memory for disk time. To alleviate some of these concerns, you should place the paging file on a different disk than the operating system. File reads and writes can then happen concurrently with virtual memory paging, thereby improving efficiency. If your system runs out of space in the paging file, all activity will essentially cease while the system increases the paging file size. This might take as long as several minutes and will severely affect performance. You can manage page file location and size by using the System Properties dialog box. To change the location or size of the paging file:
1. Right-click My Computer and choose Properties to open the System Properties dialog box.
2. On the Advanced tab (Figure 16-31), click the Settings button under Performance to open the Performance Options dialog box.



Figure 16-31 The Advanced tab of the System Properties dialog box

3. On the Advanced tab (Figure 16-32), find the Virtual Memory option. Click Change to open the Virtual Memory dialog box (Figure 16-33).


Figure 16-32 The Performance Options dialog box



Figure 16-33 Managing virtual memory

4. Select the disk to use for the paging file. You can change the size of the paging file on each disk. If you are moving the paging file, select another disk and configure the paging file size for that disk. Once the new file size is defined, you can restart the system to begin using the new file. You can then use the Virtual Memory dialog box to remove the original paging file.
NOTE

The default size for the paging file is 1.5 times the amount of physical RAM in the system.
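A command-line check of the same settings, added here as an example that is not from the book: wmic.exe reports where each paging file lives and how large it is, so you can confirm the move before and after the restart in step 4, and the script compares the allocation with the 1.5 x RAM default stated in the note. Reading memory in kilobytes for the arithmetic is a choice made for this example.

```batch
@echo off
setlocal
rem Added example (not from the book): inspect paging file placement and size
rem with wmic.exe. Read-only; nothing here changes the configuration.

echo Configured paging files (sizes in MB; 0 and 0 means system managed):
wmic pagefileset get Name,InitialSize,MaximumSize
echo.
echo Current paging file allocation and usage (MB):
wmic pagefile get Name,AllocatedBaseSize,CurrentUsage,PeakUsage
echo.

rem Physical RAM in KB, read with /value so parsing does not depend on
rem column widths. The inner FOR strips the carriage return that wmic
rem leaves at the end of every output line.
set RAMKB=
for /f "tokens=2 delims==" %%m in ('wmic os get TotalVisibleMemorySize /value') do (
    for /f "delims=" %%n in ("%%m") do set RAMKB=%%n
)
if not defined RAMKB (
    echo Could not read the physical memory size.
    exit /b 1
)

rem 1.5 x RAM, computed in KB to stay within the 32-bit range of SET /A.
set /a DEFAULT_MB=%RAMKB% * 3 / 2 / 1024
echo Physical RAM: %RAMKB% KB
echo Default paging file size (1.5 x RAM): %DEFAULT_MB% MB
endlocal
```

Run it from an Administrator-level command prompt (the first use of wmic.exe on a system installs its repository and takes a moment). A paging file that is still listed on the system drive after the restart means the original file was not removed in the Virtual Memory dialog box; an AllocatedBaseSize well below PeakUsage is the condition the text describes, where the system must stall to grow the file.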

Adding CPUs
If you have a dual-processor-capable system, you might consider adding a second CPU if required, but you should exhaust all other options before you do so. The true bottleneck often lies in memory or on the disk. However, if CPU utilization consistently hovers above 80 percent on your system while you are working, you should consider adding an additional CPU. Be sure to buy an exact twin of your existing CPU: the same processor family, model, and stepping number, and preferably from the same die lot. If you cannot find a matching processor, you can buy two processors from a current batch. However, this might be so expensive that you are better off buying a newer system. After analyzing performance and eliminating other possible causes, you will have all the information you need to make the decision when the time comes.


Hyper-Threading CPUs

Some recently released CPU models support a feature called simultaneous multithreading or hyper-threading. This feature allows a CPU to execute multiple threads of an application in parallel, gaining some of the benefits usually seen with multiple CPUs. This parallel execution can improve performance of multithreaded applications by as much as 25 percent and can improve performance of applications compiled for hyper-threading even more. Hyper-threading CPUs appear to the system as two processors, and they actually have duplicate circuitry for managing application threading. They do not have separate execution units (the component that actually executes program instructions).

Mobile System Performance


Managing mobile system performance requires understanding the unique challenges posed by mobile systems: multiple processor speeds, slow network connections, slower hard disk drive technology, and less RAM. Some CPUs use speed-switching technology to reduce CPU power consumption while on battery. Check if your system performs better on AC power. If this is the case, and you are not concerned about battery life, consider disabling the reduction in CPU speed that might occur when you disconnect power. You can do this by selecting the Always On power management scheme. Other improvements to consider include adding memory or switching to a faster disk. Consider how these changes will affect battery life. Some faster disks require more power to operate.


SUMMARY

Common factors leading to poor performance include insufficient memory, slow disk or network performance, and insufficient CPU speed. The Performance console provides tools for viewing performance data, logging performance data, and sending alerts when certain performance thresholds are met. Performance objects contain performance counters that relate to certain aspects of system or application performance. Performance counters report the statistics of a single aspect of system or application performance. Improving system performance often requires several rounds of monitoring and adjustments to achieve the desired results.

REVIEW QUESTIONS
1. Adding __________ is usually the easiest way to improve performance. (knowledge demonstration)
a. CPUs
b. Memory
c. Disks
d. Power

2. Which of the following performance counters can help you determine whether a system has adequate memory? (Choose all correct answers.) (knowledge application)
a. Memory: Available Bytes
b. Page File: % Usage
c. Memory: Pages / sec
d. Physical Disk: Average Disk Queue Length

3. You are analyzing performance of your Windows XP system. Physical Disk: % Disk Time is well over 50, Page File: % Usage is less than 10, and Memory: Pages / sec is less than 5. Which of the following items is most likely causing the performance issues on your system? (knowledge application)
a. Memory
b. Disk
c. CPU
d. Network

4. From which of the following sources can you copy counters when you configure a performance alert? (knowledge demonstration)
a. Page file
b. Performance log
c. Saved System Monitor view
d. Performance object

5. You notice that your mobile computer seems to run more slowly when you are not using the AC adapter. What could be causing this? (knowledge application)
a. The CPU is designed to run more slowly while on battery power.
b. The CPU isn't getting the power it needs to run efficiently.
c. The battery is of the wrong type.
d. The battery needs charging.

6. Which Windows XP system utility can you use to perform scheduled maintenance tasks on your system? (knowledge demonstration)
a. System Restore
b. Scheduled tasks
c. Maintenance Manager
d. Disk Defragmenter

CASE SCENARIOS
Scenario 16-1: A Slow Application
The CFO calls you in because he is running a large spreadsheet on his system and it is running unusually slowly. He wants you to try to get his system moving faster again.


Answer the following questions about this scenario:

1. Which Windows XP utility will give you a quick look at the performance of this system?

2. Available memory seems to be fine, but you notice that the system's hard disk thrashes excessively whenever you launch a new application. Which of the following performance counters can you use to check the status of the physical disk?
a. Memory: Available Bytes
b. Page File: % Usage
c. Memory: Pages / sec
d. Physical Disk: Average Disk Queue Length

3. You ask the CFO about his use of the system. Nothing has changed in terms of applications or data: the system has just been getting slower. You check Physical Disk: Average Disk Queue Length and find the value excessive. Which of the following factors might be responsible for the poor disk performance?
a. The hard disk is failing.
b. The system needs faster disks.
c. The disk is seeing excessive use of virtual memory.
d. The disk is excessively fragmented.

Scenario 16-2: Spotting the Cause of Performance Issues

You are analyzing a system with System Monitor and have noted the following statistics:

Counter                                          Value
Memory: Available Bytes (768 MB RAM total)       234 MB
Memory: Pages / sec                              2
Page File: % Usage                               24
Physical Disk: Average Disk Queue Length         4

Answer the following questions about this scenario:

1. Is memory probably an issue on this system?

2. Do you have enough information to know definitively whether disk performance is an issue on this system? If not, what additional counters can you use to monitor disk performance?
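The four counters in the scenario can be captured without sitting in front of System Monitor: typeperf.exe, the command-line companion of the Performance console, writes samples to a file. This is an added example, not material from the book; the sample count, interval and output path are assumed values, and the counter spelled "Avg. Disk Queue Length" is the one the text calls Average Disk Queue Length.

```batch
@echo off
setlocal
rem Added example (not from the book): record the four counters from
rem Scenario 16-2 with typeperf.exe so the figures can be captured
rem unattended and kept as a baseline. Sample count, interval and output
rem path are assumed values.
set OUTFILE=%TEMP%\perf-baseline.csv
set SAMPLES=60

rem One sample per second for SAMPLES seconds, written as CSV. The percent
rem sign in "% Usage" is doubled because this runs inside a batch file.
rem -y answers the overwrite prompt so the job can run unattended.
typeperf "\Memory\Available Bytes" "\Memory\Pages/sec" "\Paging File(_Total)\%% Usage" "\PhysicalDisk(_Total)\Avg. Disk Queue Length" -si 1 -sc %SAMPLES% -f CSV -o "%OUTFILE%" -y
if errorlevel 1 (
    echo typeperf failed. List the available counters with: typeperf -q PhysicalDisk
    exit /b 1
)

echo %SAMPLES% samples written to %OUTFILE%
rem Show the header row and the samples for a quick look.
type "%OUTFILE%"
endlocal
```

The CSV opens in a spreadsheet or can be loaded into System Monitor as a log, and because Memory: Available Bytes is recorded in bytes, divide by 1,048,576 to compare it with the 234 MB figure in the scenario. `typeperf -q PhysicalDisk` prints every counter the PhysicalDisk object offers, which is the list to consult for question 2.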

GLOSSARY
access control entry (ACE) An entry in an objects discretionary access control list (DACL) that grants permissions to a user or group. An ACE is also an entry in an objects system access control list (SACL) that specifies the security events to be audited for a user or group. access control list (ACL) Commonly used to refer to DACL. See Discretionary Access Control List (DACL). Active Directory The directory service that stores information about users, computers, files, printers, and other objects on a network and makes this information available to users and network administrators. Active Directory gives network users a single logon process to access permitted resources anywhere on the network. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects. Active Directory domain An Active Directory domain is a collection of computers defined by the administrator of a Windows network. These computers share a common directory database, security policies, and security relationships with other domains. An Active Directory domain provides access to the centralized user and group accounts maintained by the domain administrator. An Active Directory forest is made up of one or more domains, each of which can span more than one physical location. ActiveX A set of technologies that allows software components to interact with one another in a networked environment, regardless of the language in which the components were created. Address Resolution Protocol (ARP) In TCP/IP, a protocol that uses broadcast traffic on the local network to resolve a logically assigned IP address to its physical hardware or media access control layer address. Advanced Configuration and Power Interface (ACPI) An open industry specification that defines power management on a wide range of mobile, desktop, and server computers and peripherals. 
ACPI is the foundation for the OnNow industry initiative that allows system manufacturers to deliver computers that will start at the touch of a keyboard. ACPI design is essential for taking full advantage of power management and Plug and Play (PnP). alert See performance alert.

APIPA See Automatic Private IP Addressing (APIPA). ARP See Address Resolution Protocol (ARP). attribute For files, information that indicates whether a file is read-only, hidden, ready for archiving (backing up), compressed, or encrypted, and whether the file contents should be indexed for fast file searching. auditing The process of tracking users activities by recording selected types of events in the security log of a server or a workstation. audit policy A policy that determines which security events are to be reported to the network administrator. Authenticode A security feature of Internet Explorer. Authenticode allows vendors of downloadable programs (plug-ins or ActiveX controls, for example) to attach digital certificates to their products to assure users that their code is from the original developer and has not been altered. Authenticode lets users decide before downloading begins whether to accept or reject software components posted on the Internet.

551

552

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Automatic Private IP Addressing (APIPA) A feature of Windows XP TCP/IP that automatically configures a unique IP address from the range 169.254.0.1 through 169.254.255.254 and a subnet mask of 255.255.0.0 when the TCP/IP protocol is configured for dynamic addressing and a Dynamic Host Configuration Protocol (DHCP) server is not available. base 2 base 10 See binary. See decimal.

bit Short for binary digit. The smallest unit of information handled by a computer. One bit expresses a 1 or a 0 in a binary numeral, or a true or false logical condition. It is represented physically by an element such as a high or low voltage at some point in a circuit, the polarity of a magnetized spot on a magnetic disk, or the presence or absence of a spot on an optical disk. Boolean Of, pertaining to, or characteristic of logical (true/false) values. bot On the Internet, a program that performs a repetitive or time-consuming task, such as searching Web sites or newsgroups or indexing them in a database or other recordkeeping system. This term is also increasingly used to describe a malicious program that scans the Internet address space looking for systems with a particular vulnerability. This kind of bot, also known as a zombie, infects the host to control it remotely, using it to launch attacks on other systems or to spew unsolicited email messages across the Internet. broadband connection A high-speed connection. Broadband connections are typically 256 kilobytes per second (KBps) or faster. Broadband includes DSL and cable modem service. browser helper object (BHO) A DLL that allows developers to control Internet Explorer to perform certain tasks for which it was not initially designed, thus extending Internet Explorers capabilities. Examples of BHOs are antivirus scanners, download managers, and navigation monitors. byte A unit of data that typically holds a single character, such as a letter, digit, or punctuation mark. Some single characters can take up more than one byte. cached credentials Stored logon credentials that are used to authenticate a user when a domain controller is not available for authentication.

basic disk A physical disk that can be accessed by MS-DOS and all Windowsbased operating systems. Basic disks can contain up to four primary partitions, or three primary partitions and an extended partition with multiple logical drives. To create partitions that span multiple disks, you must first convert the basic disk to a dynamic disk using Disk Management. basic input/output system (BIOS) On x86-based computers, the set of essential software routines that test hardware at startup, start the operating system, and support the transfer of data among hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed when the computer is turned on. Although critical to performance, the BIOS is usually invisible to users. BHO See browser helper object (BHO).

binary Having two components, alternatives, or outcomes. The binary number system has the number 2 at its base, so values are expressed as combinations of two digits, 0 and 1. binary number A number expressed in base 2 or binary form. Binary numbers are composed of zeros and ones. See also binary.

GLOSSARY

553

CIDR See classless interdomain routing (CIDR). classless interdomain routing (CIDR) An address scheme that uses aggregation strategies to minimize the size of top-level Internet routing tables. compatibility mode A feature of a computer or operating system that allows it to run programs written for a different system. Programs often run more slowly in compatibility mode. convergence The process of stabilizing a system after changes occur in the network. In routing, if a route becomes unavailable, routers send update messages throughout the internetwork, reestablishing information about preferred routes. decimal A numbering system based on powers of 10. Each successive placeholder represents a progression of a multiple of 10. desktop The on-screen work area on which windows, icons, menus, and dialog boxes appear. device driver A program that allows a specific device, such as a modem, network adapter, or printer, to communicate with the operating system. Although a device might be installed on your system, Windows cannot use the device until you have installed and configured the appropriate driver. If a device is listed in the Hardware Compatibility List (HCL), a driver is usually included with Windows. Device drivers load (for all enabled devices) when a computer is started or new hardware is installed, and thereafter run invisibly. DHCP See Dynamic Host Configuration Protocol (DHCP). DHCP client Any network-enabled device that supports the ability to communicate with a DHCP server for the purpose of obtaining dynamic leased IP configuration and related optional parameter information.

DHCP server A computer running a DHCP service that offers dynamic configuration of IP addresses and related information to DHCP-enabled clients. Digital Subscriber Line (DSL) A type of high-speed Internet connection that uses standard telephone wires. This is also referred to as one type of broadband connection. discretionary access control list (DACL) The part of an objects security descriptor that grants or denies specific users and groups permission to access the object. Only the owner of an object can change permissions granted or denied in a DACL; thus, access to the object is at the owners discretion.

display adapter See video adapter.


Domain Name System (DNS) A hierarchical, distributed database that contains mappings of DNS domain names to IP addresses. DNS enables the location of computers and services by userfriendly names, and it also enables the discovery of other information stored in the database. dotted decimal notation The process of formatting an IP address as a 32-bit identifier made up of four groups of numbers, each representing a binary octet, with each group separated by a period. An example of an IP address using dotted decimal notation might look like this: 192.168.100.214 DSL See Digital Subscriber Line (DSL).

554

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

dynamic disk A disk that can be accessed only by Windows 2000, Windows Server 2003, and Windows XP. Dynamic disks provide features that basic disks do not, such as support for volumes that span multiple disks. Dynamic disks use a hidden database to track information about dynamic volumes on the disk and other dynamic disks in the computer. You convert basic disks to dynamic disks by using the Disk Management snap-in. When you convert a basic disk to a dynamic disk, all existing basic volumes become dynamic volumes. Dynamic Host Configuration Protocol (DHCP) A TCP/IP service protocol that offers dynamic leased configuration of host IP addresses and distributes other configuration parameters to eligible network clients. DHCP provides safe, reliable, and simple TCP/IP network configuration, prevents address conflicts, and helps conserve the use of client IP addresses on the network. Dynamic Update A feature of Windows XP Setup that queries Microsoft for product updates that can be incorporated into the Windows XP installation to enhance its operation. These updates might include replacement setup files or updated device drivers. Encrypting File System (EFS) A Windows feature that enables users to encrypt files and folders on an NTFS volume to keep them safe from access by intruders. encryption The process of disguising a message or data in order to hide its content. Ethernet An IEEE standard for contention networks, in which devices connected to the network compete for access to the network. Ethernet uses a bus or star topology and relies on the form of access known as Carrier Sense Multiple Access with Collision Detec-

tion (CSMA/CD) to regulate communication-line traffic. Network nodes are linked by coaxial cable, fiber-optic cable, or twisted-pair wiring. Data is transmitted in variable-length frames containing delivery and control information and up to 1,500 bytes of data. The Ethernet standard provides for transmission at rates of 10 megabits (10 million bits), 100 megabits (100 million bits), 1 gigabit (1 billion bits), or 10 gigabits (10 billion bits) per second. exception In Windows Firewall, a packet filtering rule that allows inbound connections to certain applications or ports. file system In an operating system, the overall structure in which files are named, stored, and organized. NTFS, FAT, and FAT32 are types of file systems. File Transfer Protocol (FTP) A member of the TCP/IP suite of protocols that is used to copy files between two computers on the Internet. Both computers must support their respective FTP roles: one must be an FTP client and the other must be an FTP server. FilterKeys A keyboard feature that instructs your keyboard to ignore brief or repeated keystrokes. You can also adjust the keyboard repeat rate, which is the rate at which a key repeats when you hold it down. firewall A combination of hardware and software that provides a security system, usually to prevent unauthorized access from the outside to an internal network or intranet. FTP See File Transfer Protocol (FTP).

gateway A device connected to multiple physical TCP/IP networks that is capable of routing or delivering IP packets among them. giga One billion. In data storage, a prefix meaning 2 to the 30th power, or 1,073,741,824.

GLOSSARY

555

GPO

See Group Policy Object (GPO).

group A collection of users, computers, contacts, or other groups. Groups can be used for security or as e-mail distribution lists. Distribution groups are used only for e-mail. Security groups are used both to grant access to resources and as e-mail distribution lists. Group Policy Object (GPO) A collection of Group Policy settings. Group Policy Objects are essentially the documents created by the Group Policy snap-in, a Windows utility. GPOs are stored at the domain level, and they affect users and computers contained in sites, domains, and organizational units (OUs). In addition, each Windows computer has exactly one group of settings stored locally, called the local GPO. hibernation A state in which your computer shuts down after saving everything in memory on your hard disk. When you bring your computer out of hibernation, all programs and documents that were open are restored to your desktop. hive A section of the registry that appears as a file on your hard disk. The registry subtree is divided into hives (named for their resemblance to the cellular structure of a beehive). A hive is a discrete body of keys, subkeys, and values that is rooted at the top of the registry hierarchy. A hive is backed by a single file and a .log file, which are in the systemroot\System32\Config or the systemroot\Profiles\username folders. Hypertext Markup Language (HTML) A simple markup language used to create hypertext documents that are portable from one platform to another. HTML files are simple ASCII text files with codes embedded (indicated by markup tags) to denote formatting and hypertext links. HTML is the basis for most World Wide Web communications.

ICMP See Internet Control Message Protocol (ICMP). IDS See intrusion detection system (IDS). IGMP See Internet Group Management Protocol (IGMP). Internet Control Message Protocol (ICMP) A required maintenance protocol in the TCP/IP suite that reports errors and allows simple connectivity. ICMP is used by the Ping tool to perform TCP/IP troubleshooting. Internet Group Management Protocol (IGMP) A protocol used by IP hosts to report their multicast group memberships to any immediately neighboring multicast routers. Internet Protocol (IP) A routable protocol in the TCP/IP protocol suite that is responsible for IP addressing, routing, and the fragmentation and reassembly of IP packets. Internet service provider (ISP) A company that provides individuals or companies access to the Internet and the World Wide Web. An ISP provides a telephone number, username, password, and other connection information so users can connect their computers to the ISPs computers. An ISP typically charges a monthly or hourly connection fee. interrupt request (IRQ) A request for attention from the processor. When the processor receives an interrupt, it suspends its current operations, saves the status of its work, and transfers control to a special routine known as an interrupt handler, which contains the instructions for dealing with the particular situation that caused the interrupt. intrusion detection system (IDS) A type of security management system for computers and networks that gathers and analyzes information from various sources to identify possible security breaches. IP See Internet Protocol (IP).

556

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

IP address A 32-bit address used to identify a node on an IP internetwork. Each node on the IP internetwork must be assigned a unique IP address, which is made up of the network ID plus a unique host ID. This address is typically represented with the decimal value of each octet, separated by a period (for example, 192.168.7.27). In Windows XP Professional, you can configure the IP address statically, dynamically through DHCP, or automatically through automatic private IP addressing (APIPA). ISP See Internet service provider (ISP).

logon script A file that can be assigned to user accounts. Typically a batch file, a logon script runs every time the user logs on. It can be used to configure a users working environment at every logon, and it allows an administrator to influence a users environment without managing all aspects of it. A logon script can be assigned to one or more user accounts. loopback address The address of the local computer used for routing outgoing packets back to the source computer. This address is used primarily for testing. MAC address See Media Access Control (MAC) address. malware Software created and distributed for malicious purposes, such as to invade computer systems in the form of viruses, worms, or innocent-seeming plug-ins and extensions that mask other destructive capabilities. Master File Table (MFT) An NTFS system file on NTFS-formatted volumes that contains information about each file and folder on the volume. The MFT is the first file on an NTFS volume. Media Access Control (MAC) address A hardware address that uniquely identifies each node of a network. MAC addresses are globally uniqueno two network adapters have a duplicate MAC addressand they are encoded directly into the firmware of the network adapter. media library A data-storage system usually managed by Removable Storage. A library consists of removable media (such as tapes or discs) and a hardware device that can read from or write to the media. The two major types of libraries are robotic libraries (automated multiple-media, multidrive devices) and standalone drive libraries (manually operated, single-drive devices). A robotic library is also called a jukebox or a changer.

kernel The core of layered architecture that manages the most basic operations of the operating system and the computers processor. The kernel schedules different blocks of executing code, called threads, to keep the processor as busy as possible, and coordinates multiple processors to optimize performance. The kernel also synchronizes activities among Executive-level subcomponents, such as the I/O Manager and the Process Manager, and handles hardware exceptions and other hardware-dependent functions. kilo One thousand. In digital storage, a prefix meaning 2 to the 10th power, or 1,024. Line Printer Daemon (LPD) A service on a UNIX-like print server that receives documents (print jobs) from Line Printer Remote (LPR) utilities running on client systems. Windows print servers can support LPD to provide interoperability with UNIX. Line Printer Remote (LPR) A connectivity utility that runs on client systems and is used to print files to a computer running an LPD server. Windows clients can be configured to print using LPR for interoperability with UNIX.

GLOSSARY

557

media pool A logical collection of removable media that have the same management policies. Media pools are used by applications to control access to specific tapes or discs within libraries managed by Removable Storage. The four media pools are: unrecognized, import, free, and application-specific. Each media pool can only hold media or other media pools. mega One million. In data storage, a prefix meaning 2 to the 20th power, or 1,048,576. metadata Data about data. For example, the title, subject, author, and size of a file constitute the files metadata. MFT See Master File Table (MFT).

network ID In IP addressing, the base address of an IP network address block, in which the host portion of the address (expressed in binary form) is all zeros. notification area The area on the taskbar to the right of the taskbar buttons. The notification area displays the time and can also contain shortcuts that provide quick access to programs such as Volume Control and Power Options. Other shortcuts can appear temporarily, providing information about the status of activities. For example, the printer shortcut icon appears after a document has been sent to the printer and disappears when printing is complete. NT file system See NTFS.

netblock A contiguous group of IP addresses, often described as a single block with a common network ID. network A group of computers and other devices, such as printers and scanners, that are connected by a communications link, enabling all the devices to interact with each other. Networks can be small or large, permanently connected through wires or cables, or temporarily connected through phone lines or wireless transmissions. The largest network is the Internet, which is a worldwide group of networks. network adapter A device that connects your computer to a network. This device is sometimes called an adapter card or a network interface card (NIC). network basic input/output system (NetBIOS) An application programming interface (API) that can be used by programs on a local area network (LAN). NetBIOS provides programs with a uniform set of commands for requesting the lower-level services required to manage names, conduct sessions, and send datagrams between nodes on a network.

NTFS An acronym for NT file system, NTFS is an advanced file system that provides performance, security, reliability, and advanced features not found in any version of FAT. For example, NTFS guarantees volume consistency by using standard transaction logging and recovery techniques. If a system fails, NTFS uses its log file and checkpoint information to restore the consistency of the file system. In Windows 2000 and Windows XP, NTFS also provides advanced features such as file and folder permissions, encryption, disk quotas, and compression. octet A unit of data that consists of exactly 8 bits. offline A state that marks a component in a cluster as unavailable. A node in an offline state is either inactive or not running. Resources and groups also have an offline state.

558

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

Open Systems Interconnection (OSI) reference model A networking model introduced by the International Organization for Standardization (ISO) to promote multivendor interoperability. OSI is a seven-layer conceptual model consisting of the application, presentation, session, transport, network, data-link, and physical layers. organizational unit (OU) An Active Directory container object used within domains. An organizational unit is a logical container into which users, groups, computers, and other OUs are placed. It can contain objects only from its parent domain. An OU is the smallest scope to which a Group Policy object can be linked, or over which administrative authority can be delegated. OU See organizational unit (OU).

P3P See Platform for Privacy Preferences (P3P).
packet An Open Systems Interconnection (OSI) network layer transmission unit that consists of binary information representing data and a header containing an identification number, source and destination addresses, and error-control data.
packet filtering The process of controlling network access based on IP addresses.
packet header The portion of a data packet that precedes the body. The header contains data that is needed for successful transmission, such as source and destination addresses and control and timing information.
partition A portion of a physical disk that functions as if it were a physically separate disk. After you create a partition, you must format it and assign it a drive letter before you can store data on it.
password A shared authentication mechanism stored in each user's account. Each user generally has a unique user password and must type that password when logging on or accessing a server.
performance alert A feature that detects when a predefined counter value rises above or falls below the configured threshold and notifies a user by means of the Messenger service.
performance counter In System Monitor, a data item that is associated with a performance object. For each counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object.
performance counter instance In System Monitor, a term used to distinguish between multiple performance objects of the same type on a computer.
performance object In System Monitor, a logical collection of counters that is associated with a resource or service that can be monitored.
permission A rule associated with an object to regulate which users can gain access to an object and the manner in which they can gain access. Permissions are granted or denied by the object's owner.
Platform for Privacy Preferences (P3P) An open World Wide Web Consortium (W3C) protocol that allows Internet users to control the type of personal information collected by the Web sites they visit. P3P uses User Agents built into browsers and Web applications to allow P3P-enabled Web sites to communicate privacy practices to users before they log on to the Web site. P3P compares the Web site's privacy policies with the user's personal set of privacy preferences, and it reports any disagreements to the user.

GLOSSARY

559

Plug and Play A set of specifications developed by Intel that allows a computer to automatically detect and configure a device and install the appropriate device drivers.
Point-to-Point Protocol (PPP) An industry standard suite of protocols for the use of point-to-point links to transport multiprotocol datagrams. PPP is documented in RFC 1661.
Point-to-Point Protocol over Ethernet (PPPoE) A specification for connecting users on an Ethernet network to the Internet through a broadband connection, such as a single DSL line, wireless device, or cable modem. Using PPPoE and a broadband modem, local area network (LAN) users can gain individual authenticated access to high-speed data networks. By combining Ethernet and Point-to-Point Protocol (PPP), PPPoE provides an efficient way of creating for each user a discrete connection to a remote server.
port An interface for program communication over a network connection. Together with a network address, a port defines a socket.
PostScript A page-description language (PDL) developed by Adobe Systems for printing with laser printers. PostScript offers flexible font capability and high-quality graphics. It is the standard for desktop publishing because it is supported by imagesetters, the high-resolution printers used by printing services for commercial typesetting.
PPP See Point-to-Point Protocol (PPP).

PPPoE See Point-to-Point Protocol over Ethernet (PPPoE).
print job The source code that contains both the data to be printed and the commands for printing. Print jobs are classified into data types based on what modifications, if any, the spooler must make to the job for it to print correctly.
print server A computer that is dedicated to managing the printers on a network. The print server can be any computer on the network.
printer permissions Permissions that specify the type of access that a user or group has to a printer. The printer permissions are Print, Manage Printers, and Manage Documents.
printing pool Two or more identical printers that are connected to one print server and act as a single printer. In this case, when you print a document, the print job is sent to the first available printer in the pool.
protocol A set of rules and conventions for sending information over a network. These rules govern the content, format, timing, sequencing, and error control of messages exchanged among network devices.
proxy server A firewall component that manages Internet traffic to and from a local area network (LAN) and can provide other features, such as document caching and access control. A proxy server can improve performance by supplying frequently requested data, such as a popular Web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.
Recovery Console A command-line interface that provides a limited set of administrative commands that are useful for repairing a computer.

560

INSTALLING, CONFIGURING, AND ADMINISTERING MICROSOFT WINDOWS XP PROFESSIONAL

registry A database repository for information about a computer's configuration. The registry contains information that Windows continually references during operation, such as profiles for each user; the programs installed on the computer and the types of documents each can create; property settings for folders and program icons; what hardware exists on the system; and which ports are being used. The registry is organized hierarchically as a tree and is made up of keys and their subkeys, hives, and value entries.
Remote Installation Services (RIS) A software service that allows an administrator to set up new client computers remotely, without having to visit each client. The target clients must support remote booting.
restore point A representation of a stored state of your computer. A restore point is created by System Restore at both specific intervals and when applications register important changes to your computer. You can also create restore points manually at any time.
rights Tasks that a user is permitted to perform on a computer system or domain. The two types of user rights are privileges (such as the right to shut down the system) and logon rights (such as the right to log on to a computer locally). Both types are assigned by administrators to individual users or groups as part of the security settings for the computer.
roaming user profile A server-based user profile that is downloaded to the local computer when a user logs on and that is updated both locally and on the server when the user logs off. A roaming user profile is available from the server when a user logs on to a workstation or server computer. When logging on, the user can use the local user profile if it is more current than the copy on the server.

router Hardware that helps networks achieve interoperability and connectivity and can link networks that have different network topologies (such as Ethernet and Token Ring). Routers match packet headers to network segments and choose the best path for the packet, optimizing network performance.
routing table In data communications, a table of information that provides network hardware with the directions needed to forward packets of data to locations on other networks.
SACL See system access control list (SACL).
safe mode In some versions of Windows, a boot mode that bypasses startup files and loads only the most basic drivers. Safe mode allows the user to correct some problems with the system; for example, if the system fails to boot or the registry has become corrupted.
screen resolution The setting that determines the amount of information that appears on screen, measured in pixels. Low resolution, such as 640 × 480, makes items on the screen appear large, although the screen area is small. High resolution, such as 1024 × 768, makes the overall screen area large, although individual items appear small.
screen saver A moving picture or pattern that appears on your screen when you have not used the mouse or keyboard for a specified period of time.
Secure Sockets Layer (SSL) An open standard for establishing a secure communications channel to prevent the interception of sensitive information, such as credit card numbers. It primarily enables secure electronic financial transactions on the World Wide Web, although it is designed to work over other Internet services as well.


security descriptor A data structure that contains security information associated with a protected object. Security descriptors include information about who owns the object, who can access it and in what way, and what types of access will be audited.
security ID (SID) A data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name.
Service Set Identifier (SSID) A name used to distinguish one wireless network from another. It is configured into an infrastructure device such as an access point, and systems not configured with the same SSID are not allowed to communicate on that network.
session A logical connection created between two hosts to exchange data. Sessions typically use sequencing and acknowledgments to send data reliably.
share To make resources, such as folders and printers, available to others. Also used as a synonym for shared folder.
share name A name that refers to a shared resource on a server. Each shared folder on a server has a share name that can be used by PC users when they access the folder.
shared folder A folder that is located on a remote computer that has been made available for users to access over a network.
shared folder permissions Permissions that restrict to only certain users on the network the availability of a shared resource.

Simple Network Management Protocol (SNMP) A network protocol used to manage TCP/IP networks. In Windows, the SNMP service is used to provide status information about a host on a TCP/IP network.
site One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology quickly and easily to take advantage of the physical network. When users log on, Active Directory clients locate Active Directory servers in the same site as the user.
smart card A credit card-sized device that is used with an access code to enable certificate-based authentication and single sign-on (SSO) to an enterprise. Smart cards securely store certificates, public and private keys, passwords, and other types of personal information. A smart card reader attached to the computer reads the smart card.
SNMP See Simple Network Management Protocol (SNMP).
socket An identifier for a particular service on a particular node on a network. The socket consists of a node address and a port number, which identifies the service. For example, port 80 on an Internet node indicates a Web server.
spyware Software designed for the purpose of collecting data, sometimes personal, about users or their computer use. Often this data is transmitted by the software to a remote site for tabulation or analysis.
SSID See Service Set Identifier (SSID).
SSL See Secure Sockets Layer (SSL).

StickyKeys A keyboard feature that enables you to press a modifier key (CTRL, ALT, or SHIFT) or the Windows logo key and have it remain active until a non-modifier key is pressed. This is useful for people who have difficulty pressing two keys simultaneously.


subnet mask A 32-bit value that enables the sender of IP packets to distinguish the network ID and host ID of a destination system.
subnetting Dividing a network into smaller networks or subnets to improve network security or performance or to make available a portion of the network to another person or organization.
supernetting Aggregating multiple networks of the same address class into a single, larger netblock.
synchronize To reconcile the differences between files stored on one computer and versions of the same files on other computers. Once the differences are determined, both sets of files are updated.
system access control list (SACL) The part of an object's security descriptor that specifies which events are to be audited per user or group. Examples of auditing events are file access, logon attempts, and system shutdowns.
taskbar The bar that contains the Start button and appears by default at the bottom of the desktop. You can click the taskbar buttons to switch among programs. You can also hide the taskbar, move it to the sides or top of the desktop, and customize it in other ways.
TCP/IP See Transmission Control Protocol/Internet Protocol (TCP/IP).
Temporal Key Integrity Protocol (TKIP) A protocol used to manage the rotation or changing of encryption keys for wireless communications.
theme A set of visual elements that provide a unified look for your computer desktop. A theme determines the look of the various graphic elements of your desktop, such as the windows, icons, fonts, colors, and the background and screen saver pictures. It can also define sounds associated with events such as opening or closing a program.

Time to Live (TTL) A timer value included in packets sent over TCP/IP-based networks that tells the recipients how long to hold or use the packet or any of its included data before expiring and discarding the packet or data.
TKIP See Temporal Key Integrity Protocol (TKIP).
TLS See Transport Layer Security (TLS).

ToggleKeys A feature that sets your keyboard to beep when one of the locking keys (CAPS LOCK, NUM LOCK, or SCROLL LOCK) is turned on or off.
Token Ring An Institute of Electrical and Electronics Engineers (IEEE) standard for polling networks. In this type of network, all the computers are schematically arranged into a circle. A token, which is a special bit pattern, travels around the circle. To send a message, a computer catches the token, attaches a message to it, and then lets it continue to travel around the network. The Token Ring standard provides for transmission at 4 megabits (4 million bits), 16 megabits (16 million bits), 100 megabits (100 million bits), or 1 gigabit (1 billion bits) per second.
Transmission Control Protocol/Internet Protocol (TCP/IP) A widely used set of networking protocols on the Internet. TCP/IP provides communication across interconnected networks of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.
Transport Layer Security (TLS) A standard protocol that provides secure Web communications over the Internet or intranets. It enables clients to authenticate servers and optionally allows servers to authenticate clients. It also provides a secure channel by encrypting communications. TLS is the latest and most secure version of the SSL protocol.


Trojan horse A destructive program disguised as a game, utility, or application.
TTL See Time to Live (TTL).

UDP See User Datagram Protocol (UDP).
UNC See Universal Naming Convention (UNC).
uniform resource locator (URL) An address that uniquely identifies a location on the Internet. A URL for a World Wide Web site starts with http://, as in the (fictitious) URL http://www.example.contoso.com/. A URL can contain more detail, such as the name of a page of hypertext, usually identified by the filename extension .html or .htm.
uninterruptible power supply (UPS) A device placed between a computer and a power source to ensure that electrical flow is not interrupted. UPS devices use batteries to keep the computer running for a period of time after a power failure. UPS devices usually provide protection against power surges and brownouts as well.
Universal Naming Convention (UNC) The convention used for the full name of a resource on a network. It conforms to the \\servername\sharename syntax, where servername is the name of the server and sharename is the name of the shared resource. UNC names of directories or files can also include the directory path under the share name, with the following syntax: \\servername\sharename\directory\filename.
user account A record that consists of all the information that defines a user to Windows. This includes the username and password required for the user to log on, the groups to which the user account belongs, and the rights and permissions the user has for the computer and network and for accessing his resources.

User Datagram Protocol (UDP) A TCP complement that offers a connectionless datagram service that, much like IP, guarantees neither delivery nor correct sequencing of delivered packets.
user profile A file that contains configuration information for a specific user, such as desktop settings, persistent network connections, and application settings. Each user's preferences are saved to a user profile that Windows uses to configure the desktop each time a user logs on.
username A unique name identifying a user account to Windows. An account's username must be unique among the other group names and usernames within its own domain or workgroup.
video adapter An expansion board that plugs into a personal computer to give it display capabilities. A computer's display capabilities depend on both the logical circuitry (provided in the video adapter) and the monitor. Each adapter offers several video modes. The two basic categories of video modes are text and graphics. Within the text and graphics modes, some monitors also offer a choice of resolutions. At lower resolutions, a monitor can display more colors. Modern adapters contain memory, so the computer's RAM is not used for storing displays. In addition, most adapters have their own graphics coprocessor for performing graphics calculations. These adapters are often called graphics accelerators.
virtual memory Temporary storage used by a computer to run programs that need more memory than the computer has. For example, programs might have access to 4 gigabytes (GB) of virtual memory on a computer's hard drive even if the computer has only 32 megabytes (MB) of RAM. The program data that does not currently fit into the computer's memory is saved into paging files.


virtual private network (VPN) The extension of a private network that encompasses encapsulated, encrypted, and authenticated links across shared or public networks. VPN connections can provide remote access and routed connections to private networks over the Internet.
virus A program that attempts to spread from computer to computer and either cause damage, by erasing or corrupting data, or annoy users, by printing messages or altering what is displayed on the screen.
volume An area of storage on a hard disk. A volume is formatted by using a file system, such as FAT or NTFS, and has a drive letter assigned to it. You can view the contents of a volume by clicking its icon in Windows Explorer or in My Computer. A single hard disk can have multiple volumes, and volumes can also span multiple disks.
volume shadow copy A volume that represents a duplicate of the original volume taken at the time the copy began.
VPN See virtual private network (VPN).

WebDAV See Web Distributed Authoring and Versioning (WebDAV).
Web Distributed Authoring and Versioning (WebDAV) An application protocol related to HTTP version 1.1 that allows clients to transparently publish and manage resources on the World Wide Web.
Web Proxy Auto-Discovery (WPAD) protocol A protocol that allows a Web browser to automatically locate and configure settings for a proxy server.
WEP See Wired Equivalent Privacy (WEP).
WiFi Protected Access (WPA) A newer encryption method that uses changeable encryption keys to thwart key cracking. WPA will be ratified as the encryption standard 802.11i. It initializes a key when a connection is established and uses the Temporal Key Integrity Protocol (TKIP) to manage key rotation.
Windows Management Instrumentation (WMI) A management infrastructure in Windows that supports monitoring and controlling system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status.
Wired Equivalent Privacy (WEP) An encryption method for wireless communication that uses a fixed encryption key to encrypt the network traffic. The key is entered into each device during configuration.
WMI See Windows Management Instrumentation (WMI).
worm A program that propagates across computers, usually by creating copies of itself in each computer's memory.
WPA See WiFi Protected Access (WPA).

SYSTEM REQUIREMENTS
To complete the exercises in this textbook, your computer needs to meet the following minimum system requirements:

Microsoft Windows XP Professional with Service Pack 2 (SP2). (A 120-day evaluation edition of Windows XP Professional with SP2 is included on the CD-ROM.) Service Pack 2 may be installed separately on pre-Service Pack 2 systems.
Microsoft PowerPoint or Microsoft PowerPoint Viewer. (PowerPoint Viewer is included on the supplemental student CD-ROM.)
Microsoft Word or Microsoft Word Viewer. (Word Viewer is included on the supplemental student CD-ROM.)
Internet Explorer 6 or later.
Minimum CPU: 233 megahertz (MHz) Pentium-compatible. (Pentium II 300 MHz or faster processor is recommended.)
Minimum RAM: 64 megabytes (MB). (128 MB or more is recommended.)
Disk space for setup: 4.5 gigabytes (GB).
Display monitor capable of 800 x 600 resolution or higher.
CD-ROM drive.
Microsoft mouse or compatible pointing device.

Uninstall Instructions
The time-limited release of Windows XP Professional with SP2 will expire 120 days after installation. If you decide to discontinue the use of this software, you will need to reinstall your original operating system. You might need to reformat your hard drive.
