Everything You Ever Need To Know About Windows 2000 Professional

This page is in series of my personal study notes I have put together when preparing for various certification exams. This page includes content from my preparation for exam 70-210 titled "Installing, Configuring, and Administering Microsoft Windows 2000 Professional" and was originally published on September 16, 2001.

Implementing and Administering Resources, Users, and Groups

Sharing

  • Only Administrators and Power Users can create shared network folders.
  • Windows 2000 Professional allows maximum 10 concurrent connections per share.
  • Administrative shares (c$, admin$, ipc$) are re-created every time the machine is restarted or the server service restarted. They only can be disabled permanently by modifying the registry.
  • Admin$ share shares the systemroot (c:\winnt) folder.
  • IPC$ is used for Inter Process Communications, i.e. communication between objects running on different machines on the network.
  • The share permissions are only available for backward compatibility or when sharing resources on non-NTFS drive.

Offline Files

  • You can make network files available offline by storing shared files on your computer so they are accessible when you are not connected to the network.
  • When sharing files you can enable caching with 3 options (after enabling “allow caching of files in this folder” in the CACHE dialog box):
    • Automatic Caching for Documents
    • Automatic Caching for Programs
    • Manual Caching for Documents (Default)
  • By default files with the following extensions are NOT cached: SLM, LDB, MDW, MDB, PST, DB. This is configured through Group Policy.
  • Synchronization Manager is used to control which network device is used for file synchronization.
  • Offline Files is also referred to as CSC (Client Side Caching).
  • The default location for cached files on workstation is SystemRoot\CSC (c:\winnt\csc). This can be changed using Resource Kit utility CACHEMOV.EXE. This utility moves cached folder to the root of drive specified (\CSC).

Local Users and Groups

  • User and group accounts are stored in one of two locations: local security database and Active Directory
  • BUILT-IN LOCAL USERS (2) - There are two built-in users installed by default: Administrator and Guest (disabled)
    • Administrator
      • Cannot be disabled, locked out, deleted
      • Cannot be removed from Administrators group
      • Can be renamed
    • Guest:
      • Can be disabled (Disabled by default)
      • Can be locked out
      • Cannot be deleted
      • Can be renamed
      • Does not save user preferences or settings
  • BUILT-IN LOCAL GROUPS (6) are installed by default with following rights (privileges):

    • Administrators
      • Have ALL built-in system privileges assigned (full control of the system)
      • When the system is added to a domain, the Domain Administrators group is added to the local Administrators group.
      • Only Administrators can format a hard drive partition.
      • Can create shared folders and printers.
    • Backup Operators
      • Can back up and restore files & folders regardless of their permissions
      • Can log on to or shut down the system
      • Cannot change security settings
    • Guests
      • Have limited privileges - no specific rights or permissions on objects.
      • Can log on to the system and shut it down
      • Can't make permanent UI changes
      • If the machine joins a domain, the Domain Guests group automatically becomes a member of the local Guests group
    • Power Users
      • Can add and change local accounts (change only users they created)
      • Can create shared folders and printers.
      • Cannot take ownership of files, back up/restore, install system drivers, or manage security and auditing logs
    • Replicator
      • Supports file replication within a domain context (NT only – not used in Win 2000 domains)
    • Users
      • Can perform tasks only after an administrator has granted them rights to do so.
      • A new user is automatically added to the Users group.
      • Can log on and shut down the system
      • Cannot create local shared folders or printers.
      • If the machine joins a domain, the Domain Users group automatically becomes a member of the local Users group.

  • BUILT-IN SYSTEM GROUPS (7) are installed by default. Membership of these groups changes depending on how the system is accessed.
    • Everyone
      • All users who access the computer (including the Guest account). Best practice is to avoid using this group.
    • Authenticated Users
      • Have a valid account on the local system or domain. Use this group instead of Everyone to keep out anonymous users.
    • Creator Owner
      • A user becomes a member of this group by creating or taking ownership of a resource. When a member of the Administrators group creates a resource, the Administrators group becomes the member of this group rather than the actual user.
    • Network
      • All accounts connecting from remote computers.
    • Interactive
      • Locally logged-in users
    • Anonymous Logon
      • Users that were not validated or authorized.
    • Dialup
      • Users connected via Dial-Up Networking.

  • In NT/Win2K users and groups participate in one of two security contexts: Workgroup security and Domain security.
    • Workgroups are logical groupings of computers that do not share a centrally managed user and group database.
    • A Domain is a logical grouping of computers that share a centrally managed database of users and groups.
  • The Active Directory database is physically stored on domain controller computers. It is replicated and synchronized with other domain controllers. In an NT Domain group memberships can travel between domains provided that trusts are enabled. In Active Directory domains group memberships travel throughout the entire forest.
  • User account names must be unique, are recognized only to the 20th character although the name itself can be longer, and are NOT case sensitive.
  • User passwords are case sensitive and can be up to 127 characters (NT4 and 9x support only 14).
  • Local groups can contain only local accounts; when the machine is in a domain they may also contain domain accounts.
  • When renaming an account the SID does not change – it is good practice to rename an account when you want to give someone the same access as a person who left (replace the account).
  • The Administrator account cannot be disabled, and only Administrators can enable the Guest account.
  • It is recommended to disable accounts rather than deleting them – deleting destroys the SID, therefore you lose the log for that account.
  • You cannot copy local user accounts.

Domain Users

  • All domain controllers in Windows 2000 can make changes to the Active Directory database.
  • All users have two logon names:
    • UPN is used for logon to a Win2K domain (consists of username + @ + domain name (DNS))
    • Pre-Windows 2000 logon name for authentication to NT, Win9x (it is the username part)
  • When adding a domain account to a local group, the group's Members property must be used. The domain user's Member Of property displays only domain groups.
  • You can copy domain user accounts.
  • You can create a template account by disabling it and then copying it.

Logon Process (Authentication)

  • Two authentication types:
    • Interactive logon is when the user physically logs in to the machine
    • Network logon (remote logon) is when the user is authenticated on a remote server
  • The Winlogon process (runs as a service) takes the logon info (through the security dialog) and passes it to the LSA sub-system (Local Security Authority)
    • Logging on locally – LSA validates the logon information against the local security database of the system
    • Logging on to a domain – LSA forwards the logon information to the Netlogon process, which then locates a domain controller computer against which the logon credentials are checked.
  • Once the user is authenticated an access token is generated that is carried with the user wherever he goes. The access token contains admission tickets which contain information about the objects and resources the user can access.
    • Rights (privileges) determine what privileges the user has to interact with the Operating System
    • Permissions determine what the user can do to objects.

ACLs (Access control lists)

  • ACL (Access Control List) is a property associated with every object. It contains information about specific users and groups that have been granted access to this object, along with the particular security permissions.
  • ACL permissions are broken down into two groups:
    • 5 Basic Permissions (for files – 6 for folders) actually consist of advanced permissions grouped together
      • Full Control
      • Modify
      • Read & Execute
      • Read
      • Write
      • List Folder Contents (folders only)
    • 17 Advanced permissions are the building blocks for basic permissions – they allow detailed control over what access a user may have on objects.
      • Traverse Folder/Execute File
      • Execute File
      • List Folder/Read Data
      • Read Data
      • Read Attributes
      • Read Extended Attributes
      • Create Files/Write Data
      • Write Data
      • Write Attributes
      • Write Extended Attributes
      • Delete Subfolders and Files
      • Delete
      • Read Permissions
      • Change Permissions
      • Take Ownership
      • Create Folders/Append Data
      • Append Data
  • By default NTFS permissions are inherited from an object's parent.
  • NTFS permissions are cumulative, but DENY always overrides ALLOW.
  • By default all NTFS drives are assigned the Allow Full Control permission to the Everyone group for the root of each drive.
  • NTFS permission conflicts: if group and user permissions are in conflict the most liberal permissions take precedence, however Deny always takes precedence over Allow, and explicit permissions always override inherited permissions.
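The conflict rules above, as an added example (not code from the original notes): an NTFS-style access check that walks the ACEs in the canonical order Windows stores them in (explicit deny, explicit allow, inherited deny, inherited allow), so allows accumulate across the user's groups, a deny blocks any still-wanted right, and an explicit allow is seen before an inherited deny. Trustee names stand in for SIDs, and the sample ACL and principal set are constructed.

```python
from dataclasses import dataclass

# Basic permissions are bundles of the advanced (building-block) permissions listed above.
BASIC = {
    "Read": frozenset({"List Folder/Read Data", "Read Attributes",
                       "Read Extended Attributes", "Read Permissions"}),
    "Write": frozenset({"Create Files/Write Data", "Create Folders/Append Data",
                        "Write Attributes", "Write Extended Attributes"}),
}

@dataclass(frozen=True)
class ACE:
    trustee: str        # user or group name (a SID in a real ACL)
    kind: str           # "allow" or "deny"
    rights: frozenset   # advanced permissions this ACE covers
    inherited: bool = False

def canonical_order(acl):
    # Explicit ACEs before inherited ones; within each tier deny before allow.
    tier = {(False, "deny"): 0, (False, "allow"): 1, (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda ace: tier[(ace.inherited, ace.kind)])

def access_check(acl, principals, desired):
    """principals = the user's own name plus every group it belongs to.
    Returns (granted, reason); stops at the first deny that hits a still-wanted right."""
    remaining = set(desired)
    for ace in canonical_order(acl):
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny":
            hit = remaining & ace.rights
            if hit:
                scope = "inherited" if ace.inherited else "explicit"
                return False, f"{scope} deny for {ace.trustee} blocks {sorted(hit)}"
        else:
            remaining -= ace.rights           # allows are cumulative across ACEs
            if not remaining:
                return True, "every requested right is allowed"
    return False, f"no ACE grants {sorted(remaining)}"

# Constructed sample: alice is a member of Users and Finance.
ALICE = {"alice", "Users", "Finance"}
SAMPLE_ACL = [
    ACE("Users", "allow", BASIC["Read"], inherited=True),
    ACE("Finance", "allow", BASIC["Write"]),
    ACE("Finance", "deny", frozenset({"Delete"}), inherited=True),
    ACE("alice", "allow", frozenset({"Delete"})),        # explicit allow beats the inherited deny
    ACE("alice", "deny", frozenset({"Take Ownership"})),
]

if __name__ == "__main__":
    for wanted in (BASIC["Read"] | BASIC["Write"], {"Delete"}, {"Take Ownership"}, {"Change Permissions"}):
        print(sorted(wanted), "->", access_check(SAMPLE_ACL, ALICE, wanted))
```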

Moving & Copying Files

Golden rule: Moving a file or folder on the same volume retains - everything else inherits.

Compression

Original File or Folder                        | Action | Destination Folder | Result
-----------------------------------------------|--------|--------------------|------------------------
Compressed                                     | Move   | Uncompressed       | Compressed (retains)
Compressed                                     | Copy   | Uncompressed       | Uncompressed (inherits)
Uncompressed                                   | Move   | Compressed         | Uncompressed (retains)
Uncompressed                                   | Copy   | Compressed         | Compressed (inherits)
Uncompressed (other volume or non-NTFS drive)  | Move   | Compressed         | Compressed (inherits)

Permissions

Action | Destination           | Result
-------|-----------------------|-----------------------------
Move   | Same NTFS volume      | Retains original from source
Move   | Different NTFS volume | Inherits from destination
Copy   | Same NTFS volume      | Inherits from destination
Copy   | Different NTFS volume | Inherits from destination

  • The xcopy.exe utility's –O and –X switches allow retaining permissions when copying (–X also retains auditing settings) – in addition to inheriting from the destination.
  • scopy.exe or robocopy.exe (from the Resource Kit) allow retaining permissions without inheriting from the destination.
  • NTFS allocates space based on the uncompressed size (you cannot move a compressed file which, when uncompressed, is bigger than the available disk space).
  • Compression is not supported on volumes with cluster sizes larger than 4KB.

Ownership

  • Administrators can take ownership of any object, and can grant users the ability to take ownership.
  • Object ownership cannot be assigned to others; a user must have permission to take ownership of an object.

Auditing

  • By default auditing is turned off.
  • Local auditing is configured through the Local Security Settings MMC snap-in.
  • Five types of events can be audited:
    • File and folder access
    • Logons and logoffs
    • System shutdowns and restarts
    • Changes to user and group accounts
    • Changes to Active Directory objects (if the workstation belongs to AD)
  • To enable auditing of file/folder access, the local policy first needs to be modified to enable it; then individual files or folders need to be configured using the Advanced access settings, adding which users and actions to audit.

EFS (Encrypting File System)

  • EFS uses public/private key based cryptography.
  • You can compress or encrypt a file, but cannot do both.
  • Files remain encrypted even when renamed, moved, copied or backed up as long as they reside on NTFS volumes.
  • Cipher.exe is the command line utility to encrypt or decrypt files.
  • Only the user who encrypted the file or a DRA (Data Recovery Agent) can decrypt the file. Default DRAs are:
    • Local Administrator account (non-domain server computer)
    • Domain Administrator accounts (for domain member servers or workstations)
  • Encrypted files moved or copied to another NTFS folder remain encrypted. Moved or copied to a non-NTFS drive or floppy they become decrypted.
  • Users who did not encrypt the file get access denied when trying to move or copy it to a non-NTFS volume or to a different NTFS volume. They cannot copy it at all (even to the same volume), but can move it fine within the same volume.
  • Encrypted files can be made available offline but are not encrypted in the offline cache.

Web Server Resources

  • Windows 2000 Pro does not install IIS by default.
  • The TCP/IP protocol is required for IIS; a valid DNS server is recommended.
  • The HOSTS file maps DNS names to IPs.
  • The LMHOSTS file maps NetBIOS names to IPs.

Printers

  • Printer terminology:
    • Printer is the software interface between the OS and the print device; it directs jobs to one or more print devices.
    • Print device is the hardware that produces physical documents.
    • Printer port – a software interface through which print jobs get directed to locally or network attached print devices.
    • Print server – a host PC for printers.
    • Printer driver – software specific to each print device – translates printing commands to printer language codes specific to each print device.
    • Print job – a document to be printed, with print processing commands.
    • Print resolution – specifies the quality and smoothness of the printed document.
    • Print spooler – the service that initiates, processes and distributes print jobs.
    • Print queue – the logical waiting area for print jobs.
    • Print Pooling allows installing two identical printers as one logical printer.
  • You can use the net use command to connect to remote printers:
    • net use lptx: \\print_server\printer_share (lpt1, lpt2, or lpt3)
  • Windows 2000 print server computers automatically download the correct print drivers to client computers running Win9x, NT, 2K as long as the drivers have been installed on the print server.
  • You can configure printer properties using the printer's Properties dialog. The following tabs are available: General, Sharing, Ports, Advanced, Security, and Device Settings.
  • The following groups can manage print jobs in print queues: Printer Owners, Print Operators, Print Job Owners.
  • Users can manage other users' print jobs if they have the "Manage Documents" permission.
  • To take ownership of a printer you need the "Manage Printers" permission.
  • IPP (Internet Printing Protocol) gives the ability to print over an Internet connection. To connect to the printers folder over the Internet use the http://printserver/printers address. To connect to a specific (shared) printer use http://printserver/printer_share_name.
  • The printer spooler directory can be changed in the Advanced tab of the Print Server properties.
  • Printer ports supported: LPT, COM, USB, Firewire (IEEE 1394), UNC path.
  • Win2K Pro provides print services only to Windows & Unix clients. Server is required for Apple & Novell clients.
  • IPP (Internet Printing Protocol) requires Win2K Srv / IIS or Win2K Pro / PWS.
  • Printer priority is configured through the Advanced tab.

Active Directory

  • AD stores objects that represent enterprise resources (e.g. users, groups, computers, printers, folders, applications, connections, security and configuration settings, etc).
  • In Win2K a domain controller is not created when the OS is installed – rather the server is promoted to domain controller afterwards. It then obtains a copy of Active Directory and starts the necessary services.
  • There is no primary controller – all domain controllers can write to the directory; changes are replicated to all other controllers – AD uses a multi-master replication model.
  • The AD domain is specified by two names: NetBIOS name and DNS name. (DNS is the primary name resolution in Windows 2000.)

Policy

Policy based administration provides a single list of configurable settings in one tool.

  • Local Policy (4)
    • Security Configuration and Analysis (MMC Snap-In, or SECEDIT.EXE on the command line) allows capturing the security settings of a system as a database which can be re-applied when the configuration changes, exported to other systems, or saved as a template (e.g. the High Security template can be applied).
      • Default templates are stored in the WINNT\SECURITY\TEMPLATES directory.
        • BASICWK.INF – use to reverse changes made by other templates – except user rights
        • COMPATWS.INF – allows users to have the same relaxed privileges as Power Users to run NT4 compatible apps.
        • SECUREWS.INF – secure configuration – except files, folders, and registry keys
        • HISECWS.INF – very secure – only Win2K to Win2K communication (encryption)
    • Local policies – configured through the Local Security Policy MMC Snap-In
    • Account Policies control the password requirements and how the system responds to invalid logon attempts.
      • Maximum password age
      • Minimum password length
      • Passwords must meet complexity requirements
      • Enforce password history
      • Minimum password age
      • Account lockout threshold
      • Reset account lockout counter after
      • Account lockout duration
    • Audit Policies specify what events are logged to the Security Log, which can be viewed only by administrators.
      • Logon events
      • Account management
      • Object access
      • Privilege use
    • User Rights Assignment (privileges) allows a user or group to perform system functions. They override object permissions if the two are in conflict.
    • Security Options are miscellaneous security settings (often found in other configuration apps) that can be compiled and applied together.
      • Disable Ctrl+Alt+Delete requirement for logon
      • Clear the virtual memory pagefile when the system shuts down
      • Do not display last username in logon screen
    • An individual machine can have only one local policy.
  • Group Policy is like local policy, but can be linked or applied to a domain, OU, or site.
    • To work with group policy for a site, use the Active Directory Sites and Services MMC console.
    • To work with group policy for a domain or OU, use the Active Directory Users and Computers console.
    • An SDOU (site, domain, or OU) can have multiple policies.
    • GPOs (Group Policy Objects) are divided into Computer Settings and User Settings (computer settings are applied first)
      • Computer Settings apply to every computer in the SDOU and by default to all child OUs.
      • User Settings apply to every user in the SDOU
    • Policies are applied in the following order (LSDOU):
      • Local
      • Site
      • Domain
      • OU
    • If there is a conflict in a particular configuration setting, the last setting applied takes effect.
    • If an OU contains users or computers that require different policies, it is recommended to split the OU into one or more additional OUs.
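The LSDOU processing and last-writer-wins rules above, as an added example (not code from the original notes): a small resolver that applies GPO layers in Local, Site, Domain, OU order (parent OU before child OU), Computer Settings before User Settings, and keeps a trail of every GPO that touched each setting so an unexpected effective value can be traced back to the policy that set it. The GPO names and values are constructed; two of the setting names are Security Options from these notes, the user setting is a constructed stand-in.

```python
# Order in which policy layers are applied; a later layer overwrites an earlier one.
LSDOU_ORDER = ("local", "site", "domain", "ou")

def resolve(layers):
    """layers: list of (level, gpo_name, settings) tuples, where settings is
    {"computer": {...}, "user": {...}}. OU layers must be listed parent first,
    child last. Returns (effective, trail): effective maps (section, setting) to
    the winning value, trail maps it to every GPO that set it, in apply order."""
    rank = {level: i for i, level in enumerate(LSDOU_ORDER)}
    # Stable sort enforces LSDOU but keeps the given parent -> child order among OUs.
    ordered = sorted(layers, key=lambda layer: rank[layer[0]])
    effective, trail = {}, {}
    for section in ("computer", "user"):          # computer settings first, then user settings
        for level, gpo, settings in ordered:
            for name, value in settings.get(section, {}).items():
                effective[(section, name)] = value  # last setting applied takes effect
                trail.setdefault((section, name), []).append(f"{level}:{gpo}")
    return effective, trail

def overridden(trail):
    """Settings configured by more than one GPO; the last entry of each list won."""
    return {key: gpos for key, gpos in trail.items() if len(gpos) > 1}

# Constructed sample, deliberately listed out of LSDOU order.
SAMPLE_LAYERS = [
    ("ou", "Workstations", {"computer": {"Clear pagefile at shutdown": False},
                            "user": {"Remove Run from Start menu": True}}),
    ("domain", "Default Domain Policy", {"computer": {"Do not display last username": True,
                                                      "Clear pagefile at shutdown": True}}),
    ("local", "Local Policy", {"computer": {"Do not display last username": False,
                                            "Clear pagefile at shutdown": False}}),
    ("site", "HQ Site", {"user": {"Remove Run from Start menu": False}}),
    ("ou", "Workstations/Finance", {"user": {"Remove Run from Start menu": False}}),
]

if __name__ == "__main__":
    effective, trail = resolve(SAMPLE_LAYERS)
    for key, value in effective.items():
        print(key, "=", value, "set by", " -> ".join(trail[key]))
```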
