Mastering Windows Server 2003: Upgrade Edition for SP1 and R2
Part One: Introduction
Introduction
What’s changed in Windows, how it affects the Windows networker. An overview of the changes in SP1 and R2.
A. Book overview
B. Why Microsoft built Service Pack 1
C. What is R2, and do you need it?
D. The “R2 Calculus:” how R2 is different from Server 2003 with SP1
E. Readers cannot buy Server 2003 in its original edition any more – any new buyer gets R2
F. What we won’t cover, because it is either hardware-specific or aimed at developers
1. IPMI Hardware Manager
2. SAN Storage Manager
3. Common Logging File System
4. Subsystem for Unix-based Applications
G. The authors and the chapters
Part Two: Windows Server 2003 Service Pack 1
I. Getting and Installing SP1
The easiest ways to get and deploy SP1 and, in the unlikely event of “installer remorse,” how to get rid of it if necessary.
A. Microsoft Update and Windows Server Update Services
B. Expanding SP1
C. Slipstreaming SP1 into 2003
D. Uninstalling SP1
II. Hiding Folders From Prying Eyes: Access-Based Enumeration (ABE)
Ever wished you could create a file share and prevent people from seeing folders in that share that they don’t have access to? It’s an obvious way to deter people from poking around in places they’re not supposed to be, and anyone who’s ever used a Novell NetWare network wonders why Novell has had this feature for years and Microsoft hasn’t. Until now, that is: one of SP1’s best undocumented features is Access-Based Enumeration (ABE), Microsoft’s somewhat tardy but very welcome answer to something administrators have been requesting for a long time. Bear in mind that ABE only hides; what actually keeps a user out of a folder is still its permissions, and a user who types in a path he isn’t shown is stopped by the ACL, not by ABE.
A. The problem: people can see folders that they cannot access
B. The solution: ABE
C. Acquiring the ABE code
D. Enabling ABE from the command-line and the GUI
E. What ABE does and doesn’t hide
III. De-Worming Windows with Data Execution Prevention (DEP)
DEP is an aspect of SP1 that affects every piece of code in Windows. It is the single most important reason why SP1 is the largest service pack on record. It is also the thing that may save you from the next Windows worm, even if you haven’t had time to patch: DEP refuses to run code from memory pages that are supposed to hold only data, which is how most buffer-overflow worms get their payload to run.
A. What DEP does
B. DEP on various platforms
1. Old 32-bit processors: software only
2. Newer 32-bit processors and 64-bit processors: hardware and software
C. DEP’s four settings: on, off, “kind of on” and “kind of off”
D. Setting DEP via Control Panel
E. Setting DEP via boot.ini
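An added example, not from the book: this PowerShell script reports the DEP policy a 2003 SP1 machine booted with (from boot.ini and from the running kernel, so you can see whether you have hardware or software-only DEP) and shows the bootcfg command that changes it. It assumes Windows PowerShell 2.0 is installed, that the machine still boots from C:\boot.ini (the 32-bit and x64 editions of 2003 both do) and that the entry to change is line 1 of the [operating systems] section; none of those details come from the book.

```powershell
# Added example, not from the book. Reports which DEP policy a 2003 SP1 box
# booted with and how to change it. Assumes PowerShell 2.0, a system that
# still boots from C:\boot.ini, and that the entry to change is line 1 of
# [operating systems].

# The four policies behind /noexecute, in the book's terms:
$depPolicies = @{
    'AlwaysOn'  = 'on: DEP for every process, no exception list'
    'AlwaysOff' = 'off: DEP disabled for everything'
    'OptOut'    = 'kind of on: DEP for all programs except those you list (2003 SP1 default)'
    'OptIn'     = 'kind of off: DEP only for Windows binaries and programs that ask for it (XP SP2 default)'
}

function Get-DepPolicyFromBootLine {
    param([string]$BootLine)                          # one OS line from boot.ini
    if ($BootLine -match '/execute(\s|$)')   { return 'AlwaysOff' }   # /execute switches DEP off
    if ($BootLine -match '/noexecute=(\w+)') { return $matches[1] }
    return 'OptOut'                                   # no switch at all: SP1's default on Server 2003
}

function Get-ActiveBootLine {
    param([string]$IniPath = 'C:\boot.ini')
    $ini = Get-Content $IniPath
    $default = $null
    foreach ($l in $ini) { if ($l -match '^default=(.+?)\s*$') { $default = $matches[1] } }
    # The OS line whose ARC path equals the "default=" value is the one that boots.
    foreach ($l in $ini) { if ($default -and ($l -like "$default=*")) { return $l } }
}

# 1. What boot.ini asks for
$line   = Get-ActiveBootLine
$policy = Get-DepPolicyFromBootLine $line
"boot.ini policy : $policy  ($($depPolicies[$policy]))"

# 2. What the running kernel actually has: hardware NX present or not, and
#    the policy in force. Win32_OperatingSystem exposes these from SP1 on.
$os = Get-WmiObject Win32_OperatingSystem
"Hardware DEP    : $($os.DataExecutionPrevention_Available)"   # False = software-only DEP
"Effective policy: " + @('AlwaysOff','AlwaysOn','OptIn','OptOut')[[int]$os.DataExecutionPrevention_SupportPolicy]

# 3. To move to AlwaysOn without editing boot.ini by hand (reboot to apply):
#      bootcfg /raw "/noexecute=AlwaysOn" /a /id 1
#    /a appends to the existing load options; without it you must give the
#    whole option string, /fastdetect included. If the line already carries
#    a /noexecute= switch, replace it rather than appending a second one.
```

On a machine whose CPU lacks NX, DataExecutionPrevention_Available comes back False and the “software DEP” the book describes is all you get; the boot.ini switch still matters, because it is what controls the exception list.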
IV. Stacking the Deck Against Bad Guys… The IP Stack, That Is
TCP/IP, the language of the Internet, is a great way to build networks that are big, flexible, compatible … and easy to attack. Learn in this chapter what non-obvious (but important) changes SP1 brought to 2003’s networking software. You’ll also learn about a neat feature that can undo the damage that spyware sometimes leaves behind in your system when you remove the spyware.
A. Understanding raw sockets
B. SP1’s changes to TCP and UDP
C. How removing spyware can damage your TCP/IP stack
D. Using “netsh winsock” to repair the damage
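An added example, not from the book: spyware usually hooks the network by registering a Layered Service Provider in the Winsock catalog, and removing the spyware’s files without unregistering the LSP leaves a catalog entry pointing at a DLL that no longer exists, which is the damage “netsh winsock reset” repairs. This PowerShell script parses the catalog listing and flags such entries before you reset. It assumes Windows PowerShell 2.0 and that “netsh winsock show catalog” prints one “Provider Path:” line per entry (the label format is my assumption from the SP1 output, not from the book); the sample catalog lines are constructed, not captured from a real machine.

```powershell
# Added example, not from the book: find Winsock catalog entries whose
# provider DLL is gone, the usual leftover after a spyware LSP is deleted.
# Assumes PowerShell 2.0 on 2003 SP1 and that "netsh winsock show catalog"
# prints one "Provider Path:" line per entry.

function Get-WinsockProviderPaths {
    param([string[]]$CatalogText)   # output lines of: netsh winsock show catalog
    $paths = @()
    foreach ($line in $CatalogText) {
        if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
            # Entries are stored with %SystemRoot% etc. unexpanded.
            $paths += [Environment]::ExpandEnvironmentVariables($matches[1])
        }
    }
    return ($paths | Sort-Object -Unique)
}

function Get-BrokenWinsockProviders {
    param([string[]]$CatalogText)
    Get-WinsockProviderPaths $CatalogText | Where-Object { -not (Test-Path $_) }
}

# Constructed sample fragment (not from a real box): a healthy entry and a
# dangling one left by a removed ad-ware LSP.
$sample = @(
    'Provider Path:                      %SystemRoot%\system32\mswsock.dll',
    'Provider Path:                      C:\Program Files\AdBar\adlsp.dll'
)
"Sample: broken providers -> " + (Get-BrokenWinsockProviders $sample)

# Live run against this machine's catalog.
$catalog = netsh winsock show catalog
$broken  = Get-BrokenWinsockProviders $catalog

if ($broken) {
    "Winsock catalog references DLLs that no longer exist:"
    $broken | ForEach-Object { "  $_" }
    "Repair with:  netsh winsock reset catalog   (then reboot)"
    # The reset throws out every third-party LSP, legitimate ones included
    # (antivirus, VPN clients); expect to reinstall those afterwards.
} else {
    "All Winsock providers resolve to files on disk; no reset needed."
}
```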
V. Where SP1 may cause incompatibilities: the “de-anonymizers”
When XP’s SP2 and 2003’s SP1 first appeared, they met with a lot of fear: some people reported that the service packs caused many applications to stop working, and so many people advised against installing them. There’s no real need to worry. Once you understand how 2003 SP1 seeks to better secure your system, you’ll see how to resolve almost any incompatibility.
A. The basics: how SP1 reduces the “anonymity” of many programs
B. How that produces incompatibilities
C. Remote Procedure Call changes in SP1
D. Distributed Transaction Coordinator changes in SP1
E. Distributed Component Object Model (DCOM) changes in SP1
F. Web Distributed Authoring and Versioning (WebDAV) changes in SP1
G. A strategy for solving incompatibilities
VI. Fine-Tuned Security Monitoring: Per-User Auditing
One of SP1’s basically undocumented features is the notion of “per-user” auditing. This takes an old but not always useful NT technology, security auditing, and increases its value significantly by letting you audit a particular account rather than everyone at once.
A. How per-user auditing makes monitoring your network easier
B. Per-user auditing requirements and limitations
C. Configuring per-user auditing
D. Examples
VII. Stopping Spyware: Controlling ActiveX and Browser Helper Objects
Just when we almost had the virus threat in hand, spyware appeared. It spreads in a manner similar to viruses, but it’s much scarier. Where viruses just want to spread quickly and either annoy you or damage your data, spyware wants to stay nice and inconspicuous as it steals your data and possibly your identity. Two favorite methods for bad guys to install spyware on your system are through ActiveX controls and Browser Helper Objects (BHOs). But Service Pack 1 includes a bunch of new group policy settings to allow you to cut bad ActiveX and BHOs off at the knees.
A. Examining ActiveX controls and BHOs on a system
B. Blocking them with SP1’s group policy settings
C. Identifying ActiveX and BHOs – “class IDs” and where to get them
D. Setting up an ActiveX/BHO “blacklist”
E. Setting up an ActiveX/BHO “whitelist”
VIII. Locking Up the Ports: Windows Firewall
As with XP’s Service Pack 2, 2003’s SP1 includes a much improved and fairly useful software firewall called Windows Firewall. This chapter covers Windows Firewall in detail, as well as explaining another not-well-documented SP1 feature – “IPsec bypass.”
A. What Windows Firewall can and can’t do
B. WF controls: command line, GUI, group policy
C. Turning WF on and off
D. Making WF work differently inside and outside the office
E. Opening particular ports via program exceptions
F. Opening particular ports via port exceptions
G. Windows Firewall just for servers: IPsec bypass
1. Understanding IPsec bypass
2. Using IPsec bypass to protect a server open to the public internet
3. IPsec mumbo-jumbo: deciphering the SDDL string made easy
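An added example, not from the book: the first half drives Windows Firewall from the SP1 “netsh firewall” context (separate domain and standard profiles, a program exception and a scoped port exception), and the second half builds and decodes the SDDL string that the “Allow authenticated IPsec bypass” policy expects, using the .NET security-descriptor classes that ship with PowerShell. It assumes Windows PowerShell 2.0, a domain group named BIGFIRM\IPsecBypassHosts containing the computers allowed to bypass, the paths and subnet shown, and a constructed SID for the decoding demonstration; none of those names are from the book.

```powershell
# Added example, not from the book. Part 1: Windows Firewall via netsh.
# Part 2: build and read the SDDL string behind "Allow authenticated IPsec
# bypass". Assumes PowerShell 2.0; group, path and subnet names are made up.

# --- Part 1: firewall state and exceptions, per profile -----------------
# Domain profile = joined to the office network; Standard = everywhere else.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=DOMAIN
netsh firewall set opmode mode=ENABLE exceptions=DISABLE profile=STANDARD   # no holes off-site

# Program exception: opens whatever ports that binary listens on, only while it runs.
netsh firewall add allowedprogram program="C:\Program Files\BigFirm\agent.exe" name="BigFirm Agent" mode=ENABLE scope=SUBNET profile=DOMAIN

# Port exception: a static hole, scoped to a management subnet instead of ALL.
netsh firewall add portopening protocol=TCP port=3389 name="Remote Desktop" mode=ENABLE scope=CUSTOM addresses=10.1.50.0/255.255.255.0 profile=DOMAIN

netsh firewall show state     # verify what is actually open

# --- Part 2: the IPsec bypass SDDL ---------------------------------------
# The policy takes a security descriptor in SDDL form. Its DACL lists the
# computer groups whose IPsec-authenticated traffic skips the firewall.
function New-IPsecBypassSddl {
    param([string[]]$GroupNames)
    $aces = $GroupNames | ForEach-Object {
        $sid = (New-Object System.Security.Principal.NTAccount($_)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        "(A;;RCGW;;;$sid)"       # Allow ACE; rights READ_CONTROL + GENERIC_WRITE
    }
    "O:DAG:DAD:" + ($aces -join '')      # owner and group: Domain Admins
}

function Read-IPsecBypassSddl {
    param([string]$Sddl)
    # RawSecurityDescriptor parses any SDDL string; we only care about the DACL.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        $who = $ace.SecurityIdentifier.Value
        try { $who = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        "{0,-14} mask=0x{1:X8}  {2}" -f $ace.AceType, $ace.AccessMask, $who
    }
}

$sddl = New-IPsecBypassSddl @('BIGFIRM\IPsecBypassHosts')
$sddl                       # paste this into the group policy setting
Read-IPsecBypassSddl $sddl

# Decoding a string you inherited (SID is constructed, not a real domain):
Read-IPsecBypassSddl 'O:DAG:DAD:(A;;RCGW;;;S-1-5-21-1000-2000-3000-1105)'
# A SID that no longer resolves stays as raw S-1-5-...: it still grants
# bypass, so audit these strings when groups are deleted or renamed.
```

The bypass only applies to traffic that has already passed IPsec authentication, so the SDDL is the second gate, not the first: a host that is in the group but has no IPsec policy still hits the firewall like everyone else.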
IX. Thwarting Mobile Thieves: Blocking USB Memory Sticks
Nowadays it’s dead easy for a thief to make off with your data if he has physical access to one of your computers. He can pop a USB “thumb drive,” “jump drive,” “memory stick” or even one of the many small solid-state MP3 players into a USB port, copy the data and walk away. Unless you’ve got 2003 SP1, that is. Another of SP1’s basically undocumented options lets you make any USB storage device plugged into a 2003 system read-only. In other words, the attacker can copy data from the USB device to your server, but not the other way around.
A. How the USB read-only block works
B. What an attacker would need to bypass this defense
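An added example, not from the book: the SP1 read-only switch is a single registry value, and this PowerShell script sets it, reads it back and spells out in comments what it does and does not stop. It assumes Windows PowerShell 2.0 and an administrator session; the registry location is the documented SP1 one, the function names are mine.

```powershell
# Added example, not from the book: SP1's USB write-protect switch, set and
# verified from PowerShell. Assumes PowerShell 2.0 and an administrator session.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'

function Get-UsbWriteProtect {
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key -Name WriteProtect -ErrorAction SilentlyContinue
    return (($v -ne $null) -and ($v.WriteProtect -eq 1))
}

function Set-UsbWriteProtect {
    param([bool]$Enabled)
    if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
    $value = 0
    if ($Enabled) { $value = 1 }
    # WriteProtect=1 makes removable (USB) storage mount read-only.
    New-ItemProperty -Path $key -Name WriteProtect -PropertyType DWord -Value $value -Force | Out-Null
    # Devices that are already plugged in may keep their current mode until
    # they are removed and reinserted; the value is consulted at mount time.
}

"USB storage read-only before: $(Get-UsbWriteProtect)"
Set-UsbWriteProtect $true
"USB storage read-only after : $(Get-UsbWriteProtect)"

# What an attacker needs to get past this: write access to this key (any
# member of local Administrators), or a way around the running OS entirely
# (boot from CD, pull the disk). It defeats the casual walk-up copy, not an
# administrator and not a thief with a screwdriver.
```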
X. Terminal Server SP1 Changes
In this chapter, Christa Anderson updates her Terminal Server chapter from the original Mastering Windows Server 2003 book with the changes SP1 brought.
XI. Buttoning Up Your System with Security Configuration Wizard (SCW)
Do you find Windows wizards annoying? Many techies do. But SP1’s got a wizard that’s worth a look – the Security Configuration Wizard (SCW). More an expert system than a simple wizard, SCW examines your system and then, if permitted, closes all close-able ports, enables several group policy settings, creates IPsec policies, shuts down services and tweaks permissions on both the hard disk and the Registry. It’s worth a look!
A. SCW overview
B. Walking through the wizard
C. SCW from the command line
D. Rolling back SCW – what does and doesn’t work
E. Applying SCW templates wholesale
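An added example, not from the book: once the wizard has produced a policy XML file, the scwcmd tool applies it to other machines. This PowerShell script first runs an analysis (a read-only comparison of each server against the policy) and only then configures, which is the order a practitioner wants before touching a fleet of servers. It assumes Windows PowerShell 2.0, a policy file and a server list at the paths shown, and that each server is reachable with the current session’s credentials; all of those names are mine.

```powershell
# Added example, not from the book: apply one SCW policy to a list of
# servers, checking each for drift first. Assumes PowerShell 2.0 and the
# file/server names below (assumptions).

$policy  = 'C:\SCW\member-fileserver.xml'          # built with the wizard
$servers = Get-Content 'C:\SCW\servers.txt'        # one host name per line
$report  = 'C:\SCW\analysis'
New-Item -ItemType Directory -Path $report -Force | Out-Null

foreach ($s in $servers) {
    # 1. Analyze: compares the live box to the policy and writes an XML
    #    result into $report. Changes nothing; read it before configuring.
    scwcmd analyze /m:$s /p:$policy /o:$report
    if ($LASTEXITCODE -ne 0) { "$s : analyze failed (exit $LASTEXITCODE), skipping"; continue }

    # 2. Configure: applies the policy (service startup modes, firewall and
    #    IPsec rules, registry and audit settings). SCW records what it
    #    changed so that rollback can put it back.
    scwcmd configure /m:$s /p:$policy
    "$s : configured (exit $LASTEXITCODE)"
}

# Undo the most recently applied policy on one box:
#   scwcmd rollback /m:<server>
# Turn the same policy into a GPO so AD applies it to an OU:
#   scwcmd transform /p:$policy /g:"SCW File Servers"
```

Run the analyze step again after configuring: a server that drifts back (someone re-enables a service by hand) shows up in the next report, which is the cheap way to keep a wholesale deployment honest.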
Part Three: New to R2
XII. Upgrading to R2
If R2’s not a “real” new version, can you upgrade to it? What’s involved with installing R2 in comparison to installing a copy of the original 2003?
A. Who can upgrade to R2
B. New R2 licensing for virtual machines
C. R2’s two-CD setup
D. Automating R2 setup with setup2.exe
XIII. R2’s Slightly New GUI: MMC 3.0
With MMC 3.0, R2 gave Microsoft the excuse to change how coders build “snap-ins,” the programs that plug into the Microsoft Management Console (MMC). While that was a big story for programmers, since building MMC 3.0 snap-ins is much simpler than building snap-ins for MMC 2.1, administrators will see only a few small interface changes. This chapter covers those changes.
A. MMC 3.0: why anyone cares
B. Enabling the new features
C. The new Admin Tools pack: admin folder on second disk
XIV. Print Management Gets Easier: Printer Management Console
The R2 innovation with what is probably the most broad-spectrum appeal is the Print Management Console. Anyone who’s ever wished for a better tool to manage multiple print servers and queues, or anyone who’s ever wanted to use the power of group policies to deploy printers but couldn’t make it work will love the new PMC.
A. Print Management Console (PMC) overview
B. Installing PMC
C. Connecting print servers to PMC
D. Using printer filters
1. Understanding the built-in printer filters
2. Creating custom filters
3. Notifying administrators of problems with SMTP
E. Gathering information about shared printers with PMC
1. Viewing print queues
2. Viewing driver versions
3. Viewing ports
4. Viewing forms
F. Managing remote printer queues
G. Using PMC to create group policy objects to deploy printers
XV. Watching Your Disks: Storage Reports Management
The steady growth in affordable disk size has given even the smallest organizations so many bytes to keep track of that server administrators need tools to find out what’s on those disks and, often, which files to get rid of to free up some space! (After all, we all know that the e-mail server’s hunger for disk space is never satisfied.) R2 offers a basic disk usage reporting tool that, while it probably won’t put Veritas out of business any time soon, is a nice addition to R2’s list of goodies.
A. Storage Reports Management (SRM) setup
B. SRM report options
1. Scheduled reports
2. Automatic e-mail delivery
3. Eight different report types
C. SRM report types
D. Creating a report
E. Scheduling a report
F. Setting up e-mailed reports
1. Setting up SRM to be able to e-mail
2. Configuring reports to be e-mailed
XVI. Controlling Folder Usage: Folder Screens and Quotas
R2 seeks to beef up administrator control of disk storage with two new tools: folder quotas and file screens. Windows has had disk quotas since Windows 2000, but they apply only to entire volumes, so they are of limited use. R2, in contrast, lets an administrator set a quota on an individual folder. R2 also lets an administrator ban files with particular extensions, so that one could, for example, block any file with the extension “MP3” from a given folder and thereby keep such files out of a share. It’s all built atop a new snap-in called the File Server Resource Manager.
A. Installing the File Server Resource Manager
B. Understanding R2 folder quotas
C. Using quota templates
D. Creating new quota templates
E. Administrator notification via quotas
F. Understanding R2 folder screens
G. Introducing file screens
H. Prebuilt file screens
I. Creating new file screens
J. Using and creating “file groups” to simplify managing screens
K. Administrative notification via file screens
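An added example, not from the book: R2 ships command-line twins of the FSRM snap-in, dirquota.exe and filescrn.exe, and this PowerShell script uses them to put a hard quota on one user’s folder and an active file screen on the tree, then demonstrates the limit of a screen by writing the same bytes under two names. It assumes Windows PowerShell 2.0, FSRM installed, a tree at D:\Users and a file group name of my own; the five-byte “MP3” is constructed, not a real file.

```powershell
# Added example, not from the book: a hard quota and an active file screen
# with dirquota.exe and filescrn.exe, then a test of what a screen catches.
# Assumes PowerShell 2.0, FSRM installed, and the path/group names below.

$root = 'D:\Users'
New-Item -ItemType Directory -Path "$root\alice" -Force | Out-Null

# 1. Quota: 500 MB hard limit on this folder and everything beneath it.
#    /Type:Soft would only warn; Hard refuses the write that crosses the line.
dirquota quota add "/Path:$root\alice" /Limit:500MB /Type:Hard

# 2. File group + screen. /Type:Active blocks the save; Passive only logs
#    and notifies, which is the way to pilot a screen before enforcing it.
filescrn filegroup add "/Filegroup:BigFirm Media" "/Members:*.mp3|*.wma|*.avi|*.mpg"
filescrn screen add "/Path:$root" "/Add-Filegroup:BigFirm Media" /Type:Active

# 3. Verify what was configured.
dirquota quota list "/Path:$root\alice"
filescrn screen list "/Path:$root"

# 4. What the screen really checks: the file NAME, not its contents.
$mp3 = [byte[]](0x49, 0x44, 0x33, 0x03, 0x00)    # constructed: start of an ID3v2 tag
$blocked = $true
try {
    [IO.File]::WriteAllBytes("$root\alice\song.mp3", $mp3)
    $blocked = $false
} catch { }                                      # access denied = screen fired
[IO.File]::WriteAllBytes("$root\alice\song.txt", $mp3)   # same bytes, allowed
"song.mp3 blocked: $blocked   song.txt written: $(Test-Path "$root\alice\song.txt")"
# A file screen is a housekeeping control against casual misuse. It does
# not look inside files, so treat it as policy support, not as a security boundary.
```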
XVII. R2’s New Distributed File System: DFS Namespaces
Windows 2000 Server introduced a tool that lets you organize many file shares into one neat hierarchy, turning a scavenger hunt among dozens of file servers into a one-click operation. That tool also let you make those file shares reliable and highly available, even across a geographically dispersed organization. Its name was the Distributed File System (DFS), and it was built atop another new-to-2000 service, the File Replication Service (FRS). DFS and FRS were nice but didn’t quite do the job in some situations, so Microsoft rewrote the replication engine for R2. But DFS isn’t the only thing that depends on FRS: FRS also replicates Sysvol, an essential part of any Active Directory domain. Microsoft decided, however, not to let Sysvol use the new-and-improved replication (they’re saving that for Longhorn). R2, then, contains two completely different file replication services: the original, still called File Replication Service, and the new one, which Microsoft calls DFS Replication (DFS-R). And since the namespace half of DFS on R2 can now use DFS-R, that half got a new name too: DFS Namespaces. Confused? You won’t be after you read this chapter.
A. Why DFS or DFS namespaces: a high-level view of benefits
B. Meet the Players: DFS, FRS, DFS-R and DFS Namespaces
C. DFS Terminology over the years: 2000, 2003 RTM, 2003 SP1 and R2
D. Active Directory and DFS Namespaces
1. AD’s role in DFS
2. Finding things in an AD-based DFS world
3. Shifting servers without disrupting service
4. Sites and DFS namespaces
E. A simple DFS namespace scenario
F. Building the DFS namespace root
G. Populating it with links
H. Making the root fault-tolerant: creating a root target
I. Making the links fault-tolerant: creating a link target
J. How the replication works – multi-master at work
K. Modifying DFS namespaces
L. Other stuff????
XVIII. Communicating and Collaborating with Windows SharePoint Services
A few years ago, Bill Gates said to his programmers, “it’s too darn hard to communicate and collaborate with corporate partners via the Web!” So Redmond’s coders created SharePoint Portal Server, a moderately pricey tool to fill that bill. Microsoft liked what SharePoint Portal Server could do so much that they created a free downloadable “SharePoint Lite” called Windows SharePoint Services (WSS). They then took things a bit further and included WSS right in R2. WSS is, to hear the Microsoft folks talk, Big Stuff; it’s not unusual to hear a Microsoft SharePointer say that “departmental file servers are obsolete; WSS is the way to go.” WSS lets you create a Web site where people can carry on threaded discussions and share contact information, to-do lists, announcements, pictures, documents, meeting notices and the like. You can create surveys with WSS and customize it quite a bit, all without writing any HTML; it’s all click by click.
XIX. Unix and Windows I: Network File System
For years, Microsoft has offered a series of tools that make it easier to run both Windows and Unix (or its cousin Linux) on the same network. Those tools were all packaged together as “Services for Unix” (SFU), and it used to be a separate for-pay product. Some time ago, however, Microsoft decided to give it away (you can still find it at Microsoft’s site as Services for Unix 3.5) and incorporated it on the R2 CDs. One of the major pieces of SFU that R2 inherits is the ability to act as both a client and a server for the Network File System, or NFS. First invented at Sun Microsystems in 1984, NFS is a file sharing system much like the Server Message Block (SMB) file sharing built into every copy of Windows. Like SMB, NFS is mostly an intranet, inside-the-firewall solution; most of us wouldn’t employ either NFS or SMB across the Internet, and NFS in particular trusts the user ID that the client presents, so it is only as safe as the hosts you let connect. Including an NFS server module in every R2 server will simplify communicating with Unix clients, because virtually every copy of Unix or Linux includes an NFS client. Similarly, letting any R2 server mount NFS shares hosted on Unix boxes makes the Windows-Unix connection a bit simpler.
A. What is NFS? Like SMB but Unixy
B. How R2 makes any R2 server an NFS client (but doesn’t help an XP or 2003 box)
C. NFS from the server side, NFS terminology, is there an NFS-SMB gateway?
D. Step by steps
E. CLI control with nfsshare and nfsadmin
F. NFS clients for all: Microsoft’s free Services for Unix 3.5
G. Configuring the NFS client
1. Via the GUI
2. Via the CLI: mount
3. Mapping Windows accounts to Unix IDs
H. AD integration
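An added example, not from the book: the server-side and client-side command lines for R2’s NFS, restricting a share to a named group of Unix hosts because host identity is the only thing traditional NFS can check. It assumes Windows PowerShell 2.0, the R2 NFS server and client components installed, and the host names and paths shown (all mine). The option syntax follows the Services for Unix 3.5 tools as I know them; check “nfsshare /?” and “nfsadmin /?” on your server before relying on it.

```powershell
# Added example, not from the book: publish a folder over NFS to a named
# set of Unix hosts, then mount a Unix export from the R2 box. Assumes
# PowerShell 2.0, NFS components installed, and the names below.

# Server side: NFS trusts the client HOST (and the UID it claims), not a
# password, so the first control is which hosts may talk to the share.
nfsadmin server creategroup EngHosts
nfsadmin server addmembers EngHosts solaris01.bigfirm.com rhel02.bigfirm.com

# Share D:\Projects read/write to that group only, anonymous access off.
# Leaving out root= means a Unix root user is mapped to an anonymous
# account rather than to an administrator.
nfsshare Projects=D:\Projects -o rw=EngHosts anon=no

nfsshare            # list all NFS shares
nfsshare Projects   # show this share's options

# Client side (item G): mount a Unix export on a drive letter. Without
# -u/-p the UID mapped to the current Windows account is presented.
mount unixbox.bigfirm.com:/export/src S:
dir S:\

# Cleanup when done.
umount S:
nfsshare Projects /delete
```

Because the client decides which UID it sends, anyone with root on a member host can impersonate any mapped user; keep the host group short and the mapping table (item G.3) accurate.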
XX. Unix and Windows II: Network Information Service
Before there was Active Directory, Sun Microsystems built an application that lets a bunch of Unix (or, later, Linux) systems share a centralized list of users and passwords: Network Information Service, or NIS. NIS is, then, a very simple directory service. It’s not used as much as it once was, mostly because it’s neither very scalable nor very secure (its maps, password hashes included, are served to any client in the domain), but in some networks it makes perfect sense. R2 supports NIS environments in two ways, and the first is its NIS server support. Any R2-based domain controller can “speak NIS.” More specifically, a 2003 R2 DC can act as a “master NIS server,” which then provides authentication/logon services to Unix/Linux workstations and/or “slave NIS servers.” (R2 cannot act as a slave NIS server.)
A. Meet “Identity Management for Unix”
1. Network Information Service
2. Password synchronization
B. Compare briefly to AD
C. Goal: unify directory services, two approaches
1. Any R2 DC can mimic a NIS server, although only a master NIS server
2. It can also skip the NIS role and automate password synchronization between a NIS domain and an AD
D. Step by step: pointing a Solaris box and a Red Hat box at the R2 NIS server
E. Limitations
XXI. Unix and Windows III: Identity Management for Unix
If you’re running a mixed Windows/Unix/Linux network and want to simplify managing all of those accounts, then making your R2 DC a master NIS server may be the answer. But alternatively, if your network already has a set of NIS servers, then your users probably have two user accounts, a Windows account and a NIS account. In that case, R2 can keep the passwords of those two accounts synchronized with a tool called “Identity Management for Unix.”
A. How Unix password synchronization works
B. Configuring password synchronization
C. Identity Management for Unix GUI
D. CLI control: psadmin
XXII. Active Directory Federation Service (ADFS)
Active Directory has become the most popular directory service in the world. But that success has created new demands, the most common of which is “how do I make my AD forest talk to someone else’s AD forest, and how do I do it without having to relax my forest’s security to an unacceptable level?” Active Directory Federation Service (ADFS) is one of Microsoft’s answers, and, according to some folks at Microsoft, ADFS is the most-requested thing in all of R2!
A. ADFS overview
B. ADFS components and terminology
1. Only works on Web applications
2. Passive and active ADFS – this is passive
3. Security Token Services (STSes)
4. Security Assertion Markup Language (SAML)
C. ADFS setup
1. A sample application: one secured Web page in bigfirm.com, and ADFS lets someone in acme.com access the secured Web page without a logon dialog box.
2. Domain controller setup
3. Creating the SAML trust
D. Advice for ADFS planning
XXIII. Active Directory Application Mode (ADAM)
A part of Active Directory that we tend not to think much about is the fact that it’s built atop a database engine, and a somewhat interesting engine at that. That led Microsoft to create a version of Active Directory that lacks built-in support for user accounts, group policies and the like: Active Directory Application Mode, or ADAM. Basically, ADAM lets developers build AD-aware applications while still allowing customers to run those apps without requiring that the customers have an AD. ADAM also allows developers to write AD-aware applications that require changes to the “schema,” the structure of AD. Knowing that installing a given AD-aware app will require modifying an organization’s AD schema usually gives buyers pause, but ADAM lets developers store their schema changes separately in ADAM, offering customers the benefits of an AD-aware app without the worry of schema modification. ADAM is mostly of interest to developers, so administrators don’t usually have to worry too much about it. But if you purchase an application built atop ADAM, then it is almost certain that you’ll have to install ADAM.
A. Aspects of ADAM
1. Multi-master database replication
2. LDAP query language
3. AD-like schema
4. AD-like editing tool
B. Who would use ADAM
C. Installing ADAM