Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Introduction
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
303. Troubleshoot network protocol security. Tools might include the IP Security
Monitor MMC snap-in, Event Viewer, and Network Monitor.
501. Monitor network traffic. Tools might include Network Monitor and System
Monitor.
Network Monitor
System Monitor
Data collected
Data reports
Event tracking
The free version of Network Monitor that comes with Windows can only monitor
traffic to and from the local computer.
To capture all network packets, use the SMS version of Network Monitor.
Even when using the SMS version, you cannot capture packets sent to other
computers on other segments through a switch. (Switched traffic is only sent to
the segment where the destination computer sits.)
Use Dedicated Capture mode with Network Monitor to ensure you capture all
packets.
Client Configuration
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Purpose
IP address
Subnet mask
Default
gateway
Identifies the router to which packets for remote networks are sent.
Host name
DNS server
WINS server
MAC address
IP Addressing
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Uses
Static (manual)
assignment
DHCP).
To reduce DHCP-related traffic.
APIPA
Single-subnet network.
No DNS services.
Automatic configuration of IP address and subnet mask only.
Small, non-subnetted networks.
Implementation for which you do not need to customize the default
address range.
DHCP
Alternate
By default, all Windows computers try to use DHCP for TCP/IP configuration
information.
APIPA is used to automatically generate an IP address if the DHCP server is
unavailable and if no alternate address is configured.
The APIPA range is 169.254.0.1 to 169.254.255.255 with a mask of 255.255.0.0.
If the computer assigned itself an IP address (using APIPA), this means the
computer could not contact a DHCP server.
When you configure a static IP address, you disable DHCP and APIPA.
Use an alternate IP address to use DHCP on one network and static addressing on
another without reconfiguring the connection.
When you configure an alternate IP address, APIPA is no longer used when the
DHCP server can't be contacted.
You can rely on APIPA for your IP addressing solution, but only for a network
with a single subnet. APIPA does not set the default gateway or name server
address.
IP Addressing Facts
The following table lists the default IP addressing classes and masks:
Class Address Range
Default Mask
1.0.0.0 to 126.255.255.255
255.0.0.0
You should also know the following address ranges that are reserved for private
addresses. Use these addresses on a private network that is connected to the Internet
through a network address translation (NAT) router.
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
The first address in a range on the subnet is the subnet address. Typically, this
address is not assigned to hosts.
The last address in a range on the subnet is the broadcast address. Typically, this
address is not assigned to hosts.
Troubleshooting IP
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Use Ping, Tracert, Pathping, and Ipconfig to diagnose and correct TCP/IP
problems.
Troubleshooting TCP/IP
Use the following tips to troubleshoot TCP/IP:
Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and
other IP configuration values.
If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the
computer could not contact a DHCP server. Use Ipconfig /renew to try contacting
the DHCP server again.
Use Ping (Packet Internet Groper) to send small packets to a computer to see if
the computer responds. Microsoft recommends the following use of Ping:
1. Ping the loopback address (127.0.0.1). This verifies that the TCP/IP
protocol stack has been properly installed.
2. Ping the local IP address assigned to the machine. This verifies
communication to the NIC.
3. Ping the default gateway. This verifies connectivity to the default gateway
or to another machine on the local network. This verifies that the local
network is accessible.
4. Ping a remote host. This checks the connectivity between the default
gateway and the remote host.
Use Tracert to see the route packets take through an internetwork between two
devices.
Use Pathping to view the route of the connection and the connectivity response
time. This can help identify where communication latency occurs.
Use the Arp -d * command to remove all dynamic ARP entries from the ARP list.
(Arp -d clears the ARP cache.)
Use the Windows system logs to track DHCP service startup and shutdown as
well as critical errors.
Configuring DHCP
As you study this section, answer the following questions:
What is a scope?
How can you change the subnet on a scope?
What two security features must be enabled for a DHCP server to function
correctly?
After finishing this section, you should be able to complete the following tasks:
DHCP Authorization
Be aware of the following facts about DHCP server authorization.
When you authorize a DHCP server, its IP address is added to a list of authorized
DHCP server maintained in Active Directory.
When a DHCP server starts, its IP address is compared to the Active Directory
list. If it is found, the server is allowed to issue IP addresses. If it is not found, the
server is not allowed to issue IP addresses, and the server does not respond to
DHCP requests.
Only Windows 2000 or Windows 2003 servers check for authorization.
You can authorize a server before DHCP is installed.
Rogue DHCP servers running other operating systems (like Unix, NetWare, or
Windows NT) do not check for authorization before assigning addresses.
A Windows DHCP server checks for authorization when it boots and reauthorizes
every five minutes.
You must be a member of the Enterprise Admins group to authorize a server.
In some cases, when you install DHCP on a domain controller, it will be
authorized automatically.
When you install DHCP, the server is added automatically to the DHCP console
on the local machine. When it is installed on another machine, you must add it
manually to the local DHCP console.
Managing Scopes
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Scope Facts
You should know the following facts about DHCP scopes:
Use exclusions to prevent the DHCP server from assigning certain IP addresses.
For example, exclude any IP addresses for devices that are not DHCP clients.
Use reservations to make sure a client gets the same IP address each time from the
DHCP server. The reservation associates the MAC address with the IP address the
client should receive. For example, use a reservation for servers and printers to
keep their IP addresses consistent while still assigning the addresses dynamically.
When using reservations, do not exclude the addresses you want to assign.
To change the subnet mask used by a scope, you must delete and recreate the
scope. You cannot selectively change the subnet mask in an existing DHCP scope.
The scope must be activated before the DHCP server will assign addresses to
clients.
After finishing this section, you should be able to complete the following tasks:
Server. Options set on the server are delivered to all clients of that DHCP server.
Scope. Options set on the scope are delivered to all computers that obtain an IP
address from within the scope.
Class. A class defines a group of computers that share common characteristics.
For example, the vendor class can be used to deliver options to Microsoft
Windows clients. Class options are delivered to all computers within the class.
Reserved client. Options set on a reservation are delivered to the specific client.
Options are applied in the order listed above. If conflicting settings are delivered, the last
parameters delivered will take precedence over the previous settings.
Common options include:
003 Router, the IP address of the default router (the default gateway)
006 DNS Servers, the IP address of DNS server or servers
015 DNS Domain Name, the domain that the client belongs to; used to update
DNS server
044 WINS/NBNS Servers, the IP address of WINS server or servers
046 WINS/NBT Node Type, controls the order in which a client uses NetBIOS
name servers
After finishing this section, you should be able to complete the following tasks:
Install DHCP.
Stop the DHCP service.
In DHCP Console, restore the DHCP backup files.
Verify the DHCP configuration and start DHCP.
Troubleshooting DHCP
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Detect and correct rogue DHCP server errors via client TCP/IP properties.
Troubleshoot DHCP address assignment.
When the lease time reaches 50%, the client tries to renew its lease with the
DHCP server. It sends a DHCPREQUEST unicast message to the DHCP server
requesting a lease renewal. If the DHCP server does not respond, it continues to
use the IP address.
When the lease time reaches 87.5%, the client sends a DHCPREQUEST unicast
message to renew the lease. If the DHCP server does not respond, it continues to
use the IP address.
When the lease time expires, the client broadcasts a DHCPREQUEST message to
renew the lease.
When the client boots, it broadcasts a DHCPREQUEST message to renew the
lease.
If the server sends a negative acknowledgement (a DHCPNAK packet) during
any renewal attempt, the client must reinitialize TCP/IP and restart the DHCP
lease at the beginning.
Enable BootP forwarding on routers to ensure that lease request broadcast packets
are forwarded through the routers.
The following table summarizes the packets exchanged between DHCP clients and
servers.
Message
Description
DHCPDISCOVER
DHCPACK
DHCPNAK
DHCPDECLINE
DHCPRELEASE
DHCPINFORM
Troubleshooting DHCP
For a Windows 2003 Server DHCP server to deliver IP addresses, the following
conditions must be met:
One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The
following table lists the command switches useful in troubleshooting DHCP.
Command
Use
Ipconfig /all
Ipconfig
/renew
Ipconfig
/release
An address IP address in the 169.254.0.0 range indicates that the client could not contact
the DHCP server and has used APIPA to assign itself an address.
You should recognize the following symptoms of a rogue server:
If the client has an address from the wrong server, remove the rogue server, then do
Ipconfig /release followed by Ipconfig /renew.
DNS Concepts
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
The Root Hints file (also called the Cache.DNS file) lists the 13 root DNS servers.
A DNS server uses the Root Hints file to forward a request to a Root DNS server
as a last resort to resolve a host name to an IP address.
A Root DNS server refers DNS servers to .com or .edu or .gov level DNS servers.
Recursion is the process by which a DNS server or host uses root name servers
and subsequent servers to perform name resolution. Most client computers do not
perform recursion, rather they submit a DNS request to the DNS server and wait
for a complete response. Many DNS servers will perform recursion.
Configuring DNS
As you study this section, answer the following questions:
What is a zone?
What is the difference between a standard primary and secondary zone?
How do standard primary and secondary zones differ from Active Directoryintegrated zones?
What is the difference between a zone and a domain?
What is a reverse lookup zone?
After finishing this section, you should be able to complete the following tasks:
Zone Types
The table below lists the types of DNS zones:
Zone Type
Description
Standard primary
Standard secondary
Reverse lookup
Active Directoryintegrated
After finishing this section, you should be able to complete the following tasks:
Create, track, and manage the seven most common resource records.
Troubleshoot resource records using the Netlogon service.
Use
A (host address)
The A record maps a DNS host name to an IP address. This is the most
common resource record type.
CNAME
(canonical
name)
The CNAME record provides alternate names (or aliases) to hosts that
already have an A record.
MX (Mail
Exchanger)
NS (name
server)
The NS resource record identifies all name servers that can perform name
resolution for the zone. Typically, there is an entry for the primary server
and all secondary servers for the zone.
PTR (pointer)
SOA (Start of
Authority)
The first record in any DNS database file is the SOA. It defines the
general parameters for the DNS zone. The SOA record includes
parameters such as the authoritative server and the zone file serial
number.
SRV (service
locator)
After finishing this section, you should be able to complete the following tasks:
Secure dynamic updates are only available for Active Directory-integrated zones.
To use secure DDNS, a client must be a member of the same Active Directory
domain as the DDNS server.
Only the original client can alter or remove records when using secure DDNS.
After finishing this section, you should be able to complete the following tasks:
With dynamic DNS, client computers can update the DNS database with their host name.
Keep in mind the following facts about client dynamic updates:
By default, Windows 2000/XP/2003 clients register their DNS name with the
DNS server.
In the TCP/IP properties, Advanced settings, DNS tab, the Register this
connection's addresses in DNS setting controls whether the client dynamically
registers its name with DNS.
With dynamic DNS enabled on the client, the computer will register its full DNS
name from the configuration on the Network Identification tab of the System
applet (using the primary suffix).
You can configure the client to register two different DNS names with the DNS
server. To do this, in the TCP/IP properties, Advanced settings, DNS tab, identify
an additional DNS suffix for the client and enable the Use this connection's DNS
suffix in DNS registration option. When enabled, the client will register its name
with the connection-specific suffix as well as the primary suffix.
You can also configure the client with custom search suffixes.
By default, when you submit a DNS query without using the fully qualified
domain name (FQDN), the client computer appends the computer's domain to the
name to perform the DNS lookup. The client will also use parent suffixes to try
the request multiple times.
Edit the Advanced TCP/IP properties to customize the search suffixes. You can
specify search suffixes outside of the parent suffixes, and modify the order in
which suffixes are used for searches.
After finishing this section, you should be able to complete the following tasks:
No single point of failure. Changes are made to multiple rather than individual
servers.
Fault tolerance. Each host server maintains up-to-date zone information.
Single replication topology. Zone transfers occur through Active Directory
replication.
Secure dynamic updates. Only authorized computers can update dynamically.
Simplified management. Any authorized computer can initiate changes to the
zone file (not just the primary server).
In Windows 2000, all DNS data is replicated with all domain controllers. With 2003, you
have the following options:
Replication Option Where data is replicated
2000 Default
DomainDNSZones
ForestDNSZones
Application
Partitions
Delegating Domains
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Delegate domains.
After finishing this section, you should be able to complete the following tasks:
The Cache.dns file holds the 13 root hint addresses for the Internet root servers.
The Cache.dns file can be found in two locations:
o %SystemRoot%\system32\dns\Cache.dns (the copy in use)
o %SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the
backup location)
If you have a root zone configured on a DNS server, the server will act as a root
zone server.
A DNS server configured as a root zone server will never use the root hints file
(Cache.dns). It considers itself authoritative. Consequently, the server won't
access the Internet to forward DNS queries.
If you want the DNS server to access the Internet, delete the root zone in the DNS
Console.
You can configure root hints through the properties of a DNS server or by
configuring the DNS server's Cache.dns file. If the server is configured to load
data from Active Directory, you must configure root hints using the DNS snap-in
because the local Cache.dns is not used (the root hints data is stored in AD).
What configuration options do you have to control and manage name resolution?
How does conditional forwarding differ from standard forwarding?
How does a stub zone differ from a secondary zone?
How do conditional forwarders differ from stub zones?
After finishing this section, you should be able to complete the following tasks:
Zone Transfers
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
The zone serial number is modified when changes are made to the zone file.
Zone transfer is initiated when a secondary server checks the master server and
finds an incremented zone serial number.
Zone transfer notification occurs when the master server contacts the secondary
server when changes have been made.
By default, a DNS server replicates the entire zone database (called a full zone
transfer or AXFR).
A partial zone transfer, in which only the changed information is replicated, is
also called an incremental zone transfer or IXFR.
To initiate a manual transfer, increment the serial number first. Otherwise, no
transfer will occur (a transfer only occurs when the serial number has changed).
You can improve DNS performance by placing multiple DNS servers on your
network. For example, you can place a secondary server on the other side of a
WAN link to reduce WAN traffic caused by name resolution. However, zone
replication traffic must still cross the WAN link.
A caching only server runs DNS but has no zones configured. Use a caching only
server to improve performance while eliminating zone transfers.
Normally, zone transfers happen automatically at periodic intervals. You can force an
update of zone data through the DNS console or by using the Dnscmd command. The
following table lists some actions you can take to refresh zone data manually.
DNS
Console
Action
Dnscmd
Option
Result
Reload
Dnscmd
/ReloadZone
The server reloads zone data from its local copy (it reads the
data back in from the zone file on the hard disk).
Transfer
Dnscmd
from Master /Refresh
Reload from
N/A
Master
The DNS server dumps its copy of the data and reloads the
entire data from the master server.
To force a zone transfer, you can either update the sequence number on the master server
and then transfer the data from the master, or you can simply reload the data from the
master.
Designing DNS
As you study this section, answer the following questions:
When using internal and external DNS, what are the three possible scenarios for
the DNS namespace?
What are the advantages and disadvantages of each of the three methods?
What are the four goals of any split namespace design?
After finishing this section, you should be able to complete the following tasks:
A split-brain DNS solution allows you to run internal DNS and external DNS that
don't communicate with one another. This helps to maintain internal security.
Following are three split-brain DNS configuration options:
o Set up the same DNS name internally and externally.
o Set up different DNS names internally and externally.
o Set up the internal DNS as a subdomain of the external DNS.
The purpose of a split-brain DNS solution is to:
o Allow external clients to access only external resources.
o Allow internal clients to access all resources.
Implementation
Use
Primary zone
Secondary zone Select a secondary zone to copy read-only zone data from another server.
For example, your Windows server can be a secondary server to a nonWindows server, or a non-Windows server can be a secondary server to
an Active Directory-integrated zone. Secondary zone servers accomplish
three tasks:
1. Fault tolerance
2. Load balancing
3. Reduce name resolution traffic over WAN links
Use a reverse lookup zone to find the host name for a given IP address.
For example, use a reverse lookup zone if you need to identify the host
name of clients who connect to a server or services. Following are
Reverse lookup reasons to set up reverse lookup zones:
To use Nslookup by using the IP address.
zone
To use IP filtering in IIS.
Use when you have DNS servers that are also domain controllers. AD-I
Active
zones allow multi-master updates to the DNS database, automatically
Directoryreplicate data through Active Directory (rather than conventional DNS
integrated zone replication), secures zone updates, and allow secure dynamic client
registration.
Caching only
server
Use to reduce DNS name resolution traffic over WAN links without the
zone transfer traffic.
Zone delegation
Forwarders
Use to send DNS queries to other servers when the current server does
not hold the data.
Conditional
forwarding
Stub zone
Use when you need to automatically update lists of name servers for a
domain but do not want to replicate zone data.
Root zone
Use to make your DNS server authoritative for the entire name space. For
example, you can configure a root zone to prevent name queries from
being forwarded to the Internet root zone servers.
Root hints
Root hints point to the root zone servers. Normally root hints point to the
Internet root zone servers. If you have a custom root zone, make sure root
hints on internal servers point to your root zone servers.
After finishing this section, you should be able to complete the following tasks:
203. Monitor DNS. Tools might include System Monitor, Event Viewer,
Replication Monitor, and DNS debug logs.
502. Troubleshoot connectivity to the Internet.
Use
Nslookup
Use the Nslookup tool to perform DNS name resolution. Enter the name of
the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd
Dnscmd displays the properties of DNS servers, zones, and resource records.
You can also use Dnscmd to modify these properties, create and delete zones
and resource records, and force replication.
Ping
Network
Monitor
Ipconfig
You can use Ipconfig without switches to display the IP address, subnet
mask, and default gateway for all adapters. However, the following switches
are useful when troubleshooting DNS.
/Displaydns, to display the contents of the local DNS cache.
/Flushdns, to flush the local DNS cache.
DNSLint
The DNSLint utility helps you to isolate and diagnose DNS problems. You
must use one of the three following switches with DNSLint.
/d, to perform domain name tests
To provide fault tolerance for DNS servers, use one of the following strategies:
Use Active Directory-integrated zones. If one DNS server goes down, zone data is
still stored in Active Directory. Be sure to analyze the replication scope to make
sure you have at least two servers holding the DNS data for each zone.
Create secondary zones. If the primary server goes down, you can change one of
the secondary zones to the primary zone.
Back up the DNS database. If you have only one DNS server, be sure to back up
the DNS database. For non-Active Directory-integrated zones, you can back up
the DNS files or copy them to another location. For Active Directory-integrated
zones, you must back up the system state data (because DNS is stored in Active
Directory).
What are the three steps in the remote access connection process?
How can you implement a dial-up solution?
How do remote access clients get an IP address for the remote access connection?
After finishing this section, you should be able to complete the following tasks:
Characteristics
DHCP-
Configure the remote access server and client to obtain an address from a
delivered
DHCP server. When the client requests a remote access connection for the
first time:
1. The server requests 10 addresses from the DHCP server.
2. The server uses one address for its own remote access port.
3. The server assigns other addresses in the range to incoming clients.
4. If needed, the server requests additional IP addresses in blocks of
10.
Automatic
assignment
Static IP
address
Configure a range of addresses on the remote access server for its clients.
One address is automatically assigned the remote access port on the server.
Clients are assigned an IP address from the address pool configured on the
server.
You can configure the client with a specific IP address that it uses when it
connects to the remote access server. Doing so requires two steps:
Configure the IP address for the dial-up connection on the client.
After finishing this section, you should be able to complete the following tasks:
Protocol
Characteristics
2003/XP/2000
NT 3.5/4.0
95/98/ME
2003/XP/2000
NT 3.5/4.0
95/98/ME
2003/XP/2000
NT 4 (SP 4)
98 (SP 1)
95 (with the
latest updates
for a VPN
connection
only)
2003/XP/2000
For wireless clients, the most secure solution uses Protected EAP (PEAP) for an initial
authentication to the wireless access point. When using PEAP, select one of the following
two options:
The client must be running all networking protocols (such as IP or IPX) that are
used on destination computers.
Both the remote access client and the remote access server must use a common
WAN protocol (such as PPP).
If your client and server have multiple modems, you can configure both to use
multilink. With multilink, multiple physical connections are established to
increase the bandwidth of a single connection. When using multilink, enable
Bandwidth Allocation Protocol (BAP) to establish and drop links based on link
activity.
Callback is a form of security in which the server disconnects the user after
authentication then immediately calls the user back. The server can use a preset
phone number for each user, or the user can enter a callback phone number after
authentication. You cannot use multilink and callback together.
To configure remote clients for DNS, configure them with the IP address of the
DNS server on the private network. DNS requests will be automatically routed to
the DNS server.
After finishing this section, you should be able to complete the following tasks:
Control access through the remote access policy (only settable in the
user account)
Profile
A profile is the list of settings that are applied to the connection once access
is granted. Profile settings can reject or restrict remote access to connections
that:
Use a specific media type
Are initiated during specific days and times
Use specific authentication protocols
Remote access policies determine the level of access remote clients get to
resources.
Authorization for access to resources is determined by three steps:
1. Conditions
2. Permissions
3. Profile settings
Incoming connections are compared to the conditions found in a policy.
If the connection does not match the conditions in the first policy, the next policy
in order is checked.
You should put more specific (or restrictive) policies at the top of the list to make
sure they're not supplanted by more general policies.
When a match is found, that policy will be used for the connection (no other
policies will be checked).
If the connection does not match any conditions in any policy, the connection will
be refused.
After a matching policy is found, permissions are checked. If the permissions
deny the connection, no other policies are checked.
Permissions identified in the user account override permissions set in the policy
(unless Control access through Remote Access Policy is selected).
By default, the user account setting for remote access is set to Deny.
The Control access through Remote Access Policy setting is only available in
2000 native mode or Windows 2003 domain functional level.
If the permissions grant access, the policy profile is checked for additional
conditions.
If all profile conditions match, the connection is granted. If not, it is refused.
You can establish enough restrictions through the profile to prevent user access.
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The
remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny
access. The IAS server notifies the remote access server whether access is allowed
for the remote access client.
To configure a remote access server as a RADIUS client, configure the
authentication provider on the remote access server. Point to the IAS server and
configure a shared secret.
On the IAS server, you must identify all RADIUS clients that will use the server
as the authentication provider. You will need to supply the same shared secret as
was configured on the RADIUS client.
How does IAS differ from a normal remote access server? Why use it?
How does IAS relate to RADIUS?
What are the three As handled by the IAS server?
When using IAS, where are remote access policies stored?
After finishing this section, you should be able to complete the following tasks:
IAS Facts
If your network includes several remote access servers, you can control remote access
from a single location by installing a Remote Authentication Dial-In User Service
(RADIUS) server. Internet Authentication Service (IAS) is the service you install on a
Windows 2000 server to make it a RADIUS server.
You should know the following facts about RADIUS:
Remote access clients pass authentication credentials to the remote access server.
The remote access server is configured as a RADIUS client to the IAS server. The
remote access server forwards authentication credentials onto the IAS server.
Remote access policies configured on the IAS server are used to allow or deny
access. The IAS server notifies the remote access server whether access is allowed
for the remote access client.
What process does a remote access client use to establish a remote access
connection?
What troubleshooting steps should you take if a remote access connection fails?
How do the troubleshooting steps differ depending on when the connection fails?
After finishing this section, you should be able to complete the following tasks:
If the connection fails during the last two stages (authenticating and registering the
computer):
If a connection can be made, but the client can only access resources on the remote
access server (and not on other servers connected to the remote network):
Verify that the client is using all necessary LAN protocols used by servers on the
remote network.
Verify that the remote access server is configured for both remote access and
LAN routing.
Routing
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Use the Route Add command to add routes from the command prompt. Use the
syntax:
Route add destination_address mask subnet_mask -p
For example, to add a route to network 192.168.1.0 with mask 255.255.255.0, use
the command:
Route add 192.168.1.0 mask 255.255.255.0 -p
The -p parameter makes the route permanent. It will be added each time the router
reboots.
A default-route is used when no other routes in the routing table are found. You
can also add a default-route entry to your routing table.
For a route to a subnet (network), enter the subnet address and mask.
For a route to a host, enter the host IP address and 255.255.255.255 for the mask.
For the default route, use 0.0.0.0 for the network and 0.0.0.0 for the mask.
After finishing this section, you should be able to complete the following tasks:
Solution
Uses
Default routing
entries
Static routes
Use for small networks (10 subnets or less) that do not change often.
Use to eliminate traffic due to routing updates.
RIP
Use for small networks (50 or less subnets) when a dynamic solution
is required.
OSPF
Windows 2003 supports RIP 1 and RIP 2. RIP has the following characteristics:
6. The link stays active until the preconfigured idle disconnect time. If no data has
been sent during that time, the link is dropped.
To configure and enable demand-dial routing, complete the following tasks:
1.
2.
3.
4.
Application and
time-out errors
Authentication
errors
Only one-way
communication
If one host can connect to the remote router, but a host on the remote
network cannot connect back, verify that the username settings for both
routers match the remote port name. It is also possible for one router to
use an incorrect username, but still be granted a connection if there is a
user account with that name. However, the connection will be a remote
access connection, not a demand-dial connection.
Lost auto-static
routes
If you have configured the server for auto-static routing updates, and
the routing table contains data but later is empty, check to make sure
that each router can establish a connection with the other. If a
connection cannot be made to send the updates, the table will not
contain any auto-static routes because they have been deleted. Correct
the problem by scheduling auto-static updates or updating routes
manually.
After finishing this section, you should be able to complete the following tasks:
NAT Facts
Network Address Translation (NAT) allows you to connect a private network to the
Internet without obtaining registered addresses for every host. Private addresses are
translated to the public address of the NAT router.
The NAT router maps port numbers to private IP addresses. Responses to Internet
requests include the port number appended by the NAT router. This allows the
NAT router to forward responses back to the correct private host.
NAT supports a limit of 5,000 concurrent connections.
NAT provides some security for the private network because it translates or hides
the private addresses. In addition, outside hosts cannot normally initiate contact
with private hosts (unless explicitly configured).
A NAT router can act as a limited-function DHCP server, assigning addresses to
private hosts.
A NAT router can forward DNS requests to the Internet.
NAT does not work with IP protocols that embed an IP address in the packet data.
For this reason, you cannot create a VPN on two sides of a NAT router. However,
special modifications do allow FTP to function with NAT.
After finishing this section, you should be able to complete the following tasks:
What are the basic methods you can use to block network traffic through a router?
What are the three firewall solutions built in to Windows 2003 and how do they
differ?
What are the TCP/IP ports used by common traffic types?
After finishing this section, you should be able to complete the following tasks:
Service
20, 21
23
Telnet
25
50, 51
53
67, 68
IPSec
Domain Name Server (DNS)
Dynamic Host Configuration Protocol (DHCP)
69
80
88, 749
Kerberos
110
119
137-139
143
NetBIOS
Internet Message Access Protocol (IMAP4)
161, 162
389
443
1723
For example, to allow HTTP traffic (both normal and secure traffic), open ports 80 and
443.
Firewall and Proxy Facts
Keep in mind the following facts about firewalls and proxy servers.
After finishing this section, you should be able to complete the following tasks:
VPN Protocols
If you are designing a VPN connection, you must identify the tunneling protocol used for
the connection. Windows 2003 supports the following tunneling protocols:
The tunneling protocol you choose will also effect the authentication and encryption
options available. The following table summarizes these choices.
Tunneling Protocol Authentication Protocol
PPTP
2000/XP/2003
NT 4.0
95/98/ME
L2TP
2000/XP/2003
After finishing this section, you should be able to complete the following tasks:
302. Monitor network protocol security. Tools might include the IP Security
Monitor Microsoft Management Console (MMC) snap-in and Kerberos support
tools.
303. Troubleshoot network protocol security. Tools might include the IP Security
Monitor MMC snap-in, Event Viewer, and Network Monitor.
IPSec Facts
IPSec is supported only on Windows 2000/XP/2003. How computers use IPSec to
communicate is controlled through IPSec policies. Windows comes with the following
three IPSec policies:
Policy
Characteristics
Templates
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Preconfigured Templates
Security templates are a collection of settings that configure settings to a predefined state.
Windows provides the following predefined security templates:
Template
Function
Gives default security settings for files, registry, and system service
Secure*.inf
Hisec*.inf
Compatws.inf
Use the Setup Security.inf template to restore the system to its default state.
Apply additional templates to add security (just applying the more secure
template might not reset custom settings to their default state).
Use Group Policy to deploy and periodically enforce templates (the template will
be applied at normal group policy application times).
Don't use Group Policy to distribute the Setup Security.inf template because it is
very large and will consume a lot of bandwidth and take time as it is applied to the
computer.
You can customize a preconfigured template to meet your needs. After you
modify the template, save it with a new file name to preserve the preconfigured
settings.
Secedit.exe allows you to apply only the parts of a template that you need. (A
better solution is to customize the template and save it with a different name.)
Template Facts
Use the Security Analysis and Configuration snap-in to manage security templates,
analyze current settings, create custom templates, or import an existing template. When
working with templates:
Compare an existing system with a template to see how the system compares to
the template.
Clear current settings before importing a new template.
After applying a secure template, you might need to restore group memberships in
the Administrators or Power Users group.
You can also use the Secedit command to analyze and apply templates.
You should also know the following facts about security analysis:
The Microsoft Baseline Security Analyzer will tell you which patches have been
installed on a particular computer.
You should also need to verify that patches have not been manually applied.
Check the Windows Update log to see if a patch came from the Software Update
Server or from the Windows Update website.
Use the following key to decipher the meanings of icons when analyzing the system:
= The system does not match the template
= The system meets or exceeds the template
= The template does not define the value
Security Principles
As you study this section, answer the following questions:
After finishing this section, you should be able to complete the following tasks:
Unnecessary services
Auditing
Program vulnerabilities for programs such as Internet Explorer, Media Player, IIS,
SQL, Exchange, and Office
MBSA does not come as part of the 2003 Server installation. You can download it from
Microsoft's Web site. You should know the following facts about MBSA:
The analyzer runs in both a GUI and command-prompt mode (run Mbsacli.exe to
run from the command line).
You can use MBSA to analyze up to 10,000 remote computers at a time. Results
of the analysis can be saved to a file for later review.
MBSA can analyze Windows NT/2000/XP/2003 computers.
You must have administrator privileges to scan a local or remote computer.
To scan a local computer, make sure the Workstation and Server services are
enabled.
The computer running MBSA to analyze remote computers must be running the
Workstation service and have Microsoft Networks turned on.
The computer that you are analyzing must be running the following services:
o Remote Registry
o Server
o File and Print sharing
To analyze only missing hotfixes and updates, run Mbsacli.exe /hf (this command
replaces the Hfnetchk.exe utility).
A similar utility Qfecheck.exe, scans Windows 95/2000/XP computers for missing
hotfixes. However, this utility can only analyze the local computer.
Design securities strategies according to the rule of least privilege. This means
that you give users the fewest rights and privileges possible while still allowing
them to do their jobs. (It is easier to add permissions than it is to remove
permissions.)
Disable unnecessary services as well as file and print sharing when they're not
needed.
Implement a firewall and up-to-date anti-virus software.
Audit the system regularly.
Use security templates and Group Policy to apply security settings uniformly
across the network.
Use IPsec and SSL to secure network communications.
Use SUS to control the updates deployed across the network.
Use Hfnetchk to scan computers for hot fix levels.
Use Mbsacli to scan remote computers for security and configuration issues.
Services
As you study this section, answer the following questions:
What is a service?
What is service startup behavior and why might you modify this?
What are the three user accounts that various XP/2003 services run under?
What is a service dependency?
After finishing this section, you should be able to complete the following tasks:
Start, stop, and restart services. Modify the service startup behavior.
Configure service failure recovery options.
Identify service dependencies.
Change a services user account if necessary.
Services Facts
You should know the following facts about services:
After finishing this section, you should be able to complete the following tasks:
SUS Facts
Software Update Services (SUS) allows you to configure the distribution of operating
system patches for clients, including ones related to security. You can deploy SUS in the
following ways:
The SUS server approves the updates. Clients contact the SUS server for update
approvals then retrieve the updates from the Windows Update server. This
requires a great deal of bandwidth.
The SUS server approves and synchronizes the updates. SUS stores the updates
locally for clients to retrieve. Reduces bandwidth demands since only the SUS
server contacts the Windows Update server.
The SUS servers in various locations would be responsible approving and
synchronizing updates and then contacting the Windows Update server.
Use a "master" SUS server to approve and synchronize updates from the
Windows Update server. The child SUS servers synchronize updates from the
master. If WAN bandwidth between the master and child servers is poor, you may
decide against this structure.
In most enterprise implementations, client computers contact local SUS servers to get a
list of approved updates and download those updates. In this configuration, SUS client
computers must be configured to receive updates from the local SUS server instead of the
Windows Update Web site. The easiest way to configure client settings is to use Group
Policy to distribute the server name and other update parameters. The following table lists
the Automatic Update policies:
Policy
Description
There are three options for configuring the behavior of the Automatic
Updates client:
Notify for Download And Notify For Install
Configure
Auto Download And Notify For Install
Automatic Updates
Reschedule
Automatic Updates
Scheduled
Installations
No Auto-Restart
This policy allows Automatic Updates to disregard a required restart
For Scheduled
when a user is logged on. The user receives a notification about the
Automatic Updates
required restart but is not required to restart the machine.
and Installations
Specify Intranet
Microsoft Update
Service Location