presentation6


COMP2322
Networks in Organisations
Richard Henson
March 2016
Week 6: Windows Networks:
Availability, Integrity & Security

Objectives:
• Explain why user and system settings need to be controlled on networked machines
• Explain the role of the registry in Windows desktop and network configuration, user settings, and security
• Select appropriate software tools for backup and fault tolerance
Platforms for Operating Systems

Continuing from last week… with Windows 2000 Server…
• Intel platform survived threats from RISC architecture…
• 64-bit Alpha platform never that popular
• rights to DEC’s Alpha chip finally bought by Intel!
Platforms at Client-end and Server-end

Soon afterwards… Windows became 64-bit on an Intel platform:
• on server motherboards
» running Windows 2003 onwards
• on workstations (Vista)

Due to Microsoft’s disastrous (mis)launch of Vista…
• Apple client platform had a chance to emerge and develop a good range of apps
• ensured success of i-player & i-phone
Windows 2003 Server

Main difference at kernel level:
• 64-bit option
• 32-bit kernel unchanged…

Noteworthy extra functional enhancements:
• GDI+ interface
• Enhanced Active Directory
• Group Policy management console
BIOS Developments

Earlier motherboards had a single chip containing the BIOS on ROM and a writeable CMOS area
• the command line interface invoked was 16-bit

More recent motherboards use EFI (Extensible Firmware Interface)
• uses a 32-bit command line
• only really exploited with Windows 7, and 2008 Server…
More about booting to an Intel platform

BIOS should “point” to selected medium that contains a “boot loader” program
» contains “master boot record” (MBR)
» points to the boot partition containing the operating system

Different media prepared in different ways
» hard disk still the conventional boot medium: a number of partitions, so a potential choice of bootable media
» CDs & USBs only have one partition
Partitions, Hard Disks and Multiple Operating Systems

MBR must be on the first (C:) partition
• possible to have different operating systems on the same hard disk…
» varieties of Windows
» varieties of Unix…

BUT…
• MBR systems different on Unix and Windows
• still possible to have ONE Unix partition…
Logon

Once the operating system has been loaded…
• user logon screen presented

Rapid local boot is fine…
• but most organisational computers are on networks…
» why?
» why does network logon take so long?
Rapid Boot-up with Windows 7 (1)

Huge improvements in time to logon screen…
• 32-bit colour animation appears at an early stage
» driven by the CPU (& using EFI)
» graphics card not yet initiated…
• meanwhile, operating system's kernel and critical device drivers are loading into memory in the background…
Rapid Boot-up with Windows 7 (2)

Early stage of boot process is I/O bound:
• loading the kernel
• device driver files
• other system component files

Dimensions of the boot animation limited to a small region of the screen
• avoids I/O delay loading animation images during the early stage of boot…
Rapid Boot-up with Windows 7 (3)

Changes to the boot “architecture”
• Windows 7 animation happens as the process moves along
» contrast with Vista, where the “pearl” animation comes only after the boot sequence is complete…
• fewer transitions in graphics mode during initialisation of the graphics subsystem and Windows shell
» again, c.f. Vista, where the screen flashes black a few times…

Sound plays BEFORE user login starts…

BUT…
The user in an organisation then needs to log on…
• endless loading of policy files…
• subsequent configuration to accommodate settings into the local registry…
Backing up Active Directory

Goes without saying that the loss of Active Directory will be bad for the network
• people won’t even be able to log on!
Should be backed up… regularly!
• Best way to do this is on another computer…

Fault Tolerance

General engineering principle…
• if it can go wrong… it will!

To maintain availability for users, the whole domain controller should be backed up!
• Active Directory designed as a distributed database that backs up to a reserve domain controller
• backup domain controller software set up using same Active Directory wizard
Fault Tolerance (hardware fault)

E.g. hard disks
• can crash or become corrupt

System needed for a backup to take over “seamlessly”
• i.e. without the user noticing…

Achieved by disk mirroring/duplexing
• exact copy available to take over at a moment’s notice
Domain Trust

This allows users on one domain to log onto resources on another domain
• Trusts can be one- or two-way

[Figure: trust relationship between Domain A and Domain B]
Enterprise Structure of Active Directory

A hierarchical system of organisational data objects, i.e. domains

A Tree can be
» a single domain
» a group of domains
Domain Trees & Forests

Active Directory provides “trust” between the databases of domains that are linked in this way
• A “Tree” is the domains and links between them
• A “Forest” contains data needed to connect all objects in the tree:
» domain objects in the tree are logically linked together in the forest and their users can “trust” each other
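The one-way / two-way trusts and the tree/forest links described on the last two slides can be listed from any domain-joined machine. The script below is an added example, not part of the lecture material; it assumes the ActiveDirectory PowerShell module (from RSAT) is installed, that the caller can read the domain, and the domain name in the usage line is a placeholder.

```powershell
# Added example (not from the slides): list the trusts a domain holds and mark the
# ones an administrator should review first. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DomainTrustReview {
    param([string]$Domain)   # domain or DC to query; omit for the current domain

    $query = @{ Filter = '*' }
    if ($Domain) { $query.Server = $Domain }

    Get-ADTrust @query | ForEach-Object {
        # Direction is Inbound, Outbound or BiDirectional: the slides' one-way / two-way.
        # TrustType is Uplevel for an Active Directory partner, Downlevel for an NT-style one.
        # IntraForest marks a trust between domains of the same tree/forest.
        # ForestTransitive marks a forest trust, where every domain in the partner
        # forest is trusted as well, not just the named partner.
        [pscustomobject]@{
            Partner          = $_.Target
            Direction        = $_.Direction
            TrustType        = $_.TrustType
            IntraForest      = $_.IntraForest
            ForestTransitive = $_.ForestTransitive
            # Two-way or forest-wide trusts give the partner the broadest reach.
            ReviewFirst      = ($_.Direction -eq 'BiDirectional') -or $_.ForestTransitive
        }
    }
}

# Placeholder domain name; substitute your own.
Get-DomainTrustReview -Domain 'corp.example.com' |
    Sort-Object ReviewFirst -Descending |
    Format-Table -AutoSize
```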
Active Directory and Users

Active Directory allows set up and management of domain users
• Can also define domain groups, and allow domain users to become part of domain groups
» aids administration
• policy file can be set up
» interacts with the user machine’s registry during login
» controls user desktop
Organisations, Organisational Units, and Domains

An organisation may:
• have several locations
• have several functions in the same location

Alternative to multiple domains…
• organisational units
» group policy can be applied selectively
WINS (Windows Internet Name Service)

Used on earlier Windows TCP/IP networks to enable computer devices to communicate using IP
• manages a dynamic database of IP addresses and local network (NetBIOS) names
• clients request IP addresses for particular NetBIOS names
• WINS server provides that information
Active Directory and DNS

In Active Directory, each domain in the tree has a unique DNS identity
• therefore a unique IP address…
• can cause confusion when setting up domain structure!!

Also, each device within a domain can also make use of DNS, via its IP address…
• no need for WINS…
Microsoft TCP/IP stack

Differs from UNIX TCP/IP (e.g. no FTP, SMTP or Telnet)
• DNS is available as a network service
• Application layer components:
» Windows sockets - to interface with sockets-based applications
» NetBT - to interface with NetBIOS applications
• SNMP, TCP, UDP, IP as with Unix protocol stack
Configuring TCP/IP on Windows

Requires local administrator access!!
• Locate and double-click TCP/IP
• If DHCP (dynamic host configuration protocol) is running, IP addressing is dealt with automatically by the DHCP server

TCP/IP Configuration (2)

Otherwise, three IP addresses can be manually added:
• Local static machine IP address
• Subnet mask
• Default gateway

TCP/IP Configuration (3)

Local machine IP address
• DHCP protocol can automatically assign IP addresses from a Windows 2000 server machine running DHCP server
• Alternatively, a static IP address can be keyed in manually

Subnet mask:
• normally 255.255.255.0 for small networks
• 255.255.x.0 for larger networks
» x -> 0 as the network gets larger

Default gateway is the IP address of the LAN/Internet interface computer…
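The three values keyed in manually (address, subnet mask, default gateway) can be checked for consistency before they are applied. The function below is an added example, not lecture material; it uses no network cmdlets, and the addresses in the usage lines are constructed sample values.

```powershell
# Added example (not from the slides): validate a static TCP/IP configuration
# before keying it in. Pure PowerShell; 32-bit addresses are held in [long]
# so the bitwise operators behave as unsigned.

function ConvertTo-AddressInt ([string]$Dotted) {
    $octets = $Dotted.Split('.')
    if ($octets.Count -ne 4) { throw "Not a dotted quad: $Dotted" }
    [long]$value = 0
    foreach ($o in $octets) {
        $n = [int]$o
        if ($n -lt 0 -or $n -gt 255) { throw "Octet out of range in $Dotted" }
        $value = ($value -shl 8) -bor $n
    }
    return $value
}

function ConvertFrom-AddressInt ([long]$Value) {
    return '{0}.{1}.{2}.{3}' -f (($Value -shr 24) -band 255), (($Value -shr 16) -band 255), (($Value -shr 8) -band 255), ($Value -band 255)
}

function Test-StaticIPConfig {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][string]$SubnetMask,
        [Parameter(Mandatory)][string]$DefaultGateway
    )
    $ip   = ConvertTo-AddressInt $IPAddress
    $mask = ConvertTo-AddressInt $SubnetMask
    $gw   = ConvertTo-AddressInt $DefaultGateway

    # Host bits are the inverse of the mask. A valid mask is all 1-bits followed by
    # all 0-bits, so hostBits + 1 must be a power of two (255.255.x.0 with x = 0, 128, 192, ... 255).
    $hostBits = (-bnot $mask) -band 4294967295
    if (($hostBits -band ($hostBits + 1)) -ne 0) { throw "Non-contiguous subnet mask: $SubnetMask" }

    $network   = $ip -band $mask
    $broadcast = $network -bor $hostBits

    [pscustomobject]@{
        Network         = ConvertFrom-AddressInt $network
        Broadcast       = ConvertFrom-AddressInt $broadcast
        UsableHosts     = $hostBits - 1                      # grows as x -> 0 in 255.255.x.0
        HostIsUsable    = ($ip -ne $network) -and ($ip -ne $broadcast)
        GatewayOnSubnet = (($gw -band $mask) -eq $network) -and ($gw -ne $ip)
    }
}

# Constructed sample values: a small 255.255.255.0 office LAN, then a larger 255.255.0.0 network.
Test-StaticIPConfig -IPAddress 192.168.10.25 -SubnetMask 255.255.255.0 -DefaultGateway 192.168.10.1
Test-StaticIPConfig -IPAddress 10.20.30.40 -SubnetMask 255.255.0.0 -DefaultGateway 10.20.0.1
```

The first call reports 254 usable hosts with the gateway on the subnet; the second reports 65534, showing the effect of the slide's "x -> 0" rule.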
Windows TCP/IP utilities

Located in the system32 directory
• Not available from the GUI
• Only accessible via the NT prompt:
» Ping (packet internet groper)
» FTP
» Telnet
» Finger (retrieval of system information from a computer running TCP/IP & finger)
» ARP (displays local IP addresses according to equivalent MAC or “physical” addresses)
» ipconfig (displays local IP configuration)
» tracert (checks route to a remote IP address)
Terminal Services

Allows any PC running a version of Windows to remotely run an NT series server
• uses a copy of the server’s desktop on the client machine

Client tools must be installed first, but the link can run with very little bandwidth
• possible to remotely manage a server thousands of miles away using a phone connection…
Remote Access Service

RAS also allows access to an NT network through routes such as:
• PSTN
• X25
• ISDN

Uses Point to Point Protocol (PPP)
• remember that?

Also supports use of PPP Multilink protocol, which allows a combination of communications links and multiple links to be used
Remote Access Service

Also provides capability for VPNs (Virtual Private Networks) using secure Internet access
• using PPTP (Point-to-Point Tunnelling Protocol)

Standard username/password authentication still required for all remote logins
Can be used as a gateway for NetBIOS names or (using IPX) to remotely gain access to Novell NetWare services
RAS & Secure Remote Login

To log in remotely, user must have a valid username/password and RAS dial-in permission
RAS can use “call back” security:
• Server receives a remote request for access
• Server makes a note of the telephone number
• Server calls the remote client back, guaranteeing that the connection is made from a trusted site

Login information is encrypted by default
All remote connections can be audited
Internet Information Server (IIS)

Microsoft’s Web Server
• can also provide FTP or SMTP publishing service

Purpose:
• make HTML pages available:
» as a local WWW service
» across the network as an Intranet
» across trusted external users/domains as an Extranet
• run server-side scripts in communication with client browsers
Internet Information Server (2)

Sets up its own directory structure for developing Intranets, Extranets, etc.

Access to any IIS service can be restricted using username/password security
Internet Information Server (3)

Can allow anonymous remote login:
• Uses a “guest” account – access only to files that make up the Intranet
• Anonymous login prevents trying to hack in through guessing passwords of existing users

Provides the software connectivity for a server-side interface that can connect client-server Internet applications