COMP2322
Networks in Organisations
Richard Henson
March 2016
Week 6: Windows Networks:
Availability, Integrity & Security
Objectives:
Explain why user and system settings need to be
controlled on networked machines
Explain the role of the registry in Windows desktop
and network configuration, user settings, and
security
Select appropriate software tools for backup and
fault tolerance
Platforms for
Operating Systems
Continuing from last week…
Windows 2000 Server…
Intel platform survived threats from RISC
architecture…
64-bit Alpha platform never that popular
rights to DEC’s Alpha chip finally bought by Intel!
Platforms at Client-end and
Server-end
Soon afterwards…Windows became
64-bit on an Intel platform:
on server motherboards
» running Windows 2003 onwards
on workstations (Vista)
Due to Microsoft’s disastrous (mis)launch of Vista…
Apple client platform had a chance to emerge and
develop a good range of apps
ensured success of iPlayer & iPhone
Windows 2003 Server
Main difference at kernel level:
64-bit option
32-bit kernel unchanged…
Noteworthy extra functional
enhancements:
GDI+ interface
Enhanced active directory
Group Policy management console
BIOS Developments
Earlier motherboards had a single chip
containing the BIOS on ROM and a writeable
CMOS area
the command line interface invoked was 16-bit
More recent motherboards use EFI
(Extensible Firmware Interface)
uses a 32-bit command line
only really exploited with Windows 7, and 2008
Server…
More about booting
to an Intel platform
BIOS should “point” to selected medium
that contains a “boot loader” program
» contains “master boot record” (MBR)
» points to the boot partition
containing the operating system
Different media prepared in different
ways
» hard disk still the conventional boot medium
can have a number of partitions, so a potential choice of bootable media
» CDs & USBs only have one partition
Partitions, Hard Disks and
Multiple Operating Systems
MBR must be on the first (C:) partition
possible to have different operating systems on
the same hard disk…
» varieties of Windows
» varieties of Unix…
BUT…
MBR systems different on Unix and Windows
still possible to have ONE Unix partition…
Logon
Once the operating system has been
loaded…
user logon screen presented
Rapid local boot is fine…
but most organisational computers are on
networks…
» why?
why does network logon take so long?
Rapid Boot-up with
Windows 7 (1)
Huge improvements in time to logon
screen…
32-bit colour animation appears at an early
stage
» driven by the CPU (& using EFI)
graphics card not yet initiated…
meanwhile, operating system's kernel and
critical device drivers are loading into
memory in the background…
Rapid Boot-up with
Windows 7 (2)
Early stage of boot process is i/o bound:
loading the kernel
device driver files
other system component files
Dimensions of the boot animation
limited to a small region of the screen
avoids i/o delay loading animation images
during the early stage of boot…
Rapid Boot-up with
Windows 7 (3)
Changes to the boot “architecture”
Windows 7 animation happens as the process
moves along
» contrast with Vista, where the pearl animation comes only
after the boot sequence is complete…
fewer transitions in graphics mode during
initialisation of the graphics subsystem and
Windows shell
» again, cf. Vista, where the screen flashes black a few times…
Sound plays BEFORE user login starts…
BUT…
The user in an organisation then needs
to log on…
endless loading of policy files…
subsequent configuration to accommodate
settings into the local registry…
Backing up Active Directory
Goes without saying that the loss of
Active Directory will be bad for the
network
people won’t even be able to log on!
Should be backed up… regularly!
Best way to do this is on another
computer…
Fault Tolerance
General engineering principle…
if it can go wrong… it will!
To maintain availability for users, the
whole domain controller should be
backed up!
active directory designed as a distributed
database that backs up to a reserve
domain controller
Backup domain controller software set up
using same active directory wizard
Fault Tolerance
(hardware fault)
E.g. Hard disks
can crash or become corrupt
System needed for a backup to take
over “seamlessly”
i.e. without the user noticing…
Achieved by disk mirroring/duplexing
exact copy available to take over at a
moment’s notice
Domain Trust
This allows users on one domain to log
onto resources on another domain
Trusts can be one or two-way
(diagram: Domain A and Domain B linked by a trust)
Enterprise Structure of
Active Directory
A hierarchical system of organisational data objects, i.e. domains
A Tree can be
» a single domain
» a group of domains
Domain Trees & Forests
Active Directory provides “trust” between the
databases of domains that are linked in this
way
A “Tree” is the domains and links between
them
A “Forest” contains data needed to connect
all objects in the tree:
domain objects in the tree are logically linked together in the
forest and their users can “trust” each other
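As an added example (not from the lecture slides), the Python model below captures the trust rules of the Domain Trust and Domain Trees & Forests slides: a user from one domain can be granted access to a resource in another only where the resource's domain trusts the user's domain, either directly (a one-way or two-way trust) or because both domains sit in the same forest. The domain and forest names are constructed, and the rule that an explicit trust between forests is not transitive is an assumption of this model rather than something the slides state.

```python
# Added example (not from the lecture slides): a small model of Active
# Directory trust, answering "can a user from domain X be granted access
# to a resource in domain Y?". Domain and forest names are constructed.
#
# Modelling assumptions:
#   * domains in the same forest trust each other (the slides' "users can
#     trust each other" within a forest);
#   * trusts between forests are explicit, one-way or two-way, and are NOT
#     transitive: trusting a partner does not mean trusting the partner's
#     own trusted domains.


class TrustModel:
    def __init__(self):
        self._forest = {}   # domain -> forest name
        self._trusts = {}   # trusting domain -> set of domains it trusts

    def add_domain(self, domain, forest):
        self._forest[domain] = forest
        self._trusts.setdefault(domain, set())

    def add_trust(self, trusting, trusted, two_way=False):
        """Record that `trusting` accepts users from `trusted`.
        A one-way trust lets `trusted` users into `trusting`, not the reverse."""
        if trusting not in self._forest or trusted not in self._forest:
            raise KeyError("both domains must be added before a trust is created")
        self._trusts[trusting].add(trusted)
        if two_way:
            self._trusts[trusted].add(trusting)

    def can_access(self, user_domain, resource_domain):
        """True if resource_domain trusts user_domain, directly or via the forest."""
        if user_domain == resource_domain:
            return True
        same_forest = (user_domain in self._forest and
                       self._forest[user_domain] == self._forest.get(resource_domain))
        if same_forest:
            return True
        return user_domain in self._trusts.get(resource_domain, set())

    def inbound_trusts(self, resource_domain):
        """Audit view: every domain whose users could be granted rights on
        resource_domain's resources."""
        return sorted(d for d in self._forest if self.can_access(d, resource_domain))


def build_sample():
    """Constructed topology: one two-domain forest plus a partner forest."""
    m = TrustModel()
    m.add_domain("corp.example", "corp-forest")
    m.add_domain("sales.corp.example", "corp-forest")
    m.add_domain("partner.example", "partner-forest")
    # One-way: corp.example trusts partner.example, so partner users can be
    # granted access to corp.example resources, but not the other way round.
    m.add_trust("corp.example", "partner.example", two_way=False)
    return m


if __name__ == "__main__":
    m = build_sample()
    for user_dom, res_dom in [("partner.example", "corp.example"),
                              ("corp.example", "partner.example"),
                              ("partner.example", "sales.corp.example")]:
        verdict = "allowed" if m.can_access(user_dom, res_dom) else "denied"
        print(f"user from {user_dom} -> resource in {res_dom}: {verdict}")
    print("domains with access into corp.example:", m.inbound_trusts("corp.example"))
```

inbound_trusts() is the view an administrator wants when reviewing a trust: for a given domain, which other domains' users could ever be granted rights on its resources. A one-way trust shows up on one side only, and the partner domain gains nothing in sales.corp.example because the explicit trust is not transitive.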
Active Directory and Users
Active directory allows set up and
management of domain users
Can also define domain groups, and
allow domain users to become part of
domain groups
aids administration
policy file can be set up
» interacts with user machines registry during login
» controls user desktop
Organisations, Organisational
Units, and Domains
An organisation may:
have several locations
have several functions
in same location
Alternative to
multiple domains…
organisational units
group policy can be
applied selectively
WINS (Windows Internet
Names Service)
Used on earlier Windows TCP/IP networks to
enable computer devices to communicate
using IP
manages a dynamic database of IP addresses and
local network (NetBIOS) names
clients request IP addresses for particular NetBIOS
names
WINS server provides that information
Active Directory and DNS
In Active directory, each domain in the
tree has a unique DNS identity
therefore a unique IP address…
can cause confusion when setting up
domain structure!!
Each device within a domain can also make
use of DNS, via its IP address…
no need for WINS…
Microsoft TCP/IP stack
Differs from UNIX TCP/IP (e.g. no FTP,
SMTP or Telnet)
DNS is available as a network service
Application layer components:
Windows sockets - to interface with sockets-based
applications
NetBT - to interface with NetBIOS applications
SNMP, TCP, UDP, IP as with Unix protocol
stack
Configuring
TCP/IP on Windows
Requires local administrator access!!
Locate and double-click TCP/IP
If DHCP (dynamic host configuration
protocol) is running, IP addressing is
dealt with automatically by the DHCP
server
TCP/IP Configuration (2)
Otherwise, three IP addresses can
be manually added:
Local static machine IP address
Subnet mask
Default gateway
TCP/IP Configuration (3)
Local machine IP address
DHCP protocol can automatically assign IP
addresses from a Windows 2000 server machine
running DHCP server
Alternatively, a static IP address can be keyed in
manually
Subnet mask:
normally 255.255.255.0 for small networks
255.255.x.0 for larger networks
» x -> 0 as the network gets larger
Default gateway is the IP address of the LAN/Internet interface computer…
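The three values keyed in by hand (address, subnet mask, default gateway) are easy to get wrong, so as an added example (not from the lecture slides) here is a Python check that they are consistent with each other, plus a helper showing how the mask sets the number of hosts a network can hold. The sample addresses are constructed; the checks use only the standard ipaddress module.

```python
# Added example (not from the lecture slides): sanity-checking a static
# TCP/IP configuration before it is applied, and showing how the subnet
# mask fixes the host capacity of a network. Sample values are constructed.
import ipaddress


def check_static_config(address, mask, gateway):
    """Return (ok, reasons) for a hand-entered address / subnet mask / default
    gateway. reasons is an empty list when the configuration is consistent."""
    reasons = []
    try:
        iface = ipaddress.IPv4Interface(f"{address}/{mask}")
    except ValueError as exc:           # also catches a non-contiguous or malformed mask
        return False, [f"invalid address or mask: {exc}"]
    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return False, [f"invalid gateway: {exc}"]

    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        reasons.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        # A gateway outside the local subnet can never be reached directly.
        reasons.append(f"gateway {gw} is not on subnet {net}")
    elif gw == iface.ip:
        reasons.append("gateway is the machine's own address")
    return (not reasons), reasons


def host_capacity(mask):
    """Usable host addresses for a subnet mask. As the mask's trailing octets
    go to 0 (255.255.255.0 -> 255.255.0.0 -> 255.0.0.0) the network grows."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{mask}")
    return max(net.num_addresses - 2, 0)   # minus network and broadcast addresses


if __name__ == "__main__":
    for cfg in [("192.168.1.10", "255.255.255.0", "192.168.1.1"),
                ("10.0.0.5", "255.255.255.0", "10.0.1.1"),
                ("192.168.1.255", "255.255.255.0", "192.168.1.1")]:
        print(cfg, check_static_config(*cfg))
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0"):
        print(mask, "->", host_capacity(mask), "usable hosts")
```

The gateway-on-subnet check is the one that catches the most common mistake: a correct mask and address with a gateway copied from a different segment, which leaves the machine able to talk locally but unable to reach anything beyond the LAN.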
Windows TCP/IP utilities
Located in the system32 directory
Not available from the GUI
Only accessible via the NT prompt:
Ping (packet internet groper)
FTP
Telnet
Finger (retrieval of system information from a
computer running TCP/IP & finger)
ARP (displays local IP addresses according to
equivalent MAC or “physical” addresses)
ipconfig (displays local IP configuration)
tracert (checks route to a remote IP address)
Terminal Services
Allows any PC running a version of
Windows to remotely run an NT series
server
uses a copy of the server’s desktop on the
client machine
Client tools must be installed first, but the
link can run with very little bandwidth
possible to remotely manage a server
thousands of miles away using a phone
connection…
Remote Access Service
RAS also allows access to an NT network
through routes such as:
PSTN
X25
ISDN
Uses Point to Point protocol (PPP)
remember that?
Also supports use of PPP Multilink protocol,
which allows a combination of communications
links and multiple links to be used
Remote Access Service
Also provides capability for VPNs (Virtual
Private Networks) using secure Internet
access
using PPTP (Point-to-Point Tunnelling Protocol)
Standard username/password authentication
still required for all remote logins
Can be used as a Gateway for NetBIOS
names or (using IPX) to remotely gain access
to Novell NetWare services
RAS & Secure Remote Login
To login remotely, user must have a valid
username/password and RAS dial-in
permission
RAS can use “call back” security:
Server receives a remote request for access
Server makes a note of the telephone number
Server calls the remote client back, guaranteeing
that the connection is made from a trusted site
Login information is encrypted by default
All remote connections can be audited
Internet Information Server (IIS)
Microsoft’s Web Server
can also provide ftp or smtp publishing service
Purpose:
make html pages available:
» as a local www service
» across the network as an Intranet
» across trusted external users/domains as an Extranet
run server-scripts in communication with client
browsers
Internet Information Server (2)
Sets up its own directory structure for
developing Intranets, Extranets, etc.
Access to any IIS service can be
restricted using username/password
security
Internet Information Server (3)
Can allow anonymous remote login:
Uses a “guest” account – access only to files that
make up the Intranet
Anonymous login prevents trying to hack in
through guessing passwords of existing users
Provides the software connectivity for a
server-side interface that can connect client-server Internet applications