QUIZ CHAPTERS 11-14
2000 SERVER
Chapter 11
Computer security includes everything from the physical computing environment to the software environment. In a software environment, security should provide four functions: authentication, integrity, confidentiality, and anti-replay.
Authentication is the process of reliably determining the genuine identity of the communicating computer (host) or user. Because authentication is based on cryptography, it ensures that an attacker eavesdropping on the network cannot gain the information needed to impersonate a valid user or entity.
Integrity is the correctness of data as it was originally sent. Integrity services protect data from unauthorized modification in transit. Without data integrity, any data and the host it is sent from is suspect.
Confidentiality ensures that data is disclosed only to intended recipients.
Anti-replay, also called replay prevention, ensures that datagrams are not retransmitted. Each datagram sent is unique. This uniqueness prevents attacks in which a message is intercepted and stored, then re-used later to attempt illegal access to information.
A key is a value used to encrypt or decrypt information. A public and private key pair is typically used for two purposes: data encryption and digital message signing.
1. Data Encryption
Data encryption provides confidentiality by ensuring that only the intended recipient is able to decrypt and view the original data. When secure data must be transmitted, the sender obtains the recipient’s public key. The sender then uses the recipient’s public key to encrypt the data and sends it. When the recipient receives the data, the recipient uses his or her own private key to decrypt it. Encryption is only secure if the sender uses the recipient’s public key for encryption. If a sender uses his or her private key to encrypt data, anyone can capture the data and decrypt it by obtaining the sender’s public key.
2. Digital Message Signing
When a sender signs a message, a message digest is created. A message digest is a representation of the message and is similar to a cyclic redundancy check (CRC). The sender encrypts the digest with his or her private key and sends it along with the message.
The recipient then creates a message digest from the received message and compares it to the decrypted message digest. If the message digests match, integrity is guaranteed.
Authentication is provided through the key pair. Since the message digest was encrypted by using the sender’s private key (and only the sender’s public key will decrypt the message digest), the recipient can be certain that the message came from the owner of the key pair.
The recipient, however, must have a mechanism for ensuring that the key pair belongs to the intended sender and not someone impersonating the sender.
This is done through a certificate issued by a trusted third party, which confirms the identity of the owner of the public key. The trusted third party is known as a Certificate Authority (CA).
Server Engine
The core component of Certificate Services. The engine acts as a broker for all requests it receives from the entry modules, driving the flow of information between components during the processing of a request and generation of a certificate.
A self-assigned CA certificate is also called a root certificate because it is the certificate for the root CA. The root CA must sign its own CA certificate because by definition there is no higher certifying authority to sign its CA certificate.
Certificate Authority Type **Excellent Quiz question**
The CA type allows selection of how the CA will be utilized in a CA hierarchy and whether or not the CA will rely upon Active Directory services.
· Stand-alone
· Stand-alone Subordinate CA. This CA becomes a subordinate CA to a
Stand-alone
Certutil.exe is a command-line utility used for administering certificate services. Running certutil without any command-line switches displays summary information about the local certificate authority.
Both the SSL and TLS protocols provide secure data communication through data encryption and decryption, client authentication, and optional server authentication. Both are typically used to send and receive private communication across the Internet by using public key cryptography and its authentication method.
The benefits of SSL and TLS include the following:
· Authentication that assures the client that data is sent to the correct server and that the server is secure.
· Encryption that assures that nothing other than the secure target server can read the data.
· Data integrity that assures that the transferred data has not been altered.
Smart Cards
Smart Cards, which are the size of a credit card, can be used to store a user’s public key, private key, and certificate. Smart cards are a secure way to protect and control a user’s keys, instead of storing them on a computer.
Security-critical computations are performed by the smart card, instead of exposing a user’s private key to the computer.
To use a smart card, a computer must have a smart card reader. A smart card is an ISO 7816-compatible device that contains an embedded microprocessor, an RSA or equivalent cryptography coprocessor, and local storage. The local storage includes the following:
· 6 to 24 KB ROM for the smart card operating system and applications.
· 128-512 bytes of RAM for run-time data
· 1-16KB EEPROM for user data
Authenticode
Authenticode technology allows software publishers to digitally sign any form of active content, including multiple-file archives. These signatures may be used to verify both the publishers of the content and the content integrity at download time.
Fault Tolerance
Encryption and decryption are sensitive operations because failure could result in data loss. Therefore, EFS makes all operations atomic. If an operation cannot be completed, it is completely undone. For example, if a computer loses power during an encryption operation, EFS undoes the operation on restart so that the file is in a consistent state.
Once a file is encrypted, the processes of encryption and decryption are automatic and transparent to users and applications whenever the file is used. You can perform encryption on one file at a time or one folder at a time.
You can encrypt a file or folder in Windows Explorer and from the command prompt.
NOTE: It is not possible to use NTFS compression and encryption on the same file. Compression and encryption are mutually exclusive.
EFS Encryption
EFS encrypts, decrypts, and recovers files. When a user encrypts a file in EFS, the following process occurs:
1. The EFS service opens the file for exclusive access.
2. All data streams in the file are copied to a temporary file.
3. A file key is randomly generated and used to encrypt the file according to the DES encryption scheme.
4. A Data Decryption Field (DDF) is created that contains the file key, which is encrypted with the user’s public key.
5. A Data Recovery Field (DRF) is created that contains the file key, this time encrypted with the recovery agent’s public key. The recovery agent’s public key is obtained from the Encrypted Data Recovery Policy (EDRP).
6. The EFS service writes the encrypted data, along with the DDF and DRF, back to the file.
EFS Decryption *** Users Private Key ***
The decryption process uses the DDF, created during encryption, to decrypt a file. When a file is decrypted in EFS, the following process occurs:
1. When an application accesses an encrypted file, NTFS recognizes the file as encrypted and sends a request to the EFS driver.
2. The EFS driver retrieves the DDF and passes it to the EFS service.
3. The EFS service decrypts the DDF with the user’s private key to obtain the file key.
4. The EFS service passes the file key back to the EFS driver.
5. The EFS driver uses the file key to decrypt the file.
6. The EFS driver returns the decrypted data to NTFS, which then completes the file request, and sends the data to the requesting application.
EFS Recovery ** Agents Private Key **
Similar to the decryption process. When a file is recovered in EFS, the following process occurs:
1. NTFS sends a request to the EFS driver.
2. The EFS driver retrieves the DRF and passes it to the EFS service.
3. The EFS service recovers the DRF by using the recovery agent’s private key to obtain the file key.
4. The EFS service passes the file key back to the EFS driver.
5. The EFS driver uses the file key to recover the file.
6. The EFS driver returns the recovered data to NTFS, which then completes the file request, and sends the data to the requesting application.
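The public-key section above (data encryption and digital message signing) and the EFS encryption, decryption, and recovery steps describe one mechanism from two angles: a randomly generated symmetric file key that is wrapped under the user's public key (the DDF) and again under the recovery agent's public key (the DRF), and a message digest that is encrypted with the sender's private key so anyone holding the public key can verify it. The following Python program is a worked model of those steps added here; it is not code from Microsoft, EFS, or the course. It uses textbook RSA over toy-sized Mersenne-prime moduli in place of the real CSP key pairs, a SHA-256 keystream in place of DES, and a truncated SHA-256 digest; all names (efs_encrypt, efs_decrypt, efs_recover, sign, verify, the key constants) are assumptions of this example.

```python
import hashlib
import secrets

# Toy RSA built from known Mersenne primes. Toy size only: a real key pair uses a
# 2048-bit modulus; these are just large enough to wrap a 64-bit file key.
USER_PRIMES = ((1 << 61) - 1, (1 << 31) - 1)   # modulus ~2^92
AGENT_PRIMES = ((1 << 89) - 1, (1 << 19) - 1)  # modulus ~2^108
E = 65537


def keypair_from_primes(p, q):
    """Return ((e, n), (d, n)): the public key and the private key."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


def rsa_apply(value, key):
    """Raise value to the key's exponent modulo n. The same operation
    encrypts with one half of the pair and decrypts with the other."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be smaller than the modulus")
    return pow(value, exponent, n)


def digest64(data):
    """Toy message digest: the first 8 bytes of SHA-256 as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(data, private_key):
    """Digital signing: encrypt the digest with the sender's private key."""
    return rsa_apply(digest64(data), private_key)


def verify(data, signature, public_key):
    """Decrypt the digest with the sender's public key and compare it with a
    freshly computed digest of the received message."""
    return rsa_apply(signature, public_key) == digest64(data)


def stream_xor(file_key, data):
    """Stand-in for the DES file encryption: XOR with a SHA-256 keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        keystream = hashlib.sha256(file_key + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def efs_encrypt(plaintext, user_public, agent_public):
    """Steps 3 to 6 of EFS encryption: random file key, DDF for the user,
    DRF for the recovery agent, encrypted data written back together."""
    file_key = secrets.token_bytes(8)
    key_int = int.from_bytes(file_key, "big")
    return {
        "data": stream_xor(file_key, plaintext),
        "ddf": rsa_apply(key_int, user_public),   # file key under user's public key
        "drf": rsa_apply(key_int, agent_public),  # file key under agent's public key
    }


def _unwrap(wrapped_key, private_key):
    return rsa_apply(wrapped_key, private_key).to_bytes(8, "big")


def efs_decrypt(blob, user_private):
    """Normal access: unwrap the file key from the DDF with the user's private key."""
    return stream_xor(_unwrap(blob["ddf"], user_private), blob["data"])


def efs_recover(blob, agent_private):
    """Recovery: unwrap the same file key from the DRF with the agent's private key."""
    return stream_xor(_unwrap(blob["drf"], agent_private), blob["data"])


USER_PUBLIC, USER_PRIVATE = keypair_from_primes(*USER_PRIMES)
AGENT_PUBLIC, AGENT_PRIVATE = keypair_from_primes(*AGENT_PRIMES)

if __name__ == "__main__":
    doc = b"constructed sample: quarterly payroll figures"
    blob = efs_encrypt(doc, USER_PUBLIC, AGENT_PUBLIC)
    print("user decrypts:  ", efs_decrypt(blob, USER_PRIVATE) == doc)
    print("agent recovers: ", efs_recover(blob, AGENT_PRIVATE) == doc)
    sig = sign(doc, USER_PRIVATE)
    print("signature valid:", verify(doc, sig, USER_PUBLIC))
    print("tampered valid: ", verify(doc + b"!", sig, USER_PUBLIC))
```

Two points the text makes are visible in the code: the recovery agent never learns the user's private key, only the file key wrapped in the DRF, and applying the private key and then the public key returns the original value, which is why private-key "encryption" gives no confidentiality but does give a verifiable signature.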
IP Security *** CIA ***
IPSec in Windows 2000 is designed to protect sensitive data on a TCP/IP network. IPSec is useful when the network between two communicating computers is not secure. It provides confidentiality, integrity, and authentication of IP traffic for each packet traversing the network.
IPSec Components
The Windows 2000 installation process installs the services, protocols, and drivers necessary for IPSec:
· IPSec Policy Agent service
· Internet Security Association and Key Management Protocol (ISAKMP)
· Oakley Key Management protocol
· IPSec driver
IPSec Policy Agent Service
The IPSec Policy Agent service passes the policy information to the IPSec network driver and the ISAKMP/Oakley protocols. The IPSec Policy Agent service does not store policies locally; instead it must retrieve them from the Active Directory store.
When the Kerberos authentication protocol is used, a trusted Kerberos service on a server verifies the user’s identity. Before connecting to the server, the user requests a ticket from the Kerberos service, called the
The Kerberos service operates as a trusted third-party to generate session keys and grant tickets for specific client/server sessions.
The
Device Manager Snap-in
Device Manager is an MMC snap-in that provides you with a graphical view of the hardware that is installed on your computer. In addition to being able to open the Device Manager snap-in from the Hardware tab of the System Properties, you can open the tool from the Computer Management MMC or create a custom MMC containing the Device Manager snap-in.
The Device Manager snap-in allows you to perform the following tasks:
· Determine whether the hardware on your computer is working properly.
· Change hardware configuration settings.
· Identify the device drivers loaded for each device, and obtain information about each device driver.
· Change advanced settings and properties for devices.
· Install updated device drivers.
· Disable, enable, and uninstall devices.
· Identify device conflicts and manually configure resource settings.
· Print a System Resource Report of the devices installed on your computer.
Driver Signing
The Driver Signing function allows Windows 2000 to notify users whether or not a driver they are installing has passed the Microsoft certification process. Microsoft digitally signs drivers as part of WHQL testing if the driver runs on Windows 2000 operating systems. This certification process proves to users that the drivers they employ are identical to those Microsoft has tested and notifies them if a driver file has been changed after the driver was put on the HCL.
Driver Signing allows for three responses:
· Ignore. Allows all files to be installed, whether they’ve been signed or not.
· Warn. Notifies the user if a driver that’s being installed hasn’t been signed, and gives the user a chance to say “no” to the installation. Warn also gives the user the option to install unsigned versions of a protected driver file.
· Block. Prevents all unsigned drivers from being installed.
Introduction to Windows Backup
Windows 2000 provides Windows Backup, a tool that allows you to easily back up and restore data. Start/Programs/Accessories/System Tools/Backup, or Run and type ntbackup.
You can use Backup to back up data manually or to schedule unattended backup jobs on a regular basis.
Backup Types
Windows Backup provides five backup types that define what data is backed up: normal, copy, differential, incremental, and daily.
When a file changes, an attribute is set on the file that indicates the file has changed since the last backup. Backing up the file clears or resets the attribute.
NOTE: msbackup will only back up at 20 GB/hour, and it will not back up live files.
Files to back up: .ini files, system files, .pab files, .pst (e-mail) files, registry.
Not to back up: programs, operating system, page file, and temporary Internet files.
Copy
During a copy backup, all selected files and folders are backed up. It neither looks for nor clears markers.
Differential (Slow Backup and Fast Recovery)
Only selected files and folders that have a marker are backed up. Because a differential backup does not clear markers, if you did two differential backups in a row on a file, the file would be backed up each time.
Incremental (Fast Backup and Slow Recovery)
Only selected files and folders that have a marker are backed up. An incremental backup clears markers.
Daily
During a daily backup, all selected files and folders that have changed during the day are backed up. A daily backup neither looks for nor clears markers. DAILY BACKUP LOOKS AT THE DATE.
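The marker rules for the five backup types are easiest to check by running them over a constructed week of file changes. The following Python simulation is added here as an example and is not part of the course notes or of Windows Backup; it encodes the copy, differential, incremental, and daily rules exactly as described above, plus the normal type (everything backed up, markers cleared), which the notes list by name only. The file names, dates, and the functions run_backup, weekly_schedule, and restore_jobs are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date


@dataclass
class File:
    name: str
    modified: date        # date of the last change (what a daily backup looks at)
    archive: bool = True  # the "marker": set when the file changed since the last backup


def run_backup(files, backup_type, today):
    """Return the names backed up by one job and update the markers.

    normal:       all selected files, clears markers (standard definition, not spelled out above)
    copy:         all selected files, markers untouched
    differential: files with a marker, markers untouched
    incremental:  files with a marker, clears markers
    daily:        files changed today (by date), markers untouched
    """
    if backup_type in ("normal", "copy"):
        selected = list(files)
    elif backup_type in ("differential", "incremental"):
        selected = [f for f in files if f.archive]
    elif backup_type == "daily":
        selected = [f for f in files if f.modified == today]
    else:
        raise ValueError(f"unknown backup type: {backup_type}")
    if backup_type in ("normal", "incremental"):
        for f in selected:
            f.archive = False
    return [f.name for f in selected]


def modify(files, name, on):
    """Simulate a user changing a file: NTFS sets the date and the marker."""
    for f in files:
        if f.name == name:
            f.modified = on
            f.archive = True


def weekly_schedule(kind):
    """Normal backup on Monday, then `kind` on Tue-Thu, over a constructed change history."""
    mon, tue, wed, thu = (date(2000, 5, d) for d in (1, 2, 3, 4))
    files = [File("payroll.xls", mon), File("boot.ini", mon), File("notes.txt", mon)]
    history = {"Mon": run_backup(files, "normal", mon)}
    modify(files, "payroll.xls", tue)
    history["Tue"] = run_backup(files, kind, tue)
    modify(files, "notes.txt", wed)
    history["Wed"] = run_backup(files, kind, wed)
    history["Thu"] = run_backup(files, kind, thu)      # nothing changed on Thursday
    return history


def restore_jobs(kind, history):
    """Which jobs must be restored, in order, to recover Thursday's state."""
    days = list(history)
    if kind in ("normal", "copy"):
        return [days[-1]]                # a full job stands alone
    if kind == "differential":
        return [days[0], days[-1]]       # full plus the most recent differential
    return days                          # incremental/daily: full plus every job since


if __name__ == "__main__":
    for kind in ("copy", "differential", "incremental", "daily"):
        history = weekly_schedule(kind)
        print(f"{kind:12s} {history}  restore: {restore_jobs(kind, history)}")
```

The output shows the trade-off named in the headings: a differential job grows through the week because markers are never cleared, but recovery needs only two jobs; an incremental job stays small, but recovery must replay every job since the last normal backup.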
Lesson 3: Implementing Disaster Protection
A computer disaster is any event that renders a computer unable to start. The term disaster protection refers to any effort to prevent computer disasters and minimize downtime in the event of system failure. You can achieve a level of disaster protection by configuring an uninterruptible power supply (UPS) and implementing fault-tolerant disk configurations.
Mirrored Volumes (RAID 1)
A mirrored volume uses the Windows 2000 Server fault tolerance driver (ftdisk.sys) to write the same data to a volume on each of two physical disks simultaneously.
A mirrored volume can contain any partition, including the boot or system partition; however, both disks in a mirrored volume must be Windows 2000 dynamic disks.
Mirrored volumes can be striped across multiple disks. This configuration is often referred to as RAID 10 (RAID 1 mirroring plus RAID 0 striping). Unlike RAID 0, RAID 10 is a fault-tolerant RAID configuration because each disk in the stripe is also mirrored. RAID 10 improves disk I/O by performing read and write operations across the stripe.
Performance on Mirrored Volumes
Mirrored volumes can enhance read performance because the fault tolerance driver reads from both members of the volume at once. There can be a slight decrease in write performance because the fault tolerance driver must write to both members.
Because disk space usage is only 50 percent (two members for one set of data), mirrored volumes can be expensive.
CAUTION: Deleting a mirrored volume will delete all the information stored on that volume.
Disk Duplexing (RAID 1)
If the same disk controller controls both physical disks in a mirrored volume and the disk controller fails, neither member of the mirrored volume is accessible. You can install a second controller in the computer so that each disk in the mirrored volume has its own controller. This arrangement, called disk duplexing, can protect the mirrored volume against both controller failure and hard disk failure. Some hardware implementations of disk duplexing use two or more channels on a single disk controller card.
RAID 5 (Volumes)
Windows 2000 Server also supports fault tolerance through striped volumes with parity (RAID 5). Parity is a mathematical method of determining the number of odd and even bits in a number or series of numbers, which can be used to reconstruct data if one number in a sequence of numbers is lost.
In a RAID-5 volume, Windows 2000 achieves fault tolerance by adding a parity-information stripe to each disk partition in the volume. If a single disk fails, Windows 2000 can use the data and parity information on the remaining disks to reconstruct the data that was on the failed disk.
RECOVERY: Replace the hardware in the same format, then recover from backup.
RAID-5 volumes have a cost advantage over mirrored volumes because disk usage is optimized. The more disks you have in the RAID-5 volume, the less the cost of the redundant data stripe. The following table shows how the amount of space required for the data stripe decreases with the addition of 2-GB disks to the RAID-5 volume:
Mirrored volumes (RAID 1)              Striped volumes with parity (RAID 5)
Supports FAT and NTFS                  Supports FAT and NTFS
Can protect system or boot partitions  Cannot protect system or boot partitions
Requires 2 hard disks                  Requires min. 3 and max. 32 hard disks
Has a higher cost per MB               Has a lower cost per MB
50% utilization                        33% minimum utilization
Has good write performance             Has moderate write performance
Has good read performance              Has excellent read performance
Uses less system memory                Requires more system memory
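The two RAID-5 claims above, that parity lets the data on one failed disk be reconstructed and that the cost of the redundant stripe falls as disks are added, can both be checked with a few lines of code. The following Python program is an added example, not code from the course or from ftdisk.sys: parity is computed as the XOR of the data blocks in a stripe (the standard RAID-5 method), the parity position rotates across disks, and the overhead function reproduces a table of 2-GB disks like the one the notes refer to. The block contents and the functions xor_block, write_stripe, reconstruct, and parity_overhead are assumptions of this example.

```python
def xor_block(blocks):
    """XOR equal-length byte blocks together: this is the parity computation."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        if len(block) != len(out):
            raise ValueError("all blocks in a stripe must be the same size")
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def write_stripe(data_blocks, stripe_no):
    """Lay out one stripe: the data blocks plus one parity block.
    The parity position rotates with the stripe number so no single disk
    is a dedicated parity disk (every partition carries some parity)."""
    stripe = list(data_blocks)
    stripe.insert(stripe_no % (len(stripe) + 1), xor_block(data_blocks))
    return stripe


def reconstruct(stripe):
    """Rebuild the one block marked None (the failed disk) from the survivors.
    The XOR of every block in a stripe is zero, so the missing block equals
    the XOR of the rest. A second failure cannot be rebuilt: RAID 5
    tolerates exactly one lost disk."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) != 1:
        raise ValueError(f"RAID-5 rebuilds exactly one lost block, found {len(missing)} missing")
    rebuilt = list(stripe)
    rebuilt[missing[0]] = xor_block([b for b in stripe if b is not None])
    return rebuilt


def parity_overhead(disks, disk_gb=2):
    """Capacity figures for a RAID-5 volume of identical disks.
    Returns (total_gb, usable_gb, parity_gb, parity_percent)."""
    if not 3 <= disks <= 32:
        raise ValueError("Windows 2000 RAID-5 volumes use 3 to 32 disks")
    total = disks * disk_gb
    parity = disk_gb   # one disk's worth of parity in total, spread over all disks
    return total, total - parity, parity, round(100 * parity / total, 1)


def overhead_table(max_disks=8, disk_gb=2):
    return [(n,) + parity_overhead(n, disk_gb) for n in range(3, max_disks + 1)]


if __name__ == "__main__":
    for row in overhead_table():
        print("%2d disks: %3d GB total, %3d GB usable, %d GB parity (%.1f%%)" % row)
    stripe = write_stripe([b"data-A", b"data-B", b"data-C"], stripe_no=1)
    failed = list(stripe)
    failed[2] = None                      # simulate losing the third disk
    print("rebuilt stripe matches:", reconstruct(failed) == stripe)
```

With three 2-GB disks one third of the space (the figure in the table above) is parity; with 32 disks it is about 3%, which is the cost advantage the notes describe. The ValueError on a second missing block is the reason the RECOVERY note still points at the backup: a RAID-5 volume protects against one disk failure, not two.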
You can choose one of the following options when you start Safe Mode:
· Safe Mode. Starts Windows 2000 and uses only basic files and drivers (mouse, except serial mice; monitor; keyboard; mass storage; base video; default system services) and no network connections. If your computer does not boot properly in Safe Mode you may need to use the ERD to repair your system. Only loads the core components: NIC, CD-ROM, hard drive, and floppy.
· Safe Mode with Networking. Starts Windows 2000 with only basic files and drivers, plus network connections.
· Safe Mode with Command Prompt. Starts Windows 2000 with only basic files and drivers. After logging on, the command prompt is displayed instead of the Windows desktop, Start menu, and Taskbar.
· Enable Boot Logging. Starts Windows 2000 while logging all the installed drivers and services that were loaded (or not loaded) by the system to a file. The NDIS2 driver works with DOS; if it fails, do not worry, NDIS version 5.0 works better. When you open the log in Notepad, search for the word FAIL.
· Enable VGA Mode. Starts Windows 2000 with the basic VGA driver. This mode is useful when you have installed a new driver for your video card. The basic VGA driver is always used when you start Windows 2000 in Safe Mode (either Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt). Loads the standard 640 x 480, 16-bit screen.
· Last Known Good Configuration. Starts Windows with the registry information that Windows saved at the last shutdown. Use this option only in cases of incorrect configuration. Last Known Good Configuration does not solve problems caused by corrupted, incompatible, or missing drivers or files. Also, any changes made since that last successful startup will be lost.
· Directory Service Restore Mode. Used to restore the SYSVOL directory and Active Directory services on a domain controller. This option is available only on domain controllers, and if Directory Services is loaded. Bad news: restore from the last backup.
· Debugging Mode. Starts Windows 2000 while sending debug information through a serial cable to another computer. This is an important mode for software developers. Similar to DOS, type in “Help”.
Chapter 13
The process of finding and consolidating fragmented files and folders is called defragmenting. The Disk Defragmenter snap-in is used to locate fragmented files and folders and then defragment them.
The Disk Defragmenter defragments FAT16, FAT32, and NTFS volumes.
Compressing Files and Folders
You can set the compression state of folders and files in Windows Explorer or by using the compact command-line utility. For information on compact utility syntax, go to a command prompt and type compact /?.
Copying and Moving Compressed Files and Folders
There are rules that determine whether the compression state of files and folders is retained when you copy or move them within and between NTFS and FAT volumes.
Copying a File Within an NTFS Volume
When you copy a file within an NTFS volume, the file inherits the compression state of the target folder.
Moving a File or Folder Within an NTFS Volume
When you move a file or folder within an NTFS volume, the file or folder retains its original compression state.
Copying a File or Folder Between NTFS Volumes
The file or folder inherits the compression state of the target folder.
Moving a File or Folder Between NTFS Volumes
The file or folder inherits the compression state of the target folder. Because Windows 2000 treats a move between volumes as a copy and then a delete, the files inherit the compression state of the target folder.
Moving or Copying a File or Folder to a FAT Volume
Windows 2000 supports compression for NTFS files only. Because of this, when you move or copy a compressed NTFS file or folder to a FAT volume, Windows 2000 automatically uncompresses the file or folder.
Moving or Copying a Compressed File or Folder to a Floppy Disk
When you move or copy a compressed NTFS file or folder to a floppy disk, Windows 2000 automatically uncompresses the file or folder.
NOTE: When you copy a compressed NTFS file, Windows 2000 uncompresses the file, copies the file, and then if the target folder is marked for compression, compresses the file again as a new file. This might cause performance degradation.
Internet Information Services 5.0 is a component of the Windows 2000 operating system. Installing and removing IIS is accomplished in one of three ways: when installing or upgrading Windows 2000, by using the Add/Remove Programs utility in Control Panel, or by using an unattended.txt file during an unattended installation.
Whether your site is on an intranet or the Internet, the principles of providing content are the same. You place your Web files in folders on your server so that users can establish an HTTP connection and view your files with a Web browser.
Each Web site and FTP site must have one home directory. The home directory is the central location for your published pages. It contains a home page (typically named index.htm, index.html, default.asp, default.htm, or default.html) that welcomes Web browser users and contains links to other pages in your site.
A default home directory is created when you install IIS and when you create a new Web site. If you are setting up both a Web site and an FTP site on the same computer, you must specify a different home directory for each service (WWW and FTP). The default home directory for the WWW service is \InetPub\Wwwroot. The default home directory for the FTP service is \InetPub\Ftproot. You can choose a different directory as your home directory.
A script is a series of instructions and commands that you can use to programmatically alter the content of your Web pages.
There are two kinds of scripting: client-side and server-side. Client-side scripts run on the Web browser and are embedded in a Web page between HTML <SCRIPT> and </SCRIPT> tags.
Server-side scripts run exclusively on the Web server and are most often used to modify Web pages before they are delivered to the browser.
Properties and Inheritance of Properties on Sites
Properties are values that can be set on your Web site. For example, you can use the Internet Information Services snap-in to change the TCP port assigned to the default Web site from the default value of 80 to another port number.
During the installation of IIS, default values were assigned to the various properties. You can use the default settings in IIS, or you can customize these settings to suit your Web publishing needs.
Properties can be set on the site level, the directory level, or the file level.
Telnet Authentication
You can use your local Windows 2000 user name and password or domain account information to access the Telnet server. The security scheme is integrated into Windows 2000 security.
If you are using NTLM authentication, the client uses the Windows 2000 security context for authentication and the user is not prompted for user name and password. The user name and password are encrypted.