Figure 4.2 NT uses option /OX to create bootable floppies. Another method of deploying Windows NT is the direct local/network installation. This method is used especially for systems with unsupported CD-ROM drives. By copying the entire /I386 folder from a Windows NT CD-ROM to a shared network drive or directly from a shared CD-ROM drive to your system’s hard drive, you can execute WINNT.EXE. For installs without floppies, you may type WINNT /B or WINNT32 /B from the command prompt. Doing so copies the boot files to your local C drive and then uses your hard disk drive as if it were a boot disk. Unsupported installation methods described by Microsoft include the Within- Windows and Unattended Setup procedures. Type “WINNT /W” from the command prompt—that is, the command for Unattended Setup; you can then set up Windows NT from within a current Windows session bypassing conflicting issues involved with a standard setup. Note, however, that this method should be attempted only on comput- ers in which all the hardware components are standard and no user input is required. Server Licensing During the setup installation process, you will be asked the inevitable licensing ques- tion: per seat or per server? Regardless of your selection, you don’t have to notify Microsoft. For either option, however, a server license is required, giving you the right to run the server software on a particular system. For an explanation of each method and its recommended uses, read through Microsoft’s official licensing option clauses: PER-SEAT LICENSING. A per-seat license associates a Client Access License with a specific computer or “seat.” Client computers are allowed access to any Windows NT Server or Windows NT Server, Enterprise Edition on the network, as long as each client machine is licensed with the appropriate Client Access License. The per-seat mode is most economical in distributed computing environ- ments where multiple servers within an organization provide services to clients, such as a company that uses Windows NT Server for file and print services. Installing and Configuring a Testing Target 95 PER-SERVER LICENSING. A per-server license associates a Client Access License with a particular server. This alternative allows concurrent-use licens- ing: If customers decide to use the server in per-server mode, they must have at least as many Client Access Licenses dedicated to that server to accommodate the maximum number of clients that will connect to that server at any one point in time. The server assigns Client Access Licenses temporarily to client comput- ers; there is no permanent Client Access License association with a specific client machine. If a network environment has multiple servers, then each server in per server mode must have at least as many Client Access Licenses dedicated to it as the maximum number of clients that will connect to it at any one point in time. Under this option, the customer designates the number of Client Access Licenses that apply to the server during setup. The per-server mode is most eco- nomical in single-server, occasional, or specialty-use server solutions (with mul- tiple concurrent connections). Some examples include Remote Access Service solutions, CD-ROM servers, or the initial server of a planned larger deployment. Server Types During installation, you’ll be given an option in regard to the overall server configura- tion type. From this option, you must choose one of three standard configuration types: PDC, BDC, or stand-alone server. Let’s break down each of these types and investigate them briefly. A domain is a unique administration group within which members can easily collab- orate. This structure simplifies administration when, for example, user privileges are changed or resources are added. The changes can be applied to the domain as a whole yet affect each user individually. When a system acts as a PDC, it manages the master domain group database from where user authentication derives—the first server in a domain must act as the PDC. A user who logs in and is verified from the database has access to predefined resources on many different servers, all controlled by the domain that is managed by the PDC. NOTE A PDC cannot be configured for an existing domain. Rather, a PDC creates the domain. During the domain setup process, you’ll be required to specify a unique name for the domain. After you provide a name, NT will determine whether that name is cur- rently in use. Assuming that your name has been accepted and the domain has been created, the server will assign a security identification (SID) used for identifying the server and everybody on the domain. For this reason, it’s important not to overwrite a PDC (or BDC, discussed in the upcoming text) by creating a new one in its place, as existing users will not be able to communicate via the newly created SID. By default, the system administrator account will be used to govern the domain. A utility that is installed with the PDC, aptly named User Manager for Domains, can be used for further domain manipulation. Only users with administrative privileges (e.g., the administrator account) can use the utility to govern the domain. 96 Chapter 4 NOTE Both PDCs and BDCs, as well as stand-alones (mentioned in the next section), can be created from the Windows NT setup process. In Windows network domains, an NT server can be set up as a BDC for the PDC. A BDC can provide redundancy if a PDC fails and will share the load if the network gets too busy for the PDC. In a nutshell, a BDC will retain a copy of the domain group data- base from the PDC. If the PDC fails or requires extensive maintenance, a BDC may be promoted to the PDC level. Therefore, a BDC must have administrative access to the domain via a PDC. Microsoft recommends that every PDC have a BDC to provide some fault tolerance for a domain. To share the load on a busy network, a BDC can provide direct user authentication to spread out the logon process load. BDCs can be placed strategically to provide authentication for different user subgroups. NOTE A BDC can be configured only when a PDC is active in the domain. When a BDC is moved to a new domain, Windows NT will have to be reinstalled. On some networks, a Windows NT server may be configured as stand-alone, mean- ing that it participates in the domain but acts as neither a PDC nor a BDC. That said, a stand-alone server might be used to administer the domain group on a domain con- troller, unless it maintains its own user list for local server access. Stand-alone servers have two primary advantages over domain controllers. One is that they can be easily moved from domain to domain without reinstallation of the operating system; the other, that typically they are integrated in networks and/or domains to focus on application services. With this design, stand-alone servers can manage application loads, while domain controllers will manage the domain. This model provides better efficiency in resource management communication. NOTE During the installation process, you will be given the opportunity to install World Wide Web (WWW) services, such as Microsoft’s Internet IIS. Because we’ll be serving Web pages, providing file transfer with the FTP, and using Gopher services, be sure that you check this option during the setup procedure. Step-by-Step Installation Now we’re ready to step through a typical standard installation, using the recommended setup procedure from the Windows NT CD-ROM. The steps are given as a continuous sequence throughout the various aspects of the procedure. Step 1. Power up the system by inserting Microsoft Windows NT Server Setup Boot Disk 1 into your primary floppy drive. At this point, the Windows NT Exec- utive and the Hardware Abstraction Layer (HAL) will load. Insert Setup Disk 2 Installing and Configuring a Testing Target 97 and press Enter to continue. Inserting the second disk will load critical drivers and system files. At this point, you’ll be given two options: proceed with the installation by pressing Enter or repair a previously installed copy of Microsoft Windows NT Server that may have been damaged. Since we’re doing a new installation, press Enter to continue. Step 2. You have two choices of I/O controllers: to have Setup auto-detect the devices in your system or to install manually by pressing S. If you choose the auto-detect method, Setup will prompt you to insert Setup Disk 3. Do so; then press Enter to continue. After Setup works through the driver installation/ identification process, press Enter to continue the installation. Step 3. Next, the product license agreement will load. It’s a good idea to read the entire Windows NT End User License Agreement. To do so, press Page Down. At the end of the agreement, press F8 to accept its terms—assuming that you do—to continue. Step 4. Assuming that this is a fresh installation, at this point Setup will ask you to identify your computer type, video display, keyboard, and mouse. In our scenario, Windows NT will have detected (and will support) suitable choices. Proceed by pressing Enter. In this step, you select an installation location for Windows NT. You may create/delete active hard drive partitions in FAT or NTFS format if they do not already exist. (If you need more information on these two formats, read the sidebar titled “FAT or NTFS? That Is the Question” in Chapter 1.) Select the partition to which to install the operating system; then press Enter. You may now choose to format the partition by using FAT or NTFS. Then, be sure to use the default directory, \WINNT, by pressing Enter. Here, Setup offers to check for hard disk corruption. For our scenario, let’s go with an “exhaustive” examination by pressing Enter. The alternative is to press Esc, which activates only a simple examination. Either way, following the examina- tion, Setup will begin copying files to the hard drive. When the file copy proce- dure is complete, remove the floppy disk and press Enter to reboot the system. Step 5. After the reboot, a GUI controlled by the NT Setup wizard will display. Click the Next button to continue. At this stage, Setup will gather information about the system. Step 6. When Setup has all the information it needs about your system, it will display a screen that requests site and licensing information. Enter your name and company name (optional); then click Next. You’ll be instructed to enter the CD-ROM License Key, which, typically, you can find on the back of the jewel case. Click Next. Choose either the Per Seat or the Per Server licensing type; then click Next. Step 7. After you’ve chosen a server type, you’ll be asked to enter a unique name for the server (up to 15 characters). Once you’ve done that, click Next. Now, keeping in mind what you learned earlier in the chapter, select the server type: PDC, BDC, or stand-alone server. Step 8. Choose the administrative password (up to 14 characters); then click Next. 98 Chapter 4 Step 9. This step allows you to create an Emergency Repair Disk (ERD), which is used to recover from system failures. Be sure to direct Setup to complete this process. It’s recommended that you accept the default components during Setup. Click Next to accept and continue. Step 10. After setting up the ERD, click Next to confirm the network setup process and that the system is (and will be) connected to a network. Step 11. At this point, you should choose to install the Web services with IIS. Step 12. Click Start Search to direct Setup to detect your NIC. Click Next to continue. Step 13. Select the network protocol(s)—in this case TCP/IP; then click Next. The recommended choice is to allow Setup to install the default network services. You can opt to add additional protocols and services later. Click Next to continue. Step 14. At this time, you’ll be asked to configure the IP settings that will be bound to your NIC(s). These settings include IP address, hostname, gateway, and/or DNS server. Click Continue to register your input; then click Next to accept and start the network service. Step 15. Enter the domain (if the system is a domain controller) or workgroup name; then click Next to continue. Step 16. Configure the correct date, time, and time zone. Click Close to confirm and accept. Step 17. Confirm the VGA; then click OK. Remember to click Test to verify the settings. Step 18. Click Restart Computer to complete the installation process. Logging In The next time you restart the system, you’ll be asked to log in using the administrative password you chose during the Setup process (see Figure 4.3). For security purposes, when you type, the letters will appear only as asterisks. Figure 4.3 Logging in as the administrator. Installing and Configuring a Testing Target 99 Congratulations! The installation for the testing target operating system is now com- plete. We’ve already configured the major necessary components for this platform, so if you choose to skip the following section on options services for the testing target, you can move forward to Chapter 5 to begin testing simulations with the Cerberus Internet Scanner. Optional Services for Your Testing Target This section presents a general discussion on configuring optional services on your testing target Windows NT operating system for your analysis testing. These services include the Windows Internet Naming Service (WINS) and the DNS. Installing WINS WINS is a name resolution service that resolves an IP address with an associated node on a network. WINS uses a distributed database that contains this information for each node currently available. According to Microsoft, a WINS server is a Windows NT Server computer running Microsoft TCP/IP and WINS server software. WINS servers maintain a database that maps computer names to TCP/IP addresses, allowing users to easily communicate with other computers while gaining all the benefits of TCP/IP. A computer running WINS server software should be assigned a fixed IP address. The WINS server computer should not be a DHCP client. If the WINS server computer has more than one network adapter card, make sure that the binding order of IP addresses is not changed. You must be logged on as a member of the Administrators group to install or run the WINS Manager tool. To use or configure a WINS server, you must have full administrative rights for that server. Using WINS servers can offer these benefits on your internetwork: ■■ Dynamic database maintenance to support computer name registration and name resolution. Although WINS provides dynamic name services, it offers a NetBIOS namespace, making it much more flexible than DNS for name resolution. ■■ Centralized management of the computer name database and the database replication policies, alleviating the need for managing LMHOSTS files. ■■ Dramatic reduction of IP broadcast traffic in LAN Manager internetworks, while allowing client computers to easily locate remote systems across LANs or WANs. ■■ Enables clients running Windows NT and Windows for Workgroups on a Windows NT Server network to browse domains on the far side of a router without a local domain controller being present on the other side of the router. ■■ Its extremely scalable design makes it a good choice for name resolution on medium to very large internetworks. 100 Chapter 4 Windows NT includes WINS, but it is not installed by default. The easiest method of installing this service is by using the Network Utility, following these steps: 1. From Start/Settings/Control Panel, double-click the Network icon. 2. From within the Services tab, click Add. 3. Select Windows Internet Name Service from the Network Service list; then click OK to continue. 4. When prompted, insert the Microsoft Windows NT Server CD and click Continue. The driver files are located on the Windows NT CD-ROM, so be sure to have the CD handy. If you want Setup to look in a different place, type in that location. 5. After Setup copies the appropriate files, click Close to continue. 6. Click Yes to complete the installation and restart the system. Once WINS has been installed, Setup will install a new configuration manager in the Administrative Tools utility, aptly named WINS Manager. The WINS service is a Windows NT service running on a Windows NT server. The supporting WINS client software is automatically installed for Windows NT Server and for Windows NT com- puters when the basic operating system is installed. To start WINS Manager, from Start/Programs/Administrative Tools click WINS Manager or, at the command prompt, type start winsadmn. You can include a WINS server name or IP address with the command (e.g., start winsadmn 192.168.0.2 or start winsadmn mywinsserver). To start and stop the actual WINS, use the Services utility from the Control panel. You can also start and stop the WINS server at the command prompt by using the com- mands net start wins, net stop wins, net pause wins, and net continue wins. When paused, WINS will not accept a WINS name registration packet (as a point-to-point-directed IP message) from a client. This enables a WINS administrator to prevent clients from using WINS while they continue to administer, replicate, and scavenge old records. When you install a WINS server, the WINS Manager icon is added to Program Man- ager. You can use this tool to view and change parameters for any WINS server on the internetwork, but you must be logged on as a member of the Administrators group for a WINS server to configure that server. If the WINS is running on the local computer, that WINS server will be opened automatically for administration. If the WINS is not running when you start WINS, the Add WINS Server dialog box appears. The WINS Manager window appears when you start WINS Manager. The title bar in the WINS Manager window shows the IP address or computer name for the currently selected server, depending on whether you used the address or name to connect to the server. WINS Manager also shows some basic statistics for the selected server. To display additional statistics, on the Server menu click Detailed Information. To connect to a WINS server for administration that uses the WINS Manager, follow these steps: Installing and Configuring a Testing Target 101 1. If you want to connect to a server to which you have previously connected, under WINS Servers double-click the appropriate server icon. If you want to connect to a server to which you have not previously connected, on the Server menu click Add WINS Server. 2. In the WINS Server box, type the IP address or computer name of the WINS server you want to work with; then click OK. You do not have to prefix the name with double backslashes; WINS Manager will add these for you. Setting Preferences for WINS Manager You can configure several options for administering WINS servers. The commands for controlling preferences are on the Options menu. To display the status bar for help on commands, click Status Bar on the Options menu. When this command is active, its name is checked on the menu and the status bar at the bottom of the WINS Manager window will display descriptions of commands as they are highlighted in the menu bar. To set preferences for the WINS Manager, using the WINS Manager, follow these steps: 1. On the Options menu, click Preferences. 2. To see all the available preferences, click Partners. 3. Click an Address Display option to indicate how you want address information to be displayed throughout WINS Manager: as computer name, IP address, or an ordered combination of both. 4. Click Auto Refresh if you want the statistics in the WINS Manager window to be refreshed automatically. Then type a number in the Interval box to specify the number of seconds between refresh actions. WINS Manager also refreshes the statistical display automatically each time an action is initiated while you are working in WINS Manager. 5. Click LAN Manager-Compatible if you want computer names to adhere to the LAN Manager naming convention. Windows NT follows the LAN Manager convention, so unless your network accepts NetBIOS names from other sources, this box should be selected. 6. If you want the system to query the list of servers for available servers each time the system starts, click Validate Cache of Known WINS Servers At Startup Time. 7. If you want a warning message to appear each time you delete a static map- ping or the cached name of a WINS server, click Confirm Deletion of Static Mappings and Cached WINS Servers. 8. In the Start Time box, specify the default for replication start time for new pull partners. Then specify values for the Replication Interval to indicate how often data replicas will be exchanged between the partners. The minimum value for the Replication Interval is five hours. 102 Chapter 4 TEAMFLY Team-Fly ® 9. In the Update Count box, type the number of registrations and changes that can occur locally before a replication trigger is sent by this server when it is a push partner. The minimum value is 20. Configuring a WINS Server You will want to configure multiple WINS servers to increase the availability and to balance the load among servers. Each WINS server must be configured with at least one other WINS server as its replication partner. For each WINS server, you must con- figure threshold intervals for triggering database replication, based on a specific time, a time period, or a certain number of new records. If you designate a specific time for replication, the replication will occur only once. If you designate a specific time period, replication will repeat at that interval. To configure a WINS server using the WINS Manager, follow these steps: 1. On the Server menu, click Configuration. This command is available only if you are logged on as a member of the Administrators group for the WINS server that you want to configure. 2. For the WINS Server Configuration options, specify time intervals by typing a time or clicking the spin buttons, as described in the following list: Renewal Interval. Specifies how often a client reregisters its name. Extinction Interval. Specifies the time interval from when an entry is marked released to when it’s marked extinct. Extinction Timeout. Specifies the time interval from when an entry is marked extinct and when the entry is finally scavenged from the database. Verify Interval. Specifies the interval after which the WINS server must verify that old names it does not own are still active. 3. If you want this WINS server to pull replicas of new WINS database entries from its partners when the system is initialized or when a replication-related parameter changes, click Initial Replication in the Pull Parameters options, then type a value for Retry Count. In a push/pull relationship, data is passed from the Primary to Secondary WINS server if the Secondary (pull partner) requests that the Primary (push partner) send an update or if the Primary asks the pull partner to start requesting updates. 4. To inform partners of the database status when the system is initialized, click Initial Replication in the Push Parameters options. 5. To inform partners of the database status when an address changes in a map- ping record, click Replicate on Address Change. 6. Set any Advanced WINS Server Configuration options. The replication interval for this WINS server’s pull partner is defined in the Prefer- ences dialog box. The extinction interval, extinction time-out, and verify interval are Installing and Configuring a Testing Target 103 derived from the renewal interval and the replication interval specified. The WINS server adjusts the values specified by the administrator to minimize the inconsistency between a WINS server and its partners. The retry count is the number of times the server should attempt to connect (in case of failure) with a partner for pulling replicas. Retries are attempted at the replication interval specified in the Preferences dialog box. The file where database update operations are saved is jet.log. This file is used by WINS to recover data if necessary. You should back up this file when you back up other files on the WINS server. WINS Static Mappings You can change the IP addresses in static mappings owned by the WINS server you are currently administering. To edit a static mapping entry, using the WINS Manager, follow these steps: 1. On the Mappings menu, click Static Mappings. 2. In the Static Mappings dialog box, click the mapping you want to change; then click Edit Mapping. 3. In the IP Address box, type a new address for the selected computer; then click OK. The change is made in the WINS database immediately. If the change you enter is not allowed for the database because that address is already in use, a message will ask you to enter another address. You can view but not edit the Computer Name and Mapping Type mapping option in the Edit Static Mappings dialog box. If you want to change the Computer Name or Mapping Type related to a specific IP address, you must delete the entry and redefine it in the Add Static Mappings dialog box. It is important to note that because each sta- tic mapping is added to the database when you click Add, you cannot cancel work in this dialog box. If you make a mistake when entering a name or address for a mapping, you must return to the Static Mappings dialog box and delete the mapping there. To add static mappings to the WINS database by typing entries, follow these steps: 1. On the Mappings menu, click Static Mappings. 2. In the Static Mappings dialog box, click Add Mappings. 3. In the Computer Name box, type the computer name of the system for which you are adding a static mapping. 4. In the IP Address box, type the address for the computer. 5. Click a Type option to indicate whether this entry is a unique name or a kind of group, as described in the following list: Unique. A unique name in the database, with one address per name. Group. A normal group, where addresses of individual members are not stored. The client broadcasts name packets to normal groups. 104 Chapter 4 [...]... directory ■ ■ Error Indicates system errors, such as difficulty reading a directory Add, Remove, and Edit Properties Buttons To set up a directory, press the Add; or select a directory in the Directories listing box and press the Edit button Use the Remove button to delete directories you no longer want Press the Add button in the Directory Properties window to set up new directories: ■ ■ Directory... directory Add, Remove, and Edit Buttons To set up a directory, press the Add button or pick a directory in the Directory listing box and press the Edit button Use the Remove button to delete directories you no longer want to list Click Add, then Installing and Configuring a Testing Target configure the FTP service directories by using the associated dialog box Use its contents as follows: ■ ■ Directory... the path to the directory to use for the WWW service ■ ■ Browse button Use to select the directory to use for the WWW service ■ ■ Home Directory Specify the root directory for the WWW service Internet Information Server provides a default home directory, \Wwwroot, for the 1 13 114 Chapter 4 WWW service The files that you place in the WWW home directory and its subdirectories are available to remote... default home directory ■ ■ Virtual Directory Specify a subdirectory for the FTP service ■ ■ Alias Enter a name for the virtual directory This is the name that is used to connect to the directory Enter either the directory name or the “alias” that service users will use You can add other directories outside the home directory that are accessible to browsers as subdirectories of the home directory That is,... Directory Set the path to the directory to use for the FTP service ■ ■ Browse button Select the directory to use for the FTP service ■ ■ Home Directory Specify the root directory for the FTP service Internet Information Server provides a default home directory, \Ftproot, for the FTP service The files that you place in the FTP home directory and its subdirectories are available to remote browsers You... home directory ■ ■ Virtual Directory Specify a subdirectory for the WWW service Enter the directory name or “alias” that service users will use to gain access You can add other directories outside the home directory that are accessed by browsers as subdirectories of the home directory That is, you can publish from other directories and have those directories accessible from within the home directory Such... computer To change the directory in which to install Microsoft Internet Information Server, click the Change Directory button and type the complete directory path in the dialog box 6 Click OK to continue and select the directories for the World Wide Web, FTP, and Gopher directories 7 Click OK After Setup copies the appropriate files and detects that your Guest account is enabled on the system, for security. .. in RFC 1 035 Defined in RFC 1 035 Defined in RFC 1 035 NS: Name Server Defined in RFC 1 035 NSAP: Network Service Access Point Address Defined in RFC 134 8; redefined in RFC 1 637 and 1706 NXT: Next Defined in RFC 2065 PTR: Pointer Defined in RFC 1 035 PX: Pointer to X.400/RFC822 information RP: Responsible Person RT: Route Through Defined in RFC 1664 Defined in RFC 11 83 Defined in RFC 11 83 SIG: Cryptographic... Conversely, to add computers to which you want to grant access, select the Denied Access button and click Add ■ ■ Choose Single Computer and provide the Internet Protocol (IP) address to exclude a single computer ■ ■ Choose Group of Computers and provide an IP address and subnet mask to exclude a group of computers ■ ■ Press the button next to the IP address to use a DNS name instead of an IP address Your. .. attributes of the directory If the files are on an NTFS drive, NTFS settings for the directory must match these settings Read must be selected for FTP directories Write allows clients to write files to the FTP server Select this only for directories that are intended to accept files from users 119 120 Chapter 4 Directory Listing Style Choose the directory listing style to send to FTP users, whether . directories: ■■ Directory. Type the path to the directory to use for the WWW service. ■■ Browse button. Use to select the directory to use for the WWW service. ■■ Home Directory. Specify the root directory for. Directories listing box and press the Edit button. Use the Remove button to delete directories you no longer want. Press the Add button in the Directory Properties window to set up new directories: ■■ Directory you want to grant anonymous logon access to your site. If you want to use your current security system to control information access, change the anonymous logon account from IUSR_computername to an