Windows 7 Resource Kit- P26


Core Networking Improvements CHAPTER 25 1203

As with other versions of Windows, server-side support for SMB (sharing files and printers) is provided by the Server service, and client-side support (connecting to shared resources) is provided by the Workstation service. Both services are configured to start automatically, and you can safely disable either service if you don’t require it. The security risks presented by having the Server service running are minimized because Windows Firewall will block incoming requests to the Server service on public networks by default.

Strong Host Model

When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model accept locally destined packets only if the destination address in the packet matches an address assigned to the interface on which the packet was received.

The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. Windows Vista and Windows 7 support the strong host model for both IPv4 and IPv6 and are configured to use it by default. However, you can revert to the weak host model using Netsh. The weak host model provides better network connectivity, but it also makes hosts susceptible to multihome-based network attacks.

To change the host model being used, use the following Netsh commands (and specify the name of the network adapter).

    Netsh interface IPv4 set interface "Local Area Connection" WeakHostSend=enabled
    Ok.
    Netsh interface IPv4 set interface "Local Area Connection" WeakHostReceive=enabled
    Ok.

To return to the default settings, use the same command format but disable the WeakHostSend and WeakHostReceive parameters.
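The following PowerShell script is an added example (not from the Resource Kit) that checks every IPv4 interface against the strong host default and reverts any interface that has been switched to the weak host model. It assumes the English-language netsh output of Windows Vista and Windows 7 and an elevated prompt for the revert.

```powershell
# Added example (not from the Resource Kit): audit the IPv4 host model of every
# interface and revert any that were switched to the weak host model.
# Assumes the English netsh output of Windows Vista/7 ("Weak Host Sends",
# "Weak Host Receives") and an elevated prompt for Set-StrongHostModel.

function Get-NetshValue {
    # Pull "Label : value" out of the detailed per-interface listing.
    param([string[]]$Lines, [string]$Label)
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:\s*(\S+)'
    $hit = @($Lines | Select-String -Pattern $pattern)
    if ($hit.Count -gt 0) { $hit[0].Matches[0].Groups[1].Value } else { 'unknown' }
}

function Get-HostModel {
    # The summary listing puts the interface name in the last column.
    $names = netsh interface ipv4 show interfaces |
        Select-String -Pattern '^\s*\d+\s+\d+\s+\d+\s+\S+\s+(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }

    foreach ($name in $names) {
        $detail = netsh interface ipv4 show interface "$name"
        $send = Get-NetshValue -Lines $detail -Label 'Weak Host Sends'
        $recv = Get-NetshValue -Lines $detail -Label 'Weak Host Receives'
        New-Object PSObject -Property @{
            Interface       = $name
            WeakHostSend    = $send
            WeakHostReceive = $recv
            # Strong host model (the default) means both weak-host options are off.
            StrongHost      = ($send -eq 'disabled' -and $recv -eq 'disabled')
        }
    }
}

function Set-StrongHostModel {
    # Same command form as the book's example, with both parameters disabled.
    param([Parameter(Mandatory=$true)][string]$Interface)
    netsh interface ipv4 set interface "$Interface" weakhostsend=disabled | Out-Null
    netsh interface ipv4 set interface "$Interface" weakhostreceive=disabled | Out-Null
}

# Report every interface and warn about the ones accepting weak-host traffic.
$models = @(Get-HostModel)
$models | Format-Table Interface, WeakHostSend, WeakHostReceive, StrongHost -AutoSize
foreach ($m in $models) {
    if (-not $m.StrongHost) {
        $msg = "{0}: weak host model enabled (send={1}, receive={2}); run Set-StrongHostModel -Interface '{0}' to revert" -f $m.Interface, $m.WeakHostSend, $m.WeakHostReceive
        Write-Warning $msg
    }
}
```

The audit part runs as a standard user; only Set-StrongHostModel needs an elevated prompt.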
Wireless Networking

In Windows Server 2003 and Windows XP, the software infrastructure that supports wireless connections was built to emulate an Ethernet connection and can be extended only by supporting additional Extensible Authentication Protocol (EAP) types for 802.1X authentication. In Windows Vista and Windows 7, the software infrastructure for 802.11 wireless connections, called the Native Wi-Fi Architecture (also referred to as Revised Native Wi-Fi MSM, or RMSM), has been redesigned for the following:

• IEEE 802.11 is now represented inside of Windows as a media type separate from IEEE 802.3. This allows hardware vendors more flexibility in supporting advanced features of IEEE 802.11 networks, such as a larger frame size than Ethernet.

• New features in the Native Wi-Fi Architecture perform authentication, authorization, and management of 802.11 connections, reducing the burden on hardware vendors to incorporate these functions into their wireless network adapter drivers. This makes the development of wireless network adapter drivers much easier.

• The Native Wi-Fi Architecture supports APIs to allow hardware vendors the ability to extend the built-in wireless client for additional wireless services and custom capabilities. Extensible components written by hardware vendors can also provide customized configuration dialog boxes and wizards.

In addition, Windows Vista and Windows 7 include several important changes to the behavior of wireless auto configuration. Wireless auto configuration is now implemented in the WLAN AutoConfig service, which dynamically selects the wireless network to which the computer will connect automatically, based either on your preferences or on default settings. This includes automatically selecting and connecting to a more preferred wireless network when it becomes available.
The changes include:

• Single sign-on: To enable users to connect to protected wireless networks before logon (and thus, allow wireless users to authenticate to a domain), administrators can use Group Policy settings or the new Netsh wireless commands to configure single sign-on profiles on wireless client computers. After a single sign-on profile is configured, 802.1X authentication will precede the computer logon to the domain and users are prompted for credential information only if needed. This feature ensures that the wireless connection is placed prior to the computer domain logon, which enables scenarios that require network connectivity prior to user logon, such as Group Policy updates, execution of login scripts, and wireless client domain joins.

• Behavior when no preferred wireless networks are available: In earlier versions of Windows, Windows created a random wireless network name and placed the network adapter in infrastructure mode if no preferred network was available and automatically connecting to nonpreferred networks was disabled. Windows would then scan for preferred wireless networks every 60 seconds. Windows Vista and Windows 7 no longer create a randomly named network; instead, Windows “parks” the wireless network adapter while periodically scanning for networks, preventing the randomly generated wireless network name from matching an existing network name.

• Support for hidden wireless networks: Earlier versions of Windows would always connect to preferred wireless networks that broadcast a Service Set Identifier (SSID) before connecting to preferred wireless networks that did not broadcast that identifier, even if the hidden network had a higher priority. Windows Vista and Windows 7 connect to preferred wireless networks based on their priority, regardless of whether they broadcast an SSID.
• WPA2 support: Windows Vista and Windows 7 support Wi-Fi Protected Access 2 (WPA2) authentication options, configurable by either the user (to configure the standard profile) or by AD DS domain administrators using Group Policy settings. Windows Vista and Windows 7 support both Enterprise (IEEE 802.1X authentication) and Personal (preshared key authentication) modes of operation for WPA2 and can connect to ad hoc wireless networks protected by WPA2.

• Integration with NAP: WPA2-Enterprise, WPA-Enterprise, and dynamic WEP connections that use 802.1X authentication can use the NAP platform to prevent wireless clients that do not comply with system health requirements from gaining unlimited access to a private network.

In addition, troubleshooting wireless connection problems is now easier because wireless connections do the following:

• Support the Network Diagnostics Framework, which attempts to diagnose and fix common problems
• Record detailed information in the event log if a wireless connection attempt fails
• Prompt the user to send diagnostic information to Microsoft for analysis and improvement

For more information about troubleshooting wireless networks, see Chapter 31. For more information about configuring wireless networks, see the section titled “How to Configure Wireless Settings” later in this chapter.

Improved APIs

Windows Vista and Windows 7 also include improved APIs that will enable more powerful networked applications. Systems administrators will not realize immediate benefits from these improved APIs; however, developers can use these APIs to create applications that are more robust when running on Windows Vista and Windows 7. This enables developers to create applications faster and to add more powerful features to those applications.
Network Awareness

More applications are connecting to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can adapt to changing network conditions has been difficult for developers. Network Awareness enables applications to sense changes to the network to which the computer is connected, such as closing a mobile PC at work and then opening it at a coffee shop wireless hotspot. This enables Windows Vista and Windows 7 to alert applications of network changes. The application can then behave differently, providing a seamless experience.

For example, Windows Firewall with Advanced Security can take advantage of Network Awareness to automatically allow incoming traffic from network management tools when the computer is on the corporate network but block the same traffic when the computer is on a home network or wireless hotspot. Network Awareness can therefore provide flexibility on your internal network without sacrificing security when mobile users travel.

Applications can also take advantage of Network Awareness. For example, if a user disconnects from a corporate internal network and then connects to his or her home network, an application could adjust security settings and request that the user establish a VPN connection to maintain connectivity to an intranet server. New applications can go offline or online automatically as mobile users move between environments. In addition, software vendors can integrate their software into the network logon process more easily because Windows Vista and Windows 7 enable access providers to add custom connections for use during logon. Network Awareness benefits only applications that take advantage of the new API and does not require any management or configuration.
For Network Awareness to function, the Network Location Awareness and Network List Service services must be running.

Improved Peer Networking

Windows Peer-to-Peer Networking, originally introduced with the Advanced Networking Pack for Windows XP and later included in Windows XP SP2, is an operating system platform and API in Windows Vista and Windows 7 that allows the development of peer-to-peer (P2P) applications that do not require a server. Windows Vista and Windows 7 include the following enhancements to Windows Peer-to-Peer Networking:

• New, easy-to-use API: APIs to access Windows Peer-to-Peer Networking capabilities such as name resolution, group creation, and security have been highly simplified in Windows Vista and Windows 7, making it easier for developers to create P2P applications.

• New version of PNRP: Peer Name Resolution Protocol (PNRP) is a name resolution protocol, like DNS, that functions without a server. PNRP uniquely identifies computers within a peer cloud. Windows Vista and Windows 7 include a new version of PNRP (PNRP v2) that is more scalable and uses less network bandwidth. For PNRP v2 in Windows Vista and Windows 7, Windows Peer-to-Peer Networking applications can access PNRP name publication and resolution functions through a simplified PNRP API that supports the standard name resolution methods used by applications. For IPv6 addresses, applications can use the getaddrinfo() function to resolve the fully qualified domain name (FQDN) name.pnrp.net, in which name is the peer name being resolved. The pnrp.net domain is a reserved domain for PNRP name resolution. The PNRP v2 protocol is incompatible with the PNRP protocol used by computers running Windows XP. Microsoft is investigating the development and release of an update to the Windows Peer-to-Peer Networking features in Windows XP to support PNRP v2.
• People Near Me: People Near Me is a new capability of Windows Peer-to-Peer Networking that allows users to dynamically discover other users on the local subnet and their registered People Near Me–capable applications, as well as to invite users into a collaboration activity easily. The invitation and its acceptance start an application on the invited user’s computer, and the two applications can begin participating in a collaboration activity such as chatting, photo sharing, or game playing.

PNRP v2 is not backward compatible with earlier versions of the protocol. Although PNRP v2 can coexist on a network with earlier versions, it cannot communicate with PNRP v1 clients.

Services Used by Peer-to-Peer Networking

Windows Peer-to-Peer Networking uses the following services, which by default start manually (Windows will start services automatically as required):

• Peer Name Resolution Protocol (PNRP)
• Peer Networking Grouping
• Peer Networking Identity Manager
• PNRP Machine Name Publication Service

If these services are disabled, some P2P and collaborative applications might not function.

Managing Peer-to-Peer Networking

Windows Peer-to-Peer Networking is a set of tools for applications to use, so it doesn’t provide capabilities without an application. You can manage Windows Peer-to-Peer Networking using the Netsh tool or by using Group Policy settings:

• Netsh tool: Commands in the Netsh p2p context will be used primarily by developers creating P2P applications. Systems administrators should not need to troubleshoot or manage Windows Peer-to-Peer Networking directly, so that aspect of the Netsh tool is not discussed further here.
• Group Policy settings: You can configure or completely disable Windows Peer-to-Peer Networking by using the Group Policy settings in Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services. You should need to modify the configuration only if an application has specific, nondefault requirements.

HOW IT WORKS: Peer-to-Peer Name Resolution

In P2P networking, peers use PNRP names to identify computers, users, groups, services, and anything else that should be resolved to an IP address. Peer names can be registered as unsecured or secured. Unsecured names are just automatically generated text strings that are subject to spoofing by a malicious computer that registers the same name. Unsecured names are therefore best used in private or otherwise secure networks. Secured names are signed digitally with a certificate and thus can be registered only by the owner.

PNRP IDs are 256 bits long and are composed of the following:

• The high-order 128 bits, known as the peer-to-peer ID, are a hash of a peer name assigned to the endpoint.
• The low-order 128 bits are used for the service location, which is a generated number that uniquely identifies different instances of the same ID in a cloud.

The 256-bit combination of peer-to-peer ID and service location allows multiple PNRP IDs to be registered from a single computer. For each cloud, each peer node manages a cache of PNRP IDs that includes both its own registered PNRP IDs and the entries cached over time. When a peer needs to resolve a PNRP ID to the address, protocol, and port number, it first examines its own cache for entries with a matching peer ID (in case the client has resolved a PNRP ID for a different service location on the same peer). If that peer is found, the resolving client sends a request directly to the peer.
If the resolving client does not have an entry for the peer ID, it sends requests to other peers in the same cloud, one at a time. If one of those peers has an entry cached, that peer first verifies that the requested peer is connected to the network before resolving the name for the requesting client. While the PNRP request message is being forwarded, its contents are used to populate caches of nodes that are forwarding it. When the response is sent back through the return path, its contents are also used to populate node caches. This name resolution mechanism allows clients to identify each other without a server infrastructure.

EAPHost Architecture

For easier development of EAP authentication methods for IEEE 802.1X-authenticated wireless connections, Windows Vista and Windows 7 support a new EAP architecture called EAPHost. EAPHost provides the following features that are not supported by the EAP implementation in earlier versions of Windows:

• Network Discovery: EAPHost supports Network Discovery as defined in the “Identity selection hints for Extensible Authentication Protocol (EAP)” Internet draft.

• RFC 3748 compliance: EAPHost will conform to the EAP State Machine and address a number of security vulnerabilities that are specified in RFC 3748. In addition, EAPHost will support additional capabilities such as Expanded EAP Types (including vendor-specific EAP methods).

• EAP method coexistence: EAPHost allows multiple implementations of the same EAP method to coexist simultaneously. For example, the Microsoft version of Protected EAP (PEAP) and the Cisco Systems, Inc. version of PEAP can be installed and selected.

• Modular supplicant architecture: In addition to supporting modular EAP methods, EAPHost also supports a modular supplicant architecture in which new supplicants can be added easily without having to replace the entire EAP implementation.
For EAP method vendors, EAPHost provides support for EAP methods already developed for Windows Server 2003 and Windows XP, as well as an easier method of developing new EAP methods. Certified EAP methods can be distributed with Windows Update. EAPHost also allows better classification of EAP types so that the built-in 802.1X- and PPP-based Windows supplicants can use them.

For supplicant method vendors, EAPHost provides support for modular and pluggable supplicants for new link layers. Because EAPHost is integrated with NAP, new supplicants do not have to be NAP aware. To participate in NAP, new supplicants only need to register a connection identifier and a callback function that informs the supplicant to re-authenticate.

For more information, read “EAPHost in Windows” at http://technet.microsoft.com/en-us/magazine/cc162364.aspx.

Layered Service Provider (LSP)

The Windows Sockets (Winsock) Layered Service Provider (LSP) architecture resides between the Winsock dynamic-link library (DLL), which applications use to communicate on the network, and the Winsock kernel-mode driver (Afd.sys), which communicates with network adapter drivers. LSPs are used in several categories of applications, including:

• Proxy and firewalls.
• Content filtering.
• Virus scanning.
• Adware and other network data manipulators.
• Spyware and other data-monitoring applications.
• Security, authentication, and encryption.

Windows Vista and Windows 7 include several improvements to LSPs to enable more powerful network applications and better security:

• Adding and removing LSPs is logged to the System Event Log. Administrators can use these events to determine which application installed an LSP and to troubleshoot failed LSP installations.

• A new installation API (WSCInstallProviderAndChains) provides simpler, more reliable LSP installations.

• New facilities categorize LSPs and allow critical system services to bypass LSPs.
  This can improve reliability when working with flawed LSPs.

• A diagnostics module for the Network Diagnostics Framework allows users to selectively remove LSPs that are causing problems.

Windows Sockets Direct Path for System Area Networks

Windows Sockets Direct (WSD) enables Winsock applications that use TCP/IP to obtain the performance benefits of system area networks (SANs) without application modifications. SANs are a type of high-performance network often used for computer clusters.

WSD allows communications across a SAN to bypass the TCP/IP protocol stack, taking advantage of the reliable, direct communications provided by a SAN. In Windows Vista and Windows 7, this is implemented by adding a virtual switch between Winsock and the TCP/IP stack. This switch has the ability to examine traffic and pass communications to a SAN Winsock provider, bypassing TCP/IP entirely. Figure 25-13 illustrates this architecture.

[Figure 25-13 (diagram) labels: Application, Winsock Switch, User/Kernel boundary, SAN Winsock Provider, SAN Winsock Driver, SAN NDIS MiniPort, SAN Network Adapter, Base Winsock Provider, TCP/IP]

FIGURE 25-13 WSD enables improved performance across SANs by selectively bypassing TCP/IP using a virtual switch.

How to Configure Wireless Settings

Users want to stay constantly connected to their networks, and wireless LANs and wireless WANs are beginning to make that possible. However, managing multiple network connections can be challenging, and users often have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support cost and user frustration. You can reduce this by configuring client computers to connect to preferred wireless networks.

Windows will connect automatically to most wired networks. Wireless networks, however, require configuration before Windows will connect to them.
You can connect Windows computers to wireless networks in three different ways:

• Manually: Windows 7 includes a new user interface that makes it simple to connect to wireless networks. You can use this interface to manually configure intranet-based computers running Windows 7; users can use this method to connect to public networks when they travel.

• Using Group Policy: Group Policy settings are the most efficient way to configure any number of computers running Windows in your organization to connect to your internal wireless networks.

• From the command line or by using scripts: Using the Netsh tool and commands in the netsh wlan context, you can export existing wireless network profiles, import them into other computers, connect to available wireless networks, or disconnect a wireless network.

After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X authentication at the appropriate time based on the network security configuration, while simply and seamlessly integrating with the user’s Windows logon experience. The following sections describe each of these configuration techniques.

Configuring Wireless Settings Manually

Windows 7 makes it very easy to connect to a wireless network using the enhanced View Available Networks (VAN) feature included in the platform. For example, to configure a wireless network that is currently available, follow these steps:

1. Click the networking icon in the notification area.

   NOTE: The WLAN AutoConfig service must be started for wireless networks to be available. This service by default is set to start automatically.

2. Click the network to which you want to connect and then click Connect, as shown in Figure 25-14.

FIGURE 25-14 The Network Connection Details dialog box provides graphical access to IP configuration settings.
   NOTE: A network that is configured not to broadcast an SSID will appear as an Unnamed Network, allowing you to connect to the network.

3. If the network is encrypted, provide the encryption key.

Why Disabling SSID Broadcasting Doesn’t Improve Security

Wireless networks broadcast an SSID that specifies the network name to help users who have not connected to the network previously find it. However, disabling the SSID broadcast does not increase security, because the tools that a malicious attacker might use to find and connect to your wireless network do not rely on SSID broadcasts. The SSID broadcast does make it easier for legitimate users to find and connect to your wireless networks. So by disabling the broadcast of the SSID, you can negatively affect the people whom you do want to be able to connect.

Using Group Policy to Configure Wireless Settings

In AD DS environments, you can use Group Policy settings to configure wireless network policies. For best results, you should have Windows Server 2003 SP1 or later installed on your domain controllers because Microsoft extended support for wireless Group Policy settings when they released SP1.

Before you can use Group Policy to configure wireless networks, you need to extend the AD DS schema using the 802.11Schema.ldf file included on this book’s companion media. If you do not have access to the companion media, you can copy the schema file from http://technet.microsoft.com/en-us/library/bb727029.aspx. To extend the schema, follow these steps:

1. Copy the 802.11Schema.ldf file to a folder on a domain controller.

2. Log on to the domain controller with Domain Admin privileges and open a command prompt.

3.
   Select the folder containing the 802.11Schema.ldf file and run the following command (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; an example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain).

       ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

4. Restart the domain controller.

After you extend the schema, you can configure a wireless network policy by following these steps:

1. Open the Active Directory GPO in the Group Policy Object Editor.
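As an added example for the netsh wlan commands described under “How to Configure Wireless Settings” (not from the Resource Kit), this PowerShell script exports every wireless profile, flags profiles whose exported XML shows open authentication or WEP, and imports the XML files on another computer. It assumes English netsh output and the standard WLANProfile XML layout; the folder path and function names are the example's own.

```powershell
# Added example (not from the Resource Kit): back up every wireless profile with
# the netsh wlan context, flag profiles whose exported XML shows open
# authentication or WEP, and import the XML files on another computer.
# Assumes English netsh output and the standard WLANProfile XML layout
# (WLANProfile/MSM/security/authEncryption).

function Export-WlanProfiles {
    param([Parameter(Mandatory=$true)][string]$Folder)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }

    # "All User Profile : <name>" lines list the profiles stored on this computer.
    $names = netsh wlan show profiles |
        Select-String -Pattern '^\s*All User Profile\s*:\s*(.+?)\s*$' |
        ForEach-Object { $_.Matches[0].Groups[1].Value }

    foreach ($name in $names) {
        # Without key=clear the pre-shared key is not written to the XML file,
        # so the export can be stored and copied without exposing the key.
        netsh wlan export profile "name=$name" "folder=$Folder" | Out-Null
    }
    Get-ChildItem -Path $Folder -Filter *.xml
}

function Get-WlanProfileSecurity {
    param([Parameter(Mandatory=$true)][string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.xml) {
        $xml = New-Object System.Xml.XmlDocument
        $xml.Load($file.FullName)
        $root = $xml.DocumentElement
        $ae = $root['MSM']['security']['authEncryption']
        if (-not $ae) { continue }   # not a WLANProfile export; skip it
        $auth = $ae['authentication'].InnerText
        $enc  = $ae['encryption'].InnerText
        New-Object PSObject -Property @{
            Profile        = $root['name'].InnerText
            Authentication = $auth
            Encryption     = $enc
            # Open networks and WEP give no meaningful protection; flag them.
            Weak           = ($auth -eq 'open' -or $enc -eq 'WEP')
            File           = $file.FullName
        }
    }
}

function Import-WlanProfiles {
    param([Parameter(Mandatory=$true)][string]$Folder)
    foreach ($file in Get-ChildItem -Path $Folder -Filter *.xml) {
        # user=all makes the profile available to every user of the computer.
        netsh wlan add profile "filename=$($file.FullName)" user=all
    }
}

# On the reference computer: export and review the profiles.
$folder = Join-Path $env:TEMP 'wlan-profiles'
Export-WlanProfiles -Folder $folder | Out-Null
Get-WlanProfileSecurity -Folder $folder |
    Format-Table Profile, Authentication, Encryption, Weak -AutoSize
# On another computer, after copying the folder: Import-WlanProfiles -Folder $folder
```

Profiles that report Weak = True are the ones to replace with WPA2 profiles before importing them elsewhere.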

Posted: 20/10/2013, 12:15
