Implementing and Administering Windows 2000 Network Infrastructure
DHCP (Dynamic Host Configuration Protocol)
DHCP is used to automatically assign IP addresses. The
addresses are leased for a specified period of time
(default 8 days). The benefits of DHCP are that you don't have
to keep a database of addresses by hand, and it removes the
likelihood of mistyping an address.
The lease process:
Request - The client sends out a broadcast to its entire
subnet looking for any DHCP server. The MAC and Computer name
are part of this request.
Offer - All DHCP servers on the subnet will offer an address
to the client.
Accept - The DHCP client broadcasts back to the first DHCP
server a request to accept the offer.
Acknowledge - The DHCP server broadcasts back an
acknowledgement (DHCPACK) that the lease was successful.
If you have multiple NIC cards, each one processes the IP
information independently.
Renewal - A DHCP client will try to renew its address
after 50% of the lease life is up. This is a direct request to
the DHCP server, not a broadcast. The DHCP server may renew
the IP and the client will keep it for the full lease period
again. If the DHCP server does not renew the lease
(issues a DHCPNACK), the client will keep the IP configuration
until 87.5% of the lease life is up. The client will then send
out a broadcast message to the entire subnet and the process
starts over again. If you want to renew your lease manually,
use the command ipconfig /release followed by ipconfig
/renew.
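The renewal timeline above (unicast renewal at 50%, broadcast rebind at 87.5%, expiry at 100%) as a small added example. This is not code from the guide or from Windows 2000; the phase names BOUND/RENEWING/REBINDING are assumed labels, and the 8-day lease is only sample input.

```python
"""Added example: DHCP client lease timeline (not from the original guide).

Given a lease length and the time elapsed since the lease was granted, report
which phase the client is in: RENEWING (unicast to the original server at 50%),
REBINDING (broadcast to any server at 87.5%), or EXPIRED. The fractions are
the ones stated in the guide; the 8-day default is used only as sample input.
"""
from datetime import timedelta

RENEW_FRACTION = 0.5      # T1: client unicasts a renewal request to its server
REBIND_FRACTION = 0.875   # T2: client broadcasts to any DHCP server


def lease_phase(lease: timedelta, elapsed: timedelta) -> str:
    """Return the lease phase for a client `elapsed` time into a lease."""
    if elapsed < timedelta(0):
        raise ValueError("elapsed cannot be negative")
    frac = elapsed / lease
    if frac >= 1.0:
        return "EXPIRED"        # client must drop the address and restart discovery
    if frac >= REBIND_FRACTION:
        return "REBINDING"      # broadcast DHCPREQUEST to the whole subnet
    if frac >= RENEW_FRACTION:
        return "RENEWING"       # unicast DHCPREQUEST to the server that granted the lease
    return "BOUND"              # nothing to do yet


def renewal_schedule(lease: timedelta) -> dict:
    """T1/T2/expiry offsets from the start of the lease, for a given lease length."""
    return {
        "t1_renew": lease * RENEW_FRACTION,
        "t2_rebind": lease * REBIND_FRACTION,
        "expiry": lease,
    }


if __name__ == "__main__":
    lease = timedelta(days=8)   # Windows 2000 default lease from the guide
    print(renewal_schedule(lease))
    for day in (1, 5, 7, 8):
        print(day, lease_phase(lease, timedelta(days=day)))
```

A client that receives a DHCPNACK at T1 simply stays in RENEWING until T2, which is why the function is driven only by elapsed time.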
Authorization - In Windows 2000, DHCP servers need
to be authorized before they can send out leases. This
prevents an unauthorized DHCP server from appearing on the
network and handing out leases. Only Enterprise Admins can
authorize DHCP servers.
Scopes - A scope is a group of IP addresses that
your DHCP server will be able to hand out.
Reservations - You can reserve a specific IP address
for a client. You will need the MAC address of the client.
DHCP options - Along with an IP address, DHCP can
hand out several other pieces of information, such as:
Subnet Mask
Domain Name
Default Gateway
DNS server
WINS server
NetBIOS node type
Option Classes - DHCP option classes allow you to
give specific options to certain groups of computers. There
are 2 types of option classes, Vendor-defined and
User-defined.
Vendor-defined - allows you to set options based on
the operating system.
User-defined - identify by client type. You can use
this to do things like set a short lease for dialup
connections.
DHCP Relay Agent - used in a routed environment, the
relay agent captures DHCP requests and forwards them to a DHCP
server on another subnet.
DNS (Domain Name System)
DNS is used to resolve fully qualified domain names (FQDN)
to IP addresses, e.g. CERTguide.com resolves to 24.128.102.7.
Windows 2000 uses DNS as its primary means of resolution
including locating domain controllers.
Query Types
Iterative Query - If the DNS server does not have the answer,
it will tell you that it can't help you.
Recursive Query - If the DNS server does not have the answer,
it will go to another DNS server that does.
Lookup Zone Files
Forward Lookup Zone - resolves hostname to IP address
Reverse Lookup Zone - resolves IP address to hostname.
Hosts File - a manually updated text file that contains IP
address to host name mappings. This is how resolution was done
before DNS.
Zone Types
DNS is divided into zones so you can be responsible only
for your section, or zone.
Standard Primary - contains read/write copy of zone file
stored in a text file.
Standard Secondary - contains read only copy of zone file
stored in a text file. Changes are made on the primary and
replicated to the secondary.
Active Directory Integrated - stores zone info in Active
Directory. Changes update with Active directory replication
automatically.
Record Types
A record - hostname to IP address. You must add these manually
if your clients do not update. Also referred to as a host
record.
MX record (Mail Exchanger) - Specifies which server to deliver
mail to.
CNAME (canonical name) record - allows you to give additional
names to an A record. If the server patriots.CERTguide.com
hosts the website for www.CERTguide.com, create a CNAME to map
www to patriots. Also referred to as an alias record.
Start of Authority (SOA record) - controls how often and with
whom replication takes place.
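The record types above, worked through in a toy zone: an A record for the domain, the www-to-patriots CNAME the guide describes, and an MX record. This is an added example, not the Windows 2000 DNS server's code; the zone is constructed here (the 24.128.102.7 address is the guide's, the 192.0.2.x addresses and the loop1/loop2 entries are made up to exercise the CNAME-following and loop-guard logic).

```python
"""Added example: resolving A, CNAME and MX records in a constructed zone.
Not code from the guide; the zone data below is made up for illustration."""

# Constructed zone: name -> list of (record_type, value)
ZONE = {
    "certguide.com": [("A", "24.128.102.7"), ("MX", (10, "mail.certguide.com"))],
    "patriots.certguide.com": [("A", "192.0.2.10")],
    "www.certguide.com": [("CNAME", "patriots.certguide.com")],   # alias record
    "mail.certguide.com": [("A", "192.0.2.25")],
    # deliberate CNAME loop, to show why a resolver needs a depth guard
    "loop1.certguide.com": [("CNAME", "loop2.certguide.com")],
    "loop2.certguide.com": [("CNAME", "loop1.certguide.com")],
}

MAX_CNAME_DEPTH = 8   # guard against CNAME loops


def lookup(name, rtype):
    """Return the values of records of type rtype for name (case-insensitive)."""
    return [v for t, v in ZONE.get(name.lower(), []) if t == rtype]


def resolve_address(name, depth=0):
    """Resolve a hostname to its A-record addresses, following CNAME aliases."""
    if depth > MAX_CNAME_DEPTH:
        raise RuntimeError("CNAME chain too long (possible loop)")
    addrs = lookup(name, "A")
    if addrs:
        return addrs
    for target in lookup(name, "CNAME"):
        return resolve_address(target, depth + 1)
    return []   # no data / name does not exist


def mail_servers(domain):
    """(preference, host, addresses) for a domain's MX records, lowest preference first."""
    return [(pref, host, resolve_address(host))
            for pref, host in sorted(lookup(domain, "MX"))]


if __name__ == "__main__":
    print(resolve_address("www.CERTguide.com"))   # follows the CNAME to patriots
    print(mail_servers("certguide.com"))
```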
Zone Transfer - This is the process of replicating zone
data from one DNS server to another.
Windows 2000 introduces incremental zone transfer (IXFR),
which only transfers changes to the zone instead of the entire
zone.
Subdomain - also known as a child domain. Located below
the domain. tips.CERTguide.com is a subdomain of CERTguide.com.
DDNS (Dynamic DNS) - Windows 2000 includes DNS that
is dynamically updated to prevent having to manually keep the
DNS database current. When a Windows 2000 client boots up, it
will send its info straight to the DNS server to be added.
Windows 9.x and NT clients cannot pass their information
directly to the DNS server, so the DHCP server forwards their
information along to allow them to take advantage of
Dynamic DNS. Dynamic updates are configured at the zone level,
so you can choose to update one or more zones manually if you
prefer.
Caching only servers - look up queries for clients
and cache the information so the clients don't have to keep
going to the server. They are not authoritative for
anything.
WINS (Windows Internet Name Service)
WINS is responsible for resolving NetBIOS names to IP
addresses. When a WINS client boots up it announces itself to
the WINS server. The WINS server stores the name and IP of the
client in the database to hand out on future requests. This
enables you to connect to a server named Appserver by name
instead of having to remember Appserver’s IP address. The WINS
database is dynamic.
WINS is not needed in a purely Windows 2000 environment and
is strictly there for backward compatibility.
WINS servers are required to have static IP addresses.
Name Resolution Nodes
B-Node (broadcast) - uses broadcasts to resolve names (not
recommended for larger networks)
P-Node (peer to peer) - uses WINS only, no broadcasts. No
WINS server, no resolution.
M-Node (mixed) - Broadcast first, then WINS. (not recommended
as you want to minimize broadcasts)
H-Node (hybrid) - uses WINS first, then broadcast.
(recommended as it cuts down broadcasts by trying WINS first
but will resort to broadcast as last resort.)
These node types can be assigned by DHCP or edited in the
registry at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters\Nodetype
The values are:
B-node - 1
P-node - 2
M-node - 4
H-node - 8
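The four node types and their registry values, as an added simulation of the resolution order each one follows. This is not code from the guide or from Windows; the WINS database and the set of hosts that would answer a subnet broadcast are constructed dictionaries standing in for the real server and the real subnet.

```python
"""Added example: NetBIOS name resolution order by node type.
Constructed for illustration; the NodeType values are the registry values
listed in the guide, the name databases below are made up."""

NODE_TYPES = {1: "B-node", 2: "P-node", 4: "M-node", 8: "H-node"}   # NetBT NodeType values

RESOLUTION_ORDER = {
    "B-node": ["broadcast"],
    "P-node": ["wins"],
    "M-node": ["broadcast", "wins"],
    "H-node": ["wins", "broadcast"],
}


def node_type_from_registry(value):
    """Map the NodeType registry value to its name; reject anything else."""
    try:
        return NODE_TYPES[value]
    except KeyError:
        raise ValueError(f"unknown NodeType value {value!r}")


def resolve_netbios(name, node_value, wins_db, local_subnet_hosts):
    """Simulate resolution of one NetBIOS name.

    wins_db: dict NAME->ip registered with the WINS server, or None if no WINS
             server is reachable
    local_subnet_hosts: dict NAME->ip of hosts that would answer a broadcast
    Returns (ip or None, list of methods tried in order).
    """
    key = name.upper()
    steps = []
    for method in RESOLUTION_ORDER[node_type_from_registry(node_value)]:
        steps.append(method)
        if method == "wins" and wins_db is not None and key in wins_db:
            return wins_db[key], steps
        if method == "broadcast" and key in local_subnet_hosts:
            return local_subnet_hosts[key], steps
    return None, steps


if __name__ == "__main__":
    # constructed sample data
    wins = {"APPSERVER": "10.0.0.5"}
    subnet = {"PRINTER": "10.0.0.9"}
    for node in (1, 2, 4, 8):
        print(NODE_TYPES[node], resolve_netbios("Appserver", node, wins, subnet))
```

Counting the "broadcast" entries in the returned step list for each node type is a quick way to see why the guide recommends H-node: it only broadcasts when WINS has no answer.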
LMhosts file - text file that you manually update that
holds NetBIOS name and IP combinations.
Non-WINS clients
DNS Integration - WINS can be integrated with DNS so non-WINS
clients can query the DNS server and the DNS server will get
the answer from WINS.
Static Mappings - You can manually add mappings for
non-windows clients to your WINS database. This will allow
your WINS enabled clients to query the WINS server for things
like UNIX boxes.
WINS Proxy - listens for broadcasts from non-WINS clients,
captures them, gets the info from the WINS server, then
returns the info to the non-WINS client.
WINS Replication - You should have multiple WINS
servers for fault tolerance. These servers can be set up to
replicate the data to each other. WINS replicates changes
only instead of the whole database.
Push Partner - WINS will replicate after a certain number of
changes to the database.
Pull Partner - WINS will replicate at a certain time period
regardless of the number of changes.
Push/Pull Partner - WINS will replicate at a certain number of
changes or at a specified time interval regardless of the
number of changes.
PKI ( Public Key Infrastructure)
Public Key Encryption - Public Key Encryption uses a
2 key method to encrypt data.
Public Key is given out to any user wishing to communicate.
Private Key is kept secret and used to decrypt what was
encrypted with the public key.
ex. I send you my public key, you encrypt data with my public
key and send it to me; only I have the matching private key to
decrypt the data. If the data is intercepted, it is
unreadable.
Public Key Authentication - Public Key Encryption uses
the same 2 key method for authentication.
This is also known as a digital signature. Digital signatures
are very common when visiting websites.
Public Key is sent out to the user to authenticate the sender.
Private key is used to encrypt the data to be sent.
ex. I send you my public key so you can decrypt data that is
encrypted with my private key. I encrypt data using my
private key. You decrypt the data with my public key, thus
verifying that I am who I claim to be.
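Both uses of the key pair described above (encrypt with the public key / decrypt with the private key, and sign with the private key / verify with the public key) as an added example using textbook RSA with the tiny primes 61 and 53, so the arithmetic is visible. This is illustration only, not code from the guide or from Windows 2000 PKI: the primes, exponent and per-byte encryption are constructed for the demo, and real certificates use keys of 2048 bits or more with proper padding.

```python
"""Added example: the two roles of a key pair, with toy RSA (p=61, q=53).
Constructed for illustration; not production cryptography."""
import hashlib


def make_keypair(p=61, q=53, e=17):
    """Return ((e, n), (d, n)). p and q are assumed prime (toy values)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # private exponent: e*d == 1 (mod phi)
    return (e, n), (d, n)


def encrypt(public_key, message: bytes):
    """Anyone holding the PUBLIC key can encrypt; each byte becomes one integer."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    """Only the PRIVATE key holder can recover the plaintext."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def sign(private_key, message: bytes) -> int:
    """Signing applies the PRIVATE key to a digest of the message."""
    d, n = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(digest, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verification applies the PUBLIC key: recover the digest and compare."""
    e, n = public_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big") % n
    return pow(signature, e, n) == digest


if __name__ == "__main__":
    pub, priv = make_keypair()
    ct = encrypt(pub, b"hello")          # you encrypt with my public key
    print(ct, decrypt(priv, ct))          # only my private key gets it back
    sig = sign(priv, b"hello")           # I sign with my private key
    print(verify(pub, b"hello", sig))    # you verify with my public key
```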
CA (Certificate Authority) - A Certificate Authority
is responsible for assigning the keys for encryption,
decryption and authentication. There are 2 types of CAs,
Enterprise and Stand-Alone. Each of these types can have a
root CA and subordinate CAs. The types and their
characteristics:
Enterprise Root CA - Top level CA. An Enterprise CA requires
Active Directory, so it should be used in your internal
Windows 2000 network.
Enterprise Subordinate CA - Obtains its CA certificate from
the Enterprise root. An Enterprise CA requires Active
Directory, so it should be used in your internal Windows 2000
network.
Stand-Alone Root CA - Top level CA. A Stand-Alone CA does not
require Active Directory and thus can be used for people
connecting from outside your network (i.e. the Internet or an
extranet).
Stand-Alone Subordinate CA - Obtains its CA certificate from
the Stand-Alone root. A Stand-Alone CA does not require
Active Directory and thus can be used for people connecting
from outside your network (i.e. the Internet or an extranet).
IPSec (Internet Protocol Security)
IPSec is a method of encrypting IP packets. If packets are
captured while going across the network, they will not be able
to be read. In Windows 2000, IPSec is enforced by setting a
policy in the IP Security Policy Management snap-in to the
Management Console.
Predefined Policies.
Client - A computer will only respond using IPSec if
another computer requests it.
Server - A computer will always respond using IPSec but
will accept unsecured traffic.
Secure Server - A computer will not accept any
unsecured traffic and will only send out secured traffic.
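The three predefined policies above, worked into a decision table that shows what happens when two hosts with given policies talk. This is an added example, not Microsoft's negotiation code: "None" (no policy assigned) is an extra row added here, and each policy is modelled by two assumed flags, whether it requests IPSec and whether it accepts unsecured traffic.

```python
"""Added example: outcome of the predefined IPSec policies for a pair of hosts.
Constructed decision table; not the Windows 2000 IPSec implementation."""

POLICIES = {
    # name: (requests_ipsec, accepts_unsecured)
    "None":          (False, True),   # no IPSec policy assigned at all
    "Client":        (False, True),   # respond only: secures if the peer asks
    "Server":        (True,  True),   # requests IPSec, falls back to clear
    "Secure Server": (True,  False),  # requires IPSec in both directions
}


def responds_to_ipsec(policy):
    """Any assigned policy negotiates IPSec when asked; a host with none cannot."""
    return policy != "None"


def session_outcome(initiator_policy, responder_policy):
    """Return 'secured', 'unsecured' or 'blocked' for an initiator/responder pair."""
    init_requests, init_accepts_clear = POLICIES[initiator_policy]
    resp_requests, resp_accepts_clear = POLICIES[responder_policy]
    either_requests = init_requests or resp_requests
    both_can_ipsec = responds_to_ipsec(initiator_policy) and responds_to_ipsec(responder_policy)
    if either_requests and both_can_ipsec:
        return "secured"          # someone asked for IPSec and both sides can do it
    if init_accepts_clear and resp_accepts_clear:
        return "unsecured"        # nobody insisted, so traffic flows in the clear
    return "blocked"              # a Secure Server side refuses to talk unsecured


def outcome_matrix():
    """All 16 initiator/responder combinations."""
    names = list(POLICIES)
    return {(a, b): session_outcome(a, b) for a in names for b in names}


if __name__ == "__main__":
    for (a, b), result in outcome_matrix().items():
        print(f"{a:14} -> {b:14}: {result}")
```

The row to look at first is ("Client", "Client"): two respond-only hosts never secure anything, because neither side ever asks.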
IPSec can be used in 2 modes, transport and tunnel.
Transport Mode - This is the default mode for IPSec.
It provides secured communication between computers running
Windows 2000.
Tunnel Mode - Enforces IPSec policies for all Internet
traffic. Supports most legacy Operating Systems. Windows
2000 Routing and Remote Access is necessary on machines at
each end of the tunnel.
Encryption Schemes -
Authentication Encryption Schemes include SHA and MD5.
SHA (Secure Hash Algorithm) - uses 160-bit encryption.
High performance overhead.
MD5 (Message Digest 5) - Most widely used. Uses
128-bit encryption and has low overhead.
Packet Encryption choices include 56-bit DES, 40-bit DES
and 3DES.
56-bit DES (56-bit Data Encryption Standard) - used for
most exported applications and E-mail. Low security using a
single 56-bit key.
40-bit DES (40-bit Data Encryption Standard) - used for
exports to France. Low security using a single 40-bit key.
3DES (Triple Data Encryption Standard) - Most secure,
using three 56-bit keys. Processes data 3 times using a
different key each time. High processor overhead.
RAS (Remote Access Service)
Windows 2000 supports several remote access protocols
including:
PPP (Point to Point Protocol) - most common Remote
Access protocol. Allows for multivendor environments.
SLIP (Serial Line Internet Protocol) - not supported on
the server, only the client. Mostly used for telnet.
Microsoft RAS - Clients must use NetBEUI. Server acts
as gateway to connect to NetBEUI, TCP/IP, or IPX/SPX.
ARAP (AppleTalk Remote Access Protocol) - A Windows
2000 server running ARAP can accept connections from Macintosh
clients.
Windows 2000 RAS supports several LAN protocols including:
TCP/IP
NetBEUI
NWlink
AppleTalk
Permissions can be set to allow access, deny access or control
through Remote Access Policy. (control through RAS policy only
available in native mode)
Caller ID can be enabled to check for a specific number
before accepting connection. (only available in native mode)
RAS can be configured to call user back at a specific
number to complete connection.
RAS can be set to assign a static IP address if a client
requires a specific IP.
Windows 2000 RAS supports multilink in which several
connections can be combined to increase bandwidth. Both
client and server need to have multilink enabled.
BAP (bandwidth Allocation Protocol) - works with multilink
to provide bandwidth on demand by adding or dropping links as
needed.
Remote Access Authentication Protocols
PAP (Password Authentication Protocol) - uses clear
text passwords. Provides little security.
SPAP (Shiva Password Authentication Protocol) - more
secure than PAP. Used to connect a Shiva LANRover to Windows
2000. Medium security.
CHAP (Challenge Handshake Authentication Protocol) -
uses the industry standard MD5 1-way encryption scheme to
encrypt the response. Highly secure.
MS-CHAP (Microsoft Challenge Handshake
Authentication Protocol) - 1-way encrypted password. This
is enabled by default on a Windows 2000 server running RAS.
Highly secure.
MS-CHAP v2 (Microsoft Challenge Handshake Authentication
Protocol v2) - Strong encryption. Windows 2000 clients use
this by default for dialup. Windows 2000, NT4 and Win98
clients use this by default for VPN. Highly secure.
EAP (Extensible Authentication Protocol) - Client and
server negotiate the Authentication method to include MD5
username and password encryption, smart-cards, token cards,
retina or fingerprint scanners and other third party
authentication technologies.
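What PAP and CHAP each put on the wire, as an added example. The CHAP computation follows RFC 1994 (Response = MD5 of Identifier, shared secret and Challenge); this is not the Windows 2000 RAS implementation, and the user name, secret and fixed test challenge are constructed values. MS-CHAP and MS-CHAP v2 differ from this in how the password is hashed and are not modelled here.

```python
"""Added example: PAP clear-text exchange beside CHAP's MD5 challenge/response
(RFC 1994). Constructed for illustration; not Windows 2000 RAS code."""
import hashlib
import os


def pap_wire_message(username: str, password: str) -> bytes:
    """PAP sends the password itself: anyone capturing the link reads it."""
    return username.encode() + b":" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(secret_on_client: bytes, secret_on_server: bytes,
                  identifier: int = 1, challenge: bytes = None):
    """Run one CHAP round. Returns (authenticated, wire_challenge, wire_response).

    The shared secret never appears in the two wire values; the server only
    checks that the client's response matches what it computes itself.
    """
    if challenge is None:
        challenge = os.urandom(16)      # server picks a fresh random challenge each time
    response = chap_response(identifier, secret_on_client, challenge)   # client side
    expected = chap_response(identifier, secret_on_server, challenge)   # server side
    return response == expected, challenge, response


if __name__ == "__main__":
    secret = b"s3cret"   # constructed shared secret
    print("PAP on the wire:", pap_wire_message("john", "s3cret"))
    ok, ch, resp = chap_exchange(secret, secret)
    print("CHAP on the wire:", ch.hex(), resp.hex(), "auth ok:", ok)
```

Because the challenge changes every time, a captured CHAP response is useless for a later logon; a captured PAP message is the password.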
Remote Access Data Encryption Protocols
MPPE (Microsoft Point to Point Encryption) - Encrypts
data moving between a PPTP connection and a VPN server. Can
use 128-bit, 56-bit or 40-bit encryption.
IPSec (Internet Protocol Security) -
see above
IP Addressing - RAS can hand out IP addresses using 3
methods:
Static IP address - IP address is configured on the
client. Not recommended because of the administration.
IP address Range - assign a range of addresses to the
RAS server to be able to give out.
DHCP addressing - RAS will get addresses for its
clients from a DHCP server. Highly recommended as there is
only one pool of IP addresses to maintain.
Remote Access Policies - RAS Policies consist of
Conditions, permissions and profile.
Conditions - Conditions include things like time, user
groups, IP addresses, caller ID's that must be matched for
client to connect.
Permissions - RAS policy permissions work in
conjunction with a user's dial-in permissions in Active
Directory. Dial-in permissions will override RAS Policy
permissions. i.e. The sales group is granted remote access
through a policy from 9:00 to 5:00. John, a member of the
sales group, is given 24 hour access in Active Directory. John
will have 24 hour access.
Profiles - This contains settings such as time limits,
authentication and encryption protocols.
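The conditions / permissions / profile model above, including the guide's John example, as an added evaluation routine. It is not Microsoft's policy engine: the three dial-in settings ("allow", "deny", "policy"), the group and hour conditions, and the sample users and policy are all constructed here, and the override rule implemented is the one the guide states (the Active Directory dial-in setting wins over the policy).

```python
"""Added example: combining a user's AD dial-in setting with a remote access
policy (conditions, permission, profile). Constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    groups: set            # condition: user must be in one of these groups
    hours: range           # condition: hour of day, range(9, 17) = 9:00 to 16:59
    grant: bool            # permission: grant or deny when the conditions match
    profile: dict = field(default_factory=dict)   # e.g. session limits, auth protocols


@dataclass
class User:
    name: str
    groups: set
    dial_in: str           # "allow", "deny" or "policy" (control through RAS policy)


def evaluate(user: User, policies: list, hour: int):
    """Return (allowed, reason, profile) for a connection attempt at `hour`."""
    matched = next((p for p in policies
                    if user.groups & p.groups and hour in p.hours), None)
    if user.dial_in == "allow":            # AD setting overrides the policy
        return True, "AD dial-in: allow", matched.profile if matched else {}
    if user.dial_in == "deny":
        return False, "AD dial-in: deny", {}
    if matched is None:                    # control through policy, nothing matched
        return False, "no matching policy", {}
    return matched.grant, f"policy '{matched.name}'", matched.profile if matched.grant else {}


if __name__ == "__main__":
    # constructed sample: the guide's sales-hours policy and user John
    sales_hours = Policy("Sales hours", {"sales"}, range(9, 17), True,
                         {"max_session_minutes": 120})
    john = User("john", {"sales"}, "allow")     # 24-hour access granted in AD
    mary = User("mary", {"sales"}, "policy")    # access controlled by policy
    for hour in (10, 22):
        print(hour, evaluate(john, [sales_hours], hour), evaluate(mary, [sales_hours], hour))
```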
IAS (Internet Authentication Service) - IAS in
conjunction with Routing and Remote Access Service provide
support for RADIUS (Remote Authentication Dial-in User
Service). RADIUS is used for authentication of users outside
of the internal network. IAS also allows for tracking of
connections for things like usage for billing purposes and
auditing for security purposes.
VPN (Virtual Private Networks)
A VPN is a tunnel between two systems. The data that passes
between the systems is encrypted. This allows for secure
communication across a public network such as the Internet.
VPNs use either PPTP or L2TP.
PPTP (Point to Point Tunneling Protocol) - only works
on IP networks. Uses built-in PPP encryption.
L2TP (Layer 2 Tunneling Protocol) - works on IP, Frame
Relay, X.25 or ATM. Uses IPSec encryption.
Using Windows 2000 as a Router
A multihomed (multiple network cards) Windows 2000 server
can be used as a router. A router forwards IP packets between
network segments. This functionality is greatly increased
over NT4.0.
Routing Table - A routing table contains entries for
all of the networks that the router knows about and how to get
a packet there. Entries are put into this table by default
for networks that the router is directly connected to. Other
networks have to be added to the routing table for packets to
be sent there. Type 'route print' from the command prompt to
see your system's routing table.
Static Routing - You manually add entries to your
routing table. If a route changes, the table must be
updated. This is OK for small networks, but is not
recommended for large networks because of the administration.
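A routing table lookup with longest-prefix match, as an added example of what the table from route print is used for. The listing below is constructed in the shape of the active-routes section of route print (destination, netmask, gateway, interface, metric) with made-up networks; the parser and lookup are illustration only, not Windows' forwarding code.

```python
"""Added example: static routing table lookup (longest-prefix match, then
lowest metric) over a constructed route print-style listing."""
import ipaddress

# Constructed sample: two directly connected networks, one static route, one default route
ROUTE_PRINT_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10       1
      192.168.1.0    255.255.255.0     192.168.1.10    192.168.1.10       1
      192.168.2.0    255.255.255.0     192.168.2.10    192.168.2.10       1
         10.0.0.0        255.0.0.0      192.168.2.1    192.168.2.10       1
"""


def prefix_length(netmask: str) -> int:
    """Dotted netmask -> prefix length (masks are assumed contiguous)."""
    return bin(int(ipaddress.IPv4Address(netmask))).count("1")


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) from the listing."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue                       # skip header and blank lines
        dest, mask, gw, iface, metric = parts
        network = ipaddress.ip_network(f"{dest}/{prefix_length(mask)}", strict=False)
        routes.append((network, ipaddress.ip_address(gw),
                       ipaddress.ip_address(iface), int(metric)))
    return routes


def next_hop(routes, destination):
    """Pick the most specific matching route; ties go to the lowest metric.
    Returns (gateway, interface) as strings, or None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))
    return str(best[1]), str(best[2])


if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT_SAMPLE)
    for dst in ("192.168.2.50", "10.5.6.7", "8.8.8.8"):
        print(dst, "->", next_hop(table, dst))
```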
Demand Dial Routing- A Windows 2000 router can be
configured to dial out to another router across the public
phone network. This connection will only be made when there
is a request to send information across that line. One nice
feature is that you can restrict it to certain times or
protocols so if you only want a connection to be made for you
daily file transfer, you can restrict the demand-dial to only
dial up for FTP.
RIP (Routing Information Protocol) - dynamically updates
routers with routing change info. Uses a routing table. RIP
v1 uses broadcast to send its updates while RIP v2 uses
multicast. Easy to set up and manage but not very scalable, as
it causes a lot of traffic with updates.
OSPF (Open Shortest Path First) - dynamically updates
routers with routing change info. Uses a link-state database.
Complex to set up and manage but works well in an
enterprise class network, as it only announces changes to its
routes as opposed to announcing all routes.
Packet Filtering - Filters can be put in place to block
certain types of traffic on certain interfaces. ex. You can
set a filter on a web server to only accept traffic on port
80 (the default HTTP port).
Configure Internet Access for your Network
Using Windows 2000 as a router can allow your network to
connect to the Internet. The problem with this is that each
client will need a live IP address to connect. Here are some
other options that Windows 2000 offers to avoid each client
needing a registered IP address.
NAT (Network Address Translation) - Windows 2000
includes NAT which allows you to use a private IP scheme on
your internal network yet still connect to the Internet. Many
computers can access the Internet using a single registered
IP.
The server running NAT will receive the requests from the
internal client. The NAT server will replace the header info
with its own and send the packet to the Internet and store the
information about who made the request in a mapping table.
When the NAT server gets the response, it sends it back to the
client that had the original request by obtaining its info
from the mapping table.
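The mapping table walk-through above as an added simulator: an outbound packet gets the server's public address and a fresh port, the mapping is remembered, and a reply is rewritten back to the internal client. This is not the Windows 2000 NAT service's code; packets are plain dictionaries, the private 192.168.0.x addresses and the public address 203.0.113.5 are constructed, and the port allocation scheme (sequential from 50000) is an assumption made for the demo.

```python
"""Added example: a NAT mapping table for outbound flows and their replies.
Constructed for illustration; not the Windows 2000 NAT implementation."""


class Nat:
    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}   # (private_ip, private_port, dst_ip, dst_port) -> public_port
        self.inbound = {}    # (public_port, dst_ip, dst_port) -> (private_ip, private_port)

    def translate_out(self, packet):
        """Rewrite a client packet's source to the public address; remember who sent it."""
        key = (packet["src"], packet["sport"], packet["dst"], packet["dport"])
        port = self.outbound.get(key)
        if port is None:                      # first packet of this flow: allocate a port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[(port, packet["dst"], packet["dport"])] = (packet["src"], packet["sport"])
        return {**packet, "src": self.public_ip, "sport": port}

    def translate_in(self, packet):
        """Map a reply back to the internal client; drop anything with no mapping."""
        key = (packet["dport"], packet["src"], packet["sport"])
        entry = self.inbound.get(key)
        if entry is None:
            return None                       # unsolicited inbound traffic: no mapping, dropped
        private_ip, private_port = entry
        return {**packet, "dst": private_ip, "dport": private_port}


if __name__ == "__main__":
    nat = Nat("203.0.113.5")   # constructed single registered address
    out = nat.translate_out({"src": "192.168.0.10", "sport": 40000,
                             "dst": "198.51.100.7", "dport": 80})
    print("to Internet:", out)
    back = nat.translate_in({"src": "198.51.100.7", "sport": 80,
                             "dst": "203.0.113.5", "dport": out["sport"]})
    print("to client:", back)
```

The None returned by translate_in is the side effect administrators rely on: a host on the Internet cannot reach an internal client unless that client opened the flow first.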
Internet Connection Sharing - Internet Connection
Sharing is similar to NAT but is not very flexible. It is good
for a very small network or a home connection. It
automatically assigns IP addresses from a predefined IP
scheme.
Proxy Server - Proxy Server is similar to NAT in
that it fulfills requests for the clients. However Proxy uses
caching so that multiple requests for the same information do
not have to keep going out to the Internet. Also Proxy Server
analyzes packets so you can set security restrictions such as
protocol, user, time, Port #, domain name or IP address.