Chapter I Installing and Deploying XP Professional
Only Windows 2000, NT4 (SP6), 98 and ME can upgrade to XP.
Chkupgrd.exe tool – Readiness Analyzer
• Click Upgrade options
• D:\i386\winnt32.exe /checkupgradeonly
Press F6 during text-mode Setup to load third-party SCSI/RAID controller drivers.
Supported file systems: FAT, FAT32 and NTFS. NTFS adds compression, quotas, encryption, mount points and remote storage.
Uninstall
• Cannot uninstall if the volume was converted from FAT to NTFS.
• Cannot uninstall back to NT/2000.
• Can uninstall back to 98/ME.
• Applications added or removed after the upgrade will behave strangely once XP is uninstalled.
winnt.exe (16-bit, run from DOS):
• /u:answer_file
• /s:sourcepath - points to the location of the XP installation files.
• /udf:id[,udf_file] - used together with a Uniqueness Database File (UDF), whose values override those in the answer file.
winnt32.exe (32-bit, run from Windows 98 or 2000):
• /unattend
• /makelocalsource - copies the contents of the CD-based installation to the local hard drive for later use, when the CD is not available.
• /dudisable - turns off the Dynamic Update function on the client being installed.
• /duprepare:pathname - prepares a network share with downloaded Dynamic Update files for use by later installations.
• /dushare:pathname - tells Setup to take its Dynamic Update files from that prepared share instead of the Windows Update site.
The Setup Manager utility records answers to the Setup prompts and saves them as Unattend.txt.
• Agree to EULA
• Input ID
• Create a distribution share point
• Create unique computer name for a Uniqueness DB File – UDF
• Add 3rd party PnP drivers
• Add printers, scripts, batch files and other commands to distribution share point
On the XP CD, open Support\Tools\Deploy.cab and extract Setupmgr.exe.
1. Use a network boot disk to connect the target computer to the network.
2. Next, use the net use command to map to the distribution share point using an available drive letter.
3. Switch the command prompt to the mapped drive letter (such as I:) and use the following as an example to launch an unattended install for a computer called computer1:
I:\WINNT.EXE /s:I:\i386 /u:unattend.txt /udf:computer1,unattend.udb
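The following is an added example (not from the original notes) of what the /udf:id switch in the command above actually does: it takes a per-computer section set from the UDF and lays it over the shared Unattend.txt values. Both files below are constructed samples in the standard INI layout of these files (a [UniqueIds] section mapping an id to the sections it overrides, then [id:Section] blocks); the key names are the usual answer-file keys, and merge_udf and unattended_command are helper names chosen here.

```python
"""Added example, not from the page: how the /udf:id switch overrides values
in Unattend.txt. The answer file and the UDF below are constructed samples in
the documented INI layout: a UDF has a [UniqueIds] section mapping each id to
the section names it overrides, followed by [id:Section] blocks holding the
per-computer values."""
import configparser

# Constructed sample Unattend.txt, shared by every computer in the rollout
UNATTEND_TXT = """
[Unattended]
UnattendMode=FullUnattended
TargetPath=\\WINDOWS

[UserData]
FullName=Lab User
OrgName=Example Lab
ComputerName=CHANGEME

[Identification]
JoinWorkgroup=WORKGROUP
"""

# Constructed sample unattend.udb with one entry per target computer
UNATTEND_UDB = """
[UniqueIds]
computer1=UserData,Identification
computer2=UserData

[computer1:UserData]
ComputerName=computer1

[computer1:Identification]
JoinWorkgroup=LABGROUP

[computer2:UserData]
ComputerName=computer2
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return cp


def merge_udf(answer_text, udf_text, uid):
    """Return {section: {key: value}} as Setup sees it for /udf:uid.
    Values in [uid:Section] replace or add to the answer file's values;
    sections the UDF does not list are used unchanged."""
    answer = _parse(answer_text)
    udf = _parse(udf_text)
    if uid not in udf["UniqueIds"]:
        raise KeyError(f"id {uid!r} is not listed in [UniqueIds]")
    result = {s: dict(answer[s]) for s in answer.sections()}
    for section in udf["UniqueIds"][uid].split(","):
        section = section.strip()
        result.setdefault(section, {}).update(udf[f"{uid}:{section}"])
    return result


def unattended_command(drive, uid, udf_name="unattend.udb"):
    """Build the winnt.exe command line from the page for the chosen id."""
    return (f"{drive}:\\WINNT.EXE /s:{drive}:\\i386 "
            f"/u:unattend.txt /udf:{uid},{udf_name}")


if __name__ == "__main__":
    for uid in ("computer1", "computer2"):
        merged = merge_udf(UNATTEND_TXT, UNATTEND_UDB, uid)
        print(unattended_command("I", uid))
        print("   ComputerName =", merged["UserData"]["ComputerName"],
              "| JoinWorkgroup =", merged["Identification"]["JoinWorkgroup"])
```

Running it prints the command line for each id and the merged values; computer2 keeps the shared WORKGROUP entry because its UDF entry only overrides [UserData]. An id that is missing from [UniqueIds] raises, which is the situation in which real Setup stops and prompts.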
System Preparation Tool (Sysprep) prepares a master image of a computer that contains XP Professional and any software applications that users might need.
First create a folder called sysprep in %systemdrive% (for example, c:\sysprep).
On the XP CD, open Support\Tools\Deploy.cab and extract Sysprep.exe.
Running sysprep.exe removes all unique parameters from the computer and then shuts it down. Reboot the computer with a disk-imaging boot disk and create an image of it.
After you have applied an image to a computer, a Mini-Setup Wizard runs. Use Setup Manager to create an answer file called Sysprep.inf and save it on a floppy disk or in C:\sysprep. This file supplies the settings that answer all of the Mini-Setup Wizard's prompts.
Remote Installation Services (RIS)
Press the F12 key during boot to locate a RIS server and start the installation.
RIS requires a DHCP server, DNS (clients locate the RIS server through Active Directory), Active Directory itself, and a non-system partition of at least 2 GB for the images.
Steps on a Windows 2000 server:
• Add component Remote Installation Services
• Run risetup.exe to copy XP image.
• Log on as a domain administrator and launch Start|Programs|Administrative Tools|Active Directory Users and Computers. Next, right-click the RIS server's computer object and select Properties. Click the Remote Install tab and select the Respond to Client Computers Requesting Service option.
Riprep.exe limitations:
• It can only make an image of the C partition of a computer.
• When you apply the image to a computer via RIS, any existing partitions are deleted. The entire hard drive is repartitioned as a single partition and then is formatted with NTFS.
Connect to the REMINST share point on the RIS server and run riprep.exe from \\<RIS server>\REMINST\Admin\I386\riprep.exe.
RIS client
• Install a PCI network adapter that contains a Preboot Execution Environment (PXE) boot ROM.
• Use the rbfg.exe utility to create a RIS boot disk. After you have installed RIS, you can find the utility in RemoteInstall\Admin\i386\rbfg.exe.
User State Migration Tool (USMT)
One folder houses the scanning portion and another handles the loading portion of the process. Into the scanning folder, copy the following files from the ValueAdd\MSFT\USMT folder on the XP CD:
• Scanstate.exe
• *.dll
• *.inf
In the loading folder, copy the following files from the same location:
• Loadstate.exe
• *.dll
• MigUser.inf
Scanstate /I .\migapp.inf /I .\migsys.inf /I .\migfiles.inf /I .\sysfiles.inf \\
Loadstate /I .\miguser.inf \\
In Windows 2000/XP, you can deploy software through Group Policy Objects (GPOs).
The process of combining XP installation files with a Service Pack is called slipstreaming. You apply a SP to a distribution share of the installation files by executing update.exe /s.
Use Qchain.exe to install several hotfixes (not Service Packs) in sequence without rebooting between each one.
Two types of files are downloaded by Dynamic Update:
• Replacement files — Files that are typically DLLs that replace the errant files located on the CD-ROM. These replacement files are flagged to replace files that need critical fixes or updates.
• Device drivers — these files are new device drivers that were not available on the CD-ROM. Any updates to existing device drivers are not available through Dynamic Update.
• The client needs to be running Internet Explorer 4.1 or later, specifically later versions of the following two files: Wininet.dll and Shlwapi.dll.
If you “significantly overhaul” your hardware, you will need to reactivate your system within 30 days.
• Windows Update is a manual, user-initiated update.
• Automatic Updates
• Dynamic Update happens during XP installation.
Chapter II Establishing, Configuring, and Managing Resources
Members of the Administrators group and the Power Users group are the only users who have the right to create shared network folders.
Simple File Sharing
• Enabled by default when the computer is stand-alone or a member of a workgroup. Share and NTFS permissions are set as one.
• Disabled when the computer is a member of a Windows domain. Share and NTFS permissions are then separate. It is better to leave the share permission at Everyone: Full Control and fine-tune the NTFS permissions.
• Enabled after an upgrade from 98/ME when the computer is not in a domain.
• Disabled after an upgrade from NT/2000.
Simple File Sharing creates a Shared Documents folder, inside of which it creates two subfolders, Shared Pictures and Shared Music. Disable it from Tools|Folder Options|View.
XP Professional permits a maximum of 10 concurrent network connections per share.
The Security tab of an NTFS folder’s properties dialog box is not displayed when Simple File Sharing is enabled and the computer is not a member of a Windows domain.
Create shared folders from the Shared Folders MMC snap-in: right-click the My Computer icon and select Manage.
Hidden or administrative shares
• Not shown when browsing the network; administrators connect to them by name.
• An administrator can create one by appending $ to the share name.
• C$, D$, ADMIN$, IPC$, print$
net share share_name=x:\folder_name
net use X: \\servername\sharename
Server side:
Allow Caching Of Files In This Shared Folder
• Automatic Caching Of Documents
• Automatic Caching Of Programs And Documents
• Manual Caching Of Documents—This is the default caching setting.
Client side:
The default cache size is configured as 10% of the client computer’s available disk space. You can change this setting by selecting Tools|Folder Options|Offline Files tab.
The Offline Files feature is also known as Client-Side Caching (CSC). The default location on XP computers for storage of offline files is %systemroot%\CSC (for example, C:\Windows\CSC). You can use the Cachemov.exe tool from the Windows 2000 Professional Resource Kit, or the Windows 2000 Server Resource Kit to relocate the CSC folder onto a different drive volume.
In Windows XP, the Offline Files feature cannot be turned on if Fast User Switching is enabled.
Go to shared folder, and select Make Available Offline
NTFS permissions are broken down into access control list (ACL) settings and access control entries (ACEs). The ACL details “who” (user or group) is granted access to an object. ACEs detail the specific permission entries (read, write, and so on) for each specific object (folder or file, for example).
Standard NTFS permissions: Read, Read and Execute, List Folder Contents (folders only), Write, Modify, and Full Control.
Permissions are inherited implicitly from the parent, but can be overridden with explicit permissions. If the checkboxes on the Security tab under Permissions are shaded, the file or folder has inherited those permissions from the parent folder.
NTFS security permissions are cumulative. Users obtain permissions by having them assigned directly to their user accounts, in addition to obtaining permissions via group memberships.
Just as Deny permissions always take precedence over Allow permissions, explicit permissions always override inherited permissions.
The %systemroot% folder (for example, C:\Windows) is automatically assigned special default security permissions for the following groups: Administrators, System, and Creator Owner.
If you upgrade from Windows NT 4 Workstation to XP Professional, all existing users become members of the local Power Users group under XP to allow them to run noncertified applications.
Default permissions on the root of every NTFS volume:
• System—Full Control with inherited permissions from parent folder
• Administrators—Full Control with inherited permissions from parent folder
• Creator Owner—Full Control with inherited permissions from parent folder
• Everyone—Read and Execute with no inherited permissions from parent folder
• Users—Read and Execute with inherited permissions from parent folder
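The following is an added example (not from the original notes) that turns the permission rules above into code: a small model of how NTFS settles a user's effective permissions, the same result the Effective Permissions tab shows. It applies the rules stated on the page (rights accumulate across the user and all groups, Deny beats Allow, explicit beats inherited) in the canonical ACE order Windows evaluates: explicit Deny, explicit Allow, inherited Deny, inherited Allow. One consequence worth knowing is that an explicit Allow outranks a Deny that is merely inherited. The group and user names, the sample ACL, and the ACE, effective_rights and has_permission names are all constructed here; the granular rights each standard permission bundles are a simplification of the real ones.

```python
"""Added example, not from the page: a simplified model of how NTFS works out a
user's effective permissions. It applies the rules stated above (rights
accumulate across the user and all groups, Deny beats Allow, explicit beats
inherited) in the canonical ACE order Windows uses: explicit Deny, explicit
Allow, inherited Deny, inherited Allow. An explicit Allow therefore outranks a
Deny that is merely inherited. Group names and the sample ACL are constructed;
the rights each standard permission bundles are a simplification."""
from dataclasses import dataclass

_READ = {"read_data", "read_attributes", "read_permissions"}
_READ_EXEC = _READ | {"execute"}
_WRITE = {"write_data", "append_data", "write_attributes"}
RIGHTS = {
    "Read": _READ,
    "Read and Execute": _READ_EXEC,
    "List Folder Contents": _READ_EXEC,   # folders only
    "Write": _WRITE,
    "Modify": _READ_EXEC | _WRITE | {"delete"},
    "Full Control": _READ_EXEC | _WRITE
                    | {"delete", "change_permissions", "take_ownership"},
}


@dataclass(frozen=True)
class ACE:
    trustee: str       # user or group name
    kind: str          # "Allow" or "Deny"
    permission: str    # a key of RIGHTS
    inherited: bool = False


def effective_rights(acl, user, groups):
    """Granular rights `user` ends up with. Each right is settled by the first
    ACE, in canonical order, that names the user or one of the user's groups."""
    principals = {user, *groups}
    # False sorts before True: explicit before inherited, Deny before Allow
    ordered = sorted(acl, key=lambda a: (a.inherited, a.kind == "Allow"))
    decided = {}
    for ace in ordered:
        if ace.trustee not in principals:
            continue
        for right in RIGHTS[ace.permission]:
            decided.setdefault(right, ace.kind == "Allow")
    return {right for right, allowed in decided.items() if allowed}


def has_permission(acl, user, groups, permission):
    """True when every right bundled in `permission` is effectively allowed."""
    return RIGHTS[permission] <= effective_rights(acl, user, groups)


# Constructed ACL for a folder below the volume root: the inherited entries
# mirror the default root permissions listed above, plus explicit entries.
PROJECT_ACL = [
    ACE("System", "Allow", "Full Control", inherited=True),
    ACE("Administrators", "Allow", "Full Control", inherited=True),
    ACE("Creator Owner", "Allow", "Full Control", inherited=True),
    ACE("Users", "Allow", "Read and Execute", inherited=True),
    ACE("Interns", "Deny", "Read", inherited=True),
    ACE("Developers", "Allow", "Modify"),
    ACE("Contractors", "Deny", "Write"),
    ACE("carol", "Allow", "Read"),
]

if __name__ == "__main__":
    checks = [
        ("alice", {"Users", "Developers"}, "Modify"),
        ("bob", {"Users", "Developers", "Contractors"}, "Write"),
        ("bob", {"Users", "Developers", "Contractors"}, "Read and Execute"),
        ("carol", {"Interns"}, "Read"),
        ("dave", {"Interns"}, "Read"),
    ]
    for user, groups, perm in checks:
        print(f"{user:6} {perm:17} -> {has_permission(PROJECT_ACL, user, groups, perm)}")
```

bob illustrates the cumulative-plus-Deny case: his Developers membership grants Modify, but the explicit Deny on Contractors removes only the Write rights, so he keeps Read and Execute and Delete. carol shows the caveat: her explicit Allow beats the inherited Deny on Interns, while dave, who has only the inherited Deny, gets nothing.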
In a workgroup, user and group accounts are saved in a local database, whereas in a domain accounts are centrally managed.
A Windows Active Directory domain maintains a domain-wide database of users and groups that is referred to as the directory. The Active Directory database is physically stored on domain controller computers. The Active Directory database is replicated and synchronized with all the other domain controllers within a domain.
The best practice is to always assign NTFS security permissions to groups rather than to individual users.
Moving or copying files and folders from NTFS to network drives or non-NTFS volumes results in the loss of all NTFS security permission settings.
• Moving within the same NTFS volume: objects retain their permissions from the source folder.
• Moving to a different NTFS volume: objects inherit their permissions from the destination folder.
• Copying within the same NTFS volume: objects inherit their permissions from the destination folder.
• Copying to a different NTFS volume: objects inherit their permissions from the destination folder.
Xcopy.exe offers /O and /X options that retain an object’s NTFS permissions, in addition to inheriting the destination folder’s permissions. The /X switch also retains any auditing settings.
To retain only an object’s source permissions without inheriting any permission from the destination folder, use the Scopy.exe tool or the Robocopy.exe tool from the Windows 2000 Professional Resource Kit or the Windows 2000 Server Resource Kit.
From the Advanced Security Settings dialog box, you can view effective permissions by clicking the Effective Permissions tab, or change ownership from Owner tab.
View the security log with the Event Viewer snap-in of the MMC. By default, auditing is turned off. Auditing for the local XP system is enabled through the Local Security Settings snap-in of the MMC.
IIS 5.1 ships with XP Professional but is not installed by default.
Under %systemroot%\system32\drivers\etc, the HOSTS file maps DNS host computer names to IP addresses. A LMHOSTS file maps NetBIOS computer names to IP addresses.
To back up the IIS metabase, right-click the computer name root container and select All Tasks|Backup/Restore Configuration. The backup is stored as a file with the .md0 extension, and the default backup location is %systemroot%\system32\inetsrv\metaback.
The WebDAV (Web Distributed Authoring and Versioning) protocol acts as a redirector that enables users to open and save documents via HTTP port 80.
Users can encrypt files stored in Web Folders.
net use lptx: \\print_server_name\printer_share_name
Users may manage only their own print jobs, unless they are members of the Administrators group or the Power Users group (for standalone and workgroup), or members of the Print Operators group or the Server Operators group (for domain). Users can also manage other users’ print jobs if they have been granted the Allow Manage Documents permission.
Internet Printing Protocol (IPP) gives users the ability to print over an Internet connection. IIS version 5 or later must be running on the print server computer.
Chapter III Setting Up, Managing, and Troubleshooting Security Accounts and Policies
Local Users and Groups snap-in in MMC
Four local users exist by default: Administrator, HelpAssistant, SUPPORT_xxxxxxxx and Guest. Guest and SUPPORT_xxxxxxxx are disabled by default.
• Administrator cannot be disabled, deleted or locked out, but can be renamed.
• Guest can be disabled and locked out, but cannot be deleted.
• HelpAssistant is used for Remote Desktop Assistance; it can be renamed, deleted or disabled.
Groups
1. Administrators have complete and unrestricted access to the computer/domain.
2. Backup Operators can override security restrictions for the sole purpose of backing up or restoring files.
3. Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted.
4. Network Configuration Operators can have some administrative privileges to manage configuration of networking features.
5. Power Users possess most administrative powers with some restrictions. Thus, Power Users can run legacy applications in addition to certified applications.
6. Remote Desktop Users are granted the right to log on remotely.
7. Replicator supports file replication in a domain.
8. Users are prevented from making accidental or intentional system-wide changes. Thus, Users can run certified applications, but not most legacy applications.
9. Debugger users can debug processes on this machine, both locally and remotely.
10. HelpServicesGroup for the Help and Support Center.
Built-in security principals installed by default under XP Professional:
Everyone, Authenticated Users, Creator Owner, Creator Group, Network, Interactive, Anonymous Logon, Dialup, Remote Interactive Logon, Terminal Server User
User account names must be unique and are recognized only up to their 20th character, although the name itself can be longer. A user password can be up to 127 characters.
Universal groups and Domain Local groups are available to add as members only when the domain is in native mode, meaning that it can contain only Windows 2000 domain controllers and no legacy backup domain controllers.
It is recommended that you disable, not delete, any user that leaves an organization.
An XP computer that is not in a domain has two categories of user account: Limited and Administrator.
If you have already made a Password Reset Disk for your local user account through the Forgotten Password Wizard, you can use it later to reset a forgotten password.
User Principal Name (UPN) is an attribute of an Active Directory user object and, by default, is of the form username@domain.name, where domain.name is the Windows 2000 domain in which your user account resides.
Domain user accounts are managed with the Active Directory Users and Computers snap-in.
Unlike the local security database, which is a flat list of users and groups, Active Directory has containers and organizational units (OUs), which collect database objects such as users, computers, printers, and other OUs.
Local Group Policy can be accessed by opening the Group Policy snap-in within a MMC and then selecting the Local Computer option. The Local Security Policy is nothing more than a subset of the Local Group Policy. The policy-based settings will apply to a computer at startup and to a user at logon. Also, these policy settings are applied at a refresh interval, which does not require a reboot or logging off.
Group Policy Objects (GPOs) provide a centralized enumeration of configuration settings. To access Group Policy, you must go to the properties of a site, domain, or OU (SDOU), and click the Group Policy tab. To work with group policy for a site, you use the Active Directory Sites and Services Console, whereas to work with group policy for a domain or OU, you use Active Directory Users and Computers.
In the case of an individual machine, it can only have one Local Group Policy, whereas an SDOU can have multiple GPOs.
The same application of policies applies to a user at logon: local policy, site policy, domain policy, and OU policy. If there is ever a conflict in a particular configuration setting, the last setting applied controls.
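The following is an added example (not from the original notes) that models the policy application order just described: local, then site, then domain, then OU (a parent OU before a child OU), with several GPOs allowed per site, domain or OU and the last applied value winning any conflict. It also covers the detail that a later GPO which leaves a setting Not Configured does not override an earlier one, and, like gpresult, it records which GPO supplied each winning value. The GPO names, setting names and the resultant_policy and effective_value helpers are all constructed here; Enforced links and Block Inheritance are not modelled.

```python
"""Added example, not from the page: a model of Group Policy resolution in the
order local, site, domain, OU (parent OU before child OU). Several GPOs may be
linked to one scope; the last applied value wins a conflict, and a setting
left Not Configured (None here) in a later GPO does not override an earlier
one. The result records which GPO supplied each winning value, as gpresult
does. GPO names and settings are constructed; Enforced links and Block
Inheritance are not modelled."""

# Each layer is (scope, [(gpo_name, {setting: value}), ...]) in link order.
# A value of None means the GPO leaves that setting Not Configured.
POLICY_LAYERS = [
    ("Local", [("Local Computer Policy", {
        "ScreenSaverTimeout": 600, "DisableCMD": False})]),
    ("Site", [("Default Site Policy", {"DisableCMD": None})]),
    ("Domain", [
        ("Default Domain Policy", {"MinPasswordLength": 8,
                                   "ScreenSaverTimeout": 900}),
        ("Domain Banner Policy", {"LogonBanner": "Authorised use only"}),
    ]),
    ("OU=Workstations", [("Workstation Lockdown", {
        "DisableCMD": True, "MinPasswordLength": None})]),
    ("OU=Workstations/OU=Kiosks", [("Kiosk Policy", {
        "ScreenSaverTimeout": 300})]),
]


def resultant_policy(layers):
    """Return {setting: (value, winning_gpo)} after applying every layer in order."""
    result = {}
    for scope, gpos in layers:
        for gpo_name, settings in gpos:
            for setting, value in settings.items():
                if value is None:      # Not Configured: the earlier value stands
                    continue
                result[setting] = (value, f"{gpo_name} ({scope})")
    return result


def effective_value(layers, setting, default=None):
    """Value the client ends up with, or `default` if no GPO configures it."""
    return resultant_policy(layers).get(setting, (default, None))[0]


if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_policy(POLICY_LAYERS).items()):
        print(f"{setting:20} = {value!r:24} from {source}")
```

In the constructed data the kiosk OU's 300-second timeout beats both the local and the domain value, the Workstations OU turns DisableCMD on even though the site GPO was silent about it, and MinPasswordLength stays at the domain's 8 because the OU GPO left it Not Configured.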
Some rights are assigned to Built-in groups. Other rights are assignable. User rights, because they are system-oriented, override object permissions when the two are in conflict with each other.
Security Options
• Clear the virtual memory pagefile when the system shuts down.
• Do not display last username in logon screen
• Number of previous logons to cache
Resultant Set of Policy (RSoP)
• Group Policy Result (gpresult)
o /z - verbose output
• Group Policy Update (gpupdate). Group Policy refreshes automatically every 90 minutes by default.
o /target: (Computer|User) — allows explicit refreshing of either the computer or user portions of the policies that need to be applied.
o /force — Reapplies all settings in the policies, whereas if no switches are used, only the changed policies will apply.
o /logoff — some user-based Group Policy settings exist (such as Folder Redirection) that do not apply until the user logs off and back on. With this switch, the user will automatically be logged off after the other policies refresh.
o /boot - restarts the computer after the refresh if a computer setting requires it.
• RSoP snap-in.
The Security Configuration and Analysis tool and the secedit command can be used to analyze and configure a computer's security settings. You can create a database and import security templates such as Basicws.inf, Securews.inf, Hisecws.inf and Compatws.inf.
Two types (security levels) of Software Restriction Policies
• Disallowed - software will not run, regardless of the user's access rights.
• Unrestricted - the software's access rights are determined by the user's access rights.
Software Identification Rules
Hash rule, Path rule, Certificate rule, Zone rule
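The following is an added example (not from the original notes) of how the four rule types and the two security levels combine when a file is launched. Windows checks rule types in a fixed precedence: hash, then certificate, then path, then Internet zone, and falls back to the default security level; among path rules the most specific matching path wins. Everything in the block is constructed for illustration: the rules, the file paths, the publisher name, the file bytes whose hash is approved, and the evaluate helper; SHA-256 stands in for the hash the real feature computes.

```python
"""Added example, not from the page: an evaluator for Software Restriction
Policy rules. Rule types are checked in the fixed precedence hash, then
certificate, then path, then Internet zone, with the default security level
as the fallback; among path rules the most specific matching path wins. The
rules, paths, publisher name and approved file bytes are constructed, and
SHA-256 stands in for the hash algorithm the real feature uses."""
import hashlib

DEFAULT_LEVEL = "Disallowed"          # constructed allow-list style policy

# Constructed file contents that an administrator has approved by hash
TOOL_BYTES = b"MZ constructed sample tool"
TOOL_HASH = hashlib.sha256(TOOL_BYTES).hexdigest()

# (rule_type, identifier, level)
RULES = [
    ("hash", TOOL_HASH, "Unrestricted"),
    ("certificate", "Example Corp", "Unrestricted"),
    ("path", r"C:\Program Files", "Unrestricted"),
    ("path", r"C:\Program Files\Games", "Disallowed"),
    ("path", r"C:\Temp", "Disallowed"),
    ("zone", "Internet", "Disallowed"),
]

PRECEDENCE = ("hash", "certificate", "path", "zone")


def _norm(path):
    return path.replace("/", "\\").rstrip("\\").casefold()


def _path_matches(rule_path, file_path):
    """A path rule covers the path itself and everything beneath it."""
    rule, target = _norm(rule_path), _norm(file_path)
    return target == rule or target.startswith(rule + "\\")


def evaluate(file_path, rules=RULES, *, content=b"", publisher=None, zone=None):
    """Return (level, matched_rule); matched_rule is None when the default applies."""
    digest = hashlib.sha256(content).hexdigest()
    for rule_type in PRECEDENCE:
        candidates = []
        for rule in rules:
            kind, ident, _level = rule
            if kind != rule_type:
                continue
            if kind == "hash" and ident == digest:
                candidates.append(rule)
            elif kind == "certificate" and publisher is not None and ident == publisher:
                candidates.append(rule)
            elif kind == "path" and _path_matches(ident, file_path):
                candidates.append(rule)
            elif kind == "zone" and zone is not None and ident == zone:
                candidates.append(rule)
        if candidates:
            # The longest path is the most specific; other types take the first match
            if rule_type == "path":
                best = max(candidates, key=lambda r: len(_norm(r[1])))
            else:
                best = candidates[0]
            return best[2], best
    return DEFAULT_LEVEL, None


if __name__ == "__main__":
    samples = [
        (r"C:\Program Files\Editor\editor.exe", {}),
        (r"C:\Program Files\Games\solitaire.exe", {}),
        (r"C:\Temp\tool.exe", {"content": TOOL_BYTES}),
        (r"C:\Temp\signed.exe", {"publisher": "Example Corp"}),
        (r"D:\Stuff\unknown.exe", {}),
        (r"D:\Downloads\setup.exe", {"zone": "Internet"}),
    ]
    for path, extra in samples:
        level, rule = evaluate(path, **extra)
        print(f"{path:40} -> {level:12} via {rule[0] if rule else 'default level'}")
```

The sample run shows the precedence: tool.exe in C:\Temp runs because its hash rule beats the Disallowed path rule on that folder, signed.exe runs on its certificate rule for the same reason, and solitaire.exe is blocked because the more specific Games path rule outranks the Program Files one.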
Obtain a .NET Passport through the .NET Passport Wizard in User Accounts