MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional
Connectivity is the single most valuable capability in a computer. By connecting to other computers, a computer is able to access other information, applications, and peripheral equipment. Businesses have long since discovered that their employees will work longer hours and greatly increase their productivity when they are able to connect to the company's network from remote sites. For this reason, they provide remote access servers (RASs) with either dial-up modems or VPN servers and Internet connections. Windows XP Professional computers link up with the Internet or corporate networks using dial-up networking connections. After Windows XP connects with a dial-up connection, the user can open files and folders, use applications, print to printers, and pretty much use the network just as if he or she were connected to the network through its network adapter. Standard protocols are used to make dial-up network connections:
After you have connected with a dial-up connection, you can use the Add Network Place Wizard to create a shortcut to a location on the remote network or an Internet site. This reduces the time spent in navigating to the resources used most on the network, making it both more efficient and easier for users to connect via remote access. To create a network location shortcut, follow the instructions in Step by Step 11.3.
Windows XP Professional lets you search for computers on the network, even when connected remotely. The search utility is exceptionally cooperative. If you type in a partial name or similar name, Windows XP displays the results. Therefore, misspellings do not prevent you from finding the computer you need to use. To search for a computer, click Start and then click Search. In the task pane, select Printers, Computers, or People. If you do not see this option, click Other Search Options and you are shown another set of tasks in the task pane, including the Printers, Computers, or People option. Click to select a computer on the network. In the box, type the name or partial name of the desktop or server that you want to access and then click Search. You can double-click any of the results and view the shared folders, files, printers, and other resources that the found computer provides. If you do not know the name of the computer that you want to access, you can use the Browse feature in My Network Places. You should see a list of the currently configured network location shortcuts that were either created by you or automatically configured by the operating system. Double-click the Microsoft Windows Network. Double-click the name of the domain or workgroup that you want to browse through. When you find the computer, double-click it to view its shares.

Understanding Remote Access
Dial-up networking connections are used for any type of connection: between two different computers, between a computer and a private network, between a computer and the Internet, and from a computer through the Internet to a private network using a tunneling protocol. You can share a dial-up connection using Internet Connection Sharing (ICS). All these functions and features offer different ways of connecting computers across large geographical distances. When a computer connects to a remote access server, it performs functions nearly identical to logging on locally while connected to the network. The major difference is the method of data transport at the physical level, because the data is likely to travel across a rather slow telephone line for dial-up and Internet connections. Another difference between a local network user and a remote access user is the way that the user's identification is authenticated. If using Remote Authentication Dial-In User Service (RADIUS), the RADIUS server takes on the task of authenticating users and passing along their data to the directory service(s) in which the users' accounts are listed. Don't confuse remote access with remote control. Remote access is the capability to connect across a dial-up or VPN link, and from that point forward, to be able to gain access to and use network files, folders, printers, and other resources identically to the way a user could do on a local network computer. Remote control, on the other hand, is the capability to connect to a network remotely, and then, through the use of an application (such as PCAnywhere, Citrix, or Remote Desktop) create a session with a host computer where the desktop for that host computer is displayed on your PC, often within the application's window, although most of these applications enable you to run the session "full screen."

Remote Access Authentication Protocols
Authentication is the first perimeter of defense that a network administrator can define in a remote access system. The process of authenticating a user is meant to verify and validate a user's identification. If the user provides invalid input, the authentication process should deny the user access to the network. An ill-defined authentication system, or lack of one altogether, can open the door to mischief and disruption because the two most common methods for remote access are publicly available: the Internet, and the public switched telephone network. Table 11.2 discusses the authentication protocols supported by Windows XP's dial-up network connections.
Exam Alert: Trusted publishers
The 70-270 exam touches on certificate authentication and is likely to ask you about the relationship between trusted resources and certificates. When using certificate authentication, the client computer must have a way of validating the server's certificate. To ensure absolutely that this validation will work, you can import the server's certificate into the client's Trusted Publishers list. If there is no way for a client to validate the server's certificate, an error displays stating that the server is not a trusted resource.

Remote Access Security
Windows XP can be configured in an assortment of ways to ensure that your remote access services meet your organization's security criteria. Much of the configuration takes place on the server side of remote access. These security features are available on a Windows XP Professional computer when you configure it to receive remote access connections. The Local Security Settings can be accessed through Administrative Tools under Control Panel's Performance and Maintenance category. The policies defined in this utility affect all users on the computer, unless the policies allow you to configure them on a per-user or per-group basis. This window is shown in Figure 11.10.

Figure 11.10. You can configure security policies that affect remote access in the Local Security Settings.
You may configure the Account Lockout Policy on the local computer to increase security. Under the Account Lockout Policy, you can configure how many bad passwords the computer will accept before it disables the user from logging on, how long the user will be locked out, and how long to wait before starting to count invalid logon attempts again. Remember that the Account Lockout Policy does not only affect remote access users, but all users who try to log on to the computer. The following list describes the various Account Lockout Policy options:
You should always consider that because the default time periods are known quantities, an experienced hacker attempting to gain access to one of these accounts is likely to try again at intervals that will allow retries without locking the compromised account. To counter this, you should always set the policies to a longer duration than 30 minutes.

If your computer is configured to accept VPN connections, you will probably want to establish IPSec settings. IPSec is a protocol used for authentication and encryption and is often used in VPNs in conjunction with L2TP.

Specifying callback settings is another method you can use to restrict misuse of a Windows XP computer configured to accept incoming connections via dial-up. You can do this in the properties of the incoming connection. Open the Network Connections applet in Control Panel and double-click the incoming connection. Click the Users tab. In the window, you see a list of users configured on the computer. By default, none of the users is enabled to log on to the computer through this connection. You can select the options for each user to whom you want to grant remote access. You can compel all users to use encryption by selecting the Require All Users to Secure Their Passwords and Data option. You can also eliminate the need for a password for incoming connections from handheld devices by selecting the Always Allow Directly Connected Devices Such As Palmtop Computers to Connect Without a Password option. Select a user and click the Properties button. Click the Callback tab. Select whether you want the user to provide a callback number (use this for travelers), or whether you want to set a permanent callback number. Using callback is a verification step to ensure the identity of the calling user. On the General tab, you can specify whether to allow a VPN connection by selecting the Allow Others to Make Private Connections to My Computer by Tunneling Through the Internet or Other Network option.
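As an added illustration of the lockout advice above (constructed example code, not from the book), this Python model replays a series of failed-logon times against the three Account Lockout Policy values and flags settings left at the well-known 30-minute defaults. The counter semantics it assumes for Windows are stated in the docstring.

```python
"""Model of the Account Lockout Policy values discussed above.

Constructed example, not code from the book.  Assumed Windows
semantics: the bad-password counter returns to zero when more than
the "reset counter after" window has passed since the previous failed
attempt, and the account locks when the counter reaches the threshold
(a threshold of 0 means lockout is disabled).
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LockoutPolicy:
    threshold: int        # failed attempts before lockout; 0 disables lockout
    duration_min: int     # minutes locked; 0 means until an administrator unlocks
    reset_after_min: int  # minutes since the last failure before the counter resets


def first_lockout(policy: LockoutPolicy, failures_min: List[int]) -> Optional[int]:
    """Minute (from time zero) at which the account first locks, or None.

    failures_min lists the minute of each failed logon, in ascending order.
    """
    if policy.threshold == 0:
        return None
    count = 0
    last_failure = None
    for t in failures_min:
        if last_failure is not None and t - last_failure > policy.reset_after_min:
            count = 0  # observation window expired, the counter starts over
        count += 1
        last_failure = t
        if count >= policy.threshold:
            return t
    return None


def spaced_failures(interval_min: int, attempts: int) -> List[int]:
    """Failed logons repeated every interval_min minutes (constructed input)."""
    return [i * interval_min for i in range(attempts)]


def audit_policy(policy: LockoutPolicy) -> List[str]:
    """Findings against the advice above: lockout must be enabled, and both
    time periods should be raised above the 30-minute values everyone knows."""
    findings = []
    if policy.threshold == 0:
        findings.append("lockout disabled (threshold 0)")
    if policy.reset_after_min <= 30:
        findings.append("reset window at or below the 30-minute default")
    if 0 < policy.duration_min <= 30:
        findings.append("lockout duration at or below the 30-minute default")
    return findings
```

With a 30-minute reset window, failures spaced 31 minutes apart never lock the account, whereas a 60-minute window locks it on the fifth attempt; `audit_policy` reports the same weakness directly from the policy values.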
Using a VPN Connection to Connect to Computers
We've already touched on VPN connections. The way a VPN works is rather interesting. The private network is connected to the Internet. An administrator sets up a VPN server that sits basically between the private network and the Internet. When a remote computer connects to the Internet, whether via dial-up or other means, the remote computer can connect to the VPN server by using TCP/IP. Then the PPTP or L2TP protocols encapsulate the data, whether it is using TCP/IP or another protocol suite, inside the TCP/IP packets that are sent to the VPN server. After the data is received at the VPN server, it strips off the encapsulating headers and footers, then transmits the packets to the appropriate network servers and resources. The two tunneling protocols, although similar and both supported by Windows XP and Windows 2003 servers, act somewhat differently. PPTP incorporates security for encryption and authentication in the protocol. L2TP does not. Instead, you must use IPSec to secure the data. To establish the VPN client connection on Windows XP, follow the instructions in Step by Step 11.4. To follow along with this exercise and to test it, you should have a client computer and a VPN server that can both connect to the Internet. These two computers should not be connected in any other way than through the Internet.
Creating a Dial-Up Connection to Connect to a Remote Access Server
You can create a dial-up connection to most remote access servers using the same wizard that you used to create a VPN connection. Start by opening Control Panel, selecting the Network and Internet Connections category, and double-clicking Network Connections. In the task pane, select Add a Network Connection. In the wizard, click Next to go to the second screen. You then choose Connect to the Network at My Workplace and click Next. Click Dial-Up Connection and click Next. Type a name for this connection and click Next. Type the phone number for remote access. If you have multiple phone numbers, type one of them and configure the rest later. Click the Finish button in the final screen. Your connection has been created. After you have successfully produced a dial-up connection, you can specify the configuration options to match those of your remote access server. Right-click the connection icon and select Properties from the shortcut menu. The connection's Properties dialog box consists of the following tabs, each with different types of configurations:
Connecting to the Internet by Using Dial-Up Networking
Internet connections are configured identically to private network connections except that you must specify TCP/IP as the protocol. Most Internet Service Providers (ISPs) provide a CD-ROM with proprietary software to connect to and use the Internet. This software usually creates an Internet connection in the Network Connections applet for you. The reason ISPs do this is to make it very simple for a new user to configure a connection to his or her network. To configure your own connection to an ISP, you use the same Add a Network Connection Wizard. However, in this case, you select the Connect to the Internet option button. The dialog then allows you to select an ISP from a list, set up the connection manually, or use the ISP's CD. Click Set Up My Connection Manually and click Next. The resulting dialog box enables you to use a modem, broadband device that requires a password (typically a DSL modem that dials into the ISP), or a broadband device that is always on (such as a cable modem or DSL). Select the first option button and click Next. Type the name of the ISP and click Next. Type the phone number of the ISP and click Next. In the next screen, enter the name and password that the ISP provided you, and type the password again in the Confirm Password text box. Select the options for whether you want everyone who uses the computer to have access to this Internet connection, and whether this will be the default Internet connection for the computer. Click Next when you are finished. You can click Finish to then open up the Connect screen. If your ISP provided you with additional configuration information, you should click the Properties button to fine-tune your connection.

Configuring and Troubleshooting Internet Connection Sharing (ICS)
Quite often, it is not feasible for a small office or a home user to install a high-speed dedicated link to the Internet, such as a T1 line, or have each computer dial up to an ISP. Even dedicated broadband links offered to home users are reasonably priced only if they are connected directly to a single network adapter in a computer. One of the growing trends for small office or home networks is to share an Internet connection with all the members of the network. Windows XP Professional contains a feature called Internet Connection Sharing (ICS), which enables a small office or home network to use one computer on the network as the router to the Internet. Windows XP's ICS components consist of
ICS can be used to share any type of Internet connection, although a dial-up connection must be enabled for all users on the PC for sharing to be effective. To enable ICS, you need to make sure that the Internet-connected computer has been configured with connections for a modem and a network adapter. If you are using broadband, you need two network adapters: one to connect to the broadband device for the Internet and the other to connect to the network.

Caution: Check for use of IP address 192.168.0.1
Before you configure ICS, you should ensure that no computers are currently assigned an IP address of 192.168.0.1 because the network adapter on the ICS computer is automatically assigned that address when ICS is configured.
You can use the Set Up a Home or Small Office Network Wizard, which is in the task pane of the Network Connections window. When you configure the computer that will share the Internet connection, you can select the option labeled This Computer Connects Directly to the Internet. The Other Computers on My Network Connect to the Internet Through This Computer. With the same Set Up a Home or Small Office Network Wizard, you can select the This Computer Connects to the Internet Through a Residential Gateway or Through Another Computer on My Network option when you configure the other computers on the network. However, if you want to share an Internet connection so that you have more hands-on control, you can start by right-clicking the Internet connection in the Network Connections applet in Control Panel and selecting Properties from the shortcut menu. Then click the Advanced tab, as shown in Figure 11.11.

Figure 11.11. ICS is configured on the Advanced tab of the network connection to the Internet.
Click the drop-down box under Home Networking Connection and select the connection that connects to the home or office network. If the Internet connection is through a dial-up DSL, analog modem, or X.25 connection, and you want any computer on the network to be able to connect to the Internet on demand, you should select the Establish a Dial-up Connection Whenever a Computer on My Network Attempts to Access the Internet check box. If other people will be logging on to the computer and you want them to be able to make changes to this, select the Allow Other Network Users to Control or Disable the Shared Internet Connection check box. Click the Settings button to enable the protocols that computers on the Internet can use to access computers on your private network. When you select a box next to one of these options, you are prompted for the IP address or name of the computer that provides the service, and in certain cases you can customize the port number, which helps to avoid security problems. These are shown in Figure 11.12. If you want to provide a different service via a protocol not shown, click the Add button.

Figure 11.12. If you have servers on your network providing these or other services, configure them in the ICS Advanced Settings.
After you have configured ICS, you should first test the host computer to ensure that it can still access the Internet. After you have validated the ICS host, you can test the connection from one of the other computers after configuring it. To configure a client computer, you should log on to a client computer as an administrator. Open the Network Connections applet in Control Panel. Right-click Local Area Connection and select Properties from the shortcut menu. Click the General tab, if it is not already selected. In the This Connection Uses the Following Items list, highlight Internet Protocol (TCP/IP) and then click the Properties button.

ICS automatically configures the sharing computer as a simple DHCP server, providing IP addresses in the private IP address Class C range of 192.168.0.2 through 192.168.0.254 and a mask of 255.255.255.0. The IP address of the ICS computer is 192.168.0.1. Therefore, you should ensure that the IP properties are configured to obtain an IP address automatically. (You can configure a static IP address if you prefer. You need to use one in the same range and with the same mask of 255.255.255.0, along with a default gateway address of 192.168.0.1.) Click OK to close the dialog. Open Internet Explorer and type a URL, such as http://www.microsoft.com. You may need to wait for the ICS computer to establish a connection with the ISP, but after that has completed, you should see the web page.

If you have problems with ICS, you should open Event Viewer and check out the System log for any errors related to ICS. In addition you can view the NSW.LOG file to look for errors.
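The ICS addressing rules above (the 192.168.0.x client range, the 192.168.0.1 gateway, and the Caution about a pre-existing host holding 192.168.0.1) are encoded in the following added Python checks; this is constructed example code, not from the book, and the host inventory it runs over is made up for the demonstration.

```python
"""Checks for the ICS addressing rules described above (constructed
example, not code from the book).  ICS gives the sharing computer
192.168.0.1 and its built-in DHCP serves clients 192.168.0.2 through
192.168.0.254 with mask 255.255.255.0, so a static client must use an
address in that range with 192.168.0.1 as the default gateway, and no
existing host may hold 192.168.0.1 before ICS is enabled.
"""
import ipaddress
from typing import Dict, List

ICS_HOST = ipaddress.IPv4Address("192.168.0.1")
ICS_NETWORK = ipaddress.IPv4Network("192.168.0.0/24")


def check_static_client(addr: str, mask: str, gateway: str) -> List[str]:
    """Problems with a proposed static client configuration; an empty
    list means it matches what the ICS DHCP server would have assigned."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        return [f"invalid address, mask or gateway: {exc}"]
    if iface.network != ICS_NETWORK:
        problems.append(f"{addr}/{mask} is outside {ICS_NETWORK} (mask 255.255.255.0)")
    elif iface.ip == ICS_HOST:
        problems.append(f"{addr} is reserved for the ICS computer itself")
    elif iface.ip in (ICS_NETWORK.network_address, ICS_NETWORK.broadcast_address):
        problems.append(f"{addr} is the network or broadcast address, not a host")
    if gw != ICS_HOST:
        problems.append(f"default gateway must be {ICS_HOST}, not {gateway}")
    return problems


def hosts_conflicting_with_ics(inventory: Dict[str, str]) -> List[str]:
    """Hosts in a name-to-address inventory that already hold 192.168.0.1,
    the address ICS will take for the sharing computer's LAN adapter."""
    return sorted(name for name, ip in inventory.items()
                  if ipaddress.IPv4Address(ip) == ICS_HOST)


# Constructed inventory of a small office network before ICS is enabled.
SAMPLE_INVENTORY = {
    "ics-host": "192.168.0.9",
    "printserver": "192.168.0.1",
    "desk1": "192.168.0.7",
}
```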