MCSA/MCSE 70-270 Exam Prep 2: Windows XP Professional

Connectivity is the single most valuable capability in a computer. By connecting to other computers, a computer is able to access other information, applications, and peripheral equipment. Businesses have long since discovered that their employees will work longer hours and greatly increase their productivity when they are able to connect to the company's network from remote sites. For this reason, they provide remote access servers (RASs) with either dial-up modems or VPN servers and Internet connections. Windows XP Professional computers link up with the Internet or corporate networks using dial-up networking connections. After Windows XP connects with a dial-up connection, the user can open files and folders, use applications, print to printers, and pretty much use the network just as if he or she were connected to the network through its network adapter.

Standard protocols are used to make dial-up network connections:

  • Point-to-Point Protocol (PPP) A dial-up protocol that can support multiple networking protocols, such as TCP/IP and Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX), and can be used with compression and encryption.

  • Serial Line Internet Protocol (SLIP) An older dial-up protocol that was originally created for Unix and can support TCP/IP traffic.

  • Point-to-Point Tunneling Protocol (PPTP) A protocol used to transmit private network data across a public network in a secure fashion. PPTP supports multiple networking protocols and creates a secure VPN connection.

  • Layer 2 Tunneling Protocol (L2TP) A protocol used to transmit private network data across a public network. L2TP supports multiple networking protocols. Used with IP Security (IPSec), it creates a secure VPN connection.

After you have connected with a dial-up connection, you can use the Add Network Place Wizard to create a shortcut to a location on the remote network or an Internet site. This reduces the time spent in navigating to the resources used most on the network, making it both more efficient and easier for users to connect via remote access. To create a network location shortcut, follow the instructions in Step by Step 11.3.

Step by Step: 11.3 Creating a Shortcut to a Network Location

1. Click My Network Places.

2. In the task pane, click Add a Network Place.

3. The Add Network Place Wizard opens. Click Next to bypass the welcome screen.

4. Select Choose Another Network Location and then click Next.

5. Type the address of the network location. If it is a network share, use the Universal Naming Convention (UNC) notation of \\server\share. If it is a website, type http://website.com. If it is an FTP site, type ftp://ftpsite.com, and so on.

6. Click Next.

7. Provide a name for the location, or accept the default name that Windows XP selects, and click Next.

8. Click Finish. The network place opens.

9. You can remove the network place by right-clicking the icon and selecting Delete from the shortcut menu. This does not delete the share or any files that are placed in the share. Click Yes to confirm deletion.

Windows XP Professional lets you search for computers on the network, even when connected remotely. The search utility is exceptionally cooperative. If you type in a partial name or similar name, Windows XP displays the results. Therefore, misspellings do not prevent you from finding the computer you need to use. To search for a computer, click Start and then click Search. In the task pane, select Printers, Computers, or People. If you do not see this option, click Other Search Options and you are shown another set of tasks in the task pane, including the Printers, Computers, or People option. Click to select a computer on the network. In the box, type the name or partial name of the desktop or server that you want to access and then click Search. You can double-click any of the results and view the shared folders, files, printers, and other resources that the found computer provides.

If you do not know the name of the computer that you want to access, you can use the Browse feature in My Network Places. You should see a list of the currently configured network location shortcuts that were either created by you or automatically configured by the operating system. Double-click the Microsoft Windows Network. Double-click the name of the domain or workgroup that you want to browse through. When you find the computer, double-click it to view its shares.

Understanding Remote Access

Dial-up networking connections are used for any type of connection: between two different computers, between a computer and a private network, between a computer and the Internet, and from a computer through the Internet to a private network using a tunneling protocol. You can share a dial-up connection using Internet Connection Sharing (ICS). All these functions and features offer different ways of connecting computers across large geographical distances.

When a computer connects to a remote access server, it performs functions nearly identical to logging on locally while connected to the network. The major difference is the method of data transport at the physical level, because the data is likely to travel across a rather slow telephone line for dial-up and Internet connections. Another difference between a local network user and a remote access user is the way that the user's identification is authenticated. If using Remote Authentication Dial-In User Service (RADIUS), the RADIUS server takes on the task of authenticating users and passing along their data to the directory service(s) in which the users' accounts are listed.

Don't confuse remote access with remote control. Remote access is the capability to connect across a dial-up or VPN link, and from that point forward, to be able to gain access to and use network files, folders, printers, and other resources identically to the way a user could do on a local network computer. Remote control, on the other hand, is the capability to connect to a network remotely, and then, through the use of an application (such as PCAnywhere, Citrix, or Remote Desktop) create a session with a host computer where the desktop for that host computer is displayed on your PC, often within the application's window, although most of these applications enable you to run the session "full screen."

Remote Access Authentication Protocols

Authentication is the first perimeter of defense that a network administrator can define in a remote access system. The process of authenticating a user is meant to verify and validate a user's identification. If the user provides invalid input, the authentication process should deny the user access to the network. An ill-defined authentication system, or lack of one altogether, can open the door to mischief and disruption because the two most common methods for remote access are publicly available: the Internet, and the public services telephone network. Table 11.2 discusses the authentication protocols supported by Windows XP's dial-up network connections.

Table 11.2. Authentication Protocols for Remote Access (acronym, name, usage, security)

  • CHAP (Challenge Handshake Authentication Protocol)
    Usage: Client requests access. Server sends a challenge to client. Client responds using MD5 hash value. Values must match for authentication.
    Security: One-way authentication. Server authenticates client.

  • EAP (Extensible Authentication Protocol)
    Usage: Developed for PPP and can be used with IEEE 802. Is capable of handling other authentication protocols, so improves interoperability between RAS systems, RADIUS servers, and RAS clients. Used with MD5-Challenge, smart cards, and certificate authentication in Windows XP Professional.
    Security: Not used to provide its own security; enables enhanced interoperability and efficiency of the authentication process.

  • MS-CHAP (Microsoft Challenge Handshake Authentication Protocol)
    Usage: Requires both the client and the server to be Microsoft Windows based. Nearly identical to CHAP, in that the client requests access, server provides a challenge, client responds with one-way MD5 hash value, and if a match, is granted access.
    Security: One-way authentication. Server authenticates client.

  • MS-CHAPv2 (Microsoft Challenge Handshake Authentication Protocol version 2)
    Usage: Requires both the client and the server to be Microsoft Windows based. Does not work with LAN Manager. Client requests access, server challenges, client responds with an MD5 hash value and piggybacks a challenge to server. If a match, server responds with a success packet granting access to client, which includes an MD5 hash response to the client's challenge. Client logs on if the server's response matches what client expects.
    Security: Mutual (two-way) authentication.

  • PAP (Password Authentication Protocol)
    Usage: Client submits a clear-text user identification and password to server. Server compares to information in its user database. If a match, client is authenticated.
    Security: Clear-text, one-way authentication. Least secure method.

  • SPAP (Shiva Password Authentication Protocol)
    Usage: Developed by Shiva but used by other RAS systems. Client provides a username and password to server, which uses reversible encryption. If a match, server grants access.
    Security: Reversible encryption, one-way authentication.

  • Smart cards (Certificates)
    Usage: User must have knowledge of PIN and possession of smart card. Client swipes card, which submits smart card certificate, and inputs PIN. Results are reviewed by server, which responds with its own certificate. If both client and server match, access is granted. Otherwise, error that credentials cannot be verified.
    Security: Certificate-based, two-way authentication.
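To make the difference between the PAP and CHAP rows concrete, the following added example (not code from the book or from Windows) models both exchanges end to end and records every frame, so you can check what a passive observer on the link sees and why a CHAP challenge must never be reused. It follows RFC 1994 for the CHAP hash (MD5 over identifier, secret and challenge); the MS-CHAP variants are not modelled, and the user database and passwords are constructed.

```python
"""CHAP (RFC 1994) and PAP modelled end to end, to show what each
protocol puts on the wire.  Added illustration; not code from the
book or from Windows.  The MS-CHAP variants are not modelled, and the
user database below is a constructed example."""
import hashlib
import os

# The CHAP server recomputes the client's hash, so it must hold the
# password in recoverable form (an operational consequence of CHAP).
USER_DB = {"alice": b"correct horse battery"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: MD5 over Identifier || secret || Challenge Value."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class Wire:
    """Records every frame, i.e. what a passive observer on the link sees."""

    def __init__(self):
        self.frames = []

    def send(self, direction: str, payload: dict) -> None:
        self.frames.append((direction, payload))

    def carries(self, value) -> bool:
        """True if any frame contains `value` verbatim (e.g. the password)."""
        return any(value in frame.values() for _, frame in self.frames)


def pap_login(wire: Wire, user: str, password: bytes) -> bool:
    # PAP: the client sends peer id and password exactly as typed.
    wire.send("client->server", {"peer_id": user, "password": password})
    ok = USER_DB.get(user) == password
    wire.send("server->client", {"code": "ack" if ok else "nak"})
    return ok


def chap_login(wire: Wire, user: str, password: bytes, ident: int = 1,
               challenge: bytes = None, replayed: bytes = None) -> bool:
    """One CHAP exchange.  `replayed` lets a test submit a response
    captured earlier instead of computing one for the current challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    wire.send("server->client", {"id": ident, "challenge": challenge})
    resp = (replayed if replayed is not None
            else chap_response(ident, password, challenge))
    wire.send("client->server", {"id": ident, "response": resp, "name": user})
    stored = USER_DB.get(user)
    ok = stored is not None and resp == chap_response(ident, stored, challenge)
    wire.send("server->client",
              {"id": ident, "code": "success" if ok else "failure"})
    return ok


def captured_response(wire: Wire) -> bytes:
    """Pull the client's CHAP response out of a recorded exchange."""
    return next(f["response"] for d, f in wire.frames if d == "client->server")


if __name__ == "__main__":
    pw = USER_DB["alice"]
    pap = Wire()
    pap_login(pap, "alice", pw)
    print("PAP exposes password on the wire:", pap.carries(pw))
    chap = Wire()
    chap_login(chap, "alice", pw)
    print("CHAP exposes password on the wire:", chap.carries(pw))
```

Reusing a challenge value makes a captured response valid again; the fresh random challenge is what defeats replay, not the hash by itself.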

Exam Alert

Trusted publishers The 70-270 exam touches on certificate authentication and is likely to ask you about the relationship between trusted resources and certificates. When using certificate authentication, the client computer must have a way of validating the server's certificate. To ensure absolutely that this validation will work, you can import the server's certificate into the client's Trusted Publishers list. If there is no way for a client to validate the server's certificate, an error displays stating that the server is not a trusted resource.

Remote Access Security

Windows XP can be configured in an assortment of ways to ensure that your remote access services meet your organization's security criteria. Much of the configuration takes place on the server side of remote access. These security features are available on a Windows XP Professional computer when you configure it to receive remote access connections.

The Local Security Settings can be accessed through Administrative Tools under Control Panel's Performance and Maintenance category. The policies defined in this utility affect all users on the computer, unless the policies allow you to configure them on a per-user or per-group basis. This window is shown in Figure 11.10.

Figure 11.10. You can configure security policies that affect remote access in the Local Security Settings.

You may configure the Account Lockout Policy on the local computer to increase security. Under the Account Lockout Policy, you can configure how many bad passwords the computer will accept before it disables the user from logging on, how long the user will be locked out, and how long to wait before starting to count invalid logon attempts again. Remember that the Account Lockout Policy does not only affect remote access users, but all users who try to log on to the computer. The following list describes the various Account Lockout Policy options:

  • If you set the Account Lockout Threshold policy to 0, Windows XP does not lock out a user no matter how many times the user submits a bad password. You should set this policy to a number of invalid logon attempts that is acceptable, such as 3.

  • The Account Lockout Duration policy is the time period, in terms of minutes, that the account will be locked out. The longer the time period, the more strict the security. The default suggested time period is 30 minutes. You cannot set a duration until the Account lockout threshold has been configured to a number greater than zero.

  • The Reset Account Lockout Counter After policy has a default term of 30 minutes. This is the length of time that the computer waits after counting the last invalid logon attempt before resetting the counter. The longer the time period that this policy is set, the stricter the security.

You should always consider that because the default time periods are known quantities, an experienced hacker attempting to gain access to one of these accounts is likely to try again at intervals that will allow retries without locking the compromised account. To counter this, you should always set the policies to a longer duration than 30 minutes. If your computer is configured to accept VPN connections, you will probably want to establish IPSec settings. IPSec is a protocol used for authentication and encryption and is often used in VPNs in conjunction with L2TP.
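The three Account Lockout Policy settings interact, and the paragraph above describes an attacker who paces retries to stay under the threshold. The following added example (not code from the book or from Windows) models the counter, lockout and reset behaviour as described and compares how many wrong guesses per day each policy accepts from a paced guesser versus a naive one, and how many lockout events (the signal an administrator can monitor) each produces. The policy values are constructed examples; times are whole seconds.

```python
"""Model of the three Account Lockout Policy settings discussed above.
Added illustration, not code from the book or from Windows; the policy
values in main() are constructed examples.  Times are whole seconds."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # Account Lockout Threshold (0 = never lock out)
    duration_min: int     # Account Lockout Duration
    reset_after_min: int  # Reset Account Lockout Counter After


class Account:
    """Tracks one account's bad-password counter as the policy describes."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.bad_count = 0
        self.last_bad = None      # time of the most recent failure
        self.locked_until = None  # time the lockout expires, if locked

    def attempt(self, t: int, correct: bool) -> str:
        p = self.policy
        if self.locked_until is not None:
            if t < self.locked_until:
                return "locked"   # rejected without checking the password
            self.locked_until = None
            self.bad_count = 0
        # the counter clears once reset_after_min has passed since the last failure
        if (self.last_bad is not None
                and t - self.last_bad >= p.reset_after_min * 60):
            self.bad_count = 0
        if correct:
            self.bad_count = 0
            return "success"
        self.bad_count += 1
        self.last_bad = t
        if p.threshold and self.bad_count >= p.threshold:
            self.locked_until = t + p.duration_min * 60
            return "lockout"
        return "failure"


def guessing_budget(policy: LockoutPolicy, paced: bool,
                    window_sec: int = 86400, attempt_sec: int = 1) -> tuple:
    """(wrong guesses accepted, lockouts triggered) over the window for a
    guesser who knows the policy.  paced=True stops one short of the
    threshold and waits for the counter to reset; paced=False hammers away
    and simply waits out each lockout."""
    acct = Account(policy)
    t, guesses, lockouts = 0, 0, 0
    while t < window_sec:
        result = acct.attempt(t, correct=False)
        if result == "locked":
            t = acct.locked_until
            continue
        guesses += 1
        if result == "lockout":
            lockouts += 1
            t = acct.locked_until
        elif paced and policy.threshold and acct.bad_count == policy.threshold - 1:
            t += policy.reset_after_min * 60   # wait for the counter to clear
        else:
            t += attempt_sec
    return guesses, lockouts


if __name__ == "__main__":
    # constructed policies: the book's suggested defaults, then longer windows
    defaults = LockoutPolicy(threshold=3, duration_min=30, reset_after_min=30)
    longer = LockoutPolicy(threshold=3, duration_min=120, reset_after_min=120)
    for name, pol in (("defaults", defaults), ("longer", longer)):
        print(name, "paced:", guessing_budget(pol, True),
              "naive:", guessing_budget(pol, False))
```

With the 30-minute defaults the paced guesser gets 96 tries a day and never triggers a lockout, while raising both windows to 120 minutes cuts that to 24; the naive guesser gets more tries but leaves a lockout event roughly every half hour.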

Specifying callback settings is another method you can use to restrict misuse of a Windows XP computer configured to accept incoming connections via dial-up. You can do this in the properties of the incoming connection. Open the Network Connections applet in Control Panel and double-click the incoming connection. Click the Users tab. In the window, you see a list of users configured on the computer. By default, none of the users is enabled to log on to the computer through this connection. You can select the options for each user to whom you want to grant remote access. You can compel all users to use encryption by selecting the Require All Users to Secure Their Passwords and Data option. You can also eliminate the need for a password for incoming connections from handheld devices by selecting the Always Allow Directly Connected Devices Such As Palmtop Computers to Connect Without a Password option. Select a user and click the Properties button. Click the Callback tab. Select whether you want the user to provide a callback number (use this for travelers), or whether you want to set a permanent callback number. Using callback is a verification step to ensure the identity of the calling user.

On the General tab, you can specify whether to allow a VPN connection by selecting the Allow Others to Make Private Connections to My Computer by Tunneling Through the Internet or Other Network option.

Using a VPN Connection to Connect to Computers

We've already touched on VPN connections. The way a VPN works is rather interesting. The private network is connected to the Internet. An administrator sets up a VPN server that sits basically between the private network and the Internet. When a remote computer connects to the Internet, whether via dial-up or other means, the remote computer can connect to the VPN server by using TCP/IP. Then the PPTP or L2TP protocols encapsulate the data, whether it is using TCP/IP or another protocol suite, inside the TCP/IP packets that are sent to the VPN server. After the data is received at the VPN server, it strips off the encapsulating headers and footers, then transmits the packets to the appropriate network servers and resources.

The two tunneling protocols, although similar and both supported by Windows XP and Windows 2003 servers, act somewhat differently. PPTP incorporates security for encryption and authentication in the protocol. L2TP does not. Instead, you must use IPSec to secure the data.

To establish the VPN client connection on Windows XP, follow the instructions in Step by Step 11.4. To follow along with this exercise and to test it, you should have a client computer and a VPN server that can both connect to the Internet. These two computers should not be connected in any other way than through the Internet.

Step by Step: 11.4 Creating a VPN Connection

1. Right-click My Network Places and select Properties. Alternatively, open Control Panel and select Network Connections from the Network and Internet Connections category.

2. In the task pane, select Create a New Connection.

3. The New Connection Wizard starts. Click Next to bypass the first screen.

4. In the ensuing wizard screen, click Connect to the Network at My Workplace. (You should select this option for any VPN connection, even if it is not your workplace.) Then click Next.

5. You are next given the option for selecting a dial-up or a VPN connection. Click Virtual Private Network Connection and then click Next.

6. Type the name of the organization and click Next.

7. Type in the IP address of the VPN server. Click Next.

8. The final screen enables you to create a shortcut to the VPN connection on the desktop by checking the box. Click the Finish button.

9. The Connect dialog screen opens. If you will be connecting to the Internet through a dial-up connection and then establishing the VPN session, click the Properties button.

10. On the General tab, select the Dial Another Connection First check box. Then, from the list, select the dial-up connection.

11. If you will be dialing into a Windows domain, you should click the Options tab and select the Include Windows Logon Domain check box.

12. You can configure the security options under the Security tab. Click the Advanced (Custom Settings) option, click the Settings button, and then select the boxes next to the protocols that the VPN server allows, or select the Use Extensible Authentication Protocol (EAP) option and select either Smart Card or Other Certificate (Encryption Enabled) or MD5-Challenge from the list. Click the Properties button if you opt for a smart card to further specify the certificates used and servers to connect to. Click OK to close the dialog box when finished. Click OK again to return to the original connection's Properties dialog box.

13. Click the IPSec Settings button on the Security tab. If you are using a pre-set key, select the box, type the data string in the text box, and then click OK.

14. Click the Networking tab and from the list box under Type of VPN, select whether you are using PPTP or L2TP with IPSec.

15. Click the Settings button and select the Enable LCP Extensions and Enable Software Compression options, and, if you are able to use multiple links to the Internet, select the Negotiate Multi-Link for Single Link Connections option. Click OK.

16. Click the Advanced tab. Under the Windows Firewall section, click Settings. Because this is a VPN connection, and it is separate from the Internet connection, you need to disable the Windows Firewall, so select the Advanced tab, and under the Network Connection Settings section, clear the box next to the VPN connection. Click OK.

17. Click OK again.

18. In the Connect dialog box, type your username, password, and domain in the appropriate boxes. Click Connect. After you have connected, open My Network Places, browse through the network, and test whether you can transfer a file to your computer.

Creating a Dial-Up Connection to Connect to a Remote Access Server

You can create a dial-up connection to most remote access servers using the same wizard that you used to create a VPN connection. Start by opening Control Panel, selecting the Network and Internet Connections category, and double-clicking Network Connections. In the task pane, select Add a Network Connection. In the wizard, click Next to go to the second screen. You then choose Connect to the Network at My Workplace and click Next. Click Dial-Up Connection and click Next. Type a name for this connection and click Next. Type the phone number for remote access. If you have multiple phone numbers, type one of them and configure the rest later. Click the Finish button in the final screen. Your connection has been created. After you have successfully produced a dial-up connection, you can specify the configuration options to match those of your remote access server. Right-click the connection icon and select Properties from the shortcut menu. The connection's Properties dialog box consists of the following tabs, each with different types of configurations:

  • General This dialog page enables you to select which modem or device to use in the connection, and a Configure button leads to the device's hardware configuration options. The Phone Number section lets you change the phone number and, by clicking the Alternates button, insert additional phone numbers and place them in an order to be dialed. If you select the box to use the dialing rules, the connection can automatically insert the correct leading numbers, such as long distance information when the computer is dialing from a long distance number or the code that will cancel Call Waiting. The last option on this page is to display an icon in the taskbar whenever this connection links up.

  • Options This tab provides the presentation features, such as prompting for a name and password, including the Windows domain, and redialing options if the line is busy or the connection dropped. The X.25 button enables you to configure the connection to use X.25 rather than the Plain Old Telephone Service (POTS).

  • Security As you can guess, the Security tab lets you select the security protocols to use, including EAP (for smart card, certificate services, or MD5-Challenge), CHAP, MS-CHAP, PAP, SPAP, and so on. You can also configure interactive logon and scripting, which can assist you in troubleshooting a consistent modem connect failure.

  • Networking The networking dialog enables you to choose between PPP and SLIP. You should select PPP only unless your remote access server does not allow PPP but allows only SLIP connections. (SLIP allows only TCP/IP.) You can configure the TCP/IP options specifically for this connection, plus configure NetBEUI and NWLink.

  • Advanced This dialog lets you share the connection with other computers on your local network and configure the Windows Firewall. Given that this is a private connection between a single computer (or small private network) and a private network, you should not select the Windows Firewall because it may impede access to resources or impact performance.

Connecting to the Internet by Using Dial-Up Networking

Internet connections are configured identically to private network connections except that you must specify TCP/IP as the protocol. Most Internet Service Providers (ISPs) provide a CD-ROM with proprietary software to connect to and use the Internet. This software usually creates an Internet connection in the Network Connections applet for you. The reason ISPs do this is to make it very simple for a new user to configure a connection to his or her network.

To configure your own connection to an ISP, you use the same Add a Network Connection Wizard. However, in this case, you select the Connect to the Internet option button. The dialog then allows you to select an ISP from a list, set up the connection manually, or use the ISP's CD. Click Set Up My Connection Manually and click Next. The resulting dialog box enables you to use a modem, broadband device that requires a password (typically a DSL modem that dials into the ISP), or a broadband device that is always on (such as a cable modem or DSL). Select the first option button and click Next. Type the name of the ISP and click Next. Type the phone number of the ISP and click Next. In the next screen, enter the name and password that the ISP provided you, and type the password again in the Confirm Password text box. Select the options for whether you want everyone who uses the computer to have access to this Internet connection, and whether this will be the default Internet connection for the computer. Click Next when you are finished. You can click Finish to then open up the Connect screen. If your ISP provided you with additional configuration information, you should click the Properties button to fine-tune your connection.

Configuring and Troubleshooting Internet Connection Sharing (ICS)

Quite often, it is not feasible for a small office or a home user to install a high-speed dedicated link to the Internet, such as a T1 line, or have each computer dial up to an ISP. Even dedicated broadband links offered to home users are reasonably priced only if they are connected directly to a single network adapter in a computer.

One of the growing trends for small office or home networks is to share an Internet connection with all the members of the network. Windows XP Professional contains a feature called Internet Connection Sharing (ICS), which enables a small office or home network to use one computer on the network as the router to the Internet.

Windows XP's ICS components consist of

  • Auto-dial A method of establishing the Internet connection when attempting to access Internet resources on a computer that does not host the Internet connection.

  • DHCP Allocator A simplified DHCP service that assigns IP addresses from the address range of 192.168.0.2 to 192.168.0.254, with a mask of 255.255.255.0 and default gateway of 192.168.0.1.

  • DNS Proxy Forwards DNS requests to the DNS server, and forwards the DNS replies back to the clients.

  • Network Address Translation (NAT) Maps the range of IP addresses (192.168.0.1 to 192.168.0.254) to the public IP address(es), which is assigned by the ISP. NAT is a specification in TCP/IP that tracks the source private IP addresses and outbound public IP address(es), reformatting the IP address data in the header dynamically so that the source requests reach the public resources and the public servers can reply to the correct source-requesting clients.

ICS can be used to share any type of Internet connection, although it must be a connection that is enabled for all users on the PC dial-up for sharing to be effective. To enable ICS, you need to make sure that the Internet-connected computer has been configured with connections for a modem and a network adapter. If you are using broadband, you need two network adapters: one to connect to the broadband device for the Internet and the other to connect to the network.

Caution

Check for use of IP address 192.168.0.1 Before you configure ICS, you should ensure that no computers are currently assigned an IP address of 192.168.0.1 because the network adapter on the ICS computer is automatically assigned that address when ICS is configured.

You can use the Set Up a Home or Small Office Network Wizard, which is in the task pane of the Network Connections window. When you configure the computer that will share the Internet connection, you can select the option labeled This Computer Connects Directly to the Internet. The Other Computers on My Network Connect to the Internet Through This Computer. With the same Set Up a Home or Small Office Network Wizard, you can select the This Computer Connects to the Internet Through a Residential Gateway or Through Another Computer on My Network option when you configure the other computers on the network.

However, if you want to share an Internet connection so that you have more hands-on control, you can start by right-clicking the Internet connection in the Network Connections applet in Control Panel and selecting Properties from the shortcut menu. Then click the Advanced tab, as shown in Figure 11.11.

Figure 11.11. ICS is configured on the Advanced tab of the network connection to the Internet.

Click the drop-down box under Home Networking Connection and select the connection that connects to the home or office network. If the Internet connection is through a dial-up DSL, analog modem, or X.25 connection, and you want any computer on the network to be able to connect to the Internet on demand, you should select the Establish a Dial-up Connection Whenever a Computer on My Network Attempts to Access the Internet check box. If other people will be logging on to the computer and you want them to be able to make changes to this, select the Allow Other Network Users to Control or Disable the Shared Internet Connection check box. Click the Settings button to enable the protocols that computers on the Internet can use to access computers on your private network. When you select a box next to one of these options, you are prompted for the IP address or name of the computer that provides the service, and in certain cases you can customize the port number, which helps to avoid security problems. These are shown in Figure 11.12. If you want to provide a different service via a protocol not shown, click the Add button.

Figure 11.12. If you have servers on your network providing these or other services, configure them in the ICS Advanced Settings.

After you have configured ICS, you should first test the host computer to ensure that it can still access the Internet. After you have validated the ICS host, you can test the connection from one of the other computers after configuring it.

To configure a client computer, you should log on to a client computer as an administrator. Open the Network Connections applet in Control Panel. Right-click Local Area Connection and select Properties from the shortcut menu. Click the General tab, if it is not already selected. In the This Connection Uses the Following Items list, highlight Internet Protocol (TCP/IP) and then click the Properties button. ICS automatically configures the sharing computer as a simple DHCP server, providing IP addresses in the private IP address Class C range of 192.168.0.2 to 192.168.0.254 and a mask of 255.255.255.0. The IP address of the ICS computer is 192.168.0.1. Therefore, you should ensure that the IP properties are configured to obtain an IP address automatically. (You can configure a static IP address if you prefer. You need to use one in the same range and with the same mask of 255.255.255.0, along with a default gateway address of 192.168.0.1.) Click OK to close the dialog. Open Internet Explorer and type a URL, such as http://www.microsoft.com. You may need to wait for the ICS computer to establish a connection with the ISP, but after that has completed, you should see the web page.

If you have problems with ICS, you should open Event Viewer and check out the System log for any errors related to ICS. In addition you can view the NSW.LOG file to look for errors.
