This article talks about Windows XP and the new features it brings with it. Microsoft has introduced a powerful new operating system which brings a lot of flexibility and ease of use to the user, while at the same time remaining an extremely reliable and sturdy operating system for both the average and the heavy user. In this article we start with the requirements XP needs for optimum operation and how we can meet them. We then cover the bits and pieces of installing, upgrading and migrating user settings, and highlight the powerful new installation features such as unattended and remote installations. Microsoft also aims at the home market with this operating system and has included several new features such as user account and group management at a much easier GUI level, yet it remains the same reliable platform, if not a better one, for setting local security, group security and domain security policies. Microsoft has also added several new auditing features which generate detailed reports in the event logs for the administrator. We also discuss the Windows Installer included in this operating system, which helps remove code clutter and in turn gives us a more stable system than earlier releases. There is a significant improvement in the user interface, with greater ease of use for the everyday user and options such as multilingual support aimed at the corporate environment. Windows XP also takes hardware support and installation to a new level with its plug-and-play features and very good compatibility with mobile hardware. We then discuss the NTFS file system on which Windows XP runs and its advantages over the old FAT and FAT32 file systems. Windows XP also gives us a good networking setup and troubleshooting environment with features like offline folders and resource management, and remote connectivity has become a much more achievable target, giving the telecommuter the flexibility to work from home. Finally we look at how the new operating system stands up to its legacy predecessors in terms of performance, optimization, recovery, backup and other services. All in all, Microsoft has released a powerful beast of an operating system onto consumers, and it is up to us to realize and use Windows XP at its full potential.

Meeting Minimum XP Requirements:

Microsoft's minimum requirements for Windows XP can be classified into several categories. The most important is the minimum processor speed, which Microsoft sets at 233 MHz. I personally do not agree with such a low standard, since the cost of processors is dropping fast and the processor is the biggest driver of a machine's performance; a minimum of 300 MHz is what I would recommend at the lowest level. The control machine investigated in this report meets or exceeds the requirements of an average user: its processor is a 2.5 GHz Pentium 4 and it performs at an optimal rate. Windows XP Professional supports two processors, but that is not necessary in this scenario. The next requirement is RAM. The minimum Microsoft states for Windows XP Professional is 64 MB, which is clearly too low by current standards, and Microsoft itself notes that some functions are unavailable at 64 MB, Fast User Switching being one example. I personally recommend a minimum of 256 MB for any machine with average performance requirements running Windows XP Professional. The control machine has 1 GB of RAM, which takes load off the processor and provides excellent performance when many applications are in use at once. Hard drive requirements have been growing with every release, and Windows XP Professional requires a minimum of 1.5 GB of disk space. The increase is explained by the larger operating system and everything bundled with it, for example built-in CD writing support and a built-in firewall. The control machine satisfies the disk requirement easily with a 120 GB primary (master) hard drive and a second 120 GB (slave) hard drive; some flaws in this layout are highlighted in the backup section of the report. One clear advantage of two hard drives is that the paging file can be placed on the second drive for better performance. The control machine also exceeds the display requirement: Microsoft has raised the bar to 800 x 600 as the minimum resolution, and many video drivers will not let you go below it, while the control machine supports up to 1600 x 1200. Microsoft also recommends keeping setup floppies or a bootable CD for repair and reinstallation, which the control machine meets; I personally recommend a bootable CD over setup floppies, which are more prone to failure over a long period of time. A better option still is image backups and image installs, discussed later in this report. The BIOS is ACPI (Advanced Configuration and Power Interface) capable, which lets Setup install the ACPI HAL (Hardware Abstraction Layer) and so enables power management and automatic shutdown. Windows XP Professional has many graphical features that can only be used with a good graphics card; the control machine has a card with 128 MB of dedicated graphics memory for exploiting them.

Installing Windows XP:

I would like to point out some installation features available during a Windows XP install. During the text-mode phase of a clean install, at the "Press F6" prompt, you can press F5 to choose the HAL from a menu. This is critical for an individual or organization that wants automatic power-off: the BIOS has to be ACPI capable, and Setup has to install the matching HAL, for this feature to work. It is always recommended to update the BIOS to ACPI capability before installing Windows XP; changing the BIOS's ACPI mode after installation carries a serious risk of an unbootable OS and should not be attempted without a proper backup of your data. F6 at the same prompt lets you supply drivers for SCSI/RAID adapters from a floppy. You can also turn off ACPI by pressing F7, which gives you a HAL that is not ACPI capable. ACPI can interfere with some roles, for example on a server-type machine automatic shutdown is not a feature you really want. The rest of the process is the familiar one, where you can create and delete partitions on your hard drive and choose between NTFS and FAT32. I would recommend NTFS; in any case Setup will not format a FAT32 partition larger than 32 GB, so for a large drive NTFS is the only choice. Keep the security implication in mind as well: only NTFS gives you file permissions, auditing and encryption. Windows XP then does the hard work and moves into the GUI-mode phase, where it asks for the product key, your name and regional settings. The most important step is setting the Administrator password; write it down and keep it somewhere safe. Setup also asks for the computer name, the network configuration, whether you are joining a domain or a workgroup, and your IP settings. NetBEUI is no longer installed or supported in this version of Windows (it is only available, unsupported, from the VALUEADD folder on the CD). You can also open a command prompt during the GUI phase by pressing Shift+F10, which lets you move files between drives, access files you need and even install drivers for new hardware during installation. For people who want the old-style installation you can press Shift+F11 for the old-style wizard settings. Microsoft has also implemented Dynamic Update, which means that as long as you have an internet connection Setup will try to download the updates it needs before your machine is up and running; it will also install new device drivers as long as the manufacturer has had its drivers Windows Logo certified. Dynamic Update only runs when Setup is started from an existing Windows installation (winnt32.exe), not when you boot from the CD. Microsoft also lets you host your own Dynamic Update share to avoid clogging bandwidth in a corporate environment with machines all going to Microsoft's website: the administrator downloads the Dynamic Update package from the Windows Update corporate site, puts it on a file share, and points installs at it with the DUShare setting in the [Unattended] section of the answer file (DUDisable=Yes turns Dynamic Update off entirely). Another feature is Windows Product Activation, which does not apply to volume license media, where the same media kit is used for multiple installs. Retail and OEM licenses do require activation, which creates a hash of your computer from several hardware characteristics. Activation can also be driven from the answer file (AutoActivate=Yes) and the information sent over HTTP or HTTPS, and Microsoft's rule is that reactivation is required after several pieces of hardware change on your computer.

Upgrading Windows XP:

Most administrators do not have the luxury of a clean install because a lot of software and data is already installed on the current operating system. The biggest drawback of an upgrade is that all the legacy code and baggage in the old operating system is carried over to the new one. Windows XP Professional can be upgraded from Windows 98, 98 SE, Me, Windows NT 4.0 Workstation (with SP6) and Windows 2000 Professional. Server editions (Windows NT 4.0 Server, Windows 2000 Server) cannot be upgraded to XP Professional, and neither can Windows 95 or Windows 3.x. A compatibility check should always be made before upgrading: run Setup as winnt32 /checkupgradeonly for a report on the hardware and software on the machine that is not compatible with Windows XP. If you are running Windows NT 4.0 with fault-tolerant sets (mirrors, stripe sets with parity) or volume sets, those drives will be inaccessible once you install XP, since XP does not support NT 4.0 fault tolerance or volume sets. Microsoft does give you an easy way out with the ftonline tool from the Support Tools, which brings the fault-tolerant set online read-only so you can back up the information, recreate the volume as a dynamic-disk volume and restore the data. You cannot, however, create fault-tolerant volumes with Windows XP. In case of a serious problem you can roll back the upgrade from "Add or Remove Programs" in the Control Panel; this is only offered for upgrades from Windows 98/Me, and the biggest drawback is that once you convert from FAT32 to NTFS you can no longer uninstall the upgrade and get your old operating system back. The install procedure is pretty much the same as the one we saw for a clean install, without the headache of partitioning. It even tries to download updates (Dynamic Update) if an internet connection is detected. Software, regional settings and other user settings are preserved. The upgrade does come with a different logon screen depending on the environment: in a domain the user sees the Ctrl+Alt+Del logon screen, whereas in a workgroup the user sees the Welcome screen.

Migrating User Settings:

User settings are extremely important in a corporate environment to preserve the same look for a user. The Files and Settings Transfer Wizard comes to our rescue, down to the last Solitaire icon on the user's computer. It transfers settings in four categories. The first is appearance, which includes color schemes, sounds and so on. Second, it keeps internet settings like your favorites and your internet security settings. Third, it backs up your account settings such as your e-mail accounts and the addresses stored in Outlook. Finally, it even transfers the settings of installed software like Microsoft Office and third-party software like Adobe. The drawback is that the software has to be installed on the new machine before its settings can be reapplied. The wizard can be started from the Windows CD through "Perform Additional Tasks". The process is simple and visually guided: you choose files only or both files and settings, and transfer them over a direct cable, floppies/removable media or the network. It can also be used from XP to XP, for example to bring a brand new machine up to company standards. However, it should only be used in small offices. A better option for large offices is the User State Migration Tool (USMT) for scripting mass migrations. USMT is made up of several tools, one of which is scanstate.exe, which is driven by the files migapp.inf, migsys.inf, miguser.inf and sysfiles.inf, and you can change these files as you please. A simple illustration would be to edit migapp.inf, put in the settings and the files you need to transfer, and run scanstate.exe on every computer, for example scanstate \\server\share\user1 /i migapp.inf /i migsys.inf /i miguser.inf. The new machine then runs loadstate.exe with the same store and .inf files, which unpacks the store and loads the settings. As with the Files and Settings Transfer Wizard, this transfers settings for applications but not the applications themselves, for example it will not install Adobe Acrobat on your computer and then transfer its settings; if an application is not detected on the computer its settings are not applied. The tool is found on the CD under \VALUEADD\MSFT\USMT. The process is completely scriptable, so an administrator can send the commands to all users, for example by e-mail, and does not have to be present at every machine to run it.

Unattended Installation:

Microsoft also supplies tools for unattended installation, a great feature for network administrators in large corporate environments, since it saves the tedious task of sitting down at each computer and installing Windows XP by hand. Unattended installation is made possible through a tool called Setup Manager (setupmgr.exe, shipped in Deploy.cab under \SUPPORT\TOOLS on the CD), which writes the answer file unattend.txt, making it possible to answer in advance all the questions Windows XP Setup would otherwise ask during installation. A simple way to implement this is to put all the required setup information in unattend.txt and provide the file on a floppy disk during installation, or build it into the image if you are deploying from an image. One thing to keep in mind is that the answer file usually contains the local Administrator password and, for a domain join, the password of a domain account, so it must be kept on media or shares that only the deployment staff can read. There is one drawback, since each computer requires some

ntuser.man and no changes will be saved when the user logs off, so he or she will get the same default profile when logging back on.

Local Security Policy:

Local security policies give the administrator several measures to maintain security in a workgroup. Local policies come in three types: audit policy, user rights assignment and security options. There are also account policies, which include password policy and account lockout policy. Password policy lets us enforce password rules: the administrator can set minimum length, history, minimum and maximum age and even complexity requirements for secure environments. Account lockout policy stops attackers from trying to log on over and over with every possible password (brute force) by locking the account after a set number of bad attempts within the observation window. Note that lockout only defends one account at a time: an attacker who tries one or two common passwords against many accounts never reaches the threshold, so logon failures must also be audited and watched. User rights assignment lets the administrator grant specific rights (for example who may log on locally, shut down the system or back up files) to specific users and groups, so different users have different powers on the machine and the network. Audit policy lets us generate records of who is trying to do what on the machine or the network. Microsoft makes our work easier by providing preconfigured security templates, which are groups of settings for various scenarios (for example compatws.inf, securews.inf and hisecws.inf for workstations) shipped as .inf files in %SystemRoot%\security\templates. You can implement them either by importing the .inf file into a Group Policy object or by using the Security Configuration and Analysis snap-in, so they can be applied to a local machine or to a group of machines, and they are easy to create and edit through the MMC. The procedure is: create a console, add the Security Templates and Security Configuration and Analysis snap-ins, open (create) a database, and import a security template into it. Then you can analyze the computer against the template, which flags every setting that differs, or configure the computer to the template's settings. The same analysis and configuration can be scripted with secedit.exe (secedit /analyze and secedit /configure, each taking /db for the database and /cfg for the template, and secedit /export /cfg to dump the current settings). You can also save the console as a shortcut for quick access to each machine's security settings.

Group Policies:

The main function of group policy is to implement restrictions on a computer so that users cannot unintentionally mess up the operating system. In a workgroup you can use local group policy, which applies only to that machine and its users, so to cover an entire workgroup you have to configure it locally on each machine, which can become a headache. You can, however, keep an MMC console on your computer with the Group Policy snap-in focused on each remote machine and implement the policies from there. In a domain you implement these policies through Group Policy objects linked to sites, the domain and organizational units in Active Directory. By default group policy is refreshed periodically in the background (every 90 minutes with a random offset on workstations), but you can run gpupdate (gpupdate /force reapplies every setting) to download and apply new policy immediately, and gpresult shows which policies were applied. Group policy is accessed the same way as local policy, by adding the Group Policy snap-in; you can edit the local policy or connect to a remote machine by clicking the Browse button, but you need administrative rights on that remote machine. Policies are applied in the order local, site, domain, OU, and later ones win, so domain policy overrides local computer policy.

Auditing Windows XP:

As a network administrator one of the main tasks is to make sure that resources are being used the way they should be, and not being used the way they should not be. Auditing in Windows XP is the feature that helps us track these key events. It can track successful or failed events, or both, so the administrator can choose between recording things being done correctly and things not being done correctly. The most important categories are object access (file and printer access) and logon events. One drawback of object auditing is that it is a two-part setting: the audit policy itself can be pushed from a domain GPO, but the audit entries on each file or printer still have to be set on that resource. Object access auditing should not be turned on across the entire domain without thought, since it does take a performance hit and fills the Security log quickly. An example is Audit object access, which records successes or failures of access to files and printers. Enabling this alone does not turn on auditing for any file; to do that you go to the properties of the folder or file you want to audit and open the Security tab. If you cannot see the Security tab, either Simple File Sharing is turned on or your drive is FAT32: you need an NTFS partition and Simple File Sharing turned off (Folder Options, View tab) for the Security tab to appear. In a domain environment Simple File Sharing is turned off by default. Once you see the Security tab, click Advanced, select the Auditing tab and add the user or group whose access you want to audit. Audit records can be read in the Security log in Event Viewer (Control Panel, Administrative Tools). Finally, the key thing to remember about auditing is that it has to be turned on in two separate places: once in the local security policy (or a GPO) and a second time on the resource you want to audit, such as a file or printer.

Windows Installer:

If you install an application on Windows XP you are most probably using the Windows Installer. Microsoft introduced it with Windows 2000 to stop applications from just installing themselves and clobbering other applications' DLLs. There were also problems during uninstall, where a program would remove a shared Windows component and the system might then not boot. The Windows Installer service is integrated into the operating system to make programs well behaved. It introduces package files (.msi), which are the installation files on the CD itself. There are many advantages to using the Windows Installer, for example the ability to self-heal: when the program detects that a DLL is corrupt or missing it can repair itself by pulling the file back from the source CD or network share. There is also rollback: the installer records what it changes and backs up the files it replaces during the installation, so if something terrible happens it rolls the system back to the state it was in before. There is also install-on-demand, where features are installed only when the user or the system first needs them; they are obtained from the source, either media such as a CD or a network share. Source resiliency lets us define several source locations from which the files can be fetched in case one source is unavailable or corrupted. In a domain you can publish an application, which lists it in Add or Remove Programs for the users or groups you choose so they can install it when they want, or assign it. An application assigned to users does not really install itself; it places a shortcut on the user's desktop or Start menu, and the first time the user opens it the Windows Installer service installs it (an application assigned to a computer is installed the next time the computer starts). Windows Installer also lets two different versions of the same program, using two different versions of a DLL, coexist on the same machine. msiexec is the command-line installer and the core of the Windows Installer. It has several switches and you can run it from the command line to install those problematic applications, for example msiexec /i package.msi /qn /l*v install.log for a silent install with a verbose log. One of the most important switches is /f, which repairs a bad installation; its modifiers say how thorough the repair is, for example /fa forces every file to be reinstalled and /fm and /fu rewrite the machine and user registry entries.

User Interface:

Windows XP gives the average user a lot of power and makes it easy to configure his or her interface. Configuring the desktop is something you can do almost to an extreme. The standard desktop settings remain, such as changing wallpapers, colors and sounds. There are also themes and visual styles which change the entire look of Windows XP; they are handled by the operating system itself, with no third-party tools needed. Simple day-to-day tasks have been made a lot easier with the folder and file tasks shown on the left-hand side of Windows Explorer. The Start menu has become more powerful than before, and it customizes itself according to which programs you use most. For old-school people Windows XP does give you the option of switching to the classic desktop: right-click the desktop, go to Properties and change the theme to Windows Classic to get the old Windows look. The Appearance tab lets the user pick a color scheme, or you can go into Advanced and pick colors for each part yourself. The Effects button is the most underused, giving you cleaner fonts (ClearType) and control over window animations. Most of the appearance is customizable in Windows XP, and Microsoft is trying hard to please every type of user.

Interface Options:

Microsoft has added a lot of interface options for users who otherwise have problems using the computer. One is accessibility, where Microsoft has included options like StickyKeys, FilterKeys and ToggleKeys, sound cues and the On-Screen Keyboard. There is also Narrator, which gives text-to-speech for the visually impaired, and Magnifier, which is also a great asset. An easy way to start Narrator, Magnifier and the On-Screen Keyboard is to press the Windows key + U, which opens Utility Manager. Multilingual support is included in Windows XP as in Windows 2000. Not all applications support it, but it can be enabled for almost everything. All that is required is to go to Regional and Language Options in the Control Panel, install the language you want to work with and add the matching keyboard layout, and you are done. One drawback is that for other users to read a document created in that language they must have the same language support installed on their computer. You can even change the entire interface of the computer to another language by installing the Multilingual User Interface pack for that language. This is a strategic advantage for global organizations operating in different regions: a single installation and a single copy of a file can serve users in different languages, instead of storing one per language.

Hardware Installation:

Windows XP supports Plug and Play: you can just plug in devices and it detects them automatically. One of the most important advantages is that signed drivers are installed automatically without prompting, which saves the administrator a lot of headaches when installing different pieces of hardware; non-Plug and Play devices still require manual installation. The user needs administrative privileges to install hardware and drivers, and devices can be maintained through Device Manager, reached by right-clicking the My Computer icon. Microsoft is pushing a setting known as driver signing. A signed driver carries a catalog file signed by Microsoft, which shows that the driver passed Windows Hardware Quality Labs testing and that its files have not been altered since. With an unsigned driver the user is warned before installing it but can still choose to go ahead or not. Vendors have to actively pursue getting their drivers signed by Microsoft. This can raise several issues on a network for the administrator to handle, where people bring in their own USB devices, plug them into their systems and cause warnings and incompatibilities. The administrator can handle this by blocking the installation of unsigned drivers. One of the drawbacks in Windows 2000 was that a user could modify the registry keys holding the driver signing policy, install an unsigned driver, and then change the keys back. This loophole has been fixed in Windows XP: the user is not given the ability to change those keys, and so cannot install unsigned drivers without administrative permission. Another useful feature is the ability to roll back drivers in case of a mishap. Updating device drivers still requires administrative privileges, and it is one of the most frequent causes of system crashes. This is where rollback kicks in: Windows XP keeps a copy of the previous version of your driver, which you can fall back to from Device Manager if an update fails. There is also the Last Known Good Configuration on the F8 boot menu, which should be the last resort if the machine will not boot after a driver change. Driver signing gives us the options Ignore (install silently), Warn or Block for unsigned drivers, and you can run sigverif.exe to list the unsigned system files already on a machine. A normal user can always choose a stricter option than the administrator's default, for example Block where the administrator selected Warn, but cannot choose a less strict one such as Ignore.

Hardware Support:

Windows XP supports most kinds of hardware these days; you can pretty much take anything on the market and it will be supported. Windows XP even supports smart cards out of the box. One of the coolest features is multiple monitors: you can connect up to ten display devices to one machine. There is also dual-head support, which lets the user drive two monitors from a single video adapter; for example a laptop can be connected to an external monitor that shows a different desktop from the laptop screen or extends it. Windows XP supports the DirectX and OpenGL graphics APIs. Microsoft is aiming this at the gaming market, where they have finally been able to run DirectX on the NT core so games perform at an optimum level. Another service included out of the box is fax support, which will meet most users' day-to-day needs for sending and receiving faxes. Fax support is not installed by default; the user has to install it through Add or Remove Windows Components. As soon as you install the fax service, Windows XP creates a virtual fax printer through which documents are sent as faxes.

You can also have your machine receive faxes through the fax service. Setting up fax services is pretty easy for the average user to configure. It does require a telephone
| unique information like computer name and IP | | | | number and other information. You can even |
| addresses. This can be handled through a UDF | | | | set it up to auto print faxes or choose how |
| file which is the unique database file. IP | | | | you would like to be alerted. One of the |
| addresses on the other hand can be handled | | | | directions most new hardware is trying to |
| through DHCP and other processes. If you are | | | | move this towards using USB and firewire |
| booting off an image, this can be achieved by | | | | (IEEE 1394) ports. These are plug and play |
| scripting the winnt32 file. The command line | | | | hot swappable devices which you can connect |
| should read like this winnt32 /s: source path | | | | and disconnect without having to install any |
| /u: unattend.txt /udf: udf path. However, if | | | | drivers. One of the features of USB is that |
| booting of a CD then this file should be | | | | you can target USB root hub through device |
| placed inside the floppy disk with the name | | | | manager to allocate power to each hub. |
| winnt.sif. This feature is again hidden | | | | Another way to get out of this power drain is |
| inside the Win XP and can be accessed through | | | | to use a self powered external hub which |
| the SUPPORT/TOOLS/ path and then by | | | | draws its power externally to function. You |
| extracting the deploy.cab file. This file had | | | | can even take a look at the universal host |
| to be extracted and will then reveal all the | | | | controller in device manager under the USB |
| tools you require to deploy and unattended | | | | drop down menu to see the amount of bandwidth |
| installation of Win XP. There are also three | | | | taken by each controller. |
| very helpful reference files inside this | | | | |
| folder which give you a lot of information of | | | | Mobile Computer Hardware: |
| using these tools. The setup manager tool a | | | | |
| GUI tool which guides you through setting up | | | | Windows XP has a pretty good mobile hardware |
| the process of creating the uanttend.txt and | | | | support. As more and more users switch from |
| the unique database file. It follows the | | | | desktops to laptops Microsoft has increased |
| simple procedure of asking questions starting | | | | its support and capabilities towards mobile |
| from the organization and user name, Win XP | | | | hardware. One of the most important features |
| key (This is the most important feature and | | | | is included support for ACPI which saves a |
| has to entered correctly otherwise the | | | | lot of battery power on laptop machines. |
| installation would not take place), workspace | | | | Applications can also request no power saving |
| or domain settings, regional and internet | | | | incase of server machine where applications |
| settings, language and time zone settings, | | | | need to keep running constantly. Dynamic |
| computer names and even external commands to | | | | docking and undocking creates separate |
| start up other installations for e.g. | | | | profiles for docked and undocked mode. ACPI |
| installing Microsoft office after Win XP | | | | gives the capabilities of power management |
| install. This setup manager also gives us the | | | | through power options available in control |
| options of several types of install like GUI | | | | panel. Power management facilities give us |
| installation, read only installation (user | | | | the flexibility to maintain different power |
| can see everything but cannot change | | | | settings incase of desktops and laptops. Also |
| anything) and others. You do not have to | | | | it even creates different settings when the |
| create this unattned.txt file from scratch | | | | laptop is in docked mode and running on AC |
| for each terminal and can modify this file as | | | | power and when in undocked mode and using |
| per your needs for every other user. However | | | | battery juice. One of the power saving modes |
| this does become extremely cumbersome for | | | | is the hibernation mode where the computer |
| large environments and the headache of | | | | dumps its memory on the hard drive and shuts |
| creating a unattned.txt file for each user in | | | | itself off and when you start it again it |
| a larger corporate working area. Microsoft | | | | reloads its RAM from the hard drive. An |
| does have its answer to that which is called | | | | easier way for an average user are built in |
| the sysprep tool or the system preparation | | | | power schemes given by Microsoft that help |
| tool which gives us the ability to roll out | | | | you mange your power settings better to get |
| clones of operating systems on each machine. | | | | the maximum time out of your laptop. Windows |
| This does give the network administrator the | | | | XP also gives you the flexibility to set up |
| ability to somewhat use a cookie cutter style | | | | UPS and adjust hibernation. In order to bring |
| to roll out machines with preinstalled | | | | your computer to hibernate mode initiate a |
| applications and operating systems customized | | | | shit down sequence and then when the window |
| before the mass installation procedure. The | | | | pops up hold down the shift key to change the |
| problem however can arise in the security | | | | standby option to hibernate. Hibernate is |
| identifiers (SID) that Microsoft uses to | | | | much bigger power saver then standby, since |
| identify each machine and unique to that | | | | standby still consumes a lot of power. You do |
| machine. You can use cloning tools to roll | | | | need to log back on to the system after |
| out these clones but you still have to use | | | | hibernation. Windows also has wireless |
| sysprep to authenticate support. Microsoft's | | | | support for Windows XP through Bluetooth |
| strips those SID's out and repacks them so | | | | (802.11b) and Infrared technology built in to |
| when the user sits down on the brand new | | | | the operating system. Windows XP can detect |
| machine he has to enter some information for | | | | and connect automatically to wireless |
| the machine to get going. The applications | | | | networks using either an access point or an |
| are installed in the background though, but | | | | ad hoc ability (ad hoc ability connects |
| its Microsoft's way of making sure that each | | | | multiple computers to each other without |
| machine has a unique SID after installation. | | | | having to connect to an access point). |
| Administrators are advised to run the latest | | | | |
| third party cloning facilities to achieve the | | | | Storage Devices: |
| optimum results and then use sysprep to | | | | |
| repack the machine as a brand new one for the | | | | Windows XP hard disk support comes in two |
| SID's to work safely and in accordance to | | | | different flavors. The first one is the old |
| Microsoft. However you have to be extremely | | | | style know as basic disks which include four |
| careful before rolling out clones since they | | | | primary partitions or three extended |
| are very hardware specific, so your terminals | | | | partitions and one extended partition. |
| should have identical HAL's, mass storage | | | | Microsoft has now implemented a new strategy |
| device controllers and ACPI support. VAR's | | | | know as volumes disks. You can have up to 200 |
| (Value added resellers) should use the | | | | volumes per driver, however Microsoft does |
| -factory mode switch to install and | | | | recommend you to not go this high and has set |
| reconfigure the machine as per according to | | | | a limit of at most 32 volumes per drive. If |
| their requirements. This is also known as the | | | | you plan to multiboot using this drive |
| audit mode and the machine can resealed after | | | | dynamic disks and dynamic volumes are only |
| this by running sysprep again with a -reseal | | | | usable by Windows XP and Widows 2000. |
| switch. This can also be done automatically | | | | Applications don't really have an issue with |
| using the file WINBOM.INI. | | | | dynamic disks. One drawback is that laptop |
| | | | computer and removable storage cannot have |
| Remote Installation Services: | | | | dynamic disks since this is really used when |
| | | | there are multiple drives. You cannot mix |
| A remote Installation service gives us the | | | | dynamic and basic disks on one drive. On |
| power to install Win XP over the network. | | | | basic disk you can primary and extended |
| Microsoft uses a PXE (Preboot Execution | | | | partitions only and you cannot create |
| environment) to achieve this and the setback | | | | fault-tolerance volumes or even span drives. |
| is that you're network card should be PXE | | | | Dynamic disks have this ability. The first |
| certified. However, Microsoft also gives some | | | | step is a simple volume which can be NTFS, |
| hope to some left behind by giving us the | | | | FAT or FAT32. The next step above this is a |
| option of using boot disks for people who do | | | | spanned volume used in a case of multiple |
| not have PXE certified network cards but, | | | | hard drives where you can add more space to |
| there always is setback and this time it's | | | | hard drive without adding another drive |
| that this feature is supported by only very | | | | letter. Simple volumes can be extended to |
| specific network cards. Unfortunately, if | | | | create spanned volumes but the kicker is that |
| you're network card does not belong to any | | | | you cannot extend a system or boot volumes. |
| one of these classes you are out of luck and | | | | The third case is a striped volume which is |
| cannot use this feature. The basic way to | | | | written on both drives which doubles your |
| setup is to connect to a RIS sever (Remote | | | | throughput on both drives. This in turn |
| Installation server). Once you are connected | | | | increases performance and also doubles your |
| to the RIS server there are three ways to | | | | throughput on reading and writing. You can |
| connect and install Win XP. The first one is | | | | access these management tools by right |
| a simple installation where you download and | | | | clicking on My Computers and then selecting |
| run an image of Win XP CD. The second process | | | | manage and choosing Disk management in the |
| is a scripted installation by creating an | | | | computer management window. It is very simple |
| answer file and achieving an unattended | | | | to convert a disk to a dynamic disk, the |
| installation. The final and the most powerful | | | | process involves right clicking on the disk |
| is the System image which uses a tool RIPrep | | | | icon itself on the left most side and |
| (Remote Installation Preparation tool). This | | | | choosing convert to dynamic disk. This |
| allows us to create an image with all the | | | | renders it unusable by other operating |
| customized applications installed on them and | | | | systems since the partition table is |
| then transfer that image to all the required | | | | rewritten. You can extend a simple volume by |
| machines. RIS requires an active directory | | | | just right clicking and choosing extend |
| environment with integrated DNS built it. The | | | | volume and choose the desired size you would |
| RIS server must be setup in the active | | | | like to extend the volume to. Converting an |
| directory. Most administrators would dedicate | | | | existing basic setup to dynamic setup |
| a separate sever for this process. Microsoft | | | | requires at least 1MB of unpartitioned space |
| also states that the RIS partition should a | | | | but vice versa is only possible through |
| separate one and should not a boot or system | | | | reformat. For users updating their system |
| partition, so you would have to throw in a | | | | from other legacy system you need to use |
| spare hard drive and drop this image on it. | | | | FTONLINE to bring your data online mount it |
| Also, the partition must be an NTFS. RIS | | | | and then wipe out your drives and bring your |
| installation utility and RIS preparation | | | | data back to the drives. It is not a long |
| utility will allow you to put the different | | | | term solution for storage. There are also |
| images on the server. The process then | | | | other removable storage media like CD's |
| requires the Win XP CD and copies the I386 | | | | floppies and USB hard drives. Windows XP has |
| directory on the server and you can then | | | | full support for burning CD's included into |
| choose to scripted installs or simple | | | | the operating system. However, it's not as |
| installs after that. The RIS uses single | | | | advanced as other third party applications. |
| instance storage which means that it stores | | | | |
| only one copy of each file when you upload | | | | File Systems: |
| different images on the server. This result's | | | | |
| in saving a lot of space on the server as | | | | As a network administrator you need to know |
| well but this makes another reason the put | | | | the kinds of file systems that are supported |
| this on a dedicated server and once all this | | | | by Windows XP. NTFS is the new file system |
| configured you can put access levels on the | | | | which has a lot more capabilities |
| images to allow users restricted access so | | | | incorporated into it. The FAT file system is |
| that they cannot install any image they like. | | | | the universal file system, which has a lot of |
| End users will boot from the network and boot | | | | limitations which were overcome by FAT32. |
| from the PXE network card or PXE floppy disk | | | | One of the biggest drawbacks was the cluster |
| and it asks them to log on and authenticate | | | | size in FAT, so for e.g. the bigger your |
| themselves to the domain server and then give | | | | drives got the bigger the cluster became so |
| them choices of installation images. In a | | | | for a 1K file you would've used a 32K cluster |
| multi-domain environment the administrators | | | | and ended up wasting 31K space. This becomes |
| will be required to set up these RIS servers | | | | a considerable waste when thinking in terms |
| on each domain. Similar drawbacks exist on | | | | of gigabytes. FAT32 overcame this problem by |
| hardware compatibility. There are limited | | | | introducing a 4K cluster, but still has a lot |
| allowable differences in hardware on the | | | | of limitations. NTFS has a lot of new |
| machines but the HAL's must be identical and | | | | features like compression, encryption and |
| as well the hard drives should be equal or | | | | permissions. Users still using FAT or FAT32 |
| larger in size. PXE book disks will work only | | | | systems on Windows XP can convert to NTFS by |
| on limited NIC cards so laptop users with | | | | running a command from the prompt known as |
| PCMCIA are out of luck. Also remote | | | | convert [driverletter]: /fs:ntfs. However, |
| installation can only be done on C drives and | | | | you cannot convert back to FAT or FAT32. In a |
| segregations on drives don't allow the | | | | case when you convert your boot drive it will |
| service to work. | | | | convert on reboot. A backup is recommended to |
| | | | prevent data loss before running this |
| Installation Troubleshooting: | | | | command. In a case you have already started |
| | | | the process and haven't backed up your data |
| Troubleshooting is always an enemy an | | | | you can jump into registry editor using the |
| administrator has had to face during his | | | | regedit command and look up inside |
| work. Even though Win XP is a quite sturdy | | | | HKEY_LOCAL_MACHINE - system - |
| operating system, there is a slight chance | | | | CurrentControlSet - Control - Session |
| that you will run into problems during | | | | Manager. |
| installation. The first step would be to | | | | |
| check the hardware compatibility and hardware | | | | Inside here you will see boot execute. When |
| health. Most the time the problems I have | | | | you run this you will see the conversion |
| encountered on Win XP have been due to bad | | | | process listed there and you can delete it to |
| hardware. There is no guarantee that devices | | | | stop the conversion process. There are also |
| on Windows 2000 will work on Windows XP. A | | | | other file systems maintenance tasks which |
| first step is to install Windows XP with | | | | most administrators like to do whenever they |
| minimum hardware and then drop in extra | | | | find time for e.g. disk defragmentation. The |
| hardware components after the install. That | | | | new feature in Windows XP is that you can |
| will allow you to isolate the bad or | | | | schedule this defragmentation via the command |
| incompatible piece of hardware. You can also | | | | line. Disk cleanup is also a pretty safe way |
| access the Microsoft's website access the | | | | that deletes cache files and other temp files |
| hardware compatibility listing. You should | | | | stored on your computer. It even tells you of |
| also check if the BIOS is ACPI compatible as | | | | files which you haven't used in a long time. |
| described earlier. | | | | |
| | | | NTFS: |
| User Accounts: | | | | |
| | | | NTFS clearly has a lot of benefits compared |
| Windows XP requires user accounts to operate | | | | to others like FAT and FAT32. NTFS is the |
| on it. It is based on the Windows NT kernel | | | | default choice when you start from scratch. |
| formula. Every user on Windows XP needs a | | | | However, one difference is that formatting |
| user account. A big advantage of having user | | | | NTFS will set file security during |
| accounts is to be able to customize Win XP | | | | installation which you do not get when you |
| according to your environment. Windows XP can | | | | convert from FAT or FAT32. This can be |
| operate in a workgroup environment or an | | | | securing access from critical system files |
| active directory domain. Windows XP also | | | | which was not present in FAT and FAT32. |
| provides us with built in user accounts. The | | | | Microsoft has introduced the quick format |
| most powerful of all is the administrator | | | | option during setup process. NTFS also |
| account and time and time again it has been | | | | introduces file and directory security |
| said to not do day to day tasks logged on as | | | | settings which are very helpful in corporate |
| the administrator. The control machine in | | | | environments. IT also gives us the abilities |
| this case is at a serious threat since the | | | | of quotas, compression and encryption. By |
| only user account present on this machine is | | | | default if the user is not in a domain |
| the administrator account and is not password | | | | environment then the sharing and NTFS |
| protected. This is serious threat since this | | | | permissions are combined into one. Simple |
| user has complete control for e.g. format a | | | | file sharing is turned on in the tools folder |
| drive even by accident. The other account is | | | | option which disables the security tab from |
| the guest account which is open for users to | | | | the properties of a folder or a file. This |
| access the machine but not giving it the | | | | can be turned back on by just disabling |
| power to corrupt or mess with the installed | | | | simple file sharing. Windows XP creates a My |
| programs. A workgroup environment is good for | | | | documents and Shared Documents folder. You |
| a small corporate network but the biggest | | | | can make you My Documents folder private and |
| drawback is the each terminal should have a | | | | even when you place a password on your user |
| user account for that user on that machine, | | | | account then Windows asks you to privatize |
| since Windows XP authenticates user accounts. | | | | your entire files and folders. Shared |
| However, domain environment has a central | | | | Documents enables multiple users to share |
| storage of all accounts which reduces | | | | documents with each other. However, in a |
| overhead and makes it easy to add new | | | | workgroup setting you can only make folder |
| accounts and terminals. In a domain | | | | private in your user account. In order to |
| environment if there is one user account, you | | | | disable this option you as an administrator |
| can use that account to log on to any machine | | | | need to turn off simple file sharing. In a |
| in the local domain. User accounts in a | | | | domain environment this is turned off by |
| workgroup can be maintained through user | | | | default and security tab is available. |
| accounts in the control panel. By default | | | | Permissions granted to a user always add up |
| user accounts in Windows XP does not need a | | | | as most permissible but deny always overrides |
| password but the administrator can change | | | | other permissions. There is also inheritance |
| these default settings. Microsoft has also | | | | which trickles down to the file level which |
| installed a feature known as "prevent | | | | means that file permissions override the |
| forgotten password" where through the | | | | folder permissions. However, you can always |
| administrator account you can create a floppy | | | | block inheritance and override a lower level |
| disk with your password stored on it for | | | | permission with the higher one. Windows XP |
| recovery. However, this floppy disk should be | | | | has also added a feature to view effective |
| safeguarded, since it can be a security loop | | | | permissions on a file. These can be accessed |
| hole to the entire network. In a domain | | | | through the effective permissions tab |
| environment you must log on as a member of | | | | available in the security tab of a file or |
| the administrator's group to create and | | | | folder and by clicking the advanced tab. You |
| delete user accounts. However, in a domain | | | | can select the user or the group you want to |
| environment you have to add domain users to | | | | view permissions on. NTFS utilizes the |
| the local group to grant them access to the | | | | concept of ownership of file where the owner |
| machines in that group using that user | | | | always has full control of the file they |
| account. The concept is a little different, | | | | created; even after they are locked out they |
| since domain user accounts should be granted | | | | can take ownership of the file and give |
| access to a local group and are then able to | | | | themselves access to it. Administrator can |
| log on to any machine in that group using | | | | take ownership of any file available in the |
| that domain account, whereas each computer in | | | | system, but so that this cannot be abused |
| a domain environment can also have local user | | | | they cannot give ownership to someone else, |
| accounts specific to that machine and only | | | | they sure can give them permissions to view |
| accessible through it. | | | | and modify but not ownership. This is a key |
| | | | concept of recovering files when a user has |
| Group Accounts: | | | | left the company or has been locked out from |
| | | | his files. Taking ownership is very easy, |
| Groups are a boon to an administrator in | | | | head to the security tab and click advanced |
| settings permissions. This allows us to take | | | | tab and choose the owner tab and then you can |
| users and combine them to manage resources. | | | | add yourself back. Then you can go ahead and |
| Local groups allow us to set permissions to a | | | | add yourself back into the file permissions |
| group and have it trickle down on to the | | | | to give you back full control. NTFS also |
| members of that group, local groups existing | | | | gives us the ability to compress files on a |
| on each machine that give us this ability. | | | | case by case basis. Compression and |
| Windows XP also gives us some built in groups | | | | decompression happen automatically. |
| like the administrator's group and the users | | | | Compressing folders will also compress files |
| group. Local groups however have authority on | | | | and adding new files to it will also keep the |
| that local machine. Microsoft's management | | | | new files compressed. Windows XP does |
| console allows us to create, delete and | | | | highlight them with different color to mark |
| manage groups. A user can be a member of | | | | them as compressed. Encryption and |
| multiple groups so that allows the user to | | | | compression do not mix well in Windows XP. |
| have a combination of most permissible | | | | You can access encryption and compression |
| abilities. However, deny always overrides an | | | | through the properties and advanced tab and |
| allow so if a user is denied a permission in | | | | choosing between compression and encryption. |
| one group that overrides that permission in | | | | Microsoft uses the EFS (Encrypting File |
| all his member groups. There are several | | | | Systems) for safeguarding files and folders. |
| built in groups like administrator's, backup | | | | Encrypting a folder will encrypt all files |
| operators, guest, network configuration, | | | | inside the folder as well. The key is |
| power users, remote desktop users and help | | | | encryption is stronger than permissions |
| users group. The name pretty much defines | | | | because the data gets scrambled using |
| most of these groups. Most of the members | | | | certificates. This means that user who owns |
| belong to the power users group which gives | | | | that certificates can only access that data. |
| them the opportunity to install applications | | | | There is no longer the security hole where |
| and do day to day tasks. However there are | | | | encrypted file transfer was not possible and |
| some restrictions placed on this group for | | | | data had to be decrypted for the other user |
| e.g. they cannot access other user's files | | | | to read it. Now when you give access to |
| and cannot format hard drives or change user | | | | somebody else for your encrypted files he/she |
| group settings and other user's accounts. | | | | gets a copy of the certificate to decrypt |
| There are also some system groups which are | | | | those files. One drawback is that if you move |
| used by Windows XP itself to perform certain | | | | files into an already encrypted folder it |
| tasks. The operating system handles these | | | | will not be encrypted, however the ones |
| groups and you do not need to manage these | | | | created will be. You can give access to |
| groups. One such group is the "everyone | | | | another user of your encrypted file by adding |
| group" which explains itself of how it | | | | them through the details tab available |
| includes everyone. If you want to give wide | | | | through the properties and advanced tabs. The |
| open access to computer you can grant a user | | | | catch is that the user should've have |
| as a member of the "everyone group". However, | | | | encrypted a file at least once to have a |
| this does include anonymous access so a user | | | | certificate available on the computer. This |
| cannot log on using anonymous access. There | | | | is needed by Windows XP since the first time |
| are also other system groups like | | | | you encrypt a file it issues you an |
| authenticated users which have to proved | | | | encryption certificate. In a domain |
| themselves worthy to log on to the system and | | | | environment you must trust the server for |
creator/owner groups. There are also network and interactive groups which differentiate on the basis of your location. The network group classifies users who log on over the network, whereas interactive users are users who actually sit down at the machine to log on. Creating and managing user groups can be achieved through the Microsoft Management Console. This saves a lot of headache at the domain level, since the domain administrator can create a domain level group in the domain environment. The local administrator can then add that domain level group into the local machine group he just created, and this gives the members of that group immediate access to that machine.

Logging onto Windows:

Logging on to Windows XP differs between a workgroup and a domain environment. Microsoft has finally stepped away from the Ctrl+Alt+Del key combination to log onto Windows. In a workgroup environment the user is greeted with a welcome screen; however, the old style log on can be made compulsory in a workgroup environment by the administrator. In a domain environment the Ctrl+Alt+Del screen is the default and you cannot get away without it. In a workgroup setting you can disable the welcome screen, but this also switches off the fast user switching option. Fast user switching is available only in a workgroup setting and is targeted towards a home environment. It enables multiple users to run their sessions on the same terminal without closing the other person's session, or lets a user log on without logging another user off. This uses the terminal services made available to us by Microsoft. There is at least a 128MB memory requirement for using this service. You can use fast user switching with the Windows key + L, but you require the welcome screen to be switched on for this. You can also see which accounts are currently logged on by using the task manager and switching to the Users tab, which will show you all the users currently logged on and which user is currently active and which are disconnected. Troubleshooting user accounts can be a simple task. Be sure to check that passwords are correct, that Caps Lock is not turned on, and that your account has not been disabled. You can also turn on the guest account as a last resort to have limited access. This can be a security loophole, so most administrators avoid it. In a domain environment XP caches user log on information, so you as an administrator can turn on a feature which prevents a user from logging on if the domain controller is down. You can do this by accessing the security policies from Administrative Tools in the Control Panel. This gives you the option of changing the number of cached logons to zero, which will prevent a user from logging on if the domain controller is down. Changes such as this require the user to be a member of the Administrators group, and these local security policies can also be overridden by policies set at the domain level.

User Profiles:

User profiles in Windows XP give each user the power to maintain his/her own settings. A profile is just a group of files personal to that user plus the HKCU portion of the registry. All the user profiles and the default profile are found in the folder Documents and Settings. However, this is only the case for a clean install of Windows XP; when we upgrade from Windows NT the user profiles are found in the system root directory. Profiles are specific to each machine, so if a user has an account on ten different machines his user profile on each machine will be local and different. The exception in this case is a roaming user profile, where the user roams around from one terminal to another. In this case the user can log on to any machine and his user profile is downloaded to the terminal he sits down at; he can make changes to his/her profile, and when he logs off those changes are saved back through Active Directory. In order to set up this user profile the administrator must create a user account and put a UNC path (Universal Naming Convention, e.g. \\domainname\foldername\%username%) in the Profile tab of the user in Active Directory. However, the trick is to give proper permissions to the directory where the user profiles are saved in order for the user to access his/her profile; otherwise the user will receive a default profile. This profile is also cached locally, so in case the roaming profile is not available or the profile server goes down the user can still log on using the locally stored profile. However, in case the user logs onto multiple terminals, the profile from which he logs off last will be the last profile updated. A profile can also be made a mandatory profile, e.g. in a kiosk environment where you want the user to have the exact same profile whenever he/she logs on. You can do this by going into the user profile and renaming the file ntuser.dat to

delegation in order to encrypt files on the server. You can also use WebDAV for providing secure transport and storage to avoid trust for delegation.

EFS Recovery:

Recovering encrypted data has been made possible since Microsoft's introduction of the DRA, or data recovery agent. This utilizes a special key which is tagged on to every file encrypted. In a domain setting the administrator is by default the data recovery agent, so there is always a back door for recovering encrypted files. In a workgroup environment there is no default data recovery agent, so you need to create one. The key is to create a DRA before any files get encrypted, since you won't be able to recover files which were encrypted before that. The first thing you need to do is access your security policies by heading into the local security policies and then into public key policies, which will show you Encrypting File System. Making a DRA is a little tricky to begin with. Start by opening the command prompt and running the cipher command as follows: cipher /r:[filename]. This command will create your two recovery certificates, one the public key (.cer) and the other the private one (.pfx). It also asks you for a password to protect your private key. Once done, you then right click on Encrypting File System in the local security policy, add a new DRA, and then browse to the recovery file you just created and add that. Now, when any user encrypts a file you will be listed as a data recovery agent. You can also reset the password for another user if he or she forgets it, but this trashes that user's certificate, so he/she will not be able to access files which were encrypted with the previous certificate. This is where the DRA comes as a savior. In order to disable EFS you need to completely remove the encryption policy; it doesn't just go away by removing the DRA. Disabling EFS is done by accessing the Encrypting File System menu in the local security policies, right clicking to go to All Tasks and then selecting Delete Policy. However, turning off EFS is not quite that easy in a workgroup environment. You can find more details about this in recently published Microsoft documents.

Networking Setup and Troubleshooting:

Windows XP is a very powerful operating system which includes a lot of features when it comes to networking. Windows XP is multi-protocol ready and uses NWLink, which is easily configured for simple file sharing. However, it also supports the universal TCP/IP protocol. The advantages are numerous, and there is even a working copy of the new IPv6 protocol for all you network wizards to play around with. NetBEUI support is no longer available as standard, but only as a hidden add-on on the disk. Windows XP also gives us the ability to bridge different media types. The network connections box shows you one entry for each network connection available on your computer. Bridging them can be very easy: just select them all and right-click to select Bridge Connections. You can install other protocols like NetBEUI by clicking Install, choosing "Have Disk" and browsing through the disk to install it. Windows XP has introduced an alternate configuration in the TCP/IP settings, where it kicks into the alternate configuration if the primary one is not obtained. This can be used to store two different connection settings, for home and office, for your laptop or in another applied scenario. Networking with Windows XP is not without its pitfalls. Network troubleshooting in Windows XP begins at a basic level, where the first thing the administrator should do is look whether the cable is plugged in and the lights are blinking. You can then go ahead and type the net config redirector command, which displays the entire current network configuration on your computer. You can even repair a connection by right clicking on the connection you want to fix, and Windows XP then runs a lot of commands under the hood to fix that connection. If this still doesn't work you can then use the command "netsh int ip reset [logfile]". In essence this tears the stack down all the way to the base and rebuilds that TCP/IP connection, in other words reinstalling the connection. You can access the advanced settings by clicking the Advanced tab and then choosing Advanced Settings, which shows you the bindings on that computer. Another command used is IPCONFIG with flags like /all, /renew, /flushdns and /registerdns. Other simple commands used are PING for pinging IP addresses, TRACERT for tracing the route to IP addresses, NBTSTAT -R to empty and reload the name cache, NETSTAT for showing all the incoming and outgoing active connections, and NETSTAT -r which shows you the routing table.

READ 'Pt 2' for more details.
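The cached logon setting described under "Logging onto Windows" lives in the registry as well as in the Local Security Policy GUI. The following PowerShell script is an added example, not code from the article; it reads the value, lets an administrator set it, and reports whether the machine still holds cached domain credentials. The registry key and value name are the standard Winlogon ones; the compliance threshold of zero is an assumption matching the article's recommendation.

```powershell
# Added example (not from the article): inspect and harden the number of domain logons
# Windows keeps cached for use when no domain controller answers. The GUI policy
# "Interactive logon: Number of previous logons to cache" is stored as the REG_SZ value
# CachedLogonsCount under the Winlogon key; Windows' default is 10, valid range 0-50.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # Returns the effective count as an integer; a missing value means the default of 10.
    $item = Get-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 10 }
    return [int]$item.CachedLogonsCount
}

function Set-CachedLogonsCount {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count
    )
    # The value is stored as a string even though it holds a number. Requires an elevated prompt.
    Set-ItemProperty -Path $WinlogonKey -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
}

function Test-CachedLogonsHardened {
    # Reports the current setting against a maximum (assumed default: 0, i.e. nothing cached).
    param([int]$Maximum = 0)
    $current   = Get-CachedLogonsCount
    $compliant = ($current -le $Maximum)
    if ($compliant) {
        $note = 'No domain credentials are cached on this machine; users cannot log on without a domain controller.'
    } else {
        $note = "Up to $current domain users can still log on while no domain controller is reachable."
    }
    [pscustomobject]@{
        CachedLogonsCount = $current
        Compliant         = $compliant
        Note              = $note
    }
}

# Usage:
#   Test-CachedLogonsHardened          # report before the change
#   Set-CachedLogonsCount -Count 0     # apply the article's recommendation
#   Test-CachedLogonsHardened          # confirm
```

Two caveats the article already hints at: a domain Group Policy that sets the same policy wins over this local value at the next policy refresh, and a value of 0 means a laptop taken off the network cannot be logged on to with a domain account at all, so apply it to machines that always have a domain controller in reach.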
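The "User Profiles" section says the trick with roaming profiles is the permissions on the profile directory, and that a kiosk profile is made mandatory by renaming ntuser.dat to ntuser.man. The following PowerShell function is an added example and not the article's own procedure; it creates the per-user folder on a profile share, grants only the user, SYSTEM and Administrators access, sets the user as owner, and optionally converts an already-copied profile into a mandatory one. The share path, domain name and user name are assumptions passed in by the caller.

```powershell
# Added example (not from the article): prepare a per-user roaming profile folder on
# the profile share with a tight ACL, and optionally make it a mandatory profile.
function New-RoamingProfileFolder {
    param(
        [Parameter(Mandatory)][string]$ShareRoot,   # e.g. \\profilesrv\Profiles$  (assumed)
        [Parameter(Mandatory)][string]$Domain,      # e.g. CONTOSO                  (assumed)
        [Parameter(Mandatory)][string]$UserName,    # the account whose profile this is
        [switch]$Mandatory                          # rename ntuser.dat -> ntuser.man
    )
    $path = Join-Path $ShareRoot $UserName
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    $userAccount = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    # A mandatory profile is never written back, so the user only needs to read it;
    # a roaming profile must be writable at logoff.
    if ($Mandatory) { $userRights = 'ReadAndExecute' } else { $userRights = 'FullControl' }

    $acl = Get-Acl -Path $path
    # Stop inheriting the share root's ACL so other users cannot browse this profile.
    $acl.SetAccessRuleProtection($true, $false)
    $entries = @(
        @{ Id = $userAccount;                                                  Rights = $userRights },
        @{ Id = [System.Security.Principal.NTAccount]'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'; Rights = 'FullControl' }
    )
    foreach ($entry in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $entry.Id, $entry.Rights, $inherit, $none, 'Allow')
        $acl.AddAccessRule($rule)
    }
    # Windows XP refuses a roaming profile folder the user does not own unless the policy
    # "Do not check for user ownership of Roaming Profile Folders" is enabled, so hand
    # ownership to the user (needs an elevated session holding the restore privilege).
    $acl.SetOwner($userAccount)
    Set-Acl -Path $path -AclObject $acl

    if ($Mandatory) {
        $hive = Join-Path $path 'ntuser.dat'
        # Only meaningful once a prepared profile has been copied into the folder.
        if (Test-Path $hive) {
            # With ntuser.man Windows discards session changes at logoff, which is
            # exactly what a kiosk profile wants.
            Rename-Item -Path $hive -NewName 'ntuser.man'
        }
    }
    return $path
}

# Usage (paths and names are assumptions):
#   New-RoamingProfileFolder -ShareRoot '\\profilesrv\Profiles$' -Domain 'CONTOSO' -UserName 'kiosk01' -Mandatory
```

The returned path, with the user name replaced by %username%, is what goes into the Profile tab of the account in Active Directory Users and Computers, as the article describes. Without the ACL step the logon still succeeds, but the user silently gets a default profile, which is the symptom the article warns about.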
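The "EFS Recovery" section has the administrator run cipher /r to create the recovery agent certificate and then add the .cer through Local Security Policy. The PowerShell function below is an added example, not the article's code: it wraps that cipher call, restricts the resulting .pfx to administrators, and returns the thumbprint so the agent added in the policy editor can be matched against it. The output directory and base name are assumptions.

```powershell
# Added example (not from the article): create an EFS data recovery agent certificate
# with cipher /r and immediately restrict who can read the private key file (.pfx).
# cipher prompts twice for the password that protects the .pfx.
function New-EfsRecoveryAgentCertificate {
    param(
        [Parameter(Mandatory)][string]$OutputDirectory,  # e.g. C:\DRA        (assumed)
        [string]$BaseName = 'EfsRecoveryAgent'           # file name stem     (assumed)
    )
    if (-not (Test-Path $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory | Out-Null
    }
    $base = Join-Path $OutputDirectory $BaseName

    # cipher /r:<base> writes <base>.cer (public key, the file you browse to when adding
    # the DRA under Public Key Policies > Encrypting File System) and <base>.pfx (the
    # private key that can decrypt every file encrypted after the agent is in place).
    & cipher.exe "/r:$base"
    if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }

    $pfx = "$base.pfx"
    $cer = "$base.cer"

    # Only administrators should be able to read the .pfx; drop inherited ACEs first.
    $acl = Get-Acl -Path $pfx
    $acl.SetAccessRuleProtection($true, $false)
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $pfx -AclObject $acl

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cer)
    [pscustomobject]@{
        PublicCertificate = $cer
        PrivateKeyFile    = $pfx
        Subject           = $cert.Subject
        Thumbprint        = $cert.Thumbprint   # compare with the agent shown in secpol.msc
        NotAfter          = $cert.NotAfter
    }
}

# Usage (directory is an assumption):
#   New-EfsRecoveryAgentCertificate -OutputDirectory 'C:\DRA'
```

The .pfx is the "back door" the article talks about, so after the agent has been added to the policy the usual practice is to move that file to removable media kept offline and delete the local copy; the .cer alone is enough for the policy. Also keep the article's ordering in mind: files encrypted before the agent was published are not covered by it.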
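The troubleshooting steps at the end of "Networking Setup and Troubleshooting" (cable and lights, IPCONFIG, PING, TRACERT, netsh int ip reset) are usually worked through by hand. The following PowerShell function is an added example, not from the article: it runs the same checks in the same order, from the local stack outwards, and attaches the next step the article suggests to each failing stage. It uses WMI so it runs on Windows PowerShell back to version 2.0; the external test host name is an assumption.

```powershell
# Added example (not from the article): staged connectivity check that mirrors the
# order an administrator works through by hand: address, stack, gateway, DNS, name
# resolution, and finally a host beyond the gateway.
function New-CheckResult {
    param([string]$Step, [bool]$Ok, [string]$Detail, [string]$NextAction = '')
    $next = ''
    if (-not $Ok) { $next = $NextAction }
    [pscustomobject]@{ Step = $Step; Ok = $Ok; Detail = $Detail; NextAction = $next }
}

function Test-BasicConnectivity {
    param([string]$ExternalHost = 'www.example.com')   # assumed test target; pass your own
    $results = @()

    # 1. Addressing: an IP-enabled adapter must hold a real (non-APIPA 169.254.x.x) address.
    #    This is what "ipconfig /all" shows; no address points at the cable, link or DHCP.
    $cfgs = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True')
    $live = @($cfgs | Where-Object { $_.IPAddress -and $_.IPAddress[0] -notlike '169.254.*' })
    $addrs = ($live | ForEach-Object { $_.IPAddress[0] }) -join ', '
    $results += New-CheckResult 'IP address assigned' ($live.Count -gt 0) $addrs `
        'Check the cable and link lights, then ipconfig /renew or the Repair option on the connection.'

    # 2. The local TCP/IP stack itself.
    $loop = Test-Connection -ComputerName 127.0.0.1 -Count 1 -Quiet
    $results += New-CheckResult 'Loopback ping' $loop '127.0.0.1' `
        'The stack is damaged: run netsh int ip reset <logfile> and reboot.'

    # 3. Default gateway and DNS server of each live adapter (first entry of each list).
    foreach ($cfg in $live) {
        if ($cfg.DefaultIPGateway) {
            $gw = $cfg.DefaultIPGateway[0]
            $ok = Test-Connection -ComputerName $gw -Count 1 -Quiet
            $results += New-CheckResult 'Gateway ping' $ok $gw `
                'Local segment problem: check the subnet mask and the switch or router port.'
        }
        if ($cfg.DNSServerSearchOrder) {
            $dns = $cfg.DNSServerSearchOrder[0]
            $ok = Test-Connection -ComputerName $dns -Count 1 -Quiet
            $results += New-CheckResult 'DNS server ping' $ok $dns `
                'DNS server unreachable: verify the configured server or the DHCP scope options.'
        }
    }

    # 4. Name resolution, then reachability of a host past the gateway (tracert territory).
    $resolved = $null
    try { $resolved = [System.Net.Dns]::GetHostAddresses($ExternalHost) } catch { }
    $results += New-CheckResult 'Name resolution' ($null -ne $resolved) $ExternalHost `
        'Resolution failed: ipconfig /flushdns, then check the DNS suffix and server list.'
    if ($resolved) {
        $ok = Test-Connection -ComputerName $ExternalHost -Count 1 -Quiet
        $results += New-CheckResult 'External ping' $ok $resolved[0].IPAddressToString `
            'Run tracert to the host to see at which hop the path stops.'
    }
    return $results
}

# Usage:
#   Test-BasicConnectivity | Format-Table -AutoSize
```

Read the table top to bottom and act on the first failing row; everything below it is expected to fail until that is fixed, which is the same discipline the article applies by starting at the cable. On PowerShell 7, where Get-WmiObject is absent, Get-CimInstance accepts the same class name and filter and exposes the same property names.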