Preface
I have written this short preparation guide as a way for myself to ease studying for the Microsoft 70-270 exam titled: "Installing,
configuring and administrating Microsoft Windows XP Professional". I provide this guide as is, without any guarantees, explicit or implied,
as to its contents. You may use the information contained herein in your computer career, however I take no responsibility for any
damages you may incur as a result of following this guide. You may use this document freely and share it with anybody as long as you
provide the whole document in one piece and do not charge any money for it. If you find any mistakes, please feel free to inform me about
them. Tom Kitta. Legal stuff aside, let us start.
FQDN has a limit of 155 bytes for DC in Windows 2000/2003 (255 bytes in NT 4.0)
Computer name has a limit of 63 bytes
Computer name has to be unique on the network
Administrative password
If you have a plug and play modem, you set it up now
Date and time
Network settings
Work group name or domain affiliation
Automated finishing tasks
[1.3] Install options
For clean install/upgrade on computers running win 3.x or DOS (16 bit systems) use winnt.exe
For install/upgrade on computers running 32 bit OS use winnt32.exe
[1.4] After installation
The default network setup is for the Windows XP to be a DHCP client
You need to activate your product within 30 days unless you have corporate licence
After 30 days you will not be able to logon to your PC without activation if you log out or restart your PC (you will still be able to
access your PC in safe mode without network support)
Activation can be done over the phone or online
There are three log files created after installation
%systemdir%\setupact.log - installation actions log
%systemdir%\setuperr.log - errors that occurred during installation
%systemdir%\netsetup.log - network related log (like domain joining)
[1.5] Support for multiboot
Windows XP will configure multiboot automatically if it detects a compatible OS (i.e. a Microsoft OS) and you are using the clean install
option
Do not use dynamic disks or NTFS if the other OS doesn't support it
Windows XP will not be able to read volumes compressed with Windows NT4 compression
[1.6] Joining a domain
You can pre-authorize a computer in the AD
Or, you can enter user name and password of the domain user that has 'Add computers to the domain' permission to add computer
to the AD
[1.7] Laptop special Windows XP features
Credential manager
Clear type
Hot docking
[1.8] Other points
Hardware compatibility list (HCL) http://www.microsoft.com/hcl/ now Windows catalog http://www.microsoft.com/windows/catalog/
If hardware is not found in the Windows catalog you will not get any support from Microsoft
BIOS is preferred with ACPI (Advanced Configuration and Power Interface) functionality, APM (Advanced Power Management) is
the API for ACPI hardware
If you are upgrading from Windows 98/Me check whether there are drivers for your hardware, since 98/Me drivers are VxDs
(virtual device drivers) and don't work on Windows XP
You can upgrade from Windows 98/Me/NT4/NT3.51/2000 Pro (due to a bug win95 will qualify as upgrade media but only for clean
install)
System partition is the location of the files that are needed for Windows XP to boot, very little space, default is the active partition
Boot partition is the location of Windows XP OS (all files)
Note that Microsoft changed the default directory for installation from WINNT to WINDOWS
Installation files are in \I386 directory on the CD
WFP - Windows file protection is used to protect Windows system DLL files from modification, files are stored in
%SystemRoot%\System32\Dllcache
Sfc.exe - scans and verifies the versions of all protected system files when the computer is booting
Dynamic update runs during installation of Windows XP. You can disable it with /dudisable switch of winnt32, /duprepare:pathname
to prepare network share for dynamic update files, /dushare:pathname to specify network share with dynamic update files.
Part 2: Automating installation
Remote Installation Service (RIS) introduced in Windows 2000 - for use with multiple PCs for automatic deploy
Disk imaging (cloning) which uses reference PC - for use with PCs that have similar hardware
Unattended installation - use when you have lots of PCs with network cards that are not PXE-compliant
[2.2] Create answer files with Setup manager
Answer files are automated installation scripts used to answer the questions that appear during a normal Windows XP
Professional installation
Answer files are used with all methods of unattended installations. To create answer files you use Setup manager (setupmgr)
To use setup manager you need to extract it from \support\tools\deploy.cab found on installation CD
There is a sample answer file on the installation CD, unattend.txt
Through answer file you can configure
Mass storage devices
Plug and Play devices
HALs
Set passwords
Configure language, regional, and time zone settings
Display settings
Converting to NTFS
For installing applications you can choose from the following options
Use cmdlines.txt to add applications during GUI portion of the setup
Within answer file configure [GuiRunOnce] section to install an application the first time a user logs on
Create a batch file
Use the Windows installer
Use sysdiff tool to install applications that don't have automated install procedures
[2.3] Using RIS (Remote Installation Service)
You can configure RIS server to distribute 2 types of images:
CD based image
Contains only Windows XP OS
Copies all files to the target PC before commencing installation of the Windows XP OS
Created automatically during installation of RIS
A Remote Installation Preparation (RIPrep) image
Can contain both Windows XP OS and applications
This image is based on a pre-configured computer
Copies only files needed for installation on given PC, thus faster than CD based image which copies everything
Can be deployed to the clients that have the same HAL and HD controller
Must be created manually, not automatic like CD based image
For RIS you need DHCP, DNS and AD configured on your network
RIS server uses Boot information negotiation layer (BINL) for initial contact, then TFTP is used to transfer bootstrap image
RIS and DHCP server need to be authorized in AD, RIS server is authorized through DHCP manager
The following services are run as part of RIS: BINL, SIS, SIS Groveler, TFTP
To configure RIS server use risetup.exe
NTFS is required to store image files, with at least 2Gb free space, on a partition separate from the OS partition
RIS template files are used to specify installation parameters, default file is ristndrd.sif
You need following user rights to install images using RIS
Create Computer accounts
Logon as batch job (Administrator doesn't have this right by default)
For non-PXE network cards use rbfg.exe utility to create RIS boot disk (this utility doesn't support all network cards)
[2.4] Using disk images
Uses a reference computer HD image that needs to be prepared first with sysprep, which needs to be extracted from deploy.cab found on
the installation CD
Source and target computer must satisfy
Both computers must have the same HD controller
Both computers must have the same HAL
Plug and Play devices may not be the same as long as there are drivers for all of them
You will need to extract sysprep utility from the deploy.cab
Sysprep strips user personal data from the installation image
After you copy the installation image to the destination PC a mini wizard runs (unless you have an answer file)
Sysprep modes:
Audit: allows for the verification of hardware and software installation by a system builder while running in factory floor mode.
Audit boots allow a system builder to reboot after factory floor mode has completed its automated pre-install customization, in
order to complete hardware and software installation and verification, if necessary.
Factory: allows for the automated customization of a pre-install on the factory floor by using a Bill of Materials file to automate
software installations, software, and driver updates, updates to the file system, the registry, and INI files such as Sysprep.inf.
This mode is invoked via the "sysprep -factory" command.
Reseal: is run after an original equipment manufacturer (OEM) has run Sysprep in factory mode and is ready to prepare the
computer for delivery to a customer. This mode is invoked via the "sysprep -reseal" command.
Clean: Sysprep will clean the critical device database. The critical device database is a registry listing of devices and services
that have to start in order for Windows XP to boot successfully. Upon setup completion, the devices not physically present in
the system are cleaned out of the database, and the critical devices present are left intact. This mode is invoked via the
"sysprep -clean" command.
[2.5] Unattended installation
With this method you use a distribution server or Windows XP installation CD on it to install Windows XP on target PC
The distribution may have answer file
The target computer must be able to connect to the distribution server over the network (if used)
End user interaction levels:
Fully automated installation
GUI attended installation
Read only installation
Hide pages installation
Provide defaults installation
[2.6] Installing applications with Windows Installer Packages
Microsoft installer (MSI) files - provided by software vendor
Repackaged application (MSI) - do not include native Windows installer packages, used to provide applications that can be
cleanly installed
ZAP files - used when you don't have MSI files and install applications using native setup program
MSP files (modification files) - provide paths to installed Microsoft software, must be assigned to MSI file at deployment
Windows Installer packages work as
Published applications - not advertised, can be installed through Add/Remove programs. They can also be installed through
opening of a document that uses uninstalled published application.
Assigned applications - advertised through programs menu, installed next time user starts the PC, before log on prompt
appears
Please note that Windows Installer packages cannot be published to computers in Windows XP, all other options are OK, i.e. you
can assign applications to computers and assign/publish applications to users
You can create your own MSI files using VERITAS Software Console or WinINSTALL LE Discover
You create GPO for MSI package which is to be published or assigned. If it is for a user, User Configuration\Software Settings
\Software, if it is a computer Computer Configuration\Software Settings\Software
Using AD you can uninstall old application, upgrade on top of old application. Computers can accept only mandatory upgrades,
users support both optional and mandatory upgrades.
If you have multiple versions of the same software, you will need to configure install order and/or whether it is a mandatory install
You need AD to deploy packages which are found on a share on a file server
Msiexec.exe - provides the means to install, modify, and perform operations on Windows Installer from the command line. For
example you can force end user to enter CD key for the software that is being installed
If older applications fail to run on Windows XP due to security issues, use compatws.inf template
Upgrade of Windows 98/Me can be undone using osuninst.exe or through add and remove programs control panel
For upgrade you have a choice of Express upgrade or Custom upgrade
[3.2] Unsupported by upgrade Windows 9x software properties
File system applications
Custom plug and play solutions
Custom power management solutions
Third-party disk compression utilities, defragmenters (Windows NT and 2000 as well)
Partitions compressed with DriveSpace or DoubleSpace are not supported
[3.3] Migrating user data
User state management tool (USMT) is used for migration of users from one computer to another
ScanState.exe - collects user data and settings information based on the configuration of the Migapp.inf, Migsys.inf, Miguser.inf,
sysFiles.inf
LoadState.exe - deposits information collected on the source computer to a PC running copy of Windows XP. Cannot be used on a
computer that was upgraded to Windows XP.
Supports Windows 95/98/Me/2000 to XP
F.A.S.T.
Files and Settings Transfer Wizard (F.A.S.T.) It is one of the least known new features in Windows XP.
Supports all Windows versions from Windows 95 (with IE4) through Windows XP (XP as destination only)
Can be used as a poor man's backup utility, creates backup files that can be stored to HD or CD-RW
Can move user accounts one at a time, good for single users
Local user credentials are compared to the local security database, domain user credentials are checked against Active Directory stored
on a domain controller
When user logs onto the system an access token is created
Local user credentials cannot be used to access network resources
[6.3] Managing users
You manage users through 'Local users and groups' MMC that can be accessed in two ways
Custom MMC
By right clicking on My computer and selecting 'manage'
User account consist of:
Name and password
SID (security identifier) - consists of a domain SID, which is the same for all SIDs created in the domain, and a RID, which is
unique for each SID created in the domain. SIDs are unique in the network.
Can have other attributes, like group membership
User names can be up to 256 bytes (characters) long and must be unique (different than other user names and group names)
User names cannot contain *{}\/:;,=|+?"<> and cannot be made of spaces and periods alone
User names are not case sensitive but passwords are
You can create users using net user
You have following user options:
User name (required field)
Full name (by default same as user name)
Description
Password textbox (up to 127 bytes (characters), 15 for NTLM)
Confirm password textbox
User must change password at next logon checkbox
User cannot change password checkbox
Password never expires checkbox
Account is disabled checkbox
You can set the following user properties
User profile path - stored in 'Documents and settings\%username%' folder, contains user preferences, and file ntuser.dat. In
Windows NT 4.0 the path was \%systemdir%\profiles\%username%
Logon script - files that are run every time user logs into the PC
Home folder - is where users commonly store their personal files and documents
Password reset disk - use when user forgot their password. If you just reset the user password access to encrypted data will be
lost.
Mandatory profiles can only be used with roaming profiles, they don't work with local profiles. Mandatory profiles can only be set up
by an administrator
You can copy profiles using 'User profiles' tab of 'System properties'
UNC path - is in the format \\computer_name\share_name
Renaming an account maintains all group membership, permissions, and privileges of the account. Copying a user account
maintains group membership, permissions, and privileges assigned to its groups, but doing so does not retain permissions
associated with the original user account. Deleting and re-creating an account with the same name loses all group membership and
permissions.
[6.4] Built-in local groups
Administrators - full control over the PC
Backup operators - can only access file system through backup utility
Network configuration operators (new) - network settings
Guests - limited privileges
Power users - can add/remove users, create non-administrative shares, manage printers, start and stop services that are not
started automatically
Remote desktop users (new) - members can logon remotely
Replicator - for directory replication used by domain servers
Users - run programs, print stuff, nothing special
HelpServices (new) - support through Microsoft Help services
[6.5] Special groups
Special groups are used by the system. Membership is automatic based on special criteria. You cannot manage these groups.
Creator Owner - the account that created or took ownership of an object
Part 7: Managing security
[7.1] Policies
Configured through 'Local computer policy' group policy, gpedit.msc MMC
Account policies are used to control logon procedures. If you want to control user after logging on, use local policies
Local policies are made up of
Audit policy - disabled by default
User rights assignment - too many to list here, see explanation underneath
Security options - also too many to list
Local policies are set for all users of the computer, you cannot single users out (you need AD for that)
[7.2] Password policy settings
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Complexity requirement
Store passwords using reversible encryption
[7.3] Account lockout policy
Account lockout duration
Account lockout threshold
Reset account lockout counter after X minutes
[7.4] Enabling auditing for files, folders and printers
You will need to enable auditing for object access policy
And you also need to enable auditing for individual files and folders through NTFS security or through printer security
Auditing data is placed into security log
[7.5] Auditing
Account logon events - success or failure of domain logon
Account management - events such as resetting passwords and modifying user properties
Directory services - any time a user accesses AD an event is generated
Logon events - success or failure of local logon or logon to a share
Object access - file, folder or printer access
Policy change - success or failure of change of security options, user rights, account policies and audit policies. Both domain and
local PC changes are tracked.
Process tracking - useful for applications
System events - system events such as shutting down PC or clearing the logs
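The settings listed in [7.2], [7.3] and [7.5] are what a template exported with secedit /export /cfg shows under [System Access] and [Event Audit]. The Python script below is added here and is not part of the original guide: it parses such an export and flags values below an assumed baseline (the thresholds are my choices; the two template strings are constructed samples, not real exports).

```python
# Constructed sample (abridged to the two sections checked) of what
# "secedit /export /cfg weak.inf" could produce on an unhardened workstation;
# keys the export would also list but that are absent here count as 0.
SAMPLE_WEAK = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
ClearTextPassword = 1
[Event Audit]
AuditLogonEvents = 0
AuditObjectAccess = 0
"""

# Constructed hardened counterpart; the thresholds are assumed baseline choices.
SAMPLE_HARDENED = """[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditAccountLogon = 3
"""

def parse_template(text):
    """Parse the INI-style template into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections

def _int(section, key, default=None):
    # Integer value of a key, or default when the key is absent or non-numeric.
    try:
        return int(section.get(key, default))
    except (TypeError, ValueError):
        return default

# Password policy ([7.2] above): key, value when absent, acceptable?, finding.
PASSWORD_RULES = (
    ("PasswordHistorySize", 0, lambda v: v >= 5, "history below 5 passwords"),
    ("MaximumPasswordAge", -1, lambda v: 0 < v <= 90, "over 90 days or never expires (-1)"),
    ("MinimumPasswordAge", 0, lambda v: v >= 1, "old password can be reused at once"),
    ("MinimumPasswordLength", 0, lambda v: v >= 8, "length below 8"),
    ("PasswordComplexity", 0, lambda v: v == 1, "complexity requirement disabled"),
    ("ClearTextPassword", 0, lambda v: v == 0, "reversible encryption enabled"),
)

# Audit policy ([7.5] above): 0 none, 1 success, 2 failure, 3 both.
AUDIT_WANTED = {"AuditAccountLogon": 3, "AuditLogonEvents": 3, "AuditAccountManage": 3,
                "AuditPolicyChange": 3, "AuditSystemEvents": 3, "AuditObjectAccess": 2}

def check_lockout(access):
    """Account lockout policy ([7.3] above)."""
    bad = _int(access, "LockoutBadCount", 0)
    if bad == 0:
        return ["LockoutBadCount = 0: accounts never lock out"]
    findings = [] if bad <= 10 else [f"LockoutBadCount = {bad}: threshold above 10"]
    # secedit writes these two keys only when a threshold is set; -1 means
    # "locked until an administrator unlocks the account".
    for key in ("LockoutDuration", "ResetLockoutCount"):
        val = _int(access, key)
        if val is None or (val != -1 and val < 15):
            findings.append(f"{key} = {val}: missing or under 15 minutes")
    return findings

def audit_template(text):
    """Return a list of findings; an empty list means every check passed."""
    sections = parse_template(text)
    access, audit = sections.get("System Access", {}), sections.get("Event Audit", {})
    findings = [f"{k} = {_int(access, k, d)}: {msg}"
                for k, d, ok, msg in PASSWORD_RULES if not ok(_int(access, k, d))]
    findings += check_lockout(access)
    findings += [f"{k} = {_int(audit, k, 0)}: want at least {w}"
                 for k, w in AUDIT_WANTED.items() if _int(audit, k, 0) & w != w]
    return findings
```

Run audit_template() on the text of a real export to get the list of findings; the hardened sample is what a clean result looks like.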
[7.6] User rights
Administrators can assign specific rights to group accounts or to individual user accounts. If a user is a member of multiple groups,
the user's rights are cumulative, which means that the user has more than one set of rights. The only time that rights assigned to
one group might conflict with those assigned to another is in the case of certain logon rights.
There are too many user rights to list
Part 8: Managing disks
Using the signature() syntax instructs Ntldr to locate the drive whose disk signature matches the value in the parentheses, no
matter which SCSI controller number the drive is connected to
The signature() value is extracted from the physical disk's Master Boot Record (MBR)
[8.4] Easy way to memorize ARC
There are 5 letters in the word 'Multi' and 5 letters in the word 'Rdisk'
There are 4 letters in the word 'SCSI' and 4 letters in the word 'Disk'
'SCSI' works together with 'Disk' while 'Multi' works together with 'Rdisk'
When system uses Multi(x) it uses BIOS INT-13 Extensions, so on board BIOS has to be enabled
[8.5] Disk Management MMC snap-in
To activate: start -> all programs -> administrative tools -> computer management -> disk management tree node
Another way is to r-click on My computer and select 'manage' from the list
Finally you can just create a custom MMC snap in
Using disk management, among other things, you can:
Initialize new disks
Create new volumes and partitions
If you r-click and select properties -> general tab you can see location heading with a number. That number is the ARC number of
the HD.
If you need a disk formatted in FAT or FAT32 you cannot do it from disk manager, you need to use: format x: /fs:FAT32
Note: Windows can format FAT32 disks up to a maximum of 32Gb but can read higher capacity drives
DiskPart.exe - you can create scripts to automate tasks, such as creating volumes or converting disks to dynamic.
Fsutil.exe - perform many NTFS file system related tasks, such as managing disk quotas, dismounting a volume, or querying
volume information.
Mountvol.exe to mount a volume at an NTFS folder or unmount the volume from the NTFS folder.
[8.6] Remote management
Computer management is not just for the local machine, you can also manage other PCs, to activate r-click on computer
management (local) and select 'connect to another pc'
By default Domain Admins are part of the local administrators group and you need these rights to connect to and administer remote PCs
If you cannot access Device Manager from the Computer Management extension snap-ins on a remote computer, ensure that the
Remote Registry service is started on the remote computer.
Computer Management does not support remote access to computers that are running Windows 95.
In remote management 'Device Manager' is in read only mode
[8.7] Basic Disks
Primary partition is the only one that is bootable and there is a maximum of 4 primary partitions
Extended partitions are not bootable
Logical drives are created in extended partitions. There are no limits as to the number of logical drives each extended partition
may have.
Primary partitions and logical drives are assigned drive letters
Basic Disk FAT is located on the first sector of the hard disk; space is shared with the MBR
[8.8] Dynamic disks
Fault tolerance better than basic disks, due to multiple storage places for information. 1Mb database is placed at the end of each
physical hard disk containing information about all dynamic disk located in this particular system, this creates multiple storage
spaces of the same data.
Can be one of the following:
Simple volume:
Single disk
No fault tolerance
Can be NTFS or FAT
Spanned volume:
maximum of 32 disks
Cannot extend spanned volumes, need to delete and recreate
No fault tolerance
Mirror volume:
Also known as RAID 1
Windows XP Pro does not support mirror volumes
Can be NTFS or FAT
Fault tolerance, data is the same on both disks
To replace the failed mirror in a mirrored volume, right-click the failed mirror and then click Remove Mirror, and then
right-click the other volume and click Add Mirror to create a new mirror on another disk
Variation of mirroring called duplexing uses HD connected to different controllers for even more fault tolerance
Striped volume:
Also known as RAID 0
Maximum of 32 disks
Breaks data into 64Kb chunks for writing to different disks that make up the stripe
It is recommended to use the same type of hard drive for all member drives
Windows XP cannot be installed on software RAID 0
You cannot extend striped volume, need to recreate it
No fault tolerance
RAID 5:
Made up of three disks with each storing parity information
Fault tolerance when one disk fails
Maximum of 32 disks, minimum of 3
Not available in Windows XP professional
To replace the failed disk region in a RAID-5 volume, right-click the RAID-5 volume and then click Repair Volume
Only in Windows XP Professional, Windows 2000 Professional and Windows 2003 server (all editions) you can use dynamic disks
Note: if disk fails for which ARC path is in boot.ini system will not boot. You should have a disk with modified boot.ini
Mounted volumes - can mount HD as a NTFS folder
Uninstall disks prior to moving them, Re-scan disk when you attach it
Dynamic disks can be re-configured without re-boot
When your boot disk is also a dynamic disk, then you will not be able to dual boot into OS that is not dynamic disk capable
Dynamic disks are not supported on laptops due to lack of advantage over basic disks in this scenario
Dynamic disk partition table types:
dynamic GUID partition table (GPT) disks, for 64bit editions of Windows
dynamic MBR disks, for 32 and 64bit editions of Windows
The Foreign status occurs when you move a dynamic disk to the local computer from another computer
You can have a maximum of 2000 volumes on a dynamic disk, recommended maximum is 32
Volumes created after the 26th drive letter has been used must be accessed using volume mount points
Hard drives that are connected to the PC using USB or IEEE 1394 cannot be converted to dynamic volumes
Extending simple volume:
Similar to spanned volume but uses the same physical HD with simple volume
You can extend a simple volume only if it does not have a file system or if it is formatted using the NTFS file system. You also
need free space on HD and the volume could not have been originally a basic disk partition.
You cannot extend volumes formatted using FAT or FAT32
You cannot extend a system volume, boot volume, striped volume, mirrored volume, or RAID-5 volume
[8.9] Volume status descriptions
Failed - basic or dynamic volume cannot be started automatically or the disk is damaged
Failed Redundancy - data on a mirrored or RAID-5 volume is no longer fault tolerant because one of the underlying disks is not
online, has substatus information
Formatting - occurs only while a volume is being formatted with a file system
Healthy - normal volume status on both basic and dynamic volumes, no known problems, has substatus information
Regenerating - occurs when a missing disk in a RAID-5 volume is reactivated
Resynching - occurs when creating a mirror or restarting a computer with a mirrored volume
Unknown - occurs when the boot sector for the volume is corrupted
Data Incomplete - displayed in the Foreign Disk Volumes dialog box, and occurs when data spans multiple disks, but not all of the
disks were moved.
Data Not Redundant - displayed in the Foreign Disk Volumes dialog box when you import all but one of the disks in a mirrored or
RAID-5 volume
Stale Data - displayed in the Foreign Disk Volumes dialog box, and occurs when a mirrored or RAID-5 volume has stale mirror
information, stale parity information, or I/O errors
[8.10] Converting to dynamic disk and back to basic disk
If you convert a boot disk, or if a volume or partition is in use on the disk you attempt to convert, you must restart the computer for
the conversion to succeed.
The conversion may fail if you change the disk layout of a disk to be converted or if the disk has I/O errors during the conversion.
After you convert a basic disk into a dynamic disk, any existing partitions on the basic disk become (dynamic) simple volumes.
If you are using shadow copies and they are stored on a different disk than the original, you must first dismount and take offline the
volume containing the original files before you convert the disk containing shadow copies to a dynamic disk.
If you are converting disks from dynamic to basic, the disk being converted must not have any volumes on it nor contain any data
before you can change it back to a basic disk. If you want to keep your data, back it up before you convert the disk to a basic disk.
[8.11] Disk quotas
Disk quota applies to everyone using the volume except administrators
Remember that every user needs a few Mb (min 2) for storage of the profile, which is needed for logging in
Quota entry can be created per user but not per group, only volumes and users have quota entries
Quota limit is calculated using the uncompressed file size, thus compressing files will not create more space
The default quota entry is for all users of given volume. You can add additional quota entries on per user basis only.
Once again, quota entries are per user per volume, no groups are allowed.
Remember that once a user uses a volume with quota set on it an entry is automatically added. Thus, if you had a general entry for
all users and later on some users run out of space and need more you modify quota entries not add new ones.
Disk quota is only applied to the files that are being added after the quota entry got created, it doesn't apply to files that were already
there
Each file can contain up to 64kb of metadata that is not applied towards users quota limit
Fsutil is used to manage quota from command line
To free some space run disk cleanup, from command prompt: cleanmgr.exe (note it doesn't clear internet temporary files)
[8.12] Defragmenting
You will need at least 15% of free HD space in order to defragment
You may need to repeat the process several times in order to achieve planned results
Defragmenting should be done on every volume every 1 to 2 months
You cannot schedule defragmenting task (unless you use custom scripts)
Windows defragmenter works with FAT16, FAT32 and NTFS
On modern computer systems that use NTFS and don't use the file system extensively (desktops) the benefits of defragmenting a
hard drive are measurable but not noticeable for the end user. Thus defragmenting is only a significant performance tool for file
servers.
[8.13] Encryption:
Only users who created the files, users whom owner gave access to view the file (new in Windows XP, additional users need to
already be issued certificates) and recovery agents can decrypt the file
When moving encrypted file from one volume to another volume, it stays encrypted. When copying file it also stays encrypted. This
behaviour is unique for encryption!
Note that a user who has NTFS permissions to an encrypted file can delete that file, even if he/she cannot view that file. They can
also move the file around on the same NTFS volume (a different volume would mean a copy operation and possible decryption).
Cannot encrypt and compress at the same time (due to encryption process using pseudo random salt which cannot be further
compressed due to its nature)
You can zip 1st using winzip or other 3rd party compression tool, then encrypt to get encrypted and compressed file
Executable file cipher.exe is a command line encryption utility
By default, the recovery agent is the Administrator account on the 1st DC, there is no default for stand alone server/workstation
For encryption property, moving/copying a file to a FAT system decrypts file without warning
It is recommended to store recovery agent certificate on a floppy disk in secured location. It is also recommended to copy their file
to be recovered to the recovery agent PC where it will be recovered.
User needs correct certificate to perform action on a file that would result in that file being decrypted
[8.14] How EFS (encrypted file system) works
When the user chooses to encrypt a file, a file encryption key is generated
This encryption key, together with encryption algorithm is used to encrypt the contents of the file
The file encryption key is encrypted itself using user's public key and stored together with the encrypted file. The file encryption key
is also protected by the public key of each additional EFS user that has been authorized to decrypt the file and each recovery agent.
File can only be decrypted by using user's private key, by using private key of users given permission to view the file and private
key of recovery agent
Private/public pair is created using user's certificate
On stand alone machines user's certificate is created the 1st time he or she tries to encrypt a file
For domain user certificate is issued by the certification authority - user needs permission to get a certificate
Files marked with the System attribute cannot be encrypted, nor can files in the systemroot directory structure.
Before users can encrypt or decrypt files and folders that reside on a remote server, an administrator must designate the remote
server as trusted for delegation.
If you open the encrypted file over the network, the data that is transmitted over the network by this process is not encrypted.
Users can use EFS remotely only when both computers are members of the same Windows Server 2003 family forest
Encrypted files are not accessible from Macintosh clients
Encrypting File System (EFS) no longer requires a recovery agent
[8.15] Compression (NTFS)
When you compress a whole folder:
All files are compressed automatically when added but not current folder occupants
OR
Compression can also be applied to current files and subfolders
Decompression is a reverse process of compression
Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
When you copy a file, no matter whether it is on the same volume or not, the destination file will inherit the destination folder's
permissions
When you move a file on the same volume, it keeps its original permissions. When you move a file to another volume, the move is
treated as a copy operation and the file permissions are inherited from the destination folder.
All file attributes behave in the same way with the exception of encryption
File compression is supported only on NTFS volumes with cluster sizes 4 KB and smaller
For the command line use compact.exe; it can display and modify compression attributes but works only on NTFS
A Deny right takes precedence over an Allow right in the group and user security context. This is true even for the Administrator and the
object owner.
[9.4] General NTFS permissions for files
Read
List file attributes
Read data in the file
Read permissions
Write
Change file attributes
Create new files and write data to files
Append data to files
Read and execute = 'Read' + execute file permission
Modify = 'Read and Execute' + 'Write' + delete permission
Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.5] General NTFS permissions for folders
Read
List folder attributes
List folder
Read permissions
Write
Change folder attributes
Create folders
Read and execute
Modify = 'Read and Execute' + 'Write' + delete permission
List folder contents (folder-only permission)
Traverse folders
List the contents of a folder
See folder or file attributes
Full control = all of above permissions + 'Change Permissions' permission + 'Take Ownership' permission
[9.6] Share permissions
Only applicable for folders, no share permissions for files
Read = read file data, file names and subfolder names + execute (default assigned to everyone group)
Change = read permission + delete files and subfolders + write
Full control = all of above permissions + change of share permissions right only
Share permissions do not apply to users that are logged into the OS interactively (i.e. locally)
NTFS general permissions always apply, even through a share, i.e. a user needs both read permissions (share and NTFS) in order to access a
file over the network
Use NTFS permissions to tighten security
To add a share from the command prompt: net share share_name=drive:path
To delete a share from the command prompt: net share share_name /delete
To connect to a share from the command prompt use: net use \\computer_name\share_name
When a share name ends in $ it is hidden and cannot be browsed to; the full name needs to be typed in
Share permissions are not included in a backup or restore of a data volume
Share permissions do not replicate through the File Replication service
When both NTFS and share permissions are applied to a resource the system looks at the effective permissions for NTFS and
share permissions and applies to the object the most restrictive set of cumulative permissions
By default, simple file sharing is enabled in Windows XP if you are not connected to a domain. Therefore, the Security tab and the
advanced options for permissions are not available. In Windows XP Home Edition you have to use simple file sharing.
You cannot disable simple file sharing in Microsoft Windows XP Home Edition; in Windows XP Professional you use Folder Options to
disable simple file sharing
[9.7] Explicit permissions and inherited permissions for files and folders
There are two types of permissions: explicit permissions and inherited permissions.
Explicit permissions are those that are set by default when the object is created, or by user action.
Inherited permissions are those that are propagated to an object from a parent object. Inherited permissions ease the task of
managing permissions and ensure consistency of permissions among all objects within a given container.
Explicit permissions take precedence over inherited permissions, even inherited Deny permissions. This has nothing to do with user
and group security context.
[9.8] Inherited permissions (file and folders)
All files and folders inherit their permissions from the parent folder by default
There are three ways to make changes to inherited permissions:
Make the changes to the parent folder, and then the file or folder will inherit these permissions. Remember this is not related
to user and group security!
Select the opposite permission (Allow or Deny) to override the inherited permission.
Clear the 'Allow inheritable permissions from the parent to propagate to this object and all child objects. Include these with
entries explicitly defined here' check box. You can then make changes to the permissions or remove the user or group from
the permissions list. However, the file or folder will no longer inherit permissions from the parent folder. You will be presented with
a confirmation dialog that has these options:
You can 'copy' permission entries making all entries explicit (convert inherited entries into explicit)
Or you can remove all inherited permissions and keep only the current explicit permissions
You cannot change parent permissions inside a child object - they show as grayed out if inheritance is on.
If the object is inheriting conflicting settings from different parents then the setting inherited from the parent closest to the object in
the subtree will have precedence.
Only inheritable permissions are inherited by child objects. When setting permissions on the parent object, you can decide whether
folders or subfolders can inherit them with Apply onto.
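Added example (not from the guide) that models the evaluation rules of sections 9.6 to 9.8 in Python: the ACL is walked in canonical order (explicit entries before inherited ones, Deny before Allow within each tier), and for network access the result is combined with the share permissions so that the most restrictive set wins. The users, groups and ACL entries are constructed.

```python
# Added example (not from the guide): a model of how Windows evaluates a DACL
# and then combines the result with share permissions. All names and ACLs are constructed.
from dataclasses import dataclass

# Rights granted by each general permission (guide sections 9.4 to 9.6).
NTFS_GENERAL = {
    "Read": {"read"},
    "Write": {"write"},
    "Read and execute": {"read", "execute"},
    "Modify": {"read", "execute", "write", "delete"},
    "Full control": {"read", "execute", "write", "delete",
                     "change_permissions", "take_ownership"},
}
SHARE_GENERAL = {
    "Read": {"read", "execute"},
    "Change": {"read", "execute", "write", "delete"},
    "Full control": {"read", "execute", "write", "delete", "change_permissions"},
}

@dataclass(frozen=True)
class Ace:
    trustee: str             # user or group name
    allow: bool              # False means a Deny entry
    rights: frozenset
    inherited: bool = False  # True when propagated from the parent folder

def ace(trustee, allow, general, table, inherited=False):
    return Ace(trustee, allow, frozenset(table[general]), inherited)

def access_check(aces, names, requested):
    """Walk the ACL in canonical order (explicit before inherited, Deny before Allow);
    succeed once every requested right is granted, fail on the first Deny of an outstanding right."""
    granted = set()
    for a in sorted(aces, key=lambda a: (a.inherited, a.allow)):
        outstanding = requested - granted
        if not outstanding:
            break
        if a.trustee not in names:
            continue
        if not a.allow and a.rights & outstanding:
            return False
        if a.allow:
            granted |= a.rights & requested
    return requested <= granted

def effective_access(requested, user, groups, ntfs_acl, share_acl, via_network):
    """Locally only the NTFS ACL counts; over the network both the share and
    the NTFS ACL must allow the request (the most restrictive set wins)."""
    names = {user, "Everyone", *groups}
    if not access_check(ntfs_acl, names, requested):
        return False
    return not via_network or access_check(share_acl, names, requested)

# Constructed scenario: share left at the XP SP1 default (Everyone: Read); the file inherits
# Users Read/execute and Users Deny Write, alice has explicit Modify, carol's group explicit Deny Write.
SHARE_ACL = [ace("Everyone", True, "Read", SHARE_GENERAL)]
FILE_ACL = [
    ace("Users", True, "Read and execute", NTFS_GENERAL, inherited=True),
    ace("Users", False, "Write", NTFS_GENERAL, inherited=True),
    ace("alice", True, "Modify", NTFS_GENERAL),
    ace("carol", True, "Full control", NTFS_GENERAL),
    ace("Contractors", False, "Write", NTFS_GENERAL),
]

def permission_demo():
    def chk(right, user, groups, net):
        return effective_access({right}, user, groups, FILE_ACL, SHARE_ACL, net)
    return {
        "alice_local_write": chk("write", "alice", ["Users"], False),    # explicit Allow beats inherited Deny
        "alice_network_write": chk("write", "alice", ["Users"], True),   # Read-only share is more restrictive
        "bob_local_write": chk("write", "bob", ["Users"], False),        # inherited Deny applies
        "bob_network_read": chk("read", "bob", ["Users"], True),
        "carol_local_write": chk("write", "carol", ["Contractors"], False),  # group Deny beats user Allow
    }
```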
[9.9] Special shares
<drive letter>$ - shared resource that enables administrators to connect to the root directory of a drive
ADMIN$ - resource that is used during remote administration of a computer. The path of this resource is always the path to the
system root (e.g. c:\windows)
IPC$ - resource that shares the named pipes that are essential for communication between programs. You use IPC$ during remote
administration of a computer and when you view a computer's shared resources. You cannot delete this resource.
NETLOGON - required resource that is used on domain controllers
SYSVOL - required resource that is used on domain controllers
PRINT$ - resource that is used during remote administration of printers
FAX$ - shared folder on a server that is used by fax clients in the process of sending a fax
You cannot browse to $ shares (cannot see them in Explorer)
[9.10] Moving and copying of files
Moving a file on the same volume means that the file location is moved in MFT only, not the physical file itself.
When you copy a file, whether or not it stays on the same volume, the destination file inherits the destination folder's
permissions (destination folder and file permissions will be the same)
When you move a file on the same volume, it keeps all of its original permissions, both explicit and those inherited from the original folder.
Assign the following names: call the file F, the new folder A and the original folder B. When you move F from B to A and then
make some permission changes on folder A, they will be inherited by the file F (unless inheritance is blocked on F), and the old inherited
permissions (the ones from folder B) will be removed. However, the file F will keep all of its explicit permissions, which is different from
the copy operation, where explicit permissions are removed after the copy.
When you move a file to another volume, the move is treated as a copy operation. The file permissions are inherited from the
destination folder in the same way permissions are inherited in a regular copy operation.
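Added example (not from the guide) that plays through the F, A and B scenario above in Python: a same-volume move keeps both explicit and inherited entries until the new parent re-propagates, a copy keeps only what the destination propagates, and a cross-volume move behaves like the copy. The folders, file and entries are constructed.

```python
# Added example (not from the guide): a model of what happens to a file's
# explicit and inherited NTFS entries on copy, same-volume move and
# cross-volume move. Folders, files and entries are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Entry:
    trustee: str
    permission: str
    inherited: bool = False

@dataclass
class Folder:
    name: str
    volume: str
    inheritable: list        # entries the folder propagates to its children

@dataclass
class File:
    name: str
    volume: str
    entries: list = field(default_factory=list)
    block_inheritance: bool = False

def propagate(folder, f):
    """Re-apply the parent's inheritable entries to f, as happens when the
    parent's permissions are changed: old inherited entries go, explicit ones stay."""
    if f.block_inheritance:
        return
    f.entries = [e for e in f.entries if not e.inherited] + [
        Entry(e.trustee, e.permission, inherited=True) for e in folder.inheritable]

def copy_file(f, dest):
    """A copy is a new object: it gets only what the destination folder propagates."""
    new = File(f.name, dest.volume)
    propagate(dest, new)
    return new

def move_file(f, dest):
    """Same volume: only the MFT entry changes and the ACL travels untouched.
    Another volume: the move is a copy followed by a delete of the original."""
    if f.volume != dest.volume:
        return copy_file(f, dest)
    return f

def acl(f):
    return sorted((e.trustee, e.permission, e.inherited) for e in f.entries)

def move_copy_demo():
    b = Folder("B", "C:", [Entry("Users", "Read")])
    a = Folder("A", "C:", [Entry("Staff", "Modify")])
    d = Folder("D", "D:", [Entry("Backup", "Read")])
    f = File("F", "C:", [Entry("alice", "Modify")])   # explicit entry set by hand
    propagate(b, f)                  # F starts life inside folder B
    moved = move_file(f, a)          # same volume: explicit + B's inherited entries
    after_move = acl(moved)
    propagate(a, moved)              # permissions changed on A: B's entries replaced
    after_change = acl(moved)
    copied = copy_file(moved, a)     # copy: the explicit entry is dropped
    cross = move_file(moved, d)      # other volume: behaves like the copy
    return {"after_move": after_move, "after_change": after_change,
            "copy": acl(copied), "cross_volume_move": acl(cross)}
```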
[9.11] Other points
Groups or users granted Full Control on a folder can delete any files in that folder regardless of the permissions protecting the file
Every general permission has 'Synchronize' permission
Read attributes permission includes 'Read Extended Attributes' permission
The Everyone group is no longer granted Full Control by default on shares, only Read access (as of Service Pack 1; the original release granted
full access)
The Anonymous Logon security group has been removed from the Everyone security group
Windows XP and 2000 need the client software twcli32.msi installed to take advantage of the Volume Shadow Copy Service (VSS) that
runs on Windows Server 2003 computers
You can use the UNIX (LPR) protocol; for this you will need to add an LPR port. LPR is included in Print Services for UNIX, which is
installed as a separate component of Windows XP
You can also have print services for Macintosh and for NetWare
Whenever you hear anything that deals with: LPR, LPD, LPQ think UNIX
You can set printer priority (1-99) as well as printer availability (the hours during which the printer is available) for
different user groups, and also access to the print device itself for different user groups and individual users.
For example, to use different print priorities for two groups you need to set up two print devices, restrict their use and set the priority on
them
If you want to know printer utilization track print queue object in system monitor
%systemdir%\system32\spool\printers\ is the default location of the spool folder. You should change it if your server serves
many printers.
A port is defined as the interface that allows the PC to communicate with the print device
Print.exe - sends a text file to a printer
Net print - displays information about a specified printer queue, displays information about a specified print job, or controls a
specified print job
Bidirectional support - option on the Ports tab that allows the printer to communicate with the computer, for example to report print errors
[11.5] Spooling
Spooling is the process of saving the jobs to disk in a queue before they are sent to the print device
You have the option of:
Start printing after the last page is spooled - small jobs that enter the queue after large jobs may print before large jobs
finish spooling
Start printing immediately - strict order of entry into the queue determines who gets printed first
Print directly to the printer - good for troubleshooting the print device
You can change the location of the print spooler
[11.6] Print processor
There are 5 print processors in Windows XP
RAW - makes no change to the job
RAW (FF appended) - always adds form feed character
RAW (FF auto) - tries to determine whether a form feed character needs to be added
NT EMF - for use with other Windows XP clients; multiple versions exist
TEXT - interprets all data as plain text
[11.7] Printer Pooling
One printer, multiple print devices
Think of it as load balancing for printers, used in larger enterprises
You need to use the same driver for all print devices that are members of the pool. Many newer print devices will work with an older driver;
use the newest driver available for the oldest printer.
It is enabled with a check box found at the bottom of the ports tab
When one print device fails the print job gets redirected to another print device in the pool
[11.8] Redirecting print jobs
You can redirect print jobs provided both printers use the same driver
When a user has placed into a queue a request to print a document on a print device which failed BEFORE printing
commenced, you can redirect printing to another printer
To redirect print jobs, select the print device you want the jobs redirected from
If the new printer is on this print server, just select the new port to which the new printer is attached; otherwise:
Click on the 'Ports' tab
Click on 'Add Port', select local printer and click on 'New Port'
Type in the UNC share name of the printer you want the job redirected to, in the format \\other_print_server\share_name
Check the check box next to the port you just created
[11.9] Separator pages
Separator pages are used in multi-user environments; sample files are found in the %systemroot%\system32\ folder with the .sep extension
Pcl.sep - used to send a separator page on printers supporting PCL (Printer Control Language), which is a common standard
Pscript.sep - doesn't send a separator page but switches the computer to PostScript printing mode
Sysprint.sep - used by PostScript printers to send separator pages
Sysprintj.sep - same as sysprint.sep but with support for Japanese characters
[11.10] Managing printers
To manage a printer, right-click it; you have the following options:
SPAP (Shiva Password Authentication Protocol) - less secure than CHAP or MS-CHAP, no encryption of connection data
EAP-TLS (Extensible Authentication Protocol - Transport Level Security) - certificate-based authentication (EAP) used with
smart cards; both authentication and connection data are encrypted; not supported on standalone servers, only in domains.
EAP-MD5 CHAP (Extensible Authentication Protocol - Message Digest 5 Challenge Handshake Authentication Protocol) -
this is a version of CHAP that was ported to the EAP framework. Encrypts only the authentication data, not the connection data, the same
as CHAP.
Unauthenticated access - connections without credentials, good for testing
[12.3] Using Virtual Private Networking (VPN)
Data sent over the VPN is encrypted; for a VPN you just need access to a network, while for RAS you need to dial in
VPN supports
Single inbound connections
Tunneling protocols
Callback security
Multilink support (chaining of multiple modems)
PPTP (Point-to-Point Tunneling Protocol) - built-in encryption for IP or IPX protocols inside PPP datagrams; requires IP
connectivity between your computer and the server
L2TP (Layer Two Tunneling Protocol) - Windows XP implementation of L2TP is designed to run natively over IP networks only,
does not support native tunneling over X.25, Frame Relay, or ATM networks. Uses IPsec and certificates for security.
[12.4] Using Internet Connection Sharing (ICS)
Internet Connection Sharing (ICS) allows you to connect a small network to the internet through a single connection
The Internet Connection Sharing server is assigned the address 192.168.0.1 and its simple DHCP server assigns addresses in the range
192.168.0.2 - 192.168.0.254 to all client computers
You can specify which protocols and ports are to be shared, for example HTTP on port 80
You configure connection sharing using Network and Internet Connections from Control Panel, on the Advanced tab
[12.5] Managing IE settings
Security zones
Internet
Local intranet
Trusted sites
Restricted sites
Content
Content Advisor - you can limit what is accessed based on language, nudity, sex and violence
Certificates
Personal information - you can configure AutoComplete and Microsoft Profile Assistant
Connections - how you connect to the internet, any connection
Programs - the programs associated with different internet services: HTML editor, e-mail, newsgroups, internet call, calendar and contact list
The Advanced tab has too many options to list
You can print to an internet printer if the print server has IIS and supports internet printing
Internet printing uses the Internet Printing Protocol (IPP)
To install an internet printer, start the 'Add Printer Wizard', choose network printer and type as the address http://computername/printers/
share_name/.printer
You can connect through a web browser to a print server by browsing to http://print_server/printers if it is allowed and the print server has
IIS installed
To connect using IE to an ftp server that requires a user name and password, use: ftp://user_name:password@ftp.company.com;
otherwise IE will ask you to enter your credentials.
[12.6] Internet connection firewall
ICF is a stateful firewall
Configured from Network Connections -> the connection you wish to firewall -> Properties -> Advanced tab
You can log dropped packets and successful connections
You can choose a service that is already listed (like port 80, IIS) or add your own
Don't confuse this with IP packet filtering, which is set for all connections at once.
[12.7] Other points
PPP - Point-to-Point Protocol that provides advanced features (like IPX, NetBEUI and TCP/IP, and encrypted authentication if
configured) not found in the Serial Line Internet Protocol (SLIP)
[14.1] Overview
Document everything in your plan, test your plan
Possess a 'recovery toolkit' with things like backup utilities, system utilities, etc.
Make sure you back up:
User data
Critical system files
Critical applications
Recovery point - how much data can we lose? Most medium-size companies are OK with losing up to 24h, thus a daily backup is
OK.
Time frame for recovery - how long does it take to recover the affected systems
Hot sites are the ultimate backup solution for server farms (a hot site can take on all functions of the current site, is kept synchronized
and is in a different physical location)
Backup files have the .bkf extension
When files are backed up they retain all of their original attributes, including encryption
File attributes are lost when you restore a backup to a FAT volume
[14.2] Windows XP boot sequence
Preboot sequence
The power-on self test (POST) runs when the PC is turned on and the system configures its hardware
The Master Boot Record (MBR), to which the BIOS points, is loaded
The MBR points to the active partition, which in turn is used to specify which partition should be used to boot the OS
NTLDR is used to start the Windows XP boot process
Boot sequence
NTLDR switches the processor from real mode to 32-bit flat memory mode and starts the mini file system drivers which support
PC file systems
Operating system selection with BOOT.INI occurs; for an OS other than Windows XP the file BOOTSECT.DOS is used
NTDETECT.COM detects hardware, which is stored in the registry
Control is passed to NTOSKRNL.EXE
Kernel load sequence
The HAL (hardware abstraction layer) driver is loaded (hal.dll)
The control set that the OS will use is loaded
Low-level drivers such as disk drivers are loaded
Kernel initialization sequence
The registry key HKEY_LOCAL_MACHINE\HARDWARE is created with the current PC hardware
The Clone control set is created; it is the exact data used to configure the PC, without the changes made by setup
Low-level drivers are initialized and higher-level subsystems are loaded
Logon sequence
The logon dialog box appears and the user enters valid credentials
The service controller scans HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services to see whether there
are any services that still need to be loaded
[14.3] Backup types
Normal (full) - clears the archive bit, backs up all data on the volume that is being backed up.
Incremental - backs up only those files that have their archive bit set to 1 (changed since the last full or incremental backup). Clears the
archive bit. The restore process will have to chain multiple incremental backups. This backup is fastest when combined with a normal backup.
Differential - backs up only those files whose archive bit is set to 1. Does not clear the archive bit; no chaining of backups during the
restore process
Copy - the only backup type that can back up the registry and other critical system files. Like a full backup, but does not clear or set any
archive bits. This type of backup is used for archiving or when backing up between the incremental and normal backups of a routine.
Daily - backs up only those files that were modified today. Does not clear the archive bit.
You can exclude files from being backed up
System state - boot and system files, AD (if DC), SYSVOL directory (if DC), COM+ Class Registration database, registry, Cluster
service information (if the server is part of a cluster), IIS Metadirectory (if installed) - only for the local system!
All backed up files keep their file attributes, unless you are restoring to FAT
For the command prompt use: ntbackup.exe
Backup cannot be performed to CD-R or DVD-R
When NTBackup creates a backup set it also creates a listing of the files and folders included in the set, called a catalog. It is stored
both on the disk of the server and in the backup set itself.
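Added example (not from the guide) that simulates the archive bit under the backup types listed above in Python, runs the same week of edits through an incremental and a differential scheme to compare set sizes and restore chains, and checks that a copy or daily backup in between does not disturb the incremental chain. File names, edit days and the schedule are constructed.

```python
# Added example (not from the guide): a simulation of the archive bit under the
# five backup types and of which sets a restore has to chain. File names,
# modification days and the schedule are constructed.

def run_backup(files, kind, today):
    """Return the names written to the backup set, updating archive bits the way
    each type does. files maps name -> {"archive": bool, "mtime": day}."""
    if kind in ("normal", "copy"):
        selected = set(files)
    elif kind in ("incremental", "differential"):
        selected = {n for n, f in files.items() if f["archive"]}
    elif kind == "daily":
        selected = {n for n, f in files.items() if f["mtime"] == today}
    else:
        raise ValueError(kind)
    if kind in ("normal", "incremental"):      # only these two clear the bit
        for n in selected:
            files[n]["archive"] = False
    return selected

def modify(files, name, day):
    files[name] = {"archive": True, "mtime": day}   # any write sets the bit

def restore_chain(history):
    """Indexes of the sets needed to rebuild the latest state: the last normal
    backup plus every incremental after it, or plus only the newest differential
    (assumes one scheme is used between normal backups)."""
    last_normal = max(i for i, (k, _, _) in enumerate(history) if k == "normal")
    chain, diff = [last_normal], None
    for i in range(last_normal + 1, len(history)):
        if history[i][0] == "incremental":
            chain.append(i)
        elif history[i][0] == "differential":
            diff = i                 # a newer differential supersedes the older one
    return chain + ([diff] if diff is not None else [])

def simulate(scheme):
    """Normal backup on day 0, then `scheme` on days 1-3 with constructed edits."""
    files = {n: {"archive": True, "mtime": 0} for n in "abc"}
    edits = {1: ["a"], 2: ["b"], 3: ["a", "c"]}
    history = [("normal", 0, run_backup(files, "normal", 0))]
    for day in (1, 2, 3):
        for n in edits[day]:
            modify(files, n, day)
        history.append((scheme, day, run_backup(files, scheme, day)))
    return history

def compare_schemes():
    """Incremental: smaller sets but a long restore chain; differential: growing
    sets but only two sets to restore."""
    out = {}
    for scheme in ("incremental", "differential"):
        h = simulate(scheme)
        out[scheme] = {"sets": [sorted(s) for _, _, s in h],
                       "restore_chain": restore_chain(h)}
    return out

def copy_does_not_disturb():
    """A copy (or daily) backup between a normal and an incremental leaves the
    archive bits alone, so the next incremental still picks up the edited file."""
    files = {n: {"archive": True, "mtime": 0} for n in "ab"}
    run_backup(files, "normal", 0)
    modify(files, "a", 1)
    copied = run_backup(files, "copy", 1)
    daily = run_backup(files, "daily", 1)
    incremental = run_backup(files, "incremental", 1)
    return sorted(copied), sorted(daily), sorted(incremental)
```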
[14.4] Backup log
By default 10 backup logs are kept on the server
There are three logging options:
No log
Summary log (default)
Detailed log
[14.5] Restore options
Do not replace files (default)
Replace only if the file on disk is older
Always replace files
Options for where to restore the files to:
Restore to alternate location
Restore to single folder
Restore to original location
[14.6] Boot problems
Hit F8 for the boot menu during startup
Last known good configuration is a control set in the registry (current settings, like the drivers used)
Last known good configuration is still a good choice only if no user has logged on since the problem arose
Booting into safe mode does not overwrite the 'Last known good configuration'
To access the recovery console: 'winnt32.exe /cmdcons' - this places a recovery console option into boot.ini
The recovery console is good for missing boot files
You can run the recovery console from the Windows XP CD: boot from the CD and press R (repair installation)
When boot files are missing you will have to copy new ones from the installation CD
The maximum number of lines in the [operating systems] section of the Boot.ini file in Windows XP is 10. If you add an 11th line (or
more), only lines 1 through 10 will be seen during the boot phase of Windows XP
Directory services restore mode:
This is like a safe mode for a domain controller
Active directory is not started
[14.7] Advanced boot options
Safe mode - in boot.ini /safeboot:minimal /sos /bootlog /noguiboot
Safe mode with networking - in boot.ini /safeboot:network /sos /bootlog /noguiboot
Safe mode with command prompt - in boot.ini /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
Enable boot logging - in boot.ini /bootlog (log is stored in %systemroot%\ntbtlog.txt)
Enable VGA mode - in boot.ini /basevideo
Last known good configuration - in boot.ini no corresponding switch exists
Directory services restore mode (Windows domain controllers only) - in boot.ini /safeboot:dsrepair /sos
Debugging mode - in boot.ini /debug
The /sos /bootlog /noguiboot switches are not required with any of the above settings, but they are useful for
troubleshooting. These switches are included if you press F8 and choose one of the modes from the startup boot menu.
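Added example (not from the guide): a small boot.ini parser in Python that names the startup mode each [operating systems] entry corresponds to from its /safeboot switch (the mapping in 14.7), flags a file with more than the 10 entries that are shown at boot (14.6), and reports a default= that matches no entry. The sample boot.ini and its ARC paths are constructed.

```python
# Added example (not from the guide): a boot.ini parser that names each entry's
# startup mode from its switches and flags the 10-entry limit of the
# [operating systems] section. The sample file at the bottom is constructed.
import re

# Mode implied by the /safeboot value (section 14.7); no switch means a normal start.
SAFEBOOT_MODES = {
    "minimal": "Safe mode",
    "minimal(alternateshell)": "Safe mode with command prompt",
    "network": "Safe mode with networking",
    "dsrepair": "Directory services restore mode",
}
MAX_OS_ENTRIES = 10

def parse_boot_ini(text):
    """Return {"boot loader": {key: value}, "operating systems": [(arc_path, description, switches)]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = [] if current == "operating systems" else {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if current == "operating systems":
            m = re.match(r'"([^"]*)"\s*(.*)', value)
            if not m:
                raise ValueError("entry without a quoted description: " + line)
            sections[current].append((key, m.group(1), m.group(2).split()))
        elif current is not None:
            sections[current][key] = value
    return sections

def startup_mode(switches):
    """Name the F8 mode that an entry's switches correspond to."""
    for s in switches:
        low = s.lower()
        if low.startswith("/safeboot:"):
            return SAFEBOOT_MODES.get(low.split(":", 1)[1], "unknown safeboot value")
    return "Normal"

def audit_boot_ini(text):
    """List each entry's mode; flag entries past the limit and a default matching no entry."""
    cfg = parse_boot_ini(text)
    entries = cfg.get("operating systems", [])
    problems = []
    if len(entries) > MAX_OS_ENTRIES:
        problems.append("only the first %d entries are shown at boot" % MAX_OS_ENTRIES)
    default = cfg.get("boot loader", {}).get("default")
    if default and default not in {path for path, _, _ in entries}:
        problems.append("default points to no entry: " + default)
    return {"modes": [(desc, startup_mode(sw)) for _, desc, sw in entries],
            "problems": problems}

# Constructed sample; the ARC paths are illustrative.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="XP safe mode (cmd)" /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows Server 2003 DSRM" /safeboot:dsrepair /sos
"""
```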
[14.8] ASR - Automated system recovery
Replaces the ERD (emergency repair disk)
Stores system state data (uses a CD or tape)
You need the Windows XP CD and the ASR floppy to do a clean install and apply the system settings
ASR is needed to recover from boot failures
To create the ASR disk either run ntbackup.exe from the command prompt or go to: Start -> All Programs -> Accessories -> System Tools ->
Backup
Using ASR recovers the system up to the point the ASR set was created
If you create an ASR set on a system without a floppy drive, the files are saved to the %systemroot%\repair folder. ASR restore will not work
without a floppy drive and the floppy disk.
To perform an ASR recovery you need:
ASR floppy disk
ASR Backup set
Windows XP setup CDROM
There is no ASR in Windows XP Home edition