TechTutorials - Free Computer Tutorials  

Introduction to Windows 2000 Professional 

Added: 05/16/2001

The following are the installation requirements for a Windows 2000 Professional workstation:

  • 133 MHz or higher Pentium-compatible processor

  • 64 MB of RAM minimum (4 GB maximum)

  • 2 GB hard drive with a minimum of 650 MB of free space (additional free hard disk space is required if you are installing over a network)

  • Windows 2000 Professional supports up to 2 processors.

Always check the HCL before beginning any installation. Installations can be created on any type of partition: FAT, FAT32, or NTFS. NTFS is recommended, but use FAT or FAT32 for dual booting. Upgrades can be performed on Windows 9x machines and NT 3.51 and higher operating systems. To upgrade a Windows 3.1 or NT 3.5 machine, first upgrade to Windows 9x or NT 4.0, respectively. To install over a network, install a distribution server first. Slipstreaming is the ability to install Windows 2000 and the service packs at the same time, and can be done using a distribution image for many computers. There are four logs for troubleshooting failed installations: Setupact.log, Setuperr.log, Setupapi.log and Setuplog.txt.

The following are some of the common switches available for use with WINNT.EXE:

  • /e:command - Executes a command before the last phase of Setup.
  • /r:foldername - Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /r switches to install additional folders.
  • /rx:foldername - Creates a folder to be copied as a part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes.

Use Winnt32.exe for a clean installation or an upgrade from Windows 9x or NT Workstation. There are a number of switches that can be used with winnt32.exe. Below are a couple of the important ones:

  • /copydir:foldername - Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /copydir switches to install additional folders. Same as /r for winnt.exe.
  • /copysource:foldername - Creates a folder to be copied as a part of Setup into the Windows 2000 directory, but the folder IS DELETED when Setup finishes. Same as /rx for winnt.exe.
  • /cmd:command - Executes a command before the last phase of Setup. Same as /e: for winnt.exe.
  • /cmdcons - Installs the files needed to restart the system in command-line, non-graphical mode for repair purposes (the Recovery Console).
  • /syspart - Prepares a hard disk to be transferred to another computer system. This switch installs the Setup files and marks the partition active. Requires the /tempdrive switch.
  • /tempdrive - Specifies which drive Windows 2000 temporary files are placed on during Setup.
  • /makelocalsource - Copies all of the Windows 2000 source files to the target drive during installation.
  • /noreboot - Avoids the reboot after installation so that another command can be run.
  • /checkupgradeonly - Checks your system for incompatibilities that will prevent a successful upgrade.
  • /unattend - Upgrades your previous version of Windows using unattended Setup mode. All user settings are taken from the previous installation so that no user intervention is required during Setup. You can also use this switch in an unattended installation by specifying the [seconds][:answer_file] variables.

Windows 2000 Professional supports unattended installations. The /U switch is used for unattended installations and is followed by the location of the answer and installation files. Unattended installations can be done for clean installs as well as upgrades. Unattended installations can be fully automated. The default answer file that ships with Win2K is called unattend.txt and can be modified. Setup Manager can also create answer files.

Windows 2000 comes with a variety of tools that can be helpful during installations. Understand the following concepts:

  • Disk duplication is used when the computers have identical hardware configurations, and is only used for clean installs.

  • Sysprep is used when you need to prepare an image of a computer for cloning but does not provide the actual distribution of this image. That is done with third-party tools.

  • To use Remote Installation Service (RIS), there must be a DHCP server service, a DNS server service, and Active Directory running on the network.

  • Scripting is used when computers have different hardware configurations and when disk duplication cannot be used. Answer files offer information that is normally manually input into installation dialog boxes like user name, password, domain name, time zones, etc.

Backup and Recovery
Recovery Console:
Now that you have installed Windows 2000, you should immediately take steps to protect your installation by installing the Recovery Console. The Recovery Console is similar to the emergency repair disk in NT 4.0, but with many functionality enhancements. With it you can start and stop services, read and write data on a local drive (including drives formatted with the NTFS file system), copy data from a floppy disk or CD, format drives, fix the boot sector or master boot record, and perform other administrative tasks. With Windows NT 4.0, many administrators would create a FAT partition that would allow them to boot to a DOS prompt. The Recovery Console eliminates the need to create a FAT partition for this purpose.

The Recovery Console is set up as follows:
Insert the installation CD, switch to the I386 directory and type winnt32 /cmdcons at the prompt (C:\>winnt32 /cmdcons).
When asked for confirmation, answer "yes". The files will be copied to the hard disk. After rebooting the computer you will be able to select "Microsoft Windows 2000 Command Console" and start Windows 2000 in command mode. You will be prompted for the Windows 2000 installation that you wish to repair and for the Administrator password. Once you are in, there is a wide variety of commands that you can run. Type HELP for a list of all of the commands. Some of the more important commands are:

  • DISKPART - Similar to fdisk

  • LISTSVC - Lists services

  • ENABLE/DISABLE - Enable/disable service or driver

  • FIXBOOT - Create a new boot sector on the system partition

  • FIXMBR - Repairs master boot record

  • MAP - Shows a list of drives and ARC paths.

  • LOGON - Choose which installation to work with

The Backup program has been greatly enhanced in order to support Active Directory, and a much wider variety of backup media is now supported, including removable disks, network drives, logical drives and tape devices. Another nice feature is the integrated scheduling option, which removes the need to use AT or another scheduling utility.

Windows 2000 has several other utilities to aid in the event of a failure, many of which are found under "Advanced Options", accessed by pressing F8 at the boot menu. In order to troubleshoot failures, it is a good idea to understand the boot process, which occurs in the following steps:

  1. Power-on self test (POST)

  2. Initial startup

  3. Bootstrap loader process

  4. Select operating system

  5. Detecting hardware

  6. Selecting a configuration

  7. Loading and initializing the kernel (Ntoskrnl.exe)

  8. Log on

The boot process requires the following files (and their locations):

  • NTLDR - active partition
  • Boot.ini - active partition
  • Ntdetect.com - active partition
  • SYSTEM registry key - %SystemRoot%\System32\Config
  • Device drivers - %SystemRoot%\System32\Drivers

Ntbootdd.sys is required only if you are using a SCSI-controlled boot partition, and the SCSI adapter does not have a SCSI BIOS enabled. Bootsect.dos is required only for multiple booting.

When working with the boot.ini file, you need to understand ARC naming conventions. ARC is an architecture-independent way of naming drives for x86, RISC, Alpha, etc. NT uses this convention in its boot.ini file to determine which disk holds the OS. The different options are:

  • Multi(x) - Specifies an EIDE disk, or a SCSI disk if the BIOS is enabled to detect it. Can only be used on x86 systems. "x" is the number of the controller.
  • SCSI(x) - Defines a SCSI controller if the BIOS is not enabled to detect it. Again, "x" is the number of the controller.
  • Disk(x) - Defines which SCSI disk the OS is on. If SCSI(x) was used, then x is the SCSI ID of the drive. If Multi(x) was used, then x=0.
  • Rdisk(x) - Defines which disk the OS is on when it is on an EIDE disk. x=0-1 if on the primary controller; x=2-3 if on a multi-channel EIDE controller.
  • Partition(x) - Specifies the partition that the operating system is located on. x is the partition's number.
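An added example (not part of the tutorial) that parses a constructed boot.ini and checks every ARC path against the rules just listed; it also applies two facts the tutorial states elsewhere, that partition numbers start at 1 and that a scsi() entry depends on Ntbootdd.sys, and flags a non-ARC entry as one that relies on Bootsect.dos.

```python
import re
from dataclasses import dataclass

# One ARC path: multi(0)disk(0)rdisk(0)partition(1)\WINNT
ARC_RE = re.compile(
    r"^(?P<kind>multi|scsi)\((?P<adapter>\d+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<part>\d+)\)"
    r"(?P<path>\\.*)?$",
    re.IGNORECASE,
)


@dataclass
class ArcPath:
    kind: str       # "multi" (BIOS-visible EIDE/SCSI) or "scsi" (no SCSI BIOS)
    adapter: int    # controller number
    disk: int       # SCSI ID under scsi(); must be 0 under multi()
    rdisk: int      # EIDE disk: 0-1 on the primary, 2-3 on a multi-channel controller
    partition: int  # partition number, counted from 1
    path: str       # system root on that partition, e.g. \WINNT


def parse_arc(spec):
    """Split an ARC path into its components; raises ValueError if it is not one."""
    m = ARC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"not an ARC path: {spec!r}")
    return ArcPath(m["kind"].lower(), int(m["adapter"]), int(m["disk"]),
                   int(m["rdisk"]), int(m["part"]), m["path"] or "")


def check_arc(arc):
    """Return the list of rule violations for one ARC path (empty if it is fine)."""
    issues = []
    if arc.kind == "multi" and arc.disk != 0:
        issues.append("multi(): disk() must be 0")
    if arc.kind == "multi" and arc.rdisk > 3:
        issues.append("multi(): rdisk() is 0-1 on the primary or 2-3 on a multi-channel EIDE controller")
    if arc.kind == "scsi":
        issues.append("scsi(): no SCSI BIOS, so booting needs Ntbootdd.sys on the active partition")
    if arc.partition < 1:
        issues.append("partition() numbering starts at 1")
    return issues


def check_boot_ini(text):
    """Map each [operating systems] entry label to its issues; the "default" key
    reports whether the [boot loader] default line names an existing entry."""
    section, default, entries, results = None, None, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, _, value = (s.strip() for s in line.partition("="))
        if section == "boot loader" and key.lower() == "default":
            default = value.lower()
        elif section == "operating systems":
            label = value.split('"')[1] if value.startswith('"') else value
            entries.append(key.lower())
            try:
                results[label] = check_arc(parse_arc(key))
            except ValueError:
                results[label] = ["non-ARC entry: multi-boot loads it through Bootsect.dos"]
    results["default"] = [] if default in entries else [f"default {default!r} matches no [operating systems] entry"]
    return results


# Constructed sample boot.ini: one good entry, one broken entry, one SCSI entry
# without BIOS support, and a Windows 98 entry for dual booting.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect
multi(0)disk(1)rdisk(0)partition(0)\WINNT="Broken entry" /fastdetect
scsi(0)disk(3)rdisk(0)partition(2)\WINNT="Second install on SCSI without BIOS"
C:\="Microsoft Windows 98"
"""

if __name__ == "__main__":
    for entry, problems in check_boot_ini(SAMPLE_BOOT_INI).items():
        print(f"{entry}: {'OK' if not problems else '; '.join(problems)}")
```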

Below are the various recovery tools included in Windows 2000.

  • ERD - Emergency Repair Disk. The RDISK utility found in NT 4.0 is gone. An ERD is now created using the ntbackup utility and no longer backs up registry data.

  • Enable VGA Mode - Located in the advanced options menu, this utility allows one to fix display settings or drivers that have caused the display to become unviewable.

  • Last Known Good Configuration - Tells Windows 2000 to forget any changes that you have made since the previous boot, by looking for the last configuration that did not cause system critical errors at boot. Good to try if you have made a change to the system and then rebooted with problems.

  • Safe Mode - Loads a minimal version of Windows 2000 with only the drivers needed to boot the computer. Because this option does not load any network services or drivers, it is a good tool to use when you suspect that the problem lies in this area.

  • Safe Mode With Networking - Same as Safe Mode, but includes networking support.

  • Safe Mode With Command Prompt - Safe Mode in which EXPLORER.EXE is replaced by CMD.EXE. From the command prompt it is still possible to run Explorer and other GUI applications. No networking support in this mode.

File System
Disk Manager is the old Disk Administrator and is a snap-in. It can be used to defragment, create, and manage volumes and disks. Disk systems now support FAT32, NTFS, and FAT. The convert.exe utility can be used to convert a FAT or FAT32 partition to NTFS. NTFS partitions cannot be converted to FAT or FAT32. If such a need exists, the partition must be deleted and recreated as FAT or FAT32.

The NTFS file system has many new capabilities as follows:

  • EFS - Encrypting File System. Windows 2000 NTFS volumes have the ability to encrypt data on the disk itself. This is based on public key and private key encryption procedures. Private keys are used to encrypt and decrypt files, and the key can be placed on a floppy disk for transport to other machines. Only the user that stored the file, or a designated recovery agent, can open it again. Taking ownership of an encrypted file will not let you read it. Cipher.exe is a command-line utility that allows for bulk or scripted file encryption. To have any new contents of a folder encrypted, simply view the property page for the folder and select "Encrypt contents to secure data".

  • Disk Quotas - Provides the ability to set space limitations on users on a per volume basis. The ownership of a file determines which user to charge the space used against. You must enable quota management from the properties dialog - quota tab of a given disk. You can then set thresholds for individual users including a warning level when their files exceed a certain amount of storage that is approaching their quota limit.

  • Defragmentation - Windows 2000 now includes a disk defragmenter that can be used on NTFS partitions.

  • Volume Mount Points - Provides the ability to add new volumes to the file system without having to assign a drive letter to them. This feature is only available on NTFS partitions.

The Distributed File System (DFS) has also been enhanced. There are two types of DFS implementations: stand-alone and fault tolerant. Stand-alone DFS stores the configuration information on a single node (server). Child nodes can only go one level below the root, and can exist on any server. Fault tolerant DFS stores the DFS configuration information in Active Directory. Two identical shares on different servers can be configured as a single child node to provide fault tolerance. You can have multiple levels of child volumes, and file replication is supported. Clients must have DFS software installed. Windows NT 4.0, Windows 2000 and Windows 98 include this software, while Windows 95 clients must download the appropriate DFS client software from

Windows 2000 features a new storage type called "dynamic disks". The advantages of dynamic disks include an unlimited number of volumes per disk. NTFS volumes can be extended and can now include space from different disks. Perhaps the most important item is that the disk configuration is stored on the disk itself. This means that we can move disks between computers (within reason) and have the data available with little additional effort. Dynamic volumes are not supported on Zip disks or laptops. Basic disks can be upgraded to dynamic disks without restarting the computer, but converting back causes all data to be lost. Simple volumes are created on dynamic disks and are made up of one physical disk. Spanned volumes combine many physical disks (up to 32) and are written to sequentially until all are full. Striped volumes are created from multiple disks (up to 32) and are written to concurrently. There are no fault tolerant disk configurations available in Windows 2000 Professional.

Hardware Devices
Plug and Play is now supported in Windows 2000. Both APM and ACPI are supported for power management; either must be supported by the computer's BIOS. ACPI is new, APM is legacy. Device Manager is still used for the usual activities (troubleshooting, updating drivers, etc.) and still has the familiar red and yellow warnings. Changes to network adapters no longer require the computer to be rebooted, and if they are Plug and Play they are automatically configured.

NTFS Permissions
File and Directory Permissions:
NTFS permissions are largely the same as in NT 4.0. The following lists break down each of the permission types. The permissions for files are:

  • Full Control - Read, write, modify, execute, change attributes, permissions, and take ownership of the file.
  • Modify - Read, write, modify, execute, and change the file's attributes.
  • Read & Execute - Display the file's data, attributes, owner, and permissions, and run the file (if it's a program or has a program associated with it for which you have the necessary permissions).
  • Read - Display the file's data, attributes, owner, and permissions.
  • Write - Write to the file, append to the file, and read or change its attributes.

The permissions for directories are:

  • Full Control - Read, write, modify, and execute files in the folder, change attributes, permissions, and take ownership of the folder or files within.
  • Modify - Read, write, modify, and execute files in the folder, and change attributes of the folder or files within.
  • Read & Execute - Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions).
  • List Folder Contents - Display the folder's contents and display the data, attributes, owner, and permissions for files within the folder, and run files within the folder (if they're programs or have a program associated with them for which you have the necessary permissions).
  • Read - Display the file's data, attributes, owner, and permissions.
  • Write - Write to the file, append to the file, and read or change its attributes.

The Read & Execute and List Folder Contents folder permissions appear to be exactly the same; however, they are inherited differently and thus are different permissions. Files can inherit the Read & Execute permission but cannot inherit the List Folder Contents permission. Folders can inherit both.

So you may be wondering what is really different from NT 4.0. NT 4.0 gave the options of granting access or not specifying. Windows 2000 has the new option of denying a user or users a particular permission. For example, if you wanted to make sure that Bob is unable to read any file, then simply deny him read permissions. Permissions are cumulative, except for Deny, which overrides everything.

The following shows what happens to files when they are copied or moved within or across NTFS partitions:

  • Moving within a partition - Does not create a new file; simply updates the location in the directory. The file keeps its original permissions.
  • Moving across a partition - Creates a new file and deletes the old one. The file inherits the target folder's permissions.
  • Copying within a partition - Creates a new file, which inherits the permissions of the target folder.

Files moved from an NTFS partition to a FAT partition do not retain their attributes or security descriptors, but will retain their long filenames.

As with NT 4.0, Windows 2000 also supports special access permissions, which are the building blocks the standard permissions are made from. The lists below show each special permission and which standard permissions include it.

File special permissions (standard file permissions that include each):

  • Traverse Folder/Execute File - Full Control, Modify, Read & Execute
  • List Folder/Read Data - Full Control, Modify, Read & Execute, Read
  • Read Attributes - Full Control, Modify, Read & Execute, Read
  • Read Extended Attributes - Full Control, Modify, Read & Execute, Read
  • Create Files/Write Data - Full Control, Modify, Write
  • Create Folders/Append Data - Full Control, Modify, Write
  • Write Attributes - Full Control, Modify, Write
  • Write Extended Attributes - Full Control, Modify, Write
  • Delete Subfolders and Files - Full Control
  • Read Permissions - Full Control, Modify, Read & Execute, Read, Write
  • Change Permissions - Full Control
  • Take Ownership - Full Control

Folder special permissions (standard folder permissions that include each):

  • Traverse Folder/Execute File - Full Control, Modify, Read & Execute, List Folder Contents
  • List Folder/Read Data - Full Control, Modify, Read & Execute, List Folder Contents, Read
  • Read Attributes - Full Control, Modify, Read & Execute, List Folder Contents, Read
  • Read Extended Attributes - Full Control, Modify, Read & Execute, List Folder Contents, Read
  • Create Files/Write Data - Full Control, Modify
  • Create Folders/Append Data - Full Control, Modify
  • Write Attributes - Full Control, Modify
  • Write Extended Attributes - Full Control, Modify
  • Delete Subfolders and Files - Full Control
  • Read Permissions - Full Control, Modify, Read & Execute, List Folder Contents, Read
  • Change Permissions - Full Control
  • Take Ownership - Full Control

Remember that file permissions override the permissions of its parent folder. Anytime a new file is created, the file will inherit permissions from the target folder.

Share Permissions:
Shares are administered through the MMC, My Computer or Explorer, and permissions can be set on a share in the "Share Permissions" tab. Share-level permissions only apply when a file or folder is being accessed via the network and do not apply to a user logged on to the machine locally. The different share-level permissions are:

  • Read - View files and subdirectories and execute applications. No changes can be made.
  • Change - Includes Read permissions plus the ability to add, delete or change files or subdirectories.
  • Full Control - Can perform any and all functions on all files and folders within the share.

These permissions are identical to NT 4.0; however, there is one new change. As discussed above, the Deny permission can also be applied to shares, and Deny overrides all others. When folders on FAT and FAT32 volumes are shared, only the share-level permissions apply, as these file systems do not support file and directory permissions. When folders on NTFS volumes are shared, the effective permission of the user will be the more restrictive of the two. This means that if Bob is trying to access a file called mystuff located on myshare and he has share permissions of Read and file permissions of Full Control, his effective permission would be Read. Conversely, if his share permissions are Full Control and his file permissions are Read, he will still only have Read permissions to mystuff.

When comparing either Share or NTFS permissions, the least restrictive always wins out. When comparing both Share and NTFS permissions, take the least restrictive of each category and then the more restrictive of those two.
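An added example (not from the tutorial) that models the rules above: the standard NTFS file permissions are built from the special permissions in the tutorial's file table, permissions within a category accumulate, Deny overrides, and network access to an NTFS volume yields the intersection of the NTFS and share results. The rights attached to each share level (Read, Change, Full Control) are a modelling assumption made here, not something the tutorial states.

```python
# Special permissions grouped as they appear in the file special-permissions list.
READ_SIDE = {"list_folder_read_data", "read_attributes", "read_extended_attributes"}
WRITE_SIDE = {"create_files_write_data", "create_folders_append_data",
              "write_attributes", "write_extended_attributes"}
EXECUTE = {"traverse_folder_execute_file"}
OWNER_SIDE = {"delete_subfolders_and_files", "change_permissions", "take_ownership"}

# Standard NTFS file permissions expressed as sets of special permissions.
NTFS_FILE = {
    "Read": READ_SIDE | {"read_permissions"},
    "Write": WRITE_SIDE | {"read_permissions"},
    "Read & Execute": READ_SIDE | EXECUTE | {"read_permissions"},
    "Modify": READ_SIDE | WRITE_SIDE | EXECUTE | {"read_permissions"},
    "Full Control": READ_SIDE | WRITE_SIDE | EXECUTE | OWNER_SIDE | {"read_permissions"},
}
EVERYTHING = NTFS_FILE["Full Control"]

# Share-level permissions in the same vocabulary. Assumption made for this model:
# Read = view and execute, Change = Read plus writing and deleting, Full Control = all.
SHARE = {"Read": READ_SIDE | EXECUTE | {"read_permissions"}}
SHARE["Change"] = SHARE["Read"] | WRITE_SIDE | {"delete_subfolders_and_files"}
SHARE["Full Control"] = EVERYTHING


def combine(table, allow, deny):
    """Within one category the least restrictive wins (union of every Allow),
    but a Deny overrides everything it covers."""
    granted = set().union(*(table[p] for p in allow))
    denied = set().union(*(table[p] for p in deny))
    return granted - denied


def effective(ntfs_allow=(), ntfs_deny=(), share_allow=(), share_deny=(),
              *, over_network=True, ntfs_volume=True):
    """Rights a user ends up with on one file.

    - local access: share permissions do not apply at all;
    - FAT/FAT32 volume: there are no file permissions, so only the share applies;
    - network access to NTFS: the more restrictive of the two (intersection)."""
    ntfs = combine(NTFS_FILE, ntfs_allow, ntfs_deny) if ntfs_volume else set(EVERYTHING)
    if not over_network:
        return ntfs
    return ntfs & combine(SHARE, share_allow, share_deny)


def can_read(rights):
    return "list_folder_read_data" in rights


def can_write(rights):
    return "create_files_write_data" in rights


if __name__ == "__main__":
    # Bob's two cases from the text: share Read + NTFS Full Control, and the reverse.
    for share, ntfs in (("Read", "Full Control"), ("Full Control", "Read")):
        r = effective(ntfs_allow=[ntfs], share_allow=[share])
        print(f"share={share:13} ntfs={ntfs:13} read={can_read(r)} write={can_write(r)}")
    # Deny Read on the file wins even over Full Control everywhere else.
    r = effective(ntfs_allow=["Full Control"], ntfs_deny=["Read"], share_allow=["Full Control"])
    print(f"deny Read: read={can_read(r)} write={can_write(r)}")
```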

A printer is a physical piece of equipment (also called a print device), while a logical printer is what the user sees on the screen of the local computer (the software side). Print processor, print router and printer pool are self-explanatory terms. The print spool holds documents until they are ready to be printed. Printers can be located in Active Directory and can be found by querying for a printer at a given location, one that can staple or print on specific paper, or by printer type, to name a few. Windows 2000 Professional automatically downloads the drivers for clients running Windows 2000, Windows NT 4/3.51 and Windows 9x.

Print Pooling allows jobs to be dispersed across more than one printer, making them behave as one. Printer pools must contain printers that use the same driver.

If a printer experiences a jam in the middle of a job, you can select "resume" to continue where you left off.


The registry is divided into the following subtrees:

  • HKEY_CURRENT_USER - Contains the root of the configuration information for the user who is currently logged on, including their profile.
  • HKEY_USERS - Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is an alias for a subkey in the HKEY_USERS subtree.
  • HKEY_LOCAL_MACHINE - Contains configuration information particular to the computer (for any user).
  • HKEY_CLASSES_ROOT - A subkey of HKEY_LOCAL_MACHINE\Software. The information stored here ensures that the correct program opens when you open a file using Windows Explorer.
  • HKEY_CURRENT_CONFIG - Contains information about the hardware profile used by the local computer at system startup.

The registry editors included with Windows 2000 include Regedt32 and Regedit. Each registry editor has advantages and disadvantages. You can perform most tasks with either registry editor, but certain tasks are easier with one registry editor. The following are advantages of Regedt32:

  • Using the Security menu, you can check for and apply access permissions to subtrees, keys, and individual subkeys.
  • Each subtree is displayed in its own dedicated window, reducing clutter.
  • You can set an option to work in read-only mode.
  • You can edit values longer than 256 characters.
  • You can easily edit REG_MULTI_SZ entry values.
  • You can load multiple registry files at the same time.

The following are advantages of Regedit:

  • Regedit has more powerful search capabilities.
  • All the keys are visible in one Windows Explorer-like window.
  • You can bookmark favorite subkeys for fast access later on.
  • Regedit reopens to the subtree that was last edited.
  • You can export the registry to a text file.
  • You can import a registry file from the command line.

Optimization and Tuning
Performance Monitor is included in Windows 2000 and is an MMC snap-in. Just as in NT 4.0, there are performance counters that can be used to determine the source of performance problems. The following is a list of important counters and suggested thresholds.

  • Processor - Object = Processor, Counter = % Processor Time. If this value is consistently at or above 80% and the disk and network counter values are low, a processor upgrade may be necessary.

  • Processor - Object = System, Counter = Processor Queue Length. A sustained processor queue length over 2 may indicate a processor bottleneck.

  • Memory - Object = Memory, Counter = Pages/sec. If the value is consistently over 20, the system may need a memory upgrade.

  • Memory - Object = Memory, Counter = Committed Bytes. Should be less than the amount of RAM in the computer.

  • Physical Disk - Object = PhysicalDisk, Counter = % Disk Time. If over 90%, add more disk drives and partition the files among all of the drives.

  • Physical Disk - Object = PhysicalDisk, Counter = Disk Queue Length. If consistently over 2, drive access may be a bottleneck.

  • Logical Disk - Object = LogicalDisk, Counter = Disk Queue Length. If consistently over 2, drive access may be a bottleneck.

  • Network - Object = Server, Counter = Bytes Total/sec. If the sum of Bytes Total/sec for all servers is about equal to the maximum transfer rate of your network, the network may need to be further segmented.

Windows 2000 Performance Monitor has several different logging methods. Many third-party performance applications utilize the Trace log feature. Counter logs allow you to log performance values at a designated interval for local or remote Win2K computers. Alert logs can send a message or run a script/program when a pre-determined threshold has been surpassed.

Performance Monitor now offers more flexibility for exporting data, as it can now be saved in HTML, binary, binary circular, .csv and .tsv formats.
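An added example (not from the tutorial) that runs the counter thresholds listed above over a constructed counter log saved in the .csv layout. "Consistently" is modelled here as every sample in the window crossing the threshold, and the Committed Bytes rule needs the machine's RAM size, which the caller supplies; the counter path names are the usual Performance Monitor object\counter form.

```python
import csv
import io

# (counter path, threshold, at-or-above?, advice) taken from the tutorial's list.
RULES = [
    (r"\Processor(_Total)\% Processor Time", 80.0, True, "processor upgrade may be necessary"),
    (r"\System\Processor Queue Length", 2.0, False, "sustained queue over 2: processor bottleneck"),
    (r"\Memory\Pages/sec", 20.0, False, "memory upgrade may be needed"),
    (r"\PhysicalDisk(_Total)\% Disk Time", 90.0, False, "add disks and spread the files across them"),
    (r"\PhysicalDisk(_Total)\Disk Queue Length", 2.0, False, "drive access may be a bottleneck"),
]
COMMITTED = r"\Memory\Committed Bytes"
DISK_TIME = r"\PhysicalDisk(_Total)\% Disk Time"

# Constructed counter log: first column is the sample time, the rest are counters.
SAMPLE_LOG = "\n".join([
    "Time," + ",".join([c for c, *_ in RULES] + [COMMITTED]),
    "09:00:00,85,3,5,22,1,50000000",
    "09:00:15,91,4,30,25,1,55000000",
    "09:00:30,88,3,4,30,2,52000000",
    "09:00:45,95,5,6,22,1,70000000",
])


def parse_counter_log(text):
    """Return {counter path: [samples...]} from .csv counter-log text."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    series = {name: [] for name in header[1:]}
    for row in reader:
        if not row:
            continue
        for name, cell in zip(header[1:], row[1:]):
            series[name].append(float(cell))
    return series


def consistently(values, threshold, at_or_above):
    """True only when every sample in the window crosses the threshold."""
    if not values:
        return False
    return all(v >= threshold if at_or_above else v > threshold for v in values)


def evaluate(text, ram_bytes):
    """Map each counter to True when its threshold rule fires over the whole log."""
    series = parse_counter_log(text)
    flags = {c: consistently(series.get(c, []), t, inc) for c, t, inc, _ in RULES}
    # Committed Bytes should stay below physical RAM at all times.
    flags[COMMITTED] = max(series.get(COMMITTED, [0])) >= ram_bytes
    return flags


def recommend(text, ram_bytes):
    """Turn the fired rules into the tutorial's advice. The processor-upgrade advice
    only applies when the disk is not also saturated, as the tutorial notes."""
    flags = evaluate(text, ram_bytes)
    out = []
    for c, _, _, advice in RULES:
        if not flags[c]:
            continue
        if c.endswith("% Processor Time") and flags[DISK_TIME]:
            out.append(f"{c}: high, but the disk is saturated too; look at the disk first")
        else:
            out.append(f"{c}: {advice}")
    if flags[COMMITTED]:
        out.append(f"{COMMITTED}: exceeds physical RAM ({ram_bytes} bytes)")
    return out


if __name__ == "__main__":
    for line in recommend(SAMPLE_LOG, ram_bytes=64 * 1024 * 1024):
        print(line)
```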

Paging File
A paging file (pagefile.sys) is responsible for managing virtual memory and stores data that is not resident in RAM. There is a lot of conflicting information on Microsoft's website regarding the recommended size of the paging file and we are not sure which is correct. Some references say that it should be 1.5x the amount of physical RAM and others say that it should be physical RAM + 12 MB, as in NT 4.0. You can see the conflicting recommendations in the following support articles:

What you will more likely see on the exam are questions that test whether you understand situations in which the page file should be increased, rather than memorized recommended settings. One such situation is when SQL Server is employed. In this case it is recommended that the paging file be set to 1.5x the amount of physical RAM.

For better performance, the paging file should be distributed across multiple drives that do not contain system or boot files.

Driver Signing
Driver signing is the verification by Microsoft that the drivers you are installing have been tested and will work. You can set limits on users installing drivers by choosing Warn, Ignore or Block if the driver isn't signed properly. Use the System File Checker (SFC /scannow) to check the digital signatures of drivers on a computer. Other options include /quiet, /scanboot, /scanonce, /cancel, and others.

User Environment
User profiles are used to keep users' desktop settings and preferences available to them each time they log on. Roaming user profiles keep this information on a network server so users can access their profile from any computer on the network. Ntuser.dat and are the same as in NT 4.0 for creating mandatory profiles. Local profiles are stored in C:\Documents and Settings\username.

Offline Files
Offline files can be configured to allow users to cache network information normally stored on servers. The Synchronization Manager is used to manage those files once it is set up. Offline files are stored in the systemroot\CSC directory. Offline files support three types of caching:

  • Manual caching for documents - This setting requires users to specify the documents that they would like cached.

  • Automatic caching for documents - As you might expect, this option caches all files that a user opens.

  • Automatic caching for programs - Reduces network traffic, as the network versions of the documents or programs are only stored once. After they are cached, the offline copies are used.

Localization
There are 24 localized versions of Win2K. Unicode is a character set that supports world-wide communications and has characters for French, Russian, and other foreign languages. The RTL and API allow developers to create a single program for an application and allow these programs to be used correctly in other languages. Locales are localized language and customs settings and are listed below:

  • User locales = numbers, currency, time, etc.

  • Input locales = keyboard, mouse, etc.

  • System locales = character set and fonts

Software Packages
Software can be efficiently deployed, updated and removed using Group Policies and two technologies built into Windows 2000: Windows Installer and Software Installation and Maintenance.

Windows Installer will replace Setup.exe for many applications. Its advantages include the ability to build custom installations, enable programs to "repair" themselves if a critical file is missing or corrupt, and remove themselves very cleanly when necessary. Software Installation and Maintenance combines Group Policies and Active Directory technologies to enable an administrator to install, manage and remove software across the network. This is only available for Windows 2000 clients.

When you deploy software, you can choose to assign it or publish it. Assigned software can be targeted at users or computers. If you assign an application to a USER, the icons show up on the desktop and/or Start menu, but the program is only installed when the user runs it for the first time. If it is assigned to a COMPUTER, it is installed the next time the system is restarted.

If you publish an application, the user can install it through Add/Remove Programs or by opening a file that requires that particular program (a file association). Published programs cannot self-repair, cannot be published to computers and are not advertised on the users' desktop or Start menu, only through Add/Remove Programs.

Assigned applications require a Windows Installer file (.msi), while published applications can use Windows Installer files or ZAP files. A .ZAP file is an administrator-created text file that specifies the parameters of the program to be installed and the file extensions associated with it. Installations that utilize .ZAP files cannot self-repair or install with elevated privileges, and will typically require user intervention to completely install.

You can deploy upgrades using GPOs simply by specifying which program is to be upgraded and whether or not it is a mandatory upgrade. You can apply service packs or patches by "re-deploying" an existing Group Policy with the new information regarding the service pack.

Fax Support
Windows 2000 Professional ships with built-in fax support with a single-user license. Faxing is managed via the Fax Service Management tool, which is installed when a fax device is installed on the computer. The "virtual" fax machine appears as an icon in the Printers folder. In order for faxes to be sent, the user must have appropriate permissions to send them. These permissions can be viewed by finding the fax icon in the Printers folder and viewing the Security tab in its properties. In order to receive faxes, "Enable to Receive" must be selected.

Network Connections
Windows 2000 supports many industry-standard protocols, including:

  • TCP/IP (obviously)

  • NetBEUI

  • AppleTalk

  • IPX/SPX

  • DLC - For use with mainframes, AS/400s, etc.

  • IrDA - Infrared Data Association

The same tools are still in use for troubleshooting TCP/IP: PING, IPCONFIG, TRACERT, ARP, NBTSTAT, NETSTAT, ROUTE, etc. PATHPING is new and can be used to troubleshoot lost data packets.

Like Windows 98, Windows 2000 supports a feature called Automatic Private IP Addressing (APIPA). When "Obtain An IP Address Automatically" is enabled but the client cannot obtain an IP address from a DHCP server, Automatic Private IP Addressing assigns an address in the form 169.254.x.x with a class B subnet mask. The computer broadcasts this address to its local subnet and, if no other computer responds to the address, the computer allocates this address to itself. Remember that a computer that picks up one of these addresses will only be able to communicate with other computers that have compatible addresses and subnet masks.

    RAS Policies are a new feature in Windows 2000. Now it is possible to build an entire set of rules called a RAS Policy to dictate several conditions that must exist before a user can connect. It allows the flexibility to require that a user must be dialing from a specific IP address or from a range of addresses, during the right time of day, from the appropriate caller id location using the appropriate protocol. We can restrict access by group membership or the type of service requested. All of these are configurable and optional. Once the user has met all of the conditions, we can apply a profile, which can include items such as the IP address to use for this session, the authentication type that is allowed, any restrictions such as idle time and the rules for BAP with multilink sessions.

    Windows 2000 now provides support for VPNs. A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can create a connection between two computers across a shared or public network that emulates a point-to-point private link. Windows 2000 supports a couple of different VPN protocols. Point to Point Tunneling Protocol (PPTP) creates an encrypted "tunnel" through an untrusted network and is supported by Windows 95/98/NT4/2000. Layer Two Tunneling Protocol (L2TP) works like PPTP in that it creates a "tunnel", but uses IPSec encryption in order to support non-IP protocols and authentication. The table below illustrates the features of each:

    Feature                                        PPTP   L2TP
    Header compression                                    X
    Tunnel authentication                                 X
    Built-in encryption                            X
    Transmits over IP-based networks               X      X
    Transmits over UDP, Frame Relay, X.25 or ATM          X

    Windows 98 supported Internet Connection Sharing (ICS), which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation (NAT) and is intended for small office/home office (SOHO) environments. When you enable ICS, the network adapter connected to the local network is given a new static IP address configuration. Existing TCP/IP connections on the computer are lost and need to be re-established.

    NAT can be configured separately from ICS and provides the following features and benefits that do not exist with ICS alone:

    • Multiple public IP addresses - NAT can use more than one range of public addresses.

    • Configurable address range - NAT allows manual configuration of IP addresses and subnet masks, whereas ICS uses a fixed IP address range. Any range of IP addresses can be configured using the NAT properties in Routing and Remote Access Manager. A DHCP allocator provides the mechanism for distributing IP addresses, the same way that DHCP does this. NAT can also use IP addresses distributed from a DHCP server by selecting the "Automatically assign IP addresses by using DHCP" check box in the NAT properties sheet.

    • DNS and WINS proxy - Name resolution can be established by using either DNS or WINS. You can configure this by selecting the appropriate check boxes in the NAT properties sheet under the Name Resolution tab.

    • Multiple network interfaces - You can distribute NAT functionality across more than one network interface by adding the interface to NAT in the Routing and Remote Access Manager.

    Remote Access
    RAS has changed rather dramatically. Several new RAS protocols are now available to make our communications over dial up lines or the Internet much more secure and more flexible. These new protocols include Extensible Authentication Protocol (EAP), Layer Two Tunneling Protocol (L2TP), Bandwidth Allocation Protocol (BAP), Internet Protocol Security (IPSec) and Remote Authentication Dial-In User Service (RADIUS).

    EAP gives the ability to use Transport Level Security, another encryption methodology for protecting usernames and passwords.

    L2TP makes it possible to create a tunnel through a public network that is authenticated at both ends, uses header compression, and relies on IPSec for encryption of the data passed through the tunnel.

    Bandwidth Allocation Protocol allows Multilink capabilities to be set up; if a user isn't using the bandwidth of multiple lines, we can drop one of the lines assigned to that user and use it for another user.

    IPSec is essentially a driver at the IP layer that provides encryption very low in the protocol stack.

    RADIUS is an RFC-based standard that allows us to provide authentication services from the corporate network to a client that is attaching to an ISP and wants access to our server. The ISP's dial-up server that hosts the client is a client of the RADIUS server service (IAS) on the corporate network. The IAS server allows the user to connect.

    Local user accounts are managed from the Computer Management snap-in, while domain accounts are managed from the Active Directory Users and Computers snap-in. Local accounts only give access to local resources. In a domain model, if a user wishes to access network resources, they will need an account in the directory with appropriate permissions to the resources they are trying to access. There are 2 local user accounts created during installation: Administrator and Guest (disabled by default).

    There are 2 types of groups in Windows 2000 - Security and Distribution. It is not recommended to use local groups in a domain environment. There are several built-in local groups, as follows:

    Local Group        Description
    Administrators     Can manage all functions on the local system.
    Backup Operators   Able to back up and restore files on the local system regardless of the permissions on the files and directories being backed up. May also grant permissions to other users to perform backup operations.
    Guests             Provides limited access to system resources.
    Power Users        Can create and administer user accounts and groups, but can only manage users that they created. Can install and remove applications and share resources.
    Replicator         Used to replicate content between DCs.
    Users              The default group that a new user is added to. Can run applications installed by administrators or power users, but not those installed by other local users.

    Local Group Policy
    Group policy is managed using the Group Policy snap-in. Group Policy allows one to control specific rights for local groups and to edit administrative templates. Below are the common security templates for Windows 2000 Workstation.

    Template                      Description
    Basic (basicwk.inf)           The default security configuration. Does not cover user rights.
    Compatible (compatws.inf)     Allows compatibility with non-Windows 2000 application installations.
    Highly Secure (hisecws.inf)   Limits the workstation's ability to communicate with non-Windows 2000 operating systems. Best used in native environments.

    Templates only work on NTFS partitions. The Security Configuration and Analysis tool will compare current security settings to recommended settings based on a security template.
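    What the Security Configuration and Analysis comparison amounts to, as an added Python example that is not the tool's own code or part of the original tutorial: it parses two INI-style fragments and lists every template setting the workstation does not meet. The two fragments are constructed for this example (the values are not taken from any shipped template), and the function names are assumptions.

```python
import configparser

# Added illustration of the template-versus-current comparison. The fragments
# below are constructed in the INI layout of the .inf templates; their values
# are made up for this example and are not copied from basicwk/compatws/hisecws.
TEMPLATE_INF = """
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 3
AuditPrivilegeUse = 2
"""

# Constructed snapshot of the workstation's current settings, same layout.
CURRENT_INF = """
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
LockoutBadCount = 0
LockoutDuration = 30
[Event Audit]
AuditLogonEvents = 0
"""

def parse_inf(text):
    """Parse an INI-style fragment into {section: {key: value}} (values stay strings)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str             # keep key case exactly as written
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}

def analyze(template_text, current_text):
    """Return mismatches as (section, key, expected, actual); actual is None when
    the workstation has no value at all for a setting the template defines."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section, settings in template.items():
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)
            if actual != expected:
                findings.append((section, key, expected, actual))
    return findings
```

    A setting that is simply absent on the workstation is reported too, since a missing audit category is as much a gap as a weak one.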

    Local Account and Lockout Policies
    These allow administrators to manage users' password and lockout configurations, including password length, complexity, lockout threshold, duration, etc.

    Event Viewer
    Like its predecessors, Windows 2000 is still using the Event Viewer to monitor security, system and application events. Event Viewer is accessed through the Computer Management snap-in. The security log writes events to the logs based on audit policy. Auditing is disabled by default as it can slow system performance. The following table shows the different security events that can be added to an audit policy.

    Audit Category       Description
    Account Logon        Logs each logon attempt.
    Logon Events         Logs network logon attempts, including interactive or service logons.
    Account Management   Logs every instance of changes to (management of) user accounts.
    Directory Service    Logs Active Directory service events.
    Policy Change        Logs changes in policies.
    Process Tracking     Tracks all programs and processes initiated by a user in order to monitor their activities.
    Object Access        Tracks a user's attempts to access resources in the Active Directory.
    Privilege Use        Logs when a user exercises special access privileges.
    System Event         Logs configured system events such as startup/shutdown, etc.
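    How the lockout policy settings above (threshold, counter reset window, duration) play out against the logon events the audit policy writes, as an added Python example that is not part of the original tutorial and does not read real Event Viewer output: the records are constructed, and the field layout and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Added example: replay constructed security-log records (not real Event Viewer
# output) against a lockout policy and report which accounts would lock out and
# which logons the lockout would refuse. Field names are assumptions.
POLICY = {
    "lockout_threshold": 3,                      # failed attempts before lockout
    "reset_window": timedelta(minutes=10),       # "reset account lockout counter after"
    "lockout_duration": timedelta(minutes=30),
}

# Constructed records: (timestamp, audit category, outcome, account, workstation)
EVENTS = [
    ("2001-05-16 09:00:00", "Logon Events", "Failure", "jsmith", "WS12"),
    ("2001-05-16 09:00:20", "Logon Events", "Failure", "jsmith", "WS12"),
    ("2001-05-16 09:00:45", "Logon Events", "Failure", "jsmith", "WS12"),
    ("2001-05-16 09:01:00", "Logon Events", "Success", "jsmith", "WS12"),
    ("2001-05-16 09:05:00", "Logon Events", "Failure", "admin", "WS30"),
    ("2001-05-16 09:40:00", "Logon Events", "Failure", "admin", "WS30"),
    ("2001-05-16 09:55:00", "Logon Events", "Failure", "admin", "WS30"),
    ("2001-05-16 09:45:00", "Logon Events", "Success", "jsmith", "WS12"),
]

def replay(events, policy):
    """Return ({account: [lockout start timestamps]}, [logons refused while locked]).
    Failures older than reset_window no longer count towards the threshold."""
    recent = defaultdict(deque)     # account -> timestamps of counted failures
    locked_until = {}
    lockouts, refused = defaultdict(list), []
    for ts, category, outcome, account, source in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if category != "Logon Events":
            continue
        if account in locked_until and t < locked_until[account]:
            refused.append((ts, account, source))   # locked: refused whatever the outcome
            continue
        if outcome != "Failure":
            recent[account].clear()  # a successful logon resets the bad-password count
            continue
        q = recent[account]
        q.append(t)
        while q and t - q[0] > policy["reset_window"]:
            q.popleft()
        if len(q) >= policy["lockout_threshold"]:
            locked_until[account] = t + policy["lockout_duration"]
            lockouts[account].append(ts)
            q.clear()
    return dict(lockouts), refused
```

    Note that the slow failures against "admin" never trip the threshold because the counter resets between them, which is exactly why the audit log, not the lockout, is what surfaces that pattern.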

    Acronyms that are good to know:

    1. ACL - access control list
    2. ACPI - advanced configuration and power interface
    3. AD - active directory
    4. APM - advanced power management
    5. APIPA - automatic private internet protocol addressing
    6. CA - certificate authority
    7. CAL - client access license
    8. DHCP - dynamic host configuration protocol
    9. DNS - domain name system
    10. EAP - extensible authentication protocol
    11. EFS - encrypting file system
    12. FEK - file encryption key
    13. GPO - group policy object
    14. GPT - group policy template
    15. HCL - hardware compatibility list
    16. IAS - internet authentication services
    17. ICS - internet connection sharing
    18. IPSec - internet protocol security
    19. L2TP - layer two tunneling protocol
    20. LDAP - lightweight directory access protocol
    21. LPD - line printer daemon
    22. MMC - microsoft management console
    23. NAT - network address translation
    24. NTFS - NT file system
    25. ODBC - open database connectivity
    26. OSI - open systems interconnection (model)
    27. OU - organizational unit
    28. PCMCIA - personal computer memory card international association
    29. PPP - point to point protocol
    30. PPTP - point to point tunneling protocol
    31. PXE - preboot execution environment
    32. RAS - remote access service
    33. RIPrep - remote installation preparation
    34. RIS - remote installation services
    35. RRAS - routing and remote access service
    36. SAM - security accounts manager
    37. SMP - symmetric multiprocessing
    38. SMS - systems management server
    39. Sysprep - system preparation
    40. TFTP - trivial file transfer protocol
    41. UDF - uniqueness database file
    42. UNC - universal naming convention
    43. VPN - virtual private network
    44. WDM - windows driver model
