Friday, January 28, 2011

Windows XP Professional – A Complete Summary, Pt 1

This article talks about Windows XP and the new features it brings with it. Microsoft has introduced a powerful new operating system which brings a lot of flexibility and ease of use to the user. At the same time it is an extremely reliable and sturdy operating system for both the average and the heavy user. In this article we start by talking about the requirements XP needs for optimum operation and how we can meet those requirements. We also talk about the bits and pieces of installing, upgrading and migrating user settings, and highlight the powerful new features in Windows XP installation such as unattended installations and remote installations. Microsoft also aims to target the home market with this new operating system and has included several new features, such as user account management and group management, at a much easier GUI level. Yet it remains the same reliable operating system, if not an even better one, for setting security, group security and domain security policies. Microsoft also includes several new features for auditing and for generating reports in logs for the administrative user. We also talk about the Windows Installer included in this new operating system, which helps remove code clutter and in turn provides us with a more stable operating system than earlier releases. We also see a significant improvement in the user interface and options, with greater ease of use for the everyday user and options like multilingual support which target the corporate environment. Windows XP also takes hardware support and installation to a new level with its new plug-and-play features and extremely good compatibility with mobile hardware. We then discuss the revolutionary new NTFS file system on which Windows XP runs and all its advantages over the old FAT and FAT32 file systems.
Windows XP also gives us a good networking setup and troubleshooting environment with new features like offline folder sharing and resource management. Remote connectivity has become a much more achievable target with the launch of Windows XP, giving the telecommuter the flexibility to work from home. We finally talk about how this new operating system stands up to its older legacy brothers in terms of performance, optimization, recovery, backup and other services. All in all, Microsoft has definitely released a powerful beast of an operating system onto consumers, and it is up to us to realize and utilize Windows XP to its full potential.

Meeting Minimum XP Requirements:

Microsoft’s minimum requirements for Win XP can be classified into various categories. The most important requirement is the minimum processor power needed, which is set to 233 MHz by Microsoft. I personally do not agree with such low standards since the cost of processors is dropping fast and it is the biggest driver for a machine’s performance factor. A minimum of 300 MHz is what I would recommend on the lowest level. The control terminal investigated in this report is up to the benchmark or just above average requirements for the user. The processor is a 2.5 GHz Pentium 4 and is performing at an optimal rate. Win XP Pro does support multiple processors, but this is not necessary in this scenario. The next requirement is RAM: the minimum Microsoft recommends for Win XP Pro to operate is 64MB, which is clearly too low according to current standards. However, Microsoft does state a serious lack of function availability in Win XP Pro while using 64MB of RAM. An example of this would be Fast User Switching, which is disabled in this mode. I personally recommend a minimum of 256MB for any machine with average performance requirements running Win XP Pro. The control machine undertaken in this report has excellent RAM support with 1GB of available RAM. The RAM level in this machine takes a load off the processor as well and at the same time provides excellent performance for heavy multi usage of the various software on the market. The hard drive requirements for Microsoft have been ever increasing with new releases of operating systems, and Win XP Pro requires a minimum of 1.5GB of hard drive space. This increase can be accounted for by bigger operating systems with more included in them; e.g. Win XP Pro includes several features like media support for writing to CD media and also a built-in firewall.
The control machine does a pretty good job of satisfying these hard drive requirements with a 120GB primary (Master) hard drive and another 120GB secondary (Slave) hard drive. However, there are some flaws in this implementation which are highlighted in the backup section of the report. One clear advantage of having two hard drives is that the paging file can be placed on a separate hard drive for better and faster performance. The control machine also exceeds the display requirements of Win XP. Microsoft has raised the bar with this release and has made 800 x 600 the minimum display requirement for this operating system, and a lot of video drivers will not let you shift below this resolution. The control machine had capabilities above this with display potential up to 1600 x 1200. Win XP Pro also recommends setup floppies or bootable CD standards for repair and reinstall, which is also met by the control machine. However, I personally recommend bootable CDs over setup floppies, which are more prone to failure over a long period of time. A better way would also be image backups and image installs, which are discussed later in this report. The BIOS is ACPI (Advanced Configuration and Power Interface) capable, which enables power management features and shut down through HAL (Hardware Abstraction Layer) installation. Win XP Pro has a lot of graphical user features which can only be utilized through a good graphics card. The control unit in this audit has a good graphics card with 128 MB of dedicated graphics memory for exploiting these features.

Installing Windows XP:

I would like to bring to notice some installation features available from Microsoft during a Windows install. The text mode option is enabled during a clean install and gives us the ability to press the F5 key to choose a HAL enabled BIOS from the menu. This is critical for an individual or an organization which wants to enable the feature of auto power off. The BIOS has to be HAL capable in order to use this feature. It is always recommended to update the BIOS to HAL capability before installing Win XP. Changing the BIOS after installing Win XP carries a serious risk of resulting in an unbootable OS and should not be attempted without a proper backup of data. Microsoft advertises the F6 option during this stage to install any SCSI/RAID adapters. You can also turn off ACPI by pressing F7 to get a HAL that is not ACPI capable. ACPI can interfere with some features on the machine; e.g. if the machine is a server, auto shut down would not really be a good feature to implement. The rest of the process is the old style mode where you can create and delete partitions on your hard drive. There is also the option of choosing between NTFS and FAT32. However, I would recommend NTFS; if your hard drive is over 32GB NTFS is the only choice for you. Windows XP does all the hard work and jumps into the GUI mode installation and then asks the user for information like the Windows key, name and regional settings. The most important thing is setting the Windows administrator password, writing it down and keeping it somewhere safe. It also asks for computer names and network configuration, whether you are in a domain environment or a workgroup environment, and your IP settings. NetBEUI has been disabled in this version of the Microsoft operating system. You can also access the hard drive for files during this installation by pressing Shift+F10.
This enables you to move files across the hard drives, access files you need and even install drivers for new hardware during installation. For people who want the old style installation, you can press Shift+F11 for the old style wizard settings. Microsoft has also implemented Dynamic Update, which means that as long as you have an internet connection it will try to connect and download all the updates needed before your machine is up and running. It will also try to install new device drivers, as long as the manufacturer has its drivers Windows Logo certified. However, Dynamic Update is only available for upgrade installs and is not available on clean installs. Microsoft also enables you to implement your own Dynamic Update sites to prevent clogging of bandwidth in a corporate environment by machines searching for updates through Microsoft’s website. The admin can link to the Windows Update corporate site, download all the updates, package them together and put them up on a web server for the staff to install. A switch can be set inside the settings of the answer file for downloading from these installs. Another feature is Windows Product Activation, which does not exist for the volume license user, where the same media kit is going to be used for multiple installs. However, retail and OEM licenses require Windows Product Activation, which creates a hash of your computer depending upon several features like hardware. Windows Product Activation can also be done in the answer file and the information sent through HTTP or HTTPS, and Microsoft’s minimal requirement is that reactivation is required after changing 3-4 pieces of hardware on your computer.

Upgrading Windows XP:

Most administrators do not have the luxury of making a clean install because there is a lot of software and data installed on the current operating system. The biggest drawback to this is that all the legacy code and baggage in the old operating system will be carried over to the new operating system. An upgrade is possible from Windows 98/98SE/ME/2000 and Windows NT 4.0 with SP6. However, the server class cannot be upgraded from Windows 2000 Professional. You cannot upgrade from Windows 95 or Windows 3.x. A compatibility check should always be made before upgrading to the new OS. Check using the switch (-checkupgradeonly) for a report on compatible hardware on the machine on which Windows XP is to be installed. If you’re running Windows NT 4.0 with fault tolerance and volume sets, the drives are going to be inaccessible once you install XP since it does not support fault tolerance or volume sets. Microsoft does give you an easy way to use the key FTONLINE to bring the fault tolerant set online to back up the information or recreate a volume set or striped volumes and get that information back. However, you cannot create fault tolerant drives with Win XP. In case of a serious error you can always roll back the upgrade. This feature can be accessed from “Add Remove Programs” in the Control Panel. However, the biggest drawback is that once you change from FAT32 to NTFS you cannot go back, uninstall the upgrade and get your old operating system running. The install procedure is pretty much the same as the one we encountered on a clean install, without the headache of drive partitioning. It even tries to download updates (Dynamic Update) if an internet connection is detected. The software, regional settings and other user settings are preserved on the computer. The upgrade does come with different view screens after the install. Views change with the kind of environment you are running in; e.g. in a domain environment the user gets to see the Ctrl+Alt+Del screen, whereas the user gets to see the welcome screen in a workgroup environment.

Migrating User Settings:

User settings are an extremely important feature needed in a corporate environment to preserve the same look for a user. The file and transfer settings wizard comes to our rescue, down to the last solitaire icon on the user’s computer. The file and transfer settings wizard transfers files in four categories. The first category is appearance, which includes color schemes, sounds and others. Second, it keeps internet settings like your favorites and your internet security settings. Third, it backs up all your account settings, like all your e-mail accounts and all the internet addresses stored in your machine through Outlook. Finally, it even transfers the settings for installed software like Microsoft Office and even third-party software like Adobe. However, the drawback is that the required software should be installed before its settings can be reapplied to the new operating system. The file and transfer settings wizard can be reached through the Windows CD by accessing the icon “Perform Additional Task”. The process is simple and visually guided. It gives you the option to choose just files or both files and settings and to transfer all the required files through a direct cable, floppies/media or network. This can also be used from XP to XP machines, in the case of customizing a brand new machine to industry standards. However, this should be used only for small offices or a very small office. A better version of this for large offices is the User State Migration Tool, for scripting mass XP migration of files. The User State Migration Tool is made up of several tools, one of which is scanstate.exe, which includes files like migapp.inf, migsys.inf, miguser.inf and sysfiles.inf, and you can change these files as you please. A simple illustration would be to open the migapp.inf file, put in the settings you need and the files you need to transfer, and run scanstate.exe on every computer.
The new machine would run a different program, loadstate.exe, which will unpack the file and load those settings. However, as with the file and transfer settings wizard, this cannot transfer applications, only the settings for applications; e.g. it will not install Adobe Acrobat on your computer and then transfer its settings. If an application is not detected on the computer, the settings for it will not be used. This application can be accessed in the following directory: “CD:\VALUEADD\MSFT\USMT”. This ability is completely scriptable, so an administrator can send these as e-mail messages to all the users and does not have to be present at all the machines to run this.

Unattended Installation:

Microsoft also supplies us with tools for unattended installation, which is a great feature for network administrators working in a large corporate environment. This feature saves the tedious task of sitting down at each computer and installing Windows XP on each one of them. Unattended installation is made possible through a tool called the Setup Manager, which links to the file unattend.txt, which makes it possible to answer all the questions which Win XP is going to ask us during the process of installation. A simple way to implement this is to put all the required information for setup in unattend.txt and put this file on a floppy disk during the installation process, or script this file inside if you are setting up through an image. There is one drawback to this, since each computer requires some unique information like computer name and IP addresses. This can be handled through a UDF file, which is the unique database file. IP addresses on the other hand can be handled through DHCP and other processes. If you are booting off an image, this can be achieved by scripting the winnt32 file. The command line should read like this: winnt32 /s: source path /u: unattend.txt /udf: udf path. However, if booting off a CD then this file should be placed on the floppy disk with the name winnt.sif. This feature is again hidden inside Win XP and can be accessed through the SUPPORT/TOOLS/ path and then by extracting the file. This file has to be extracted and will then reveal all the tools you require to deploy an unattended installation of Win XP. There are also three very helpful reference files inside this folder which give you a lot of information on using these tools. The Setup Manager tool is a GUI tool which guides you through the process of creating the unattend.txt and the unique database file.
It follows the simple procedure of asking questions, starting from the organization and user name, Win XP key (this is the most important item and has to be entered correctly, otherwise the installation will not take place), workgroup or domain settings, regional and internet settings, language and time zone settings, computer names and even external commands to start up other installations, e.g. installing Microsoft Office after the Win XP install. The Setup Manager also gives us the option of several types of install, like GUI installation, read only installation (the user can see everything but cannot change anything) and others. You do not have to create this unattend.txt file from scratch for each terminal and can modify this file as per your needs for every other user. However, this does become extremely cumbersome in large environments, with the headache of creating an unattend.txt file for each user in a larger corporate working area. Microsoft does have its answer to that, which is called the sysprep tool or the System Preparation tool, which gives us the ability to roll out clones of operating systems on each machine. This gives the network administrator the ability to use a somewhat cookie cutter style to roll out machines with preinstalled applications and operating systems customized before the mass installation procedure. The problem, however, can arise in the security identifiers (SIDs) that Microsoft uses to identify each machine and which are unique to that machine. You can use cloning tools to roll out these clones but you still have to use sysprep to authenticate support. Microsoft strips those SIDs out and repacks them, so when the user sits down at the brand new machine he has to enter some information for the machine to get going. The applications are installed in the background, though, but it is Microsoft’s way of making sure that each machine has a unique SID after installation.
Administrators are advised to run the latest third-party cloning facilities to achieve the optimum results and then use sysprep to repack the machine as a brand new one for the SIDs to work safely and in accordance with Microsoft. However, you have to be extremely careful before rolling out clones since they are very hardware specific, so your terminals should have identical HALs, mass storage device controllers and ACPI support. VARs (value added resellers) should use the -factory mode switch to install and reconfigure the machine according to their requirements. This is also known as the audit mode, and the machine can be resealed after this by running sysprep again with a -reseal switch. This can also be done automatically using the file WINBOM.INI.
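The unattend.txt and UDF mechanism described at the start of this section can be shown as a merge: the shared answer file supplies the defaults and the unique database file overrides them per machine. This is an added example, not code from the original article or from Microsoft; the file contents, machine IDs, password and product key are constructed placeholders. It also reports which resolved values are sensitive when the answer file travels on a floppy or sits on a share.

```python
"""Resolve one machine's effective answers from unattend.txt plus a UDF file."""
import configparser

# Constructed sample answer file shared by every machine (placeholder values).
UNATTEND_TXT = """\
[Unattended]
UnattendMode=FullUnattended
OemSkipEula=Yes

[GuiUnattended]
AdminPassword=Example-Passw0rd
EncryptedAdminPassword=No

[UserData]
FullName=Example User
OrgName=Example Org
ComputerName=TEMPLATE
ProductKey=XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[Identification]
JoinWorkgroup=WORKGROUP
"""

# Constructed sample UDF: [UniqueIds] lists which sections each ID overrides,
# and each [ID:Section] block carries that machine's own values.
UDF_TXT = """\
[UniqueIds]
PC01=UserData
PC02=UserData,Identification

[PC01:UserData]
ComputerName=ACCT-PC01

[PC02:UserData]
ComputerName=LAB-PC02
FullName=Lab User

[PC02:Identification]
JoinWorkgroup=LAB
"""


def parse_ini(text):
    """Parse INI-style setup text, keeping key case and literal values."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def effective_answers(unattend_text, udf_text, unique_id):
    """Return {section: {key: value}} for one machine after UDF overrides."""
    base = parse_ini(unattend_text)
    udf = parse_ini(udf_text)
    if not udf.has_option("UniqueIds", unique_id):
        raise KeyError(f"{unique_id} is not listed in [UniqueIds]")
    merged = {name: dict(base[name]) for name in base.sections()}
    for section in udf["UniqueIds"][unique_id].split(","):
        section = section.strip()
        override = f"{unique_id}:{section}"
        if udf.has_section(override):
            # Per-machine keys win; keys not overridden keep the shared value.
            merged.setdefault(section, {}).update(dict(udf[override]))
    return merged


def review_secrets(answers):
    """List values in the resolved answers that need protecting at rest."""
    findings = []
    gui = answers.get("GuiUnattended", {})
    password = gui.get("AdminPassword")
    encrypted = gui.get("EncryptedAdminPassword", "No").lower() == "yes"
    if password == "*":  # "*" asks setup for a blank Administrator password
        findings.append("AdminPassword is blank")
    elif password and not encrypted:
        findings.append("AdminPassword is stored in clear text")
    if answers.get("UserData", {}).get("ProductKey"):
        findings.append("ProductKey is present: restrict who can read the file")
    return findings


if __name__ == "__main__":
    for machine in ("PC01", "PC02"):
        answers = effective_answers(UNATTEND_TXT, UDF_TXT, machine)
        print(machine, answers["UserData"]["ComputerName"],
              answers["Identification"]["JoinWorkgroup"])
        for finding in review_secrets(answers):
            print("  !", finding)
```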

Remote Installation Services:

Remote Installation Services give us the power to install Win XP over the network. Microsoft uses PXE (Preboot Execution Environment) to achieve this, and the setback is that your network card should be PXE certified. However, Microsoft also gives some hope to those left behind by giving the option of using boot disks for people who do not have PXE certified network cards, but there is always a setback, and this time it is that this feature is supported by only very specific network cards. Unfortunately, if your network card does not belong to any one of these classes you are out of luck and cannot use this feature. The basic way to set up is to connect to a RIS server (Remote Installation server). Once you are connected to the RIS server there are three ways to connect and install Win XP. The first one is a simple installation where you download and run an image of the Win XP CD. The second is a scripted installation, creating an answer file and achieving an unattended installation. The final and most powerful is the system image, which uses a tool called RIPrep (Remote Installation Preparation tool). This allows us to create an image with all the customized applications installed on it and then transfer that image to all the required machines. RIS requires an Active Directory environment with integrated DNS built in. The RIS server must be set up in the Active Directory. Most administrators would dedicate a separate server for this process. Microsoft also states that the RIS partition should be a separate one and should not be a boot or system partition, so you would have to throw in a spare hard drive and drop this image on it. Also, the partition must be NTFS. The RIS installation utility and RIS preparation utility will allow you to put the different images on the server. The process then requires the Win XP CD and copies the I386 directory to the server, and you can then choose scripted installs or simple installs after that.
RIS uses single instance storage, which means that it stores only one copy of each file when you upload different images to the server. This results in saving a lot of space on the server as well, but this makes another reason to put this on a dedicated server. Once all this is configured you can put access levels on the images to allow users restricted access so that they cannot install any image they like. End users will boot from the network, from the PXE network card or PXE floppy disk, and it asks them to log on and authenticate themselves to the domain server and then gives them choices of installation images. In a multi-domain environment the administrators will be required to set up these RIS servers in each domain. Similar drawbacks exist on hardware compatibility. There are limited allowable differences in hardware on the machines, but the HALs must be identical and the hard drives should be equal or larger in size. PXE boot disks will work only on limited NIC cards, so laptop users with PCMCIA are out of luck. Also, remote installation can only be done on C drives, and segregations on drives don’t allow the service to work.

Installation Troubleshooting:

Troubleshooting is an enemy an administrator always has to face during his work. Even though Win XP is quite a sturdy operating system, there is a slight chance that you will run into problems during installation. The first step would be to check the hardware compatibility and hardware health. Most of the time the problems I have encountered on Win XP have been due to bad hardware. There is no guarantee that devices on Windows 2000 will work on Windows XP. A first step is to install Windows XP with minimum hardware and then drop in extra hardware components after the install. That will allow you to isolate the bad or incompatible piece of hardware. You can also go to Microsoft’s website to access the hardware compatibility listing. You should also check if the BIOS is ACPI compatible as described earlier.

User Accounts:

Windows XP requires user accounts to operate on it. It is based on the Windows NT kernel formula. Every user on Windows XP needs a user account. A big advantage of having user accounts is being able to customize Win XP according to your environment. Windows XP can operate in a workgroup environment or an Active Directory domain. Windows XP also provides us with built-in user accounts. The most powerful of all is the administrator account, and time and time again it has been said not to do day-to-day tasks logged on as the administrator. The control machine in this case is under serious threat since the only user account present on this machine is the administrator account and it is not password protected. This is a serious threat since this user has complete control and can, e.g., format a drive even by accident. The other account is the guest account, which is open for users to access the machine without giving them the power to corrupt or mess with the installed programs. A workgroup environment is good for a small corporate network, but the biggest drawback is that each terminal should have a user account for that user on that machine, since Windows XP authenticates user accounts. However, a domain environment has a central storage of all accounts, which reduces overhead and makes it easy to add new accounts and terminals. In a domain environment, if there is one user account, you can use that account to log on to any machine in the local domain. User accounts in a workgroup can be maintained through User Accounts in the Control Panel. By default user accounts in Windows XP do not need a password, but the administrator can change these default settings. Microsoft has also installed a feature known as “prevent forgotten password”, where through the administrator account you can create a floppy disk with your password stored on it for recovery. However, this floppy disk should be safeguarded, since it can be a security loophole to the entire network.
In a domain environment you must log on as a member of the administrators group to create and delete user accounts. However, in a domain environment you have to add domain users to the local group to grant them access to the machines in that group using that user account. The concept is a little different, since domain user accounts should be granted access to a local group and are then able to log on to any machine in that group using that domain account, whereas each computer in a domain environment can also have local user accounts specific to that machine and only accessible through it.

Group Accounts:

Groups are a boon to an administrator in setting permissions. They allow us to take users and combine them to manage resources. Local groups, which exist on each machine, allow us to set permissions on a group and have them trickle down to the members of that group. Windows XP also gives us some built-in groups like the administrators group and the users group. Local groups, however, have authority only on that local machine. The Microsoft Management Console allows us to create, delete and manage groups. A user can be a member of multiple groups, which allows the user to have a combination of the most permissive abilities. However, deny always overrides an allow, so if a user is denied a permission in one group that overrides that permission in all his member groups. There are several built-in groups like administrators, backup operators, guest, network configuration, power users, remote desktop users and help users group. The name pretty much defines most of these groups. Most of the members belong to the power users group, which gives them the opportunity to install applications and do day-to-day tasks. However, there are some restrictions placed on this group; e.g. they cannot access other users’ files and cannot format hard drives or change user group settings and other users’ accounts. There are also some system groups which are used by Windows XP itself to perform certain tasks. The operating system handles these groups and you do not need to manage them. One such group is the “everyone group”, which explains itself in that it includes everyone. If you want to give wide open access to a computer you can grant a user membership of the “everyone group”. However, this does include anonymous access so a user cannot log on using anonymous access. There are also other system groups like authenticated users, who have to prove themselves worthy to log on to the system, and creator/owner groups.
There are also network and interactive groups, which differentiate on the basis of your location. The network group classifies users who log on over a network, whereas interactive users are users who actually sit down at the machine to log on. Creating and managing user groups can be achieved through the Microsoft Management Console. This saves a lot of headache at the domain level, since the domain administrator can create a domain level group in the domain environment. The local administrator can then add that domain level group into the local machine group he just created, and this gives the members of that group immediate access to that machine.

Logging onto Windows:

Logging on to Windows XP differs between a workgroup and a domain environment. Microsoft has finally stepped away from the Ctrl+Alt+Del key combination to log on to Windows. In a workgroup environment the user is greeted with a welcome screen; however, the old style logon can be made compulsory in a workgroup environment by the administrator. In a domain environment the Ctrl+Alt+Del screen is the default and you cannot get away without it. In a workgroup setting you can disable the welcome screen, but this also switches off the Fast User Switching option. Fast User Switching is available only in a workgroup setting and is targeted towards a home environment. It enables multiple users to run their sessions on the same terminal without closing the other person’s session, or lets a user log on without logging another user off. This uses terminal services made available to us by Microsoft. There is at least a 128MB memory requirement for using this service. You can use Fast User Switching by pressing the Windows key + L, but you require the welcome screen switched on for this. You can also see what accounts are currently logged on by using the Task Manager and switching to the Users tab, which will show you all the users currently logged on, which user is currently active and which are disconnected. Troubleshooting user accounts can be a simple task. Be sure to check that passwords are correct, that caps lock is not turned on and that your account has not been disabled. You can also turn on the guest account as a last resort to have limited access. This can be a security loophole, so most administrators avoid it. In a domain environment XP caches user logon information, so you as an administrator can turn on a feature which prevents a user from logging on if the domain controller is down. You can do this by accessing the security policies from the Administrative Tools in the Control Panel.
This gives you the option of changing the number of cached logons to zero, which will prevent a user from logging on if the domain controller is down. Changes such as this require the user to be a member of the administrators group, and these security policies can also be overridden by policies set at the domain level.

User Profiles:

User profiles in Windows XP give each user the power to maintain his/her own settings. A profile is just a group of files personal to that user plus the HKCU portion of the registry. All the user profiles and the default profiles are found in the folder Documents and Settings. However, this is only the case for a clean install of Windows XP; when we upgrade from Windows NT the user profiles are found in the system root directory. Profiles are specific to each machine, so if a user has an account on ten different machines his user profile on each machine will be local and different. The exception in this case can be a roaming user profile, where the user roams around from one terminal to another. In this case the user can log on to any machine and his user profile is downloaded to the terminal he sits down at; he can make changes to his/her profile, and when he logs off those changes are saved on to the Active Directory. In order to set up this user profile the administrator must create a user account and put a UNC (Universal Naming Convention) path, e.g. \\domainname\foldername\%username%, in the profile tab of the user in the Active Directory. However, the trick is to give proper permissions to the directory where the user profiles are saved in order for the user to access his/her profile; otherwise the user will receive a default profile. This profile is also cached locally, so in case the roaming profile is not available or the profile server goes down the user can still log on using the locally stored profile. However, in case the user logs on to multiple terminals, the profile from which he logs on last will be the last profile updated. This can also be made a mandatory profile, e.g. in a kiosk environment where you want the user to have the exact same profile whenever he/she logs on.
You can do this by going into the user profile and renaming a file ntuser.dat to and no changes will be saved when the user logs off so he/she will get the same default profile when he/she logs back on.

Local Security Policy:

Local security policies give the administrator several measures to maintain security in the workgroup. There are three different types of policies: auditing, user rights and security settings. There are also account policies, which include password policies and account lockout policies. Password policies enable us to enforce password rules, where the administrator can set password length, history, age and even complexity for secure environments. Account lockout policies prevent hackers from constantly trying to log on to the system by brute force, i.e. by trying all combinations of passwords. Local policies give us a variety of features. One section is user rights assignment, where the administrator can assign specific policies to specific users and groups, which allows different users to have different powers and rights on the network and the machine. Auditing properties enable us to generate reports on how the system is performing and make clear who is trying to do what on the machine or the network. Microsoft makes our work easier by giving us preconfigured security templates. These are groups of settings for various scenarios. They come as a set of .inf files provided by Microsoft, and you can implement them either by importing the .inf file into the group or by using the Microsoft Security Configuration and Analysis snap-in. These can be applied to a local machine or a group and are easy to create through the MMC. The preconditions are to first create a console, add the security policies and the security configuration and templates snap-ins to it, then create a database and import a security template into it. Then you can compare and analyze, or even set your computer to these configurations. You can also save these security templates as shortcuts for access to each machine’s security settings.
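One way to review a security template before importing it, as an added example that is not part of the original article or Microsoft's tooling: the script parses the [System Access], [Event Audit] and [Registry Values] sections of a template and reports every setting weaker than a baseline. Both template texts and the baseline thresholds are constructed for illustration.

```python
import configparser

# Constructed sample in security-template (.inf) layout; all values are illustrative.
WEAK_TEMPLATE = r'''
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 0
AuditObjectAccess = 1
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"10"
'''

# The same settings with the flagged values corrected (also constructed).
HARDENED_TEMPLATE = r'''
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
'''

AUDIT_FAILURE = 2  # audit values are a bit mask: 1 = success, 2 = failure, 3 = both
CACHED_LOGONS = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount"

# Hypothetical baseline for this example: (section, key, acceptable?, message if not).
BASELINE = [
    ("System Access", "MinimumPasswordLength", lambda v: v >= 8,
     "minimum password length is below 8"),
    ("System Access", "PasswordComplexity", lambda v: v == 1,
     "complexity requirements are disabled"),
    ("System Access", "PasswordHistorySize", lambda v: v >= 1,
     "no password history, old passwords can be reused at once"),
    ("System Access", "LockoutBadCount", lambda v: 1 <= v <= 10,
     "lockout threshold is off or too high to slow password guessing"),
    ("Event Audit", "AuditLogonEvents", lambda v: v & AUDIT_FAILURE,
     "failed logons are not audited"),
    ("Event Audit", "AuditObjectAccess", lambda v: v & AUDIT_FAILURE,
     "failed object access is not audited"),
    ("Registry Values", CACHED_LOGONS, lambda v: v == 0,
     "cached logons allowed, users can log on while the domain controller is down"),
]


def load_template(text):
    """Parse template text; keys keep their case and '%' is not interpolated."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def setting_as_int(raw):
    """Return the integer value of a setting.

    [Registry Values] entries look like  type,"data"  (for example 1,"10");
    the other sections hold a plain number.
    """
    if "," in raw:
        raw = raw.split(",", 1)[1]
    return int(raw.strip().strip('"'))


def review_template(text):
    """Return a list of (key name, message) for every baseline rule that fails."""
    cfg = load_template(text)
    findings = []
    for section, key, acceptable, message in BASELINE:
        short_name = key.rsplit("\\", 1)[-1]
        if not cfg.has_option(section, key):
            findings.append((short_name, "not defined in this template"))
        elif not acceptable(setting_as_int(cfg.get(section, key))):
            findings.append((short_name, message))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name)
        for key, message in review_template(text):
            print(f"  {key}: {message}")
```

Templates exported from a real machine are usually saved as UTF-16, so decode the file with that encoding before passing its text to review_template.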

Group Policies:

The main function of group policies is to implement restrictions on users’ computers to prevent them from unintentionally messing up the OS. In a workgroup setting you can implement local group policies, which are specific to that local machine and to the users on that machine, so in order to cover the entire workgroup you have to implement them locally on each machine, which can become a headache. However, you can keep remote shortcuts to each desktop’s MMC (focus the MMC on remote machines) on your computer and implement those policies that way. In a domain setting you need to implement these policies through the organizational units in active directory on the active directory server. By default group policies have a refresh period after which they are downloaded again, but you can run GPUPDATE to refresh and apply new group policies immediately. Group policies are accessed the same way as local policies, by adding the group policy snap-in. You can create group policies on the local machine or connect to a remote machine by clicking the browse icon, but you need to have administrative rights on each machine, including the remote one. As ever, domain policies override local computer policies.

Auditing Windows XP:

As a network administrator, one of your main tasks is to make sure that resources are being used the way they should be, and not being used the way they should not be. Auditing in Windows XP is the feature which helps us track these key events. It can be used to track successful or failed system events, which lets the administrator choose between tracking things being done correctly and things not being done correctly. The most important events are file access and account logon. One drawback of auditing is that it has to be turned on locally on each machine, since it cannot be enabled on a domain basis. Auditing should not be turned on in the entire domain, since it does impose a performance hit on the system. An example would be the Audit object access policy, which tracks failures or successes on files and printers. Enabling this does not turn on auditing for the file itself; in order to do that you need to go to the properties of the folder or files you want to audit. Head to the security tab; if you cannot see the security tab, this means either that simple file sharing is turned on or that your drive uses the FAT32 file system. You need an NTFS partition, and simple file sharing turned off, for the security tab to show up. In a domain environment, however, simple file sharing is turned off by default. Once you can see the security tab, hit the advanced tab, select the auditing tab and add the user or the group you would like to audit. Auditing reports can be seen through the event viewer, which is located in the control panel under administrative tools. Finally, the key thing to remember about auditing is that it has to be turned on in two separate places: once in the local security policies, and again at the resource you want to audit, such as a file or a printer.

Windows Installer:

If you install an application on Windows XP you are most probably using the Windows Installer. Microsoft started this with Windows 2000 to prevent applications from just installing themselves and breaking and clobbering other DLLs. There were also problems during uninstall, where a program would take away a critical Windows component and your system might then fail to boot. This new service is integrated into the operating system to make programs well behaved. Windows Installer introduces package files (.msi), which are installation files on the CD itself. There are a lot of advantages to using the Windows Installer, e.g. the ability to self-heal: when the program detects that a DLL is corrupt or missing, it can heal itself by pulling that file back from the source CD or network. There is also a rollback capability for when something terrible happens during the installation: Windows Installer takes snapshots of the system before and after the installation, and in case of failure it rolls the system back to the state it was in before. There is also on-demand installation, where you can install features later on as they are needed by the system. These can be obtained from the source, either on media such as a CD or on the network. Source resiliency also enables us to define several source targets, so you can connect to another one and download the files you need in case one source is corrupted. You can publish an application in a domain setting and then assign a group or users who can connect to download and install this application. You can also assign applications to users or groups, in which case the application doesn’t really install itself but places a link or a shortcut to that application on that terminal for the user, and when the user tries to access it for the first time it goes ahead and installs itself using the Windows Installer service. 
This also enables us to have two different versions of the same program, using two different DLLs, coexist on the same terminal on the same hard drive. MSIEXEC is the command prompt installer, which is the core of the Windows Installer. There are several flags to this command, and you can run it from the command line to install those problematic applications. One of the most important flags is /f, which can be used to repair bad installations and even find corrupt DLL files.

User Interface:

Windows XP gives the average user a lot of power to configure his/her user interface with ease. Configuring the desktop is something you can do almost to an extreme in Windows XP. Standard desktop settings remain the same, such as the ability to change wallpapers, colors and sounds. There are also themes and skins which can change the entire look of Windows XP; these work through APIs which run on the machine rather than through third party tools you need to get. Simple day to day tasks have been made a lot easier with folder and file options available on the left hand side of Windows Explorer. The start menu has become more powerful than it was before. It also has the ability to customize itself according to the programs you use. However, for you old school people Windows XP does give you the option of switching to the old style desktop, or the classic desktop. All you have to do is right-click, go to properties and change the theme to Windows classic to obtain the old style Windows look. The appearance tab helps the user pick the color scheme they like best, or you can enter advanced mode and pick colors for each part yourself. The effects tab is the most underused tab; it gives the user the ability to get cleaner fonts and even remove and set animations on windows. Most appearances are customizable in Windows XP, and Microsoft is trying hard to please every type of user.

Interface Options:

Microsoft has added a lot of interface options for users who otherwise have problems using the computer. One is accessibility services, where Microsoft has included several options like sticky keys, filter keys or toggle keys, and even sounds and an onscreen keyboard. There is also a narrator which gives us text to speech for the visually challenged. The magnifier is also a great asset. An easy way to access the narrator, magnifier and onscreen keyboard is pressing the Windows key + U. Multilingual support has also been included in Windows XP, just as in Windows 2000. Not all applications support this, but you can enable it for almost all APIs. All that is required is to head to the regional settings in the control panel, install the language you want to work with, remap the keyboard accordingly, and you’re done. One drawback is that for other users to use a document created in this language they must have the same language settings installed on their computer. You can even change the entire interface of the computer into another language by installing support for that language. This serves as a strategic advantage for global organizations which operate in different regions: it saves the space needed to store a file in different languages, since multi language support enables us to store only one copy of the file and have it available in different languages.

Hardware Installation:

Windows XP supports the plug and play feature, where you can just plug in devices and it will detect them automatically without any installation. One of the most important advantages of this feature is that signed drivers are installed automatically without prompting. However, non plug and play devices require manual installation. This saves the administrator a lot of headaches when it comes to installing different pieces of hardware. The user needs to have administrative privileges to install this hardware and its drivers. These can be maintained through the device manager, which can be accessed by right clicking the My Computer icon. Microsoft is pushing towards a new setting known as driver signing. This enables Microsoft to see what drivers are installed on the system. In the case of an unsigned driver the user is warned before installing it, but he/she can still choose whether or not to go ahead with it. Vendors have to actively pursue getting their drivers signed by Microsoft to achieve a signed driver rating. In the case of an unsigned driver Microsoft raises a flag which warns the user about the unsigned driver. This can raise several issues for the administrator to handle in a network where people bring in their own USB devices to plug into their systems, which can raise several flags and incompatibilities in the environment. The administrator can handle this situation by disabling and blocking the installation of unsigned drivers. One of the drawbacks in Windows 2000 was the ability for a user to modify the registry keys, install an unsigned driver and then change the keys back after the installation. This loophole has been fixed by Microsoft: the user is not given the ability to change the registry keys and hence cannot install unsigned drivers without administrative permission. One of the other features is the facility to update drivers or even roll back drivers in case of a mishap. 
Updating device drivers still requires the user to have administrative privileges. However, updating device drivers is one of the most frequent causes of system crashes. This is where rollback kicks in: Windows XP maintains copies of older versions of your driver which you can go back to in case of an update failure. There is also something known as the last good option, which should be a last resort in case of a safe boot. Driver signing gives us the options to freely install, warn about or block drivers that are unsigned. A normal user can always move to a stricter option: for example, if the administrator has selected warn, the normal user can choose block; however, he/she cannot choose ignore.

Hardware Support:

Windows XP supports most kinds of hardware these days. You can take pretty much anything on the market and it will be supported by Windows XP. Windows XP even supports smartcard operations fresh out of the box. One of the coolest features is the ability to hook up to twelve display devices to one machine. As a matter of fact you can link up to ten display devices onto one single terminal. There’s also dual head technology incorporated into Windows XP, which gives the user the power to connect multiple monitors to a single video card adapter; e.g. in the case of a laptop you can connect it to a monitor and have that monitor show something different from the screen on your laptop, or act as an extension of the screen on your laptop. Windows XP supports DirectX and OpenGL, which are graphics technologies or graphics APIs. Microsoft is aiming this at the gaming market, where they have finally been able to run DirectX on the NT core so that games perform at an optimum level. Another Windows XP service included out of the box is fax support. This will meet most users’ average day to day needs for receiving and sending faxes. Fax support is of course not installed by default, and the user has to install it through Add/Remove Windows Components. As soon as you install fax support, Windows XP creates a virtual printer through which it sends your faxes.

You can even have your terminal receive faxes through a virtual printer. Fax services are pretty easy for the average user to set up and configure. Setup does require a telephone number and other information. You can even set it up to auto print faxes or choose how you would like to be alerted. The direction most new hardware is moving in is towards USB and FireWire (IEEE 1394) ports. These are plug and play, hot swappable devices which you can connect and disconnect without having to install any drivers. One of the features of USB is that you can target the USB root hub through device manager to allocate power to each hub. Another way to get out of this power drain is to use a self powered external hub, which draws its power externally. You can even take a look at the universal host controller in device manager, under the USB drop down menu, to see the amount of bandwidth taken by each controller.

Mobile Computer Hardware:

Windows XP has pretty good mobile hardware support. As more and more users switch from desktops to laptops, Microsoft has increased its support and capabilities for mobile hardware. One of the most important features is the included support for ACPI, which saves a lot of battery power on laptop machines. Applications can also request no power saving, as in the case of a server machine where applications need to keep running constantly. Dynamic docking and undocking creates separate profiles for docked and undocked mode. ACPI provides power management through the power options available in control panel. The power management facilities give us the flexibility to maintain different power settings for desktops and laptops. It even keeps different settings for when the laptop is in docked mode and running on AC power and for when it is in undocked mode and using battery juice. One of the power saving modes is hibernation, where the computer dumps its memory to the hard drive and shuts itself off, and when you start it again it reloads its RAM from the hard drive. An easier way for the average user is the built in power schemes provided by Microsoft, which help you manage your power settings better to get the maximum time out of your laptop. Windows XP also gives you the flexibility to set up a UPS and adjust hibernation. In order to bring your computer into hibernate mode, initiate a shutdown sequence and then, when the window pops up, hold down the shift key to change the standby option to hibernate. Hibernate is a much bigger power saver than standby, since standby still consumes a lot of power. You do need to log back on to the system after hibernation. Windows XP also has wireless support through Bluetooth (802.11b) and infrared technology built into the operating system. 
Windows XP can detect and connect automatically to wireless networks using either an access point or an ad hoc ability (ad hoc ability connects multiple computers to each other without having to connect to an access point).

Storage Devices:

Windows XP hard disk support comes in two different flavors. The first one is the old style known as basic disks, which include four primary partitions or three extended partitions and one extended partition. Microsoft has now implemented a new strategy known as volume disks. You can have up to 200 volumes per drive; however, Microsoft recommends that you do not go this high and has set a limit of at most 32 volumes per drive. If you plan to multiboot using this drive, note that dynamic disks and dynamic volumes are only usable by Windows XP and Windows 2000. Applications don’t really have an issue with dynamic disks. One drawback is that laptop computers and removable storage cannot have dynamic disks, since these are really used when there are multiple drives. You cannot mix dynamic and basic disks on one drive. On a basic disk you can create primary and extended partitions only; you cannot create fault-tolerant volumes or even span drives. Dynamic disks have this ability. The first step is a simple volume, which can be NTFS, FAT or FAT32. The next step above this is a spanned volume, used in the case of multiple hard drives, where you can add more space to a volume without adding another drive letter. Simple volumes can be extended to create spanned volumes, but the kicker is that you cannot extend system or boot volumes. The third case is a striped volume, which is written across both drives and doubles your throughput on both drives. This in turn increases performance and doubles your throughput on reading and writing. You can access these management tools by right clicking on My Computer, selecting manage and choosing Disk management in the computer management window. It is very simple to convert a disk to a dynamic disk: the process involves right clicking on the disk icon itself on the left most side and choosing convert to dynamic disk. This renders it unusable by other operating systems, since the partition table is rewritten. 
You can extend a simple volume by just right clicking, choosing extend volume and choosing the size you would like to extend the volume to. Converting an existing basic setup to a dynamic setup requires at least 1MB of unpartitioned space, but the reverse is only possible through a reformat. Users updating their system from other legacy systems need to use FTONLINE to bring their data online and mount it, then wipe out their drives and bring the data back to the drives. It is not a long term solution for storage. There are also other removable storage media like CDs, floppies and USB hard drives. Windows XP has full support for burning CDs included in the operating system. However, it’s not as advanced as third party applications.

File Systems:

As a network administrator you need to know the kinds of file systems that are supported by Windows XP. NTFS is the new file system, which has a lot more capabilities incorporated into it. The FAT file system is the universal file system, which has a lot of limitations that were overcome by FAT32. One of the biggest drawbacks was the cluster size in FAT: the bigger your drives got, the bigger the cluster became, so for a 1K file you would’ve used a 32K cluster and ended up wasting 31K of space. This becomes a considerable waste when thinking in terms of gigabytes. FAT32 overcame this problem by introducing a 4K cluster, but still has a lot of limitations. NTFS has a lot of new features like compression, encryption and permissions. Users still using FAT or FAT32 on Windows XP can convert to NTFS by running the following command from the prompt: convert [driveletter]: /fs:ntfs. However, you cannot convert back to FAT or FAT32. If you convert your boot drive, the conversion happens on reboot. A backup is recommended before running this command to prevent data loss. If you have already started the process and haven’t backed up your data, you can jump into the registry editor using the regedit command and look inside HKEY_LOCAL_MACHINE – system – CurrentControlSet – Control – Session Manager.

Inside here you will see BootExecute. When you open this you will see the conversion process listed there, and you can delete it to stop the conversion process. There are also other file system maintenance tasks which most administrators like to do whenever they find time, e.g. disk defragmentation. The new feature in Windows XP is that you can schedule this defragmentation via the command line. Disk cleanup is also a pretty safe tool that deletes cache files and other temp files stored on your computer. It even tells you about files which you haven’t used in a long time.


NTFS clearly has a lot of benefits compared to others like FAT and FAT32. NTFS is the default choice when you start from scratch. However, one difference is that formatting as NTFS sets file security during installation, which you do not get when you convert from FAT or FAT32. This includes securing access to critical system files, which was not present in FAT and FAT32. Microsoft has introduced the quick format option during the setup process. NTFS also introduces file and directory security settings, which are very helpful in corporate environments. It also gives us quotas, compression and encryption. By default, if the user is not in a domain environment, the sharing and NTFS permissions are combined into one. Simple file sharing is turned on in the tools folder option, which removes the security tab from the properties of a folder or a file. This can be brought back by just disabling simple file sharing. Windows XP creates a My Documents and a Shared Documents folder. You can make your My Documents folder private, and when you place a password on your user account Windows even asks you to make all of your files and folders private. Shared Documents enables multiple users to share documents with each other. However, in a workgroup setting you can only make folders private in your own user account. In order to disable this option you as an administrator need to turn off simple file sharing. In a domain environment this is turned off by default and the security tab is available. Permissions granted to a user always add up to the most permissive, but deny always overrides other permissions. There is also inheritance, which trickles down to the file level, which means that file permissions override the folder permissions. However, you can always block inheritance and override a lower level permission with the higher one. Windows XP has also added a feature to view effective permissions on a file. 
These can be accessed through the effective permissions tab, reached from the security tab of a file or folder by clicking the advanced tab. You can select the user or the group you want to view permissions for. NTFS uses the concept of file ownership, where the owner always has full control of the file they created; even after they are locked out they can take ownership of the file and give themselves access to it. An administrator can take ownership of any file available in the system, but so that this cannot be abused they cannot give ownership to someone else; they can give others permissions to view and modify, but not ownership. This is a key concept for recovering files when a user has left the company or has been locked out of his files. Taking ownership is very easy: head to the security tab, click the advanced tab, choose the owner tab and then add yourself back. Then you can go ahead and add yourself back into the file permissions to give yourself full control again. NTFS also gives us the ability to compress files on a case by case basis. Compression and decompression happen automatically. Compressing a folder will also compress the files in it, and new files added to it will be kept compressed as well. Windows XP highlights them in a different color to mark them as compressed. Encryption and compression do not mix well in Windows XP. You can access encryption and compression through the properties and advanced tab and choose between compression and encryption. Microsoft uses EFS (Encrypting File System) for safeguarding files and folders. Encrypting a folder will encrypt all files inside the folder as well. The key point is that encryption is stronger than permissions, because the data gets scrambled using certificates. This means that only the user who owns that certificate can access that data. There is no longer the security hole where encrypted file transfer was not possible and data had to be decrypted for the other user to read it. 
Now when you give somebody else access to your encrypted files he/she gets a copy of the certificate to decrypt those files. One drawback is that if you move files into an already encrypted folder they will not be encrypted, although files created there will be. You can give another user access to your encrypted file by adding them through the details tab, available through the properties and advanced tabs. The catch is that the user must have encrypted a file at least once to have a certificate available on the computer. This is needed because Windows XP issues you an encryption certificate the first time you encrypt a file. In a domain environment you must trust the server for delegation in order to encrypt files on the server. You can also use WebDAV to provide secure transport and storage and avoid trust for delegation.
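The permission rules described in this section (allows add up, a deny overrides them, and entries set on the file itself are evaluated before entries inherited from the folder) can be seen in a small model of how an ACL is walked. This is an added example, not code from the original article or from Windows; it goes slightly beyond the text by modelling the canonical entry order, and the user, group names and right values are constructed.

```python
from dataclasses import dataclass

# Reduced, illustrative set of rights (not the real Windows access-mask values).
READ, WRITE, DELETE = 1, 2, 4
ALL_RIGHTS = (READ, WRITE, DELETE)


@dataclass(frozen=True)
class Ace:
    """One access control entry."""
    kind: str               # "allow" or "deny"
    trustee: str            # user or group the entry applies to
    mask: int               # rights covered by the entry
    inherited: bool = False  # True when the entry comes from the parent folder


def canonical_order(acl):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(acl, key=lambda ace: (ace.inherited, ace.kind != "deny"))


def access_check(acl, identities, desired):
    """Walk the ACL in canonical order.

    Access is granted once every desired right has been allowed, and refused
    as soon as a matching deny entry names a right that is still outstanding.
    Rights nobody allowed are refused at the end (implicit deny).
    """
    remaining = desired
    for ace in canonical_order(acl):
        if ace.trustee not in identities:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False
        else:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False


def effective_rights(acl, identities):
    """Combine the rights that pass access_check one at a time."""
    return sum(r for r in ALL_RIGHTS if access_check(acl, identities, r))


# Constructed scenario: alice belongs to two groups.
ALICE = {"alice", "Staff", "Contractors"}

# 1. Two inherited allows add up: READ from the group, WRITE from the user entry.
INHERITED_ALLOWS = [
    Ace("allow", "Staff", READ, inherited=True),
    Ace("allow", "alice", WRITE, inherited=True),
]

# 2. A deny for another of her groups removes WRITE again.
WITH_INHERITED_DENY = INHERITED_ALLOWS + [
    Ace("deny", "Contractors", WRITE, inherited=True),
]

# 3. An allow set directly on the file is checked before the inherited deny.
WITH_EXPLICIT_ALLOW = WITH_INHERITED_DENY + [
    Ace("allow", "alice", WRITE, inherited=False),
]

if __name__ == "__main__":
    for name, acl in (("allows add up", INHERITED_ALLOWS),
                      ("deny overrides", WITH_INHERITED_DENY),
                      ("file-level allow first", WITH_EXPLICIT_ALLOW)):
        print(f"{name}: {effective_rights(acl, ALICE):03b}")
```

The third scenario is the one worth checking with the effective permissions tab when a deny does not seem to take effect: an allow set directly on the file is reached before a deny inherited from the folder.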

EFS Recovery:

Recovering encrypted data has been possible since Microsoft’s introduction of the DRA, or data recovery agent. This uses a special key which is tagged on to every encrypted file. In a domain setting the administrator is by default the data recovery agent, so there is always a back door for recovering encrypted files. In a workgroup environment there is no default data recovery agent, so you need to create one. The key is to create a DRA before any files get encrypted, since you won’t be able to recover files which were encrypted before that. The first thing you need to do is access your security policies by heading into the local security policies and then into public key policies, which will show you the encrypting file system. Making a DRA is a little tricky to begin with. Start by opening the command prompt and running the cipher command as follows: cipher /r:[filename]. This command creates your two recovery certificates: one holds the public key (.cer) and the other the private one (.pfx). It also asks you for a password to open your private keys. Once done, right click on the encrypting file system entry in the local security policy, add a new DRA, browse to the recovery file you just created and add it. Now, when any user encrypts a file you will be listed as a data recovery agent. You can also reset the password for another user if he or she forgets it, but this trashes that user’s certificate, so he/she will not be able to access files which were encrypted with the previous certificate. This is where the DRA comes in as a savior. In order to disable EFS you need to completely remove the encryption policy; it doesn’t just go away when you remove the DRA. EFS is disabled by accessing the encrypting file system menu in the local security policies, right clicking to go to all tasks and then selecting delete policy. However, turning off EFS is not quite that easy in a workgroup environment. 
You can find more details about this in Microsoft’s recently published documents.

Networking Setup and Troubleshooting:

Windows XP is a very powerful operating system which includes a lot of features when it comes to networking. Windows XP is multi protocol ready and uses NWLink, which is easily configured for simple file sharing. However, it also supports the universal TCP/IP protocol. The advantages are numerous, and there is even a working copy of the new IPv6 protocol for all you network wizards to play around with. NetBEUI support is no longer available as a standard component but as a hidden add-on on the disk. Windows XP also gives us the ability to bridge different media types. The network connection box shows you one entry for each network connection available on your computer. Bridging them is very easy: just select them all and right-click to select bridge connections. You can install other protocols like NetBEUI by clicking install, choosing “have disk” and browsing through the disk to install it. Windows XP has introduced an alternate configuration in the TCP/IP settings, which kicks in if the primary configuration is not obtained. This can be used to store two different connection settings, for home and office, on your laptop, or in another applied scenario. Networking with Windows XP is not without its pitfalls. Network troubleshooting in Windows XP begins at a basic level, where the first thing the administrator should do is check whether the cable is plugged in and the lights are blinking. You can then go ahead and type the net config redirector command, which displays the entire current network configuration on your computer. You can even repair a connection by right clicking on the connection you want to fix, and Windows XP then runs a lot of commands under the hood to fix that connection. If this still doesn’t work you can use the command “netsh int ip reset [logfile]”. In essence this tears the stack down all the way to the base and rebuilds the TCP/IP connection, or in other words reinstalls the connection. 
You can access the advanced settings by clicking the advanced tab and then choosing advanced settings, which shows you the bindings on that computer. Another command used is IPCONFIG, with flags like /all, /renew, /flushdns and /registerdns. Other simple commands are PING for pinging IP addresses, TRACERT for tracing IP addresses, NBTSTAT -R to empty and reload the name cache, NETSTAT for showing all the incoming and outgoing active connections, and NETSTAT -R, which shows you the routing table.

READ ‘Pt 2' for more details.
