WINDOWS 2000 PROFESSIONAL RESOURCE KIT [Electronic resources] (text version)

Chris Aschauer


Configure IP Security and Filtering


Windows 2000 Professional incorporates two primary methods for securing IP packets: IP security and TCP/IP filtering. IP security is a new feature of Windows 2000 Professional. IP security protects data by securing and optionally encrypting IP packets prior to transmission on the network. The following section discusses the features of IP security, and describes the methods for installing and configuring this feature. TCP/IP filtering, known as TCP/IP Security in Windows NT 4.0, is also discussed as a method of controlling the IP traffic received by the network interface.

Determine IP security method to be implemented. Windows 2000 Professional supports two methods to secure and control the transmission of IP packets: IP security, an industry-defined set of standards that verifies, authenticates, and optionally encrypts data at the IP packet level; and TCP/IP filtering, which controls the ports and packet types for incoming local host data. Either or both of these methods can be implemented within the same Windows 2000 Professional-based client. For more information about IP security, see "Overview of IPSec," "Considerations for IPSec," and "Configure IP Filtering" in this chapter.

Enable and configure IP Security, if required. IP Security may be enabled in the registry of the Windows 2000 Professional computer through local policies, or implemented via Active Directory group policies in an enterprise environment. If implemented locally, built-in or custom policies created via the Policy Manager snap-in can determine the rules required for negotiating and starting communications with other hosts. See "Configuring IPSec Policies" later in this chapter.

Enable IP filtering, if required. You may wish to restrict the type of IP traffic that can be received by a Windows 2000 Professional-based client. IP filtering allows the creation of rules that limit packet reception by TCP and UDP port, or by IP protocol type. See "TCP/IP Filtering" later in this chapter.

Overview of IPSec


The need for Internet Protocol (IP)-based network security is already evident. In today's massively interconnected business world of the Internet, intranets, branch offices, and remote access, sensitive information constantly crosses the networks. The challenge for network administrators and other information service professionals is to ensure that this traffic is:


    Safe from data modification while en route.

    Safe from interception, viewing, or copying.

    Safe from being accessed by unauthenticated parties.


These issues are known as data integrity, confidentiality, and authentication. In addition, replay protection prevents acceptance of a packet that has been captured and later resent.

For these reasons, Internet Protocol security, or IPSec, was designed by the Internet Engineering Task Force (IETF). IPSec supports network-level authentication, data integrity and encryption. IPSec integrates with the inherent security of the Windows 2000 operating system to provide the ideal platform for safeguarding intranet and Internet communications.

IP security uses industry-standard encryption algorithms and a comprehensive security management approach to provide security for all TCP/IP communications on both sides of an organization's firewall. The result is a Windows 2000 end-to-end security strategy that defends against both external and internal attacks.

IP security is deployed below the transport layer, sparing network managers (and software vendors) the difficulty and expense of trying to deploy and coordinate security one application at a time. By simply deploying Windows 2000 IP security, network managers provide a strong layer of protection for the entire network, with applications automatically inheriting from IPSec-enabled servers and clients.

How IP Security Prevents Network Attacks


Without security measures and controls in place, data might be subjected to an attack. Some attacks are passive, meaning information is simply monitored; others are active, meaning the information is altered with intent to corrupt or destroy the data or the network itself. Table 22.8 presents some common security risks found in today's networks.

Table 22.8 Types of Network Attacks

    Attack type: Eavesdropping (also called sniffing, snooping)
    Description: Monitoring of cleartext or unencrypted packets. Encapsulated packets can also be monitored if the attacker has access to the key and the packets are unencrypted.
    How IPSec prevents it: Data is encrypted before transmission, preventing access even if the packet is monitored or intercepted. Only the intended receiving party can decrypt the data.

    Attack type: Data modification
    Description: Alteration and transmission of modified packets.
    How IPSec prevents it: Data hashing attaches a digital "signature" to each packet, which is checked by the receiving computer to detect modification.

    Attack type: Identity spoofing
    Description: Use of constructed or captured packets to falsely assume the identity of a valid address.
    How IPSec prevents it: Kerberos v5, MS-CHAP, and other authentication methods secure Windows 2000-based computers.

    Attack type: Denial-of-service
    Description: Preventing valid users from accessing the network; for example, by flooding the network with packet traffic.
    How IPSec prevents it: Authentication methods limit access from unauthorized users.

    Attack type: Man-in-the-middle
    Description: Diversion of IP packets to an unintended third party, to be monitored and possibly altered.
    How IPSec prevents it: Anti-replay mechanisms, data hashing.

    Attack type: Known-key
    Description: Access to or construction of a security key, used to decrypt or modify data. A compromised key might be used to create additional keys.
    How IPSec prevents it: Under Windows 2000, public keys are periodically refreshed, reducing the possibility that a captured key can be used to gain access to secure information.

    Attack type: Application layer attack
    Description: Mainly directed at application servers, this attack is used to cause a fault in a network's operating system or applications, or to introduce viruses into the network.
    How IPSec prevents it: Since IPSec is implemented at the network layer, packets that do not meet the security filters at this level are never passed upward, protecting applications and operating systems.

IPSec prevents the preceding types of attack by using cryptography-based mechanisms. Cryptography allows information to be transmitted securely by hashing (digitally signing) and encrypting (encoding) the information.

A combination of an algorithm and a key is used to secure information:


    The algorithm is the mathematical process by which the information is secured.

    A key is the secret code or number required to read, modify, or verify secured data.


IPSec uses a policy-based mechanism to determine the level of security required during a communications session. Policies can be distributed throughout a network by means of Windows 2000 domain controllers, or created and stored locally within the registry of a Windows 2000 Professional-based computer.

Before the transmission of any data, an IPSec-enabled computer negotiates the level of security to be maintained during the communications session. During the negotiation process, the authentication method is determined, a hashing method is determined, a tunneling method is chosen (optional), and an encryption method is determined (optional). The secret authentication keys are determined locally at each computer by using information exchanged at this time; no actual keys are ever transmitted. After the key is generated, it is used to authenticate the session, and secured data exchange can begin.

The resulting level of security can be low or high, based on the IP security policy of the sending or receiving computer. For example, a communications session between a Windows 2000 Professional-based computer and a non-IPSec host might not require a secure transmission channel. Conversely, a communications session between a Windows 2000 server containing sensitive information and a dial-in host might require a high level of security, with the data encrypted over a secured transmission channel.

An Example of IPSec


Figure 22.19 provides an overview of the procedure of establishing an IP security session:


Figure 22.19 Overview: the IPSec Process


    An application on Computer A generates outbound packets to send to Computer B across the network.

    IPSec checks IP Security Group Policy settings on Computer A to determine the computer's active IP Security policy. The default policies allow a computer to demand secure communication, to request secure communication but proceed unsecurely if necessary, or to never request IP security.

    Computer A begins security negotiations with Computer B. The two computers exchange public keys and establish a shared, secret key that is created independently at both ends without being transmitted across the network.

    The IPSec driver on Computer A signs the outgoing packets for integrity, and optionally encrypts them for confidentiality. It transmits the packets to Computer B.

    Routers and servers along the network path from Computer A to Computer B do not require IPSec. They simply pass along the packets in the usual manner.

    The IPSec driver on Computer B checks the packets for integrity and decrypts their content if necessary. It then transfers the packets to the receiving application.


Although routers and switches can freely forward encrypted IP packets, firewalls, security routers, and proxy servers must enable IP forwarding to ensure packet delivery. For more information about IP forwarding, see "Unicast Routing Overview," in the Internetworking Guide.
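The exchange in Figure 22.19, as an added illustration that is not part of the Resource Kit: the two endpoints derive the same session key from exchanged public values without the key itself ever crossing the network, each outgoing packet carries a keyed hash for integrity, and the receiver rejects packets that were modified in transit or captured and resent. The Diffie-Hellman group, the packet layout, the key derivation and the strictly increasing sequence-number check are constructed simplifications, not the IKE, AH or ESP formats; the optional encryption step is omitted.

```python
"""Toy model of the IPSec session in Figure 22.19: key agreement without
transmitting the key, a per-packet integrity check, and replay rejection.
Added illustration only; not Windows 2000 code and not an IKE/AH/ESP
implementation."""
import hashlib
import hmac
import secrets

# Constructed toy Diffie-Hellman parameters (assumption: NOT a real IKE group;
# far too small for real use, chosen only to keep the demo fast).
P = (1 << 127) - 1   # a Mersenne prime
G = 3


class IpsecEndpoint:
    """One computer in the exchange (Computer A or Computer B)."""

    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 2) + 1   # private value never leaves this object
        self.pub = pow(G, self._priv, P)           # public value sent across the network
        self.session_key = None
        self.send_seq = 0
        self.last_seen_seq = 0                     # simplified anti-replay state

    def derive_key(self, peer_pub):
        """Both ends compute the same secret from the peer's public value."""
        shared = pow(peer_pub, self._priv, P)
        # Hash the shared secret into a fixed-size session key (simplified KDF).
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.session_key

    def protect(self, payload: bytes) -> bytes:
        """Sign an outgoing packet: 4-byte sequence number || payload || HMAC tag."""
        self.send_seq += 1
        header = self.send_seq.to_bytes(4, "big")
        tag = hmac.new(self.session_key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

    def verify(self, packet: bytes):
        """Return (accepted, reason, payload); rejects tampered and replayed packets."""
        if len(packet) < 4 + 32:
            return False, "truncated", None
        header, body, tag = packet[:4], packet[4:-32], packet[-32:]
        expected = hmac.new(self.session_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False, "integrity check failed", None
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seen_seq:
            return False, "replay", None
        self.last_seen_seq = seq
        return True, "ok", body


def run_session():
    """Walk through the steps of Figure 22.19 and report what each check produced."""
    a, b = IpsecEndpoint("Computer A"), IpsecEndpoint("Computer B")
    # Step 3: only public values are exchanged; the secret key is derived locally at both ends.
    key_a = a.derive_key(b.pub)
    key_b = b.derive_key(a.pub)
    results = {"keys_match": key_a == key_b}

    # Steps 4 and 6: A signs, B checks integrity and accepts.
    pkt = a.protect(b"GET /payroll HTTP/1.0")
    results["clean"] = b.verify(pkt)[1]

    # Replay: the same captured packet is presented to B a second time.
    results["replayed"] = b.verify(pkt)[1]

    # Data modification: one payload byte is changed in transit ("100" becomes "000").
    pkt2 = a.protect(b"transfer 100")
    tampered = bytearray(pkt2)
    tampered[4 + 9] ^= 0x01
    results["tampered"] = b.verify(bytes(tampered))[1]

    # A later, legitimate packet is still accepted.
    results["next"] = b.verify(a.protect(b"transfer 100"))[1]
    return results


if __name__ == "__main__":
    for check, outcome in run_session().items():
        print(f"{check}: {outcome}")
```

The integrity check runs before the sequence check, so a tampered packet is dropped without advancing the replay state; a real implementation uses a sliding window rather than a strictly increasing counter, so that legitimately reordered packets are not discarded.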

Considerations for IPSec


IP security provides encryption of outgoing IP packets, but at the cost of local computer performance. On a computer with IP encryption enabled, packets are encrypted before being passed to the network, which is a processor-intensive procedure. Although IPSec implements symmetric encryption of network data, encryption of a large number of IP packets can tax all but the fastest workstations.

IPSec supports processing offload by the network adapter. Many network adapters include onboard processors that perform many of the tasks that are normally performed by the computer's central processor, including packet encryption. Consult the product documentation for your network adapter to see if it supports encryption processing offload.

Configuring IPSec Policies


IPSec policies, rather than applications or operating systems, are used to configure IPSec services. The policies provide variable levels of protection for most traffic types in most existing networks.

There are two storage locations for IPSec policies:


    Active Directory in a Windows 2000 domain controller.

    Locally defined in the registry for computers that are not part of a Windows 2000 domain.


Your network security administrator can configure IPSec policies to meet the security requirements of a user, group, application, domain, site, or global enterprise from a Windows 2000 domain controller. IPSec policy can also be implemented in a non-Windows 2000-based domain environment through local IPSec policies.

The IPSec policies are based on your organization's guidelines for secure operations. Through the use of security actions, called rules, one policy can be applied to heterogeneous security groups of computers or organizational units. Windows 2000 Professional provides an MMC console called Local Security Policy to create and manage IPSec policies.

This section describes the procedure for configuring domain-based and local IPSec policies on a Windows 2000 Professional-based computer. For detailed information on planning, creating and implementing IPSec policies on a Windows 2000 domain controller, see "Internet Protocol Security" in the TCP/IP Core Networking Guide.

Configuring Domain-based IPSec Policies


For an organization that wishes to implement IP security, creating IP security policies at the domain controller provides the most efficient method of controlling enterprise security policy. Windows 2000 provides an administrative interface, the Local Security Policy snap-in, to create and administer security policies. An IP security administrator can create security policies at varying levels of granularity: the site, domain, organizational unit, user, or computer level. Different security policies can be applied to different groups, based on their identified security needs.

After an IPSec policy has been created at the domain controller, security policy can be applied to members of a specific container. For example, if Sally is a member of an organizational unit (OU) that has a security policy applied to it, the OU's security policy is automatically applied at startup. No user intervention is required. Using domain-based policies ensures that the proper security is always implemented at users' machines, regardless of the existence of local security policies.

When a computer that is normally a member of a Windows 2000 domain is temporarily disconnected, the security policy information is cached in the local registry.

IPSec Precedence Rules


IP security policy precedence is identical to that of other Group Policy settings. In a domain, Group Policy is applied hierarchically from the least restrictive object (site) to the most restrictive object (organizational unit).

For more information about Active Directory and Group Policy, see chapters under "Active Directory" and "Desktop Configuration Management" in the Distributed Systems Guide.

Configuring Local IPSec Policies


Local IPSec policies can be selected and stored locally at a Windows 2000 Professional-based computer. This can be done to implement local IP security in the following situations:


    The computer is a member of a Windows 2000 domain that does not implement IPSec policies.

    The computer is a member of a Windows NT domain.

    The computer is part of a workgroup.

    The computer is not a member of any domain or workgroup, but is connected to other hosts by means of an enterprise intranet or the Internet.


By implementing local IP security, the Windows 2000 Professional-based computer can transfer IP packets based on the security policy stored in its registry. Three preconfigured local IPSec policies are provided at system installation: Client, Server, and Secure Server. Table 22.9 summarizes the attributes of the default security policies.

Table 22.9 Default Local IP Security Policies

    Policy name: Client (Respond Only)
    Security requirements: Low
    Attributes: For computers that do not require secure communications, this policy enables a Windows 2000 Professional-based computer to respond to requests for secured communications. Unsecured communications are available with non-IPSec hosts.

    Policy name: Server (Request Security)
    Security requirements: Moderate
    Attributes: Enables a Windows 2000 Professional-based computer to accept unsecured communications, but attempt to establish a secure channel by requesting security from the sending host. Communications are unsecured if the requesting host is not IPSec-enabled.

    Policy name: Secure Server (Require Security)
    Security requirements: High
    Attributes: Requires that all communications with a Windows 2000 Professional-based computer be secured. All unsecured incoming communications are rejected, and all outgoing communications are secured.

The default security policies can be used as-is, eliminating the need to create custom policies unless you have special requirements. You must have administrative privileges in order to select or change IP security policies.

By default, no local IPSec policies are active. To select one of the default local IPSec policies, use the following procedure.

To activate a local IPSec policy


    In Control Panel, double-click Network and Dial-up Connections.

    Right-click Local Area Connection, and then select Properties.

    Select Internet Protocol (TCP/IP), and then click Properties.

    Click Advanced, and then click the Options tab.

    Select IP security, and then click Properties.

    Select Use this IP security policy, and then select the IPSec policy you want from the list.



For any Windows 2000 Professional-based computer that is a member of a domain, IPSec policies assigned at the domain override any local IPSec policy when that computer account is connected to the domain.
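The following model, added here and not taken from the Resource Kit, turns the three default policies of Table 22.9 into the three behaviours their descriptions imply (request security, respond to a request, require security) and works out the result of every pairing, including a host with no IPSec at all. It also encodes the two precedence statements of this section: a domain-assigned policy overrides a local one, and Group Policy is applied site, then domain, then OU. The flags are a simplification of the described behaviour, not Windows 2000's negotiation code.

```python
"""Model of how the default local IPSec policies in Table 22.9 negotiate
with each other and with non-IPSec hosts, and of which policy is in force
on a computer. Added illustration only; the behaviour flags are a
simplification of the policy descriptions, not Windows 2000's own code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    name: str
    requests: bool   # asks the peer to secure the session
    responds: bool   # secures the session when the peer asks (i.e. the host can do IPSec)
    requires: bool   # refuses any unsecured session


# The three defaults from Table 22.9, plus a host with no IPSec at all.
NON_IPSEC = Policy("No IPSec", requests=False, responds=False, requires=False)
CLIENT = Policy("Client (Respond Only)", requests=False, responds=True, requires=False)
SERVER = Policy("Server (Request Security)", requests=True, responds=True, requires=False)
SECURE_SERVER = Policy("Secure Server (Require Security)", requests=True, responds=True, requires=True)


def negotiate(initiator: Policy, responder: Policy) -> str:
    """Outcome of one session: 'secured', 'unsecured' or 'rejected'."""
    attempted = initiator.requests or responder.requests
    both_capable = initiator.responds and responder.responds
    if attempted and both_capable:
        return "secured"
    if initiator.requires or responder.requires:
        return "rejected"    # a Require Security host drops unsecured traffic
    return "unsecured"       # nobody asked for security, or the peer cannot provide it


def effective_policy(local: Optional[Policy], domain_assigned: Optional[Policy]) -> Optional[Policy]:
    """A policy assigned at the domain overrides any local policy. With no local
    policy selected and none assigned by the domain, IPSec is inactive (None)."""
    return domain_assigned if domain_assigned is not None else local


def group_policy_result(site: Optional[Policy], domain: Optional[Policy],
                        ou: Optional[Policy]) -> Optional[Policy]:
    """Group Policy is applied site, then domain, then OU; the last level that
    assigns an IPSec policy is the one in force."""
    winner = None
    for level in (site, domain, ou):
        if level is not None:
            winner = level
    return winner


def outcome_matrix() -> dict:
    """Every initiator/responder pairing of the four behaviours."""
    hosts = [NON_IPSEC, CLIENT, SERVER, SECURE_SERVER]
    return {(i.name, r.name): negotiate(i, r) for i in hosts for r in hosts}


if __name__ == "__main__":
    for (initiator, responder), result in outcome_matrix().items():
        print(f"{initiator:34} -> {responder:34}: {result}")
```

The matrix makes one consequence of the descriptions explicit: two computers that both use Client (Respond Only) never secure anything, because neither side ever asks, so at least one end of any pair that must be protected needs Server or Secure Server.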

IPSec Policy Management Snap-in


The Microsoft Management Console (MMC) IP Security Policy Management snap-in allows you to perform the following tasks:


    Create and manage local and domain-based IPSec policies

    Manage IP filter lists and filter actions

    Check IPSec policies

    Restore default IPSec policies

    Import and export IPSec policies


The IP Security Policy Management snap-in is not loaded in Windows 2000 Professional by default. To install the IP Security Policy Management snap-in, perform the following steps while logged on to an account with administrative rights.

To install the IP Security Policy Management snap-in


    In an empty or existing MMC console, select Console/Add/Remove Snap-in.

    In the Standalone dialog box, click Add.

    In the Available Standalone Snap-ins box, select IP Security Policy Management, and then click Add.

    In the Select which computer this Snap-in will manage dialog box, select the option that matches the security policy environment to be managed by the target computer.

    From the target computer, you can manage the security policy of the target computer (stored in its registry), the IP security policy of the local or another domain (if appropriate permissions have been granted) or manage the local security policy of another computer, stored in its registry.

    Click Finish.


Creating Local IPSec Policies


New IPSec policies can be created by selecting Create IP Security Policy from the Actions menu of the IP Security Policy Management console, or by right-clicking the details panel of the console, and then selecting Create IP Security Policy. This action starts the IP Security Policy wizard.

The IP Security Policy wizard prompts you for the information needed to configure the initial response rule for the new policy. The following information is required:


    Policy name and description

    Application of default rule

    A security rule determines how IPSec policy secures communication. Selection of this option specifies that a default rule is created for use as the response rule if no other rule exists or applies.

    Additional rules can be created after the default rule by editing the IP security policy.

    Authentication method for default rule

    An authentication method for the two computers must be determined before secure communications can begin. Use this option to select the method of authentication for the default rule, if chosen:


      Kerberos v5

      Certificate-based

      Preshared key


A detailed discussion of the creation of IP security policies is beyond the level of this section. For more information on IP policy and rule creation, refer to Windows 2000 Help and "Internet Protocol Security" in the TCP/IP Core Networking Guide.

TCP/IP Filtering


Windows 2000 Professional includes support for TCP/IP filtering (known as TCP/IP Security in Windows NT 4.0). TCP/IP filtering allows you to specify exactly which types of incoming IP traffic are processed for each IP interface. This feature is designed to isolate the traffic being processed by Internet and intranet clients in the absence of other TCP/IP filtering provided by the Routing and Remote Access service or other TCP/IP applications or services. TCP/IP filtering is disabled by default.

TCP/IP filtering is a set of input filters for nontransit TCP/IP traffic. Nontransit traffic is traffic that is processed by the host because the destination IP address of the inbound IP datagram is an assigned interface address, the appropriate subnet broadcast address, or a multicast address. TCP/IP filtering does not apply to transit or routed traffic that is forwarded between interfaces.

TCP/IP filtering allows you to confine nontransit inbound TCP/IP traffic based on the:


    Destination TCP port

    Destination UDP port

    IP protocol


To configure TCP/IP filtering


    In Control Panel, double-click Network and Dial-up Connections, right-click Local Area Connection, and then click Properties.

    On the General tab, click Internet Protocol (TCP/IP) in the list of components, and then click Properties.

    Click Advanced.

    Click the Options tab, select TCP/IP filtering, and then click Properties.


TCP/IP filtering can be enabled and disabled for all adapters by means of a single check box. This can help troubleshoot connectivity problems that might be related to filtering. Filters that are too restrictive do not allow expected kinds of connectivity. For example, if you do not include the RIP protocol, then the RIP Listener service will not function.
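The filtering rules above, as an added model that is not part of the Resource Kit: a datagram is first classified as nontransit (addressed to the interface, its subnet broadcast, or a multicast group) or transit, and only nontransit traffic is matched against the destination TCP port, destination UDP port, or IP protocol lists. The interface address, the filter lists and the sample packets are constructed; the assumption that TCP and UDP are judged by their port lists and every other protocol by the IP protocol list follows the three criteria listed in this section. The RIP case uses the fact that RIP updates travel on UDP port 520, so leaving that port out of the UDP list is exactly the RIP Listener failure the text describes.

```python
"""Model of Windows 2000 TCP/IP filtering as this section describes it:
input filters on nontransit traffic, keyed on destination TCP port,
destination UDP port, or IP protocol number. Added illustration only, not
the Windows TCP/IP driver; the interface, filter lists and packets are
constructed samples. Assumption: TCP and UDP are judged by their port lists
only, and every other protocol by the IP protocol list."""
from dataclasses import dataclass
from typing import Optional, Set
import ipaddress

TCP, UDP = 6, 17


@dataclass
class TcpIpFilter:
    """Settings from the TCP/IP Filtering dialog. None stands for 'Permit All'."""
    enabled: bool = False            # the single check box that turns filtering on for all adapters
    tcp_ports: Optional[Set[int]] = None
    udp_ports: Optional[Set[int]] = None
    ip_protocols: Optional[Set[int]] = None


@dataclass
class Interface:
    address: str
    network: str                     # e.g. "192.0.2.0/24"; the subnet broadcast is derived from it

    @property
    def subnet_broadcast(self) -> str:
        return str(ipaddress.ip_network(self.network, strict=False).broadcast_address)


@dataclass
class Packet:
    dst: str
    protocol: int                    # IP protocol number: 6 TCP, 17 UDP, 1 ICMP, ...
    dst_port: Optional[int] = None   # only meaningful for TCP and UDP


def is_nontransit(pkt: Packet, iface: Interface) -> bool:
    """Nontransit traffic is addressed to the interface itself, its subnet
    broadcast, or a multicast group. Anything else would be routed, not received."""
    return (pkt.dst == iface.address
            or pkt.dst == iface.subnet_broadcast
            or ipaddress.ip_address(pkt.dst).is_multicast)


def decide(filt: TcpIpFilter, iface: Interface, pkt: Packet) -> str:
    """What the host does with an inbound datagram under the given filter."""
    if not is_nontransit(pkt, iface):
        return "transit: not subject to TCP/IP filtering"
    if not filt.enabled:
        return "processed"
    if pkt.protocol == TCP:
        allowed = filt.tcp_ports is None or pkt.dst_port in filt.tcp_ports
        subject = f"TCP port {pkt.dst_port}"
    elif pkt.protocol == UDP:
        allowed = filt.udp_ports is None or pkt.dst_port in filt.udp_ports
        subject = f"UDP port {pkt.dst_port}"
    else:
        allowed = filt.ip_protocols is None or pkt.protocol in filt.ip_protocols
        subject = f"IP protocol {pkt.protocol}"
    return "processed" if allowed else f"dropped: {subject} not in filter list"


def demo() -> dict:
    """Constructed workstation: web and DNS allowed, RIP (UDP 520) left out of the UDP list."""
    iface = Interface("192.0.2.10", "192.0.2.0/24")
    filt = TcpIpFilter(enabled=True, tcp_ports={80, 443}, udp_ports={53},
                       ip_protocols={1, 6, 17})
    samples = {
        "https": Packet("192.0.2.10", TCP, 443),
        "smb": Packet("192.0.2.10", TCP, 445),
        "dns_reply": Packet("192.0.2.10", UDP, 53),
        "rip_update": Packet("192.0.2.255", UDP, 520),   # RIPv1 update sent to the subnet broadcast
        "ping": Packet("192.0.2.10", 1),
        "gre": Packet("192.0.2.10", 47),
        "routed": Packet("198.51.100.7", TCP, 445),       # not for this host: transit traffic
    }
    results = {name: decide(filt, iface, p) for name, p in samples.items()}
    # Clearing the single check box is the quickest way to test whether a
    # connectivity problem is caused by the filters.
    filt.enabled = False
    results["smb_filtering_off"] = decide(filt, iface, samples["smb"])
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Because the lists are allow-lists, every service the host is expected to run, including ones that listen on broadcast or multicast addresses, must be enumerated; the troubleshooting step in the text (clear the check box, retest, re-enable) is the practical way to confirm that a missing entry is the cause.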
