Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] (text version)

Roberta Bragg


2.2 New Features and Enhancements


Anyway, now that I've vented my frustration a bit, I
have to confess that I feel the new features and enhancements in
WS2003 far outweigh the silly or unnecessary changes described
earlier. Not only is WS2003 a more scalable platform than W2K,
it's also more manageable and secure. Because this
book focuses on the core tasks of everyday administration, this
section highlights key new features W2K administrators should be
aware of as you prepare to transition to WS2003, more or less in the
order you might discover them as you start playing around with the
new platform.


2.2.1 Activation


If you've tried installing WS2003, you've already been prompted to
activate your product, unless you're an enterprise client with some
sort of volume licensing agreement with Microsoft. Activation is an
antipiracy measure implemented by Microsoft on Windows XP and later;
see Installation in Chapter 4 for more information. Whether Activation
is a plus or a minus is debatable, but it's a fact of life from now
on.


2.2.2 Stay Current


When you first log on to WS2003 as Administrator, you'll be confronted
with a notification bubble (or whatever they call it) that says "Stay
current with Automatic Updates." This Automatic Updates feature was
first included in Service Pack 3 for W2K, so you may already be
familiar with it. If not, see Automatic Updates in Chapter 4 for more
information about using this feature to automatically download and
install the latest security patches from Microsoft as they are
released.


2.2.3 Manage Your Server


When you first log on to WS2003 as Administrator,
you'll also be confronted with the new Manage Your
Server tool, which replaces (and incorporates) the old Configure Your
Server Wizard in W2K. Manage Your Server lets you add roles to your
server to turn it into a file server, print server, application (web)
server, DHCP server, domain controller, and so on. Manage Your Server
isn't the only way to add such roles, however; for example, if you
simply share a folder, your server automatically assumes the file
server role.

My opinion is that Manage Your Server is great for initial server
configuration tasks such as installing Active Directory on a smaller
network, but beyond that the tool isn't really much
use, mainly because of its layout. It's got way too
much whitespace, which means you have to scroll to use it if you have
more than a couple of roles configured on your server.


2.2.4 Administration Tools Pack


If you're really serious about managing your WS2003 servers, install
the Windows Server 2003 Administration Tools Pack using the Windows
Installer file Adminpak.msi located in the \i386 folder on your WS2003
product CD. The Admin Tools pack installs a full slate of tools for
managing any WS2003 machine including domain controllers, and by
installing this pack on a Windows XP Professional machine, you can
then use this machine as your main administrator workstation for
managing WS2003 servers anywhere on your network. It's a big
improvement on walking over to a domain controller in order to run
Active Directory Users and Computers from the local console every time
you have to reset some user's password. Note that you must have
Windows XP Service Pack 1 or later installed before installing these
tools on your XP machine, and to use an XP machine to remotely
administer Internet Information Services 6 (IIS 6), you need Windows
XP Service Pack 2 or later.


2.2.5 Convenience Consoles


Tucked away on the Admin Tools Pack are three new MMC consoles that
combine the functionality of a number of administrative tools to make
life more convenient for administrators. These convenience consoles
are:

  • Active Directory Management, which combines the functionality of
    Active Directory Users and Computers, Active Directory Domains and
    Trusts, Active Directory Sites and Services, and DNS

  • IP Address Management, which combines the functionality of DHCP,
    DNS, and WINS

  • Public Key Management, which combines the functionality of
    Certification Authority, Certificate Templates, Certificates
    (Current User), and Certificates (Local Computer)



For more information on convenience consoles and other tools, see
Administrative Tools in Chapter 4. In addition to the three
convenience consoles described above, there is also a new File Server
Management console that appears under Administrative Tools when you
add the file server role to your WS2003 machine. File Server
Management combines the functionality of Shared Folders, Disk
Defragmenter, and Disk Management and is convenient for managing file
servers, but for some reason it's not included in the list of
convenience consoles in Help and Support.


2.2.6 Help and Support


Speaking of Help and Support, the old Help feature of W2K has been
totally revamped as Help and Support in WS2003. In general,
it's a huge improvement, but there are some
frustrations, too. First, the pluses:

  • The contents are well organized and enable you to quickly find
    general information about major topics like tools, tasks, users and
    groups, disks and data, and so on.

  • If your server is connected to the Internet, Help and Support
    displays a list of Top Issues automatically downloaded from
    support.microsoft.com and allows
    you to search online for help regarding error messages, software
    compatibility information, and other information useful to
    administrators.

  • Help and Support includes several additional tools that can be
    accessed by clicking on the Tools link and then selecting Help and
    Support Center Tools. These tools can display system, hardware, and
    software information; offer or obtain remote assistance; perform
    network diagnostics and more, displaying the results in a readable
    form.


What's the downside of Help and Support? The Search
feature is slow, finicky, and sometimes hard to use. For example, say
you want to learn how to create a scope on a DHCP server. If you
simply type "scope" into the Search
box, the result is zero Suggested Topics, 204 Help Topics, and (if
you are connected to the Internet) up to 999 Microsoft Knowledge Base
topics (or fewer if you've configured Help and
Support to return fewer results). Browsing through the 204 Help
Topics, the fifth topic, "Configuring Scopes:
DHCP," has a useful discussion of what scopes are
but doesn't actually explain the steps for creating
one, nor does it contain a link to another topic containing such
information. Scroll further down to topic 26,
"Create a new scope: DHCP," and you
find the information you are looking for. What makes it harder is
that the 204 Help Topics displayed here are listed in seemingly
random fashion and can't be sorted alphabetically.

Now compare this to using the old Help system in W2K. Start Help,
switch to the Index tab, type
"scope," and under
"scopes" you see an alphabetical
list of topics that includes "creating, how to
create a scope," which is the desired information,
quick and painless. To be honest, you can still use this Index method
in WS2003 Help and Support by clicking the Index button on the
toolbar, something I do often.


2.2.7 Remote Desktop


In W2K, another way to administer W2K servers was to use Terminal
Services in Remote Administration Mode. In WS2003 this feature is now
called Remote Desktop, is installed by default (yay!), and can be
enabled with a few mouse clicks:

Start → Control Panel → System → Remote → Remote Desktop → select checkbox

If you have IIS installed on a WS2003 server (it isn't installed by
default anymore), you can also use Remote Desktop Web Connection to
remotely administer your server from a Windows computer with IE 5 or
later using a downloadable ActiveX control. This is cool too. For more
information on Remote Desktop and Remote Desktop Web Connection, see
Remote Desktop in Chapter 4.


2.2.8 Enhancements to Tools


Speaking of administration, Table 2-5 briefly
summarizes the enhanced functionality in the new platform for some
commonly used administrative tools and other utilities.

Table 2-5. Enhancements to common tools in WS2003

Active Directory Domains and Trusts

  • Lets you create external trusts more easily using the New Trust
    Wizard

Active Directory Sites and Services

  • Lets you drag and drop domain controllers between sites

  • Displays replication intervals and site link costs in the Details
    pane

  • Lets you simulate the effect of Group Policy for a domain or OU using
    the Resultant Set of Policy (RSoP) Wizard

Active Directory Users and Computers

  • Lets you drag and drop users between OUs

  • Lets you modify the properties of multiple selected objects
    simultaneously

  • Lets you save Active Directory queries as XML files for later use

  • Lets you simulate the effect of Group Policy for a site using the
    Resultant Set of Policy (RSoP) Wizard

Backup

  • Now starts in wizard mode by default

  • On the Welcome tab, the Emergency Repair Disk option has been
    replaced by the Automated System Recovery Wizard

netstat command

  • Includes a new option to display the process that owns a TCP or UDP
    port

Services

  • Has a new Extended view that describes the selected service and lets
    you stop or restart it

Task Manager

  • Includes a Networking tab to display network interface activity in
    real time

  • Includes a Users tab to display, send a message to, log off, or
    disconnect connected users


2.2.9 Enhancements to Active Directory


While this book is not a detailed guide for implementing Active
Directory in an enterprise, day-to-day Active Directory
administration is an essential part of managing the WS2003 platform,
and you can use this book to quickly look up how to perform common
tasks in the following topics in Chapter 4: Active Directory, Domain,
Domain Controller, Forest, OU, Site, and Trusts. Briefly, here are
some of the enhancements to Active Directory in WS2003:

  • Domains can now be renamed using free tools you can download from
    www.microsoft.com/windowsserver2003/downloads/.
    Note however, that while you can even rename the forest root domain,
    you can't change which domain is forest root.

  • Forest/domain functional levels now replace the earlier W2K model of
    native/mixed modes and provide interoperability between NT, W2K, and
    WS2003 domain controllers. See Domain in Chapter 4 for more
    information.

  • The Application Partition allows greater control over how directory
    information is replicated (DNS information is stored here now).

  • Object quotas can be defined for restricting the maximum number of
    directory objects a user can create.

  • Schema classes and attributes that are no longer needed can now be
    redefined.

  • Compression of replication traffic can be disabled between selected
    sites.

  • Global catalog servers are no longer required in each site to support
    logons, because WS2003 domain controllers now cache universal group
    membership information on a regular basis.

  • Replication of updates to group membership is streamlined by
    replicating changes to only group membership, not the entire
    membership of a group.

  • The Inter-Site Topology Generator (ISTG) has an improved algorithm
    that scales to forests containing much larger numbers of sites than
    W2K could support.

  • Domain controllers can be deployed more quickly in remote sites using
    the new Install Replica From Media feature.

  • Dcpromo does a better job of demoting domain controllers than it did
    in W2K.

  • Active Directory client software is no longer provided for Windows 95
    or for Windows NT 4.0 SP3 or earlier.

  • Cross-forest authentication enables users in one forest to access
    resources in another forest.


Note that some of these tasks aren't described further in this book
because they require advanced understanding of Active Directory, how
to edit the schema, and so on; see O'Reilly's Active Directory for
more information.


2.2.10 Enhancements to Command-Line Administration


Compared to the earlier W2K platform, there are huge improvements in
managing WS2003 machines from the command line. To start with, there
are numerous new commands for managing:

  • Disks and disk quotas using the diskpart and
    defrag commands

  • The boot loader menu using the bootcfg command

  • Running processes using the tasklist and
    taskkill commands

  • Active Directory using the dsadd,
    dsget, dsmod,
    dsmove, dsquery, and
    dsrm commands

  • Scheduled tasks using the schtasks command
    (replaces the at command)

  • Device drivers using the driverquery command

  • Group Policy using the gpupdate and
    gpresult commands


Also, scripts such as prncnfg and prnmngr manage printers and print
servers from the command line. These scripts (and similar ones for
managing IIS) use the Windows Management Instrumentation (WMI)
provider, which exposes almost every aspect of the platform for
scripted administration. The power of WMI can really be harnessed only
if you take the time and effort to learn VBScript or JScript in some
depth, which is beyond the scope of this book. O'Reilly's DNS on
Windows 2003 by Robbie Allen, Matt Larson, and Cricket Liu, includes a
chapter on using scripting to manage DNS programmatically.
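As an added example (not code from the book), here is how several of the new command-line tools listed above fit together in a daily hygiene script for a domain controller. The inactivity and password-age thresholds, the task name "DailyHygiene", the log path, and the assumption that it runs under an account allowed to query and modify Active Directory are mine, not the book's.

```batch
@echo off
rem Constructed example, not from the book: a daily hygiene check built from
rem the new WS2003 command-line tools. Assumed to run on a domain controller
rem (or an XP workstation with the Admin Tools Pack) under an account that may
rem query and modify Active Directory. Thresholds and names are placeholders.
setlocal
set LOG=%SystemRoot%\hygiene.txt
echo Hygiene run at %DATE% %TIME% > "%LOG%"

rem 1. Accounts nobody has logged on with for 8 weeks are disabled, not
rem    deleted, so a mistake is reversible. dsquery prints distinguished
rem    names and dsmod reads them from standard input.
echo === Users inactive for 8+ weeks (now disabled) === >> "%LOG%"
dsquery user -inactive 8 -limit 0 >> "%LOG%"
dsquery user -inactive 8 -limit 0 | dsmod user -disabled yes

rem 2. Accounts whose password is older than 90 days, listed with the logon
rem    name and whether the password is exempt from expiry.
echo === Users with passwords older than 90 days === >> "%LOG%"
dsquery user -stalepwd 90 -limit 0 | dsget user -samid -pwdneverexpires >> "%LOG%"

rem 3. Listening TCP ports with the owning PID (the -o option is new in
rem    WS2003), followed by the PID-to-service map from tasklist so every
rem    open port can be tied to a named service.
echo === Listening ports and owning processes === >> "%LOG%"
netstat -ano | findstr /i LISTENING >> "%LOG%"
tasklist /svc >> "%LOG%"

rem 4. Refresh computer Group Policy and record the resulting settings, so
rem    drift from the intended security policy shows up in the log.
gpupdate /target:computer
gpresult /scope computer /v >> "%LOG%"

rem 5. Register this script as a daily 03:00 task with schtasks (the
rem    replacement for at) unless it is already registered. WS2003 schtasks
rem    takes the start time as HH:MM:SS; the script path must not contain
rem    spaces for this simple /tr form.
schtasks /query /tn "DailyHygiene" >nul 2>&1 || schtasks /create /sc daily /st 03:00:00 /tn "DailyHygiene" /tr "%~f0" /ru System

endlocal
```

Review the log after the first run before leaving the dsmod step in place; it changes account state, whereas every other step only reports.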


2.2.11 Other Major Enhancements


Here are some additional enhancements that improve the manageability,
scalability, and security of WS2003 over W2K:

  • Automated System Recovery provides a last-resort method for
    recovering a failed system if other approaches such as Last Known
    Good Configuration, Safe Mode, or the Recovery Console don't work.
    See Backup in Chapter 4 for more information.

  • The new volume shadow copy feature provides point-in-time copies of
    shared folders so you can restore earlier versions of files; see
    Files and Folders in Chapter 4 for more information. Of course, this
    feature doesn't replace regular backups.

  • The Internet Information Services (IIS) component is totally revamped
    but is now not installed by default for greater security (you can
    even block its installation using Group Policy). To do justice to the
    capabilities of the new IIS 6 platform really requires an entire
    book, and I've written one called IIS 6 Administration (McGraw-Hill).

  • The new Group Policy Management Console (GPMC) is an integrated tool
    for managing Group Policy on WS2003. Unfortunately, this tool was
    created too late in the development cycle and is not included on your
    WS2003 product CD, but you can find out how GPMC 1.0 works and
    download it from www.microsoft.com/windowsserver2003/downloads/
    along with other cool add-ons like the Domain Rename Tools and IIS 6
    Migration Tool.

  • The Distributed File System (DFS) now supports multiple DFS roots on
    a single server, but only on the Enterprise Edition of WS2003. This
    is good news for enterprise deployments that use DFS.

  • The ACL editor (Security tab on a file's or folder's properties
    sheet) now includes a feature for displaying the effective
    permissions resulting from group membership; see Permissions in
    Chapter 4 for more information.

  • The default permissions on the root directory of an NTFS volume used
    to be "Everyone has Full Control,"
    but these defaults have been tightened considerably in WS2003 to make
    the platform more secure out of the box.

  • The new Resultant Set of Policy (RSoP) snap-in can be used to
    analyze how GPOs combine to produce effective settings on the local
    machine.



2.2.12 Minor Enhancements


Here are some further enhancements in WS2003 that are perhaps less
significant in terms of day-to-day administration but may be
extremely useful in certain situations:

  • Screensavers are now password-protected by default, a simple but
    effective security enhancement.

  • An optional POP-3 mail server component to complement the existing
    SMTP component of IIS. I call this a minor enhancement because most
    admins will use Exchange Server anyway for such purposes.

  • A new Protected Power Mode is available for hard drives to increase
    I/O performance, though at the expense of increased risk of data
    loss. This is accessed by:

    Computer Management → Device Manager → Disk Drives → right-click on
    drive → Properties → Policies → Enable advanced performance

  • The source IP address and port number are now included in all logon
    audit events.

  • Performance now supports log files greater than 1 GB in size.

  • The DHCP database can now be backed up while the DHCP service is
    running.

  • DNS client settings can now be configured using Group Policy.

  • A user's My Documents folder can now be redirected
    to his home directory using Group Policy.

  • If your hardware supports it, you can add or remove RAM while the
    system is running.

  • If your hardware supports it, you can use Emergency Management
    Services (EMS) to remotely manage certain aspects of WS2003 even when
    your server has crashed and is no longer available on the network.

  • Application Compatibility mode ensures legacy Windows 9x/NT
    applications can run properly under WS2003. To use this feature, do
    the following:

    Windows Explorer → right-click on program icon → Properties →
    Compatibility

  • The Shutdown Event Tracker records reasons for shutting down servers
    and displays when a user logs on after a server has unexpectedly
    rebooted. You can also force a shutdown or restart of a local or
    remote computer from the command line (see shutdown in Chapter 5).

  • For improved security, the Telnet service is now disabled instead of
    being set to manual startup as it was in W2K.

  • If an application hangs, you can now move or minimize its window and
    work on something else while you wait to see if it responds.

  • Device drivers can now be rolled back to previously installed
    versions if new versions cause problems (see Devices in Chapter 4
    for more information).

  • Internet Connection Firewall (ICF) provides limited firewall
    functionality for TCP/IP connections. For your network card you can
    configure this by:

    Control Panel → Network Connections → Local Area Connection →
    Properties → Advanced

    You can also use ICF for securing VPN and dial-up connections; see
    Connections in Chapter 4 for more information.

  • When you install WS2003, you are prompted (but not forced) to specify
    a strong password for the default Administrator account.


