Windows 7 Resource Kit- P26


Chapter 25: Core Networking Improvements

As with other versions of Windows, server-side support for SMB (sharing files and printers) is provided by the Server service, and client-side support (connecting to shared resources) is provided by the Workstation service. Both services are configured to start automatically, and you can safely disable either service if you don't require it. The security risks presented by having the Server service running are minimized because Windows Firewall will block incoming requests to the Server service on public networks by default.

Strong Host Model

When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model accept locally destined packets only if the destination address in the packet matches an address assigned to the interface on which the packet was received. The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. Windows Vista and Windows 7 support the strong host model for both IPv4 and IPv6 and are configured to use it by default. However, you can revert to the weak host model using Netsh. The weak host model provides better network connectivity, but it also makes hosts susceptible to multihome-based network attacks.

To change the host model being used, use the following Netsh commands (and specify the name of the network adapter):

Netsh interface IPv4 set interface "Local Area Connection" WeakHostSend=enabled
Ok.

Netsh interface IPv4 set interface "Local Area Connection" WeakHostReceive=enabled
Ok.

To return to the default settings, use the same command format but disable the WeakHostSend and WeakHostReceive parameters.
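As an added illustration (not from the Resource Kit and not Microsoft's code), the following Python script shows the two halves of this section: the receive-side acceptance rule that separates the strong and weak host models on a multihomed host, and a check of the Weak Host Sends / Weak Host Receives values as reported by `netsh interface ipv4 show interface`. The netsh output embedded in the script is constructed and the exact label text is an assumption; the interface names and addresses are made up as well.

```python
"""Strong vs. weak host model: the acceptance rule, plus a check of the netsh setting."""
import ipaddress
import re

# Constructed sample modelled on the output of
#   netsh interface ipv4 show interface "Local Area Connection"
# The label text ("Weak Host Sends" / "Weak Host Receives") is an assumption, not a capture.
SAMPLE_NETSH_OUTPUT = """\
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid                             : ethernet_6
IfIndex                            : 11
State                              : connected
Metric                             : 10
Link MTU                           : 1500 bytes
Forwarding                         : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
"""


def parse_netsh_interface(text):
    """Turn the 'Label : value' lines of a netsh interface listing into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s+:\s+(.+)$", line)
        if m:
            settings[m.group(1).strip()] = m.group(2).strip()
    return settings


def weak_host_findings(settings):
    """Names of the weak-host settings that are enabled (the non-default state on Windows 7)."""
    return [k for k in ("Weak Host Sends", "Weak Host Receives")
            if settings.get(k, "disabled").lower() == "enabled"]


def is_locally_destined(host_interfaces, arrival_iface, dst_ip, weak_host_receive=False):
    """Apply the receive-side rule from the text.

    host_interfaces maps an interface name to the addresses assigned to it.
    Strong host model (default): accept only if dst_ip is assigned to the arrival interface.
    Weak host model: accept if dst_ip is assigned to any interface of the host.
    """
    dst = ipaddress.ip_address(dst_ip)
    if weak_host_receive:
        candidates = [a for addrs in host_interfaces.values() for a in addrs]
    else:
        candidates = host_interfaces.get(arrival_iface, [])
    return any(dst == ipaddress.ip_address(a) for a in candidates)


# Constructed dual-homed host: a wired corporate interface and a wireless one.
HOST = {
    "Local Area Connection": ["192.0.2.10"],
    "Wireless Network Connection": ["198.51.100.20"],
}


def multihome_demo():
    """A packet arriving on the wireless side but addressed to the wired address:
    dropped under the strong model, accepted under the weak model."""
    strong = is_locally_destined(HOST, "Wireless Network Connection", "192.0.2.10")
    weak = is_locally_destined(HOST, "Wireless Network Connection", "192.0.2.10",
                               weak_host_receive=True)
    return {"strong_accepts": strong, "weak_accepts": weak,
            "non_default_settings": weak_host_findings(parse_netsh_interface(SAMPLE_NETSH_OUTPUT))}


if __name__ == "__main__":
    print(multihome_demo())
```

The multihome case the text warns about is exactly the wireless-to-wired packet in `multihome_demo`: the strong model refuses it, the weak model accepts it. To audit a machine, pipe the real `netsh interface ipv4 show interface` output into `parse_netsh_interface` and report anything `weak_host_findings` returns.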

Wireless Networking

In Windows Server 2003 and Windows XP, the software infrastructure that supports wireless connections was built to emulate an Ethernet connection and can be extended only by supporting additional Extensible Authentication Protocol (EAP) types for 802.1X authentication. In Windows Vista and Windows 7, the software infrastructure for 802.11 wireless connections, called the Native Wi-Fi Architecture (also referred to as Revised Native Wi-Fi MSM, or RMSM), has been redesigned for the following:

• IEEE 802.11 is now represented inside of Windows as a media type separate from IEEE 802.3. This allows hardware vendors more flexibility in supporting advanced features of IEEE 802.11 networks, such as a larger frame size than Ethernet.


• New features in the Native Wi-Fi Architecture perform authentication, authorization, and management of 802.11 connections, reducing the burden on hardware vendors to incorporate these functions into their wireless network adapter drivers. This makes the development of wireless network adapter drivers much easier.

• The Native Wi-Fi Architecture supports APIs to allow hardware vendors the ability to extend the built-in wireless client for additional wireless services and custom capabilities. Extensible components written by hardware vendors can also provide customized configuration dialog boxes and wizards.

In addition, Windows Vista and Windows 7 include several important changes to the behavior of wireless auto configuration. Wireless auto configuration is now implemented in the WLAN AutoConfig service, which dynamically selects the wireless network to which the computer will connect automatically, based either on your preferences or on default settings. This includes automatically selecting and connecting to a more preferred wireless network when it becomes available. The changes include:

• Single sign-on: To enable users to connect to protected wireless networks before logon (and thus, allow wireless users to authenticate to a domain), administrators can use Group Policy settings or the new Netsh wireless commands to configure single sign-on profiles on wireless client computers. After a single sign-on profile is configured, 802.1X authentication will precede the computer logon to the domain, and users are prompted for credential information only if needed. This feature ensures that the wireless connection is placed prior to the computer domain logon, which enables scenarios that require network connectivity prior to user logon, such as Group Policy updates, execution of login scripts, and wireless client domain joins.

• Behavior when no preferred wireless networks are available: In earlier versions of Windows, Windows created a random wireless network name and placed the network adapter in infrastructure mode if no preferred network was available and automatically connecting to nonpreferred networks was disabled. Windows would then scan for preferred wireless networks every 60 seconds. Windows Vista and Windows 7 no longer create a randomly named network; instead, Windows "parks" the wireless network adapter while periodically scanning for networks, preventing the randomly generated wireless network name from matching an existing network name.

• Support for hidden wireless networks: Earlier versions of Windows would always connect to preferred wireless networks that broadcast a Service Set Identifier (SSID) before connecting to preferred wireless networks that did not broadcast that identifier, even if the hidden network had a higher priority. Windows Vista and Windows 7 connect to preferred wireless networks based on their priority, regardless of whether they broadcast an SSID.

• WPA2 support: Windows Vista and Windows 7 support Wi-Fi Protected Access 2 (WPA2) authentication options, configurable by either the user (to configure the stan-
(preshared key authentication) modes of operation for WPA2 and can connect to ad hoc wireless networks protected by WPA2.

• Integration with NAP: WPA2-Enterprise, WPA-Enterprise, and dynamic WEP connections that use 802.1X authentication can use the NAP platform to prevent wireless clients that do not comply with system health requirements from gaining unlimited access to a private network.

In addition, troubleshooting wireless connection problems is now easier because wireless connections do the following:

• Support the Network Diagnostics Framework, which attempts to diagnose and fix common problems.

• Record detailed information in the event log if a wireless connection attempt fails.

• Prompt the user to send diagnostic information to Microsoft for analysis and improvement.

For more information about troubleshooting wireless networks, see Chapter 31. For more information about configuring wireless networks, see the section titled "How to Configure Wireless Settings" later in this chapter.

Improved APIs

Windows Vista and Windows 7 also include improved APIs that will enable more powerful networked applications. Systems administrators will not realize immediate benefits from these improved APIs; however, developers can use these APIs to create applications that are more robust when running on Windows Vista and Windows 7. This enables developers to create applications faster and to add more powerful features to those applications.

Network Awareness

More applications are connecting to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can adapt to changing network conditions has been difficult for developers. Network Awareness enables applications to sense changes to the network to which the computer is connected, such as closing a mobile PC at work and then opening it at a coffee shop wireless hotspot. This enables Windows Vista and Windows 7 to alert applications of network changes. The application can then behave differently, providing a seamless experience.

For example, Windows Firewall with Advanced Security can take advantage of Network Awareness to automatically allow incoming traffic from network management tools when the computer is on the corporate network but block the same traffic when the computer is on a home network or wireless hotspot. Network Awareness can therefore provide flexibility on your internal network without sacrificing security when mobile users travel.


Applications can also take advantage of Network Awareness. For example, if a user disconnects from a corporate internal network and then connects to his or her home network, an application could adjust security settings and request that the user establish a VPN connection to maintain connectivity to an intranet server. New applications can go offline or online automatically as mobile users move between environments. In addition, software vendors can integrate their software into the network logon process more easily because Windows Vista and Windows 7 enable access providers to add custom connections for use during logon. Network Awareness benefits only applications that take advantage of the new API and does not require any management or configuration. For Network Awareness to function, the Network Location Awareness and Network List Service services must be running.

Improved Peer Networking

Windows Peer-to-Peer Networking, originally introduced with the Advanced Networking Pack for Windows XP and later included in Windows XP SP2, is an operating system platform and API in Windows Vista and Windows 7 that allows the development of peer-to-peer (P2P) applications that do not require a server. Windows Vista and Windows 7 include the following enhancements to Windows Peer-to-Peer Networking:

• New, easy-to-use API: APIs to access Windows Peer-to-Peer Networking capabilities such as name resolution, group creation, and security have been highly simplified in Windows Vista and Windows 7, making it easier for developers to create P2P applications.

• New version of PNRP: Peer Name Resolution Protocol (PNRP) is a name resolution protocol, like DNS, that functions without a server. PNRP uniquely identifies computers within a peer cloud. Windows Vista and Windows 7 include a new version of PNRP (PNRP v2) that is more scalable and uses less network bandwidth. For PNRP v2 in Windows Vista and Windows 7, Windows Peer-to-Peer Networking applications can access PNRP name publication and resolution functions through a simplified PNRP API that supports the standard name resolution methods used by applications. For IPv6 addresses, applications can use the getaddrinfo() function to resolve the fully qualified domain name (FQDN) name.pnrp.net, in which name is the peer name being resolved. The pnrp.net domain is a reserved domain for PNRP name resolution. The PNRP v2 protocol is incompatible with the PNRP protocol used by computers running Windows XP. Microsoft is investigating the development and release of an update to the Windows Peer-to-Peer Networking features in Windows XP to support PNRP v2.

• People Near Me: People Near Me is a new capability of Windows Peer-to-Peer Networking that allows users to dynamically discover other users on the local subnet and their registered People Near Me–capable applications, as well as to invite users into a collaboration activity easily. The invitation and its acceptance start an application on the invited user's computer, and the two applications can begin participating


PNRP v2 is not backward compatible with earlier versions of the protocol. Although PNRP v2 can coexist on a network with earlier versions, it cannot communicate with PNRP v1 clients.

Services Used by Peer-to-Peer Networking

Windows Peer-to-Peer Networking uses the following services, which by default start manually (Windows will start services automatically as required):

• Peer Name Resolution Protocol (PNRP)
• Peer Networking Grouping
• Peer Networking Identity Manager
• PNRP Machine Name Publication Service

If these services are disabled, some P2P and collaborative applications might not function.

Managing Peer-to-Peer Networking

Windows Peer-to-Peer Networking is a set of tools for applications to use, so it doesn't provide capabilities without an application. You can manage Windows Peer-to-Peer Networking using the Netsh tool or by using Group Policy settings:

• Netsh tool: Commands in the Netsh p2p context will be used primarily by developers creating P2P applications. Systems administrators should not need to troubleshoot or manage Windows Peer-to-Peer Networking directly, so that aspect of the Netsh tool is not discussed further here.

• Group Policy settings: You can configure or completely disable Windows Peer-to-Peer Networking by using the Group Policy settings in Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services. You should need to modify the configuration only if an application has specific, nondefault requirements.

HOW IT WORKS

Peer-to-Peer Name Resolution

In P2P networking, peers use PNRP names to identify computers, users, groups, services, and anything else that should be resolved to an IP address. Peer names can be registered as unsecured or secured. Unsecured names are just automatically generated text strings that are subject to spoofing by a malicious computer that registers the same name. Unsecured names are therefore best used in private or otherwise secure networks. Secured names are signed digitally with a certificate and thus can be registered only by the owner.

PNRP IDs are 256 bits long and are composed of the following:


• The high-order 128 bits, known as the peer-to-peer ID, are a hash of a peer name assigned to the endpoint.

• The low-order 128 bits are used for the service location, which is a generated number that uniquely identifies different instances of the same ID in a cloud. The 256-bit combination of peer-to-peer ID and service location allows multiple PNRP IDs to be registered from a single computer. For each cloud, each peer node manages a cache of PNRP IDs that includes both its own registered PNRP IDs and the entries cached over time.

When a peer needs to resolve a PNRP ID to the address, protocol, and port number, it first examines its own cache for entries with a matching peer ID (in case the client has resolved a PNRP ID for a different service location on the same peer). If that peer is found, the resolving client sends a request directly to the peer.

If the resolving client does not have an entry for the peer ID, it sends requests to other peers in the same cloud, one at a time. If one of those peers has an entry cached, that peer first verifies that the requested peer is connected to the network before resolving the name for the requesting client. While the PNRP request message is being forwarded, its contents are used to populate caches of nodes that are forwarding it. When the response is sent back through the return path, its contents are also used to populate node caches. This name resolution mechanism allows clients to identify each other without a server infrastructure.
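As an added model (not Microsoft's PNRP implementation and not from the Resource Kit), the Python below lays out a 256-bit ID the way the sidebar describes and simulates the resolution path: the local cache first, matching on the peer-to-peer ID half so that a different service location on the same peer still counts, then asking cloud members one at a time while the caches on the request and return path are populated. The hash used for the peer-to-peer ID, the node names and addresses, and the `registered`/`cache` split are assumptions for illustration; the reachability check a peer performs before answering is not modelled.

```python
"""Model of PNRP ID layout and the cache-first, then-ask-the-cloud resolution path."""
import hashlib
import os

MASK128 = (1 << 128) - 1


def peer_to_peer_id(peer_name):
    """High-order 128 bits: a hash of the peer name. The page does not name the hash
    function; SHA-256 truncated to 128 bits is an assumption made for this model."""
    return int.from_bytes(hashlib.sha256(peer_name.encode("utf-8")).digest()[:16], "big")


def new_service_location():
    """Low-order 128 bits: a generated number distinguishing instances of one peer ID."""
    return int.from_bytes(os.urandom(16), "big")


def make_pnrp_id(peer_name, service_location):
    """256-bit PNRP ID = peer-to-peer ID (high 128 bits) | service location (low 128 bits)."""
    return (peer_to_peer_id(peer_name) << 128) | (service_location & MASK128)


def split_pnrp_id(pnrp_id):
    """Inverse of make_pnrp_id: (peer-to-peer ID, service location)."""
    return pnrp_id >> 128, pnrp_id & MASK128


class Node:
    """One peer in a cloud: its own registered IDs plus a cache of IDs learned over time."""

    def __init__(self, name):
        self.name = name
        self.registered = {}   # pnrp_id -> (address, protocol, port)
        self.cache = {}        # pnrp_id -> (address, protocol, port)

    def register(self, pnrp_id, endpoint):
        self.registered[pnrp_id] = endpoint

    def lookup(self, pnrp_id):
        """Exact match first; otherwise any known entry with the same peer-to-peer ID
        (a different service location on the same peer), which is still worth asking directly."""
        known = {**self.cache, **self.registered}
        if pnrp_id in known:
            return known[pnrp_id]
        wanted = split_pnrp_id(pnrp_id)[0]
        for known_id, endpoint in known.items():
            if split_pnrp_id(known_id)[0] == wanted:
                return endpoint
        return None


def resolve(requester, cloud, target_id):
    """Resolve target_id from requester's point of view.
    Returns (endpoint or None, names of the peers that were asked, in order)."""
    hit = requester.lookup(target_id)
    if hit is not None:
        return hit, []
    asked = []
    for node in cloud:
        if node is requester:
            continue
        asked.append(node)
        # The forwarded request carries the requester's own IDs; nodes on the path cache them.
        node.cache.update(requester.registered)
        answer = node.lookup(target_id)
        if answer is not None:
            # The response travels back along the same path and populates those caches too.
            for n in asked:
                n.cache[target_id] = answer
            requester.cache[target_id] = answer
            return answer, [n.name for n in asked]
    return None, [n.name for n in asked]


def cloud_demo():
    """Constructed three-node cloud: alice resolves bob's ID, with carol forwarding."""
    alice, carol, bob = Node("alice"), Node("carol"), Node("bob")
    alice.register(make_pnrp_id("alice.example", 1), ("192.0.2.1", "tcp", 5000))
    bob_id = make_pnrp_id("bob.example", 7)
    bob.register(bob_id, ("192.0.2.2", "tcp", 5000))
    cloud = [alice, carol, bob]
    first = resolve(alice, cloud, bob_id)
    second = resolve(alice, cloud, bob_id)   # now answered from alice's own cache
    # A different service location on the same peer still resolves via the peer-to-peer ID half.
    sibling = alice.lookup(make_pnrp_id("bob.example", 99))
    return {"first": first, "second": second, "sibling": sibling,
            "carol_learned_bob": bob_id in carol.cache}


if __name__ == "__main__":
    print(cloud_demo())
```

Because every node on the forwarding path caches what passes through it, a spoofed unsecured name (the sidebar's warning) spreads through the cloud the same way a legitimate one does; the digitally signed secured names the sidebar describes are what tie an ID to its owner.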

EAPHost Architecture

For easier development of EAP authentication methods for IEEE 802.1X-authenticated wireless connections, Windows Vista and Windows 7 support a new EAP architecture called EAPHost. EAPHost provides the following features that are not supported by the EAP implementation in earlier versions of Windows:

• Network Discovery: EAPHost supports Network Discovery as defined in the "Identity selection hints for Extensible Authentication Protocol (EAP)" Internet draft.

• RFC 3748 compliance: EAPHost will conform to the EAP State Machine and address a number of security vulnerabilities that are specified in RFC 3748. In addition, EAPHost will support additional capabilities such as Expanded EAP Types (including vendor-specific EAP methods).

• EAP method coexistence: EAPHost allows multiple implementations of the same EAP method to coexist simultaneously. For example, the Microsoft version of Protected EAP (PEAP) and the Cisco Systems, Inc. version of PEAP can be installed and selected.

• Modular supplicant architecture: In addition to supporting modular EAP methods,


For EAP method vendors, EAPHost provides support for EAP methods already developed for Windows Server 2003 and Windows XP, as well as an easier method of developing new EAP methods. Certified EAP methods can be distributed with Windows Update. EAPHost also allows better classification of EAP types so that the built-in 802.1X- and PPP-based Windows supplicants can use them.

For supplicant method vendors, EAPHost provides support for modular and pluggable supplicants for new link layers. Because EAPHost is integrated with NAP, new supplicants do not have to be NAP aware. To participate in NAP, new supplicants only need to register a connection identifier and a callback function that informs the supplicant to re-authenticate.

For more information, read "EAPHost in Windows" at http://technet.microsoft.com/en-us/magazine/cc162364.aspx.

Layered Service Provider (LSP)

The Windows Sockets (Winsock) Layered Service Provider (LSP) architecture resides between the Winsock dynamic-link library (DLL), which applications use to communicate on the network, and the Winsock kernel-mode driver (Afd.sys), which communicates with network adapter drivers. LSPs are used in several categories of applications, including:

• Proxy and firewalls
• Content filtering
• Virus scanning
• Adware and other network data manipulators
• Spyware and other data-monitoring applications
• Security, authentication, and encryption

Windows Vista and Windows 7 include several improvements to LSPs to enable more powerful network applications and better security:

• Adding and removing LSPs is logged to the System Event Log. Administrators can use these events to determine which application installed an LSP and to troubleshoot failed LSP installations.

• A new installation API (WSCInstallProviderAndChains) provides simpler, more reliable

Windows Sockets Direct Path for System Area Networks

Windows Sockets Direct (WSD) enables Winsock applications that use TCP/IP to obtain the performance benefits of system area networks (SANs) without application modifications. SANs are a type of high-performance network often used for computer clusters.


WSD allows communications across a SAN to bypass the TCP/IP protocol stack, taking advantage of the reliable, direct communications provided by a SAN. In Windows Vista and Windows 7, this is implemented by adding a virtual switch between Winsock and the TCP/IP stack. This switch has the ability to examine traffic and pass communications to a SAN Winsock provider, bypassing TCP/IP entirely. Figure 25-13 illustrates this architecture.

[Figure 25-13, diagram not reproduced here; its components across the user/kernel boundary are: Application, Winsock, Switch, SAN Winsock Provider, Base Winsock Provider, TCP/IP, SAN Winsock Driver, SAN NDIS Miniport, SAN Network Adapter.]

Figure 25-13 WSD enables improved performance across SANs by selectively bypassing TCP/IP using a virtual switch.

How to Configure Wireless Settings

Users want to stay constantly connected to their networks, and wireless LANs and wireless WANs are beginning to make that possible. However, managing multiple network connections can be challenging, and users often have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support cost and user frustration. You can reduce this by configuring client computers to connect to preferred wireless networks.

Windows will connect automatically to most wired networks. Wireless networks, however, require configuration before Windows will connect to them. You can connect Windows computers to wireless networks in three different ways:

• Manually: Windows 7 includes a new user interface that makes it simple to connect to wireless networks. You can use this interface to manually configure intranet-based


• Using Group Policy: Group Policy settings are the most efficient way to configure any number of computers running Windows in your organization to connect to your internal wireless networks.

• From the command line or by using scripts: Using the Netsh tool and commands in the netsh wlan context, you can export existing wireless network profiles, import them into other computers, connect to available wireless networks, or disconnect a wireless network.

After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X authentication at the appropriate time based on the network security configuration, while simply and seamlessly integrating with the user's Windows logon experience. The following sections describe each of these configuration techniques.

Configuring Wireless Settings Manually

Windows 7 makes it very easy to connect to a wireless network using the enhanced View Available Networks (VAN) feature included in the platform. For example, to configure a wireless network that is currently available, follow these steps:

1. Click the networking icon in the notification area.

Note: The WLAN AutoConfig service must be started for wireless networks to be available. This service by default is set to start automatically.

2. Click the network to which you want to connect and then click Connect, as shown in Figure 25-14.

Figure 25-14 The Network Connection Details dialog box provides graphical access to IP configuration settings.


Note: A network that is configured not to broadcast an SSID will appear as an Unnamed Network, allowing you to connect to the network.

3. If the network is encrypted, provide the encryption key.

Why Disabling SSID Broadcasting Doesn't Improve Security

Wireless networks broadcast an SSID that specifies the network name to help users who have not connected to the network previously find it. However, disabling the SSID broadcast does not increase security, because the tools that a malicious attacker might use to find and connect to your wireless network do not rely on SSID broadcasts. The SSID broadcast does make it easier for legitimate users to find and connect to your wireless networks. So by disabling the broadcast of the SSID, you can negatively affect the people whom you do want to be able to connect.

Using Group Policy to Configure Wireless Settings

In AD DS environments, you can use Group Policy settings to configure wireless network policies. For best results, you should have Windows Server 2003 SP1 or later installed on your domain controllers because Microsoft extended support for wireless Group Policy settings when they released SP1.

Before you can use Group Policy to configure wireless networks, you need to extend the AD DS schema using the 802.11Schema.ldf file included on this book's companion media. If you do not have access to the companion media, you can copy the schema file from http://technet.microsoft.com/en-us/library/bb727029.aspx. To extend the schema, follow these steps:

1. Copy the 802.11Schema.ldf file to a folder on a domain controller.

2. Log on to the domain controller with Domain Admin privileges and open a command prompt.

3. Select the folder containing the 802.11Schema.ldf file and run the following command (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; an example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain):

ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

4. Restart the domain controller.

After you extend the schema, you can configure a wireless network policy by


2. Expand Computer Configuration, Windows Settings, Security Settings, and then click Wireless Network (IEEE 802.11) Policies.

3. Right-click Wireless Network (IEEE 802.11) Policies and then click Create A New Windows Vista Policy. The Wireless Network Properties dialog box appears.

4. To add an infrastructure network, click Add and then click Infrastructure to open the Connection tab of the New Profile Properties dialog box. In the Network Names list, click NEWSSID and then click Remove. Then, type a valid internal SSID in the Network Names box and click Add. Repeat this to configure multiple SSIDs for a single profile. If the network is hidden, select the Connect Even If The Network Is Not Broadcasting check box.

5. On the New Profile Properties dialog box, click the Security tab. Use this tab to configure the wireless network authentication and encryption settings. Click OK.

Note: This resource kit does not cover how to design wireless networks. However, you should avoid using Wired Equivalent Privacy (WEP) whenever possible. WEP is vulnerable to several different types of attack, and WEP keys can be difficult to change. Whenever possible, use WPA or WPA2, which both use strong authentication and dynamic encryption keys.

The settings described in the previous process will configure client computers to connect automatically to your internal wireless networks and to not connect to other wireless networks.

Configuring Wireless Settings from the Command Line or a Script

You can also configure wireless settings using commands in the netsh wlan context of the Netsh command-line tool, which enables you to create scripts that connect to different wireless networks (whether encrypted or not). To list available wireless networks, run the following command:

Netsh wlan show networks

Interface Name : Wireless Network Connection
There are 2 networks currently visible.

SSID 1 : Litware
    Network Type            : Infrastructure
    Authentication          : Open
    Encryption              : None

SSID 1 : Contoso
    Network Type            : Infrastructure
    Authentication          : Open
    Encryption              : WEP


Before you can connect to a wireless network using Netsh, you must have a profile saved for that network. Profiles contain the SSID and security information required to connect to a network. If you have previously connected to a network, the computer will have a profile for that network saved. If a computer has never connected to a wireless network, you need to save a profile before you can use Netsh to connect to it. You can save a profile from one computer to an Extensible Markup Language (XML) file and then distribute the XML file to other computers in your network. To save a profile, run the following command after manually connecting to a network:

Netsh wlan export profile name="SSID"

Interface profile "SSID" is saved in file ".\Wireless Network Connection-SSID.xml" successfully.

Before you can connect to a new wireless network, you can load a profile from a file. The following example demonstrates how to create a wireless profile (which is saved as an XML file) from a script or the command line:

Netsh wlan add profile filename="C:\profiles\contoso1.xml"

Profile contoso1 is added on interface Wireless Network Connection.
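Profiles exported this way are plain XML, which makes them easy to review before you distribute them. As an added example (not from the Resource Kit and not Microsoft's tooling), the Python below reads the fields of a WLAN profile that matter for a security check and flags open or WEP networks, hidden-SSID profiles (which, as the sidebar above explains, buy no security), and a pre-shared key stored in cleartext. The element names follow the schema of the files netsh writes (namespace http://www.microsoft.com/networking/WLAN/profile/v1); the profile text itself is constructed, not a real export.

```python
"""Audit a netsh-exported WLAN profile for weak security settings before distributing it."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

# Constructed sample in the shape of a 'netsh wlan export profile' file; not a real export.
SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>Contoso1</name>
  <SSIDConfig>
    <SSID><name>Contoso1</name></SSID>
    <nonBroadcast>true</nonBroadcast>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>open</authentication>
        <encryption>WEP</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>networkKey</keyType>
        <protected>false</protected>
        <keyMaterial>0123456789</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""


def parse_profile(xml_text):
    """Pull the fields that matter for a security review out of the profile XML."""
    root = ET.fromstring(xml_text)

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    sec = "w:MSM/w:security/"
    return {
        "name": text("w:name"),
        "ssid": text("w:SSIDConfig/w:SSID/w:name"),
        "non_broadcast": text("w:SSIDConfig/w:nonBroadcast") == "true",
        "connection_mode": text("w:connectionMode"),
        "authentication": text(sec + "w:authEncryption/w:authentication"),
        "encryption": text(sec + "w:authEncryption/w:encryption"),
        "use_onex": text(sec + "w:authEncryption/w:useOneX") == "true",
        "key_protected": text(sec + "w:sharedKey/w:protected") == "true",
        "has_key": text(sec + "w:sharedKey/w:keyMaterial") is not None,
    }


def audit_profile(profile):
    """Return (code, message) findings; an empty list means nothing to flag."""
    findings = []
    enc = profile["encryption"]
    if enc in (None, "none"):
        findings.append(("OPEN", "no encryption: traffic is readable by anyone in range"))
    elif enc == "WEP":
        findings.append(("WEP", "WEP is vulnerable to attack and its keys are hard to rotate; use WPA or WPA2"))
    if profile["has_key"] and not profile["key_protected"]:
        findings.append(("CLEARKEY", "pre-shared key is stored in cleartext; treat the file as a secret"))
    if profile["non_broadcast"]:
        findings.append(("HIDDEN", "hidden SSID gives no security benefit and slows legitimate clients"))
    if profile["connection_mode"] == "auto" and findings:
        findings.append(("AUTO", "profile auto-connects, so the weak settings are used without user action"))
    return findings


if __name__ == "__main__":
    for code, message in audit_profile(parse_profile(SAMPLE_PROFILE)):
        print(code, message)
```

netsh writes the key in cleartext (protected set to false) only when you export with key=clear; a profile that has to carry a key to other computers therefore needs that option, and the file should be handled as a secret until it is imported and deleted. The CLEARKEY finding exists to catch such a file left lying on a share.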

To connect to a wireless network quickly, use the netsh wlan connect command and specify a wireless profile name (which must be configured or added previously). The following examples demonstrate different but equivalent syntaxes for connecting to a wireless network with the Contoso1 SSID:

Netsh wlan connect Contoso1
Connection request is received successfully.

Netsh wlan connect Contoso1 interface="Wireless Network Connection"
Connection request is received successfully.

Note that you need to specify the interface name only if you have multiple wireless network adapters, an uncommon situation. You can use the following command to disconnect from all wireless networks:

Netsh wlan disconnect
Disconnection request is received successfully.


You can use scripts and profiles to simplify the process of connecting to private wireless networks for your users. Ideally, you should use scripts and profiles to save users from ever needing to type wireless security keys.

You can also use Netsh to allow or block access to wireless networks based on their SSIDs. For example, the following command allows access to a wireless network with the Contoso1 SSID:

Netsh wlan add filter permission=allow ssid=Contoso networktype=infrastructure

Similarly, the following command blocks access to the Fabrikam wireless network:

Netsh wlan add filter permission=block ssid=Fabrikam networktype=adhoc

To block all ad hoc networks, use the Denyall permission, as the following example demonstrates:

Netsh wlan add filter permission=denyall networktype=adhoc

To prevent Windows from automatically connecting to wireless networks, run the following command:

Netsh wlan set autoconfig enabled=no interface="Wireless Network Connection"

You can also use Netsh to define the priority of user profiles (but not Group Policy profiles). Group Policy profiles always have precedence over user profiles. The following example demonstrates how to configure Windows to connect automatically to the wireless network defined by the Contoso profile before connecting to the wireless network defined by the Fabrikam profile:

Netsh wlan set profileorder name=Contoso interface="Wireless Network Connection" priority=1
Netsh wlan set profileorder name=Fabrikam interface="Wireless Network Connection" priority=2

Netsh has many other commands for configuring wireless networking. For more information, run the following at a command prompt:

Netsh wlan help

Note: When troubleshooting problems connecting to wireless networks, open Event Viewer and browse the Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig event log. You can also use this log to determine the wireless networks to which a client is connected, which might be useful when identifying the source of a security compromise. For more information, see Chapter 31.


How to Configure TCP/IP

You can use several different techniques to configure TCP/IP Most environments use DHCP

to provide basic settings Alternatively, you can configure TCP/IP settings manually using graphical tools Finally, some settings are configured most easily using scripts that call command-line tools such as Netsh You can use logon scripts to automate command-line configuration The following sections describe each of these configuration techniques

note For wireless networks, you will need to first connect the wireless adapter to the wireless network and then configure the TCp/Ip settings However, wireless networks almost always have a DHCp server available.

DHCp

Almost all client computers should be configured using DHCP With DHCP, you configure

a DHCP server (such as a computer running Windows Server 2003) to provide IP addresses and network configuration settings to client computers when they start up Windows 7 and all recent Windows operating systems are configured to use DHCP by default, so you can configure network settings by simply setting up a DHCP server and connecting a computer to the network

As the number of mobile computers, traveling users, and wireless networks has increased, so has the importance of DHCP. Because computers may have to connect to several different networks, manually configuring network settings would require users to make changes each time they connected to a network. With DHCP, the DHCP server on the local network provides the correct settings when the client connects.

Some of the configuration settings you can configure with DHCP include the following:

• IP address: Identifies a computer on the network.

• Default gateway: Identifies the router that the client computer will use to send traffic to other networks.

• DNS servers: The name servers the client uses to resolve the host names of other computers.

• WINS servers: The Microsoft NetBIOS name servers used to identify specific computers on the network.

• Boot server: Used for loading an operating system across the network when configuring new computers or starting diskless workstations.

Clients use the following process to retrieve DHCP settings:

1. The client computer transmits a DHCPDiscover broadcast packet on the local network.


2. DHCP servers receive this broadcast packet and send a DHCPOffer packet back to the client computer. This packet includes the IP address configuration information. If more than one DHCP server is on the local network, the client computer might receive multiple DHCPOffer packets.

3. The client computer broadcasts a DHCPRequest packet that names the single DHCP server whose offer it accepts (in the Server Identifier option) and requests the use of those configuration settings. Because the request is broadcast, the other DHCP servers that sent a DHCPOffer will see it and know that they no longer need to reserve an IP address for the client.

4. Finally, the selected DHCP server sends a DHCPACK packet to acknowledge that the IP address has been leased to the client for a specific amount of time. The client can now begin using the IP address settings.

In addition, client computers will attempt to renew their IP addresses after half the DHCP lease time has expired. By default, computers running Windows Server 2003 have a lease time of eight days. Therefore, client computers running Windows attempt to renew their DHCP settings after four days and will retrieve updated settings if you have made any changes to the DHCP server. If the server that issued the lease does not respond, the client broadcasts its renewal request to any DHCP server once 87.5 percent of the lease time has elapsed (seven days of an eight-day lease) and, if that also fails, stops using the address when the lease expires.

Because client computers retrieve new DHCP settings each time they start up, connect to a new network, or renew a DHCP lease, you have the opportunity to change configuration settings with only a few days' notice. Therefore, if you need to replace a DNS server and you want to use a new IP address, you can add the new address to your DHCP server settings, wait eight days for client computers to renew their DHCP leases and acquire the new settings, and then have a high level of confidence that client computers will have the new server's IP address before shutting down the old DNS server.
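The four-step exchange above, and the renewal (50 percent) and rebinding (87.5 percent) points of the lease, carried through in working code. This is an added example, not code from the Resource Kit: it builds and parses real DHCPv4 messages (RFC 2131 header, RFC 2132 options) and runs the DISCOVER/OFFER/REQUEST/ACK exchange in-process against two toy servers, so you can see the second server drop its reservation when the broadcast DHCPRequest names the other one. The MAC address, transaction ID, addresses and the eight-day lease are constructed values.

```python
"""DHCPv4 message builder/parser and an in-process DISCOVER/OFFER/REQUEST/ACK
exchange (RFC 2131/2132).  Added example; not code from the Resource Kit.
The MAC address, transaction ID, addresses and lease lengths are constructed."""
import struct
import ipaddress

# Option codes from RFC 2132
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS = 1, 3, 6
OPT_REQUESTED_IP, OPT_LEASE_TIME, OPT_MSG_TYPE = 50, 51, 53
OPT_SERVER_ID, OPT_T1, OPT_T2, OPT_END = 54, 58, 59, 255
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"      # fixed 236-byte BOOTP header


def ip2b(ip):
    return ipaddress.IPv4Address(ip).packed


def build_message(op, xid, chaddr, options, yiaddr="0.0.0.0", flags=0x8000):
    """Serialize one DHCP message.  flags=0x8000 is the broadcast bit: a client
    that has no address yet asks the server to broadcast the reply."""
    zero = ip2b("0.0.0.0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, flags, zero, ip2b(yiaddr), zero,
                      zero, chaddr, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC_COOKIE + body + bytes([OPT_END])


def parse_message(data):
    """Return the fields a client cares about plus a {option code: bytes} map."""
    f = struct.unpack(HDR, data[:236])
    if data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(data) and data[i] != OPT_END:
        if data[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        code, length = data[i], data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "flags": f[6], "chaddr": f[11][:6],
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "options": options}


class DhcpServer:
    """Toy server with a single address to hand out; the lease length mirrors
    the eight-day default the chapter describes."""

    def __init__(self, server_ip, offered_ip, mask, router, dns, lease_seconds):
        self.server_ip, self.offered_ip, self.lease = server_ip, offered_ip, lease_seconds
        self.mask, self.router, self.dns = mask, router, dns
        self.reserved, self.leases = {}, {}   # xid -> ip, chaddr -> ip

    def _reply(self, msg_type, req):
        return build_message(BOOTREPLY, req["xid"], req["chaddr"], [
            (OPT_MSG_TYPE, bytes([msg_type])),
            (OPT_SERVER_ID, ip2b(self.server_ip)),
            (OPT_LEASE_TIME, struct.pack("!I", self.lease)),
            (OPT_T1, struct.pack("!I", self.lease // 2)),       # renew at 50 %
            (OPT_T2, struct.pack("!I", self.lease * 7 // 8)),   # rebind at 87.5 %
            (OPT_SUBNET_MASK, ip2b(self.mask)),
            (OPT_ROUTER, ip2b(self.router)),
            (OPT_DNS, ip2b(self.dns)),
        ], yiaddr=self.offered_ip, flags=req["flags"])

    def handle(self, data):
        """Process one client message; returns the reply bytes or None."""
        req = parse_message(data)
        kind = req["options"][OPT_MSG_TYPE][0]
        if kind == DISCOVER:
            self.reserved[req["xid"]] = self.offered_ip
            return self._reply(OFFER, req)
        if kind == REQUEST:
            # The REQUEST is broadcast; option 54 says which server was chosen.
            if req["options"].get(OPT_SERVER_ID) != ip2b(self.server_ip):
                self.reserved.pop(req["xid"], None)   # not us: free the reservation
                return None
            self.leases[req["chaddr"]] = self.reserved.pop(req["xid"], self.offered_ip)
            return self._reply(ACK, req)
        return None


def dora(servers, chaddr=bytes.fromhex("0015c50882f3"), xid=0x3903F326):
    """Client side of the exchange on a segment with several servers.  Returns
    the configuration the client ends up with."""
    discover = build_message(BOOTREQUEST, xid, chaddr, [(OPT_MSG_TYPE, bytes([DISCOVER]))])
    offers = [parse_message(r) for r in (s.handle(discover) for s in servers) if r]
    chosen = offers[0]                        # Windows takes the first offer it receives
    request = build_message(BOOTREQUEST, xid, chaddr, [
        (OPT_MSG_TYPE, bytes([REQUEST])),
        (OPT_REQUESTED_IP, ip2b(chosen["yiaddr"])),
        (OPT_SERVER_ID, chosen["options"][OPT_SERVER_ID]),
    ])
    acks = [parse_message(r) for r in (s.handle(request) for s in servers) if r]
    if len(acks) != 1:
        raise RuntimeError("expected exactly one DHCPACK, got %d" % len(acks))
    o = acks[0]["options"]
    u32 = lambda code: struct.unpack("!I", o[code])[0]
    return {"ip": acks[0]["yiaddr"],
            "mask": str(ipaddress.IPv4Address(o[OPT_SUBNET_MASK])),
            "gateway": str(ipaddress.IPv4Address(o[OPT_ROUTER])),
            "dns": str(ipaddress.IPv4Address(o[OPT_DNS])),
            "server": str(ipaddress.IPv4Address(o[OPT_SERVER_ID])),
            "lease_seconds": u32(OPT_LEASE_TIME),
            "renew_after_seconds": u32(OPT_T1),
            "rebind_after_seconds": u32(OPT_T2)}
```

Constructing two DhcpServer instances and calling dora([s1, s2]) returns a dict with the leased address, gateway, DNS server, the 691,200-second lease and the 4-day and 7-day renewal and rebinding offsets; afterward only the chosen server holds a lease for the client's MAC address. The messages are byte-exact enough to feed to a packet dissector, which is a convenient way to check what a real client on the wire should be sending.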

If a client computer does not receive a DHCP address and an alternate IP address configuration has not been manually configured, Windows client computers automatically configure themselves with a randomly selected Automatic Private IP Addressing (APIPA) address in the 169.254.0.0/16 range (169.254.1.0 through 169.254.254.255; the first and last 256 addresses of the block are reserved by RFC 3927). If more than one computer running Windows on a network has an APIPA address, the computers will be able to communicate with each other. However, APIPA has no default gateway, so client computers will not be able to connect to the Internet, to other networks, or to computers with non-APIPA addresses. For information about IPv6, refer to Chapter 28.

You can use the following techniques to determine whether a client has been assigned an IP address and to troubleshoot DHCP-related problems:

• IPConfig: From a command line, run IPConfig /all to view the current IP configuration. If the client has a DHCP-assigned IP address, the DHCP Enabled property will be set to Yes, and the DHCP Server property will have an IP address assigned, as the following example demonstrates.

Ipconfig /all

Windows IP Configuration

   Host Name : Win7
   Primary Dns Suffix : hq.contoso.com
   Node Type : Hybrid
   IP Routing Enabled : No
   WINS Proxy Enabled : No
   DNS Suffix Search List : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix : contoso.com
   Description : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address : 00-15-C5-08-82-F3
   DHCP Enabled : Yes
   Autoconfiguration Enabled : Yes
   Link-local IPv6 Address : fe80::a1f2:3425:87f6:49c2%10(Preferred)
   IPv4 Address : 192.168.1.242(Preferred)
   Subnet Mask : 255.255.255.0
   Lease Obtained : Sunday, August 20, 2006 11:12:44 PM
   Lease Expires : Monday, August 28, 2006 11:12:44 PM
   Default Gateway : 192.168.1.1
   DHCP Server : 192.168.1.210
   DNS Servers : 192.168.1.210
   NetBIOS over Tcpip : Enabled

Note: If you are troubleshooting a client connectivity problem and notice that the IP address begins with 169.254, the DHCP server was not available when the client computer started. Verify that the DHCP server is available and the client computer is properly connected to the network. Then, issue the ipconfig /release and ipconfig /renew commands to acquire a new IP address. For more information about troubleshooting network connections, see Chapter 31.

• Network And Sharing Center: In Network And Sharing Center, click the name of the connection (such as Local Area Connection) to open the connection status. Then, click Details to open the Network Connection Details dialog box, as shown in Figure 25-15. This dialog box provides similar information to that displayed by the IPConfig /all command.


Figure 25-15: The Network Connection Details dialog box provides graphical access to IP configuration settings.

• Event Viewer: Open Event Viewer and browse the Windows Logs\System event log. Look for events with a source of Dhcp-Client for IPv4 addresses or DHCPv6-Client for IPv6 addresses. Although this technique is not useful for determining the active configuration, it can reveal problems that occurred in the past.
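The checks described above (DHCP Enabled and DHCP Server set, an address starting with 169.254, the lease window) are easy to script when you have to look at many machines. The following is an added example, not code from the Resource Kit: it parses ipconfig /all output and classifies each adapter as DHCP-leased (reporting when the client will try to renew and rebind), APIPA fallback, or static. SAMPLE reproduces the Local Area Connection listing from the chapter; the wireless adapter in it is constructed to show what an APIPA fallback looks like. On a live machine you would feed it the output of subprocess.run(["ipconfig", "/all"]).

```python
"""Parse the output of ipconfig /all and classify each adapter's IPv4 state:
DHCP lease (with the renewal and rebinding points), APIPA fallback, or static.
Added example, not from the Resource Kit.  SAMPLE reproduces the chapter's
listing for Local Area Connection; the wireless adapter is constructed to
show what an APIPA fallback looks like."""
import re
import ipaddress
from datetime import datetime

APIPA = ipaddress.ip_network("169.254.0.0/16")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"     # ipconfig's lease timestamp format
PROP = re.compile(r"^\s+([A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(.*)$")

SAMPLE = """\
Windows IP Configuration

   Host Name : Win7
   Primary Dns Suffix : hq.contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix : contoso.com
   Physical Address : 00-15-C5-08-82-F3
   DHCP Enabled : Yes
   Autoconfiguration Enabled : Yes
   IPv4 Address : 192.168.1.242(Preferred)
   Subnet Mask : 255.255.255.0
   Lease Obtained : Sunday, August 20, 2006 11:12:44 PM
   Lease Expires : Monday, August 28, 2006 11:12:44 PM
   Default Gateway : 192.168.1.1
   DHCP Server : 192.168.1.210
   DNS Servers : 192.168.1.210

Wireless LAN adapter Wireless Network Connection:

   Physical Address : 00-1B-77-4A-90-2C
   DHCP Enabled : Yes
   Autoconfiguration Enabled : Yes
   Autoconfiguration IPv4 Address : 169.254.17.88(Preferred)
   Subnet Mask : 255.255.0.0
   Default Gateway :
"""


def parse_ipconfig(text):
    """Return {adapter name: {property: value}}.  Adapter headers are the
    unindented lines ending in ':'; properties are the indented 'Name : value'
    lines (dot leaders, as in real ipconfig output, are tolerated)."""
    adapters, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            current = adapters.setdefault(line[:-1], {})
            continue
        m = PROP.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return adapters


def diagnose(props):
    """Classify one adapter the way the chapter's troubleshooting note does."""
    raw = props.get("IPv4 Address") or props.get("Autoconfiguration IPv4 Address", "")
    addr = raw.split("(")[0].strip()          # drop the "(Preferred)" suffix
    if not addr:
        return {"state": "no-ipv4"}
    if ipaddress.ip_address(addr) in APIPA:
        return {"state": "apipa", "address": addr,
                "action": "DHCP server unreachable at startup; verify connectivity, "
                          "then run ipconfig /release and ipconfig /renew"}
    if props.get("DHCP Enabled") == "Yes" and props.get("DHCP Server"):
        obtained = datetime.strptime(props["Lease Obtained"], LEASE_FMT)
        expires = datetime.strptime(props["Lease Expires"], LEASE_FMT)
        lease = expires - obtained
        return {"state": "dhcp", "address": addr, "server": props["DHCP Server"],
                "lease_days": lease.total_seconds() / 86400,
                "renew_at": (obtained + lease / 2).isoformat(sep=" "),      # 50 %
                "rebind_at": (obtained + lease * 7 / 8).isoformat(sep=" ")}  # 87.5 %
    return {"state": "static", "address": addr}


def report(text=SAMPLE):
    """Diagnose every adapter in an ipconfig /all listing."""
    return {name: diagnose(props) for name, props in parse_ipconfig(text).items()}
```

For the chapter's listing, report() shows the wired adapter holding an eight-day lease from 192.168.1.210 that will be renewed on August 24 and rebound on August 27, and flags the constructed wireless adapter as an APIPA fallback with the release/renew action from the note above. A static adapter is reported as such rather than mistaken for a DHCP failure.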

Configuring IP Addresses Manually

The alternative to using DHCP is to configure IP address settings manually. However, because of the time required to configure settings, the likelihood of making a configuration error, and the challenge of connecting new computers to a network, manually configuring IP addresses is rarely the best choice for client computers.

To configure an IPv4 address manually, follow these steps:

1. Click the network icon in the notification area and then click Open Network And Sharing Center.

2. Click Change Adapter Settings.

3. Right-click the network adapter and then click Properties.

4. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.

5. If you always want to use manually configured network settings, click the General tab and then click Use The Following IP Address. If you want to use manually configured network settings only when a DHCP server is not available, click the Alternate Configuration tab and then click User Configured. Then, configure the computer's IP address, default gateway, and DNS servers.

6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.

You should rarely need to configure an IPv6 address manually because IPv6 is designed to configure itself automatically. For more information about IPv6 autoconfiguration, refer to Chapter 28. To configure an IPv6 address manually, follow these steps:

1. Click the network icon in the notification area and then click Open Network And Sharing Center.

2. Click Change Adapter Settings.

3. Right-click the network adapter and then click Properties.

4. In the Properties dialog box, click Internet Protocol Version 6 (TCP/IPv6) and then click Properties.

5. Click Use The Following IPv6 Address and configure the computer's IP address, subnet prefix length, default gateway, and DNS servers. TCP/IPv6 does not support an alternate configuration, as TCP/IPv4 does.

6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.

You can prevent users from accessing these graphical tools. Most important settings require administrative credentials, so simply not giving users local administrator access to their computers will prevent them from making most important changes. You can also use the Group Policy settings located in User Configuration\Policies\Administrative Templates\Network\Network Connections to restrict the user interface further (but this will not necessarily prevent a user from using other tools to make changes).

Command Line and Scripts

You can also configure network settings from the command line or from a script using the Netsh tool and commands in the Netsh interface ipv4 or Netsh interface ipv6 contexts. For example, to configure the standard network interface to use DHCP and to use the DNS servers provided by DHCP, you could issue the following commands.

Netsh interface ipv4 set address "Local Area Connection" dhcp
Netsh interface ipv4 set dnsserver "Local Area Connection" dhcp


Note: Windows XP also included the Netsh tool. However, the Windows XP version of Netsh uses different commands. For example, you would use netsh interface ip set dns to configure DNS settings for a computer running Windows XP instead of netsh interface ipv4 set dnsserver, which you use to configure DNS settings for a computer running Windows Vista or Windows 7. However, Netsh in Windows Vista and Windows 7 is backward compatible and will accept the older, Windows XP-compatible syntax.

Because DHCP is the default setting for network adapters, it is more likely that you will need to use Netsh commands to configure a static IP address. The following commands demonstrate how to do this for IPv4.

Netsh interface ipv4 set address "Local Area Connection" source=static address=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1

Netsh interface ipv4 set dnsserver "Local Area Connection" source=static address=192.168.1.2 register=primary

The following commands demonstrate configuring a static IP address and DNS server configuration for IPv6

Netsh interface ipv6 set address "Local Area Connection" address=2001:db8:3fa8:102a::2
Netsh interface ipv6 set dnsserver "Local Area Connection" source=static address=2001:db8:3fa8:1719::1 register=primary

You should avoid using scripts to configure production client computers because they are not tolerant of varying hardware configurations and because DHCP provides most of the configuration capabilities required for production networks. However, scripts can be useful for quickly changing the network configuration of computers in lab environments. Instead of manually writing Netsh commands, you can configure a computer using graphical tools and use the Netsh tool to generate a configuration script.

Note: You can generate a configuration script that can be run from within Netsh by running the command netsh interface dump > script_filename. You can then apply that script using the command netsh -f script_filename.

Netsh provides the ability to configure almost any aspect of Windows 7 networking For detailed instructions, refer to Windows Help And Support or run the following command from a command prompt

Netsh ?


Direct from the Source

Automate Network Interface Card Configuration Using Netsh

Don Baker, Premier Field Engineer

Windows Platform

During the years I worked as a consultant, it was not uncommon to connect my laptop to several different networks in the same day. In some cases, they were DHCP-enabled, so connection was easy. For others, I would have to configure the network adapter manually. Ugh!

Enter the Netsh commands. You can use the Netsh command to modify the network configuration on computers running Windows 2000 and later versions. It's not the friendliest syntax to use, but it is a real time-saver once you learn to use it. The following sample scripts use Netsh to set STATIC IP entries on an adapter and to set the adapter back to DHCP mode so the settings can be obtained automatically. To use the code, type it into a batch file, modify "name=" to the name of the adapter in quotation marks, and change the IP addresses.

Static IP

netsh interface ipv4 set address name="Wireless Network Connection" source=static addr=192.168.0.100 mask=255.255.255.0 gateway=192.168.0.250 gwmetric=0
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=static addr=192.168.0.2 register=NONE
REM netsh interface ipv4 set wins name="Wireless Network Connection" source=static addr=10.217.27.9
REM OR if no WINS server
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /all

DHCP

netsh interface ipv4 set address name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /renew "Wireless Network Connection"
ipconfig /all


How to Connect to AD DS Domains

Most organizations with more than a few client computers running Windows should use an AD DS domain to simplify managing the computers. Typically, joining clients to a domain is one of the first steps in configuring a computer. The process you should use is slightly different if you have 802.1X authentication enabled.

How to Connect to a Domain When 802.1X Authentication Is Not Enabled

For networks without 802.1X authentication, follow these steps to join a domain:

1. Click Start. Right-click Computer and then click Properties.

2. Under Computer Name, Domain, And Workgroup Settings, click Change Settings.

3. From the System Properties dialog box, click Network ID.

4. The Join A Domain Or Workgroup Wizard appears. Select This Computer Is Part Of A Business Network; I Use It To Connect To Other Computers At Work. Click Next.

5. On the Is Your Company Network On A Domain? page, click My Company Uses A Network With A Domain. Click Next.

6. On the You Will Need The Following Information page, verify that you have domain credentials available and that you know the domain name. Click Next.

7. On the Type Your User Name, Password, And Domain Name For Your Domain Account page, provide your domain credentials. Click Next.

8. If the Type The Computer Name And Computer Domain Name page appears, type the computer and domain name. Then click Next.

9. If prompted, type a user name, password, and domain. Click OK.

10. On the Do You Want To Enable A Domain User Account On This Computer? page, click Do Not Add A Domain User Account. Click Next.

11. Click Finish.

12. Click OK and then restart the computer when prompted.

If you experience problems joining a domain, see Chapter 31.

How to Connect to a Domain When 802.1X Authentication Is Enabled

For networks with 802.1X authentication, joining a domain is slightly more complicated. During 802.1X authentication, the client authenticates the server's identity by ensuring that the server certificate is valid and was issued by a trusted certification authority (CA). However, if you used an internal CA (such as one hosted by Windows Server 2003 Certificate Services) to issue the server certificate, the CA will not be trusted by default until the computer joins a domain. Therefore, to join the domain, you must temporarily configure the client computer to ignore the 802.1X authentication server's certificate. While server certificate validation is disabled, the client will complete the PEAP exchange with any authentication server that answers, so perform the join on a network you control and re-enable validation as soon as the computer has joined the domain.

Note: If you have configured your 802.1X authentication servers with a server certificate issued by a public CA that is trusted by Windows by default, you can leave the Validate Server Certificate check box selected.

To join a domain with 802.1X authentication enabled, follow these steps:

1. Start the Services console, start the Wired AutoConfig service, and set the Wired AutoConfig service to start automatically.

2. Open Network And Sharing Center and then click Change Adapter Settings.

3. Right-click the network adapter and then click Properties.

4. In the Properties dialog box, click the Authentication tab. Click the Choose A Network Authentication Method list and then click Microsoft: Protected EAP (PEAP).

5. Click Settings. In the Protected EAP (PEAP) Properties dialog box, clear the Validate Server Certificate check box. Click OK twice.

6. Follow the standard instructions for joining the computer to a domain, as described in the previous section.

7. After the computer has joined the domain and is restarted, perform steps 2 through 5 again. This time, in step 5, select the Validate Server Certificate check box.

To automate this process partially, configure a computer running Windows 7 to not validate the server certificate. Then use the Netsh lan export profile command to export a profile for the configured network adapter. You can create a script to import that profile on other client computers to allow them to join a domain without validating a server certificate. For more information about exporting and importing profiles, see the section titled "Configuring Wireless Settings from the Command Line or a Script" earlier in this chapter.

Summary

Windows Vista represented the most significant update to Windows networking since 1995. Windows 7 provides incremental improvements and several key new features. Most significantly, you can use the new BranchCache feature to reduce WAN utilization between branch offices and your central office. Support for DNSSEC can reduce the risk of man-in-the-middle attacks that might take advantage of weaknesses in your name resolution infrastructure. Support for GreenIT can reduce power utilization while still allowing remote manageability. These changes let you do more with your network infrastructure while minimizing administration time and maximizing end-user productivity.

Additional Resources

• Chapter 28, "Deploying IPv6," includes information about IPv6.

• Chapter 31, "Troubleshooting Network Issues," includes information about solving networking problems.

• "Active Directory Schema Extensions for Windows Vista Wireless and Wired Group Policy Enhancements" at http://technet.microsoft.com/en-ca/library/bb727029.aspx includes instructions on extending the AD DS schema to support configuring wireless Windows Vista clients.

• "Deployment of IEEE 802.1X for Wired Networks Using Microsoft Windows" at …47c397ffd3dd includes more information about 802.1X authentication.


Chapter 26

Configuring Windows Firewall and IPsec

• Understanding Windows Firewall with Advanced Security 1227

• Managing Windows Firewall with Advanced Security 1262

• Summary 1291

• Additional Resources 1292

Host-based firewalls and Internet Protocol security (IPsec) are two important ways of ensuring your network is protected. Windows Firewall with Advanced Security has been enhanced in the Windows 7 operating system with improvements in configurability, manageability, and diagnostics. This chapter examines how Windows Firewall with Advanced Security works in Windows 7 and how to configure, manage, monitor, and troubleshoot firewall and IPsec connectivity issues.

Understanding Windows Firewall with Advanced Security

Windows Firewall with Advanced Security (also referred to as "Windows Firewall" in this chapter) is a host-based, stateful firewall included in the Windows Vista operating system and later versions that can be used to specify which types of network traffic are allowed to pass between the local computer and the rest of the network. Specifically, Windows Firewall with Advanced Security is:

• A host-based firewall designed to protect the local computer, as opposed to a perimeter firewall designed to protect the entire internal network.

• A stateful firewall that can inspect and filter both inbound and outbound packets for both IPv4 and IPv6.

Windows Firewall with Advanced Security can also be used to protect network traffic as it passes between the local computer and other computers on the network. To accomplish this, Windows Firewall with Advanced Security uses IPsec.

Posted: 20/10/2013, 12:15