Asynchronous and synchronous Group Policy application in an Active Directory domain. See the Microsoft article on Fast Logon Optimization in Windows XP, and another Microsoft article on the same subject. This difference in behavior of Windows XP clients can cause Group Policy not to be applied at the next reboot. I would recommend setting a domain policy for XP clients to act like Windows 2000 clients and use synchronous logon behavior.
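As an added example (not part of the tip above), this PowerShell script checks whether an XP client has actually received the synchronous-logon setting. The "Always wait for the network at computer startup and logon" policy writes a SyncForegroundPolicy value under the Winlogon policies key; that value name and key come from Microsoft's documentation of the setting, not from this page, and the script only reads the value.

```powershell
# Added example: verify that the "Always wait for the network at computer
# startup and logon" policy has reached this client. Value name and key are
# taken from Microsoft's documentation of the policy (assumption: unchanged
# on the client being checked). Read-only; nothing is modified.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon'
$valueName = 'SyncForegroundPolicy'

function Test-SynchronousLogonPolicy {
    if (-not (Test-Path $policyKey)) {
        return [pscustomobject]@{ Configured = $false; Synchronous = $false; Source = 'policy key absent' }
    }
    $item  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $value = $item.$valueName
    if ($null -eq $value) {
        return [pscustomobject]@{ Configured = $false; Synchronous = $false; Source = 'value absent' }
    }
    [pscustomobject]@{
        Configured  = $true
        Synchronous = ([int]$value -eq 1)   # 1 = wait for the network, apply policy in the foreground
        Source      = "$policyKey\$valueName"
    }
}

$result = Test-SynchronousLogonPolicy
$result
if (-not $result.Synchronous) {
    Write-Warning 'Fast Logon Optimization is in effect; a policy change may not be applied at the next reboot.'
}
```

Run it on a client after a reboot; if Synchronous is False even though the domain policy is set, the client has not picked the GPO up yet, which is exactly the two-reboot symptom the tip describes.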
Windows does not natively contain the necessary tools for you to create your own MSI files. Instead, you will have to rely on a third party MSI creation tool. There are several good tools available for free. Two of the more popular choices are MAKEMSI (http://users.cyberone.com.au/dbareis/makemsi.htm) and WinInstall LE 2003 (http://www.ondemandsoftware.com/freele.asp).
Q. How can I force Group Policy to refresh on a Windows Server 2003 or Windows XP machine?
A. To manually force Group Policy to refresh under Windows 2000, you use the command secedit /refreshpolicy. Microsoft has replaced this command in Windows 2003 and XP with the command gpupdate. You can run this command without any switches to update both machine and user policies. When you run Gpupdate on Windows 2003, the machine displays the following text:
    Refreshing Policy...
    User Policy Refresh has completed.
    Computer Policy Refresh has completed.
    To check for errors in policy processing, review the event log.
The last line doesn't appear on XP machines. To update only the user policy components, type gpupdate /target:user. To load only the computer policy components, type gpupdate /target:computer. The optional switches that you can use with the Gpupdate command are:
- /force--This switch loads all policy settings rather than just those that have changed.
- /wait:<time>--This switch specifies the amount of time to wait for the policy processing to finish before returning to the command prompt.
- /logoff--This switch causes the user to log off after Group Policy refreshes.
- /boot--This switch causes a reboot after Group Policy refreshes.
- /sync--This switch synchronously (i.e., in the background) applies the next boot or user logon policy (the system will prompt you to log off or reboot, depending on the /target setting).
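The answer ends with "review the event log", so here is an added PowerShell example (not from the original answer) that runs gpupdate with the switches above and then pulls any policy-processing errors logged since the refresh started. It assumes gpupdate.exe is on the PATH and that policy errors are written by the Userenv event source to the Application log, which is the case on XP and Server 2003; later Windows releases log to Microsoft-Windows-GroupPolicy/Operational instead.

```powershell
# Added example: force a Group Policy refresh and surface processing errors.
# Assumptions: gpupdate.exe on PATH; Userenv writes policy errors to the
# Application log (XP / Server 2003 behaviour).
param(
    [ValidateSet('computer', 'user', 'both')]
    [string]$Target = 'both',
    [int]$WaitSeconds = 120
)

$gpArgs = @('/force', "/wait:$WaitSeconds")
if ($Target -ne 'both') { $gpArgs += "/target:$Target" }

$start = Get-Date
& gpupdate.exe @gpArgs          # the usual status lines print to the console
if ($LASTEXITCODE -ne 0) {
    Write-Warning "gpupdate exited with code $LASTEXITCODE"
}

# Errors or warnings from Userenv since the refresh began identify the GPO,
# script or client-side extension that failed to apply.
$problems = Get-EventLog -LogName Application -After $start -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Source -eq 'Userenv' -and
        ($_.EntryType -eq 'Error' -or $_.EntryType -eq 'Warning')
    }

if ($problems) {
    $problems | Select-Object TimeGenerated, EventID, Message | Format-List
} else {
    Write-Host "No Userenv errors or warnings logged since $start"
}
```

Save it as a .ps1 and run, for example, `.\Refresh-Policy.ps1 -Target computer` from an administrative prompt; /wait keeps gpupdate in the foreground so the event-log query only covers the refresh that was just run.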
A really good resource for making a slipstreamed cd that installs winxp sp1 and rollup pack 1 is at http://www.msfn.org. Or you could go to the direct link that shows you at http://msfn.org/articles.php?action=show&id=38. It covers it step by step.
How can I automate registry settings across my entire domain? You can automate registry settings that aren't already part of a group policy by creating a new administrative template in the Default Domain Policy Group Policy Object (GPO). For step-by-step instructions on how to accomplish this task, see Randy Franklin Smith's complete answer to this question. http://secadministrator.com/articles/index.cfm?articleid=26447
How Do I Restrict Access to Some or All of the Control Panel Applets on NT Systems? The Windows NT System Policy Editor (SPE) contains two Control Panel-related settings that appear in the properties of user and group system-policy objects. The first setting--Restrict display--lets you restrict user access to the tabs of the Control Panel Display applet. The other setting--Remove folders from Settings on Start menu--lets you hide the Control Panel folder from a user's Start menu. Selecting this check box also hides the Printers folder on the Start menu. If you want to restrict access to specific Control Panel applets, you can change the access control entries (ACEs) on the corresponding Control Panel extension file. All such files reside in the \%systemroot%\system32 folder and have a .cpl extension. To get a clear overview of these files, sort the content of the system32 folder by file type, then locate the files of type Control Panel extension. To change the ACEs, right-click the .cpl file and select Properties. Select the Security tab and adjust the permissions as needed. Make sure that the System account keeps Full Control access. To automate this process, you can run cacls.exe from a logon or .bat script. For an overview of which .cpl file corresponds to which Control Panel applet, see the Microsoft article "HOWTO: Start a Control Panel Applet in Windows 95 or Later." http://support.microsoft.com/?kbid=135068
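Before changing the ACEs on .cpl files by hand or from a cacls.exe script, it helps to see what they currently grant. The following PowerShell script is an added example (not part of the tip above) that reports, for every Control Panel extension in System32, whether SYSTEM still has Full Control and whether the group you intend to restrict (assumed here to be BUILTIN\Users; change the parameter to suit) can still read and execute the file. It only reports and changes nothing.

```powershell
# Added example: audit the ACLs on Control Panel extension (.cpl) files.
# Assumptions: the group to restrict is BUILTIN\Users unless overridden;
# the files live in %SystemRoot%\System32 as the tip states. Read-only.
param([string]$RestrictedGroup = 'BUILTIN\Users')

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$readExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-CplPermissionReport {
    $cplFiles = Get-ChildItem -Path (Join-Path $env:SystemRoot 'System32') -Filter '*.cpl'
    foreach ($file in $cplFiles) {
        # Access includes inherited entries, which is what the shell enforces.
        $rules = (Get-Acl -Path $file.FullName).Access

        # Parentheses matter: -band binds more loosely than -eq in PowerShell.
        $systemFull = $rules | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $fullControl) -eq $fullControl)
        }
        $groupRun = $rules | Where-Object {
            $_.IdentityReference.Value -eq $RestrictedGroup -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readExecute) -ne 0)
        }

        [pscustomobject]@{
            Applet                = $file.Name
            SystemFullControl     = [bool]$systemFull
            RestrictedGroupCanRun = [bool]$groupRun
        }
    }
}

# Applets where SYSTEM lost Full Control are the ones to fix first; the tip
# warns that SYSTEM must keep it.
Get-CplPermissionReport | Sort-Object SystemFullControl, Applet | Format-Table -AutoSize
```

Run the report once before restricting any applet and again afterwards; a row with SystemFullControl False means an ACE change went further than intended and should be reverted before users notice.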
How can I uninstall the Microsoft Java Virtual Machine (JVM) from Windows XP? You might want to remove the Microsoft JVM, which Microsoft no longer supports, in favor of the more recent Sun Microsystems' JVM. To remove the Microsoft JVM, perform the following steps:
1. From the Start menu, select Run.
2. Enter the command RunDll32 advpack.dll,LaunchINFSection java.inf,UnInstall to start the uninstall process.
3. Click Yes to the confirmation, then select Reboot.
4. After the machine restarts, delete the following items:
   - the \%systemroot%\java folder
   - java.pnf from the \%systemroot%\inf folder
   - jview.exe and wjview.exe from the \%systemroot%\system32 folder
   - the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Java VM registry subkey
   - the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\JAVA_VM registry subkey (to remove the Microsoft Internet Explorer--IE--options)
Microsoft JVM is now removed. You can download Sun's newer JVM for Windows at http://java.sun.com/getjava/index.html .
Diskpart is similar to the MS-DOS Fdisk utility, which lets you create and view partitions from the command line. However, Diskpart does much more than Fdisk. In addition, the Diskpart UI matches the graphical interface of the Microsoft Management Console (MMC) Disk Management snap-in. Diskpart is part of the "Microsoft Windows 2000 Server Resource Kit" and the "Microsoft Windows 2000 Professional Resource Kit." (Microsoft includes Diskpart as a core utility in Windows Server 2003 and Windows XP.) You can download the tool for free from Microsoft's Web site at http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/diskpart-o.asp. To run Diskpart, type diskpart at the command prompt, then press Enter. Rather than relying on command-line execution, you actually run commands inside the Diskpart environment. When you're finished, type exit to leave the Diskpart environment. For example, the screen might display the following during a Diskpart session:
    C:\Documents and Settings\john>diskpart
    Microsoft DiskPart version 1.0
    Copyright (C) 1999-2001 Microsoft Corporation.
    On computer: TRINITY
    DISKPART> exit
    Leaving DiskPart...
    C:\Documents and Settings\john>
Administer a Windows 2000 and .net server from a Windows XP workstation using the 2003 Administration Pack from Microsoft. (The Windows XP workstation needs to be running SP1)
FORCING AN ACL TO ACCOMPANY A FILE ACROSS SHARES IN WIN2K
Proper DNS Configuration in a Win2K Environment
Terminal Server On Linux? The client is aptly named "rdesktop". The developer is a fellow in Australia named Matt Chapman.
The -l option is interesting, in that it doesn't request a license from the terminal server itself. With the use of some scripting, you could have the Red Hat box boot up, log on and start the rdesktop client all without the user doing anything. Once the client is started in full screen mode you really can't tell that you aren't on a Windows machine; even Ctrl-Alt-Del works. It really is a slick client and could potentially save you quite a bit of money. If you run rdesktop, you will, at a minimum, save on one Windows license. Potentially more if you also used Sun's StarOffice. In either case, rdesktop is a pretty good implementation of the terminal server client and if you are using Linux, it will give you a way to connect to your MS server.
You can download it here:
A. Microsoft Print Migrator 3.0, which is available at http://www.microsoft.com/windows2000/technologies/fileandprint/print/download.asp , lets you migrate printers between servers. The current version supports:
- migrating printers between different Windows versions (e.g., from Windows NT 4.0 to Windows 2000 or Windows .NET Server--Win.NET Server--2003)
- Microsoft Cluster service
- options for moving Line Print Report (LPR) ports to standard TCP/IP Port Monitor ports
Print Migrator 3.0 can back up a machine's print configuration to a .cab file for the Win.NET Server, Windows XP, Win2K Service Pack 2 (SP2), and NT 4.0 SP6a platforms. The software can also back up file-and-print shares, but not the share content. The download includes a full-command version, and you can download a separate Help file from the URL I mentioned above that explains the command version.
For a list of post-SP2 fixes for Windows 2000, visit this Microsoft site.
TRY A FREE MICROSOFT OFFICIAL CURRICULUM SELF-PACED COURSE http://www.microsoft.com/train_cert/moc Microsoft announces eight free self-paced Microsoft Official Curriculum courses available through the new Microsoft.com download center at http://www.microsoft.com/downloads. To download a free MOC HTML-based, self-paced training course from this site, click on keyword search and type in the keyword "training". Select the Windows 2000 platform, and you'll find the list of available training courses. FREE ONLINE WINDOWS 2000 SERVER TRAINING Participate in this self-paced, four-part training to introduce your school district's technical staff to the basics of Windows 2000 Server. http://www.microsoft.com/education/product/win2ktrain.asp
Microsoft has included a new tool in Win2K Pro called the System File Checker. It's designed to check the files on your system for data corruption, improper versions, and missing files. If the System File Checker finds any questionable files, it will
System Recovery Console: You can run the Recovery \i386\winnt32.exe /cmdcons from your Win2K CD-ROM. This approach adds the Recovery Console to your
More info on the recovery console: You can boot Windows 2000 from either the installation disks or CD-ROM
If the SAM is intact, you need to log on to the system with an
Windows 2000 has a cool new TCP/IP utility in Win2K called PATHPING. PATHPING is a combination of two useful TCP/IP utilities, ping and
For Information on Windows 2000 automatic deployment options visit this site on Microsoft's web site.
Windows 2000 RunAs at a command prompt
The RUNAS command lets you launch any command on your system as any user account--even as the Administrator. For example, if I want to run a command prompt on my laptop, but do it via the local Administrator account, I type the following command into the Start, Run prompt: runas /user:LAPTOP\Administrator cmd This launches the command prompt (cmd) under the context of the Administrator account for the local accounts database on the machine called LAPTOP.
PROVIDING A WIN2K TIME SERVICE Win2K-NT 4.0 Time Synchronization. The timesrv.exe utility from the original Windows NT 4.0 Server Resource Kit doesn't support the Network Time Protocol (NTP) that Win2K systems need. After some exploration, Microsoft has released updates for w32time and timesrv, the tools you need to successfully set up an NT 4.0 system that operates as an official time server. However, the updates are hidden in a most unlikely spot: a folder called Y2kfix at Microsoft's FTP site. You can download the tools and documentation from ftp.microsoft.com/reskit/y2kfix/x86. Microsoft article Q258059 contains all the information you need to create an NT 4.0 NTP server. http://support.microsoft.com/support/kb/articles/q258/0/59.asp
One useful Win2K feature is its ability to update itself after you've applied a service pack. Unlike NT, when you update a system-level component after you've applied a service pack, Win2K remembers where you installed the service pack from and returns to that location to get any files it needs to replace or change based on the components you've added. If you need to free up space or you want all of your networked machines to point to the same files, follow these steps:
1. Open regedit.
2. Go to HKEY_LOCAL_MACHINE.
3. Open the value ServicePackSourcePath (on my system it defaults to C:).
4. Enter the path to the service pack files' location, which can be a drive or a network share.
The Windows 2000 Server Resource Kit contains several utilities you can use to manage NT 4.0 systems from a Win2K desktop. After installing the resource kit, you'll find a plethora of tools in the Network Management Tools folder. Although most of the tools run only from the command line and have unusually cryptic and poorly documented argument lists, the Win2K versions of User Manager for Domains and Server Manager have the same GUI that NT 4.0's native applets employ.
If you prefer to add or modify Win2K or NT 4.0 user accounts from the command line, check out the Console User Manager utility (cusrmgr.exe). And while we're on the subject of user accounts, you might want to try the user status utility usrstat.exe, which displays the full name and last logon time for each user in a domain. If you maintain a large NT 4.0 account database, you should pipe this utility's output to a file.
GETTING STARTED WITH REMOTE INSTALLATION SERVICES One of Windows 2000 Server's cool new features--Remote Installation Services--simplifies your admin tasks and offers reduced TCO. Check out a great article here at techrepublic. (Will need to sign up for a free account.)
Using Junction Points for drive letters in Win2000. One advantage that Windows 2000 brings to end users is the removal of the 26 drive letter limitation. Under Windows NT, you could access resources under a fully qualified path name (i.e., \\resource\sharename) without having to map a drive letter to that resource if it was remote storage. If you wanted a persistently available resource, it was usually easiest to map remote storage to a drive letter. But you didn't have that option for local storage; it received a drive letter whether or not you liked it. And adding drives sometimes played with the default order of the drives, requiring care when installing new drives. Win2K adds a feature called NTFS Junction Points. A junction point is a physical location on a local hard disk that points to another location on that disk or another storage device. When you create a mounted drive, you create a junction point. A mounted drive is a device attached to an empty folder on an NTFS volume. It behaves the same as any other drive, but no drive letter is attached to the volume, just a label. You can mount an entire drive to a directory on another drive. When users access that directory, they have access to that entire drive, regardless of size. For example, you could have any number of drives physically installed on one system, but the users and applications might see only a single C drive letter. Win2K has four methods to deal with mounted drives and junction points. Two are contained within the OS, and two are in the Win2K Professional Resource Kit. This column covers only the two methods found in the base OS. The easiest way to create a mounted drive is to use the Disk Management portion of the Computer Management Console. When you add a drive or want to change existing drives, right-click the drive or partition and select Change Drive Letter and Paths.... From that dialog box, you can add, edit, or remove drive letters and mount points.
To add a drive letter, select Add, Add New Drive Letter or Path. Select a drive letter from the drop-down menu of available letters. To select a new mount point, click "Mount in this NTFS folder" and type in the fully qualified path name to the empty folder you want to use as the mount point. The Browse button lets you look at the directory tree for the available volumes that support mount points and lets you select an existing folder or create a new empty folder to use as the junction point. This procedure lets you perform all disk and drive management activities from the same application. But of course, some of us want to do everything the hard way (i.e., from the command line), so Win2K lets us use the MOUNTVOL command. Entering mountvol without any parameters returns information similar to the following:
    Creates, deletes, or lists a volume mount point.
    MOUNTVOL [drive:]path VolumeName
    MOUNTVOL [drive:]path /D
    MOUNTVOL [drive:]path /L
    path        Specifies the existing NTFS directory where the mount point will reside.
    VolumeName  Specifies the volume name that is the target of the mount point.
    /D          Removes the volume mount point from the specified directory.
    /L          Lists the mounted volume name for the specified directory.
    Possible values for VolumeName along with current mount points are:
        \\?\Volume{08a4ee15-86cd-11d4-a06e-806d6172696f}\   C:\
        \\?\Volume{08a4ee16-86cd-11d4-a06e-806d6172696f}\   D:\
        \\?\Volume{08a4ee17-86cd-11d4-a06e-806d6172696f}\   E:\
        \\?\Volume{08a4ee14-86cd-11d4-a06e-806d6172696f}\   G:\
        \\?\Volume{08a4ee13-86cd-11d4-a06e-806d6172696f}\   F:\
        \\?\Volume{08a4ee12-86cd-11d4-a06e-806d6172696f}\   A:\
The command returns all possible values and current mount points for the local system, which means that your system won't return the same response as you see above. You'll also notice that the primary identification of the drive volumes provided is not the drive letter but the Global Unique ID (GUID), which identifies the drive even if you later change the drive letter.
Of course, Win2K doesn't require that you use drive letters beyond the boot device. Also remember that you can cut and paste in the command windows, so you don't need to retype the GUID information. The ability to mount drives using junction points is very useful. Even if you don't need to use this functionality now, take a few minutes and play with your existing Win2K NTFS partitions to get a feel for how it works.
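Because the GUID, not the letter, is the stable identifier, it is worth keeping the GUID-to-mount-point mapping as data rather than as screen text. The PowerShell script below is an added example (not from the column above) that parses mountvol's listing into objects. It includes a constructed sample of the listing, built from the GUIDs shown above, so it can be tried with -UseSample before being run against a live machine; mountvol prints each volume name on one line and its mount point(s) indented on the following line(s), with "*** NO MOUNT POINTS ***" for an unmounted volume.

```powershell
# Added example: parse mountvol output into VolumeName / MountPoints objects.
# Assumptions: mountvol.exe on PATH; output layout is one volume name per
# line followed by indented mount-point lines (XP / Server 2003 format).
param([switch]$UseSample)

# Constructed sample, based on the GUIDs quoted in the column.
$sample = @'
Possible values for VolumeName along with current mount points are:

    \\?\Volume{08a4ee15-86cd-11d4-a06e-806d6172696f}\
        C:\

    \\?\Volume{08a4ee16-86cd-11d4-a06e-806d6172696f}\
        D:\

    \\?\Volume{08a4ee14-86cd-11d4-a06e-806d6172696f}\
        *** NO MOUNT POINTS ***

'@

function ConvertFrom-MountvolOutput {
    param([string[]]$Lines)
    $volumeRx = '^\\\\\?\\Volume\{[0-9a-fA-F-]+\}\\$'
    $current = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if (-not $line) { continue }
        if ($line -match $volumeRx) {
            if ($current) { $current }          # emit the previous volume
            $current = [pscustomobject]@{ VolumeName = $line; MountPoints = @() }
        } elseif ($current -and $line -notlike '*NO MOUNT POINTS*') {
            $current.MountPoints += $line       # a drive letter or an NTFS folder path
        }
    }
    if ($current) { $current }
}

$text = if ($UseSample) { $sample -split "`r?`n" } else { & mountvol.exe }
ConvertFrom-MountvolOutput -Lines $text |
    Select-Object VolumeName, @{ n = 'MountPoints'; e = { $_.MountPoints -join ', ' } }
```

Piping the result to Export-Csv on a known-good day gives a baseline; a later run that shows a GUID with a different letter or an extra NTFS folder tells you a mount point changed even though the volume did not.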
OPTIMIZING REMOTE INSTALLATION SERVICES Windows 2000 Remote Installation Services (RIS) enables you to pull down complete, customized computer installations from your network server. Trent Cook offers some pointers for fine-tuning RIS and then demonstrates the installation process.
STOP TELLING ME THAT!
If users dislike being continually notified of the status of network print jobs, you can disable the Printing Notification dialogs that are sent by the Spooler Service when a print job's been completed, deleted, or when there's an error. Note that this setting applies globally to all the printers on a particular print server. It isn't possible to set this option on a per-printer basis. This setting must be made on the server that's sending the pop-up in order to affect all clients. The only way to disable a pop-up on an individual client is to disable the Messenger Service on that client. Follow these steps to disable the Printing Notification dialog boxes:
1. Click Start | Settings | Printers.
2. Go to File | Server Properties | Advanced.
3. Deselect the Notify When Remote Documents Are Printed check box.
4. Stop and restart the Spooler Service from the Services portion of Control Panel so the new setting will take effect.
Remember, under Windows NT 4.0 and Windows 2000, if the print notification is turned off and the printer is connected by a parallel or serial cable, error messages will appear on the server. While an error is displayed, printing will not resume to the printer, even if the cause of the error is cleared from the printer. Someone must log on to the server and click Retry or Cancel in the Error Message dialog box. This does not affect network-connected printers.
* Planning for Active Directory Ready to roll out your company's AD infrastructure? Think again about how many domains you need and what your site topology should be.
* Monitoring Your AD-Enabled Network Identify the Win2K network components that you need to monitor and the features you should look for in a monitoring and management tool.
* The Active Directory Delegation of Control Wizard Successfully leverage Win2K's ability to safely delegate routine management and support tasks throughout your enterprise.
Microsoft's Management services site for Windows 2000 is an excellent site for many Windows 2000 management and installation questions and planning.
Tweak UI for Win2000. For those of you who use TweakUI, Microsoft's handy little UI utility, but now find the earlier version of TweakUI (version 1.1) incompatible on computers running Windows 2000, Windows Millennium Edition (Windows Me), or Windows 98, help is here. Microsoft has an updated version of the utility that runs on these OSs. For those who haven't tried TweakUI, I highly recommend it. It's full of great little utilities such as Logon Automatically at system startup, Covering your tracks, Repairing your icons, Limiting which applets appear in Control Panel, and more. You can download the TweakUI 1.33 update from the following URL. http://www.microsoft.com/ntworkstation/downloads/PowerToys/Networking/NTTweakUI.asp
ANOTHER LOCATION FOR DHCP BACKUP
DHCP is responsible for significantly easing our workload in managing IP addresses. The DHCP service does back up its database and files. However, it stores them in the Winnt\system32\DHCP\backup directory on the same partition that is running the DHCP service. Obviously, when you back up this server, you get the backup copy as well, but as an additional level of peace of mind, you might want to change the backup location, usually to another physical drive. To change the location of that backup directory, follow these steps:
1. At the Run command, open up regedt32.
2. Once the registry editor is open, navigate to HKLM\System\CurrentControlSet\Services\DHCPServer.
3. Double-click Parameters, then double-click Backup Database Path.
4. Change the first part of the line to indicate a different physical drive on the server, such as E:\System32\dhcp\backup. Don't forget to create the directory structure on that drive.
Now the information will be backed up to that different drive. This works in Windows 2000 as well. As always, remember our usual warnings about backing up the registry first.
PROVIDE DHCP FAIL-OVER ON YOUR NT NETWORK
Richard Charrington explains how you can implement continuous DHCP service on your network, even in the event of DHCP failure. You can use this process to free up a DHCP server for maintenance and more, all without service interruptions.
CLEANING UP THE SYSTEM TRAY
Areas to check when trying to permanently remove items from your system tray:
1. Check the program itself; it might let you unload it and never have it load again.
2. Check your startup folders, and remove any icons you don't want.
3. Check the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
4. Check win.ini and system.ini files on your computer.
A few other places:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Win.ini, System.ini, and winfile.ini
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\ParseAutoexec (If you set this value to 1, commands in the autoexec.bat file will run.)
So, that's about eight different places that Microsoft lets vendors hide system tray icons that come up at startup. Again, each of these icons takes resources (memory) from your system, so if you don't want 'em, clean 'em out!
WINDOWS 2000 PRO TIP: REPAIR BROKEN APPLICATIONS WITH THE WINDOWS MSIEXEC /fe packagename.msi
MSIEXEC starts the Windows Installer service. The /f switch informs the c - Reinstall if file is missing or the checksum is invalid The packagename.msi file is the .msi file for the application that you
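The system tray tip above lists the startup locations by name; inventorying them in one pass, before deleting anything, is the safer order of operations. The following PowerShell script is an added example (not part of the tip) that lists what is registered in each of those locations: the Run keys under both hives, the Windows NT Run and Load values, the ParseAutoexec value, both Startup folders and the run=/load= lines of win.ini. It reports only. The Startup folder paths are resolved through WScript.Shell's SpecialFolders so that they are correct on both XP-era and later profile layouts; that lookup, and reading HKCU in addition to the HKLM key the tip names, are assumptions of the example.

```powershell
# Added example: inventory the startup locations named in the tip. Read-only.
# Assumptions: WScript.Shell is available for Startup folder resolution;
# HKCU\...\Run is included alongside the HKLM key the tip lists.
$registryLocations = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';          Names = $null }
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';          Names = $null }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';   Names = @('Run', 'Load') }
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';  Names = @('ParseAutoexec') }
)
# Properties Get-ItemProperty adds that are not registry values.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-StartupEntry {
    foreach ($loc in $registryLocations) {
        if (-not (Test-Path $loc.Key)) { continue }
        $props = Get-ItemProperty -Path $loc.Key
        # $null Names means "every value under the key" (the Run keys).
        $names = if ($loc.Names) { $loc.Names } else {
            $props.PSObject.Properties.Name | Where-Object { $providerProps -notcontains $_ }
        }
        foreach ($n in $names) {
            $v = $props.$n
            if ($null -ne $v -and "$v" -ne '') {
                [pscustomobject]@{ Location = $loc.Key; Name = $n; Value = "$v" }
            }
        }
    }

    # Per-user and all-users Startup folders.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folderName in @('Startup', 'AllUsersStartup')) {
        $folder = $shell.SpecialFolders.Item($folderName)
        if ($folder -and (Test-Path $folder)) {
            Get-ChildItem -Path $folder | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
                [pscustomobject]@{ Location = $folder; Name = $_.Name; Value = $_.FullName }
            }
        }
    }

    # run= and load= lines in win.ini, where the file still exists.
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path $winIni) {
        foreach ($line in Get-Content $winIni) {
            if ($line -match '^\s*(run|load)\s*=\s*(\S.*)$') {
                [pscustomobject]@{ Location = $winIni; Name = $Matches[1]; Value = $Matches[2] }
            }
        }
    }
}

Get-StartupEntry | Format-Table -AutoSize
```

A ParseAutoexec row with Value 1 is worth a second look, since the tip notes it causes autoexec.bat commands to run; everything else in the output should map to a program you recognise before it is removed.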
Use the NetDiag Tool from the Win2K Resource Kit to Diagnose Problems.
You can find the support tools package in the Win2K CD-ROM's \SUPPORT\TOOLS directory. After installing the package, you'll see a new option on your Programs menu called Windows 2000 Support Tools. Although there are about a dozen actual tools available from the Start menu, in reality, there are more than 40 different applications that this package installs on your system. One of the most useful tools is the NetDiag tool (Netdiag.exe). This tool alone is worth digging out your Win2K CD-ROM so you can install the Support Tools. NetDiag performs a series of diagnostic tests on a system to troubleshoot any problems your system might be experiencing. NetDiag tests many networking items, including basic IP connectivity, WAN connectivity, WINS support, and browser and domain availability. Each test category outputs a simple passed or failed result, giving you valuable information about where to look for problems.
Setup hangs while inspecting. If setup hangs at the subject screen, use the checked version of
Move your Printer Queue to Another Folder. Most organisations running NT- or Windows 2000-based networks use print-server functionality, and it is not uncommon to find at least one or two servers functioning as dedicated print servers on a large network. Even on the smallest LANs, any NT or W2K user who has shared their printer is functioning as a print server. Under Windows NT and Windows 2000, a printer stores (spools) data on disk until the printer is ready to accept data. If a printer is under heavy use or offline, this spooling process can consume large quantities of disk space as documents get backed up in the queue. Windows normally uses the boot volume for this purpose, and files are spooled to %SystemRoot%\system32\spool by default. If you are short of disk space on your boot partition, this can cause major headaches, as well as performance degradation. It is possible to alter the spool folder on a printer-by-printer basis by making a registry change, however. You can even have different printers spooling data to different folders or volumes. This Registry key points to the default spool folder for all printers: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\DefaultSpoolDirectory. Changing this value affects all printers on the machine. The following REG_SZ Registry key defines the spool folder for a given printer (where [PrinterName] is the name of your printer). If the key value is blank, then the default folder from the above key is used: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Printers\[PrinterName]\SpoolDirectory. If you change the value of the key, you must ensure that the folder exists and that it is local - no network paths allowed! For any changes to take effect, you must stop and restart the Spooler Service. For further information, refer to KB article Q123747.
How do you keep all your PCs on an NT (TCP/IP) network synchronized to the right time and date? In your netlogon script, put in the line: net time \\computername /set /yes. On the machine that the others are synching with ("computername"), you can run timeserv from the NT Resource Kit to have the system time synch up with an atomic clock. For more info on TIMESERV, check this article: http://support.microsoft.com/support/kb/articles/Q232/2/55.ASP You can use a PDC or BDC for this purpose, or you can do it with most any server; it doesn't take a lot of resources at all!
Windows 2000 shipped with a new and improved directory service called Active Directory. Unfortunately, not all clients can take advantage of its advanced features. Only Windows 2000 includes support for Active Directory; older operating systems don't. Even if clients don't take advantage of the Active Directory service, you can still use them on your network. For example, when you upgrade a Windows NT domain to Windows 2000 Active Directory, you can still use your existing Windows NT 4 client computers and Windows NT 4 servers. To facilitate the integration, Microsoft released a special Active Directory client for Windows NT 4. This client software adds support for some Active Directory features, including:
* Site awareness allows clients to log on to the domain controller that's closest to the client.
* Active Directory Service Interfaces (ADSI) allow Active Directory scripting.
* Distributed file system (DFS) fault-tolerant client provides access to Windows 2000 fault-tolerant DFS shares.
* Windows Address Book (WAB) property pages allow users to change properties on user objects, and they include support for display specifiers.
* NTLM version 2 authentication allows for stronger authentication.
Even with Active Directory client software, Windows NT 4 clients don't support all advanced Active Directory features. Among them are:
* Kerberos authentication
* Group Policy objects
* IPSec and L2TP
Microsoft has also released an Active Directory client for Windows 95/98. http://www.microsoft.com/Windows2000/adclients/default.asp
Deploying Exchange 2000 in Ten Steps
Migrating from Windows NT or NetWare to Windows 2000 in Education Environments
The corporate update site is an excellent site for obtaining updates on Microsoft products.
Troubleshoot Group Policy: Microsoft's white paper on GPOs
How do I determine which process has TCP ports or UDP ports open?
Download the Wntipcfg.exe tool for Windows 2000 from Microsoft's website. This is the GUI tool similar to Windows' winipcfg tool.
* WIN2K SP3'S AUTOMATIC UPDATES CLIENT
How to Disable the Change Password Button for One or More Specific Users. The following procedure must be done on the user's computer:
Installing the Recovery Console on WinXP or Win2K. Installing the Recovery Console is an easy process. Simply complete the following steps:
1. From the XP installation CD-ROM or from a network share that contains the XP installation files, run the application \i386\winnt32.exe /cmdcons. For example, if the CD-ROM is in the D drive, click Start, Run and enter D:\i386\winnt32.exe /cmdcons
2. To confirm a local installation, click Yes when prompted.
3. When the installation finishes, reboot the computer.
4. Check the boot menu for the new Microsoft Windows Recovery Console entry.
You'll find complete instructions for installing and using the XP Recovery Console at the URL below. If you've already used the console in Win2K, you'll find few changes in the XP process. Remember that the Recovery Console has only a limited subset of the available command-line utilities. Users should become familiar with what they can and can't do from the console command line. http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307654&sd=tech
PROTECT YOUR SYSTEM BY AUDITING OBJECTS
Auditing is a network security tool that can record the information you need to identify system abuse and hacking activity. By having this information delivered to you in real time, you can catch and stop hackers in their tracks. Hackers discover new and exciting exploits almost on a daily basis. Don't sit back and wait to be taken down or defaced. Audit objects that have the potential to be run remotely, plus those that can be used to modify your configuration or wreak havoc on your system. Here are several commands I recommend that you audit:
* Cmd.exe: The command-line emulation program is the target of buffer overflows.
* Ping.exe: This network discovery tool is used for denial of service attacks.
* Ftp.exe: The command-line FTP client is used to transfer files to and from the system.
* Tftp.exe: This command-line utility provides another way to transfer files when FTP has been blocked.
* Net.exe: This is one of the most powerful command-line administration utilities.
STEPS TO SET UP AUDITING
To set up auditing, start by modifying the Local Security Settings. Follow these steps:
1. Go to Control Panel | Administrative Tools | Local Security Policy.
2. From the MMC, select Local Policies.
3. Choose Audit Policy.
4. Double-click Audit Object Access.
5. Select Success And Failure.
If the Web server is part of the domain, which it shouldn't be, you must enable object auditing as a Domain Policy--not just a Local Policy. Here's how to enable object auditing:
1. Go to Control Panel | Administrative Tools | Domain Security Policy.
2. From the MMC, select Local Policies.
3. Choose Audit Policy.
4. Double-click Audit Object Access.
5. Select Success And Failure.
6. Specify a command to audit, such as Net.exe, by going to the winnt\system32 folder, right-clicking the command, and then selecting Properties | Security | Advanced | Auditing | Add.
7. Identify which users should get logged when they try to access the object Net.exe.
8. Select the SYSTEM account.
9. To enable full auditing on the Net.exe / SYSTEM account, select all Successful and Failed options.
10. Click OK.
11. Select Add, and perform the same steps for the IUSR account.
12. Repeat this procedure for Cmd.exe, Ping.exe, Ftp.exe, and Tftp.exe.
Once auditing is enabled, your security logs will become populated with events when these objects are accessed, such as "560: object open & 562: handle closed."
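Steps 6 through 12 above are the same dialog sequence repeated for every file and account, which is error-prone by hand. The PowerShell script below is an added example (not from the original tip) that applies the same SACL entries from a script: a Success and Failure audit rule for each listed account on each listed executable in %SystemRoot%\system32. It needs an elevated prompt, since writing a SACL requires the Manage auditing privilege. The IUSR_<computername> account name follows the IIS 5 anonymous-account convention and is an assumption about the machine; accounts that cannot be resolved are skipped with a warning rather than written as a bad SID. Audit Object Access must still be enabled in the audit policy (steps 1 to 5) or the SACL produces no events.

```powershell
# Added example: set Success+Failure file auditing on the executables the tip
# lists, for SYSTEM and the IIS anonymous account. Assumptions: run elevated;
# IUSR_<COMPUTERNAME> is the anonymous account name (IIS 5 convention).
param(
    [string[]]$Executable = @('cmd.exe', 'ping.exe', 'ftp.exe', 'tftp.exe', 'net.exe'),
    [string[]]$Account    = @('NT AUTHORITY\SYSTEM', "IUSR_$env:COMPUTERNAME")
)

$rights  = [System.Security.AccessControl.FileSystemRights]::FullControl   # "all Successful and Failed options"
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit = [System.Security.AccessControl.InheritanceFlags]::None
$prop    = [System.Security.AccessControl.PropagationFlags]::None

function Resolve-Account([string]$Name) {
    # Translate to a SID first so a typo never ends up as an unresolvable ACE.
    try {
        $nt = New-Object System.Security.Principal.NTAccount($Name)
        [void]$nt.Translate([System.Security.Principal.SecurityIdentifier])
        return $nt
    } catch {
        Write-Warning "Account '$Name' could not be resolved; skipping."
        return $null
    }
}

$accounts = @($Account | ForEach-Object { Resolve-Account $_ } | Where-Object { $_ })
if (-not $accounts) { throw 'No auditable accounts resolved; nothing to do.' }

foreach ($exe in $Executable) {
    $path = Join-Path (Join-Path $env:SystemRoot 'system32') $exe
    if (-not (Test-Path $path)) { Write-Warning "$path not found; skipping."; continue }

    # -Audit is required so the SACL is read; without it Set-Acl would not write one.
    $acl = Get-Acl -Path $path -Audit
    foreach ($acct in $accounts) {
        $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $acct, $rights, $inherit, $prop, $flags)
        $acl.AddAuditRule($rule)
    }
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Auditing set on $path for $($accounts -join ', ')"
}
```

After running it, `Get-Acl -Path "$env:SystemRoot\system32\net.exe" -Audit | Select-Object -ExpandProperty Audit` shows the entries that were written, and the security log should begin to receive the 560 and 562 events the tip mentions whenever one of those files is opened.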
Hide a Computer or Server from users' Network Neighborhood. To hide a server from the network browser list, you can make a registry change or use the Net Config Server command. Both methods require a server reboot to put the change into effect. To hide a server by using the first method, in the registry, you must add the Hidden key (of type REG_DWORD) and set its value to 1 in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters subkey. To hide a server using the second method, open a command prompt. Then, type either the command Net config server /Hidden:yes or the command Net config srv /Hidden:yes.