Figure 15.9. The Network Adapter Tab

PERMISSIONS

The Terminal Services Permissions tab (Figure 15.10) defines which users and groups have the right to assume Full Control, User Access, and Guest Access. By default, the Administrator and System groups are allowed all three. This tab is employed to delegate authority over Terminal Server management to other users or groups.

Figure 15.10. The Permissions Tab

As with other Permissions properties dialog boxes, additional users and groups are included by clicking the Add button and deleted with the Remove button. The Advanced button is used to apply special permissions. (See Chapter 10 for more information about managing this Permissions tab.)

LOGON SETTINGS

The Logon Settings tab (Figure 15.11) permits the use of either client-provided or administrator-defined logon information. If the latter is selected, complete the text boxes for User name, Domain, Password, and Confirmed password.

Figure 15.11. The Logon Settings Tab

SESSIONS OPTIONS

The Sessions tab (Figure 15.12) establishes parameters for how long a client can remain idle, the maximum length of a session, and whether that client can reconnect. One of the benefits of Terminal Services is that a user can disconnect without terminating the session. Provided that the parameters enable reconnection and the time period allows it, the user can reconnect from the same or a different client exactly where he left off.

Figure 15.12. The Session Tab

ENVIRONMENT SETTINGS

The Environment tab (Figure 15.13) either lets the user's individual profile apply or overrides those settings with the ones established in this dialog box. In many environments, only certain applications need to be started. For example, in a customer service environment, a set of knowledge-based Help applications may be all that is necessary. In such a case, check Override settings and specify the program path and file name.

Figure 15.13. The Environment Tab

Terminal Services Server Settings

The Server Settings determine how Terminal Services is applied (with default settings shown in Figure 15.14).

Figure 15.14. Server Settings

The seven default settings are

·  Delete temporary folders on exit determines how temporary folders are treated on exit.

·  Use temporary folders per session determines where temporary folders are created during a session.

·  Permission Compatibility indicates whether security is set to Full or Relaxed.

·  Sessions Directory enables or disables session directory functions.

·  Restrict each user to one session places a yes or no restriction on the user sessions.

·  Licensing defines the basis of the license.

·  Active Desktop defines whether the Microsoft Active Desktop environment is enabled or disabled.

TERMINAL SERVICES ADMINISTRATION

The Terminal Server allows the administrator to remotely monitor servers, sessions, users, and processes, and supports the centralized deployment of applications, disk management, and device access. It also allows the administrator to manage the applications available to users, logon privileges, and security.

NOTE

The Remote Desktop Web Connection includes a downloadable ActiveX control and sample Web pages. These should be used as starting points for running Windows-based programs from Internet Explorer. It is the Windows Server 2003 built-in version of the Terminal Services Advanced Client (TSAC). For the latest sample pages, go to the Microsoft Web site.

 

Administrative Tools

Terminal Services offers a number of system administrative tools. With the exception of the Services Configuration and Connections Manager snap-ins, discussed earlier, the following tools will be explored in this section:

·  Terminal Services Manager

·  The Active Directory Users and Computers snap-in and the Local Users and Groups snap-in

·  Task Manager additions

·  Client software generation and installation

·  Remote connection

·  Common commands

NOTE

Up to two such sessions can be created concurrently. However, it is strongly recommended that a single administrator session be used on a given system at one time. Additionally, Windows Server 2003 allows an administrator to connect remotely to the server console. When an administrator logs on remotely, the console is locked at the physical device. To unlock the physical server console, simply terminate the remote console session.

 

REMOTE DESKTOP MMC ADMINISTRATIVE TOOL

The Remote Desktops MMC snap-in (Figure 15.15) enables administrators to host multiple Terminal Services connections in an easily navigable tree. It is also useful for managing many Windows Server 2003 or Windows 2000 servers. By right-clicking Remote Desktops, the administrator can add further servers by selecting Add New Connection.

Figure 15.15. Remote Desktop MMC Snap-in

TERMINAL SERVICES MANAGER

Terminal Services Manager (Figure 15.16) is used to view and administer users, active sessions, and processes on terminal servers anywhere on the network. It is available from the Start menu under Administrative Tools, Terminal Services Manager.

Figure 15.16. Terminal Services Manager

The Actions menu invokes the ability to connect and disconnect sessions. Users and sessions as well as processes can be displayed by drilling down the administrative tree. Processes can be terminated at this stage.

ACTIVE DIRECTORY USERS AND COMPUTERS SNAP-IN AND THE LOCAL USERS AND GROUPS SNAP-IN

Depending on the environment, the Active Directory Users and Computers snap-in or the Local Users and Groups snap-in establishes Terminal Services settings for individual users. From the respective snap-in, select the local computer or domain, select Users, right-click the targeted user, and select Properties. Because four of the Properties tabs are important to Terminal Services, let's briefly examine them:

·  Remote control establishes the settings for individual user access to Terminal Services. Figure 15.17 shows the Remote control options.

Figure 15.17. The Remote Control Tab

·  Terminal Services Profile establishes the path and file name of Terminal Services profiles for an individual user (see Figure 15.18).

Figure 15.18. The Terminal Services Profile Tab

·  Sessions regulates the flexibility granted to an individual user with regard to session length and reconnection options. Refer to Figure 15.19 for a description of Sessions options.

Figure 15.19. The Sessions Tab

·  Environment determines which applications are to be launched at logon. The client's local disk drives and printer can be made available under Terminal Services–supported applications.

TASK MANAGER ADDITIONS

The Task Manager also monitors and administers Terminal Services. Two fields have been added to it in Windows 2000 and Windows Server 2003. These are used to view processes and to terminate them as required. The Task Manager is available by pressing CTRL+ALT+DEL and selecting Task Manager.

Load Management

With Windows Server 2003, load management can be either session-based or server-based.

·  Server load management uses Windows Management Instrumentation (WMI) to provide metrics for both network and hardware load balancing. This provides information on server availability and load, such as whether a server is up or down and how many sessions it can support. The load balancer uses this data to control server use.

·  Session load management provides a Session Directory facility. This new feature reroutes disconnected users back to their active session. The Session Directory must be started as a service on one computer that is running Terminal Services in a group of servers. Although it can also reside on another server, the service must be started through the Computer Management MMC snap-in. Each Terminal Server in the server group must enable the Session Directory access. The name of the server hosting the Session Directory must be identified together with the name of the server group that Terminal Server is joining. This action is accomplished through the Terminal Services Configuration tool under Server Settings, or WMI can be used.

Client Software and Installation

The Terminal Services client is now called Remote Desktop Connection. This software is automatically installed as an integral part of Windows XP. For clients running earlier versions of Windows, the Terminal Services Client software is available at \\Windows\system32\clients\tsclient. Both a 16-bit and a 32-bit version are available. The easiest way to make the software available for downloading is to share out the tsclient directory: right-click tsclient, select Properties, and click Share. Alternatively, the contents of the 16-bit or 32-bit directory can be copied to a diskette or other media such as a CD and then manually installed on individual systems. In all cases, the installation is accomplished by double-clicking the Setup file and following the standard prompts.

Command-Line Programs

Terminal Services provides a number of command-line programs, shown in the following list. They may be executed from the command prompt or via the Run option on the Start menu.

·  Change logon temporarily disables Terminal Service logons.

·  Change port shifts the COM port mappings required by MS-DOS programs.

·  Change user changes the .ini file mapping for the current user.

·  Cprofile deletes individual files linked to a user's profiles.

·  Dbgtrace enables or disables debug traces.

·  Flattemp enables or disables temporary directories.

·  Logoff terminates the client session.

·  Msg sends messages to a user or multiple users.

·  Query process outputs process information on Terminal Services.

·  Query session displays Terminal Services session data.

·  Query termserver outputs a list of network terminal servers.

·  Register registers an application with execution characteristics.

·  Reset session deletes a session and reestablishes a connection.

·  Shadow remotely monitors and controls a user's session.

·  Tscon connects to other Terminal Server sessions.

·  Tsdiscon disconnects a user's Terminal Services session.

·  Tskill kills a Terminal Services session.

·  Tsprof copies an existing user's configuration and modifies the profile path.

·  Tsshutdn shuts down the Terminal Services server.

TERMINAL SERVICES FROM A USER'S PERSPECTIVE

From a user's perspective, Terminal Services should provide the same rich experience as operating on a local system. If it is properly sized and configured, the user should not realize a noticeable degradation in performance.

Windows Server 2003 provides a number of enhancements that improve user access to resources through a technology called redirection. Redirection must be enabled on both the server and the client. The Terminal Services Virtual Channel application programming interfaces (APIs) support extending client resource redirection to custom applications. Using Terminal Services Remote Desktop from a Windows XP client or another RDP 5.1–enabled client, many resources are available in the Remote Desktop connection, including:

File System. The client file system is accessible through the remote desktop as if it were a set of network shared drives.

Parallel and Serial Port Device Support. Applications have access to the serial and parallel ports on the client, thereby allowing devices like scanners and bar code readers to be used locally and reflected on the server.

Printer. The default local or network printer on the client is the default printing device for the remote desktop.

Clipboard. The remote desktop and the client computer share a clipboard, which makes data interchange between them easier.

The Microsoft implementation of Terminal Services provides application server support on even minimally configured Windows-based personal computers (e.g., old 8086-class machines running Windows 3.1). Using add-on software from third-party vendors, applications can also be displayed and used from UNIX, Apple Macintosh, Java, and MS-DOS platforms. This ability to run applications such as Office 2000/XP on existing hardware, and thus preserve previous hardware investments through the purchase of Terminal Server licenses, can be very attractive.

With Terminal Services, the users of thin clients can immediately run Windows Server 2003 applications while maintaining their current, familiar environment. If the server is properly sized, the response time between a keystroke or mouse click and a displayed result should be transparent to them. This response time is predicated on persistent caching.

A user can roam among thin clients with Terminal Services and not have to log off. Instead, she need only disconnect the session and then, when she returns to the terminal or to another thin-client system, merely log back on to the same session. The user can also maintain multiple concurrent sessions from one or more clients and run several tasks at the same time. Moreover, she can easily cut and paste between terminal sessions. The cut-and-paste facilities are also supported between the local computer and the Terminal Server session.

Finally, printers that are currently operational on the local client can be recognized through Windows Server 2003 Terminal Services.

User Launching

The client software that supports Windows Server 2003 access has been renamed Remote Desktop Connection. It comes integrated with Windows XP and is available via Start, All Programs, Accessories, Communications. When the client software is installed on earlier versions of Windows, it is accessible from Start, Programs, Accessories, Communications.

Although not recommended, earlier versions of the Terminal Services Client software can also access Windows Server 2003. The reliability, stability, and security of the connection, however, are not as robust. Users of Windows 3.11 launch Terminal Services from Control Panel by double-clicking TSClient. For all other Windows versions, open the Start menu, select Programs, and select Terminal Services Client.

TERMINAL SERVICES CLIENT

To disconnect the Terminal Services Client without ending the session, press the X on the Terminal Services identification bar at the top of the screen. You will then receive a warning confirming that you are leaving the session but that the applications on the server will continue to run. The user can later reconnect where he left off. Administrators should discourage users from using this approach unless they intend to return to the session within a relatively short period of time, because applications left running consume server resources unnecessarily.

Table 15.1. Terminal Server Shortcut Keys

Shortcut Keys      Description
ALT+PAGE UP        Switches between programs going right to left.
ALT+PAGE DOWN      Switches between programs going left to right.
ALT+INSERT         Moves through programs in the order they were launched.
ALT+HOME           Displays the Start menu.
CTRL+ALT+BREAK     Switches the client between a full screen and an active window.
ALT+DELETE         Displays the Windows pop-up menu.

To end the session, select the Start menu and click Shut Down. From the Shut Down Windows dialog box, select Log Off and confirm with OK.

A number of shortcuts can be used during a Terminal Services session to streamline operations. These are listed in Table 15.1.

NOTE

To enhance the user experience, Windows Server 2003 supports Audio Redirection for RDP. This feature enables sound reproduction on a client computer with any application using wave sound. This includes enabling on-the-fly mixing, minimal performance impact of the audio stream I/O, and no user interaction requirement. Note that this feature could place a heavy load on the network.

POSTSCRIPT

Terminal Services offers a thin-client architecture that permits the retrofitting of less powerful computer systems. For an administrator, it also permits remote management of any server in the network. If only for that reason, Terminal Services should be a very popular add-on. In conjunction with other thin-client technologies, such as a Web- or Java-based implementation, Terminal Services adds a broader dimension to the Windows Server 2003 enterprise.

Chapter 16. Internet Information Services

Internet Information Services (IIS) is a fully integrated Web, SMTP, NNTP, and FTP server. Since IIS is integrated at the operating system level, it is difficult to discuss Windows Server 2003 without major reference to it.

The version of IIS (5.0) shipped with Windows 2000 has been the focus of numerous security attacks. The resulting negative publicity, together with customer vulnerability, has led Microsoft to refocus its attention on IIS. After all, if Framework is to be embraced, this underlying Internet-directed server technology must be rock solid. The Windows Server 2003 version, IIS 6.0, includes many functional enhancements and stricter security features. An example is the new Web server Security Lockdown Wizard. Although IIS 6.0 ships with default settings, security functionality can be adjusted using this wizard as part of the IIS configuration routines. Of course, it would be naïve to assert that any new release of IIS will be impervious to the determined efforts of hackers and crackers. Nevertheless, breaches of IIS 6.0 will be significantly more difficult. In addition, the ability to rapidly apply patches has been improved.

In an attempt to tighten IIS security, Windows Server 2003 has instituted several global precautionary settings. Several areas of IIS have been secured to improve security by reducing the default functionality of the Web server. Some of the more prominent changes are:

·  IIS is not automatically installed by default on Windows Server 2003 and must be explicitly installed by the administrator.

·  By default, IIS installs with the ability to serve only static pages; Active Server Pages (ASP) and other dynamic functions must be enabled explicitly.

·  ISAPI extensions and CGIs are disabled by default and must be explicitly enabled through the Web Service Extensions section in IIS Manager.

·  Application pools run under a lower-privileged identity that is a member of the IIS_WPG group.

·  The Web server core runs under an identity with lowered privileges.

Despite these default restrictions and other enhancements, IIS will probably remain a primary target for the hacker community. Therefore, it is critical that administrators monitor security alerts from Microsoft and apply appropriate patches first to nonproduction machines. Once the stability of a patch has been confirmed, and quickly, the patch should be applied to production IIS servers.

Many of IIS's technological foundations are covered in other chapters, including key integration with the Active Directory, security, and remote networking. For that reason, this chapter centers on functional aspects of IIS, specifically,

·  Concepts and features

·  Basic administration

·  The Simple Mail Transfer Protocol server

·  The Network News Transfer Protocol server

·  The File Transfer Protocol server

OVERVIEW

Internet Information Services incorporates some of the most advanced Web technologies in a single integrated set of functions. For the system administrator, IIS offers Web security, data and process reliability, Web-based application development, and management tools. A brief examination of these features should put IIS functionality into perspective.

Administrators of IIS 5.0 will find the Windows Server 2003 upgrades to IIS 6.0 operationally familiar; however, beneath the familiar interface reside significant changes to this product's basic architecture. The design of IIS 6.0 assumes an environment that is in a constant state of change. This means that any hosting software must intelligently deal with the legacy approach and the next generation of Internet applications and services. As such, it must proactively be fault tolerant with the ability to dynamically restart processes as necessary while retaining request queues. All this must be accomplished in a very secure environment.

New Manageability Features

The rapid growth of the Internet has resulted in the need for greater scalability and manageability. Increasingly, Web sites are not confined to a single server. Web farms that cluster multiple servers to perform unique functions are becoming commonplace. This reality has only increased the complexity of management. IIS 6.0 introduces two important management features that should be welcomed by any administrator. First, IIS 6.0 adds an XML-based, storage-layer replacement of the configuration store metabase. Second, Windows Management Instrumentation (WMI) support plus command-line support allow more flexible administration outside the IIS 5.0–based MMC IIS snap-in.

The metabase can be edited with built-in safeguards. The Windows Server 2003 file-change notification service alerts IIS when the metabase file has been edited. After detecting an edited metabase, IIS compares the file to the history file of the same version that resides in the History directory. Differences between the two files are evaluated and IIS uses the most recent edit. IIS formulates the appropriate Admin Base Object (ABO) API commands to apply these changes to the in-memory metabase, saves its in-memory metabase values, and creates a new history file, which is copied into the History directory. Editing is enabled by first stopping iisadmin, then setting the EnableEditWhileRunning property in the metabase to "1", and then restarting iisadmin. Alternatively, the administrator can use the IIS snap-in: open Computer Properties and select Enable Direct Metabase Edit.

XML METABASE

The XML metabase is a hierarchical store of configuration values. The information includes inheritance, data typing, change notification, and security. In versions 4.0 and 5.0, the IIS configuration store was a nonreadable and noneditable binary file called Metabase.bin. This is replaced by a plain-text, XML-formatted file that can be edited, imported/exported, and reviewed easily for troubleshooting. The XML format provides compatibility with existing public metabase APIs. IIS 6.0 extends ADSI schema and schema extensibility support. Other specific features include:

·  Automatic version and history. Changes in the metabase are automatically written to disk in a new file called Metabase.xml. Version numbers are automatically assigned so that rollback or restoration can be applied easily.

·  On-the-fly editing. Metabase.xml can be edited while IIS is running using a program like Notepad, and no reboot is required after edits are complete.

·  Configuration import and export. Using the new ABO methods Export() and Import(), configurations from any node can be moved across servers.

·  Server-specific backup. Backup and restoration can be accomplished independently on an individual server basis.
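To make the history comparison described above concrete, here is an added example (not code from the book or from Microsoft) that diffs an edited Metabase.xml against its History copy and expresses the result as ABO-style operations, flagging the ones that touch access or authentication properties. Both documents are constructed samples in the general shape of the IIS 6.0 metabase (one element per node, keyed by Location); the namespace URI, node names and property names are assumptions chosen for illustration.

```python
"""Detect what changed when Metabase.xml is edited while IIS is running.

Added example. It imitates the comparison the text describes: after the
file-change notification fires, IIS compares the edited Metabase.xml with
the History copy of the same version and turns the differences into Admin
Base Object (ABO) calls. The XML below is constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = "urn:microsoft-catalog:XML_Metabase_V64_0"  # assumed namespace URI
MBPROP = "{%s}MBProp" % NS

HISTORY_XML = """<configuration xmlns="%s">
  <MBProp>
    <IIsWebService Location="/LM/W3SVC" AllowKeepAlive="TRUE" />
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
                  ServerBindings=":80:" ServerState="2" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
                      AccessFlags="AccessRead" AuthFlags="AuthNTLM" />
  </MBProp>
</configuration>""" % NS

# Constructed edit: the port changed, the ROOT vdir gained script rights and
# anonymous authentication, and a new vdir with execute rights appeared.
EDITED_XML = """<configuration xmlns="%s">
  <MBProp>
    <IIsWebService Location="/LM/W3SVC" AllowKeepAlive="TRUE" />
    <IIsWebServer Location="/LM/W3SVC/1" ServerComment="Default Web Site"
                  ServerBindings=":8080:" ServerState="2" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT"
                      AccessFlags="AccessRead | AccessScript"
                      AuthFlags="AuthAnonymous | AuthNTLM" />
    <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Scripts"
                      AccessFlags="AccessExecute" />
  </MBProp>
</configuration>""" % NS

# Properties whose change an administrator should always review.
SECURITY_PROPS = {"AccessFlags", "AuthFlags", "AnonymousUserName",
                  "AnonymousUserPass", "AccessSSLFlags"}


def load_nodes(xml_text):
    """Return {Location: {property: value}} for every node under MBProp."""
    root = ET.fromstring(xml_text)
    nodes = {}
    for elem in root.find(MBPROP):
        props = dict(elem.attrib)
        location = props.pop("Location")
        nodes[location] = props
    return nodes


def diff_metabase(history_xml, edited_xml):
    """Compute the edits as (method, location, name, value) tuples.

    Method names follow the IMSAdminBase interface (AddKey, DeleteKey,
    SetData, DeleteData); the tuple layout is this example's own."""
    old, new = load_nodes(history_xml), load_nodes(edited_xml)
    ops = []
    for loc in sorted(set(old) | set(new)):
        if loc not in old:
            ops.append(("AddKey", loc, None, None))
            ops.extend(("SetData", loc, k, v)
                       for k, v in sorted(new[loc].items()))
        elif loc not in new:
            ops.append(("DeleteKey", loc, None, None))
        else:
            for k in sorted(set(old[loc]) | set(new[loc])):
                if k not in new[loc]:
                    ops.append(("DeleteData", loc, k, None))
                elif old[loc].get(k) != new[loc][k]:
                    ops.append(("SetData", loc, k, new[loc][k]))
    return ops


def security_relevant(ops):
    """Keep the operations that remove a node or touch access/auth settings."""
    return [op for op in ops
            if op[0] == "DeleteKey" or op[2] in SECURITY_PROPS]


if __name__ == "__main__":
    changes = diff_metabase(HISTORY_XML, EDITED_XML)
    for op in changes:
        flag = "REVIEW " if op in security_relevant(changes) else "       "
        print(flag, op)
```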

IIS WMI PROVIDER AND COMMAND-LINE ADMINISTRATION

Building on the functionality introduced in Windows 2000 WMI, IIS 6.0 leverages the programming interface to permit greater customization. Any schema extensions developed through ADSI are automatically reflected in WMI. When changes are made to the ADSI schema, they are pushed to the IIS WMI provider.

IIS 6.0 also supports administration scripts, including those shipped in the Windows\System32 folder. These VBScript files interface with the WMI provider to retrieve and set configuration data within the metabase. The scripts shipped with IIS 6.0 include:

·  iisweb.vbs to create, delete, start, stop, and list Web sites

·  iisftp.vbs to create, delete, start, stop, and list FTP sites

·  iisdir.vbs to create, delete, start, stop, and display virtual directories

·  iisftpdr.vbs to create, delete, start, stop, and display virtual directories under an FTP root

·  iiscnfg.vbs to export and import IIS configuration to an XML file

NOTE

The Web Server version of Windows Server 2003 automatically installs the new Web administration tool set. If you are deploying this version of the operating system, this toolset will provide a primary management source.

 

IIS Security Features

The IIS application suite relies on and is integrated with Windows Server 2003 security schemes. It also relies on additional standard Internet security features. This section reviews IIS high-level security; for additional information about Windows Server 2003 security and authentication, refer to Chapters 8 through 10.

Because IIS 5.0 took heavy hits on security, it seems appropriate to first underscore the enhancements made to IIS 6.0. The new preventive measures are based on analysis of the patterns displayed by the hacker community. The major improvements designed to lock down a site and apply patches include:

·  IIS Lockdown Wizard. This wizard is designed to permit administrators to enable/disable IIS features. IIS 6.0 is shipped in a locked-down state. This means that only static content such as .htm, .jpg, and .bmp is served. To make functions such as Active Server Pages or FrontPage Server Extensions available, the system administrator must enable them.

·  Configurable work process identity. As discussed later, the process architecture now isolates activities into something known as work processes.

·  IIS 6.0 runs as a low-privileged account. By default, the IIS 6.0 work process runs as a low-privileged account called *****. Running IIS 6.0 as a low-privileged account greatly reduces a hacker's ability to perform broad-based system attacks.

·  FTP user isolation. Hackers of any operating system using TCP/IP haven't been able to invade via FTP. IIS 6.0 isolates FTP from other system functions.

IIS SECURITY MECHANISMS

IIS security works in parallel with the Windows Server 2003 operating system security; the range of mechanisms includes access control, authentication, encryption, certificates, and system auditing. These are briefly examined in the following list:

·  Access control. Access control simply oversees how a user who has been granted access to the IIS server can use resources. NTFS permissions are applied to system resources in the same way as they are with any other Windows Server 2003 activity, but IIS also uses HTTP Web security specifications. In particular, WebDAV (described in greater detail later) permits navigation through files and directories. With WebDAV commands, also known as verbs, authorized users can edit, delete, and add files and directories.

·  Authentication. IIS 6.0 employs several forms of user name and password authentication.

- Anonymous Authentication uses the IUSR_computername user account, to which special permissions should be applied, if appropriate, to avoid any user gaining access beyond the public content of the Web site or FTP site. When enabled, IIS always authenticates a user through this account first.

- Basic FTP Authentication uses the user name and password associated with a specific Windows Server 2003 user account on the system. Its major downside is that passwords are transmitted without encryption and can be captured, exposing user accounts to security breaches.

- Kerberos v5 authentication is ideal for intranets in Windows Server 2003 environments. However, since it does not work in conjunction with HTTP Proxy services, it may have significant limitations on the Internet.

·  Encryption. Encryption scrambles information at one end of the communication and deciphers it at the verified receiving end. It is commonly used for financial and banking transactions such as transmission of credit card numbers. Encryption is based on the Secure Sockets Layer (SSL 3.0) protocol and its extension, Server-Gated Cryptography. In the United States and Canada, IIS encryption can use a minimum 128-bit session key rather than the 48-bit or 56-bit DES standard used in other parts of the world.

·  Certificates. Certificates are digital documents used in the authentication process. They are required when encrypted data is sent over an SSL 3.0 connection. A certificate is created through Microsoft's Certificate Authority, discussed in Chapter 11, or obtained from third-party certificate grantors.

·  Services auditing. Monitoring the IIS services for irregular activities is an important security safeguard. Auditing uses logs to detect activities that violate file and directory policies. Either Windows Server 2003 auditing features or IIS 5.0–configured logs can be employed and are generated through the Audit Policies or Internet Information Services snap-in tool.

IIS INTERNET SECURITY TECHNOLOGIES

In addition to security features employed by the Windows Server 2003 operating system itself, such as Kerberos version 5, IIS's Web-specific security schemes include the following:

·  Basic authentication is derived from the HTTP 1.0 specification and is the most widely used Web-based method for matching user names and passwords for access purposes. A password is sent in Base64 encoded format, but it is not encrypted, which means that in nonsecured environments, it can be captured by a sniffer. For this reason, Basic Authentication provides only marginal Web security. Its major advantage is that most Web browsers support this HTTP 1.0 standard.

·  Digest authentication is based on the W3C (World Wide Web Consortium) standards for HTTP 1.1. It extends Basic Authentication by using a one-way hash (or message digest) for password interpretation. The password is not decipherable from the hash, which prevents password capture in a nonsecure environment. Only advanced browsers like Internet Explorer 5.0 or later can receive data using this technology; older browsers are returned an error message.

·  Advanced Digest Authentication is based on Internet Engineering Task Force (IETF) RFC 2617. It behaves similarly to Digest Authentication except in the way user credentials are stored on the domain controller (DC). Digest Authentication only sends user credentials across the network as an MD5 hash. Advanced Digest Authentication mirrors this routine and also stores user credentials in Active Directory on the DC as an MD5 hash. This hash is known as a message digest. Advanced Digest Authentication is available for Web Distributed Authoring and Versioning (WebDAV) directories. It does not replace Digest Authentication.

·  Certificate-based Web transactions that use the PKCS #7/PKCS #10 protocols are also supported by IIS. Used with IIS certification functions, PKCS #7 establishes encryption formats for data such as digital signatures. PKCS #10 determines the request format for certificates.
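The Basic and Digest items above contrast what each scheme puts on the wire and what the server must keep. The following added example (not code from the book or from IIS) shows both: a Basic header decodes straight back to the password, whereas the Digest scheme sends an MD5 response computed from HA1 = MD5(user:realm:password), which is also the only credential value the verifier needs to store, as the text says Advanced Digest does on the DC. The realm, account and nonces are constructed sample data; the Digest computation follows RFC 2617 with qop="auth", and the single-use nonce policy is this example's own simplification.

```python
"""Basic vs. Digest (RFC 2617) credentials on the wire and at rest.

Added example with constructed sample data. Digest arithmetic follows
RFC 2617 section 3.2.2 for qop="auth"; the verifier keeps only HA1.
"""
import base64
import hashlib
import hmac
import secrets


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def decode_basic(authorization_header):
    """A Basic header is Base64 encoding, not encryption: it decodes directly."""
    scheme, _, payload = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(payload).decode("utf-8").partition(":")
    return user, password


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); the value a Digest verifier stores."""
    return md5_hex("%s:%s:%s" % (user, realm, password))


def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1, nonce, nc, cnonce, qop, ha2]))


def build_digest_header(user, realm, password, method, uri, nonce,
                        nc="00000001", cnonce=None):
    """Client side: the password never leaves the client, only the response."""
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(digest_ha1(user, realm, password),
                           method, uri, nonce, nc, cnonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", '
            'qop=auth, nc=%s, cnonce="%s", response="%s"'
            % (user, realm, nonce, uri, nc, cnonce, resp))


def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict (simple headers only)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip().strip('"')
    return fields


class DigestVerifier:
    """Server side: holds HA1 per user, issues nonces, checks responses."""

    def __init__(self, realm, ha1_store):
        self.realm = realm
        self.ha1_store = ha1_store      # {user: HA1}; no plaintext passwords
        self.issued = set()             # nonces handed out and not yet used

    def new_nonce(self):
        nonce = secrets.token_hex(16)
        self.issued.add(nonce)
        return nonce

    def verify(self, method, header):
        f = parse_digest_header(header)
        ha1 = self.ha1_store.get(f.get("username", ""))
        if ha1 is None or f.get("realm") != self.realm:
            return False
        if f.get("nonce") not in self.issued:   # unknown or replayed nonce
            return False
        expected = digest_response(ha1, method, f.get("uri", ""), f["nonce"],
                                   f.get("nc", ""), f.get("cnonce", ""),
                                   f.get("qop", "auth"))
        ok = hmac.compare_digest(expected, f.get("response", ""))
        if ok:
            self.issued.discard(f["nonce"])     # single use in this example
        return ok


def demo():
    """Constructed round trip: enrol HA1 only, challenge, answer, verify."""
    realm = "corp.example"
    server = DigestVerifier(realm, {"alice": digest_ha1("alice", realm, "s3cret")})
    nonce = server.new_nonce()
    header = build_digest_header("alice", realm, "s3cret",
                                 "GET", "/dir/index.html", nonce)
    return server.verify("GET", header)


if __name__ == "__main__":
    print("Basic decodes to:", decode_basic("Basic YWxpY2U6czNjcmV0"))
    print("Digest round trip verified:", demo())
```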
