University Computing and Networking Services
Windows NT Server
Setup and Administration

Table of Contents

  1. Introduction
    1. A Brief History of Windows NT
    2. What Is Windows NT?
    3. Windows NT Architecture
    4. Why Would You Use Windows NT?
    5. Why Would You Not Use Windows NT?
    6. A Quick Look at Windows NT
  2. Installation
    1. Before You Start
    2. Hardware Requirements
    3. File System Options
    4. Hard Drive Partitions
    5. Bootstrap Options
    6. Fault Tolerance Provisions
  3. Networking
    1. Internet Services
    2. Macintosh Support
    3. Routing
    4. Printing
    5. Network Control Panel
    6. NT Domains
    7. Client Machine Configuration
    8. Dynamic Host Configuration Protocol
    9. Browsing
  4. System Administration
    1. Responsibilities
    2. Managing User Accounts
    3. Managing User Groups
    4. Using Logon Scripts
    5. Managing Shares
    6. Mapping Shares
    7. Server Manager
    8. Services
    9. Installing Applications
    10. Disk Quotas
  5. Securing Your Systems
    1. File and Directory Level Security
    2. Share Level Security
    3. Setting Share Permissions
    4. Setting File/Directory Permissions
    5. Event Logs
    6. Emergency Repair Disks
    7. Uninterruptible Power Supply
    8. Backups
    9. Security Pitfalls
    10. Choosing Passwords
    11. Updating Windows NT
  6. Resources
    1. Publications
    2. Web Sites
    3. Listservs
  7. Exercises
    1. Exercise One
    2. Exercise Two
    3. Exercise Three
    4. Exercise Four

Introduction

A Quick Look at Windows NT

Windows NT is a network operating system that:

A Brief History of Windows NT

Windows NT is a network operating system. Its development began with a product called LAN Manager, which was based on the OS/2 1.0 operating system developed by Microsoft and IBM. The earliest version of NT was called Windows NT Advanced Server 3.1 and was released in 1993. In 1994, Microsoft released Windows NT 3.5, a more developed version of the original that required less memory and included built-in connectivity for both NetWare and TCP/IP. This version was separated into Workstation and Server editions and included tools for administering the system from Windows for Workgroups. Microsoft released Windows NT 3.51 in 1995; this version added file and directory compression and support for newer hardware. The biggest change came with Windows NT 4.0 in 1996. This version brought many changes, including but not limited to a different graphics architecture (the graphics subsystem was moved into kernel mode) and DHCP (Dynamic Host Configuration Protocol) services.

What is Windows NT?

Windows NT is a 32-bit operating system. In the most basic terms this means it uses 32-bit addresses, so each program sees a flat address space of up to 4 GB rather than the segmented memory of 16-bit operating systems. Windows NT was built to be a portable, secure, compliant, scalable, extensible, fault-tolerant and international operating system.

NT is Not a DOS Shell

Unlike Windows 95, Windows NT does not contain DOS. DOS programs run inside a DOS emulator (the NT Virtual DOS Machine, NTVDM), which is an ordinary user-mode process, and are not allowed direct access to system hardware; attempts to touch the hardware are trapped by the kernel.
 

Supported Filesystems

Windows NT supports two filesystems: the DOS File Allocation Table (FAT) and the NT File System (NTFS). It does not support the Windows 95 (Release 2) FAT32 filesystem, which was developed after the release of Windows NT 4.0. NTFS maintains a significant advantage over the FAT filesystem, namely security. FAT cannot record file ownership or file access privileges, so a file on FAT cannot be secured. NTFS allows a system administrator to control file access by assigning rights and privileges to particular groups or users.

Windows NT Architecture

A Modular Architecture

It is important for administrators to understand the architecture of Windows NT 4.0. This knowledge will help you to understand how and why certain software runs on NT. Windows NT uses a modular architecture which was designed to be efficient. This means that it includes separate and distinct software components to perform the operating system tasks. Each component is responsible for a set of tasks.

User Mode vs. Kernel Mode

There are two major modes: User mode and Kernel mode. Kernel mode is a privileged, protected level in which components have access to all hardware and memory in the system. User mode is a less privileged level: components cannot touch the hardware directly, and they reach system resources only by calling into the kernel through APIs (Application Programming Interfaces). Even a process's own address space is set up and controlled by the Kernel.

Kernel Mode

The Windows NT Executive is the main component of Kernel mode and is divided into three major parts: the Hardware Abstraction Layer (HAL), the Microkernel and the Executive Services.

The Hardware Abstraction Layer lies between the physical hardware and the Microkernel. This layer is what allows the OS to run on different platforms: the rest of the system talks to the HAL rather than directly to the chipset. The HAL enables NT services to access and control the CPU (Central Processing Unit). The HAL matching the machine is installed during the setup process.

The Microkernel is basically the traffic control center of the operating system. It schedules all threads and handles all interrupts and exceptions. In multi-processor systems the Microkernel is responsible for scheduling threads across all available processors, which is called symmetric multiprocessing. This lets the system act efficiently by using all available resources; it won't let one processor stand idle while another one does all the work. Each process is assigned a priority class, and each of its threads a priority number, which determines how quickly the thread gets the CPU. You can manually change the priority of a process (for example from Task Manager), but I wouldn't recommend it unless you are an advanced administrator. The change is not saved: when the program is restarted or the machine is rebooted, priorities are back to their default settings.

Executive Services include essential software services which are invoked by an operating system component.  Examples are I/O Manager, Process Manager, Virtual Memory Manager, and the Graphics Device Drivers and Interface services.  These services are situated just below the System Services, which act as the interface between User mode and Kernel mode.

User Mode

Windows NT was written to be backwards compatible with legacy operating systems. In order to accomplish this the developers created User mode components called environment subsystems. This is what allows different kinds of applications to run side by side, simultaneously, on the desktop. NT can run software written for many systems, including POSIX, Win32, MS-DOS, OS/2 1.x and Windows 3.x. Essentially, each one of these systems runs in its own space on Windows NT. Specifically, all Win16 applications run in one shared space by default, and each MS-DOS application runs in its own separate space. This is a great feature of Windows NT and is referred to as the Protected Memory Model.

Protected Memory Model and Preemptive Multitasking

Windows NT provides a protected memory model to help keep processes separate and private. Each process is given its own 32-bit (4 GB) virtual address space and is made to believe that it is the only process running on the system. Therefore the probability of a server crash due to a single application is reduced. One application cannot read or write the memory of another unless the kernel explicitly allows it, for example through a shared memory section both processes have opened, or to a debugger that holds the required privilege.

Windows NT uses preemptive multitasking to control the use of the processor.  The operating system does not allow a single program to maintain control of the CPU if many other programs also need to execute. Each program gets a small slice of time during which time it may use the CPU.  This is controlled by the Microkernel.

What This Architecture Does For Us

In conclusion, Windows NT is a networked operating system that runs on multiple platforms, uses protected memory, provides preemptive multitasking and implements directory and file level security.  This is what makes Windows NT a secure and robust operating system.

Why Would You Use Windows NT?

You might choose to use Windows NT if:

Why Would You Not Use Windows NT?

You might choose to use another network operating system if:

Installation

Before you Start

It's important that a few steps are taken before you start an installation.

Hardware Requirements

Microsoft's Minimum Requirements

  • 486DX/33 processor
  • 12 MB of RAM
  • 150 MB of free hard drive space
  • VGA monitor
  • CD-ROM drive

Realistic Minimum Requirements

  • Pentium-class processor, 90 MHz or better
  • 64 MB of RAM
  • 1 GB of SCSI hard drive space (this is a server, right?)
  • SVGA monitor (VGA is acceptable)
  • Fast CD-ROM drive
  • Tape backup system

For the list of supported hardware, please visit Microsoft.

File System Options

NT supports its own NTFS (NT File System) and the standard FAT (File Allocation Table). Some of the features of NTFS include: FAT lacks some of the features of NTFS; the most notable is security permissions at the file and directory level. It does, however, support long filenames just as in Windows 95. Sometimes FAT is recommended or even necessary:

Hard Drive Partitions

Drives can be partitioned any way you want; just remember to keep at least a 150 to 300 MB partition for the system. If you wish, you can make the entire drive one partition, either FAT or NTFS. However, if you make the entire drive FAT you basically throw any security aspects of Windows NT out the door. If you choose to have only one partition I would recommend NTFS. If you want multiple partitions, a 150-300 MB FAT partition for the system with the rest NTFS for users and data is a good solution. The FAT partition shouldn't be shared, because nothing on it can be protected below the share level.

Another thing to think about: FAT partitions can be converted to NTFS in place with the convert.exe tool, but NTFS cannot be converted back to FAT without reformatting.

FAT will not handle more than 4 GB (2^32 bytes) per partition. NTFS should handle up to 2 TB (2^41 bytes).
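The conversion mentioned above, as an added example that is not part of the original handout: a batch file that checks what file system a volume carries before handing it to convert.exe, and stops if the volume is already NTFS. It assumes the drive letter is passed as the first argument, and that chkdsk reports the file system on a line worded "The type of the file system is FAT." (the NT 4.0 wording); both are assumptions of this example.

```batch
@echo off
rem Added example, not from the original handout: check a volume's file system
rem and convert it from FAT to NTFS in place with convert.exe.
rem Assumptions: the drive letter is passed as the first argument (e.g. "D:"), and
rem chkdsk reports the file system on a line of the form
rem "The type of the file system is FAT." (the usual NT 4.0 wording).
if "%1"=="" (
    echo Usage: %0 drive:
    goto :EOF
)

rem chkdsk without /F only reads the volume; the file system is the 8th word of
rem its report line (including the trailing period).
set FSTYPE=
for /f "tokens=8" %%t in ('chkdsk %1 ^| find "The type of the file system is"') do set FSTYPE=%%t

if "%FSTYPE%"=="" (
    echo Could not determine the file system on %1
    goto :EOF
)
echo %1 is currently %FSTYPE%
if /i "%FSTYPE%"=="NTFS." (
    echo Nothing to do.
    goto :EOF
)

rem This direction only: NTFS cannot be converted back to FAT without reformatting.
rem If the volume is in use (the system partition, or anything with open files)
rem convert offers to schedule the conversion for the next reboot.
convert %1 /FS:NTFS
if errorlevel 1 echo Conversion did not complete; see the messages above.
```

Run it as an administrator, for example as "convert-to-ntfs.bat D:". Because the conversion is one-way, take a backup first; the script deliberately does not pass any switch that would suppress convert's own confirmation prompts.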

Bootstrap Options

It is possible to dual-boot an NT Server or Workstation. For a workstation it may actually be necessary, but a server should run NT as its sole operating system. If you have a workstation and choose to dual-boot it, there must be a FAT partition for Windows 95 or DOS; NT can read files in that partition, and the other system can reach files NT keeps there, but neither DOS nor Windows 95 can read NTFS. NT's OS Loader must be on the FAT partition if you are using it to load both systems. There are third-party tools that will let you boot other operating systems alongside NT.

If you plan to dual-boot NT and Windows 95, install Windows 95 first. Windows 95 overwrites the master boot record and boot sector, and if installed second it will overwrite the data NT needs to boot.

Fault Tolerance Provisions

Windows NT permits the use of software-driven fault tolerance. This means it is possible to configure your machine to keep running in the event of a disk or disk controller failure. Windows NT also allows for hardware-based fault tolerance. NT's fault-tolerance disk driver is ftdisk.sys. It allows: Software fault tolerance can be implemented on the boot partition, but because NT must load before the fault-tolerance driver starts, a special fault-tolerant boot floppy must also be created so the system can still be started if the first disk fails.

Good server class machines are available with hardware fault tolerance which may be not only safer but also faster. The use of hardware fault tolerance should make your server easier to manage and machines are available with hot swappable drives which may be replaced as the machine is running with no down time and no noticeable performance hit. The system processor isn't burdened with the overhead of the processes because the RAID controller handles the parity.


Networking

NT was designed to be used in a networked environment. NT uses NetBIOS to communicate with other NT machines, Windows 95/98 machines and Windows 3.11 machines. NetBIOS is a naming and session interface rather than a transport of its own; it will run over: At UGA we recommend TCP/IP. NetBEUI is not routable and so is not suitable for large routed networks such as the one we use on campus; we are no longer routing NetBEUI on the campus.

It's important that you get IP addresses assigned to you from your Domain Network Liaison or from the Network Information Center (NIC) before you begin installation. You should also request a name from the NIC to correspond to the IP address.

Internet Services

Will you be running? These services come free with Windows NT Server in the form of IIS (Microsoft's Internet Information Server), or from third-party vendors such as Netscape. They require TCP/IP, so an IP address should be requested from the Network Liaison for your department and a name should be registered with the NIC for that address.

Macintosh Support

If you will be sharing data via AppleTalk you will need to turn on Services for Macintosh. This will allow your NT server to advertise itself as an AppleTalk device and allow people to copy Mac documents and programs to and from your server. You will need to know what AppleTalk zone to place your NT server into so that your clients will be able to use it easily. Do not turn on AppleTalk routing unless you are specifically working with someone in the LANS department of UCNS. Turning on AppleTalk routing has the ability to negatively affect networking campus wide.

Routing

Don't.

Please do not take it upon yourself to enable routing or the Routing Information Protocol (RIP) unless you are very familiar with routing. Running either or both can damage campus wide connectivity and could result in serious problems within the campus network. Please don't implement any form of routing or any routing protocol without working with someone in the LANS department of UCNS.

Printing

NT will allow users to access local and networked printers, including Macintoshes and Netware printers. Local printers only require an available parallel port and drivers for the printer. NT comes with software to support most popular printers and printer vendors will most likely have NT software if the printer is newer than the OS release.

Printers that are networked with Microsoft networking must be shared from a computer via Microsoft networking and be accessible from the server.  This is true even for network-attached printers which have their own network card.  When you install a networked printer on a client, you are actually installing a logical printer which directs the print job to the print server.  This is termed 'connecting to a printer.'  When you install a printer which is physically attached to a computer via a parallel or serial cable, it is termed 'creating a printer'.  These two terms are often confused.

Windows NT (as well as the 9x's) have a feature called 'Drag and Drop Printing.'  This feature allows you to simply find the printer you wish to connect to using Network Neighborhood and drag it to the desktop which will initiate the installation of the appropriate drivers by the operating system.

Printer Services let you expand the client base from which you can print by adding services for NetWare and Macintosh clients.  TCP/IP printing adds LPD (Line Printer Daemon) and LPR (Line Printer Remote) functionality to the NT print system.  This allows Unix and other TCP/IP clients to print to NT-hosted printers, and NT clients to print to printers hosted by Unix print servers.  NetWare-hosted printers require either File and Print Services for NetWare or a NetWare client installed on the server.  For most NT servers the installation of a NetWare client is not recommended.

Network Control Panel

The network control panel is central to configuring your server. It will allow you to setup:

Identification


The identification tab allows you to specify your Computer Name and Domain.  The identity of a computer can be changed by clicking on the Change button.

The Computer Name should be 15 characters or less and should be a unique name on your network (in our case, the campus network)  The Domain can be any existing Domain  within the network or a new Domain.  You may not add a second Primary Domain Controller to an existing domain.

Services

 Certain services are here by default.

Other services are available, such as: These services should be installed only as needed.  They can cause excess load and security problems when not properly configured, and may also affect the campus-wide network, so make sure you have researched a service before you install it.  Don't install everything available during the initial NT installation!  You can always go back later and add services as needed, and every service you do not run is one less thing listening on the network.

Protocols

These are the network protocols that are used to talk to other computers.

The main protocols for use on campus are TCP/IP and IPX/SPX.  NWLink is Microsoft's IPX/SPX implementation, and NWLink NetBIOS lets NetBIOS traffic run across IPX/SPX.

Adapters

This control panel is used to set up the network adapter, also called Network Interface Card (NIC), for your server.  These adapters are usually added at installation and are sometimes even detected by NT, though it is not really a plug and play operating system.  Even if the adapter is detected, I think it is much safer to manually install the NT drivers which shipped with the card or from the vendor's web site.  This way you can ensure that the card is being correctly used by the computer and is fully utilizing the services that it offers.  To add a new network adapter, simply click Add and either pick the card from a list of vendors and cards or choose Have Disk and browse for the appropriate drivers on a disk or your hard drive.  Making sure that you have the correct and current NT drivers for your card in advance of your installation may save you a lot of time!


 

Bindings

These tell what services and protocols are bound to what devices.  You can move the order of the binding up or down, to meet the needs of your server.  Consider the following example.  If you primarily utilize TCP/IP, but have other protocols installed,  TCP/IP should be bound first to the NIC, so that it is the first protocol attempted in a network call.


 

WinMSD

WinMSD (Windows NT Diagnostics) is invaluable for determining the exact hardware configuration of a system.  It is a graphical tool, but it can also be run from the command line with switches that write its report to a file, which is handy for documenting a server.  It provides a real look at the current settings, including resource use of the machine.  It is located in the c:\winnt\system32 directory.  This is a very useful tool for documenting all system hardware components and drivers.  It is also the place to look for conflicts in IRQs, DMA channels and I/O address ranges.
 
 

Link to the  Network Control Panel exercise.

NT Domains

Servers can be set up in domains or workgroups. The premise behind the domain is that one or more servers share a common element, the domain, and workstations join the domain by logging into it. This gives administrators a single point of administration for accounts, shares and printers. There may be multiple domains, which may or may not have a trust relationship with each other. Servers in the domain can be configured as stand-alone servers or domain controllers. The major difference is that only domain controllers hold a copy of the domain's account database and can authenticate domain logons; a stand-alone server only knows its own local accounts.

In order to create a domain you must start by building a server.  The first server must be configured as the primary domain controller (PDC).  This is the central repository of administrative and security information: the PDC maintains the master copy of the Security Accounts Manager (SAM) database.  Once the PDC has been created, any machine added to that domain is assigned a unique identifier by the PDC.  Other servers may then be installed as backup domain controllers (BDCs), which assist the PDC in handling authentication.  A BDC keeps a replica of the account database; the Netlogon service on the PDC replicates changes to the BDCs.  When a password or other security item is changed, it is always changed on the PDC, and the BDCs merely keep copies.

Microsoft recommends one BDC for every two thousand users.  This really depends upon your network.  If you have 300 people trying to log in at 8 am every morning, you may want to add another BDC to help with the load.  If you have multiple locations, you will want a BDC at each location so logons don't have to cross a WAN link.

It's possible for a server to be neither a PDC nor a BDC and be installed as a stand-alone server. This is useful for a dedicated Web or FTP server that needs all of its power for those tasks and doesn't need the extra load that domain administration might cause.  If you configure a server as a stand-alone server you may not change its status without reinstalling the server.  Thus, the role of each server needs to be well thought out before installation.

A PDC can be moved/renamed to a brand new domain, but not into an existing domain.  A BDC cannot be moved to another domain without reinstalling the server.

Any computer running MS networking that is not in a domain is automatically part of a workgroup (even if it is the only machine in the workgroup.)

Client Machine Configurations

For Windows 95 and Windows NT Workstation the "Client for Microsoft Networks" is usually installed by default. It also installs NetBEUI by default. You should remove NetBEUI and add TCP/IP, either during the install or later from the Network control panel.

You should set your machine name to its NetBIOS name and set your Workgroup to the name of the domain you wish to join.   When a client machine is placed in an existing domain you also need to create a computer account for the machine. You will need a user name and password for an account with the right to create machine accounts in the domain (usually a member of Domain Admins). The computer account can also be created ahead of time with Server Manager for the domain you are adding the computer to.

By highlighting the client for Microsoft Networks and clicking on properties you will get the chance to place the Win95 machine into the domain.

Much of this is taken verbatim from the Windows 95 networking configuration document -- http://www.uga.edu/~ucns/lans/docs/win95doc/ -- which covers setting up Windows 95 networking on campus.

Dynamic Host Configuration Protocol (DHCP)

DHCP lets you assign IP addresses dynamically and/or reserve particular IP addresses for particular Network Interface Cards (NICs). On campus the best solution is to statically assign, or reserve, addresses for known NICs by their hardware address. The reason you do not want to hand out addresses to any NIC that asks is that any computer on your physical subnet or leg of the broadband can request, and will receive, an address from your DHCP server until you run out.  Your own clients may then be unable to get the addresses they need because your server gave them to someone in a different department on campus. The installation of DHCP itself is simple and straightforward. There is also a way to pass DHCP requests across a leg of the backbone with the DHCP Relay service.

A static form of DHCP is also a good way to keep NIC and IP records since they should all be in the DHCP data records.

Browsing

Browsing across subnets on campus is easy if you enable WINS on both your servers and clients.  WINS (Windows Internet Name Service) is NetBIOS name resolution software.  We have two WINS servers on campus which serve the entire campus.  Without WINS you cannot browse for Microsoft resources outside your broadcast domain, because NetBIOS names are otherwise resolved by broadcast.

System Administration

Responsibilities

The NT system administrator is responsible for:

Managing User Accounts

The most common way to create small numbers of users is by using the "User Manager" or "User Manager for Domains" tool. It can be found from the "Start" menu under "Programs" and "Administrative tools(Common)".

Adding a new user is as easy as clicking on "User" and selecting "New User".

The New User dialog will come up and ask you for a username, full name and password. You will also have the option of setting password restrictions, stating whether or not the password expires, and disabling or re-enabling the account. After selecting this you might want to add your user to some groups. Click "Groups".

Groups that are already created are shown and can be selected by double clicking or by single clicking and then clicking Add. You can see the groups the user belongs to and also those to which he/she doesn't belong. When you finish click "OK".

After groups you might want to set up some profiles or a home directory. Click "Profiles".

Profiles are simply a place to store a user's preferences, so that when a user logs into a different machine than normal the desktop should still look familiar, icons in the same places and so on. The logon script is a way to map drives for a user and run certain programs when they log in; this helps to maintain a consistent environment across different machines. Roaming profiles work with Windows NT clients only. The home directory can be a local or remote directory where the user's files are stored. It won't be created in a place where the user has no rights.

Click on cancel to return the NEW USER dialogue box.  Click on "Hours".

Here you can set the hours during which the user may log on to the domain.  By default this only prevents a logon outside those hours; it will not close down an open connection unless the Account Policy option "Forcibly disconnect remote users from server when logon hours expire" is turned on.

Click on Cancel to return the NEW USER dialogue box.  Click on "Logon To".

Here you can decide which machines a user can log in from.

Click on Cancel to return to the NEW USER Dialogue box.  Click on "Account".

You can set an expiration date for an account.  This is useful for temporary employees.


Managing User Groups

Why put users into groups?

There are two types of groups:

Creating User Groups

Groups can be added more or less in the same way as users. In the User Manager Dialogue box  click on "User" and then on "New global group".

Just fill out the name of the group and add the members.
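The user and group setup described in the two sections above, done from the command line instead of User Manager for Domains, as an added example that is not part of the original handout. It uses net.exe, which ships with NT 4.0; the user name jdoe, the group Staff, the share \\Clockwork\Users and the script name staff.bat are invented for the example, and it assumes it is run by a member of Domain Admins against the PDC.

```batch
@echo off
rem Added example, not from the original handout: create a domain user and a
rem global group with net.exe instead of User Manager for Domains.
rem Assumptions: run as a member of Domain Admins; /DOMAIN sends each change to
rem the PDC. The user jdoe, group Staff, share \\Clockwork\Users and script
rem staff.bat are invented names. The /EXPIRES date format follows the machine's
rem locale (mm/dd/yy here).
setlocal
set NEWUSER=jdoe
set NEWGROUP=Staff

rem "*" makes net user prompt for the password, so it never sits in this file.
rem /TIMES restricts logon hours (only new logons are blocked; see Account Policy
rem for forced disconnects), /EXPIRES disables the account on that date (the
rem "Account" button, useful for temporary staff), /SCRIPTPATH is relative to the
rem NETLOGON share, and /PASSWORDCHG:YES lets the user change the initial password.
net user %NEWUSER% * /ADD ^
    /FULLNAME:"Jane Doe" ^
    /HOMEDIR:\\Clockwork\Users\%NEWUSER% ^
    /SCRIPTPATH:staff.bat ^
    /TIMES:M-F,8am-6pm ^
    /EXPIRES:12/31/99 ^
    /PASSWORDCHG:YES ^
    /DOMAIN
if errorlevel 1 goto fail

rem Create the global group, then add the user to it (the "Groups" button).
net group %NEWGROUP% /ADD /COMMENT:"Departmental staff" /DOMAIN
net group %NEWGROUP% %NEWUSER% /ADD /DOMAIN
if errorlevel 1 goto fail

rem Verify: net user shows logon hours, expiry and group memberships;
rem net group lists the members.
net user %NEWUSER% /DOMAIN
net group %NEWGROUP% /DOMAIN
goto :EOF

:fail
echo Account setup failed; see the error above.
```

Because the account is created before it is added to any group, it is a member of Domain Users only at that point; rights on shares and directories should be granted to Staff, not to the individual, so that the membership change is all that is needed when someone joins or leaves.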

Link to the User/Group Management Exercise.

Using Logon Scripts

Logon scripts in the Windows NT environment are batch files used to map network drives and start programs as the user logs on to the domain. A logon script is assigned to a user through the Profile button in User Manager. By default logon scripts are stored on the PDC in the following directory:
 <system root>\system32\Repl\Import\Scripts
which is shared as NETLOGON. The system root directory is usually "c:\winnt" but can be different depending on how the machine was installed. If the logon script is in the default location, only the name of the script needs to be specified; if it is elsewhere, the path must be given. If you use logon scripts and have BDCs, you must enable directory replication for the scripts to reach the BDCs: a client that authenticates against a BDC reads the script from that BDC's NETLOGON share, and simply runs nothing if the file is not there.  There is a good TechNet article regarding logon scripts.
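A logon script of the kind described above, as an added example that is not part of the original handout. It assumes a server named Clockwork with shares "public" and "Users" (both invented names) and is meant to be saved in the NETLOGON directory on the PDC and named in the user's Profile dialog. It branches on client type because Windows NT and Windows 95 run the same script with different versions of net.exe.

```batch
@echo off
rem Added example, not from the original handout: a domain logon script kept in
rem <system root>\System32\Repl\Import\Scripts on the PDC (the NETLOGON share).
rem Assumptions: a server named Clockwork with shares "public" and "Users"
rem exists; both names are invented for this example.

rem Windows NT clients define %OS% as Windows_NT; Windows 95 clients do not,
rem so this is the usual way to branch on client type inside one script.
if "%OS%"=="Windows_NT" goto NT_CLIENT
goto WIN95_CLIENT

:NT_CLIENT
rem /home maps the home directory set in User Manager for this user.
net use H: /home
rem Drop any leftover G: mapping first, so a connection made earlier under a
rem different account cannot shadow the new one; /persistent:no keeps the
rem mapping from being replayed at the next logon.
net use G: /delete >nul 2>&1
net use G: \\Clockwork\public /persistent:no
if errorlevel 1 echo Could not connect G: to \\Clockwork\public
rem Set the workstation clock from the server so event log times line up
rem when you have to correlate entries across machines.
net time \\Clockwork /set /yes >nul
goto DONE

:WIN95_CLIENT
rem The Windows 95 net.exe has no /home or /persistent switch, and command.com
rem cannot redirect stderr, so this branch keeps to the plain form.
net use G: \\Clockwork\public
goto DONE

:DONE
```

The script never embeds a user name or password; every mapping reuses the credentials of the logon session, which is what makes it safe to place in a share every domain user can read.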

Managing Shares

Shares can be added through Windows NT Explorer or through the Server Manager (Start, Programs, Administrative Tools, Server Manager).

 It is possible to open shares on remote computers using the Server Manager . The computer selected in this example is called Clockwork. By clicking on "Computer" and then on "Shared Directories" you'll see the shares on the machine Clockwork.

Selecting "New Share" will give you the opportunity to add a new share to the machine.

Select your path and share name and click permissions to set them as a share. Then in the Server Manager you should see your new share.

Another way to view the shares on a computer is to double click on the computer in Server Manager.

Select "Shares" to see the available shares.


 

Mapping Shares

Windows 95 and Windows NT let you add drive letters that point to shares, either by pointing and clicking on available shares or with the net use command. If you wanted to map the drive letter G: to a shared directory called "public" on the NT server Clockwork you would simply type:
 net use g: \\Clockwork\public
If you don't find the command line attractive there are a few other ways to map a driveletter to a share. One way is to double click on the Network Neighborhood icon. The browser should pop up and show you something similar to this.

Once inside the Browser you can choose the computer.  If it is not visible, doubleclick "Entire Network".  If you are looking for a Windows share doubleclick "Microsoft Windows Network".  Its possible that this window will be skipped if you only have the MS client installed.

Choose the Workgroup or Domain that your target computer is in. In this case the Domain is called UGACLASS.

Pick your target machine. We will use BDC for this example.
 

Then choose the share you wish to map. We'll map to the NETLOGON directory.

Clicking the right mouse button over the NETLOGON icon will give you these options. Choose "Map Network Drive..."

The following window will pop up and let you choose which drive letter to use and who to connect as. Leaving "Connect As" blank makes NT or Windows 95 try your current user name and password; since the share is on another machine you must authenticate to it. There is also the option to reconnect at logon. This can be useful, but only use it if you want to connect to that share every time you log on.  If you map a drive as an administrator on a user's machine with reconnect at logon set, every time that user logs in they will be prompted for a password (yours) to reconnect.

Now L: looks like a regular drive except that instead of a disk drive icon there's a networked drive icon.  As seen in Explorer:


 

Server Manager

The Server Manager acts as an essential tool for administering the domain.  Here are some of the administrative functions that it contains:
 

Services

A service is a process that does not require a user to be logged on in order to run.  It really acts as part of the operating system.  Services are a good place to start troubleshooting; sometimes stopping and restarting a service will get things moving again.  Some services have dependencies, where another service must be running before this one can start.
 

Installing Applications

There are two big concerns with installing applications: serving the application correctly to the users, and making sure the application does not breach the security of the server, which could leave the domain, machine or users in an insecure state.

Can they use the application? If they can't it might as well not be on the server. Often times things will work fine for you logged in as an adminstrator but not for anyone else. For this reason test the program as a regular user. The users must have enough rights for the program to work.

Are you creating a breach in security?  You don't want just any user to write things into the system directory or overwrite the NT kernel with a poorly named MS-Word document. This means that there are certain areas where normal users can't be allowed.  Often it seems that the off-limits areas are exactly where the program wants to write its temp files. In order to fulfill both of your primary duties in this area you have to make a compromise between the amount of useability needed and the value of your data or machine.

Disk Quotas

Disk Quotas are used to limit the amount of space a user can utilize on a shared space or in their home directory on the server.  Unfortunately, Windows NT 4.0 was not released with Quota Management tools, but if you have a need for something like this there are third party tools available.  Quota Advisor is the first one that comes to mind, but I think there are several.

Securing Your Systems

When a Windows NT Server 4.0 is installed using the NTFS filesystem there are two types of security. Share-level security and File and Directory level security.

Share level security applies strictly to users connecting via a network. File and directory level security applies to users local to the machine as well as those who connect via a network.

File and Directory Level Security

Files and directories need to allow different levels of access based on group, user, and purpose. There are six basic permissions for directories:

R  Read
W  Write
D  Delete
X  Execute
P  Change Permissions
O  Take Ownership

All of these permissions may be set for directories; but they are grouped for ease of use as shown in the following diagram:


 

Permissions on files are limited to No Access, Read, Change and Full Control.

There is another type of permission, shown above, called Special Access; there is one for files and another for directories. It lets you set exactly the individual permissions you want without using the standard "sets" of permissions.

Here are some examples of directories and how their permissions should be set:

Share Level Security

Shares are the means by which users connect to resources on another computer. Share-level security is less flexible than file- and directory-level security. There are four permission levels which apply to a share. When accessing a share, you must consider both the file- and directory-level security and the share-level security: the more restrictive of the two applies. If you are sharing from a FAT partition, share-level security is the only security you can apply, since FAT has no security of its own.

Setting Share Permissions

To set up share permissions, right-click on the file or directory you want to share and click "Sharing". Name the share and determine the number of machines you want to be able to connect to the share.

To set Share permissions, click on the Permissions button.

You can add or remove permissions for various groups and users.  Click on "Add".  You can list all the users by clicking "Show Users."


Setting File/Directory Permissions

Right-click on a file or directory from within Explorer and click on "Sharing". You should see the following dialog box:
 

Click on the Security tab and then click on "Permissions".

You should see the following dialogue box:

You may add or remove users and groups, or alter the permissions for users and groups.

Event Logs

The Event Viewer administrative tool can be helpful in troubleshooting problems with your system and can also warn you of potential future problems. It is divided into three logs: system, application and security. It gives an up-to-the-minute history of all events on a Windows NT Server. You can set it to monitor as many or as few events as you need. Make sure that you set the log file size appropriately, or it can take over your machine! Also, this tool is only as good as the person who is using it. You need to look at your logs regularly to stay on top of what is going on in your network.
 


Emergency Repair Disks

During installation, you will be prompted to let the system create a repair disk.  This disk contains important system information which can help to restore your server in the event of a failure.  The following files are contained on the disk:

Setup.log - an information file created during the setup process.
System._ - a copy of the SYSTEM hive from the Registry.
Sam._ - a copy of the SAM from the Registry.
Security._ - a copy of the SECURITY hive from the Registry.
Software._ - a copy of the SOFTWARE hive from the Registry.
Default._ - a copy of the DEFAULT hive from the Registry.
Config.nt - a copy of the Windows NT version of the DOS CONFIG.SYS file.
Autoexec.nt - a copy of the Windows NT version of the DOS AUTOEXEC.BAT file.
Ntuser.da_ - a copy of the default user profile.

When using the Rdisk.exe utility, you have two options: Update Repair Info and Create Repair Disk. Make sure that you update the repair information regularly, which refreshes the %systemroot%\system32\repair folder. Once updated, use the rdisk utility to create a new Emergency Repair Disk, which copies the information from the %systemroot%\system32\repair folder to the disk.

Uninterruptible Power Supply (UPS)

Use one. Your server is sensitive to power fluctuations and outages. Get one with software that can bring your server down gracefully during a power outage. The server caches information in memory and doesn't always write to disk immediately. This means that just snapping it off in mid-stream can cause damage that may require you to rebuild from backups.

System Backups

Even if you choose to use hardware or software disk fault tolerance it is still imperative that you have a backup scheme. The more important the data on your server the more thought should go into this. Computers can be stolen. Drive controllers could start writing 0s to disk. Buildings catch on fire.

A good scheme might be weekly full backups and daily incremental backups. You might keep full backups for a month and incrementals for a week. You may also choose to keep duplicate backups or older backups off site. It's also important that your tapes can hold all of the data that you are generating.
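The scheme above is easy to state and easy to get wrong, because a restore needs more than one tape. The following added example (not code from the original page) models the weekly-full/daily-incremental schedule with the retention periods suggested above, and answers the two questions that matter on the day of a failure: which tapes are needed to rebuild the server as of a given date, and whether every tape in that chain is still on the shelf. The dates, the choice of Sunday for the full backup, and the reading of "a month" as 28 days and "a week" as 7 days are constructed assumptions.

```python
"""Model of a weekly-full / daily-incremental tape rotation.

Added illustration, not code from the original page. Assumptions (constructed):
full backups run on Sunday, 'a month' of full retention means 28 days and
'a week' of incremental retention means 7 days, both counted from the date the
tape was written."""

from datetime import date, timedelta
from typing import List, Tuple

Tape = Tuple[date, str]          # (date written, "full" | "incremental")

FULL_RETENTION = timedelta(days=28)
INCR_RETENTION = timedelta(days=7)


def backup_schedule(start: date, days: int, full_weekday: int = 6) -> List[Tape]:
    """Return one tape per day: a full on full_weekday (Mon=0 .. Sun=6),
    an incremental on every other day. The first day is always a full,
    since an incremental with no preceding full cannot be restored."""
    tapes = []
    for i in range(days):
        day = start + timedelta(days=i)
        kind = "full" if (i == 0 or day.weekday() == full_weekday) else "incremental"
        tapes.append((day, kind))
    return tapes


def restore_chain(schedule: List[Tape], as_of: date) -> List[Tape]:
    """Tapes required to rebuild the data as of 'as_of': the latest full backup
    on or before that date plus every incremental written after it, in order."""
    fulls = [d for d, k in schedule if k == "full" and d <= as_of]
    if not fulls:
        raise ValueError("no full backup on or before the requested date")
    last_full = fulls[-1]
    chain = [(last_full, "full")]
    chain += [(d, k) for d, k in schedule
              if k == "incremental" and last_full < d <= as_of]
    return chain


def retained(schedule: List[Tape], today: date) -> List[Tape]:
    """Tapes still on the shelf on 'today' under the stated retention policy;
    everything else has been recycled."""
    keep = []
    for d, k in schedule:
        if d > today:
            continue
        limit = FULL_RETENTION if k == "full" else INCR_RETENTION
        if today - d < limit:
            keep.append((d, k))
    return keep


def can_restore(schedule: List[Tape], today: date, as_of: date) -> bool:
    """True only if every tape in the restore chain for 'as_of' is still retained."""
    needed = set(restore_chain(schedule, as_of))
    return needed <= set(retained(schedule, today))


if __name__ == "__main__":
    # Constructed sample: five weeks starting Monday 3 January 2000.
    sched = backup_schedule(date(2000, 1, 3), 35)
    today = date(2000, 2, 4)
    for as_of in (date(2000, 2, 2), date(2000, 1, 29), date(2000, 1, 23)):
        print(as_of, "restorable:", can_restore(sched, today, as_of))
```

Run the block and note the middle case: the state as of 29 January is not restorable on 4 February even though that tape is only six days old, because its chain also needs the incrementals from 24 to 28 January, which a flat seven-day rule has already recycled. The practical caveat is that an incremental tape is only worth keeping for as long as the full backup it depends on is kept, so retention for incrementals should be tied to the next full backup rather than to the calendar.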

Keep the following things in mind:


A Security Pitfall inherent in NT

Consider the following situation:

Even though the Administrators group has full rights, no one can do anything with the directory. Every administrator is also a member of the group Everyone, and since Everyone has No Access, and No Access overrides all other rights, this folder is effectively locked to all.

Remember! The No Access right supersedes all others. If you give yourself Full Control on the subdirectories but No Access on the parent directory, you cannot get to the subdirectories.
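The two rules that bite here, No Access overriding everything else within an ACL and the more restrictive of share and NTFS permissions winning for network users, are worth seeing evaluated mechanically. The following is an added example written for this page (not code from the original page or from Microsoft) that models that evaluation for the Share Level Security section and for the pitfall above. The user names, group memberships and ACLs are constructed sample data, and the expansion of Read, Change and Full Control into the individual R/W/D/X/P/O rights is an assumption for illustration.

```python
"""Model of Windows NT 4.0 effective-permission evaluation.

Added illustration, not code from the original page or from Microsoft. Rules
encoded, as the page states them:
  * within one ACL, a matching No Access entry overrides every other entry;
  * otherwise a user's rights are the union of what is granted to the user and
    to every group the user belongs to (every account is in Everyone);
  * a user coming through a share gets the intersection (most restrictive) of
    the share result and the NTFS result; on FAT only the share ACL exists.
Group memberships, users and ACLs below are constructed sample data."""

from typing import Dict, FrozenSet, Optional

NO_ACCESS = "No Access"

# Assumed expansion of the standard sets into the individual rights the page
# lists: R read, W write, D delete, X execute, P change permissions, O take ownership.
STANDARD_SETS: Dict[str, FrozenSet[str]] = {
    "Read": frozenset("RX"),
    "Change": frozenset("RWXD"),
    "Full Control": frozenset("RWXDPO"),
}

# Constructed sample group memberships; Everyone is implicit for every account.
GROUPS: Dict[str, FrozenSet[str]] = {
    "Administrators": frozenset({"alice"}),
    "GroupX": frozenset({"alice", "bob"}),
}

Acl = Dict[str, str]   # principal name -> standard set name or NO_ACCESS


def principals_for(user: str) -> FrozenSet[str]:
    """Every principal an ACL entry could match for this user."""
    groups = {g for g, members in GROUPS.items() if user in members}
    return frozenset({user, "Everyone"} | groups)


def effective_rights(acl: Acl, user: str) -> Optional[FrozenSet[str]]:
    """Evaluate one ACL for one user.

    Returns the granted rights (possibly empty when nothing matches), or None
    when any matching entry is No Access, which supersedes all other entries."""
    rights = set()
    for principal in principals_for(user):
        entry = acl.get(principal)
        if entry is None:
            continue
        if entry == NO_ACCESS:
            return None
        rights |= STANDARD_SETS[entry]
    return frozenset(rights)


def network_access(share_acl: Acl, ntfs_acl: Optional[Acl], user: str) -> Optional[FrozenSet[str]]:
    """Rights for a user reaching a directory through a share.

    ntfs_acl is None for a FAT partition, where only the share ACL applies.
    Otherwise the result is the intersection of the two evaluations, and a
    No Access on either side denies everything."""
    share = effective_rights(share_acl, user)
    if ntfs_acl is None:
        return share
    ntfs = effective_rights(ntfs_acl, user)
    if share is None or ntfs is None:
        return None
    return share & ntfs


if __name__ == "__main__":
    # The pitfall from the text: Administrators Full Control, Everyone No Access.
    locked = {"Administrators": "Full Control", "Everyone": NO_ACCESS}
    print("alice on locked dir:", effective_rights(locked, "alice"))      # None
    # Share grants Read only, NTFS grants Full Control: Read wins.
    print("bob via share:", sorted(network_access({"Everyone": "Read"},
                                                  {"GroupX": "Full Control"}, "bob")))
```

The None result for alice is the point of the pitfall: being an administrator does not help, because the No Access entry for Everyone matches her too. The only fix is to remove that entry (or replace it with an explicit grant), not to add more rights elsewhere.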

Choosing Passwords

Password selection is an extremely important facet of security:

Updating Windows NT

Like many products released today Windows NT has its share of "features." There are "Service Packs" and "hotfixes" to get rid of some of the more undesirable features.

Service Packs are cumulative, meaning the latest service pack should contain any "good" or wanted features from previous service packs and the hotfixes which applied to previous service packs. It is generally a good idea to patch to the latest service pack.

Hotfixes are specific patches for bugs or security holes. Many of these patches are very specific to certain applications or security holes. I don't recommend applying all hotfixes unless:

Hotfixes must be applied in the order they were released, as some hotfixes modify the same files. If you apply an old hotfix over a newer one, you could either undo a good fix or cause system instability.

 Current patches for Windows NT 4.0 can be found at:

 http://harpo.dev.uga.edu/~jones/nt/patches.html
 


System Policy

You can enable system policies for users, groups or computers by using the System Policy Editor. This tool is located in Administrative Tools. Once a policy is created, the file NTConfig.pol is stored in the \Netlogon folder of the PDC. When a user logs into the network, Windows NT looks for a policy file and, if found, applies it to the local registry. If the user cannot log in to the network for some reason, NT uses the locally cached version of this file.

Resources

There are many resources available....

Publications

Here are just a few of the resources that I rely on:

Windows NT Power Toolkit by Stu Sjouwerman and Ed Tittel (ISBN # 0-7357-0922-x)  Stu runs the NTSysadmin listserv, which I think is the best on the web!  This book stays on my desk.

Windows NT Security Guide by Stephen A. Sutton (ISBN# 0-201-41969-6)  A good read that will help you lock down your NT boxes.

The Windows NT and Windows 2000 Answer Book by John Savill (ISBN# 0-201-60636-4)  John runs the NTFAQ site and resides in the UK.  There is a very large NT contingent in Britain.  Another book which never leaves my desk.

Inside Windows NT Server 4 by Drew Heywood (ISBN# 1-56205-860-6)  A concise resource which is well organized.

Windows NT Server 4, Unleashed by Jason Garms, et al. (ISBN# 0-672-30933-5)  I pull this one off the shelf at least once a day.

Microsoft Windows NT Resource Kit,

There are many more great resources on NT.  Check back and you will find more listed here.

The Web

The Microsoft Home Page is a great place to search when you need information about NT.
You can join a Microsoft NT Discussion Group at the TechNet site.
The NTFAQ site is a great resource for questions you need answered. They have a great search engine.
See the Sunbelt Software site for one of the best NT resources on the web. This is where the big guys hang out.
For NT security information and up-to-the-minute news of exploits, see the NTBUGTRAQ site.
There are a lot of people, like George, who give away their NT knowledge on the web for free: Geo's NT Tips
Lots of great tips and how-tos on this site: NT Pro Tech Tips
This Kiwi (he's in New Zealand) offers his NT 4.0 class for free on the web: NT Server class
My class is also available on the web: UCNS NT Server Class
The UGA NT Web Site is being created as we speak and will soon be a great resource for us here on campus!

There are so many more sites for finding information on NT. I will continue to add resources to this page, so be sure to check back often. These sites will MAKE you NT administrators.

Mailing Lists

Many of the web sites mentioned also have mailing lists (listservs) to keep you abreast of the daily changes and issues that come with NT administration. Some of these lists are loaded with the best NT admins in the world. Do join, but be aware that these guys are not small players. They are very willing to share their expertise with you, as long as you have done everything you can to research the issue yourself first. I have only posted to these lists a couple of times in the several years that I have worked with NT. Why? I can usually find the answer myself with a little digging.

Use the Knowledge Base and TechNet on the Microsoft website, the search engines at the NT sites I have listed above and most of all, use your books!  The NT books I listed above are great resources.  You don't have to read them cover to cover, in fact, I wouldn't recommend it.  Use them as resources when you see a word that you don't understand or need to clarify some piece of knowledge that you think you know but can't express in words.  Before you know it, you will actually understand about a third of what comes across on the listservs...and if the big guys take your head off for asking an easily researched question, don't say I didn't tell you so!
 


Exercises

Network Control Panel Exercise

  1. Go to the "Start" menu and then up to "Settings" and over to "Control Panel". This will open the Control Panel window. Now double-click on the Network Control Panel to open it.
  2. Check your adapter type.
    1. Note your adapter brand and model.
  3. Check the settings on your TCP/IP protocol stack.
    1. Double-click on "TCP/IP"
    2. Note the WINS Configuration.
    3. Click on "OK" to return to the Network Control Panel.
  4. Ensure that the Domain is set to UGACLASS.
  5. Close the Network Control Panel by clicking on "OK" and reboot your workstation.
  6. When the "Enter Network Password" dialog appears, ensure that the domain name is "UGACLASS". Enter 'LabX', where X = your station number, e.g. if you are on station 10 enter Student10 (numbered from 01 - 18). Your password is "password". What would happen if you logged into the Domain 'LabX'?
  7. Do you know another way to access the Network Control Panel other than the way we accessed it in this example?
  8. Go to the "Start" menu and then to Programs. Open up a DOS prompt and type "net view".  This is a 'command line' tool which allows you to see all shared resources in a domain.
  9. Type "exit" at the DOS prompt to close the DOS window.
  10. Go to Start/Shut down/ Close all Programs and log on as a different user.
  11. Log on as LabX.  What happened?
Please be aware that your Labx account has supervisory privileges for the NT domain UGACLASS and as such can add, change, or delete anything within this domain. Please do not venture off on your own, as you may accidentally change the configuration set up for this class and we would all have to go home.

User/Group Management Exercise

  1. Make sure you are logged in as Labx (where x = the number on your workstation).
  2. Go to the User Manager for Domains (Start/Programs/Client-based Network Tools)
  3. Click User-->New user. 
  4. When the New User dialog comes up set up a new user whose Username is userx. Fill out the rest of the dialogue box.
  5. Why would you want to create an account that can't change its password?
  6. Go into the groups dialog by clicking on Groups. 
  7. Make sure UserX is in the group "Domain Users" only.
  8. Exit the dialog box by hitting OK.
  9. Enter the profiles dialog and map the \\PDC\Home\UserX directory to Z: by using the connect button and filling in the path.
  10. Say Ok to exit the dialog.
  11. Did it create the Home Directory for you?
  12. Say Add to add the user
  13. Say Close to exit the New User dialog.
  14. Now create another user called NTAdminX (where x is the number of your workstation) and make that user a member of Domain Administrators and Domain Users.  Set the Primary group to Domain Administrator.  Say OK to exit the dialog box.
  15. Now add a group ...
  16. Click User -->New Global Group.
  17. Name the new Global group "GroupX"
  18. Add NTadminx and userx to GroupX.
  19. Say Ok at the New Global Group.
  20. Go to start --> shutdown -->close all programs and log on as another user.
  21. Log on as UserX.


Drive Mapping Exercise

  1. Logon as LabX.
  2. Use the "net use" command to use g: as a pointer to \\PDC\netlogon.
  3. Double click on My Computer to see the drive mapped.
  4. Use the "net use" command to use h: as a pointer to \\PDC\Apps.
  5. Type "net use /d h:" to stop using h: to point to Apps.
  6. Use h: to map \\PDC\mb.



 

Security Level Exercise

  1. Logon as UserX.
  2. Use notepad to save a file to your home directory.
  3. Close all programs and log on as NTadminx.
  4. Try to read the file you just created.
  5. Close all programs and log back on as userx.
  6. Give (RX)(RX) for your home directory to GroupX.
  7. Add another file to your home directory.
  8. Give NTadminX read permission for the file and No one Else.