Saturday, May 31, 2008

IIS 7.0 Web Administration Techniques

Web administrators have many options for managing IIS. The key administration tools are:

IIS Manager (InetMgr.exe)

IIS Administration objects made available through the IIS 7.0 WMI provider

IIS command-line administration tool (AppCmd.exe)

IIS Manager provides the standard administration interface for IIS. To start IIS Manager, click Start and choose All Programs, Administrative Tools, and then Internet Information Services (IIS) Manager. When started, IIS Manager displays the Start page and automatically connects to the local IIS installation, if it's available. On the Start page, you have the following options:

Connect to localhost. Connects you to the IIS installation on the local computer.

Connect to a server. Allows you to connect to a remote server.

Connect to a site. Allows you to connect to a specific Web site on a designated Web server.

Connect to an application. Allows you to connect to a specific Web application on a designated site and server.

Remote access to an IIS server is controlled by the WMSVC. When you install and start WMSVC on an IIS server, it listens on port 8172 on all unassigned IP addresses and allows remote connections from authorized user accounts. You can connect to a remote server by following these steps:

1. In Internet Information Services (IIS) Manager, click Start Page in the console tree and then click Connect To A Server. This starts the Connect To A Server wizard.

2. Type or select the server name in the Server Name box. For a server on the Internet, type the FQDN of the server, such as www.adatum.com. For a server on the local network, type the computer name, such as WEBSVR87. Port 80 is the default port for connections. As necessary, you can provide the port to which you want to connect. For example, if you want to connect to the server on port 8080, you would follow the server name by :8080, such as WEBSVR87:8080.

3. After you type the server name (and optionally the port number), click Next. IIS Manager will then try to use your current user credentials to log on to the server. If this fails, you'll need to provide the appropriate credentials on the presented Provide Credentials page before clicking Next to continue. Click Finish to complete the connection.

Tip

If IIS Manager displays a connection error stating that the remote server is not accepting connections, you'll need to log on locally or through remote desktop. Once logged on, check to ensure the Management Service is started and configured properly.
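As an added example (not from the book), the following PowerShell function performs the check the Tip describes from the server side: it reports whether WMSVC is installed and running, whether remote management is switched on, and whether anything is listening on the default port 8172. It assumes the service name WMSVC and the registry value EnableRemoteManagement under HKLM\SOFTWARE\Microsoft\WebManagement\Server, which IIS Manager's Management Service page writes.

```powershell
# Added example, not part of the original text. Run in an elevated PowerShell
# session on the IIS 7.0 server whose remote management you are checking.

function Test-WmsvcRemoteManagement {
    [CmdletBinding()]
    param(
        # 8172 is the default WMSVC port described in the text.
        [int]$ExpectedPort = 8172
    )

    $result = @{
        ServiceInstalled = $false
        ServiceStatus    = 'Missing'
        StartMode        = 'Unknown'
        RemoteEnabled    = $false
        ListeningOnPort  = $false
    }

    # 1. Is the service installed, running, and set to start automatically?
    $svc = Get-Service -Name WMSVC -ErrorAction SilentlyContinue
    if ($svc) {
        $result.ServiceInstalled = $true
        $result.ServiceStatus    = $svc.Status.ToString()
        $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='WMSVC'"
        if ($wmi) { $result.StartMode = $wmi.StartMode }
    }

    # 2. Remote connections are accepted only when EnableRemoteManagement is 1
    #    (assumed registry location; this is the value the Management Service
    #    page in IIS Manager toggles).
    $regPath = 'HKLM:\SOFTWARE\Microsoft\WebManagement\Server'
    $reg = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    if ($reg -and $reg.EnableRemoteManagement -eq 1) { $result.RemoteEnabled = $true }

    # 3. Is something actually listening on the expected port? netstat is used
    #    because Get-NetTCPConnection is not available on Windows Server 2008.
    $listen = netstat -ano | Select-String -Pattern "TCP\s+\S+:$ExpectedPort\s+\S+\s+LISTENING"
    if ($listen) { $result.ListeningOnPort = $true }

    return New-Object PSObject -Property $result
}

$check = Test-WmsvcRemoteManagement
$check | Select-Object ServiceInstalled, ServiceStatus, StartMode, RemoteEnabled, ListeningOnPort |
    Format-List

# Reading the result:
# - ServiceStatus 'Stopped' or RemoteEnabled $false explains the "not accepting
#   connections" error described in the Tip.
# - RemoteEnabled $true and ListeningOnPort $true on a server that is meant to be
#   administered only locally means the management surface is wider than intended.
if ($check.RemoteEnabled -and $check.ServiceStatus -ne 'Running') {
    Write-Warning 'Remote management is enabled in the registry but WMSVC is not running.'
}
```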

You can connect to a specific Web site on a designated server by following these steps:

1. In Internet Information Services (IIS) Manager, click Start Page in the console tree and then click Connect To A Site. This starts the Connect To A Site Wizard.

2. Type or select the server name in the Server Name box, such as TESTSVR22. In the Site Name box, type or select the name of the Web site to which you want to connect, such as Default Web Site.

3. Click Next. IIS Manager will then try to use your current user credentials to log on to the server. If this fails, you'll need to provide the appropriate credentials on the presented Provide Credentials page before clicking Next to continue. Click Finish to complete the connection.

You can connect to a specific application on a designated site and server by following these steps:

1. In Internet Information Services (IIS) Manager, click Start Page in the console tree and then click Connect To An Application. This starts the Connect To An Application Wizard.

2. Type or select the server name in the Server Name box, such as TESTSVR22. In the Site Name box, type or select the name of the Web site to which you want to connect, such as Default Web Site.

3. In the Application Name box, type or select the relative path of the Web application to which you want to connect, such as /MyApplication or /Apps/Myapp.

4. Click Next. IIS Manager will then try to use your current user credentials to log on to the server. If this fails, you'll need to provide the appropriate credentials on the presented Provide Credentials page before clicking Next to continue. Click Finish to complete the connection.

IIS Manager has been completely redesigned for IIS 7.0. Instead of being a snap-in for the Microsoft Management Console, IIS Manager is now a stand-alone application with a browser-like interface. Once you connect to a server, site, or application, IIS Manager automatically connects to these installations upon startup. You can change this behavior by disconnecting from the remote server while in IIS Manager.

IIS 7.0 introduces the concept of delegated administration. With delegated administration, a machine administrator can delegate administrative control safely and securely. Delegated administration allows different levels of the configuration hierarchy to be managed by other users, such as site administrators or application developers. In a standard configuration, the default delegation state limits write access to most configuration settings to machine administrators only, and you must explicitly modify the delegation settings to grant write access to others.

IIS Manager and other graphical tools provide just about everything you need to work with IIS 7.0. Still, there are times when you might want to work from the command line, especially if you want to automate installation or administration tasks. To help you with all your command-line needs, IIS 7.0 includes the IIS command-line administration tool (AppCmd.exe). AppCmd.exe is located in the %SystemRoot%\System32\Inetsrv directory. By default, this directory is not in your command path. Because of this, you'll need either to add this directory to the default path or change to this directory each time you want to use this tool. Add this directory temporarily to your default path by typing the following at an elevated command prompt:

path %PATH%;%SystemRoot%\System32\inetsrv

Then add this directory permanently to your default path by typing the following at an elevated command prompt:

setx PATH %PATH%;%SystemRoot%\System32\inetsrv

Note

You use Path to temporarily update the command path for the current window. You use SETX PATH to permanently update the command path for future command windows.

The following is a summary of the core set of administration objects for the IIS command-line administration tool.

Administration Objects for the IIS Command-Line Administration Tool

APP. Allows you to create and manage Web application settings. Related commands: list, set, add, and delete.

APPPOOL. Allows you to create and manage application pools. Related commands: list, set, add, delete, start, stop, and recycle.

BACKUP. Allows you to create and manage backups of your server configuration. Related commands: list, add, delete, and restore.

CONFIG. Allows you to manage general configuration settings. Related commands: list, set, search, lock, unlock, clear, reset, and migrate.

MODULE. Allows you to manage IIS modules. Related commands: list, set, add, delete, install, and uninstall.

REQUEST. Allows you to list current HTTP requests. Related command: list.

SITE. Allows you to create and manage virtual sites. Related commands: list, set, add, delete, start, and stop.

TRACE. Allows you to manage failed request tracing. Related commands: list, configure, and inspect.

VDIR. Allows you to create and manage virtual directory settings. Related commands: list, set, add, and delete.

WP. Allows you to list running worker processes. Related command: list.

The basics of working with the IIS command-line administration tool are straightforward. Most administration objects support these basic commands:

ADD. Creates a new object with the properties you specify.

DELETE. Deletes the object you specify.

LIST. Displays a list of related objects. Optionally, you can specify a unique object to list, or you can type one or more parameters to match against object properties.

SET. Sets parameters on the object specified.

Some objects support other commands, including:

RECYCLE. Recycles the object you specify by deleting it and then re-creating it.

START. Starts the object you specify if it is stopped.

STOP. Stops the object you specify if it is started or otherwise active.

To type commands, use the following basic syntax:

appcmd Command Object-type

where Command is the action to perform, such as list, add, or delete, and Object-type is the object on which you want to perform the action, such as app, site, or vdir. For example, if you wanted to list the configured sites on a server, you could type the following command at an elevated command prompt:

appcmd list site

Because the IIS command-line administration tool will also accept plural forms of object names, such as apps, sites, or vdirs, you could also use:

appcmd list sites

In either case, the resulting output is a list of all configured sites on the server with their related properties, such as:

SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
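As an added example (not from the book), the following PowerShell script wraps AppCmd.exe to do three things a cautious administrator wants in sequence: take a named configuration backup before changing anything, list the sites as XML so a script can parse the output rather than screen-scrape it, and lock a configuration section at the server level so that delegated site administrators cannot override it from a web.config. The Invoke-AppCmd helper, the backup name, and the choice of section to lock are assumptions of this example; the AppCmd commands themselves (add backup, list site /xml, lock config, list config) are standard.

```powershell
# Added example, not part of the original text. Run in an elevated PowerShell
# session on the IIS 7.0 server.

# AppCmd is not on the default path, so call it by its full location.
$AppCmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'

function Invoke-AppCmd {
    param([string[]]$Arguments)
    # & runs the native executable; appcmd returns a non-zero exit code on failure,
    # so stop rather than continue with a half-applied change.
    $output = & $AppCmd @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "appcmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    return $output
}

# 1. Named backup of the server configuration, so the change is reversible with
#    appcmd restore backup "<name>" (backup name is a constructed convention).
$backupName = 'pre-lock-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
Invoke-AppCmd @('add', 'backup', $backupName) | Out-Null
Write-Host "Configuration backup created: $backupName"

# 2. The same "appcmd list site" shown in the text, with /xml appended so the
#    result is a document with one <SITE> element per site.
[xml]$siteXml = (Invoke-AppCmd @('list', 'site', '/xml')) -join "`n"
foreach ($site in $siteXml.appcmd.SITE) {
    # SITE.NAME, state and bindings are attributes of each <SITE> element.
    "{0,-30} {1,-10} {2}" -f $site.'SITE.NAME', $site.state, $site.bindings
}

# 3. Lock the handlers section at the server level. Once locked, a web.config in
#    a delegated site that tries to add or remove handlers produces a configuration
#    error instead of silently changing which code runs for a request.
$section = 'system.webServer/handlers'
Invoke-AppCmd @('lock', 'config', "/section:$section") | Out-Null
Write-Host "Locked section $section at the server level."

# Show the effective section so the change can be reviewed; the lock itself is
# recorded in %SystemRoot%\System32\inetsrv\config\applicationHost.config.
Invoke-AppCmd @('list', 'config', "/section:$section")
```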

IIS 7.0 Web Administration Tools

Managing Resources by Using Key Administration Tools

Many tools are available for managing Web resources. Most of these tools are available on the Administrative Tools menu. Click Start and choose All Programs, Administrative Tools, and then the tool you want to use. You can use all the tools listed in the table to manage local and remote resources. For example, if you connect to a new computer in IIS Manager, you can manage all its sites and services remotely from your system.


Quick Reference for Key Web Administration Tools

Active Directory Users and Computers. Manages domain user, group, and computer accounts.

Computer Management. Manages services, storage, and applications. The Services And Applications node provides quick access to Indexing Service catalogs and IIS sites and servers.

Data Sources (ODBC). Configures and manages Open Database Connectivity (ODBC) data sources and drivers. Data sources link Web front ends with database back ends.

DNS. Public Internet sites must have fully qualified domain names (FQDNs) to resolve properly in browsers. Use the Domain Name System (DNS) administrative snap-in to manage the DNS configuration of your Windows DNS servers.

Event Viewer. Allows you to view and manage events and system logs. If you keep track of system events, you'll know when problems occur.

Internet Information Services (IIS) 6.0 Manager. Manages Web and application server resources that were designed for IIS 6. This tool is included for backward compatibility only.

Internet Information Services (IIS) Manager. Manages Web and application server resources that were designed for IIS 7.0.

Web Management Service (WMSVC). Allows you to use IIS Manager to manage Web and application server resources on remote servers.

Reliability and Performance Monitor. Tracks system reliability and performance, allowing you to pinpoint performance problems.

Services. Views service information, starts and stops system services, and configures service logons and automated recoveries.


When you add services to a server, the tools needed to manage those services are automatically installed. If you want to manage these servers remotely, you might not have these tools installed on your workstation. In that case, you need to install the administration tools on the workstation you're using.


*.* Source of Information : Microsoft Press Internet Information Services (IIS) 7.0 Administrator's Pocket Consultant

Thursday, May 29, 2008

IIS 7.0 Editions and Windows

IIS 7.0 is available for both desktop and server editions of Windows. On Windows Vista, IIS 7.0 offers Web administrators and Web developers a complete platform for building and testing dynamic Web sites and Web applications. IIS 7.0 running on Windows Vista also enables process activation, process management, and the necessary HTTP infrastructure for creating WCF–based applications.

The way IIS 7.0 works on Windows Vista depends on the edition of Windows Vista you are using. On Windows Vista Starter and Home Basic editions, IIS 7.0 cannot be used to host Web sites, Web applications, or Windows SharePoint Services. On these editions, a limited set of IIS features are available, such as Windows Activation Service components that are used to enable WCF-based applications. Users who install WCF-based applications will not need to install these components. The necessary components are installed automatically by WCF. With these editions, the simultaneous request execution limit for IIS is three, meaning that an application or a group of running applications could make up to three simultaneous requests for Web content through the installed IIS components.

On Windows Vista Home Premium, most of the IIS 7.0 features required for Web site development are available. The available features should allow most casual or hobbyist administrators and developers to build and test dynamic Web sites and Web applications. Many advanced features are missing, however, including advanced authentication components, advanced logging components, and FTP server components. As with Starter and Home Basic editions of Windows Vista, the simultaneous request execution limit for IIS is three for Windows Vista Home Premium, meaning you or running applications could make up to three simultaneous requests for Web content through the installed IIS components.

For Windows Vista Business, Enterprise, and Ultimate editions, all IIS 7.0 features are available. This means that professional Web administrators and Web developers have everything necessary to design, build, and test Web sites and Web applications. The simultaneous request execution limit is ten for these editions of Windows Vista, meaning you or running applications could make up to ten simultaneous requests for Web content through the installed IIS components.

With server editions of Windows, you can use IIS to host Web servers, Web applications, and Windows SharePoint Services. All features of IIS 7.0 are available on all editions of Windows Server 2008. On Windows Server operating systems, IIS 7.0 has no request execution limit. This means that an unlimited number of simultaneous requests can be made to the IIS 7.0 server core.


*.* Source of Information : Microsoft Press Internet Information Services (IIS) 7.0 Administrator's Pocket Consultant

IIS 7.0 and Your Hardware

Before you deploy IIS 7.0, you should carefully plan the server architecture. As part of your planning, you need to look closely at pre-installation requirements and the hardware you will use. IIS 7.0 is no longer the simple solution for hosting Web sites that it once was. It now provides the core infrastructure for hosting Web servers, Web applications, and Windows SharePoint Services.

Guidelines for choosing hardware for Internet servers are much different from those for choosing other types of servers. A Web hosting provider might host multiple sites on the same computer and might also have service level agreements that determine the level of availability and performance required. On the other hand, a busy e-commerce site might have a dedicated Web server or even multiple load-balanced servers. Given that Internet servers are used in a wide variety of circumstances and might be either shared or dedicated, here are some guidelines for choosing server hardware:

Memory. The amount of random access memory (RAM) that's required depends on many factors, including the requirements of other services, the size of frequently accessed content files, and the RAM requirements of the Web applications. In most installations, I recommend that you use at least 1 gigabyte (GB) of RAM. High-volume servers should have a minimum of 2 to 4 GB of RAM. More RAM will allow more files to be cached, reducing disk requests. For all IIS installations, the operating system paging file size should at least equal the amount of RAM on the server.

Note

Don't forget that as you add physical memory, virtual paging to disk grows as well. With this in mind, you might want to ensure that the Pagefile.sys file is on the appropriate disk drive, one that has adequate space for the page file to grow, along with providing optimal input/output (I/O) performance.

CPU. The CPU processes the instructions received by the computer. The clock speed of the CPU and the size of the data bus determine how quickly information moves among the CPU, RAM, and system buses. Static content, such as HTML and images, place very little burden on the processor, and standard recommended configurations should suffice. Faster clock speeds and multiple processors increase the performance scalability of a Web server, particularly for sites that rely on dynamic content. 32-bit versions of Windows run on Intel x86 or compatible hardware. 64-bit versions of Windows run on the x64 family of processors from AMD and Intel, including AMD64 and Intel Extended Memory 64 Technology (Intel EM64T). IIS provides solid benchmark performance on Intel Xeon, AMD Opteron, and AMD Athlon processors. Any of these CPUs provide good starting points for the typical IIS server. You can achieve significant performance improvements with a large processor cache. Look closely at the L1, L2, and L3 cache options available—a larger cache can yield much better performance overall.

SMP. IIS supports symmetric multiprocessors (SMPs) and can use additional processors to improve performance. If the system is running only IIS and doesn't handle dynamic content or encryption, a single processor might suffice. You should always use multiple processors if IIS is running alongside other services, such as Microsoft SQL Server or Microsoft Exchange Server.

Disk drives. The amount of data storage capacity you need depends entirely on the size of content files and the number of sites supported. You need enough disk space to store all your data plus workspace, system files, and virtual memory. I/O throughput is just as important as drive capacity. However, disk I/O is rarely a bottleneck for Web sites on the public Internet—generally, bandwidth limits throughput. High-bandwidth sites should consider hardware-based redundant array of independent disks (RAID) solutions using copper or fiber channel–based small computer system interface (SCSI) devices.

Data protection. Unless you can tolerate hours of downtime, you should add protection against unexpected drive failures by using RAID. Hardware RAID implementations are always preferred over software RAID implementations. RAID 0 (disk striping without parity) offers optimal read/write performance, but if a drive fails, IIS won't be able to continue operation until the drive is replaced and its contents are restored from backup. Because of this, RAID 0 isn't the recommended choice. RAID 1 (disk mirroring) creates duplicate copies of data on separate physical drives, allowing the server to remain operational when a drive fails, and even while the RAID controller rebuilds a replacement drive in a failed mirror. RAID 5 (disk striping with parity) offers good protection against single-drive failure but has poor write performance. Keep in mind that if you've configured redundant load-balanced servers, you might not need RAID. With load balancing, the additional servers might offer the necessary fault tolerance.

UPS. Sudden power loss and power spikes can seriously damage hardware. To prevent this, get an uninterruptible power supply (UPS). A properly configured UPS system allows the operating system to automatically shut down the server gracefully in the event of a power outage, and it's also important in maintaining system integrity when the server uses write-back caching controllers that do not have on-board battery backups. Professional hosting providers often offer UPS systems that can maintain power indefinitely during extended power outages.

Wednesday, May 28, 2008

Windows Vista File System Formats, Partitions, and Volumes

Managing file systems, partitions, and volumes is key in the setup of Windows Vista. Without an understanding of these concepts, you can't even install an operating system from scratch. In this section, we will cover the file systems supported by Windows Vista, the types of partitions available, and volumes. Continuing with our previous example, we must decide which file system to choose, what type of partition(s) will be created, and the type of volume used, so that we can put into practice what we learn. Before doing so, we must define a file system, a partition, and a volume. We must also be familiar with the choices we have in each. For example, when we create a partition on the new drive, should we create a primary partition or an extended one? Or should we do a combination of both? As you can see, there is a lot to think about. Before moving on, we should first define some important terms and concepts.

Disk Management Terms

File System. A system for storing and organizing folders and files on a storage medium making it easy to find and access them—for example, FAT32, NTFS, and so on.

Format. Prepares a disk for storage using a particular file system.

Partition. Used to segment hard drives into isolated sections. Each partition is treated by the operating system as a separate drive.

Volume. Can be a disk or a subdivision of a disk that is formatted and available for storage.

Partitions and Volumes

The terms partitions and volumes are used interchangeably. After you install a new disk, you must create at least one partition on the new disk. Windows Vista supports two types of volumes:

■ Basic volumes

■ Dynamic volumes

Basic volumes are partitions on a basic disk. The storage for a basic volume must reside on a single physical disk. Basic volumes can only be simple volumes. So a basic volume is made up of:

■ Primary partitions (both Master Boot Record [MBR] and Globally Unique Identifier Partition Table [GPT] types)

■ Logical drives within extended partitions (only available with MBR partition styles)

Dynamic volumes reside on dynamic disks and include simple and spanned volumes. Simple volume types under dynamic volumes are the equivalent of primary partitions. Some rules to be aware of with simple volumes on dynamic disks:

■ If only one dynamic disk exists, you can only create simple volumes.

■ Simple volumes can be increased in size to include any unallocated space on a physical dynamic disk or even on a separate disk.

Spanned volumes are able to combine areas of unallocated space from two or more disks into one logical volume. The areas of unallocated space do not have to be the same size. In other words, you can have one drive that is 100GB and another that is 50GB created as a spanned volume and appearing as one logical volume. When implementing spanned volumes, keep these points in mind:

■ Only NTFS or unformatted volumes can be extended.

■ After the creation of a spanned volume, you cannot delete any portion of it without deleting the entire volume.

■ You cannot stripe spanned volumes.

■ Spanned volumes do not provide fault tolerance.

What we need to do now is explore the different types of partitions available to us in Windows Vista so we can make the best decision possible for our own scenarios. We know that a basic disk, which can only contain basic volumes, can have up to four partitions, but if we go further, we see that this limitation actually applies only to those disks that use a Master Boot Record (MBR). Basic disks using GUID Partition Tables (GPT) can have as many as 128 partitions, but more about partition styles later. The following are descriptions of the partition types available in Windows Vista.

Primary Partition. The partition on a drive that holds and starts the operating system. Multiple primary partitions can reside on a disk, but not all have to hold an operating system.

Extended Partition. A partition that does not hold a drive letter in itself but can be divided into logical drives. An extended partition is not formatted; the logical drives that reside on it are instead.

Active Partition. The partition from which x86-based systems start up. The active partition must be on the first physical drive (Disk 0).

Boot Partition. The partition where the Windows system files are located.

System Partition. The partition that contains the bootstrap files that Windows uses to start the system. The system partition displays the boot menu.

Now that we’ve reviewed volumes and partitions and the types available, we must define what partition styles are and discuss the two varieties available.

Partition Style

Most administrators who have not installed Windows 2003 Server with Service Pack 1 or the 64-bit version of Windows XP Professional will find the concept of partition styles a bit foreign. A partition style is the method that Windows Vista uses to organize partitions on a disk. Windows XP Professional only supported MBR partition styles on x86 computers while also supporting GPT on its 64-bit version. Windows Vista supports both on the x86 architecture.

Master Boot Record

The Master Boot Record (MBR) is the traditional partition style. The MBR contains a partition table that describes where the partitions are located on the disk. Before Windows 2003 SP1 and XP Professional 64-bit, administrators never had to worry about choosing the MBR; it was the only style supported. MBR disks can support up to four primary partitions, or three primary partitions and one extended partition. Within the extended partition you can create unlimited logical drives.

Globally Unique Identifier Partition Table

The Globally Unique Identifier Partition Table (GPT) provides a more flexible way of partitioning disks than the older MBR scheme. It was introduced as part of Intel's Extensible Firmware Interface (EFI). This specification defines a new model for the interface between operating systems and platform firmware. You can find more information about EFI at www.intel.com/technology/efi. Although it may seem a bit more confusing, a GPT partition style can reside on either basic disks or dynamic disks. GPT in Windows Vista supports up to 18 exabytes and 128 partitions per disk. Since GPT does not limit administrators to four primary partitions, extended partitions and logical drives are not available with it.

File Systems

A file system by definition is the structure in which files are named and where they are placed logically for storage and retrieval. File systems specify conventions for naming files. This includes the maximum number of characters in a filename and which characters are allowed. For a file system to be placed on a volume, the operating system must format it.

An allocation unit (or cluster) is the smallest amount of disk space that can be allocated to hold a file. All file systems under Windows Vista organize their drives based on allocation units. The allocation unit size is determined by the number of sectors the allocation unit contains. For example, on a disk that uses 512-byte sectors, a 512-byte allocation unit contains one sector, whereas a 4KB allocation unit contains eight sectors. Each file system under Windows Vista uses different allocation unit sizes depending on the size of the volume, and each file system has a maximum number of allocation units it can support. The smaller the allocation unit size, the more efficiently a disk stores information.

This is because the unused space within an allocation unit cannot be used by another file. So the smaller the cluster size (or allocation unit), the more efficient the file system.
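To make the efficiency claim concrete, here is an added PowerShell example (not from the book) that computes how many bytes a set of files wastes at the end of their last cluster ("slack") for the three allocation unit sizes the text mentions: 512 bytes, 4KB, and the 64KB maximum. The file sizes are constructed sample values, not measurements from a real disk.

```powershell
# Added example, not part of the original text.

function Get-ClusterSlack {
    param(
        [long[]]$FileSizes,    # file sizes in bytes
        [int]$AllocationUnit   # cluster size in bytes, e.g. 4096 or 65536
    )
    $usedOnDisk = 0L
    $logical    = 0L
    foreach ($size in $FileSizes) {
        $logical += $size
        # A file always occupies whole clusters; a zero-length file occupies none here.
        $clusters = [math]::Ceiling($size / $AllocationUnit)
        $usedOnDisk += [long]$clusters * $AllocationUnit
    }
    # Slack is the space inside allocated clusters that no file's data fills.
    # (Forensics note: on a real disk, slack can still hold remnants of data that
    # previously occupied the cluster, which is one reason it matters beyond efficiency.)
    $slack = $usedOnDisk - $logical
    New-Object PSObject -Property @{
        AllocationUnit = $AllocationUnit
        LogicalBytes   = $logical
        OnDiskBytes    = $usedOnDisk
        SlackBytes     = $slack
        SlackPercent   = [math]::Round(100.0 * $slack / $usedOnDisk, 1)
    }
}

# Constructed sample: a mix of small and medium files, in bytes.
$sample = @(1200, 3500, 9800, 512, 70000, 15, 250000, 4096, 6000, 128)

# 512-byte cluster = one sector, 4KB = eight sectors, 64KB = the largest FAT cluster.
foreach ($unit in 512, 4096, 65536) {
    Get-ClusterSlack -FileSizes $sample -AllocationUnit $unit |
        Select-Object AllocationUnit, LogicalBytes, OnDiskBytes, SlackBytes, SlackPercent
}
```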

Let’s examine the different file systems supported by Windows Vista:

■ File Allocation Table (FAT)

■ File Allocation Table 32 (FAT32)

■ New Technology File System (NTFS)

■ Universal Disk Format (UDF)

■ CD-ROM File System (CDFS)

Selecting which file system is best depends on the type of media you are formatting. With hard disks, you have the option of choosing FAT, FAT32, or NTFS. Optical media such as DVDs or CDs can be formatted using UDF or CDFS. Windows Vista provides you with choices that should fit any file system needs. We will now go over each of the file systems Windows Vista supports.

FAT

File Allocation Table (FAT), sometimes referred to as FAT16, has its origins back in the days of DOS, so it's been around a long time. FAT is a 16-bit file system. It can support volume sizes of up to 4GB, although in today's world that wouldn't even be ideal for holding the operating system, much less the pagefile that accompanies it. It does not provide any file system security. FAT is appropriate for floppy disks or very small hard drive partitions. It supports the old 8.3 filename format. FAT's allocation unit size can grow to 64KB, which on drives up to 4GB in size wastes a lot of space.

FAT32

Introduced with Windows 95 OSR2, FAT32 provides better support for users. FAT32 supports long filenames (LFN) of up to 255 characters. In theory, FAT32 supports volumes up to 8TB (8 terabytes), but under Windows Vista, you are forced to use NTFS for volumes larger than 32GB. Just like its predecessor, FAT32 does not include any file system security. The size of a FAT32 allocation unit is determined by the system, and can range in size from 1 sector (512 bytes) to 128 sectors (64KB). FAT32 is ideal for USB flash drives.

NTFS

One could actually write an entire book on NTFS; in fact, some have. What you need to know about NTFS is that it is the preferred file system of Windows Vista. NTFS is a true 64-bit file system, and has been ever since NT 3.1. NTFS can support drives up to 16TB (minus 64KB) in size. It uses a Master File Table (MFT), which is the first file located on an NTFS drive. The MFT keeps records of each file and directory on the drive. NTFS is also a recoverable file system, guaranteeing the consistency of a volume by using transaction logging and recovery techniques. More detailed information about NTFS and its architecture is available on the Internet, but is beyond the scope of this book. If you convert either a FAT or FAT32 drive to NTFS, you cannot convert it back. If you need to change the drive back to the previous file system, you would need to reformat the drive.

NTFS Features

Indexing Service. Provides the ability to perform searches on directories located on the system.

File and Folder Permissions. Provides the ability to set permissions on files and folders. Can specify which users or groups have access.

Encryption. Provided by the BitLocker Drive Encryption or the Encrypted File System (EFS). BitLocker encrypts entire hard drives while EFS can encrypt individual files and directories.

Disk Quotas. Controls disk space usage on NTFS volumes.

File Compression. Provides the ability to compress individual files, files in a directory, and even entire NTFS volumes.

Mounted Drives. Volumes attached to an empty folder on an NTFS drive. Functionality is similar to other volumes except that mounted drives are assigned labels and not drive letters.

Distributed Link Tracking. Ensures that OLE (Object Linking and Embedding) links and shell shortcuts continue to work even after the target file is moved or renamed.

Sparse Files. Used by the Indexing Service, sparse files provide a method of saving disk space for files containing meaningful data.

POSIX Compliance. Available in Vista only after the Subsystem for Unix-based Applications feature is enabled.

NTFS Change Journal. Provides a persistent log of changes made to files on an NTFS volume. Is used to track information about files that are added, deleted, and/or modified.

Compact Disc File System

Compact Disc File System (CDFS) is the file system used on compact discs. Windows Vista is able to read from, and write to, compact discs that are formatted in the ISO 9660 standard. CDFS is considered an old format and has been all but replaced by UDF.

Universal Disk Format

Universal Disk Format (UDF) is a file system defined by the Optical Storage Technology Association. UDF is based on ISO 13346 and is the successor to the ISO 9660 (CDFS) format. UDF is used for removable media like DVDs and CDs. Windows Vista is able to read and write to versions 1.02, 1.50, 2.0x, and 2.50. It can read, but not write to, 2.60.

*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration



Sunday, May 25, 2008

Windows Vista Implementing Local and Network File System Security

No other issue has dominated the PC industry like that of security. Data theft is one of the biggest concerns companies have today. Whether it’s someone physically stealing a laptop, an internal employee gaining unauthorized access to information, computer viruses and network worms, or unauthorized copying of confidential data onto removable media, the risks are high and numerous. All of this seems extremely overwhelming, but Microsoft provides incredible tools and features to help you in securing your systems. The subject of security is large enough to create a volume of books, but for our purposes we will be focusing on implementing local and network file system security. We will briefly cover four features that Windows Vista provides to aid you in securing the file system.

■ Windows Rights Management Service

■ User Account Control (UAC)

■ BitLocker

■ Encrypted File System (EFS)

Windows Rights Management Service

Have you ever received an e-mail from someone that had a notice at the bottom saying that the message was for the recipient only and that any reproduction of the e-mail was strictly prohibited? We all have received e-mails like this; many of us have confidentiality notices at the bottom of our e-mails just like it. So what is to prevent you or whomever from forwarding the e-mail on or even printing it out? Microsoft has moved toward allowing users to better control the use of the content they send by means of Windows Rights Management Services (RMS). Windows Vista comes with an RMS client installed. This enables Windows Vista PCs to open RMS-encrypted documents and enforce whatever restrictions have been placed on them. To use RMS, you must have an RMS infrastructure in place and applications that support it. An RMS infrastructure consists of a server running the RMS service, an RMS client (Windows Vista), and supporting applications such as Microsoft Office. When in place, RMS can:

■ Allow a user to view a document, but not save a copy of it, print it, or forward it.

■ Restrict users from copying and pasting text within a document.

■ Make it difficult to open a document using a client that does not enforce RMS protection.

User Account Control

Many threats to the operating system have occurred in the context of the user having administrative privileges. Viruses, worms, spyware, Trojan horses, and now most recently malware have been the biggest threats so far. To combat this, Microsoft recommends using accounts with limited privileges. The logic is this: If a user lacks the permission to install a new application to the %systemroot%\Program Files directory, any malware the user accidentally runs is prevented from installing.

For years now, we’ve been making users members of the local administrators group of their PCs because of the limitations of the limited user accounts in versions such as Windows XP. UAC provides the best of both worlds. It offers the benefits of a standard user account from a security standpoint without the limitations of previous versions of Windows. The following are three advantages of using UAC.

■ All users, including administrators, run with limited privileges by default, thereby reducing security risks.

■ Standard users are able to perform most common tasks without having to provide administrative credentials.

■ UAC enables most applications that required administrative privileges in Windows XP to run with no problems under standard user accounts.

BitLocker

Using Windows Vista’s BitLocker volume encryption can reduce the risk of important data being removed if a user’s laptop is stolen. BitLocker provides full-volume encryption and is especially useful against “offline” attacks. An offline attack is one where another user attempts to gain access to the data on the hard drive without going through Windows; one way of doing this is to install another operating system on that drive to gain access to the data. BitLocker seals the symmetric encryption key in a Trusted Platform Module (TPM) chip, and can alternatively store the key on a USB flash drive. There are two TPM modes.

TPM only. Transparent to the user and does not change the user’s logon procedure. If the TPM is missing or the boot components it measures have been altered, BitLocker will go into recovery mode. To gain access to the drive, you will need a recovery key or PIN. This provides protection from hard disk theft.

TPM with startup key. The user must have a startup key to log on to the system. The key can be stored on a USB flash drive or can even be a password.

BitLocker provides the following for users:

■ Causes great difficulty for an attacker to gain access to data from a stolen system or drive

■ Encrypts the entire volume, including the hibernation file, page file, and temporary files

■ Allows users to easily recycle or reuse drives by simply deleting the encryption keys

BitLocker, on the other hand, does NOT do the following:

■ Protect data from network attacks

■ Protect data while Windows is running

■ Protect data on volumes other than the Windows partition
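The two TPM modes above correspond to the key protectors BitLocker attaches to a volume. The following script is an added example (not from the book) that reads those protectors through the Win32_EncryptableVolume WMI class, names the mode each volume is in, and flags volumes that are unprotected or have no recovery protector. The policy encoded in Test-BitLockerPolicy (TPM-based protector plus a numerical recovery password) is an assumption for the example; the protector-type codes are the ones the class documents.

```powershell
# Added example (not from the book): map BitLocker key protectors to the TPM
# modes described above and check each volume against a simple policy.
# Requires an elevated prompt on a machine with the BitLocker feature present.

# Codes returned by Win32_EncryptableVolume.GetKeyProtectorType
$ProtectorNames = @{
    0 = 'Unknown'
    1 = 'TPM only'
    2 = 'External key (USB startup key or recovery key file)'
    3 = 'Numerical recovery password'
    4 = 'TPM + PIN'
    5 = 'TPM + startup key'
    6 = 'TPM + PIN + startup key'
    7 = 'Public key (certificate)'
    8 = 'Passphrase'
}

function Test-BitLockerPolicy {
    # Pure logic over a list of protector codes, so it can be exercised with
    # constructed input. Policy (assumed for the example): protection must be on,
    # a TPM-based protector must exist, and a recovery protector must exist.
    param(
        [int[]] $ProtectorTypes,    # codes as returned by GetKeyProtectorType
        [int]   $ProtectionStatus   # 0 = off, 1 = on, 2 = unknown
    )
    $tpmBased = @($ProtectorTypes | Where-Object { (1, 4, 5, 6) -contains $_ })
    $recovery = @($ProtectorTypes | Where-Object { (2, 3) -contains $_ })
    [pscustomobject]@{
        ProtectionOn = ($ProtectionStatus -eq 1)
        Mode         = if ($tpmBased.Count -gt 0) { $ProtectorNames[[int]$tpmBased[0]] } else { 'none' }
        HasRecovery  = ($recovery.Count -gt 0)
        Compliant    = ($ProtectionStatus -eq 1) -and ($tpmBased.Count -gt 0) -and ($recovery.Count -gt 0)
    }
}

function Get-BitLockerReport {
    # Live query of every encryptable volume on the local machine.
    $ns = 'root\cimv2\Security\MicrosoftVolumeEncryption'
    Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume | ForEach-Object {
        $vol   = $_
        # GetKeyProtectors(0) returns the IDs of all protectors, whatever their type
        $ids   = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
        $types = @($ids | ForEach-Object { [int]$vol.GetKeyProtectorType($_).KeyProtectorType })
        $status = [int]$vol.GetProtectionStatus().ProtectionStatus
        Test-BitLockerPolicy -ProtectorTypes $types -ProtectionStatus $status |
            Add-Member -MemberType NoteProperty -Name Drive -Value $vol.DriveLetter -PassThru
    }
}

# Constructed samples: an OS volume in TPM-only mode with a recovery password,
# and a volume that only has a recovery password and is not yet protected.
Test-BitLockerPolicy -ProtectorTypes 1, 3 -ProtectionStatus 1
Test-BitLockerPolicy -ProtectorTypes 3    -ProtectionStatus 0

# Live audit: Get-BitLockerReport | Format-Table Drive, Mode, ProtectionOn, HasRecovery, Compliant
```

The first constructed sample satisfies the policy; the second does not, both because protection is off and because it has no TPM-based protector. A volume reported with protection on but without a recovery protector is the case to fix first: if the TPM ever refuses to unseal the key, that drive is unreadable.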

Encrypting File System

Supported only on NTFS volumes, Encrypting File System (EFS) has been with us since Windows 2000. Just like BitLocker, EFS also protects against offline attacks. To the end user, EFS is transparent. They still access files just as they did before EFS was implemented, as long as they have the correct decryption key—without it, any files that have been encrypted are impossible to open.

EFS uses symmetric-key encryption along with public key technology to protect the files and folders of the system. Users of EFS are issued a digital certificate with a public and private key pair. EFS then uses these keys to encrypt and decrypt files for the logged-on user. Each file is encrypted using a single symmetric key. That key is then encrypted twice: once with the user’s EFS public key, and once with the recovery agent’s key to allow for data recovery. Windows Vista includes two new features in its EFS implementation.

■ The ability to store both user and recovery keys on smart cards

■ The ability to encrypt pagefile.sys
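To make the key hierarchy above concrete, here is an added example (not from the book, and not the EFS driver's own code) that models it with the .NET crypto classes: a random AES key plays the file encryption key (FEK), the file is encrypted with it, and the FEK is wrapped with RSA once for the user and once for the recovery agent. EFS calls those two wrapped copies the Data Decryption Field (DDF) and Data Recovery Field (DRF); the RSA key pairs stand in for the users' EFS certificates, and the payload is a constructed string.

```powershell
# Added example (not from the book): a model of how EFS protects one file.
# Real EFS stores the DDF/DRF in a stream attached to the file; here they are
# properties of an object. RSA key pairs stand in for EFS certificates.

function Protect-EfsFile {
    param(
        [byte[]] $Plaintext,
        [System.Security.Cryptography.RSA] $UserKey,           # user's certificate key pair
        [System.Security.Cryptography.RSA] $RecoveryAgentKey   # recovery agent's key pair
    )
    # One fresh symmetric key per file: the FEK
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    [pscustomobject]@{
        Ciphertext = $ciphertext
        IV         = $aes.IV
        DDF        = $UserKey.Encrypt($aes.Key, $true)           # FEK wrapped with the user's public key (OAEP)
        DRF        = $RecoveryAgentKey.Encrypt($aes.Key, $true)  # FEK wrapped with the recovery agent's public key
    }
}

function Unprotect-EfsFile {
    param(
        $Protected,
        [System.Security.Cryptography.RSA] $PrivateKey,
        [ValidateSet('DDF', 'DRF')] [string] $Field   # which wrapped copy of the FEK to open
    )
    # Only the matching private key can unwrap the FEK; a wrong key throws
    $fek = $PrivateKey.Decrypt($Protected.$Field, $true)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek
    $aes.IV  = $Protected.IV
    $aes.CreateDecryptor().TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
}

# Constructed key pairs and data for the demonstration
$user     = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$agent    = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$stranger = New-Object System.Security.Cryptography.RSACryptoServiceProvider 2048
$data     = [Text.Encoding]::UTF8.GetBytes('constructed sample: quarterly payroll figures')

$protected = Protect-EfsFile -Plaintext $data -UserKey $user -RecoveryAgentKey $agent

# The owner opens the file through the DDF, the recovery agent through the DRF
[Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $protected $user  'DDF'))
[Text.Encoding]::UTF8.GetString((Unprotect-EfsFile $protected $agent 'DRF'))

# Anyone else holds a key that unwraps neither field
try   { Unprotect-EfsFile $protected $stranger 'DDF' | Out-Null }
catch { 'decryption refused: ' + $_.Exception.Message }
```

Two properties of the design are visible here. Re-keying a file for a new recovery agent only requires re-wrapping the 32-byte FEK, not re-encrypting the file, and losing the user's private key is survivable only because the DRF exists, which is why the recovery agent's certificate and private key must be backed up and kept off the machine.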

BEST PRACTICES ACCORDING TO MICROSOFT

Microsoft recommends using both BitLocker and EFS together. BitLocker is able to encrypt all files on the system partition, including the system files, while EFS is able to encrypt volumes that are outside of the system partition, which BitLocker cannot touch. Together they provide a solid solution.

SOME INDEPENDENT ADVICE

Encrypt the pagefile; this is one of the new features of EFS within Windows Vista. By encrypting it, you make reading the pagefile practically impossible for thieves.


*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration

Windows Vista Managing Basic and Dynamic Disks

Throughout the years, storage requirements and drive sizes have changed, increasing in both cases. In the early ‘90s, it was nearly unheard of for personal computers to use more than one physical hard drive. Now it doesn’t seem so strange. Requirements such as fault tolerance, multiple partitions, and quick accessibility are some of the necessities today. In years past, no one would have ever thought more than 50 to 100MB would be needed on a hard drive. Now we see laptops alone with close to 200GB drives. With these new requirements and drive sizes comes the need to better manage data storage.

Since Windows 2000, we’ve had two different disk types: basic disks and dynamic disks. A basic disk is one that can be accessed by MS-DOS and previous versions of Windows, depending on the file system installed. Basic disks use the same structure as previous versions of Windows, so if you have a multiboot system with an older version of Windows such as Windows NT 4.0, you will want to have a basic disk. Basic disks can contain up to four primary partitions, or three primaries and one extended. Partitions on a basic disk cannot share or split data with other partitions.

Dynamic disks offer options not available on basic disks. They allow greater flexibility than basic disks because they use a hidden database to track information about dynamic volumes on the physical disk, as well as information about other dynamic disks on the system. Since each dynamic disk in a PC stores a replica of the dynamic disk database, Windows Vista can repair a corrupted database on one dynamic disk by using the database on another dynamic disk. The location of the database is determined by the partition style chosen (we will cover this later). Dynamic disks can contain an unlimited number of dynamic volumes that behave like primary partitions on basic disks. One of the biggest differences between basic disks and dynamic disks is that dynamic disks can split or share data across two or more dynamic hard disks on a computer. Disk management is accessed by going to Start Button | Control Panel | Administrative Tools | Computer Management | Storage | Disk Management. Once in Disk Management, you can see the disk drives on your system.

Basic disks can be converted into dynamic disks by going into Disk Management under Storage within Computer Management, and then right-clicking the disk you want converted and choosing Convert to Dynamic Disk.

You also have the option of using the command line to convert a basic disk to a dynamic disk. The utility you would use is diskpart.exe. DiskPart can do everything Disk Management can in the user interface. This command can be invaluable to administrators who use scripts.
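The following is an added example (not from the book) of driving diskpart.exe from PowerShell the way scripts and WinRE sessions do: the commands go into a script file passed with /s. The inventory function is read-only; the conversion function wraps the same "convert dynamic" command in ShouldProcess so that it changes a disk only after confirmation, and -WhatIf shows what it would do. The disk number is an assumption to be taken from the inventory output.

```powershell
# Added example (not from the book): diskpart.exe driven from a script file.
# diskpart needs an elevated prompt; the conversion is one-way in practice
# (going back to basic requires deleting the volumes first).

function Invoke-DiskPart {
    param([string[]] $Commands)
    # diskpart /s reads one command per line from a text file
    $scriptFile = [IO.Path]::GetTempFileName()
    $Commands | Set-Content -Path $scriptFile -Encoding ASCII
    try     { & diskpart.exe /s $scriptFile }
    finally { Remove-Item -Path $scriptFile -ErrorAction SilentlyContinue }
}

function Get-DiskPartInventory {
    # The command-line equivalent of looking at the Disk Management view
    Invoke-DiskPart -Commands 'list disk', 'list volume'
}

function Convert-ToDynamicDisk {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)] [int] $DiskNumber)   # from 'list disk' output
    # Same operation as right-clicking the disk in Disk Management and choosing
    # Convert to Dynamic Disk.
    if ($PSCmdlet.ShouldProcess("disk $DiskNumber", 'Convert basic disk to dynamic')) {
        Invoke-DiskPart -Commands "select disk $DiskNumber", 'convert dynamic'
    }
}

# Usage:
#   Get-DiskPartInventory
#   Convert-ToDynamicDisk -DiskNumber 1 -WhatIf    # shows the action without running diskpart
#   Convert-ToDynamicDisk -DiskNumber 1            # prompts before converting
```

Keeping every diskpart invocation behind one helper also gives you a single place to log the exact script that was executed, which matters when a disk change has to be explained afterwards.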



A Quicker Way to Access Computer Management

A quicker way to get to Computer Management is to click the Start button, right-click Computer, and then select Manage.



NOTE

Windows does not allow basic disks on laptop computers to be converted to dynamic. This is further explained in the Microsoft Knowledge Base article located at http://support.microsoft.com/default.aspx/kb/232463 .



BEST PRACTICES ACCORDING TO MICROSOFT

Microsoft recommends ALL administrators become familiar with diskpart.exe. If you are ever in a situation where you are in the Windows Recovery Environment (WinRE), the only way you’ll be able to manage the disks is by using diskpart.exe.



SOME INDEPENDENT ADVICE

Practice using diskpart.exe in a controlled environment (such as a lab) and test it in a simulated WinRE situation. By doing so, you will not find yourself being forced to learn how to use the command while trying to troubleshoot a serious problem for a user. This will save you and the user a great deal of time and make your efforts look more professional. As a result, users’ confidence in your skills will increase.


*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration

Saturday, May 24, 2008

Increasing File System Performance

When we talk about increasing or improving file system performance, we have to talk about the hard drive. On new systems today with such fast processors, the biggest bottleneck is the performance of the hard drive itself. All Windows operating systems use virtual memory. They do this by a process referred to as paging. Paging is the process of moving virtual memory back and forth between physical memory and the hard drive. By optimizing the performance of the file system on the hard drive, we in essence improve the performance of the system itself. There are ways in Windows Vista to improve file system performance. Some are through regular maintenance, and others are through settings within the operating system. We will go over the following ways of improving file system performance.

■ Disk defrag

■ Cluster size adjustment

■ Short filenames

■ Folder structure

■ Compression

■ Relocate pagefile.sys


Disk Defrag

File system fragmentation is the inability of the file system to lay out related data contiguously. Thus, the hard drive works harder during seeks, which hinders performance. Defragging hard drives is an effort to improve performance and has been going on for years regardless of the file system. In the early days of NTFS, very little talk about fragmentation came up. So little was the subject brought up that some quite mistakenly believed that NTFS couldn’t be fragmented. This is not the case at all. NTFS can and does become fragmented the longer a system is used and the more data that is put on the drive.

Cluster Size (Allocation Unit) Adjustment

As you’ve seen, the performance of NTFS can be affected by disk fragmentation. NTFS performance can also be affected by cluster size (allocation unit). As discussed earlier, a file smaller than the cluster size still consumes a whole cluster on the drive, which means that if you don’t choose the right cluster size when creating a volume, you could face a significant performance hit. Some things to think about when creating an NTFS volume and determining the cluster size:

■ Will the files typically be about the same size?

■ Will the files be smaller than the default cluster size?

■ Will the files on the drive remain about the same size or will they grow larger and by how much?

Files that are smaller than the default cluster size, and stay relatively the same size, should use the default size to reduce wasted disk space. The caveat to smaller clusters, though, is that they tend to fragment much more easily and more often than larger cluster sizes. If the files you will be storing on the drive tend to be large (for example, CAD drawings), then you may want to use 16 or 32KB clusters instead of the default 4KB size.
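The trade-off described above can be put in numbers before a volume is formatted. The following script is an added example (not from the book): given a list of file sizes, it rounds each file up to whole clusters for several candidate cluster sizes and reports the resulting slack. The sample sizes are constructed; the last line shows how to feed it the sizes of a real directory tree instead.

```powershell
# Added example (not from the book): slack space at different NTFS cluster sizes.
# Model: every non-empty file occupies a whole number of clusters.

function Get-ClusterSlack {
    param(
        [long[]] $FileSizes,                              # logical file sizes in bytes
        [int[]]  $ClusterSizes = @(4KB, 16KB, 32KB, 64KB) # candidate allocation units
    )
    $logical = ($FileSizes | Measure-Object -Sum).Sum
    foreach ($cluster in $ClusterSizes) {
        $allocated = [long]0
        foreach ($size in $FileSizes) {
            # a zero-byte file takes no cluster; anything else rounds up to the next cluster boundary
            if ($size -gt 0) { $allocated += [long][math]::Ceiling($size / $cluster) * $cluster }
        }
        $slackPct = if ($allocated -gt 0) { [math]::Round(100 * ($allocated - $logical) / $allocated, 1) } else { 0 }
        [pscustomobject]@{
            ClusterKB   = $cluster / 1KB
            LogicalMB   = [math]::Round($logical / 1MB, 2)
            AllocatedMB = [math]::Round($allocated / 1MB, 2)
            SlackPct    = $slackPct
        }
    }
}

# Constructed sample: 2,000 small documents of 1.2 to 1.8 KB plus 50 files of about 40 MB
$small = 1..2000 | ForEach-Object { 1200 + ($_ % 7) * 100 }
$large = 1..50   | ForEach-Object { 40MB + $_ * 1KB }

'Small files only:'
Get-ClusterSlack -FileSizes $small | Format-Table -AutoSize
'Small and large files mixed:'
Get-ClusterSlack -FileSizes ($small + $large) | Format-Table -AutoSize

# Real data: sizes of an existing tree (example path, adjust as needed)
# Get-ClusterSlack -FileSizes (Get-ChildItem C:\Data -Recurse | Where-Object { -not $_.PSIsContainer } | Select-Object -ExpandProperty Length)
```

With only the small files, slack grows steeply as the cluster size increases, because each 1.5 KB file wastes most of a 32 KB or 64 KB cluster; once the large files dominate the total, the same cluster sizes cost almost nothing. One caveat the model ignores: NTFS stores very small files (a few hundred bytes) inside their MFT record rather than in a cluster, so real allocation for those is lower than the calculation shows.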

Short Filenames

On NTFS volumes, each time a user creates a file with a long filename, Windows Vista creates a second file entry that has a similar 8.3 short filename. Remember the old 8.3 limitation of FAT12 and FAT16? No? Well, filenames back then could only have a maximum of eight characters for the filename itself, plus a three-character extension. An example would have been genedoc1.doc. With restrictions like that, it was very difficult to know what file contained what without a decent description in the filename. This all changed in the Windows world when NTFS came along. Now we have a maximum of 256 characters for our filenames.

On systems with a large number of files with long filenames that contain the same initial characters, the time required to create the files increases, thus file system performance is hurt. This is because NTFS bases the 8.3 filename on the first six characters of the long name. When you have a large number of files with similar long names under the same folder, this can cause problems. To reduce the time required to create files, use the FSUTIL command, as shown next, to disable the 8.3 short filename service. After disabling 8.3, don’t forget to restart the system.

fsutil behavior set disable8dot3 1
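To see the effect the text describes rather than take it on faith, the following lab script is an added example (not from the book). It creates a batch of files whose long names share the same first six characters, times the creation, shows a few of the 8.3 names NTFS generated (via dir /x, the built-in way to display them), and records the current disable8dot3 setting so that two runs, before and after the change and restart, can be compared. The file count, names and scratch folder are constructed.

```powershell
# Added example (not from the book): measure file creation with colliding 8.3
# prefixes. Creates and removes a scratch folder under %TEMP%.

function Measure-ShortNameCost {
    param(
        [int]    $Count = 3000,
        [string] $Root  = (Join-Path $env:TEMP 'dot3lab')   # scratch folder, removed afterwards
    )
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $elapsed = Measure-Command {
        for ($i = 1; $i -le $Count; $i++) {
            # every long name starts with "Quarte", so each new short name needs a distinct ~n tail
            New-Item -ItemType File -Path (Join-Path $Root ('QuarterlyReport-{0:D5}.docx' -f $i)) | Out-Null
        }
    }
    # 'dir /x' lists the generated short name beside each long name; lines with '~' carry one
    $shortNames = cmd /c "dir /x `"$Root`"" | Where-Object { $_ -match '~' } | Select-Object -First 5
    Remove-Item -Path $Root -Recurse -Force
    [pscustomobject]@{
        Files           = $Count
        Seconds         = [math]::Round($elapsed.TotalSeconds, 2)
        Disable8dot3    = [string](fsutil behavior query disable8dot3)   # the setting in force for this run
        ShortNameSample = $shortNames
    }
}

# Usage: Measure-ShortNameCost | Format-List
```

When short names are disabled the ShortNameSample field comes back empty, which is the quickest way to confirm that the restart actually applied the setting. Before disabling 8.3 names on a production volume, check that nothing still depends on them: older installers and scripts that reference paths such as PROGRA~1 stop working.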

Folder Structure

One of the advantages of NTFS is its ability to support volumes that contain large numbers of files and folders. Some guidelines, however, can improve performance by altering your folder structure. First, do not put a large number of files into a single folder. Users who have programs that quickly open and close files frequently can cause a performance hit. Try separating the files into folders so that the workload is distributed across multiple folders at a time. If this is not possible, keep the files in one folder and, just as we did previously in this section, disable the 8.3 filename structure.

Compression

It’s no secret that file compression causes a performance hit. This is because when a compressed NTFS file is copied, it is decompressed, copied, and then recompressed as a new file, even if it’s copied onto the same computer. Systems that are CPU-bound should not use compression.

Relocating Pagefile.sys

Another way to improve file system performance is to relocate pagefile.sys to another physical drive and dedicate that drive to it. By relocating the page file to a separate dedicated hard drive, you take advantage of the spindles of that drive and speed up the process of paging. This improves system performance and limits the amount of fragmenting on each physical drive.
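The relocation just described is normally done in the Virtual Memory dialog, but it can be scripted through the Win32_PageFileSetting WMI class. The following is an added example (not from the book) that turns off automatic page file management, removes page files from other drives, and creates a fixed-size page file on the dedicated drive. D: as the dedicated drive and the 4096 MB size are assumptions for the example; every step goes through ShouldProcess so -WhatIf previews the changes, and a restart is required before the new page file is used.

```powershell
# Added example (not from the book): move pagefile.sys to a dedicated drive.
# Run elevated; changes take effect after a reboot.

function Move-PageFile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string] $TargetDrive = 'D:',   # assumed dedicated drive
        [int]    $InitialMB   = 4096,
        [int]    $MaximumMB   = 4096    # initial = maximum keeps the page file from growing and fragmenting
    )
    # Windows overrides manual settings while automatic management is on
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    if ($cs.AutomaticManagedPagefile -and
        $PSCmdlet.ShouldProcess($cs.Name, 'disable automatic page file management')) {
        $cs.AutomaticManagedPagefile = $false
        $cs.Put() | Out-Null
    }

    # Remove page files that live on any other drive
    Get-WmiObject -Class Win32_PageFileSetting |
        Where-Object { $_.Name -notlike "$TargetDrive*" } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.Name, 'remove page file')) { $_.Delete() }
        }

    # Create or resize the page file on the dedicated drive
    $target   = "$TargetDrive\pagefile.sys"
    $existing = Get-WmiObject -Class Win32_PageFileSetting | Where-Object { $_.Name -eq $target }
    if ($PSCmdlet.ShouldProcess($target, "set page file to $InitialMB-$MaximumMB MB")) {
        if ($existing) {
            $existing.InitialSize = $InitialMB
            $existing.MaximumSize = $MaximumMB
            $existing.Put() | Out-Null
        } else {
            Set-WmiInstance -Class Win32_PageFileSetting `
                -Arguments @{ Name = $target; InitialSize = $InitialMB; MaximumSize = $MaximumMB } | Out-Null
        }
    }
    Get-WmiObject -Class Win32_PageFileSetting | Select-Object Name, InitialSize, MaximumSize
}

# Usage:
#   Move-PageFile -TargetDrive 'D:' -WhatIf   # preview
#   Move-PageFile -TargetDrive 'D:'           # apply, then restart
```

One consequence to plan for: Windows writes kernel crash dumps through the page file on the system volume, so a machine with no page file on the Windows drive will not produce a memory dump after a bugcheck. If dumps matter to you, keep a small page file on the system drive as well and let the dedicated drive carry the large one.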

*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration

Windows Vista Sharing File Systems

Ever since the release of Windows for Workgroups in the early 90s, users have been able to share files across the network in a peer-to-peer setup. Sharing resources with others across the network is pretty straightforward. You decide what you want to share with other users, whether it is files or printers; you enable sharing if it isn’t enabled already; you create the share; and then you decide who has access to the resources and the type of access they have. Windows Vista provides a new capability in that users can actually share individual files from within their own Users directory. Versions before Windows Vista were only capable of sharing folders and not individual files. Windows Vista provides two ways of sharing:

1. Public folder sharing

2. Any folder sharing

Each method provides easy ways of collaborating with other users, whether across the network or locally on the system itself. Public folder sharing provides users with an easy way of sharing files without having to create a share. The public folder is designed specifically for sharing files. As you already know, Windows Vista (just like XP and NT) is a multi-user operating system. Multiple users can share the same system and log on with their own IDs, thereby having their own separate profiles on one PC.


Public Folder Sharing

Users who share a single system can share files amongst themselves. In Windows XP, this was done using the Shared Documents folder. Now in Windows Vista, you have a Public folder that automatically allows all users of the local system to access files in this folder. Microsoft has replaced the old Documents And Settings folder, which housed the user profiles, with the Users folder instead, where the Public folder resides. Notice that the Public folder is also listed in the Favorite Links section in the left window pane. This provides quicker access to all users on the system.

Now let’s say you want to share the contents of your Public folder with users on the network. You must do two things:

1. Turn on file sharing.

2. Turn on sharing for the Public folder.

You must enable file sharing in Windows Vista to share both the Public folder and any other folders you decide to make available to users across the network. To do this, go to Control Panel | Network and Sharing Center. In the Network and Sharing Center, you will see an area called Sharing and Discovery.

Sharing and Discovery contains five sharing settings:

■ Network discovery

■ File sharing

■ Public folder sharing

■ Printer sharing

■ Media sharing


Notice that all sharing is disabled by default. First, we must turn on file sharing. To do so, just click the down arrow button to the right of it and select Turn on file sharing. This allows us to share any files we want. User Account Control (UAC) will prompt you for the administrator’s password if it is still enabled.

Turning on file sharing shares the %SystemDrive%\Users folder. After we’ve enabled file sharing, we must enable Public folder sharing so that we can make available any documents or files we place there for network users. As we did when turning on file sharing, click the down-arrow button beside Public folder sharing; you have three options:

■ Turn on sharing so anyone with network access can open files

■ Turn on sharing so anyone with network access can open, change, and create files

■ Turn off sharing (people logged on to this computer can still access this folder)



Any Folder Sharing

We’ve just shown how users can use Public folder sharing amongst local and network users. Now, what if you need to share different folders throughout your system and not just the Public folder? Windows Vista provides two ways of sharing other files and folders. One way is to use the Advanced Sharing Interface. This is the same method you’ve come to know and love that allows you to manually configure share permissions on the folder. The other method is running through the new File Sharing Wizard.

The File Sharing Wizard can be used to share files and folders in a workgroup or domain environment. The shared files and folders can be stored outside the user’s profile if need be. Folders containing files can be shared from outside the user’s directory, but the ability to share an individual file is lost there: a user cannot share a single file that resides outside their user directory.
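Whichever of the methods above created a share, what a network user can do with it is the more restrictive of the share permissions and the NTFS file and folder permissions listed under the NTFS features earlier. The following audit script is an added example (not from the book): it lists the machine's disk shares through WMI, reads each share-level ACL and the NTFS ACL of the shared folder, and reports entries that grant write or delete to broad principals such as Everyone or Users. The checking logic works on plain ACE objects so it runs on the constructed sample; the list of "broad" principals and the access-mask bits tested are assumptions you can adjust.

```powershell
# Added example (not from the book): audit share-level and NTFS permissions for
# write access granted to broad groups. The live query needs an elevated prompt.

# Principals treated as "everyone on the network" for this audit (assumed list)
$BroadPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\ANONYMOUS LOGON'

function Test-WriteMask {
    # Access-mask bits that allow changing data: FILE_WRITE_DATA 0x2, DELETE 0x10000,
    # GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000 (Full Control 0x1F01FF and Change 0x1301BF include them)
    param([int64] $Mask)
    ($Mask -band 0x50010002) -ne 0
}

function Get-ShareAclFindings {
    # Works on ACE-like objects with Trustee, AccessMask and AceType (0 = allow, 1 = deny)
    param([string] $ShareName, [object[]] $Aces)
    foreach ($ace in $Aces) {
        if ($ace.AceType -eq 0 -and ($BroadPrincipals -contains $ace.Trustee) -and (Test-WriteMask $ace.AccessMask)) {
            [pscustomobject]@{ Share = $ShareName; Layer = 'Share'; Principal = $ace.Trustee; Rights = ('0x{0:X}' -f $ace.AccessMask) }
        }
    }
}

function Get-NtfsAclFindings {
    param([string] $ShareName, [string] $Path)
    foreach ($rule in (Get-Acl -Path $Path).Access) {
        $id = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and ($BroadPrincipals -contains $id) -and (Test-WriteMask ([int64]$rule.FileSystemRights))) {
            [pscustomobject]@{ Share = $ShareName; Layer = 'NTFS'; Principal = $id; Rights = $rule.FileSystemRights.ToString() }
        }
    }
}

function Get-ShareExposure {
    # Live audit of the local machine: Type 0 = ordinary disk share (admin shares use other type values)
    foreach ($share in (Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })) {
        $security = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        if ($security) {
            $aces = $security.GetSecurityDescriptor().Descriptor.DACL | ForEach-Object {
                $trustee = ($_.Trustee.Domain + '\' + $_.Trustee.Name).TrimStart('\')   # 'Everyone' has no domain part
                [pscustomobject]@{ Trustee = $trustee; AccessMask = $_.AccessMask; AceType = $_.AceType }
            }
            Get-ShareAclFindings -ShareName $share.Name -Aces $aces
        }
        if (Test-Path -Path $share.Path) { Get-NtfsAclFindings -ShareName $share.Name -Path $share.Path }
    }
}

# Constructed sample: a Public share granting Everyone "Change" and Users "Read"
$sampleAces = @(
    [pscustomobject]@{ Trustee = 'Everyone';      AccessMask = 0x1301BF; AceType = 0 },
    [pscustomobject]@{ Trustee = 'BUILTIN\Users'; AccessMask = 0x1200A9; AceType = 0 }
)
Get-ShareAclFindings -ShareName 'Public' -Aces $sampleAces | Format-Table -AutoSize

# Live audit: Get-ShareExposure | Format-Table -AutoSize
```

On the constructed sample only the Everyone entry is reported, since the Users entry carries Read (0x1200A9) and none of the write bits. A finding on one layer alone is not necessarily exposure; a share that grants Everyone Change over a folder whose NTFS ACL allows only Read is still read-only over the network. Findings on both layers for the same share are what deserve attention, and that is exactly what the "open, change, and create files" option for the Public folder produces.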


BEST PRACTICES ACCORDING TO MICROSOFT

When in a domain environment, turn off Network Discovery. It can generate unnecessary network traffic. Use Group Policies to prevent users on Vista systems from sharing files from their user profiles unless they are local administrators.


SOME INDEPENDENT ADVICE

After turning off Network Discovery, be sure to publish any shared folders in Active Directory. This will make it easier for users throughout the domain to find them.


*.* Source of Information : Syngress How to Cheat at Microsoft Vista Administration

Thursday, May 22, 2008

Windows Server 2008 Active Directory - Groups

The point of groups is to make assigning attributes to larger sets of users easier on administrators. Picture a directory with 2,500 users. You create a new file share and need to give certain employees permissions to that file share—for example, all accounting users. Do you want to take a hard-copy list of all members of the accounting department and hand-pick the appropriate users from your list of 2,500? Of course you don't. Groups allow you to create an object called Accounting and insert all the appropriate users into that group. So, instead of selecting each individual user from a large list, you can pick the Accounting group, and all members of that group will have the same permissions on the file share.

There are four different scopes of groups within Windows Server 2008 and AD DS, and each scope can nest groups differently. Let's outline the group scopes first, and then bear with me as I explain the concepts of each:


Machine local groups

Machine local groups contain objects that pertain only to the local computer (or more specifically, to objects contained within the local computer's SAM database). These types of groups can have members that are global groups, domain local groups from their own domain, and universal or global groups from their own domain or any other domain that they trust.


Domain local groups

Domain local groups can be created only on a domain controller, so ordinary client computers or member servers of a domain cannot host domain local groups. Domain local groups can be put inside machine local groups within the same domain (this is a process called nesting). They can contain global groups from a domain that trusts the current domain and other domain local groups from the same domain. As you will see later in the chapter, they are of limited utility unless you are working in a larger, multidomain environment.


Domain global groups

Like domain local groups, domain global groups can be created only on a domain controller, but domain global groups can be put into any local group of any machine that is a member of the current domain or a trusted domain. Domain global groups can also be nested in other global groups; however, all nested domain global groups must be from the same domain. Domain global groups are great tools that contain all the functionality of domain local groups, and more, and they are the most common type of group used across a domain.


Universal groups

Universal groups are a sort of "do-it-all" type of group. Universal groups can contain global and universal groups, and those nested groups can be from any domain in your AD DS forest.

Briefly, I'll also mention that there are two types of groups: a security group is used for the purposes of assigning or denying rights and permissions, and a distribution group is used for the sole purpose of sending email. A security group, though, can also act as a distribution group.
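Nesting is what makes the scopes above useful and also what makes it hard to answer "who is actually in this group?" The following resolver is an added example (not from the book): it walks nested membership, reports each group's scope and whether it is a security or distribution group from the AD groupType flags, and guards against circular nesting. The core function runs on an in-memory graph, so the constructed Accounting sample below works anywhere; Get-AdGroupGraph builds the same graph from a real domain through ADSI and assumes you are logged on to that domain.

```powershell
# Added example (not from the book): resolve nested group membership and label
# each group's scope and type. groupType flags: 0x2 global, 0x4 domain local,
# 0x8 universal; the sign bit (0x80000000) marks a security group.

function Get-GroupScope {
    param([int64] $GroupType)   # value of the AD groupType attribute
    $scope = if ($GroupType -band 0x2) { 'Global' }
             elseif ($GroupType -band 0x4) { 'DomainLocal' }
             elseif ($GroupType -band 0x8) { 'Universal' }
             else { 'Unknown' }
    $kind  = if ($GroupType -band 0x80000000) { 'Security' } else { 'Distribution' }
    "$scope/$kind"
}

function Resolve-GroupMembers {
    # $Graph: name -> @{ GroupType = <int>; Members = <names> }; names absent from
    # the graph are treated as users (leaf objects)
    param(
        [hashtable] $Graph,
        [string]    $GroupName,
        [hashtable] $Visited = @{},   # groups already expanded: breaks circular nesting
        [int]       $Depth = 0
    )
    if ($Visited.ContainsKey($GroupName)) { return }
    $Visited[$GroupName] = $true
    foreach ($member in $Graph[$GroupName].Members) {
        if ($Graph.ContainsKey($member)) {
            [pscustomobject]@{ Name = $member; Kind = (Get-GroupScope $Graph[$member].GroupType); Via = $GroupName; Depth = $Depth + 1 }
            Resolve-GroupMembers -Graph $Graph -GroupName $member -Visited $Visited -Depth ($Depth + 1)
        } else {
            [pscustomobject]@{ Name = $member; Kind = 'User'; Via = $GroupName; Depth = $Depth + 1 }
        }
    }
}

function Get-AdGroupGraph {
    # Live graph of every group in the current domain, keyed by distinguished name
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList '(objectCategory=group)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'groupType', 'member'))
    $graph = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        $graph[$dn] = @{
            GroupType = [int64]$result.Properties['grouptype'][0]
            Members   = @($result.Properties['member'] | ForEach-Object { [string]$_ })
        }
    }
    $graph
}

# Constructed sample, mirroring the Accounting scenario; groupType values are the
# real encodings for security groups of each scope
$sample = @{
    'Finance-Share-RW'       = @{ GroupType = -2147483644; Members = @('Accounting', 'Accounting-Contractors') }  # domain local
    'Accounting'             = @{ GroupType = -2147483646; Members = @('alice', 'bob', 'Accounting-Leads') }      # global
    'Accounting-Leads'       = @{ GroupType = -2147483646; Members = @('carol', 'Accounting') }                   # global, nests back (cycle)
    'Accounting-Contractors' = @{ GroupType = -2147483640; Members = @('dave') }                                  # universal
}
Resolve-GroupMembers -Graph $sample -GroupName 'Finance-Share-RW' | Format-Table -AutoSize

# Live: $g = Get-AdGroupGraph; Resolve-GroupMembers -Graph $g -GroupName 'CN=Domain Admins,CN=Users,DC=example,DC=com'
```

The sample resolves to alice, bob, carol and dave, each shown with the chain of groups that admits them, and the cycle between Accounting and Accounting-Leads is expanded once and then stopped. Run against a real domain, pointing the resolver at a privileged group such as Domain Admins is the usual first check, because a distribution group nested inside it contributes nothing to access but a global group nested several levels down does.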

*.* Source of Information : O'Reilly Windows Server 2008: The Definitive Guide

Windows Server 2008 Active Directory - Sites

Sites are great ways to manage the use of bandwidth for AD DS replication across WAN links. All domain controllers in an AD DS domain must stay in contact with one another at regular intervals to acquire and transmit the changes that have occurred to their databases since the last update. Otherwise, information becomes "stale" and the directory is no good to anyone. However, this replication traffic can be costly if you have domain controllers in different countries and you use slow WAN links to keep in contact with your various offices.

By designating different sites with AD DS, a process we'll cover later in the replication section of this chapter, you can tell AD DS to compress the replication traffic to allow it to be transmitted more quickly, and you can give preferences to certain WAN links over others by using the "cost" feature, specifying a higher value for a connection you want to use less often and a lower value for a connection you'd like to use the most often. It's a great way to manage your telecommunications expenses while still taking advantage of the better management features of AD DS.

In a domain environment, the Distributed File System also uses AD DS's site structure to control file replication traffic.

*.* Source of Information : O'Reilly Windows Server 2008: The Definitive Guide


Windows Server 2008 Active Directory - Organizational Units

A domain can be an awfully big, comprehensive unit to manage, and most environments benefit from some mechanism to separate that large, unitary domain into smaller, more manageable chunks. An organizational unit is AD DS's way of doing that. Organizational units, or OUs, act like folders on a regular client's operating system, containing every type of object that AD DS supports. You might choose to separate your domain into OUs in one of these ways:

  • A university might create a domain with a name corresponding to the entire university (ncsu.edu, for example), with each college in that institution getting an OU (biology, physics, mathematics, etc.).

  • A medium-size business might use one domain for all of its AD DS needs, but segregate objects into their geographical locations—an OU for the Los Angeles office, an OU for the Birmingham office, and an OU for the Richmond office.

  • Larger corporations might want to divide their domain by department. Within business.com, for example, an OU could be created each for Sales, Support, Marketing, Development, and Q/A.

  • An administrator also could decide to create OUs based on the type of objects contained therein—for example, a Computers OU, a Printers OU, and so on.

A particularly interesting feature of OUs is the ability to delegate administrative control over them to a subset of users in AD DS. Take, for instance, the third example in the previous list. Perhaps you, as the domain administrator, want to designate one technically savvy person in each department as the official Password Change Administrator, to reduce your administrative load. You can delegate the authority to modify users' passwords to each user over only their respective OU, thereby both allowing them power but finely controlling it over certain areas of your AD DS infrastructure. This ability is called delegation, and you'll find an entire section devoted to it later in this chapter.

OUs are designed to be containers in AD DS—their purpose is to hold objects and to have contents. You can apply GPs to the objects within a specific OU, controlling users' desktops, locking them out of potentially dangerous system modification settings, and creating a consistent user experience across your domain.

*.* Source of Information : O'Reilly Windows Server 2008: The Definitive Guide