The following are the installation requirements for a Windows 2000 Professional workstation:
- 133 MHz or higher Pentium-compatible processor
- 64MB minimum; 4GB maximum)
- 2GB hard drive with a minimum of 650 MB of free space(Additional free hard disk space is required if you are installing over a network).
- Windows 2000 Professional supports up to 2 processors.
Always check the HCL before beginning any installation. Installations can be created on any type of partition-FAT, FAT32, or NTFS. NTFS is recommended, but use FAT or FAT 32 for dual booting. Upgrades can be performed on Windows 9x machines and NT 3.51 and higher OS’s. To upgrade a Windows 3.1 or NT 3.5, first upgrade to Windows 9x or NT 4.0, respectively. To Install over a network, install a distribution server first. Slipstreaming is the ability to install Windows 2000 and the service packs at the same time, and can be done using a distribution image for many computers. There are four logs for troubleshooting failed installations: Setupact.log, Setuperr.log, Setupapi.log and Setuplog.txt.
The following table lists some of the common switches available for use with WINNT.EXE
|/e: command||Executes a command before the last phase of setup.|
|/r: foldername||Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /r switches to install additional folders.|
|/rx: foldername||Creates a folder to be copied as a part of setup – into the Windows 2000 directory, but the folder IS DELETED as setup finishes.|
Use Winnt32.exe for a clean installation or upgrade from Windows 9.x or NT Workstation. There are a number of switches that can be used with winnt32.exe. Below are a couple of the important ones:
|/copydir: foldername||Creates an additional folder in the folder where the Windows 2000 files are installed. The folder IS NOT DELETED after Setup finishes. You can use additional /r switches to install additional folders. Same as /r for winnt.exe.|
|/copysource: foldername||Creates a folder to be copied as a part of setup – into the Windows 2000 directory, but the folder IS DELETED as setup finishes. Same as /rx for winnt.exe.|
|/cmd:||Executes a command before the last phase of setup. Same as /e: for winnt.exe.|
|/cmdcons||Installs the appropriate files to restart the system in command-line non-graphical mode for repair purposes.|
|/syspart||Prepares a hard disk to be transferred to another computer system. This switch installs setup files and marks the partition active. Requires the use of /tempdrive switch.|
|/tempdrive||Specifies which drive to install Windows 2000 temporary files during setup.|
|/makelocalsource||Copies all of the Windows 2000 source files to the target drive during installation.|
|/noreboot||Avoids reboot after installation so that another command can be run.|
|/checkupgradeonly||Checks your system for incompatibilities that will prevent a successful upgrade.|
|/unattend||Upgrades your previous version of Windows by using unattended Setup mode. All user settings are taken from the previous installation so that no user intervention is required during Setup. You can also use this command in an unattended installation by specifying the [seconds][:answer_file] variables.|
Windows 2000 Professional supports unattended installations. The /U switch is used for unattended installations and is followed by the location of the answer and installation files. Unattended installations can be done for clean installs as well as upgrades. Unattended installations can be fully automated. The default answer file that ships with Win2K is called unattend.txt and can be modified. Setup Manager can also create answer files. For more in depth information about unattended installations, read our tutorial Windows 2000 Unattended Installations.
Windows 2000 comes with a variety of tools that can be helpful during installations. Understand the following concepts:
- Disk duplication is used when the computers have identical hardware configurations, and is only used for clean installs.
- Sysprep is used when you need to prepare an image of a computer for cloning but does not provide the actual distribution of this image. That is done with third-party tools.
- To use Remote Installation Service(RIS), there must be DHCP server service, DNS server service, and AD running on the network.
- Scripting is used when computers have different hardware configurations and when disk duplication cannot be used. Answer files offer information that is normally manually input into installation dialog boxes like user name, password, domain name, time zones, etc.
Backup and Recovery
Now that you have installed Windows 2000, you should immediately take steps to protect your installation by installing the Recovery Console. Recovery Console is similar to the emergency repair disk in NT 4.0, but with many functionality enhancements. Recovery Console will allow you to You can start and stop services, read and write data on a local drive (including drives formatted with the NTFS file system), copy data from a floppy disk or CD, format drives, fix the boot sector or master boot record, and perform other administrative tasks. With Windows NT 4.0, many administrators would create a FAT partition that would allow them to boot to a DOS prompt. The recovery console eliminates the need to create a FAT partition for this purpose.
Recovery Console is set up as follows:
Insert the installation CD and switch to the I386 directory. Type C:\>winnt32 /cmdcons. When asked for confirmation, answer “yes”. The file will be copied to the hard disk. After rebooting the computer you will be able to select “Microsoft Windows 2000 Command Console” and start Windows 2000 in command mode. You will be prompted for a Windows 2000 installation that you wish to repair and will be prompted for the Adminstrator password. Once you are in, there is a wide variety of commands that you will be able to perform. Type HELP for a list of all of the commands. Some of the more important commands are:
- DISKPART - Similar to fdisk
- LISTSVC - Lists services
- ENABLE/DISABLE - Enable/disable service or driver
- FIXBOOT - Create a new boot sector on the system partition
- FIXMBR - Repairs master boot record
- MAP - Shows a list of drives and ARC paths.
- LOGON - Choose which installation to work with
The Backup program has been greatly enhanced in order to support Active Directory and a much wider variety of backup media including removable disks, network drives, logical drives and tape devices are now supported. Another nice feature is that an integrated scheduling option has been added which relieves the need to use AT or other scheduling utility. For more in depth information on backing up Windows 2000, read our tutorial Backing Up and Restoring Windows 2000.
Windows 2000 has several other utilities to aid in the event of a failure, many of which are included in “Advanced Options” which are accessed by pressing F8 at the boot menu. In order to troubleshoot failures, it is a good idea to understand the boot process which occurs in the following steps:
- Power-on self test (POST)
- Initial startup
- Bootstrap loader process
- Select operating system
- Detecting hardware
- Selecting a configuration
- Loading and initializing the kernel(Ntoskrnl.exe)
- Log on
The boot process requires the following files:
|| Active Partition
|| Active Partition
|| Active Partition
| SYSTEM key
| Device drivers
Ntbootdd.sys is required only if you are using a SCSI-controlled boot partition, and the SCSI adapter does not have a SCSI BIOS enabled. Bootsect.dos is required only for multiple booting.
When working with the boot.ini file, you need to understand ARC naming conventions. ARC is an architecture-independant way of naming drives for x86, risc, alpha, etc. NT uses this convention in its boot.ini file to determine which disk holds the OS. The table below will explain the different options.
|Multi(x)||Specifies an EIDE disk or a SCSI disk if the bios is enabled to detect it. Can only be used on x86 systems. “x” is the number of the controller.|
|SCSI(x)||Defines a SCSI controller if the BIOS is not enabled to do so. Again, “x” is the number of the controller.|
|Disk(x)||Defines which SCSI disk the OS is on. If SCSI(x) was used then x=the SCSI ID of the drive. If Multi(x) was used then x=0.|
|Rdisk(x)||Defines disk which the OS is on when it is on an EIDE disk. x=0-1 if on primary controller. x=2-3 if on multi-channel EIDE controller.|
|Partition(x)||Specifies the partition that the operating system is located on. (x)=the partition’s number.|
Below are the various recovery tools included in Windows 2000.
- Enable VGA Mode – Located in the advanced options menu, this utility allows one to fix display settings or drivers that have caused the display to become unviewable.
- Last Known Good Configuration – Tells Windows 2000 to forget any changes that you have made since the previous boot, by looking for the last configuration that did not cause system critical errors at boot. Good to try if you have made a change to the system and then rebooted with problems.
- Safe Mode – Loads a minimal version of Windows 2000 with only the drivers needed to boot the computer. Because this option does not load any network services or drivers, it is a good tool to use when you suspect that the problem lies in this area.
- Safe Mode With Networking – Same as Safe Mode, but includes networking support.
- Safe Mode With Command Prompt – Safe Mode in which EXPLORER.EXE is replaced by CMD.EXE. From the command prompt it is still possible to run Explorer and other GUI applications from a command line. No networking support in this mode.
Disk Manager is the old Disk Administrator and is a snap-in. It can be used to defragment, create, and manage volumes and disks. Disk systems now support FAT32, NTFS, and FAT. The convert.exe utility can be used to convert a FAT or FAT32 partition to NTFS. NTFS partitions cannot be converted to FAT or FAT32. If such a need exists, the partition must be deleted and recreated as FAT or FAT32.
The NTFS file system has many new capabilities as follows:
- EFS – Encrypted File System. Windows 2000 NTFS volumes have the ability to encrypt data on the disk itself. This is based on public key and private key encryption procedures. Private keys are used to encrypt and decrypt files, and the key can be placed on a floppy disk for transport to other machines. The CIPHER command can be used for encrypting from a command line. Only the user that stored the file can open it again or a recovery agent. Taking ownership of an encrypted file will not let you read it. Cipher.exe is a command line utility that allows for bulk or scripted file encryption. To enable a folder to have any new contents encrypted, simply view the property page for the folder and select “Encrypt contents to secure data”.
- Disk Quotas – Provides the ability to set space limitations on users on a per volume basis. The ownership of a file determines which user to charge the space used against. You must enable quota management from the properties dialog – quota tab of a given disk. You can then set thresholds for individual users including a warning level when their files exceed a certain amount of storage that is approaching their quota limit.
Defragmentation – Windows 2000 now includes a disk defragmenter that can be used on NTFS partitions.
- Volume Mount Points – Provides the ability to add new volumes to the file system without having to assign a drive letter to them. This feature is only available on an NTFS partitions.
The Distributed File System has also been enhanced. There are two types of DFS implementations: Stand-alone and Fault Tolerant. Stand-alone DFS stores the configuration information on a single node (server). Child nodes can only go one level below root, and can exist on any server. Fault Tolerant DFS stores the DFS configuration information in Active Directory. There can be two identical shares on different servers configured as a single child node to provide fault tolerance. You can have multiple levels of child volumes and file replication is supported. Clients must have DFS software installed. Windows NT4, Windows 2000 and Windows 98 include this software while Windows 95 clients must download the appropriate DFS client software from Microsoft.com
Windows 2000 features a new storage type is called “dynamic disks”. Dynamic disks’ advantages include an unlimited number of volumes created per disk. NTFS Volumes can be extended and we can now include space from different disks. Perhaps the most important item is that the disk configuration is stored on the disk itself. This means that we can move disks between computers (within reason) and have the data available with little additional effort. Dynamic volumes are not supported for Zip disks or laptops. Basic disks can be upgraded to dynamic disks without restarting the computer, but backward conversion causes all data to be lost. Simple volumes are created on dynamic disks and are made up of one physical disk. Spanned volumes combines many physical disks(up to 32), and are written to sequentially until all are full. Striped volumes are created from multiple disks(up to 32) and are written to concurrently. There are no fault tolerant disk configurations available in Windows 2000 Professional.
Plug and play is now supported in Windows 2000. Both APM and ACPI are supported for power management. Must be supported by computer’s BIOS. ACPI is new, APM is legacy. Device Manager is still used for the usual activities: troubleshooting, updating drivers, etc. and still have the familiar red and yellow warnings. Changes to network adapters no longer require the computer be rebooted, and if they are plug and play, are automatically configured.
NTFS and Share Permissions
We recently upgraded our permissions section and it became too long to list here so we have made it a separate study guide. Read Windows 2000/2003 NTFS and Share Permissions for more information.
A Printer is a physical piece of equipment (AKA print device), a logical printer is what the user sees on the screen of the local computer (AKA software), print processor, print router, and printer pools are all self-explanatory. Print spools hold documents until they are ready to be printed. Printers can be located in AD and can be found by querying the location of a printer that can staple, print on specific papers, or can be chosen by printer type to name a few. Windows 2000 Professional automatically downloads the drivers for clients running Windows 2000, Windows NT 4/3.51 and Windows 9x.
Print Pooling allows jobs to be dispersed across more than one printer, making them behave as one. Printer pools must contain printers that use the same driver.
If a printer experiences a jam in the middle of a job, you can select “resume” to continue where you left off.
|HKEY_CURRENT_USER||Contains the root of the configuration information for the user who is currently logged on and contains their profile.|
|HKEY_USERS||Contains the root of all user profiles on the computer. HKEY_CURRENT_USER is an alias for a subkey in the HKEY_USERS subtree.
|HKEY_LOCAL_MACHINE||Contains configuration information particular to the computer(for any user).|
|HKEY_CLASSES_ROOT||A subkey of HKEY_LOCAL_MACHINE \Software. The information stored here ensures that the correct program opens when you open a file by using Windows Explorer.|
|HKEY_CURRENT_CONFIG||Contains information about the hardware profile used by the local computer at system startup.|
The registry editors included with Windows 2000 include Regedt32 and Regedit. Each registry editor has advantages and disadvantages. You can perform most tasks with either registry editor, but certain tasks are easier with one registry editor. The following are advantages of Regedt32:
- Using the Security menu, you can check for and apply access permissions to subtrees, keys, and individual subkeys.
- Each subtree is displayed in its own dedicated window, reducing clutter.
- You can set an option to work in read-only mode.
- You can edit values longer than 256 characters.
- You can easily edit REG_MULTI_SZ entry values.
- You can load multiple registry files at the same time.
The following are advantages of Regedit:
- Regedit has more powerful search capabilities.
- All the keys are visible in one Windows Explorer like window.
- You can bookmark favorite subkeys for fast access later on.
- Regedit reopens to the subtree that was last edited.
- You can export the registry to a text file.
- You can import a registry file from the command line.
Optimization and Tuning
Performance Monitor is included in Windows 2000 and is an MMC snap-in. Just as in NT 4.0, there are performance counters that can be used to determine the source of performance problems. The following is a list of important counters and suggested thresholds.
- Object = Processor. Counter = % Processor Time – If this value is consistently at or above 80% and disk and network counter values are low, a processor upgrade may be necessary
- Object = System. Counter = % Processor Queue Length – A sustained processor queue length that is over 2 may indicate a processor bottleneck.
- Object = Memory. Counter = Pages/sec – If value is consistently over 20 the system may need a memory upgrade.
- Object = Memory. Counter = Commited bytes – Should be less than amount of RAM in the computer.
- Object = PhysicalDisk. Counter = % Disk Time – If over 90%, add more disk drives and partition the files among all of the drives.
- Object = PhysicalDisk. Counter = Disk Queue Length – If consistently over 2 drive access may be a bottleneck.
- Object = PhysicalDisk. Counter = Disk Queue Length – If consistently over 2 drive access may be a bottleneck.
- Object = Server. Counter = Bytes Total/sec – If the sum of Bytes Total/sec for all servers is about equal to the max transfer rates of your network, the network may need to be further segmented.
Windows 2000 Performance Monitor has several different logging methods. Many 3rd party performance applications utilize the Trace log feature. Counter logs allow you to log performance values at a designated interval for local or remote Win2K computers. Alert logs can send a message or run a script/program when a pre-determined threshold has been surpassed.
Performance Monitor now offers more flexibility for exporting data as it can now be saved in HTML, binary, binary circular, .csv, and .tsv.
A paging file(pagefile.sys) is responsible for managing virtual memory and stores data that is not resident in RAM. There is a lot of conflicting information on Microsoft’s website regarding the recommended size of the paging file and we are not sure which is correct. Some references say that it should be 1.5x the amount of physical RAM and others say that it should be physical RAM +12mb as in NT 4.0. You can see the conflicting recommendations in the following support articles:
What you will more likely see on the exam are questions that attempt to see if you understand situations in which the page file should be increased rather than memorizing recommended settings. One such situation is when SQL Server is employed. In this case it is recommended that the paging file be set to 1.5x the amount of physical RAM. http://www.microsoft.com/TechNet/sql/Technote/sql7prep.asp
For better performance, the paging file should be distributed across multiple drives that do not contain system or boot files.
Driver signing is the verification by MS that the drivers you are installing have been tested and will work. You can set limits on users for installing drivers by choosing Warn, Ignore or Block if the driver isn’t signed properly. Use the System File Checker (SFC /scannow) to check the digital signatures of drivers on a computer. Other options include /quiet, /scanboot, /scanonce, /cancel, and others.
User profiles are used to keep users’ desktop settings and preferences available to them each time they log on. Roaming user profiles will keep this information on the network server so users can access their profile from any computer on the network. Ntuser.dat and Ntuser.man are the same as in NT 4.0 for creating mandatory profiles. Local profiles are stored in C:\Documents and Settings\username.
Offline files can be configured to allow users to cache network information normally stored on servers. The Synchronization Manager is used to manage those files once it is set up. Offline files are stored in the systemroot\CSC directory. Offline files supports 3 types of caching as follows:
- manual caching for documents – This setting requires users to specify the documents that they would like cached.
- automatic caching for documents – As you might expect, this option will cache all files that a user opens.
- automatic caching for programs – Reduces network traffic as the network versions of the documents or programs are only stored once. After it is cached, the offline copies are used.
There are 24 localized versions of Win2K. UNICODE is a character set that supports world-wide communications and has characters for French, Russian, and other foreign languages. RTL and API allow developers to create a single program for an application and allow these programs to be used correctly in other languages. Locales are localized language and customs settings and are listed below:
Software can be efficiently deployed, updated and removed using Group Policies and two technologies built into Windows 2000 – Windows Installer and Software Installation and Maintenance.
Windows Installer will replace Setup.exe for many applications. Its advantages include the ability to build custom installations, enable programs to “repair” themselves if a critical file is missing or corrupt and to remove themselves very cleanly when necessary. Software Installation and Maintenance combines Group Policies and Active Directory technologies to enable an administrator to install, manage and remove software across the network. This is only available for Windows 2000 clients.
When you deploy software, you can choose to assign it or publish it. Assigned software can be targeted at users or computers. If you assign an application to a USER, the icons show up on the desktop and/or start menu, but the program is only installed when the user runs it for the first time. If it is assigned to a COMPUTER, it’s installed the next time the system is restarted.
If you publish an application, the user can install it through Add/Remove Programs or through opening a file that requires that particular program(a file association). Published programs cannot self repair, cannot be published to computers and are not advertised on the users’ desktop or start menu – only through add/remove programs.
Assigned applications require a windows installer file(.msi) while published applications can use Windows Installer files or ZAP files. A .ZAP file is an administrator created text file that specifies the parameters of the program to be installed and the file extensions associated with it. Installations that utilize .ZAP files cannot self repair or install with higher privileges and will typically require user intervention to completely install.
You can deploy upgrades using GPO’s simply by specifying which program is to be upgraded and whether or not it is a mandatory upgrade. You can apply service packs or patches by “re-deploying” an existing Group Policy with the new information regarding the service pack.
Windows 2000 Professional ships with built-in fax support with a single user license. Faxing is managed via the Fax Service Management tool which will be installed when a fax device is installed on the computer. The “virtual” fax machine will appear as an icon in the printers folder. In order for faxes to be sent, the user must have appropriate permissions to send them. These permissions can be viewed by finding the fax icon in the printer folder and viewing the Security tab in the properties. In order to receive faxes, the “Enable to Receive” must be selected.
Windows 2000 supports many industry standard protocols including:
The same tools are still in use for troubleshooting TCP/IP: PING, IPCONFIG, TRACERT, ARP, NBSTAT, NETSTAT, ROUTE, etc. PATHPING is new and can be used to troubleshoot lost data packets.
Like Windows 98, Windows 2000 supports a new feature called Automatic Private IP Addressing. When “Obtain An IP Address Automatically” is enabled, but the client cannot obtain an IP address from a DHCP server, Automatic Private IP addressing assigns an address in the form of 169.254.x.x and a class B subnet mask of (255.255.0.0). The computer broadcasts this address to its local subnet and if no other computer responds to the address, the computer allocates this address to itself. Remember that a computer that picks up one of these addresses will only be able to communicate with other computers have compatible addresses and subnet masks.
RAS Policies are a new feature in Windows 2000. Now it is possible to build an entire set of rules called a RAS Policy to dictate several conditions that must exist before a user can connect. It allows the flexibility to require that a user must be dialing from a specific IP address or from a range of addresses, during the right time of day, from the appropriate caller id location using the appropriate protocol. We can restrict access by group membership or the type of service requested. All of these are configurable and optional. Once the user has met all of the conditions, we can apply a profile, which can include items such as the IP address to use for this session, the authentication type that is allowed, any restrictions such as idle time and the rules for BAP with multilink sessions.
Windows 2000 now provides support for VPNs. A virtual private network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. With a VPN, you can create a connection between two computers across a shared or public network that emulates a point-to-point private link. Windows 2000 supports a couple of different VPN protocols. Point to Point Tunneling Protocol(PPTP) creates an encrypted “tunnel” through an untrusted network and is supported by Windows 95/98/NT4/2000. Layer Two Tunneling Protocol(L2TP) works like PPTP in that it creates a “tunnel”, but uses IPSec encryption in order to support non-IP protocols and authentication. The table below illustrates the features of each:
| Transmits over IP-based
| Transmits over UDP, Frame
Relay, X.25 or ATM
- Windows 98 supported Internet Connections Sharing(ICS) which is now also supported in Windows 2000. ICS allows multiple PCs to share a single connection with the aid of Network Address Translation(NAT) and is intended for small office/home office(SOHO) environments. When you enable ICS, the network adapter connected to the network is given a new static IP address configuration. Existing TCP/IP connections on the computer are lost and need to be re-established.NAT can be configured separately from ICS and provides the following features and benefits that do not exist when used with ICS alone:
- Configurable address range – NAT allows manual configuration of IP addresses and subnet masks, whereas ICS uses a fixed IP address range. Any range of IP addresses can be configured using the NAT properties in Routing and Remote Access Manager. A DHCP allocator provides the mechanism for distributing IP addresses, the same way that DHCP does this. NAT can also use IP addresses distributed from a DHCP server by selecting the Automatically assign IP addresses by using DHCP check box in the NAT properties sheet.
- DNS and WINS proxy – Name resolution can be established by using either DNS or WINS. You can configure this by selecting the appropriate check boxes in the NAT properties sheet under the Name Resolution tab.
- Multiple network interfaces – You can distribute NAT functionality on more than one network interface by adding the interface to NAT in the Routing and Remote Access Manager.
RAS has changed rather dramatically. Several new RAS protocols are now available to make our communications over dial up lines or the Internet much more secure and more flexible. These new protocols include Extensible Authentication Protocol (EAP), Layer Two Tunneling Protocol (L2TP), Bandwidth Allocation Protocol (BAP), Internet Protocol Security (IPSec) and Remote Authentication Dial-In User Service (RADIUS).
EAP gives the ability to use Transport Level Security, another encryption methodology for usernames and passwords.
L2TP enables to create a tunnel through a public network that is authenticated on both ends, uses header compression, and relies on IPSec for encryption of data passed through the tunnel.
Bandwidth Allocation Protocol allows to set up Multilink capabilities, but if a user isn’t using the bandwidth of multiple lines, we can drop one of the lines assigned to that user and use it for another user.
IPSec is essentially a driver at the IP layer that provides encryption very low down in the protocol stack.
RADIUS is an RFC based standard that allows us to provide authentication services from the corporate network to a client that is attaching to an ISP that wants access to our server. The ISP’s dial up server that hosts the client is a client to the Radius Server Service (IAS) on the corporate network. The IAS server allows the user to connect.
Local user accounts are managed from the Computer Management Snap-in while domain accounts are managed from the Active Directory User and Computers snap-in. Local accounts only give access to local resources. In a domain model, if a user wishes to access network resources, they will need to have an account in the directory with appropriate permissions to the resources that they are trying to access. There are 2 local user accounts that are created during installation which are Administrator and Guest(disabled by default).
There are 2 types of groups in Windows 2000 – Security and Distribution. It is not recommended to use local groups in a domain environment. There are several built-in local groups as follows:
|Administrators||Can manage all functions on the local system.|
|Backup Operators||Are able to backup and restore files on local system regardless of permissions on files and directories being backed up. May also grant permissions to other users to perform backup operations.|
|Guests||Provides limited access to system resources.|
|Power Users||Can create and administer user accounts and groups. Can only manage users that they created. Can install and remove applications and share resources.|
|Replicator||Used to replicate content between DCs|
|Users||The default group that a new user is added to. Can run applications installed by administators or power users, but not other local users.|
Local Group Policy
Group policy is managed using the Group Policy snap-in. Group Policy allows one to control specific rights to local groups and edit administrative templates. Below are the common security templates for Windows 2000 Workstation.
|Basic(basicwk.inf)||The default security configuration. Does not cover user rights.|
|Compatible(compatws.inf)||For allowing compatibility with non-Windows 2000 application installations.|
|Highly Secure(hisecws.inf)||Limits workstation’s ability to communicate with non-Windows 2000 operating systems. Best used in native environments.|
Templates only work on NTFS partitions. The Security Configuration and Analysis tool will compare current security settings to recommended settings based on a security template.
Local Account and Lockout Policies
Allow administrators to manage user’s password and lockout configurations including password length, complexity, lockout threshold, duration, etc.
Like its predecessors, Windows 2000 is still using the Event Viewer to monitor security, system and application events. Event Viewer is accessed through the Computer Management snap-in. The security log writes events to the logs based on audit policy. Auditing is disabled by default as it can slow system performance. The following table shows the different security events that can be added to an audit policy.
|Account Logon||Logs each logon attempt.|
|Logon Events||Logs network logon attempts including interactive or service logons.|
|Account Management||Logs every instance of changes(management) of user accounts.|
|Directory Service||Logs Active Directory Service events.|
|Policy Change||Logs changes in policies.|
|Process Tracking||Tracks all programs and processes initiated by a user in order to monitor their activities.|
|Object Access||Tracks a users attempts to access resources in the Active Directory.|
|Priveledge Use||Logs when a user utilizes special access priveledges.|
|System Event||Logs configured system events such as startup/shutdown, etc.|
Acronyms you really must know(not including the ones you already know!)
1. ACL – access control list
2. ACPI – advanced configuration and power interface
3. AD – active directory
4. APM – advanced power management
5. APIPA – automatic private internet protocol addressing
6. CA – certificate authority
7. CAL – client access license
8. DHCP – dynamic host configuration protocol
9. DNS – domain name system
10. EAP – extensible authentication protocol
11. EFS – encrypting file system
12. FEK – file encryption key
13. GPO – group policy object
14. GPT – group police template
15. HCL – hardware compatibility list
16. IAS – internet authentication services
17. ICS – internet connection sharing
18. IPSec – internet protocol security
19. L2TP – layer two tunneling protocol
20. LDAP – lightweight directory access protocol
21. LPD – line printer daemon
22. MMC – microsoft management console
23. NAT – network address translation
24. NTFS – NT file system
25. ODBC – open database connectivity
26. OSI – open systems interconnection (model)
27. OU – organizational unit
28. PCMCIA – personal computer memory card interface adapter
29. PPP – point to point protocol
30. PPTP – point to point tunneling protocol
31. PXE – preboot execution environment
32. RAS – remote access service
33. RIPrep – remote installation preparation
34. RIS – remote installation services
35. RRAS – routing and remot access service
36. SAM – security accounts manager
37. SMP – symmetric multiprocessing
38. SMS – systems management server
39. Sysprep – system preparation
40. TFTP – trivial file transfer protocol
41. UDF – unique database file
42. UNC – universal naming convention
43. VPN – virtual private network
44. WDM – windows32 driver model