Either 1) acquire Microsoft Windows XP Professional before the launch of Microsoft Windows Server Terminal Services and receive a Microsoft Windows Server 2003 Terminal Services CAL, or 2) acquire a CAL for Microsoft Windows Server 2003 Terminal Services
Just because you can edit keys' ACLs doesn't mean you should, however. Messing with your registry's security is not a good idea unless you have a specific reason to do so. At best, you will make a change that's irrelevant, but at worst, you can prevent Microsoft Windows XP from working properly. So why am I including security in this book at all? There are cases in which IT professionals must change the registry's default permissions to deploy software. That is a totally different story than tinkering with your registry's security out of curiosity. For example, you might have an application that users can run only when they log on to the operating system as a member of the Administrators group. Ouch. In a corporate environment, you don't want to dump all your users in this group. The solution is to deploy Windows XP with custom permissions on the specific keys the application needs, so users can run those programs as a member of the Power Users or Users group. This is the most common scenario, and it's the primary focus of this chapter.
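The deployment scenario above, granting a non-administrator group just enough access to one application's keys, looks like this in PowerShell. This is an added example, not code from the book; the key path `HKLM:\SOFTWARE\ExampleVendor\ExampleApp` and the function names are assumptions, and the example assumes you have already identified (for instance with Process Monitor filtered on `ACCESS DENIED`) which key the application writes to when it fails for ordinary users.

```powershell
# Added example (not from the book). Grants a non-admin group the minimum
# registry rights an application needs, scoped to that application's own key.
# Assumption (hypothetical): the application stores its state under
# HKLM:\SOFTWARE\ExampleVendor\ExampleApp and fails for members of Users
# with ACCESS_DENIED when it tries to SetValue/CreateSubKey there.

function Grant-AppKeyAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,          # e.g. 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
        [string] $Identity = 'BUILTIN\Users',
        # Least privilege: read, write values, create subkeys. Not FullControl,
        # so users cannot change the key's permissions or take ownership.
        [System.Security.AccessControl.RegistryRights] $Rights =
            [System.Security.AccessControl.RegistryRights]::ReadKey -bor
            [System.Security.AccessControl.RegistryRights]::SetValue -bor
            [System.Security.AccessControl.RegistryRights]::CreateSubKey
    )

    # Refuse hive and SOFTWARE/SYSTEM roots: an ACE there is inherited by every
    # application on the machine, which is exactly the "tinkering" to avoid.
    $forbidden = @('HKLM:', 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'HKCU:')
    if ($forbidden -contains $KeyPath.TrimEnd('\')) {
        throw "Refusing to change permissions on '$KeyPath'; scope the grant to the application's own key."
    }
    if (-not (Test-Path -LiteralPath $KeyPath)) {
        throw "Key '$KeyPath' does not exist; install the application first, then rerun."
    }

    $acl  = Get-Acl -LiteralPath $KeyPath
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # subkeys inherit the ACE
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.AddAccessRule($rule)

    if ($PSCmdlet.ShouldProcess($KeyPath, "Grant '$Rights' to $Identity")) {
        Set-Acl -LiteralPath $KeyPath -AclObject $acl
    }
}

function Get-AppKeyAccess {
    # Show the ACEs that apply to one identity so the change can be verified
    # (and reverted with $acl.RemoveAccessRule($rule) if the app still fails).
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $Identity = 'BUILTIN\Users'
    )
    (Get-Acl -LiteralPath $KeyPath).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited, InheritanceFlags
}

# Usage (run from an elevated prompt; -WhatIf first to see what would change):
Grant-AppKeyAccess -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp' -WhatIf
Grant-AppKeyAccess -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
Get-AppKeyAccess   -KeyPath 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp'
```

Two practical notes. First, grant rights to a group (here `BUILTIN\Users`) rather than to individual accounts, so the change survives staff turnover and can be rolled out identically to every workstation. Second, prefer the narrowest rights that make the application work: if it only reads the key at startup, `ReadKey` alone is enough and `SetValue`/`CreateSubKey` should be dropped, because every extra right on a machine-wide key under HKLM is a right that any user's code can exercise.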
All Smartphones offer similar functionality, but they’re not all alike. This book focuses on Smartphones that run the Microsoft Windows Mobile operating system. These phones have been developed by several different phone manufacturers (such as Motorola and Samsung), and each offers a unique design, plus features that set them apart. Furthermore, the various Smartphones are compatible only with certain cellular and wireless data service providers (such as AT&T Wireless, Verizon Wireless, Sprint PCS, Cingular, T-Mobile, etc.), and each of these service providers makes different features and functions available to the phone at different price points, based upon the service plan you choose and the contract you sign with the service provider.
Chapters 6 and 7 permit me to explain how TCP/IP works, both in a general sense and in the specific sense of configuring Server 2003 to use it. In Server 2003, Microsoft has taken another baby step toward making the NT platform an IP-only platform, as NetBEUI is no longer even an option for protocols. Chapter 6 explains the basics: how to get on an internet; how IP addresses, subnet masks, and routing work; and how to use a Server 2003 as a router. Chapter 7 then explains the three basic TCP/IP services that every Microsoft network needs: DHCP, WINS, and DNS. Server 2003 doesn’t really do much that’s new in DHCP and WINS, but DNS now offers several new features, all of which the chapter covers. The biggest changes in the chapter, however, are in the structure of the DNS section, which now spans almost 200 pages. It’s not only a primer on DNS; in this edition I completely reoriented the discussion and the examples around building not just any DNS infrastructure, but a more secure infrastructure, using split-brain DNS techniques—and if you don’t know what that means, don’t worry, the chapter covers it all. You’ll also see in Chapters 6 and 7 that I’ve worked hard to unify the step-by-step examples so that they all fit together, allowing you to follow along and build a small network that is then completely ready for Active Directory…which is the next chapter’s topic.
Putting the server in production often means recovering information, including security settings, from another server and migrating it to the new model, unless, of course, the server is designed to offer a new role within the network. Once this step is performed, the server officially enters its production cycle. IT management for the server becomes focused on routine administrative tasks, software updates, and service pack application, as well as performance and capacity monitoring. All are performed on a scheduled basis. This phase will also include physical server repairs or expansion, if required. Though almost every task will aim for remote operation, some repairs may require shutdown and physical access to the server. For example, it is hard to upgrade server memory remotely. Administrators who have worked with Windows Server 2003 will know that all shutdowns must be documented and justified through a verbose shutdown dialog box, the Shutdown Event Tracker. While this was less than useful in WS03, it has now become the core of the Reliability Monitor in WS08. The Reliability Monitor tracks the server’s reliability level from the moment it is introduced into the network to the moment it is retired, providing continuous data about the server’s status. The Reliability Monitor can be found within the Server Manager.
Country Estates is a well-established local estate agency in the United Kingdom, spanning three locations and employing 60 staff members with 40 workstations. They currently use a Windows NT 4.0 Workstation peer-to-peer solution. Although it’s capable of offering a reasonably good solution for what they wanted up to now, they are having problems with occasional data loss, the distribution of important company information, and the lack of individual control on workstations (leading to a much higher total cost of ownership for each user access device). The managing director is constantly worried about corporate security, because this is one of the most worrisome concerns for any uncontrolled network. As a result of a recent audit, the managing director employed a business consultant for five days to help him identify where the business could be improved. As a result, he has a fully defined business process analysis that needs updating with technology. He was advised to purchase Microsoft Windows Small Business Server 2003 as the best fit for his company’s needs.
Layered on top of the system services is the common language runtime. The runtime loads and runs code written in any language that targets the runtime. Code targeted to the runtime is called managed code. (I’ll describe managed code in detail later in this chapter.) The runtime also provides integrated, pervasive security. Previous Win32 environments provided security only for file systems and network resources, if at all. For example, file security on Microsoft Windows NT and Microsoft Windows 2000 is available only for volumes formatted using NTFS. The runtime provides code access security, which allows developers to specify the permissions required to run the code. At load time and as methods are called, the runtime can determine whether the code can be granted the access required. Developers can also explicitly request limited permissions, meaning that code designed to do something simple and not very dangerous can ask for only the minimal permissions it needs. Compare this situation to today’s VBScript-enabled mail readers, such as Microsoft Outlook, that have been targeted by virus developers. Even on a secure system, if a user with Administrator rights opens a VBScript virus, the script can do whatever the administrator can do. The role-based security that the runtime provides allows permissions to be set based on the user on whose behalf the code is running. Relying on the runtime are the .NET Framework classes. The .NET Framework classes can be called from any .NET-enabled programming language. The classes follow a coherent set of naming and design guidelines, making it easier for developers to learn them quickly. We’ll introduce the class libraries in Chapter 3; they cover virtually all the areas a developer would expect, from data access services to threading and networking.
Global Information Assurance Certification (GIAC) is an independent certification program designed to validate the knowledge and experience of practitioners in different areas of system and network security. GIAC certifications cover a wide range of topics, including intrusion detection and analysis, firewalls, incident handling and response, auditing, and forensics. Certifications are also offered for Microsoft Windows and UNIX security administrators to independently validate expertise on these platforms. The GIAC Security Expert (GSE) is the top-level certification, awarded to individuals demonstrating mastery in a wide range of security areas. GIAC certifications have two components: a certification exam and a written assignment demonstrating practical experience with security issues, tools, and procedures. SANS requires that GIAC-certified individuals recertify every few years to ensure competency in the latest security standards and practices. GIAC has been widely recognized in the security community since its inception in 1999 as a valuable tool for ensuring that security professionals meet minimum standards of technical competency.
Microsoft Visual Studio is an integrated development environment (IDE) from Microsoft. It is used to develop computer programs for Microsoft Windows, as well as web sites, web apps, web services and mobile apps. Visual Studio uses Microsoft software development platforms such as Windows API, Windows Forms, Windows Presentation Foundation, Windows Store and Microsoft Silverlight. It can produce both native code and managed code.
Rick Kingslan (email@example.com) is a Senior Systems Engineer and Microsoft Windows Server MVP. If you've ever posted a question to an Active Directory newsgroup or discussion forum, odds are Rick participated in the thread. His uncanny ability to provide useful feedback on just about any Active Directory problem helped ensure I covered all the angles with each recipe. Gil Kirkpatrick (firstname.lastname@example.org) is the Executive Vice President & CTO of NetPro (http://www.netpro.com/). Gil is also the author of Active Directory Programming from MacMillan. His extensive knowledge of the underpinnings of Active Directory helped clarify several issues I did not address adequately the first time through.
Active Directory is a grand repository for information about such entities as users, domains, computers, domain controllers, shared resources (such as files and printers), and security. Active Directory lets you log into very large domains and use resources across the domain with ease. All objects in Active Directory are protected by a security system based on Kerberos, an industry-standard secret-key network authentication protocol developed at the Massachusetts Institute of Technology. (For more on Kerberos, see http://web.mit.edu/kerberos/www.) Windows Server 2003 controls who can see each object in Active Directory, what attributes each user can see, and what actions a user can perform on an object. The Windows 2003 permissions model is richer and more complex under the hood than NT's, but it's quite easy to manage at the user interface level. Windows 2003 group policies are also a significant improvement over NT 4's policies: For example, they enable you to set a range of policies for users and computers, determine what software can be installed on a computer, and tie the application of specific policies to Windows 2003 security groups. Figure 2.2 shows the Properties dialog box for my Windows 2003 user account with the three major tools (Microsoft Management Console snap-ins) for Active Directory management: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services.
In the interest of cosmopolitanism, Office gives you the opportunity to make foreign languages a part of Word documents, PowerPoint presentations, Publisher publications, and Outlook messages. To enter and edit text in a foreign language, you start by installing proofing tools for the language. With the tools installed, you tell Office where in your file a foreign language is used. After that, you can spell check text written in the language. To spell check text written in languages apart from English, you have to obtain the additional proofing tools from Microsoft. These can be obtained at the Microsoft Product Information Center at www.microsoft.com/products (enter proofing tools in the Search box). Proofing tools include a spell checker, grammar checker, thesaurus, hyphenator, AutoCorrect list, and translation dictionary, but not all these tools are available for every language.
Basic Windows Forms If you have actually read part 1 of this book, then you have a good idea where we are going here. Chapter 2 constructed our program using Visual Studio .NET and extended the discussion of the .NET architecture and Windows Forms programming provided in chapter 1. Here we pick up where chapter 2 left off and provide a somewhat systematic discussion of basic Windows Forms development. The goal here is to cover the essential concepts and classes needed in most Windows Forms applications. Following our practice in chapter 2, the complete steps required to create each example are provided. For the most part, the MyPhotos application is used throughout the book. In a couple places we create alternate applications to provide variety and because I felt the topics were better presented separately.
My special thanks go to the co-authors of Chapter 25, Ira Brown and Roger Butler of Project Assistants. Ira is the Executive Vice President, CTO, and co-founder of Project Assistants, Inc, a Premier Microsoft Project Partner and Solution Provider specializing in implementation services, integration, training, and custom software development for Microsoft Project. He has extensive project management and application development experience, and is recognized as a leading authority in developing custom solutions for Microsoft Project and Microsoft Project Server. Roger is a Senior Solution Architect with Project Assistants who specializes in custom software development for Microsoft Project and Microsoft Project Web Access and is an integration expert to a variety of third party project management related applications. Ira can be contacted by phone at (800) 642-9259, or email at email@example.com. Roger can be contacted by phone at (610) 305-4572, or email at roger@projectassistants.com. For more information about Project Assistants, visit their Web site at www.projectassistants.com.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
You could now be asking yourself, which is better to implement, clustering or load balancing? You can decide this for yourself after you finish this book, when you know all the details necessary to implement either solution. To give you a quick rundown of the high-level pros and cons to each technology, consider the following. With clustering, you depend on the actual clustered nodes to make a decision about the state of the network and what to do in a failure. If Node A in a cluster senses a problem with Node B (Node B is down), then Node A comes online. This is done with heartbeat traffic, which is a way for Node A to know that Node B is no longer available and it must come online to take over the traffic. With load balancing, a single device (a network client) sends traffic to any available node in the load-balanced group of nodes. Load balancing uses heartbeat traffic as well but, in this case, when a node comes offline, the “load” is recalculated among the remaining nodes in the group. Also, with clustering (not load balancing), you’re normally tied down or restricted to a small number of participating nodes. For example, if you want to implement a clustered solution with Windows 2000 Advanced Server, you might use a two-node cluster. With load balancing, you can implement up to 32 nodes and, if you use a third-party utility, you can scale way beyond that number. You can even mix up the operating system (OS) platforms, if needed, to include Sun Solaris or any other system you might be running your services on. Again, this is something that’s thoroughly explained as you work your way through the book. This section is simply used to give you an idea of your options. Finally, you have the option to set up tiered access to services and to mix both architectures
The many charts and graphs available on the Internet depicting various browser capabilities and features point to one conclusion—knowing your client can help you provide a better experience for the user. For example, if you find that a client doesn’t support I-frames (inline frames that let you embed data from multiple sources as objects in a Web page, instead of using multiple pages accessed from a master page as standard frames use), you can use standard frames or tables for organizational needs instead. A client that doesn’t support graphics could use text descriptions instead. The possibilities are endless. The point is that you have to know something about the client to obtain the information. The problem is that many users now run special applications that block your access to information about the client. You can’t determine anything about the client because the user wants to remain completely anonymous. It’s not that the user is being contrary or trying to make your life hard. Many Web sites prey on users by detecting them and following them wherever they go. The user ends up with tons of unwanted spam email, pop-ups, pop-unders (windows that appear under the browser in an attempt to be less intrusive), and, in some cases, even identity theft. For many users, your act of customization is a kind thought, but they’d rather not have it at the cost of their identity.
Remote Installation is the most promising automated installation method for medium to large organizations because it provides the ability to repair a system as well as install it, and it captures a disk image of the installation. Unlike the System Preparation disk image, though, it does not store the image in a single special-format file; it simply copies the required files to a special shared folder located on a remote installation server. Since Windows Server 2003 supports not only the hosting of Remote Installation Services (RIS) but also the installation of servers through RIS, it is highly recommended that you focus on RIS almost exclusively if you have PXE-enabled network cards. In addition, WS03 includes a Single Instance Store (SIS) service that eliminates duplicate files from a RIS or other server. This service significantly reduces the amount of space required to store RIS images. Finally, RIS can also work with Emergency Management Services. This means that you can reboot a server remotely, use EMS to activate the RIS installation process, and repair a server with a RIS image, all without having to leave the comfort of your desk.
Your first decision is what kind of check to order. Checks are printed on sheets and loaded into your printer like sheets of paper. As shown in Figure 7-1, the choices are wallet-size, standard business, or voucher checks. Checks and check envelopes are available in standard as well as European sizes. Most companies that make checks offer the opportunity to print company logos on checks and customize the checks in other ways. Table 7-1 compares and contrasts the three types of checks that you can print with Money. These prices come from Microsoft Money Checks by Deluxe, the Microsoft affiliate that offers checks for use with Money.
A large problem with the Windows 3.1 registry was the manner in which the operating system used it, or rather, didn’t use it. There was no particular sense of urgency about keeping the registration database up-to-date and accurate. Applications could write to it, or not. No “oversight committee” standards were built into the operating system to ensure that a software application told the registry the same thing it told its own .ini files, or the system .ini files. If software configuration, .ini files, and the registration database had matching information, it was frequently a coincidence. In addition, the communication methods to query and write to the registry were cumbersome and required quite a bit of overhead, frequently slowing down the system. Lastly, user settings didn’t exist, so multiple users on the same computer lived with the settings left behind by the last user.