Source: Evil Octal Information Security Team (www.eviloctal.com)
1. Windows 2000 Professional
Windows 2000 Professional improves the capabilities of previous versions of Windows in five main areas: ease of use, simplified management, increased hardware support, enhanced file management, and enhanced security features.
Some of the ease-of-use improvements include enhancements to the user interface, such as a customized Start menu that presents only the programs that you use most often, and improved Log On and Shut Down dialog boxes. Windows 2000 Professional includes support for the latest laptop technologies based on APM and ACPI, and provides a Network Connection wizard and VPN support. It provides Offline Folders that allow you to copy documents stored on the network to your local computer for access when you are offline; and it provides Synchronization Manager—which compares items on the network to items that you opened or updated while working offline—and synchronizes them.
Printing in Windows 2000 Professional has also been improved. IPP allows users to print to a URL over an intranet or the Internet, view printer and job-related information in HTML format from any browser, and download and install printer drivers over the Internet. The Windows 2000 Add Printer wizard simplifies the process of connecting to local and network printers from within a program, and Image Color Management 2 allows you to send high-quality color documents to a printer or another computer with greater speed and reliability than ever before.
Windows 2000 also simplifies the process of setting up a computer. The Windows 2000 System Preparation tool allows you to create an image of a computer's hard disk so that you can use a third-party tool to duplicate the hard disk on similarly configured computers. The Setup Manager wizard guides you through the process of creating answer files for unattended installation scripts.
Microsoft Windows 2000 Professional now supports more than 7,000 hardware devices, such as infrared devices, scanners, digital cameras, and advanced multimedia devices. Other enhancements to hardware support include the following: an Add/Remove Hardware wizard that allows you to add, remove, troubleshoot, and upgrade computer peripherals; a Win32 Driver Model that allows device drivers written to the WDM to work in both Windows 98 and Windows 2000; enhanced Plug and Play support; power options that prevent unnecessary power drains on your system by directing power to devices as they need it; and support for DirectX 7. Windows 2000 Professional also supports symmetric multiprocessing, which means it is capable of running on computers containing more than one processor.
Windows 2000 Professional enhancements to file management capabilities include a disk defragmenter utility and an NTFS file system that supports file encryption, distributed link tracking, and per-user disk quotas to monitor and limit disk space use. A Backup utility allows you to back up data to a wide variety of storage media: tape drives, external hard disks, zip disks, recordable CD-ROMs, and logical drives.
Windows 2000 Professional is the most secure Windows desktop operating system for either a stand-alone computer or any type of public or private network. Security features and enhancements in Windows 2000 Professional include support for Kerberos 5; Encrypting File System, which strengthens security by encrypting files on your hard disk; and IPSec, which encrypts TCP/IP traffic and provides the highest levels of security for VPN traffic across the Internet.
2. Windows 2000 Workgroups and Domains
A Windows 2000 workgroup is a logical grouping of networked computers that share resources, such as files and printers. Workgroups are referred to as peer-to-peer networks because all computers in the workgroup can share resources as equals (peers), without a dedicated server. Security and administration aren't centralized in a workgroup because each computer maintains a list of user accounts and resource security information for that computer.
A Windows 2000 domain is a logical grouping of network computers that share a central directory database that contains user accounts and security information for the domain. This directory database is known as the Directory and is the database portion of Active Directory directory services, which is the Windows 2000 directory service. In a domain, security and administration are centralized because the Directory resides on domain controllers, which manage all security-related aspects of user/domain interactions. To create a domain, at least one computer must be running a Windows 2000 server product and must have Active Directory directory services installed on it.
3. Getting Started
This lesson identified the preinstallation tasks you must understand and complete before you install Windows 2000. The first task is to identify the hardware requirements for installing Windows 2000 Professional and to ensure that your hardware meets these requirements. You learned about the Windows 2000 hardware compatibility list (HCL) and that your hardware should be on the HCL so that it's compatible with Windows 2000.
After you have determined that your hardware is on the HCL, you must decide how you want to partition the hard disk on which you are going to install Windows 2000. You must also determine whether you are going to format the partition as NTFS so that you can have better security and a richer feature set, or as FAT or FAT32 so that other operating systems can access the data on the installation partition.
In addition, you learned about Client Access Licenses (CALs) and that a CAL gives client computers—for example, a computer running Windows 2000 Professional—the right to connect to computers running Windows 2000 Server. You learned that you must select Per Seat or Per Server licensing on the server. With Per Seat licensing mode, a separate CAL is required for each client computer that accesses a Windows 2000 Server. When a client computer has a CAL, it can be used to access any computer running Windows 2000 Server on the enterprise network. With Per Server licensing, CALs are assigned to a particular server. Each CAL allows one connection per client computer to the server, and you must dedicate at least as many CALs to that server as the maximum number of client computers that will connect to it concurrently at any time.
You also learned that during installation, your computer must join a domain or a workgroup. If your computer is the first one installed on the network, or if for some other reason no domain is available for your computer to join, you can have the computer join a workgroup and then have the computer join a domain after the installation. This lesson also provided a checklist of preinstallation tasks that you can complete to help ensure a successful installation of Windows 2000.
4. Introducing the Microsoft Management Console
In this lesson, you learned that one of the primary administrative tools that you use to manage Windows 2000 is the Microsoft Management Console (MMC). The MMC provides a standardized method to create, save, and open administrative tools, which are called consoles. Consoles hold one or more applications called snap-ins, which you use to perform administrative tasks and troubleshoot problems locally and on remote computers. By default, Windows 2000 saves custom console files (with an .MSC extension) in the Administrative Tools folder of the user who created them.
You learned that every console has a console tree. The console tree displays the hierarchical organization of the snap-ins that are contained within that console. This allows you to easily locate a specific snap-in. The details pane lists the contents of the active snap-in. You also learned about the two types of snap-ins: stand-alone snap-ins and extension snap-ins. A stand-alone snap-in is usually referred to simply as a snap-in and provides one function or a related set of functions. An extension snap-in is usually referred to as an extension, and it provides additional administrative functionality to a snap-in. An extension is designed to work with one or more stand-alone snap-ins, based on the function of the stand-alone snap-in.
Finally, in this lesson you learned about console options. You use console options to determine how each console operates by selecting the appropriate console mode. The two available console modes are Author mode and User mode. When you save a console in Author mode, you enable full access to all MMC functionality, which includes modifying the console. You save the console using Author mode to allow those using it to add or remove snap-ins, create new windows, view all portions of the console tree, and save consoles. Usually, if you plan to distribute a console to other administrators, save the console in User mode. When you set a console to User mode, users can't add snap-ins to, remove snap-ins from, or save the console.
5. Configuring Operating System Settings
Enhancing Performance
You can enhance your system's performance in several ways. First, if your computer has multiple hard disks, you can create a paging file for each disk. Distributing information across multiple paging files improves performance because the hard disk controller can read from and write to multiple hard disks simultaneously. When attempting to write to the paging file, the Virtual Memory Manager (VMM) tries to write the page data to the paging file on the disk that is the least busy.
Second, you can enhance your system's performance by moving the paging file off the drive that contains the Windows 2000 systemroot folder (by default, the Winnt folder). Moving the paging file off the drive containing the boot partition avoids competition between the various reading and writing requests. If you place a paging file on the Windows 2000 system partition to facilitate recovery, you can still increase performance by creating multiple paging files. Because the VMM alternates write operations between paging files, the paging file on the boot partition is accessed less frequently.
Third, you can enhance your system's performance by setting the initial size of the paging file to the value displayed in the Virtual Memory dialog box's Maximum Size box. This eliminates the time required to enlarge the file from the initial size to the maximum size.
How Windows 2000 Sets Environment Variables
Windows 2000 sets the environment by first searching the Autoexec.bat file, if it exists, and setting any environment variables. Next the system environment variables are set. If any conflicts exist with the environment variables set from the search of the Autoexec.bat file, the system environment variables override them. Finally the user environment variables are set. If any conflicts exist with environment variables set from the search of the Autoexec.bat file or from the system environment variables, the user environment variables override them.
6. Introduction to Disk Management
In this lesson, you learned that before you can store data on a new hard disk, you must use the Disk Management snap-in to initialize the disk with a storage type. Windows 2000 supports basic storage and dynamic storage. A basic disk can contain primary partitions, extended partitions, and logical drives. MS-DOS and all versions of Microsoft Windows, including Windows 2000, support basic storage. For Windows 2000, basic storage is the default, so all disks are basic disks until you convert them to dynamic storage.
You also learned that dynamic storage creates a single partition that includes the entire disk. You divide dynamic disks into volumes, which can consist of a portion, or portions, of one or more physical disks. A dynamic disk can contain simple volumes, spanned volumes, and striped volumes. Dynamic storage doesn't have the restrictions of basic storage; for example, you can size and resize a dynamic disk without restarting Windows 2000.
Then you learned that after you create partitions on a basic disk or create volumes on a dynamic disk, you must format the partition or volume with a specific file system such as NTFS, FAT, or FAT32. The file system that you choose affects disk operations. This includes how you control user access to data, how data is stored, how much hard disk capacity you have, and which operating systems can gain access to the data on the hard disk. You use the Disk Management snap-in to configure and manage your network storage space.
7. Understanding Active Directory Directory Services
Active Directory directory services are the directory services included in the Microsoft Windows 2000 Server products. Active Directory directory services are not included in Windows 2000 Professional, but if your Windows 2000 Professional clients are in a Windows 2000 domain, the features and benefits provided by Active Directory directory services are also available on the clients.
A directory service is a network service that identifies all resources on a network and makes them accessible to users and applications. Active Directory directory services include the Directory, which stores information about network resources, such as user data, printers, servers, databases, groups, computers, and security policies. The Directory can scale from a small installation with a few hundred objects to a huge installation with millions of objects.
Active Directory directory services use DNS as their domain naming and location service. Therefore, Windows 2000 domain names are also DNS names. Windows 2000 Server uses DDNS, so clients with dynamically assigned addresses can register directly with a server running the DNS Service and dynamically update the DNS table. In a homogeneous environment, DDNS eliminates the need for other Internet naming services, such as WINS.
8. Administering Printers Using a Web Browser
This lesson showed you one benefit of using a Web browser to administer printers: it allows you to administer printers from any computer running a Web browser, regardless of whether the computer is running Windows 2000 or has the correct printer driver installed.
Accessing Printers Using a Web Browser
If you want to gain access to all printers on a print server by using a Web browser, open the Web browser, and then in the Address box, type
http://print_server_name/printers
If you want to gain access to a specific printer by using a Web browser, open the Web browser, and then in the Address box, type
http://server_name/printer_share_name
9. Copying and Moving Files and Folders
In this lesson, you learned that when you copy or move files and folders, the permissions you set on the files or folders might change. Rules control how and when permissions change. For example, when you copy files or folders from one folder to another folder, or from one volume to another volume, permissions change. Windows 2000 treats the file or folder as a new file or folder, and therefore, it takes on the permissions of the destination folder.
You also learned that you must have Write permission for the destination folder to copy files and folders. When you copy a file, you become the CREATOR OWNER of the file. When you move a file or folder within a single NTFS volume, the file or folder retains the original permissions. However, when you move a file or folder between NTFS volumes, the file or folder inherits the permissions of the destination folder.
10. Managing NTFS Compression
Copying and Moving Compressed Files and Folders
Specific rules determine whether the compression state of files and folders is retained when you copy or move them within and between NTFS and FAT volumes. The following list describes how Windows 2000 treats the compression state of a file or folder when you copy or move a compressed file or folder within or between NTFS volumes or between NTFS and FAT volumes.
· Copying a file within an NTFS volume. When you copy a file within an NTFS volume (shown as A in Figure 18.2), the file inherits the compression state of the target folder. For example, if you copy a compressed file to an uncompressed folder, the file is automatically uncompressed.
· Moving a file or folder within an NTFS volume. When you move a file or folder within an NTFS volume (shown as B in Figure 18.2), the file or folder retains its original compression state. For example, if you move a compressed file to an uncompressed folder, the file remains compressed.
· Copying a file or folder between NTFS volumes. When you copy a file or folder between NTFS volumes (shown as C in Figure 18.2), the file or folder inherits the compression state of the target folder.
· Moving a file or folder between NTFS volumes. When you move a file or folder between NTFS volumes (shown as C in Figure 18.2), the file or folder inherits the compression state of the target folder. Because Windows 2000 treats a move as a copy and then a delete, the files inherit the compression state of the target folder.
· Moving or copying a file or folder to a FAT volume. Windows 2000 supports compression only for NTFS files. Because of this, when you move or copy a compressed NTFS file or folder to a FAT volume, Windows 2000 automatically uncompresses the file or folder.
· Moving or copying a compressed file or folder to a floppy disk. When you move or copy a compressed NTFS file or folder to a floppy disk, Windows 2000 automatically uncompresses the file or folder.
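The permission rules from lesson 9 and the compression rules just listed follow from one mechanism: a copy produces a new file, and a cross-volume move is a copy followed by a delete. The Python model below is an added example, not code from the lesson or from Microsoft; the Folder and File classes, the lab() fixtures, user names and the Write-permission check on the destination folder are constructed assumptions, and a floppy disk is modelled as a FAT volume.

```python
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """The user lacks Write permission on the destination folder."""


@dataclass
class Folder:
    volume: str                  # constructed volume label, e.g. "C:" or "A:"
    fs: str                      # "NTFS" or "FAT"; a floppy disk is a FAT volume here
    compressed: bool = False     # NTFS compression attribute of the folder
    acl: dict = field(default_factory=dict)   # user -> set of permission names


@dataclass
class File:
    name: str
    folder: Folder
    owner: str                   # CREATOR OWNER
    compressed: bool = False
    acl: dict = field(default_factory=dict)


def copy(src, dest, user):
    """A copy is a brand-new file: it takes the destination folder's permissions
    and compression state, and the copying user becomes its CREATOR OWNER.
    A FAT destination (including a floppy) carries neither ACLs nor compression."""
    if dest.fs == "NTFS" and "Write" not in dest.acl.get(user, set()):
        raise AccessDenied(f"{user} needs Write permission on the destination folder")
    ntfs = dest.fs == "NTFS"
    return File(src.name, dest, owner=user,
                compressed=dest.compressed if ntfs else False,
                acl=dict(dest.acl) if ntfs else {})


def move(src, dest, user):
    """Within one NTFS volume a move keeps the file's own permissions, owner and
    compression state. Across volumes (NTFS to NTFS, or NTFS to FAT/floppy) Windows
    2000 performs a copy followed by a delete, so the copy rules decide the result."""
    if src.folder.fs == "NTFS" and dest.fs == "NTFS" and src.folder.volume == dest.volume:
        src.folder = dest
        return src
    moved = copy(src, dest, user)     # raises AccessDenied before anything is deleted
    src.folder = None                 # the original is deleted once the copy succeeds
    return moved


def lab():
    """Constructed folders covering the lesson's cases A, B, C and the FAT/floppy rule."""
    return {
        "c_comp": Folder("C:", "NTFS", compressed=True, acl={"alice": {"Read", "Write"}}),
        "c_plain": Folder("C:", "NTFS", acl={"alice": {"Read", "Write"}, "bob": {"Read", "Write"}}),
        "d_plain": Folder("D:", "NTFS", acl={"alice": {"Read", "Write"}, "bob": {"Read"}}),
        "floppy": Folder("A:", "FAT"),
    }
```

Running move() against the D: folder as a user without Write shows the failure mode the lesson implies: the copy half is refused, so the source file is left in place.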
11. Understanding How to Back Up and Restore Data
An effective backup strategy is likely to combine different backup types. Some backup types require more time to back up data but less time to restore data. Conversely, other backup types require less time to back up data but more time to restore data. If you combine backup types, markers are critical. Incremental and differential backup types check for and rely on the markers.
The following are some examples of combining different backup types:
· Normal and differential backups. On Monday a normal backup is performed, and on Tuesday through Friday, differential backups are performed. Differential backups don't clear markers, which means that each backup includes all changes since Monday. If data becomes corrupt on Friday, you need to restore only the normal backup from Monday and the differential backup from Thursday. This strategy takes more time to back up but less time to restore.
· Normal and incremental backups. On Monday a normal backup is performed, and on Tuesday through Friday, incremental backups are performed. Incremental backups clear markers, which means that each backup includes only the files that changed since the previous backup. If data becomes corrupt on Friday, you need to restore the normal backup from Monday and all incremental backups, from Tuesday through Friday. This strategy takes less time to back up but more time to restore.
· Normal, differential, and copy backups. This strategy is the same as the first example, which used normal and differential backups, except that on Wednesday, you perform a copy backup. Copy backups include all selected files and do not clear markers or interrupt the usual backup schedule. Therefore, each differential backup includes all changes since Monday. The copy backup type done on Wednesday is not part of the Friday restore. Copy backups are helpful when you need to create a snapshot of your data.
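The three schedules above, simulated as an added example (not the lesson's code): a constructed volume keeps an archive marker per file, each backup type clears or ignores markers as the lesson states, and restore_set() derives which jobs a restore needs and checks that replaying only those jobs reproduces the data. The file names, the edit history and the version numbers are constructed.

```python
from dataclasses import dataclass

# Marker (archive attribute) semantics from the lesson: which backup types clear
# the marker after backing a file up, and which ignore it and take every file.
CLEARS_MARKERS = {"normal": True, "incremental": True, "differential": False, "copy": False}
IGNORES_MARKERS = {"normal": True, "copy": True, "incremental": False, "differential": False}

# The three schedules described in the lesson, as (day, backup type) pairs.
NORMAL_DIFFERENTIAL = [("Mon", "normal")] + [(d, "differential") for d in ("Tue", "Wed", "Thu", "Fri")]
NORMAL_INCREMENTAL = [("Mon", "normal")] + [(d, "incremental") for d in ("Tue", "Wed", "Thu", "Fri")]
NORMAL_DIFFERENTIAL_COPY = [("Mon", "normal"), ("Tue", "differential"), ("Wed", "copy"),
                            ("Thu", "differential"), ("Fri", "differential")]
# Constructed edit history: the files changed on each day before that day's backup.
EDITS = {"Tue": ("budget.xls",), "Wed": ("memo.doc",),
         "Thu": ("budget.xls", "notes.txt"), "Fri": ("memo.doc",)}

@dataclass
class Job:
    day: str
    kind: str
    contents: dict  # file name -> version that landed on the backup medium

class Volume:
    """Constructed stand-in for a data volume: a version number per file
    (bumped on each edit) plus the file's archive marker."""
    def __init__(self, names):
        self.version = {n: 1 for n in names}
        self.marked = {n: True for n in names}  # new files start out marked

    def edit(self, *names):
        for n in names:
            self.version[n] += 1
            self.marked[n] = True  # any change sets the marker again

    def backup(self, day, kind):
        chosen = [n for n in self.version if IGNORES_MARKERS[kind] or self.marked[n]]
        if CLEARS_MARKERS[kind]:
            for n in chosen:
                self.marked[n] = False
        return Job(day, kind, {n: self.version[n] for n in chosen})

def restore_set(jobs):
    """Jobs needed, in restore order, to rebuild the data as of the last job.
    A normal backup starts a new chain, copy backups never belong to it, and an
    incremental or differential supersedes every differential taken since the
    last marker-clearing job (those files were still marked, so it has them too)."""
    needed = []
    for job in jobs:
        if job.kind == "normal":
            needed = [job]
        elif job.kind != "copy":
            while needed and needed[-1].kind == "differential":
                needed.pop()
            needed.append(job)
    return needed

def replay(jobs):
    """Restore by applying jobs oldest to newest; later versions overwrite."""
    state = {}
    for job in jobs:
        state.update(job.contents)
    return state

def simulate(schedule, restore_through):
    """Run a week of backups, then restore from the jobs up to and including
    restore_through. Returns (jobs, restore-set days, restore matches that evening's data)."""
    vol = Volume(["budget.xls", "memo.doc", "notes.txt"])
    jobs, snapshots = [], {}
    for day, kind in schedule:
        vol.edit(*EDITS.get(day, ()))
        jobs.append(vol.backup(day, kind))
        snapshots[day] = dict(vol.version)
    upto = [d for d, _ in schedule].index(restore_through) + 1
    needed = restore_set(jobs[:upto])
    return jobs, [j.day for j in needed], replay(needed) == snapshots[restore_through]
```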
12. Monitoring Network Resources
In this lesson, you learned that monitoring network resources helps you to determine whether the network resource is still needed and whether it is secure. Monitoring resources also helps you to plan for future growth. Windows 2000 includes the Computer Management and Shared Folders snap-ins so that you can easily monitor access to network resources. You can monitor resources on the local computer or on a remote computer. To monitor resources on a remote computer, you specify the computer on which you want to monitor resources when you add either the Computer Management or Shared Folders snap-in to a custom console.
You also learned that in a workgroup, only members of the Administrators group or the Power Users group can monitor resources for the local computer or for a remote computer in the workgroup. In a domain, only members of the Administrators group or the Server Operators group for the domain can monitor resources on all the computers in the domain.
13. Understanding the New Authentication Protocols in Windows 2000
The Layer Two Tunneling Protocol
The Layer Two Tunneling Protocol (L2TP) is similar to PPTP in that its primary purpose is to create an encrypted tunnel through an untrusted network. L2TP differs from PPTP in that it provides tunneling but not encryption. L2TP provides a secure tunnel by cooperating with other encryption technologies such as IPSec. IPSec doesn't require L2TP, but its encryption functions complement L2TP to create a secure VPN solution.
Both PPTP and L2TP use PPP to provide an initial envelope for the data and then append additional headers for transport through the transit internetwork. Some of the key differences between PPTP and L2TP are as follows:
· PPTP requires an IP-based transit internetwork. L2TP requires only that the tunnel media provide packet-oriented, point-to-point connectivity, so L2TP can run over User Datagram Protocol (UDP) on an IP network, Frame Relay permanent virtual circuits (PVCs), X.25 VCs, or asynchronous transfer mode (ATM) VCs.
· L2TP supports header compression; PPTP does not. When header compression is enabled, L2TP operates with 4 bytes of overhead, as compared with 6 bytes for PPTP.
· L2TP supports tunnel authentication, while PPTP does not. However, when either PPTP or L2TP is used in conjunction with IPSec, IPSec provides tunnel authentication so that layer two tunnel authentication isn't necessary.
· PPTP uses PPP encryption. L2TP requires IPSec for encryption.
In this lesson, you learned that Windows NT version 4 included support for several authentication protocols used to verify the credentials of users connecting to the network. These protocols included the following: PAP, CHAP, MS-CHAP, SPAP, and PPTP, which provides tunneling capabilities.
You also learned that Windows 2000 includes support for these and several additional protocols that drastically increase your authentication, encryption, and multilinking options. These include EAP, an extension to PPP that works with dial-up, PPTP, and L2TP clients; RADIUS, which allows user authentication to be vendor-independent and provides highly scalable authentication designs for performance and fault-tolerant designs for reliability; IPSec, a framework of open standards for ensuring secure private communications over IP networks by using cryptographic security services; L2TP, which is similar to PPTP in that its primary purpose is to create an encrypted tunnel through an untrusted network, but different from PPTP in that it provides tunneling but not encryption; and BAP and BACP, which enhance multilinked devices by dynamically adding or dropping links on demand.
14. Control Sets in the Registry
In this lesson, you learned that a control set contains configuration data used to control the system, such as a list of which device drivers and services to load and which to start. Control sets are stored as subkeys of the registry key HKEY_LOCAL_MACHINE\SYSTEM, and a typical Windows 2000 installation contains the following control sets: Clone, ControlSet001, ControlSet002, and CurrentControlSet. The registry might contain several other control sets, depending on how often you have changed or had problems with system settings.
You also learned that if you make incorrect changes to a computer's configuration, you might have problems restarting your computer. If you can't restart your computer because of a configuration change, Windows 2000 provides the last known good process so that you don't have to reinstall Windows 2000 to restart your computer. The process boots the computer using the LastKnownGood control set stored in the registry, which contains the configuration settings from the last successful restart and logon. After restarting your computer using the LastKnownGood control set, you can reconfigure the computer.
In this lesson, you learned that the advanced boot options available in Windows 2000 include Safe Mode, Safe Mode With Networking, and Safe Mode With Command Prompt; Enable Boot Logging; Enable VGA Mode; Last Known Good Configuration; Directory Services Restore Mode; and Debugging Mode. These options allow you to attempt to restart your computer when a problem occurs with a normal boot. The Directory Services Restore Mode and Debugging Mode options aren't available for Windows 2000 Professional. The Boot Normally advanced boot option allows you to bypass these options and proceed with a normal boot.