Silver jewelry

Configuring Authentication for Web Users  920-221  70-299  70-541

Active Directory is a perfect way to store credentials for internal users because it can provide single sign-on authentication for a variety of network resources, including Web servers. If your organization provides an internal Web site, the Web site should authenticate users by using their existing Active Directory user accounts. If the Web site accesses information on the user’s behalf, such as querying a database to retrieve confidential benefits information, the Web site should access that information by using the user’s own credentials.

Active Directory is not the ideal way to store credentials for external users. Many organizations invite customers, potential customers, and partners outside the organization to access information, files, and data. Today, information is usually shared with external users by means of a Web site. If the Web site allows anyone on the Internet to access content, these Web users will be considered anonymous. However, the anonymous user’s requests must still be issued in the context of a valid security principal in order to access files and data.

Enabling anonymous authentication for earlier applications 70-643 156-215.1 642-444
Anonymous authentication allows users and network clients to be authenticated (but not necessarily authorized to access network resources) without providing any credentials. Unlike earlier Windows operating systems, in Windows Server 2003, anonymous users are not considered to be members of the Everyone group and therefore will not be authorized to use any network resources. However, there are some scenarios in which anonymous access needs to be granted to provide compatibility with systems prior to Windows 2000. Situations in which this access might be necessary include:
Remote Access Server (RAS) servers on Windows NT 4.0 use anonymous access to determine dial-in permissions.
Windows NT 4.0 might use anonymous access to enumerate shares or gather information from domain controllers.
Anonymous access might be used to enumerate shares and users in a one-way cross-forest trust.
Earlier operating systems might use anonymous access to change passwords in Active Directory. This is accomplished through the Pre–Windows 2000–compatible access group.
If you have earlier systems in your Windows Server 2003 domain, you will need to determine which resources need anonymous access. You can then enable anonymous access by performing one of the following tasks:
Add the Anonymous Logon security principal to the ACL that needs access. This is the preferred method for enabling anonymous access to resources because it is the most granular.
Enable the Network Access: Share That Can Be Accessed Anonymously security policy setting. This security policy setting contains a list of shares that can be accessed and is useful for enabling anonymous access to a specific share on multiple computers.
Enable the Network Access: Let Everyone Permissions Apply To Anonymous Users security policy setting. This setting causes unauthenticated users to be considered members of the Everyone group, which might authorize users to access network resources without being authenticated as valid users. This setting should only be enabled when absolutely necessary, because it creates a significant, exploitable vulnerability.
Caution Apply the Anonymous Logon, Network Access: Share That Can Be Accessed Anonymously, Network Access: Let Everyone Permissions Apply To Anonymous Users settings only to the OU or server that needs them. Enabling these settings at the domain level will decrease network security.
Using Multifactor Authentication
As described earlier in this chapter, multifactor authentication significantly increases authentication security. Windows Server 2003 supports multifactor authentication by using smart cards and can support a variety of other authentication mechanisms using non-Microsoft hardware and software.
Smart cards can be required for all users in an organization. However, because of the additional cost, smart cards are often assigned only for specific users. Often network administrators are required to use smart cards because their privileges on the network would provide an attacker significant opportunity. 70-631 MB7-515 642-811 70-643
To require a smart card for interactive logon, launch the Active Directory Users And Computers console. Double-click the user account to view the properties, and click the Account tab. In the Account Options list, select Smart Card Is Required For Interactive Logon.
Requiring smart cards for authentication can cause problems with existing applications. However, if an application includes the Certified for Windows Server 2003 logo, the application has been tested to ensure that it meets Microsoft security standards for Windows Server 2003. From a security perspective, an application that is identified as Certified for Windows Server 2003 meets the following criteria:
Support smart card logons. The application should work correctly with smart card authentication and will allow smart card authentication to a terminal service.
Provide secure credential management. Ensures that users will get appropriate prompting for credentials and storing credentials. Also means that the application can use Kerberos, NTLM, and Secure Sockets Layer (SSL) protocols. A user can also log on using a user principal name (UPN) format.
Can be run in a highly secure configuration. Applications can perform all primary functions in a highly secure configuration. In a highly secure configuration, applications cannot use the unsafe communication protocol NTLM; strong authentication and account policies are set; and group membership is restricted. A highly secure configuration is a system with a clean installation of Windows and with the predefined security template Hisecws.inf applied.
Provide secure network connections. Applications using network connections must not depend on protocols that are known to have vulnerabilities.
Practice: Adjusting Authentication Options
In this practice, you will secure authentication on a Windows 2003 Server by using security policy. You must be logged on to Computer1.cohowinery.com with an account that has administrative credentials to create and modify the default domain controller security policy. 642-061 70-526 MB7-517
Your company has recently updated its security policy. The new security policy specifically forbids using the LM authentication protocol to authenticate users in the cohowinery.com domain. To comply with the updated security policy, you will use the Domain Controller Security Policy console to ensure that LM authentication is not used on any cohowinery.com domain controller.

Analyzing the Existing DNS Implementation 350-001 156-915.65 642-642
Unless you are tasked with building a network infrastructure from the ground up, most
network administrators have to understand and work with DNS infrastructures that are
already in place. This lesson includes an overview of the DNS components and discusses
some of the terminology you will need to understand before you can design
and implement a DNS strategy for your company.
The first step in analyzing a company’s network infrastructure is to perform an analysis
of the company itself. As discussed in Chapter 2, understanding how a company works
and how its information flows lays a critical foundation for the rest of your network
design. In this lesson, you learn to gather information regarding the DNS infrastructure
that is in place.
DNS Overview
Most human beings do not like working with numbers or having to memorize Internet
Protocol (IP) addresses to connect to a resource on the network. It’s a lot easier to
memorize www.microsoft.com as an address than 172.16.45.67. When a Fully Qualified
Domain Name (FQDN) such as www.microsoft.com is entered by a user on a network,
there must be a method or component that takes that name and resolves it to an IP
number. DNS does exactly that. As you saw in Chapter 1, this name resolution process
can be quite involved. In this section, you will look at the various components that
make it all happen.
Components of DNS
Because you have already gathered all of the information pertaining to the physical
locations of the various departments and divisions of your company, and have created
network diagrams of the present infrastructure, you are almost ready to analyze the
DNS structure of the company. The diagrams you have created illustrate where all
servers, routers, switches, and so on are located. This information, combined with the
locations and total amount of hosts, subnets, and routers, will help you to understand
how the present DNS infrastructure is configured.
DNS Zones
A zone is defined as a contiguous portion of a DNS tree that is administered as a
separate entity by a DNS server. It can store information about one or more domains.
A zone contains resource records associated with a particular domain. For example,
Contoso’s DNS namespace for the domain contoso.com may have originally been
configured as a single zone, but as the domain grows and many subdomains are
added—such as ftp.contoso.com, www.contoso.com, marketing.contoso.com, and so
on—you can assign different zones to each subdomain.
Windows Server 2003 allows you to choose between several different zone types (as
shown in Figure 6-1).
Primary zone Contains a local copy of the DNS zone where resource records
are created and updated. VCP-310 640-802 190-848
Secondary zone A read-only copy of a DNS zone. It can be updated only through
replication from a primary zone, and is used for redundancy and load balancing.
Active Directory integrated zone A primary zone stored in Active Directory.
Stub zone A copy of a zone that contains only the resource records needed to
identify authoritative DNS servers, thereby simplifying DNS administration and
improving name resolution.

Designing a WINS Server Placement Strategy 156-215.1 70-643 NS0-201
Your goal, when designing a WINS strategy for your network infrastructure, is to have
the WINS service available to client workstations when they need it. Availability is at
risk when there is only one WINS server configured to support a large number of users.
If that server should fail, all of the users will now need to resolve NetBIOS names using
one of the other methods covered earlier: Lmhosts files or broadcasts. In situations in
which a slow link exists between two subnets, it is highly recommended that a WINS
server be placed in both subnets to maximize performance of client name-resolution
requests.
Just as much thought had to go into deciding where to place your DNS servers, you
can see that placing your WINS servers in the right location can also influence performance.
For example, a remote site that has several thousand users may warrant placing
a WINS server there to avoid the prospect of sending the traffic generated from name
registrations over a 128Kb frame relay connection. Once again, your network topology
diagrams are critical in making such decisions.
Fault Tolerance 70-237 70-445 70-271
When designing your WINS infrastructure, you should consider the possibility of something
going wrong—because it usually does. Having only one WINS server on a routed
network, regardless of how small the network is, can create problems if a WINS server
unexpectedly crashes due to hardware failure or is inadvertently shut down for maintenance
by a junior network administrator who is not aware that the server is running
WINS. By placing secondary WINS servers throughout your network infrastructure, you
reduce the effects of one server being unavailable for your clients. If cost is a factor
preventing you from implementing this, Lmhosts files configured with #PRE-tag entries
for critical servers are a good way of ensuring that clients can access network resources
in the event of a downed router or WINS server.
Non-Routed Networks
On a small LAN with one WINS server, you will not see as much of a problem with a
WINS server crashing as you would in a routed network. Users on the LAN would be
able to access all network resources located on the LAN using broadcast requests.
However, they may see a noticeable degredation in performance on low-bandwidth
networks.
Routed Networks
On a routed network, where users on a remote segment rely on the WINS server across
the router to perform NetBIOS name resolution, a WINS server that is made unavailable
could prevent users from doing their jobs. For example, all applications that relied
on NetBIOS name resolution would not function. Access to servers and printers may
not be possible for all remote users. Another possible problem could arise if the router
connecting to the subnet containing the WINS server failed. In designing your WINS
infrastructure, all of these scenarios must be considered. 70-642 642-373 642-415

Creating DataSet Objects NS0-201 70-643 156-215.1
DataSet objects are available in the System.Data namespace and are used as an in-memory cache of the data being used in your application. DataSet objects contain DataTable objects that can be related with DataRelation objects much like the structure of a relational database.
DataSet Objects
Datasets are objects that you use to temporarily store the data that is used in your application. There are basically two distinct kinds of DataSet objects: typed, and untyped. Untyped DataSets are the standard generic instances of the DataSet class where you manually build up the DataSet definition (schema) by creating DataTable objects (untyped DataTables) and adding them to the Tables collection in the DataSet. You can access untyped DataTable and DataColumn objects through their collection indices. Typed DataSet objects derive their schema from an .xsd file and contain explicitly typed collections (such as a specific CustomersTable object).
There are three distinct ways to create DataSet objects in Visual Studio:
Declare a new DataSet object programmatically in the code editor, which results in an empty DataSet that requires creating DataTable and optional DataRelation objects to be added to the DataSet.
Use design-time tools such as the DataSet Designer and the Data Source Configuration Wizard which assists in the creation of typed DataSet objects by stepping you through the process of selecting or creating a data connection and then allowing you to select database objects available from that connection to build up a typed DataSet and have most, if not all, of the necessary code generated for you.
Drag a DataSet object from the Toolbox onto a form and use the Table and Column
Collection editors to build up the schema of your DataSet. 642-444 70-631 MB7-515
Merging DataSet Contents
You can take the contents from one DataSet (the source dataset) and merge it with the contents of another DataSet (the target dataset) using the DataSet.Merge method.
When merging datasets, the actual data is combined depending on whether a similar record exists in the DataSet into which it will be merged. For example, if you merge two datasets that both contain a record with the same primary key, the values in the target DataSet will be overwritten with the new values in the source DataSet. You can control this behavior and restrict changes from being made in the target DataSet by passing in a true or false value to the PreserveChanges flag in the Merge method. In addition to merging the actual data, when you merge two DataSets that have tables with differing schema, you can pass an optional MissingSchemaAction parameter to the Merge method that controls the behavior of the merge when the source DataSet has objects that are not currently in the target DataSet. The following are valid values for the MissingSchemaAction parameter:
Add (default) All schema items in the source DataSet are added to the target DataSet and populated.
AddWithKey All schema items and primary key settings are added to the target DataSet.
Error An exception will be thrown when the schemas in the source and target DataSets do not match.
Ignore All schema inconsistencies between the source and target DataSets are ignored.
In the following code example, the contents of the OldSalesDataSet are merged into the contents of the SalesHistoryDataSet. The PreserveChanges parameter is set to True and any schema differences will be ignored. 642-811 642-061 70-526

ToolStrip controls can host a wide range of functionality. ToolStripItems duplicate the functionality of several other Windows Forms controls as well as combine some Windows Forms functionality with menu functionality.000-297 ex0-103 190-801
Tool strips support rafting, merging, rearrangement of controls, and overflow of controls.
MenuStrip controls are used to create menus for forms and host ToolStripMenu-Item controls, which represent menu entries and commands.
The ContextMenuStrip control is used for creating context menus. You can associate a context menu with a control by setting the ContextMenuStrip property.
The Properties window can be used to create default event handlers or to assign preexisting methods to handle events.
A variety of mouse and keyboard events are raised in response to user actions. The MouseEventArgs parameter in many of the mouse events provides detailed information regarding the state of the mouse, and the KeyEventArgs and KeyPressEvent-Args parameters provide information regarding the state of the keyboard.
Event handlers can be created at run time and used to dynamically associate events with methods.
Typically, most real-world applications use databases as a store for the data in that application. For example, inventory systems, contact management systems, and airline reservation systems store data in a database and then retrieve the necessary records into the application as needed. In other words, the data used by an application is stored in a database external to the actual application, and it is retrieved into the application as required by the program.
When creating applications that work with data, the Microsoft .NET Framework provides many classes that aid in the process. The classes that you use for common data tasks such as communicating, storing, fetching, and updating data are all located in the System.Data namespace. The classes in the System.Data namespace make up the core data access objects in the .NET Framework. These data access classes are collectively known as ADO.NET.
Before you can begin working with data in an application, you must first establish and open a connection and communicate with the desired data source. This chapter describes how to create the various connection objects that are used to connect applications to different data sources and sets the basis for working with data in the following chapters. After learning to establish connections to databases in this chapter, we will move on to Chapter 6, “Working with Data in a Connected Environment,” which provides instructions for running queries, saving data, and creating database objects directly between your application and a database. Chapter 7, “Create, Add, Delete, and Edit Data in a Disconnected Environment,” describes how to create DataSet and DataTable objects that allow you to temporarily store data while it is being used in a running application. Finally, Chapter 8, “Implementing Data-Bound Controls,” provides information on binding data to be displayed and worked with in Windows Forms controls.
Typically, data sources are relational databases such as Microsoft SQL Server and Oracle, but, additionally, you can connect to data in files such as Microsoft Office Access (.mdb) and SQL Server (.mdf) database files. The connection object you use is based on the type of data source your application needs to communicate with. 190-712 640-553 190-623

The ToolStrip control is a host for ToolStripMenuItem controls that can be used to create toolbar-style functionality for your forms. Toolbars provide support for item reordering, rafting, and overflow of items onto the overflow button.646-204 225-030 000-253

Many tool strip items duplicate functionality of full-size Windows Forms controls such as ToolStripLabel, ToolStripButton, ToolStripTextBox, ToolStripComboBox, and ToolStripProgressBar. Tool strip controls that do not have analogous Windows Forms controls include ToolStripSeparator, ToolStripDropDownButton, and Tool-StripSplitButton.
You can display images on the ToolStripItems control with the Image property.
The ToolStripContainer control allows you to create forms that include support for rafting toolbars.

The ToolStripManager class is a static class that exposes methods for tool strip management. You can use the ToolStripManager.Merge method to merge tool strips.
Lesson Review
You can use the following questions to test your knowledge of the information in this lesson. The questions are also available on the companion CD if you prefer to review them in electronic form.

Creating and Configuring Menus 190-803 BI0-122 640-863
Menus have always been a part of Windows Forms applications. They give the user quick and easy access to important application commands in an easy-to-understand, easy-to-browse interface. The .NET Framework version 2.0 introduced MenuStrips, which allow the rapid creation of Forms menus as well as context menus (also known as shortcut menus, which appear when the user right-clicks an object). In this lesson, you will learn how to create menus and context menus and configure them for use in your application.

Creating Access Keys
Access keys enable you to access menu items by defining keys that, when pressed in combination with the Alt key, will execute the menu command. For example, if a File menu defines the F key as an access key, when Alt+F is pressed, the File menu will open. Menus that contain sub-menus open when the access key combination is pressed, and menus that invoke commands will invoke those commands. Note that the menu item must be visible for the access key to function. Thus, if you define an access key for an Open menu item that exists in the File sub-menu, the File menu must be opened first for the access key combination to function.
You can create an access key for a menu by preceding the letter you want to define the access key for with an ampersand (&) symbol. For example, to create an Alt+F access key combination for the File menu, you would set the FileToolStripMenuItem’s Text property to &File.
Creating Shortcut Keys
Unlike access keys, shortcut keys are a combination of keystrokes that allow direct invocation of a menu item whether the menu item is visible or not. For example, you might define the Ctrl+E key combination to be a shortcut key for the Exit menu command in the File menu. Even if the File menu is not open, Ctrl+E will cause the Exit menu command to be executed. Also, unlike access keys, you cannot create shortcut keys for top-level menus—you can create them only for items in sub-menus. 000-731 ex0-100 70-620
You can create a shortcut key at design time by setting the ShortcutKeys property in the Properties window. Clicking the ShortcutKeys property launches a visual interface than enables you to define a key combination. This interface is shown in Figure 4-5.
If you want to display the shortcut key combination next to the menu item, you can set the ShowShortcutKeys property of the ToolStripMenuItem control to True. You can also define a custom text to be shown instead of the key combination. If you want to define a custom text, you can set it in the ShortcutKeyDisplayString property.

The ToolStrip control is a host for ToolStripMenuItem controls that can be used to create toolbar-style functionality for your forms. Toolbars provide support for item reordering, rafting, and overflow of items onto the overflow button.646-204 225-030 000-253

Many tool strip items duplicate functionality of full-size Windows Forms controls such as ToolStripLabel, ToolStripButton, ToolStripTextBox, ToolStripComboBox, and ToolStripProgressBar. Tool strip controls that do not have analogous Windows Forms controls include ToolStripSeparator, ToolStripDropDownButton, and Tool-StripSplitButton.
You can display images on the ToolStripItems control with the Image property.
The ToolStripContainer control allows you to create forms that include support for rafting toolbars.

The ToolStripManager class is a static class that exposes methods for tool strip management. You can use the ToolStripManager.Merge method to merge tool strips.
Lesson Review
You can use the following questions to test your knowledge of the information in this lesson. The questions are also available on the companion CD if you prefer to review them in electronic form.

Creating and Configuring Menus 190-803 BI0-122 640-863
Menus have always been a part of Windows Forms applications. They give the user quick and easy access to important application commands in an easy-to-understand, easy-to-browse interface. The .NET Framework version 2.0 introduced MenuStrips, which allow the rapid creation of Forms menus as well as context menus (also known as shortcut menus, which appear when the user right-clicks an object). In this lesson, you will learn how to create menus and context menus and configure them for use in your application.

Creating Access Keys
Access keys enable you to access menu items by defining keys that, when pressed in combination with the Alt key, will execute the menu command. For example, if a File menu defines the F key as an access key, when Alt+F is pressed, the File menu will open. Menus that contain sub-menus open when the access key combination is pressed, and menus that invoke commands will invoke those commands. Note that the menu item must be visible for the access key to function. Thus, if you define an access key for an Open menu item that exists in the File sub-menu, the File menu must be opened first for the access key combination to function.
You can create an access key for a menu by preceding the letter you want to define the access key for with an ampersand (&) symbol. For example, to create an Alt+F access key combination for the File menu, you would set the FileToolStripMenuItem’s Text property to &File.
Creating Shortcut Keys
Unlike access keys, shortcut keys are a combination of keystrokes that allow direct invocation of a menu item whether the menu item is visible or not. For example, you might define the Ctrl+E key combination to be a shortcut key for the Exit menu command in the File menu. Even if the File menu is not open, Ctrl+E will cause the Exit menu command to be executed. Also, unlike access keys, you cannot create shortcut keys for top-level menus—you can create them only for items in sub-menus. 000-731 ex0-100 70-620
You can create a shortcut key at design time by setting the ShortcutKeys property in the Properties window. Clicking the ShortcutKeys property launches a visual interface than enables you to define a key combination. This interface is shown in Figure 4-5.
If you want to display the shortcut key combination next to the menu item, you can set the ShowShortcutKeys property of the ToolStripMenuItem control to True. You can also define a custom text to be shown instead of the key combination. If you want to define a custom text, you can set it in the ShortcutKeyDisplayString property.

■ When designing a system that sy0-101 enables your company to have access to the Internet,
you might want to consider having more than one link to connect to the Internet,
especially if your company relies on the connectivity to do business. Relying on the
uptime of an ISP for sales and electronic communications can be a high risk for any
company.
■ Before designing redundanc y into your connectivity design, you should verify that
redundancy is required. If your company CompTIA Security+ does not require connectivity to the
Internet to do its business, you can spend your IT budget in other areas.
■ You should determine the cost to the company if downtime occurs. It is very
important that you be able to quantify the cost associated with downtime as it
relates to Internet connectivity problems. That is, how much could the company
afford to lose for each minute remote users or company employees cannot connect
to the Internet?
■ In designing redundancy into your network, you should identify any hardware
components that might become 642-901 points of failure to your network because they are
the only means by which users can do their jobs. For example, if the dial-in server
available for remote users to connect to the company’s network becomes unavailable,
what will happen?
■ Before selecting an ISP for the implementation of your VPN or connectivity to the
Internet, you should consider how reliable the ISP’s Internet uplink is, how stable
the vendor is financially, and whether the CCNP vendor offers your company any guarantees
or service-level agreements, such as 99 percent uptime. You should also
determine if your ISP offers any security features, such as intrusion detection systems
or firewalls, and if the ISP gives your company reports showing daily or
weekly usage of bandwidth that will help you plan for growth.

that the clock speed of a central processing unit (CPU) would exponentially increase
over the next 20 years, was accurate almost to the megahertz. Memory, another hardware
component that has increased at a 70-647 phenomenal rate, is not the bottleneck in our
high-tech world of today. It seems that bandwidth is still our biggest liability; we don’t
have enough of it. In this lesson, you look at bandwidth and how your design must
take into account the bandwidth requirements to make your connectivity to the Internet
productive.Just as airlines overbook flights, most ISPs oversubscribe bandwidth. By oversubscribing
bandwidth, the ISP is counting on all of their customers not simultaneously
using 100 percent of the bandwidth they are allocated, in the same way
airlines count on some customers not using their plane tickets.
■ You will most likely be sharing your company’s available bandwidth among many
network services. It is very important that a thorough analysis be made of the type
of traffic that will be using any links.
■ When calculating the  MCITP bandwidth requirements for a VPN, you should know how
many users will need to access the network, if VoIP, e-mail, or Web servers will
also use the VPN bandwidth, and how much bandwidth these additional services
will require.
■ You should look at the traffic your network is transmitting during peak hours, and
determine if that traffic can be transmitted during periods of low bandwidth usage.
For example, employees can be directed to perform certain transfers of data during
nonpeak usage hours.

Network Address Translation (NAT) is a protocol that enables a private network to
connect to the Internet. A mapping table is created on the NAT server that maps
all internal IP addresses with port numbers and the external 642-642 IP address chosen by
the company.
■ NAT was created as a temporary solution to the problem of a shortage of IP
addresses available to handle the large number of users requesting them from the
InterNIC.
■ The NAT server forwards packets from Internet-based users to the computers on
the company’s private network. The NAT server drops packets that do not have a
matching port number in the session mapping table.
■ NAT Traversal technology enables an application to detect that a NAT server is
being used on the network, 640-816 automatically configures the port mappings, and
dynamically opens and closes the ports without user intervention.