Windows 7 Resource Kit- P26

Shared by: Thanh Cong | Date: | File type: PDF | Pages: 50



Reference document "Windows 7 Resource Kit - P26", information technology, operating systems, for study, research and effective work.


Text content: Windows 7 Resource Kit - P26

As with other versions of Windows, server-side support for SMB (sharing files and printers) is provided by the Server service, and client-side support (connecting to shared resources) is provided by the Workstation service. Both services are configured to start automatically, and you can safely disable either service if you don’t require it. The security risks presented by having the Server service running are minimized because Windows Firewall will block incoming requests to the Server service on public networks by default.

Strong Host Model

When a unicast packet arrives at a host, IP must determine whether the packet is locally destined (its destination matches an address that is assigned to an interface of the host). IP implementations that follow a weak host model accept any locally destined packet, regardless of the interface on which the packet was received. IP implementations that follow the strong host model accept locally destined packets only if the destination address in the packet matches an address assigned to the interface on which the packet was received. The current IPv4 implementation in Windows XP and Windows Server 2003 uses the weak host model. Windows Vista and Windows 7 support the strong host model for both IPv4 and IPv6 and are configured to use it by default. However, you can revert to the weak host model using Netsh. The weak host model provides better network connectivity, but it also makes hosts susceptible to multihome-based network attacks. To change the host model being used, use the following Netsh commands (and specify the name of the network adapter).

    Netsh interface IPv4 set interface "Local Area Connection" WeakHostSend=enabled
    Ok.
    Netsh interface IPv4 set interface "Local Area Connection" WeakHostReceive=enabled
    Ok.

To return to the default settings, use the same command format but disable the WeakHostSend and WeakHostReceive parameters.
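As an added audit check (example code, not from the resource kit), the following Python script parses captured output of "netsh interface ipv4 show interface" for each adapter, reports where the weak host model has been turned on, and emits the Netsh commands that restore the strong host default. The sample output is constructed, and the parameter names "Weak Host Sends" and "Weak Host Receives" are assumed to match what netsh prints.

```python
"""Audit the IPv4 host model per interface from captured netsh output.

Constructed sample: NOT real output captured from a machine. It is modelled
on the "netsh interface ipv4 show interface <name>" parameter listing (one
"Interface <name> Parameters" header per adapter, then "Key : value" lines).
The key names "Weak Host Sends" / "Weak Host Receives" are assumed.
"""
import re

SAMPLE_NETSH_OUTPUT = """\
Interface Local Area Connection Parameters
----------------------------------------------
IfLuid                             : ethernet_6
State                              : connected
Forwarding                         : disabled
Weak Host Sends                    : enabled
Weak Host Receives                 : enabled

Interface Wireless Network Connection Parameters
----------------------------------------------
IfLuid                             : wireless_0
State                              : connected
Forwarding                         : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
"""

HEADER_RE = re.compile(r"^Interface (?P<name>.+?) Parameters\s*$")


def parse_interfaces(text):
    """Return {interface name: {parameter: value}} from a netsh listing."""
    interfaces = {}
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = m.group("name")
            interfaces[current] = {}
            continue
        if current is None or ":" not in line:
            continue  # separator rules, blank lines, text before the first header
        key, _, value = line.partition(":")
        interfaces[current][key.strip()] = value.strip()
    return interfaces


def weak_host_findings(interfaces):
    """List (interface, parameter) pairs where the weak host model is enabled.

    Strong host (the Windows 7 default) is the secure setting: "enabled" on
    either parameter means the adapter handles packets for addresses that
    belong to other adapters on the host, which multihome-based attacks rely on.
    """
    findings = []
    for name, params in interfaces.items():
        for key in ("Weak Host Sends", "Weak Host Receives"):
            if params.get(key, "").lower() == "enabled":
                findings.append((name, key))
    return findings


def remediation_commands(findings):
    """Build the Netsh commands that restore the strong host model."""
    flag_for = {"Weak Host Sends": "WeakHostSend",
                "Weak Host Receives": "WeakHostReceive"}
    return ['netsh interface ipv4 set interface "%s" %s=disabled' % (name, flag_for[key])
            for name, key in findings]


if __name__ == "__main__":
    found = weak_host_findings(parse_interfaces(SAMPLE_NETSH_OUTPUT))
    for cmd in remediation_commands(found):
        print(cmd)
```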
Wireless Networking

In Windows Server 2003 and Windows XP, the software infrastructure that supports wireless connections was built to emulate an Ethernet connection and can be extended only by supporting additional Extensible Authentication Protocol (EAP) types for 802.1X authentication. In Windows Vista and Windows 7, the software infrastructure for 802.11 wireless connections, called the Native Wi-Fi Architecture (also referred to as Revised Native Wi-Fi MSM, or RMSM), has been redesigned for the following:

• IEEE 802.11 is now represented inside of Windows as a media type separate from IEEE 802.3. This allows hardware vendors more flexibility in supporting advanced features of IEEE 802.11 networks, such as a larger frame size than Ethernet.

(Core Networking Improvements, Chapter 25, page 1203)
• New features in the Native Wi-Fi Architecture perform authentication, authorization, and management of 802.11 connections, reducing the burden on hardware vendors to incorporate these functions into their wireless network adapter drivers. This makes the development of wireless network adapter drivers much easier.
• The Native Wi-Fi Architecture supports APIs that allow hardware vendors to extend the built-in wireless client for additional wireless services and custom capabilities. Extensible components written by hardware vendors can also provide customized configuration dialog boxes and wizards.

In addition, Windows Vista and Windows 7 include several important changes to the behavior of wireless auto configuration. Wireless auto configuration is now implemented in the WLAN AutoConfig service, which dynamically selects the wireless network to which the computer will connect automatically, based either on your preferences or on default settings. This includes automatically selecting and connecting to a more preferred wireless network when it becomes available. The changes include:

• Single sign-on  To enable users to connect to protected wireless networks before logon (and thus allow wireless users to authenticate to a domain), administrators can use Group Policy settings or the new Netsh wireless commands to configure single sign-on profiles on wireless client computers. After a single sign-on profile is configured, 802.1X authentication will precede the computer logon to the domain, and users are prompted for credential information only if needed. This feature ensures that the wireless connection is placed prior to the computer domain logon, which enables scenarios that require network connectivity prior to user logon, such as Group Policy updates, execution of login scripts, and wireless client domain joins.
• Behavior when no preferred wireless networks are available  In earlier versions of Windows, Windows created a random wireless network name and placed the network adapter in infrastructure mode if no preferred network was available and automatically connecting to nonpreferred networks was disabled. Windows would then scan for preferred wireless networks every 60 seconds. Windows Vista and Windows 7 no longer create a randomly named network; instead, Windows “parks” the wireless network adapter while periodically scanning for networks, preventing the randomly generated wireless network name from matching an existing network name.
• Support for hidden wireless networks  Earlier versions of Windows would always connect to preferred wireless networks that broadcast a Service Set Identifier (SSID) before connecting to preferred wireless networks that did not broadcast that identifier, even if the hidden network had a higher priority. Windows Vista and Windows 7 connect to preferred wireless networks based on their priority, regardless of whether they broadcast an SSID.
• WPA2 support  Windows Vista and Windows 7 support Wi-Fi Protected Access 2 (WPA2) authentication options, configurable by either the user (to configure the standard profile) or by AD DS domain administrators using Group Policy settings. Windows Vista and Windows 7 support both Enterprise (IEEE 802.1X authentication) and Personal (preshared key authentication) modes of operation for WPA2 and can connect to ad hoc wireless networks protected by WPA2.
• Integration with NAP  WPA2-Enterprise, WPA-Enterprise, and dynamic WEP connections that use 802.1X authentication can use the NAP platform to prevent wireless clients that do not comply with system health requirements from gaining unlimited access to a private network.

In addition, troubleshooting wireless connection problems is now easier because wireless connections do the following:

• Support the Network Diagnostics Framework, which attempts to diagnose and fix common problems
• Record detailed information in the event log if a wireless connection attempt fails
• Prompt the user to send diagnostic information to Microsoft for analysis and improvement

For more information about troubleshooting wireless networks, see Chapter 31. For more information about configuring wireless networks, see the section titled “How to Configure Wireless Settings” later in this chapter.

Improved APIs

Windows Vista and Windows 7 also include improved APIs that will enable more powerful networked applications. Systems administrators will not realize immediate benefits from these improved APIs; however, developers can use these APIs to create applications that are more robust when running on Windows Vista and Windows 7. This enables developers to create applications faster and to add more powerful features to those applications.

Network Awareness

More applications are connecting to the Internet to look for updates, download real-time information, and facilitate collaboration between users. However, creating applications that can adapt to changing network conditions has been difficult for developers. Network Awareness enables applications to sense changes to the network to which the computer is connected, such as closing a mobile PC at work and then opening it at a coffee shop wireless hotspot.
This enables Windows Vista and Windows 7 to alert applications of network changes. The application can then behave differently, providing a seamless experience. For example, Windows Firewall with Advanced Security can take advantage of Network Awareness to automatically allow incoming traffic from network management tools when the computer is on the corporate network but block the same traffic when the computer is on a home network or wireless hotspot. Network Awareness can therefore provide flexibility on your internal network without sacrificing security when mobile users travel.
Applications can also take advantage of Network Awareness. For example, if a user disconnects from a corporate internal network and then connects to his or her home network, an application could adjust security settings and request that the user establish a VPN connection to maintain connectivity to an intranet server. New applications can go offline or online automatically as mobile users move between environments. In addition, software vendors can integrate their software into the network logon process more easily because Windows Vista and Windows 7 enable access providers to add custom connections for use during logon.

Network Awareness benefits only applications that take advantage of the new API and does not require any management or configuration. For Network Awareness to function, the Network Location Awareness and Network List Service services must be running.

Improved Peer Networking

Windows Peer-to-Peer Networking, originally introduced with the Advanced Networking Pack for Windows XP and later included in Windows XP SP2, is an operating system platform and API in Windows Vista and Windows 7 that allows the development of peer-to-peer (P2P) applications that do not require a server. Windows Vista and Windows 7 include the following enhancements to Windows Peer-to-Peer Networking:

• New, easy-to-use API  APIs to access Windows Peer-to-Peer Networking capabilities such as name resolution, group creation, and security have been highly simplified in Windows Vista and Windows 7, making it easier for developers to create P2P applications.
• New version of PNRP  Peer Name Resolution Protocol (PNRP) is a name resolution protocol, like DNS, that functions without a server. PNRP uniquely identifies computers within a peer cloud. Windows Vista and Windows 7 include a new version of PNRP (PNRP v2) that is more scalable and uses less network bandwidth.

  For PNRP v2 in Windows Vista and Windows 7, Windows Peer-to-Peer Networking applications can access PNRP name publication and resolution functions through a simplified PNRP API that supports the standard name resolution methods used by applications. For IPv6 addresses, applications can use the getaddrinfo() function to resolve the fully qualified domain name (FQDN) name.pnrp.net, in which name is the peer name being resolved. The pnrp.net domain is a reserved domain for PNRP name resolution. The PNRP v2 protocol is incompatible with the PNRP protocol used by computers running Windows XP. Microsoft is investigating the development and release of an update to the Windows Peer-to-Peer Networking features in Windows XP to support PNRP v2.

• People Near Me  People Near Me is a new capability of Windows Peer-to-Peer Networking that allows users to dynamically discover other users on the local subnet and their registered People Near Me–capable applications, as well as to invite users into a collaboration activity easily. The invitation and its acceptance start an application on the invited user’s computer, and the two applications can begin participating in a collaboration activity such as chatting, photo sharing, or game playing.
PNRP v2 is not backward compatible with earlier versions of the protocol. Although PNRP v2 can coexist on a network with earlier versions, it cannot communicate with PNRP v1 clients.

Services Used by Peer-to-Peer Networking

Windows Peer-to-Peer Networking uses the following services, which by default start manually (Windows will start services automatically as required):

• Peer Name Resolution Protocol (PNRP)
• Peer Networking Grouping
• Peer Networking Identity Manager
• PNRP Machine Name Publication Service

If these services are disabled, some P2P and collaborative applications might not function.

Managing Peer-to-Peer Networking

Windows Peer-to-Peer Networking is a set of tools for applications to use, so it doesn’t provide capabilities without an application. You can manage Windows Peer-to-Peer Networking using the Netsh tool or by using Group Policy settings:

• Netsh tool  Commands in the Netsh p2p context will be used primarily by developers creating P2P applications. Systems administrators should not need to troubleshoot or manage Windows Peer-to-Peer Networking directly, so that aspect of the Netsh tool is not discussed further here.
• Group Policy settings  You can configure or completely disable Windows Peer-to-Peer Networking by using the Group Policy settings in Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services. You should need to modify the configuration only if an application has specific, nondefault requirements.

HOW IT WORKS: Peer-to-Peer Name Resolution

In P2P networking, peers use PNRP names to identify computers, users, groups, services, and anything else that should be resolved to an IP address. Peer names can be registered as unsecured or secured. Unsecured names are just automatically generated text strings that are subject to spoofing by a malicious computer that registers the same name. Unsecured names are therefore best used in private or otherwise secure networks. Secured names are signed digitally with a certificate and thus can be registered only by the owner. PNRP IDs are 256 bits long and are composed of the following:
• The high-order 128 bits, known as the peer-to-peer ID, are a hash of a peer name assigned to the endpoint.
• The low-order 128 bits are used for the service location, which is a generated number that uniquely identifies different instances of the same ID in a cloud.

The 256-bit combination of peer-to-peer ID and service location allows multiple PNRP IDs to be registered from a single computer. For each cloud, each peer node manages a cache of PNRP IDs that includes both its own registered PNRP IDs and the entries cached over time. When a peer needs to resolve a PNRP ID to the address, protocol, and port number, it first examines its own cache for entries with a matching peer ID (in case the client has resolved a PNRP ID for a different service location on the same peer). If that peer is found, the resolving client sends a request directly to the peer. If the resolving client does not have an entry for the peer ID, it sends requests to other peers in the same cloud, one at a time. If one of those peers has an entry cached, that peer first verifies that the requested peer is connected to the network before resolving the name for the requesting client. While the PNRP request message is being forwarded, its contents are used to populate caches of nodes that are forwarding it. When the response is sent back through the return path, its contents are also used to populate node caches. This name resolution mechanism allows clients to identify each other without a server infrastructure.

EAPHost Architecture

For easier development of EAP authentication methods for IEEE 802.1X-authenticated wireless connections, Windows Vista and Windows 7 support a new EAP architecture called EAPHost. EAPHost provides the following features that are not supported by the EAP implementation in earlier versions of Windows:

• Network Discovery  EAPHost supports Network Discovery as defined in the “Identity selection hints for Extensible Authentication Protocol (EAP)” Internet draft.
• RFC 3748 compliance  EAPHost will conform to the EAP State Machine and address a number of security vulnerabilities that are specified in RFC 3748. In addition, EAPHost will support additional capabilities such as Expanded EAP Types (including vendor-specific EAP methods).
• EAP method coexistence  EAPHost allows multiple implementations of the same EAP method to coexist simultaneously. For example, the Microsoft version of Protected EAP (PEAP) and the Cisco Systems, Inc. version of PEAP can be installed and selected.
• Modular supplicant architecture  In addition to supporting modular EAP methods, EAPHost also supports a modular supplicant architecture in which new supplicants can be added easily without having to replace the entire EAP implementation.
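To make the cache-based resolution in the “How It Works: Peer-to-Peer Name Resolution” sidebar above concrete, here is an added Python simulation (not Microsoft’s PNRP code; the hash construction, endpoints and cloud topology are stand-ins) of the 256-bit ID layout, the local cache lookup by peer-to-peer ID, the one-at-a-time requests to other nodes, the connectivity check before a cached entry is returned, and the cache population along the forward and return paths.

```python
"""Simulation of the cache-based PNRP name resolution described in the sidebar.

Added illustration only: PNRP's real hashing, message formats and cloud
topology are not reproduced. Modelled is what the sidebar states: a 256-bit
ID = 128-bit peer-to-peer ID (hash of the peer name) + 128-bit service
location, a per-node cache, serial requests to other nodes, a connectivity
check, and cache population on the forward and return paths.
"""
import hashlib
import secrets

LOW_128 = (1 << 128) - 1


def peer_to_peer_id(peer_name):
    """High-order 128 bits: a hash of the peer name (SHA-256 truncated here;
    the real PNRP hash is not reproduced)."""
    return int.from_bytes(hashlib.sha256(peer_name.encode()).digest()[:16], "big")


def make_pnrp_id(peer_name, service_location=None):
    """256-bit PNRP ID = peer-to-peer ID << 128 | service location."""
    if service_location is None:
        service_location = secrets.randbits(128)  # distinct per instance
    return (peer_to_peer_id(peer_name) << 128) | (service_location & LOW_128)


def split_pnrp_id(pnrp_id):
    return pnrp_id >> 128, pnrp_id & LOW_128


class Node:
    """A peer in one cloud: its own registrations plus entries cached over time."""

    def __init__(self, name, endpoint):
        self.name = name
        self.endpoint = endpoint      # (address, protocol, port)
        self.registered = set()       # PNRP IDs this node published
        self.cache = {}               # PNRP ID -> endpoint
        self.connected = True

    def register(self, peer_name, service_location):
        pnrp_id = make_pnrp_id(peer_name, service_location)
        self.registered.add(pnrp_id)
        self.cache[pnrp_id] = self.endpoint
        return pnrp_id

    def local_lookup(self, pnrp_id):
        """Match on the peer-to-peer ID only: an entry for a different service
        location on the same peer still locates that peer."""
        wanted = split_pnrp_id(pnrp_id)[0]
        for cached_id, endpoint in self.cache.items():
            if split_pnrp_id(cached_id)[0] == wanted:
                return endpoint
        return None


def resolve(requester, cloud, pnrp_id):
    """Resolve pnrp_id on behalf of requester.

    Returns (endpoint or None, names of the nodes consulted, in order)."""
    endpoint = requester.local_lookup(pnrp_id)
    if endpoint is not None:
        return endpoint, []           # answered from the local cache
    path = []
    for node in cloud:                # ask other peers one at a time
        if node is requester:
            continue
        path.append(node)
        # The forwarded request carries the requester's own registrations,
        # which populate the cache of every node that handles it.
        for own_id in requester.registered:
            node.cache[own_id] = requester.endpoint
        endpoint = node.local_lookup(pnrp_id)
        if endpoint is None:
            continue
        target = next((n for n in cloud if n.endpoint == endpoint), None)
        if target is None or not target.connected:
            continue                  # cached entry is stale; keep asking
        for hop in path + [requester]:  # the response populates the return path
            hop.cache[pnrp_id] = endpoint
        return endpoint, [n.name for n in path]
    return None, [n.name for n in path]
```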
For EAP method vendors, EAPHost provides support for EAP methods already developed for Windows Server 2003 and Windows XP, as well as an easier method of developing new EAP methods. Certified EAP methods can be distributed with Windows Update. EAPHost also allows better classification of EAP types so that the built-in 802.1X- and PPP-based Windows supplicants can use them.

For supplicant method vendors, EAPHost provides support for modular and pluggable supplicants for new link layers. Because EAPHost is integrated with NAP, new supplicants do not have to be NAP aware. To participate in NAP, new supplicants only need to register a connection identifier and a callback function that informs the supplicant to re-authenticate. For more information, read “EAPHost in Windows” at http://technet.microsoft.com/en-us/magazine/cc162364.aspx.

Layered Service Provider (LSP)

The Windows Sockets (Winsock) Layered Service Provider (LSP) architecture resides between the Winsock dynamic-link library (DLL), which applications use to communicate on the network, and the Winsock kernel-mode driver (Afd.sys), which communicates with network adapter drivers. LSPs are used in several categories of applications, including:

• Proxy and firewalls
• Content filtering
• Virus scanning
• Adware and other network data manipulators
• Spyware and other data-monitoring applications
• Security, authentication, and encryption

Windows Vista and Windows 7 include several improvements to LSPs to enable more powerful network applications and better security:

• Adding and removing LSPs is logged to the System Event Log. Administrators can use these events to determine which application installed an LSP and to troubleshoot failed LSP installations.
• A new installation API (WSCInstallProviderAndChains) provides simpler, more reliable LSP installations.
• New facilities categorize LSPs and allow critical system services to bypass LSPs. This can improve reliability when working with flawed LSPs.
• A diagnostics module for the Network Diagnostics Framework allows users to selectively remove LSPs that are causing problems.

Windows Sockets Direct Path for System Area Networks

Windows Sockets Direct (WSD) enables Winsock applications that use TCP/IP to obtain the performance benefits of system area networks (SANs) without application modifications. SANs are a type of high-performance network often used for computer clusters.
WSD allows communications across a SAN to bypass the TCP/IP protocol stack, taking advantage of the reliable, direct communications provided by a SAN. In Windows Vista and Windows 7, this is implemented by adding a virtual switch between Winsock and the TCP/IP stack. This switch has the ability to examine traffic and pass communications to a SAN Winsock provider, bypassing TCP/IP entirely. Figure 25-13 illustrates this architecture.

[Figure 25-13: WSD enables improved performance across SANs by selectively bypassing TCP/IP using a virtual switch. Components shown: Application, Winsock, Switch, SAN Winsock Provider, Base Winsock Provider (user mode); TCP/IP, SAN Winsock Driver, SAN NDIS Miniport, SAN Network Adapter (kernel mode).]

How to Configure Wireless Settings

Users want to stay constantly connected to their networks, and wireless LANs and wireless WANs are beginning to make that possible. However, managing multiple network connections can be challenging, and users often have difficulty resolving connectivity problems. As a result, users place more calls to support centers, increasing support cost and user frustration. You can reduce this by configuring client computers to connect to preferred wireless networks.

Windows will connect automatically to most wired networks. Wireless networks, however, require configuration before Windows will connect to them. You can connect Windows computers to wireless networks in three different ways:

• Manually  Windows 7 includes a new user interface that makes it simple to connect to wireless networks. You can use this interface to manually configure intranet-based computers running Windows 7; users can use this method to connect to public networks when they travel.
• Using Group Policy  Group Policy settings are the most efficient way to configure any number of computers running Windows in your organization to connect to your internal wireless networks.
• From the command line or by using scripts  Using the Netsh tool and commands in the netsh wlan context, you can export existing wireless network profiles, import them into other computers, connect to available wireless networks, or disconnect a wireless network.

After a wireless network is configured, the Wireless Single Sign-On feature executes 802.1X authentication at the appropriate time based on the network security configuration, while simply and seamlessly integrating with the user’s Windows logon experience. The following sections describe each of these configuration techniques.

Configuring Wireless Settings Manually

Windows 7 makes it very easy to connect to a wireless network using the enhanced View Available Networks (VAN) feature included in the platform. For example, to configure a wireless network that is currently available, follow these steps:

1. Click the networking icon in the notification area.

   Note: The WLAN AutoConfig service must be started for wireless networks to be available. This service by default is set to start automatically.

2. Click the network to which you want to connect and then click Connect, as shown in Figure 25-14.

[Figure 25-14: The Network Connection Details dialog box provides graphical access to IP configuration settings.]
   Note: A network that is configured not to broadcast an SSID will appear as an Unnamed Network, allowing you to connect to the network.

3. If the network is encrypted, provide the encryption key.

Why Disabling SSID Broadcasting Doesn’t Improve Security

Wireless networks broadcast an SSID that specifies the network name to help users who have not connected to the network previously find it. However, disabling the SSID broadcast does not increase security, because the tools that a malicious attacker might use to find and connect to your wireless network do not rely on SSID broadcasts. The SSID broadcast does make it easier for legitimate users to find and connect to your wireless networks. So by disabling the broadcast of the SSID, you can negatively affect the people whom you do want to be able to connect.

Using Group Policy to Configure Wireless Settings

In AD DS environments, you can use Group Policy settings to configure wireless network policies. For best results, you should have Windows Server 2003 SP1 or later installed on your domain controllers because Microsoft extended support for wireless Group Policy settings when they released SP1. Before you can use Group Policy to configure wireless networks, you need to extend the AD DS schema using the 802.11Schema.ldf file included on this book’s companion media. If you do not have access to the companion media, you can copy the schema file from http://technet.microsoft.com/en-us/library/bb727029.aspx. To extend the schema, follow these steps:

1. Copy the 802.11Schema.ldf file to a folder on a domain controller.
2. Log on to the domain controller with Domain Admin privileges and open a command prompt.
3. Select the folder containing the 802.11Schema.ldf file and run the following command (where Dist_Name_of_AD_Domain is the distinguished name of the AD DS domain whose schema is being modified; an example of a distinguished name is DC=wcoast,DC=microsoft,DC=com for the wcoast.microsoft.com AD DS domain).

       ldifde -i -v -k -f 802.11Schema.ldf -c DC=X Dist_Name_of_AD_Domain

4. Restart the domain controller.

After you extend the schema, you can configure a wireless network policy by following these steps:

1. Open the Active Directory GPO in the Group Policy Object Editor.
2. Expand Computer Configuration, Windows Settings, Security Settings, and then click Wireless Network (IEEE 802.11) Policies.
3. Right-click Wireless Network (IEEE 802.11) Policies and then click Create A New Windows Vista Policy. The Wireless Network Properties dialog box appears.
4. To add an infrastructure network, click Add and then click Infrastructure to open the Connection tab of the New Profile Properties dialog box. In the Network Names list, click NEWSSID and then click Remove. Then, type a valid internal SSID in the Network Names box and click Add. Repeat this to configure multiple SSIDs for a single profile. If the network is hidden, select the Connect Even If The Network Is Not Broadcasting check box.
5. On the New Profile Properties dialog box, click the Security tab. Use this tab to configure the wireless network authentication and encryption settings. Click OK.

   Note: This resource kit does not cover how to design wireless networks. However, you should avoid using Wired Equivalent Privacy (WEP) whenever possible. WEP is vulnerable to several different types of attack, and WEP keys can be difficult to change. Whenever possible, use WPA or WPA2, which both use strong authentication and dynamic encryption keys.

The settings described in the previous process will configure client computers to connect automatically to your internal wireless networks and to not connect to other wireless networks.

Configuring Wireless Settings from the Command Line or a Script

You can also configure wireless settings using commands in the netsh wlan context of the Netsh command-line tool, which enables you to create scripts that connect to different wireless networks (whether encrypted or not). To list available wireless networks, run the following command.

    Netsh wlan show networks

    Interface Name : Wireless Network Connection
    There are 2 networks currently visible

    SSID 1 : Litware
        Network Type : Infrastructure
        Authentication : Open
        Encryption : None

    SSID 1 : Contoso
        Network Type : Infrastructure
        Authentication : Open
        Encryption : WEP
Before you can connect to a wireless network using Netsh, you must have a profile saved for that network. Profiles contain the SSID and security information required to connect to a network. If you have previously connected to a network, the computer will have a profile for that network saved. If a computer has never connected to a wireless network, you need to save a profile before you can use Netsh to connect to it. You can save a profile from one computer to an Extensible Markup Language (XML) file and then distribute the XML file to other computers in your network. To save a profile, run the following command after manually connecting to a network.

    Netsh wlan export profile name="SSID"
    Interface profile "SSID" is saved in file ".\Wireless Network Connection-SSID.xml" successfully.

Before you can connect to a new wireless network, you can load a profile from a file. The following example demonstrates how to create a wireless profile (which is saved as an XML file) from a script or the command line.

    Netsh wlan add profile filename="C:\profiles\contoso1.xml"
    Profile contoso1 is added on interface Wireless Network Connection

To connect to a wireless network quickly, use the netsh wlan connect command and specify a wireless profile name (which must be configured or added previously). The following examples demonstrate different but equivalent syntaxes for connecting to a wireless network with the Contoso1 SSID.

    Netsh wlan connect Contoso1
    Connection request is received successfully

    Netsh wlan connect Contoso1 interface="Wireless Network Connection"
    Connection request is received successfully

Note that you need to specify the interface name only if you have multiple wireless network adapters—an uncommon situation. You can use the following command to disconnect from all wireless networks.

    Netsh wlan disconnect
    Disconnection request is received successfully
  13. You can use scripts and profiles to simplify the process of connecting to private wireless networks for your users . Ideally, you should use scripts and profiles to save users from ever needing to type wireless security keys . You can also use Netsh to allow or block access to wireless networks based on their SSIDs . For example, the following command allows access to a wireless network with the Contoso1 SSID . Netsh wlan add filter permission=allow ssid=Contoso networktype=infrastructure Similarly, the following command blocks access to the Fabrikam wireless network . Netsh wlan add filter permission=block ssid=Fabrikam networktype=adhoc To block all ad hoc networks, use the Denyall permission, as the following example demonstrates . Netsh wlan add filter permission=denyall networktype=adhoc To prevent Windows from automatically connecting to wireless networks, run the follow- ing command . Netsh wlan set autoconfig enabled=no interface="Wireless Network Connection" You can also use Netsh to define the priority of user profiles (but not Group Policy pro- files) . Group Policy profiles always have precedence over user profiles . The following example demonstrates how to configure Windows to connect automatically to the wireless network defined by the Contoso profile before connecting to the wireless network defined by the Fabrikam profile . Netsh wlan set profileorder name=Contoso interface="Wireless Network Connection" priority=1 Netsh wlan set profileorder name=Fabrikam interface="Wireless Network Connection" priority=2 Netsh has many other commands for configuring wireless networking . For more informa- tion, run the following at a command prompt . Netsh wlan help note When troubleshooting problems connecting to wireless networks, open Event Viewer and browse the applications and Services Logs\Microsoft\Windows \WLaN-autoConfig event log. 
You can also use this log to determine the wireless networks to which a client is connected, which might be useful when identifying the source of a security compromise. For more information, see Chapter 31.
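The two uses of Netsh filters and of the WLAN-AutoConfig log described above can be combined into one check: replay the networks a client actually joined through the filter set and report every connection the policy would not have permitted. The following Python script is an added example, not code from the Resource Kit. The log lines, timestamps, the CoffeeShop SSID and the POLICY list are constructed sample data, and the filter precedence it applies (an explicit block wins, then an explicit allow, then denyall for that network type) is this example's reading of the Netsh filter semantics rather than a quotation from the text.

```python
"""Evaluate Netsh-style WLAN filters against wireless connection records.

Added example, not code from the Resource Kit. It models the three
permission levels of `netsh wlan add filter` (allow, block, denyall) and
replays constructed WLAN-AutoConfig-style connection records through them,
reporting every connection the filter set would not have permitted.
The precedence used here (an explicit block wins, then an explicit allow,
then denyall for the network type) is this example's reading of the Netsh
filter semantics and is an assumption, not a quotation from the text.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Filter:
    permission: str       # "allow", "block" or "denyall"
    networktype: str      # "infrastructure" or "adhoc"
    ssid: str = ""        # left empty for denyall


def is_permitted(filters, ssid, networktype):
    """Return (permitted, reason) for one network under an ordered filter list."""
    for f in filters:
        if f.permission == "block" and f.networktype == networktype and f.ssid == ssid:
            return False, f"blocked by filter ssid={ssid}"
    if any(f.permission == "allow" and (f.ssid, f.networktype) == (ssid, networktype)
           for f in filters):
        return True, "explicitly allowed"
    if any(f.permission == "denyall" and f.networktype == networktype for f in filters):
        return False, f"denyall for {networktype} networks"
    return True, "no filter matched"


# Constructed records modelled on the "connected" events in the
# WLAN-AutoConfig log; the wording and timestamps are sample data.
SAMPLE_EVENTS = """\
2009-10-02 08:12:03 Network SSID: Contoso, BSS Type: Infrastructure, Authentication: WPA2-Enterprise
2009-10-02 12:40:17 Network SSID: Fabrikam, BSS Type: Ad hoc, Authentication: WPA2-Personal
2009-10-02 13:05:44 Network SSID: CoffeeShop, BSS Type: Infrastructure, Authentication: Open
2009-10-03 09:00:10 Network SSID: Contoso, BSS Type: Infrastructure, Authentication: WPA2-Enterprise
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Network SSID: (?P<ssid>[^,]+), "
    r"BSS Type: (?P<bss>[^,]+), Authentication: (?P<auth>.+)$")


def parse_events(text):
    """Turn log lines into dicts with a Netsh-style networktype field."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue                      # ignore lines that are not connection records
        ev = m.groupdict()
        ev["networktype"] = "adhoc" if ev["bss"].lower().startswith("ad") else "infrastructure"
        events.append(ev)
    return events


def audit(filters, text):
    """List (timestamp, ssid, reason) for every connection the filters would refuse."""
    findings = []
    for ev in parse_events(text):
        ok, reason = is_permitted(filters, ev["ssid"], ev["networktype"])
        if not ok:
            findings.append((ev["ts"], ev["ssid"], reason))
    return findings


# Sample policy: the two filters from the text plus denyall for both network
# types, so a managed laptop may only join explicitly allowed SSIDs (assumption).
POLICY = [
    Filter("allow", "infrastructure", "Contoso"),
    Filter("block", "adhoc", "Fabrikam"),
    Filter("denyall", "adhoc"),
    Filter("denyall", "infrastructure"),
]

if __name__ == "__main__":
    for ts, ssid, reason in audit(POLICY, SAMPLE_EVENTS):
        print(f"{ts}  {ssid}: {reason}")
```

Run against the sample, the script reports the Fabrikam ad hoc connection (explicitly blocked) and the open CoffeeShop network (caught by denyall for infrastructure networks) and stays silent about Contoso. Feeding it the real log lets you confirm that the filters you pushed with Netsh actually match what clients were connecting to before the policy took effect.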
How to Configure TCP/IP

You can use several different techniques to configure TCP/IP. Most environments use DHCP to provide basic settings. Alternatively, you can configure TCP/IP settings manually using graphical tools. Finally, some settings are configured most easily using scripts that call command-line tools such as Netsh. You can use logon scripts to automate command-line configuration. The following sections describe each of these configuration techniques.

NOTE For wireless networks, you will need to first connect the wireless adapter to the wireless network and then configure the TCP/IP settings. However, wireless networks almost always have a DHCP server available.

DHCP

Almost all client computers should be configured using DHCP. With DHCP, you configure a DHCP server (such as a computer running Windows Server 2003) to provide IP addresses and network configuration settings to client computers when they start up. Windows 7 and all recent Windows operating systems are configured to use DHCP by default, so you can configure network settings by simply setting up a DHCP server and connecting a computer to the network.

As the number of mobile computers, traveling users, and wireless networks has increased, so has the importance of DHCP. Because computers may have to connect to several different networks, manually configuring network settings would require users to make changes each time they connected to a network. With DHCP, the DHCP server on the local network provides the correct settings when the client connects.
Some of the configuration settings you can configure with DHCP include the following:

- IP address Identifies a computer on the network
- Default gateway Identifies the router that the client computer will use to send traffic to other networks
- DNS servers Name servers that the client uses to resolve the host names of other computers
- WINS servers Microsoft name servers that the client uses to resolve the NetBIOS names of computers on the network
- Boot server Used for loading an operating system across the network when configuring new computers or starting diskless workstations

Clients use the following process to retrieve DHCP settings:

1. The client computer transmits a DHCPDiscover broadcast packet on the local network.
2. DHCP servers receive this broadcast packet and send a DHCPOffer packet back to the client computer. This packet includes the IP address configuration information. If more than one DHCP server is on the local network, the client computer might receive multiple DHCPOffer packets.
3. The client computer sends a DHCPRequest broadcast packet to a single DHCP server requesting the use of those configuration settings. Other DHCP servers that might have sent a DHCPOffer will see this response and know that they no longer need to reserve an IP address for the client.
4. Finally, the DHCP server sends a DHCPAck packet to acknowledge that the IP address has been leased to the client for a specific amount of time. The client can now begin using the IP address settings.

Because the DHCPDiscover is a broadcast and the client uses the first DHCPOffer it receives, any computer on the segment can answer it; an unauthorized DHCP server can therefore hand out a default gateway and DNS servers of its choosing. Comparing the DHCP Server address that IPConfig reports against your known servers is the quickest way to spot this on a client.

In addition, client computers will attempt to renew their IP addresses after half the DHCP lease time has expired. By default, computers running Windows Server 2003 have a lease time of eight days. Therefore, client computers running Windows attempt to renew their DHCP settings after four days and will retrieve updated settings if you have made any changes to the DHCP server.

Because client computers retrieve new DHCP settings each time they start up, each time they connect to a new network, and each time they renew or reacquire a lease, you can change configuration settings with only a few days' notice. For example, if you need to replace a DNS server and you want to use a new IP address, add the new address to your DHCP server settings, wait eight days for all client computers to renew their leases and acquire the new settings, and then shut down the old DNS server with a high level of confidence that client computers already have the new server's IP address.
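The four-step exchange above, carried out on the wire, as an added example in Python (not code from the Resource Kit). It encodes and parses the RFC 2131 messages, runs the Discover/Offer/Request/Ack sequence against two simulated servers on the same segment, and applies the check a cautious client can make: flag any DHCPOffer whose server identifier is not one of the servers you expect. The Server class, the addresses, the MAC and the transaction ID are constructed for the demonstration.

```python
"""DHCP Discover/Offer/Request/Ack exchange built and parsed from raw bytes.

Added example, not code from the Resource Kit: it encodes the four RFC 2131
messages the text describes, parses them back, runs the exchange against two
simulated servers on one segment, and reports any DHCPOffer whose server
identifier is outside the expected set (a rogue-server check). Addresses,
MACs and the transaction ID are constructed sample values.
"""
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                   # option-field cookie (RFC 2131)
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5    # option 53 message types
OPT_MASK, OPT_ROUTER, OPT_DNS, OPT_REQ_IP = 1, 3, 6, 50
OPT_LEASE, OPT_MSG, OPT_SERVER_ID, OPT_T1, OPT_END = 51, 53, 54, 58, 255
HEADER = "!BBBBIHH4s4s4s4s16s64s128s"         # the 236-byte fixed header

def ip(s):
    return socket.inet_aton(s)

def build(op, xid, mac, options, yiaddr="0.0.0.0"):
    """Encode one message; op is 1 (client to server) or 2 (server to client)."""
    chaddr = bytes.fromhex(mac.replace("-", "").replace(":", "")).ljust(16, b"\0")
    # flags=0x8000 asks the server to broadcast its reply: the client has no address yet
    hdr = struct.pack(HEADER, op, 1, 6, 0, xid, 0, 0x8000, ip("0.0.0.0"), ip(yiaddr),
                      ip("0.0.0.0"), ip("0.0.0.0"), chaddr, b"\0" * 64, b"\0" * 128)
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return hdr + MAGIC + body + bytes([OPT_END])

def parse(pkt):
    """Decode a message into a dict; raise ValueError if it is malformed."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    f = struct.unpack(HEADER, pkt[:236])
    msg = {"xid": f[4], "yiaddr": socket.inet_ntoa(f[8]),
           "chaddr": f[11][:f[2]].hex("-"), "options": {}}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            return msg
        if code == 0:                         # pad byte
            i += 1
            continue
        if i + 1 >= len(pkt) or i + 2 + pkt[i + 1] > len(pkt):
            raise ValueError(f"truncated option {code}")
        msg["options"][code] = pkt[i + 2:i + 2 + pkt[i + 1]]
        i += 2 + pkt[i + 1]
    raise ValueError("missing end option")

def msg_type(m):
    return m["options"][OPT_MSG][0]

def server_id(m):
    return socket.inet_ntoa(m["options"][OPT_SERVER_ID])

class Server:
    """Simulated DHCP server that hands out a single fixed address."""

    def __init__(self, server_ip, offer_ip, lease=8 * 24 * 3600, router="192.168.1.1", dns="192.168.1.210"):
        self.server_ip, self.offer_ip, self.lease, self.router, self.dns = server_ip, offer_ip, lease, router, dns

    def _options(self, mtype):
        return [(OPT_MSG, bytes([mtype])), (OPT_SERVER_ID, ip(self.server_ip)),
                (OPT_LEASE, struct.pack("!I", self.lease)),
                (OPT_T1, struct.pack("!I", self.lease // 2)),   # renew at half the lease
                (OPT_MASK, ip("255.255.255.0")), (OPT_ROUTER, ip(self.router)), (OPT_DNS, ip(self.dns))]

    def handle(self, pkt):
        """Offer on a Discover; Ack a Request that names us; otherwise stay silent."""
        m = parse(pkt)
        if msg_type(m) == DISCOVER:
            return build(2, m["xid"], m["chaddr"], self._options(OFFER), yiaddr=self.offer_ip)
        if msg_type(m) == REQUEST and server_id(m) == self.server_ip:
            return build(2, m["xid"], m["chaddr"], self._options(ACK),
                         yiaddr=socket.inet_ntoa(m["options"][OPT_REQ_IP]))
        return None                           # the client chose another server

def replies(servers, pkt, xid, wanted):
    """Broadcast pkt to every server and keep the well-formed replies of type wanted."""
    out = []
    for s in servers:
        r = s.handle(pkt)
        if r is not None:
            m = parse(r)
            if m["xid"] == xid and msg_type(m) == wanted:
                out.append(m)
    return out

def client_exchange(xid, mac, servers, expected_servers):
    """Run the four-step exchange as a client and return the bound configuration."""
    offers = replies(servers, build(1, xid, mac, [(OPT_MSG, bytes([DISCOVER]))]), xid, OFFER)
    rogue = sorted({server_id(o) for o in offers} - set(expected_servers))
    chosen = offers[0]                        # a real client takes the first offer it hears
    request = build(1, xid, mac, [(OPT_MSG, bytes([REQUEST])), (OPT_SERVER_ID, ip(server_id(chosen))),
                                  (OPT_REQ_IP, ip(chosen["yiaddr"]))])
    acks = [a for a in replies(servers, request, xid, ACK) if server_id(a) == server_id(chosen)]
    if not acks:
        raise RuntimeError("no DHCPAck from the chosen server")
    ack = acks[0]
    return {"server": server_id(ack), "address": ack["yiaddr"],
            "lease": struct.unpack("!I", ack["options"][OPT_LEASE])[0],
            "renew_after": struct.unpack("!I", ack["options"][OPT_T1])[0],
            "router": socket.inet_ntoa(ack["options"][OPT_ROUTER]),
            "dns": socket.inet_ntoa(ack["options"][OPT_DNS]), "rogue_offers": rogue}
```

With one legitimate server at 192.168.1.210 and a second, unexpected one at 192.168.1.99 on the segment, `client_exchange` binds to the first offer, reports an eight-day lease with renewal due after four days, and lists 192.168.1.99 under `rogue_offers`. Whether the bound configuration came from the rogue host depends only on which offer arrived first, which is exactly why the DHCP Server field in IPConfig deserves a glance when a client behaves oddly.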
If a client computer does not receive a DHCP address and an alternate IP address configuration has not been manually configured, Windows client computers automatically configure themselves with a randomly selected Automatic Private IP Addressing (APIPA) address in the range 169.254.0.1 to 169.254.255.254, with a subnet mask of 255.255.0.0. If more than one computer running Windows on a network has an APIPA address, the computers will be able to communicate with each other. However, APIPA provides no default gateway, so client computers will not be able to connect to the Internet, to other networks, or to computers with non-APIPA addresses. For information about IPv6, refer to Chapter 28.

You can use the following techniques to determine whether a client has been assigned an IP address and to troubleshoot DHCP-related problems:

- IPConfig From a command line, run IPConfig /all to view the current IP configuration. If the client has a DHCP-assigned IP address, the DHCP Enabled property will be set to Yes, and the DHCP Server property will have an IP address assigned, as the following example demonstrates.
Ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Win7
   Primary Dns Suffix  . . . . . . . : hq.contoso.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-15-C5-08-82-F3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a1f2:3425:87f6:49c2%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.242(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, August 20, 2006 11:12:44 PM
   Lease Expires . . . . . . . . . . : Monday, August 28, 2006 11:12:44 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.210
   DNS Servers . . . . . . . . . . . : 192.168.1.210
   NetBIOS over Tcpip. . . . . . . . : Enabled

NOTE If you are troubleshooting a client connectivity problem and notice that the IP address begins with 169.254, the DHCP server was not available when the client computer started. Verify that the DHCP server is available and the client computer is properly connected to the network. Then, issue the ipconfig /release and ipconfig /renew commands to acquire a new IP address. For more information about troubleshooting network connections, see Chapter 31.

- Network And Sharing Center In Network And Sharing Center, click the name of the connection (such as Local Area Connection) to open the connection status. Then, click Details to open the Network Connection Details dialog box, as shown in Figure 25-15. This dialog box provides similar information to that displayed by the IPConfig /all command.
FIGURE 25-15 The Network Connection Details dialog box provides graphical access to IP configuration settings.

- Event Viewer Open Event Viewer and browse the Windows Logs\System event log. Look for events with a source of Dhcp-Client for IPv4 addresses or DHCPv6-Client for IPv6 addresses. Although this technique is not useful for determining the active configuration, it can reveal problems that occurred in the past.

Configuring IP Addresses Manually

The alternative to using DHCP is to configure IP address settings manually. However, because of the time required to configure settings, the likelihood of making a configuration error, and the challenge of connecting new computers to a network, manually configuring IP addresses is rarely the best choice for client computers.

To configure an IPv4 address manually, follow these steps:

1. Click the network icon in the notification area and then click Open Network And Sharing Center.
2. Click Change Adapter Settings.
3. Right-click the network adapter and then click Properties.
4. In the Properties dialog box, click Internet Protocol Version 4 (TCP/IPv4) and then click Properties.
5. If you always want to use manually configured network settings, click the General tab and then click Use The Following IP Address. If you want to use manually configured network settings only when a DHCP server is not available, click the Alternate Configuration tab and then click User Configured. Then, configure the computer's IP address, subnet mask, default gateway, and DNS servers.
6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.

You should rarely need to configure an IPv6 address manually because IPv6 is designed to configure itself automatically. For more information about IPv6 autoconfiguration, refer to Chapter 28. To configure an IPv6 address manually, follow these steps:

1. Click the network icon in the notification area and then click Open Network And Sharing Center.
2. Click Change Adapter Settings.
3. Right-click the network adapter and then click Properties.
4. In the Properties dialog box, click Internet Protocol Version 6 (TCP/IPv6) and then click Properties.
5. Click Use The Following IPv6 Address and configure the computer's IP address, subnet prefix length, default gateway, and DNS servers. TCP/IPv6 does not support an alternate configuration, as TCP/IPv4 does.
6. Click OK twice. The configuration changes will take effect immediately, without requiring you to restart the computer.

You can prevent users from accessing these graphical tools. Most important settings require administrative credentials, so simply not giving users local administrator access to their computers will prevent them from making most important changes. You can also use the Group Policy settings located in User Configuration\Policies\Administrative Templates\Network\Network Connections to restrict the user interface further (but this will not necessarily prevent a user from using other tools to make changes).
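The IPConfig technique from the troubleshooting list earlier in this section is easy to automate. The following Python script is an added example, not code from the Resource Kit: it parses the text of IPConfig /all into one record per adapter and flags the three conditions the text describes (an APIPA address, DHCP enabled with no DHCP Server recorded, and a lease that has already expired). The sample output embedded in it is constructed to match the layout shown above, including a second, wireless adapter that fell back to APIPA; the adapter names, MAC addresses and dates are sample data.

```python
"""Spot DHCP failures in the text of ipconfig /all.

Added example, not code from the Resource Kit. It parses ipconfig /all
output into one record per adapter and flags the conditions the text
describes: an APIPA (169.254.0.0/16) address, DHCP enabled with no DHCP
server recorded, or a lease that has already expired. The sample output is
constructed to match the layout the book shows; on a real client pipe
ipconfig /all into the script instead.
"""
import ipaddress
import re
import sys
from datetime import datetime

APIPA = ipaddress.ip_network("169.254.0.0/16")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"      # e.g. "Monday, August 28, 2006 11:12:44 PM"
ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(?P<val>.*)$")

# Constructed sample: one adapter with a lease, one that fell back to APIPA.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : Win7
   Primary Dns Suffix  . . . . . . . : hq.contoso.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : contoso.com
   Physical Address. . . . . . . . . : 00-15-C5-08-82-F3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a1f2:3425:87f6:49c2%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.242(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Sunday, August 20, 2006 11:12:44 PM
   Lease Expires . . . . . . . . . . : Monday, August 28, 2006 11:12:44 PM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.210
   DNS Servers . . . . . . . . . . . : 192.168.1.210

Wireless LAN adapter Wireless Network Connection:

   Physical Address. . . . . . . . . : 00-1F-3B-11-22-33
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.17.88(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""


def parse_ipconfig(text):
    """Return {adapter name: {field: value}}; header fields before the first adapter are skipped."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            current = adapters.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key")] = m.group("val").replace("(Preferred)", "").strip()
    return adapters


def diagnose(adapters, now):
    """Return (adapter, finding) pairs for adapters whose addressing indicates a DHCP problem."""
    if isinstance(now, str):                  # accept "YYYY-MM-DD[THH:MM]" for scripting
        now = datetime.fromisoformat(now)
    findings = []
    for name, f in adapters.items():
        addr = f.get("IPv4 Address") or f.get("Autoconfiguration IPv4 Address")
        if addr and ipaddress.ip_address(addr) in APIPA:
            findings.append((name, f"APIPA address {addr}: no DHCP server answered at startup"))
        elif f.get("DHCP Enabled") == "Yes" and addr and not f.get("DHCP Server"):
            findings.append((name, "DHCP enabled but no DHCP Server recorded"))
        if f.get("Lease Expires"):
            expires = datetime.strptime(f["Lease Expires"], LEASE_FMT)
            if expires < now:
                findings.append((name, f"lease expired {expires:%Y-%m-%d %H:%M}; run ipconfig /renew"))
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for adapter, finding in diagnose(parse_ipconfig(text), datetime.now()):
        print(f"{adapter}: {finding}")
```

Run as `ipconfig /all | python check_dhcp.py` (the file name is arbitrary), the script prints one line per problem adapter. Because the lease dates are parsed, it also catches the case that a 169.254 check alone misses: an adapter that still shows its old lease after the DHCP server stopped answering renewals.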
Command Line and Scripts

You can also configure network settings from the command line or from a script using the Netsh tool and commands in the Netsh interface ipv4 or Netsh interface ipv6 contexts. For example, to configure the standard network interface to use DHCP and to use the DNS servers provided by DHCP, you could issue the following commands.

Netsh interface ipv4 set address "Local Area Connection" dhcp
Netsh interface ipv4 set dnsserver "Local Area Connection" dhcp
NOTE Windows XP also included the Netsh tool. However, the Windows XP version of Netsh uses different commands. For example, you would use netsh interface ip set dns to configure DNS settings for a computer running Windows XP instead of netsh interface ipv4 set dnsserver, which you use to configure DNS settings for a computer running Windows Vista or Windows 7. However, Netsh in Windows Vista and Windows 7 is backward compatible and will accept the older, Windows XP-compatible syntax.

Because DHCP is the default setting for network adapters, it is more likely that you will need to use Netsh commands to configure a static IP address. The following commands demonstrate how to do this for IPv4.

Netsh interface ipv4 set address "Local Area Connection" source=static address=192.168.1.10 mask=255.255.255.0 gateway=192.168.1.1
Netsh interface ipv4 set dnsserver "Local Area Connection" source=static address=192.168.1.2 register=primary

The following commands demonstrate configuring a static IP address and DNS server configuration for IPv6. Note that the first command marks the address as anycast; an ordinary host address is unicast, which is what Netsh assumes when no type is given.

Netsh interface ipv6 set address "Local Area Connection" address=2001:db8:3fa8:102a::2 anycast
Netsh interface ipv6 set dnsserver "Local Area Connection" source=static address=2001:db8:3fa8:1719::1 register=primary

You should avoid using scripts to configure production client computers because they are not tolerant of varying hardware configurations and because DHCP provides most of the configuration capabilities required for production networks. However, scripts can be useful for quickly changing the network configuration of computers in lab environments. Instead of manually writing Netsh commands, you can configure a computer using graphical tools and use the Netsh tool to generate a configuration script.

NOTE You can generate a configuration script that can be run from within Netsh by running the command netsh interface dump > script_filename. You can then apply that script using the command netsh -f script_filename.
Netsh provides the ability to configure almost any aspect of Windows 7 networking. For detailed instructions, refer to Windows Help And Support or run the following command from a command prompt.

Netsh ?
DIRECT FROM THE SOURCE
Automate Network Interface Card Configuration Using Netsh
Don Baker, Premier Field Engineer, Windows Platform

During the years I worked as a consultant, it was not uncommon to connect my laptop to several different networks in the same day. In some cases, they were DHCP-enabled, so connection was easy. For others, I would have to configure the network adapter manually. Ugh!

Enter the Netsh commands. You can use the Netsh command to modify the network configuration on computers running Windows 2000 and later versions. It's not the friendliest syntax to use, but it is a real time-saver once you learn to use it. The following sample scripts use Netsh to set STATIC IP entries on an adapter and to set the adapter back to DHCP mode so the settings can be obtained automatically. To use the code, type it into a batch file, modify "name=" to the name of the adapter in quotation marks, and change the IP addresses.

Static IP

netsh interface ipv4 set address name="Wireless Network Connection" source=static addr=192.168.0.100 mask=255.255.255.0 gateway=192.168.0.250 gwmetric=0
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=static addr=192.168.0.2 register=NONE
REM netsh interface ipv4 set winsserver name="Wireless Network Connection" source=static addr=10.217.27.9
REM OR if no WINS server
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /all

DHCP

netsh interface ipv4 set address name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set dnsserver name="Wireless Network Connection" source=dhcp
netsh interface ipv4 set winsserver name="Wireless Network Connection" source=dhcp
ipconfig /renew "Wireless Network Connection"
ipconfig /all
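Both the static Netsh commands in "Command Line and Scripts" and the Static IP batch script in the sidebar above take the addresses on faith. The following Python script is an added example, not code from the Resource Kit or from the sidebar's author: it checks a static IPv4 configuration with the standard ipaddress module (address inside the subnet and not its network or broadcast address, gateway inside the same subnet and different from the host, DNS entries that are addresses rather than names) and only then emits the same set address / set dnsserver / add dnsserver command lines shown above, adding extra DNS servers in order. The adapter name, the second DNS server and the sample values in the usage line are assumptions for the demonstration.

```python
"""Validate a static IPv4 configuration before emitting the Netsh commands.

Added example, not code from the Resource Kit. The checks catch the mistakes
that most often leave a manually configured client unreachable: a gateway
outside the subnet, a host address that is the network or broadcast address,
or a DNS entry that is a host name rather than an address. The adapter name
and addresses are sample values.
"""
import ipaddress


def validate_static(address, mask, gateway, dns_servers):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    try:
        iface = ipaddress.ip_interface(f"{address}/{mask}")   # mask may be dotted or a prefix length
    except ValueError:
        return [f"{address}/{mask} is not a valid address and mask"]
    net = iface.network
    if iface.version == 4 and net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        problems.append(f"gateway {gateway!r} is not an IP address")
    else:
        if gw.version != iface.version:
            problems.append("gateway and address are different IP versions")
        elif gw not in net:
            problems.append(f"gateway {gw} is not inside {net}")
        elif gw == iface.ip:
            problems.append("gateway equals the host address")
    for d in dns_servers:
        try:
            ipaddress.ip_address(d)
        except ValueError:
            problems.append(f"DNS server {d!r} is not an IP address")
    return problems


def netsh_static_ipv4(adapter, address, mask, gateway, dns_servers):
    """Return the Netsh command lines for a checked IPv4 configuration; raise ValueError otherwise."""
    problems = validate_static(address, mask, gateway, dns_servers)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.ip_interface(f"{address}/{mask}")
    if iface.version != 4:
        raise ValueError("this generator covers the ipv4 context only")
    if not dns_servers:
        raise ValueError("at least one DNS server is required")
    cmds = [f'netsh interface ipv4 set address "{adapter}" source=static '
            f'address={iface.ip} mask={iface.netmask} gateway={gateway}',
            f'netsh interface ipv4 set dnsserver "{adapter}" source=static '
            f'address={dns_servers[0]} register=primary']
    for index, dns in enumerate(dns_servers[1:], start=2):     # additional servers keep their order
        cmds.append(f'netsh interface ipv4 add dnsserver "{adapter}" address={dns} index={index}')
    return cmds


if __name__ == "__main__":
    # The values from the text plus a second DNS server (sample data).
    for line in netsh_static_ipv4("Local Area Connection", "192.168.1.10", "255.255.255.0",
                                  "192.168.1.1", ["192.168.1.2", "192.168.1.3"]):
        print(line)
```

Redirect the output into a batch file and it is the same lab script the sidebar shows, with the difference that a typo in the gateway or mask stops the generator instead of producing an adapter you then have to fix through the GUI. The validator also accepts IPv6 input, so it can be used as a pre-flight check for the ipv6 commands even though only the ipv4 lines are generated here.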