<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-2345801402054773497</id><updated>2011-08-21T07:18:21.293-07:00</updated><title type='text'>Computer Software Guide &amp; Tips</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default?start-index=101&amp;max-results=100'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>162</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-521992456944952493</id><published>2010-07-25T22:26:00.001-07:00</published><updated>2010-07-25T22:26:58.056-07:00</updated><title type='text'>Automatic SQL Server Backup</title><content type='html'>Today I wanted to talk about how to set up an automatic SQL Server backup solution and also how to back it up online with SecureBackup. 
I am using Microsoft SQL Server 2008 Express but you should be able to use these instructions for all versions of Microsoft SQL Server 2005 and Microsoft SQL Server 2008.&lt;br /&gt;&lt;br /&gt;In my case, the database files are located in the following directory:&lt;br /&gt;&lt;br /&gt;C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\DATA&lt;br /&gt;&lt;br /&gt;As you may already know, you cannot back up the *.MDF and *.LDF database files directly because they are attached to the SQL Server. You could detach them, back them up, and then re-attach them, but then your database will be offline for a period of time.&lt;br /&gt;&lt;br /&gt;To solve this problem, we first need to create a SQL file that can be used later to automate our database backup. Here’s how we can do that:&lt;br /&gt;&lt;br /&gt;CREATE AN SQL FILE&lt;br /&gt;Log in to Microsoft SQL Server Management Studio.&lt;br /&gt;Right click on your database from the “Databases” node.&lt;br /&gt;Select “Tasks” -&gt; “Back up…”&lt;br /&gt;You are now presented with the “Back up Database” window. In this window you can specify your backup settings. At a minimum, you need to create a destination for your backup. Click the “Add” button and specify a full path name for your database backup in the “File name” field. You will need to use this path name later, so let’s take note of it.&lt;br /&gt;You can choose any other backup options that are important to you. Over on the left hand side is “Options”. I would click on that and decide whether you want to use “append to an existing backup set” or “overwrite all existing backup sets”.&lt;br /&gt;Once you are finished with your settings, you need to create an SQL file which will be used later for the automated database backup. To create that SQL file, click on the arrow next to “Script” at the top of the window. There will be an option for “Script action to File”. Go ahead and select that option. You will then be able to save your SQL Server Script File. 
Take note of where you have saved this file as well.&lt;br /&gt;CREATE A BATCH FILE&lt;br /&gt;Now that we have created the SQL file, we need to create a batch file that can be automatically executed by the Task Scheduler. To create this file, do the following:&lt;br /&gt;&lt;br /&gt;Open Notepad and enter the following:&lt;br /&gt;sqlcmd -S .\SQLEXPRESS -i "C:\Users\Administrator\Documents\Backup.sql"&lt;br /&gt;Of course, substitute the pathname with the pathname of where you saved your SQL file.&lt;br /&gt;Save this file and take note of where you saved it.&lt;br /&gt;Now, using Windows Explorer, go to the directory where you created this file and rename it to have a .bat filename extension instead of .txt.&lt;br /&gt;SET BATCH FILE TO RUN IN WINDOWS TASK SCHEDULER&lt;br /&gt;We are now ready to add the batch file to the Task Scheduler. Rather than using the Task Scheduler GUI, I prefer to do it on the command line. You can open a command prompt as Administrator or, if you are already running as Administrator, you can use Start -&gt; Run. Either way, enter the following:&lt;br /&gt;&lt;br /&gt;schtasks /create /sc Daily /st 03:30:00 /tn "MyTask" /tr "cmd /c C:\Users\Administrator\Desktop\Backup.bat"&lt;br /&gt;&lt;br /&gt;Again, substitute the pathname above with that of your batch file.&lt;br /&gt;&lt;br /&gt;Also, set the time specified to something that is desirable for you. In the above example, we run this task at 3:30 AM.&lt;br /&gt;&lt;br /&gt;SET SECUREBACKUP TO BACKUP YOUR DATABASE&lt;br /&gt;The time specified in the Task Scheduler step above is important because you need to have SecureBackup automatically back up the database file after the task is complete. Since the backup took place at 3:30, you can set up SecureBackup to run the backup at, say, 4:00 AM. 
This way you will have the most recent backup.&lt;br /&gt;&lt;br /&gt;From within the SecureBackup software, you need to create or edit an existing Backup Job and include the location of the backup file that you chose in step 4 of “CREATE AN SQL FILE” above. If the file isn’t listed and you can’t select it from within SecureBackup, it’s because Windows Task Scheduler has not run your batch file yet. To run the batch file, simply double click on it from within Windows Explorer. It may take anywhere from 10 seconds to, possibly, a few hours depending on how large your database is. Once complete, you will have your database backup file and can select that file from within SecureBackup. You will also be able to schedule the Backup Job around how long it took for that batch file to complete.&lt;br /&gt;&lt;br /&gt;You now have an automated backup solution for your Microsoft SQL database complete with a secure online storage solution. I hope this post was helpful to you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-521992456944952493?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/521992456944952493/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=521992456944952493' title='11 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/521992456944952493'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/521992456944952493'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/07/automatic-sql-server-backup.html' title='Automatic SQL Server Backup'/><author><name>Perumal 
V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>11</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-5080058942154558943</id><published>2010-05-14T02:12:00.000-07:00</published><updated>2010-05-14T02:15:23.290-07:00</updated><title type='text'>To Create another User account with 'root' privileges</title><content type='html'>To create another root user account, we need to replicate the 'root' user account's characteristics, then make an account that has the same characteristics and capabilities as the 'root' user account. &lt;br /&gt;&lt;br /&gt;Let's begin by checking the 'root' user account.&lt;br /&gt;&lt;br /&gt;1. Check the user id of the ‘root’ user account: &lt;br /&gt;[root@fedora ~]# id root &lt;br /&gt;uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) &lt;br /&gt;&lt;br /&gt;Explanation of the command output: &lt;br /&gt;&lt;br /&gt;A. uid=0(root): the user id of user 'root' is 0. &lt;br /&gt;B. gid=0(root): the group id of user ‘root’ is 0. &lt;br /&gt;C. groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel): the user ‘root’ belongs to the groups root, bin, daemon, sys, adm, disk and wheel. &lt;br /&gt;&lt;br /&gt;2. 
Now we take a look at the passwd, shadow and group files that contain the ‘root’ user information: &lt;br /&gt;&lt;br /&gt;[root@fedora ~]# less /etc/passwd &lt;br /&gt;root:x:0:0:root:/root:/bin/bash &lt;br /&gt;[root@fedora ~]# less /etc/shadow &lt;br /&gt;root:$1$B2BEWv4X$Gb.QPb6I3RwCkEkz13ow21:13080:0:99999:7::: &lt;br /&gt;[root@fedora ~]# less /etc/group &lt;br /&gt;root:x:0:root &lt;br /&gt;bin:x:1:root,bin,daemon &lt;br /&gt;daemon:x:2:root,bin,daemon &lt;br /&gt;sys:x:3:root,bin,adm &lt;br /&gt;adm:x:4:root,adm,daemon &lt;br /&gt;disk:x:6:root &lt;br /&gt;wheel:x:10:root &lt;br /&gt;&lt;br /&gt;From the information gathered above, to create a user with the same power (superuser power) as the ‘root’ user on a Linux system, we need to create a user with the same uid, gid and groups as root. &lt;br /&gt;&lt;br /&gt;3. To create a user account that has the same ability (superuser) as the ‘root’ user, issue this command: &lt;br /&gt;[root@fedora ~]# adduser -u 0 -o -g 0 -G 0,1,2,3,4,6,10 -M root2 &lt;br /&gt;Explanation of the adduser command: &lt;br /&gt;adduser: use the Linux adduser command to create a new user account or to update default new user information. &lt;br /&gt;-u 0 -o: set the user id to 0 (-o allows the uid to be non-unique). &lt;br /&gt;-g 0: set the initial group number or name to 0. &lt;br /&gt;-G 0,1,2,3,4,6,10: set the supplementary groups to: &lt;br /&gt;0 = root &lt;br /&gt;1 = bin &lt;br /&gt;2 = daemon &lt;br /&gt;3 = sys &lt;br /&gt;4 = adm &lt;br /&gt;6 = disk &lt;br /&gt;10 = wheel &lt;br /&gt;-M: do not create a home directory for the user. &lt;br /&gt;root2: user name of the new user account. &lt;br /&gt;&lt;br /&gt;Note: you need administrative privileges on the system in order to issue the 'adduser' command above. &lt;br /&gt;&lt;br /&gt;4. 
Now add a password for user ‘root2’ by issuing the ‘passwd root2’ command, as in the example below: &lt;br /&gt;&lt;br /&gt;[root@fedora ~]# passwd root2 &lt;br /&gt;Changing password for user root2. &lt;br /&gt;New UNIX password: &lt;br /&gt;Retype new UNIX password: &lt;br /&gt;passwd: all authentication tokens updated successfully. &lt;br /&gt;&lt;br /&gt;Note: you need administrative privileges on the system in order to issue the 'passwd' command above. &lt;br /&gt;&lt;br /&gt;5. Check the id of user root2 by issuing the ‘id root2’ command, as in the example below: &lt;br /&gt;[root@fedora ~]# id root2 &lt;br /&gt;uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) &lt;br /&gt;&lt;br /&gt;6. Now recheck the passwd, shadow and group files that contain the ‘root2’ user information to confirm the changes: &lt;br /&gt;[root@fedora ~]# less /etc/passwd &lt;br /&gt;root:x:0:0:root:/root:/bin/bash &lt;br /&gt;root2:x:0:0::/home/root2:/bin/bash &lt;br /&gt;&lt;br /&gt;[root@fedora ~]# less /etc/shadow &lt;br /&gt;root:$1$B2BRWv4X$Gb.MPc6I3RwCkEkT13ow21:13080:0:99999:7::: &lt;br /&gt;root2:$1$bQHGH4cX$TtsV/WVdFe5cIsHWjzc.N1:13112:0:99999:7::: &lt;br /&gt;&lt;br /&gt;[root@fedora ~]# less /etc/group &lt;br /&gt;root:x:0:root,root2 &lt;br /&gt;bin:x:1:root,bin,daemon,root2 &lt;br /&gt;daemon:x:2:root,bin,daemon,root2 &lt;br /&gt;sys:x:3:root,bin,adm,root2 &lt;br /&gt;adm:x:4:root,adm,daemon,root2 &lt;br /&gt;disk:x:6:root,root2 &lt;br /&gt;wheel:x:10:root,root2 &lt;br /&gt;&lt;br /&gt;7. 
Everything should be OK; now try to log in to the system with the newly created ‘root2’ account, as in the example: &lt;br /&gt;&lt;br /&gt;login as: root2 &lt;br /&gt;root2@10.7.0.211's password: &lt;br /&gt;Last login: Thu Nov 24 23:48:49 2005 from 10.7.0.112 &lt;br /&gt;Could not chdir to home directory /home/root2: No such file or directory &lt;br /&gt;&lt;br /&gt;-bash-3.00# &lt;br /&gt;&lt;br /&gt;-bash-3.00# &lt;br /&gt;&lt;br /&gt;-bash-3.00# su - &lt;br /&gt;&lt;br /&gt;[root@fedora ~]# &lt;br /&gt;&lt;br /&gt;8. Make sure that you execute the su command with the hyphen ( su - ) to get the PATH of the user you are becoming. Below is an example of the su command with and without the hyphen. &lt;br /&gt;&lt;br /&gt;Log in as user tenouk, then execute $PATH as in the example below. &lt;br /&gt;[tenouk@fedora ~]$ $PATH &lt;br /&gt;-bash: /usr/lib/qt-3.3/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/tenouk/bin: No such file or directory &lt;br /&gt;&lt;br /&gt;[tenouk@tenouk ~]$ &lt;br /&gt;&lt;br /&gt;Use the su command to change to the root user as in the example below, and then execute $PATH. &lt;br /&gt;&lt;br /&gt;[tenouk@fedora ~]$ su root &lt;br /&gt;Password: &lt;br /&gt;[root@fedora tenouk]# $PATH &lt;br /&gt;&lt;br /&gt;bash: /usr/kerberos/sbin:/usr/lib/qt-3.3/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/tenouk/bin: No such file or directory &lt;br /&gt;&lt;br /&gt;[root@fedora tenouk]# &lt;br /&gt;&lt;br /&gt;Then try the su - command and verify with $PATH as in the example below. &lt;br /&gt;[root@tenouk tenouk]# su - root &lt;br /&gt;[root@tenouk ~]# $PATH &lt;br /&gt;&lt;br /&gt;-bash: /usr/lib/qt-3.3/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin: No such file or directory &lt;br /&gt;&lt;br /&gt;[root@tenouk ~]# &lt;br /&gt;&lt;br /&gt;Note: if you execute the su command without the hyphen ( - ), you inherit the PATH of the current user. 
Use the su command with the hyphen ( su - ) to get the default PATH of the root user. &lt;br /&gt;&lt;br /&gt;The step-by-step procedure above was tested on: &lt;br /&gt;Operating System: GNU/Linux Fedora Core 4 &lt;br /&gt;Kernel Name: Linux &lt;br /&gt;Kernel Release: 2.6.11-1.1369_FC4 &lt;br /&gt;Kernel Version: #1 Thu Jun 2 22:55:56 EDT 2005 &lt;br /&gt;Machine Hardware: i686 &lt;br /&gt;Machine Processor: i686 &lt;br /&gt;Hardware Platform: i386 &lt;br /&gt;Shell: GNU bash, version 3.00.16(1)-release (i386-redhat-linux-gnu) &lt;br /&gt;Installation Type: Full Installation (Custom) &lt;br /&gt;SELinux: Disabled&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-5080058942154558943?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/5080058942154558943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=5080058942154558943' title='19 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/5080058942154558943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/5080058942154558943'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/05/to-create-another-user-account-with.html' title='To Create another User account with &apos;root&apos; privileges'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>19</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-4685592534160664745</id><published>2010-05-03T03:53:00.001-07:00</published><updated>2010-05-03T03:54:01.226-07:00</updated><title type='text'>How to Extend IBM Websphere 7 Trial Period</title><content type='html'>I would like to introduce two simple ways to extend (or eliminate) the Websphere Application Server trial period:&lt;br /&gt;&lt;br /&gt;I. Delete the /properties/was.license file (when restarting the WAS7 server, the file will be recreated and the eval period restarts)&lt;br /&gt;&lt;br /&gt;II. Use the java code below to generate your own license file… (the generated license file will never expire)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;import java.io.File;&lt;br /&gt;import java.io.FileOutputStream;&lt;br /&gt;import java.io.ObjectOutputStream;&lt;br /&gt;import java.util.Date;&lt;br /&gt;public class WAS7LicGen {&lt;br /&gt;public static void main(String[] args) throws Exception {&lt;br /&gt;Date creationDate= new Date();&lt;br /&gt;Date expirationDate=new Date();&lt;br /&gt;FileOutputStream fos = new FileOutputStream(new File("./was.license"));&lt;br /&gt;ObjectOutputStream oos = new ObjectOutputStream(fos);&lt;br /&gt;oos.writeInt(0);&lt;br /&gt;oos.writeObject(creationDate);&lt;br /&gt;oos.writeObject(expirationDate);&lt;br /&gt;oos.close();&lt;br /&gt;fos.close();&lt;br /&gt;}&lt;br /&gt;}&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-4685592534160664745?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/4685592534160664745/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=4685592534160664745' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4685592534160664745'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4685592534160664745'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/05/how-to-extend-ibm-websphere-7-trial.html' title='How to Extend IBM Websphere 7 Trial Period'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-6212573593757697183</id><published>2010-04-04T22:20:00.000-07:00</published><updated>2010-04-04T22:21:10.885-07:00</updated><title type='text'>How to re-create the Show desktop icon on the Quick Launch toolbar in Windows XP</title><content type='html'>To re-create the Show desktop icon yourself, follow these steps: &lt;br /&gt;Click Start, click Run, type notepad in the Open box, and then click OK.&lt;br /&gt;Carefully copy and then paste the following text into the Notepad window: &lt;br /&gt;[Shell]&lt;br /&gt;Command=2&lt;br /&gt;IconFile=explorer.exe,3&lt;br /&gt;[Taskbar]&lt;br /&gt;Command=ToggleDesktop&lt;br /&gt;On the File menu, click Save As, and then save the file to your desktop as "Show desktop.scf". 
The Show desktop icon is created on your desktop.&lt;br /&gt;Click and then drag the Show desktop icon to your Quick Launch toolbar.&lt;br /&gt;Information for advanced users&lt;br /&gt;&lt;br /&gt;The Quick Launch toolbar uses the files in the following folder:&lt;br /&gt;&lt;br /&gt;%userprofile%\Application Data\Microsoft\Internet Explorer\Quick Launch&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-6212573593757697183?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/6212573593757697183/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=6212573593757697183' title='4 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/6212573593757697183'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/6212573593757697183'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/04/how-to-re-create-show-desktop-icon-on.html' title='How to re-create the Show desktop icon on the Quick Launch toolbar in Windows XP'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>4</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-2963493313350521833</id><published>2010-02-23T08:55:00.000-08:00</published><updated>2010-02-23T08:56:08.689-08:00</updated><title type='text'>Segmenting Your Network</title><content type='html'>&lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Tweak your physical infrastructure to improve 
performance&lt;/em&gt;             &lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Windows NT Magazine - March, 1999&lt;/em&gt;             &lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;When I think about performance tuning, I always see images of car-racing pit crews using precision instruments to make subtle adjustments to their cars' engine, tires, and chassis. To get the maximum performance from their cars, pit crews tweak their cars' parts to suit environmental factors such as track condition and air temperature. Similarly, Windows NT administrators continually apply patches and tweak settings on their networks in an ongoing effort to squeeze as much performance as possible out of their systems. This issue of &lt;em&gt;Windows NT Magazine&lt;/em&gt; provides many suggestions to help you improve the responsiveness of the systems you administer. As you make performance improvements to your individual machines, don't forget to maintain a sound physical network infrastructure. A poorly designed physical network can completely negate any performance improvements you make on a server, just as flat tires would restrain a finely tuned Indy-car engine. Use the following tips and techniques to properly segment your network and maximize the benefits of performance tuning your systems.&lt;/p&gt;           &lt;h3 id="XSLTsection122121120120"&gt;What Is Network Segmenting?&lt;/h3&gt;           &lt;p&gt;Segmenting at its most basic level is the process of separating certain portions of network traffic, either for performance, security, or reliability reasons. You can use a bridge, a switch, or a router to separate your network's devices into segments.&lt;/p&gt;           &lt;p&gt;Performance tuning is at once a science and an art. Knowing your options for grouping various devices to form a network is the science of network segmenting. 
However, successful networking requires you to choose your segmentation points wisely, considering all the devices on your network—this requirement is the art of network segmenting. To master this art, you must understand the types of traffic on your network and the path each type of traffic takes. Then, you must minimize the number of devices between the source and destination points of each packet.&lt;/p&gt;&lt;h4&gt;NT Servers Between Segments&lt;/h4&gt;&lt;p&gt;Many administrators use NT servers as routers between their network's segments because of budget constraints or because adding NICs to an existing server is easier than restructuring a network.&lt;/p&gt;&lt;p&gt;&lt;a href="http://technet.microsoft.com/en-us/library/Cc723544.figure01_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Cc723544.figure01(en-us,TechNet.10).gif" src="http://i.technet.microsoft.com/Cc723544.figure01%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;p&gt;Figure 1 depicts a network with two servers—each of which has two NICs—and two user segments. This network might seem simplistic, but many companies employ this type of network configuration—sometimes with hundreds of user workstations. This segmenting scheme places a performance burden on the two servers. The servers not only provide standard user services, but they are also responsible for routing packets between network segments. In addition, both servers in this network design must be available for users on one segment to be able to access the other segment. 
If one server goes down, users on that server's segment are unable to access the failed server and are also unable to access resources on the other segment.&lt;/p&gt;           &lt;p&gt;To maximize performance, this network's administrators need to place a bridge between the two segments, as Figure 2 depicts.&lt;/p&gt;           &lt;p&gt;             &lt;!--src=[images/figure02.gif]--&gt;&lt;img alt="figure02" src="http://i.technet.microsoft.com/Cc723544.figure02%28en-us,TechNet.10%29.gif" /&gt;           &lt;/p&gt;           &lt;p&gt;In Figure 2, each server is on the segment on which it gets the most use. Bridges don't retransmit packets that don't need to pass through them, so this configuration reduces network traffic without introducing routing overhead onto the servers. In addition, Figure 2's users won't lose access to the other network segment if one server crashes; the bridge will route traffic, so users on both sides of the network will still have access to the functional server. Bridges occasionally crash, and a bridge failure would prevent users on each segment from accessing the other segment. But most bridges crash far less often than servers crash, and in the event of a bridge crash, users on each side of the network can access the server on their segment.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;Switched Environments&lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;Suppose your network has grown to the point that you don't want to keep all your devices on one physical segment anymore. Switches provide the easiest and most common way to segment traffic. Switches and bridges behave similarly; both devices accept traffic on any of their ports, examine each packet for destination information, and transmit the packet only to the port on which the target device resides. The primary difference between a switch and a bridge is that switches work on a larger scale. 
Switches usually have at least a dozen ports, but bridges usually have only two ports.&lt;/p&gt;           &lt;p&gt;Unlike switches and bridges, a hub transmits packets to all of its active ports. Many people refer to hubs as shared media because every device that connects to the hub has to share its bandwidth with all the other devices that connect to the hub. If you connect too many hubs, you end up with a shared network too large to let users work effectively.&lt;/p&gt;           &lt;p&gt;To design a switching layout for your network, start with a switch on the central backbone of your enterprise network. This switch must extend to hubs or more switches. Users on some networks connect to the network through those secondary switches; this configuration is commonly referred to as a &lt;em&gt;switched-to-the-desktop &lt;/em&gt;setup. This setup is becoming more common as low-cost switches are becoming more prevalent. This configuration provides more security and better performance for each user than any other network segmenting configuration, but it costs more per port than any other segmenting method.&lt;/p&gt;           &lt;p&gt;Most companies still connect their user workstations to hubs. If your central switch connects to hubs or groups of hubs for user workstations, you can take several steps to improve your network's performance. Keeping in mind how traffic flows on your network, use the following guidelines to improve your network performance in a switched-and-shared environment.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Group frequently talking partners together. &lt;/em&gt;             &lt;/strong&gt; Consider keeping some servers on the same network segment as the servers' most frequent users. This concept runs contrary to the typical centralized-IS mentality, which encourages you to keep all major servers in a common area, but it might increase your network's performance. 
For example, if 90 percent of a server's traffic relates to your graphic arts department's production work, you might want to place that server on the graphic arts department's physical network segment. This server placement would reduce traffic on the central switch and shorten the path that the production work's packets take to get to their destination.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Give many-to-one devices their own port. &lt;/em&gt;             &lt;/strong&gt; When you install a switch, you know that some devices—such as servers and hubs—need their own ports on the central switch. But what about other devices that many users will attempt to access, such as an Internet connection? In general, if more than a few users routinely access a device, it needs a separate port on the switch.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Load-balance bytes on each switch port. &lt;/em&gt;             &lt;/strong&gt; Experts debate how many devices can and should be on each network segment. Most experts think that running between 24 and 48 devices on the same physical 10Mbps Ethernet network segment is acceptable. However, the number of devices a segment can hold depends on how much traffic each device generates. When you determine how many users to place on each logical segment of your network, consider the amount and type of traffic each user generates rather than simply balancing the number of users on each switch port. Some users (e.g., a graphic arts department) might use much more bandwidth than other users. Therefore, if you use one switch port to connect to a 24-port hub for most of your users, consider purchasing two 12-port hubs for your high-bandwidth users and connecting each hub to a separate port on the switch. 
This configuration will increase the high-bandwidth users' performance.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;               &lt;em&gt;Avoid overloading your devices. &lt;/em&gt;             &lt;/strong&gt; One of the primary reasons for implementing switching on a network is to reduce performance bottlenecks. However, if you don't design your network properly, your network segmenting might introduce new bottlenecks. Consider the network diagram in Figure 3.&lt;/p&gt;           &lt;p&gt;             &lt;!--src=[images/figure03.gif]--&gt;&lt;img alt="figure03" src="http://i.technet.microsoft.com/Cc723544.figure03%28en-us,TechNet.10%29.gif" /&gt;           &lt;/p&gt;           &lt;p&gt;This network switch has 12 ports, 8 of which link to 10Mbps hubs and 4 of which connect directly to servers. Suppose that during peak periods, users on each of Figure 3's 8 hubs create 2Mbps to 3Mbps of bandwidth for the servers. This situation would result in a total of 16Mbps to 24Mbps heading to the network's servers. If the servers have only 10Mbps connections to the switch, one server might become overloaded if it received half the network's traffic. Make sure your network can handle user loads during periods of peak traffic.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;Segmenting via Routers&lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;Although routers commonly connect geographically dispersed networks, you can use them to segment local networks. However, because administrators usually use routers to route traffic across WAN links, bandwidth between routers is usually limited and expensive. Minimizing router traffic is a key goal of performance tuning a network that uses routers.&lt;/p&gt;           &lt;p&gt;To reduce the bandwidth they use, most routers don't retransmit broadcast packets by default. 
However, you might want your router to retransmit broadcasts to improve the success rate of one of NT networks' primary housekeeping chores—name resolution. By understanding how Windows Internet Naming Service (WINS) clients resolve names on your network, you might be able to reduce traffic across your WAN links.&lt;/p&gt;           &lt;p&gt;WINS clients have four methods for resolving a network device's name. First, they can send a broadcast packet looking for the name of the machine. If a machine with a matching name doesn't respond to the broadcast, WINS assumes that no such device exists on the network. Second, a WINS client can send a directed packet to a WINS server requesting a name resolution. If the WINS server knows the IP address of the target machine, it passes that information to the client. The other two ways that WINS clients resolve NetBIOS names are combinations of the first two methods: broadcast first, then send a directed packet if the broadcast is unsuccessful (known as &lt;em&gt;mixed node&lt;/em&gt;), and send a directed packet first, then broadcast if the directed packet is unsuccessful (known as &lt;em&gt;hybrid node&lt;/em&gt;). For more information about NetBIOS name resolutions, see Mark Minasi, "Inside a NetBIOS Name Resolution," March 1997.&lt;/p&gt;           &lt;p&gt;Because broadcast packets don't typically cross routers, broadcast name resolution doesn't work if the device the client is trying to access is on another network segment. Therefore, directed packets are the primary mechanism for resolving NetBIOS names on routed networks. 
However, broadcasts might be useful in the network that Figure 4 depicts.&lt;/p&gt;           &lt;p&gt;             &lt;a id="ctl00_MTCS_main_ctl05" href="http://technet.microsoft.com/en-us/library/Cc723544.figure04_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Cc723544.figure04(en-us,TechNet.10).gif" src="http://i.technet.microsoft.com/Cc723544.figure04%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;           &lt;p&gt;As you can see, the network has two primary offices (Office B and Office C), which connect via a high-speed T1 circuit, and two satellite offices (Office A and Office D), which connect to the network via slower, 56Kbps connections. Office B and Office C include WINS servers that are replication partners. If users in Office A typically access only other devices in their office, their workstations shouldn't have to send directed requests to a WINS server across a WAN link to find local devices. If users primarily use local devices and don't have a local WINS server, you'll probably want to let them broadcast first to resolve addresses and send directed packets only when the broadcast fails. Setting client machines to mixed node might improve performance by reducing communications across the WAN link and allowing local clients to resolve the names of local devices quickly.&lt;/p&gt;           &lt;p&gt;You might have considered another alternative that I've carefully avoided mentioning: putting a WINS server in each satellite office so that WINS servers in every office can resolve names locally without broadcasts. I don't usually recommend such a configuration; adding WINS servers to your network usually increases the number of replication partners each system has, and therefore increases the amount of replication traffic on your network. 
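As an added illustration (not part of the original article), the following Python model runs the four WINS node types against the four-office layout just described, counting how many packets cross a WAN link and how many local broadcasts are sent. The office assignments, host names and the sample workload are constructed values.

```python
"""Toy model of NetBIOS name resolution by WINS node type.

Added example, not from the original article. The four-office topology and
the host names are constructed to match the Figure 4 description: Office B
and Office C hold WINS servers (replication partners); Office A and Office D
have none and reach the rest of the network over slow WAN links.
"""

# Which office each host sits in (constructed sample data).
HOSTS = {
    "PRINTER-A": "A", "FILESRV-A": "A",
    "WINS-B": "B", "MAIL-B": "B",
    "WINS-C": "C",
    "FILESRV-D": "D",
}
WINS_SERVERS = {"WINS-B": "B", "WINS-C": "C"}

# Resolution strategies, in the order each node type tries them.
NODE_TYPES = {
    "b-node": ["broadcast"],                # broadcast only
    "p-node": ["directed"],                 # WINS query only
    "m-node": ["broadcast", "directed"],    # mixed: broadcast first
    "h-node": ["directed", "broadcast"],    # hybrid: WINS first
}


def broadcast_resolve(client_office, target):
    """Routers do not forward broadcasts, so only same-office hosts answer."""
    return HOSTS.get(target) == client_office


def directed_resolve(client_office, target):
    """Send a directed query to the nearest WINS server.

    Returns (found, wan_packets): one WAN crossing for the request and one
    for the reply when the WINS server is in another office. Office A and
    Office D have no WINS server, so every directed query crosses a WAN link.
    """
    local = [o for o in WINS_SERVERS.values() if o == client_office]
    wan_packets = 0 if local else 2
    # Replication partners share the database, so any WINS server knows
    # every registered host.
    return target in HOSTS, wan_packets


def resolve(node_type, client_office, target):
    """Run the node type's strategies in order.

    Returns a dict with whether the name was found, how many packets went
    across a WAN link, and how many local broadcasts were sent.
    """
    wan_packets = 0
    broadcasts = 0
    for method in NODE_TYPES[node_type]:
        if method == "broadcast":
            broadcasts += 1
            if broadcast_resolve(client_office, target):
                return {"found": True, "wan": wan_packets, "bcast": broadcasts}
        else:
            found, cost = directed_resolve(client_office, target)
            wan_packets += cost
            if found:
                return {"found": True, "wan": wan_packets, "bcast": broadcasts}
    return {"found": False, "wan": wan_packets, "bcast": broadcasts}


def office_a_comparison():
    """Compare node types for an Office A client with typical local traffic.

    Constructed workload: eight lookups of local devices and two of a mail
    server in Office B. Returns node type to (WAN packets, local broadcasts,
    failed lookups).
    """
    workload = ["PRINTER-A"] * 4 + ["FILESRV-A"] * 4 + ["MAIL-B"] * 2
    summary = {}
    for node_type in NODE_TYPES:
        wan = 0
        bcast = 0
        failed = 0
        for target in workload:
            r = resolve(node_type, "A", target)
            wan += r["wan"]
            bcast += r["bcast"]
            if not r["found"]:
                failed += 1
        summary[node_type] = (wan, bcast, failed)
    return summary


if __name__ == "__main__":
    for node_type, (wan, bcast, failed) in office_a_comparison().items():
        print("%s: %d WAN packets, %d local broadcasts, %d failed"
              % (node_type, wan, bcast, failed))
```

With this workload the mixed node client sends 4 packets over the 56Kbps link where a hybrid or p-node client sends 20, and unlike a pure b-node client it still resolves the Office B name.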
Depending on your WINS servers' replication configurations, the additional WINS servers might increase your replication traffic exponentially. You might actually reduce your network's speed by adding WINS servers. Let me put into perspective the potential for delays on a network with too many WINS servers: Microsoft had only about a dozen WINS servers on its corporate network last time I checked.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;Multi-NIC, Multiprotocol Environments&lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;Suppose budget constraints have forced you to expand your network by adding NICs to your server, and you now have a large server that contains five NICs—four NICs for user segments and one NIC for a dedicated Internet connection, as Figure 5 shows.&lt;/p&gt;           &lt;p&gt;             &lt;a id="ctl00_MTCS_main_ctl07" href="http://technet.microsoft.com/en-us/library/Cc723544.figure05_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Cc723544.figure05(en-us,TechNet.10).gif" src="http://i.technet.microsoft.com/Cc723544.figure05%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;           &lt;p&gt;Also suppose that you have to leave IPX and NetBEUI running on the server to support some old DOS or Windows clients. If you accepted the NT defaults when you added all those protocols to your server, you bound each protocol (TCP/IP, NetBEUI, and IPX) to each of your five adapters. Binding each protocol to every NIC lets you plug in devices that use any of the three protocols anywhere on your network, so this approach might seem like a good time-saver for overworked administrators.&lt;/p&gt;           &lt;p&gt;However, because of how Microsoft browsing works, binding each protocol to each NIC adds a lot of unnecessary broadcast overhead to your network. 
Microsoft clients and servers find out about other devices on the network through browsing. In case some of the devices on your network have only one protocol installed (e.g., an old IPX client), the server responsible for maintaining the browse list must broadcast its information to each network segment in every protocol that segment uses.&lt;/p&gt;           &lt;p&gt;Therefore, in a multi-NIC, multiprotocol environment, you can get better network performance if you group machines by protocol, then unbind the unnecessary protocols from each server's NICs to prevent the server from sending out unnecessary broadcasts. You don't need your server to send IPX and NetBEUI browser announcements through the adapter for your Internet connection. Examine where your clients are and what protocols they're running. If you can run all your machines under one protocol, do so. But if you need multiple protocols on your network, try to group clients that use the same protocol on a network segment, then bind only the protocols necessary for each segment to that segment's NIC.&lt;/p&gt;           &lt;p&gt;             &lt;strong&gt;Get the Tools&lt;/strong&gt;           &lt;/p&gt;           &lt;p&gt;Just like an Indy-car pit crew, you need the right tools to understand the traffic that travels across your network. By making subtle changes to your network's traffic patterns and reducing unnecessary traffic, you can tweak your network for maximum performance. I highly recommend getting familiar with a network-monitoring tool such as Network Monitor, a limited version of which comes with NT, or a more robust program such as McAfee's Sniffer Basic (formerly NetXRay—for information, see Michael P. Deignan, "NetXRay 3.0," January 1998), HP OpenView NetMetrix, or Concord's Network Health. (For more information about network monitoring, see Toby J. Velte, "Application Testing with Network Monitor," September 1998, and "Simulating Your NT Network," January 1999.) 
With the right tools in hand, you'll be well on your way to squeezing every last drop of performance out of your network.&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-2963493313350521833?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/2963493313350521833/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=2963493313350521833' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2963493313350521833'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2963493313350521833'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/02/segmenting-your-network.html' title='Segmenting Your Network'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-479494529440094168</id><published>2010-02-23T08:47:00.001-08:00</published><updated>2010-02-23T08:47:57.229-08:00</updated><title type='text'>Basics of Network Segmentation: Switching and Bridging</title><content type='html'>&lt;p&gt;In previous articles, I explored the inner workings of the OSI Network Reference model, layer 2, the datalink layer, and one of its protocols, Ethernet. 
This week I'm going to significantly expand our simple two-host network -- one Macintosh and one e-mail server -- to include many hosts.&lt;/p&gt;  &lt;p&gt;Our imaginary network example, the small sprocket manufacturing business, has suddenly taken off, and Mr. Spacely has hired seventy new employees. Each employee is required to have a host on the local network. All the devices are sharing the same media. The architecture is one Ethernet LAN segment.&lt;/p&gt;  &lt;p&gt;Now the question arises, how do 72 hosts share one Ethernet LAN segment? The original Macintosh host must now share the wire with many other devices. The Ethernet protocol uses mechanisms at the LLC sub-layer of layer 2 for flow control. The network card will listen to the physical wire (layer 1) for a moment where there are no electrical pulses (transmissions). If the wire is quiet, as would be the case for our original two-host network, the Macintosh could easily place its Ethernet frame on the wire.&lt;/p&gt;  &lt;h3&gt;Consuming bandwidth on a single segment&lt;/h3&gt;   &lt;p&gt;Now, there are 71 other devices on the network that the Macintosh must contend with for frame transmission. If the Macintosh Ethernet adapter senses a transmission on the wire, the adapter will wait to transmit. After the wait period has expired, the network card will attempt once more to transmit the frame onto the wire. If another device is still using the wire, the Ethernet adapter will wait once more before attempting to transmit. The Ethernet adapter uses a back-off counter to tally these attempts. If the back-off counter exceeds 15 tries, the adapter will assume the wire is too busy to send the frame. It will then discard the frame from its memory. &lt;/p&gt;  &lt;h3&gt;Frame collisions&lt;/h3&gt;   &lt;p&gt;In the event two network devices transmit simultaneously, a packet collision occurs. 
When a collision occurs and is detected, the Ethernet adapter will generate an alarm on the wire to signal other stations of the event. If the collisions occur continuously, the adapter would dump the frame and not attempt to transmit. Such a condition would arise if too many devices were on one network segment. A scenario could occur where a faulty network card could transmit continuously, causing collisions on the network.&lt;/p&gt;  &lt;p&gt;If we have too many hosts on the Sprocket network, it is time to break up the segment into other, smaller network segments. The primary reason for segmenting is to increase bandwidth and to span the network over greater distances. The Ethernet 10-Base T topology has a distance limitation of 100 meters in transmission.&lt;/p&gt;  &lt;h3&gt;Repeaters&lt;/h3&gt;   &lt;p&gt;The Sprockets manufacturing floor quickly outgrew the space available in the basement of the founder's parents' farmhouse. The old barn started looking pretty appealing in size and cost of space per square footage. However, the old barn was about 90 meters away from the basement corporate site. &lt;/p&gt;  &lt;p&gt;Mr. Spacely's mother, now the VP of IT at Sprockets, knew this distance was too close to the 100-meter limitation of the existing Ethernet 10-Base T network. When Momma Spacely was baking some cookies for the quarterly company meeting, she came to the conclusion that a signal repeater was needed to bridge the extended network between the corporate site and the new manufacturing facility.&lt;/p&gt;  &lt;table cellpadding="0" cellspacing="10" width="393"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p class="tiny"&gt;&lt;img src="http://www.oreillynet.com/network/2001/03/16/graphics/Figure4_1.jpg" alt="Network diagram showing repeater." border="0" height="440" width="393" /&gt;&lt;br /&gt;Figure 1. A repeater is an OSI model layer-1 hardware component that  transmits frames from one wire and places them on another. 
Repeaters are a simple way to extend a LAN segment.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;A repeater is a layer-1, physical-layer device that simply repeats the signal from one wire onto another wire. This is a simple way to solve the Ethernet distance limitations for the Sprockets corporation, but it does have its drawbacks. For instance, if a lot of collisions are occurring in the corporate side of the network, they will be forwarded to the manufacturing network. Hubs, which are essentially repeaters with multiple ports, would be a more common solution to the Sprockets problem. A repeater is just a means for extending the existing network.&lt;/p&gt;   &lt;h3&gt;Bridging hardware&lt;/h3&gt;   &lt;p&gt;At the weekly managers' meeting, Mr. Spacely Sr., Spacely's father, who is also VP of manufacturing, expresses his concern for the numerous network outages his group is experiencing. The congested finance network in the basement facility is interfering with the manufacturing robots' access to the Oracle database servers in the family room. The VP of IT decides it is time to segment the corporate networks with layer-2 bridging devices.&lt;/p&gt;  &lt;table cellpadding="0" cellspacing="10" width="410"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p class="tiny"&gt;&lt;img src="http://www.oreillynet.com/network/2001/03/16/graphics/Figure4_2.jpg" alt="Network diagram showing a bridge." border="0" height="307" width="410" /&gt;&lt;br /&gt;Figure 2. A bridge is an OSI model layer-2 hardware component that is used to connect multiple segments.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;Bridges use MAC addresses to handle traffic flow. A bridge can also filter by MAC address, a feature that makes the bridge more attractive than a repeater. This style of filtering on Ethernet is called &lt;i&gt;transparent bridging&lt;/i&gt;.&lt;/p&gt;   
&lt;p&gt;For the Sprocket network a filter can be set in place to keep the chatty corporate frames off the manufacturing and database server network segments. Likewise, in the event bad frames are blasting across the corporate network, the transparent bridging will not forward these to other network segments.&lt;/p&gt;  &lt;p&gt;Bridging hardware has ports on it, called an interface, where a network segment connects. Filters are handled by software in the bridging device. The bridging cache maintains a MAC address table, similar to an ARP cache, but includes a database of which interface on the bridge the MAC address resides on. This table is crucial for the filtering software.&lt;/p&gt;  &lt;p&gt;If an Ethernet frame contains a source MAC address (SA) and a destination MAC address (DA) from a network segment on the same interface, then the frame is not forwarded to the rest of the network. The bridging software can make this distinction by using the MAC address and interface lookup table.&lt;/p&gt;   &lt;h3&gt;Local and remote bridging&lt;/h3&gt;   &lt;p&gt;Layer-2 bridging hardware is primarily used for two distinct topologies: local and remote bridged networks. The Sprocket LAN is an example of a local bridging topology. The bridge is used for connecting multiple networks into one big network.&lt;/p&gt;    &lt;p&gt;A remote bridge topology is used when two networks are separated geographically. For instance, Sprockets may wish to extend its network to cousin Fred's machine shop in another state. Fred may require access to the database server for quality assurance and ISO 9000 certification. The Sprockets LAN can be extended with bridging hardware and a few leased lines from the phone company. Filters would definitely need to be in place for cousin Fred. 
You wouldn't want to tie up his two T1 leased lines with noise from the corporate office computers.&lt;/p&gt;  &lt;h3&gt;Frame flooding&lt;/h3&gt;   &lt;p&gt;When a bridge receives a broadcast from one interface, it will forward the frame to all interfaces. There are pros and cons to layer-2 frame flooding and bridging. For example, in cousin Fred's shop, floor robots' software may use broadcasts to update all the robots simultaneously with new instructions. This ensures that all robots receive the same notification and updates. The downside is that the finance network will be receiving the robot's frames since finance is sharing the same bridged network. The network can easily become overwhelmed.&lt;/p&gt;  &lt;h3&gt;The layer-2 switch&lt;/h3&gt;   &lt;p&gt;Five years have gone by since Mr. Spacely Jr. started Sprockets. It has now evolved into a large corporation with manufacturing partners in the Pacific island rim. Cousin Fred is VP of computer-integrated manufacturing as well as a proud recipient of CCIE, MSCE, and Linux certifications. All this to keep his manufacturing robots operating on a 7x24 schedule. Cousin Fred now has high-speed ATM WAN connections between his Uncle Spacely Sr.'s family room and his automated shop floor.&lt;/p&gt;  &lt;table cellpadding="0" cellspacing="10" width="476"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p class="tiny"&gt;&lt;img src="http://www.oreillynet.com/network/2001/03/16/graphics/Figure4_3.jpg" alt="Diagram showing a layer 2 LAN switch." border="0" height="449" width="476" /&gt;&lt;br /&gt;Figure 3. A layer-2 LAN switch is a complex bridge that provides  connectivity for mixed-media.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;   &lt;p&gt;The family room, now a humble data center supporting finance, marketing, and engineering, has raised flooring and a climate-controlled environment for an IBM mainframe, five Linux servers, and two Windows 2000 servers. The family room, which Mr. Spacely Sr. 
aptly refers to as his hobby room, has a fast Ethernet LAN segment and a token ring network. Finance is wired into a token ring, to the data center mainframe, while the local manufacturing floor in the barn is the legacy 10-Base T Ethernet network. There are now mixed layer-2 media that must operate seamlessly.&lt;/p&gt;  &lt;p&gt;Momma Spacely, the VP of IT, makes a bold move once more to introduce cutting edge hardware. She opts to use a layer-2 switch to connect her growing mixed-media network. A layer-2 switch is essentially a super bridging device. Instead of connecting via interfaces as Sprockets did with a bridge, the connection medium of a switch is a port, just like a port on a simple hub (repeater). Unlike a hub, a port on a switch can be configured to belong to a specific network.&lt;/p&gt;  &lt;p&gt;The Sprocket corporate network is Ethernet using TCP/IP protocols. The token ring network is also using TCP/IP. However, token ring layer 2 and Ethernet layer 2 are entirely different frames. And don't forget cousin Fred's ATM WAN connection which uses LANE (LAN Emulation for Ethernet and Token Ring). The Sprockets network has a switch with interface cards that support all these styles of ports. The ATM switch is a special piece of hardware that works in conjunction with the layer-2 switch they use for the network. All this functionality is handled primarily at the hardware level of the switch.&lt;/p&gt;   &lt;h3&gt;VLANs&lt;/h3&gt;   &lt;p&gt;The primary layer-3 protocol in the Sprockets network is IP. The layer-2 protocols are a mixture of token ring, Ethernet, and ATM LANE. Our network-knowledgeable VP of IT decides to carve up her mixed-media and workgroup infrastructure into virtual LANs (VLANs). The physical ports of the layer-2 switch can be configured to belong to a logical network. Recall the MAC address table for the bridge we discussed earlier? Now a MAC address table is maintained with an associated VLAN. 
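As an added illustration (not part of the original article), here is a small Python model of the transparent bridging and VLAN behaviour described above: the switch learns which port and VLAN each source MAC lives on, filters frames whose source and destination sit on the same interface, floods broadcasts and unknown destinations only to the other ports of the same VLAN, and never forwards a frame from one VLAN into another. The port numbers, VLAN ids and MAC addresses are constructed sample values.

```python
"""Toy model of a VLAN-aware learning (transparent) bridge.

Added example, not from the original article. Port numbers, VLAN ids and
MAC addresses below are constructed sample values.
"""
from collections import namedtuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# A frame carries only what the bridge looks at: source and destination MAC.
Frame = namedtuple("Frame", "sa da")


class VlanSwitch:
    def __init__(self, port_vlans):
        # port number to VLAN id, set by the administrator ("a port on a
        # switch can be configured to belong to a specific network")
        self.port_vlans = dict(port_vlans)
        # The bridging cache: MAC to (port, vlan). This is the lookup table
        # the filtering software consults.
        self.mac_table = {}

    def ports_in_vlan(self, vlan):
        return sorted(p for p, v in self.port_vlans.items() if v == vlan)

    def receive(self, in_port, frame):
        """Process one frame arriving on in_port.

        Returns the sorted list of ports the frame is forwarded to, and
        updates the MAC table as a side effect.
        """
        if in_port not in self.port_vlans:
            raise ValueError("unknown port %r" % (in_port,))
        vlan = self.port_vlans[in_port]

        # Learning: remember which port (and VLAN) this source lives on.
        # A station that moves to another port is re-learned here.
        self.mac_table[frame.sa] = (in_port, vlan)

        # Broadcasts are flooded, but only inside the sender's broadcast
        # domain, i.e. the other ports of the same VLAN.
        if frame.da == BROADCAST:
            return [p for p in self.ports_in_vlan(vlan) if p != in_port]

        entry = self.mac_table.get(frame.da)
        if entry is None:
            # Unknown destination: flood within the VLAN, like a broadcast.
            return [p for p in self.ports_in_vlan(vlan) if p != in_port]

        out_port, out_vlan = entry
        if out_port == in_port:
            # SA and DA live on the same interface: filter, do not forward.
            return []
        if out_vlan != vlan:
            # Destination is in another VLAN. A layer-2 switch never bridges
            # between VLANs; that is a router's job.
            return []
        return [out_port]


def sprockets_demo():
    """Walk a Sprockets-style topology: manufacturing, finance, server farm."""
    sw = VlanSwitch({
        1: 10, 2: 10,        # VLAN 10: manufacturing (two ports)
        3: 20,               # VLAN 20: finance
        4: 30, 5: 30,        # VLAN 30: server farm
    })
    robot = "00:10:00:00:00:01"
    fred = "00:10:00:00:00:02"
    finance_pc = "00:20:00:00:00:01"
    db_server = "00:30:00:00:00:01"

    results = {}
    # Robot broadcasts an update: reaches only the other manufacturing port.
    results["robot_bcast"] = sw.receive(1, Frame(robot, BROADCAST))
    # Fred replies to the robot; the robot is now known on port 1.
    results["fred_to_robot"] = sw.receive(2, Frame(fred, robot))
    # Finance PC broadcasts: port 3 is alone in VLAN 20, nothing leaves.
    results["finance_bcast"] = sw.receive(3, Frame(finance_pc, BROADCAST))
    # Server announces itself, then finance tries to reach it directly:
    # known MAC, but in VLAN 30, so the switch drops it (router needed).
    sw.receive(4, Frame(db_server, BROADCAST))
    results["finance_to_db"] = sw.receive(3, Frame(finance_pc, db_server))
    # A second robot hanging off a hub on port 1 talks to the first robot:
    # same interface on both ends, so the bridge filters the frame.
    results["same_port"] = sw.receive(1, Frame("00:10:00:00:00:03", robot))
    return results


if __name__ == "__main__":
    for name, ports in sprockets_demo().items():
        print("%-16s forwarded to ports %s" % (name, ports))
```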
What the switch is doing is carving up the really big and flat network into manageable isolated network segments. Finance can have its own VLAN using token ring. Cousin Fred and his ATM LANE Ethernet traffic flows can be moved over to a manufacturing VLAN and so forth.&lt;/p&gt;  &lt;table cellpadding="0" cellspacing="10" width="343"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;&lt;p class="tiny"&gt;&lt;img src="http://www.oreillynet.com/network/2001/03/16/graphics/Figure4_4.jpg" alt="Diagram showing a layer 3 switch or router." border="0" height="378" width="343" /&gt;&lt;br /&gt;Figure 4. A layer-3 switch, called a router, is required for  exchanging layer-2 frames across different broadcast domains or VLANs.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;  &lt;p&gt;From the figure you can see that the Sprockets network topology is easily carved into three distinct virtual networks: manufacturing, finance, and a server farm. The technical definition of a VLAN is a virtual bridge that segments a physical broadcast domain inside of a switch. The rule of thumb is that one VLAN can not explicitly pass traffic to another. Therefore, finance traffic is now kept inside the finance token ring and Ethernet networks. Manufacturing has its own VLAN extended across an ATM LANE link. This is a good solution for managing the bandwidth, but a small problem has surfaced. How can users access the server farm if it's off on its own VLAN? The solution is a layer-3 switch, called a router, which we'll discuss in a future segment. The point that needs to be made is that the layer 2 switch will provide the ability to carve up your network into broadcast domains. To make these broadcast domains share traffic across VLANs requires a layer-3 switch (router).&lt;/p&gt;  &lt;h3&gt;Jumping through loops&lt;/h3&gt;   &lt;p&gt;The Sprockets corporation has experienced a wealth of prosperity in the past five years. 
The VPs at Sprockets have clearly understood the necessity of their network and have expanded it accordingly, to meet the demands of their business needs. The network certainly has come a long way since the original Macintosh client and single Intel server that once sat in the basement. The network isn't perfect yet; our heroine, Momma Spacely, the VP of IT, has added a significant amount of switches to her corporate network to accommodate the company's explosive rate of hiring. Now network path loops have surfaced and our IT warrior must come up to speed fast on the spanning-tree bridging protocol. Stay tuned for the next installment where we'll see how Momma Sprocket tackles the bridging protocol.&lt;/p&gt;  &lt;p&gt;&lt;i&gt; &lt;a href="http://www.oreillynet.com/pub/au/55"&gt;Michael J. Norton&lt;/a&gt;  is a software engineer at Cisco Systems.  &lt;/i&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-479494529440094168?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/479494529440094168/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=479494529440094168' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/479494529440094168'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/479494529440094168'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/02/basics-of-network-segmentation.html' title='Basics of Network Segmentation: Switching and Bridging'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-3705228089778585007</id><published>2010-02-23T03:33:00.001-08:00</published><updated>2010-02-23T03:33:44.605-08:00</updated><title type='text'>Ethernet Networking Explained</title><content type='html'>&lt;p&gt;A Local Area Network (LAN) has been an essential tool for business computing for many years, and great fun for           gaming for not quite so long. And setting up a basic small LAN is now a very easy task. But networking catalogues           are full of bridges and switches and hubs and routers, making it hard for the beginner to figure out what's going           on. What do you need, and what do you not?&lt;/p&gt;          &lt;p&gt;This Web page will tell you. The first half is the stuff you need to know to knock together a basic Windows network           for playing games or ordinary small business use. It tells you how the common kinds of Ethernet differ, and what to           do to make your network work and keep it working. After that, there's the more technical information for people who           are working with larger networks, or are just curious. &lt;a href="http://www.dansdata.com/network.htm#technical"&gt;Jump to the technical stuff&lt;/a&gt;.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Three flavours&lt;/h3&gt;          &lt;p&gt;This document will deal only with the three most popular kinds of PC networks, 10Base2, 10BaseT and 100BaseT. A number of the terms used here have different meanings when applied to older and more esoteric networking systems, but only these three flavours are currently in use for home and small business – and, often, large business – applications.&lt;/p&gt;          &lt;p&gt;10Base2 is also called thin Ethernet or "cheapernet". 
10BaseT looks to the computer like 10Base2, but offers more           flexible layout. Both of these are Ethernet; the term refers both to the kind of cable used in a network, and the           kind of signals sent on the cable. 100BaseT is a ten-times-faster version of 10BaseT, using the newer "Fast Ethernet"           system.&lt;/p&gt;          &lt;p&gt;The "10" in the names of the two slower flavours of Ethernet indicates that these versions have a signalling speed of 10MHz, giving a maximum useful data throughput, from the user's point of view, of about half a megabyte per second. 100BaseT uses 100MHz signalling and is commensurately faster. The "Base" in the names means they're "baseband" networks, which means that they have only one channel for data transmission, so only one device can transmit at a time. This is important; as baseband networks get more and more machines on them, it's more and more likely that two machines will try to transmit at once, causing a "collision". After a collision, the machines that caused it each wait a brief randomly chosen period of time and try again. This means that even severely congested baseband networks still work, but they get slower and slower as more and more machines are added. Special devices like &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;switches&lt;/a&gt;,          &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridges&lt;/a&gt; and &lt;a href="http://www.dansdata.com/network.htm#Routers"&gt;routers&lt;/a&gt; exist to deal with this problem.&lt;/p&gt;          &lt;p&gt;The "2" in 10Base2 indicates the maximum segment length in hundreds of metres – the maximum aggregate length of           cables you can use, with up to 30 computers connected, before you have to start using routers, bridges or switches,           of which more later. 
In the real world, the maximum reliable 10Base2 segment length is 185 metres.&lt;/p&gt;          &lt;p&gt;Just to be awkward, the "T" in 10BaseT and 100BaseT has nothing to do with cable lengths; it indicates that these systems use unshielded twisted pair (UTP) telephone-type cable, against the "RG-58" 50 ohm coaxial cable used by 10Base2.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Cables and connectors&lt;/h3&gt;          &lt;p&gt;Coaxial cable, as used in 10Base2, has a single centre conductor covered with a layer of insulation, a braided           and/or aluminium foil second conductor and then the outer jacket. It's used in various versions for all sorts of high           frequency applications. The old thick "10Base5" Ethernet cabling has lower loss than RG-58, and is much thicker, much           more expensive and much less flexible. It's technically incompatible with 10Base2, but will generally work and can           be used in a pinch.&lt;/p&gt;          &lt;p&gt;The "twisted pair" cabling used for 10BaseT uses pairs of conductors twisted around each other to reduce susceptibility to induced currents. 10BaseT uses unshielded twisted pair (UTP) cabling, which is cheap, and comes in different "levels" or "&lt;a href="http://www.dansdata.com/network.htm#Category"&gt;categories&lt;/a&gt;"; the higher the category, the better the data carrying ability. Level 3 cable           is all 10BaseT requires, though many current installations are using Level 4 or Level 5 in anticipation of faster           network standards in the future.&lt;/p&gt;          &lt;p&gt;10BaseT does not have a distinct maximum cable length – 100 to 150 metres is the generally accepted limit, but           high grade low loss cable can extend this. 
This maximum length is the distance each computer can be from its hub,           not the total cable length in the system, so a single $200 17-port hub makes it easy to cable up a good-sized office.&lt;/p&gt;          &lt;table style="float: right; margin-left: 5px; margin-bottom: 5px;" border="1" cellpadding="5" cellspacing="0" width="35%"&gt;           &lt;tbody&gt;&lt;tr&gt;            &lt;td width="100%"&gt;&lt;small&gt;"RJ-45" stands for Registered Jack 45. "BNC" variously stands for Bayonet Navy Connector,             British Naval Connector, Bayonet Neill Concelman, or Bayonet Nut Connection, depending on who you ask.&lt;/small&gt;&lt;/td&gt;           &lt;/tr&gt;          &lt;/tbody&gt;&lt;/table&gt;          &lt;p&gt;10BaseT's dual-twisted-pair cables have RJ-45 modular connectors at the end. RJ-45s look similar to the RJ-11 modular telephone connectors which are valiantly attempting to replace the antiquated giant Australian phone plugs, but have eight pins instead of the RJ-11's six. 10Base2's twist-on BNC connectors violate the standard rule of computer connectors which states that they should snag as many other cables as they can when pulled through a mess of wiring. Fortunately, most RJ-45's redress the balance; the plastic clip on the back of the connector is not only very good at catching other cables, but impressively fragile as well, and a broken clip renders the connector very unreliable.&lt;/p&gt;          &lt;p&gt;BNCs, however, can be very unreliable when not obviously damaged at all. Frequent plugging and unplugging can make           the centre pin terminal a loose fit, and corrosion can also cause problems. 
RJ-45 connectors at least generally LOOK           wrong when they're broken.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Setting it up&lt;/h3&gt;          &lt;p&gt;The step by step procedure for installing a basic small business or game-playing LAN is now, usually, very simple – install your network cards like any other card, hook up the cable, and as soon as your operating system knows about it, it works. In Windows 95 or 98, all you've got to do is make sure you've got your workgroup name set the same as that of the people you want to connect to, and that all the computers on the network share at least one network protocol.&lt;/p&gt;          &lt;p&gt;About the only problem you're likely to have in setting up a small network is making the cards work – a standard NE2000-compatible network card needs an IRQ and a few I/O addresses, and setting one up on a packed machine may require some resource juggling. This, however, is not a problem peculiar to networks, and since you can now get dirt cheap Plug and Play network cards, setup is often effortless. (If it's not, check out my Step By Step column on troubleshooting Plug and Play problems, &lt;a href="http://www.dansdata.com/sbs2.htm"&gt;here&lt;/a&gt;.) &lt;/p&gt;          &lt;p&gt;There are, however, some basic facts about networks which it helps to know.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Topology?!&lt;/h3&gt;          &lt;p&gt;Topology is, for network purposes, the layout of computers and cables and other gadgets in the network. 
The basic           topology for 10Base2 and 10BaseT is simple.&lt;/p&gt;          &lt;p&gt;A 10Base2 segment (a segment, in this case, is a network with no bridges or switches or other fancy devices in           it) contains two or more computers, each with a network card (&lt;a href="http://www.dansdata.com/network.htm#Network%20Interface%20Card"&gt;NIC&lt;/a&gt;) fitted with           a T-piece which accepts two network cables, or a network cable and a 50 ohm terminating resistor. Each end of the           network must have a terminator and a cable connected, and everything else has two cables connected. The T-piece must           go right on the network card – you can't use extension cords between the card and the T-piece.&lt;/p&gt;          &lt;p&gt;You can take a computer out of the network by disconnecting its T-piece from the network card, leaving the cables           connected to the T-piece's two arms. Disconnect in any other way, or remove either terminator, and the network stops           working until you plug it back together. Every machine has to be at least 50 centimetres of cable away from every           other machine, too.&lt;/p&gt;          &lt;table style="float: right; margin-left: 5px; margin-bottom: 5px;" border="1" cellpadding="0" cellspacing="0" width="160"&gt;           &lt;tbody&gt;&lt;tr&gt;            &lt;td width="100%"&gt;            &lt;p class="Center"&gt;&lt;a href="http://www.dansdata.com/images/networking/crossover640.GIF"&gt;            &lt;img src="http://www.dansdata.com/images/networking/crossover160.GIF" alt="Crossover diagram" height="77" width="160" /&gt;&lt;/a&gt;&lt;/p&gt;            &lt;/td&gt;           &lt;/tr&gt;           &lt;tr&gt;            &lt;td style="padding: 5px;" width="100%"&gt;            &lt;p class="Center"&gt;&lt;small&gt;How to wire a 10BaseT crossover cable, for connecting two, but only two, machines             together without a hub. 
This is the same kind of cable that is used to "cascade" multiple hubs into one network.             The pin numbers are as you look at the contact side of the plug, with the cable running away from you.&lt;/small&gt;&lt;/p&gt;            &lt;/td&gt;           &lt;/tr&gt;          &lt;/tbody&gt;&lt;/table&gt;          &lt;p&gt;10BaseT, on the other hand, requires a special piece of hardware called a "hub" if you want to use more than two           computers. Two machines can hook together with a simple crossover cable, but otherwise every machine on the network           must have its own single lead to a port on the hub, which must therefore have enough ports to support the number of           machines you wish to network. Multiple hubs can be connected together to allow larger networks; see &lt;a href="http://www.dansdata.com/network.htm#Hub"&gt;          here&lt;/a&gt; for more information on hubs.&lt;/p&gt;          &lt;p&gt;Both approaches have their pros and cons. Both offer really, really cheap network cards – $40 (Australian dollars)           gets you a vanilla NE2000-clone card with both 10Base2 and 10BaseT connectors. And, for 10Base2, that's pretty much           where the spending stops; the network cards come with T-pieces, so all you need are enough cables and a couple of           terminators, and you're in business.&lt;/p&gt;          &lt;p&gt;For 10BaseT, you have to buy a hub as well, and this will set you back about $100 for a five port hub, or around           twice as much for 17 ports. 10BaseT hubs are available in various sizes and can be "cascaded" to add more ports to           your network.&lt;/p&gt;          &lt;p&gt;So why should you bother with 10BaseT? Well, in the 10Base2 configuration, one dud cable, dodgy T-piece, duff terminator or poor connection makes the whole network stone dead until the defective component or connection is fixed – or, worse yet, just interrupts the network every now and then. 
Intermittent problems are the most annoying. Finding the defective component in 10Base2 is a process of elimination – you just start somewhere, anywhere, and then "divide and conquer" – cut the network in two and reterminate the two halves, then see which half still has the problem and divide it again, and so on, until you locate the source of the failure.&lt;/p&gt;          &lt;p&gt;In 10BaseT, on the other hand, one bum cable or network adapter will only remove one machine from the segment.           A dead hub will kill the network for every machine directly connected to that hub, but hubs are much more reliable           and less prone to accidental damage than 10Base2 cables, T-pieces and terminators.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Repeaters, routers and hubs – the basics&lt;/h3&gt;          &lt;p&gt;Each 10Base2 segment can only be 185 metres in length, and can only accommodate 30 computers. For many applications, this is fine, and so you can get away with a $40-or-less network card in each machine and a few ten buck cables. But 185 metres can be used up surprisingly quickly in standard into-the-wall-and-up through-the-ceiling cable installations.&lt;/p&gt;          &lt;p&gt;If you need more length, a repeater lets you join 10Base2 segments together. The Ethernet spec allows for up to           four repeaters in a network – which, for the mathematically disinclined, means five segments – but only three of these           segments can be "populated" – have computers connected to them. So your maximum 10Base2 cable length using repeaters           is 925 metres, with 555 metres of that being useable for up to 90 computers.&lt;/p&gt;          &lt;p&gt;This rule applies to 10BaseT, as well, because every 10BaseT hub acts as a repeater. 
This can result in rather           complex layout diagrams, but the basic rule is easy to remember – the path between any two computers must not include           more than four repeaters or hubs, or more than three populated cable segments.&lt;/p&gt;          &lt;p&gt;Having 90 computers connected via Ethernet, though, is not a good idea unless each of them doesn't use the network           much. With only 10 megabits per second shared between 90 machines, all of them trying to move data at once gives each           computer a theoretical maximum bandwidth available to it of about 14 kilobytes per second. Since there'd be collisions           galore from all that simultaneous chatter, the real bandwidth would be much lower, and the network would grind to           a halt.&lt;/p&gt;          &lt;p&gt;What you need to do to cut down the chatter is either increase the total shareable bandwidth by switching to Fast Ethernet (which won't actually help all that much if you've got 90 computers talking at once; the network will probably still be painfully slow), or chop the network up into smaller segments, with traffic only escaping a segment when it's actually addressed to a computer on the outside. Dividing your LAN up like this is called "internetworking", and allows big networks to be both faster and physically larger, as it overcomes the maximum cable run problems.&lt;/p&gt;          &lt;p&gt;To get around the maximum number of repeaters problem, you have to use bridges. Bridges are more expensive than           repeaters, but they let you extend your network without breaking the rules, by intelligently filtering and forwarding           data based on the machine it's intended for – the bridge has enough brains to know what machine addresses are on each           side of it, and block the passage of traffic addressed to a section of network which does not contain the intended           recipient of the data. 
When calculating legal routes, you can reset your repeater count to zero if the data path goes           through a bridge. The Ethernet specification allows no more than seven bridges on a network. Bridges can have multiple           ports, and so connect to more than two network segments; by using multi-port bridges, you can build huge networks,           because each collision domain can have up to 1024 nodes on it. In practice, any normal computers will generate enough           network traffic that 1000 computers in one collision domain will hopelessly clog the network, but if they're really,           really quiet, you can do it.&lt;/p&gt;          &lt;p&gt;Routers are like bridges, only more so. They do the same data filtering, but can also connect completely different           networks to each other, allowing, for example, an office network to be connected to the Internet. With the use of           routers, there's no practical limit to how many machines you can network together.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Setting up Windows networking&lt;/h3&gt;          &lt;p&gt;One of Windows 95’s big selling points was that it finally made PC networking simple enough for anyone to set up.           Provided your network card is correctly addressed by Windows – an automatic procedure, for current Plug and Play cards           – all you have to do is add the network protocols of your choice in Network Properties.&lt;/p&gt;          &lt;p&gt;Windows 98 doesn’t change much in this department. If you’ve set up 95’s networking, you can set up 98’s. Once           your network card is working with Windows, add the clients and protocols you need in Network Properties (accessible           from Control Panel, or by right-clicking the Network Neighbourhood icon and selecting Properties). 
For most small           business networks and Internet access, all you’ll need is the Client for Microsoft Networks, the NetBEUI protocol           for your network card and TCP/IP for your Dial-Up Adapter; you only need to install the first yourself, since the           Internet Connection Wizard takes care of the dial-up stuff.&lt;/p&gt;          &lt;p&gt;NetBEUI is a fast protocol that works well on networks with fewer than 50 machines, which covers the majority of situations. If your network uses IPX and/or TCP/IP, install them for your network card too; if you only want them for multiplayer gaming, turn off all of the bindings in their Properties windows, and say no to the dialogue box asking if you’d like to change your mind. The bindings let Windows use these protocols for regular network communication as well as the raw data transfer the games want, and redundant bindings slow down your network.&lt;/p&gt;          &lt;p&gt;If you’ve got a Windows 95 computer with TCP/IP set up for its network card and leave it on the default "automatically obtain an IP address" setting, the network the computer’s connected to must have what’s called a Dynamic Host Configuration Protocol (DHCP) server connected to it to dole out an address. Without such a server, any 95 machines without addresses will fail to communicate over TCP/IP, and will furthermore slow the network down as they periodically yodel down the wire, hoping a server’s shown up.&lt;/p&gt;          &lt;p&gt;Windows 98 does a bit better than this. Machines set to automatically obtain an address which don’t find a server will give themselves an address in the "LINKLOCAL network" IP address space, which means an address starting with 169.254 and with two more arbitrary numbers on the end. The LINKLOCAL space is a "class B network", which means the network ID is the first two numbers. 
All 169.254.X.X computers can see each other provided they each have a different combination of the last two numbers, and since the last two numbers can be from 0 to 255 and from 1 to 254 respectively, there are 256 times 254, or 65,024, possible addresses, so plenty of computers can be on this network at once and address clashes are unlikely.&lt;/p&gt; &lt;p&gt;169.254 addresses are not, however, valid for networks connected to the Internet; they are link-local only, and routers don't forward them. Rest assured that calling your ISP and connecting with TCP/IP for the Dial-Up Adapter does not constitute "connecting to the Internet" in this sense.&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;h3&gt;Earthing 10Base2&lt;/h3&gt; &lt;p&gt;Got a 10Base2 terminator with a little dangly thing hanging off it? It's a ground chain – or strap, or wire. If you screw the lug at the end of the chain, strap or wire to the chassis of the computer with any convenient mounting screw, you earth the shield conductor of the network cable.&lt;/p&gt; &lt;p&gt;This may or may not be a good thing.&lt;/p&gt; &lt;p&gt;The 10Base2 spec says the network "may" be grounded in one (and ONLY one) place, and doing this may reduce network errors. Grounding the network in more than one place WILL cause errors and may damage equipment thanks to potential differences between different "grounds". So don't do that.&lt;/p&gt; &lt;p&gt;This is especially bad if you run a 10Base2 cable between buildings, which is something you're not meant to do. Different buildings often have markedly different earth potentials, and if the cable's grounded at both ends, a hefty current can flow through the shield, causing lots of network errors and, possibly, starting fires. 
If some hapless           person at the other end unplugs the network connector, or even just &lt;strong&gt;touches&lt;/strong&gt; it if it happens to be           grounded at the far end but not the near one, they can receive an electric shock.&lt;/p&gt;          &lt;p&gt;If your network works fine without grounding, there's no need to change. If it's grounded and you're getting errors,           try ungrounding it, or grounding it at the other end.&lt;/p&gt;          &lt;p&gt;If your network has a repeater on one end of a segment, it probably automatically grounds that end. So don't ground           the other one.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;p class="Center"&gt;That's it for the basic stuff...&lt;/p&gt;          &lt;hr color="#ff0000"&gt;          &lt;p class="Center"&gt;...&lt;a name="technical"&gt;now here's the more complex info.&lt;/a&gt;&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;&lt;a name="Megabit"&gt;How&lt;/a&gt; much is a megabit?&lt;/h3&gt;          &lt;p&gt;Computer-savvy people know that the kilo-, mega- and giga- prefixes, in computer usage, don’t mean 1,000, 1,000,000           and 1,000,000,000, as they do normally. Computers use binary arithmetic, so everything’s in powers of two, and the           three prefixes indicate 1,024, 1,048,576 and 1,073,741,824 – two to the power of ten, two to the power of twenty and           two to the power of thirty, respectively. Easy, right?&lt;/p&gt;          &lt;p&gt;Well, sometimes.&lt;/p&gt;          &lt;p&gt;RAM (Random Access Memory) is specified in these "proper" megabytes; a 64 megabyte RAM module has exactly 67,108,864           bytes of storage space, disregarding error-checking bits, if they’re present. But when it comes to hard disk sizes,           manufacturers tend to specify their drives’ raw (unformatted) capacity in nice round millions and billions of bytes.           
Unfortunately, they call these measurements "megabytes" and "gigabytes", in order to make their drives sound bigger.&lt;/p&gt; &lt;p&gt;So a "6.4 gigabyte" hard drive actually has a capacity of about 5.96 real gigabytes, before you format it and lose another few per cent. You can thank the marketing people for this.&lt;/p&gt; &lt;p&gt;And now to network speeds. Data communication is specified not in kilobytes and megabytes, but kilo&lt;strong&gt;bits&lt;/strong&gt; and mega&lt;strong&gt;bits&lt;/strong&gt; per second – kbps and Mbps, respectively, with a lower-case "b" for bits and an upper-case "B" for bytes, although there’s terrible inconsistency in the use of the upper and lower case "B" to indicate bits and bytes, just to annoy you further.&lt;/p&gt; &lt;p&gt;A bit is one-eighth of a byte – nobody’s ever decimalised the byte, because making it 10 bits would make things look smaller and slower, which the marketing people find less attractive for some reason. So, logically, you’d expect one megabyte per second to be eight megabits per second, right?&lt;/p&gt; &lt;p&gt;Ha! No such luck. Like hard disk capacities, network speeds are expressed in round numbers, not powers of two. A "64 kilobit" ISDN line moves exactly 64,000 bits per second, or a megabyte (the real kind, not the hard disk kind) every two minutes and eleven seconds. "10 megabit" Ethernet is good for exactly ten million bits per second, or 1.192 megabytes per second. And so on.&lt;/p&gt; &lt;p&gt; &lt;/p&gt; &lt;h3&gt;&lt;a name="bsrdetail"&gt;Bridges, switches and routers in detail&lt;/a&gt;&lt;/h3&gt; &lt;p&gt;Once upon a time, you could point to a gadget that hooked network segments together and say, with confidence, what it was. Well, so I’m told, anyway. 
Today, there are all sorts of devices designed to move data from one network to another, with all kinds of fancy features, and their names are a highly unreliable guide to what sort of device they actually are. The three basic categories of network-joining device are switches, bridges and routers, but those definitions blur into each other so much that defining them separately is impossible. The words mean different things to different companies. You just have to look at the specification sheets and decide whether a given device is what you need. Here’s how to tell.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;&lt;a name="Bridges"&gt;Bridges&lt;/a&gt;&lt;/h3&gt;          &lt;p&gt;A bridge, officially, is a stand-alone device or specially configured computer that connects different LANs, and           allows them to act as segments of one LAN.&lt;/p&gt;          &lt;p&gt;A bridge can only connect networks which are using an identical network protocol, like, for example, Ethernet.           A bridge with appropriate connections can connect networks which are using the same protocol on different kinds of           connection – bridges that have a collection of 10BaseT ports and a 10Base2 coaxial connector are common, for instance.           But, canonically, if it can connect networks of different kinds, like Token Ring to Ethernet, it isn’t a bridge.&lt;/p&gt;          &lt;p&gt;Since bridges only operate at &lt;a href="http://www.dansdata.com/network.htm#OSI%20layers"&gt;OSI Layer&lt;/a&gt; 2, they cannot connect network segments which           couldn’t be connected WITHOUT the bridge there, disregarding media differences. If you’re talking TCP/IP, that means           that all segments connected to a bridge must have the same subnet mask – the second xxx.xxx.xxx.xxx number, subsidiary           to the IP address, which determines what subnet a computer is on. 
Computers on different subnets can’t see each other.&lt;/p&gt;          &lt;p&gt;Bridges, unlike simple repeaters, do not retransmit a frame until they’ve received the whole thing. This means           devices on either side of a bridge can transmit simultaneously without causing &lt;a href="http://www.dansdata.com/network.htm#Collision"&gt;collisions&lt;/a&gt;, and so you can use a bridge to segment a network into smaller chunks to reduce collisions and improve performance. This, indeed, is the major function of the bridge – chopping up big ungainly networks into smaller "collision domains", so the overall chatter level doesn’t bog the network down. The tiny single frame delay introduced by the bridging system is a small price to pay.&lt;/p&gt;          &lt;p&gt;All modern bridges are "learning" bridges. This means they have the ability to figure out, by looking at where data are coming from, what machines are connected to which of their ports. They can therefore restrict packet retransmission to only the port they know connects to the network &lt;a href="http://www.dansdata.com/network.htm#Node"&gt;node&lt;/a&gt; to which the frame’s addressed. If a frame isn’t addressed to a machine the bridge knows about, it retransmits it on all ports except the one it came from, because everything on the segment the frame came from heard it at the same time the bridge did. If a given address doesn’t transmit for a given period of time, the bridge removes it from its address table, so as not to fill its table (which has a limited size) with addresses for machines which may not necessarily even be on the network any more.&lt;/p&gt;          &lt;p&gt;Bridges can even handle being connected up in loops. If this situation were left uncorrected, it would cause instant and hopeless congestion as every bridge retransmitted every packet to every other bridge in the loop, and then got it retransmitted back, ad infinitum. 
The bridges deal with this by arranging themselves into what’s known as a "spanning tree"; they very quickly shut down connections between bridges until all of the loops are eliminated. This allows redundant network wiring; if one cable is cut, the bridges sort out the problem and create a new tree using a previously ignored cable.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;&lt;a name="Switches"&gt;Switches&lt;/a&gt;&lt;/h3&gt;          &lt;p&gt;A switch is, essentially, a &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridge&lt;/a&gt; with knobs on. Or a really smart kind of          &lt;a href="http://www.dansdata.com/network.htm#Hub"&gt;hub&lt;/a&gt;. Or, in its simplest form, maybe just a multi-port bridge. Essentially, switches are a creation of marketing departments; there may be some under-the-surface differences between them and previous devices, but from an operational point of view they’re the same as earlier bridges and routers, only faster. Perhaps. A LAN with a switch joining its segments is referred to as a "switched LAN".&lt;/p&gt;          &lt;p&gt;Like a bridge, a switch connects networks and filters packets, only sending on packets to a given network segment           if they’re addressed to a device on that segment. Also like a bridge, your basic switch operates at          &lt;a href="http://www.dansdata.com/network.htm#OSI%20layers"&gt;OSI Layer&lt;/a&gt; 2 – it cannot change the data it’s sending, to route information from one network flavour to another. Everything connected to a Layer 2 switch has to be configured as if it were on the one network – like a bridge, these switches can only connect network segments that could be connected anyway, as far as the computer settings go. Each port on a switch can support a whole LAN or a single station. 
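&lt;/p&gt;&lt;p&gt;The learning, filtering, flooding, ageing and spanning-tree behaviour described in the Bridges section above, as an added example in Python that is not the article's code: the table size, ageing time, link costs and MAC addresses are assumptions chosen for illustration. One consequence of the finite table is worth seeing in the output: a station the bridge failed to learn is flooded to every port, hub-style, until an entry ages out and frees a slot.&lt;/p&gt;

```python
"""Learning bridge and spanning tree, simulated.

Constructed example: this is not the article's code. The address table
size, ageing time, link costs and MAC addresses are assumptions.
"""
import heapq

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningBridge:
    """Transparent bridge: learns where senders live, then filters or floods by destination."""

    def __init__(self, ports, max_entries=4, age_limit=300):
        self.ports = list(ports)
        self.max_entries = max_entries   # real tables are finite; 4 entries is an assumption
        self.age_limit = age_limit       # seconds of silence before a station is forgotten
        self.table = {}                  # mac -> (port, last_seen)

    def receive(self, in_port, src, dst, now):
        """Return the ports the frame is sent out of; [] means it was filtered."""
        # Age out stations that have been quiet for longer than age_limit.
        stale = [mac for mac, (port, seen) in self.table.items() if now - seen > self.age_limit]
        for mac in stale:
            del self.table[mac]
        # Learn the sender's port, unless the table is full and the sender is new.
        full = len(self.table) >= self.max_entries
        if src in self.table or not full:
            self.table[src] = (in_port, now)
        # Broadcast or unknown destination: flood every port except the ingress one,
        # since that segment already heard the frame. A full table keeps new
        # stations unknown, so traffic to them is flooded hub-style.
        if dst == BROADCAST or dst not in self.table:
            return [p for p in self.ports if p != in_port]
        out_port = self.table[dst][0]
        return [] if out_port == in_port else [out_port]   # same segment: filter


def spanning_tree(bridges, links):
    """Root = lowest bridge ID; every other bridge keeps only its cheapest link towards the root.

    links are (bridge_a, bridge_b, cost). Returns (root, active_links, blocked_links).
    Assumptions: one link per bridge pair; ties broken by the lower neighbouring bridge ID.
    """
    root = min(bridges)
    adj = {b: [] for b in bridges}
    for a, b, cost in links:
        adj[a].append((b, cost))
        adj[b].append((a, cost))
    settled = {}                 # bridge -> (root path cost, parent bridge)
    heap = [(0, root, root)]     # (cost, parent, bridge): cheapest first, then lowest parent ID
    while heap:
        cost, parent, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled[node] = (cost, parent)
        for nbr, c in adj[node]:
            if nbr not in settled:
                heapq.heappush(heap, (cost + c, node, nbr))
    active = {tuple(sorted((n, p))) for n, (c, p) in settled.items() if n != root}
    blocked = {tuple(sorted((a, b))) for a, b, c in links} - active
    return root, active, blocked


def demo_bridge():
    """Seven frames through a three-port bridge; returns the egress port list for each."""
    mac = lambda n: "00:00:5e:00:53:%02x" % n      # documentation MAC range
    b = LearningBridge(ports=[1, 2, 3])
    return [
        b.receive(1, mac(1), mac(2), now=0),      # dst unknown: flooded to 2 and 3
        b.receive(2, mac(2), mac(1), now=1),      # dst learnt on port 1: sent there only
        b.receive(1, mac(3), mac(1), now=2),      # dst on the same segment: filtered
        b.receive(3, mac(4), BROADCAST, now=3),   # broadcast: flooded (table now full)
        b.receive(3, mac(5), mac(1), now=4),      # sender not learnt, table full
        b.receive(1, mac(1), mac(5), now=5),      # so frames to it are still flooded
        b.receive(2, mac(2), mac(1), now=400),    # everything aged out: flooded again
    ]


def demo_tree():
    """Four bridges in a ring; returns the tree before and after the B1-B2 link is cut."""
    bridges = ["B1", "B2", "B3", "B4"]
    ring = [("B1", "B2", 10), ("B2", "B3", 10), ("B3", "B4", 10), ("B4", "B1", 10)]
    cut = [link for link in ring if link != ("B1", "B2", 10)]
    return spanning_tree(bridges, ring), spanning_tree(bridges, cut)
```

&lt;p&gt;demo_bridge() walks the table through learning, filtering, a full table and ageing. demo_tree() builds the ring with B1 as root and the B3-B4 link blocked; once B1-B2 is unplugged, the recomputed tree brings B3-B4 back into service and B2 reaches the root through B3 and B4, which is the redundancy the text describes.&lt;/p&gt;&lt;p&gt;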
If only one station is connected to a switch port, it is said to have a "dedicated LAN".&lt;/p&gt;          &lt;p&gt;Classier switches can do &lt;a href="http://www.dansdata.com/network.htm#OSI%20layers"&gt;Layer 3&lt;/a&gt; &lt;a href="http://www.dansdata.com/network.htm#Routers"&gt;routing&lt;/a&gt;, and are thus called "Layer 3" or "Multi-layer" switches. They can connect network segments on different subnets, by routing between them. They can also create "broadcast firewalls" between ports or groups of ports (and, thus, between any devices you attach to those ports). These groups are called "bridged groups" or "virtual LANs", and each behave like a bridged network. This allows devices on one Virtual LAN to use one IP subnet (or IPX network number, or Appletalk network number range), and devices on others to use other setups. If the switch is smart enough, it can give each virtual LAN access to the others as if it were a &lt;a href="http://www.dansdata.com/network.htm#Routers"&gt;router&lt;/a&gt;.&lt;/p&gt;          &lt;p&gt;But, remember, all sorts of things are called "switches" these days. Bear in mind that something referred to as           a switch can also fairly be described as a bridge or a router.&lt;/p&gt;          &lt;p&gt;Switching, the underlying technology that gives switches their name, can be done in two basic ways – cut-through and store-and-forward. Cut-through is the newer technology whose introduction, as much as anything, can be said to have spurred the creation of the "switch" as a distinct gadget. Cut-through switches do nothing but look at the MAC addresses of the frame headers and forward the frames accordingly. A cut-through switch doesn’t care if the packet inside the frame is valid or not, and so it will cut network traffic when all is well, but won’t prevent malfunctioning software or hardware from paralysing the network with tons of rubbish packets. 
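&lt;/p&gt;&lt;p&gt;Cut-through versus store-and-forward on a damaged frame, as an added example in Python that is not the article's code: the frame layout is Ethernet's (destination, source, type, payload, 32-bit FCS), zlib's CRC-32 stands in for the real FCS calculation, and the addresses and port map are assumptions. The point the text makes shows up in the result: the store-and-forward switch drops the corrupted frame, while the cut-through switch passes it on because it only ever reads the destination address before deciding.&lt;/p&gt;

```python
"""Store-and-forward versus cut-through switching on damaged frames.

Constructed example, not the article's code. The frame layout follows
Ethernet (dst, src, type, payload, 32-bit FCS); the FCS is computed with
zlib.crc32 for simplicity; MAC addresses and the port map are assumptions.
"""
import struct
import zlib

MIN_FRAME = 64                       # Ethernet minimum frame size, FCS included
BROADCAST = b"\xff" * 6
PORTS = [1, 2, 3]


def build_frame(dst, src, ethertype, payload):
    """Assemble dst|src|type|payload, pad to the minimum size, append the FCS."""
    body = dst + src + struct.pack("!H", ethertype) + payload
    body = body + b"\x00" * max(0, MIN_FRAME - 4 - len(body))
    return body + struct.pack("!I", zlib.crc32(body))


def fcs_ok(frame):
    """Recompute the checksum over everything but the trailing FCS and compare."""
    return struct.pack("!I", zlib.crc32(frame[:-4])) == frame[-4:]


def corrupt(frame, offset=20):
    """Flip one byte in the body, as a noisy cable or a bad NIC might."""
    damaged = bytearray(frame)
    damaged[offset] ^= 0xFF
    return bytes(damaged)


class Switch:
    def __init__(self, port_map, cut_through):
        self.port_map = port_map         # mac -> port, treated as already learnt
        self.cut_through = cut_through

    def forward(self, in_port, frame):
        """Return (verdict, egress ports)."""
        if not self.cut_through:
            # Store-and-forward: the whole frame is buffered and checked first,
            # so runts and frames with a bad FCS never leave the switch.
            if not (len(frame) >= MIN_FRAME and fcs_ok(frame)):
                return ("dropped", [])
        # Cut-through reaches this point having read only the destination
        # address; nothing about the rest of the frame has been examined.
        dst = frame[:6]
        if dst == BROADCAST or dst not in self.port_map:
            return ("flooded", [p for p in PORTS if p != in_port])
        out_port = self.port_map[dst]
        return ("filtered", []) if out_port == in_port else ("forwarded", [out_port])


def demo():
    """Send a good frame and a damaged copy through both kinds of switch."""
    host_a = b"\x00\x00\x5e\x00\x53\x01"      # documentation MAC range
    host_b = b"\x00\x00\x5e\x00\x53\x02"
    port_map = {host_a: 1, host_b: 2}
    good = build_frame(host_b, host_a, 0x0800, b"hello")
    bad = corrupt(good)
    sf = Switch(port_map, cut_through=False)
    ct = Switch(port_map, cut_through=True)
    return {
        "store_and_forward": (sf.forward(1, good), sf.forward(1, bad)),
        "cut_through": (ct.forward(1, good), ct.forward(1, bad)),
        "fcs_intact": (fcs_ok(good), fcs_ok(bad)),
    }
```

&lt;p&gt;demo() returns the verdict for each frame under each mode. The speed-mismatch limitation the text mentions next is not modelled; the example only shows why a cut-through switch cannot protect the far segment from rubbish frames.&lt;/p&gt;&lt;p&gt;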
Cut-through forwarding is impossible between media of different speeds, so switches which support, say, 10BaseT and 100BaseT, do not use cut-through when data moves between ports of different speeds.&lt;/p&gt;          &lt;p&gt;Store-and-forward switching is the older way of doing it. It actually looks at the packets before sending them on, which means the packets stay in the switch a little longer, but broken ones are weeded out. Under high loads, cut-through switches buffer data and hence run no faster than store-and-forward ones, but they’ve got a slight performance edge in normal operation.&lt;/p&gt;          &lt;p&gt;An overloaded switch can make network congestion even worse than it would be without the switch, in some cases. If the switch is receiving data for a given port faster than it can pump it out of that port, it will buffer the data until it runs out of memory and then start dropping packets – throwing them away. The machines sending the data don’t know that it isn’t getting through until the network protocol sorts it out – fragmentary data causes receiving machines to request resends. This is worse than a plain old collision, because in a collision situation all of the sending machines know about the problem at once and resend practically immediately, whereas the resend requests created by a choked switch have to traverse the network path back from the receiving machine to the sender before anything can happen.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;&lt;a name="Routers"&gt;Routers&lt;/a&gt;&lt;/h3&gt;          &lt;p&gt;A router is a device that connects networks together, like a bridge, but is a great deal smarter. 
Routers operate at &lt;a href="http://www.dansdata.com/network.htm#OSI%20layers"&gt;OSI layer&lt;/a&gt; 3, which means they understand both logical and physical addresses when moving data around, unlike bridges, which work at layer 2 and only understand physical addresses.&lt;/p&gt; &lt;p&gt;Routers analyse incoming packets and modify them, if necessary (re-framing them for whatever kind of link the next hop is on), so they’re redirected to another router or to their initially intended destination. This allows routers to send packets from one kind of network across another kind of network on their way to a destination network which can be of yet another kind, via more routers if necessary. As long as the routers know what computers live where, they can figure out the necessary route themselves.&lt;/p&gt; &lt;p&gt;Routers maintain a database of addresses which allows them to correctly route data among the hundreds of millions of in-use addresses accessible via the Internet. They can do this because their ability to send data to other routers lets them pay attention only to the "network number", the part of the address that indicates the network to which the computer they’re sending data to is connected, and ignore the details of the "host number", the exact machine they’re aiming at. The router at the other end can handle getting the data to the exact right machine; the sending router only has to get it to the right network.&lt;/p&gt; &lt;p&gt;Routers further reduce the number of addresses they need to know about by "summarising" entries together when a lot of addresses share the same route. 
Typical Internet routing tables, at the time of writing, contain only several tens of thousands of routes, rather than the hundreds of millions a "dumb" routing strategy would require.&lt;/p&gt; &lt;p&gt;It is this ability that makes routers the life-blood of the Internet, and similarly important to many other networks, but it also makes them slower than "layer 3 switches", which can generally only do limited routing within the devices directly connected to them, and do not understand multiple layer 3 protocols.&lt;/p&gt; &lt;p&gt;A truly "Internet-capable" &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;switch&lt;/a&gt; has full routing abilities in addition to the quick address lookup capabilities of a regular switch. If it has to send data to somewhere it hasn’t recently received data from (the arriving data bringing with it routing information for replies), the switch behaves like a router. This requires much more processing power than switching and is thus slower. "Slower" in this case is a relative term; router-speed operation, even from older and cheaper models, can still provide packets much faster than a T-1 line (1.544 megabits per second) can handle. These cheaper routers’ speed of operation roughly matches the available throughput from a T-3 line (about 45 megabits per second). Routers are getting faster every year, too; top-of-the-line products can handle a great deal more data.&lt;/p&gt; &lt;p&gt;There is only any point in using a switch/router like this if some large percentage of the network traffic comes from the same places over and over again – local addresses, in other words. 
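&lt;/p&gt;&lt;p&gt;The longest-prefix lookup and route summarisation described above, as an added example in Python that is not the article's code; the next-hop names and the prefixes are assumptions. Four /24 routes to the same next hop collapse into one /22, a more specific /25 inside them still wins the lookup, the default route catches everything else, and a 169.254 address is refused regardless of the table, per the link-local rule earlier on this page.&lt;/p&gt;

```python
"""Longest-prefix routing with route summarisation.

Constructed example, not the article's code. Next-hop names (R2, R3, R4, ISP)
and the prefixes (documentation and private ranges) are assumptions.
"""
import ipaddress


class Router:
    def __init__(self):
        self.routes = []                 # (network, next_hop)

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, address):
        """Longest-prefix match: only the network number matters, and the most
        specific matching entry wins. None means there is nowhere to send it."""
        addr = ipaddress.ip_address(address)
        if addr.is_link_local:           # 169.254/16 is never forwarded off the local link
            return None
        matches = [(net.prefixlen, hop) for net, hop in self.routes if addr in net]
        return max(matches)[1] if matches else None

    def summarise(self):
        """Merge adjacent networks that share a next hop into one entry.

        collapse_addresses only joins exactly adjacent or contained prefixes, so
        nothing that was unroutable before becomes routable afterwards, and a
        longer prefix still wins in lookup(). Returns the new table size."""
        by_hop = {}
        for net, hop in self.routes:
            by_hop.setdefault(hop, []).append(net)
        self.routes = [(net, hop)
                       for hop, nets in by_hop.items()
                       for net in ipaddress.collapse_addresses(nets)]
        return len(self.routes)


def demo_router():
    r = Router()
    for third in range(4):                       # four /24s behind the same router
        r.add("10.1.%d.0/24" % third, "R2")
    r.add("10.1.2.128/25", "R4")                 # a more specific exception inside them
    r.add("192.0.2.0/24", "R3")
    r.add("0.0.0.0/0", "ISP")                    # default route: everything else
    return r


def demo():
    """Table size and lookup results before and after summarisation."""
    r = demo_router()
    probes = ["10.1.2.200", "10.1.3.7", "192.0.2.1", "198.51.100.9", "169.254.3.4"]
    before = (len(r.routes), [r.lookup(p) for p in probes])
    after = (r.summarise(), [r.lookup(p) for p in probes])
    return before, after
```

&lt;p&gt;demo() shows the table shrinking from seven entries to four while every probe still resolves to the same next hop, which is the whole point of summarisation: the sending router needs the right network, not the exact host.&lt;/p&gt;&lt;p&gt;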
A switch connected to the Internet for public access as well as to a local network must also be able to preferentially cache routes to local addresses, or its address table will be rapidly filled with useless once-only Internet access routes from Net surfers.&lt;/p&gt; &lt;p&gt;Routers can communicate with other routers to provide better traffic management and avoid slow connections; they can, together, determine the best route through a complex &lt;a href="http://www.dansdata.com/network.htm#WAN"&gt;WAN&lt;/a&gt;. Many routers are used for Media Access conversions – linking networks with different physical connections as well as different Layer 3 protocols, like for example Token Ring and Ethernet. Many routers also support scads of Layer 3 protocols, but they don’t have to in order to qualify as a router.&lt;/p&gt; &lt;p&gt;Some network protocols are inherently unroutable – SNA (IBM’s Systems Network Architecture, originally a set of mainframe networking protocols), NetBEUI (NetBIOS Extended User Interface, the transport Microsoft built to carry NetBIOS traffic; it has no network-layer address at all, which is exactly why it can’t be routed, whereas NetBIOS over TCP/IP can be) and LAT (Digital Equipment Corporation’s Local Area Transport protocol), for instance, none of which have the innate ability to work with routers. Some of these, like SNA and NetBIOS, can sort-of-kind-of be routed by being "encapsulated" inside other, routable protocols (DLSw tunnels both over TCP/IP, for instance), but these solutions are slow and inelegant. Modern routers can work wonders at integrating disparate kinds of network, such as tend to develop in large companies, but the elimination of excess protocols is still highly desirable to make management simpler, even when every protocol on the WAN &lt;b&gt;is&lt;/b&gt; routable.&lt;/p&gt; &lt;p&gt;"Static" routers must have their routing tables manually updated. 
"Dynamic" routers build and update their own           tables.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;&lt;a name="Bandwidth"&gt;Bandwidth&lt;/a&gt;, and how to get more of it&lt;/h3&gt;          &lt;p&gt;A network’s bandwidth is how much data it can move per second. In a plain 10 megabit Ethernet LAN, that bandwidth           is, unsurprisingly, ten &lt;a href="http://www.dansdata.com/network.htm#Megabit"&gt;megabits&lt;/a&gt; per second, or a bit more than a megabyte per second. The actual amount of real data throughput is considerably lower, because a lot of bandwidth is taken up by the extra formatting information tacked onto the data to be sent. But if you just look at the bits being sent, the total number per second, assuming no &lt;a href="http://www.dansdata.com/network.htm#Collision"&gt;collisions&lt;/a&gt;, is ten million (if you’re wondering why this is a round number and           not a power of two, check &lt;a href="http://www.dansdata.com/network.htm#Megabit"&gt;here&lt;/a&gt;).&lt;/p&gt;          &lt;p&gt;Things get more complicated when you start playing with &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridges&lt;/a&gt; and &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;          switches&lt;/a&gt; on larger networks. Both of these devices, after a brief learning period, forward traffic only to network           segments that actually contain the computer to which the traffic is addressed.&lt;/p&gt;          &lt;p&gt;Depending on the network, you may get a larger performance gain from segmenting a 10 megabit network than from           upgrading it to 100 megabit.&lt;/p&gt;          &lt;p&gt;If you have a 10BaseT network with, say, 32 computers on it, you could add an eight port bridge or switch with a four port hub hanging off each port. 
This chops the network into eight segments of four computers each, which means that each computer can yammer all it likes to its three segment companions without cutting into the 10 megabit bandwidth of any of the other segments at all. If a given computer DOES talk to a machine on a different segment, it will only take up bandwidth on those two segments, leaving half of the network untouched.&lt;/p&gt;          &lt;p&gt;Segmented networks can therefore offer impressive "aggregate bandwidth" – the total amount of data that can be           moved around the network by various machines talking to each other at once. High aggregate bandwidth does not, in           this case, indicate higher bandwidth available to any one network conversation. But this is usually OK, as for most           operations the transfer rate provided by a 10 megabit network is adequate, provided you can get most or all of it           for yourself.&lt;/p&gt;          &lt;p&gt;If two machines conduct a 10 megabit conversation between two ports on the bridge or switch that segments this 32 computer network, and another two conduct a similar conversation on each of the other three pairs of ports, the network will be saturated (any extra traffic will produce collisions and slow the LAN down) and an aggregate bandwidth of only 40 megabits per second will have been achieved. On the other hand, if computers on the network happen only to talk to other computers on their own segment, the lack of inter-segment network pollution means the aggregate bandwidth available will be 80 megabits per second. 
The worst case scenario arises if three segments all want to talk to the fourth at once; in this situation they have to share the fourth segment’s bandwidth, and the network’s aggregate bandwidth drops back to 10 megabits per second.&lt;/p&gt;          &lt;p&gt;In this situation, an eight-segment 10MBps network clearly offers significantly less bandwidth, under all circumstances, than an unsegmented 100MBps LAN. But if you double the number of segments to 16, so each one serves only two computers, the aggregate bandwidth figures in the above examples jump to 80 and 160 megabits per second respectively, and the chance of everyone concentrating on one segment falls.&lt;/p&gt;          &lt;p&gt;If there’s one computer that commonly attracts lots of traffic – a file server, for instance – that one computer can be given a segment to itself, and can even be given a 100BaseT network card and be connected to a 10/100MBps dual-mode switch or bridge. This gives the high-demand computer a dedicated 100 megabit connection, probably full &lt;a href="http://www.dansdata.com/network.htm#Duplex"&gt;duplex&lt;/a&gt;, to the whole of the rest of the network, even though any given other computer can only move ten megabits per second. If the 31 other computers all try to access the file server now, they’re sharing 100 megabits per second between them instead of 10, and will still receive data at a decent rate. Because bridges and switches prevent collisions between traffic originating on different network segments, if ten 10MBps computers simultaneously request data from the 100MBps server (and everything else happens to shut up), they’ll each get data about as fast as their network cards can handle it, without a single collision. 
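&lt;/p&gt;&lt;p&gt;The segmentation arithmetic above as a runnable model; this is an added example, not code from the original article. It assumes each segment is a 10 megabit collision domain behind its own bridge or switch port, that the device's backplane is never the bottleneck, and that conversations sharing a saturated segment split it equally (max-min fair sharing, which is what gives the three-into-one case its 10 megabit aggregate). It reproduces the 40, 80 and 10 megabit figures for eight segments, the 80 and 160 figures for sixteen, and the dedicated 100 megabit server port, and it generalises to any layout of segments and conversations.&lt;/p&gt;

```python
"""Aggregate-bandwidth model for a segmented 10BaseT LAN (constructed example).

Each segment is one shared 10 Mbps collision domain behind a bridge or switch
port. A conversation consumes bandwidth on the segment of each endpoint (one
segment if both ends are local) and leaves every other segment untouched.
Rates are allocated by progressive filling (max-min fairness): all flows grow
equally until some segment saturates, and the flows on it are frozen there,
which is what makes three segments talking into a fourth share that fourth
segment's 10 Mbps.
"""
import math
from collections import Counter

EPS = 1e-9


def touched(flow):
    """Set of segments a (src, dst) conversation occupies."""
    return {flow[0], flow[1]}


def max_min_fair(capacities, flows):
    """Per-flow rates (Mbps) under max-min fair sharing of segment capacity.

    capacities: {segment: Mbps}. flows: list of (src_segment, dst_segment).
    """
    remaining = dict(capacities)
    rates = [0.0] * len(flows)
    active = set(range(len(flows)))
    rate = 0.0  # common rate of every flow not yet frozen
    while active:
        load = Counter()  # active flows per segment
        for i in active:
            for seg in touched(flows[i]):
                load[seg] += 1
        # the segment with the least headroom per flow saturates first
        inc = min(remaining[seg] / n for seg, n in load.items())
        rate += inc
        for seg, n in load.items():
            remaining[seg] -= inc * n
        saturated = {seg for seg, left in remaining.items()
                     if math.isclose(left, 0.0, abs_tol=EPS)}
        for i in list(active):
            if not touched(flows[i]).isdisjoint(saturated):
                rates[i] = rate
                active.remove(i)
    return rates


def aggregate_bandwidth(capacities, flows):
    """Total data moved per second by all conversations together."""
    return sum(max_min_fair(capacities, flows))


def article_scenarios(n_segments, mbps=10):
    """The traffic patterns from the text on an n-segment LAN of mbps segments."""
    lan = {s: mbps for s in range(n_segments)}
    paired = [(s, s + 1) for s in range(0, n_segments, 2)]  # pairs talk across the switch
    local = [(s, s) for s in range(n_segments)]  # everyone talks within its own segment
    pile_on = [(s, 3) for s in range(3)]  # three segments all want the fourth
    hub = [(0, 0)] * n_segments  # the same conversations on one unsegmented hub
    return {
        "cross_segment_pairs": aggregate_bandwidth(lan, paired),
        "all_local": aggregate_bandwidth(lan, local),
        "three_into_one": aggregate_bandwidth(lan, pile_on),
        "unsegmented_hub": aggregate_bandwidth({0: mbps}, hub),
    }


def file_server_rates(n_clients, server_mbps=100, client_mbps=10):
    """Server alone on a 100 Mbps port, each client alone on a 10 Mbps port
    (assumed layout), all clients pulling data from the server at once."""
    caps = {"server": server_mbps}
    caps.update({f"client{i}": client_mbps for i in range(n_clients)})
    flows = [(f"client{i}", "server") for i in range(n_clients)]
    return max_min_fair(caps, flows)


if __name__ == "__main__":
    for n in (8, 16):
        print(f"{n} segments:", article_scenarios(n))
    for n in (10, 31):
        rates = file_server_rates(n)
        print(f"{n} clients on the server: {rates[0]:.2f} Mbps each, "
              f"{sum(rates):.0f} Mbps aggregate")
```

&lt;p&gt;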
They will, in fact, perform just as well in this situation as if they were networked to the server with 100BaseT all the way.&lt;/p&gt;          &lt;p&gt;When there are no switches or bridges or routers to worry about, but only repeaters (remember, a standard 10BaseT           hub is a repeater), network performance is easy to work out. Everything shares. It’s not quite as simple as that –           in a collision situation NO data gets sent by anyone, so when the network is saturated the total useful throughput           is less than the total bandwidth of the network – but at least it doesn’t matter who’s talking to who. A given number           of connections will result in a given aggregate bandwidth.&lt;/p&gt;          &lt;p&gt;Another important factor is the internal or "backplane" bandwidth of your bridge or switch. To avoid causing bottleneck           problems at moments of high network use, you need a backplane bandwidth equal to the aggregate bandwidth of all of           a device’s ports. If a bridge, switch or router has this much backplane bandwidth, all of its ports can be operating           at full speed all of the time, and the "data pipe" inside the device is wide enough to let all of the data through.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;          &lt;h3&gt;Other definitions&lt;/h3&gt;          &lt;p&gt;&lt;a name="ATM"&gt;ATM&lt;/a&gt;: The modern heir to &lt;a href="http://www.dansdata.com/network.htm#Packet"&gt;packet&lt;/a&gt; switching and circuit switching, Asynchronous           Transfer Mode aims to provide the efficiency and fault-tolerance of the former and the guaranteed delivery of the           latter. 
Today’s network &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;switches&lt;/a&gt; are the technological precursors to ATM; switches work with relatively large data packets of variable length, whereas ATM uses small, equal-sized "cells" of data and promises far greater speeds than current LANs over short or long distances. ATM looks, to the connected machines, like a circuit switched system – when they want to transfer data, nothing can impinge upon the 51 or 155 megabit per second pipe assigned to them. The ATM system installed has to be fast enough, of course, to handle as many concurrent pipes as are needed.&lt;/p&gt;          &lt;p&gt;&lt;a name="Broadcast"&gt;Broadcast&lt;/a&gt;: A "broadcast packet", in Ethernet, is a packet that will be received by every          &lt;a href="http://www.dansdata.com/network.htm#Node"&gt;node&lt;/a&gt; on a LAN – it’s not addressed to anyone in particular, but to everyone in general. This leads           to the concept of the "broadcast domain", which is every node that will be reached by a broadcast from any given node.          &lt;a href="http://www.dansdata.com/network.htm#Routers"&gt;Routers&lt;/a&gt; segment broadcast domains – broadcast packets don’t get past them.&lt;/p&gt;          &lt;p&gt;&lt;a name="Bus"&gt;Bus&lt;/a&gt;: A kind of network topology. The bus configuration, as used by 10Base2, has all of the devices           on the network connected in parallel to one cable. This "cable" is really made up of separate cable segments joined           at the T-pieces, but electrically speaking it can be treated as one wire. 
Any computer can be disconnected from this           bus without affecting connectivity for everything else, but if the cable is interrupted anywhere, the whole network           goes down.&lt;/p&gt;          &lt;p&gt;&lt;a name="Category"&gt;Category&lt;/a&gt;: Twisted pair cable such as is used by 10BaseT and 100BaseT is available in various           specification levels or "categories". 100BaseT requires Category 5 cable, often referred to as "Cat 5". 10BaseT will           work with lower grade, thinner cable, but a lot of installers use Cat 5 cable anyway because it costs little more           and makes it easy to upgrade. Make sure the cable you use really is Category 5 cable, not just something labelled           "Category 5 quality".&lt;/p&gt;          &lt;p&gt;&lt;a name="Collision"&gt;Collision&lt;/a&gt;: When two devices on a baseband network like Ethernet try to send data at once,           they talk over each other and cause a collision. When a collision occurs, every device that’s trying to send data           pauses for a brief, random period and tries again. This simple system works less and less well as you get more and           more computers on a network, which is why segmenting big networks with &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridges&lt;/a&gt; and/or          &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;switches&lt;/a&gt; is a good idea. Bridges and switches are thus said to segment the "collision domain";           the group of &lt;a href="http://www.dansdata.com/network.htm#Node"&gt;nodes&lt;/a&gt; with whose transmissions it is possible for a given node’s transmissions to           collide.&lt;/p&gt;          &lt;p&gt;&lt;a name="Duplex"&gt;Duplex&lt;/a&gt;: In computer communications, there are three kinds of connection between two devices. The first is simplex, in which data can only flow one way. 
Half duplex is the system used by regular Ethernet; data can flow either way, but only one way at a time. Full duplex allows data flow in both directions at once. Ethernet supports full duplex operation, but only between two devices over twisted pair cables. Regular 10BaseT or 100BaseT cable has two physical pairs of wires in it, which in full duplex operation can be used for full bandwidth data transfer in both directions – one wire pair per direction. This works because, when there are only two devices involved, &lt;a href="http://www.dansdata.com/network.htm#Collision"&gt;collisions&lt;/a&gt; are impossible. The second wire pair is normally needed for collision detection.&lt;/p&gt; &lt;p&gt;Full duplex doubles the aggregate bandwidth of a connection, but doesn’t greatly increase performance unless both devices send a lot of data. Many network transactions involve a lot of data going one way and only a little going the other, so there’s not much performance difference. &lt;/p&gt; &lt;p&gt;&lt;a name="Hub"&gt;Hub&lt;/a&gt;: A hub is a common connection point for network devices. The simplest form of hub is completely passive – it contains no electronics, it’s just a collection of connected ports, and exists only to make wiring more convenient. This sort of hub doesn’t work with 10BaseT or 100BaseT Ethernet, and isn’t very practical for larger 10Base2 networks because of 10Base2’s rather limited segment length.&lt;/p&gt; &lt;p&gt;These days, when someone talks about a "passive" hub they probably mean one like the currently available cheap 10BaseT models. These hubs act as a simple repeater – they copy every packet received at any one of their multiple ports to all of the other ports, which keeps every hub-to-computer connection as a separate network segment.&lt;/p&gt; &lt;p&gt;The most common kind of hub used in small networks is the "stand-alone" variety.
Despite their name, stand-alone           hubs can usually be connected together with regular twisted pair cable or thick 10Base5 coaxial, so you can add more           ports to your basic hub if your networking needs grow.&lt;/p&gt;          &lt;p&gt;"Intelligent" or "manageable" hubs include features so an administrator can monitor traffic and configure, enable           and disable the ports remotely. They still just copy everything they get to everywhere. The cheap 10BaseT hubs in           your local computer store are probably NOT manageable, which is OK for small networks where no user is likely to be           more than a 30 second walk from the hub anyway. If you’ve got hubs, &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridges&lt;/a&gt;,          &lt;a href="http://www.dansdata.com/network.htm#Switches"&gt;switches&lt;/a&gt; and &lt;a href="http://www.dansdata.com/network.htm#Routers"&gt;routers&lt;/a&gt; all over the place, though, being able to immediately           see what’s stopped working is an obvious advantage.&lt;/p&gt;          &lt;p&gt;"Stackable" hubs are designed from the outset to be linked together, and when you link them they act as one unit           for management purposes. Linked stand-alone hubs don’t do this. Stackable hubs provide a cost-effective option for           businesses starting with a medium sized network but with higher aspirations, since many models allow you to include           just one more expensive manageable hub in the stack, and have it provide management access to all of the others.&lt;/p&gt;          &lt;p&gt;The next step up the ladder, only of interest to builders of large networks, are modular hubs. These use one chassis or "card cage" into which cards, each of which provides several hub ports, are installed. The cards are cheaper per port than stackable hubs, because the power supply and casing are provided by the chassis. 
Cards can be installed for various different network types as needed, and a management unit may or may not be installed, according to preference.&lt;/p&gt; &lt;p&gt;"Switching" hubs are smart enough to know what devices are connected to what ports (figuring it out in the same way as learning bridges), and only copy packets addressed to those devices, and thus act as a limited kind of &lt;a href="http://www.dansdata.com/network.htm#Bridges"&gt;bridge&lt;/a&gt; – they work like a bridge, but they only have one device connected to each port.&lt;/p&gt; &lt;p&gt;To avoid or at least reduce confusion, the actual word "hub" is generally only used when you’re talking about Ethernet wiring. If you’re talking token ring networks instead, you should call the conceptually similar token ring device a "multistation access unit", or MAU.&lt;/p&gt; &lt;p&gt;&lt;a name="MAC address"&gt;MAC address&lt;/a&gt;: Every node on a network has a Media Access Control address, which uniquely identifies it. On Ethernet networks, every computer’s network card has a unique MAC address. Blocks of MAC addresses (the addresses are 48 bit numbers, so there are more than 281 trillion of them available) are assigned to network card manufacturers and used sequentially, the result of which should be that no network card has the same MAC address as any other. In the real world, things like reprogrammable cards can result in two machines with the same address on one network, which can cause problems utterly mystifying to the network novice. These problems are, fortunately, extremely rare.
MAC addresses are the identification system used by &lt;a href="http://www.dansdata.com/network.htm#OSI%20layers"&gt;OSI layer&lt;/a&gt; 2.&lt;/p&gt;          &lt;p&gt;&lt;a name="Network Interface Card"&gt;Network Interface Card&lt;/a&gt;: Normally shortened to NIC, this is the technical term           for what everyone else just calls a network card. The NIC is the board you put in your computer so you can connect           the computer to a network. They’re almost always made for a particular kind of network and media, although Ethernet           cards commonly have connectors for 10Base2 and 10BaseT, and may also support 100BaseT.&lt;/p&gt;          &lt;p&gt;&lt;a name="Node"&gt;Node&lt;/a&gt;: The correct word for a processing location on a network. Things other than computers can           be connected to networks – printers, traffic handling devices and so on. Every node has a unique hardware address           – see &lt;a href="http://www.dansdata.com/network.htm#MAC%20address"&gt;MAC address&lt;/a&gt;.&lt;/p&gt;          &lt;p&gt;&lt;a name="OSI layers"&gt;OSI layers&lt;/a&gt;: The seven Open System Interconnection layers are the International Standards           Organisation networking framework definition. Fortunately, users don’t need to know anything about them, except that           the lower the layer number, the closer you are to the hardware. In network communication, control passes from the           higher levels to the lower ones at one end, over the network connection to the next network station, and back up the           levels again. All seven layers put together make up the entire network system from your application software to the           wires, and how each layer actually works in the real world is defined by a plethora of other protocols. 
For example, Ethernet and Token Ring are two different ways of providing the services defined by OSI layers 1 and 2, the Physical and Data Link layers.&lt;/p&gt; &lt;div&gt; &lt;table border="1" cellpadding="7" cellspacing="0"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;td bgcolor="#c0c0c0" valign="middle" width="10%"&gt; &lt;h3&gt;OSI layer&lt;/h3&gt; &lt;/td&gt; &lt;td bgcolor="#c0c0c0" valign="middle" width="26%"&gt; &lt;h3&gt;Name&lt;/h3&gt; &lt;/td&gt; &lt;td bgcolor="#c0c0c0" valign="middle" width="65%"&gt; &lt;h3&gt;Function&lt;/h3&gt; &lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign="MIDDLE" width="10%"&gt;7&lt;/td&gt; &lt;td valign="MIDDLE" width="26%"&gt;Application Layer&lt;/td&gt; &lt;td valign="MIDDLE" width="65%"&gt;Communication between programs. This is the layer that user programs talk to.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign="MIDDLE" width="10%"&gt;6&lt;/td&gt; &lt;td valign="MIDDLE" width="26%"&gt;Presentation Layer&lt;/td&gt; &lt;td valign="MIDDLE" width="65%"&gt;Data representation conversions; this layer translates data, between what the network requires and what the computers at each end expect.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign="MIDDLE" width="10%"&gt;5&lt;/td&gt; &lt;td valign="MIDDLE" width="26%"&gt;Session Layer&lt;/td&gt; &lt;td valign="MIDDLE" width="65%"&gt;Establishes and maintains communications channels, so programs on different computers can establish a link.
Often combined with the Transport Layer.&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="MIDDLE" width="10%"&gt;4&lt;/td&gt;             &lt;td valign="MIDDLE" width="26%"&gt;Transport Layer&lt;/td&gt;             &lt;td valign="MIDDLE" width="65%"&gt;Responsible for end-to-end data transmission integrity. Makes sure that              the data actually gets there, with no errors, in the right order, regardless of transmission problems.             &lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="MIDDLE" width="10%"&gt;3&lt;/td&gt;             &lt;td valign="MIDDLE" width="26%"&gt;Network Layer&lt;/td&gt;             &lt;td valign="MIDDLE" width="65%"&gt;Routes data from one network node to another. This layer translates "logical"              device names and addresses into their network hardware equivalents, and does routing, if necessary, for              devices that are more than one network link away.&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="MIDDLE" width="10%"&gt;2&lt;/td&gt;             &lt;td valign="MIDDLE" width="26%"&gt;Data Link Layer&lt;/td&gt;             &lt;td valign="MIDDLE" width="65%"&gt;Takes care of moving data from one network node to another, not more than              one link away.&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="MIDDLE" width="10%"&gt;1&lt;/td&gt;             &lt;td valign="MIDDLE" width="26%"&gt;Physical Layer&lt;/td&gt;             &lt;td valign="MIDDLE" width="65%"&gt;Translates the bits generated by all the other layers into signals to              send through the network, and translates them back into bits at the other end.&lt;/td&gt;            &lt;/tr&gt;           &lt;/tbody&gt;&lt;/table&gt;          &lt;/div&gt;          &lt;p&gt;&lt;a name="Packet"&gt;Packet&lt;/a&gt;: A chunk of data transmitted over a packet-switching network. 
Packet-switching is any protocol in which data is broken up into these packets and can then follow various routes to its destination – different packets which together comprise one message may travel via different paths and are assembled when they arrive. Packets therefore, of necessity, contain a destination address as well as the data to be transmitted. Packets are often confused with "frames"; frames are the data structures used by the physical network hardware to move the data. Information that needs to be sent is parcelled up into a packet by the computer, and the packets are parcelled up by the network hardware into frames.&lt;/p&gt;          &lt;p&gt;Packet switching, as used by the TCP/IP protocol on which the Internet is built, can be compared with simple "circuit switching", as used by the phone network, where a dedicated link is established from point to point whenever one device needs to communicate with another. Circuit switching is faster, works with much lower-tech equipment and guarantees that data will arrive in the same order it was sent, important for live audio and video. Packet switching is more efficient and can tolerate slower and much less reliable connections.&lt;/p&gt;          &lt;p&gt;&lt;a name="Repeater"&gt;Repeater&lt;/a&gt;: A repeater is the dumbest kind of active network-connecting device. It just takes network traffic in one port and spews it out of one or more others, exactly as it gets it, but louder. This helps overcome cable losses, and lets cable runs be longer. Repeaters send while they receive, without waiting for the end of each packet to see if it’s intact or reduce collisions. Repeaters are, hence, useless as a cure for network congestion. Ordinary 10BaseT and 100BaseT &lt;a href="http://www.dansdata.com/network.htm#Hub"&gt;hubs&lt;/a&gt; are, in fact, multi-port repeaters.&lt;/p&gt;          &lt;p&gt;&lt;a name="WAN"&gt;WAN&lt;/a&gt;: Wide Area Network. 
Any computer network that covers a large geographical area, and is composed, typically, of more than one Local Area Network. A WAN can be composed of a multiplicity of network systems. The Internet is the biggest WAN in the world, both in geographical extent and number of &lt;a href="http://www.dansdata.com/network.htm#Node"&gt;nodes&lt;/a&gt;.&lt;/p&gt;          &lt;p&gt; &lt;/p&gt;                                            &lt;table border="1" cellpadding="7" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;             &lt;td colspan="2" bgcolor="#c0c0c0" valign="middle"&gt;&lt;a name="ESQR"&gt;&lt;strong&gt;Ethernet Standards Quick Reference&lt;/strong&gt;&lt;/a&gt;&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="TOP"&gt;&lt;strong&gt;10BaseT&lt;/strong&gt;&lt;/td&gt;             &lt;td valign="MIDDLE"&gt;&lt;small&gt;10MBps data rate, star wired bus topology, baseband signalling on unshielded              twisted pair (UTP) cable. 10baseT cables can be up to 100 metres (328 feet) long, with a minimum cable              run between nodes of 2.5 metres (about 8 feet). Maximum of 1,024 nodes per network.&lt;/small&gt;&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="TOP"&gt;&lt;strong&gt;100BaseT&lt;/strong&gt;&lt;/td&gt;             &lt;td valign="MIDDLE"&gt;&lt;small&gt;100BaseT, also known as "fast Ethernet", is essentially like 10BaseT, but run              at 100MBps instead of 10MBps. 
It requires category 5 UTP cable.&lt;/small&gt;&lt;br /&gt;            &lt;table border="1" cellpadding="7" cellspacing="0" width="100%"&gt;              &lt;tbody&gt;&lt;tr&gt;               &lt;td colspan="2" bgcolor="#c0c0c0" valign="middle"&gt;&lt;b&gt;100Mbps Ethernet specifications&lt;/b&gt;&lt;/td&gt;              &lt;/tr&gt;              &lt;tr&gt;               &lt;td valign="MIDDLE"&gt;&lt;b&gt;100baseT4&lt;/b&gt;&lt;/td&gt;               &lt;td valign="MIDDLE"&gt;4-pair Category 3, 4 or 5 UTP or STP&lt;/td&gt;              &lt;/tr&gt;              &lt;tr&gt;               &lt;td valign="MIDDLE"&gt;&lt;b&gt;100baseTX&lt;/b&gt;&lt;/td&gt;               &lt;td valign="MIDDLE"&gt;2-pair Category 5 UTP or STP&lt;/td&gt;              &lt;/tr&gt;              &lt;tr&gt;               &lt;td valign="MIDDLE"&gt;&lt;b&gt;100baseFX&lt;/b&gt;&lt;/td&gt;               &lt;td valign="MIDDLE"&gt;2-strand fibre-optic cable&lt;/td&gt;              &lt;/tr&gt;             &lt;/tbody&gt;&lt;/table&gt;             &lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="TOP"&gt;&lt;strong&gt;10Base2&lt;/strong&gt;&lt;/td&gt;             &lt;td valign="MIDDLE"&gt;&lt;small&gt;Thin Ethernet, or "Thinnet". 10Mbps data rate, bus topology, baseband signalling.              The maximum segment length is 185 metres (607 feet). 10Base2 uses RG-58 coaxial cable, and allows 30 nodes              per segment, and 90 nodes per network. The total length of the network must be less than 925 metres (3033              feet).&lt;/small&gt;&lt;/td&gt;            &lt;/tr&gt;            &lt;tr&gt;             &lt;td valign="TOP"&gt;&lt;strong&gt;10Base5&lt;/strong&gt;&lt;/td&gt;             &lt;td valign="MIDDLE"&gt;&lt;small&gt;Thick Ethernet, or "Thicknet". The original "standard Ethernet", now supplanted              in popularity by 10Base2. Typically 10Mbps data rate, baseband signalling, with a maximum segment length              of 500 metres (1650 feet). 
Uses thick coaxial cable, RG-8 and RG-11. 100 nodes per segment are permitted, and 300 nodes per network. A maximum of four repeaters and 100 taps are permitted.&lt;/small&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td valign="TOP"&gt;&lt;strong&gt;10BaseFL&lt;/strong&gt;&lt;/td&gt; &lt;td valign="MIDDLE"&gt;&lt;small&gt;Fibre Link Ethernet. 2GBps maximum data transfer, although normally restricted by hardware capabilities to 100MBps. Uses baseband signalling over fibre optic cable. Maximum segment length is 2000 metres (6557 feet).&lt;/small&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/3705228089778585007/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=3705228089778585007' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/3705228089778585007'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/3705228089778585007'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2010/02/ethernet-networking-explained.html' title='Ethernet Networking Explained'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16'
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-7358546017930322921</id><published>2009-11-20T01:43:00.001-08:00</published><updated>2009-11-20T01:43:54.819-08:00</updated><title type='text'>How to troubleshoot the "NTLDR Is Missing" error message in Windows 2000</title><content type='html'>&lt;h3 id="tocHeadRef"&gt;How to Troubleshoot the "NTLDR Is Missing" Error Message&lt;/h3&gt;&lt;script type="text/javascript"&gt;                 loadTOCNode(2, 'summary');             &lt;/script&gt; When you start your Windows 2000-based computer, you may receive     the following error message: &lt;div class="kb_errormsgbody"&gt;&lt;div class="kb_errorcontent"&gt;&lt;div class="errormsg"&gt; NTLDR is missing&lt;br /&gt;Press     any key to restart &lt;/div&gt;&lt;/div&gt;&lt;/div&gt; This problem may occur if the basic input/output     system (BIOS) on your computer is outdated, or if one or more of the following     Windows boot files are missing or damaged: &lt;div class="indent"&gt; Ntldr&lt;br /&gt;Ntdetect.com&lt;br /&gt;Boot.ini &lt;/div&gt; To resolve this issue, verify that the BIOS on your computer is     current, and then use one or more of the following methods, as appropriate to     your situation, to repair the Windows 2000 startup environment.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;IMPORTANT&lt;/b&gt;: Microsoft recommends that you fully back up your data on a     regular basis. This is the best defense against data loss, and it must be a     part of any disaster recovery plan.&lt;br /&gt;&lt;br /&gt;&lt;h4 id="tocHeadRef"&gt;&lt;span&gt;&lt;/span&gt;Verify That the BIOS on the Computer Is Current&lt;/h4&gt;&lt;script type="text/javascript"&gt;             loadTOCNode(3, 'summary');         &lt;/script&gt; Make sure that the latest revision for BIOS is installed on the     computer. 
Contact the computer manufacturer to inquire about how to obtain, and     then install the latest BIOS update that is available for the computer.    &lt;br /&gt;&lt;br /&gt;For information about how to configure and how to verify the correct     BIOS settings for the computer, see the computer documentation or contact the     manufacturer of the computer.      For information about how to     contact your computer manufacturer, click the appropriate article number in the     following list to view the article in the Microsoft Knowledge Base:&lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/65416/"&gt;65416&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/65416/                         )         &lt;/span&gt;   Hardware and software vendor contact information, A-K&lt;br /&gt;&lt;br /&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/60781/"&gt;60781&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/60781/                         )         &lt;/span&gt;   Hardware and software vendor contact information, L-P&lt;br /&gt;&lt;br /&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/60782/"&gt;60782&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/60782/                         )         &lt;/span&gt;   Hardware and software vendor contact information, Q-Z&lt;/div&gt; For more information about how to contact BIOS     manufacturers, click the following article numbers to view the articles in the     Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/243909/"&gt;243909&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/243909/                         )         &lt;/span&gt;   List of BIOS manufacturer Web sites Part 
1  &lt;/div&gt;&lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/243971/"&gt;243971&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/243971/                         )         &lt;/span&gt; List of BIOS manufacturer Web sites Part 2  &lt;/div&gt;&lt;h3 id="tocHeadRef"&gt;&lt;span&gt;&lt;/span&gt;&lt;/h3&gt;&lt;script type="text/javascript"&gt;                 loadTOCNode(2, 'summary');             &lt;/script&gt; To repair the Windows startup environment, use one or more of the     following methods, as appropriate to your situation.&lt;br /&gt;&lt;br /&gt;&lt;h4 id="tocHeadRef"&gt;&lt;span&gt;&lt;/span&gt;Method 1: Use a Boot Disk to Start the Computer&lt;/h4&gt;&lt;script type="text/javascript"&gt;             loadTOCNode(3, 'summary');         &lt;/script&gt;&lt;ol&gt;&lt;li&gt;Create a Windows 2000 boot disk that contains the following     files:&lt;div class="indent"&gt; Ntldr&lt;br /&gt;  Ntdetect.com&lt;br /&gt;  Boot.ini&lt;br /&gt;  Ntbootdd.sys &lt;/div&gt; For more information about how to create a boot disk, click       the following article numbers to view the articles in the Microsoft Knowledge       Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/301680/"&gt;301680&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/301680/                         )         &lt;/span&gt;   How to create a boot disk for an NTFS or FAT partition in Windows  &lt;/div&gt;&lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/101668/"&gt;101668&lt;/a&gt;                              &lt;span class="pLink"&gt;             (http://support.microsoft.com/kb/101668/                         )         &lt;/span&gt; How to use a Windows boot disk to prevent boot failure  &lt;/div&gt;&lt;/li&gt;&lt;li&gt;Modify the Boot.ini file to point to the correct hard 
disk controller and to the correct volume for your Windows installation. For more information about how to edit the Boot.ini file, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/311578/"&gt;311578&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/311578/)&lt;/span&gt; How to edit the Boot.ini file in Windows 2000&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Insert the boot disk into the computer's floppy disk drive, and then restart the computer.&lt;/li&gt;&lt;li&gt;Copy the Ntldr file, the Ntdetect.com file, and the Boot.ini file from the boot disk to the system partition of the local hard disk.&lt;/li&gt;&lt;/ol&gt;&lt;h4 id="tocHeadRef"&gt;Method 2: Use the Recovery Console&lt;/h4&gt;&lt;ol&gt;&lt;li&gt;Use the Windows 2000 Setup disks to restart the computer, or use the Windows 2000 CD-ROM to restart the computer.&lt;/li&gt;&lt;li&gt;At the &lt;strong class="uiterm"&gt;Welcome to Setup&lt;/strong&gt; screen, press R to repair the Windows 2000 installation.&lt;/li&gt;&lt;li&gt;Press C to repair the Windows 2000 installation by using the Recovery Console.&lt;/li&gt;&lt;li&gt;Type the number that corresponds to the Windows installation that you want to repair, and then press ENTER. For example, type &lt;span class="userInput"&gt;1&lt;/span&gt;, and then press ENTER. 
For more information, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/229716/"&gt;229716&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/229716/)&lt;/span&gt; Description of the Windows Recovery Console&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Type the Administrator password, and then press ENTER.&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;map&lt;/span&gt;, and then press ENTER. Note the drive letter that is assigned to the CD-ROM drive that contains the Windows 2000 CD-ROM.&lt;/li&gt;&lt;li&gt;Type the following commands, pressing ENTER after you type each one, where &lt;var&gt;drive&lt;/var&gt; is the drive letter that you typed in step 4 of "Method 2: Use the Recovery Console," of this article: &lt;div class="indent"&gt;&lt;span class="userInput"&gt;copy &lt;var&gt;drive&lt;/var&gt;:\i386\ntldr c:\&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="userInput"&gt;copy &lt;var&gt;drive&lt;/var&gt;:\i386\ntdetect.com c:\&lt;/span&gt;&lt;/div&gt;If you are prompted to overwrite the file, type &lt;span class="userInput"&gt;y&lt;/span&gt;, and then press ENTER.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;NOTE&lt;/b&gt;: In these commands, there is a space between &lt;b&gt;ntldr&lt;/b&gt; and &lt;b&gt;c:\&lt;/b&gt;, and between &lt;b&gt;ntdetect.com&lt;/b&gt; and &lt;b&gt;c:\&lt;/b&gt;. 
&lt;/li&gt;&lt;li&gt;Type the following command, and then press ENTER: &lt;div class="indent"&gt;&lt;span class="userInput"&gt;type c:\Boot.ini&lt;/span&gt;&lt;/div&gt;A list similar to the following list appears: &lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt;[boot loader]&lt;br /&gt;timeout=30&lt;br /&gt;default=multi(0)disk(0)rdisk(0)partition(1)\WINNT&lt;br /&gt;&lt;br /&gt;[operating systems]&lt;br /&gt;multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;If you receive the following message, the Boot.ini file may be missing or damaged:&lt;div class="indent"&gt;&lt;b&gt;The system cannot find the file or directory specified.&lt;/b&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;If the Boot.ini file is missing or damaged, create a new one. To do so, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Use a text editor, such as Notepad or Edit.com, to create a boot loader file similar to the following boot loader file:&lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt;[boot loader]&lt;br /&gt;timeout=30&lt;br /&gt;default=multi(0)disk(0)rdisk(0)partition(1)\WINNT&lt;br /&gt;&lt;br /&gt;[operating systems]&lt;br /&gt;multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;For more information, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/102873/"&gt;102873&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/102873/)&lt;/span&gt; Boot.ini and ARC path naming conventions and usage&lt;/div&gt;&lt;div class="indent"&gt;&lt;a class="KBlink" 
href="http://support.microsoft.com/kb/301680/"&gt;301680&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/301680/)&lt;/span&gt; How to create a boot disk for an NTFS or FAT partition in Windows&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Save the file to a floppy disk as &lt;span class="userInput"&gt;Boot.ini&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;NOTE&lt;/b&gt;: If you used Notepad to create the file, make sure that the .txt extension is not appended to the Boot.ini file name.&lt;/li&gt;&lt;li type="a"&gt;Type the following command at the Recovery Console command prompt to copy the Boot.ini file from the floppy disk to the computer:&lt;div class="indent"&gt;&lt;span class="userInput"&gt;copy a:\Boot.ini c:\&lt;/span&gt;&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;exit&lt;/span&gt;, and then press ENTER. The computer restarts.&lt;/li&gt;&lt;/ol&gt;&lt;h4 id="tocHeadRef"&gt;Method 3: Use the Windows 2000 CD-ROM&lt;/h4&gt;&lt;ol&gt;&lt;li&gt;Insert the Windows 2000 CD-ROM into the computer's CD-ROM drive or DVD-ROM drive, and start Windows 2000 Setup.&lt;/li&gt;&lt;li&gt;On the &lt;strong class="uiterm"&gt;Welcome to Setup&lt;/strong&gt; page, press &lt;b&gt;R&lt;/b&gt;.&lt;/li&gt;&lt;li&gt;On the &lt;strong class="uiterm"&gt;Windows 2000 Repair Options&lt;/strong&gt; page, press &lt;b&gt;R&lt;/b&gt;.&lt;/li&gt;&lt;li&gt;When you are prompted to select one of the repair options, press M.&lt;/li&gt;&lt;li&gt;Press the UP ARROW twice to select &lt;strong class="uiterm"&gt;Verify Windows 2000 system files&lt;/strong&gt;, and then press ENTER to clear the selection.&lt;/li&gt;&lt;li&gt;Press the DOWN ARROW to select &lt;strong 
class="uiterm"&gt;Continue (perform selected tasks)&lt;/strong&gt;, and then press ENTER. The following message appears:&lt;div class="indent"&gt;You need an Emergency Repair disk for the Windows 2000&lt;br /&gt;installation you want to repair.&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Do one of the following, as appropriate to your situation: &lt;ul&gt;&lt;li&gt;If you have an Emergency Repair Disk, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Press ENTER.&lt;/li&gt;&lt;li type="a"&gt;Insert the Emergency Repair Disk into the computer's floppy disk drive, and then press ENTER.&lt;/li&gt;&lt;li type="a"&gt;Follow the instructions to repair the installation, and then restart the computer.&lt;/li&gt;&lt;/ol&gt; -or- &lt;/li&gt;&lt;li&gt;If you do not have an Emergency Repair Disk, follow these steps: &lt;ol&gt;&lt;li type="a"&gt;Press L. You receive a message similar to the following:&lt;div class="indent"&gt;Setup has found Windows 2000 in the following folder: &lt;div class="indent"&gt;&lt;var&gt;drive&lt;/var&gt;:\WINNT "Microsoft Windows 2000"&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;li type="a"&gt;Press ENTER.&lt;br /&gt;&lt;br /&gt;Setup examines the disks, and then completes the repair process.&lt;/li&gt;&lt;/ol&gt;&lt;/li&gt;&lt;/ul&gt;For more information about the emergency repair feature, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/231777/"&gt;231777&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/231777/)&lt;/span&gt; How to create an Emergency Repair Disk in Windows 2000&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;br /&gt;&lt;h4 id="tocHeadRef"&gt;If Setup Cannot Locate Windows 2000&lt;/h4&gt;
If you do not have a Windows 2000 Emergency Repair Disk, and if Setup cannot locate the Windows 2000 installation, follow these steps: &lt;ol&gt;&lt;li&gt;Start Windows 2000 Setup.&lt;/li&gt;&lt;li&gt;On the &lt;strong class="uiterm"&gt;Setup will install Windows 2000 on partition&lt;/strong&gt; page, select &lt;strong class="uiterm"&gt;Leave the current file system intact (no changes)&lt;/strong&gt;, and then press ENTER.&lt;/li&gt;&lt;li&gt;Press ESC to install Windows 2000 to a new folder.&lt;/li&gt;&lt;li&gt;In the &lt;strong class="uiterm"&gt;Select the folder in which the files should be copied&lt;/strong&gt; box, type &lt;span class="userInput"&gt;\tempwin&lt;/span&gt;, and then press ENTER.&lt;br /&gt;&lt;br /&gt;Setup installs a new copy of Windows 2000.&lt;/li&gt;&lt;li&gt;Log on to the new copy of Windows 2000.&lt;/li&gt;&lt;li&gt;Click &lt;b&gt;Start&lt;/b&gt;, and then click &lt;b&gt;Run&lt;/b&gt;.&lt;/li&gt;&lt;li&gt;In the &lt;b&gt;Open&lt;/b&gt; box, type &lt;span class="userInput"&gt;cmd&lt;/span&gt;, and then click &lt;b&gt;OK&lt;/b&gt;.&lt;/li&gt;&lt;li&gt;At the command prompt, type &lt;span class="userInput"&gt;&lt;var&gt;drive&lt;/var&gt;:&lt;/span&gt;, where &lt;var&gt;drive&lt;/var&gt; is the boot drive of the computer, and then press ENTER. 
For example, type &lt;span class="userInput"&gt;c:&lt;/span&gt;, and then press ENTER.&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;attrib -h -r -s Boot.ini&lt;/span&gt;, and then press ENTER.&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;edit Boot.ini&lt;/span&gt;, and then press ENTER.&lt;br /&gt;&lt;br /&gt;Edit.com opens a Boot.ini file that is similar to the following file:&lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt;[boot loader]&lt;br /&gt;timeout=30&lt;br /&gt;default=multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN&lt;br /&gt;[operating systems]&lt;br /&gt;multi(0)disk(0)rdisk(0)partition(1)\TEMPWIN="Microsoft Windows 2000 Professional" /fastdetect&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Replace all instances of &lt;b&gt;TEMPWIN&lt;/b&gt; with &lt;b&gt;WINNT&lt;/b&gt;. The Boot.ini file that appears is similar to the following file:&lt;div class="kb_intextwrapper"&gt;&lt;div class="kb_intextbody"&gt;&lt;pre class="in_text"&gt;[boot loader]&lt;br /&gt;timeout=30&lt;br /&gt;default=multi(0)disk(0)rdisk(0)partition(1)\WINNT&lt;br /&gt;[operating systems]&lt;br /&gt;multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Professional" /fastdetect&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;/li&gt;&lt;li&gt;Press ALT+F, and then press S to save the file.&lt;/li&gt;&lt;li&gt;Press ALT+F, and then press X to exit Edit.com.&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;attrib +h +r +s Boot.ini&lt;/span&gt;, and then press ENTER.&lt;/li&gt;&lt;li&gt;Type &lt;span class="userInput"&gt;exit&lt;/span&gt; to quit the command prompt.&lt;/li&gt;&lt;li&gt;Restart the computer.&lt;/li&gt;&lt;li&gt;At the &lt;strong class="uiterm"&gt;Please select the operating system to start&lt;/strong&gt; screen, use the ARROW keys to select &lt;b&gt;Microsoft Windows 2000&lt;/b&gt;, and then press ENTER.&lt;/li&gt;&lt;li&gt;Start Windows 
Explorer, locate the following folders, and then delete them:&lt;div class="indent"&gt;Tempwin&lt;br /&gt;All Users.Tempwin&lt;/div&gt;&lt;/li&gt;&lt;/ol&gt;&lt;h3 id="tocHeadRef"&gt;Additional Resources&lt;/h3&gt;For more information about how to troubleshoot the "NTLDR is Missing" error message, click the following article numbers to view the articles in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/255220/"&gt;255220&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/255220/)&lt;/span&gt; "NTLDR is missing" error message when you upgrade or install Windows 2000 over Windows 95, Windows 98 or Windows Millennium Edition&lt;/div&gt;&lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/228004/"&gt;228004&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/228004/)&lt;/span&gt; Changing active partition can make your system unbootable&lt;/div&gt;&lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/883275/"&gt;883275&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/883275/)&lt;/span&gt; You cannot start your computer after you modify the permissions in Windows Server 2003, in Windows XP, or in Windows 2000&lt;/div&gt;
&lt;h3 id="tocHeadRef"&gt;Perform a Parallel Installation of Windows 2000&lt;/h3&gt;If you cannot resolve the behavior described in the "Symptoms" section of this article by using any of the methods discussed in this article or by viewing the Knowledge Base articles in the &lt;span&gt;&lt;a href="http://support.microsoft.com/kb/318728#7"&gt;Additional Resources&lt;/a&gt;&lt;/span&gt; section of this article, perform a parallel installation of Windows 2000, and then use Windows Explorer to copy the data that you want to recover from your original Windows installation.&lt;br /&gt;&lt;br /&gt;For more information about how to perform a parallel installation of Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base: &lt;div class="indent"&gt;&lt;a class="KBlink" href="http://support.microsoft.com/kb/266465/"&gt;266465&lt;/a&gt; &lt;span class="pLink"&gt;(http://support.microsoft.com/kb/266465/)&lt;/span&gt; How to perform a parallel installation of Windows 2000 or Windows Server 2003&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/7358546017930322921/comments/default' title='Post Comments'/><link rel='replies' type='text/html' 
href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=7358546017930322921' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7358546017930322921'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7358546017930322921'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/how-to-troubleshoot-ntldr-is-missing.html' title='How to troubleshoot the &quot;NTLDR Is Missing&quot; error message in Windows 2000'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-601088758251710346</id><published>2009-11-18T09:47:00.000-08:00</published><updated>2009-11-18T09:49:39.869-08:00</updated><title type='text'>How to Enter Windows XP Recovery Console</title><content type='html'>&lt;h2&gt; Boot From the Windows XP CD&lt;/h2&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/6/0/-/-/rc1.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/6/0/-/-/rc1.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;/q&gt;&lt;p&gt; To enter &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt; in Windows XP, you will need to &lt;a href="http://pcsupport.about.com/od/tipstricks/ht/bootcddvd.htm"&gt;boot from the Windows XP CD&lt;/a&gt;. 
&lt;/p&gt; &lt;ol&gt;&lt;li&gt; Watch for a &lt;i&gt;Press any key to boot from CD...&lt;/i&gt; message similar to the one shown above.&lt;br /&gt;&lt;br /&gt;&lt;/li&gt;&lt;li&gt;&lt;b&gt;Press a key&lt;/b&gt; to force the computer to &lt;a href="http://pcsupport.about.com/od/termsag/g/termboot.htm"&gt;boot&lt;/a&gt; from the Windows CD. If you do not press a key, your PC will continue to boot to the Windows XP installation that's currently installed on your &lt;a href="http://pcsupport.about.com/od/componentprofiles/p/p_hdd.htm"&gt;hard drive&lt;/a&gt;. If this happens, simply reboot and try to boot to the Windows XP CD again. &lt;/li&gt;&lt;/ol&gt;&lt;br /&gt;&lt;h2&gt; Allow Windows XP to Begin the Setup Process&lt;/h2&gt;&lt;div id="ssimg"&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/7/0/-/-/rc2.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/7/0/-/-/rc2.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;/q&gt;&lt;p class="caption"&gt;Windows XP Recovery Console - Step 2 of 6&lt;/p&gt;&lt;/div&gt;     &lt;p&gt; No user intervention is required in this step. Windows XP is loading a number of files in preparation for either a reinstallation of Windows XP or for use of the &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt;. &lt;/p&gt; &lt;p&gt; &lt;b&gt;Note:&lt;/b&gt; Do not press a function key if asked to do so during this process. 
Those options are only necessary when &lt;a href="http://pcsupport.about.com/od/operatingsystems/ss/installxpnew1.htm"&gt;installing Windows XP&lt;/a&gt; or &lt;a href="http://pcsupport.about.com/od/operatingsystems/ss/instxpclean1.htm"&gt;reinstalling Windows XP&lt;/a&gt; and only then in certain circumstances.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2&gt; Press R to Enter Recovery Console&lt;/h2&gt;&lt;div id="ssimg"&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/8/0/-/-/rc3.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/8/0/-/-/rc3.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;/q&gt;&lt;p class="caption"&gt;Windows XP Recovery Console - Step 3 of 6&lt;/p&gt;&lt;/div&gt;     &lt;p&gt; When the &lt;i&gt;Windows XP Professional/Home Setup&lt;/i&gt; screen appears, press &lt;b&gt;R&lt;/b&gt; to enter &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt;.&lt;br /&gt;&lt;/p&gt;&lt;h2&gt; Choose the Windows Installation&lt;/h2&gt;&lt;div id="ssimg"&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/9/0/-/-/rc4.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/9/0/-/-/rc4.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;/q&gt;&lt;p class="caption"&gt;Windows XP Recovery Console - Step 4 of 6&lt;/p&gt;&lt;/div&gt;     &lt;p&gt; The &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt; is now loading but needs to know which Windows installation to access. Most users only have a single Windows XP installation so the choice is usually clear. 
&lt;/p&gt; &lt;p&gt; To the &lt;i&gt;Which Windows installation would you like to log onto&lt;/i&gt; question, press &lt;b&gt;1&lt;/b&gt; and then &lt;b&gt;Enter&lt;/b&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2&gt; Enter the Administrator Password&lt;/h2&gt;&lt;div id="ssimg"&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/A/0/-/-/rc5.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/A/0/-/-/rc5.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;/q&gt;&lt;p class="caption"&gt;Windows XP Recovery Console - Step 5 of 6&lt;/p&gt;&lt;/div&gt;     &lt;p&gt; The &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt; now needs to know the administrator password for this Windows XP installation. Unless you are using a PC in a sizable business network, the administrator password is most likely the same password you use to access Windows XP on a daily basis. &lt;/p&gt; &lt;p&gt; Still not sure what the administrator password is? &lt;a href="http://pcsupport.about.com/od/toolsofthetrade/gr/offlinentpwed.htm"&gt;Offline NT Password &amp;amp; Registry Editor&lt;/a&gt;, a free program typically used to &lt;a href="http://pcsupport.about.com/od/toolsofthetrade/tp/passrecovery.htm"&gt;reset lost Windows passwords&lt;/a&gt;, also has the ability to transform standard user accounts into administrator accounts, all without needing access to a working Windows installation! &lt;/p&gt; &lt;p&gt; To the &lt;i&gt;Type the Administrator password&lt;/i&gt; request, &lt;b&gt;enter the password&lt;/b&gt; and press &lt;b&gt;Enter&lt;/b&gt;. 
&lt;/p&gt; &lt;p&gt; &lt;b&gt;Note:&lt;/b&gt; If you do not have a password or Windows XP normally starts without asking for one, simply press &lt;b&gt;Enter&lt;/b&gt;.&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;h2&gt; Make Necessary Changes in Windows XP Recovery Console&lt;/h2&gt;&lt;div id="ssimg"&gt;&lt;q&gt;&lt;a href="http://z.about.com/d/pcsupport/1/0/B/0/-/-/rc6.jpg" target="_blank" title="View Full-Size"&gt;&lt;img class="photo" src="http://z.about.com/d/pcsupport/1/5/B/0/-/-/rc6.jpg" alt="Recovery Console - Windows XP Recovery Console" /&gt;&lt;/a&gt;&lt;/q&gt;&lt;p class="caption"&gt;Windows XP Recovery Console - Step 6 of 6&lt;/p&gt;&lt;/div&gt;     &lt;p&gt; The &lt;a href="http://pcsupport.about.com/od/termsr/p/recoveryconsole.htm"&gt;Recovery Console&lt;/a&gt; is now fully loaded and the cursor should be sitting at the prompt, ready for a &lt;a href="http://pcsupport.about.com/od/termsc/g/commands.htm"&gt;command&lt;/a&gt;, as shown in the screen shot above. &lt;/p&gt; &lt;p&gt; Make any changes necessary in the Windows XP Recovery Console. When complete, take out the Windows XP CD and type &lt;b&gt;exit&lt;/b&gt; to restart the computer. &lt;/p&gt; &lt;p&gt; &lt;b&gt;Note:&lt;/b&gt; A limited number of commands are available for use from within Recovery Console. See the &lt;a href="http://pcsupport.about.com/od/fixtheproblem/tp/recovery_console_commands.htm"&gt;complete list of Recovery Console commands&lt;/a&gt; for more information. 
&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;p&gt;&lt;br /&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-601088758251710346?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/601088758251710346/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=601088758251710346' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/601088758251710346'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/601088758251710346'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/how-to-enter-windows-xp-recovery.html' title='How to Enter Windows XP Recovery Console'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-7859889293790218149</id><published>2009-11-18T04:55:00.001-08:00</published><updated>2009-11-18T04:55:13.218-08:00</updated><title type='text'>Windows XP Professional Resource Kit Errata</title><content type='html'>&lt;table class="headline" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td class="bullet"&gt;•&lt;/td&gt;&lt;td&gt;&lt;span class="label"&gt;&lt;a href="http://www.microsoft.com/windowsxp/using/productdoc/errata1.mspx"&gt;Windows XP Professional Resource Kit Errata&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="blurb"&gt;Updates and corrections to Microsoft Windows XP 
Professional Resource Kit Documentation.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table class="headline" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td class="bullet"&gt;•&lt;/td&gt;&lt;td&gt;&lt;span class="label"&gt;&lt;a href="http://www.microsoft.com/windowsxp/using/productdoc/errata2.mspx"&gt;Windows XP Professional Resource Kit Errata&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="blurb"&gt;Updates and corrections to Microsoft Windows XP Professional Resource Kit Documentation.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table class="headline" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td class="bullet"&gt;•&lt;/td&gt;&lt;td&gt;&lt;span class="label"&gt;&lt;a href="http://www.microsoft.com/windowsxp/using/productdoc/errata3.mspx"&gt;Windows XP Professional Resource Kit Errata&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="blurb"&gt;Updates and corrections to Microsoft Windows XP Professional Resource Kit Documentation.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table class="headline" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td class="bullet"&gt;•&lt;/td&gt;&lt;td&gt;&lt;span class="label"&gt;&lt;a href="http://www.microsoft.com/windowsxp/using/productdoc/gpss.mspx"&gt;Windows XP Professional Resource Kit&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="blurb"&gt;The Group Policy Object Settings spreadsheet provides a comprehensive list of the default Group Policy object settings, with information about which settings are new for Windows XP Professional.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;table class="headline" border="0" cellpadding="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr valign="top"&gt;&lt;td class="bullet"&gt;•&lt;/td&gt;&lt;td&gt;&lt;span class="label"&gt;&lt;a 
href="http://www.microsoft.com/windowsxp/using/productdoc/scriptsamples.mspx"&gt;Windows XP Professional Resource Kit&lt;/a&gt;&lt;br /&gt;&lt;/span&gt;&lt;p class="blurb"&gt;Script samples for configuring and operating System Restore (locally &amp;amp; remotely) on computers running Windows XP Professional.&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-7859889293790218149?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/7859889293790218149/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=7859889293790218149' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7859889293790218149'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7859889293790218149'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/windows-xp-professional-resource-kit.html' title='Windows XP Professional Resource Kit Errata'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-251613945814156263</id><published>2009-11-18T04:53:00.002-08:00</published><updated>2009-11-18T04:54:29.091-08:00</updated><title type='text'>Download Windows XP Reskit Tools</title><content type='html'>Where can I get the Windows XP Support Tools?&lt;br /&gt;&lt;br /&gt;&lt;p&gt;The Windows XP Resource Kit Tools are a set of 
software tools for administrators, developers, and power users to manage Active Directory, Group Policy, TCP/IP networks, the registry, security, scalability and many other areas of the Windows XP operating system.&lt;/p&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; I recommend using the Windows Server 2003 Support Tools instead, as they are newer than the XP ones and include a few new tools.&lt;/p&gt;&lt;p&gt;The Windows Support Tools for Windows XP can be installed only on a computer that is running the Windows XP operating system. The Windows Support Tools for Windows XP cannot be used to upgrade Microsoft Windows NT or Microsoft Windows 2000 Support Tools installed on Windows NT or Windows 2000.&lt;/p&gt;&lt;p&gt;Since Windows XP SP2 came out, a newer version of the Support Tools is available for download; see the link below.&lt;/p&gt;&lt;p&gt;The following Support Tools have been updated in Service Pack 2:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;bitsadmin.exe&lt;/li&gt;&lt;li&gt;extract.exe&lt;/li&gt;&lt;li&gt;httpcfg.exe&lt;/li&gt;&lt;li&gt;iadstools.dll&lt;/li&gt;&lt;li&gt;ipseccmd.exe&lt;/li&gt;&lt;li&gt;netdom.exe&lt;/li&gt;&lt;li&gt;replmon.exe&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;&lt;b&gt;Note:&lt;/b&gt; The original XP Reskit tools are available on the XP installation CD in the &lt;i&gt;\support\tools&lt;/i&gt; directory.&lt;/p&gt;&lt;p&gt;Supported Operating Systems:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;Windows Server 2003, Windows XP&lt;/li&gt;&lt;li&gt;Windows XP 2600&lt;/li&gt;&lt;li&gt;Windows XP SP1 and SP2&lt;/li&gt;&lt;li&gt;Windows Server 2003 family (3790)&lt;/li&gt;&lt;/ul&gt;&lt;p&gt;Plus, 30 MB of free disk space is needed for the installation.&lt;/p&gt;&lt;p&gt;Download the &lt;a href="http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&amp;amp;displaylang=en"&gt;Windows XP Support Tools&lt;/a&gt; (4.8 MB - smaller download from Microsoft, missing the Deployment Tools and some features)&lt;/p&gt;
&lt;p&gt;Download the &lt;a href="http://download.microsoft.com/download/8/e/c/8ec3a7d8-05b4-440a-a71e-ca3ee25fe057/rktools.exe"&gt;Windows XP Support Tools&lt;/a&gt; (12.5 MB)&lt;/p&gt;&lt;p&gt;Download the &lt;a href="http://www.petri.co.il/software/winxp_sp2_support_tools.zip"&gt;Windows XP Support Tools&lt;/a&gt; (12.5 MB - local download - slow)&lt;/p&gt;&lt;h2&gt;Related articles&lt;/h2&gt;&lt;p&gt;You may find these related articles of interest to you:&lt;/p&gt;&lt;ul&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_free_reskit_tools.htm"&gt;Download Free Windows 2000 Resource Kit Tools&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_gpmc.htm"&gt;Download GPMC&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_iis_60_resource_kit.htm"&gt;Download IIS 6.0 Resource Kit&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_iis_60_reskit_tools.htm"&gt;Download IIS 6.0 Reskit Tools&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_office_2000_reskit_tools.htm"&gt;Download Office 2000 Reskit Tools&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_office_system_2003_reskit_tools.htm"&gt;Download Office System 2003 Reskit Tools&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a href="http://www.petri.co.il/download_office_xp_reskit_tools.htm"&gt;Download Office XP Reskit Tools&lt;/a&gt;&lt;/p&gt;&lt;/li&gt;&lt;li&gt;&lt;p&gt;&lt;a 
href="http://www.petri.co.il/download_rdp_5_2.htm"&gt; Download RDP 5.2&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_w2k_adminpak.htm"&gt; Download Windows 2000 Adminpak&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_w2k_sp4_deploy_tools.htm"&gt; Download Windows 2000 SP4 Deploy Tools&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_w2k_sp4_support_tools.htm"&gt; Download Windows 2000 SP4 Support Tools&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_2003_adminpak.htm"&gt; Download Windows 2003 Adminpak&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_2003_r2_adminpak.htm"&gt; Download Windows 2003 R2 Adminpak&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_2003_reskit_tools.htm"&gt; Download Windows 2003 Reskit Tools&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_2003_sp1_support_tools.htm"&gt; Download Windows 2003 SP1 Support Tools&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_2003_deployment_kit.htm"&gt; Download Windows 2003 Deployment Kit&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;li&gt; &lt;p&gt; &lt;a href="http://www.petri.co.il/download_windows_xp_sp1_deploy_tools.htm"&gt; Download Windows XP SP1 Deploy Tools&lt;/a&gt; &lt;/p&gt;&lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-251613945814156263?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/251613945814156263/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=251613945814156263' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/251613945814156263'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/251613945814156263'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/download-windows-xp-reskit-tools.html' title='Download Windows XP Reskit Tools'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-1278738802788196926</id><published>2009-11-18T04:53:00.001-08:00</published><updated>2009-11-18T04:53:34.677-08:00</updated><title type='text'>Create your own user-defined services Windows NT/2000/XP/2003</title><content type='html'>The Windows NT/2000 Resource Kit provides two utilities that allow you to create a Windows user-defined service for Windows applications and some 16-bit applications (but not for batch files).&lt;br /&gt;&lt;br /&gt;&lt;b&gt;What's needed for Windows NT/2000&lt;/b&gt;:&lt;br /&gt;&lt;b&gt;Instsrv.exe&lt;/b&gt; installs and removes system services from Windows NT/2000.&lt;br /&gt;&lt;b&gt;Srvany.exe&lt;/b&gt; allows any Windows application to run as a service.&lt;br /&gt;You can download both files here: &lt;a href="http://www.tacktech.com/download.cfm?file=microsoft/service/srvany.zip"&gt;srvany.zip&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This zip includes three files. 
The two you need to install the service are srvany.exe and instsrv.exe; srvany.wri documents everything you can do with the program.&lt;br /&gt; &lt;b&gt;Note:&lt;/b&gt; Make sure the Services Manager is closed while running the DOS commands.&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;You will need to put these files in a directory called &lt;b&gt;reskit&lt;/b&gt;. At an MS-DOS command prompt (Start | Run | "cmd.exe"), type the following command:&lt;br /&gt;&amp;lt;path&amp;gt;\reskit\INSTSRV.EXE "&lt;i&gt;Service Name&lt;/i&gt;" &amp;lt;path&amp;gt;\reskit\SRVANY.EXE&lt;br /&gt;This creates the service in the Services manager and the registry keys used to set up which program to run.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/addsrv.gif" alt="http:www.tacktech.com/" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;Next open regedit.exe: &lt;b&gt;Start | Run | regedit.exe&lt;/b&gt;&lt;br /&gt;&lt;b&gt;WARNING:&lt;/b&gt; Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. 
Use Registry Editor at your own risk.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/regedit.gif" alt="http:www.tacktech.com/" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;Next navigate to this registry key:&lt;br /&gt;&lt;b&gt;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\&lt;i&gt;service name&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/key.gif" alt="http:www.tacktech.com/" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;From the Edit menu, click Add Key and name it &lt;b&gt;Parameters&lt;/b&gt;.&lt;br /&gt;Next, from the Edit menu, click Add Value and enter this information:&lt;br /&gt;&lt;b&gt;Value Name: Application&lt;/b&gt;&lt;br /&gt;&lt;b&gt;Data Type : REG_SZ&lt;/b&gt;&lt;br /&gt;&lt;b&gt;String : &amp;lt;path&amp;gt;\&amp;lt;application.ext&amp;gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/addkey.gif" alt="http:www.tacktech.com/" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;Now you can start your service from the Service Manager.&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/srvmgr.gif" alt="http:www.tacktech.com/" /&gt;&lt;br /&gt;&lt;br /&gt;&lt;hr /&gt;&lt;br /&gt;With this same program you can also remove the service. 
Just run this command from the command prompt.&lt;br /&gt;&lt;b&gt;&amp;lt;path&amp;gt;\reskit\INSTSRV.EXE &lt;i&gt;"Service Name"&lt;/i&gt; REMOVE&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;img src="http://www.tacktech.com/images/articles/197/remove.gif" alt="http:www.tacktech.com/" /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-1278738802788196926?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/1278738802788196926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=1278738802788196926' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/1278738802788196926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/1278738802788196926'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/create-your-own-user-defined-services.html' title='Create your own user-defined services Windows NT/2000/XP/2003'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-4706922403149938361</id><published>2009-11-13T23:45:00.001-08:00</published><updated>2009-11-13T23:45:46.318-08:00</updated><title type='text'>HowTo Mount your NTFS Filesystem/Partition for Read/Write Access in openSUSE 10, 11</title><content type='html'>&lt;div id="summary"&gt; &lt;p&gt;&lt;strong&gt;Index of Topics (in-page links):&lt;/strong&gt;&lt;/p&gt; &lt;ul style="list-style-type: 
none;"&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#locate"&gt;Locate your NTFS partitions&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#default"&gt;Suse's default treatment of NTFS on Internal Drives&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#permanent"&gt;Permanent Mounts for Internal Drives&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#locale"&gt;The "locale" option&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#force"&gt;The "force" option&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#dirty"&gt;Failed Mounts -- Resetting the "dirty" bit&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#temporary"&gt;Temporary Mounts for Internal Drives&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#external"&gt;Automounting external (USB) NTFS drives in read-write mode&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#config"&gt;The GUI application ntfs-config&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt; &lt;/div&gt;&lt;!-- end summary --&gt;  &lt;div id="col-left"&gt;   &lt;p&gt;&lt;strong&gt;Internal and external NTFS partitions are different&lt;/strong&gt;: NTFS partitions don't mount read-write by default. 
You can arrange for an internal drive to mount read-write permanently by making a permanent entry in the file system table (fstab). You can't do that for an external NTFS partition because if it's switched off when the system boots, the entry in fstab will cause an error condition. So we apply different tweaks for internal and external drives.&lt;/p&gt; &lt;p&gt;&lt;a name="locate"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Identify your NTFS partitions&lt;/strong&gt;: You can see your NTFS partitions in the response you get when you call an fdisk listing in a console with this command:&lt;/p&gt; &lt;div class="leftbox"&gt;sudo /sbin/fdisk -l&lt;/div&gt; &lt;p&gt;Look for the lines containing "NTFS" in the output, like this one from my computer:&lt;/p&gt; &lt;div class="leftbox"&gt;/dev/sdb1   *           1        1306    10490413+   7  HPFS/NTFS&lt;/div&gt; &lt;p&gt;That identifies an NTFS partition on device sdb1, the first partition on the second internal drive. If it's mounted, you'll see it in the response to the console command &lt;span class="mono"&gt;mount&lt;/span&gt;, in KDE's "My Computer" link on the Desktop or in Gnome's Nautilus under the Computer --&gt; Filesystem Icon (provided you know the mount point).&lt;/p&gt; &lt;p&gt;Alternatively you can see a good summary of all the above information in Yast's Partitioner (Yast --&gt; System --&gt; Partitioner).&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Software FYI&lt;/strong&gt;: You need the applications ntfs-3g and libfuse2 (or fuse, which brings libfuse2 with it). These are usually installed by default. 
You can optionally have ntfs-config, which allows one-click switching on/off of read permissions for ordinary users on internal ntfs partitions; warning -- do not use ntfs-config for external drives unless you are at least an intermediate user.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Internal Drives&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a name="default"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Suse's default treatment of NTFS on Internal Drives&lt;/strong&gt;: If you accepted the defaults for NTFS partitions suggested during installation of openSUSE, then the install program will create entries in fstab that mount NTFS partitions permanently using the ntfs-3g driver. Root can read and write whereas users can only read.&lt;/p&gt;&lt;p&gt; If you refuse the suggestion for mounting an existing NTFS partition made by Yast's partitioner during installation of openSUSE -- or if you create a new NTFS partition on an internal drive after installation, then the partition(s) will not be mounted at all thereafter until you actively make it happen.&lt;/p&gt; &lt;p&gt;There are two types of mounts: temporary mounts made from the command line interface using a console, and permanent mounts made by inserting mount instructions into the file system table using either the CLI or one of several GUI tools.&lt;/p&gt;  &lt;p&gt;&lt;a name="permanent"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Permanent Mounts for Internal Drives&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;Suppose that you want to mount a partition permanently in a folder you create for it (e.g. mount_point), located anywhere you like in your filesystem, say at /path_to/mount_point.&lt;/p&gt; &lt;p&gt;To mount your NTFS partition permanently, add your version of the following line into the file system table, fstab. 
Make sure you leave no blank lines between entries, but the file &lt;em&gt;must&lt;/em&gt; end with a blank line. Recommended option for a world-writeable mount:&lt;/p&gt; &lt;div class="leftbox"&gt;/dev/sda2    /path_to/mount_point    ntfs-3g    defaults    0 0&lt;/div&gt; &lt;p&gt;When you reboot, the partition will mount into the folder /path_to/mount_point with permissions drwxrwxrwx, i.e. with read/write access for everybody, in the style of Microsoft's insecure filesystems.&lt;/p&gt; &lt;p&gt;Here's an alternate option for fstab: If you want the permissions to be Linux-like, you can specify a particular owner for the mount folder and its contents with this sort of line in fstab. Recommended option for a sole-owner mount:&lt;/p&gt; &lt;div class="leftbox"&gt;/dev/sda2    /path_to/mount_point    ntfs-3g    uid=1000,gid=100,umask=0022    0 0&lt;/div&gt; &lt;p&gt;In this example the "umask" with octal value 0022 produces permissions drwxr-xr-x on folder /path_to/mount_point, for the owner/user with uid=1000, just like a standard Linux user. Of course, uid values run 1000, 1001, 1002, ... as the case may be.&lt;/p&gt; &lt;p&gt;Here's yet another alternative for the entry, widely quoted, which is why I include it. Recommended against because it can cause errors:&lt;/p&gt; &lt;div class="leftbox"&gt;/dev/sda2    /path_to/mount_point    ntfs-3g    user,users,gid=users,umask=0002    0 0&lt;/div&gt; &lt;p&gt;In this example the owner is root, the group is users and the octal value 0002 for umask produces permissions drwxrwxr-x. The options "user" and "users" imply that the disk is mountable (and unmountable) by ordinary users. Caution: that can lead to a "dirty" filesystem which will no longer mount until a consistency check is performed in Windows. Also, in reality, mounting the partition as an ordinary user can be problematic. 
I recommend strongly against using this last formulation.&lt;/p&gt; &lt;p&gt;&lt;a name="locale"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;The locale option&lt;/strong&gt;: If the partition contains files with a national character set that has not been set (by the operating system) before the partition is mounted, those files can be invisible and appear to have vanished; very disconcerting. Setting the locale option can render them visible again; e.g. add &lt;span class="mono"&gt;locale=en_US.UTF-8&lt;/span&gt; for US English in UTF-8, or &lt;span class="mono"&gt;locale=cs_CZ.utf8&lt;/span&gt; for Czech, etc. To see them all on openSUSE enter this command in a console: &lt;span class="mono"&gt;locale -a&lt;/span&gt;. Most people do not need to include the locale option.&lt;/p&gt; &lt;p&gt;&lt;a name="force"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;The force option&lt;/strong&gt;: If the partition is unmounted in a disorderly fashion, e.g. power failure, unmounted improperly by a user, etc., then the so-called "dirty" bit remains set and a consistency check (e.g. by booting to Windows and running chkdsk) is needed before the drive can be mounted again. You can bypass this requirement by including the force option. Just add the word &lt;em&gt;force&lt;/em&gt; into the comma-separated list of options in either of the recommended mounting lines above, which will become "defaults,force" or "uid=1000,gid=100,umask=0022,force" depending on which you are using.&lt;/p&gt;  &lt;p&gt;&lt;a name="dirty"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Failed Mounts -- Resetting the "dirty" bit&lt;/strong&gt;: Sometimes the drive will fail to mount, as mentioned immediately above. You might get a message like this one, beginning "$LogFile indicates unclean shutdown. 
Mount is denied because NTFS is marked to be in use.......". These are symptomatic of disorderly processes previously interrupting a clean dismount or shutdown. If you have Windows (2000 or higher) installed or handy, boot into Windows and allow it to right the situation, either automatically by running a consistency check on booting or by running &lt;span class="mono"&gt;chkdsk /f&lt;/span&gt; yourself from the command prompt. Alternatively you can run &lt;span class="mono"&gt;chkdsk /p&lt;/span&gt; from the repair facility after you boot from the Windows install CD and continue to the point where you select to repair the installed system. Failing that, you can use the force option outlined just above, but that's not the preferred option.&lt;/p&gt;  &lt;p&gt;&lt;a name="temporary"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Temporary Mounts for Internal Drives&lt;/strong&gt;: I'm making this section brief, hoping you will refer above to the section on permanent mounts for the fuller details.&lt;/p&gt;&lt;p&gt;If you want to mount the NTFS partition temporarily, then you don't put an entry into fstab. Instead you just execute the command line versions of either of the recommended mounts discussed earlier. 
Don't forget these must be issued as root, so enter &lt;span class="mono"&gt;su&lt;/span&gt; first to get rootly powers.&lt;/p&gt; &lt;p&gt;Here is the recommended form for a world-writeable temporary mount:&lt;/p&gt; &lt;div class="leftbox"&gt;hostname:~ # mount -t ntfs-3g /dev/sda2 /path_to/mount_point&lt;/div&gt; &lt;p&gt;Note that the directory "mount_point" automagically changes permissions during the mount process to drwxrwxrwx, regardless of where and what it was before.&lt;/p&gt; &lt;p&gt;Here is the recommended form to simulate Linux-like permissions in a temporary mount:&lt;/p&gt; &lt;div class="leftbox"&gt;hostname:~ # mount -t ntfs-3g -o rw,uid=1000,gid=100,umask=0022 /dev/sda2 /path_to/mount_point&lt;/div&gt; &lt;p&gt;This alternate command-line version produces permissions drwxr-xr-x on folder /path_to/mount_point, for the owner/user with uid=1000, which is the normal situation for a Linux first user's home folders. You can of course use other values of uid, depending on who needs to own the mount.&lt;/p&gt;  &lt;p&gt;&lt;a name="external"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;Automounting external (USB) NTFS partitions in read-write mode&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;OpenSUSE from version 11.1 inclusive&lt;/strong&gt;: The openSUSE devs arranged for external (USB) NTFS partitions to automount read-write with permissions drwxrwxrwx beginning with version 11.1. Prior to that the automount was read-only. See the next paragraph for earlier releases.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;OpenSUSE pre version 11.1&lt;/strong&gt;: When you plug a USB NTFS drive into openSUSE it automounts read-only by design of the openSUSE developers. If you want it mounted read-write, you can either unmount it and then remount it using one of the CLI commands I've outlined above, or you can change the system default way of automounting NTFS drives so they will always automount read-write. 
To do that you essentially put a link into the directory /sbin that redirects the automount process to the ntfs-3g driver. The following command will create the permanent adjustment:&lt;/p&gt; &lt;div class="leftbox"&gt;sudo ln -s /sbin/mount.ntfs-3g /sbin/mount.ntfs&lt;/div&gt; &lt;p&gt;If at some later stage you want to revert to the default of automounting USB drives read-only, simply delete the link /sbin/mount.ntfs. Finally, read what was said above about how to fix a failure to mount.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Appendix: Bits and Pieces&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;With regard to the Linux-like permissions you get when you use the second option I've listed above, you may adjust the folder, document or user permissions quite widely. You should read the &lt;a target="_blank" href="http://opensuse.swerdna.org/susentfs_man.html" rel="external"&gt;man pages&lt;/a&gt;. Check out the umask, dmask and fmask options. Here's a handy little table of octal permissions to use for directory permissions:&lt;/p&gt; &lt;div class="leftbox"&gt;&lt;ul&gt;&lt;li&gt;owner=rwx group=rwx other=rwx; i.e. for drwxrwxrwx use umask=0000&lt;/li&gt;&lt;li&gt;owner=rwx group=rwx other=r-x; i.e. for drwxrwxr-x use umask=0002&lt;/li&gt;&lt;li&gt;owner=rwx group=rwx other=---; i.e. for drwxrwx--- use umask=0007&lt;/li&gt;&lt;li&gt;owner=rwx group=r-x other=r-x; i.e. for drwxr-xr-x use umask=0022&lt;/li&gt;&lt;li&gt;owner=rwx group=--- other=---; i.e. for drwx------ use umask=0077&lt;/li&gt;&lt;/ul&gt;&lt;/div&gt;  &lt;p&gt;&lt;a name="config"&gt;&lt;/a&gt;&lt;a href="http://opensuse.swerdna.org/susentfs.html#top"&gt;↑↑↑↑&lt;/a&gt;&lt;strong&gt;The GUI application ntfs-config&lt;/strong&gt;: openSUSE comes with the RPM ntfs-config, although it's not installed by default. You have to start it with this command in a console issued as root (enter &lt;span class="mono"&gt;su&lt;/span&gt; first): &lt;span class="mono"&gt;ntfs-config&lt;/span&gt;. 
It brings up a GUI that shows all your NTFS partitions and allows you to mount them as read-only or as read-write filesystems with simple one-click actions. You should not use this application on external drives because ntfs-config writes an entry to fstab for a permanent mount. If you reboot with that entry still remaining in fstab, you will have an error situation that will prevent booting to a Desktop Manager if the USB drive is not powered on when next you reboot.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Credits -&lt;/strong&gt; I adopted this info and these methods after reading the following and much more:&lt;/p&gt; &lt;ul style="list-style-type: none;"&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;the man pages (&lt;a target="_blank" href="http://opensuse.swerdna.org/susentfs_man.html" rel="external"&gt;man mount.ntfs-3g&lt;/a&gt;)&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;Search on "+ntfs +mount" in the old Suse Linux Support Forums and SuseForums.net&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;Crashoverride's article: &lt;a target="_blank" href="http://forums.opensuse.org/archives/sf-archives/tips-tricks-tweaks/335102-howto-how-get-full-read-write-support-ntfs.html" rel="external"&gt;How To Get Full Read And Write Support For Ntfs&lt;/a&gt;&lt;/li&gt;&lt;li&gt;&lt;span style="margin-left: -10px;"&gt;• &lt;/span&gt;OpenSuse article: &lt;a target="_blank" href="http://en.opensuse.org/NTFS" rel="external"&gt;How to Install NTFS Write Support&lt;/a&gt;&lt;/li&gt;&lt;/ul&gt;  &lt;p&gt;Cheers&lt;br /&gt;Swerdna June 07; latest update August 08&lt;/p&gt;  &lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-4706922403149938361?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://computerguidetips.blogspot.com/feeds/4706922403149938361/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=4706922403149938361' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4706922403149938361'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4706922403149938361'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/howto-mount-your-ntfs.html' title='HowTo Mount your NTFS Filesystem/Partition for Read/Write Access in openSUSE 10, 11'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-2355956061861584453</id><published>2009-11-13T01:05:00.001-08:00</published><updated>2009-11-13T01:06:01.121-08:00</updated><title type='text'>Enable / Disable Change Of Date And Time On Windows XP  Read more: http://www.troublefixers.com/enable-disable-change-of-date-and-time-on-windows-xp/#</title><content type='html'>&lt;p&gt;There can be more than one way of disabling the editing of Date and Time, but we tell you one easy and convenient way of doing it on a computer which is standalone and is not a part of any Active Directory.&lt;/p&gt; &lt;p&gt;&lt;strong&gt;Fix:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;To disable editing, you can set up a user with limited access, not Administrator access. 
Now with the method we describe below, you can allow only users with Administrator rights to edit the date and time, so the limited user will not be able to change the System date and time. &lt;/p&gt; &lt;p&gt;Follow the steps below:&lt;/p&gt; &lt;p&gt;1. Go to &lt;strong&gt;Start &gt; Control Panel &gt; Administrative Tools&lt;/strong&gt; &lt;/p&gt;&lt;p&gt;&lt;a href="http://www.troublefixers.com/wp-content/uploads/2009/06/controlpaneladministrativetools.jpg"&gt;&lt;img title="control-panel-administrative-tools" style="border-width: 0px; display: inline;" alt="control-panel-administrative-tools" src="http://www.troublefixers.com/wp-content/uploads/2009/06/controlpaneladministrativetools-thumb.jpg" width="404" border="0" height="200" /&gt;&lt;/a&gt;&lt;/p&gt;&lt;div id="TixyyLink" style="border: medium none ; overflow: hidden; color: rgb(0, 0, 0); background-color: transparent; text-align: left; text-decoration: none;"&gt;&lt;br /&gt;&lt;p&gt;2. Open &lt;strong&gt;Local Security Policy&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.troublefixers.com/wp-content/uploads/2009/06/localsecuritypolicies.jpg"&gt;&lt;img title="local-security-policies" style="border-width: 0px; display: inline;" alt="local-security-policies" src="http://www.troublefixers.com/wp-content/uploads/2009/06/localsecuritypolicies-thumb.jpg" width="404" border="0" height="292" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;3. 
Go to &lt;strong&gt;Local Policy &gt; User Rights Assignments &gt; Change the System time&lt;/strong&gt;, and double-click to open it.&lt;/p&gt; &lt;p&gt;&lt;a href="http://www.troublefixers.com/wp-content/uploads/2009/06/userrightassignment.jpg"&gt;&lt;img title="user-right-assignment" style="border-width: 0px; display: inline;" alt="user-right-assignment" src="http://www.troublefixers.com/wp-content/uploads/2009/06/userrightassignment-thumb.jpg" width="404" border="0" height="219" /&gt;&lt;/a&gt;&lt;/p&gt; &lt;p&gt;4. In the window that opens, you will see the options to add and remove user groups. Remove the limited users from this list and those limited users will not be able to edit the date and time of this computer. &lt;/p&gt; &lt;p&gt;&lt;a href="http://www.troublefixers.com/wp-content/uploads/2009/06/changesystemtimeproperties.jpg"&gt;&lt;img title="change-system-time-properties" style="border-width: 0px; display: inline;" alt="change-system-time-properties" src="http://www.troublefixers.com/wp-content/uploads/2009/06/changesystemtimeproperties-thumb.jpg" width="406" border="0" height="469" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;You can revert the above settings to allow the users to change the date and time.&lt;/p&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-2355956061861584453?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/2355956061861584453/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=2355956061861584453' title='0 
Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2355956061861584453'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2355956061861584453'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/enable-disable-change-of-date-and-time.html' title='Enable / Disable Change Of Date And Time On Windows XP  Read more: http://www.troublefixers.com/enable-disable-change-of-date-and-time-on-windows-xp/#'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-2128338114755658299</id><published>2009-11-06T06:05:00.001-08:00</published><updated>2009-11-06T06:06:09.988-08:00</updated><title type='text'>Using Software Restriction Policies to Protect Against Unauthorized Software</title><content type='html'>&lt;div id="mainSection"&gt;       &lt;div id="mainBody"&gt;         &lt;div&gt;Published: January 01, 2002&lt;span&gt; | &lt;/span&gt; Updated: May 25, 2004&lt;/div&gt;         &lt;p&gt;           &lt;strong&gt;Abstract&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Software restriction policies are a new feature in Microsoft® Windows® XP and Windows Server 2003. This important feature provides administrators with a policy-driven mechanism for identifying software programs running on computers in a domain, and controls the ability of those programs to execute. 
Software restriction policies can improve system integrity and manageability—which ultimately lowers the cost of owning a computer.&lt;/p&gt;         &lt;h5&gt;On This Page&lt;/h5&gt;         &lt;p&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ENAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ENAA"&gt;Introduction&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EMAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EMAA"&gt;Software Restriction Policies—An Overview&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ELAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ELAA"&gt;Software Restriction Policy Architecture&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EKAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EKAA"&gt;Software Restriction Policy Options&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EJAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EJAA"&gt;Software Restriction Policy Design&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EIAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EIAA"&gt;Step-by-Step Guide for Designing a Software Restriction Policy&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EHAA"&gt;                        
&lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EHAA"&gt;Step-by-Step Guide for Creating Additional Rules&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EGAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EGAA"&gt;Commonly Overlooked Rules&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EFAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EFAA"&gt;Scenarios&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EEAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EEAA"&gt;Deployment Considerations&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EDAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EDAA"&gt;Troubleshooting Software Restriction Policies&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ECAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#ECAA"&gt;Appendix&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EBAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EBAA"&gt;Summary&lt;/a&gt;          &lt;br /&gt;          &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EAAA"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#EAAA"&gt;Related Links&lt;/a&gt;          
&lt;br /&gt;        &lt;/p&gt;         &lt;h3 id="ENAA"&gt;Introduction&lt;/h3&gt;         &lt;p&gt;Software restriction policies are a part of Microsoft's security and management strategy to assist enterprises in increasing the reliability, integrity, and manageability of their computers. Software restriction policies are one of many new management features in Windows XP and Windows Server 2003.&lt;/p&gt;         &lt;p&gt;This article provides an in-depth look at how software restriction policies can be used to:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Fight viruses&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Regulate which ActiveX controls can be downloaded&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Run only digitally signed scripts&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Enforce that only approved software is installed on system computers&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Lock down a machine&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Expanded Management Capabilities&lt;/h4&gt;         &lt;p&gt;Windows 2000 brought significant management capabilities to the Windows platform. In Windows 2000, you could manage the software for your machines in the following ways:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Application settings allowed you to customize an application once through Group Policy, and then distribute that customization to all domain users who required it.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The Software Installation snap-in provided a means to centrally manage software distribution in your organization. When the user selected an application from the Start menu for the first time, it was installed automatically, and then opened. 
You could also publish applications to groups of users, making the application available for users to install.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Security settings defined a security configuration within a Group Policy Object (GPO). Security configuration consisted of settings for: account policies, local policies, event log, registry, file system, public key policies, and other policies.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Windows XP and Windows Server 2003&lt;/strong&gt; expand the management capabilities of Windows 2000 by adding the following features:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Better diagnostic and planning information&lt;/strong&gt; through Resultant Set of Policies (RSOP). For more information, see the article &lt;a id="ctl00_MTCS_main_ctl01" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl01',this);"&gt;Windows 2000 Group Policy&lt;/a&gt;&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Ability to use Windows Management Instrumentation (WMI) filtering.&lt;/strong&gt; In Windows 2000 you could apply policies based on organizational information in Active Directory®. In Windows XP you can use WMI information to apply group policies to, for example, machines with a certain build or service pack level of Windows.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Software restriction policies integrate with the operating system and common scripting runtimes to control the running of software at execution. In Windows 2000 you could hide access to applications by removing them from the Start menu or hiding the Run command. 
Software restriction policies go beyond simply removing the common access points for software.&lt;/p&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EMAA"&gt;Software Restriction Policies—An Overview&lt;/h3&gt;         &lt;p&gt;This section discusses the behavior of hostile code and problems associated with unknown code.&lt;/p&gt;         &lt;h4&gt;Hostile Code Has More Ways to Get In&lt;/h4&gt;         &lt;p&gt;With the increased use of networks and the Internet in daily business computing, the potential for encountering hostile code is higher than ever before. People collaborate in more sophisticated ways by using e-mail, instant messaging, and peer-to-peer applications. As these collaboration opportunities increase, so does the risk of viruses, worms, and other hostile code invading your systems. Remember: e-mail and instant messaging can transport unsolicited hostile code. Hostile code can take many forms. It can range from native Windows executables (.exe), to macros in word processing documents (.doc), to scripts (.vbs).&lt;/p&gt;         &lt;p&gt;Viruses and worms often use social engineering to trick users into activating them. With the sheer number and variety of forms that code can take, it can be difficult for users to know what is safe to run and what is not. When activated, hostile code can damage content on a hard disk, flood a network with a denial-of-service attack, send confidential information out to the Internet, or compromise the security of a machine.&lt;/p&gt;         &lt;h4&gt;The Problem with Unknown Code&lt;/h4&gt;         &lt;p&gt;Hostile code is not the only threat—many non-malicious software applications also cause problems. 
Any software not known and supported by an organization can conflict with other applications or change crucial configuration information. Software restriction policies were designed to help organizations control not just hostile code, but any unknown code—malicious or otherwise.&lt;/p&gt;         &lt;h5&gt;Responding to Unknown Code&lt;/h5&gt;         &lt;p&gt;Software restriction policies help a business respond to unknown code by:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Providing a way to define a list of what is trusted code versus what is not.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Providing a flexible, policy-based approach for regulating scripts, executables, and ActiveX controls.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Enforcing the policy automatically.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="ELAA"&gt;Software Restriction Policy Architecture&lt;/h3&gt;         &lt;p&gt;Figure 1 below shows the three components of a software restriction policy:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;An administrator creates the policy by using the Group Policy Microsoft Management Console (MMC) snap-in for a particular Active Directory container site, domain, or organizational unit.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The policy is downloaded and applied to a machine. User policies apply the next time a user logs on. 
Machine policies apply when a machine starts up.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;When a user starts a program or script, the operating system or scripting host checks the policy and enforces it.&lt;/p&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl02" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp01_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl02',this);"&gt;                 &lt;!--src=[images/rstrp01.gif]--&gt;&lt;img alt="rstrp01" src="http://i.technet.microsoft.com/Bb457006.rstrp01%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;h4&gt;Unrestricted or Disallowed&lt;/h4&gt;         &lt;p&gt;A software restriction policy is created using the MMC Group Policy snap-in. A policy consists of a default rule about whether programs are allowed to run, and exceptions to that rule. The default rule can be set to Unrestricted or Disallowed—essentially run or don't run.&lt;/p&gt;         &lt;p&gt;Setting the default rule to Unrestricted allows an administrator to define exceptions; for example, the set of programs that are not allowed to run. 
A more secure approach is to set the default rule to Disallowed and specify only the programs that are known and trusted to run.&lt;/p&gt;         &lt;h4&gt;Default Security Level&lt;/h4&gt;         &lt;p&gt;There are two ways to use software restriction policies:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;If an administrator knows all of the software that should run&lt;/strong&gt;, then a software restriction policy can be applied to control execution to only this list of trusted applications.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;If all the applications that users might run are not known&lt;/strong&gt;, then administrators can step in and disallow undesired applications or file types as needed.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Four Rules Identify Software&lt;/h4&gt;         &lt;p&gt;The purpose of a rule is to identify one or more software applications, and specify whether or not they are allowed to run. Creating rules largely consists of identifying software that is an exception to the default rule. 
Each rule can include descriptive text to help communicate why the rule was created.&lt;/p&gt;         &lt;p&gt;A software restriction policy supports the following four ways to identify software:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Hash&lt;/strong&gt;—A cryptographic fingerprint of the file.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Certificate&lt;/strong&gt;—A software publisher certificate used to digitally sign a file.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Path&lt;/strong&gt;—The local or universal naming convention (UNC) path of where the file is stored.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Zone&lt;/strong&gt;—Internet Zone&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Hash Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;A hash rule is a cryptographic fingerprint that uniquely identifies a file regardless of where it is accessed or what it is named. An administrator may not want users to run a particular version of a program. This may be the case if the program has security or privacy bugs, or compromises system stability. 
With a hash rule, software can be renamed or moved into another location on a disk, but it will still match the hash rule because the rule is based on a cryptographic calculation involving file contents.&lt;/p&gt;         &lt;p&gt;A hash rule consists of three pieces of data, separated by colons:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;MD5 or SHA-1 hash value&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;File length&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Hash algorithm ID&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;It is formatted as follows:&lt;/p&gt;         &lt;pre&gt;[MD5 or SHA1 hash value]:[file length]:[hash algorithm id]&lt;/pre&gt;         &lt;p&gt;Files that are digitally signed will use the hash value contained in the signature, which may be SHA-1 or MD5. Files that are not digitally signed will use an MD5 hash.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Example:&lt;/strong&gt; The following hash rule matches a file with a length of 126 bytes and with contents that match the MD5 (denoted by the hash algorithm identifier of 32771) hash of 7bc04acc0d6480af862d22d724c3b049—&lt;/p&gt;         &lt;pre&gt;7bc04acc0d6480af862d22d724c3b049:126:32771&lt;/pre&gt;         &lt;p&gt;           &lt;strong&gt;Certificate Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;A certificate rule specifies a code-signing, software publisher certificate. For example, a company can require that all scripts and ActiveX controls be signed with a particular set of publisher certificates. Certificates used in a certificate rule can be issued from a commercial certificate authority (CA) such as VeriSign, a Windows 2000/Windows Server 2003 PKI, or a self-signed certificate.&lt;/p&gt;         &lt;p&gt;A certificate rule is a strong way to identify software because it uses signed hashes contained in the signature of the signed file to match files regardless of name or location. 
If you wish to make exceptions to a certificate rule, you can use a hash rule to identify the exceptions.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Path Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;A path rule can specify a folder or fully qualified path to a program. When a path rule specifies a folder, it matches any program contained in that folder and any programs contained in subfolders. Both local and UNC paths are supported.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Using Environment Variables in Path Rules.&lt;/strong&gt; A path rule can use environment variables. Since path rules are evaluated in the client environment, the ability to use environment variables (for example, %WINDIR%) allows a rule to adapt to a particular user's environment.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Important:&lt;/strong&gt; Environment variables are not protected by access control lists (ACL). If users can start a command prompt they can redefine an environment variable to a path of their choosing.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Using Wildcards in Path Rules. &lt;/strong&gt;A path rule can incorporate the '?' and '*' wildcards, allowing rules such as "*.vbs" to match all Visual Basic® Script files. Some examples:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;"\\DC-??\login$" matches \\DC-01\login$, \\DC-02\login$&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;"*\Windows" matches C:\Windows, D:\Windows, E:\Windows&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;"c:\win*" matches c:\winnt, c:\windows, c:\windir&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Registry Path Rules. &lt;/strong&gt;Many applications store paths to their installation folders or application directories in the Windows registry. You can create a path rule that looks up these registry keys. 
For example, some applications can be installed anywhere on the file system. These locations may not be easily identifiable by using specific folder paths, such as C:\Program Files\Microsoft Platform SDK, or environment variables, such as %ProgramFiles%\Microsoft Platform SDK. If the program stores its application directories in the registry, you can create a path rule that will use the value stored in the registry, such as &lt;strong&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PlatformSDK\Directories\Install Dir%.&lt;/strong&gt;&lt;/p&gt;         &lt;p&gt;This type of path rule is called a registry path rule. The registry path is formatted as follows:&lt;/p&gt;         &lt;p&gt;%[Registry Hive]\[Registry Key Name]\[Value Name]%&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note:&lt;/strong&gt; Any registry path rule suffix should not contain a \ character immediately after the last % sign in the rule.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;The registry path must be enclosed in percent signs ("%").&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The registry value must be a REG_SZ or REG_EXPAND_SZ. You cannot use HKLM as an abbreviation for HKEY_LOCAL_MACHINE, or HKCU as an abbreviation for HKEY_CURRENT_USER.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If the registry value contains environment variables, these will be expanded when the policy is evaluated.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;A registry path rule can also contain a suffix path such as &lt;strong&gt;%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK* &lt;/strong&gt;This registry path rule identifies the folder that Microsoft Outlook XP uses to store attachments before launching them. The attachment folder always starts with the letters "OLK" so the rule uses wildcard matching. 
As an example, this rule matches the following path: C:\Documents and Settings\username\Local Settings\Temporary Internet Files\OLK4&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Important&lt;/strong&gt; When you set a path rule, you should check the access control list (ACL) entries on the path. If users have write access to a path, they can modify its contents. For example, if you allow C:\Program Files, any power user on the machine can copy software into the Program Files folder.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Path Rule Precedence. &lt;/strong&gt;When there are multiple matching path rules, the most specific matching rule takes precedence.&lt;/p&gt;         &lt;p&gt;The following is a set of paths, from highest precedence (more specific match) to lowest precedence (more general match).&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Drive:\Folder1\Folder2\FileName.Extension&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Drive:\Folder1\Folder2\*.Extension&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;*.Extension&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Drive:\Folder1\Folder2\&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Drive:\Folder1\&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Zone Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;A rule can identify software from the Internet Explorer zone from which it is downloaded. 
These zones are:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Internet&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Intranet&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Restricted Sites&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Trusted Sites&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;My Computer&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Currently this applies to only Windows Installer (*.MSI) packages. It does not apply to software downloaded in Internet Explorer.&lt;/p&gt;         &lt;h4&gt;When to Use Each Rule&lt;/h4&gt;         &lt;p&gt;           &lt;strong&gt;Note&lt;/strong&gt;: Each rule has a globally unique identifier (GUID) associated with it. An example GUID is {f8c2c158-e1af-4695-bc93-07cbefbdc594}. Two identical rules will have two different GUIDs. GUIDs help you troubleshoot to determine the specific rule in the specific policy that is being used. See the Troubleshooting section later in this article for more information.&lt;/p&gt;         &lt;strong&gt;Table 1   When to Use Each Rule&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;p&gt;Task&lt;/p&gt;&lt;/th&gt;&lt;th&gt;&lt;p&gt;Recommended Rule&lt;/p&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;You want to allow or disallow a specific version of a program&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Hash rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Browse to file to create hash&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to identify a program that is always installed in the same place&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Path rule with environment variables&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;%ProgramFiles%\Internet Explorer\iexplore.exe&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to identify a program that can be installed anywhere on client 
machines&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Registry path rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\ ComputerAssociates\InoculateIT\6.0\Path\HOME%&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to identify a set of scripts on a central server&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Path rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;\\SERVER_NAME\Share&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to identify a set of scripts on a set of servers, DC01, DC02, and DC03&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Path rule with wildcards&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;\\DC??\Share&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to disallow all .vbs files, except those in a login script directory&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Path rule with wildcards&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;*.VBS set to Disallowed&lt;/p&gt;&lt;p&gt;\\LOGIN_SRV\Share\*.VBS set to Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to disallow a file installed by a virus that is always called flcss.exe&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Path rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;flcss.exe, set to Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to identify a set of scripts that can be run anywhere&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Certificate rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Certificate used to digitally sign the scripts&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;You want to allow software to be installed from trusted Internet zone sites&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Zone rule&lt;/strong&gt;&lt;/p&gt;&lt;p&gt;Trusted Sites set to Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;h4&gt;Rule Precedence&lt;/h4&gt;         &lt;p&gt;Rules are evaluated in a specific order. 
Rules that match a program more specifically win over rules that match it more generally; the rule types are evaluated in the following order, from highest precedence to lowest:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Hash rule&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Certificate rule&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Path rule&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Internet zone rule&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Default rule&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Table 2 and the following examples illustrate how rules are processed when a program is started.&lt;/p&gt;         &lt;strong&gt;Table 2   Understanding Rule Precedence&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;p&gt;Rule&lt;/p&gt;&lt;/th&gt;&lt;th&gt;&lt;p&gt;Identifies&lt;/p&gt;&lt;/th&gt;&lt;th&gt;&lt;p&gt;Security Level&lt;/p&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level: Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Hash Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Rule 1&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Hash of pagefileconfig.vbs&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Certificate Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Rule 2&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;IT Management Certificate&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Rule 
3&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;%WINDIR%\System32\*.VBS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Rule 4&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;*.VBS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Rule 5&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;%WINDIR%&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;Program being started: C:\WINDOWS\SYSTEM32\EventQuery.vbs&lt;/p&gt;         &lt;p&gt;This program matches the following rules:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Rule 3 because it is a .vbs file in the System32 folder.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 4 because it has a .vbs extension.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 5 because it is stored in a subfolder of the Windows directory.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Rule 3 is the most specific match for this program. Because Rule 3 has a security level of Unrestricted, the program is allowed to run.&lt;/p&gt;         &lt;p&gt;Program being started: C:\WINDOWS\SYSTEM32\pagefileconfig.vbs&lt;/p&gt;         &lt;p&gt;This program matches the following rules:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Rule 1 because the hash in the rule matches the hash of the file.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 3 because it is a .vbs file in the System32 folder.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 4 because it has a .vbs extension.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 5 because it is stored in a subfolder of the Windows directory.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Rule 1 is the most specific match for this program. 
Because Rule 1 has a security level of Disallowed, the program is disallowed.&lt;/p&gt;         &lt;p&gt;Program being started: \\LOGIN_SRV\Scripts\CustomerScript1.vbs&lt;/p&gt;         &lt;p&gt;This program matches the following rules:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Rule 2 because it is digitally signed by the certificate belonging to the customer's IT management group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Rule 4 because it has a .vbs extension.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Rule 2 is the most specific match for this program. Because Rule 2 has a security level of Unrestricted, the program is allowed to run.&lt;/p&gt;         &lt;p&gt;Program being started: C:\Documents and Settings\user1\LOVE-LETTER-FOR-YOU.TXT.VBS&lt;/p&gt;         &lt;p&gt;This program matches Rule 4 because it has a .vbs extension.&lt;/p&gt;         &lt;p&gt;Rule 4 is the most specific match for this program. Because Rule 4 has a security level of Disallowed, the program is disallowed.&lt;/p&gt;         &lt;h3 id="EKAA"&gt;Software Restriction Policy Options&lt;/h3&gt;         &lt;p&gt;This section discusses the various options that influence the behavior of a software restriction policy. 
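The four precedence walk-throughs above, replayed as code. This is an added example, not code from the TechNet article or from Windows itself: the file contents (and so the SHA-256 values), the publisher name and the designated-file-type subset are constructed, and specificity among path rules is approximated by the length of the expanded pattern.

```python
"""Replay the Table 2 rule-precedence examples as code.
Added illustration, not from the TechNet article or from Windows. File contents
(hence the SHA-256 values), the publisher name and the designated file type
subset are constructed; the rules and program paths are Table 2's."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"
# Precedence from the article: hash > certificate > path > Internet zone;
# the default security level applies only when no rule matches.
PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}
# Constructed environment used to expand %WINDIR%-style rule paths.
ENV = {"%windir%": r"c:\windows", "%programfiles%": r"c:\program files"}
# Constructed subset of the Designated File Types list, with .pl added as
# the article suggests for environments that run Perl scripts.
DESIGNATED_TYPES = {"exe", "com", "bat", "cmd", "vbs", "js", "scr", "msi", "pl"}

@dataclass(frozen=True)
class Program:
    path: str                     # full path the program is started from
    content: bytes                # constructed file bytes, hashed for hash rules
    signer: Optional[str] = None  # Authenticode publisher, if the file is signed
    zone: Optional[str] = None    # Internet zone of origin, if known

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str   # "hash", "certificate", "path" or "zone"
    value: str  # SHA-256 hex digest, publisher name, path pattern or zone name
    level: str  # UNRESTRICTED or DISALLOWED

def normalise(path: str) -> str:
    """Lower-case, backslash-only, with environment variables expanded."""
    p = path.replace("/", "\\").lower()
    for var, value in ENV.items():
        p = p.replace(var, value)
    return p

def is_designated(path: str) -> bool:
    """Only designated file types are subject to the policy at all; note that
    LOVE-LETTER-FOR-YOU.TXT.VBS ends in .vbs and so is covered."""
    name = normalise(path).rsplit("\\", 1)[-1]
    return "." in name and name.rsplit(".", 1)[-1] in DESIGNATED_TYPES

def path_matches(pattern: str, path: str) -> bool:
    pat, target = normalise(pattern), normalise(path)
    if any(ch in pat for ch in "*?"):
        # A bare file-name pattern such as *.VBS applies in every folder; a
        # pattern with a folder component is matched against the full path.
        subject = target if "\\" in pat else target.rsplit("\\", 1)[-1]
        return fnmatch.fnmatchcase(subject, pat)
    # A folder rule covers the folder itself and everything beneath it.
    return target == pat or target.startswith(pat + "\\")

def rule_matches(rule: Rule, program: Program) -> bool:
    if rule.kind == "hash":
        return rule.value.lower() == hashlib.sha256(program.content).hexdigest()
    if rule.kind == "certificate":
        return program.signer is not None and program.signer == rule.value
    if rule.kind == "zone":
        return program.zone is not None and program.zone.lower() == rule.value.lower()
    if rule.kind == "path":
        return path_matches(rule.value, program.path)
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def evaluate(program: Program, rules: list, default_level: str):
    """Return (effective security level, winning Rule or None for the default)."""
    matches = [r for r in rules if rule_matches(r, program)]
    if not matches:
        return default_level, None
    # Rule kind decides first. Among path rules the longer expanded pattern is
    # treated as the more specific one, a simplification of how SRP ranks paths.
    winner = min(matches, key=lambda r: (PRECEDENCE[r.kind], -len(normalise(r.value))))
    return winner.level, winner

# Table 2 reconstructed; PAGEFILECONFIG is a constructed stand-in for the file.
PAGEFILECONFIG = b"' constructed stand-in for pagefileconfig.vbs\r\n"
TABLE2_DEFAULT = UNRESTRICTED
TABLE2_RULES = [
    Rule("Rule 1", "hash", hashlib.sha256(PAGEFILECONFIG).hexdigest(), DISALLOWED),
    Rule("Rule 2", "certificate", "IT Management Certificate", UNRESTRICTED),
    Rule("Rule 3", "path", r"%WINDIR%\System32\*.VBS", UNRESTRICTED),
    Rule("Rule 4", "path", "*.VBS", DISALLOWED),
    Rule("Rule 5", "path", "%WINDIR%", UNRESTRICTED),
]
TABLE2_PROGRAMS = {
    "EventQuery": Program(r"C:\WINDOWS\SYSTEM32\EventQuery.vbs", b"' constructed\r\n"),
    "pagefileconfig": Program(r"C:\WINDOWS\SYSTEM32\pagefileconfig.vbs", PAGEFILECONFIG),
    "CustomerScript1": Program(r"\\LOGIN_SRV\Scripts\CustomerScript1.vbs",
                               b"' constructed\r\n", signer="IT Management Certificate"),
    "LOVE-LETTER": Program(r"C:\Documents and Settings\user1\LOVE-LETTER-FOR-YOU.TXT.VBS", b"' constructed\r\n"),
}

def explain(name: str) -> str:
    """One line per Table 2 case: every matching rule, then the winner."""
    program = TABLE2_PROGRAMS[name]
    hits = [r.name for r in TABLE2_RULES if rule_matches(r, program)]
    level, winner = evaluate(program, TABLE2_RULES, TABLE2_DEFAULT)
    return f"{program.path}: matches {hits}; {winner.name if winner else 'default'} wins -> {level}"
```

Calling `explain` for each key of `TABLE2_PROGRAMS` reproduces the article's four verdicts; a path outside every rule (for example a tool under D:\) falls through to the Unrestricted default.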
These options alter the scope of enforcement behavior or the Authenticode trust settings for digitally signed files.&lt;/p&gt;         &lt;h4&gt;Enforcement Options&lt;/h4&gt;         &lt;p&gt;There are two enforcement options: DLL checking and Skip Administrators.&lt;/p&gt;         &lt;h5&gt;DLL Checking&lt;/h5&gt;         &lt;p&gt;A program, such as Internet Explorer, consists of an executable file, iexplore.exe, and many supporting dynamic link libraries (DLLs). By default, software restriction policy rules are not enforced against DLLs. This is the recommended option for most customers for three reasons.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Disallowing the main executable file prevents the program from running, so there is no need to disallow all of the constituent dynamic link libraries.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;DLL checking results in performance degradation. If a user runs 10 programs during a logon session, the software restriction policy is evaluated 10 times. If DLL checking is turned on, the software restriction policy is evaluated for each DLL load within each program. If each program uses 20 DLLs, this results in 10 executable program checks plus 200 DLL checks, so the software restriction policy is evaluated 210 times.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If the default security level is set to Disallowed, then not only does the main executable file have to be identified to allow it to run, but all of its constituent DLLs also must be identified, which can be burdensome.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;DLL checking is provided as an option for environments that want the highest assurance possible when running programs. While viruses primarily target executables for infection, some target DLLs. 
To ensure that a program has not been infected by a virus, you can use a set of hash rules that identify the executable and all of its required DLLs.&lt;/p&gt;         &lt;p&gt;To turn on DLL checking:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Select the following option in the &lt;strong&gt;Enforcement Properties&lt;/strong&gt; dialog box, as shown in Figure 2 below:&lt;/p&gt;             &lt;p&gt;               &lt;strong&gt;Apply software restriction policies to the following&lt;/strong&gt; &gt; &lt;strong&gt;All software files&lt;/strong&gt;&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl04" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp02_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 2: Setting Enforcement Properties" src="http://i.technet.microsoft.com/Bb457006.rstrp02%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 2: Setting Enforcement Properties&lt;/strong&gt;           &lt;/div&gt;                  &lt;h5&gt;Skip Administrators&lt;/h5&gt;         &lt;p&gt;An administrator may want to disallow the running of programs for most users, but allow administrators to run anything. For example, a customer may have a shared machine that multiple users connect to using Terminal Server. The administrator may want users to be able to run only specific applications on the machine, but allow members of the local administrators group to run anything. 
To do this, use the &lt;strong&gt;Skip Administrators&lt;/strong&gt; option.&lt;/p&gt;         &lt;p&gt;If the software restriction policy is created in a GPO attached to an object in Active Directory, the preferred way to skip administrators is to deny the &lt;strong&gt;Apply Group Policy&lt;/strong&gt; permission on the GPO to a group containing the administrators. This way, less network traffic is consumed downloading GPO settings that do not apply to administrators. However, software restriction policies defined in Local Security Policy objects have no way to filter based on users. In this case the Skip Administrators option should be used.&lt;/p&gt;         &lt;p&gt;To turn on Skip Administrators:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Select the following option in the &lt;strong&gt;Enforcement Properties&lt;/strong&gt; dialog box, as shown in Figure 2 above:&lt;/p&gt;             &lt;p&gt;               &lt;strong&gt;Apply software restriction policies to the following users&lt;/strong&gt; &gt; &lt;strong&gt;All users except local administrators&lt;/strong&gt;&lt;/p&gt;             &lt;p&gt;               &lt;strong&gt;Note:&lt;/strong&gt; Setting the Skip Administrators option is only valid for machine policies.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h5&gt;Defining Executables&lt;/h5&gt;         &lt;p&gt;The &lt;strong&gt;Designated File Types&lt;/strong&gt; dialog box shown in Figure 3 below lists the file types to which the software restriction policy applies. The designated file types are file types that are considered executable. For example, a screen saver file (SCR) is considered executable because when double-clicked in Windows Explorer it is loaded as a program.&lt;/p&gt;         &lt;p&gt;The rules in a software restriction policy only apply to the file types listed in the Designated File Types dialog box. 
If your environment uses a file type that you want to be able to set rules on, add it to the list. For example, if you use Perl scripting files, you may choose to add .pl and other file types associated with the Perl engine to the Designated File Types list.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl06" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp03_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 3: Designated File Types dialog box" src="http://i.technet.microsoft.com/Bb457006.rstrp03%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 3: Designated File Types dialog box&lt;/strong&gt;           &lt;/div&gt;                  &lt;h5&gt;Trusted Publishers&lt;/h5&gt;         &lt;p&gt;The Trusted Publishers options shown in Figure 4 below allow you to configure settings related to ActiveX® controls and other signed content.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl08" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp04_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 4: Setting Trusted Publishers options" src="http://i.technet.microsoft.com/Bb457006.rstrp04%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 4: Setting Trusted Publishers options&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;Table 3 shows Trusted Publisher options related to the use of ActiveX controls and other signed content.&lt;/p&gt;         &lt;strong&gt;Table 3   Trusted Publisher Tasks and 
Settings&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;p&gt;Task&lt;/p&gt;&lt;/th&gt;&lt;th&gt;&lt;p&gt;Setting&lt;/p&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;To allow only domain administrators to make decisions regarding signed active content&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Enterprise Administrators&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;To allow local machine administrators to make all decisions regarding signed active content&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Local computer Administrators&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;To allow any user to make decisions regarding signed active content&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;End Users&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;To ensure that the certificate used by the software publisher has not been revoked&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Publisher&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;To ensure that the certificate used by the organization that time-stamped the active content has not been revoked&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;&lt;strong&gt;Timestamp&lt;/strong&gt;&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;h4&gt;Scope of Software Restriction Policies&lt;/h4&gt;         &lt;p&gt;Software restriction policies do not apply to the following:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Drivers or other kernel mode software.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any program run by the SYSTEM account.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Macros inside of Microsoft Office 2000 or Office XP documents.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Programs written for the common language runtime. 
(These programs use the Code Access Security Policy.)&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h3 id="EJAA"&gt;Software Restriction Policy Design&lt;/h3&gt;         &lt;p&gt;This section covers how software restriction policies are administered using Group Policy snap-ins, things to be concerned about when editing a policy for the first time, and what's involved in applying a software restriction policy to a group of users.&lt;/p&gt;         &lt;h4&gt;Integration with Group Policy&lt;/h4&gt;         &lt;p&gt;Software restriction policies are administered using the following Group Policy snap-ins:&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Domain Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;To set up a domain policy:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Click Start, then Run; type &lt;strong&gt;dsa.msc&lt;/strong&gt; and click &lt;strong&gt;OK&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Right-click the domain or OU, then click Properties &gt; Group Policy tab &gt; New/Edit.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;p&gt;           &lt;strong&gt;Local Security Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;To set up a local security policy:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Click Start, then Run.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Type &lt;strong&gt;secpol.msc&lt;/strong&gt;, then click &lt;strong&gt;OK&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;p&gt;If editing a GPO, you can set User and Machine software restriction policies as shown in Figure 5 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl10" 
href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp05_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 5: Setting User and Machine software restriction policies" src="http://i.technet.microsoft.com/Bb457006.rstrp05%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 5: Setting User and Machine software restriction policies&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;If editing the local security policy, the software restriction policy settings are located as indicated in Figure 6 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl12" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp06_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 6: Editing Local Security Policy" src="http://i.technet.microsoft.com/Bb457006.rstrp06%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 6: Editing Local Security Policy&lt;/strong&gt;           &lt;/div&gt;                  &lt;h4&gt;First-time Considerations&lt;/h4&gt;         &lt;p&gt;The first time you edit a policy you will see the message in Figure 7. The message is warning you that creating a policy will define default values. 
These default values can override settings from other software restriction policies.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl14" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp07_big%28en-us,TechNet.10%29.gif"&gt;&lt;img alt="Figure 7: Warning message when creating a new policy" src="http://i.technet.microsoft.com/Bb457006.rstrp07%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 7: Warning message when creating a new policy&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;To create a policy:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Select &lt;strong&gt;Create New Policies&lt;/strong&gt; from the Action menu.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Applying a Software Restriction Policy to a Group of Users&lt;/h4&gt;         &lt;p&gt;A software restriction policy is delivered through Group Policy to a site, domain, or organizational unit. However, an administrator may want to apply a software restriction policy to a group of users within a domain. To do this, the administrator can use GPO filtering.&lt;/p&gt;         &lt;p&gt;For more information on GPO filtering, see the article Windows 2000 Group Policy at &lt;a id="ctl00_MTCS_main_ctl16" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp"&gt;http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp&lt;/a&gt;&lt;/p&gt;         &lt;h4&gt;Terminal Servers&lt;/h4&gt;         &lt;p&gt;Software restriction policies are an integral part of securing a Windows Server 2003 terminal server. Terminal server administrators can now thoroughly lock down software access on a terminal server. 
Software restriction policies are even more imperative on a terminal server because of the potentially vast number of users on a single machine. On a single-user Windows XP client, running a bad application inconveniences only one user, whereas running the same application on a terminal server could inconvenience more than 100 users. Software restriction policies prevent this problem. This service also removes the need for such applications as appsec.exe to govern software execution on a Windows Server 2003 terminal server.&lt;/p&gt;         &lt;p&gt;In addition, Microsoft recommends that you view &lt;a id="ctl00_MTCS_main_ctl17" href="http://support.microsoft.com/default.aspx?scid=kb;en-us;278295"&gt;278295&lt;/a&gt; (How to Lock Down a Windows 2000 Terminal Server Session) to further lock down the client sessions on a terminal server.&lt;/p&gt;         &lt;p&gt;Sometimes, several terminal servers have the same software installed on them, but their administrator wants to grant a certain group of users access to some software and a different group of users access to different software. Some software will be shared between the groups. For example, a law firm hosts its applications across a farm of terminal servers. The servers all have the same software installed. The access rules to the software are as follows:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Any employee can use Microsoft Office and Internet Explorer. All employees are members of the &lt;em&gt;AllEmployees&lt;/em&gt; group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any accounting employee can use the Accounting Software. Accounting employees are members of the &lt;em&gt;AccountingEmployees&lt;/em&gt; group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any lawyer can use the Law Research software. 
Lawyers are members of the &lt;em&gt;Lawyers&lt;/em&gt; group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any mailroom employee can use the Mail Room Processing software. Mailroom employees are members of the &lt;em&gt;MailRoomEmployees&lt;/em&gt; group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any executive can access all software available to all other employees. Executives are members of the &lt;em&gt;Executives&lt;/em&gt; group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;GPOs do not affect Administrators.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;To achieve this software access, the administrator creates five Group Policy objects with customized software restriction policies. Each GPO is filtered so that only the users in the &lt;em&gt;AllEmployees&lt;/em&gt;, &lt;em&gt;AccountingEmployees&lt;/em&gt;, &lt;em&gt;Lawyers&lt;/em&gt;, &lt;em&gt;MailRoomEmployees&lt;/em&gt;, and &lt;em&gt;Executives&lt;/em&gt; groups receive the GPO intended for them.&lt;/p&gt;         &lt;p&gt;Because only executives should be able to access any software on their local workstations, as well as on the terminal servers, the administrator uses the loopback feature of Group Policy. The loopback feature allows an administrator to apply policy to a user based on the computer the user is logging onto. In loopback replace mode, the computer GPO settings are reapplied during user login, and the user GPO settings are ignored. 
See the Group Policy white paper for more information on how to configure loopback.&lt;/p&gt;         &lt;table&gt;           &lt;tbody&gt;&lt;tr&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;User GPO: A1 Linked with Law Domain&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Filter:Law Domain Computers have Apply Group Policy permission&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Default Security Level&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Disallowed&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Path Rules&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%WINDIR%&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Common Files&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;    
           &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Internet Explorer&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Windows NT&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Microsoft Office&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;         &lt;/tbody&gt;&lt;/table&gt;         &lt;table&gt;           &lt;tbody&gt;&lt;tr&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;User GPO: A2 Linked with Law Domain&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Filter: LawDomain Computers and AccountingEmployees have Apply Group Policy permission&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Default Security Level&lt;/strong&gt;               &lt;/p&gt;         
    &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Disallowed&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Path Rules&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Accounting Software&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;         &lt;/tbody&gt;&lt;/table&gt;         &lt;table&gt;           &lt;tbody&gt;&lt;tr&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;User GPO: A3 Linked with Law Domain&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Filter: Law Domain Computers and MailRoomEmployees have Apply Group Policy permission&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Default Security Level&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 
&lt;em&gt;Disallowed&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Path Rules&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Mailroom Processing&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;         &lt;/tbody&gt;&lt;/table&gt;         &lt;table&gt;           &lt;tbody&gt;&lt;tr&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;User GPO: A4 Linked with Law Domain&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Filter: Law Domain Computers and Lawyers have Apply Group Policy permission&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Default Security Level&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Disallowed&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;         
      &lt;p&gt;                 &lt;strong&gt;Path Rules&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Law Research Software&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;         &lt;/tbody&gt;&lt;/table&gt;         &lt;table&gt;           &lt;tbody&gt;&lt;tr&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;th&gt;            &lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;User GPO: A5 Linked with Lab Resource Domain&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Filter: Law Domain Computers and Executives have Apply Group Policy permission&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;Enable Loopback in Replace Mode&lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Default Security Level&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Disallowed&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           
&lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;strong&gt;Path Rules&lt;/strong&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt; &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Law Research Software&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Mail Room Program&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;           &lt;tr&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;%PROGRAMFILES%\Accounting Software&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;td&gt;               &lt;p&gt;                 &lt;em&gt;Unrestricted&lt;/em&gt;               &lt;/p&gt;             &lt;/td&gt;&lt;/tr&gt;         &lt;/tbody&gt;&lt;/table&gt;         &lt;h3 id="EIAA"&gt;Step-by-Step Guide for Designing a Software Restriction Policy&lt;/h3&gt;         &lt;p&gt;This section outlines the steps to follow when designing a software restriction policy.&lt;/p&gt;         &lt;h4&gt;Items to Address&lt;/h4&gt;         &lt;p&gt;When designing a policy, decisions need to be made regarding the following items:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;GPO or local security policy&lt;/p&gt;    
       &lt;/li&gt;&lt;li&gt;             &lt;p&gt;User or machine policy&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Default security level&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Additional rules&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Policy options&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Linking the policy to a site, domain, or organizational unit&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Stepping Through the Process&lt;/h4&gt;         &lt;p&gt;           &lt;strong&gt;Step 1. GPO or Local Security Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Should the policy apply to many machines or users in a domain or organizational unit, or should it only apply to the local machine?&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;If the policy should apply to many machines or users in a domain or other Active Directory container, use a GPO.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If your policy should only apply to the local machine, use the Local Security Policy.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 2. User or Machine Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Should the policy apply to users regardless of where they log in, or to a machine regardless of who logs in?&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;If you want the policy to apply to a specific group of users, for example the Marketing Department domain group, then you need a user policy.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If you want the policy to apply to a set of machines and all the users that log on to those machines, then you need a machine policy.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 3. 
Default Security Level&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Do you know all of the software your users will be running, or can they install any software they choose?&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;If you know all of the software your users will be running, you should set the default security level to Disallowed.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If users can install any software they want, set the default security level to Unrestricted.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 4. Additional Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Identify the applications you choose to allow or disallow using the four rule types outlined in the Software Restriction Policy Architecture section above.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;To see which rules make sense for your policy, refer to Table 1. When to Use Each Rule, above.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;To create additional rules, refer to the Step-by-step Guide for Creating Additional Rules, below.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 5. 
Policy Options&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;There are several policy options:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;If you are using a local security policy, and do not want the policy to apply to administrators on the machine, set the &lt;strong&gt;Skip Administrators&lt;/strong&gt; option.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If you want to check DLLs in addition to executables and scripts, turn on the &lt;strong&gt;DLL checking&lt;/strong&gt; option. Without it, only executables and scripts are evaluated, so a library loaded by an allowed program is never checked; turning it on closes that gap at the cost of evaluating every library load.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If you want to set rules on file types that are not in the default list of designated file types, then &lt;strong&gt;add additional file types&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If you want to change who can make decisions about downloading ActiveX controls and other signed content, set the &lt;strong&gt;Trusted Publishers&lt;/strong&gt; options.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 6. 
Linking the Policy to a Site, Domain, or Organizational Unit&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;To link a GPO to a site:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Use the Active Directory &lt;strong&gt;Sites and Services&lt;/strong&gt; snap-in.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Right-click the site to which you want to link the GPO, and select &lt;strong&gt;Properties&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Select the &lt;strong&gt;Group Policy&lt;/strong&gt; tab to create, edit, and manage GPOs.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;p&gt;To link a GPO to a domain or OU:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Use the Active Directory &lt;strong&gt;Users and Computers&lt;/strong&gt; snap-in.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Right-click the domain or OU to which you want to link the GPO, and select &lt;strong&gt;Properties&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Select the &lt;strong&gt;Group Policy&lt;/strong&gt; tab to create, edit, and manage GPOs.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;p&gt;           &lt;strong&gt;Filtering&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;GPO filtering can be done at this stage. You can have a portion of an OU receive a GPO by filtering based on group membership. 
You can also filter based on a WMI query.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Testing a Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;If you want to test your policy immediately, instead of waiting for the next Group Policy refresh interval, run &lt;strong&gt;gpupdate.exe&lt;/strong&gt; and log on again to test your policy.&lt;/p&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EHAA"&gt;Step-by-Step Guide for Creating Additional Rules&lt;/h3&gt;         &lt;p&gt;The following steps are helpful when creating additional rules. To illustrate the principles behind the steps, each step is worked through with an example of creating rules for Microsoft Office XP.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 1. List the Software Applications&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;List the software you are trying to identify. For our Office XP example, the software consists of Microsoft Word, Excel, PowerPoint®, and Outlook®.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 2. Decide Rule Type&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Refer to Table 1. When to Use Each Rule, above, to decide which rule type to use. Also determine the security level for your rule. For our example, we use path rules set to the Unrestricted security level.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 3. Record the Folders Where the Software is Installed&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;List the paths where the software is installed. 
Three ways to do this include:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Look at the &lt;strong&gt;Target&lt;/strong&gt; property of a shortcut to the file.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Start each program, then click Start, Run, type msinfo32.exe, and in msinfo32 select Software Environment and then Running Tasks.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Start each program, then run the following command: wmic.exe process get "ExecutablePath, ProcessID"&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;For our example, you will see the following tasks running:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;"C:\Program Files\Microsoft Office\Office10\WINWORD.EXE"&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;"C:\Program Files\Microsoft Office\Office10\EXCEL.EXE"&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;"C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE"&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;"C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE"&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 4. Identify Dependent Programs&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Some programs launch other programs to perform tasks. Your software application may depend on one or more supporting programs. For example, Microsoft Word launches the Microsoft Clip Organizer to manage clipart. 
The Microsoft Clip Organizer uses the following programs:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;C:\Program Files\Microsoft Office\Office10\MSTORDB.EXE&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;C:\Program Files\Microsoft Office\Office10\MSTORE.EXE&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Microsoft Office also uses files in the C:\Program Files\Common Files folder.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 5. Generalize the Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;In this step you should group related rules together to create a more general rule. Consider using environment variables, wildcards, and registry path rules.&lt;/p&gt;         &lt;p&gt;Continuing our example, each program is stored in C:\Program Files\Microsoft Office\Office10, so it is sufficient to use one path rule for that folder instead of one path rule per executable. Also, if Office is always installed in the Program Files folder on your machines, use an environment variable instead of an explicit path. Be aware that environment variables are not protected by access control lists: a user who can open a command prompt can redefine %ProgramFiles% for that session and point an Unrestricted rule at a folder they control. Either disallow cmd.exe for those users (as Table 7 below does) or prefer a registry path rule, whose value only an administrator can change. Thus, our proposed rules are:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;%ProgramFiles%\Microsoft Office\Office10&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;%ProgramFiles%\Common Files&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Step 6. Have You Allowed Too Much?&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;This is the step where you look at what else is allowed by the rules you have proposed. Creating a rule that is too general may allow programs to run that you did not intend. 
The Office10 folder in our example also contains:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;FINDER.EXE&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;OSA.EXE&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;MCDLC.EXE&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;WAVTOASF.EXE&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Because these programs are acceptable to run, we do not have to change our rules.&lt;/p&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EGAA"&gt;Commonly Overlooked Rules&lt;/h3&gt;         &lt;p&gt;When designing a policy, consider the following areas when creating rules.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Login Scripts&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Login scripts are stored on a central server. Often this central server can change with each login. If your default rule is Disallowed, be sure to create rules that identify the locations of your log on scripts. Consider using wildcards to identify these locations if the log on servers have similar names.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;System File Protection&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;System File Protection contains backup copies of many system programs in a folder named dllcache. These programs can be started by a user who knows the full path to the backup copy. 
If you want to disallow users running programs contained in the backup folder, you may want to create the following rule: &lt;strong&gt;%WINDIR%\system32\dllcache, Disallowed&lt;/strong&gt;&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Common Startup Locations&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Windows has many locations that contain links to programs that run at start up. If you don't make provisions for these programs, users will receive error messages when they log in.&lt;/p&gt;         &lt;p&gt;Common startup locations include:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;%USERPROFILE%\Start Menu\Programs\Startup&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;%ALLUSERSPROFILE%\Start Menu\Programs\Startup&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Win.ini, System.ini lines beginning with "run=" and "load="&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Virus Scanning Programs&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Most anti-virus software has a real-time scanner program that starts when the user logs in and scans all files accessed by the user, looking for possible virus contamination. 
Make sure your rules allow your virus scanning programs to run.&lt;/p&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EFAA"&gt;Scenarios&lt;/h3&gt;         &lt;p&gt;This section examines some typical problems and how software restriction policies can be used to solve them.&lt;/p&gt;         &lt;h4&gt;Block Malicious Scripts&lt;/h4&gt;         &lt;p&gt;An organization wants to be protected from script-based viruses. The LoveLetter virus, technically called a worm, was estimated to have caused between $6 and $10 billion in damage. This worm, which has more than 80 variants, continues to be encountered frequently.&lt;/p&gt;         &lt;p&gt;The LoveLetter worm, written in the Visual Basic Script language (VBS), is encountered as LOVE-LETTER-FOR-YOU.TXT.VBS. A software restriction policy blocks this worm simply by disallowing any .vbs file from running.&lt;/p&gt;         &lt;p&gt;However, many organizations use VBS files for systems management and logon scripts. Blocking all VBS files from running protects an organization, but a VBS can no longer be used for legitimate purposes. 
A software restriction policy overcomes this handicap by blocking the undesirable VBS, while allowing legitimate ones to run.&lt;/p&gt;         &lt;p&gt;This policy can be created using the rules in Table 4.&lt;/p&gt;         &lt;strong&gt;Table 4   Rules for Blocking Malicious Scripts&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level: Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.VBS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.VBE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.JS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.JSE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.WSF&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.WSH&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Certificate Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;IT Department Certificate&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;This policy prevents all scripting files associated with the Windows Scripting Host from running, except those that are digitally signed by the IT Department certificate. 
See Appendix below for how to obtain a certificate and digitally sign files.&lt;/p&gt;         &lt;h4&gt;Manage Software Installation&lt;/h4&gt;         &lt;p&gt;You can configure your organization's machines so that only approved software can be installed. For software that uses Windows Installer technology, this can be accomplished by the policy shown in Table 5.&lt;/p&gt;         &lt;strong&gt;Table 5   Rules for Managing Software Installation&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level: Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;*.MSI&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;\\products\install\PROPLUS.MSI&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Certificate Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;IT Department Certificate&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;This policy prevents all Windows Installer packages from installing, with two exceptions: MSI files digitally signed by the IT department certificate, and the PROPLUS.MSI package located at \\products\install, whose fully qualified path rule is more specific than *.MSI and therefore takes precedence over it. See the Appendix below for how to obtain a certificate and digitally sign files.&lt;/p&gt;         &lt;p&gt;This policy also shows how you can use the precedence of the path and certificate rules to allow just the software you want. 
For any other package that your organization cannot or does not want to digitally sign, you can create hash rules, or fully qualified path rules, to make exceptions for them.&lt;/p&gt;         &lt;h4&gt;Line-of-Business PC&lt;/h4&gt;         &lt;p&gt;In some cases an administrator may want to manage all of the software that runs on a machine. This is because even when users have insufficient rights to replace system files or files in shared folders such as Program Files, if they have a place on the file system they can write to, then they can also copy a program there and start it up.&lt;/p&gt;         &lt;p&gt;Viruses contracted this way can damage the system by modifying operating system settings and files; they can also cause great damage by misusing the user's privileges. For example, mass-mailer worms can be spread by accessing the user's address book and sending mail. Even normal users on a system are vulnerable to this kind of attack.&lt;/p&gt;         &lt;p&gt;As long as users are not administrators on their local machines, the policy in Table 6 protects them from accidentally running malicious code. 
Because users cannot modify the contents of the Program Files or Windows folders, they can only run software installed by an administrator.&lt;/p&gt;         &lt;strong&gt;Table 6   Policy for Managing all Software on a Machine&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level: Disallowed&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Apply software restriction policies to the following users:&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;All users except administrators&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%WINDIR%&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;This policy disallows all software on the user's machine, except that installed in the Windows directory, Program Files directory, or their respective subfolders. It does not apply to administrators. Before relying on it, confirm that standard users cannot write anywhere beneath either folder: an Unrestricted path rule covers every file under it, so a single user-writable subfolder there gives back the loophole this policy exists to close.&lt;/p&gt;         &lt;p&gt;If a user receives a virus attachment in an e-mail, for example WORM.vbs, the mail program will copy it to the profile directory (%USERPROFILE%) and launch it from there. 
Because the profile directory is not a subfolder of the Windows folder or the Program Files folder, programs launched from there will not run.&lt;/p&gt;         &lt;p&gt;If not all the programs a user needs are installed in %WINDIR% or %PROGRAMFILES%, or there are programs in those folders that the administrator does not want the user running, the administrator can make additional exceptions as shown in Table 7.&lt;/p&gt;         &lt;strong&gt;Table 7   Exceptions for Managing all Software on a Machine&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%WINDIR%\regedit.exe&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%WINDIR%\system32\cmd.exe&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;\\CORP_DC_??\scripts&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;The effects of these exceptions are:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Both the command prompt (cmd.exe) and the registry editor (regedit.exe) are disallowed; these rules name a specific file, so they are more specific than the %WINDIR% rule and take precedence over it.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;An exception is created to allow login scripts to run on the user's machine.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The use of the "?" 
wildcard allows the rule to match \\CORP_DC_01, \\CORP_DC_02, and others.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;A registry path rule is added that allows the anti-virus software on the machine to run.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Different Policies for Different Users&lt;/h4&gt;         &lt;p&gt;In this scenario, there are machines that are shared by many users. The machines have the same software installed on them, but the administrator wants to grant a certain group of users access to some software, and a different group of users access to other software. There also will be software that is shared between the groups.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Example&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;A computer lab at a university runs 15 machines with identical software. They have Microsoft Office, computer-aided design (CAD) software, and the Microsoft Visual C++® compiler. For licensing reasons, the administrators of the computer lab want to ensure the following:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Any student can use Microsoft Office—all students are members of the AllStudents group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any engineering student can use the CAD software—engineering students are members of the EngStudents group.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Any computer science student can use the Microsoft Visual C++ compiler—computer science students are members of the CSStudents group.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;To achieve the objectives of the above scenario, the administrator creates three Group Policy objects with customized software restriction policies. 
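The rule resolution behind Tables 4, 6 and 7 above, and the Step 6 check ("Have You Allowed Too Much?") from the Office XP walkthrough, as an added example that is not part of the original article and is not Microsoft's implementation: a small Python model of how a software restriction policy resolves path rules (environment variables, registry path rules, the "*" and "?" wildcards, most-specific-rule precedence with ties going to Disallowed, certificate rules beating path rules) and then audits a folder listing for executables the proposed rules let through unintentionally. The environment values, the registry data for the InoculateIT HOME value, and the Office10 folder listing are constructed for the example; the file "signer" is passed in by the caller rather than read from an Authenticode signature.

```python
import re

# Constructed stand-ins for a real machine's environment and registry (example data).
ENV = {"WINDIR": r"C:\WINDOWS", "PROGRAMFILES": r"C:\Program Files"}
REGISTRY = {  # a registry path rule resolves a key\value reference to the path stored there
    r"HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME": r"C:\Program Files\CA\eTrust",
}
UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"


def expand(pattern):
    """Resolve %ENVVAR% and %HKEY_...\\value% references before matching, as SRP does."""
    def lookup(m):
        name = m.group(1)
        if name.upper().startswith("HKEY_"):
            return REGISTRY[name]          # registry path rule
        return ENV[name.upper()]           # environment-variable names are case-insensitive
    return re.sub(r"%([^%]+)%", lookup, pattern)


def path_rule_matches(pattern, path):
    """A rule matches its own file or folder and everything beneath that folder.
    '*' matches any run of characters, '?' exactly one; a pattern without a
    backslash (such as *.VBS) is compared against the file name alone."""
    pat = expand(pattern)
    target = path if "\\" in pat else path.rsplit("\\", 1)[-1]
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.fullmatch(rx + r"(\\.*)?", target, re.IGNORECASE) is not None


def specificity(pattern):
    """Number of literal characters after expansion; the longer literal match wins."""
    return sum(c not in "*?" for c in expand(pattern))


def evaluate(policy, path, signer=None):
    """Security level assigned to `path`: certificate rules beat path rules, the most
    specific matching path rule wins, equal specificity resolves to Disallowed, and the
    default level applies when nothing matches."""
    for cert, level in policy.get("certificate_rules", {}).items():
        if signer == cert:
            return level
    best = None  # (specificity, level) of the winning path rule so far
    for pattern, level in policy["path_rules"].items():
        if path_rule_matches(pattern, path):
            spec = specificity(pattern)
            if best is None or spec > best[0] or (spec == best[0] and level == DISALLOWED):
                best = (spec, level)
    return best[1] if best else policy["default"]


def allowed_but_unintended(policy, candidates, intended):
    """Step 6: every candidate the rules let run that was not on the intended list."""
    return sorted(p for p in candidates if evaluate(policy, p) == UNRESTRICTED and p not in intended)


# Table 6 plus the Table 7 exceptions (line-of-business PC).
LOB_PC_POLICY = {
    "default": DISALLOWED,
    "path_rules": {
        r"%WINDIR%": UNRESTRICTED,
        r"%PROGRAMFILES%": UNRESTRICTED,
        r"%WINDIR%\regedit.exe": DISALLOWED,
        r"%WINDIR%\system32\cmd.exe": DISALLOWED,
        r"\\CORP_DC_??\scripts": UNRESTRICTED,
        r"%HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\InoculateIT\6.0\Path\HOME%": UNRESTRICTED,
    },
}

# Table 4: block Windows Script Host files unless signed by the IT department.
SCRIPT_POLICY = {
    "default": UNRESTRICTED,
    "path_rules": {ext: DISALLOWED for ext in ("*.VBS", "*.VBE", "*.JS", "*.JSE", "*.WSF", "*.WSH")},
    "certificate_rules": {"IT Department Certificate": UNRESTRICTED},
}

# Step 5 Office XP rules, audited against a constructed listing of the Office10 folder.
OFFICE_POLICY = {
    "default": DISALLOWED,
    "path_rules": {r"%ProgramFiles%\Microsoft Office\Office10": UNRESTRICTED,
                   r"%ProgramFiles%\Common Files": UNRESTRICTED},
}
OFFICE_DIR = r"C:\Program Files\Microsoft Office\Office10"
INTENDED = {OFFICE_DIR + "\\" + n for n in ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")}
OFFICE_LISTING = INTENDED | {OFFICE_DIR + "\\" + n for n in ("FINDER.EXE", "OSA.EXE", "MCDLC.EXE", "WAVTOASF.EXE")}

if __name__ == "__main__":
    for p in (OFFICE_DIR + r"\WINWORD.EXE",
              r"C:\Documents and Settings\alice\WORM.vbs",
              r"C:\WINDOWS\system32\cmd.exe",
              r"\\CORP_DC_02\scripts\logon.vbs"):
        print(f"{evaluate(LOB_PC_POLICY, p):12} {p}")
    print("Allowed but not intended:", allowed_but_unintended(OFFICE_POLICY, OFFICE_LISTING, INTENDED))
```

Running it shows the attachment dropped into %USERPROFILE% as Disallowed, cmd.exe as Disallowed even though it lives under the Unrestricted %WINDIR% rule, the logon script on \\CORP_DC_02 as Unrestricted, and the four extra Office10 executables (FINDER.EXE, MCDLC.EXE, OSA.EXE, WAVTOASF.EXE) as the programs Step 6 asks you to look at before accepting the generalized rule.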
Each GPO is filtered so that only the users in AllStudents, EngStudents, and CSStudents receive the GPO intended for them.&lt;/p&gt;         &lt;p&gt;Because the administrator wants the students to receive the policy when logged on to the lab computers, but not when they log on to their personal computers, the administrator uses the Group Policy loopback feature. Loopback applies user policy based on the computer the user is logging on to rather than on where the user object sits in Active Directory. In loopback replace mode, the user settings from the GPOs that apply to the computer are applied at logon in place of the GPOs that would normally apply to the user. Because it is the computer account that must read these user GPOs, each of them grants Domain Computers the Apply Group Policy permission, as the filters in Tables 8, 9 and 10 show.&lt;/p&gt;         &lt;p&gt;Refer to Tables 8, 9 and 10, and Figure 8 below.&lt;/p&gt;         &lt;p&gt;For more information on how to configure loopback, see the article Windows 2000 Group Policy at &lt;a id="ctl00_MTCS_main_ctl18" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl18',this);"&gt;http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp&lt;/a&gt;&lt;/p&gt;         &lt;strong&gt;Table 8   A1 Linked with Lab Resource Domain&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;User GPO: A1 Linked with Lab Resource Domain&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Filter: Domain Computers have Apply Group Policy permission&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; 
&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%WINDIR%&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Common Files&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Messenger&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Internet Explorer&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Windows Media Player&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Windows NT&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl19" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp08_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl19',this);"&gt;             &lt;!--src=[images/rstrp08.gif]--&gt;&lt;img alt="Figure 8: Group Policy Organization for Computer Lab" src="http://i.technet.microsoft.com/Bb457006.rstrp08%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 8: Group Policy Organization for Computer Lab&lt;/strong&gt;           &lt;/div&gt;                  &lt;strong&gt;Table 9   A2 Linked with Lab Resource Domain&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;User GPO: A2 Linked with Lab Resource Domain&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Filter: Domain Computers and CSStudents have Apply Group Policy 
permission&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Enable Loopback in Replace Mode&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\Microsoft Visual Studio&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;strong&gt;Table 10   A3 Linked with Lab Resource Domain&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;th&gt;&lt;!----&gt;&lt;br /&gt;&lt;/th&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;User GPO: A3 Linked with Lab Resource Domain&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Filter: Domain Computers and EngStudents have Apply Group Policy permission&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Enable Loopback in Replace Mode&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Default Security Level&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Disallowed&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;Path Rules&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt; &lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;&lt;p&gt;%PROGRAMFILES%\CAD Application&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Unrestricted&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                  
      &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EEAA"&gt;Deployment Considerations&lt;/h3&gt;         &lt;p&gt;This section covers a variety of issues that need to be considered when deploying software restriction policies.&lt;/p&gt;         &lt;h4&gt;Best Practices&lt;/h4&gt;         &lt;p&gt;Best practices to be followed when deploying software restriction policies include:&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Always create a separate GPO for software restriction policies.&lt;/strong&gt; If you create a separate GPO for your policy settings, you can disable it in an emergency without affecting the rest of your security settings.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Never modify the default domain policy. &lt;/strong&gt;If you do not edit the default policy, you always have the option of reapplying it.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Never link to a software restriction policy in another domain.&lt;/strong&gt; Linking to a Group Policy object in another domain can result in poor performance.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Thoroughly test new policy settings in test environments before applying the policy settings to your domain. &lt;/strong&gt;New policy settings might act differently than you originally expected. Testing diminishes the chance of encountering a problem when you deploy policy settings across your network.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;You can set up a test domain, separate from your organization's domain, in which to test new policy settings.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;You can also test the policy settings by creating a test GPO and linking it to an OU. 
When you have thoroughly tested the policy settings with test users, you can link the test GPO to your domain.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Typing mistakes, or incorrectly entered information, can result in a policy setting that does not perform as expected. Testing new policy settings before applying them can prevent unexpected behavior.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Do not disallow programs or files without testing to see what the effect might be. Restrictions on certain files can seriously affect the operation of your computer or network.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Group Policy Processing&lt;/h4&gt;         &lt;p&gt;The following information needs to be considered when working with Group Policy objects:&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Use security groups to filter the scope of the Group Policy object.&lt;/strong&gt; You can further refine which groups of computers and users a particular GPO influences by using Windows 2000 security groups.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Use the Security property page of a given GPO to set access permissions (Discretionary Access Control Lists or DACLs) to allow or deny access to the GPO by specified groups.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;For more information on GPO filtering, see the article Windows 2000 Group Policy at &lt;a id="ctl00_MTCS_main_ctl21" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl21',this);"&gt;http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp&lt;/a&gt;&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Use WMI to filter the scope of the Group Policy object. &lt;/strong&gt;Windows XP clients support WMI filtering of GPOs. 
This allows a client to skip processing a GPO based on WMI information available on the client.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Use the WMI Filter property page of a given GPO to add a WMI filter. For example, you can create a WMI filter so that a GPO only applies to machines with a certain service pack.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;For more information on WMI filtering, see the article Windows 2000 Group Policy at &lt;a id="ctl00_MTCS_main_ctl22" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl22',this);"&gt;http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp&lt;/a&gt;&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Order of Group Policy application.&lt;/strong&gt; By default, Group Policy is inherited and cumulative, and it affects all computers and users in an Active Directory container. Group Policy objects are processed in the following order:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;The local GPO&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;GPOs linked to sites&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;GPOs linked to the domain&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;GPOs linked to OUs (in the case of nested OUs, GPOs associated with parent OUs are processed prior to GPOs associated with child OUs)&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;p&gt;This order of GPO processing (local → site → domain → OU) is significant because policy applied later overwrites policy applied earlier.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;No Override and Block Policy Inheritance Options. 
&lt;/strong&gt;You can enforce the Group Policy settings in a specific Group Policy object by using the No Override option so that GPOs in lower-level Active Directory containers are prevented from overriding that policy.&lt;/p&gt;         &lt;p&gt;You can also block inheritance of Group Policy from parent Active Directory containers by using the Block policy inheritance option.&lt;/p&gt;         &lt;p&gt;See the article Windows 2000 Group Policy— &lt;a id="ctl00_MTCS_main_ctl23" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl23',this);"&gt;http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp&lt;/a&gt; for more information.&lt;/p&gt;         &lt;h4&gt;Mixed Domain Deployments&lt;/h4&gt;         &lt;p&gt;It is possible to use software restriction policies in a mixed-mode deployment. That is, you do not have to upgrade your Windows 2000 domain controllers to take advantage of software restriction policies. You can use a Windows XP Professional computer to edit the Group Policy object and configure your software restriction policy. Windows XP and Windows Server 2003 computers that download the GPO will enforce the software restriction policy. Computers running Windows 2000 will ignore the settings.&lt;/p&gt;         &lt;h4&gt;Merging Semantics for Multiple Software Restriction Policies&lt;/h4&gt;         &lt;p&gt;Whenever two or more Group Policy objects apply to a user or machine, the policies are merged. 
When two or more software restriction policies are merged, the following occurs:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;The GPO with the highest precedence sets the following values:&lt;/p&gt;             &lt;ul&gt;&lt;li&gt;                 &lt;p&gt;Default Security Level&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Designated File Types&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Skip Administrators&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;DLL Checking&lt;/p&gt;               &lt;/li&gt;&lt;/ul&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The rules from multiple GPOs are always merged. Thus, all additional rules from all GPOs are preserved.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;A software restriction policy can be set for user scope and machine scope. The following semantics are observed when merging user and machine scope:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;The more restrictive default security level is chosen.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The list of designated file types in the machine policy, if present, is used. 
If not present, the list of designated file types in the user policy is used.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;The Skip Administrators value is always chosen from the machine policy.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;If DLL checking is enabled in either policy, then it is enabled.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;All the rules between user and machine policies are merged.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;div&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;                        &lt;/a&gt;           &lt;a href="http://technet.microsoft.com/en-us/library/bb457006.aspx#mainSection"&gt;Top of page&lt;/a&gt;          &lt;br /&gt;        &lt;/div&gt;         &lt;h3 id="EDAA"&gt;Troubleshooting Software Restriction Policies&lt;/h3&gt;         &lt;p&gt;This section includes information for troubleshooting problems with software restriction policies.&lt;/p&gt;         &lt;h4&gt;Default Settings for a Software Restriction Policy&lt;/h4&gt;         &lt;p&gt;The default settings for a software restriction policy include the following:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Default Security Level: Unrestricted&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Enforcement options:&lt;/p&gt;             &lt;ul&gt;&lt;li&gt;                 &lt;p&gt;Apply to Files: All software files except libraries (such as DLLs)&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Apply to Users: All users&lt;/p&gt;               &lt;/li&gt;&lt;/ul&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Additional Rules: none&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Designated File Types: See Table 11. 
Default Designated File Types in the Appendix below.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Trusted Publishers:&lt;/p&gt;             &lt;ul&gt;&lt;li&gt;                 &lt;p&gt;Select Trusted Publishers: End Users&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Publisher Certificate Revocation Checking: Not selected&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Timestamp Certificate Revocation Checking: Not selected&lt;/p&gt;               &lt;/li&gt;&lt;/ul&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Error Message&lt;/h4&gt;         &lt;p&gt;When a program is disallowed due to a software restriction policy, an error code is received by the launching program. If the launching program returns the system message for this error code, you will see the following message:&lt;/p&gt;         &lt;p&gt;"Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator," as shown in Figure 9 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl24" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp09_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl24',this);"&gt;             &lt;!--src=[images/rstrp09.gif]--&gt;&lt;img alt="Figure 9: Error message received in the Windows Explorer" src="http://i.technet.microsoft.com/Bb457006.rstrp09%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 9: Error message received in the Windows Explorer&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;Some programs display one error message for many possible error codes. 
For example, the Windows command prompt displays the following message when a program is restricted by a software restriction policy:&lt;/p&gt;         &lt;p&gt;"The system cannot execute the specified program," as shown in Figure 10 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl26" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp10_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl26',this);"&gt;             &lt;!--src=[images/rstrp10.gif]--&gt;&lt;img alt="Figure 10: Error message received in command prompt" src="http://i.technet.microsoft.com/Bb457006.rstrp10%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 10: Error message received in command prompt&lt;/strong&gt;           &lt;/div&gt;                  &lt;h4&gt;Rule GUIDs&lt;/h4&gt;         &lt;p&gt;Each path, hash, or zone rule has an associated globally unique identifier (GUID). Even two identical rules, for example two disallowed hash rules on the same program, have a different GUID associated with each. This GUID is stored in the registry along with the rule data. Various logging and troubleshooting tools reveal these GUIDs. A rule GUID enables you to determine GPOs where a rule is defined.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;The Case of the Missing Calculator&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;To see how the GUID can aid troubleshooting, consider an example where a user attempts to start the program called calc.exe, the Windows calculator. The user receives the error that it has been prevented by a software restriction policy. Thinking this a mistake, the user places a call into the help desk call center. 
The support professional checks the event log and sees the following software restriction policy event.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Access to C:\WINDOWS\system32\calc.exe has been restricted by your Administrator by location with policy rule {91ecff50-2ff4-4672-a182-b0f07a74b2df} placed on path C:\WINDOWS\system32\calc.exe&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;The event log entry detail shows the GUID {91ecff50-2ff4-4672-a182-b0f07a74b2df}. The support professional runs the gpresult.exe tool and sees the following entry:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;GPO: DisallowedPolicy&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Setting:Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{91ecff50-2ff4-4672-a182-b0f07a74b2df}&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;State: Enabled&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;The support professional opens up the GPO named DisallowedPolicy in the Group Policy editor. Examining the rules, the support professional sees a path rule for calc.exe. The description in the rule indicates that it is supposed to disable the program cacls.exe, which is used to display or modify access control lists (ACLs) of files. 
The support professional concludes that a typo was made in the rule, where calc.exe was entered instead of cacls.exe, and follows up with the appropriate IT administrator.&lt;/p&gt;         &lt;h4&gt;Event Log&lt;/h4&gt;         &lt;p&gt;Software restriction policies can generate the following event log entries:&lt;/p&gt;         &lt;pre&gt;Event Log: System&lt;br /&gt;Event Type:   Warning&lt;br /&gt;Event Source:   Software Restriction Policy&lt;br /&gt;Event Category:    None&lt;br /&gt;Event ID:   865&lt;br /&gt;Date:      6/6/2001&lt;br /&gt;Time:      2:50:29 PM&lt;br /&gt;User:      bob&lt;br /&gt;Computer:   EXAIR-1&lt;br /&gt;Description:&lt;br /&gt;Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your&lt;br /&gt;Administrator by the default software restriction policy level.&lt;br /&gt;This event is logged when a user starts a program that is disallowed by the default&lt;br /&gt;security level.&lt;br /&gt;Event Log:    System&lt;br /&gt;Event Type:   Warning&lt;br /&gt;Event Source:   Software Restriction Policy&lt;br /&gt;Event Category:    None&lt;br /&gt;Event ID:   866&lt;br /&gt;Date:      6/6/2001&lt;br /&gt;Time:      2:50:29 PM&lt;br /&gt;User:      bob&lt;br /&gt;Computer:   EXAIR-1&lt;br /&gt;Description:  &lt;br /&gt;Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your&lt;br /&gt;Administrator by location with policy rule {79d2f45e-5d93-4138-9608-dde4afc8ac64}&lt;br /&gt;placed on path C:\Program Files\Messenger\msmsgs.exe&lt;br /&gt;This event is logged when a user starts a program that is disallowed by a path rule.&lt;br /&gt;The rule GUID, {79d2f45e-5d93-4138-9608-dde4afc8ac64} in this example, can be used in&lt;br /&gt;conjunction with gpresult.exe to find the GPO this rule came from.&lt;br /&gt;Event Log:    System&lt;br /&gt;Event Type:   Warning&lt;br /&gt;Event Source:   Software Restriction Policy&lt;br /&gt;Event Category:    None&lt;br /&gt;Event ID:   867&lt;br /&gt;Date:      
6/6/2001&lt;br /&gt;Time:      2:50:29 PM&lt;br /&gt;User:      bob&lt;br /&gt;Computer:   EXAIR-1&lt;br /&gt;Description:&lt;br /&gt;Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your&lt;br /&gt;Administrator by software publisher policy.&lt;br /&gt;This event is logged when a user starts a program that is disallowed by a&lt;br /&gt;certificate rule.&lt;br /&gt;Event Log:    System&lt;br /&gt;Event Type:   Warning&lt;br /&gt;Event Source:   Software Restriction Policy&lt;br /&gt;Event Category:    None&lt;br /&gt;Event ID:   868&lt;br /&gt;Date:      6/6/2001&lt;br /&gt;Time:      2:50:29 PM&lt;br /&gt;User:      bob&lt;br /&gt;Computer:   EXAIR-1&lt;br /&gt;Description:&lt;br /&gt;Access to C:\Program Files\Messenger\msmsgs.exe has been restricted by your&lt;br /&gt;Administrator by policy rule {79d2f45e-5d93-4138-9608-dde4afc8ac64}.&lt;br /&gt;This event is logged when a user starts a program that is disallowed by a zone rule or&lt;br /&gt;hash rule.&lt;/pre&gt;         &lt;p&gt;The following command line queries for all software restriction policy events (IDs 865 through 868). To refine the query, consult the usage of EventQuery by typing "EventQuery /?" at the command line.&lt;/p&gt;         &lt;pre&gt;EventQuery -l System -fi "ID ge 865" -fi "ID le 868" -v -fo list&lt;/pre&gt;         &lt;h4&gt;Advanced Logging&lt;/h4&gt;         &lt;p&gt;When creating rules or troubleshooting a machine that is displaying problems, an administrator may want a log of every software restriction policy evaluation. 
This can be done by enabling advanced logging.&lt;/p&gt;         &lt;p&gt;To enable advanced logging:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Under the following registry key, create a string value named LogFileName whose data is the path of the log file:&lt;/p&gt;             &lt;p&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers&lt;/p&gt;             &lt;p&gt;String Value: LogFileName, &lt;path&gt;&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Enabling and Disabling Logging From the Command Line&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;The following commands can be used to enable and disable logging from the command line.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Enable logging:&lt;/p&gt;             &lt;pre&gt;reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /d saferlog.txt&lt;/pre&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Disable logging:&lt;/p&gt;             &lt;pre&gt;reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" /v LogFileName /f&lt;/pre&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;A log file entry is formatted as follows:&lt;/p&gt;             &lt;p&gt;parent process (PID = Process ID) identified Path to launched program as Rule Level using Rule Type, Guid = GUID of rule&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Example entry:&lt;/p&gt;             &lt;p&gt;winlogon.exe (PID = 396) identified C:\Windows\system32\userinit.exe as Unrestricted using path rule, Guid = {f8c2c158-e1af-4695-bc93-07cbefbdc594}&lt;/p&gt;             &lt;p&gt;This entry shows that the winlogon process, running with process ID 396, launched the program C:\Windows\system32\userinit.exe. The rule that matched the program had a GUID of {f8c2c158-e1af-4695-bc93-07cbefbdc594}. The security level for this rule was Unrestricted. 
The matching rule was a path rule.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;Note:&lt;/strong&gt; When not performing advanced logging be sure to turn it off by deleting the registry value. Using advanced logging over a long period of time can consume a large amount of disk space and slow system performance.&lt;/p&gt;         &lt;h4&gt;Group Policy Troubleshooting&lt;/h4&gt;         &lt;p&gt;The following tools are used to troubleshoot Group Policy problems.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Resultant Set of Policy (RSOP)&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;RSOP is an infrastructure and tool in the form of MMC snap-ins, enabling administrators to determine and analyze the current set of policies in two modes: logging mode and planning mode. In logging mode, administrators assess what has been applied to a particular target. In planning mode, administrators can see how policies would be applied to a target, and then examine the results before deploying a change to Group Policy.&lt;/p&gt;         &lt;p&gt;To view RSOP data for the current user&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;Click &lt;strong&gt;Start&lt;/strong&gt;, &lt;strong&gt;Run&lt;/strong&gt;, and type &lt;strong&gt;rsop.msc&lt;/strong&gt;&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;strong&gt;gpupdate.exe&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Gpupdate is a utility for Group Policy. It can cause a refresh of Group Policy on the client machine and can be used for software restriction policies in the following ways:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;gpupdate /target:Computer [/Force]&lt;/strong&gt; This command refreshes the machine-based software restriction policy settings. 
The /Force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;gpupdate /target:User [/Force]&lt;/strong&gt; This command refreshes the user-based software restriction policy settings. The /Force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;gpupdate [/Force]&lt;/strong&gt; This command refreshes both the user- and machine-based software restriction policy settings. The /Force switch, if present, instructs the machine to reapply all settings, regardless of whether they have changed since the last Group Policy refresh.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;After refreshing software restriction policy settings, only programs started after the refresh will enforce the new policy. Long-lived programs such as explorer.exe, the Windows shell, will not pick up the new policy. To make every program enforce the policy, the user should log in again.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;gpresult.exe&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Gpresult.exe is a Group Policy utility for examining the settings applied during Group Policy refresh. It utilizes Resultant Set of Policy (RSOP) data. It can be used for software restriction policies in the following ways:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;gpresult&lt;/strong&gt; This command displays basic user and machine information. 
It lists the group policies that apply to the logged in user on the current machine.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;h4&gt;Command Sample&lt;/h4&gt;         &lt;p&gt;The following is sample output from the command: &lt;strong&gt;gpresult /scope user /v /user bob&lt;/strong&gt;.&lt;/p&gt;         &lt;pre&gt;Microsoft® Windows® XP Operating System Group Policy Result tool v2.0&lt;br /&gt;Copyright® Microsoft Corp. 1981-2001&lt;br /&gt;Created On 8/1/2001 at 3:07:34 PM&lt;br /&gt;RSOP results for EXAIR-70\bob on EXAIR-7 : Logging Mode&lt;br /&gt;OS Type:   Microsoft Windows XP Server&lt;br /&gt;OS Configuration:  Primary Domain Controller&lt;br /&gt;OS Version:   5.1.3524&lt;br /&gt;Domain Name:   EXAIR-70&lt;br /&gt;Domain Type:   Windows 2000&lt;br /&gt;Site Name:   Default-First-Site-Name&lt;br /&gt;Roaming Profile:&lt;br /&gt;Local Profile:  C:\Documents and Settings\bob&lt;br /&gt;Connected over a slow link?: No&lt;br /&gt;User Settings  &lt;br /&gt;CN=bob,OU=Product Group,DC=EXAIR-7,DC=nttest,DC=microsoft,DC=com&lt;br /&gt;Last time Group Policy was applied: 8/1/2001 at 2:49:28 PM&lt;br /&gt;Group Policy was applied from: N/A&lt;br /&gt;Group Policy slow link threshold: 500 kbps&lt;br /&gt;Applied Group Policy Objects&lt;br /&gt;DisallowedPolicy&lt;br /&gt;Software Restriction Policy&lt;br /&gt;Default Domain Policy&lt;/pre&gt;         &lt;p&gt;           &lt;strong&gt;Note:&lt;/strong&gt; The Applied Group Policy Objects shows you the GPOs that are applied for this user&lt;strong&gt;.&lt;/strong&gt;&lt;/p&gt;         &lt;pre&gt;The following GPOs were not applied because they were filtered out:&lt;br /&gt;Local Group Policy&lt;br /&gt;Filtering: Not Applied (Empty)&lt;br /&gt;The user is a part of the following security groups:&lt;br /&gt;Domain Users&lt;br /&gt;Everyone&lt;br /&gt;BUILTIN\Users&lt;br /&gt;BUILTIN\Pre-Windows 2000 Compatible Access&lt;br /&gt;LOCAL&lt;br /&gt;NT AUTHORITY\INTERACTIVE&lt;br /&gt;NT AUTHORITY\Authenticated 
Users&lt;/pre&gt;         &lt;p&gt;           &lt;strong&gt;Note:&lt;/strong&gt; The group membership is listed here for troubleshooting GPO filtering scenarios.&lt;/p&gt;         &lt;pre&gt;Resultant Set Of Policies for User:&lt;br /&gt;Software Installations:  N/A&lt;br /&gt;Public Key Policies: N/A&lt;br /&gt;Administrative Templates&lt;br /&gt;GPO: Software Restriction Policy&lt;br /&gt;Setting:&lt;br /&gt;Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\&lt;br /&gt;{593905cd-1a5b-4c56-93a6-ecf1c8a78c04}&lt;br /&gt;State: Enabled&lt;/pre&gt;         &lt;p&gt;           &lt;strong&gt;Note:&lt;/strong&gt; The rule detail is not displayed, but the GUID corresponding to the rule is displayed. The name of the GPO the setting comes from is also displayed.&lt;/p&gt;         &lt;pre&gt;  GPO: DisallowedPolicy&lt;br /&gt;Setting:&lt;br /&gt;Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{094a935d-a2b8-&lt;br /&gt;48be-a50b-0fe3174e9ced}&lt;br /&gt;State: Enabled&lt;br /&gt; GPO: DisallowedPolicy&lt;br /&gt;Setting:&lt;br /&gt;Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{bba39f11-e1a9-&lt;br /&gt;406a-8296-3b2cbcb1f144}&lt;br /&gt;State: Enabled&lt;br /&gt; GPO: Software Restriction Policy&lt;br /&gt;Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{c0193a34-&lt;br /&gt;594d-452b-b3e6-edc0d593f345}&lt;br /&gt;State: Enabled&lt;br /&gt; GPO: DisallowedPolicy&lt;br /&gt; Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers&lt;br /&gt; State: Enabled&lt;br /&gt; GPO: Software Restriction Policy&lt;br /&gt;Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{a5c5639e-&lt;br /&gt;4ee7-4882-aa80-560bbecaca22}&lt;br /&gt;State: Enabled&lt;br /&gt; GPO: Software Restriction Policy&lt;br /&gt;Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{f63296b7-&lt;br /&gt;4b0a-4318-ae8d-5d070b44b4ec}&lt;br /&gt;State: Enabled&lt;br 
/&gt; GPO: DisallowedPolicy&lt;br /&gt; Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers&lt;br /&gt; State: Enabled&lt;br /&gt; GPO: Software Restriction Policy&lt;br /&gt;Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{8e85c506-&lt;br /&gt;2964-4745-8f4e-3c2efe02f509}&lt;br /&gt;State: Enabled&lt;br /&gt; GPO: Software Restriction Policy&lt;br /&gt;Setting: Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{739c2db8-&lt;br /&gt;8ef5-4b2d-b210-d84d7b697603}&lt;br /&gt;State: Enabled&lt;br /&gt;Folder Redirection: N/A&lt;br /&gt;Internet Explorer Browser User Interface: N/A&lt;br /&gt;Internet Explorer Connection: N/A&lt;br /&gt;Internet Explorer URLs: N/A&lt;br /&gt;Internet Explorer Security: N/A&lt;br /&gt;Internet Explorer Programs: N/A&lt;/pre&gt;         &lt;h4&gt;Recovery Options&lt;/h4&gt;         &lt;p&gt;When you start Windows in safe mode and log in as local administrator, the software restriction policy is not applied. 
Safe mode will let you fix a policy that is causing problems.&lt;/p&gt;         &lt;p&gt;To fix a policy that is causing problems:&lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Use the Group Policy snap-in to fix the policy.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Run &lt;strong&gt;gpupdate.exe&lt;/strong&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Restart Windows and log in normally.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;h3 id="ECAA"&gt;Appendix&lt;/h3&gt;         &lt;p&gt;This section includes a list of default designated file types, registry formats and a how-to guide for digitally signing files with test certificates.&lt;/p&gt;         &lt;strong&gt;Table 11   Default Designated File Types&lt;/strong&gt;&lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;th&gt;&lt;p&gt;File Extension&lt;/p&gt;&lt;/th&gt;&lt;th&gt;&lt;p&gt;File Description&lt;/p&gt;&lt;/th&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.ADE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Microsoft Access Project Extension&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.ADP&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Microsoft Access Project&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.BAS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Visual Basic® Class Module&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.BAT&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Batch File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.CHM&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Compiled HTML Help File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.CMD&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows NT® Command Script&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.COM&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;MS-DOS® Application&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.CPL&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Control Panel Extension&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.CRT&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Security Certificate&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.EXE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Application&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.HLP&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Help File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.HTA&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;HTML Applications&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.INF&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Setup Information File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.INS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Internet Communication Settings&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.ISP&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Internet Communication Settings&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.JS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;JScript® File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.JSE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;JScript Encoded Script File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.LNK&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Shortcut&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MDB&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Microsoft Access Application&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MDE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Microsoft Access MDE Database&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MSC&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Microsoft Common Console Document&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MSI&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Installer Package&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MSP&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Installer Patch&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.MST&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Visual Test Source File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.PCD&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Photo CD Image&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.PIF&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Shortcut to MS-DOS Program&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.REG&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Registration Entries&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.SCR&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Screen Saver&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.SCT&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Script Component&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.SHS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Shell Scrap Object&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.URL&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Internet Shortcut (Uniform Resource Locator)&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.VB&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;VBScript File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.VBE&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;VBScript Encoded Script File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.VBS&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;VBScript Script File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.WSC&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Script Component&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.WSF&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Script File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;tr&gt;&lt;td&gt;&lt;p&gt;.WSH&lt;/p&gt;&lt;/td&gt;&lt;td&gt;&lt;p&gt;Windows Scripting Host Settings File&lt;/p&gt;&lt;/td&gt;&lt;/tr&gt;
&lt;/tbody&gt;&lt;/table&gt;         &lt;h4&gt;Registry Format&lt;/h4&gt;         &lt;p&gt;After a policy is applied, the software restriction policy configuration is stored in the system registry. The security access control list (ACL) protecting these registry keys allows only administrators and the SYSTEM account to change them.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;User Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;User policy is stored under the following key:&lt;/p&gt;         &lt;p&gt;HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Machine Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Machine policy is stored under the following key:&lt;/p&gt;         &lt;p&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Registry Format Explained&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  [HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\Safer&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  CodeIdentifiers&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  DefaultLevel, DWORD (0x40000, that is 262144 decimal, for Unrestricted; 0 for Disallowed)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" 
src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  ExecutableTypes, REG_MULTI_SZ (list of extensions for Designated File Types)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  TransparentEnabled, DWORD, (0 for No Enforcement, 1 for Skip DLLs, 2 for all files)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  PolicyScope, DWORD, (0 for All Users, 1 for Skip Administrators) HKLM only&lt;/p&gt;         &lt;p&gt;[Optional registry values. These must be set manually]&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  AuthenticodeEnabled, DWORD, (1 for Apply Certificate Rules to EXE's) HKLM only&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  LogFileName, REG_SZ (Path to log file, turns on advanced logging) HKLM only&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  0&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;Entries under this key are Disallowed &lt;strong&gt;rules&lt;/strong&gt;&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Hashes&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" 
/&gt;  {0140090a-6e4d-4dc3-b1fa-27563cc91fda}&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;Each number in braces is a GUID. Each GUID is unique.&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  Description, REG_SZ (text description)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  FriendlyName, REG_SZ (File version information)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  ItemData, REG_BINARY, (Hash value)&lt;/p&gt;         &lt;p&gt;ItemSize, QWORD, (Size of the file)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  HashAlg, DWORD, (32771 is MD5, 32772 is SHA1)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  LastModified, QWORD, (Timestamp)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  SaferFlags, DWORD, (not used)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Path&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  {5c03dc31-e128-426e-bad6-9223ee92d0b8}&lt;/p&gt;        
 &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  Description, REG_SZ (text description)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  ItemData, REG_SZ (Path entry)&lt;/p&gt;         &lt;p&gt;or&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  ItemData, REG_EXPAND_SZ&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note&lt;/strong&gt;: REG_EXPAND_SZ is used with path rules using environment variables and registry path rules&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  LastModified, QWORD, (Timestamp)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  SaferFlags, DWORD, (not used)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  UrlZones&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  {dda3f824-d8cb-441b-834d-be2efd2c1a33}&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  ItemData, DWORD (Identifier for zone)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" 
src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  LastModified, QWORD, (Timestamp)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  SaferFlags, DWORD, (not used)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  262144&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;Entries under this key are Unrestricted Rules&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Hashes&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  {0140090a-6e4d-4dc3-b1fa-27563cc91fda}&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Paths&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  {302fe78d-0b85-484a-b16f-0ae6262b7969}&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Certificate Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Certificate rules are stored in a separate key in the registry.&lt;/p&gt;         &lt;p&gt;Certificate rules for user software restriction policies are stored in this registry key:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\SystemCertificates&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Certificate rules for machine software 
restriction policies are stored in this registry key:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  [HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\SystemCertificates&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt; TrustedPublishers&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;Entries under this key are Unrestricted rules&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Certificates&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  D4C408A1F8EF6B49F837C54E5F697DC11EEB3F53&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;This is a hash of the certificate&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  Blob, REG_BINARY (binary value of certificate)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt; Disallowed&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;Entries under this key are Disallowed rules&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" 
src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Certificates&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  C9902A94036312086FFAD974760D96CA93284555&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Note: &lt;/strong&gt;This is a hash of the certificate&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  Blob, REG_BINARY (binary value of certificate)&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Default Settings&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  [HKCU or HKLM]\SOFTWARE\Policies\Microsoft\Windows\Safer&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  CodeIdentifiers&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  DefaultLevel, DWORD (40000)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt; ExecutableTypes, REG_MULTI_SZ (WSC,VB,URL,SHS, SCR, REG,PIF,PCD, OCX, MST,MSP, MSI, MSC, MDE,MDB,LNK, ISP,INS,INF,HTA,HLP,EXE, CRT, CPL,COM,CMD,CHM, BAT,BAS,ADP,ADE)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  TransparentEnabled, DWORD, (1 for Skip DLLs)&lt;/p&gt;    
     &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  PolicyScope, DWORD, (0)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  0&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  Path&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp11.gif]--&gt;&lt;img alt="rstrp11" src="http://i.technet.microsoft.com/Bb457006.rstrp11%28en-us,TechNet.10%29.gif" /&gt;  {dda3f824-d8cb-441b-834d-be2efd2c1a33}&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  Description, REG_SZ&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp13.gif]--&gt;&lt;img alt="rstrp13" src="http://i.technet.microsoft.com/Bb457006.rstrp13%28en-us,TechNet.10%29.gif" /&gt;  ItemData, REG_EXPAND_SZ&lt;/p&gt;         &lt;p&gt;%HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache%OLK*&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  LastModified, QWORD, (Timestamp)&lt;/p&gt;         &lt;p&gt;           &lt;!--src=[images/rstrp12.gif]--&gt;&lt;img alt="rstrp12" src="http://i.technet.microsoft.com/Bb457006.rstrp12%28en-us,TechNet.10%29.gif" /&gt;  SaferFlags, DWORD, (0)&lt;/p&gt;         &lt;h4&gt;Step-by-Step Guide to Digitally Signing Files with Test Certificates&lt;/h4&gt;         &lt;p&gt;This section examines tools and processes for digitally signing files used with certificate rules.&lt;/p&gt;         
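&lt;p&gt;Before moving on to signing, here is an added example for the Registry Format section above. It is not code from the TechNet article: it is a PowerShell function that walks the keys and values the section names (CodeIdentifiers settings, the 0 and 262144 level keys, the GUID-named rule keys) and returns them as objects, so an administrator can audit what policy a machine actually enforces. It only reads the registry; it also lists which principals hold write rights on the key, since the article notes that only administrators and SYSTEM should be able to change it. The 0.75 threshold and the output shape are choices made for this example, not part of the article.&lt;/p&gt;

```powershell
# Added example, not code from the TechNet article: read the software restriction
# policy described in the Registry Format section and report it as objects.
# It only reads the registry (reading normally needs no elevation).

# Level subkey names from the article: 0 is Disallowed, 262144 (0x40000) is Unrestricted.
$SrpLevelNames   = @{ '0' = 'Disallowed'; '262144' = 'Unrestricted' }
$SrpHashAlgNames = @{ '32771' = 'MD5'; '32772' = 'SHA1' }

function Get-SrpPolicy {
    [CmdletBinding()]
    param(
        [ValidateSet('HKLM', 'HKCU')]
        [string]$Hive = 'HKLM'
    )

    $base = "$($Hive):\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"
    if (-not (Test-Path -Path $base)) {
        Write-Warning "No software restriction policy is stored under $Hive."
        return
    }

    # 1. Top-level settings. Optional values (AuthenticodeEnabled, LogFileName)
    #    are simply $null when they were never set.
    $top = Get-ItemProperty -Path $base
    [PSCustomObject]@{
        Kind                = 'Settings'
        Hive                = $Hive
        DefaultLevel        = $SrpLevelNames["$($top.DefaultLevel)"]
        TransparentEnabled  = $top.TransparentEnabled   # 0 none, 1 skip DLLs, 2 all files
        PolicyScope         = $top.PolicyScope          # 0 all users, 1 skip administrators
        AuthenticodeEnabled = $top.AuthenticodeEnabled  # 1 = certificate rules apply to EXEs
        LogFileName         = $top.LogFileName          # set = advanced logging is on
        ExecutableTypes     = ($top.ExecutableTypes -join ',')
    }

    # 2. Who may change the policy. The article says only Administrators and SYSTEM
    #    hold write rights here; any other principal is worth a closer look.
    foreach ($ace in (Get-Acl -Path $base).Access) {
        if ("$($ace.RegistryRights)" -match 'FullControl|WriteKey|SetValue|CreateSubKey') {
            [PSCustomObject]@{
                Kind      = 'WriteAccess'
                Hive      = $Hive
                Principal = $ace.IdentityReference.Value
                Rights    = "$($ace.RegistryRights)"
                Type      = "$($ace.AccessControlType)"
            }
        }
    }

    # 3. Rules: level subkey (0 or 262144) / rule type (Hashes, Paths, UrlZones) / one GUID per rule.
    foreach ($levelKey in Get-ChildItem -Path $base) {
        $levelName = $SrpLevelNames[$levelKey.PSChildName]
        if (-not $levelName) { continue }            # not a level key, skip it
        foreach ($typeKey in Get-ChildItem -Path $levelKey.PSPath) {
            foreach ($ruleKey in Get-ChildItem -Path $typeKey.PSPath) {
                $rule = Get-ItemProperty -Path $ruleKey.PSPath
                $item = $rule.ItemData
                if ($item -is [byte[]]) {             # hash rules store the hash as REG_BINARY
                    $item = ($item | ForEach-Object { $_.ToString('x2') }) -join ''
                }
                $hashAlg = $null
                if ($null -ne $rule.HashAlg) { $hashAlg = $SrpHashAlgNames["$($rule.HashAlg)"] }
                $modified = $null
                if ($rule.LastModified) { $modified = [DateTime]::FromFileTime($rule.LastModified) }
                [PSCustomObject]@{
                    Kind         = 'Rule'
                    Hive         = $Hive
                    Level        = $levelName
                    RuleType     = $typeKey.PSChildName
                    RuleId       = $ruleKey.PSChildName
                    Description  = $rule.Description
                    ItemData     = $item
                    HashAlg      = $hashAlg
                    LastModified = $modified
                }
            }
        }
    }
}

# Usage: list everything, then pick out hash rules that still use MD5.
$policy = Get-SrpPolicy -Hive HKLM
$policy | Format-List
$policy | Where-Object { $_.Kind -eq 'Rule' -and $_.HashAlg -eq 'MD5' }
```

&lt;p&gt;Two things to look for in the output: a DefaultLevel of Unrestricted with TransparentEnabled at 0 means nothing is enforced whatever rules exist, and a Rule whose HashAlg is MD5 identifies a file by a hash that is cheaper to collide than SHA1, so such rules are better regenerated.&lt;/p&gt;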
&lt;p&gt;           &lt;strong&gt;Step 1: Download the Tools&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Download the Authenticode for Internet Explorer 5.0. These tools are used to sign and verify files using Authenticode signatures.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl84" href="http://msdn.microsoft.com/downloads/default.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl84',this);"&gt;http://msdn.microsoft.com/downloads/default.aspx&lt;/a&gt;         &lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 2: Enrolling for a Code-signing Certificate&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;The next step is to obtain a certificate that's valid for code-signing. There are three ways to do this:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Enroll for a code-signing certificate from a commercial certificate authority&lt;/strong&gt; such as VeriSign. If you want the digital signatures of your files to be valid outside of your organization, you should choose this option.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Set up a Windows 2000 or Windows Server 2003 certificate authority.&lt;/strong&gt; Enroll for a certificate against this CA. 
If only people in your organization use your digitally signed files, you should choose this option.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;strong&gt;Create a self-signed certificate for test purposes.&lt;/strong&gt; After downloading the Authenticode tools, run the following two commands:&lt;/p&gt;             &lt;ul&gt;&lt;li&gt;                 &lt;p&gt;makecert.exe -n "cn=TEST CERTIFICATE (FOR TEST PURPOSES ONLY!)" -ss my -eku 1.3.6.1.5.5.7.3.3&lt;/p&gt;               &lt;/li&gt;&lt;li&gt;                 &lt;p&gt;Setreg.exe 1 true&lt;/p&gt;               &lt;/li&gt;&lt;/ul&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;The setreg.exe command instructs the local computer to trust the Test Root Agency certificate that issues your test code-signing certificate. You should not trust the test root certificate on production machines.&lt;/p&gt;         &lt;p&gt;           &lt;strong&gt;Step 3: Signing a File&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Create a test VB Script file called hello.vbs with the following contents:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;msgbox "hello world"&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Sign and timestamp this file by running the following command:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;signcode.exe -cn "TEST CERTIFICATE (FOR TEST PURPOSES ONLY!)" -t http://timestamp.verisign.com/scripts/timstamp.dll hello.vbs&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;If the signing and time stamping operation is successful, the tool will print "Succeeded" at its completion. 
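&lt;/p&gt;&lt;p&gt;The following is an added example, not code from the article. It reproduces the signing check of Step 3 and the tamper test of Step 5 with the cmdlets that ship in current Windows PowerShell instead of makecert.exe, signcode.exe and chktrust.exe: it creates a test code-signing certificate, signs hello.vbs, verifies it, changes the message as Step 5 does while leaving the signature block in place, and verifies again. Assumptions: New-SelfSignedCertificate with -Type CodeSigningCert is available (Windows 10 and Server 2016 or later), Set-AuthenticodeSignature can sign a .vbs file through the same Windows Script SIP that signcode.exe uses, the file is written to the current directory, and no timestamp server is used so the example runs offline. Because the certificate is self-signed and nothing has trusted its root (the job of the setreg.exe step in the article), a clean signature reports UnknownError with an untrusted-root message rather than Valid; the point of the example is the second verification, which reports HashMismatch once the file has been altered.&lt;/p&gt;

```powershell
# Added example, not code from the TechNet article. Sign a test script, edit it
# as Step 5 does, and show how verification reports the change.
# Assumes New-SelfSignedCertificate -Type CodeSigningCert (PKI module) and that
# Set-AuthenticodeSignature can sign .vbs through the Windows Script SIP.

function Test-ScriptSignatureTamper {
    param([string]$Path = (Join-Path $PWD 'hello.vbs'))

    # Step 3: write the test script and create a self-signed code-signing certificate.
    # -Type CodeSigningCert sets the same EKU (1.3.6.1.5.5.7.3.3) that makecert.exe -eku does.
    Set-Content -Path $Path -Value 'msgbox "hello world"'
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=TEST CERTIFICATE (FOR TEST PURPOSES ONLY!)' `
        -CertStoreLocation 'Cert:\CurrentUser\My'
    try {
        # Sign: the signature is appended to the script as a Base64 comment block.
        $null = Set-AuthenticodeSignature -FilePath $Path -Certificate $cert
        $before = Get-AuthenticodeSignature -FilePath $Path

        # Step 5: change the message but keep the signature block intact.
        $text = Get-Content -Path $Path -Raw
        $text = $text.Replace('hello world', 'Hello world. This script has been changed.')
        Set-Content -Path $Path -Value $text -NoNewline
        $after = Get-AuthenticodeSignature -FilePath $Path

        [PSCustomObject]@{
            SignedBy         = $before.SignerCertificate.Subject
            StatusAfterSign  = "$($before.Status)"         # Valid only if the cert chains to a trusted root
            MessageAfterSign = $before.StatusMessage
            StatusAfterEdit  = "$($after.Status)"          # HashMismatch: content no longer matches the signed hash
            MessageAfterEdit = $after.StatusMessage
            TamperDetected   = ("$($after.Status)" -eq 'HashMismatch')
        }
    }
    finally {
        # Do not leave a test code-signing certificate behind in the store.
        Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
    }
}

Test-ScriptSignatureTamper | Format-List
```

&lt;p&gt;The signature status is what the certificate rule of Step 4 acts on: while the signature verifies against a trusted publisher the rule lifts the *.VBS path restriction, and once the file is altered the HashMismatch result leaves only the Disallowed path rule in effect, which is why the edited script is blocked in Step 5.&lt;/p&gt;&lt;p&gt;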
The script will have a Base 64 encoded digital signature section added to it as shown in Figure 11 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl85" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp14_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl85',this);"&gt;             &lt;!--src=[images/rstrp14.gif]--&gt;&lt;img alt="Figure 11: Visual Basic Script file with a digital signature" src="http://i.technet.microsoft.com/Bb457006.rstrp14%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 11: Visual Basic Script file with a digital signature&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;You can verify that the file was signed properly by running the following command:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;chktrust.exe hello.vbs&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;The dialog box in Figure 12 will appear.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl87" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp15_big%28en-us,TechNet.10%29.gif" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl87',this);"&gt;             &lt;!--src=[images/rstrp15.gif]--&gt;&lt;img alt="Figure 12: Verifying a signed file" src="http://i.technet.microsoft.com/Bb457006.rstrp15%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 12: Verifying a signed file&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;           &lt;strong&gt;Step 4: Create Certificate and Path Rules&lt;/strong&gt;         &lt;/p&gt;         &lt;p&gt;Edit the local security policy—secpol.msc. Create two rules:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;New Path Rule: Type "*.VBS" in the edit box labeled Path. 
Set the security level to Disallowed.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;New Certificate Rule: Create a certificate rule for your test publisher certificate with a security level set to Unrestricted.&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;Run the following command to export the certificate to a file. Browse to this file when creating the certificate rule.&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;certmgr.exe -put -c -v -n "TEST CERTIFICATE (FOR TEST PURPOSES ONLY!)" -s my mytestcert.cer&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;         &lt;p&gt;These two rules combine to disallow any VB Script file, except those that are signed by this test certificate.&lt;/p&gt;         &lt;p&gt;Your policy should look like the example shown in Figure 13 below.&lt;/p&gt;         &lt;p&gt;           &lt;a id="ctl00_MTCS_main_ctl89" href="http://technet.microsoft.com/en-us/library/Bb457006.rstrp16_big%28en-us,TechNet.10%29.gif"&gt;             &lt;!--src=[images/rstrp16.gif]--&gt;&lt;img alt="Figure 13: Software restriction policy showing certificate and path rules" src="http://i.technet.microsoft.com/Bb457006.rstrp16%28en-us,TechNet.10%29.gif" /&gt;&lt;/a&gt;           &lt;/p&gt;&lt;div class="caption"&gt;             &lt;strong&gt;Figure 13: Software restriction policy showing certificate and path rules&lt;/strong&gt;           &lt;/div&gt;                  &lt;p&gt;           &lt;strong&gt;Step 5: Re-login and Test the Software Restriction Policy&lt;/strong&gt;         &lt;/p&gt;         &lt;ol&gt;&lt;li&gt;             &lt;p&gt;Log off, then log back on to ensure your machine is using the new rules.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Run hello.vbs. You should see a message box appear. 
This indicates the script was signed by the appropriate certificate and complied with the rules of the software restriction policy.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Edit hello.vbs with Notepad and change the script to print &lt;strong&gt;"Hello world. This script has been changed."&lt;/strong&gt; Save it, leaving the digital signature portion of the script intact.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;Run the script again. You will notice that it is prevented from running because the digital signature on the script no longer verifies.&lt;/p&gt;           &lt;/li&gt;&lt;/ol&gt;         &lt;h3 id="EBAA"&gt;Summary&lt;/h3&gt;         &lt;p&gt;Software restriction policies provide administrators with a policy-driven mechanism to identify software running on computers in a domain, and control its ability to execute. Policies can be used to block malicious scripts, help lock down a computer, or prevent unwanted applications from running. They can be used in standalone mode or managed through Group Policy, and can be tailored to meet the needs of a set of users or computers. 
Software restriction policies promote improved system integrity and manageability—and ultimately lower the cost of owning a computer.&lt;/p&gt;         &lt;h3 id="EAAA"&gt;Related Links&lt;/h3&gt;         &lt;p&gt;See the following resources for further information:&lt;/p&gt;         &lt;ul&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl91" href="http://www.microsoft.com/windowsserver2003/techinfo/overview/security.mspx"&gt;Technical Overview of Security Services&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl92" href="http://www.microsoft.com/windowsserver2003/techinfo/overview/termserv.mspx"&gt;Technical Overview of Terminal Services&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl93" href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/grouppolwp.asp"&gt;Windows 2000 Group Policy&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl94" href="http://technet.microsoft.com/en-us/library/bb457059.aspx"&gt;What's New in Security for Windows XP Professional and Windows XP Home Edition&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             
&lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl95" href="http://technet.microsoft.com/en-us/library/bb457055.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl95',this);"&gt;Windows XP and .NET: An Overview&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl96" href="http://technet.microsoft.com/en-us/library/bb457034.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl96',this);"&gt;PKI Enhancements in Windows XP Professional and Windows Server 2003&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl97" href="http://technet.microsoft.com/en-us/library/bb457065.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl97',this);"&gt;Encrypting File System in Windows XP and Windows Server 2003&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl98" href="http://technet.microsoft.com/en-us/library/bb457043.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl98',this);"&gt;Securing Mobile Computers with Windows XP Professional&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;               &lt;a id="ctl00_MTCS_main_ctl99" href="http://msdn.microsoft.com/downloads/default.aspx" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl99',this);"&gt;Authenticode for Internet Explorer 5.0&lt;/a&gt;             &lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;For the latest information about Windows XP, see the &lt;a id="ctl00_MTCS_main_ctl100" href="http://www.microsoft.com/windowsxp/default.asp" onclick="javascript:Track('ctl00_MTCS_main_ctl00|ctl00_MTCS_main_ctl100',this);"&gt;Windows XP Web site&lt;/a&gt;.&lt;/p&gt;           &lt;/li&gt;&lt;li&gt;             &lt;p&gt;For the latest 
information about Windows Server 2003, see the &lt;a id="ctl00_MTCS_main_ctl101" href="http://www.microsoft.com/windowsserver2003/default.mspx"&gt;Windows Server 2003 Web site&lt;/a&gt;&lt;/p&gt;           &lt;/li&gt;&lt;/ul&gt;       &lt;/div&gt;     &lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/2128338114755658299/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=2128338114755658299' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2128338114755658299'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/2128338114755658299'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/using-software-restriction-policies-to.html' title='Using Software Restriction Policies to Protect Against Unauthorized Software'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-1091887489035335793</id><published>2009-11-05T22:03:00.001-08:00</published><updated>2009-11-05T22:03:41.442-08:00</updated><title type='text'>Clear up network congestion</title><content type='html'>&lt;p&gt;Do you have network congestion? If you don't now, you probably have before, or you likely will in the future. How do you fight network congestion? While there isn't one quick-hit solution, you have several available options. Let's look at how you can begin troubleshooting network congestion and discuss some possible solutions.&lt;/p&gt;  &lt;h2&gt;Ask these questions&lt;/h2&gt;  &lt;p&gt;Before we begin troubleshooting, you need to answer some questions about your network. Even if you think you already know the answers, you still need to use tools to validate them.&lt;/p&gt;  &lt;p&gt;Start off with these questions:&lt;/p&gt;  &lt;ol start="1" type="1"&gt;&lt;li&gt;What does your network look like? Do you have a diagram?&lt;/li&gt;&lt;li&gt;What size are the network links?&lt;/li&gt;&lt;li&gt;What types of applications are running on the network?&lt;/li&gt;&lt;li&gt;What are the characteristics of those applications? Are they latency-sensitive or latency-insensitive? How much traffic do they generate? What are their traffic patterns?&lt;/li&gt;&lt;li&gt;When did the congestion start? Was it all of a sudden, or has it slowly developed over time?&lt;/li&gt;&lt;li&gt;Is the congestion constant, or does it come and go? 
Does it happen at a certain time of the day, week, or month?&lt;/li&gt;&lt;li&gt;Has anything recently changed that could have caused the congestion (e.g., new applications, hardware changes, applied patches, etc.)?&lt;/li&gt;&lt;/ol&gt;  &lt;h2&gt;Validate your answers&lt;/h2&gt;  &lt;p&gt;Using your answers to these questions, you may think that you know what's causing the congestion. However, you need to use tools to verify these deductions.&lt;/p&gt;  &lt;p&gt;So how do you corroborate that the congested link is really the one you think it is? On a Cisco router, this may be as simple as using the &lt;i&gt;show interface&lt;/i&gt; command. Here's an example:&lt;/p&gt;  &lt;pre&gt;Router# &lt;b&gt;show interface s3/0&lt;/b&gt;&lt;br /&gt;Serial3/0 is up, line protocol is up&lt;br /&gt;Hardware is QUICC with integrated T1 CSU/DSU&lt;br /&gt;Internet address is 10.0.100.2/30&lt;br /&gt;MTU 1500 bytes, BW 512 Kbit, DLY 20000 usec,&lt;br /&gt;  reliability 255/255, txload 36/255, &lt;b&gt;rxload 255/255&lt;/b&gt;&lt;br /&gt;Encapsulation HDLC, loopback not set&lt;br /&gt;Keepalive set (10 sec)&lt;br /&gt;Last input 00:00:00, output 00:00:00, output hang never&lt;br /&gt;Last clearing of "show interface" counters never&lt;br /&gt;Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 4281&lt;br /&gt;Queueing strategy: fifo&lt;br /&gt;Output queue: 0/40 (size/max)&lt;br /&gt;5 minute input rate &lt;b&gt;498000 bits/sec&lt;/b&gt;, 400 packets/sec&lt;br /&gt;5 minute output rate 73000 bits/sec, 110 packets/sec&lt;br /&gt;  148239286 packets input, 3250920677 bytes, 0 no buffer&lt;br /&gt;  Received 536509 broadcasts, 0 runts, 5 giants, 0 throttles&lt;br /&gt;  31566 input errors, 2219 CRC, 14502 frame, 0 overrun, 0 ignored, 14840 abort&lt;br /&gt;  148886376 packets output, 1823664299 bytes, 0 underruns&lt;br /&gt;  0 output errors, 0 collisions, 200 interface resets&lt;br /&gt;  0 output buffer failures, 0 output buffers swapped out&lt;br /&gt;  17 carrier transitions&lt;br /&gt;  DCD=up  DSR=up  DTR=up  RTS=up  CTS=up&lt;br /&gt;&lt;br /&gt;Router#&lt;br /&gt;&lt;/pre&gt;  &lt;p&gt;As you can see, the receive load on this 512K circuit is high, and so is the 5-minute input rate. These results show that this circuit is indeed congested.&lt;/p&gt;  &lt;p&gt;You can also use &lt;a href="http://techrepublic.com.com/5100-1035_11-5055116.html" target="_blank"&gt;Paessler's PRTG&lt;/a&gt;—an easy, graphical tool for monitoring utilization—to validate your answers. However, while these tools can help you make sure you're on the right track, neither PRTG nor the &lt;i&gt;show interface&lt;/i&gt; command can tell you &lt;i&gt;where&lt;/i&gt; the traffic is coming from or &lt;i&gt;what&lt;/i&gt; traffic it is.&lt;/p&gt;  &lt;h2&gt;Determine what the traffic is&lt;/h2&gt;  &lt;p&gt;To get a better idea of the traffic, you'll need to take a packet capture or use a tool such as &lt;a href="http://www.packeteer.com/" target="_blank"&gt;Packeteer&lt;/a&gt;, &lt;a href="http://www.networkgeneral.com/" target="_blank"&gt;Network General Sniffer&lt;/a&gt;, or &lt;a href="http://www.networkinstruments.com/" target="_blank"&gt;Network Instruments Observer&lt;/a&gt;. These tools sport remote hardware that can capture those packets and bring them back to a decoding station (such as your desktop). They then decode the traffic to be able to explain it. (Packeteer can also block traffic.)&lt;/p&gt;  &lt;p&gt;Or, if you're local to the site with the congestion, determining the problematic traffic could be as simple as mirroring the port on the switch going to that router and using a PC with &lt;a href="http://www.ethereal.com/" target="_blank"&gt;Ethereal&lt;/a&gt; to view the traffic. 
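&lt;/p&gt;&lt;p&gt;Going back to the &lt;i&gt;show interface&lt;/i&gt; output under "Validate your answers", here is an added example that is not part of the column: a PowerShell function that pulls the congestion indicators out of that text (bandwidth, the rxload and txload fields, the 5-minute rates, total output drops, and the input and CRC error counters) and says why a link is flagged. The sample text is an abridged copy of the column's own output; the 75 percent utilization threshold is an assumption for this example, not a Cisco figure. It is written to be fed the output of a single &lt;i&gt;show interface&lt;/i&gt; for one interface at a time.&lt;/p&gt;

```powershell
# Added example, not part of the column: parse one interface's show interface
# output and flag congestion versus line errors. Sample text abridged from the
# column's output; the 0.75 threshold is an assumption made here.

$ShowInterfaceSample = @'
Serial3/0 is up, line protocol is up
Hardware is QUICC with integrated T1 CSU/DSU
Internet address is 10.0.100.2/30
MTU 1500 bytes, BW 512 Kbit, DLY 20000 usec,
  reliability 255/255, txload 36/255, rxload 255/255
Encapsulation HDLC, loopback not set
Input queue: 1/75/0/0 (size/max/drops/flushes); Total output drops: 4281
Queueing strategy: fifo
5 minute input rate 498000 bits/sec, 400 packets/sec
5 minute output rate 73000 bits/sec, 110 packets/sec
  31566 input errors, 2219 CRC, 14502 frame, 0 overrun, 0 ignored, 14840 abort
  0 output errors, 0 collisions, 200 interface resets
'@

function Get-InterfaceCongestion {
    param(
        [Parameter(Mandatory)][string]$ShowInterfaceText,
        [double]$UtilizationThreshold = 0.75
    )

    # First capture group of a pattern as a 64-bit integer, or $null when absent.
    function Get-Field([string]$Pattern) {
        $m = [regex]::Match($ShowInterfaceText, $Pattern)
        if ($m.Success) { [int64]$m.Groups[1].Value } else { $null }
    }

    $name     = [regex]::Match($ShowInterfaceText, '(?m)^(\S+) is (?:up|down|administratively down), line protocol').Groups[1].Value
    $bwKbit   = Get-Field 'BW (\d+) Kbit'
    $rxLoad   = Get-Field 'rxload (\d+)/255'
    $txLoad   = Get-Field 'txload (\d+)/255'
    $inBps    = Get-Field '5 minute input rate (\d+) bits/sec'
    $outBps   = Get-Field '5 minute output rate (\d+) bits/sec'
    $drops    = Get-Field 'Total output drops: (\d+)'
    $inErrors = Get-Field '(\d+) input errors'
    $crc      = Get-Field '(\d+) CRC'

    # Utilization from the rate counters, independent of the IOS load fields.
    $inUtil  = if ($bwKbit) { $inBps  / ($bwKbit * 1000.0) } else { $null }
    $outUtil = if ($bwKbit) { $outBps / ($bwKbit * 1000.0) } else { $null }

    $reasons = @()
    if ($rxLoad -ge 255 * $UtilizationThreshold) { $reasons += "rxload $rxLoad/255" }
    if ($txLoad -ge 255 * $UtilizationThreshold) { $reasons += "txload $txLoad/255" }
    if ($inUtil  -ge $UtilizationThreshold) { $reasons += ('input rate {0:P0} of BW'  -f $inUtil) }
    if ($outUtil -ge $UtilizationThreshold) { $reasons += ('output rate {0:P0} of BW' -f $outUtil) }
    if ($drops -gt 0) { $reasons += "$drops output drops (output queue overflow)" }

    # CRC and input errors point at a line problem rather than congestion; report them separately.
    $lineErrors = ($inErrors -gt 0 -or $crc -gt 0)

    [PSCustomObject]@{
        Interface         = $name
        BandwidthKbit     = $bwKbit
        InputUtilization  = $inUtil
        OutputUtilization = $outUtil
        OutputDrops       = $drops
        InputErrors       = $inErrors
        CrcErrors         = $crc
        Congested         = ($reasons.Count -gt 0)
        LineErrors        = $lineErrors
        Reasons           = ($reasons -join '; ')
    }
}

Get-InterfaceCongestion -ShowInterfaceText $ShowInterfaceSample | Format-List
```

&lt;p&gt;On the column's sample the function reports the link as congested on the receive side (rxload 255/255 and an input rate of roughly 97 percent of the 512 Kbit bandwidth) and separately flags line errors, because 2219 CRC errors among 31566 input errors are a circuit or clocking problem that more bandwidth or QoS will not fix. Keeping the two verdicts apart stops a bad line from being misread as a capacity problem.&lt;/p&gt;&lt;p&gt;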
There are a lot of ways to find out what that traffic is, so choose a method you're comfortable and familiar with.&lt;/p&gt;  &lt;h2&gt;Decide how to deal with the traffic&lt;/h2&gt;  &lt;p&gt;Once you've determined what the traffic is, you basically have two options. You can stop the traffic, or you can choose to allow the traffic.&lt;/p&gt;  &lt;p&gt;If you're lucky, opting to stop the traffic should resolve the congestion. You can stop it with an access control list, or you can terminate it at the source.&lt;/p&gt;  &lt;p&gt;On the other hand, if you choose to allow the traffic, you then have a few choices for how to deal with the congestion. Of course, there are pros and cons to each option.&lt;/p&gt;  &lt;ul type="disc"&gt;&lt;li&gt;Add more bandwidth.&lt;/li&gt;&lt;li&gt;Perform quality of service (QoS) on the traffic.&lt;/li&gt;&lt;li&gt;Compress the traffic.&lt;/li&gt;&lt;/ul&gt;  &lt;h2&gt;Weigh your options&lt;/h2&gt;  &lt;p&gt;Adding more bandwidth (at least on a WAN link) means you can expect to pay a higher price per month. In some cases, however, this is your only option.&lt;/p&gt;  &lt;p&gt;For example, if you have 25 users who are all trying to use Citrix over a 56-K dedicated frame-relay circuit, no amount of QoS or compression will resolve the extreme slowness. You just need more bandwidth.&lt;/p&gt;  &lt;p&gt;On the other hand, let's say you already have a reasonable amount of bandwidth for your Citrix and VoIP traffic, but users complain of periodic slowness. This slowness happens when users print 10-MB PDF files over the 256-K WAN link. In this case, you need to perform QoS.&lt;/p&gt;  &lt;p&gt;This solution goes back to the question about the requirements of the applications running on your network (in this case, latency-sensitive vs. non-latency-sensitive). The non-latency-sensitive print jobs are slowing down the latency-sensitive traffic, and the latency-sensitive traffic needs higher priority. 
Most users won't notice if their print job takes a little longer to print out, but they will notice if their phone call sounds bad or their Citrix session is slow.&lt;/p&gt;  &lt;p&gt;As for the third option, you can use compression in place of additional bandwidth. However, keep in mind that there are several caveats that go along with compression.&lt;/p&gt;  &lt;p&gt;One big stipulation is that this solution doesn't always work. Compression only works for certain types of traffic, and it can cause delay on other types of traffic. In addition, compression can be expensive if you have several locations because you'll need a compression unit at each one.&lt;/p&gt;  &lt;p&gt;While Cisco routers can carry out compression, it does cause a bit of delay and a larger increase in CPU utilization. Cisco routers can also perform QoS, but it isn't very friendly to configure—nor is it easy to see what's going on.&lt;/p&gt;  &lt;p&gt;Although a dedicated QoS device like Packeteer will cost you, in my opinion, it's far superior to trying to perform QoS inside a Cisco router. As much as I love Cisco routers and try to use them as much as possible, sometimes you need to take the "best-of-breed" approach.&lt;/p&gt;  &lt;h2&gt;Miss a column?&lt;/h2&gt;  &lt;p&gt;Check out the &lt;a href="http://techrepublic.com.com/1200-1035-5685066.html" target="_blank"&gt;Cisco Routers and Switches Archive&lt;/a&gt;, and catch up on David Davis' most recent columns.&lt;/p&gt;  &lt;p&gt;&lt;i&gt;David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. 
He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.&lt;/i&gt;&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/1091887489035335793/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=1091887489035335793' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/1091887489035335793'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/1091887489035335793'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/clear-up-network-congestion.html' title='Clear up network congestion'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-3204906692690166886</id><published>2009-11-05T22:02:00.002-08:00</published><updated>2009-11-05T22:03:08.201-08:00</updated><title type='text'>- Finding duplex mismatches in copper based networks</title><content type='html'>&lt;h4&gt;Description&lt;/h4&gt;TECHNICAL FIELD&lt;br /&gt;&lt;br /&gt;Embodiments of the invention relate generally to network systems, and more particularly to an apparatus and method for finding duplex mismatches in copper based networks.&lt;br /&gt;&lt;br /&gt;BACKGROUND&lt;br /&gt;&lt;br /&gt;Many local area network (LAN) products today use a medium formed by copper wire pairs for the transmission and reception of data. A network that uses the copper wire pairs is defined as a copper based network. Existing technologies based on the copper wire pairs include, for example, 10BASE-T, 100BASE-TX, and 1000BASE-T. All of these technologies have the ability to negotiate speed, duplex mode (half duplex or full duplex), flow-control, and other important aspects of link operation by using low frequency pulses to communicate the desired state of operation for the link prior to actually engaging in the specific link signaling. This negotiation process is called "auto-negotiation".&lt;br /&gt;&lt;br /&gt;During link negotiation between two nodes in a link in a network, as an example, a port of a first node may be set in the auto-negotiation mode, while a port of the second node is not set in the auto-negotiation mode. As a result, the first node will be made to negotiate at half-duplex. For example, the first node (which is in auto-negotiation mode) will be set to negotiate at 100 half-duplex or full-duplex, while the second node (which is not in auto-negotiation mode) will be set to 100 full-duplex. As known to those skilled in the art, full-duplex data transmission means that data can be transmitted in both directions on a signal carrier at the same time. For example, on a local area network with a technology that has full-duplex transmission, one workstation can be sending data on the line while another workstation is receiving data. As also known to those skilled in the art, half-duplex data transmission means that data can be transmitted in both directions on a signal carrier, but not at the same time. 
For example, on a local area network using a technology that has half-duplex transmission, one workstation can send data on the line and then receive data on the line once its data has been received by the link partner.&lt;br /&gt;&lt;br /&gt;The above-mentioned duplex operation mismatch (duplex mismatch) can lead to degraded performance between the two nodes and result in trouble calls by the customer to the network support center of a node vendor. In a 10BASE-T/100BASE-T network, duplex mismatch problems are the most frequently fielded calls from customers to support engineers and are thus the most costly product issue. 
Current technology does not provide the ability for the customer to know and detect a duplex mismatch condition, does not reduce the countless support calls to the support engineers from customers, and does not lead to reductions in costs for the node vendor.&lt;br /&gt;&lt;br /&gt;A current port configuration method from Cisco Corporation only provides settable flags that indicate network error, as disclosed in the link. However, this previous port configuration method does not provide specific guidance to the customer on identifying the network problem and simply shuts down the port and informs the customer that an error has occurred.&lt;br /&gt;&lt;br /&gt;Therefore, the current technology is limited in its capabilities and suffers from at least the above constraints and deficiencies.&lt;br /&gt;&lt;br /&gt;SUMMARY OF EMBODIMENTS OF THE INVENTION&lt;br /&gt;&lt;br /&gt;In an embodiment of the invention, a method for finding duplex mismatches in a copper based network includes:&lt;br /&gt;&lt;br /&gt;detecting late collisions and cyclic redundancy check (CRC) errors;&lt;br /&gt;&lt;br /&gt;if a port is in auto-negotiation and up in half-duplex and over threshold late collisions have been detected, then informing the user of a duplex mismatch and suggesting to the user to set the port to full duplex; and&lt;br /&gt;&lt;br /&gt;if the port is in forced full-duplex mode and over threshold CRC errors have been detected, then informing the user of a duplex mismatch and suggesting to the user to set the port to auto-negotiation mode.&lt;br /&gt;&lt;br /&gt;These and other features of an embodiment of the present invention will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which includes the accompanying drawings and claims.&lt;br /&gt;&lt;br /&gt;BRIEF DESCRIPTION OF THE DRAWINGS&lt;br /&gt;&lt;br /&gt;Non-limiting and non-exhaustive embodiments of the present invention are described with reference to the following figures, wherein like reference numerals refer to like parts throughout the various views unless otherwise specified.&lt;br /&gt;&lt;br /&gt;FIG. 1 is a block diagram of an apparatus (system), in accordance with an embodiment of the invention.&lt;br /&gt;&lt;br /&gt;FIG. 2 is a block diagram of a method in accordance with an embodiment of the invention.&lt;br /&gt;&lt;br /&gt;DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS&lt;br /&gt;&lt;br /&gt;In the description herein, numerous specific details are provided, such as examples of components and/or methods, to provide a thorough understanding of embodiments of the invention. One skilled in the relevant art will recognize, however, that an embodiment of the invention can be practiced without one or more of the specific details, or with other apparatus, systems, methods, components, materials, parts, and/or the like. In other instances, well-known structures, materials, or operations are not shown or described in detail to avoid obscuring aspects of embodiments of the invention.&lt;br /&gt;&lt;br /&gt;FIG. 1 is a block diagram of an apparatus (system) 100 that can implement an embodiment of the invention. The apparatus 100 includes two nodes 105A and 105B (generally, node 105) that are connected by a link 110. The nodes 105A and 105B are network devices such as, for example, network switches. The nodes 105A and 105B include fault finders 115A and 115B, duplex mismatch detect modules 120A and 120B, event log message generator modules 125A and 125B, processors 130A and 130B, and PHYs (physical link layer) 135A and 135B (generally, PHY 135), respectively, as shown in FIG. 1. The PHYs 135A and 135B include ports 140A and 140B, respectively, and include other suitable standard hardware components in network devices and permit the transmission of data over the link 110. For example, a PHY 135 typically includes an MDI (medium dependent interface) which is the connection to the link (medium) 110 (i.e., the direct physical and electrical connection to the link).&lt;br /&gt;&lt;br /&gt;Auto-negotiation automatically configures duplex and speed. It is also possible to turn off auto-negotiation and force both speed and duplex.&lt;br /&gt;&lt;br /&gt;The duplex mismatch detect module 120 and event log message generator 125 can be integrated into a single module which can be called a duplex mismatch finder.&lt;br /&gt;&lt;br /&gt;The fault finders 115A and 115B, duplex mismatch detect modules 120A and 120B, and event log message generator modules 125A and 125B are typically implemented in software and are stored in a memory (e.g., memory 132A and 132B) in the nodes 105. 
The fault finders 115A and 115B, duplex mismatch detect modules 120A and 120B, and event log message generator modules 125A and 125B are typically programmed in a suitable programming language, such as, for example, C, and are created by use of known code programming techniques.&lt;br /&gt;&lt;br /&gt;The processors 130A and 130B (generally, processor 130) execute the fault finders 115A and 115B (generally, fault finder 115), duplex mismatch detect modules 120A and 120B (generally, module 120), and event log message generator modules 125A and 125B (generally, module 125), respectively, and also execute other software or firmware in a node 105.&lt;br /&gt;&lt;br /&gt;The fault finder 115 is a module that detects fault conditions in a network. A fault condition can include, for example, a loop configuration in the network. A fault condition can also include over threshold late collisions and over threshold cyclic redundancy check errors, as described below. 
An embodiment of the fault finder 115 is implemented in, for example, the PROCURVE 5304 and 5308 switches and other switches which are commercially available from HEWLETT-PACKARD COMPANY.&lt;br /&gt;&lt;br /&gt;The fault finder 115A will check the error counters 145A and 150A, while fault finder 115B will check the error counters 145B and 150B. The fault finder 115A will generate an event log message 155A, based upon the values in the late collision counter 145A and CRC error counter 150A exceeding threshold values that are set by the user and based upon whether the port is set to forced mode or auto-negotiation mode, as discussed below. When the collision counter 145A exceeds a threshold value (a user-settable boundary), the fault finder 115A sets a flag 155A. When the CRC error counter 150A exceeds a threshold value (a user-settable boundary), the fault finder 115A sets a flag 160A. The flags 155A and 160A are typically values that are set in a memory (e.g., memory 132A) in the node 105A.&lt;br /&gt;&lt;br /&gt;Similarly, the fault finder 115B will generate an event log message 155B, based upon the values in the late collision counter 145B and CRC error counter 150B exceeding threshold values that are set by the user, as discussed below. When the collision counter 145B exceeds a threshold value (a user-settable boundary), the fault finder 115B sets a flag 155B. When the CRC error counter 150B exceeds a threshold value (a user-settable boundary), the fault finder 115B sets a flag 160B. 
The flags 155B and 160B are typically values that are set in a memory (e.g., memory 132B) in the node 105B.&lt;br /&gt;&lt;br /&gt;Various parameters are then checked by the duplex mismatch detect modules 120 and event log message generator 125 (i.e., parameters are checked by the duplex mismatch finder) in order to detect a duplex mismatch, as discussed below, in accordance with an embodiment of the invention.&lt;br /&gt;&lt;br /&gt;Various standard components and/or software in the nodes 105A and 105B (and in the network 100) have been omitted in FIG. 1 for purposes of clarity and for purposes of focusing on the functionalities of embodiments of the invention.&lt;br /&gt;&lt;br /&gt;It should be appreciated that, in alternative embodiments, the network system 100 may include components and products other than those discussed above. Moreover, the network system 100 can be implemented on different hardware. Those skilled in the art will recognize that other alternative hardware and software environments may be used without departing from the scope of embodiments of the invention. As such, the exemplary environment in FIG. 1 is not intended to limit embodiments of the invention.&lt;br /&gt;&lt;br /&gt;FIG. 2 is a block diagram of a method 200 in accordance with an embodiment of the invention. In block 205, the late collision error flag 155 is set if the late collision error counter 145 exceeds a user settable threshold value, or the CRC error flag 160 is set if the CRC error counter 150 exceeds a user settable threshold value. 
The threshold values for the late collision error counter 145 and for the CRC error counter 150 are typically measured in errors per second and can be set to any suitable values depending on, for example, the implementation.&lt;br /&gt;&lt;br /&gt;The fault finder 115 checks the counters 145 and 150 and sets the flags 155 and 160 if one of the counters 145 and 150 exceeds the user settable threshold value.&lt;br /&gt;&lt;br /&gt;Late collision error is defined in the Ethernet specification. Late collisions occur when there is a late occurrence of a collision on the link. In an Ethernet network, a collision is the result of two devices on the same Ethernet network attempting to transmit data at exactly the same time. The network detects the "collision" of the two transmitted packets and discards them both. Late collision is a very good indication that one node is trying to transmit data while the opposite node in the link is transmitting data, and therefore, a duplex mismatch may be present.&lt;br /&gt;&lt;br /&gt;CRC is a method of checking for errors in data that has been transmitted on a communications link. 
A sending device applies a 16-bit or 32-bit polynomial to a block of data that is to be transmitted and appends the resulting cyclic redundancy code (CRC) to the block. The receiving end applies the same polynomial to the data and compares its result with the result appended by the sender. If the results agree, the data has been received successfully. If not, the sender can be notified to resend the block of data.&lt;br /&gt;&lt;br /&gt;If there is a duplex mismatch, then a node 115 will see a late collision error or a CRC error, depending on whether the node 115 is set for full-duplex or half-duplex.&lt;br /&gt;&lt;br /&gt;After the late collision error flag 155 is set (i.e., the late collisions exceeded a user settable threshold value) or the CRC flag 160 is set (i.e., the CRC errors exceeded a user settable threshold value), then, in block 210, a check is made whether a node port 140 is connected to a link 110. If, in block 210, the node port 140 is not connected to a link 110, then, in block 215, the flags 155 or 160 are cleared and a duplex mismatch is regarded as not present or as not possible. In block 220, the method 200 returns to block 205 where the fault finder 115 will check the late collision error counter 155 and the CRC error counter 160 and set the flags 155 or 160 if the collision error counter 155 or the CRC error counter 160, respectively, exceeds a user settable threshold value.&lt;br /&gt;&lt;br /&gt;If, in block 210, the node port 140 is connected to a link 110, then, in block 225, the port 140 is checked to determine if it is a 100TX port or 1000T port (i.e., the port 140 is checked to determine if it is a copper port, since a duplex mismatch can only occur between copper ports). If, in block 225, the node port 140 is not a copper port, then blocks 215 and 220 are repeated as discussed above, and a duplex mismatch is regarded as not present or as not possible. 
Therefore, fiber ports are not checked for duplex mismatches.&lt;br /&gt;&lt;br /&gt;If, in block 225, the node port 140 is connected to a copper port, then, in block 230, a check is performed to determine if the port 140 is connected to a gigabit link (1000T link) (i.e., the port is up in gigabit mode). A duplex mismatch will typically not occur in gigabit mode because the gigabit Ethernet standard typically only supports full-duplex for connected devices (although the gigabit Ethernet standard has a half-duplex mode, it does not use the half-duplex mode). If, in block 230, the port 140 is connected to a gigabit link, then blocks 215 and 220 are repeated as discussed above, and a duplex mismatch is regarded as not present or as not possible.&lt;br /&gt;&lt;br /&gt;If, in block 230, the port 140 is not connected to a gigabit link, then, in block 235, a check is performed on the configuration to determine if the port is set in forced mode. The forced mode can be 10HDX (half-duplex), 10FDX (full-duplex), 100HDX, or 100FDX.&lt;br /&gt;&lt;br /&gt;If forced mode is set in block 235, then, in block 245, the isForced flag (generally flag 170, and specifically flags 170A or 170B in FIG. 1) is set by the duplex mismatch detect module 120.&lt;br /&gt;&lt;br /&gt;If forced mode is not set in block 235, then, in block 240, a check is performed to determine if auto-negotiation was completed successfully. The duplex mismatch detect module 120 checks the PHY 135 to determine if auto-negotiation has failed. 
The auto-negotiation process is disclosed in the standard IEEE 802.3 clause 36, which is hereby fully incorporated herein by reference.&lt;br /&gt;&lt;br /&gt;If auto-negotiation is not completed successfully in block 240, then blocks 215 and 220 are repeated as discussed above, and a duplex mismatch is regarded as not present or as not possible.&lt;br /&gt;&lt;br /&gt;If auto-negotiation is completed successfully in block 240, then, in block 250, the autoHDX flag (generally flag 175, and specifically flags 175A or 175B in FIG. 1) is set by the duplex mismatch detect module 120, to indicate that the port 140 is in auto-negotiation mode and in half duplex. Note that it may be possible for a port to be in auto-negotiation mode and in full duplex. However, in the embodiments described herein, the flag is looking for a possible error condition which can only occur when the port comes up in half duplex while in auto-negotiation mode.&lt;br /&gt;&lt;br /&gt;The flags 170 and 175 are values that are set in memory in a node 105.&lt;br /&gt;&lt;br /&gt;In block 255 (with the "return duplex mismatch is possible flags"), at this point it is known that a duplex mismatch is possible, so a message will be sent which includes the error condition denoted by these flags.&lt;br /&gt;&lt;br /&gt;The duplex mismatch detect module 120 performs the above-mentioned actions in blocks 210 through 255.&lt;br /&gt;&lt;br /&gt;The following blocks then ensure that the correct counter has matched the perceived side of the duplex mismatch. When there is a duplex mismatch, one node 115 will detect the late collisions, while the opposite node 115 will detect the CRC errors.&lt;br /&gt;&lt;br /&gt;In block 260, if the autoHDX flag 175 is set and the late collision counter 145 has exceeded the user settable threshold, then, in block 270, the user is informed of a duplex mismatch and a suggestion is made to the user to set the port 140 to full duplex. 
The autoHDX flag 175 indicates that the port 140 is currently in auto-negotiation mode and in half duplex. In block 280, the information that is generated in block 270 is provided to the user by sending an event log message 155, and the method 200 then returns to block 205 where the fault finder 115 will check the late collision error counter 155 and the CRC error counter 160 and set the flags 155 or 160 if the collision error counter 155 or the CRC error counter 160, respectively, exceeds a user settable threshold value.&lt;br /&gt;&lt;br /&gt;The event log message generator 125 (FIG. 1) informs the fault finder 115 to generate an event log message 155 with the information in block 270.&lt;br /&gt;&lt;br /&gt;On the other hand, in block 260, if the autoHDX flag 175 is not set or if the late collisions counter 145 did not exceed the user settable threshold, then the method 200 proceeds to block 265.&lt;br /&gt;&lt;br /&gt;In block 265, if the isForced flag 170 is set and the CRC error counter 150 has exceeded the user settable threshold, then, in block 275, the user is informed of a duplex mismatch and a suggestion is made to the user to set the port to auto-negotiation mode. The isForced flag 170 indicates that the port 140 is currently in forced mode. In block 280, the information that is generated in block 275 is provided to the user by sending an event log message 155, and the method 200 then returns to block 205 where the fault finder 115 will check the late collision error counter 155 and the CRC error counter 160 and set the flags 155 or 160 if the collision error counter 155 or the CRC error counter 160, respectively, exceeds a user settable threshold value.&lt;br /&gt;&lt;br /&gt;The event log message generator 125 (FIG. 
1) informs the fault finder 115 to generate an event log message 155 with the information in block 275.&lt;br /&gt;&lt;br /&gt;On the other hand, in block 265, if the isForced flag 170 is not set or if the CRC error counter 150 did not exceed the user settable threshold, then blocks 215 and 220 are repeated as discussed above, and a duplex mismatch is regarded as not present or as not possible.&lt;br /&gt;&lt;br /&gt;The event log message generator 125 performs the above-mentioned actions in blocks 260 through 275.&lt;br /&gt;&lt;br /&gt;Therefore, blocks 260 and 265 inform the user of a duplex mismatch and to set (change) the port 140 to either auto-negotiation mode or to full duplex. If the user is told to change the port 140 setting to full duplex (see block 270), then this means the link partner to this port 140 (i.e., where the link partner is the node 115 on the other end of link 110) is in forced mode (forced full duplex mode), and this port 140 is in auto-negotiation mode and is in half duplex due to the fact that auto-negotiation did not complete successfully.&lt;br /&gt;&lt;br /&gt;On the other hand, if the user is told to change the port 140 setting to auto-negotiation (see block 275), then this means the link partner to this port 140 is in auto-negotiation mode, while this port is in forced mode (forced full-duplex mode).&lt;br /&gt;&lt;br /&gt;Based on the event log message 155 that is sent to the user of the port 140, the user can change the port 145 settings in order to eliminate the duplex mismatch.&lt;br /&gt;&lt;br /&gt;It is also within the scope of the present invention to implement a program or code that can be stored in a machine-readable medium to permit a computer to perform any of the methods described above.&lt;br /&gt;&lt;br /&gt;Reference throughout this specification to "one embodiment", "an embodiment", or "a specific embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is 
included in at least one embodiment of the present invention. Thus, the appearances of the phrases "in one embodiment", "in an embodiment", or "in a specific embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.&lt;br /&gt;&lt;br /&gt;Other variations and modifications of the above-described embodiments and methods are possible in light of the foregoing disclosure.&lt;br /&gt;&lt;br /&gt;It will also be appreciated that one or more of the elements depicted in the drawings/figures can also be implemented in a more separated or integrated manner, or even removed or rendered as inoperable in certain cases, as is useful in accordance with a particular application.&lt;br /&gt;&lt;br /&gt;Additionally, the signal arrows in the drawings/Figures are considered as exemplary and are not limiting, unless otherwise specifically noted. Furthermore, the term "or" as used in this disclosure is generally intended to mean "and/or" unless otherwise indicated. Combinations of components or steps will also be considered as being noted, where terminology is foreseen as rendering the ability to separate or combine is unclear.&lt;br /&gt;&lt;br /&gt;As used in the description herein and throughout the claims that follow, "a", "an", and "the" includes plural references unless the context clearly dictates otherwise. Also, as used in the description herein and throughout the claims that follow, the meaning of "in" includes "in" and "on" unless the context clearly dictates otherwise.&lt;br /&gt;&lt;br /&gt;The above description of illustrated embodiments of the invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. 
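The flag-setting and counter-matching logic of blocks 225 through 275 described above, written out in Python as an added example that is not part of the patent. The half-duplex test behind the autoHDX flag is made explicit as an assumption, and the port names, the threshold and the counter readings are constructed.

```python
"""Duplex-mismatch detection modelled on blocks 225-275 of the method described above.

Added example, not code from the patent.  Port names, the threshold and the
counter readings are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Media(Enum):
    FIBER = "fiber"
    COPPER = "copper"


@dataclass
class PortState:
    """Snapshot of one port as read from its PHY and error counters."""
    name: str
    media: Media
    gigabit: bool         # link is up in 1000T mode (block 230)
    forced: bool          # speed/duplex set manually: 10HDX, 10FDX, 100HDX or 100FDX (block 235)
    autoneg_done: bool    # PHY reports auto-negotiation completed (block 240)
    half_duplex: bool     # port is currently operating in half duplex
    late_collisions: int  # late collision counter (counter 145)
    crc_errors: int       # CRC error counter (counter 150)


@dataclass
class MismatchFlags:
    is_forced: bool = False  # flag 170
    auto_hdx: bool = False   # flag 175


def duplex_mismatch_flags(port: PortState) -> MismatchFlags:
    """Blocks 225-250: decide whether a duplex mismatch is possible on this port."""
    flags = MismatchFlags()
    if port.media is Media.FIBER:      # block 225: fiber ports are not checked
        return flags
    if port.gigabit:                   # block 230: gigabit links run full duplex only
        return flags
    if port.forced:                    # block 235 -> block 245
        flags.is_forced = True
        return flags
    if not port.autoneg_done:          # block 240: mismatch regarded as not possible
        return flags
    # Block 250.  The error condition behind this flag can only arise when the
    # port came up in half duplex while auto-negotiating, so that test is made
    # explicit here (assumption: the description states it in prose only).
    if port.half_duplex:
        flags.auto_hdx = True
    return flags


def match_counters(port: PortState, flags: MismatchFlags, threshold: int) -> Optional[str]:
    """Blocks 260-275: pair each flag with the counter its side of the mismatch raises.

    Returns the event log message text, or None when nothing is reported.
    """
    if flags.auto_hdx and port.late_collisions > threshold:  # block 260 -> 270
        return (f"{port.name}: duplex mismatch detected ({port.late_collisions} late "
                f"collisions); set the port to full duplex")
    if flags.is_forced and port.crc_errors > threshold:      # block 265 -> 275
        return (f"{port.name}: duplex mismatch detected ({port.crc_errors} CRC "
                f"errors); set the port to auto-negotiation")
    return None


def fault_finder(ports: List[PortState], threshold: int = 100) -> List[str]:
    """One pass of the method over every port; returns the event log messages."""
    messages = []
    for port in ports:
        msg = match_counters(port, duplex_mismatch_flags(port), threshold)
        if msg:
            messages.append(msg)
    return messages


# Constructed snapshot: port 1/5 auto-negotiated and came up half duplex, its
# partner 2/7 is forced 100FDX, 3/1 is a gigabit link and 4/2 is fiber; the
# last two carry high counters but must be ignored by the method.
SAMPLE_PORTS = [
    PortState("1/5", Media.COPPER, gigabit=False, forced=False, autoneg_done=True,
              half_duplex=True, late_collisions=842, crc_errors=0),
    PortState("2/7", Media.COPPER, gigabit=False, forced=True, autoneg_done=False,
              half_duplex=False, late_collisions=0, crc_errors=1310),
    PortState("3/1", Media.COPPER, gigabit=True, forced=False, autoneg_done=True,
              half_duplex=False, late_collisions=5000, crc_errors=5000),
    PortState("4/2", Media.FIBER, gigabit=False, forced=True, autoneg_done=False,
              half_duplex=False, late_collisions=0, crc_errors=9000),
]

if __name__ == "__main__":
    for line in fault_finder(SAMPLE_PORTS):
        print(line)
```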
While specific embodiments of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize.&lt;br /&gt;&lt;br /&gt;These modifications can be made to the invention in light of the above detailed description. The terms used in the following claims should not be construed to limit the invention to the specific embodiments disclosed in the specification and the claims. Rather, the scope of the invention is to be determined entirely by the following claims, which are to be construed in accordance with established doctrines of claim interpretation. &lt;h4&gt;Other References&lt;/h4&gt;&lt;ul&gt;&lt;li style="margin-left: 15px;"&gt; “Port Configuration”, [webpages] [online], retrieved on Jan. 15, 2004. Retrieved from the internet: http://www.cisco.com/univercd/cc/td/doc/product/lan/c2900xl/29_35xp/olhelp/porthelp.htm. Total pp. 5.&lt;/li&gt;&lt;li style="margin-left: 15px;"&gt; Bunch, Bill; “An Introduction to Auto-Negotiation”; 1995; SCYLD Software; pp. 
1-12.&lt;/li&gt;&lt;/ul&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/3204906692690166886/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=3204906692690166886' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/3204906692690166886'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/3204906692690166886'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/finding-duplex-mismatches-in-copper.html' title='- Finding duplex mismatches in copper based networks'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-4478265826499435659</id><published>2009-11-05T22:02:00.001-08:00</published><updated>2009-11-05T22:02:31.125-08:00</updated><title type='text'>Have Wireless Access, Will Work For Food</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="txt" width="78%"&gt;&lt;em&gt;Wireless networks make any area in your building a workspace, helping employees be productive in conference rooms, colleagues' offices, and the company café. 
It's a welcoming gesture to offer visitors wireless Internet access.&lt;/em&gt; &lt;p&gt;Wireless networking is such an important requirement that if you don't implement it, and make it easy to use, you may find your employees doing it themselves. Unfortunately, most employees (and home users) install wireless access points with the default security settings, leaving networks wide open. Some system administrators, unaware of the risks, do the same.&lt;br /&gt;&lt;br /&gt;&lt;/p&gt; &lt;/td&gt;  &lt;td valign="top" width="22%"&gt; &lt;table style="border: 1px solid rgb(192, 192, 192); background-color: rgb(0, 0, 0); width: 128px; height: 122px;" align="center" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="padding: 10px; background-color: rgb(255, 255, 255);" class="txt"&gt; &lt;p&gt;&lt;strong&gt;Download:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;a href="http://www.appliedtrust.com/images/resources/have-wireless-access-will-work-for-food.pdf"&gt; Have Wireless Access, Will Work For Food &lt;img src="http://www.appliedtrust.com/images/stories/icon_pdf.gif" align="top" /&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; It's trivial to set up a wireless network. Setting up one that's secure &lt;em&gt;and &lt;/em&gt;meets all the needs of your enterprise is a totally different beast. To secure a wireless network, you address the same issues that you do when you secure your wired networks. It's always a good idea to start with a policy that covers the following: &lt;ul style="margin-left: 20px;"&gt;&lt;li&gt;&lt;em&gt;Access control: &lt;/em&gt;who can access your wireless network and what services they can use. You may classify users by role and allow them access to specific services as dictated by their role. Employees can access internal services, while visitors can only access the Internet. 
Professors can access the grading system, students can't. &lt;/li&gt;&lt;li&gt;&lt;em&gt;Privacy: &lt;/em&gt;how you keep traffic on your wireless network secure so that someone in your parking lot can't view your company secrets.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Admission requirements: &lt;/em&gt;what protection mechanisms, such as antivirus software, spyware scanners, and vendor patches, are required before a system can be placed on your network.&lt;/li&gt;&lt;/ul&gt; &lt;strong&gt;&lt;span class="news"&gt;Wireless Ethernet networks&lt;/span&gt;&lt;br /&gt;&lt;/strong&gt;Wireless networking has become popular because of standards that promote interoperability. There are lots of proprietary wireless networks, but the ones that most people actually use are based on the IEEE &lt;table style="width: 100%;" align="center" border="0" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td class="txt" height="14" width="42%"&gt;802.11 specifications. The WiFi Alliance® allows the WiFi® brand to denote products that comply with the most common standards, hence “wireless networking” and “WiFi networking” are almost synonymous these days.&lt;br /&gt;&lt;br /&gt;Devices that follow the 802.11 specifications implement a wireless Ethernet network. The interfaces between wired and wireless Ethernet networks are known as &lt;em&gt;access points. &lt;/em&gt;These can be configured as routers or bridges. Routers are often used with NAT and a DHCP server to make it easy for clients to access the network. 
They can be configured to work with a &lt;em&gt;captive portal &lt;/em&gt;that redirects any Web request to an authentication page, blocking all traffic from the client until she presents the appropriate credentials.&lt;/td&gt; &lt;td class="txt" width="58%"&gt; &lt;table style="width: 100%; height: 249px;" bgcolor="#000000" border="0" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td class="txt" bgcolor="#d8dee8" height="247"&gt; &lt;p&gt;&lt;strong&gt;Captive Portal Solutions&lt;/strong&gt;&lt;br /&gt;&lt;strong&gt;Open source:&lt;/strong&gt;&lt;br /&gt;M0n0wall /m0n0spot – &lt;a href="http://www.tomsnetworking.com/2004/09/29/how_to_monowall_portal"&gt;&lt;em&gt;http://www.tomsnetworking.com/2004/09/29/how_to_monowall_portal&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Wifidog – &lt;a href="http://www.wifidog.org/"&gt;&lt;em&gt;www.wifidog.org&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Chilispot – &lt;a href="http://www.chilispot.org/"&gt;&lt;em&gt;www.chilispot.org&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;OpenSplash – &lt;a href="http://www.opensplash.org/"&gt;&lt;em&gt;www.opensplash.org&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Milkeyway – &lt;a href="http://sourceforge.net/projects/milkeyway"&gt;&lt;em&gt;http://sourceforge.net/projects/milkeyway&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Nocatauth – &lt;a href="http://nocat.net/"&gt;&lt;em&gt;http://nocat.net/&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;&lt;strong&gt;Commercial:&lt;/strong&gt;&lt;br /&gt;Rovingplanet – &lt;a href="http://www.rovingplanet.com/"&gt;&lt;em&gt;http://www.rovingplanet.com&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Colubris – &lt;a href="http://www.colubris.com/"&gt;&lt;em&gt;http://www.colubris.com&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Cisco – &lt;a href="http://www.cisco.com/"&gt;&lt;em&gt;www.cisco.com&lt;/em&gt;&lt;/a&gt;&lt;br /&gt;Proxim – &lt;a href="http://www.proxim.com/"&gt;&lt;em&gt;www.proxim.com&lt;/em&gt;&lt;/a&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p&gt;Captive 
portals are particularly useful for guest access: not only do they make your guests feel “special” and make your organization look professional, but they also give you a way of tracking &lt;em&gt;who &lt;/em&gt;is using your guest access. Captive portals are available as open-source or commercial software, and some access points have them built in.&lt;br /&gt;&lt;span class="title"&gt;&lt;br /&gt;&lt;strong class="news"&gt;The wireless popularity contest&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;The first of the 802.11 standards in wide use was 802.11b, the original 11 Mbps WiFi network. The 802.11g standard later brought the maximum theoretical speed up to 54 Mbps. Because the two standards use the same radio frequencies, most 802.11g-compliant devices are compatible with both b and g networks. The 802.11a standard is the Sony Betamax of the wireless world. It is technologically superior because it uses a broader range of frequencies, making it easier to blanket an area with access points with less interference where the coverage areas intersect. Unfortunately, it lost the popularity contest because it is incompatible with 802.11b/g equipment. 802.11a-compliant devices are still available, but they'd be a bad choice for your guest network, because most people don't own 802.11a-compliant devices. The 802.11n standard is projected for November 2007, and is expected to offer another six to 10-fold increase in speed (asymmetric) over 802.11g, and up to a 50-fold improvement over 802.11b.&lt;br /&gt;&lt;br /&gt;That's the story at the radio-frequency level.&lt;/p&gt; &lt;div align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/have_wireless.jpg" alt=" " height="336" width="326" /&gt;&lt;/div&gt; &lt;div align="center"&gt;&lt;em&gt;Figure 1: Example wireless architecture with a single access point.&lt;/em&gt;&lt;/div&gt;&lt;br /&gt;&lt;p&gt;
A network's &lt;em&gt;Service Set Identifier &lt;/em&gt;(SSID) differentiates one network from another, and allows clients to choose the network to which they want to connect. Some access points support multiple SSIDs, allowing them to support different networks from the same device. This can be used to separate employee and visitor or professor and student networks. Authentication mechanisms determine who gets access to your network, and what access rights they have. Encryption mechanisms make authentication secure, and they protect traffic from being observed or corrupted. Good encryption uses key rotation with a new key for every packet. Bad encryption uses the same key for all packets, making your network easy to crack.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;Alphabet soup&lt;/strong&gt;&lt;br /&gt;There are techniques to authenticate you to the network, and techniques for encrypting your network traffic, and some mechanisms do both. When you think about cryptography, consider that the access point and the client must exchange &lt;em&gt;keys &lt;/em&gt;that drive the &lt;em&gt;cipher &lt;/em&gt;used to encrypt your data. Both must be secure.&lt;br /&gt;&lt;br /&gt;WEP, or Wired Equivalent Privacy, was meant to make wireless networks as secure as wired networks, but unfortunately its designers seemed to design it without consulting cryptography experts. It uses the same key for authentication, encryption, and for every packet. It is very easy to crack, and you shouldn't consider using it for anything. Filtering clients by MAC address is another technique that you should dismiss because of how easy it is to spoof.&lt;br /&gt;&lt;br /&gt;WPA™, or WiFi Protected Access™, was a stopgap to WEP's problems until the 802.11i standard could be designed and WPA2™ implemented. WPA works with legacy hardware. 
Both use a protocol called TKIP to rotate keys for every packet, which is a very good thing.&lt;br /&gt;&lt;br /&gt;WPA2 implements the mandatory parts of the 802.11i standard. It uses the AES cipher, stronger than RC4 used by WPA and WEP. Authentication methods include the following:&lt;/p&gt; &lt;ul style="margin-left: 20px;"&gt;&lt;li&gt;&lt;em&gt;WPA2 Personal &lt;/em&gt;(or PSK mode) uses a single shared key for authentication. Shared keys use passphrases, which are vulnerable to password guessing.&lt;/li&gt;&lt;li&gt;&lt;em&gt;WPA2 Enterprise &lt;/em&gt;is based on a per-user key that an 802.1X standard-compliant authentication server manages.&lt;/li&gt;&lt;li&gt;&lt;em&gt;EAP, &lt;/em&gt;or Extensible Authentication Protocol, is the framework used by WPA2 to authenticate users and exchange keys. It can be supported with an 802.1X-compliant authentication server such as RADIUS.&lt;/li&gt;&lt;li&gt;&lt;em&gt;EAP/TLS &lt;/em&gt;is a flavor of EAP that uses a public-key infrastructure (PKI) to exchange keys securely. It is in wide use.&lt;/li&gt;&lt;li&gt;&lt;em&gt;PEAP &lt;/em&gt;is an IETF open standard promoted by Cisco, Microsoft, and RSA that also uses server-side PKI.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The bottom line: always stay away from WEP, and use WPA2 with PEAP. This establishes a mechanism that you can use to grant rights, revoke them, and authenticate on a per-user basis. You might consider using less-secure, but more common, WPA with a pre-shared key (PSK) for your guest network, along with a captive portal to control and monitor who gets access. Captive portals not only handle access control, but also their authentication pages give you a chance to present visitors with information such as a site map, an event schedule, or the daily special in the cafeteria. 
You've seen captive portals at work in coffee shops, hotels, and airports.&lt;br /&gt;Remember that client devices that connect to your wireless network might be infected with viruses, worms, and Trojan horses, so a firewall between the wireless and wired networks is a must.&lt;br /&gt;&lt;span class="title"&gt;&lt;br /&gt;&lt;strong class="news"&gt;A secure wireless architecture&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;The first thing you need to develop your own secure wireless architecture is a set of policies that help you to understand what you need to implement. In organizations where you need to support different classes of users, a key principle is to segment traffic, just as you do internally to separate networks such as engineering and finance. Use VLANs, firewalls, and packet filters to make sure that you can control the traffic from each segmented network.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;&lt;strong&gt;&lt;em&gt;The guest network&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;To support visitors to your site, you want to make it as easy as possible for them to use your network, but difficult for people at the coffee shop next door (or hackers in your parking lot). You may want to use a less secure network encryption mechanism (such as WPA) so that most visitors' devices will connect, and a captive portal to control who actually gets to use the network. You should provide them only the access that you would give an outside Internet user.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;&lt;strong&gt;&lt;em&gt;The employee network&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;You want to make it as easy as possible for your employees to get onto their network, but since you have more control over the hardware they use, you can select one of the more secure mechanisms such as WPA2 with PEAP. 
Even these additional authentication and encryption mechanisms aren't impenetrable, and employee laptops might have picked up nasty viruses at home, so you'll want to be careful about what services you open up. Better yet, consider installing a Network Admission Control platform that can perform client posture assessment, to automatically check for protection such as antivirus and antispyware tools (as well as patches) before the system is granted access to the network. You might want to provide access to print services, but don't open up your network file servers to the wireless network.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;&lt;strong&gt;&lt;em&gt;An example architecture&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;Here's a simple, one-access-point wireless network that illustrates the points above (Figure 1). Enterprise-grade access points that support multiple SSIDs can funnel traffic from each SSID onto different VLANs on the wired network, giving you more control over where the traffic can go. Use a good access point with a different SSID for each of your two networks. Route your guest network traffic through your captive portal, to the firewall, and onto the Internet. Route employee network traffic onto the Internet (if that's where it's going) or to specific services that you have protected with an additional layer of security. You can do this based on role so that, for example, finance people can access their network services, including the payroll system, while engineers can access application development systems.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;&lt;strong&gt;Implement and verify&lt;/strong&gt;&lt;/span&gt;&lt;strong&gt;&lt;br /&gt;&lt;/strong&gt;As with your wired network, you'll want to verify that the wireless network you've implemented does what you think it should. First use a tool to verify that your wireless networks are visible and accessible as you expect them to be. 
Use a tool such as airsnort &lt;em&gt;(&lt;a href="http://airsnort.shmoo.com/"&gt;airsnort.shmoo.com&lt;/a&gt;), &lt;/em&gt;netstumbler &lt;em&gt;(&lt;a href="http://www.netstumbler.org/"&gt;www.netstumbler.org&lt;/a&gt;), &lt;/em&gt;or macstumbler to attempt to crack your networks. While you're at it, plan to use them on a continuing basis to watch for rogue access points.&lt;br /&gt;Once you've verified wireless network security, go to the next layer and make sure that your firewall and captive portal are configured properly. Use a port-scanning tool such as nmap, and make sure that your captive portal doesn't let any traffic through until you've authenticated. Once you authenticate, make sure that you can't get to any internal services from the guest network. Then check your employee network, and verify that each of the employee roles you've defined allows the access you have granted, and no more.&lt;br /&gt;Wireless networks are an important part of doing business today. Carefully implemented wireless networks are useful business tools, and they don't require you to compromise security. 
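One way to make the nmap checks just described repeatable, as an added example that is not part of the article: it parses nmap greppable (-oG) output captured from each wireless segment and flags every open port that the segmentation policy does not allow. The segment names, addresses, policy entries and scan lines are constructed.

```python
"""Compare nmap -oG results from each wireless segment with the segmentation policy.

Added example, not code from the article.  Segment names, addresses, the policy
table and the scan lines are all constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed nmap greppable (-oG) output, one capture per source segment:
# the guest SSID before and after captive-portal login, and the engineering
# VLAN of the employee SSID.
SCANS = {
    "guest-preauth": (
        "Host: 10.10.0.1 (portal)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///"
        "\tIgnored State: filtered (998)\n"
        "Host: 10.20.0.5 (files)\tPorts: 445/filtered/tcp//microsoft-ds///\n"
    ),
    "guest-postauth": (
        "Host: 10.10.0.1 (portal)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\n"
        "Host: 10.20.0.5 (files)\tPorts: 445/open/tcp//microsoft-ds///\n"
    ),
    "employee-eng": (
        "Host: 10.20.0.9 (print)\tPorts: 631/open/tcp//ipp///\n"
        "Host: 10.20.0.5 (files)\tPorts: 445/filtered/tcp//microsoft-ds///\n"
        "Host: 10.20.0.20 (payroll)\tPorts: 443/open/tcp//https///\n"
    ),
}

# Policy: the (host, port) pairs each segment is allowed to reach.  Any other
# port that answers "open" is a segmentation violation.
POLICY = {
    "guest-preauth": {("10.10.0.1", 80), ("10.10.0.1", 443)},   # captive portal only
    "guest-postauth": {("10.10.0.1", 80), ("10.10.0.1", 443)},  # Internet only, nothing internal
    "employee-eng": {("10.20.0.9", 631)},                       # print services, no file servers
}

HOST_RE = re.compile(r"^Host:\s+(\S+)")


def parse_grepable(text):
    """Return {(host, port): state} for every port entry in -oG output."""
    result = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue                       # skip the "# Nmap ..." header and footer lines
        host = match.group(1)
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")   # port/state/proto/owner/service/rpc/version
                if len(parts) > 2:
                    result[(host, int(parts[0]))] = parts[1]
    return result


def find_violations(scans, policy):
    """Return {segment: [(host, port), ...]} for open ports the policy does not allow."""
    violations = defaultdict(list)
    for segment, text in scans.items():
        allowed = policy[segment]
        for (host, port), state in sorted(parse_grepable(text).items()):
            if state == "open" and (host, port) not in allowed:
                violations[segment].append((host, port))
    return dict(violations)


if __name__ == "__main__":
    for segment, hits in find_violations(SCANS, POLICY).items():
        for host, port in hits:
            print(f"{segment}: {host}:{port} is reachable but not allowed")
```

Replace the SCANS strings with the real `-oG` files from each segment and the POLICY table with your own role definitions; an empty result means every segment reaches only what it was granted.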
Carelessly implemented wireless networks are not much different from leaving your front door unlocked.&lt;/p&gt; &lt;p&gt;&lt;span class="news"&gt;&lt;strong&gt;&lt;em&gt;Did you know?&lt;/em&gt;&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;Most analysts estimate that average IT server utilization is only between 20% and 30% of total capacity.&lt;/p&gt; &lt;em&gt;-HP Thought Leadership&lt;/em&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/4478265826499435659/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=4478265826499435659' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4478265826499435659'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4478265826499435659'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/have-wireless-access-will-work-for-food.html' title='Have Wireless Access, Will Work For Food'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-7097593582801308147</id><published>2009-11-05T21:53:00.000-08:00</published><updated>2009-11-05T22:02:03.697-08:00</updated><title type='text'>Understanding DNS: Essential knowledge for all IT professionals</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="txt" 
width="78%"&gt;&lt;p&gt;&lt;em&gt;The Domain Name System (DNS) is one of the most important components of Internet infrastructure. If DNS is unavailable, you’ll have difficulty finding resources on the Internet and, likewise, others will be unable to find you. That’s because DNS is the phone book that translates names such as &lt;em&gt;www.nytimes.com&lt;/em&gt; to Internet protocol (IP) addresses such as 199.239.136.245, and vice versa. DNS saves us from having to remember the IP addresses of all of our favorite sites, and it allows Web pages to link to others by name, not by IP address. Finding hosts by name allows IP addresses to change over time, allowing sites to grow, change location, or reconfigure. But, DNS does a whole lot more than just name-to-address mapping. Understanding the basic structure, function, and operations of DNS is an important foundation for all modern-day IT professionals. &lt;/em&gt;&lt;/p&gt; &lt;/td&gt; &lt;td valign="top" width="22%"&gt; &lt;table style="border: 1px solid rgb(192, 192, 192); background-color: rgb(0, 0, 0); width: 128px; height: 122px;" align="center" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="padding: 10px; background-color: rgb(255, 255, 255);" class="txt"&gt; &lt;p&gt;&lt;strong&gt;Download:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;a href="http://www.appliedtrust.com/media/thebarkingseal/understanding-dns-essential.pdf"&gt; Understanding DNS: Essential Knowledge for all IT professionals &lt;img src="http://www.appliedtrust.com/images/stories/icon_pdf.gif" align="top" /&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt;&lt;br /&gt;&lt;p&gt;&lt;em&gt;DNS is a hierarchical, distributed database with delegated authority. 
The “delegated authority” part means that you’re responsible for providing a way for Internet users to look up an IP address associated with your organization’s domain. Many organizations let their ISPs manage DNS for them, but that’s a risky proposition at best. A configuration mistake or failure at your ISP can make your company appear offline for at least a portion of the Internet. A political issue could cause you to lose control of your domain information. And, unless you’re your ISP’s largest customer, you have to wait in line with everyone else when you need to make a change to one of your DNS records.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;DNS holds the key to your existence on the Internet, which is why you want to control DNS for your domain. DNS is even more than that. DNS is an anti-phishing mechanism, it helps your organization to reject email spam, and it’s a privacy mechanism that helps to hide your internal network topology. Here are just a few ways DNS helps in these areas:&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;Anti-phishing. Imagine how quickly your personal information would be lost if you couldn’t trust the identity of your online bookseller or bank. When DNS is working correctly, it helps you to reach the real site, not the imitation one run by an identity thief. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Anti-spam. Do you think that you get a lot of spam? You’d be getting a lot more if DNS weren’t working for you. Your mail server can verify domain names on incoming email messages, helping to weed out spam. New DNS mechanisms, including the Sender Policy Framework (SPF, &lt;em&gt;&lt;a href="http://www.openspf.org/" target="_new"&gt;www.openspf.org&lt;/a&gt;&lt;/em&gt;) or DomainKeys (DKIM, &lt;em&gt;&lt;a href="http://www.dkim.org/" target="_new"&gt;www.dkim.org&lt;/a&gt;&lt;/em&gt;), identify who is allowed to send mail on behalf of a domain so you can reject email from imposters. 
Real-time blacklists (RBLs) let your mail server quickly check to see whether a sender is a known spammer or a known infected machine. RBLs such as &lt;em&gt;&lt;a href="http://www.spamhaus.org/" target="_new"&gt;www.spamhaus.org&lt;/a&gt;&lt;/em&gt; use DNS as a lightweight query-response mechanism for checking the addresses of email senders. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Privacy. DNS reveals to external clients only what you want the public to see about your network. Likewise, it lets internal users and servers see whatever is appropriate for them to see. DNS helps you mask addresses by giving them different names depending on whether they’re accessed from the inside or outside of your network, helping to increase your network’s security. &lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;&lt;strong class="news"&gt;DNS from top to bottom&lt;/strong&gt;&lt;br /&gt;In the days before DNS, administrators managed hosts files that kept track of all known systems, a manual mechanism with limited ability to scale. The original DNS specification, and the first reference implementation, was developed at U.C. Berkeley in 1983–1984. Today, the DNS specification evolves through updates to the RFC documents. The reference implementation that the majority of organizations use is known as the Berkeley Internet Name Daemon (BIND). BIND was primarily made commercially viable through the efforts of Paul Vixie and his followers. &lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;DNS is a distributed database.&lt;/em&gt; DNS maps names into IP addresses. 
The servers that implement DNS are distributed around the world, making the service resilient to failures and attacks, as well as making it high performance: there are mechanisms for making sure that you use the DNS servers that are closest to you from a network topology perspective.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Responsibility is delegated.&lt;/em&gt; The DNS architecture uses delegated authority to ensure that those who know best about mapping names to IP addresses (called “forward mapping”) are the ones responsible. When it comes to translating names to IP addresses within your domain, your organization is responsible. If your organization is large enough, you may even delegate parts of your domain into subdomains such as &lt;em&gt;eng.barkingseal.com&lt;/em&gt; or &lt;em&gt;mktg.barkingseal.com&lt;/em&gt;. Each subdomain, such as &lt;em&gt;eng&lt;/em&gt; or &lt;em&gt;mktg&lt;/em&gt;, can be managed by different servers and different parts of the organization. When it comes to mapping IP addresses back to host names (called “reverse mapping”), responsibility is delegated to the owner of the IP addresses themselves. If your ISP has assigned a set of IP addresses to you, the ISP can delegate the reverse mapping back to you. It’s important to have a consistent set of forward and reverse maps.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Naming is hierarchical.&lt;/em&gt; Naming in DNS is hierarchical, and names are parsed from right to left. Though the details are always hidden from users, a domain name always ends with an implicit period, or dot. This represents the root of the hierarchy that a nameserver traverses when looking up an address. A DNS server always knows where to find the root servers that can tell it the locations of servers that understand top-level domains (such as &lt;em&gt;com&lt;/em&gt;, &lt;em&gt;net&lt;/em&gt;, and &lt;em&gt;org&lt;/em&gt;). 
Because DNS is distributed and hierarchical, looking up a domain name can take the query around the world to servers knowing answers to the query.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;Some definitions&lt;/strong&gt;&lt;br /&gt;Before delving into that worldwide trip, some definitions can help make it a smooth one.&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;A &lt;em&gt;fully-qualified host name&lt;/em&gt; is the name of a host plus its domain name, &lt;em&gt;venus.eng.barkingseal.com&lt;/em&gt;, for example. The host name &lt;em&gt;venus&lt;/em&gt; can be used within the domain &lt;em&gt;eng.barkingseal.com&lt;/em&gt; without ambiguity because it must be unique within that domain. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;A &lt;em&gt;domain name&lt;/em&gt; is everything but the unqualified host name. In this example, take off &lt;em&gt;venus&lt;/em&gt; and its domain is &lt;em&gt;eng.barkingseal.com&lt;/em&gt;. When a domain has more than a top-level domain (&lt;em&gt;com&lt;/em&gt;) and a second-level domain (&lt;em&gt;barkingseal&lt;/em&gt;), it’s referred to as a &lt;em&gt;subdomain&lt;/em&gt;. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;An &lt;em&gt;authoritative nameserver&lt;/em&gt; is a server that has been designated by the proper authority as providing name mapping for a particular domain. Depending on what the server’s level of the hierarchy is, the proper authority for making this determination varies. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;A &lt;em&gt;caching nameserver&lt;/em&gt; is one that stores the results of previous queries so that each request for an IP address doesn’t result in a long foray across the Internet. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;A &lt;em&gt;recursive nameserver&lt;/em&gt; is one that will traverse the hierarchical name space to resolve a query. &lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;A nameserver can have any combination of authoritative, caching, and recursive characteristics. 
For example, an authoritative server that provides address mappings to the outside world must not allow recursive queries from the outside: an open resolver can be abused to poison its cache and to amplify denial-of-service traffic against third parties. Authoritative servers providing internal address mappings are often recursive and caching. Nameservers can be configured to provide different services to different users. &lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;Name mapping example&lt;/strong&gt;&lt;br /&gt;Going through the steps of mapping a name to an IP address helps to illustrate the distributed nature of DNS, and it shows where and how delegation occurs. This example assumes that your nameserver is &lt;em&gt;ns.atrust.com&lt;/em&gt;, and this is the first time that the address &lt;em&gt;venus.eng.barkingseal.com&lt;/em&gt; is looked up. No server has the address cached, and the entire hierarchy has to be traversed. The sequence is portrayed graphically in Figure 1.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;img alt="q109_figure1" src="http://www.appliedtrust.com/images/stories/q109_figure1.jpg" height="236" width="500" /&gt;&lt;/em&gt;&lt;/p&gt; &lt;ol&gt;&lt;li&gt;&lt;em&gt;Your workstation contains a resolver that talks to your nameserver and provides answers to applications (such as Web browsers, email clients, and instant-messaging software) when they ask for name mappings. Your resolver asks your nameserver (let’s call it &lt;em&gt;ns.atrust.com&lt;/em&gt;) about the address for &lt;em&gt;venus.eng.barkingseal.com&lt;/em&gt;. The &lt;em&gt;ns.atrust.com&lt;/em&gt; nameserver is a caching server — so that if anyone else asks for the same address, they get an immediate response. For the purpose of this example, &lt;em&gt;ns.atrust.com&lt;/em&gt; is also recursive so it is the one that can traverse the DNS hierarchy to obtain the name mapping. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Your caching, recursive nameserver has a built-in list of addresses for the 13 root servers (the root hints file; the servers are named [A-M].ROOT-SERVERS.NET.) 
These authoritative servers, distributed across the world, are able to point a nameserver to the ones that know about the top-level domain that you’re asking about (in this case, &lt;em&gt;com&lt;/em&gt;.) Your nameserver asks one of the root servers where to find an address for &lt;em&gt;venus.eng.barkingseal.com&lt;/em&gt;. Your server queries for the fully qualified domain name all down the hierarchy so that if one of the nameservers along the way has the answer, the query process can stop. &lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;br /&gt;&lt;/em&gt;&lt;/p&gt; &lt;table style="width: 60%;" align="center" bgcolor="#000000" border="0" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td class="txt" bgcolor="#d8dee8"&gt;&lt;strong&gt;&lt;em&gt;Note that through the magic of anycast, some root servers, such as the F root server, simultaneously exist in more than one geographic location. See RFC 3258 for more details on this clever hack.&lt;/em&gt;&lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/li&gt;&lt;li&gt;&lt;em&gt;The root server says: “I can’t help you, but why don’t you ask one of the generic top-level domain (gTLD) servers on this list?” The answer is called a &lt;em&gt;referral&lt;/em&gt;, and for a &lt;em&gt;.com&lt;/em&gt; address the response includes the names and addresses of the gTLD servers for &lt;em&gt;com&lt;/em&gt;, [A-M].GTLD-SERVERS.NET. Which servers appear in that referral is decided by the registry that operates the TLD, and the list changes over time. The [A-M].GTLD-SERVERS.NET servers know about &lt;em&gt;com&lt;/em&gt; and &lt;em&gt;net&lt;/em&gt;; other TLDs such as &lt;em&gt;edu&lt;/em&gt; have servers of their own. 
If you’re querying for a TLD that is a country code (&lt;em&gt;us&lt;/em&gt; for the United States, &lt;em&gt;jp&lt;/em&gt; for Japan, and so on), the query may be referred to servers run by the country in question, or by a commercial operator to which the country has licensed its TLD (Tuvalu’s &lt;em&gt;.tv&lt;/em&gt;, for example). &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Your nameserver asks one of the gTLD servers where to find the name you’re interested in, and the gTLD server refers the request to the nameservers for &lt;em&gt;barkingseal.com&lt;/em&gt;. Remember when you registered your domain and you had to provide the names and addresses for your nameservers? Your registrar passes that information to the TLD registry, which publishes it as NS records (and glue A records) in the TLD zone served by the gTLD servers; the root servers never carry per-domain data. The gTLD servers return the addresses of nameservers for &lt;em&gt;barkingseal.com&lt;/em&gt;. This is the point in the query where the &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;The nameserver for &lt;em&gt;barkingseal.com&lt;/em&gt;, perhaps named &lt;em&gt;ns1.barkingseal.com&lt;/em&gt;, knows about names within &lt;em&gt;barkingseal.com&lt;/em&gt;. In many small and medium-sized organizations, the query would end here, as &lt;em&gt;ns1.barkingseal.com&lt;/em&gt; would know about all names within &lt;em&gt;barkingseal.com&lt;/em&gt;. If &lt;em&gt;barkingseal.com&lt;/em&gt; is a large organization, it might have subdomains such as &lt;em&gt;eng&lt;/em&gt; and &lt;em&gt;mktg&lt;/em&gt; delegated to other parts of the company. So for the purpose of this example, &lt;em&gt;ns1.barkingseal.com&lt;/em&gt; responds to the query by referring your nameserver to a nameserver for the subdomain &lt;em&gt;eng&lt;/em&gt;, in this case &lt;em&gt;ns1.eng.barkingseal.com&lt;/em&gt;. 
&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Your nameserver asks &lt;em&gt;ns1.eng.barkingseal.com&lt;/em&gt; for the address, and the response is “sure, the address for &lt;em&gt;venus.eng.barkingseal.com&lt;/em&gt; is 63.173.189.132.” &lt;/em&gt;&lt;/li&gt;&lt;/ol&gt;&lt;em&gt; The lengthy process of traversing the hierarchy from the root servers to a domain’s own nameservers takes only a fraction of a second, but it underscores the importance of caching. Your resolver should talk to a caching nameserver that remembers previous queries. This helps to speed applications such as Web browsers, which can request name mappings for dozens of names per Web page. Caching servers should be placed close to users; if your company has multiple locations, you should have at least two caching servers at each site. &lt;/em&gt; &lt;p&gt;&lt;em&gt;Caching means that name-to-address mappings for your domain are stored for some period of time in caching nameservers and resolvers all around the Internet. This means that there is latency between the time you change an entry in your nameserver and when everyone on the Internet has obtained the new information. You have some control over latency by adjusting the records’ Time to Live (TTL.) Updating the addresses of your authoritative nameservers is slower still: the registry publishes the new NS and glue records quickly, but the old ones stay in resolver caches worldwide for the TTL the TLD assigns them (48 hours for &lt;em&gt;com&lt;/em&gt;), so plan on two to three days before the change is visible everywhere. The bottom line is that you need to be careful and methodical when you make changes related to DNS, as it can take days to fix any problems that you inadvertently create. Once a record has been cached, its data is under the administrative control of hundreds or thousands of external entities; therefore it is not possible to “force” an instant update when you make a mistake such as forgetting to lower the Time to Live for a record ahead of a change. 
As a result, it’s often best to get expert advice before executing a plan to migrate your authoritative nameservers.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;Reverse mapping&lt;/strong&gt;&lt;br /&gt;So far the discussion has focused on mapping names to IP addresses, or forward mapping. Reverse mapping provides the name given an IP address. It is used, for example, by a mail server doing sanity checks when another mail server connects to it. Reverse mapping works similarly to forward mapping except that (for historical reasons) reverse lookups live under the special domain &lt;em&gt;in-addr.arpa&lt;/em&gt; (&lt;em&gt;ip6.arpa&lt;/em&gt; for IPv6), the record type requested is PTR rather than A, and the components of the IP address are reversed. So a request for the name corresponding to 216.139.219.58 would query &lt;em&gt;58.219.139.216.in-addr.arpa&lt;/em&gt;. Delegation can happen between the various octets in an IP address. A simplistic way to look at it is that upper octets are generally owned by large organizations and the lower ones are owned by mere mortals. This is why the octets are reversed: as the reverse lookup proceeds from right to left, the organizations to which the reverse lookups are delegated become smaller and more numerous.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;If you have an entire lower octet or more allocated to your company, you should take responsibility for the reverse mapping so that you can keep both forward and reverse maps synchronized. If your ISP has allocated you less than a whole octet, your ISP can, using the classless delegation technique of RFC 2317 (a CNAME per address pointing into a zone you control), delegate the reverse lookups for individual IP addresses to your nameserver (see Nemeth et al., &lt;em&gt;Linux Administration Handbook, Second Edition&lt;/em&gt;, p. 400). This is important so that you can maintain consistency between what forward and reverse lookups find.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Although you should always keep your reverse lookup map up to date, don’t always trust what you get back from a reverse query. 
The reason is that whoever controls the reverse delegation for an address range can publish any PTR name they like, and some spammers use that freedom to make their servers look trustworthy. For example, they might send a flurry of spam out from one server whose reverse map claims something well known, such as &lt;em&gt;mail.att.net&lt;/em&gt;, so that for the duration of the run the reverse map matches the From: header of their email. Do the same reverse lookup an hour later, and the same address may claim to be another well-known domain such as &lt;em&gt;ebay.com&lt;/em&gt;. The standard defence is forward-confirmed reverse DNS: take the name that the PTR record returns, look up its A record, and accept the name only if one of the addresses you get back is the address that connected to you. A spammer can forge the PTR in their own reverse zone, but not the forward record in a zone that someone else controls.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;Windows Active Directory&lt;/strong&gt;&lt;br /&gt;A Windows-based network typically runs Microsoft Active Directory, which provides directory services for users and for workstations running Microsoft Windows operating systems. It facilitates trust relationships, defining who can log in to what machines in which organizations, and it defines the resources that a user is allowed to access. For Microsoft-based email, Active Directory works with Microsoft Exchange, keeping track of user mailboxes and their attributes.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;DNS is a component of an Active Directory server, and Active Directory depends on it: domain controllers advertise themselves through SRV records, and clients cannot log in if they cannot find those records. Your life will be easier if you support your internal Microsoft Windows systems using the DNS components of Active Directory. Active Directory relies on standard record types (its service location records are ordinary SRV records, RFC 2782) and on dynamic updates secured with GSS-TSIG; BIND supports both, but getting them to work smoothly takes more configuration than letting the domain controllers serve their own zone.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Active Directory uses multi-master replication to provide redundancy within the Windows environment, which supplements the more traditional master-slave architecture that BIND directly implements. One nice feature of Active Directory is that, as with BIND, it supports secure dynamic updates that allow workstations to update their DNS records. 
This is particularly useful if you have a number of laptops that might be plugged into different networks across the company at different times. When they are given a new IP address (usually via DHCP), the laptop can tell its Active Directory server about its new location, and now its new address is registered and propagated across the company so that everyone can find it.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;We recommend that Active Directory be implemented in conjunction with BIND, with Active Directory delegated naming authority for a subdomain of your internal network. Because of the platform’s large vulnerability footprint, Active Directory should not provide authoritative name services on the Internet, only on internal networks. To delegate naming authority to an Active Directory server, you’ll need to set up one or more NS records and corresponding A records to give the servers addresses. The NS record example in &lt;a href="http://www.atrust.com/images/TBS/q12009/q109_table1.jpg" target="_new"&gt;Table 1&lt;/a&gt; shows naming authority for the subdomain &lt;em&gt;eng.barkingseal.com&lt;/em&gt; delegated to two servers, &lt;em&gt;[ns1,ns2].eng.barkingseal.com&lt;/em&gt;. Later on in the zone file, A records (called glue records) provide the addresses of the two nameservers; without them, a resolver that has only been told the names of the subdomain’s servers would have to resolve those names in the very subdomain it is trying to reach.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;More than just naming&lt;/strong&gt;&lt;br /&gt;The introduction to this article mentioned how DNS is used for many things other than just looking up names. Here are some of the details.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Anti-phishing&lt;/em&gt;&lt;br /&gt;Phishing emails purporting to be from your bank or your favorite auction site will almost always contain a link that, if clicked on, takes you to a phishing site; the link typically points to a raw IP address or to a look-alike name rather than to the bank’s real domain. 
Type the name of your bank’s site yourself, rather than following a link or an IP address provided in someone’s email, to avoid falling prey to phishing attacks.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;But what if a hacker could fool your DNS into mapping a name such as &lt;em&gt;www.bankofamerica.com&lt;/em&gt; to their phishing site? This is possible through a technique known as cache poisoning: the attacker races the legitimate authoritative server and tries to get a forged answer accepted into your caching nameserver, which then hands it to every client that asks. A major flaw in the way resolvers matched answers to their queries was announced in July 2008 (the Kaminsky attack, CVE-2008-1447), and it made poisoning practical against unpatched servers in seconds. The fix was to randomize the UDP source port of every outgoing query, which makes a forged answer far harder to guess. So always keep your nameserver up to date, and make sure that it is directly mapped to a public (non-RFC 1918) IP address: do not put Network Address Translation in front of any externally-exposed caching nameserver, because many NAT devices rewrite source ports sequentially and silently undo the randomization.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Real-time blacklists&lt;/em&gt;&lt;br /&gt;Several organizations (see &lt;em&gt;&lt;a href="http://www.spamhaus.org/" target="_new"&gt;www.spamhaus.org&lt;/a&gt;&lt;/em&gt; or &lt;em&gt;&lt;a href="http://www.spamcop.net/" target="_new"&gt;www.spamcop.net&lt;/a&gt;&lt;/em&gt;) operate real-time blacklists that help mail servers distinguish sources of legitimate email from sources of spam. They blacklist specific IP addresses based on their own criteria, and you can have your mail server check incoming mail against one or more RBLs, rejecting any that comes from a blacklisted address.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;RBLs use DNS as a query-response mechanism. When a mail server subscribing to an RBL receives a connection from another mail server, it forms a DNS query based on the IP address of the connecting server. The query contains the reversed octets of the IP address followed by the name of the blacklist. For example, if a mail server wanted to check to see if it should accept mail from 63.173.189.1 using the RBL &lt;em&gt;sbl.spamhaus.org&lt;/em&gt;, it would ask its nameserver for the address of &lt;em&gt;1.189.173.63.sbl.spamhaus.org&lt;/em&gt;. An answer, by convention an address in 127.0.0.0/8 (some lists use the last octet to indicate why the address is listed), means the sender is blacklisted; a name-does-not-exist (NXDOMAIN) response means it is not. 
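&lt;/em&gt;&lt;/p&gt; &lt;p&gt;The two name constructions above, reversing the octets of 216.139.219.58 under in-addr.arpa and of 63.173.189.1 under an RBL zone, follow the same recipe, and the reverse-mapping section’s warning about spoofed PTR records has a standard countermeasure, forward-confirmed reverse DNS (FCrDNS), which resolves the PTR name back to an address and insists that it match. The Python below is an added example written for this page, not code from the article or from Applied Trust. It performs no network lookups: the STUB_* dictionaries are constructed, hypothetical records (the 127.0.0.2 answer follows the DNSBL convention of replying with an address in 127.0.0.0/8), and the stub_ptr and stub_a functions stand in for a real resolver such as dnspython.&lt;/p&gt;

```python
import ipaddress

# Constructed, hypothetical DNS data so the example runs offline. A real
# deployment would replace stub_ptr and stub_a with PTR, A/AAAA and RBL
# queries through a library such as dnspython.
STUB_PTR = {
    "132.189.173.63.in-addr.arpa.": "venus.eng.barkingseal.com.",
    # A PTR that claims a well-known name but is not backed by a forward record
    "58.219.139.216.in-addr.arpa.": "mail.att.net.",
}
STUB_A = {
    "venus.eng.barkingseal.com.": ["63.173.189.132"],
    "mail.att.net.": ["192.0.2.25"],        # does not point back to 216.139.219.58
    # DNSBL convention: a listed address answers with something in 127.0.0.0/8
    "1.189.173.63.sbl.spamhaus.org.": ["127.0.0.2"],
}

def stub_ptr(name):
    """Stand-in for a PTR lookup; returns the target name or None."""
    return STUB_PTR.get(name)

def stub_a(name):
    """Stand-in for an A lookup; returns a (possibly empty) list of addresses."""
    return STUB_A.get(name, [])

def reverse_name(ip):
    """Owner name used for a reverse lookup of an IPv4 or IPv6 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                    # one label per octet
        suffix = ".in-addr.arpa."
    else:
        labels = list(addr.exploded.replace(":", ""))    # one label per hex nibble
        suffix = ".ip6.arpa."
    return ".".join(reversed(labels)) + suffix

def rbl_query_name(ip, zone):
    """Name a mail server queries to ask RBL zone about an IPv4 sender."""
    labels = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(labels)) + "." + zone.strip(".") + "."

def fcrdns(ip, lookup_ptr=stub_ptr, lookup_a=stub_a):
    """Forward-confirmed reverse DNS.

    Returns (confirmed, name). confirmed is True only when the PTR name
    resolves forward to a set of addresses that includes ip itself; a PTR
    alone proves nothing, because whoever controls the reverse delegation
    can publish any name they like.
    """
    name = lookup_ptr(reverse_name(ip))
    if name is None:
        return (False, None)
    return (str(ipaddress.ip_address(ip)) in lookup_a(name), name)

def rbl_listed(ip, zone, lookup_a=stub_a):
    """True if the RBL answers for ip with an address in 127.0.0.0/8."""
    listed_range = ipaddress.IPv4Network("127.0.0.0/8")
    answers = lookup_a(rbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in listed_range for a in answers)

if __name__ == "__main__":
    print(reverse_name("216.139.219.58"))                  # 58.219.139.216.in-addr.arpa.
    print(fcrdns("63.173.189.132"))                        # (True, 'venus.eng.barkingseal.com.')
    print(fcrdns("216.139.219.58"))                        # (False, 'mail.att.net.')
    print(rbl_listed("63.173.189.1", "sbl.spamhaus.org"))  # True
```

&lt;p&gt;The IPv6 branch produces the nibble-reversed ip6.arpa name (32 labels), the same value that ipaddress.ip_address(ip).reverse_pointer returns; the hand-written version is kept so the mechanism is visible. In production, swap the stub lookups for real PTR and A/AAAA queries and treat a PTR whose name does not resolve back to the connecting address exactly as the article advises: as untrusted.&lt;/p&gt; &lt;p&gt;&lt;em&gt;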
Because this is just a DNS query, all of the nice features of DNS, such as caching, come along for free.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Sender Policy Framework&lt;/em&gt;&lt;br /&gt;SPF (originally RFC 4408, now RFC 7208) is a relatively new mechanism for letting others know which IP addresses are allowed to send email on your behalf. If you publish an SPF policy in your nameserver, then other mail servers that pay attention to SPF information can reject email that claims to come from your domain but is actually coming from a spammer’s machine (with a hard-fail policy ending in &lt;em&gt;-all&lt;/em&gt;), or merely mark it as suspicious (with a soft-fail policy ending in &lt;em&gt;~all&lt;/em&gt;). Note that SPF is checked against the envelope sender (the SMTP MAIL FROM address) and the HELO name, not against the From: header that users see. What this means is that if you set up SPF, as more mail servers observe it, spammers will find it much harder to spoof email to appear as if it is coming from your domain.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;SPF is probably the most promising DNS-based anti-spam mechanism, and it will become more effective as more domains use it to identify the addresses authorized to send mail on their behalf. A relative of SPF, DomainKeys Identified Mail (DKIM), signs the message itself rather than vouching for the sending address; at the time of writing it was not gaining the widespread acceptance that SPF was.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;SPF is implemented through a TXT record (see Table 1) that allows other mail servers to retrieve arbitrary text from your zone. You can visit &lt;em&gt;&lt;a href="http://www.openspf.org/" target="_new"&gt;www.openspf.org&lt;/a&gt;&lt;/em&gt; and fill out an online form that generates the correct text to implement SPF at your site. Keep the record as tight as you can: a policy that ends in &lt;em&gt;+all&lt;/em&gt; authorizes the whole Internet to send as you and is worse than no policy at all.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong class="news"&gt;Putting DNS to work&lt;/strong&gt;&lt;br /&gt;Knowing how queries work, and the difference between authoritative and caching nameservers, puts you most of the way to understanding DNS best practices. 
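&lt;/em&gt;&lt;/p&gt; &lt;p&gt;Before moving on to deployment, it is worth seeing the SPF check from the previous section evaluated end to end, because the order of the terms and the difference between -all and ~all are exactly where policies go wrong. The Python below is an added example written for this page, not code from the article or from Applied Trust. It implements the core of the RFC 7208 check (the ip4, ip6, a, mx, include and all mechanisms with their qualifiers) against constructed, hypothetical zone data in the STUB_* dictionaries; a real implementation would fetch TXT, MX and A records from DNS and would also handle the redirect modifier, the ptr and exists mechanisms and macros, all omitted here.&lt;/p&gt;

```python
import ipaddress

# Constructed, hypothetical zone data standing in for live TXT, MX and A
# answers. The names follow the article's barkingseal.com example; the
# records and addresses are invented for the demonstration.
STUB_TXT = {
    "barkingseal.com.": "v=spf1 ip4:63.173.189.0/24 mx include:_spf.example.net -all",
    "_spf.example.net.": "v=spf1 ip4:198.51.100.0/24 ~all",
}
STUB_MX = {"barkingseal.com.": ["mail.barkingseal.com."]}
STUB_A = {"mail.barkingseal.com.": ["203.0.113.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 7208 caps DNS-querying mechanisms such as include at 10

def fqdn(name):
    """Normalize a name to lower case with a trailing dot, as the stubs are keyed."""
    return name.rstrip(".").lower() + "."

def spf_record(domain):
    """Return the domain's SPF policy text, or None if it publishes none."""
    txt = STUB_TXT.get(fqdn(domain))
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt

def check_spf(sender_ip, domain, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Returns one of pass, fail, softfail, neutral, none or permerror. Terms
    are tested left to right; the qualifier of the first matching mechanism
    decides the result, and a trailing -all or ~all catches everything else.
    """
    if depth == MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        if "=" in term:
            continue                           # modifiers (exp=, redirect=) not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        target = fqdn(arg) if arg else fqdn(domain)
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in STUB_A.get(target, [])
        elif mech == "mx":
            for mx_host in STUB_MX.get(target, []):
                if str(ip) in STUB_A.get(fqdn(mx_host), []):
                    matched = True
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                 # ptr, exists and unknown mechanisms are out of scope
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                           # nothing matched and no all mechanism present

if __name__ == "__main__":
    for ip in ("63.173.189.25", "203.0.113.25", "198.51.100.7", "192.0.2.1"):
        print(ip, check_spf(ip, "barkingseal.com"))
```

&lt;p&gt;Run it and 63.173.189.25 passes on the ip4 term, 203.0.113.25 passes only because it is the domain’s MX, 198.51.100.7 passes through the include, and 192.0.2.1 falls through to -all and fails; the same address checked directly against _spf.example.net gets softfail because that policy ends in ~all.&lt;/p&gt; &lt;p&gt;&lt;em&gt;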
The remaining important concepts are the topology of how and where you deploy DNS servers, and the configuration files that dictate how they operate.&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt; &lt;em&gt;Network topology.&lt;/em&gt; Redundancy helps your domain continue to exist even if a server fails or a network cable is cut somewhere in the world. BIND supports redundancy through a master-slave relationship: the master notifies its slaves when a zone changes, and each slave pulls the new name mappings through a &lt;em&gt;zone transfer&lt;/em&gt; (AXFR or IXFR). Restrict zone transfers to your own slaves, because a full transfer hands an outsider a complete inventory of your hosts. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;&lt;em&gt;Configuration files.&lt;/em&gt; BIND’s configuration is in a file &lt;em&gt;named.conf&lt;/em&gt;. The &lt;em&gt;named.conf&lt;/em&gt; file tells the server whether it is authoritative and/or caching, and whether it is the master or slave for a given zone. The file points to &lt;em&gt;zone files&lt;/em&gt; that contain actual name mapping information. Zone files contain lines, or records, that define, among other things, name-to-address and address-to-name mappings for a specific domain or range of addresses. Some of the most important record types are summarized in &lt;a href="http://www.atrust.com/images/TBS/q12009/q109_table1.jpg" target="_new"&gt;Table 1&lt;/a&gt;. &lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;You will typically have a zone file for forward mappings visible to the outside, a zone file for forward mappings visible to the inside, and reverse maps for both. One of the beauties of BIND 9 is that it supports &lt;em&gt;views&lt;/em&gt;. Views tell BIND how to respond to requests based on where they come from. They allow you to run a single server that hands out private addresses for internal systems, and public addresses for services that you provide on the Internet. Views are matched on the source address of the query, so they are only as trustworthy as your border filtering: make sure packets with internal (RFC 1918) source addresses cannot arrive from the outside. 
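&lt;/em&gt; &lt;p&gt;What a views configuration looks like in practice, together with the subdomain delegation described under Windows Active Directory, is easiest to see in the files themselves. The fragments below are an added example written for this page, not configuration from the article or from Applied Trust. They follow the article’s barkingseal.com layout (master on a public DMZ address, an off-site slave, RFC 1918 addresses inside, eng delegated to two Active Directory servers); the specific addresses, ACL names, file paths and SOA timers are hypothetical.&lt;/p&gt;

```conf
// named.conf (added example, not the article's own configuration).
// Addresses, ACL names and paths are hypothetical; names follow the
// article's barkingseal.com example.
acl "internal"      { 192.168.0.0/16; 127.0.0.1; };
acl "offsite-slave" { 203.0.113.53; };       // hypothetical slave at another ISP

options {
    directory "/var/named";
    allow-transfer { none; };                // zones opt in explicitly below
    version "not disclosed";
};

// Inside view: internal clients only; recursion and caching allowed.
view "inside" {
    match-clients { "internal"; };
    recursion yes;
    zone "barkingseal.com" {
        type master;
        file "inside/barkingseal.com.zone";
        allow-transfer { "internal"; };      // the per-site caching slaves
    };
    zone "2.168.192.in-addr.arpa" {
        type master;
        file "inside/192.168.2.rev";
        allow-transfer { "internal"; };
    };
};

// Outside view: everyone else; authoritative answers only, never recursion.
view "outside" {
    match-clients { any; };
    recursion no;
    zone "barkingseal.com" {
        type master;
        file "outside/barkingseal.com.zone";
        allow-transfer { "offsite-slave"; };
    };
};

// ---- end of named.conf; the inside zone file follows (zone-file syntax) ----
; inside/barkingseal.com.zone (fragment): the internal view of the domain,
; with eng delegated to the Active Directory DNS servers.
$TTL 3600
@           IN  SOA ns1.barkingseal.com. hostmaster.barkingseal.com. (
                    2009010101 ; serial
                    3600       ; refresh
                    900        ; retry
                    1209600    ; expire
                    300 )      ; negative-answer TTL
            IN  NS  ns1.barkingseal.com.
            IN  NS  ns2.barkingseal.com.
ns1         IN  A   63.173.189.53     ; public address even on the inside
ns2         IN  A   203.0.113.53      ; the off-site slave
fileserver  IN  A   192.168.2.21
; delegation: the two NS records hand eng to the Active Directory servers,
; and the A records beneath them are the glue a resolver needs to reach them
eng         IN  NS  ns1.eng.barkingseal.com.
eng         IN  NS  ns2.eng.barkingseal.com.
ns1.eng     IN  A   192.168.10.1
ns2.eng     IN  A   192.168.10.2
```

&lt;p&gt;Two settings in the outside view carry the security weight: recursion is off, so the server cannot be used as an open resolver, and zone transfers are limited to the named slave, so an outsider cannot download the whole zone with an AXFR request. The glue A records under the eng delegation belong in the parent zone even though eng is served elsewhere; without them a resolver told to ask ns1.eng.barkingseal.com has no way to find that server’s address.&lt;/p&gt; &lt;em&gt;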
&lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;br /&gt;&lt;/em&gt;&lt;/p&gt; &lt;table style="width: 60%;" align="center" bgcolor="#000000" border="0" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td class="txt" bgcolor="#d8dee8"&gt;&lt;strong&gt;&lt;em&gt; Do you know how your DNS is configured?&lt;/em&gt;&lt;/strong&gt; &lt;p&gt;&lt;strong&gt;&lt;em&gt;Let us help monitor the health and status of your domains on a daily basis – a free service from Applied Trust. Visit &lt;em&gt;&lt;a href="http://barkingseal.com/dnsalerts" target="_new"&gt;barkingseal.com/dnsalerts&lt;/a&gt;&lt;/em&gt; for more information and to sign up.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;p&gt;&lt;em&gt;&lt;strong&gt;Example DNS and Active Directory configuration&lt;/strong&gt;&lt;br /&gt;The best way to show how all of these concepts come together is by walking through an example. The network topology diagram shows how DNS servers might be deployed and configured for a company having anywhere from two to 10,000 employees. Our example, &lt;em&gt;barkingseal.com&lt;/em&gt;, has two subdomains, one for engineering and one for marketing. Like most companies, it uses private (RFC 1918) addresses for its internal systems and public IP addresses for the services it provides to the outside world. It uses a combination of BIND and Microsoft Active Directory to support both Windows desktops and other servers and workstations. The network topology, along with the inside and outside forward maps, is illustrated in &lt;a href="http://www.atrust.com/images/TBS/q12009/q109_figure2.jpg" target="_new"&gt;Figure 2&lt;/a&gt;. 
The corresponding inside and outside reverse maps are illustrated in &lt;a href="http://www.atrust.com/images/TBS/q12009/q109_table2.jpg" target="_new"&gt;Table 2&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;External authoritative nameservers&lt;/em&gt;&lt;br /&gt;&lt;em&gt;barkingseal.com&lt;/em&gt;'s domain registration information points to the minimum of two nameservers, in this case a master that’s in the company’s DMZ and one that’s located far away across the Internet so that a failure that takes the company offline doesn’t make the domain disappear. Always, always, have a slave nameserver on a different network (a different ISP backbone) in a different location than your master. If you don’t want to host one yourself, there are DNS hosting services that will do it for a fee. Protect your authoritative nameservers with a firewall, but don’t hide them with network address translation. You want them to be available at the same address whether accessed from inside or outside of your network, and, as noted under anti-phishing, a NAT device in front of a caching nameserver can rewrite the randomized source ports that protect it against cache poisoning.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;The master authoritative nameserver supports an inside view and an outside view. The outside view provides forward and reverse mappings for the following two classes of public addresses. The outside view does not support caching or recursion.&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;Public addresses are for externally provided services, such as Web (&lt;em&gt;www.barkingseal.com&lt;/em&gt;) and mail (&lt;em&gt;mail.barkingseal.com&lt;/em&gt;) servers. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Masked NAT addresses are the public addresses used when internal systems request external services. This is usually a pool of addresses that your firewall uses when passing requests from internal, private addresses to external, public ones. 
Network address translation masks your internal network topology, and DNS helps to support that masking. The example in Figure 1 translates internal, private addresses to one of two public addresses, &lt;em&gt;nat[1,2].barkingseal.com&lt;/em&gt;. &lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;Regardless of what addresses you do or don’t mask, forward and reverse maps should be an exact mirror of one another: mail servers and other services compare the two (forward-confirmed reverse DNS), and a mismatch gets your mail rejected or your hosts flagged as suspicious. &lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Internal authoritative nameservers&lt;/em&gt;&lt;br /&gt;The master authoritative nameserver supports an inside view that describes &lt;em&gt;barkingseal.com&lt;/em&gt;'s internal systems. This view allows caching and recursion. All requests for addresses from internal systems are serviced by the inside view. This view has zones including the following:&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;Forward and reverse mappings for public addresses such as &lt;em&gt;www.barkingseal.com&lt;/em&gt; and &lt;em&gt;mail.barkingseal.com&lt;/em&gt;. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Forward and reverse mappings for addresses that point to file servers, printers, internal services, and Linux desktops — anything that’s not a Windows workstation. Addresses such as &lt;em&gt;fileserver.barkingseal.com&lt;/em&gt; resolve to private RFC 1918 addresses such as 192.168.2.21. &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;A delegation of authority for the subdomain &lt;em&gt;eng.barkingseal.com&lt;/em&gt;, which is served by a domain controller running Windows DNS. This is done through NS records and corresponding glue A records as illustrated in &lt;a href="http://www.atrust.com/images/TBS/q12009/q109_table1.jpg" target="_new"&gt;Table 1&lt;/a&gt;. &lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;The master authoritative nameserver has at least one slave in each physical location. The slave is a caching, recursive nameserver that acts as the primary nameserver for all non-Windows systems and indirectly for Windows workstations. 
It is placed topologically close to its clients, preferably on the same subnet. If the caching nameserver fails, the internal authoritative nameserver is the backup, at the cost of queries having to traverse the firewall, adding some latency to each request. Depending on the size of the organization, the locations of its subnets, and the importance of performance, two such servers, each a caching resolver and an authoritative slave, might be provided at a site. &lt;/em&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Active Directory Servers&lt;/em&gt;&lt;br /&gt;Two Windows servers run Active Directory. These servers are authoritative nameservers for the &lt;em&gt;eng.barkingseal.com&lt;/em&gt; subdomain, which includes all Windows desktops run by engineering. Two servers are used for redundancy, and their multi-master configuration keeps the two servers synchronized. The servers accept secure dynamic updates, but they do not propagate updates to the upstream BIND servers, where they would be rejected (the BIND zones should not accept dynamic updates at all). The servers cache, but they do not recurse on their own; instead, they forward any queries they can’t answer to the caching nameserver, which recursively resolves them.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;em&gt;Keep your eye on the ball&lt;/em&gt;&lt;br /&gt;The lessons of this example include the following:&lt;/em&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;Distribute your external authoritative nameservers across more than one ISP.&lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Never use a private (RFC 1918) address for a nameserver visible to the outside world (even for its inside address). &lt;/em&gt;&lt;/li&gt;&lt;li&gt;&lt;em&gt;Use split views to mask internal addresses. The outside view’s forward map is a small subset of the systems on your network. Addresses are provided for services exposed to the outside world, and all others are translated to a pool of NAT addresses. In contrast to the outside view, the inside view is complete. It can include both public and private addresses. 
&lt;/em&gt;&lt;/li&gt;&lt;/ul&gt; &lt;em&gt;&lt;strong class="news"&gt;Pay attention to security&lt;/strong&gt;&lt;br /&gt;As you put DNS to work in your organization, pay close attention to security. Put your nameserver behind a firewall and harden the server operating system, and make sure that it’s subjected to vulnerability scanning at least every 30 days. Keep your software, typically Active Directory and/or BIND, patched and up to date. Let only a small number of highly trusted administrators have access to your external authoritative nameservers, and ensure that there is a revision-control system in place that produces an audit trail. Finally, remember that a mis-typed delegation in your domain registration can make your domain disappear for days: the bad NS records are cached for the TTL the registry assigns them (48 hours for &lt;em&gt;com&lt;/em&gt;), on top of however long it takes you to notice and correct the mistake. &lt;/em&gt; &lt;p&gt;&lt;em&gt;Test, test, test. DNS helps keep your internal networks secure by hiding hosts and topology from the outside world. Be vigilant about making sure that you don’t inadvertently make internal addresses visible to the outside world: query your servers from a host outside your network (&lt;em&gt;dig&lt;/em&gt; is the usual tool) and confirm that the outside view returns no RFC 1918 addresses, refuses recursion, and refuses zone transfers. Make sure that you have backups of your DNS server so that if you have a catastrophic failure, an administrator makes a blunder, or if your security is compromised, you can get back online quickly. There are standards in place for a higher-security DNS, DNSSEC (RFC 4033 through 4035), with cryptographic zone and record signing so that a resolver can verify that an answer is authentic and unaltered, which is the real remedy for cache poisoning (see &lt;em&gt;&lt;a href="http://www.dnssec.net/rfc" target="_new"&gt;www.dnssec.net/rfc&lt;/a&gt;&lt;/em&gt;). At the time of writing these enhancements were not in common use; the obstacles are mostly operational (key generation and rollover, registrar support for publishing DS records, and a signed root zone) rather than computational. 
There may be progress on the horizon, however, as the federal government has mandated the use of DNSSEC for the .gov TLD by January 2009.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;&lt;strong class="news"&gt;Keep the lights on&lt;/strong&gt;&lt;br /&gt;As far as your presence on the Internet goes, having an accurate, secure, and high-performance DNS implementation is as important as having lights in your offices. Make an investment in your DNS infrastructure by taking control over your domain so that it gets care and feeding commensurate with its importance. Without DNS, the Internet is just a bunch of standalone computers that can’t find each other.&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;em&gt;Applied Trust has engineers that have been working with DNS, BIND, and other Internet infrastructure since the mid-1980s. Call us if we can help improve your organization’s use of these technologies.&lt;/em&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/2345801402054773497-7097593582801308147?l=computerguidetips.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/7097593582801308147/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=7097593582801308147' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7097593582801308147'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7097593582801308147'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/understanding-dns-essential-knowledge.html' title='Understanding DNS: Essential knowledge for all IT professionals'/><author><name>Perumal 
V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-7942533874247834408</id><published>2009-11-05T11:55:00.000-08:00</published><updated>2009-11-05T11:56:32.616-08:00</updated><title type='text'>Managing Your Data Performance</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="txt" width="78%"&gt;&lt;em&gt;It happens more than you'd like to believe. A small company upgrades its storage infrastructure and puts all of its data on a high availability RAID array with dual controllers and battery backup for its write buffers. A large IT organization sets up a remote mirror of its critical storage for immediate recovery from a disaster in its local data center. Both companies are thrilled with the performance and availability that their new storage systems deliver, but neither fully considered the fact that having a Storage Area Network (SAN) and/or RAID array, even with remote mirroring, is not the same as having a comprehensive data management strategy.&lt;/em&gt;&lt;/td&gt;  &lt;td valign="top" width="22%"&gt; &lt;table style="border: 1px solid rgb(192, 192, 192); background-color: rgb(0, 0, 0); width: 128px; height: 122px;" align="center" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="padding: 10px; background-color: rgb(255, 255, 255);" class="txt"&gt; &lt;p&gt;&lt;strong&gt;Download:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;a href="http://www.appliedtrust.com/images/resources/managing-your-data-performance.pdf"&gt; Managing Your Data Performance &lt;img src="http://www.appliedtrust.com/images/stories/icon_pdf.gif" align="top" /&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; 
&lt;/table&gt; &lt;p&gt;&lt;em&gt;Then the disaster strikes. It's not the one they planned for: the single disk failure that would have left the RAID array intact, or the data center fire that would have caused a failover to the remote site. An improperly patched database management system scribbles all over the customer database. In the case of the large IT organization, the error is instantly replicated on the remote mirror. And there's no backup tape.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;What was the root cause of the problem in these examples? Bad RAID technology? Not necessarily. These organizations didn't have a well-constructed data management policy. Every organization needs a policy for data performance, availability, and retention, and the technology to support it. RAID (and possibly a Storage Area Network) is one tool you'll probably need, but it's not the only one you'll need. Every data management policy must include stable-state backups on media (such as tape) that holds your data at rest, not in motion.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;RAID: Just one tool in the data management shed&lt;/strong&gt;&lt;br /&gt;RAID, a Redundant Array of Inexpensive Disks, was once confined to enterprise data centers. Today you can buy a RAID device for your desktop computer for only a couple hundred dollars. RAID makes everyone feel that their data is safe. If you use RAID, you should consider what it does for you and what it doesn't do for you.&lt;br /&gt;&lt;br /&gt;Disk drives, because they rely on moving parts, are the most fallible part of a computing system. RAID techniques allow you to use multiple, low-cost disks to create a disk subsystem that has overall higher reliability and/or performance than a single disk by itself. 
RAID will typically play an important role in your data performance and availability strategy, but it alone does not constitute a data &lt;em&gt;retention &lt;/em&gt;policy.&lt;br /&gt;&lt;br /&gt;RAID can give you higher or lower reliability, and higher or lower performance than a single disk, depending on which RAID level you choose. RAID doesn't necessarily give you absolute reliability, or the highest possible performance, so it's useful to know exactly what RAID does and doesn't do for you so that you can make appropriate choices.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;&lt;em&gt;RAID fundamentals&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;All of the RAID levels that you've heard about are built using a combination of one or more of four fundamental building blocks. Surprisingly, the definition of RAID is loose enough that some RAID levels don't implement the first word of the acronym, &lt;em&gt;redundant, &lt;/em&gt;making it even more important to know what you're getting when you buy RAID.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Concatenation&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Concatenation is the simple act of using more than one disk to create a single &lt;em&gt;logical volume &lt;/em&gt;that is larger than a single disk. Concatenation can be used to create volumes of virtually any size, making it possible, for example, to store large databases. If used by itself, concatenation reduces reliability because the failure of any one disk in the logical volume means that a substantial portion of your data might be lost. Concatenation is often used in combination with redundancy to provide large amounts of storage with higher reliability.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Striping&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Striping lays out data sequentially across an array of disks. 
&lt;em&gt;Block-wise striping &lt;/em&gt;lays out a sequence of blocks across a set of disks, starting back at the beginning when one block has been placed on each disk. &lt;em&gt;Byte-wise striping &lt;/em&gt;similarly lays out sequential bytes across multiple disks. Figure 1 illustrates block-wise striping across two disks.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_1.gif" alt=" " height="125" width="333" /&gt;&lt;/p&gt; &lt;p&gt;Striping is known as RAID 0. It improves performance by moving data from each of the disks in an array at the same time. At the lowest level, data can stream from a disk drive only as fast as the drive rotates. If data is striped across five drives, the stripe can deliver data at five times the rate of a single drive. Striping reduces reliability to that of old-fashioned Christmas tree lights, however. One light burns out, and the entire string of lights goes out. If a single drive in a stripe fails, the array cannot function.&lt;br /&gt;&lt;br /&gt;Striping alone is used where performance is very important, but reliability isn't. It is used most often in combination with the next two techniques so that its performance benefits are also enhanced with reliability benefits.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;em&gt;Mirroring&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Mirroring, also known as RAID 1, puts exactly the same data on more than one disk so that if any disk fails, the data can be accessed from the remaining disk(s). Mirroring is typically configured with pairs of disks, which yields half the risk of failure of a single drive. 
Figure 2 illustrates a mirrored pair of disks where each block is replicated on each disk.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_2.gif" alt=" " height="123" width="327" /&gt;&lt;/p&gt; &lt;p&gt;Mirroring is so simple that it is appearing everywhere, including on desktop PCs and many external storage devices. It's known as a “poor man's” RAID because it is so simple, and it is great for relatively small amounts of data.&lt;br /&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;Parity&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;Parity is used in conjunction with striping in order to increase the reliability of the stripe. For each data block in a stripe (assuming block-wise striping), a parity block is created that consists of a bit-wise sum of each of the blocks with the carry bits thrown away (that is, the exclusive OR of the blocks). For example, if the first bit of each of three blocks is 1, 1, 0, the parity bit is 0 (binary 1 + 1 + 0 = 10, and only the low-order 0 is retained). If any one of the three blocks is lost, each parity bit can be used to figure out what the missing bit was.&lt;br /&gt;&lt;br /&gt;Where mirroring requires, at minimum, a doubling of the number of disks, adding parity to a stripe requires only an incremental increase in the number of disks, with the caveat that the stripe with parity can withstand the failure of only one of its disks. This comes at a cost, however, which is that each write operation requires parity to be recalculated using data from the entire set of disks.&lt;br /&gt;&lt;br /&gt;Byte-wise striping with parity is known as RAID 3, and block-wise striping with parity is known as RAID 5. Figure 3 illustrates a RAID 5 array with three data disks and one parity disk, which allows for the failure of any one of the four disks at the cost of only one disk for parity. 
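The parity arithmetic just described, worked through as an added example: the code below is illustrative Python written for this post, not code from the article or from Applied Trust, and its block size and sample blocks are constructed. It shows that the parity block is the XOR of the data blocks, that any single lost block (data or parity) is rebuilt by XORing the survivors, that a second loss is unrecoverable, and that recomputing parity during a scrub catches a controller that has been silently writing wrong parity bits, one of the failure scenarios listed later under "RAID is not a data retention policy".

```python
"""RAID 5 style parity, worked through on small byte blocks.

Illustrative code added to this post, not from the article.  Each parity
byte is the exclusive OR (XOR) of the corresponding data bytes, which is
exactly the "bit-wise sum with the carry thrown away" the text describes.
"""
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte blocks column by column; this is the parity operation."""
    if not blocks:
        raise ValueError("a stripe needs at least one block")
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must be the same length")
    # zip(*blocks) yields one column of bytes at a time; XOR each column down.
    return bytes(reduce(lambda acc, x: acc ^ x, column) for column in zip(*blocks))


def parity_bit_example():
    """The article's example: first bits 1, 1, 0 give a parity bit of 0."""
    return 1 ^ 1 ^ 0


def write_stripe(data_blocks):
    """Build one stripe: the data blocks followed by their parity block."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild(stripe):
    """Return a copy of the stripe with its one missing block (None) reconstructed.

    XOR is its own inverse, so the missing block, whether data or parity, is
    simply the XOR of every surviving block.  Single parity tolerates exactly
    one failure; a second missing block is unrecoverable, as the text warns.
    """
    missing = [i for i, b in enumerate(stripe) if b is None]
    if len(missing) == 0:
        return list(stripe)
    if len(missing) != 1:
        raise RuntimeError("%d blocks lost; single parity recovers only one" % len(missing))
    survivors = [b for b in stripe if b is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(survivors)
    return repaired


def scrub(stripe):
    """Recompute parity from the data blocks and compare it with the stored parity.

    Returns True when the stripe is consistent.  A controller that has been
    silently writing wrong parity (one of the article's failure scenarios)
    passes every normal read but fails this check; a scrub cannot say which
    block is wrong, only that a rebuild from this stripe would produce garbage.
    """
    data, parity = stripe[:-1], stripe[-1]
    return xor_blocks(data) == parity


def demo():
    """Walk through write, single-disk loss, rebuild, and a corrupted-parity scrub."""
    # Constructed sample: three 8-byte data blocks, like Figure 3's three data disks.
    data = [b"block-1a", b"block-1b", b"block-1c"]
    stripe = write_stripe(data)
    # Disk 2 fails: its block is gone, the other three survive.
    degraded = list(stripe)
    degraded[1] = None
    repaired = rebuild(degraded)
    # A controller that flipped the low bit of every parity byte on write.
    corrupted = stripe[:-1] + [bytes(x ^ 0x01 for x in stripe[-1])]
    return {
        "rebuilt_ok": repaired == stripe,
        "clean_scrub": scrub(stripe),
        "corrupted_scrub": scrub(corrupted),
    }


if __name__ == "__main__":
    print(demo())
```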
Disks are labeled with a numeric stripe number and an alphabetic block number, with 'p' denoting the parity block.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_3.gif" alt=" " height="128" width="300" /&gt;&lt;/p&gt; &lt;p&gt;If a single disk fails, the parity bits are used to reconstruct the contents of the failed disk. This recalculation time creates a window of time during which a second disk failure can result in the loss of the entire array's worth of data. One technique for minimizing this time window is having a hot standby disk in the array that can be used to store the reconstructed data, rather than having to wait for an administrator to figure out that a failure has occurred and that a new disk needs to be plugged into the array. Figure 3 illustrates another technique, which distributes the parity data evenly across the array so that a failure does not require immediate restoration of all data blocks.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;RAID in the real world&lt;/span&gt;&lt;br /&gt;All RAID levels are based on the four building blocks of concatenation, striping, mirroring, and parity. RAID 0+1 is a mirror of two stripes, as illustrated in Figure 4. RAID 1+0 (10) is a stripe of two mirrors, as Figure 5 illustrates. RAID 5+0 (50) is a stripe of RAID 5 arrays (Figure 6) and RAID 10+0 is a stripe of RAID 10 arrays (Figure 7). Striping gives you performance, while mirroring and parity give you reliability. Different combinations of these building blocks make different tradeoffs between performance, availability, and cost. Not surprisingly, each one is good for storing different types of data. Some of the most popular RAID levels and their common uses are illustrated in Table 1.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_4.gif" alt=" " height="176" width="302" /&gt;&lt;br /&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_5.gif" alt=" " height="176" width="302" /&gt;&lt;br /&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_6.gif" alt=" " height="130" width="342" /&gt;&lt;/p&gt; The discussion so far has focused on abstract combinations of disks and what RAID levels they yield. In the real world, availability, performance, and cost are influenced by how the disks are deployed: &lt;ul&gt;&lt;li&gt;RAID can be created with hardware or software; hardware is typically faster and more expensive than software. Some of the higher RAID levels are implemented using both hardware and software. For example, RAID 50 might be configured from a set of hardware RAID 5 devices with software-controlled striping across them.&lt;/li&gt;&lt;li&gt;Redundant controllers, power supplies, fans, and interfaces can help reduce the number of single points-of-failure that can bring down a hardware RAID array.&lt;/li&gt;&lt;li&gt;Battery backed-up write caches can speed performance by acknowledging disk write completion when the data is transferred to nonvolatile memory, not when it is actually written to disk. 
If power fails during the disk write, it can be restarted using the cached copy once power is restored.&lt;/li&gt;&lt;li&gt;Hot-swappable disks, power supplies, fans, and controllers allow RAID arrays to be serviced without turning their power off, and hot standby drives allow RAID controllers to press a spare disk into service without having to wait for the system administrator.&lt;/li&gt;&lt;/ul&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/data_performance_7.gif" alt=" " height="117" width="344" /&gt;&lt;/p&gt; &lt;p&gt;Some organizations go beyond RAID and increase their data's availability by mirroring it to a remote site. Remote replication allows the data to be accessed from the local data center through a slower, wide-area network pipe in the event that the local RAID array fails. It also allows the server infrastructure to be replicated at the remote site in the event of a disaster that takes out the entire data center. If the company's services need to be up and running in only minutes following such a failure, &lt;em&gt;geographic failover &lt;/em&gt;can be used to reroute requests to the remote data center in the event of a disaster at the local one.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;Integrating RAID into your organization&lt;/strong&gt;&lt;br /&gt;Now that you know everything about RAID, you're ready to pick one of the technologies from Table 1 and you're done, right? Not exactly. Different RAID levels are useful for different types of data, so it isn't as simple as choosing a single 'best' RAID level and using it for all of your data.&lt;br /&gt;&lt;br /&gt;All of your data is different, and your data can tell you how it likes to be stored. Your applications also can tell you how they like to retrieve it. Between the two of them, you're off to a good start in determining which RAID level to use for which of your data. 
For example:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Your Web logs probably don't need to be maintained on the most reliable storage, where cost is no object. The business impact of losing the data is not very high, unless your application is financial trading, in which case you might be required to maintain an audit trail that includes every access to the Web application. One organization's Web logs are disposable, while another's are business critical.&lt;/li&gt;&lt;li&gt;Your financial information probably doesn't need the fastest devices you have available. But it had better use one of the more reliable RAID levels so that you don't lose anything between backups, and so that you meet the IRS data retention requirements.&lt;/li&gt;&lt;/ul&gt; Some applications need performance above all, and RAID levels using striping are likely to give better performance. Some applications need reliability above all, and RAID variants using parity, such as RAID 5 and its variants, are likely to meet your data availability needs.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;RAID implementations&lt;/span&gt;&lt;br /&gt;When you go out to buy a RAID device, you'll find it implemented in many forms. You can buy USB or Firewire RAID boxes for your desktop; direct-attached RAID boxes with SCSI interfaces; network-attached storage devices that serve RAID storage over a network; and virtually every Storage Area Network (SAN) implementation supports RAID. SANs give the flexibility of network-attached storage with the performance of direct-attached devices. Logical-unit 'masking' and various virtualization techniques allow different servers and applications to securely access their own dedicated portions of an enterprise-class storage system. These systems allow data centers to manage a large, centrally located pool of storage for all of their applications. 
And they often have built-in capabilities such as point-in-time snapshots and remote mirroring.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;RAID is not a data retention policy&lt;/span&gt;&lt;br /&gt;One problem that some organizations get into is thinking that RAID is how they implement their data retention policy. Nothing can be further from the truth. Consider what happens when any one of a number of scenarios, such as the one that introduced this article, occurs: &lt;ul&gt;&lt;li&gt;Your data center is in a floodplain and the 100-year flood occurs&lt;/li&gt;&lt;li&gt;Your RAID controller has silently failed and has been writing incorrect parity bits&lt;/li&gt;&lt;li&gt;A bug in your software corrupts your data&lt;/li&gt;&lt;li&gt;Two disks from the same production lot find themselves in your RAID 5 array, and they fail within minutes of each other, too soon for parity to be re-calculated on a hot standby disk&lt;/li&gt;&lt;li&gt;An administrator mistakenly deletes your root directory, deleting all files underneath it&lt;/li&gt;&lt;li&gt;A disgruntled employee removes drives from your array as she goes home from her last day at work&lt;/li&gt;&lt;li&gt;A hacker modifies your data in a way that you don't discover until six months later&lt;/li&gt;&lt;/ul&gt; All of these issues highlight the fact that RAID is only a tool, and not the only tool that you need to effectively manage your data. RAID is a tool for managing availability and performance. A comprehensive data management policy is what you need to manage data retention. You need both of them to steer clear of accidents, including the 100-year flood.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;The need for data retention&lt;/span&gt;&lt;br /&gt;The fact that you can integrate RAID into your organization and still lose all of your data points to the fact that you need to have a data management policy that includes not only data availability and performance, but data retention as well. Just as your applications and your data place requirements on performance and availability, your organization, legal context, and security considerations place demands on data retention. For example: &lt;ul&gt;&lt;li&gt;The law dictates how long you must retain business-related tax information, personal information on your employees, and, if you're involved in the health-care supply chain, your patients. You need to store this data in such a way that it can't be tampered with, and also so that it can be retrieved without error if and when it becomes necessary. The only foolproof[1] way to store a stable backup is on magnetic or optical media where the bits are no longer moving and can't be modified. Beware that even tape doesn't solve all of your needs: If you don't periodically read and re-write your tapes, you run the risk of the data on them deteriorating.&lt;/li&gt;&lt;li&gt;&lt;img src="http://www.appliedtrust.com/images/resources/q32006_retention.gif" alt=" " align="right" height="236" width="218" /&gt;Your bank may dictate that when a customer returns an item, you credit the original credit card account on which the purchase was made. How long do you retain such data? You may wish to retain it forever, but the longer you retain it, the more of it you have, and the greater your liability if those credit card numbers are stolen. A data retention policy dictates not only the time that you need to hold your data, but also when and if you must securely destroy it. 
Destroying personal information and credit-card numbers on a planned basis may help to limit your liability.&lt;/li&gt;&lt;li&gt;Your business presence may depend on your Web site, and you need to protect against a defacement or other subtle change that might not immediately be noticed. To protect your business in cases such as this, your data retention policy might require more frequent backups so that you can return to any one of a number of points in time before the tampering occurred. You also need a baseline that can help in the incident analysis itself.&lt;/li&gt;&lt;li&gt;Your business-critical documents, such as engineering plans, transaction records, and product-pricing strategies, are your crown jewels. They need to be handled as such, on reliable storage, with a sufficient number of stable backup copies so that you can restore a consistent set of them at any point in time.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;&lt;em&gt;[1] There are electronic data retention vault products that are generally considered to be acceptable, but they run software written by humans. What would you trust with the "copy of last resort" of your company's jewels? Physical tape in a physical vault, or the latest and greatest in electronic retention technology?&lt;/em&gt;&lt;/p&gt; &lt;p&gt;&lt;span class="news"&gt;Choices for data migration&lt;/span&gt;&lt;br /&gt;Now you're convinced that you need stable offline backups in which your data is at rest, stored in a secure, off-site location where it can't be tampered with. What happens if your e-commerce site goes down and you lose thousands of dollars per hour in revenue while you wait for the truck to fetch the backup tapes from your secure repository?&lt;br /&gt;&lt;br /&gt;What you need is an orderly progression, or migration, of data from its instantly available, online state, to the offline backup tape stored in an undisclosed bunker. 
Your business and your applications may benefit by having a choice between the two extremes, known as nearline storage.&lt;br /&gt;&lt;br /&gt;Nearline storage, for example a remote mirror of your online storage, and/or an online snapshot of your data taken at periodic intervals, allows you to more quickly restore your operations in the event of a catastrophic failure. A remote mirror allows you to access your data, although somewhat slowly, over a wide-area network connection to your remote data center. A remote mirror with geographic failover allows a remote site to take over operations within seconds. A local, online snapshot allows you to recover from the errant program or administrator that wipes out your data.&lt;br /&gt;&lt;br /&gt;Nearline storage also gives you a way to access those old customer records or patient histories from past transactions. Data migrated to a tape library or optical jukebox can be recovered in minutes, rather than the hours that would be required for a migration from its off-site location.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;Creating your comprehensive data-management policy&lt;/span&gt;&lt;br /&gt;All of your data is different, and there is a wealth of technology to support the storage characteristics that your organization, application, and your data require. A comprehensive data management policy is a well-thought-out plan that supports your data availability, performance, and retention requirements, and which directs your organization to exercise your plan to be sure that those stable, offline backups really hold the data. The sections that follow cover some of the basic steps you'll need to take in implementing your own policy.&lt;/p&gt; &lt;p&gt;&lt;span class="news"&gt;Classify your data&lt;/span&gt;&lt;br /&gt;A good place to start is by creating a list of all of your data, and recognizing that different data needs to be treated differently. 
Characterize your data according to the different requirements placed upon it:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Application requirements. Different applications make different demands on their data. Online transaction processing requires a storage mechanism with good write performance. Catalog queries can sacrifice write performance in order to achieve better read performance.&lt;/li&gt;&lt;li&gt;Growth requirements. Does your data grow at an astronomical rate, or is it fairly static? If your customer database doubles in size every six months, consider a RAID configuration that supports this level of scalability.&lt;/li&gt;&lt;li&gt;Business requirements. If you have a storage failure, what down time can you tolerate? How fast do you need to be able to access it again in case of failure? Your Web logs probably don't need to be recovered immediately, even if they are required for audit purposes. Your customer database probably needs to be up and running more quickly. If you choose to have a remote mirror, can you tolerate operating at a degraded performance level as you access your data over a limited-bandwidth network connection?&lt;/li&gt;&lt;li&gt;Legal requirements. What laws dictate how you handle your data? Corporate tax information has different retention requirements than personal tax information. Adult medical records have different retention requirements than pediatric records. Take care to note whether the retention requirement exceeds the expected lifetime of your data on your offline media, such as tape.&lt;/li&gt;&lt;li&gt;Security requirements. What storage will you need if you have to perform a forensic analysis of a network intrusion that occurred six months ago? What storage do you want to destroy on a scheduled basis in order to protect personal information and credit-card data?&lt;/li&gt;&lt;/ul&gt; When you undertake this exercise, what you'll find is that you have several clusters of data that need to be handled in different ways. 
If you lose your Web and system logs, you'll lose the ability to analyze them later for security issues - but your business won't grind to a halt if this happens. Your crown jewels need to be stored on stable, offline storage with enough of a series of backups that you can recover a consistent set of them at any point in time that is reasonable, which may include reading and re-writing backup tapes on a periodic basis. System files probably have their own category, as do financial and personal data that must meet legal requirements.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;&lt;em&gt;Establish responsibility&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;Make sure that the responsibility for data management (including backups/retention) in your organization is clearly defined, and individuals are held responsible for both vigilance and execution. Don't push responsibility down to a level in your organization that does not have visibility.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;Test&lt;/span&gt;&lt;br /&gt;Test, test, and test again. Whatever online, nearline, and offline data management tools you choose, make sure they actually work. Test to be sure that they are effective and can recover your data, and do so on a regular basis. Have a third party validate your plans and their effectiveness. There's nothing like a third party to discover that your recovery procedures aren't adequately documented.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;Avoid the trap&lt;/span&gt;&lt;br /&gt;Don't rely on a single technology or vendor for all of your data-storage needs. Now that you clearly understand the different types of data your organization depends on, and the limitations of each technology to meet all of your needs, don't fall into the trap of believing that RAID provides more than it does. RAID is a data availability and performance mechanism. 
Your overall data management policy will incorporate your data retention requirements so that you retain the data that your organization works so hard to create.</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/7942533874247834408/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=7942533874247834408' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7942533874247834408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/7942533874247834408'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/managing-your-data-performance.html' title='Managing Your Data Performance'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-4056488697558757952</id><published>2009-11-05T11:53:00.001-08:00</published><updated>2009-11-05T11:54:00.374-08:00</updated><title type='text'>Untangling Ethernet Performance Problems</title><content type='html'>&lt;table border="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td class="txt" width="78%"&gt;&lt;em&gt;It's the root cause behind the most common SOS we get related to IT infrastructure performance. An organization installs a new application, maybe some new servers and switches. Suddenly network performance takes a nosedive. 
It's not just bad; at peak times it's abysmal.&lt;/em&gt; &lt;p&gt;The fact is that it doesn't take a wholesale change in an Ethernet network to cause performance problems such as these. The reason is that autonegotiation in 10 and 100 Mb/s twisted-pair networks doesn't work as advertised. Autonegotiation, sometimes known as &lt;em&gt;autosensing, &lt;/em&gt;is the mechanism by which each end of a copper Ethernet connection decides how to talk: at what speed, and at full or half duplex. The problem is that the standards for 10 and 100 Mb/s Ethernet evolved rapidly, different manufacturers interpreted the standards differently, and some made proprietary extensions that complicated interoperability further. The problem with autonegotiation is so significant that even two different products from the same vendor won't always negotiate connections properly if they are built with two different Ethernet chipsets. That's the bad news.&lt;/p&gt; &lt;/td&gt;  &lt;td valign="top" width="22%"&gt; &lt;table style="border: 1px solid rgb(192, 192, 192); background-color: rgb(0, 0, 0); width: 128px; height: 122px;" align="center" cellpadding="5" cellspacing="1"&gt; &lt;tbody&gt; &lt;tr&gt; &lt;td style="padding: 10px; background-color: rgb(255, 255, 255);" class="txt"&gt; &lt;p&gt;&lt;strong&gt;Download:&lt;/strong&gt;&lt;/p&gt; &lt;p&gt;&lt;strong&gt;&lt;a href="http://www.appliedtrust.com/images/resources/untangling-ethernet-performance-problems.pdf"&gt; Untangling Ethernet Performance Problems &lt;img src="http://www.appliedtrust.com/images/stories/icon_pdf.gif" align="top" /&gt;&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; &lt;/td&gt; &lt;/tr&gt; &lt;/tbody&gt; &lt;/table&gt; The good news is that you can follow some relatively straightforward guidelines that will keep you and your network out of trouble. 
This article focuses on the lessons we've learned in the real world actually trying to get network hardware from different vendors to work together. Don't expect to find these lessons in your owner's manual, as in theory everything works just fine. This article focuses exclusively on twisted-pair copper networks.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;A brief history&lt;/strong&gt;&lt;br /&gt;Ethernet was invented in 1973 at the Xerox Palo Alto Research Center. An industry consortium established the first standard in 1980, and the IEEE published the 802.3 standard for thick Ethernet in 1985. This standard specified a coaxial cable that was about as big around as a garden hose, with each device connected to the network through a tap that physically penetrated the cable (Figure 1). &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/ethernet_performance_1.gif" alt=" " height="123" width="461" /&gt;&lt;/p&gt; &lt;p&gt;Ethernet quickly grew in popularity. The limitations of coaxial-cable implementations were overcome with standards for star topologies that use multi-port switches and hubs connected to servers and workstations through twisted-pair cables (Figure 2).&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/ethernet_performance_2.gif" alt=" " height="132" width="327" /&gt;&lt;/p&gt; &lt;p&gt;Fiber standards were developed to overcome copper cable-length limitations. Speeds increased from 10 to 100 to 1000 megabits per second, and today, 10 gigabit Ethernet is beginning to catch on. Full-duplex standards were published in 1997 to allow devices to talk and listen simultaneously on separate twisted pairs. This allows two conversations at a time, a feat impossible with the original shared coaxial-cable media.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;What's the problem?&lt;/strong&gt;&lt;br /&gt;Ethernet grew too quickly for its own good. 
Standards for twisted-pair media were not well thought out, leaving vendors to make their own interpretations and add their own "helpful" extensions. The problem is particularly acute with autonegotiation in 10 and 100 Mb/s networks, whereas the problem is almost non-existent in 1000 Mb/s networks.&lt;br /&gt;&lt;br /&gt;When autonegotiation or manual settings result in speed mismatches, you won't even get a link light to display. Duplex mismatches - one side half duplex and the other side full duplex - cause significant packet-loss problems. Even if both sides of the link agree on their speed and duplex settings, one end of the connection can sometimes think it needs to renegotiate, bringing the link down at random times.&lt;br /&gt;&lt;br /&gt;It's best to conceptualize today's switched networks as a collection of smaller networks. Each link between a workstation or server and a switch, and each link between two switches, is its own network. In a switched network, each end of each link can be set to half or full duplex, and at 10, 100, and 1000 Mb/s. Incompatible settings at different ends of the link, or substandard cabling, can cause problems. String a set of links together to make a path between two devices, and a problem at any point along the way can hamper performance.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;How to know when it's your problem&lt;/strong&gt;&lt;br /&gt;You'll know for sure that you have a network problem when you encounter a scenario like the one that begins this article, and almost every network has a problem lurking somewhere. We've seen network file operations that usually take 3-4 seconds suddenly take 7-8 minutes to complete. When the problem is this severe, you'll hear users screaming in the hallways. There are, however, more subtle symptoms that you might notice beforehand:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;&lt;em&gt;Poor performance on the local network, including dropped packets&lt;/em&gt;. 
If you have packet-loss problems, your network staff might notice higher-than-usual switch error rates, or your IT people might notice application performance glitches. Local networks should drop packets only rarely.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Peak-time performance issues.&lt;/em&gt; Sometimes the problems are only noticeable when the network is heavily loaded, such as peak times when everyone is in the office.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Inability to transmit large packets&lt;/em&gt;. Every peer on the network should be able to exchange packets up to the Maximum Transmission Unit (MTU) for the network, usually 1500 bytes.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Switch-to-switch connections fail.&lt;/em&gt; You might find links between switches resetting frequently, causing brief outages that affect many users. You also might find links failing completely.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Switch ports reset.&lt;/em&gt; Some switches have options like "port monitoring" or "port security," which only allow certain Media Access Control (MAC) addresses to connect. These switches will sometimes automatically disable ports, shutting off specific hosts or parts of the network, indicating a problem.&lt;/li&gt;&lt;/ul&gt; &lt;span class="news"&gt;Diagnostic steps&lt;/span&gt;&lt;br /&gt;There are several ways to diagnose whether you have a speed or duplex mismatch problem: &lt;ul&gt;&lt;li&gt;&lt;em&gt;Ping with large payloads.&lt;/em&gt; Use the ping command between hosts where you're noticing performance problems. Specify a large payload close to the network's MTU, typically 1500 bytes. You should not see any packet loss. Even if you see only a 10-20% loss, you have probably found a bad link.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Measure throughput. 
&lt;/em&gt;Use ttcp or Iperf (&lt;a href="http://dast.nlanr.net/Projects/Iperf/"&gt;see http://dast.nlanr.net/Projects/Iperf/&lt;/a&gt;) to measure throughput between the same links you've tested with ping. A healthy 100 Mb/s switched link should give you 70 Mb/s or greater.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Check your logs&lt;/em&gt;. Monitor your switch logs for ports that change speed or duplex frequently. Watch your syslog to see if workstations or servers are doing the same.&lt;/li&gt;&lt;li&gt;&lt;em&gt;Beware of misconfigured firewalls.&lt;/em&gt; This problem can cause some of the same symptoms as speed/duplex mismatches, and is another of the top 10 most-common problems we diagnose. Overzealous administrators sometimes deny Internet Control Message Protocol (ICMP) packets that are needed to support MTU discovery (ICMP Type 3, Code 4, or "packet too big"). With this mechanism disabled for packets crossing the firewall, some large packets can be improperly fragmented or dropped. When blocked ICMP packets are the problem, you'll find that 99% of hosts have no problem using the network, but a very few have significant problems.&lt;/li&gt;&lt;/ul&gt; &lt;span class="news"&gt;Clean house&lt;/span&gt;&lt;br /&gt;If you've determined that you have a problem, or you want to be proactive about problems with speed/duplex mismatch, the first step is to take stock of what's connected to your network: &lt;ul&gt;&lt;li&gt;If you have switches or NICs that don't allow speed and duplex to be set manually, get rid of them. This means eliminating all unmanageable switches.&lt;/li&gt;&lt;li&gt;Consider each link and make sure that speed and duplex are either set manually or set in such a way that both ends will successfully negotiate the right settings - and not reset at random times.&lt;/li&gt;&lt;li&gt;Take stock of your cabling. 
Premade drop cables are usually pretty good, provided that they are adequate for the connection speed. Make sure these cables are good quality and are the ones that you've provided. Cables brought from home might not meet your standards.&lt;/li&gt;&lt;li&gt;Make sure you know how your offices and your datacenters are wired; often they are different. Category 5 cabling is fine for 100 Mb/s Ethernet, except if you're trying to handle full-duplex connections. For 100 Mb/s full-duplex connections, crosstalk can be an issue even with short cable lengths. Category 5e cabling is often sufficient for 1000 Mb/s Ethernet, but the standard requires you to validate each link's line quality with a network analyzer to confirm that it meets more stringent requirements than the original Category 5e specification. Often you'll find datacenter cabling to have acceptable quality, while office cabling quality is insufficient to support gigabit speeds.&lt;/li&gt;&lt;li&gt;Remember that patch cables (including wall-to-workstation cables), patch panels, and wall jacks must also be certified for Category 5e. Insist on seeing the manufacturer's specifications when installing new jacks and panels to ensure that unwanted substitutions do not occur.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;Once you have a network that allows you to configure each link manually, check each and every one of them. Configure each end of each link manually, or in such a way that both ends will successfully negotiate the right speed and duplex settings. Autonegotiation in 10/100 Mb/s networks has its place, but it is limited to conference rooms and hoteling situations where systems come and go and where autonegotiation is the lesser of many evils.&lt;br /&gt;&lt;br /&gt;The following sections will help you make the right choice depending on whether the least common denominator speed is 10, 100, or 1000 Mb/s. Although the discussion focuses on NIC-to-switch links, the same rules of thumb apply to switch-to-switch links. 
The sidebars give instructions for making these settings in the Linux, Solaris™, and Microsoft® Windows® XP operating systems.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;Setting gigabit Ethernet links&lt;/strong&gt;&lt;br /&gt;Wouldn't it be nice to have an all-new network with switches, NICs, and cabling all up to 1000 Mb/s standards? Unfortunately, most of us don't have the luxury. The standards for gigabit Ethernet were designed with the problems of 10/100 Mb/s networks in mind, so speed and duplex problems have nearly been eliminated. Indeed, autonegotiation is different, and full duplex is standard for 1000 Mb/s links, vastly simplifying network configuration.&lt;br /&gt;&lt;br /&gt;The rule of thumb for 1000 Mb/s links is to let autonegotiation work by setting the NIC and the switch to autonegotiate (see Table 1). If you have Cisco switches you can manually set each side of the link to full duplex and the link will work, but this technically violates the standard.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/ethernet_performance_3.gif" alt=" " height="239" width="336" /&gt;&lt;/p&gt; &lt;p&gt;If you set the NIC or the switch manually, and you set the other side to autonegotiate, you'll see a problem common to this combination regardless of link speed. When one side is set manually, it does not participate in the autonegotiation process. The "auto" side, seeing no response to its negotiation requests, makes an assumption about the link speed and duplex. In the case of gigabit Ethernet, the settings assumed by the "auto" side are the same as the manual setting, and each side will be set to full duplex - usually. Sometimes the "auto" side will try again to autonegotiate the link, bringing it down from time to time and causing performance glitches.&lt;br /&gt;&lt;br /&gt;Cabling is important for 1000 Mb/s links. At a minimum, no cable can exceed 100 m in length, it must be Category 5, 5e, or 6, and it must meet 1000BASE-T standards for FEXT and return loss. 
Note that the standards for Category 5 and 5e cabling are not adequate for gigabit Ethernet, but cabling built to these standards often works by chance. Nevertheless, each link must be qualified using a network analyzer to be sure that it meets the ANSI/EIA/TIA-TSB-67 requirements. For any link not meeting these requirements, select a slower speed and duplex setting manually. Gigabit Ethernet will not negotiate lower speeds based on connection quality.&lt;br /&gt;&lt;br /&gt;&lt;span class="news"&gt;Setting 100 Mb/s Ethernet links&lt;/span&gt;&lt;br /&gt;The most important thing to know about setting 100 Mb/s Ethernet links is that autonegotiation often does not work as advertised. The only safe thing to do is to set each side of the connection to half duplex manually. As Table 2 illustrates, most other settings can lead to trouble:&lt;/p&gt; &lt;ul&gt;&lt;li&gt;Setting both ends of a link to "auto" is the most risky combination of settings, other than manually creating speed and duplex mismatches that are sure to fail.&lt;/li&gt;&lt;/ul&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/ethernet_performance_4.gif" alt=" " height="452" width="336" /&gt;&lt;/p&gt; &lt;ul&gt;&lt;li&gt;If you set one side to "auto" and the other side to half duplex, the "auto" side will assume half duplex when it doesn't hear back from its peer during autonegotiation. Both sides will set to half duplex, but the "auto" side may periodically reset and renegotiate, dropping the link and affecting performance.&lt;/li&gt;&lt;li&gt;If you set one side to full duplex and one side to "auto," you'll end up with a duplex mismatch that will severely affect performance. 
In these cases, the "auto" side, not hearing from its peer, sets to the half-duplex default, while the other side of the link remains at full duplex.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;The second most important thing to know about 100 Mb/s Ethernet is that full duplex is overrated and almost always not worth the trouble, hence the warning in Table 2. The only place where 100 Mb/s full duplex is a good idea is on very short switch-to-switch links that use high-quality cable. These conditions are usually found only in datacenter environments.&lt;br /&gt;&lt;br /&gt;Remember that full duplex means the NIC and the switch can send and receive data simultaneously. This means that a number of stars have to be aligned just right to give you a performance advantage: the NIC must be able to send and receive at the same time, the driver and the operating system must support it, and the application itself must be multi-threaded and have two threads running simultaneously. 100 Mb/s full-duplex Ethernet is very sensitive to crosstalk, and full-duplex cable lengths are limited to 25 m. A cable that works for one full-duplex link may not work with another, because even different chipsets from the same manufacturer can have different transmitter characteristics that affect the link.&lt;br /&gt;&lt;br /&gt;If you really need the performance, consider upgrading to 1000 Mb/s, where you'll see a benefit from the high data rate if not from having full-duplex data paths. If you still think you need a full-duplex link, then set each end of the link manually as in Table 2.&lt;br /&gt;&lt;br /&gt;&lt;strong class="news"&gt;Setting 10 Mb/s Ethernet links&lt;/strong&gt;&lt;br /&gt;10 Mb/s Ethernet has pretty much gone the way of vinyl records, but some organizations have a few old relics they must maintain. 
Besides the fact that it is slower, 10 Mb/s Ethernet suffers from even more autonegotiation problems than 100 Mb/s Ethernet.&lt;br /&gt;&lt;br /&gt;The best way to manage 10 Mb/s Ethernet links is to set each side of the connection to half duplex (Table 3). Few manufacturers implemented full duplex in 10 Mb/s Ethernet correctly, so it's a good setting to avoid. All other link-setting combinations have the same issues as 100 Mb/s Ethernet. The "auto" and half-duplex combination can result in switch or NIC resets. The "auto" and full-duplex combination results in a duplex mismatch. Both setting combinations degrade performance.&lt;/p&gt; &lt;p align="center"&gt;&lt;img src="http://www.appliedtrust.com/images/resources/ethernet_performance_5.gif" alt=" " height="213" width="335" /&gt;&lt;/p&gt; &lt;p&gt;&lt;span class="news"&gt;Speed mismatch&lt;/span&gt;&lt;br /&gt;One way to tell a speed mismatch is by a link light that won't illuminate. If you follow the rules of thumb and set both ends of each link in your network manually, you won't have to worry about speed mismatches from a failed autonegotiation. That said, remember that autonegotiation in 1000 Mb/s links - the recommended setting - will not fall back automatically to a slower speed based on cable quality. 
If you need to use a slower speed because your cable does not pass muster, change the settings manually.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/4056488697558757952/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=4056488697558757952' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4056488697558757952'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/4056488697558757952'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/untangling-ethernet-performance.html' title='Untangling Ethernet Performance Problems'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-8447051786764412221</id><published>2009-11-05T01:05:00.001-08:00</published><updated>2009-11-05T01:05:43.162-08:00</updated><title type='text'>Speed and Duplex issues when connecting to Cisco switches</title><content type='html'>Speed determination issues can result in no connectivity. However, issues with autonegotiation of duplex generally do not result in link establishment issues. Instead, autonegotiation issues mainly result in performance-related issues. The most common NIC problems involve speed and duplex configuration. 
The following table shows all possible settings of speed and duplex for FastEthernet/Gigabit Ethernet NICs and switch ports. This applies only to 10/100/1000 Mbps (1000BASE-T) NICs.&lt;br /&gt;&lt;table width="60%" bgcolor="#ffffff" border="1" cellpadding="3" cellspacing="1"&gt; &lt;tbody&gt;&lt;tr&gt; &lt;th&gt;NIC (Spd/Dplx)&lt;/th&gt; &lt;th&gt;Switch (Spd/Dplx)&lt;/th&gt; &lt;th&gt;Resulting NIC Spd/Dplx&lt;/th&gt; &lt;th&gt;Resulting Catalyst Spd/Dplx&lt;/th&gt; &lt;th&gt;Comments&lt;/th&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Assuming maximum capability of Catalyst switch, and NIC is 1000 Mbps, full-duplex.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;Link is established, but the switch does not see any autonegotiation information from NIC. 
Since Catalyst switches support only full-duplex operation with 1000 Mbps, they default to full-duplex, and this happens only when operating at 1000 Mbps.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;Correct Manual Configuration&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff" height="52"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;1000 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;No Link&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;No Link&lt;/td&gt; &lt;td bgcolor="#ffffff" height="52"&gt;Neither side establishes link, due to speed mismatch&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;&lt;strong&gt;Duplex Mismatch &lt;sup&gt;1&lt;/sup&gt; &lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;&lt;strong&gt;Duplex Mismatch &lt;sup&gt;1&lt;/sup&gt; &lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Full-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;&lt;strong&gt;Correct 
Manual Configuration&lt;sup&gt;2&lt;/sup&gt; &lt;/strong&gt;&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Link is established, but switch does not see any autonegotiation information from NIC and defaults to half-duplex when operating at 10/100 Mbps.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Link is established, but switch does not see Fast Link Pulse (FLP) and defaults to 10 Mbps half-duplex.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;No Link&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;No Link&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Neither side establishes link, due to speed mismatch.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;100 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Link is established, but NIC does not see any autonegotiation information and defaults to 100 Mbps, half-duplex.&lt;/td&gt; &lt;/tr&gt; &lt;tr&gt; &lt;td bgcolor="#ffffff"&gt;AUTO&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;10 Mbps, Half-duplex&lt;/td&gt; &lt;td bgcolor="#ffffff"&gt;Link is established, but NIC does not see FLP and defaults to 10 Mbps, half-duplex.&lt;/td&gt; 
&lt;/tr&gt; &lt;/tbody&gt;&lt;/table&gt; &lt;p&gt; &lt;strong&gt;&lt;sup&gt;1&lt;/sup&gt; &lt;/strong&gt;A duplex mismatch can result in performance issues, intermittent connectivity, and loss of communication. When you troubleshoot NIC issues, verify that the NIC and switch use a valid configuration.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;&lt;sup&gt;2&lt;/sup&gt; &lt;/strong&gt;Some third-party NIC cards can fall back to half-duplex operation mode, even though both the switchport and NIC configuration are manually configured for 100 Mbps, full-duplex. This is because NIC autonegotiation link detection still operates when the NIC is manually configured. This causes duplex inconsistency between the switchport and the NIC. Symptoms include poor port performance and frame check sequence (FCS) errors that increment on the switchport. In order to troubleshoot this issue, try to manually configure the switchport to 100 Mbps, half-duplex. If this action resolves the connectivity problems, this NIC issue is a possible cause. Try to update to the latest drivers for your NIC, or contact your NIC card vendor for additional support.&lt;br /&gt;&lt;br /&gt;A manual setup of the speed and duplex for full-duplex on one link partner results in a duplex mismatch. 
This happens when you disable autonegotiation on one link partner while the other link partner defaults to a half-duplex configuration. A duplex mismatch results in slow performance, intermittent connectivity, data link errors, and other issues. If the intent is not to use autonegotiation, both link partners must be manually configured for speed and duplex for full-duplex settings.&lt;/p&gt;</content><link rel='replies' type='application/atom+xml' href='http://computerguidetips.blogspot.com/feeds/8447051786764412221/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=2345801402054773497&amp;postID=8447051786764412221' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/8447051786764412221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/2345801402054773497/posts/default/8447051786764412221'/><link rel='alternate' type='text/html' href='http://computerguidetips.blogspot.com/2009/11/speed-and-duplex-issues-when-connecting.html' title='Speed and Duplex issues when connecting to Cisco switches'/><author><name>Perumal V</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-2345801402054773497.post-685235512792141474</id><published>2009-10-26T04:22:00.001-07:00</published><updated>2009-10-26T04:22:59.236-07:00</updated><title type='text'>Inbound connections limit in Windows</title><content type='html'>&lt;h2 class="subTitle" id="tocHeadRef"&gt;SYMPTOMS&lt;/h2&gt;&lt;div class="sbody"&gt;At a computer that is running Windows XP or Windows 2000, when you attempt to connect to another Windows XP computer, you may receive the following error message: &lt;div class="kb_errormsgbody"&gt;&lt;div class="kb_errorcontent"&gt;&lt;div class="errormsg"&gt;No more connections can be made to this remote computer at this time because there are already as many connections as the computer can accept.&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;h2 class="subTitle" id="tocHeadRef"&gt;CAUSE&lt;/h2&gt;&lt;div class="sbody"&gt;This behavior occurs if the computer reaches the maximum number of inbound connections that the computer can host.&lt;br /&gt;&lt;br /&gt;In this case, when a Windows 2000 client makes a null session connection, the Windows XP-based server counts this connection as one session. Therefore, the computer returns the error message that is mentioned in the "Symptoms" section even if the number of connections is less than the session limit.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Note&lt;/b&gt; For Windows XP Professional, the maximum number of other computers that are permitted to simultaneously connect over the network is ten. This limit includes all transports and resource sharing protocols combined. For Windows XP Home Edition, the maximum number of other computers that are permitted to simultaneously connect over the network is five. This limit is the number of simultaneous sessions from other computers the system is permitted to host. This limit does not apply to the use of administrative tools that attach from a remote computer.&lt;/div&gt;&lt;h2 class="subTitle" id="tocHeadRef"&gt;MORE INFORMATION&lt;/h2&gt; Any file, print, named pipe, or mail slot session that does not have any activity is automatically disconnected after the AutoDisconnect time has expired; the default for the AutoDisconnect time is 15 minutes. When the session is disconnected, one of the ten connections becomes available so that another user can connect to the Windows XP system. Therefore, lowering the AutoDisconnect time can help to reduce some of the problems that users may encounter with the ten-connection limit or the five-connection limit on a system that is not used he
