Networks and their form of communication

Upload: matheusjorgebatista

Post on 14-Jan-2016


DESCRIPTION

This document contains a great deal of information about networks and protocols, detailing all the intrinsic aspects that will help you understand how they work.

TRANSCRIPT

7/18/2019 Redes e sua forma de comunicao

1/207

The MH DeskReference Version 1.2

Written/Assembled by

The Rhino9 Team

Table of Contents

=Part One= =Essential Background Knowledge=

0.0.0 Preface
0.0.1 The Rhino9 Team
0.0.2 Disclaimer
0.0.3 Thanks and Greets

1.0.0 Preface To NetBIOS
1.0.1 What is NetBIOS?
1.0.2 NetBIOS Names
1.0.3 NetBIOS Sessions
1.0.4 NetBIOS Datagrams
1.0.5 NetBEUI Explained
1.0.6 NetBIOS Scopes

1.2.0 Preface to SMB's
1.2.1 What are SMB's?
1.2.2 The Redirector

2.0.0 What is TCP/IP?
2.0.1 FTP Explained
2.0.2 Remote Login
2.0.3 Computer Mail
2.0.4 Network File Systems
2.0.5 Remote Printing
2.0.6 Remote Execution
2.0.7 Name Servers
2.0.

2.1.2 The IP level
2.1.3 The Ethernet level
2.1.4 Well-Known Sockets And The Applications Layer
2.1.5 Other IP Protocols
2.1.6 Domain Name System
2.1.7 Routing
2.1.
...ey Discussion
3.0.3 Understanding Hives
3.0.4 Default Registry Settings

4.0.0 Introduction to PPTP
4.0.1 PPTP and Virtual Private Networking
4.0.2 Standard PPTP Deployment
4.0.3 PPTP Clients
4.0.4 PPTP Architecture
4.0.5 Understanding PPTP Security
4.0.6 PPTP and the Registry
4.0.7 Special Security Update

5.0.0 TCP/IP Commands as Tools
5.0.1 The Arp Command
5.0.2 The Traceroute Command
5.0.3 The Netstat Command
5.0.4 The Finger Command
5.0.5 The Ping Command
5.0.6 The Nbtstat Command
5.0.7 The IpConfig Command
5.0.

6.2.1 Protecting the Registry
6.2.2 Secure EventLog Viewing
6.2.3 Secure Print Driver Installation
6.2.4 The Schedule Service (AT Command)
6.2.5 Secure File Sharing
6.2.6 Auditing
6.2.7 Threat Action
6.2.

11.1.3 What about spoofing DNS against NT?
11.1.4 What about default shared folders?
11.1.5 How do I get around a packet filter-based firewall?
11.1.6 What is NTFS?
11.1.7 Are there any vulnerabilities to NTFS and access controls?
11.1.

12.4.4 kerberos preauth
12.4.5 kerberos realm
12.4.6 kerberos server
12.4.7 kerberos srvtab entry
12.4.

13.1.0 Exchange 5.0 Password Caching
13.1.1 Crashing NT using NTFS
13.1.2 The GetAdmin Exploit
13.1.3 Squid Proxy Server Hole
13.1.4 Internet Information Server DoS attack
13.1.5 Ping Of Death II
13.1.6 NT Server's DNS DoS Attack
13.1.7 Index Server Exposes Sensitive Material
13.1.

16.1.2 Mental Hacking once you know a username

17.0.0 Making a DDI from a Motorola Brick phone

1 FAQ which was used in the making of this document. Thanks to Cisco Systems for making such superior equipment. Thanks to the guy from Lucent Technologies whose text file was used during one of the NT Security sections (if you see this, contact me so I can give you proper credit). Special props go out to Virtual of Cybrids for his information on CellPhones and Pagers. Special props to Phreak-0 for his Unix contributions. Mad props to Hellmaster for the Vax info. Thanks to Rloley and the rest of X-Treme for helping with the distribution and advertising of this document. Thanks to Merlin, for being the marketing pimp


that he is. Greetings to Cybrids, Intercore, X-Treme, L0pht, CodeZero (grins), 2600 Magazine (thanks for your vigilance on the Mitnick case).

(1.0.0) Preface to NetBIOS

Before you begin reading this section, understand that this section was written for the novice to the concept of NetBIOS, but it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your NetBIOS section off so basic?" - Simple, it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with basics, thanks.

(1.0.1) What is NetBIOS?

NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.

NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now it is common to refer to NetBIOS-compatible LANs.

It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.

NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this it can be specified to which levels of the OSI model the application can write to, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.

PC's on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.

All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependent on the user program. These NCB's are divided into fields, which are reserved for input and output respectively.

NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, TokenRing, and IBM PC Networks. In its original induction it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.


In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.

(1.0.2) NetBIOS Names

NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.

A NetBIOS name can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.

When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:

1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.

2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client who is trying to register the already in use name stops all attempts to register that name.

3. If no other client on the network objects to the name registration, the client will finish the registration process.

There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.

The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.

QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 13


\\computername 20 U File Server Service
\\computername 21 U RAS Client Service
\\computername 22 U Exchange Interchange
\\computername 23 U Exchange Store
\\computername 24 U Exchange Directory
\\computername 30 U Modem Sharing Server Service
\\computername 31 U Modem Sharing Client Service
\\computername 43 U SMS Client Remote Control
\\computername 44 U SMS Admin Remote Control Tool
\\computername 45 U SMS Client Remote Chat
\\computername 46 U SMS Client Remote Transfer
\\computername 4C U DEC Pathworks TCPIP Service
\\computername 52 U DEC Pathworks TCPIP Service
\\computername

following NBTSTAT command:

nbtstat -A ipaddress
nbtstat -a host
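As an added example (not code from the original document), the following Python encodes and decodes NetBIOS names the way NBT carries them on the wire (the RFC 1001/1002 first- and second-level encoding): the 16-byte name is split into the 15-character Microsoft name and its suffix byte, the scope ID is appended as extra labels, and the suffix is labelled from the table above. The names and scope used are constructed sample values.

```python
"""Encode and decode NetBIOS names as NBT (NetBIOS over TCP/IP) carries them on the wire.

Added example: a 16-byte NetBIOS name (15 characters plus a one-byte suffix) is "first-level"
encoded into 32 letters A..P, then "second-level" encoded as DNS-style length-prefixed labels
with the scope ID appended (RFC 1001/1002). The suffix table below is the one in the text above.
"""
from __future__ import annotations

# Suffix meanings from the table in the text above (Microsoft NetBIOS suffixes).
SUFFIXES = {
    0x20: "File Server Service",
    0x21: "RAS Client Service",
    0x22: "Exchange Interchange",
    0x23: "Exchange Store",
    0x24: "Exchange Directory",
    0x30: "Modem Sharing Server Service",
    0x31: "Modem Sharing Client Service",
    0x43: "SMS Client Remote Control",
    0x44: "SMS Admin Remote Control Tool",
    0x45: "SMS Client Remote Chat",
    0x46: "SMS Client Remote Transfer",
    0x4C: "DEC Pathworks TCPIP Service",
    0x52: "DEC Pathworks TCPIP Service",
}

NIBBLE_LETTERS = "ABCDEFGHIJKLMNOP"   # each half-byte becomes one of these 16 letters


def first_level_encode(name: str, suffix: int, pad: bytes = b" ") -> str:
    """Pad the name to 15 bytes, append the suffix byte and spread every byte over two letters."""
    if len(name) > 15:
        raise ValueError("Microsoft limits NetBIOS names to 15 characters plus the suffix")
    raw = name.upper().encode("ascii").ljust(15, pad) + bytes([suffix & 0xFF])
    return "".join(NIBBLE_LETTERS[b >> 4] + NIBBLE_LETTERS[b & 0x0F] for b in raw)


def first_level_decode(encoded: str) -> tuple[str, int]:
    """Reverse of first_level_encode: 32 letters back to (name, suffix)."""
    if len(encoded) != 32 or any(c not in NIBBLE_LETTERS for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes((NIBBLE_LETTERS.index(encoded[i]) << 4) | NIBBLE_LETTERS.index(encoded[i + 1])
                for i in range(0, 32, 2))
    # Space padding (normal names) and NUL padding (the '*' wildcard name) are both stripped.
    return raw[:15].decode("ascii").rstrip(" \x00"), raw[15]


def second_level_encode(name: str, suffix: int, scope: str = "") -> bytes:
    """Wire form: length-prefixed labels, the encoded name first, then each scope ID label."""
    labels = [first_level_encode(name, suffix)] + [part for part in scope.split(".") if part]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def second_level_decode(data: bytes, offset: int = 0) -> tuple[str, int, str, int]:
    """Parse a wire-form name at offset; returns (name, suffix, scope, offset past the name)."""
    labels: list[str] = []
    while True:
        if offset >= len(data):
            raise ValueError("truncated NetBIOS name")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointers are not handled here")
        if offset + length > len(data):
            raise ValueError("truncated NetBIOS name label")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    if not labels:
        raise ValueError("empty NetBIOS name")
    name, suffix = first_level_decode(labels[0])
    return name, suffix, ".".join(labels[1:]), offset


def describe(name: str, suffix: int, scope: str = "") -> str:
    """Render a name the way a name-table listing would: NAME <suffix> meaning."""
    full = f"{name}.{scope}" if scope else name
    return f"{full} <{suffix:02X}> {SUFFIXES.get(suffix, 'unknown suffix')}"


if __name__ == "__main__":
    # Constructed sample: a file server called WORKSTATION1 in scope CORP.EXAMPLE.
    wire = second_level_encode("WORKSTATION1", 0x20, "CORP.EXAMPLE")
    print(wire)
    print(describe(*second_level_decode(wire)[:3]))
```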

    ")$#$,% NetB.OS Sessions

    The &et'()* session ser;ice ro;ides a connection=oriented reliable f8ll=d8le messa-eser;ice to a 8ser rocess. &et'()* reG8ires one rocess to be the client and the other to be theser;er. &et'()* session establishment reG8ires a reordained cooeration beteen the to


stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.

(1.0.4) NetBIOS Datagrams

Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram but there are no Receive_Datagram commands pending, then the datagram is discarded.

The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.

NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, it has been paired with a network protocol called NetBEUI (network extended user interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.

Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-address resolution by using either broadcast or LMHOSTS files. In a Microsoft environment you would probably also use a NetBIOS Name Server, known as WINS.

(1.0.5) NetBEUI Explained

NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LanManager Server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard

(1.0.6) NetBIOS Scopes

A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts

  • 7/18/2019 Redes e sua forma de comunicao

    13/207

must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name, as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.

(1.2.0) Preface to SMB's

The reason I decided to write this section was because recently the rhino9 team has been giving speeches and lectures. The two questions we most frequently come across are "What is NetBIOS?" and "What are SMB's?". Well, I hope I have already answered the NetBIOS question with the section above. This particular section is being written to better help people understand SMB's.

(1.2.1) What are SMB's?

Server Message Blocks are a type of "messaging protocol" that LAN Manager (and NT) clients and servers use to communicate with each other. SMB's are a higher level protocol that can be transported over NetBEUI, NetBIOS over IPX, and NetBIOS over TCP/IP (or NBT).

SMB's are used by Windows 3.X, Win95, WinNT, and OS/2. When it comes to security and the compromise of security on an NT network, the one thing to remember about SMB's is that they allow for remote access to shared directories, the registry, and other system services, making it a deadly protocol in the eyes of security conscious people.

The SMB protocol was originally developed by IBM and then jointly developed by Microsoft and IBM. Network requests that are sent using SMB's are encoded as Network Control Blocks (NCB) data structures. The NCB data structures are encoded in SMB format for transmission across the network. SMB is used in many Microsoft and IBM networking software:

MS-Net
IBM PC Network
IBM LAN Server
MS LAN Manager
LAN Manager for Unix
DEC Pathworks
MS Windows for Workgroups
Ungermann-Bass Net/1
NT Networks through support for LAN Manager

SMB Messages can be categorized into four types:

Session Control: Used to establish or discontinue Redirector connections with a remote network resource, such as a directory or printer. (The redirector is explained below.)

File: Used to access and manipulate file system resources on the remote computer.

Printer: Used by the Redirector to send print data to a remote printer or queue and to obtain the status of remote print devices.

Message: Used by applications and system components to send unicast or broadcast messages.

(1.2.2) The Redirector


The Redirector is the component that enables a client computer to gain access to resources on another computer as if the remote resources were local to the client computer. The Redirector communicates with other computers using the protocol stack.

The Redirector's primary function is to format remote requests so that they can be understood by a remote station (such as a file server) and send them on their way through the network.

The Redirector uses the Server Message Block (SMB) structure as the standard vehicle for sending these requests. The SMB is also the vehicle by which stations return responses to Redirector requests.

Each SMB contains a header consisting of the command code (which specifies the task that the redirector wants the remote station to perform) and several environment and parameter fields (which specify how the command should be carried out).

In addition to the header, the last field in the SMB may contain up to 64K of data to be sent to the remote station.

(2.0.0) What is TCP/IP?

TCP/IP is a set of protocols developed to allow cooperating computers to share resources across a network. It was developed by a community of researchers centered around the ARPAnet (Advanced Research Projects Agency). Certainly the ARPAnet is the best-known TCP/IP network. However, as of June

(2.0.1) File Transfer

The file transfer protocol (FTP) allows a user on any computer to get files from another computer, or to send files to another computer. Security is handled by requiring the user to specify a user name and password for the other computer, or logging into a system that allows for Anonymous logins. Provisions are made for handling file transfer between machines with different character set, end of line conventions, etc. This is not quite the same thing as more recent "network file system" or "NetBIOS" protocols, which will be described below. Rather, FTP is a utility that you run any time you want to access a file on another system. You use it to copy the file to your own system. You then work with the local copy. (See RFC 959 for specifications for FTP.)

(2.0.2) Remote Login


beginning to change. Now many installations have several kinds of computers, including microcomputers, workstations, minicomputers, and mainframes. These computers are likely to be configured to perform specialized tasks. Although people are still likely to work with one specific computer, that computer will call on other systems on the net for specialized services. This has led to the "server/client" model of network services. A server is a system that provides a specific service for the rest of the network.

A client is another system that uses that service. (Note that the server and client need not be on different computers. They could be different programs running on the same computer.)

Here are the kinds of servers typically present in a modern computer setup. Note that these computer services can all be provided within the framework of TCP/IP.

(2.0.4) Network File Systems

This allows a system to access files on another computer in a somewhat more closely integrated fashion than FTP. A network file system provides the illusion that disks or other devices from one system are directly connected to other systems. There is no need to use a special network utility to access a file on another system. Your computer simply thinks it has some extra disk drives. These extra "virtual" drives refer to the other system's disks. This capability is useful for several different purposes. It lets you put large disks on a few computers, but still give others access to the disk space. Aside from the obvious economic benefits, this allows people working on several computers to share common files. It makes system maintenance and backup easier, because you don't have to worry about updating and backing up copies on lots of different machines. A number of vendors now offer high-performance diskless computers. These computers have no disk drives at all. They are entirely dependent upon disks attached to common "file servers". (See RFC's 1001 and 1002 for a description of PC-oriented NetBIOS over TCP. In the workstation and minicomputer area, Sun's Network File System is more likely to be used. Protocol specifications for it are available from Sun Microsystems.)

(2.0.5) Remote Printing

This allows you to access printers on other computers as if they were directly attached to yours. (The most commonly used protocol is the remote lineprinter protocol from Berkeley Unix. Unfortunately, there is no protocol document for this. However, the C code is easily obtained from Berkeley, so implementations are common.)

(2.0.6) Remote Execution

This allows you to request that a particular program be run on a different computer. This is useful when you can do most of your work on a small computer, but a few tasks require the resources of a larger system. There are a number of different kinds of remote execution. Some operate on a command by command basis. That is, you request that a specific command or set of commands should run on some specific computer. (More sophisticated versions will choose a system that happens to be free.) However, there are also "remote procedure call" systems that allow a program to call a subroutine that will run on another computer. (There are many protocols of this sort. Berkeley Unix contains two servers to execute commands remotely: rsh and rexec. The man pages describe the protocols that they use. The user-contributed software with Berkeley 4.3 contains a "distributed shell" that will distribute tasks among a set of systems, depending upon load. Remote procedure call mechanisms have been a topic for


research for a number of years, so many organizations have implementations of such facilities. The most widespread commercially-supported remote procedure call protocols seem to be Xerox's Courier and Sun's RPC. Protocol documents are available from Xerox and Sun. There is a public implementation of Courier over TCP as part of the user-contributed software with Berkeley 4.3. An implementation of RPC was posted to Usenet by Sun, and also appears as part of the user-contributed software with Berkeley 4.3.)

(2.0.7) Name Servers

In large installations, there are a number of different collections of names that have to be managed. This includes users and their passwords, names and network addresses for computers, and accounts. It becomes very tedious to keep this data up to date on all of the computers. Thus the databases are kept on a small number of systems. Other systems access the data over the network. (RFC


using TCP/IP, just as normal TCP/IP application protocols are. Since the protocol definitions are not considered proprietary, and since commercially-supported implementations are widely available, it is reasonable to think of these protocols as being effectively part of the Internet suite.

Also note that the list above is simply a sample of the sort of services available through TCP/IP. However, it does contain the majority of the "major" applications. The other commonly-used protocols tend to be specialized facilities for getting information of various kinds, such as who is logged in, the time of day, etc. However, if you need a facility that is not listed here, we encourage you to look through the current edition of Internet Protocols (currently RFC 1011), which lists all of the available protocols, and also to look at some of the major TCP/IP implementations to see what various vendors have added.

(2.1.0) General description of the TCP/IP protocols

TCP/IP is a layered set of protocols. In order to understand what this means, it is useful to look at an example. A typical situation is sending mail. First, there is a protocol for mail. This defines a set of commands which one machine sends to another, e.g. commands to specify who the sender of the message is, who it is being sent to, and then the text of the message. However, this protocol assumes that there is a way to communicate reliably between the two computers. Mail, like other application protocols, simply defines a set of commands and messages to be sent. It is designed to be used together with TCP and IP.

TCP is responsible for making sure that the commands get through to the other end. It keeps track of what is sent, and retransmits anything that did not get through. If any message is too large for one datagram, e.g. the text of the mail, TCP will split it up into several datagrams, and make sure that they all arrive correctly. Since these functions are needed for many applications, they are put together into a separate protocol, rather than being part of the specifications for sending mail. You can think of TCP as forming a library of routines that applications can use when they need reliable network communications with another computer.

Similarly, TCP calls on the services of IP. Although the services that TCP supplies are needed by many applications, there are still some kinds of applications that don't need them. However, there are some services that every application needs. So these services are put together into IP. As with TCP, you can think of IP as a library of routines that TCP calls on, but which is also available to applications that don't use TCP. This strategy of building several levels of protocol is called "layering". We think of the applications programs such as mail, TCP, and IP as being separate "layers", each of which calls on the services of the layer below it. Generally, TCP/IP applications use 4 layers: an application protocol such as mail; a protocol such as TCP that provides services needed by many applications; IP, which provides the basic service of getting datagrams to their destination; and the protocols needed to manage a specific physical medium, such as Ethernet or a point to point line.

TCP/IP is based on the "catenet model". (This is described in more detail in IEN 4


address that looks like 12


in small networks that is true. However, in the Internet, simply getting a datagram to its destination can be a complex job. A connection may require the datagram to go through several networks at Rutgers, a serial line to the John von Neuman Supercomputer Center, a couple of Ethernets there, a series of 56Kbaud phone lines to another NSFnet site, and more Ethernets on another campus. Keeping track of the routes to all of the destinations and handling incompatibilities among different transport media turns out to be a complex job.

Note that the interface between TCP and IP is fairly simple. TCP simply hands IP a datagram with a destination. IP doesn't know how this datagram relates to any datagram before it or after it. It may have occurred to you that something is missing here. We have talked about Internet addresses, but not about how you keep track of multiple connections to a given system. Clearly it isn't enough to get a datagram to the right destination. TCP has to know which connection this datagram is part of.

This task is referred to as "demultiplexing." In fact, there are several levels of demultiplexing going on in TCP/IP. The information needed to do this demultiplexing is contained in a series of "headers". A header is simply a few extra octets tacked onto the beginning of a datagram by some protocol in order to keep track of it. It's a lot like putting a letter into an envelope and putting an address on the outside of the envelope. Except with modern networks it happens several times. It's like you put the letter into a little envelope, your secretary puts that into a somewhat bigger envelope, the campus mail center puts that envelope into a still bigger one, etc.

Here is an overview of the headers that get stuck on a message that passes through a typical TCP/IP network:

We start with a single data stream, say a file you are trying to send to some other computer:

TCP breaks it up into manageable chunks. (In order to do this, TCP has to know how large a datagram your network can handle. Actually, the TCP's at each end say how big a datagram they can handle, and then they pick the smallest size.)

TCP puts a header at the front of each datagram. This header actually contains at least 20 octets, but the most important ones are a source and destination "port number" and a "sequence number". The port numbers are used to keep track of different conversations. Suppose 3 different people are transferring files. Your TCP might allocate port numbers 1000, 1001, and 1002 to these transfers. When you are sending a datagram, this becomes the "source" port number, since you are the source of the datagram. Of course, the TCP at the other end has assigned a port number of its own for the conversation. Your TCP has to know the port number used by the other end as well. (It finds out when the connection starts, as we will explain below.) It puts this in the "destination" port field. Of course, if the other end sends a datagram back to you, the source and destination port numbers will be reversed, since then it will be the source and you will be the destination.

Each datagram has a sequence number. This is used so that the other end can make sure that it gets the datagrams in the right order, and that it hasn't missed any. (See the TCP specification for details.) TCP doesn't number the datagrams, but the octets. So if there are 500 octets of data in each datagram, the first datagram might be numbered 0, the second 500, the next 1000, the next 1500, etc.

Finally, I will mention the Checksum. This is a number that is computed by adding up all the octets in the datagram (more or less - see the TCP spec). The result is put in the header. TCP at


the other end computes the checksum again. If they disagree, then something bad happened to the datagram in transmission, and it is thrown away.

The window is used to control how much data can be in transit at any one time. It is not practical to wait for each datagram to be acknowledged before sending the next one. That would slow things down too much. On the other hand, you can't just keep sending, or a fast computer might overrun the capacity of a slow one to absorb data. Thus each end indicates how much new data it is currently prepared to absorb by putting the number of octets in its "Window" field. As the computer receives data, the amount of space left in its window decreases. When it goes to zero, the sender has to stop. As the receiver processes the data, it increases its window, indicating that it is ready to accept more data. Often the same datagram can be used to acknowledge receipt of a set of data and to give permission for additional new data (by an updated window).

The "Urgent" field allows one end to tell the other to skip ahead in its processing to a particular octet. This is often useful for handling asynchronous events, for example when you type a control character or other command that interrupts output. The other fields are beyond the scope of this document.
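As an added example (not code from the original document), this Python builds the TCP header fields just described (ports, octet-based sequence numbers, window, urgent pointer and checksum), splits a stream into 500-octet chunks numbered 0, 500, 1000, and shows the receiving side throwing away a datagram whose checksum no longer matches. The checksum is the RFC 793 one, computed over an IPv4 pseudo-header plus the segment, which is what "see the TCP spec" refers to; the addresses, ports and payloads are constructed sample values.

```python
"""Build, segment, checksum and verify TCP datagrams with the header fields described above.

Added example (not code from the original document). The checksum follows RFC 793: one's
complement sum over an IPv4 pseudo-header (addresses, protocol, length) plus the whole segment.
Sample addresses, ports and payloads are constructed for the demonstration.
"""
from __future__ import annotations

import socket
import struct

# src port, dst port, seq, ack, data offset, flags, window, checksum, urgent pointer
TCP_HEADER = "!HHIIBBHHH"
PSH_ACK = 0x18


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum, folding carries back in (the arithmetic the TCP spec uses)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over pseudo-header + segment; an intact segment checksums to zero on receipt."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, 6, len(segment)))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int, seq: int, ack: int,
                  window: int, payload: bytes, urgent: int = 0) -> bytes:
    """20-octet header in front of the payload, with the checksum filled in last."""
    header = struct.pack(TCP_HEADER, src_port, dst_port, seq, ack, 5 << 4, PSH_ACK, window, 0, urgent)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def parse_segment(src_ip: str, dst_ip: str, segment: bytes) -> dict | None:
    """Receiver side: recompute the checksum; on mismatch the datagram is thrown away (None)."""
    if len(segment) < 20 or tcp_checksum(src_ip, dst_ip, segment) != 0:
        return None
    src_port, dst_port, seq, ack, offset, flags, window, _, urgent = struct.unpack(
        TCP_HEADER, segment[:20])
    header_len = (offset >> 4) * 4
    return {"src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "window": window, "urgent": urgent, "data": segment[header_len:]}


def segment_stream(data: bytes, mss: int = 500, isn: int = 0) -> list[tuple[int, bytes]]:
    """TCP numbers octets, not datagrams: 500-octet chunks get sequence numbers 0, 500, 1000, ..."""
    return [(isn + i, data[i:i + mss]) for i in range(0, len(data), mss)]


def reassemble(segments: list[tuple[int, bytes]]) -> bytes:
    """Put the chunks back in sequence-number order, whatever order they arrived in."""
    return b"".join(chunk for _, chunk in sorted(segments))


def window_allows(window: int, unacked: int, next_chunk: int) -> bool:
    """The sender may transmit only while the data in flight stays within the receiver's window."""
    return unacked + next_chunk <= window


if __name__ == "__main__":
    src, dst = "10.0.0.1", "10.0.0.2"
    wire = build_segment(src, dst, 1000, 21, 0, 0, 4096, b"hello")
    print(parse_segment(src, dst, wire))
    damaged = bytearray(wire)
    damaged[-1] ^= 0x01                                   # one flipped bit in the payload
    print(parse_segment(src, dst, bytes(damaged)))        # None: thrown away
    print([seq for seq, _ in segment_stream(b"x" * 1200)])  # [0, 500, 1000]
```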

    "*$)$*% The .P level

    T5# sends each of these data-rams to (#. )f co8rse it has to tell (# the (nternet address of thecom8ter at the other end. &ote that this is all (# is concerned abo8t. (t doesn4t care abo8t hat isin thedata-ram or e;en in the T5# header. (#4s Bob is simly to find a ro8te for the data-ram and -et itto the other end. (n order to allo -ateays or other intermediate systems to forard thedata-ram itadds its on header.

The main things in this header are the source and destination Internet address (32-bit addresses, like 12

this should be impossible, but well-designed networks are built to cope with "impossible" conditions.

At this point, it's possible that no more headers are needed. If your computer happens to have a direct phone line connecting it to the destination computer, or to a gateway, it may simply send the datagrams out on the line (though likely a synchronous protocol such as HDLC would be used, and it would add at least a few octets at the beginning and end).

2.1.3) The Ethernet level

Most of our networks these days use Ethernet. So now we have to describe Ethernet's headers. Unfortunately, Ethernet has its own addresses. The people who designed Ethernet wanted to make sure that no two machines would end up with the same Ethernet address. Furthermore, they didn't want the user to have to worry about assigning addresses. So each Ethernet controller comes with an address built in from the factory. In order to make sure that they would never have to reuse addresses, the Ethernet designers allocated 48 bits for the Ethernet address. People who make Ethernet equipment have to register with a central authority, to make sure that the numbers they assign don't overlap any other manufacturer.

Ethernet is a "broadcast medium". That is, it is in effect like an old party line telephone. When you send a packet out on the Ethernet, every machine on the network sees the packet. So something is needed to make sure that the right machine gets it. As you might guess, this involves the Ethernet header. Every Ethernet packet has a 14-octet header that includes the source and destination Ethernet address, and a type code. Each machine is supposed to pay attention only to packets with its own Ethernet address in the destination field. (It's perfectly possible to cheat, which is one reason that Ethernet communications are not terribly secure.)

Note that there is no connection between the Ethernet address and the Internet address. Each machine has to have a table of what Ethernet address corresponds to what Internet address. (We will describe how this table is constructed a bit later.) In addition to the addresses, the header contains a type code. The type code is to allow for several different protocol families to be used on the same network. So you can use TCP/IP, DECnet, Xerox NS, etc. at the same time. Each of them will put a different value in the type field. Finally, there is a checksum. The Ethernet controller computes a checksum of the entire packet. When the other end receives the packet, it recomputes the checksum and throws the packet away if the answer disagrees with the original. The checksum is put on the end of the packet, not in the header.

When these packets are received by the other end, of course all the headers are removed. The Ethernet interface removes the Ethernet header and the checksum. It looks at the type code. Since the type code is the one assigned to IP, the Ethernet device driver passes the datagram up to IP. IP removes the IP header. It looks at the IP protocol field. Since the protocol type is TCP, it passes the datagram up to TCP. TCP now looks at the sequence number. It uses the sequence numbers and other information to combine all the datagrams into the original file. This ends our initial summary of TCP/IP. There are still some crucial concepts we haven't gotten to, so we'll now go back and add details in several areas. (For detailed descriptions of the items discussed here, see RFC 793 for TCP, RFC 791 for IP, and RFC's
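The header-peeling sequence just described, as an added example that is not part of the original text: a constructed Ethernet frame carrying an IP datagram and a TCP segment is built with both checksums filled in, then received the way the text describes (destination address check, type code dispatch, IP header checksum, protocol field dispatch, TCP checksum, sequence and window fields). The MAC and IP addresses are made up for the demonstration.

```python
# Added example (not from the original text): build a constructed Ethernet/IP/TCP
# frame, then receive it by peeling the headers layer by layer as the text describes.
# All addresses below are made up for the demonstration.
import struct

ETHERTYPE_IP = 0x0800   # type code that tells the Ethernet driver to hand the data to IP
IPPROTO_TCP = 6         # IP protocol field value that tells IP to hand the data to TCP
BROADCAST_MAC = b"\xff" * 6


def checksum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IP and TCP headers (RFC 791 / RFC 793).
    Verifying: summing a header that already contains its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, sport, dport, seq, window, data):
    """Construct a frame with a 20-byte IP header and a 20-byte TCP header."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, sequence, ack, data offset 5 (x4 = 20 bytes) + PSH/ACK, window, csum, urgent
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | 0x18, window, 0, 0) + data
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))   # TCP pseudo-header
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]             # header checksum only
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip + tcp


def receive(frame: bytes, my_mac: bytes) -> dict:
    """Peel Ethernet -> IP -> TCP, dropping anything that fails a check on the way up."""
    dst, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst not in (my_mac, BROADCAST_MAC):
        return {"action": "ignored", "reason": "destination Ethernet address is not ours"}
    if ethertype != ETHERTYPE_IP:
        return {"action": "ignored", "reason": "type code 0x%04x is not IP" % ethertype}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # header length in bytes
    if checksum(ip[:ihl]) != 0:
        return {"action": "dropped", "reason": "IP header checksum mismatch"}
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst_ip = ip[12:16], ip[16:20]
    if proto != IPPROTO_TCP:
        return {"action": "dropped", "reason": "protocol %d not handled here" % proto}
    seg = ip[ihl:total_len]
    pseudo = src + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    if checksum(pseudo + seg) != 0:
        return {"action": "dropped", "reason": "TCP checksum mismatch"}
    sport, dport, seq, _ack, off, window, _csum, urg = struct.unpack("!HHIIHHHH", seg[:20])
    return {"action": "delivered", "src_ip": ".".join(str(b) for b in src),
            "sport": sport, "dport": dport, "seq": seq, "window": window,
            "urgent": urg, "data": seg[(off >> 12) * 4:]}


if __name__ == "__main__":
    me, peer = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    f = build_frame(me, peer, "10.0.0.2", "10.0.0.1", 1025, 80, 1000, 4096, b"hello")
    print(receive(f, me))
    print(receive(f[:22] + bytes([f[22] ^ 1]) + f[23:], me))   # TTL changed in flight
```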


    connection 1 12


described here. First, the common network representation: TCP/IP is intended to be usable on any computer. Unfortunately, not all computers agree on how data is represented. There are differences in character codes (ASCII vs. EBCDIC), in end of line conventions (carriage return, line feed, or a representation using counts), and in whether terminals expect characters to be sent individually or a line at a time. In order to allow computers of different kinds to communicate, each application's protocol defines a standard representation.

Note that TCP and IP do not care about the representation. TCP simply sends octets. However, the programs at both ends have to agree on how the octets are to be interpreted. The RFC for each application specifies the standard representation for that application. Normally it is "net ASCII". This uses ASCII characters, with end of line denoted by a carriage return followed by a line feed. For remote login, there is also a definition of a "standard terminal", which turns out to be a half-duplex terminal with echoing happening on the local machine. Most applications also make provisions for the two computers to agree on other representations that they may find more convenient. For example, PDP-10's have 36-bit words. There is a way that two PDP-10's can agree to send a 36-bit binary file. Similarly, two systems that prefer full-duplex terminal conversations can agree on that. However, each application has a standard representation, which every machine must support.

Keep in mind that it has become common practice for some corporations to change a service's port number on the server side. If your client software is not configured with the same port number, the connection will not be successful. We will discuss later in this text how you can perform port scanning on an entire IP address to see which ports are active.

2.1.5) Other IP Protocols
Protocols other than TCP: UDP and ICMP

So far, we have described only connections that use TCP. Recall that TCP is responsible for breaking up messages into datagrams, and reassembling them properly. However, in many applications, we have messages that will always fit in a single datagram. An example is name lookup. When a user attempts to make a connection to another system, he will generally specify the system by name, rather than Internet address. His system has to translate that name to an address before it can do anything. Generally, only a few systems have the database used to translate names to addresses. So the user's system will want to send a query to one of the systems that has the database. This query is going to be very short. It will certainly fit in one datagram. So will the answer. Thus it seems silly to use TCP. Of course TCP does more than just break things up into datagrams. It also makes sure that the data arrives, resending datagrams where necessary. But for a question that fits in a single datagram, we don't need all the complexity of TCP to do this. If we don't get an answer after a few seconds, we can just ask again. For applications like this, there are alternatives to TCP.

The most common alternative is UDP ("user datagram protocol"). UDP is designed for applications where you don't need to put sequences of datagrams together. It fits into the system much like TCP. There is a UDP header. The network software puts the UDP header on the front of your data, just as it would put a TCP header on the front of your data. Then UDP sends the data to IP, which adds the IP header, putting UDP's protocol number in the protocol field instead of TCP's protocol number. However, UDP doesn't do as much as TCP does. It doesn't split data into multiple datagrams. It doesn't keep track of what it has sent so it can resend if necessary. About all that UDP provides is port numbers, so that several programs can use UDP at once. UDP port numbers are used just like TCP port numbers. There are well-known port numbers for servers that use UDP. Note that the UDP header is shorter than a TCP header. It still has source and destination port numbers, and a checksum, but that's about it. No sequence number, since it is not needed. UDP is used by the protocols that handle name lookups (see IEN 116, RFC


MIT where the server for LCS is, and finally you would ask one of the LCS servers about BORAX. The final result would be the Internet address for BORAX.LCS.MIT.EDU. Each of these levels is referred to as a "domain". The entire name BORAX.LCS.MIT.EDU is called a "domain name". (So are the names of the higher-level domains, such as LCS.MIT.EDU, MIT.EDU, and EDU.)

Fortunately, you don't really have to go through all of this most of the time. First of all, the root name servers also happen to be the name servers for the top-level domains such as EDU. Thus a single query to a root server will get you to MIT. Second, software generally remembers answers that it got before. So once we look up a name at LCS.MIT.EDU, our software remembers where to find servers for LCS.MIT.EDU, MIT.EDU, and EDU. It also remembers the translation of BORAX.LCS.MIT.EDU. Each of these pieces of information has a "time to live" associated with it. Typically this is a few days. After that, the information expires and has to be looked up again. This allows institutions to change things.

The domain system is not limited to finding out Internet addresses. Each domain name is a node in a database. The node can have records that define a number of different properties. Examples are Internet address, computer type, and a list of services provided by a computer. A program can ask for a specific piece of information, or all information about a given name. It is possible for a node in the database to be marked as an "alias" (or nickname) for another node. It is also possible to use the domain system to store information about users, mailing lists, or other objects.

There is an Internet standard defining the operation of these databases, as well as the protocols used to make queries of them. Every network utility has to be able to make such queries, since this is now the official way to evaluate host names. Generally utilities will talk to a server on their own system. This server will take care of contacting the other servers for them. This keeps down the amount of code that has to be in each application program.

The domain system is particularly important for handling computer mail. There are entry types to define what computer handles mail for a given name, to specify where an individual is to receive mail, and to define mailing lists. (See RFC's


network to the other. That is, if a machine on network 12


gateway design and routing. However, rip.doc is probably a better introduction to the subject. It contains some tutorial material and a detailed description of the most commonly-used routing protocol.

2.1.8) Subnets and Broadcasting
Details about Internet Addresses: Subnets and Broadcasting

As indicated earlier, Internet addresses are 32-bit numbers, normally written as 4 octets (in decimal), e.g. 12


0 and 255 have special meanings. 0 is reserved for machines that don't know their address. In certain circumstances it is possible for a machine not to know the number of the network it is on, or even its own host address. For example, 0.0.0.23 would be a machine that knew it was host number 23, but didn't know on what network.

255 is used for "broadcast". A broadcast is a message that you want every system on the network to see. Broadcasts are used in some situations where you don't know who to talk to. For example, suppose you need to look up a host name and get its Internet address. Sometimes you don't know the address of the nearest name server. In that case, you might send the request as a broadcast. There are also cases where a number of systems are interested in information. It is then less expensive to send a single broadcast than to send datagrams individually to each host that is interested in the information. In order to send a broadcast, you use an address that is made by using your network address, with all ones in the part of the address where the host number goes. For example, if you are on network 12
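Added example, not from the original text, of the address arithmetic this section describes: the host field is cleared to get the network address and set to all ones to get the broadcast address, and the special values 0 and 255 are recognised. It generalises to a netmask of any length, so it also covers subnets; the addresses used are constructed for the demonstration.

```python
# Added example (not from the original text): bit arithmetic on 32-bit Internet
# addresses. A netmask marks the network part; the remaining bits are the host part.
# The sample addresses are constructed for the demonstration.

def dotted_to_int(addr: str) -> int:
    """'10.1.1.130' -> 32-bit integer; raises ValueError on malformed input."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError("not a dotted 4-octet address: %r" % addr)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_dotted(n: int) -> str:
    """32-bit integer -> dotted decimal, as the text writes addresses."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> str:
    """Netmask for a prefix length, e.g. 24 -> '255.255.255.0', 26 -> '255.255.255.192'."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return int_to_dotted((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF)


def network_address(addr: str, mask: str) -> str:
    """Host field cleared to all zeros: the name of the (sub)network itself."""
    return int_to_dotted(dotted_to_int(addr) & dotted_to_int(mask))


def broadcast_address(addr: str, mask: str) -> str:
    """Host field set to all ones: every system on that (sub)network receives it."""
    m = dotted_to_int(mask)
    return int_to_dotted((dotted_to_int(addr) & m) | (~m & 0xFFFFFFFF))


def classify(addr: str, mask: str) -> str:
    """Say what an address means under the given mask, including the special 0 and 255 cases."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    net, host = a & m, a & host_bits
    if a == 0:
        return "this host, network unknown"
    if a == 0xFFFFFFFF:
        return "limited broadcast: every system on the local network"
    if net == 0:                       # e.g. 0.0.0.23: knows its host number, not its network
        return "host %d on an unknown network" % host
    if host == host_bits:              # all ones in the host field
        return "directed broadcast on network %s" % int_to_dotted(net)
    if host == 0:
        return "network address %s, not a host" % int_to_dotted(net)
    return "host %d on network %s" % (host, int_to_dotted(net))


if __name__ == "__main__":
    for probe in ("10.1.1.130", "10.1.1.191", "0.0.0.23", "255.255.255.255"):
        print(probe, "->", classify(probe, mask_from_prefix(26)))
```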


that the two ends don't necessarily know about all of the steps in between. For example, when sending data between Rutgers and Berkeley, it is likely that both computers will be on Ethernets. Thus they will both be prepared to handle 1500-octet datagrams. However, the connection will at some point end up going over the Arpanet. It can't handle packets of that size. For this reason, there are provisions to split datagrams up into pieces. (This is referred to as "fragmentation".) The IP header contains fields indicating the datagram has been split, and enough information to let the pieces be put back together. If a gateway connects an Ethernet to the Arpanet, it must be prepared to take 1500-octet Ethernet packets and split them into pieces that will fit on the Arpanet. Furthermore, every host implementation of TCP/IP must be prepared to accept pieces and put them back together. This is referred to as "reassembly".
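An added example (not the text's own code) of the fragmentation and reassembly just described: the 1480-octet payload of a 1500-octet Ethernet datagram is split so that each piece, with its 20-octet IP header, fits a 576-octet link, using the IP-style 8-octet fragment offsets and "more fragments" flag, and is then reassembled with checks for missing or overlapping pieces, the case a careless reassembler gets wrong. The identification value and payload are constructed.

```python
# Added example (not from the original text): IP-style fragmentation of one
# datagram's payload for a smaller link, and the reassembly every host must do.
# Fragment offsets are in 8-octet units and all but the last piece carry the
# "more fragments" flag, as in the IP header. Sample data is constructed.
from dataclasses import dataclass

IP_HEADER_LEN = 20   # plain IP header without options


@dataclass
class Fragment:
    ident: int       # identification field shared by all pieces of one datagram
    offset: int      # fragment offset in 8-octet units
    more: bool       # "more fragments" flag
    data: bytes


def fragment(ident: int, payload: bytes, mtu: int) -> list:
    """Split one datagram's payload into pieces whose header + data fit the MTU."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8          # non-final pieces must be multiples of 8
    if chunk <= 0:
        raise ValueError("MTU too small for an IP header plus data")
    pieces = []
    for start in range(0, len(payload), chunk):
        end = min(start + chunk, len(payload))
        pieces.append(Fragment(ident, start // 8, end < len(payload), payload[start:end]))
    return pieces


def reassemble(pieces: list):
    """Rebuild the payload from pieces in any order.
    Returns None when a piece is missing, pieces overlap, or identifications differ."""
    if not pieces or len({p.ident for p in pieces}) != 1:
        return None
    ordered = sorted(pieces, key=lambda p: p.offset)
    out, expected = bytearray(), 0
    for p in ordered:
        if p.offset * 8 != expected:                # gap (lost piece) or overlap (duplicate)
            return None
        out += p.data
        expected += len(p.data)
    if ordered[-1].more:                            # the final piece never arrived
        return None
    return bytes(out)


if __name__ == "__main__":
    payload = bytes(i & 0xFF for i in range(1480))   # 1500-octet datagram minus its header
    pieces = fragment(0x1234, payload, 576)          # constructed identification value
    print([(p.offset, p.more, len(p.data)) for p in pieces])
    print(reassemble(pieces[::-1]) == payload, reassemble(pieces[:2]))
```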

TCP/IP implementations differ in the approach they take to deciding on datagram size. It is fairly common for implementations to use 576-byte datagrams whenever they can't verify that the entire path is able to handle larger packets. This rather conservative strategy is used because of the number of implementations with bugs in the code to reassemble fragments. Implementors often try to avoid ever having fragmentation occur. Different implementors take different approaches to deciding when it is safe to use large datagrams. Some use them only for the local network. Others will use them for any network on the same campus. 576 bytes is a "safe" size, which every implementation must support.

2.2.0) Ethernet encapsulation: ARP

There was a brief discussion earlier about what IP datagrams look like on an Ethernet. The discussion showed the Ethernet header and checksum. However, it left one hole: It didn't say how to figure out what Ethernet address to use when you want to talk to a given Internet address. In fact, there is a separate protocol for this, called ARP ("address resolution protocol"). (Note by the way that ARP is not an IP protocol. That is, the ARP datagrams do not have IP headers.)

Suppose you are on system 12


update their knowledge about other hosts on the network, even if the request isn't for them. Note that packets whose IP address indicates broadcast (e.g. 255.255.255.255 or 12

The windows registry provides for a somewhat secure unified database that stores configuration information in a hierarchical model. Until recently, configuration files such as WIN.INI were the only way to configure windows applications and operating system functions. In today's NT 4 environment, the registry replaces these .INI files. Each key in the registry is similar to bracketed headings in an .INI file.

One of the main disadvantages to the older .INI files is that those files are flat text files, which are unable to support nested headings or contain data other than pure text. Registry keys can contain nested headings in the form of subkeys. These subkeys provide finer details and a greater range to the possible configuration information for a particular operating system. Registry values can also consist of executable code, as well as provide individual references for multiple users of the same computer. The ability to store executable code within the Registry extends its usage to operating system, system and application developers. The ability to store user-specific profile information allows one to tailor the environment for specific individual users.

To view the registry of an NT server, one would use the Registry Editor tool. There are two versions of Registry Editor:

Regedt32.exe has the most menu items and more choices for the menu items. You can search for keys and subkeys in the registry.

Regedit.exe enables you to search for strings, values, keys, and subkeys and export keys to .reg files. This feature is useful if you want to find specific data.

For ease of use, the Registry is divided into five separate structures that represent the Registry database in its entirety. These five groups are known as Keys, and are discussed below:

3.0.2) In Depth Key Discussion

HKEY_CURRENT_USER
This registry key contains the configuration information for the user that is currently logged in. The user's folders, screen colors, and control panel settings are stored here. This information is known as a User Profile.

HKEY_USERS
In Windows NT 3.5, user profiles were stored locally (by default) in the systemroot\system32\config directory. In NT 4.0 they are stored in the systemroot\profiles directory. User-specific information is kept there, as well as common system-wide user information.

This change in storage location has been brought about to parallel the way in which Windows 95 handles its user profiles. In earlier releases of NT, the user profile was stored as a single file - either locally in the \config directory or centrally on a server. In Windows NT 4 the single user profile has been broken up into a number of subdirectories located below the \profiles directory. The reason for this is mainly due to the way in which the Win95 and WinNT4 operating systems use the underlying directory structure to form part of their new user interface.

A user profile is now contained within the NtUser.dat (and NtUser.dat.log) files, as well as the following subdirectories:

Application Data: This is a place to store application data specific to this particular user.

Desktop: Placing an icon or a shortcut into this folder causes that icon or shortcut to appear on the desktop of the user.

Favorites: Provides a user with a personalized storage place for files, shortcuts and other information.

NetHood: Maintains a list of personalized network connections.

Personal: Keeps track of personal documents for a particular user.

PrintHood: Similar to the NetHood folder, PrintHood keeps track of printers rather than network connections.

Recent: Contains information on recently used data.

SendTo: Provides a centralized store of shortcuts and output devices.

Start Menu: Contains configuration information for the user's menu items.

Templates: Storage location for document templates.

HKEY_LOCAL_MACHINE is probably the most important key in the registry and it contains five subkeys:

Hardware: Database that describes the physical hardware in the computer, the way device drivers use that hardware, and mappings and related data that link kernel-mode drivers with various user-mode code. All data in this sub-tree is re-created every time the system is started.

SAM: The security accounts manager. Security information for user and group accounts and for the domains in NT 4 server.

Security: Database that contains the local security policy, such as specific user rights. This key is used only by the NT 4 security subsystem.

Software: Per-computer software database. This key contains data about software installed on the local computer, as well as configuration information.

System: Database that controls system start-up, device driver loading, NT 4 services and OS behavior.

Information about the HKEY

This subtree contains the user and group accounts in the SAM database for the local computer. For a computer that is running NT 4, this subtree also contains security information for the domain. The information contained within the SAM registry key is what appears in the user interface of the User Manager utility, as well as in the lists of users and groups that appear when you make use of the Security menu commands in NT4 explorer.

Information about the HKEY

\\ denotes a major hive, \ denotes a subkey of the prior major hive

\\HKEY_LOCAL_MACHINE
    Admin - Full Control
    Everyone - Read Access
    System - Full Control

\HARDWARE
    Admin - Full Control
    Everyone - Read Access
    System - Full Control

\SAM
    Admin - Full Control
    Everyone - Read Access
    System - Full Control

\SECURITY
    Admin - Special (Write DAC, Read Control)
    System - Full Control

\SOFTWARE
    Admin - Full Control
    Creator Owner - Full Control
    Everyone - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    System - Full Control

\SYSTEM
    Admin - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    Everyone - Read Access
    System - Full Control

\\HKEY_CURRENT_USER
    Admin - Full Control
    Current User - Full Control
    System - Full Control

\\HKEY_USERS
    Admin - Full Control
    Current User - Full Control
    System - Full Control

\\HKEY_CLASSES_ROOT
    Admin - Full Control
    Creator Owner - Full Control
    Everyone - Special (Query, Set, Create, Enumerate, Notify, Delete, Read)
    System - Full Control

\\HKEY_CURRENT_CONFIG
    Admin - Full Control
    Creator Owner - Full Control
    Everyone - Read Access
    System - Full Control

4.0.0) Introduction to PPTP

Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line.

The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP), which is defined and documented by the Internet Engineering Task Force in RFC 1171. PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics and US Robotics.

4.0.1) PPTP and Virtual Private Networking

The Point-To-Point Tunneling Protocol is packaged with Windows NT 4.0 Server and Workstation. PC's that are running this protocol can use it to securely connect to a private network as a remote access client by using a public data network such as the Internet.

A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPN's over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area remote access solution for mobile users, because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet.

4.0.2) Standard PPTP Deployment

In general practice, there are normally three computers involved in a deployment:

a PPTP client

a Network Access Server

a PPTP Server

note: the network access server is optional and is NOT needed for PPTP deployment. In a normal deployment, however, one is present.

In a typical deployment of PPTP, it begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients who are running the Windows NT Server or Workstation operating systems will use Dial-up networking and the Point-To-Point protocol to connect to their ISP. The client will then connect to a network access server which will be located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol for the handling of all traffic.


After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel.

Tunneling is the process of exchanging data with a computer on a private network by routing it over some other network. The other network's routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company private network and the routing network, which in this case is the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network.

When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet.

quick note: The encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX/SPX, or NetBEUI. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to understand Multi-Protocols.

PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet where they reach the PPTP server. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the packet using the network protocol of the private network. As mentioned earlier, the network protocols that are supported by PPTP are TCP/IP, IPX/SPX, and NetBEUI.

4.0.3) PPTP Clients

A computer that is able to use the PPTP protocol can connect to a PPTP server two different ways:

By using an ISP's network access server that supports inbound PPP connections.

By using a physical TCP/IP-enabled LAN connection to connect to a PPTP server.

PPTP clients attempting to use an ISP's network access server must be properly configured with a modem and a VPN device to make the separate connections to the ISP and the PPTP server. The first connection is a dial-up connection utilizing the PPP protocol over the modem to an Internet Service Provider. The second connection is a VPN connection using PPTP, over the modem and through the ISP. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connections to the internet.

The exception to this two connection process is using PPTP to create a virtual private network between computers physically connected to a LAN. In this scenario, the client is already connected to a network and only uses Dial-Up networking with a VPN device to create the connection to a PPTP server on the LAN.

PPTP packets from a remote PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media.

4.0.4) PPTP Architecture


This next area discusses the architecture of PPTP under Windows NT Server 4.0 and NT Workstation 4.0. The following section covers:

PPP Protocol

PPTP Control Connection

PPTP Data Tunneling

Architecture Overview: The secure communication that is established using PPTP typically involves three processes, each of which requires successful completion of the previous process. This will now explain these processes and how they work:

PPP Connection and Communication: A PPTP client utilizes PPP to connect to an ISP by using a standard telephone line or ISDN line. This connection uses the PPP protocol to establish the connection and encrypt data packets.

PPTP Control Connection: Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP to establish communication and is called a PPTP Tunnel.

PPTP Data Tunneling: The PPTP protocol creates IP datagrams containing encrypted PPP packets which are then sent through the PPTP tunnel to the PPTP server. The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and then routes the decrypted packet to the private network.

PPP Protocol:

This section will not cover in-depth information about PPP; it will cover the role PPP plays in a PPTP environment. PPP is a remote access protocol used by PPTP to send data across TCP/IP based networks. PPP encapsulates IP, IPX, and NetBEUI packets between PPP frames and sends the encapsulated packets by creating a point-to-point link between the sending and receiving computers.

Most PPTP sessions are started by a client dialing up an ISP network access server. The PPP protocol is used to create the dial-up connection between the client and network access server and performs the following functions:

Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers.

Authenticates Users. PPTP clients are authenticated by using PPP. Clear text, encrypted, or MS CHAP can be used by the PPP protocol.

Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets.

PPTP Control Connection:

The PPTP protocol specifies a series of messages that are used for session control. These messages are sent between a PPTP client and a PPTP server. The control messages establish, maintain and end the PPTP tunnel. The following list presents the primary control messages used to establish and maintain the PPTP session.

Message Type                    Purpose
PPTP_START_SESSION_REQUEST      Starts Session
PPTP_START_SESSION_REPLY        Replies to Start Session Request
PPTP_ECHO_REQUEST               Maintains Session
PPTP_ECHO_REPLY                 Replies to Maintain Session Request
PPTP_WAN_ERROR_NOTIFY           Reports an error in the PPP connection
PPTP_SET_LINK_INFO              Configures PPTP Client/Server Connection
PPTP_STOP_SESSION_REQUEST       Ends Session
PPTP_STOP_SESSION_REPLY         Replies to End Session Request

The control messages are sent inside of control packets in a TCP datagram. One TCP connection is enabled between the PPTP client and Server. This path is used to send and receive control messages. The datagram contains a PPP header, a TCP Header, a PPTP Control message and appropriate trailers. The construction is as follows:

-----------------------------------
PPP Delivery Header
-----------------------------------
IP Header
-----------------------------------
PPTP Control Message
-----------------------------------
Trailers
-----------------------------------

PPTP Data Transmission

After the PPTP Tunnel has been created, user data is transmitted between the client and PPTP server. Data is sent in IP Datagrams containing PPP packets. The IP datagram is created using a modified version of the Generic Routing Encapsulation (GRE) protocol (GRE is defined in RFC 1701 and 1702). The structure of the IP Datagram is as follows:

---------------------------------------------------
PPP Delivery Header
---------------------------------------------------
IP Header
---------------------------------------------------
GRE Header
---------------------------------------------------
PPP Header
---------------------------------------------------
IP Header
---------------------------------------------------
TCP Header
---------------------------------------------------
Data
---------------------------------------------------

By paying attention to the construction of the packet, you can see how it would be able to be transmitted over the Internet as headers are stripped off. The PPP Delivery header provides information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP Datagram. The PPP packet is created by RAS. The PPP Packet is encrypted and if intercepted would be unintelligible.

4.0.5) Understanding PPTP Security

PPTP uses the strict authentication and encryption security available to computers running RAS under Windows NT Server version 4.0. PPTP can also protect the PPTP server and private network by ignoring all but PPTP traffic. Despite this security, it is easy to configure a firewall to allow PPTP to access the network.


Authentication: Initial dial-in authentication may be required by an ISP network access server. If this authentication is required, it is strictly to log on to the ISP; it is not related to Windows NT based authentication. A PPTP server is a gateway to your network, and as such it requires standard Windows NT based logon. All PPTP clients must provide a user name and password. Therefore, remote access logon using a PC running under NT Server or Workstation is as secure as logging on from a PC connected to a LAN (theoretically). Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly into an NT Server. Because of this, it fully supports MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), which uses the MD4 hash, as well as earlier LAN Manager methods.

Access Control: After authentication, all access to the private LAN continues to use existing NT based security structures. Access to resources on NTFS drives or to other network resources requires the proper permissions, just as if you were connected directly to the LAN.

Data Encryption: For data encryption, PPTP uses the RAS "shared-secret" encryption process. It is referred to as a shared secret because both ends of the connection share the encryption key. Under Microsoft's implementation of RAS, the shared secret is the user password (other methods include public key encryption). PPTP uses the PPP encryption and PPP compression schemes. The CCP (Compression Control Protocol) is used to negotiate the encryption used. The username and password is available to the server and supplied by the client. An encryption key is generated using a hash of the password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit (12


KEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<adapter name>\Parameters\Tcpip

Values: DontAddDefaultGateway, DataType REG_DWORD, Range 0 - 1, Default 1

When PPTP is installed, a default route is made for each LAN adapter. This parameter will disable the default route on the corporate LAN adapter.

PPTPFiltering
Key: <adaptername>\Parameters\tcpip
ValueType: REG_DWORD
Valid Range: 0 - 1
Default: 0

This parameter controls whether PPTP filtering is enabled or not.

PPTPTcpMaxDataRetransmissions
Key: Tcpip\Parameters
ValueType: REG_DWORD - Number of times to retransmit a PPTP packet.
Valid Range: 0 - 0xFFFFFFFF
Default: 9

This setting controls how many times PPTP will retransmit a packet.

4.0.7) Special Security Update

SPECIAL REVISION: As a last minute revision to the lecture, a flaw has been discovered in the PPTP architecture. It turns out that if you send a pptp start session request with an invalid packet length in the pptp packet header, it will crash an NT box and cause the NT server to do a CoreDump. Fragments of code for a DoS attack package are flying, and the rhino9 team should have a completed DoS attack program released soon. This program is released, of course, for network administrators wanting to know how the bug works.

5.0.0) TCP/IP Commands as Tools

This is a list of the most commonly used TCP/IP command line tools that are used to explore and find out information from a network. These tools will be referred to later on in this document, so their usage and function will not be explained again later. Please note that not all of these switches remain the same across different TCP/IP stacks. The Microsoft TCP/IP stack is almost always different from most switches used on Unix systems.

5.0.1) The Arp Command

The arp command will display internet to ethernet (IP to MAC) address translations, which is normally handled by the arp protocol. When the hostname is the only parameter, this command will display the current ARP entry for that hostname.

Usage: arp hostname

Switches:
  -a            Displays current ARP entries by interrogating the current protocol data. If inet_addr is specified, the IP and physical addresses for only the specified computer are displayed. If more than one network interface uses ARP, entries for each ARP table are displayed.
  -g            Same as -a.
  inet_addr     Specifies an internet address.
  -N if_addr    Displays the ARP entries for the network interface specified by if_addr.
  -d            Deletes the host specified by inet_addr.
  -s            Adds the host and associates the Internet address inet_addr with the physical address eth_addr. The physical address is given as 6 hexadecimal bytes separated by hyphens. The entry is permanent.
  eth_addr      Specifies a physical address.
  if_addr       If present, this specifies the Internet address of the interface whose address translation table should be modified. If not present, the first applicable interface will be used.

5.0.2) The Traceroute Command

The traceroute command is used to trace the route that a packet takes to reach its destination. This command works by using the time to live (TTL) field in the IP packet.

Usage: tracert IP or Hostname

Switches:
  -d                 Do not resolve addresses to hostnames.
  -h maximum_hops    Maximum number of hops to search for target.
  -j host-list       Loose source route along host-list.
  -w timeout         Wait timeout milliseconds for each reply.

5.0.3) The Netstat Command

This command is used to query the network subsystem regarding certain types of information. Different types of information will be received depending on the switches used in conjunction with this command.

Usage: netstat [switch]

Switches:
  -A    Shows the addresses of any associated protocol control blocks.
  -a    Will show the status of all sockets. Sockets associated with network server processes are normally not shown.
  -i    Shows the state of the network interfaces.
  -m    Prints the network memory usage.
  -n    Causes netstat to show actual addresses as opposed to hostnames or network names.
  -r    Prints the routing table.
  -s    Tells netstat to show the per protocol statistics.
  -t    Replaces the queue length information with timer information.

5.0.4) The Finger Command

By default, finger will list the login name, full name, terminal name, and write status (shown as a "*" before the terminal name if write permission is denied), idle time, login time, office location, and phone number (if known) for each current user connected to the network.

Usage: finger username@domain

Switches:
  -b    Brief output format.


  -f    Suppresses the printing of the header line.
  -i    Provides a quick list of users with idle time.
  -l    Forces long output format.
  -p    Suppresses printing of the .plan file (if present).
  -q    Provides a quick list of users.
  -s    Forces short output form.
  -w    Forces narrow output form.

5.0.5) The Ping Command

The ping (Packet Internet Groper) is used to send ICMP (Internet Control Message Protocol) packets from one host to another. Ping transmits packets using the ICMP ECHO_REQUEST command and expects an ICMP ECHO_REPLY.

Usage: ping IP address or Hostname

Switches:
  -t              Ping the specified host until interrupted.
  -a              Resolve addresses to hostnames.
  -n count        Number of echo requests to send.
  -l size         Send buffer size.
  -f              Set Don't Fragment flag in packet.
  -i TTL          Time To Live.
  -v TOS          Type Of Service.
  -r count        Record route for count hops.
  -s count        Timestamp for count hops.
  -j host-list    Loose source route along host-list.
  -k host-list    Strict source route along host-list.
  -w timeout      Timeout in milliseconds to wait for each reply.

5.0.6) The Nbtstat Command

Can be used to query the network concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and reloading the LMHOSTS file. This one command can be extremely useful when performing security audits. When one knows how to interpret the information, it can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches:
  -a RemoteName    Lists the remote computer's name table given its host name.
  -A IP_address    Lists the remote computer's name table given its IP address.
  -c               Lists the remote name cache including the IP addresses.
  -n               Lists local NetBIOS names.
  -r               Lists names resolved by broadcast and via WINS.
  -R               Purges and reloads the remote cache name table.
  -S               Lists sessions table with the destination IP addresses.
  -s               Lists sessions table converting destination IP addresses to host names via the hosts file.
  interval         This will redisplay the selected statistics, pausing for the number of seconds you choose as "interval" between each listing. Press CTRL+C to stop.

Notes on NBTSTAT

The column headings generated by NBTSTAT have the following meanings:

Input          Number of bytes received.
Output         Number of bytes sent.
In/Out         Whether the connection is from the computer (outbound) or from another system to the local computer (inbound).
Life           The remaining time that a name table cache entry will "live" before your computer purges it.
Local Name     The local NetBIOS name given to the connection.
Remote Host    The name or IP address of the remote host.
Type           A name can have one of two types: unique or group. The last byte of the 16 character NetBIOS name often means something, because the same name can be present multiple times on the same computer. This shows the last byte of the name converted into hex.
State          Your NetBIOS connections will be shown in one of the following "states":

State            Meaning
Accepting        An incoming connection is in process.
Associated       The endpoint for a connection has been created and your computer has associated it with an IP address.
Connected        This is a good state! It means you're connected to the remote resource.
Connecting       Your session is trying to resolve the name-to-IP address mapping of the destination resource.
Disconnected     Your computer requested a disconnect, and it is waiting for the remote computer to do so.
Disconnecting    Your connection is ending.
Idle             The remote computer has been opened in the current session, but is currently not accepting connections.
Inbound          An inbound session is trying to connect.
Listening        The remote computer is available.
Outbound         Your session is creating the TCP connection.
Reconnecting     If your connection failed on the first attempt, it will display this state as it tries to reconnect.

Name               Number   Type   Usage
<computername>     00       U      Workstation Service
<computername>     01       U      Messenger Service
<\\_MSBROWSE_>     01       G      Master Browser
<computername>     03       U      Messenger Service
<computername>     06       U      RAS Server Service
<computername>     1F       U      NetDDE Service
<computername>     20       U      File Server Service
<computername>     21       U      RAS Client Service
<computername>     22       U      Exchange Interchange
<computername>     23       U      Exchange Store
<computername>     24       U      Exchange Directory
<computername>     30       U      Modem Sharing Server Service
<computername>     31       U      Modem Sharing Client Service
<computername>     43       U      SMS Client Remote Control
<computername>     44       U      SMS Admin Remote Control Tool
<computername>     45       U      SMS Client Remote Chat
<computername>     46       U      SMS Client Remote Transfer
<computername>     4C       U      DEC Pathworks TCPIP Service
<computername>     52       U      DEC Pathworks TCPIP Service
<computername>
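As an added example (not code from the Rhino9 document), the Python below parses the name table that nbtstat -A returns and interprets it using the suffix list above: which services the host registers, and what an auditor learns from the table. The sample output is constructed rather than captured from a real host; reading a unique <03> name that differs from the computer name as a logged-on user's Messenger registration is NetBIOS convention rather than something the table above states.

```python
import re

# Suffix meanings for UNIQUE computer names, taken from the name table above
# (only what the page lists; any other suffix is reported as unknown).
NETBIOS_SUFFIXES = {
    "00": "Workstation Service", "01": "Messenger Service", "03": "Messenger Service",
    "06": "RAS Server Service", "1F": "NetDDE Service", "20": "File Server Service",
    "21": "RAS Client Service", "22": "Exchange Interchange", "23": "Exchange Store",
    "24": "Exchange Directory", "30": "Modem Sharing Server Service",
    "31": "Modem Sharing Client Service", "43": "SMS Client Remote Control",
    "44": "SMS Admin Remote Control Tool", "45": "SMS Client Remote Chat",
    "46": "SMS Client Remote Transfer", "4C": "DEC Pathworks TCPIP Service",
    "52": "DEC Pathworks TCPIP Service",
}

# One name-table row: name, <suffix>, UNIQUE|GROUP, status.
ROW_RE = re.compile(r"^\s*(?P<name>\S.*?)\s*<(?P<suffix>[0-9A-Fa-f]{2})>\s+"
                    r"(?P<type>UNIQUE|GROUP)\s+(?P<status>\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed sample of "nbtstat -A <ip>" output (not captured from a real host).
SAMPLE_OUTPUT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
WORKSTN01      <00>  UNIQUE      Registered
WORKSTN01      <20>  UNIQUE      Registered
CORPDOMAIN     <00>  GROUP       Registered
CORPDOMAIN     <1C>  GROUP       Registered
WORKSTN01      <03>  UNIQUE      Registered
JSMITH         <03>  UNIQUE      Registered
WORKSTN01      <06>  UNIQUE      Registered
..__MSBROWSE__.<01>  GROUP       Registered

MAC Address = 00-11-22-33-44-55
"""


def parse_name_table(text):
    """Return (rows, mac); each row is a dict with name, suffix, type and status."""
    rows, mac = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append({"name": m["name"], "suffix": m["suffix"].upper(),
                         "type": m["type"], "status": m["status"]})
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return rows, mac


def audit_name_table(text):
    """Name the registered services and record what the table reveals about the host."""
    rows, mac = parse_name_table(text)
    unique = [r for r in rows if r["type"] == "UNIQUE"]
    computer = next((r["name"] for r in unique if r["suffix"] == "00"), None)
    services = sorted({(r["suffix"], NETBIOS_SUFFIXES[r["suffix"]]) for r in unique
                       if r["name"] == computer and r["suffix"] in NETBIOS_SUFFIXES})
    findings = []
    if any(r["suffix"] == "20" for r in unique):
        findings.append("File Server Service <20> registered: the host offers SMB shares")
    if any(r["suffix"] == "06" for r in unique):
        findings.append("RAS Server Service <06> registered: the host accepts dial-in")
    # A unique <03> name other than the computer name is a logged-on user's
    # Messenger registration, so the user name is exposed to anyone who asks.
    for user in sorted({r["name"] for r in unique if r["suffix"] == "03" and r["name"] != computer}):
        findings.append(f"logged-on user name exposed via <03>: {user}")
    if any("__MSBROWSE__" in r["name"] and r["suffix"] == "01" for r in rows):
        findings.append("host is the Master Browser for its subnet")
    unknown = sorted({r["suffix"] for r in rows if r["suffix"] not in NETBIOS_SUFFIXES})
    return {"computer": computer, "mac": mac, "services": services,
            "findings": findings, "unknown_suffixes": unknown}
```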


Usage: ipconfig [/? | /all | /release [adapter] | /renew [adapter]]

Switches:
  /?          Display this help message.
  /all        Display full configuration information.
  /release    Release the IP address for the specified adapter.
  /renew      Renew the IP address for the specified adapter.

5.0.8) The Telnet Command

Technically, telnet is a protocol. This means it is a language that computers use to communicate with one another in a particular way. From your point of view, Telnet is a program that lets you login to a site on the Internet through your connection to Teleport. It is a terminal emulation program, meaning that when you connect to the remote site, your computer functions as a terminal for that computer.

Once the connection is made, you can use your computer to access information, run programs, edit files, and otherwise use whatever resources are available on the other computer. What is available depends on the computer you connect to. Most of the time, if you type '?' or 'help', you would normally receive some type of information, menu options, etc.

Note: telnet connections give you command-line access only. In other words, instead of being able to use buttons and menus as you do with a graphical interface, you have to type commands. However, telnet allows you to use certain utilities and resources you cannot access with your other Internet applications.

Usage: telnet hostname or IP address port(optional)

6.0.0) NT Security

6.0.1) The @or

... pressing enter, the WinLogon process supplies the information to the security subsystem, which in turn compares the information to the


Security Accounts Manager (SAM). If the information is compliant with the information in the SAM, an access token is created for the user. WinLogon takes the access token and passes it onto the Win32 subsystem, which in turn starts the operating system's shell. The shell, as well as all other spawned processes, will receive a token. This token is not only used for security but also allows NT's auditing and logging features to track user usage and access of network resources.

Note: All of the logon components are located in a file known as the Graphical Identification and Authentication (GINA) module, specifically MSGINA.DLL. Under certain conditions this file can be replaced, which is how you would change the SAS key combination.

For fine tuning of the WinLogon process, you can refer to the registry. All of the options for the WinLogon process are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon area. You can also fine tune the process by using the Policy Editor.

Logging on to a Domain

If an NT machine is a participant on a Domain, you would not only need to login to the local machine, but the Domain as well. If a computer is a member of a Domain, the WinLogon process is replaced by the NetLogon process.

6.0.2) Security Architecture Components

Local Security Authority (LSA): Also known as the security subsystem, it is the central portion of NT security. It handles local security policies and user authentication. The LSA also handles generating and logging audit messages.

Security Accounts Manager (SAM): The SAM handles user and group accounts and provides user authentication for the LSA.

Security Reference Monitor (SRM): The SRM is in charge of enforcing and assuring access validation and auditing for the LSA. It references user account information as the user attempts to access resources.

6.0.3) Introduction to Securing an NT Box

Abstract: The Microsoft Windows NT operating system provides several security features. However, the default out-of-the-box configuration is highly relaxed, especially on the Workstation product. This is because the operating system is sold as a shrink-wrapped product with an assumption that an average customer may not want to worry about a highly restrained but secure system on their desktop.

A particular installation's requirements can differ significantly from another. Therefore, it is necessary for individual customers to evaluate their particular environment and requirements before implementing a security configuration. This is also because implementing security settings can impact system configuration. Certain applications installed on Windows NT may require more relaxed settings to function properly than others because of the nature of the product. Customers are therefore advised to carefully evaluate recommendations in the context of their system configurations and usage.

If you install a Windows NT machine as a web server or a firewall, you should tighten up the security on that box. Ordinary machines on your internal network are less accessible than a machine on the Internet. A machine accessible from the Internet is more vulnerable and likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include:


- Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet
- Remove unnecessary network bindings
- Disable all unnecessary accounts, like guest
- Remove share permissions and default shares
- Remove network access for everyone (User Manager - Policies - User Rights, "Access this computer from the network")
- Disable unnecessary services
- Enable audit logging
- Track the audit information

6.0.4) Physical Security Considerations

Take the precautions you would with any piece of valuable equipment to protect against casual theft. This step can include locking the room the computer is in when no one is there to keep an eye on it, or using a locked cable to attach the unit to a wall. You might also want to establish procedures for moving or repairing the computer so that the computer or its components cannot be taken under false pretenses.

Use a surge protector or power conditioner to protect the computer and its peripherals from power spikes. Also perform regular disk scans and defragmentation to isolate bad sectors and to maintain the highest possible disk performance.

As with minimal security, the computer should be protected as any valuable equipment would be. Generally, this involves keeping the computer in a building that is locked to unauthorized users, as most homes and offices are. In some instances, you might want to use a cable and lock to secure the computer to its location. If the computer has a physical lock, you can lock it and keep the key in a safe place for additional security. However, if the key is lost or inaccessible, an authorized user might be unable to work on the computer.

You might choose to keep unauthorized users away from the power or reset switches on the computer, particularly if your computer's rights policy denies them the right to shut down the computer. The most secure computers (other than those in locked and guarded rooms) expose only the computer's keyboard, monitor, mouse, and (when appropriate) printer to users. The CPU and removable media drives can be locked away where only specifically authorized personnel can access them.

6.0.5) Backups

Regular backups protect your data from hardware failures and honest mistakes, as well as from viruses and other malicious mischief. The Windows NT Backup utility is described in Chapter 6, "Backing Up and Restoring Network Files," in Microsoft Windows NT Server Concepts and Planning. For procedural information, see Help.

Obviously, files must be read to be backed up, and they must be written to be restored. Backup privileges should be limited to administrators and backup operators: people to whom you are comfortable giving read and write access on all files.

6.0.6) Networks and Security

If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair to foil attempts to tap the wire and collect transmitted data.

6.0.7) Restricting the Boot Process


Most personal computers today can start a number of different operating systems. For example, even if you normally start Windows NT from the C: drive, someone could select another version of Windows on another drive, including a floppy drive or CD-ROM drive. If this happens, security precautions you have taken within your normal version of Windows NT might be circumvented.

In general, you should install only those operating systems that you want to be used on the computer you are setting up. For a highly secure system, this will probably mean installing one version of Windows NT. However, you must still protect the CPU physically to ensure that no other operating system is loaded. Depending on your circumstances, you might choose to remove the floppy drive or drives. In some computers, you can disable booting from the floppy drive by setting switches or jumpers inside the CPU. If you use hardware settings to disable booting from the floppy drive, you might want to lock the computer case (if possible) or lock the machine in a cabinet with a hole in the front to provide access to the floppy drive. If the CPU is in a locked area away from the keyboard and monitor, drives cannot be added or hardware settings changed for the purpose of starting from another operating system. Another simple setting is to edit the boot.ini file such that the boot timeout is 0 seconds; this will make it hard for the user to boot to another system if one exists.

On many hardware platforms, the system can be protected using a power-on password. A power-on password prevents unauthorized personnel from starting an operating system other than Windows NT, which would compromise system security. Power-on passwords are a function of the computer hardware, not the operating system software. Therefore, the procedure for setting up the power-on password depends on the type of computer and is available in the vendor's documentation supplied with the system.

6.0.8) Security Steps for an NT Operating System

6.0.9) Install


Value: Whatever you want for the title of the message box
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key: Microsoft\Windows NT\Current Version\Winlogon
Name: LegalNoticeText
Type: REG_SZ
Value: Whatever you want for the text of the message box

The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.

Example:

Welcome to the XYZ Information Kiosk
Log on using account name Guest and password XYZCorp.

Authorized Users Only
This system is for the use of authorized users only. Individuals using this computing system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

6.1.1) Rename Administrative Accounts

STATUS: Completed / Not implemented / Not applicable

It is a good idea to rename the built-in Administrator account to something less obvious. This powerful account is the one account that can never be locked out due to repeated failed logon attempts, and consequently is attractive to hackers who try to break in by repeatedly guessing passwords. By renaming the account, you force hackers to guess the account name as well as the password.

Make the following changes:

- Remove right "LOG ON FROM THE NETWORK" from the Administrators group
- Add right "LOG ON FROM THE NETWORK" for individuals who are administrators

    na