Malty Pro Side

How To Set Up an FTP Server in Windows Server 2003

2010-08-19T00:17:00.000-07:00

Install Internet Information Services and the FTP Service

Because FTP depends on Microsoft Internet Information Services (IIS), IIS and the FTP Service must be installed on the computer. To install IIS and the FTP Service, follow these steps.

NOTE: In Windows Server 2003, the FTP Service is not installed by default when you install IIS. If you already installed IIS on the computer, you must use the Add or Remove Programs tool in Control Panel to install the FTP Service.

Click Start, point to Control Panel, and then click Add or Remove Programs.
Click Add/Remove Windows Components.
In the Components list, click Application Server, click Internet Information Services (IIS) (but do not select or clear the check box), and then click Details.
Click to select the following check boxes (if they are not already selected):
Common Files
File Transfer Protocol (FTP) Service
Internet Information Services Manager
Click to select the check boxes next to any other IIS-related service or subcomponent that you want to install, and then click OK.
Click Next.
When you are prompted, insert the Windows Server 2003 CD-ROM into the computer's CD-ROM or DVD-ROM drive or provide a path to the location of the files, and then click OK.
Click Finish.

Configure The FTP Service

To configure the FTP Service to allow only anonymous connections, follow these steps:

Start Internet Information Services Manager or open the IIS snap-in.
Expand Server_name, where Server_name is the name of the server.
Expand FTP Sites
Right-click Default FTP Site, and then click Properties.
Click the Security Accounts tab.
Click to select the Allow Anonymous Connections check box (if it is not already selected), and then click to select the Allow only anonymous connections check box.

When you click to select the Allow only anonymous connections check box, you configure the FTP Service to allow only anonymous connections. Users cannot log on by using user names and passwords.
Click the Home Directory tab.
Click to select the Read and Log visits check boxes (if they are not already selected), and then click to clear the Write check box (if it is not already cleared).
Click OK.
Quit Internet Information Services Manager or close the IIS snap-in.

The FTP server is now configured to accept incoming FTP requests. Copy or move the files that you want to make available to the FTP publishing folder for access. The default folder is drive:\Inetpub\Ftproot, where drive is the drive on which IIS is installed.

Installing and Configuring Microsoft ISA Server 2004 SP2

2010-06-09T22:29:00.000-07:00

Installing and Configuring Microsoft ISA Server 2004 SP2

ISA Server 2004 Service Pack 2 has been available for public download since 2006/01/31. SP2 is available for ISA Server 2004 Standard and ISA Server 2004 Enterprise.

ISA Server 2004 SP2 contains several hotfixes after ISA Server 2004 SP1 was released. For a complete list of all hotfixes click here.

Microsoft recommends deploying ISA Server 2004 SP2 ASAP. You should test ISA Server 2004 SP2 in your lab environment and after that you should deploy SP2.

What about the Branchoffice Updates for ISA?

At TechEd 2005, Microsoft announced the Branch Office Updates for ISA Server 2004 which should help Administrators to effectively connect Branch Offices with ISA Server 2004.

Now, the Branch Office Update has gone and Microsoft has put all the features of the Branch Office Update in ISA Server 2004 SP2.

ISA Server 2004 SP2 contains the following updates:

Every Software Update since ISA Server 2004 RTM or SP1 (ISA Service Packs are cumulative)
Hotfixes from Microsoft PSS
Some enhancements in CARP (Cache Array Routing Protocol) for ISA Server 2004 Enterprise Edition
New certificate alerts
Caching of BITS (Background Intelligence Updates) for Windows Updates
Diffserv for Quality of Service for HTTP/HTTPS only
HTTP compression and decompression

Important notice before SP2 installation:
It is possible to uninstall ISA Server 2004 Service Pack 2 if your system has Windows Installer 3.0 but Windows Installer 3.0 must be installed BEFORE you install ISA Server 2004 Service Pack 2.

Important notice for ISA Server 2004 Enterprise Edition:
-- ISA Server 2004 SP2 must be installed on all ISA Array Members and on the Configuration Storage Server (CSS).
-- If some ISA services on ISA Array Members don't start, try to manually start the service because there is a problem when the ISA Array members try to reach the Configuration Storage Server (CSS)

Some other pitfalls:

After installation of ISA Server 2004 SP2 an ISA Alert could come up that says that the ISA Cache couldn't be initialized. This error can be ignored safely. The ISA Cache should be initialized successfully after a second alert message.
If ISA services are installed in the machine to be updated, ISA goes into Lockdown mode and stops all services. After SP2 installation you must restart the ISA Server computer.
The Firewallclient update in ISA Server 2004 SP2 is identical to the Firewallclient Update that came with ISA Server 2004 SP1.

Installation of ISA Server 2004 SP2

First we need to download the ISA Server 2004 SP2 from here. After downloading follow the Installation Wizard instructions.

Figure 1: Start the Installation Wizard

After reading the License Agreement, accept the License Agreement and click Update.

Figure 2: Setup has finished

You must restart the computer after SP2 installation.

After rebooting the machine, a webpage automatically starts up which tells you how to secure ISA Server 2004. I hope you followed the instructions on how to protect ISA Server 2004 and how to harden the Windows Server operating system and ISA Server 2004 before or after you installed ISA Server from the Microsoft ISA Server website.

Figure 3: Setup has finished

Customer Feedback

Start the ISA Server 2004 Management Console. One of the first visual changes you will see is the Customer Experience Improvement Program. If you click the link in Figure 4 you can choose if you want to be part of the Customer Experience Program or not.

Figure 4: Customer Feedback

Click Yes or No.

Figure 5: Customer Feedback

Error Level Tracing

ISA Server 2004 SP2 provides a new feature called Error Level Tracing. With the help of Error Level Tracing, ISA Server will send critical information about problems and crashes to Microsoft. Microsoft says that no confidential and personal information will be transmitted to Microsoft.

Error Level Tracing creates a file about 400 MB in size under %windir%\debug. The filename is ISALOG.BIN.

An enabled Error Level Tracing can have a negative impact on performance so you have the option of deactivating this feature.

To modify or disable Error Level Tracing, start Regedit and navigate to HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ ISATrace.
To change the file size of the Trace file, change the value for the CircularlLogSizeMB key.
To disable Error Level Tracing change the BootTracing Value to 0 and reboot the machine.

Windows Update / BITS Caching

With ISA Server 2004 SP2 it is possible to cache Updates from Microsoft Update and Windows Server Update Services (WSUS) transmitted via BITS (Background Intelligent Transfer Service). Windows Update caching is available through a new Caching rule. Right click the Cache button and then create a new Microsoft Update Cache Rule.

Figure 6: New Microsoft Update Cache Rule

The name of the rule is predefined and cannot be changed through the GUI.

Figure 7: The name of the rule is predefined

The Microsoft Update Cache Rule Wizard automatically creates a Domain name set with the URL of the Windows Update website. The following Figure shows the Domain name set of ISA Server 2004 Enterprise. ISA Server 2004 Standard SP2 creates some more URLs in the Domain set.

Figure 8: New Microsoft Update Cache Rule

After creating the rule it is possible to disable or enable caching of content received through the Background Intelligent Transfer Service (BITS).

Figure 9: Disable or enable BITS caching

Diffserv for HTTP

With ISA Server 2000 it was possible to create Bandwith rules for limiting traffic. Bandwith rules in ISA Server 2000 were rarely used so Microsoft didn't implement this feature in ISA Server 2004.

With ISA Server 2004 SP2 it is possible to use Diffserv for HTTP because a small number of Enterprise customers requested this feature. Diffserv is an extension of the IP-protocol that uses flags in the IP Header to priorize HTTP/HTTPS traffic. To implement Diffserv you must have a good understanding of Diffserv and network protocols. Diffserv for HTTP in ISA Server 2004 uses the Diffserv Priorities configured on your routers and other network devices.

It is possible to define Diffserv Preferences in the Global HTTP Policy Settings in the Microsoft ISA Server 2004 Management Console.

Figure 10: Specify Diffserv Preferences

ISA Server 2004 uses a Diffserv Filter. You can find the Diffserv Filter in the ISA Server Management Console in the Global section under Webfilters. It is only possible to enable or disable the Diffserv Filter.

Figure 11: Diffserv Filter in the ISA Management Console

Paket Priorization in ISA Server 2004 is a global setting for all HTTP and HTTPS Traffic. The Diffserv filter scans every URL or domain and associates a packet priority based on the Diffserv priorities.

To activate Diffserv, go to the global HTTP settings in the ISA Management console and click Specify Diffserv Preferences.

Figure 12: Activate Diffserv

Please note that Diffserv doesn't support a bandwidth control based on users and groups, and that Diffserv is limited to HTTP and HTTPS if you use the Webproxy Client.

For more information about Diffserv click here.

It is possible to set Priorities based on the Diffserv Bits configured in your network infrastructure.

Figure 13: Define Priorities

You can specify different Priorities to URLs and Domains. Click Add to insert new URL or domain and an associated Priority.

Figure 14: Add Priorities to URLs

Now it is time to apply Diffserv to the Networks that should use Diffserv.

Figure 15: Apply Diffserv to networks

HTTP Compression

ISA Server 2004 SP2 allows you to use HTTP compression. HTTP compression in ISA Server 2004 SP2 is a global HTTP policy setting. It applies to all HTTP traffic that flows through ISA Server to or from a specified network. HTTP compression is based on two Web filters:

Compression Filter
Caching Compressed Content Filter

Compression Filter

The compression filter is responsible for compression and decompression of HTTP requests and responses. The filter must have a high priority because it is responsible for decompression and only after decompression can you use other webfilters.

Caching Compressed Content Filter

This filter is responsible for caching of compressed content and serving a request from the compressed content in the cache. The Compressed Content Filter has the lowest Priority because caching occurs after all other enabled webfilters in ISA Server 2004 have done their work. The configuration of the new HTTP compression filter is done in the global HTTP settings of the ISA Server 2004 Management console.

Click Add to select the networks for which you want to use the HTTP compression feature.

Figure 16: Enable HTTP compression / decompression

Click Set Compression to specify compression settings for the selected network.

Figure 17: Configure reply for compressed content

If you select Reply with compressed HTTP content, ISA Server returns compressed content when client request from the selected network ask for compression.

If you select Request compressed HTTP content from servers, ISA Server 2004 will ask for compressed content.

Figure 18: Select content types to compress

The following content types cannot be compressed:

video
audio
application/ x-tar
x-world/x-vrml
application/ zip
application/ x-gzip
application/ x-zip-compressed
application/ x-compress
application/ x-compressed
application/ x-spoon@@

It is possible to activate or deactivate the compression of incoming packets. If you disable decompressing of incoming packets, an ISA Server webfilter can't inspect the content.

Compressing and decompressing incoming packets from ISA Server 2004 can result in more workload on ISA and an increased response time.

Figure 19: Activate or deactivate HTTP Compression

Other changes

New Certificate alerts
CARP extensions

New certificate alerts

Configuring ISA Server 2004 for SSL Bridging is a time consuming task for new ISA Server Administrators because they don't know the exact way to request certificates for SSL Publishing and how to use these certificates in ISA Server. ISA Server 2004 SP2 has some enhancements for this problem in form of additional information, for example in the SSL Weblistener that can give you more information about what to do with certificates in this configuration dialogue.

CARP enhancements

In ISA Server 2004 Enterprise SP2, Microsoft changed the CARP (Cache Array Routing Protocol) hash-based routing to use the host name to determine which array member should handle the request. CARP assigns all of the requests for a particular host, such as www.it-training- grote.de, to a specific array member so that all traffic is cached for one domain on one Array member.

How to set Static/DHCP IP Address from command line

2010-06-08T22:40:00.000-07:00

To change the computer name, its:

c:>Netdom renamecomputer /NewName:

To join a computer to domain:

c:>netdom join /domain: /Userd:Administrato r /passwordD:*

To set a DNS IP in IP Configuration:

c:>Netsh interface ip set dns “local area connection” static primary

Top 10 Most Expensive Accidents in History

2010-06-08T21:18:00.000-07:00

Top 10 Most Expensive Accidents in History

Throughout history, humans have always been prone to accidents. Here are some of the truly expensive accidents. An accident is defined as "an undesirable or unfortunate happening that occurs unintentionally and usually results in harm, injury, damage, or loss".

The list of the top 10 most expensive accidents in the history of the world as measured in dollars, is listed in this email.

This includes property damage and expenses incurred related to the accident such as cleanup and industry losses. Many of these accidents involve casualties which obviously cannot be measured in dollar terms. Each life lost is priceless and is not factored into the equation. Deliberate actions such as war or terrorism and natural disasters do not qualify as accidents and therefore are not included in this list.

# 10. Titanic

$150 Million

The sinking of the Titanic is possibly the most famous accident in the world. But it barely makes our list of top 10 most expensive. On April 15, 1912, the Titanic sank on its maiden voyage and was considered to be the most luxurious ocean liner ever built. Over 1,500 people lost their lives when the ship ran into an iceberg and sunk in frigid waters. The ship cost $7 million to build ($150 million in today's dollars).

# 09. Tanker Truck vs Bridge

$358 Million

On August 26, 2004, a car collided with a tanker truck containing 32,000 liters of fuel on the Wiehltal Bridge in Germany. The tanker crashed through the guardrail and fell 90 feet off the A4 Autobahn resulting in a huge explosion and fire which destroyed the load-bearing ability of the bridge. Temporary repairs cost $40 million and the cost to replace the bridge is estimated at $318 Million.

# 08. MetroLink Crash

$500 Million

On September 12, 2008, in what was one of the worst train crashes in California history, 25 people were killed when a Metrolink commuter train crashed head-on into a Union Pacific freight train in Los Angeles. It is thought that the Metrolink train may have run through a red signal while the conductor was busy text messaging. Wrongful death lawsuits are expected to cause $500 million in losses for Metrolink.

# 07. B-2 Bomber Crash

$1.4 Billion

Here we have our first billion dollar accident (and we're only #7 on the list). This B-2 stealth bomber crashed shortly after taking off from an air base in Guam on February 23, 2008. Investigators blamed distorted data in the flight control computers caused by moisture in the system. This resulted in the aircraft making a sudden nose-up move which made the B-2 stall and crash. This was 1 of only 21 ever built and was the most expensive aviation accident in history. Both pilots were able to eject to safety.

The crash was captured on video. It shows one B-2 Bomber successfully taking off followed by the B-2 Bomber which crashes. The crash starts at 2:00

# 06. Exxon Valdez

$2.5 Billion

The Exxon Valdez oil spill was not a large one in relation to the world's biggest oil spills, but it was a costly one due to the remote location of Prince William Sound (accessible only by helicopter and boat). On March 24, 1989, 10.8 million gallons of oil was spilled when the ship's master, Joseph Hazelwood, left the controls and the ship crashed into a Reef. The cleanup cost Exxon $2.5 billion.

# 05. Piper Alpha Oil Rig

$3.4 Billion

The world's worst off-shore oil disaster. At one time, it was the world's single largest oil producer, spewing out 317,000 barrels of oil per day.. On July 6, 1988, as part of routine maintenance, technicians removed and checked safety valves which were essential in preventing dangerous build-up of liquid gas. There were 100 identical safety valves which were checked. Unfortunately, the technicians made a mistake and forgot to replace one of them. At 10 PM that same night, a technician pressed a start button for the liquid gas pumps and the world's most expensive oil rig accident was set in motion.

Within 2 hours, the 300 foot platform was engulfed in flames. It eventually collapsed, killing 167 workers and resulting in $3.4 Billion in damages.

# 04. Challenger Explosion

$5.5 Billion

The Space Shuttle Challenger was destroyed 73 seconds after takeoff due on January 28, 1986 due to a faulty O-ring. It failed to seal one of the joints, allowing pressurized gas to reach the outside. This in turn caused the external tank to dump its payload of liquid hydrogen causing a massive explosion. The cost of replacing the Space Shuttle was $2 billion in 1986 ($4.5 billion in today's dollars). The cost of investigation, problem correction, and replacement of lost equipment cost $450 million from 1986-1987 ($1 Billion in today's dollars).

# 03. Prestige Oil Spill

$12 Billion

On November 13, 2002, the Prestige oil tanker was carrying 77,000 tons of heavy fuel oil when one of its twelve tanks burst during a storm off Galicia, Spain. Fearing that the ship would sink, the captain called for help from Spanish rescue workers, expecting them to take the ship into harbour. However, pressure from local authorities forced the captain to steer the ship away from the coast. The captain tried to get help from the French and Portuguese authorities, but they too ordered the ship away from their shores. The storm eventually took its toll on the ship resulting in the tanker splitting in half and releasing 20 million gallons oil into the sea.

According to a report by the Pontevedra Economist Board, the total cleanup cost $12 billion.

# 02. Space Shuttle Columbia

$13 Billion

The Space Shuttle Columbia was the first space worthy shuttle in NASA's orbital fleet. It was destroyed during re-entry over Texas on February 1, 2003 after a hole was punctured in one of the wings during launch 16 days earlier. The original cost of the shuttle was $2 Billion in 1978. That comes out to $6.3 Billion in today's dollars. $500 million was spent on the investigation, making it the costliest aircraft accident investigation in history. The search and recovery of debris cost $300 million.

In the end, the total cost of the accident (not including replacement of the shuttle) came out to $13 Billion according to the American Institute of Aeronautics and Astronautics.

# 01. Chernobyl

$200 Billion

On April 26, 1986, the world witnessed the costliest accident in history. The Chernobyl disaster has been called the biggest socio-economic catastrophe in peacetime history. 50% of the area of Ukraine is in some way contaminated. Over 200,000 people had to be evacuated and resettled while 1.7 million people were directly affected by the disaster. The death toll attributed to Chernobyl, including people who died from cancer years later, is estimated at 125,000. The total costs including cleanup, resettlement, and compensation to victims has been estimated to be roughly $200 Billion. The cost of a new steel shelter for the Chernobyl nuclear plant will cost $2 billion alone. The accident was officially attributed to power plant operators who violated plant procedures and were ignorant of the safety requirements needed.

Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication

2010-06-07T05:04:00.000-07:00

Installing and Configuring Windows Server 2003 RADIUS Support for VPN Clients – Including Support for EAP/TLS Authentication

Some organizations may prefer to not join the ISA Server firewall/VPN server to their internal network domain. The primary reason for not joining the ISA Server firewall/VPN server to the internal network domain is to prevent potential intruders from using the firewall as a launch point for an attack on the internal network domain. While the probability of the firewall being compromised is very small, it is a fact that the ISA Server firewall is a bastion host and it is exposed to direct attack from the Internet.

The only user accounts available to the machine are those configured in the local user database when the ISA Server firewall/VPN server is not joined to the internal network domain,. In this scenario, all user accounts need to be input into the local user database on the ISA Server firewall/VPN server machine. There is a lot administrative overhead when you mirror your internal network user database, including both user names and passwords, onto the ISA Server firewall/VPN server’s local SAM database.

A better solution is to use the Microsoft Windows Server 2003 Internet Authentication Service (IAS). The Microsoft IAS Server is a Remote Authentication Dial In User Service (RADIUS) server. A RADIUS server accepts authentication requests from the ISA Server firewall/VPN server and forwards them to an authentication server. In a Windows Server 2003 domain, the domain controller represents the authentication server. The authentication server confirms or denies the authentication request and forwards the result to the RADIUS server. The RADIUS server forwards it to the ISA Server firewall/VPN server.

The Microsoft IAS Server can also be used to centralize the management of Routing and Remote Access Policy. You may wish to apply the same remote access policies to each server if you have two or more ISA Server firewall/VPN servers. You could manually configure Remote Access Policy on each server using the graphical interface or the netsh command. A better way is to the Microsoft IAS Server. You create Remote Access Policy on the IAS Server and then configure the ISA Server firewall/VPN servers to use the IAS Server of your choice. The policies configured on the IAS Server are applied to incoming VPN connections to the ISA Server firewall/VPN server.

You can also use the IAS Server to support advanced authentication, such as EAP-TLS authentication for PPTP and L2TP/IPSec clients. Advanced authentication methods using EAP enhance the security of your ISA Server firewall/VPN server configuration.

We discuss the following procedures in this ISA Server 2000 VPN Deployment Kit Document:

Installing the Windows Server 2003 IAS Server
Configuring a VPN client Remote Access Policy on the IAS Server
Configuring the ISA Server firewall/VPN server to use the IAS Server for authentication and accounting
Configuring the ISA Server firewall/VPN server to support EAP-TLS authentication for PPTP and L2TP/IPSec clients

Installing and Configuring the Windows Server 2003 IAS Server

Perform the following steps to install and configure the IAS Server:

1. Click Start, point to Control Panel and click on Add or Remove Programs.
2. Click the Add/Remove Windows Components button in the Add or Remove Programs window.
3. In the Windows Components dialog box (figure 1), select the Networking Services entry and click the Details button.

Figure 1 (1712)

4. In the Networking Services dialog box (figure 2), put a checkmark in the Internet Authentication Service checkbox and then click OK. Click Next in the Windows Components dialog box.

Figure 2 (1713)

5. Click the Finish button on the Completing the Windows Components Wizard page.

Now we’ll make some basic configuration changes to the IAS Server.

1. Click Start, point to Administrative Tools and click on Internet Authentication Services.
2. In the Internet Authentication Services console, right click on the Internet Authentication Service (Local) node in the left pane of the console. Click the Register Server in Active Directory command (figure 3).

This setting allows the IAS Server to authenticate users in the Active Directory domain. Click OK in the Register Internet Authentication Server in Active Directory dialog box (figure 4).

Click OK in the Server registered: dialog box (figure 5). This dialog box informs you that the IAS Server was registered in a specific domain and if you want this IAS Server to read users’ dial-in properties from other domains, you’ll need to enter this server into the RAS/IAS Server Group in that domain.

Figure 3 (1714)

Figure 4 (1715)

Figure 5 (1716)

3. Right click on the RADIUS Clients node in the left pane of the console and click the New RADIUS Client command (figure 6).

Figure 6 (1717)

4. In the New RADIUS Client dialog box, type in a Friendly name for the the ISA Server firewall/VPN server (figure 7). You can use any name you like. In this example we’ll use the DNS host name of the ISA Server firewall/VPN server, which is MSFIREWALL1.

Type in either the FQDN or the IP address of the ISA Server firewall/VPN server in the Client address (IP or DNS) dialog box. Do not enter a FQDN if your ISA Server firewall/VPN server has not registered its internal interface IP address with your internal DNS server. You can use the Verify button to test whether the IAS Server can resolve the FQDN (figure 8). Click Next.

Figure 7 (1718)

Figure 8 (1719)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

5. On the Addition Information page (figure 9), leave the RADIUS Standard entry in the Client-Vendor drop down list box. Your ISA Server firewall/VPN server will use this setting. Type in a complex shared secret in the Shared secret text both and confirm it in the Confirm shared secret text box.

The shared secret should be a complex string consisting of upper and lower case letters, numbers and symbols. Put a checkmark in the Request must contain the Message Authenticator attribute checkbox. This option enhances the security of the RADIUS messages passed between the ISA Server firewall/VPN and IAS servers. Click Finish.

Figure 9 (1720)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Configuring a VPN Client Remote Access Policy on the IAS Server

You are ready to create a Remote Access Policy on the IAS Server. Remote Access Policies configured on the IAS Server are enforced against VPN clients calling the ISA Server firewall/VPN server. The Windows Server 2003 IAS server has a Remote Access Policy Wizard that makes it easy to create a secure VPN client Remote Access Policy.

Perform the following steps to create a VPN client Remote Access Policy on the IAS Server:

1. In the Internet Authentication Service console, right click on the Remote Access Policies node and click the New Remote Access Policy command (figure 10).

Figure 10 (1721)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

2. Click Next on the Welcome to the New Remote Access Policy Wizard page (figure 11).

Figure 11 (1722)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

3. On the Policy Configuration Method page (figure 12), select the Use the wizard to set up a typical policy for a common scenario option. In the Policy name text box, type in a name for the policy. In this example, we’ll call it VPN Access Policy. Click Next.

Figure 12 (1723)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

4. Select the VPN option on the Access Method page (figure 13). This policy is used for all VPN connections. You also have the option to create separate policies for PPTP and L2TP/IPSec VPN links. However, to create separate policies for PPTP and L2TP/IPSec connections, you need to go backwards in the Wizard and create two custom policies. In this example we apply the same policy to all VPN connections. Click Next.

Figure 13 (1724)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

5. You can grant access to the VPN server based on user or group (figure 14). The best access control method is on a per-group basis because it confers less administrative overhead. You can create a group such as VPN Users and allow them access, or all your users access. It depends on who you want to give VPN access to the network.

In this example, we will select the Group option and click the Add button. This brings up the Select Groups dialog box. Type in the name of the group in the Enter the object name to select text box and click the Check names button to confirm that you entered the name correctly. Click OK in the Select Groups dialog box and then click Nextin the User or Group Access dialog box.

Figure 14 (1725)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

6. You can select the user authentication methods to allow on the Authentication Methods page (figure 15).

You may wish to allow both Microsoft Encrypted Authentication version 2 and Extensible Authentication Protocol (EAP). Both EAP and MS-CHAP version 2 authentication are secure, so we’ll select both the Extensible Authentication Protocol (EAP) and Microsoft Encrypted Authentication version 2 (MS-CHAPv2) checkboxes.

Click the down arrow in the Type (based on method of access and network configuration) drop down list box and select the Smart Card or other certificate option then click the Configure button. In the Smart Card or other Certificate Properties dialog box, select the certificate you want the server to use to identify itself to VPN clients. The self-signed certificate appears in the Certificate issued to drop down list box. This certificate is used to identify the server when VPN client are configured to confirm the server’s validity. Click OK in the Smart Card or other Certificate Properties dialog box and then click Next.

Note:
If you do not see the certificate in the Smart Card or other Certificate Properties dialog box, then restart the RADIUS server and start over. The certificate will then appear in the dialog box after the restart.

Figure 15 (1726)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

7. Select the level(s) of encryption you want to enforce on VPN connections (figure 17). All Microsoft clients support the strongest level of encryption. If you have clients that don’t support 128 bit encryption, select lower levels, but realize that you lower the level of security provided by the encryption method used by the VPN protocol. In this example we’ll select only the Strongest encryption (IPSec Triple DES or MPPE 128-bit) Click Next.

Figure 16 (1727)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

8. Review your settings on the Completing the New Remote Access Policy Wizard page and click Finish.

Figure 17 (1728)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Configuring Remote Access Permissions

The new Remote Access Policy requires the connection be a “virtual” or VPN connection. The VPN protocol can be either PPTP or L2TP/IPSec. MS-CHAP v2 or EAP-TLS must be used to authenticate and the client must support the highest level of encryption available for the VPN protocol they use to connect. The user must belong to the Domain Users group in the domain specified in the Remote Access Policy.

The next step is to configure Remote Access Permissions. Remote Access Permissions are different than Remote Access Policies. When a user calls the ISA Server firewall/VPN server, the parameters of the connection are compared against Remote Access Policy or Policies defined on the IAS Server. Remote Access Policies are a hierarchical list The policy on top of the list is evaluated first, then the second listed policy is applied, then the third and so forth.

VPN connection parameters are compared to the conditions of the policy. In the policy we created above, there were two conditions: the connection type is a virtual connection and the user is a member of the Domain Users group. If the connection request matches both of those conditions, then the Remote Access Permission of the account logging in is determined. Remote access permissions are determined differently depending on the type of domain the user account belongs to.

Windows Server 2003 domains do not use the Mixed and Native Mode designations you might be familiar with in Windows 2000 domains. Windows Server 2003 supports domains of varying functional levels. If all the domain controllers in your domain run Windows Server 2003, the default functional level is Windows 2000 mixed. All user accounts are denied VPN (Dial up) access by default in Windows 2000 Mixed Mode functional level. In Windows 2000 Mixed Mode, you must configure each user account to have permission to log on to the VPN server. The reason is that user account permissions override Remote Access Policy permissions in Mixed Mode domains.

If you want to control Remote Access Permissions via Remote Access Policy, you must raise the domain functional level of Windows 2000 Native or Windows Server 2003. The default Remote Access Permission in Windows 2000 and Windows Server 2003 domains is Control access through Remote Access Policy. Once you are able to use Remote Access Policy to assign VPN access permission, you can take advantage of group membership to allow or deny access to the VPN server.

When a connection request matches the conditions in the Remote Access Policy and the user is granted access via either the user account Dial-in settings or Remote Access Policy, the connection parameters are compared a number of settings defined by the Remote Access Profile. If the incoming connection does not comply with the settings in the Remote Access Profile, then the next Remote Access Policy is applied to the connection. If no policy matches the incoming connection’s parameters, the connection request to the ISA Server firewall/VPN server is dropped.

The VPN Remote Access Policy you created earlier includes all the parameters required for a secure VPN connection. Your decision now centers on how you want to control Remote Access Permissions:

Allow Remote Access on a per group basis: this requires that you run in Windows 2000 Native or Windows Server 2003 functional level
Allow Remote Access on a per user basis: supported by Windows 2000 Native, Windows 2000 Mixed and Windows Server 2003 functional levels
Allow Remote Access on both a per user and per group basis: this requires Windows 2000 Native or Windows Server 2003 functional level; granular user based access control overriding group based access control is done on a per user basis

Procedures required to allow per user and per group access include:

Change the Dial-in permissions on the user account in the Active Directory to control Remote Access Permission on a per user basis
Change the domain functional level to support Dial-in permissions based on Remote Access Policy
Change the Permissions settings on the Remote Access Policy

Changing the User Account Dial-in Permissions

Perform the following steps if you want to control access on a per user basis:

Click Start, point to Administrative Tools and click on Active Directory Users and Computers.
In the Active Directory Users and Computers console (figure 18), expand your domain name and click on the User node.

Figure 18 (1729)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Double click on a user account in the right pane of the console. In the user account Properties dialog box, click on the Dial-in tab (figure 19). The default setting on the account is Deny access. You can allow VPN access for the account by selecting the Allow access option. Per user account setting override permissions set on the Remote Access Policy. Notice the Control access through Remote Access Policy option is disabled. This option is available only when the domain is at the Windows 2000 or Windows Server 2003 functional level.

Figure 19 (1730)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click Apply and then click OK to commit the Dial-in permission changes you’ve made to the account.

Changing the Domain Functional Level

If you want to control access on a per group basis, then you will need to change the default domain functional level. Perform the following steps to change the domain functional level:

On a domain controller in your domain, open the Active Directory Domains and Trusts console. Click Start, point to Administrative Tools and click on Active Directory Domains and Trusts (figure 20).

Figure 20 (1731)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

In the Active Directory Domains and Trusts console, right click on your domain and click on the Raise Domain Functional Level command (figure 21).

Figure 21 (1732)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

In the Raise Domain Functional Level dialog box (figure 22), click the down arrow in the Select an available domain functional level drop down list, select either Windows 2000 native or Windows Server 2003, depending on the type of domain functional level your network can support. Click the Raise button after making your selection.

Figure 22 (1733)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click OK in the Raise Domain Functional Level dialog box (figure 23). This dialog box explains the change affects the entire domain and after the change is made, it cannot be reversed.

Figure 23 (1734)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click OK in the Raise Domain Functional Level dialog box (figure 24) informing you that the functional level was raised successfully. Note that you do not need to restart the computer for the changes to take effect. However, the default Remote Access Permission will not change for user accounts until Active Directory replication and completed.

Figure 24 (1735)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Return to the Active Directory Users and Computers console and double click on a user account. Click on the Dial-in tab in the user’s Properties dialog box (figure 25). Notice how the Control access through Remote Access Policy option is enabled and selected by default.

Figure 25 (1736)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Controlling Remote Access Permission via Remote Access Policy

Now that you have the option to control access via Remote Access Policy, let’s see how VPN access control via Remote Access Policy is performed:

Click Start, point to Administrative Tools and click on Internet Authentication Service.
Click on the Remote Access Policies node in the left pane of the console (figure 26). You will see the VPN Access Policy you created and two other, built-in Remote Access Policies. You can delete these other Remote Access Policies if you require only VPN connections to your ISA Server firewall/VPN server. Right click on the Connections to other access servers Remote Access Policy and click Delete. Repeat with the Connections to Microsoft Routing and Remote Access server Remote Access Policy.

Figure 26 (1737)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Double click on the VPN Access Policy in the right pane of the console. In the VPN Access Policy Properties dialog box (figure 27) there are two options that control access permissions based on Remote Access Policy:

· Deny remote access permission
· Grant remote access permission

Notice that this dialog box does inform you that the user account settings override the Remote Access Permission settings: Unless individual access permissions are specified in the user profile, this policy controls access to the network. Select the Grant remote access permission to allow members of the Domain Users group access to the VPN server.

Figure 27 (1738)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click Apply and then click OK in the VPN Access Policy Properties dialog box to save the changes.

Configuring the ISA Server firewall/VPN Server to Support RADIUS and EAP-TLS Authentication for PPTP and L2TP/IPSec VPN Clients

The next step is to configure the ISA Server firewall/VPN server to support RADIUS and EAP/TLS authentication. Perform the following steps to configure the ISA Server firewall/VPN server:

Confirm that you have enabled the ISA Server firewall as a VPN Server. Please refer to ISA Server 2000 VPN Deployment Kit document Configuring the Windows Server 2003 ISA Server 2000/VPN Server for details on how to configure the ISA Server firewall as a VPN server.
Click Start, point to Administrative Tools and click on Routing and Remote Access. In the Routing and Remote Access console, right click on your server name and click the Properties command.
Click on the Security tab in the server’s Properties dialog box.

Click the Configure button that lies to the right of the Authentication provider drop down list box. In the RADIUS Authentication dialog box (figure 28), click the Add button.

In the Add RADIUS Server dialog box, type in the FQDN or IP address of your IAS Server. Make sure that your ISA Server firewall/VPN server can resolve the FQDN of the IAS Server to the correct IP address. If you are not sure if the ISA Server firewall/VPN server can correctly resolve the FQDN of the IAS Server, use the IP address instead. Click the Change button.

Type in the shared secret you configured on the IAS Server and then confirm the shared secret. Put a checkmark in the Always use message authenticator checkbox. Click OK in the Change Secret dialog box, then click OK in the Add RADIUS Server dialog box, then click OK in the RADIUS Authentication dialog box. Click Apply in the server’s Properties dialog box.

Note
You do not need to click on the Authentication Methods button that lies just under the Authentication Provider drop down list. This button allows you to configure authentication methods used by the ISA Server firewall/VPN server when using Windows Authentication instead of RADIUS Authentication.

Figure 28 (1739)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click No in the Routing and Remote Access dialog box that informs you that you selected one or more authentication methods and would you like to view the Help topic.
Click OK in the Routing and Remote Access dialog box (figure 29) informing that you must restart the Routing and Remote Access.

Figure 29 (1740)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

Click OK in the Routing and Remote Access Properties dialog box.
Right click on the Routing and Remote Access node in the left pane of the console, point to the All Tasks command and click the Restart command.

Figure 30 (1741)

اندازه این تصویر کوچک شده است. برای مشاهده اندازه اصلی روی این نوشته کلیک کنید.

The ISA Server firewall/VPN server is now ready to support VPN PPTP VPN connections using either MS-CHAP version 2 or certificate based EAP/TLS authentication. Note that while we have configured RADIUS policy to support certificate based EAP/TLS authentication, the certificate used in this policy does not support L2TP/IPSec. You must assign a machine certificate to the ISA Server firewall/VPN server, and the VPN client making the L2TP/IPSec connection request must trust that certificate

How to set Static/DHCP IP Address from command line

2010-06-05T05:17:00.000-07:00

How to set Static/DHCP IP Address from command line

In Windows Server 2008 Core installation, the only way to setup IP Address eithe Static or DHCP is from the command line. The following procedure helps setting the IP Address from the command Line using “netsh”. This procedure works in Windows Server 2008 (No core installation as well), Windows Server 2003, Windows XP, Windows Vista.

To setup Static IP Address:

From the command prompt:

1. Type

C:\Users\Administra tor> netsh interface ipv4 show interfaces
Idx Met MTU State Name
— — —– ———– ——————-
1 50 4294967295 connected Loopback Pseudo-Interface 1
10 20 1500 connected Local Area Connection

This should show the Network Connections. We are looking for the name here. On mine, I have one LAN interface and is named as “Local Area Connection”

2. To set a static IP Address type the following command

C:\Users\Administra tor>netsh interface ipv4 set address name=”Local Area Connect
ion” source=static address=192. 168.0.5 mask=255.255. 255.0 gateway=192. 168.0.1

The syntax is

netsh interface ipv4 set address name=”” source=static address= mask= gateway=

Where:
ID is the name of the LAN Connection
StaticIP is the static IP address that you are setting
SubnetMask is the subnet mask for the IP address
DefaultGateway is the default gateway

3. Now set the DNS Servers one at a time with the followind command. For each DNS server, increase the index number.

C:\Users\Administra tor>netsh interface ipv4 add dnsserver name=”Local Area Conne
ction” address=192. 168.0.1 index=1

C:\Users\Administra tor>netsh interface ipv4 add dnsserver name=”Local Area Conne
ction” address=192. 168.0.10 index=2

The syntax is

netsh interface ipv4 add dnsserver name=”” address=index=1

Where:
ID is the name of the Network Connection
DNSIP is the IP address of your DNS server

This should do. To confirm, do an “ipconfig”

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-1D-09-D4- 2C-8F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.0.5( Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255. 0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
192.168.0.10
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Set IP through DHCP Server

To set the DHCP Server, from the command line

C:\Users\Administra tor> netsh interface ipv4 set address name=”Local Area Connection” source=dhcp

Syntax is

netsh interface ipv4 set address name=”ID” source=dhcp

where ID is the name of the Network Connection

Configure SNMP Agent in Windows 2000/XP/2003 Saturday, June 5, 2010 12:17 PM

2010-06-05T04:51:00.000-07:00

Simple Network Management Protocol (SNMP) is used to manage networked devices, monitor and alert of any events on the systems that can be critical

To configure SNMP agent in Windows,

1. Click Start – Run – Type “Services.msc” and press enter. This opens the Services Management Console.

2. In the right-pane, right-click on SNMP Service and select “Properties”

3. Click the “Agent” tab, enter the name of the “Contact”, “Location” and select the services for which an event can trigger a trap or can be queried by an SNMP management server.

4. Click the “Traps” tab and enter the Community name and Trap destinations. This allows the SNMP agent to send SNMP trap messages to SNMP Management servers when an event occurs. The community name is the communityname of the SNMP management server

5. Click the Security tab, here we set the security for various communities that this agent supports and the level permissions they are allowed namely “Notify”, “READ ONLY”, “READ WRITE”, “READ CREATE”. “Read Write” is the maximum allowed permission wherein we allow the SNMP Management station to make changes to the system or even manage the system using SNMP while “READ ONLY” will only allow the SNMP server to query for event informations and cannot make any changes.

6. Also, for security reasons select “Accept SNMP Packets from these hosts” and add list of authorised servers that can poll this agent.

7. You can also check the box “Send authentication trap” to notify all SNMP servers in the list should there be an authentication failure from any other SNMP server not in the list.

8. Click Apply and OK.

8. Right-click on the service and select “restart” for the changes to take effect.

This should setup SNMP Agent as well as the Trap setup for SNMP.

Creating and Configuring FTP Sites in Windows Server 2003

2010-06-04T23:55:00.000-07:00

Creating and Configuring FTP Sites in Windows Server 2003

In this article we'll walk you through the steps of creating FTP sites in Windows Server 2003 using both Internet Services Manager and scripts. The tutorial will also will explain how to perform common administration tasks involving FTP sites and also how to implement FTP User Isolation, a new feature of Windows Server 2003 enables users to have their own separate FTP home directories.

In this article we saw that Internet Information Services 6 (IIS 6) is a powerful platform for building and hosting web sites for both the Internet and corporate intranets. IIS 6 is also equally useful for setting up FTP sites for either public or corporate use, and in this article we''ll walk through the process of creating and configuring FTP sites using both the GUI (IIS Manager) and scripts included in Windows Server 2003. The specific tasks we''ll walk through in this article are:

Creating an FTP Site
Controlling Access to an FTP Site
Configuring FTP Site Logging
Stopping and Starting FTP Sites
Implementing FTP User Isolation

For sake of interest, we''ll again explain these tasks in the context of a fictitious company called TestCorp as it deploys FTP sites for both its corporate intranet and for anonymous users on the Internet.

Preliminary Steps

As mentioned in the previous article, IIS is not installed by default during a standard installation of Windows Server 2003, and if you installed IIS using Manage Your Server as described in the previous article this installs the WWW service but not the FTP service. So before we can create FTP sites we first have to install the FTP service on our IIS machine. To do this, we need to add an additional component to the Application Server role we assigned our machine when we used Manage Your Server to install IIS.

Begin by opening Add or Remove Programs in Control Panel and selecting Add/Remove Windows Components. Then select the checkbox for Application Server:

Click Details and select the checkbox for Internet Information Services (IIS):

Click Details and select the checkbox for File Transfer Protocol (FTP) Services.

Click OK twice and then Next to install the FTP service. During installation you''ll need to insert your Windows Server 2003 product CD or browse to a network distribution point where the Windows Server 2003 setup files are located. Click Finish when the wizard is done.

Creating an FTP Site

As with web sites, the simplest approach to identifying each FTP site on your machine is to assign each of them a separate IP address, so let''s say that our server has three IP addresses (172.16.11.210, 172.16.11.211 and 172.16.11.212) assigned to it. Our first task will be to create a new FTP site for the Human Resources department, but before we do that let''s first examine the Default FTP Site that was created when we installed the FTP service on our machine. Open IIS Manager in Administrative Tools, select FTP Sites in the console tree, and right-click on Default FTP Site and select Properties:

Just like the Default Web Site, the IP address for the Default FTP Site is set to All Unassigned. This means any IP address not specifically assigned to another FTP site on the machine opens the Default FTP Site instead, so right now opening either ftp://172.16. 11.210, ftp://172.16. 11.211 or ftp://172.16. 11.212 in Internet Explorer will display the contents of the Default FTP Site.

Let''s assign the IP address 172.16.11.210 for the Human Resources FTP site and make D:\HR the folder where its content is located. To create the new FTP site, right-click on the FTP Sites node and select New --> FTP Site. This starts the FTP Site Creation Wizard. Click Next and type a description for the site:

Click Next and specify 172.16.11.210 as the IP address for the new site:

Click Next and select Do not isolate users, since this will be a site that anyone (including guest users) will be free to access:

Click Next and specify C:\HR as the location of the root directory for the site:

Click Next and leave the access permissions set at Read only as this site will only be used for downloading forms for present and prospective employees:

Click Next and then Finish to complete the wizard. The new Human Resources FTP site can now be seen in IIS Manager under the FTP Sites node:

To view the contents of this site, go to a Windows XP desktop on the same network and open the URL ftp://172.16. 11.210 using Internet Explorer:

Note in the status bar at the bottom of the IE window that you are connected as an anonymous user. To view all users currently connected to the Human Resources FTP site, right-click on the site in Internet Service Manager and select Properties, then on the FTP Site tab click the Current Sessions button to open the FTP User Sessions dialog:

Note that anonymous users using IE are displayed as IEUser@ under Connected Users.

Now let''s create another FTP site using a script instead of the GUI. We''ll create a site called Help and Support with root directory C:\Support and IP address 172.16.11.211:

Here's the result of running the script:

The script we used here is Iisftp.vbs, which like Iisweb.vbs and Iisvdir.vbs which we discussed in the previous article is one of several IIS administration scripts available when you install IIS on Windows Server 2003. A full syntax for this script can be found here. Once you create a new FTP site using this script you can further configure the site using IIS Manager in the usual way.

Note: At this point you could add structure to your FTP site by creating virtual directories, and this is done in the same way as was described in the previous article for working with web sites.

Controlling Access to an FTP Site

Just like for web sites, there are four ways you can control access to FTP sites on IIS: NTFS Permissions, IIS permissions, IP address restrictions, and authentication method. NTFS permissions are always your first line of defense but we can't cover them in detail here. IIS permissions are specified on the Home Directory tab of your FTP site's properties sheet:

Note that access permissions for FTP sites are much simpler (Read and Write only) than they are for web sites, and by default only Read permission is enabled, which allows users to download files from your FTP site. If you allow Write access, users will be able to upload files to the site as well. And of course access permissions and NTFS permissions combine the same way they do for web sites.

Like web sites, IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, an IP address in a range of addresses, or a specific DNS name. These restrictions are configured on the Directory Security tab just as they are for web sites, and this was covered in the previous article so we won't discuss them further here.

FTP sites also have fewer authentication options than web sites, as can be seen by selecting the Security Accounts tab:

By default Allow anonymous connections is selected, and this is fine for public FTP sites on the Internet but for private FTP sites on a corporate intranet you may want to clear this checkbox to prevent anonymous access to your site. Clearing this box has the result that your FTP site uses Basic Authentication instead, and users who try to access the site are presented with an authentication dialog box:

Note that Basic Authentication passes user credentials over the network in clear text so this means FTP sites are inherently insecure (they don't support Windows integrated authentication) . So if you're going to deploy a private FTP site on your internal network make sure you close ports 20 and 21 on your firewall to block incoming FTP traffic from external users on the Internet.

Configuring FTP Site Logging

As with web sites, the default logging format for FTP sites is the W3C Extended Log File Format, and FTP site logs are stored in folders named

%SystemRoot% \system32\ LogFiles\ MSFTPSVCnnnnnnnn nn

where nnnnnnnnnn is the ID number of the FTP site. And just as with web sites, you can use the Microsoft Log Parser, part of the IIS 6.0 Resource Kit Tools, to analyze these FTP site logs.

Stopping and Starting FTP Sites

If an FTP site becomes unavailable you may need to restart it to get it working again, which you can do using IIS Manager by right-clicking on the FTP site and selecting Stop and then Start. From the command-line you can type net stop msftpsvc followed by net start msftpsvc or use iisreset to restart all IIS services. Remember that restarting an FTP site is a last resort as any users currently connected to the site will be disconnected.

Implementing FTP User Isolation

Finally, let's conclude by looking at how to implement the new FTP User Isolation feature of IIS in Windows Server 2003. When an FTP site uses this feature, each user accessing the site has an FTP home directory that is a subdirectory under the root directory for the FTP site, and from the perspective of the user their FTP home directory appears to be the top-level folder of the site. This means users are prevented from viewing the files in other users' FTP home directories, which has the advantage of providing security for each user's files.

Let's create a new FTP site called Staff that makes use of this new feature, using C:\Staff Folders as the root directory for the site and 172.16.11.212 for the site's IP address. Start the FTP Site Creation Wizard as we did previously and step through it until you reach the FTP User Isolation page and select the Isolate users option on this page:

Continue with the wizard and be sure to give users both Read and Write permission so they can upload and download files.

Now let's say you have two users, Bob Smith (bsmith) and Mary Jones (mjones) who have accounts in a domain whose pre-Windows 2000 name is TESTTWO. To give these users FTP home directories on your server, first create a subfolder named \TESTTWO beneath \Staff Folders (your FTP root directory). Then create subfolders \bsmith and \mjones beneath the \Accounts folder. Your folder structure should now look like this:

C:\Staff Folders
\TESTTWO
\bsmith
\mjones

To test FTP User Isolation let's put a file name Bob's Document.doc in the \bsmith subfolder and Mary's Document.doc in the \mjones subfolder. Now go to a Windows XP desktop and open Internet Explorer and try to open ftp://172.16. 11.212, which is the URL for the Staff FTP site we just created. When you do this an authentication dialog box appears, and if you're Bob then you can enter your username (using the DOMAIN\username form) and password like this:

When Bob clicks the Log On button the contents of his FTP home directory are displayed:

Note that when you create a new FTP site using FTP User Isolation, you can't convert it to an ordinary FTP site (one that doesn't have FTP User Isolation enabled). Similarly, an ordinary FTP site can't be converted to one using FTP User Isolation.

We still need to explore one more option and that's the third option on the FTP User Isolation page of the FTP Site Creation Wizard, namely Isolate users using Active Directory. Since we've run out of IP addresses let's first delete the Help and Support FTP site to free up 172.16.11.211. One way we can do this is by opening a command prompt and typing iisftp /delete "Help and Support" using the iisftp.vbs command script. Then start the FTP Site Creation Wizard again and select the third option mentioned above (we'll name this new site Management):

Click Next and enter an administrator account in the domain, the password for this account, and the full name of the domain:

Click Next and confirm the password and complete the wizard in the usual way. You'll notice that you weren't prompted to specify a root directory for the new FTP site. This is because when you use this approach each user's FTP home directory is defined by two environment variables: %ftproot% which defines the root directory and can be anywhere including a UNC path to a network share on another machine such as \\test220\docs, and %ftpdir% which can be set to %username% so that for example Bob Smith's FTP home directory would be \\test220\docs\ bsmith and this folder would have to be created beforehand for him. You could set these environment variables using a logon script and assign the script using Group Policy, but that's beyond the scope of this present article.

hide and unhide Disk Drive Partitions

2010-06-03T22:30:00.000-07:00

hide and unhide Disk Drive Partitions

IN GUI MODE

Here is a simple way to hide and unhide Disk Drive Partitions from My Computer in any version of windows. This deosn't work with Windows OS that cannot support NTFS.
How to hide a partition in Windows?

Right-Click on My Computer [Computer in Windows Vista and Windows 7]
Click on Manage
From the list of options Click on Disk Management that will be located in the left-bottom section
All your hard disk and its partitions will be show in the right hand side
Right-Click on the partition that you want to hide and select "Change Drive Letters and Path"
Click on "Remove" and click "Yes"
Your drive will now be hidden in my computer

To unhide the drive :

Go to Disk Management Right-Click on the hidden partition [there will not be a drive letter on the hidden drive] again select "Change Drive Letters and Path"
Click on add and select an appropriate drive letter.
Click Ok
Now the drive is unhided.

IN COMMAND PROMPT

1. Click Start – Run
2. Type “cmd” in the open box
3. In command prompt window, type “diskpart” , and then press enter!

4. Type “list volume” and press enter

The above command will show hard drive volume information.
For example, your secret files are in drive E. Thus I want to hide E. From the figure above, keep in mind that drive E’s volume is “volume 2″ and drive E’s letter is “E”.

5. Type “select volume 2″ and press enter
6. Type “remove letter E” and press enter

Done! Now your drive E has been hidden, you can now exit command prompt.

How to unhide / restore your hidden disk partition?
Do all steps (1-5), on the step 6 type “assign letter E” instead

Creating and Configuring Web Sites in Windows Server 2003

2010-05-31T05:01:00.000-07:00

Creating and Configuring Web Sites in Windows Server 2003

In this article we'll walk you through the steps of creating web sites in Windows Server 2003 using both Internet Services Manager and scripts. The tutorial will also walk you through the steps for hosting content both locally and remotely using virtual directories, and will explain how to perform common administration tasks involving web servers.

Internet Information Services 6 (IIS 6) is a powerful platform for hosting web sites on both the public Internet and on private intranets. Creating and configuring web sites and virtual directories are bread-and-butter tasks for IIS Administrators, and in this article we'll walk through the process of doing this using both the GUI (IIS Manager) and using various scripts included with Windows Server 2003. The seven specific tasks we'll walk through will include:

Creating a Web Site
Creating a Local Virtual Directory
Creating a Remote Virtual Directory
Controlling Access to a Web Site
Configuring Web Site Logging
Configuring Web Site Redirection
Stopping and Starting Web Sites

For sake of interest, we'll explain these tasks in the context of a fictitious company called TestCorp as it deploys IIS for its corporate intranet.

Preliminary Steps

Unlike earlier versions of Microsoft Windows, IIS is not installed by default on Windows Server 2003. To install IIS, open Manage Your Server from the Start menu and add the Application Server role:

Note that for simple security reasons IIS should only be installed on member servers, not domain controllers. The reason is that if you install IIS on a domain controller and your web server becomes compromised, the attacker could gain access to your accounts database and wreak havoc with your network.

Creating a Web Site

The simplest approach is to use a separate IP address to identify each web site on your machine. Let's say our server has five IP addresses assigned to it from the range 172.16.11.220 through 172.16.11.224. Before we create a new Human Resources web site, let's first examine the identify of the Default Web Site. Open IIS Manager in Administrative Tools, select Web Sites in the console tree, and right-click on Default Web Site and open it's properties:

The IP address for the Default Web Site is All Unassigned. This means any IP address not specifically assigned to another web site on the machine opens the Default Web Site instead. A typical use for the Default Web Site is to edit it's default document to display general information like a company logo and how to contact the Support Desk.

Let's use IP address 172.16.11.221 for the Human Resources site and make D:\HR the folder where the home page for this site is stored. To create the HR site, right-click on the Web Sites node and select New --> Web Site. This starts the Web Site Creation Wizard. Click Next and type a description for the site:

Click Next again and specify 172.16.11.221 as the IP address for the site:

Click Next and specify D:\HR as the home folder for the site. We've cleared the checkbox to deny anonymous access to the site because this is an internal intranet so only authenticated users should be able to access it (public web sites generally allow anonymous access):

Click Next and leave only Read access enabled since the Human Resources site will initially only be used to inform employees of company policies:

Click Next and then Finish to create the new web site:

Now let's create another intranet site, this time for Help Desk, which will use IP address 172.16.11.222 and home folder D:\Help. We'll create this one using a script instead of the GUI:

And here's the result:

The script we used here is Iisweb.vbs, one of several IIS administration scripts available when you install IIS on Windows Server 2003. The basic syntax of this script is easy to figure out from the previous screenshot, and a full syntax can be found here. Note that unlike the Web Site Creation Wizard used previously. you can't use this script create a web site with anonymous access disabled. So if you want to disable anonymous access you should do it by opening the properties sheet for the Help Desk site, selecting the Directory Security tab, and clicking the Edit button under Authentication and Access Control. This opens the Authentication Methods box where you can clear the checkbox to disable Anonymous Access and leave Windows Integrated Authentication as the only authentication method available for clients on your network:

Creating a Local Virtual Directory

Let's say Human Resources keeps their policies in a folder called D:\HR Policies on your web server and you would like users to be able to use the URL http://172.16. 11.221/policies when they need to access these policies. To do this we need to create a virtual directory that associates the /policies portion of the URL, called the alias for the virtual directory, with the physical directory D:\HR Policies where these documents are actually located.

Let's do this now. Right-click on the Human Resources site and select New --> Virtual Directory to start the Virtual Directory Creation Wizard. Click Next and type the alias for the virtual directory:

Click Next and specify the physical folder on the local server to map to this alias:

Click Next and specify permissions (again we'll just leave Read enabled) and finish the wizard. Here's the result:

Let's do something similar using another IIS script named Iisvdir.vbs, only we'll create a /procedures virtual directory instead:

Open IIS Manager to display the new virtual directory:

Note the difference in the icons for the two virtual directories. That's because when the script creates a virtual directory it also creates an application starting point for that directory, while the wizard does not. This doesn't matter though, since for now we're only hosting static content in these directories. For the full syntax of Iisvdir.vbs see here.

Creating a Remote Virtual Directory

Help Desk likes to do things differently than Human Resources does, and their user manual is stored in HTML form in the share \\srv230\helpdesk on a network file server. Let's create a remote virtual directory within the Help Desk site that associates the alias /usermanual with this share. Right-click on the Help Desk site and select New --> Virtual Directory to start the Virtual Directory Creation Wizard again, specify usermanual as the alias for the directory, and type \\srv230\helpdesk as the UNC path to the share:

Click Next and a new screen appears prompting you to either specify credentials for accessing the share or use the authenticated user's credentials for this purpose (we'll use the latter):

Click Next and finish the wizard. Let's look at the result:

The Iisvdir.vbs script can similarly be used for creating remote virtual directories.

Controlling Access to a Web Site

Now that we have a couple of web sites and virtual directories created, let's look at a few administration tasks. This will be only a brief overview--you can find a much more detailed treatment of the subject in my book IIS 6 Administration (Osborne/McGraw- Hill).

First let's look at how we can control access to our web sites. There are basically four ways you can do this: NTFS Permissions, web permissions, IP address restrictions, and authentication method. NTFS permissions is your front line of defense but it's a general subject that we can't cover in detail here. Web permissions are specified on the Home Directory tab of your web site's properties:

By default only Read permission is enabled, but you can also allow Write access so users can upload or modify files on your site.

Script source access so users can view the code in your scripts (generally not a good idea), or Directory browsing so users can view a list of files in your site (also not a good idea). Web permissions apply equally to all users trying to access your site, and they are applied before NTFS permissions are applied. So if Read web permission is denied but NTFS Read permission is allowed, users are denied access to the site.

IP address restrictions can be used to allow or deny access to your site by clients that have a specific IP address, have an IP address within a range of addresses, or have a specific DNS domain name. To configure this, select the Directory Security tab and click the Edit button under IP Address and Domain Name Restrictions. This opens the following dialog, which by default does not restrict access to your site:

The main thing to watch for here is that denying access based on domain name involves reverse DNS lookups each time clients try to connect to your web site, and this can significantly impact the performance of your site.

The final way of controlling access to your sites is to use the Authentication Methods dialog box we looked at previously:

In summary, the five authentication options displayed here are:

Anonymous access. Used mainly for web sites on public (Internet) web servers.
Integrated Windows authentication. Used mainly for web sites on a private intranet.
Digest authentication. Challenge/response authentication scheme that only works with clients running Internet Explorer 5.0 or later.
Basic authentication. Older authentication scheme that transmits passwords over the network in clear text, so use this only in conjunction with SSL.
.NET Passport authentication. Allows users to use their .NET Passport for authentication.

Configuring Web Site Logging

Since web sites are prime targets for attackers, you probably want to log hits to your site to see who's visiting it. By default IIS 6 logs traffic to all content as can be seen on the bottom of the General tab of the properties for a web site or virtual directory:

The default logging format is the W3C Extended Log File Format, and clicking Properties indicates new log files are created daily in the indicated directory. It's a good idea to specify that local time be used for logging traffic as this makes it easier to interpret the logs:

The key of course is to review log files regularly to look for suspicious activity. IIS doesn't include anything for this purpose, but the IIS 6.0 Resource Kit Tools does include version 2.1 of Microsoft Log Parser, which can be used for analyzing IIS logs. You can download these tools here.

Configuring Web Site Redirection

Sometimes you need to take your web site down for maintenance, and in such cases it's a good idea to redirect all client traffic directed to your site to an alternate site or page informing users what's going on. IIS lets you redirect a web site to a different file or folder on the same or another web site or even to an URL on the Internet. To configure redirection you use the Home Directory tab and choose the redirection option you want to use:

Stopping and Starting Web Sites

Finally, if sites become available you may need to restart IIS to get them working again. Restarting IIS is a last resort as any users currently connected will be disconnected and any data stored in memory by IIS applications will be lost. You can restart IIS using IIS Manager by right-clicking on the server node:

You can also do the same from the command-line using the Iisreset command:

Type iisreset /? for the full syntax of this command. You can also start and stop individual web sites using IIS Manager or the Iisweb.vbs script. And you can stop or start individual IIS services using the net commands, for example net stop w3svc will stop the WWW services only.

Mobile Code

2010-05-26T05:18:00.000-07:00

BenQ-Siemens Secret Codes

Software version:
*#06#
to see more info, press softkey again
English menu:
*#0001#
Deutsch menu:
*#0049#

LG Secret Codes

LG all models test mode: Type 2945#*# on the main screen.
2945*#01*# Secret menu for LG
IMEI (ALL): *#06#
IMEI and SW (LG 510): *#07#
Software version (LG B1200): *8375#
Recount cheksum (LG B1200): *6861#
Factory test (B1200): #PWR 668
Simlock menu (LG B1200): 1945#*5101#
Simlock menu (LG 510W, 5200): 2945#*5101#
Simlock menu (LG 7020, 7010): 2945#*70001#

Samsung Secret Codes

Software version: *#9999#
IMEI number: *#06#
Serial number: *#0001#
Battery status- Memory capacity : *#9998*246#
Debug screen: *#9998*324# - *#8999*324#
LCD kontrast: *#9998*523#

Motorola Secret Codes

IMEI number:
*#06#
Code to lock keys. Press together *7
Note: [] (pause) means the * key held in until box appears.
Select phone line - (use this to write things below the provider name):
[] [] [] 0 0 8 [] 1 []
Add phonebook to main menu:
[] [] [] 1 0 5 [] 1 []
Add messages to main menu:
[] […]

Sony Ericsson Secret Codes

Sony Ericsson Secret Menu: -> * <- <- * <- * (-> means press joystick, arrow keys or jogdial to the right and <- means left.) You'll see phone model, software info, IMEI, configuration info, sim lock status, REAL time clock, total call time and text labels. You can also test your phones services and hardware from this […] Nokia Secret Codes On the main screen type *#06# for checking the IMEI (International Mobile Equipment Identity). *#7780# reset to factory settings. *#67705646# This will clear the LCD display(operator logo). *#0000# To view software version. *#2820# Bluetooth device address. *#746025625# Sim clock allowed status. *#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that supports WLAN […] __________________ General Nokia 8810 Secrets Codes IMEI number *#06# Software Version *#0000# more for nokia *#4357# Spelling out the word HELP you get customer service, kinda cool more of nokia On the main screen type *#06# for checking the IMEI (International Mobile Equipment Identity). *#7780# reset to factory settings. *#67705646# This will clear the LCD display(operator logo). *#0000# To view software version. *#2820# Bluetooth device address. *#746025625# Sim clock allowed status. *#62209526# - Display the MAC address of the WLAN adapter. This is available only in the newer devices that supports WLAN like N80 #pw+1234567890+1# Shows if sim have restrictions. *#92702689# - takes you to a secret menu where you may find some of the information below: 1. Displays Serial Number. 2. Displays the Month and Year of Manufacture 3. Displays (if there) the date where the phone was purchased (MMYY) 4. Displays the date of the last repair - if found (0000) 5. Shows life timer of phone (time passes since last start) *#3370# - Enhanced Full Rate Codec (EFR) activation. Increase signal strength, better signal reception. It also help if u want to use GPRS and the service is not responding or too slow. Phone battery will drain faster though. *#3370* - (EFR) deactivation. Phone will automatically restart. Increase battery life by 30% because phone receives less signal from network. *#4720# - Half Rate Codec activation. *#4720* - Half Rate Codec deactivation. The phone will automatically restart If you forgot wallet code for Nokia S60 phone, use this code reset: *#7370925538# Note, your data in the wallet will be erased. Phone will ask you the lock code. Default lock code is: 12345 Press *#3925538# to delete the contents and code of wallet. *#7328748263373738# resets security code. Default security code is 12345 Unlock service provider: Insert sim, turn phone on and press vol up(arrow keys) for 3 seconds, should say pin code. Press C,then press * message should flash, press * again and 04*pin*pin*pin# Change closed caller group (settings >security settings>user groups) to 00000 and ure phone will sound the message tone when you are near a radar speed trap. Setting it to 500 will cause your phone 2 set off security alarms at shop exits, gr8 for practical jokes! (works with some of the Nokia phones.)

Press and hold "0″ on the main screen to open wap browser.

Mobile Code Series No 2

2010-05-26T05:17:00.000-07:00

More Benq stuff

*12022243121 is code for old Siemens model, like C35, M35 , S35 etc.
That code not working with BenQ-Siemens model.
Also you can change language in Siemens and BenQ-Siemens to any language( if you have that language support in mobile phone, of course) if you put between *# and # your country code with zeros before country code (zeros and counry code must have together four digits).
When you use code for language that not support language in mobile phones turn to automatic.
Examples:
*#0033# french
*#0385# croatian
*#0030# greek
*#0039# italien etc.

Here's a couple of extras for you - apologies for any reposts

Alcatel

IMEI number: * # 0 6 #
Software version: * # 0 6 #
Net Monitor: 0 0 0 0 0 0 *

Bosch

IMEI number: * # 0 6 #
Default Language: * # 0 0 0 0 #
Net Monitor: * # 3 2 6 2 2 5 5 * 8 3 7 8 # #

Dancall

IMEI number: * # 0 6 #
Software version: * # 9 9 9 9 #
SIM card serial number: * # 9 9 9 4 #
Information about battery status: * # 9 9 9 0 #
Selftest (only Dancall HP2731): * # 9 9 9 7 #
Show version configuration: * # 9 9 9 8 #
Net Monitor: * # 9 9 9 3 #

Sony Ericsson

IMEI number: * # 0 6 #
Software version: > * < < * < *
Default Language: <>
Enter to phone menu without SimCard - after Wrong PIN: press NO: * * 0 4 * 0 0 0 0 * 0 0 0 0 * 0 0 0 0 #
Information about SIMLOCK: < * * <

Motorola

IMEI number: * # 0 6 #
Net Monitor ON: * * * 1 1 3 * 1 * [OK]
Net Monitor OFF: * * * 1 1 3 * 1 * [OK] * - press this until box shown up

Nokia

IMEI number: * # 0 6 #
Software version: * # 0 0 0 0 #
Lub * # 9 9 9 9 #
Simlock info: * # 9 2 7 0 2 6 8 9 #
Enhanced Full Rate: * 3 3 7 0 # [ # 3 3 7 0 # off]
Half Rate: * 4 7 2 0 #
Provider lock status: # p w + 1 2 3 4 5 6 7 8 9 0 + 1
Network lock status: # p w + 1 2 3 4 5 6 7 8 9 0 + 2
Provider lock status: # p w + 1 2 3 4 5 6 7 8 9 0 + 3
SimCard lock status: # p w + 1 2 3 4 5 6 7 8 9 0 + 4 1234567890 -
MasterCode which is generated from IMEI *#92702689# [*#war0anty#] Warranty code.

Philips

IMEI number: * # 0 6 #
Simlock info: * # 8 3 7 7 #
Security code: * # 1 2 3 4 # (Fizz) or * # 7 4 8 9 #

Samsung (Most models)

IMEI number: * # 0 6 #
Software version: * # 9 9 9 9 #
Albo* # 0 8 3 7 #
Net Monitor: * # 0 3 2 4 #
Changing LCD contrast: * # 0 5 2 3 #
Memory info: * # 0 3 7 7 #
Albo * # 0 2 4 6 #
Reset CUSTOM memory: * 2 7 6 7 * 2 8 7 8 #
Battery state: * # 9 9 9 8 * 2 2 8 #
Alarm beeper: * # 9 9 9 8 * 2 8 9 #
Vibra test: * # 9 9 9 8 * 8 4 2 #

Samsung (T100 Specific Codes)

Battery status (capacity, voltage, temperature): * # 8 9 9 9 * 2 2 8 #
Program status: * # 8 9 9 9 * 2 4 6 #
Change Alarm Buzzer Frequency: * # 8 9 9 9 * 2 8 9 #
Debug screens: * # 8 9 9 9 * 3 2 4 #
Watchdog: * # 8 9 9 9 * 3 6 4 #
EEPROM Error Stack: * # 8 9 9 9 * 3 7 7 #
Trace Watchdog: * # 8 9 9 9 * 4 2 7 #
Change LCD contrast: * # 8 9 9 9 * 5 2 3 #
Jig detect: * # 8 9 9 9 * 5 4 4 #
Memory status: * # 8 9 9 9 * 6 3 6 #
SIM File Size: * # 8 9 9 9 * 7 4 6 #
SIM Service Table: * # 8 9 9 9 * 7 7 8 #
RTK (Run Time Kernel) errors: * # 8 9 9 9 * 7 8 5 #
Run, Last UP, Last DOWN: * # 8 9 9 9 * 7 8 6 #
Software Version: * # 8 9 9 9 * 8 3 7 #
Test Vibrator: * # 8 9 9 9 * 8 4 2 #
Vocoder Reg: * # 8 9 9 9 * 8 6 2 #
Diag: * # 8 9 9 9 * 8 7 2 #
Reset On Fatal Error: * # 8 9 9 9 * 9 4 7 #
Last/Chk: * # 8 9 9 9 * 9 9 9 #9 9 * 9 9 9 #

Sagem

IMEI number: * # 0 6 #
Service Menu access: MENU 5 1 1 #

Siemens

IMEI number: * # 0 6 #
Software version: Take out SIM & enter: * # 0 6 # (& press LONG KEY)
Bonus screen: in phone book: + 1 2 0 2 2 2 4 3 1 2 1
Net Monitor (S4 Power):
Menu 9 8, left SoftKey, 7 6 8 4 6 6 6, Read phone, Menu 5 6

Sony

IMEI number: * # 0 6 #
Software version: * # 8 3 7 7 4 6 6 #
Show list of product creator names: + 1 2 0 2 2 2 4 3 1 2 1

SonyEricsson

IMEI number: * # 0 6 #
Software version: > * < < * < *
Default Language: <>
Enter to phone menu without SimCard - after Wrong PIN: press NO: * * 0 4 * 0 0 0 0 * 0 0 0 0 * 0 0 0 0 #
Information about SIMLOCK: < * * <

Code Description
*#06# Display the IMEI (GSM standard)
*#0000# Display the firmware version and date
*#bta0# Display the Bluetooth MAC address (models with build-in Bluetooth radio, activate first to show address)
*#mac0wlan# Display the WLAN MAC address (models with build-in Wi-fi radio)
*#opr0logo# Clear the operator logo (3310 and 3330 only)
*#pca0# Activate the GPRS PCCCH support (early GPRS models)
*#pcd0# Deactivate the GPRS PCCCH support (early GPRS models)
*#res0wallet# Reset the mobile wallet (models with mobile wallet)
*#res0# Soft-format the memory (Symbian models only)
*#rst0# Reset to factory defaults, confirmation required (DCT4 or newer)
*#sim0clock# Display the SIM clock status (DCT3 only)
*#ssn0# Display the manufacturing serial number (mid-range and premium, non-Symbian models, and those devired from them)
*#war0anty# Display the manufacturing and repair info (no exit on DCT3)
*efr0# Enable EFR encoding (pre-2003 models)
#efr0# Disable EFR encoding (pre-2003 models)
*hra0# Enable HR encoding (pre-2003 models)
#hra0# Disable HR encoding (pre-2003 models)
#pw+1234567890+n# Display the SIM lock status: (pre-2003 models)
n = 1: provider lock
n = 2: network lock
n = 3: country lock
n = 4: SIM lock
phannhatnghi is offline Add to phannhatnghi's Reputation Report Post Reply With Quote

MOBILE UNLOCK CHEAT CODE

2010-05-26T05:15:00.000-07:00

>>>>>>>>>> MOBILE UNLOCK CHEAT CODE <<<<<<<<<<
==============================================

Nokia

Code:

#06# IMEI (International Mobile Equipment Identity) information
#0000# 1st Line: software version. 2nd line: date of software release. 3rd line: phone type
#746025625# Checks if the SIM clock can be stopped. It is a kind of standby mode that will save battery. However,

the clock automatically gets activated when the phone is switched off and on
#92702689# Here is a big one! A menu will come up with six choices. First, it'll display the serial number. Second,

the month and year of manufacture. Third, the date of purchase. Fourth, the last repair date. Fifth, the option to

transfer user data if you have the hardware for it. Sixth, the number of hours the phone has been on. Some of these

dates might not be displayed if the information doesn't exist
3370# Enhanced Full Rate (EFR) codec activation
#3370# EFR codec deactivation
4370# Half Rate codec activation
#4730# Half Rate codec deactivation

EFR gives better voice quality compared to the half rate codec, but can cut down on the battery life. Your phone

will automatically restart after you feed in any of the above codecs

xx# Here is a harmless little one. This will automatically display the number at the `xx' position in your phone book

Motorola

Code:

#06# Displays IMEI
[][][] 119 [] 1 [] OK Enable EFR
[][][] 119 [] 0 [] OK Disable EFR

Samsung SGH-2100/600

Code:

#06# Displays IMEI
#9999# Software version
#0324# Technical menu
#0523# Lets you adjust the screen contrast
#0228# Battery status (capacity, voltage, temperature

Sharp Secret Codes

017638371# (01763VER0#) — Firmware Version.
017633641# (01763ENG1#) — Enable Engineer Mode hold pwr key to leave then disable.
017633640# (01763ENG0#) — Disable Engineer Mode.
017638781# (01763TST1#) — Test #1 (test early wdt looping to dump, need to remove battery from phone)
017638782# (01763TST2#) — Test #2 (test irq dis looping to switch, resets itself)

Step By Step Email Server Setup in Windows Server 2003

2010-05-25T03:30:00.000-07:00

Step By Step Email Server Setup in Windows Server 2003

Start->Programs->Administrative Tools->Manage Your Server once it opens you should see similar to the following screen here Click on Add or remove a role

This will start the Configure Your Server Wizard. Read the text and make sure you have connected all the necessary cables and all the other things it says you should do before continuing.Click on Next

We now come to the step where we add and remove roles for our server. Select Mail Server (POP3,SMTP) click Next

You will now specify the type of authentication and type the email domain name. In this tutorial we will use Windows Authentication, and we will use our domain name, windowsreference. com. You should of course use your domain name.click next

Next step shows summary of our selection click on next

Mail server is in progress

When you get prompted to insert your Windows Server 2003 CD-ROM into your CD-ROM drive, do so and click ok. If you didn’t get prompted to do that, you maybe already have it in the drive.

Copying files in progress

After completing installation you should see similar to the following screen click Finish

Configuring Email Server

Click Start—>run type server.msc click ok this will open up the POP3 Service. This is where you configure and manage the POP3 part of the mail server.Click on in the left pane and Click on Server Properties in the right pane

This brings up the Properties for our Mail Server.I will explain each setting as follows

Authentication Method

Local Windows Accounts

If your server is stand alone (not member of an Active Directory domain), and you want to have the user accounts on the same local computer as the POP3 service, this is the best option. By using this option, you will use the SAM (Security Accounts Manager) for both the email user accounts, and the user accounts on the local computer. This means that a user can use the same user name and password to be authenticated for both the POP3 service and Windows on the local computer. But there is a limitation, although you can host multiple domains on the server, there must be unique user names for all domains. So, let us say you have two users named Sandra. One working at company1.com and another one working at company2.com. Their user name used will be sachin@company1. com and sachin@company2. com. But in SAM, they will both have the same user name, sandra, so one of them must be renamed to something else (if we don’t want them to read each other’s emails).

If you create the user account when you create the mail box (by using the POP3 interface), the user will be added to the POP3 user group. Members of this group are not allowed to logon locally. The fact that the users are added to the POP3 group does not mean that you must be a member of this group to have a mailbox. You should however be careful adding mailboxes to users that are not member of the POP3 group, because the password used for email can for example be sniffed (if you are not using SPA), or someone can brute force the password and gain access to the server.

Server Port

We strongly recommend that you use port 110 because this is the standard port for the POP3 protocol. If you change this, make sure you notify all users so they can configure their email clients to use this other port. Also make sure you restart the POP3 service if you change this.

Logging Level

Four options to choose between. If you change this, remember that you must restart the POP3 service.

None – Nothing is logged.

Low – Only critical events are logged.

Medium – Both critical and warning events are logged.

High – Critical, warning and informational events are logged.

Root Mail Directory

If you don’t want to use the default Mail Directory, you can choose another one. Make sure the path is not more than 260 characters and you can also not store to the root of a partition (i.e. C:). It is strongly recommended that you use a NTFS formatted partition. You can’t use a mapped drive, but the UNC name (\\servername\ share) can be used. If you later change the store, and there are still emails in one or more boxes, you must manually move the folders in which there are emails to the new location. You must also reset the permissions on the directory by using winpop set mailroot.

SPA

Enable SPA if you want to have a secure communication between your email sever and email clients. This will send both the user name and password encrypted from the client to the server, instead of sending it in clear text. SPA supports only Local Windows Accounts and Active Directory Integrated Authentication. It is recommended to use this. Remember to restart the POP3 service if you change this.

Create a mailbox

The Setup Wizard created a domain to us, so we do not need to create this manually. If you did not use Manage Your Server to install, add the domain manually be clicking the server name in the left pane and then click New domain in the right pane.

Remember to set the properties before you add the domain.(We have completed in the above step)

Click on your domain (windowsreference. com in my case) in the left pane.Click Add Mailbox in the right pane.

This will open up the Add Mailbox window here you need to enter name and password click ok

A message will pop-up and tell you how to configure the email clients. Read this, and notice the difference when using SPA or not. click ok

After creating user you should see similar to the following screen

What we just did was not only creating a mailbox named admin, but we also created a user admin.

Configure the SMTP Server

We have to configure the SMTP part to be able to receive and send emails. A common mistake is to think that the POP3 server receives the emails. But that is not true, all the POP3 is doing is ‘pop’ the emails out to the clients. It’s the SMTP server that is communicating with other SMTP servers and receives and sends emails.

Open Computer Management,Expand Services and Applications, expand Internet Information Service
Right click Default SMTP Virtual Server and click Properties

Once it opens properties tab you should see similar to the following screen here you need to Click the Access tab Click the Authentication button

Here you need to make sure Anonymous Access and Integrated Windows Authentication is enabled.

Click the Relay button from the properties windows and make sure Allow all computers which successfully… is enabled and Only the list below is selected.

First of all, Authentication and Relay is not the same thing. We use the Authentication button to specify which authentications methods are allowed for users and other SMTP servers. So enabling Anonymous here is not a security issue, in fact, it’s required if we want our server to be able to receive emails from other servers on Internet . We also need Windows Authentication so the email clients can authenticate to the server and be able to relay (send emails).

That’s it for server side now you need to configure your email clients.

If you want users to only be allowed to relay if they are on a private network, then you can uncheck Windows Authentication as allowed authentication method, and specify the IP range for your network in the Relay Restrictions window.

Enable SPA (Secure Password Authentication)

You need to configure your network network as secure as possible, so we prefer to use SPA (Secure Password Authentication) . This will, as stated before, send the user name and password from the client encrypted, instead of clear text.

Click Start, then Run ype p3server.msc

In the right pane, right click your computer’s name and click Properties

Check the box Require Secure Password Authentication… and Click OK

You will be prompted to restart the Microsoft POP3 Service, click Yes

Installing ISA Server 2004 on Windows Server 2003

2010-05-25T01:00:00.000-07:00

Installing ISA Server 2004 on Windows Server 2003

In this ISA Server 2004 Configuration Guide document we will install the ISA Server 2004 software onto the Windows Server 2003 computer we installed and configured in Chapter 1. Installing ISA Server 2004 is straightforward as there are only a few decisions that need to be made during installation.

The most important configuration made during installation is the Internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for the IP addresses defining a network entity known as the Internal network. The internal network contains important network servers and services such as Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, firewall management stations, and others. These are services the ISA Server 2004 firewall needs to communicate with immediately after installation is complete.

Communications between the Internal network and the ISA Server 2004 firewall are controlled by the firewall’s System Policy. The System Policy is a collection of predefined Access Rules that determine the type of traffic allowed inbound and outbound to and from the firewall immediately after installation. The System Policy is configurable, which enables you can tighten or loosen the default System Policy Access Rules.

In the document we will discuss the following procedures:

Installing ISA Server 2004 on Windows Server 2003
Reviewing the Default System Policy

Installing ISA Server 2004

Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major decision you make during setup is what IP addresses should be part of the Internal network. The Internal network address configuration is important because the firewall’s System Policy uses the Internal network addresses to define a set of Access Rules.

Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:

Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.
On the Microsoft Internet Security and Acceleration Server 2004 page, click the link for Review Release Notes and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the Setup and Feature Guide window. Click the Install ISA Server 2004 link.
Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter Product Serial Number. Click Next.
On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.
On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener, which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the Firewall Client Installation Share. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next.
On the Internal Network page, click the Add button. The Internal network is different from the LAT, which was used in ISA Server 2000. In the case of ISA Server 2004, the Internal network contains trusted network services the ISA Server 2004 firewall must be able to communicate. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network. We will look at the System Policy later in this document.
In the Internal Network setup page, click the Select Network Adapter button.
In the Select Network Adapter dialog box, remove the check mark from the Add the following private ranges… check box. Leave the check mark in the Add address ranges based on the Windows Routing Table check box. Put a check mark in the check box next to the adapter connected to the Internal network. The reason why we remove the check mark from the add private address ranges check box is that you may want to use these private address ranges for perimeter networks. Click OK.
Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
Click OK on the Internal network address ranges dialog box.
Click Next on the Internal Network page.
On the Firewall Client Connection Settings page, place checkmarks in the Allow non-encrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server check boxes. These settings will allow you to connect to the ISA Server 2004 firewall using downlevel operating systems and from Windows 2000/Windows XP/Windows Server 2003 operating systems running the ISA Server 2000 version of the Firewall client. Click Next.
On the Services page, click Next.
Click Install on the Ready to Install the Program page.
On the Installation Wizard Completed page, click Finish.
Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
Log on as Administrator after the machine restarts

Viewing the System Policy

By default, ISA Server 2004 does not allow outbound access to the Internet from any protected network and it does not allow Internet hosts access the firewall or any networks protected by the firewall. However, a default firewall System Policy is installed that allows network management tasks to be completed.

Note:
A protected network is any network defined by the ISA Server 2004 firewall that is not part of the default External network.

Perform the following steps to see the default firewall System Policy:

Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA Server Management.
In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server node in the scope pane (left pane) and click the Firewall Policy node. Right-click the Firewall Policy node, point to View and click Show System Policy Rules.
Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow (the little blue arrow on the left edge of the task pane on the right side of the console). Notice that the ISA Server 2004 Access Policy represents an ordered list. Policies are processed from top to bottom, which is a significant departure from how ISA Server 2000 processed Access Policy. The System Policy represents a default list of rules controlling access to and from the ISA Server 2004 firewall by default. Note that the System Policy Rules are ordered above any custom Access Policies you will create, and therefore are processed before them. Scroll down the list of System Policy Rules. Notice that the rules are defined by:
Order number
Name
Action (Allow or Deny)
Protocols
From (source network or host)
To (destination network or host)
Condition (who or what the rule applies to)
You may want to widen the Name column to get a quick view rule the rule descriptions. Notice that not all the rules are enabled. Disabled System Policy Rules have a tiny down-pointing red arrow in their lower right corner. Many of the disabled System Policy Rules will become automatically enabled when you make configuration changes to the ISA Server 2004 firewall, such as when you enable VPN access.
Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS servers on all networks.
You can change the settings on a System Policy Rule by double-clicking the rule.
Review the System Policy Rules and then hide the rules by clicking the Show/Hide System Policy Rules button in the console’s button bar. This is the pressed (pushed in) button seen in the following figure.

The following table includes a complete list of the default, built-in System Policy:

Table 1: System Policy Rules

Order	Name	Action	Protocols	From	To	Condition
1	Allow access to directory services for authentication purposes	Allow	LDAP LDAP(GC) LDAP(UDP) LDAPS LDAPS(GC)	Local Host	Internal	All Users
2	Allow Remote Management using MMC	Allow	Microsoft Firewall Control RPC(all interfaces) NetBIOS Datagram NetBIOS Name Service NetBIOS Session	Remote Management Computers	Local Host	All Users
3	Allow Remote Management using Terminal Server	Allow	RDP(Terminal Services)	Remote Management Computers	Local Host	All Users
4	Allow remote logging to trusted servers using NetBIOS	Allow	NetBIOS Datagram NetBIOS Name Service NetBIOS Session	Local Host	Internal	All Users
5	Allow RADIUS authentication from ISA Server to trusted RADIUS servers	Allow	RADIUS RADIUS Accounting	Local Host	Internal	All Users
6	Allow Kerberos authentication from ISA Server to trusted servers	Allow	Kerberos-Sec( TCP) Kerberos-Sec( UDP)	Local Host	Internal	All Users
7	Allow DNS from ISA Server to selected servers	Allow	DNS	Local Host	All Networks	All Users
8	Allow DHCP requests from ISA Server to all networks	Allow	DHCP(request)	Local Host	Anywhere	All Users
9	Allow DHCP replies from DHCP servers to ISA Server	Allow	DHCP(reply)	Anywhere	Local Host	All Users
10	Allow ICMP (PING) requests from selected computers to ISA Server	Allow	Ping	Remote Management Computers	Local Host	All Users
11	Allow ICMP requests from ISA Server to selected servers	Allow	ICMP Information Request ICMP Timestamp Ping	Local Host	All Networks	All Users
121	Allow VPN client traffic to ISA Server	Allow	PPTP	External	Local Host	All Users
132	Allow VPN site-to-site to ISA Server	Allow		External IPSec Remote Gateways	Local Host	All Users
142	Allow VPN site-to-site from ISA Server	Allow		Local Host	External IPSec Remote Gateways	All Users
15	Allow Microsoft CIFS protocol from ISA Server to trusted servers	Allow	Microsoft CIFS(TCP) Microsoft CIFS(UDP)	Local Host	Internal	All Users
167	Allow Remote logging using Microsoft SQL protocol from firewall to trusted servers	Allow	Microsoft SQL(TCP) Microsoft SQL(UDP)	Local Host	Internal	All Users
17	Allow HTTP/HTTPS requests from ISA Server to specified sites	Allow	HTTP HTTPS	Local Host	System Policy Allowed Sites	All Users
183	Allow HTTP/HTTPS requests from ISA Server to selected servers for HTTP connectivity verifiers	Allow	HTTP HTTPS	Local Host	All Networks	All Users
198	Allow access from trusted computers to the Firewall Client installation share on ISA Server	Allow	Microsoft CIFS(TCP) Microsoft CIFS(UDP) NetBIOS Datagram NetBIOS Name Service NetBIOS Session	Internal	Local Host	All Users
209	Allow remote performance monitoring of ISA Server from trusted servers	Allow	NetBIOS Datagram NetBIOS Name Service NetBIOS Session	Remote Management Computers	Local Host	All Users
21	Allow NetBIOS from ISA Server to trusted servers	Allow	NetBIOS Datagram NetBIOS Name Service NetBIOS Session	Local Host	Internal	All Users
22	Allow RPC from ISA Server to trusted servers	Allow	RPC(all interfaces)	Local Host	Internal	All Users
23	Allow HTTP/HTTPS from ISA Server to specified Microsoft Error Reporting sites	Allow	HTTP HTTPS	Local Host	Microsoft Error Reporting sites	All Users
244	Allow SecurID protocol from ISA Server to trusted servers	Allow	SecurID	Local Host	Internal	All Users
255	Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent	Allow	Microsoft Operations Manager Agent	Local Host	Internal	All Users
266	Allow HTTP from ISA Server to all networks for CRL downloads	Allow	HTTP	Local Host	All Networks	All Users
27	Allow NTP from ISA Server to trusted NTP servers	Allow	NTP(UDP)	Local Host	Internal	All Users
28	Allow SMTP from ISA Server to trusted servers	Allow	SMTP	Local Host	Internal	All Users
29	Allow HTTP from ISA Server to selected computers for Content Download Jobs	Allow	HTTP	Local Host	All Networks	System and Network Service

1 This policy is disabled until the VPN Server component is activated

2 These two policies are disabled until a site to site VPN connection is configured

3 This policy is disabled until a connectivity verifier that uses HTTP/HTTPS is configured

4 This policy is disabled until the SecureID filter is enabled

5 This policy must be manually enabled

6 This policy is disabled by default

7 This policy is disabled by default

8 This policy is automatically enabled when the Firewall client share is installed

9 This policy is disabled by default

At this point, the ISA Server 2004 firewall is ready to be configured to allow inbound and outbound access through the firewall. However, before you start creating Access Policies, you should back up the default configuration. This allows you to restore the ISA Server 2004 firewall to its post-installation state. This is useful for future troubleshooting and testing.

Backing Up the Post-Installation Configuration

Perform the following steps to back up the post installation configuration:

Open the Microsoft Internet Security and Acceleration Server 2004 management console and right-click the server name in the left pane of the console. Click the Back Up command.
In the Backup Configuration dialog box, enter a name for the backup file in the File name text box. Be sure to note where you are saving the file by checking the entry in the Save in drop-down list. In this example we will call the backup file backup1. Click the Backup button.
In the Set Password dialog box, enter a password and confirm the password in the Password and Confirm password text boxes. The information in the backup file is encrypted because it can potentially contain passwords and other confidential information that you do not want others to access. Click OK.
Click OK in the Exporting dialog box when you see the The configuration was successfully backed up message.

Make sure to copy the backup file to another location on the network after the backup is complete. The backup file should be stored offline on media that supported NTFS formatting so that you can encrypt the file

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed the procedures required to install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined the firewall System Policy that is created during installation. Finally, we finished up with step by step procedures required to back up the post-installation firewall configuration. In the next document in this ISA Server 2004 Configuration Guide series, we will enable the VPN remote access server.

How to Break a BIOS Password

2010-05-17T05:33:00.000-07:00

How to Break a BIOS Password ?

Methods of breaking password for Desktop PC and for laptop is quite different. We would explain each.

Break BIOS Password for Desktop :
If it's a desktop PC, erasing the cmos memory will usually clear it.

Steps:

1. Power off the computer and make sure that it is unplugged.
2. Open up your computer case. You need physical access to the motherboard to complete this procedure.
3. Find a circular, (mostly) silver metallic object on the motherboard. This is the CMOS battery.
4. CAREFULLY remove the CMOS battery and leave it out for about 120- 180 seconds. This will flush the CMOS memory which stores the BIOS password and all other configuration. (See Warnings)
5. Set the battery back into place and power on the computer.
6. The computer should then warn you that the CMOS configuration could not be found. You can either reconfigure it yourself or restore defaults. Restoring the default configuration should be fine.
7. You will notice that the BIOS password has been cleared and you can boot without it. You may reset the BIOS password to something else by going into the BIOS configuration and setting a new User Password.

Alternate Methos: (More Dificult)

Remove a jumper: There's a jumper on your motherboard that you'll need to identify and remove. Most motherboards make your job easier by actually labeling the correct jumper as "BIOS config" or something similar. (it looks like a small plastic thingy on 2 pins with 1 pin beside it, within a 1" of the battery). If you're having trouble looking for it, look in the motherboard manual.After you have found it, carefuly pull straight up on it, and place it on the 2-3 pins(it was on the 1-2 pins). With the battery removed and the jumper moved, turn the computer on, and check to see if you can get into the bios. If you are able to, turn the computer off, put the jumper back on pins 1-2, and put the battery back in. Lastly put the case together and you are done.

Note: Don't forget to configure the BIOS (if you know how) after this process. If you you don't know how, just hold the "delete" button when starting your PC and when the blue screen appears, find the load safe defaults settings and press:

* ENTER button
* Y button
* F10 button

Break BIOS Password for Laptop :

Remember that laptops can be trickier, especially if it's a newer model. If it has a security chip on the motherboard forget about it. You either have to physically remove the chip or contact the mfg for the "master" password. If you can boot up off of a cd or floppy try any of these methods:

1. Create a Win98SE bootable media "or anything that lets you boot into MS-DOS" and boot off of it.
2. When the A:\> prompt appears type debug and press enter.
3. You will then only see a "-".
4. Type o 70 2E "include the spaces" and press Enter.
5. Type o 71 ff "include the spaces" and press Enter.
6. Type q and press Enter.
7. Here are a list of common mfg backdoor passwords
* AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC,
* AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder

Softwares to Break BIOS Password:

If your system boots but the BIOS password is still in place, there are several programs you can load that are designed to crack the passwords or clear them altogether. The encryption on BIOS passwords is not very complex. Following are links to a few of these free programs:

1. CmosPwd 4.8

Thanks and Best Regards

How to install and configure a Virtual Private Network server in Windows Server 2003

2010-04-21T00:34:00.000-07:00

How to install and configure a Virtual Private Network server in Windows Server 2003

This step-by-step article describes how to install virtual private networking (VPN) and how to create a new VPN connection in servers that are running Windows Server 2003.

With a virtual private network, you can connect network components through another network, such as the Internet. You can make your Windows Server 2003-based computer a remote-access server so that other users can connect to it by using VPN, and then they can log on to the network and access shared resources. VPNs do this by "tunneling" through the Internet or through another public network in a manner that provides the same security and features as a private network. Data is sent across the public network by using its routing infrastructure, but to the user, it appears as if the data is sent over a dedicated private link.

Back to the top
Overview of VPN
A virtual private network is a means of connecting to a private network (such as your office network) by way of a public network (such as the Internet). A VPN combines the virtues of a dial-up connection to a dial-up server with the ease and flexibility of an Internet connection. By using an Internet connection, you can travel worldwide and still, in most places, connect to your office with a local call to the nearest Internet-access phone number. If you have a high-speed Internet connection (such as cable or DSL) at your computer and at your office, you can communicate with your office at full Internet speed, which is much faster than any dial-up connection that uses an analog modem. This technology allows an enterprise to connect to its branch offices or to other companies over a public network while maintaining secure communications. The VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

Virtual private networks use authenticated links to make sure that only authorized users can connect to your network. To make sure data is secure as it travels over the public network, a VPN connection uses Point-to-Point Tunneling Protocol (PPTP) or Layer Two Tunneling Protocol (L2TP) to encrypt data.

Back to the top
Components of a VPN
A VPN in servers running Windows Server 2003 is made up of a VPN server, a VPN client, a VPN connection (that portion of the connection in which the data is encrypted), and the tunnel (that portion of the connection in which the data is encapsulated) . The tunneling is completed through one of the tunneling protocols included with servers running Windows Server 2003, both of which are installed with Routing and Remote Access. The Routing and Remote Access service is installed automatically during the installation of Windows Server 2003. By default, however, the Routing and Remote Access service is turned off.
The two tunneling protocols included with Windows are:

* Point-to-Point Tunneling Protocol (PPTP): Provides data encryption using Microsoft Point-to-Point Encryption.
* Layer Two Tunneling Protocol (L2TP): Provides data encryption, authentication, and integrity using IPSec.

Your connection to the Internet must use a dedicated line such as T1, Fractional T1, or Frame Relay. The WAN adapter must be configured with the IP address and subnet mask assigned for your domain or supplied by an Internet service provider (ISP). The WAN adapter must also be configured as the default gateway of the ISP router.

NOTE: To turn on VPN, you must be logged on using an account that has administrative rights.

Back to the top
How to install and Turn on a VPN Server
To install and turn on a VPN server, follow these steps:

1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Click the server icon that matches the local server name in the left pane of the console. If the icon has a red circle in the lower-left corner, the Routing and Remote Access service has not been turned on. If the icon has a green arrow pointing up in the lower-left corner, the Routing and Remote Access service has been turned on. If the Routing and Remote Access service was previously turn on, you may want to reconfigure the server. To reconfigure the server:
1. Right-click the server object, and then click Disable Routing and Remote Access. Click Yes to continue when you are prompted with an informational message.
2. Right-click the server icon, and then click Configure and Enable Routing and Remote Access to start the Routing and Remote Access Server Setup Wizard. Click Next to continue.
3. Click Remote access (dial-up or VPN) to turn on remote computers to dial in or connect to this network through the Internet. Click Next to continue.
3. Click to select VPN or Dial-up depending on the role that you intend to assign to this server.
4. In the VPN Connection window, click the network interface which is connected to the Internet, and then click Next.
5. In the IP Address Assignment window, click Automatically if a DHCP server will be used to assign addresses to remote clients, or click From a specified range of addresses if remote clients must only be given an address from a pre-defined pool. In most cases, the DHCP option is simpler to administer. However, if DHCP is not available, you must specify a range of static addresses. Click Next to continue.
6. If you clicked From a specified range of addresses, the Address Range Assignment dialog box opens. Click New. Type the first IP address in the range of addresses that you want to use in the Start IP address box. Type the last IP address in the range in the End IP address box. Windows calculates the number of addresses automatically. Click OK to return to the Address Range Assignment window. Click Next to continue.
7. Accept the default setting of No, use Routing and Remote Access to authenticate connection requests, and then click Next to continue. Click Finish to turn on the Routing and Remote Access service and to configure the server as a Remote Access server.

Back to the top
How to Configure the VPN Server
To continue to configure the VPN server as required, follow these steps.
How to Configure the Remote Access Server as a Router
For the remote access server to forward traffic properly inside your network, you must configure it as a router with either static routes or routing protocols, so that all of the locations in the intranet are reachable from the remote access server.

To configure the server as a router:

1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Right-click the server name, and then click Properties.
3. Click the General tab, and then click to select Router under Enable this computer as a.
4. Click LAN and demand-dial routing, and then click OK to close the Properties dialog box.

How to Modify the Number of Simultaneous Connections
The number of dial-up modem connections is dependent on the number of modems that are installed on the server. For example, if you have only one modem installed on the server, you can have only one modem connection at a time.

The number of dial-up VPN connections is dependent on the number of simultaneous users whom you want to permit. By default, when you run the procedure described in this article, you permit 128 connections. To change the number of simultaneous connections, follow these steps:

1. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
2. Double-click the server object, right-click Ports, and then click Properties.
3. In the Ports Properties dialog box, click WAN Miniport (PPTP), and then click Configure.
4. In the Maximum ports box, type the number of VPN connections that you want to permit.
5. Click OK, click OK again, and then close Routing and Remote Access.

How to Manage Addresses and Name Servers
The VPN server must have IP addresses available to assign them to the VPN server's virtual interface and to VPN clients during the IP Control Protocol (IPCP) negotiation phase of the connection process. The IP address assigned to the VPN client is assigned to the virtual interface of the VPN client.

For Windows Server 2003-based VPN servers, the IP addresses assigned to VPN clients are obtained through DHCP by default. You can also configure a static IP address pool. The VPN server must also be configured with name resolution servers, typically DNS and WINS server addresses, to assign to the VPN client during IPCP negotiation.

How to Manage Access
Configure the dial-in properties on user accounts and remote access policies to manage access for dial-up networking and VPN connections.

NOTE: By default, users are denied access to dial-up networking.

Access by User Account
To grant dial-in access to a user account if you are managing remote access on a user basis, follow these steps:

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. Right-click the user account, and then click Properties.
3. Click the Dial-in tab.
4. Click Allow access to grant the user permission to dial in. Click OK.

Access by Group Membership
If you manage remote access on a group basis, follow these steps:

1. Create a group with members who are permitted to create VPN connections.
2. Click Start, point to Administrative Tools, and then click Routing and Remote Access.
3. In the console tree, expand Routing and Remote Access, expand the server name, and then click Remote Access Policies.
4. Right-click anywhere in the right pane, point to New, and then click Remote Access Policy.
5. Click Next, type the policy name, and then click Next.
6. Click VPN for Virtual Private Access access method, or click Dial-up for dial-up access, and then click Next.
7. Click Add, type the name of the group that you created in step 1, and then click Next.
8. Follow the on-screen instructions to complete the wizard.

If the VPN server already permits dial-up networking remote access services, do not delete the default policy. Instead, move it so that it is the last policy to be evaluated.

Back to the top
How to Configure a VPN Connection from a Client Computer
To set up a connection to a VPN, follow these steps. To set up a client for virtual private network access, follow these steps on the client workstation:

NOTE: You must be logged on as a member of the Administrators group to follow these steps.

NOTE: Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. On the client computer, confirm that the connection to the Internet is correctly configured.
2. Click Start, click Control Panel, and then click Network Connections. Click Create a new connection under Network Tasks, and then click Next.
3. Click Connect to the network at my workplace to create the dial-up connection. Click Next to continue.
4. Click Virtual Private Network connection, and then click Next.
5. Type a descriptive name for this connection in the Company name dialog box, and then click Next.
6. Click Do not dial the initial connection if the computer is permanently connected to the Internet. If the computer connects to the Internet through an Internet Service Provider (ISP), click Automatically dial this initial connection, and then click the name of the connection to the ISP. Click Next.
7. Type the IP address or the host name of the VPN server computer (for example, VPNServer.SampleDom ain.com).
8. Click Anyone's use if you want to permit any user who logs on to the workstation to have access to this dial-up connection. Click My use only if you want this connection to be available only to the currently logged-on user. Click Next.
9. Click Finish to save the connection.
10. Click Start, click Control Panel, and then click Network Connections.
11. Double-click the new connection.
12. Click Properties to continue to configure options for the connection. To continue to configure options for the connection, follow these steps:
* If you are connecting to a domain, click the Options tab, and then click to select the Include Windows logon domain check box to specify whether to request Windows Server 2003 logon domain information before trying to connect.
* If you want the connection to be redialed if the line is dropped, click the Options tab, and then click to select the Redial if line is dropped check box.

To use the connection, follow these steps:

1. Click Start, point to Connect to, and then click the new connection.
2. If you do not currently have a connection to the Internet, Windows offers to connect to the Internet.
3. When the connection to the Internet is made, the VPN server prompts you for your user name and password. Type your user name and password, and then click Connect.
Your network resources must be available to you in the same way they are when you connect directly to the network.NOTE: To disconnect from the VPN, right-click the connection icon, and then click Disconnect.

Back to the top
Troubleshooting
Troubleshooting Remote Access VPNs
Cannot Establish a Remote Access VPN Connection

* Cause: The name of the client computer is the same as the name of another computer on the network.

Solution: Verify that the names of all computers on the network and computers connecting to the network are using unique computer names.
* Cause: The Routing and Remote Access service is not started on the VPN server.

Solution: Verify the state of the Routing and Remote Access service on the VPN server.

See Windows Server 2003 Help and Support Center for more information about how to monitor the Routing and Remote Access service, and how to start and stop the Routing and Remote Access service. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: Remote access is not turned on on the VPN server.

Solution: Turn on remote access on the VPN server.

See the Windows Server 2003 Help and Support Center for more information about how to turn on the remote access server. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: PPTP or L2TP ports are not turned on for inbound remote access requests.

Solution: Turn on PPTP or L2TP ports, or both, for inbound remote access requests.

See the Windows Server 2003 Help and Support Center for more information about how to configure ports for remote access. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The LAN protocols used by the VPN clients are not turned on for remote access on the VPN server.

Solution: Turn on the LAN protocols used by the VPN clients for remote access on the VPN server.

See the Windows Server 2003 Help and Support Center for more information about how to view properties of the remote access server. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: All of the PPTP or L2TP ports on the VPN server are already being used by currently connected remote access clients or demand-dial routers.

Solution: Verify that all of the PPTP or L2TP ports on the VPN server are already being used. To do so, click Ports in Routing and Remote Access. If the number of PPTP or L2TP ports permitted is not high enough, change the number of PPTP or L2TP ports to permit more concurrent connections.

See the Windows Server 2003 Help and Support Center for more information about how to add PPTP or L2TP ports. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN server does not support the tunneling protocol of the VPN client.

By default, Windows Server 2003 remote access VPN clients use the Automatic server type option, which means that they try to establish an L2TP over IPSec-based VPN connection first, and then they try to establish a PPTP-based VPN connection. If VPN clients use either the Point-to-Point Tunneling Protocol (PPTP) or Layer-2 Tunneling Protocol (L2TP) server type option, verify that the selected tunneling protocol is supported by the VPN server.

By default, a computer running Windows Server 2003 Server and the Routing and Remote Access service is a PPTP and L2TP server with five L2TP ports and five PPTP ports. To create a PPTP-only server, set the number of L2TP ports to zero. To create an L2TP-only server, set the number of PPTP ports to zero.

Solution: Verify that the appropriate number of PPTP or L2TP ports is configured.

See the Windows Server 2003 Help and Support Center for more information about how to add PPTP or L2TP ports. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common authentication method.

Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common authentication method.

See the Windows Server 2003 Help and Support Center for more information about how to configure authentication. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN client and the VPN server in conjunction with a remote access policy are not configured to use at least one common encryption method.

Solution: Configure the VPN client and the VPN server in conjunction with a remote access policy to use at least one common encryption method.

See the Windows Server 2003 Help and Support Center for more information about how to configure encryption. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN connection does not have the appropriate permissions through dial-in properties of the user account and remote access policies.

Solution: Verify that the VPN connection has the appropriate permissions through dial-in properties of the user account and remote access policies. For the connection to be established, the settings of the connection attempt must:
o Match all of the conditions of at least one remote access policy.
o Be granted remote access permission through the user account (set to Allow access) or through the user account (set to Control access through Remote Access Policy) and the remote access permission of the matching remote access policy (set to Grant remote access permission).
o Match all the settings of the profile.
o Match all the settings of the dial-in properties of the user account.
See the Windows Server 2003 Help and Support Center for an introduction to remote access policies, and for more information about how to accept a connection attempt. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The settings of the remote access policy profile are in conflict with properties of the VPN server.

The properties of the remote access policy profile and the properties of the VPN server both contain settings for:
o Multilink.
o Bandwidth allocation protocol (BAP).
o Authentication protocols.
If the settings of the profile of the matching remote access policy are in conflict with the settings of the VPN server, the connection attempt is rejected. For example, if the matching remote access policy profile specifies that the Extensible Authentication Protocol - Transport Level Security (EAP-TLS) authentication protocol must be used and EAP is not enabled on the VPN server, the connection attempt is rejected.

Solution: Verify that the settings of the remote access policy profile are not in conflict with properties of the VPN server.

See the Windows Server 2003 Help and Support Center for more information about additional information about multilink, BAP and authentication protocols. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The answering router cannot validate the credentials of the calling router (user name, password, and domain name).

Solution: Verify that the credentials of the VPN client (user name, password, and domain name) are correct and can be validated by the VPN server.
* Cause: There are not enough addresses in the static IP address pool.

Solution: If the VPN server is configured with a static IP address pool, verify that there are enough addresses in the pool. If all of the addresses in the static pool have been allocated to connected VPN clients, the VPN server cannot allocate an IP address, and the connection attempt is rejected. If all of the addresses in the static pool have been allocated, modify the pool. See the Windows Server 2003 Help and Support Center for more information about TCP/IP and remote access, and how to create a static IP address pool. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN client is configured to request its own IPX node number and the VPN server is not configured to permit IPX clients to request their own IPX node number.

Solution: Configure the VPN server to permit IPX clients to request their own IPX node number.

See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN server is configured with a range of IPX network numbers that are being used elsewhere on your IPX network.

Solution: Configure the VPN server with a range of IPX network numbers that is unique to your IPX network.

See the Windows Server 2003 Help and Support Center for more information about IPX and remote access. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The authentication provider of the VPN server is improperly configured.

Solution: Verify the configuration of the authentication provider. You can configure the VPN server to use either Windows Server 2003 or Remote Authentication Dial-In User Service (RADIUS) to authenticate the credentials of the VPN client.

See the Windows Server 2003 Help and Support Center for more information about authentication and accounting providers, and how to use RADIUS authentication. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN server cannot access Active Directory.

Solution: For a VPN server that is a member server in a mixed-mode or native-mode Windows Server 2003 domain that is configured for Windows Server 2003 authentication, verify that:
o The RAS and IAS Servers security group exists. If not, create the group and set the group type to Security and the group scope to Domain local.
o The RAS and IAS Servers security group has Read permission to the RAS and IAS Servers Access Check object.
o The computer account of the VPN server computer is a member of the RAS and IAS Servers security group. You can use the netsh ras show registeredserver command to view the current registration. You can use the netsh ras add registeredserver command to register the server in a specified domain.

If you add (or remove) the VPN server computer to the RAS and IAS Servers security group, the change does not take effect immediately (because of the way that Windows Server 2003 caches Active Directory information) . To immediately effect this change, restart the VPN server computer.
o The VPN server is a member of the domain.
See the Windows Server 2003 Help and Support Center for more information about how to add a group, how to verify permissions for the RAS and IAS security group, and about netsh commands for remote access. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: A Windows NT 4.0-based VPN server cannot validate connection requests.

Solution: If VPN clients are dialing in to a VPN server running Windows NT 4.0 that is a member of a Windows Server 2003 mixed-mode domain, verify that the Everyone group is added to the Pre-Windows 2000 Compatible Access group with the following command:
"net localgroup "Pre-Windows 2000 Compatible Access""
If not, type the following command at a command prompt on a domain controller computer, and then restart the domain controller computer:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
See the Windows Server 2003 Help and Support Center for more information about Windows NT 4.0 remote access server in a Windows Server 2003 domain. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: The VPN server cannot communicate with the configured RADIUS server.

Solution: If you can reach your RADIUS server only through your Internet interface, do one of the following:
o Add an input filter and an output filter to the Internet interface for UDP port 1812 (based on RFC 2138, "Remote Authentication Dial-In User Service (RADIUS)"). –or-
o Add an input filter and an output filter to the Internet interface for UDP port 1645 (for older RADIUS servers), for RADIUS authentication and UDP port 1813 (based on RFC 2139, "RADIUS Accounting") . -or-

o -or- Add an input filter and an output filter to the Internet interface for UDP port 1646 (for older RADIUS servers) for RADIUS accounting.
See the Windows Server 2003 Help and Support Center for more information about how to add a packet filter. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: Cannot connect to the VPN server over the Internet using the Ping.exe utility.

Solution: Because of the PPTP and L2TP over IPSec packet filtering that is configured on the Internet interface of the VPN server, Internet Control Message Protocol (ICMP) packets used by the ping command are filtered out. To turn on the VPN server to respond to ICMP (ping) packets, add an input filter and an output filter that permit traffic for IP protocol 1 (ICMP traffic).

See the Windows Server 2003 Help and Support Center for more information about how to add a packet filter. Click Start to access the Windows Server 2003 Help and Support Center.

Cannot Send and Receive Data

* Cause: The appropriate demand-dial interface has not been added to the protocol being routed.

Solution: Add the appropriate demand-dial interface to the protocol being routed.

See the Windows Server 2003 Help and Support Center for more information about how to add a routing interface. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: There are no routes on both sides of the router-to-router VPN connection that support the two-way exchange of traffic.

Solution: Unlike a remote access VPN connection, a router-to-router VPN connection does not automatically create a default route. Create routes on both sides of the router-to-router VPN connection so that traffic can be routed to and from the other side of the router-to-router VPN connection.

You can manually add static routes to the routing table, or you can add static routes through routing protocols. For persistent VPN connections, you can turn on Open Shortest Path First (OSPF) or Routing Information Protocol (RIP) across the VPN connection. For on-demand VPN connections, you can automatically update routes through an auto-static RIP update. See Windows Server 2003 online Help for more information about how to add an IP routing protocol, how to add a static route, and how to perform auto-static updates. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: A two-way initiated, the answering router as a remote access connection is interpreting router-to-router VPN connection.

Solution: If the user name in the credentials of the calling router appears under Dial-In Clients in Routing and Remote Access, the answering router may interpret the calling router as a remote access client. Verify that the user name in the credentials of the calling router matches the name of a demand-dial interface on the answering router. If the incoming caller is a router, the port on which the call was received shows a status of Active and the corresponding demand-dial interface is in a Connected state.

See Windows Server 2003 online Help for more information about how to check the status of the port on the answering router, and how to check the status of the demand-dial interface. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: Packet filters on the demand-dial interfaces of the calling router and answering router are preventing the flow of traffic.

Solution: Verify that there are no packet filters on the demand-dial interfaces of the calling router and answering router that prevent the sending or receiving of traffic. You can configure each demand-dial interface with IP and IPX input and output filters to control the exact nature of TCP/IP and IPX traffic that is permitted into and out of the demand-dial interface.

See Windows Server 2003 online Help for more information about how to manage packet filters. Click Start to access the Windows Server 2003 Help and Support Center.
* Cause: Packet filters on the remote access policy profile are preventing the flow of IP traffic.

Solution: Verify that there are no configured TCP/IP packet filters on the profile properties of the remote access policies on the VPN server (or the RADIUS server if Internet Authentication Service is used) that are preventing the sending or receiving of TCP/IP traffic. You can use remote access policies to configure TCP/IP input and output packet filters that control the exact nature of TCP/IP traffic permitted on the VPN connection. Verify that the profile TCP/IP packet filters are not preventing the flow of traffic.

See Windows Server 2003 online Help for more information about how to configure IP options. Click Start to access the Windows Server 2003 Help and Support Center.

Disk Management in Exp

2010-04-02T02:13:00.000-07:00

Disk Management
Normally, you will need to be a local administrator to perform most system configuration functions (even just taking a look at the current configuration settings) on a Windows XP Professional system, and in some cases, there may be a local policy set by some other administrator or if your system is in a Domain, a Domain policy setting which may prevent you from performing some actions.

To open the Disk Management MMC, you can select Start, right-click My Computer, and then click Manage, which will open the Computer Management MMC. Under the Storage icon, click Disk Management to open the Disk Management MMC.

You can also type compmgmt.msc in the RUN box or from a command line to launch the Computer Management MMC.

[NOTES FROM THE FIELD] - What your Start Menu options look like all depend on how you have the menu set. If you are using the Classic Start Menu, you would not see My Computer as a selection to right click on. Your options would be to click Start, select Administrative Tools and then select Computer Management. Not a whole lot different, but perhaps just enough to confuse you.

The Windows XP Professional exam rarely tests you on Classic anything. You need to know how to get from Windows XP Professional settings to Classic and back, but in 90% of the cases you're going to find instructions laid out in the Windows XP Professional vein. I will do my best to point out alternatives in the [NOTES FROM THE FIELD] section as I have done here.

If you want to directly open the Disk Management MMC you can type diskmgmt.msc from the RUN box or from a command line. This will run the tool independently from the Computer Management MMC.

As you can see from the image above, we have a number of basic physical and logical drives on the system, as well as two CD-ROM drives (not shown in the above image).

If there were removable drives on this system, such as Jaz or ORB drives and the like, they would appear here as well. The removable drives, as well as the CD-ROM drives, will either show "no media" when they are empty (or some error is preventing them from seeing inserted media) or the file system of the installed media.

(When I inserted a CD-ROM in my DVD drive, the Disk Management MMC automatically detected the change, refreshed it's view, and displayed the data. The Compact Disk File System (CDFS) is file system of the inserted disk and is displayed.)

When you select a drive in the upper window (which is currently set to the default Volume List View) by left clicking on it once, not only will it become highlighted (in blue), but it will also become shaded in the lower part of the window (which is currently set to the default Graphical List View).

You can change the appearance of both the top and bottom window views by selecting VIEW from the menu and then selecting whichever (or both) views you wish to change. Top and Bottom, along with Settings and Drive Paths are controlled here.

You can change the colors and wallpaper for volumes and disk regions by selecting VIEW and then SETTINGS. The APPEARANCE tab shows all of the current default colors for the available disk regions. Even disk regions that are not currently installed on the system are set with specific colors by default.

You can change how disk sizes are displayed on the SCALING tab. The default settings are shown below.

That's the five cent tour of the Disk Management MMC.

DiskPart
The command line tool, DiskPart, is available in Windows XP Professional, which allows the administrator to handle disk administrative tasks from a command prompt.

You start your session at the command prompt by typing the following:

H:\Documents and Settings\JZANDRI>diskpart

Microsoft DiskPart version 1.0
Copyright (C) 1999-2001 Microsoft Corporation.
On computer: P42GHZ

DISKPART>

This will put you into the DiskPart program session. If you needed to get a little more information on DiskPart before starting your session and tried the standard :\diskpart /?, this is all you would get:

H:\Documents and Settings\JZANDRI>diskpart /?

Microsoft DiskPart version 1.0
Copyright (C) 1999-2001 Microsoft Corporation.
On computer: P42GHZ

Microsoft DiskPart syntax:
diskpart [/s