
The Best Damn Windows Server 2003 Book Period- P9 pdf


The Internet Printing Protocol
Windows Server 2003 enables users to print to printers over the Internet or an intranet. Users have to know the URL for the printer so that they can connect to it via their Web browsers. For servers running Windows 2000 Server or Windows Server 2003, the URL http://server/printers shows the printers available on the server. At this URL, users can connect to a printer, review the queue, and manage printers and jobs for which they have permissions. Figure 2.10 shows an example of viewing a queue using a Web page. Internet Printing requires Internet Information Services (IIS) to be running on the server. Internet Printing is installed by default on Windows 2000, but on Windows Server 2003 it has to be specifically installed, as does IIS (which is also not installed by default).
Using the Graphical Interface
Most of the time, you will use the graphical interface for managing services. You can start it in a number of ways:

Select Start | Programs | Administrative Tools | Computer Management. In the
Computer Management window, expand Services and Applications, and then click
Services.

Create a custom Microsoft Management Console that contains the Services snap-in.

Select Start | Programs | Administrative Tools | Services.
Using New Command-Line Utilities
In addition to the graphical interface, Windows Server 2003 has a number of command-line-based programs to manage and troubleshoot services and perform a few other server tasks. These are executable programs rather than scripts, so they do not need to be run with the cscript command. In the following sections, we examine each program.
46 Chapter 2 • Using Server Management Tools
Figure 2.10 Viewing a Printer Queue using a Web Page
301_BD_W2k3_02.qxd 5/12/04 10:54 AM Page 46
Sc.exe
The sc.exe program communicates with the Service Controller and has twenty-four different options. We won’t examine them all here, but you can refer to the online help for more information. In general, sc is used to configure services and manage their status, name, and permissions. For example, sc stop <servicename> is used to stop a service, but <servicename> must be the name as stored in the registry and not the display name. Use sc getkeyname to determine the registry name of the service. Figure 2.11 shows how to find the registry name for the Telnet service, how to check the service’s current status, and how to stop the Telnet service.
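The getkeyname, query and stop sequence of Figure 2.11 as a cmd.exe batch script. This is an added example, not code from the book; it assumes the display name Telnet and an administrative command prompt.

```batch
@echo off
rem Added example, not code from the book: resolve a service's registry key name from
rem its display name with sc getkeyname, check its state with sc query, then stop it
rem with sc stop and wait for the stop to complete. Assumes the display name "Telnet"
rem as in Figure 2.11 and an administrative command prompt.
setlocal

set "DISPLAY=Telnet"
set "KEY="

rem On success sc getkeyname prints:  [SC] GetServiceKeyName SUCCESS  Name = TlntSvr
rem Split that line on "=" and keep the second token, then trim its leading space.
for /f "tokens=2 delims==" %%A in ('sc getkeyname "%DISPLAY%" ^| findstr /c:"Name ="') do set "KEY=%%A"
if not defined KEY (
    echo No service with display name "%DISPLAY%" is installed.
    exit /b 1
)
for /f "tokens=* delims= " %%B in ("%KEY%") do set "KEY=%%B"
echo Registry key name for "%DISPLAY%" is %KEY%

rem sc query reports the state on a line such as:  STATE : 4  RUNNING
sc query "%KEY%" | findstr /c:"RUNNING" >nul
if errorlevel 1 (
    echo %KEY% is not running; nothing to stop.
    exit /b 0
)

rem sc stop only sends the stop request, so poll sc query until it reports STOPPED.
sc stop "%KEY%" >nul
for /l %%N in (1,1,10) do (
    sc query "%KEY%" | findstr /c:"STOPPED" >nul && (
        echo %KEY% stopped.
        exit /b 0
    )
    rem a ping to the loopback address waits about one second without relying on timeout.exe
    ping -n 2 127.0.0.1 >nul
)
echo %KEY% has not stopped after 10 seconds; check sc query "%KEY%".
exit /b 1
```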
Schtasks.exe
You use schtasks to set programs to run at scheduled intervals, delete or change existing scheduled tasks, and stop or run a scheduled task immediately. Table 2.6 lists the six options for schtasks. Schtasks doesn’t provide as much control over scheduled tasks as using the graphical interface.
Table 2.6 Options for the schtasks Command
Schtasks option Use
schtasks create Create a new scheduled task.
schtasks change Change the properties of a scheduled task but not the actual schedule.
schtasks run Run a scheduled task immediately.
schtasks end Stop a scheduled task that is currently running.
schtasks delete Delete a scheduled task.
schtasks query List all the scheduled tasks on the local or a remote computer.
Figure 2.11 Stopping the Telnet Service Using sc
Setx.exe
You use setx to configure environment variables for either the user (the variables apply only to a specific user) or the system environment (the variables apply to all users). You can set variables explicitly by specifying their value, or by using the value of a registry key or the contents of a file. Setx is the only way to set a variable permanently (i.e., so that it is remembered between reboots) from the command line.
Shutdown.exe
Use the shutdown command to shut down or restart local or remote computers. You can also use it to shut down several computers at once using the /i option. With this option, a new window appears where you add the names of the computers that you want to shut down or restart. Figure 2.12 shows the dialog box for the /i option.

Tasklist.exe
Tasklist shows all the tasks that are running on the local or remote computer. Tasklist is a really useful
command given its many options as shown in Table 2.7.

The /S option connects to a remote computer. You might also have to specify the /U option to connect as a particular user and the /P option to specify the password for that user.

The /M option lists all the dll modules that a process has loaded. However, you can also
use this option to list all the processes that have loaded a particular module by specifying
/M module name. For example, to list all processes that have loaded the user32.dll module,
use tasklist /M user32.dll.

The /FI option is particularly useful for restricting the output to list only the tasks that are of interest. This option is used with a variety of filters, which can, for example, be used to display tasks with a particular name, process number, or processes that have used more than a certain amount of CPU time. As an example, to list all processes that start with H, use the command tasklist /FI "IMAGENAME eq H*".

Figure 2.12 The Remote Shutdown Dialog Box

The /FO option controls how the output is displayed. There are three formats: Table, List, or CSV.

The /V option adds information to the output.
Table 2.7 Some of the Options for the tasklist Command
Tasklist Option Use
Tasklist /S Connect to a remote computer (system).
Tasklist /M List modules loaded by processes.
Tasklist /FI filter Display only processes that match the filter.
Tasklist /FO format Specify how the output is displayed.
Tasklist /V Display verbose information.
Taskkill.exe
Use taskkill to terminate processes on the local or a remote computer. You need to use tasklist first to identify the process that needs to be terminated. Taskkill has many options, and if used without care you could end up ending more processes than you expected.

The /S option connects to a remote computer. You might also have to specify the /U option to connect as a particular user and the /P option to specify the password for that user.

The /F option forcefully terminates a process. Without the /F option a process might not actually terminate, particularly if it raises a dialog box asking whether changes should be saved. The /F option overrides this, but there is a risk of losing the user’s work.

Use the /FI option with extreme care, because it can terminate all processes that match a given filter. For example, taskkill /FI "IMAGENAME eq H*" terminates all processes that start with H.

The /PID option terminates a process with a specific process number.

The /T option terminates a process and all child processes that it started.

The /IM option is functionally the same as /FI with IMAGENAME, in that it terminates processes with a specific name or names. You can use wildcards to specify the process names.
Table 2.8 Some of the Options for the taskkill Command
Taskkill Option Use
Taskkill /S Connect to a remote computer (system).
Taskkill /F Forcefully terminate a process.
Taskkill /FI filter Terminate processes that match the filter. Use with care!
Taskkill /PID process id Terminate the process with this ID.
Taskkill /T Terminate a process and all its child processes.
Taskkill /IM process name Terminate all processes that match the given image name.
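The tasklist-then-taskkill workflow described above as a cmd.exe batch script, added here rather than taken from the book. It takes a module name as its first argument (as in the tasklist /M user32.dll example) and a /KILL second argument that is this script’s own convention; without /KILL it only reports the PIDs it would end.

```batch
@echo off
rem Added example, not code from the book: list the processes that have loaded a given
rem module with tasklist /M, then end them one PID at a time with taskkill /PID rather
rem than a broad taskkill /FI "IMAGENAME eq ..." wildcard. Usage and the /KILL switch
rem are this script's own conventions; without /KILL it only reports what it would do.
setlocal enabledelayedexpansion

if "%~1"=="" (
    echo Usage: %~nx0 module.dll [/KILL]
    exit /b 1
)
set "MODULE=%~1"
set "DOKILL=0"
if /i "%~2"=="/KILL" set "DOKILL=1"

rem tasklist /M module /FO CSV /NH prints one quoted line per matching process, e.g.
rem   "notepad.exe","1234","user32.dll"
rem The ~ modifier on the for variables strips the surrounding quotes.
set "COUNT=0"
for /f "tokens=1,2 delims=," %%A in ('tasklist /M "%MODULE%" /FO CSV /NH') do (
    set "IMAGE=%%~A"
    set "PID=%%~B"
    rem With no match tasklist prints an INFO: line instead of CSV; skip it.
    if /i not "!IMAGE:~0,5!"=="INFO:" (
        set /a COUNT+=1
        echo !IMAGE! ^(PID !PID!^) has loaded %MODULE%
        rem Leave PIDs 0 and 4 and any cmd.exe alone so the script cannot end its own shell.
        if !PID! GTR 4 if /i not "!IMAGE!"=="cmd.exe" (
            if "%DOKILL%"=="1" (
                rem /PID targets exactly one process; /T also ends the children it started.
                taskkill /PID !PID! /T
            ) else (
                echo   would run: taskkill /PID !PID! /T
            )
        )
    )
)
echo %COUNT% process^(es^) have loaded %MODULE%.
endlocal
```

Run it first without /KILL and review the reported PIDs; taskkill without /F still lets a process refuse to exit, as described for the /F option above.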
Using Wizards to Configure and Manage Your Server
A lot of effort has been made in Windows Server 2003 to make administrative tasks easy for the
administrator through the use of wizards. A key wizard is the Configure Your Server Wizard,
which, in conjunction with the Manage Your Server tool, guides an administrator through the
most common administrative tasks.
Using the Configure Your Server Wizard and Manage Your Server
Windows Server 2003 introduces the concept of server roles, which brings related administrative tasks together for management purposes. We’ll examine each of these roles in the next chapter. Figure 2.20 shows the server role page of the Configure Your Server Wizard. This page shows whether a role has been configured.
You must install server roles using the Configure Your Server Wizard before you can manage them using Manage Your Server. In the rest of this section we’ll look at each of the roles in more detail. The Configure Your Server Wizard and Manage Your Server can be found in Start | Programs | Administrative Tools.
Note that the use of server roles is completely optional and there is no reason you can’t perform
server administrative tasks without setting up server roles.
Planning Server Roles and Server Security

In this chapter:

Understanding server roles

Planning a server security strategy

Planning baseline security

Customizing server security
Introduction
Planning an effective security strategy for Windows Server 2003 requires an understanding of the roles that different servers play on the network and the security needs of different types of servers based on the security requirements of your organization. Securing the servers is an important part of any network administrator’s job.
In this chapter, we will first review server roles and ensure that you have an understanding of the many roles Windows Server 2003 can play on the network. We will discuss domain controllers; file and print servers; DHCP, DNS, and WINS servers; Web servers; database servers; mail servers; certification authorities; and terminal servers. Then we will delve into how to plan a server security strategy. We will examine how to choose the right operating system according to security needs, how to identify minimum security requirements for your organization, and how to identify the correct configurations to satisfy those security requirements.
Next, we’ll review how to plan baseline security on both client and server machines. We will cover planning the secure baseline installation parameters and enforcing default security settings on new computers. We will look at how to customize server security, securing your servers according to their roles. Then we will walk through the process of creating custom security templates and how to deploy security configurations.
Chapter 3
51
301_BD_w2k3_03.qxd 5/12/04 10:56 AM Page 51

Understanding Server Roles
When Windows Server 2003 is installed on a computer, it provides a wide variety of tools and functionality. However, additional features may still need to be installed on the server to bring clients the services they need. The server may need to supply file and print services, authenticate users, or support a local intranet Web site. Until Windows Server 2003 is configured to supply these services, clients will be unable to use the server in the manner required by the organization.
Server roles are profiles that are used to configure Windows Server 2003 to provide specific
functionality to the network. When you set up a server to use a specific role, various services and
tools are enabled or installed, and the server is configured to provide additional services and
resources to network clients. Roles are applied to machines using the Configure Your Server Wizard
and managed using the Manage Your Server tool.
As shown in Figure 3.1, Manage Your Server provides information about the roles that are currently configured for a server, and it provides the ability to add and remove roles from a server. Depending on your server’s settings, this tool will start automatically upon logon. If you’ve checked the Don’t display this page at logon check box at the bottom of this window, Manage Your Server will not start automatically. You can start it manually by selecting Start | Administrative Tools | Manage Your Server.
As shown in Figure 3.1, there are a variety of items in Manage Your Server’s main window. The left side of the window lists the roles currently configured for the server. Beside each entry, there are buttons that relate to the corresponding role. These buttons differ from role to role, and they are used to invoke other tools for managing the role or to view information on additional steps that can be taken to configure, administer, and maintain the role.
Near the top of the Manage Your Server window are three buttons. Two of these are used to obtain additional information about roles and remote administration. The other button, labeled Add or remove a role, is used to invoke the Configure Your Server Wizard. You can also start the Wizard by selecting Start | Administrative Tools | Configure Your Server.
Figure 3.1 The Main Manage Your Server Window
When the Configure Your Server Wizard starts, it informs you of possible preliminary steps that need to be taken before a new role is added. As shown in Figure 3.2, these steps include ensuring that network and Internet connections are set up and active for the server, peripherals are turned on, and your Windows Server 2003 installation CD is available. When you finish reading this information, click the Next button to have the Wizard test network connections and continue to the next step.
In the next window, shown in Figure 3.3, roles that are available to add and remove through the Wizard are listed in the Server Role column; the Configured column indicates whether the role has been previously installed. If you want to install a role that isn’t listed here, click the Add or Remove Programs link to open the Add or Remove Programs applet (in the Windows Control Panel), where you can configure additional services.
In Figure 3.3, you can see that there are 11 different roles that can be applied to Windows Server 2003 through the Configure Your Server Wizard. These roles are as follows:
Figure 3.2 Preliminary Steps of the Configure Your Server Wizard
Figure 3.3 Configuring Server Roles

Domain controller This role is used for authentication and installs Active Directory on
the server.

File server This role is used to provide access to files stored on the server.

Print server This role is used to provide network printing functionality.

DHCP server This role allocates IP addresses and provides configuration information to
clients.

DNS server This role resolves IP addresses to domain names (and vice versa).

WINS server This role resolves IP addresses to NetBIOS names (and vice versa).


Mail server This role provides e-mail services.

Application server This role makes distributed applications and Web applications available to clients.

Terminal server This role provides Terminal Services for clients to access applications
running on the server.

Remote access/VPN server This role provides remote access to machines through
dial-up connections and virtual private networks (VPNs).

Streaming media server This role provides Windows Media Services so that clients can
access streaming audio and video.
After you select the role to add to the server, click Next to step through the process of setting up that role. The set of configuration windows is different for each server role. Also, although multiple roles can be installed on Windows Server 2003, only one role at a time can be configured using the Configure Your Server Wizard. To install additional roles, you need to run the Wizard again.
Before setting up a server role, it is important to understand each of the roles that can be
applied to Windows Server 2003 so you select the roles most appropriate for the server’s use and for
your organization. In the sections that follow, we will discuss these roles in greater detail and
examine how they are installed with the Configure Your Server Wizard and other tools.
Domain Controllers (Authentication Servers)
Domain controllers are a fundamental part of a Microsoft network because they are used to manage domains. An important function of a domain controller is user authentication and access control. By combining authentication and access control, a domain controller can permit or deny access to network services and resources on a user-by-user basis.
Active Directory
To perform these functions, the domain controller must have information about users and other objects in a domain. In Windows 2000 and Windows Server 2003, this data is stored in Active Directory (AD), which is a directory service that runs on domain controllers.
When AD is installed, the server becomes a domain controller. Until this time, it is a member server that cannot be used for domain authentication and management of domain users or other domain-based objects. This does not mean, however, that AD can be installed on every version of Windows Server 2003. It can be installed on Standard Edition, Enterprise Edition, and Datacenter Edition, but servers running the Web Edition of Windows Server 2003 cannot be domain controllers. Web Edition servers can be only stand-alone or member servers that provide resources and services to the network.
A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a tool that promotes a member server to domain controller status. During the installation, a writable copy of the AD database is placed on the server’s hard disk. The file used to store directory information is called NTDS.dit and, by default, is located in %systemroot%\NTDS. When changes are made to the directory, they are saved to this file.
Each domain controller retains its own copy of the directory, containing information about the domain in which it is located. If one domain controller becomes unavailable, users and computers can still access the AD data store on another domain controller in that domain. This allows users to continue logging on to the network, even though the domain controller that is normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down. When a change is made on one domain controller, the change is replicated, so every domain controller continues to have an accurate copy of AD. This type of replication is called multi-master, because each domain controller contains a full read/write copy of the AD database.
Operations Master Roles
In Windows Server 2003, all domain controllers are relatively equal by default. However, there are still some operations that need to be performed by a single domain controller in the domain or forest. To address these, Microsoft created the concept of operations masters. Operations masters serve many purposes. Some control where components of AD can be modified; others store specific information that is key to the healthy function of AD at the domain level. Because only one domain controller in a domain or forest fulfills a given role, these roles are also referred to as Flexible Single Master of Operations (FSMO) roles. Some FSMO roles are unique to each domain; others are unique to the forest.
There are five different types of master roles, each serving a specific purpose. Two of these master roles are applied at the forest level (forest-wide roles), and the others are applied at the domain level (domain-wide roles). The following are the forest-wide operations master roles:

Schema master A domain controller that is in charge of all changes to the AD schema. The schema determines which object classes and attributes are used within the forest. If additional object classes or attributes need to be added, the schema is modified to accommodate these changes. The schema master is used to write to the directory’s schema, which is then replicated to other domain controllers in the forest. Updates to the schema can be performed only on the domain controller acting in this role.

Domain naming master A domain controller that is in charge of adding new domains and removing unneeded ones from the forest. It is responsible for any changes to the domain namespace. This role prevents naming conflicts, because such changes can be performed only if the domain naming master is online.