MCSE Exam 70-293: Planning and Maintaining a Windows Server 2003 Network Infrastructure, Part 2

EXAM WARNING
A server without AD installed on it can still deliver a variety of services, file storage,
and access to other resources. However, until AD is installed, the server cannot
authenticate domain users or provide the other functions of a domain controller.
Once AD is installed, the member server ceases to be a member server and
becomes a domain controller.
A Windows Server 2003 computer can be changed into a domain controller by using the Configure Your Server Wizard or by using the Active Directory Installation Wizard (DCPROMO). DCPROMO is a tool that promotes a member server to domain controller status. During the installation, a writable copy of the AD database is placed on the server's hard disk. The file used to store directory information is called NTDS.dit and, by default, is located in %systemroot%\NTDS. When changes are made to the directory, they are saved to this file.

Each domain controller retains its own copy of the directory, containing information about the domain in which it is located. If one domain controller becomes unavailable, users and computers can still access the AD data store on another domain controller in that domain. This allows users to continue logging on to the network, even though the domain controller that is normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down.

Because a domain can have more than one domain controller, changes made to the directory on one domain controller must be updated on others. The process of copying these updates is called replication, which is used to synchronize information in the directory. Without replication, features in AD would fail to function properly. For example, if you added a user on one domain controller, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still could not log on to other domain controllers until the account was replicated. When a change is made on one domain controller, the changes need to be replicated, so that every domain controller continues to have an accurate copy of AD. This type of replication is called multi-master, because each domain controller contains a full read/write copy of the AD database.
Operations Master Roles

By default, all domain controllers are relatively equal. However, there are still some operations that need to be performed by a single domain controller in the domain or forest. To address these, Microsoft created the concept of operations masters. Operations masters serve many purposes. Some control where components of AD can be modified; others store specific information that is key to the healthy function of AD at the domain level. Because only one domain controller in a domain or forest fulfills a given role, these roles are also referred to as Flexible Single Master of Operations (FSMO) roles.
www.syngress.com
Planning Server Roles and Server Security • Chapter 2 59
255_70_293_ch02.qxd 9/10/03 10:58 AM Page 59
Some FSMO roles are unique to each domain; others are unique to the forest. A forest is one or more domain trees that share a common schema, Global Catalog, and configuration information. The schema is used to define which types of objects (classes) and attributes can be used in AD. Without it, AD would have no way of knowing what objects can exist in the directory or what attributes apply to each object. The Global Catalog is a subset of information from AD. It stores a copy of all objects in its host domain, as well as a partial copy of objects in all of the other domains in the forest.

There are five different types of master roles, each serving a specific purpose. Two of these master roles are applied at the forest level (forest-wide roles), and the others are applied at the domain level (domain-wide roles). The following are the forest-wide operations master roles:

■ Schema master A domain controller that is in charge of all changes to the AD schema. As mentioned, the schema determines which object classes and attributes are used within the forest. If additional object classes or attributes need to be added, the schema is modified to accommodate these changes. The schema master is used to write to the directory's schema, which is then replicated to other domain controllers in the forest. Updates to the schema can be performed only on the domain controller acting in this role.
■ Domain naming master A domain controller that is in charge of adding new domains and removing unneeded ones from the forest. It is responsible for any changes to the domain namespace. This role prevents naming conflicts, because such changes can be performed only if the domain naming master is online.

In addition to the two forest-wide master roles, there are three domain-wide master roles: relative ID (RID) master, primary domain controller (PDC) emulator, and infrastructure master. These roles are described in the following sections.
Relative ID Master

The relative ID master is responsible for allocating sequences of numbers (called relative IDs, or RIDs) that are used in creating new security principals in the domain. Security principals are user, group, and computer accounts. These numbers are issued to all domain controllers in the domain. When an object is created, a number that uniquely identifies the object is assigned to it. This number consists of two parts: a domain security ID (or computer SID if a local user or group account is being created) and an RID. Together, the domain SID and RID combine to form the object's unique SID. The domain security ID is the same for all objects in that domain. The RID is unique to each object. Instead of using the name of a user, computer, or group, Windows uses the SID to identify and reference security principals. To avoid potential conflicts of domain controllers issuing the same number to an object, only one RID master exists in a domain. The RID master controls the allocation of RID sequences to each domain controller; each domain controller then assigns RIDs from its sequence to objects as they are created.
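The SID composition and the single-allocator rule described above, as an added example (not from the book): a simulated RID master hands each domain controller its own disjoint block of RIDs, and a second function shows the collision that independent allocators would produce. The domain SID, DC names and block size are constructed for illustration.

```python
"""Added example (not from the book): how an object's SID is composed from the
domain SID plus a RID, and why a single RID master hands every domain
controller its own disjoint block of RIDs so that two DCs creating accounts
at the same time can never mint the same SID.

Domain SID, DC names and pool sizes below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an object SID (e.g. S-1-5-21-...-1000) into (domain SID, RID).

    The RID is the last sub-authority; everything before it is the domain SID
    that every object in the domain shares.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError(f"not an object SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


@dataclass
class RidMaster:
    """The single per-domain FSMO holder: the only place RID blocks come from."""
    next_rid: int = 1000       # constructed: first RID this master hands out
    pool_size: int = 500       # constructed: RIDs per block
    issued: List[range] = field(default_factory=list)

    def allocate_pool(self) -> range:
        """Hand out the next unused block; blocks never overlap."""
        pool = range(self.next_rid, self.next_rid + self.pool_size)
        self.next_rid += self.pool_size
        self.issued.append(pool)
        return pool


@dataclass
class DomainController:
    """A DC assigns RIDs from its current block and asks the master for more
    only when the block is exhausted, so creating an account does not require
    the RID master to be reachable for every single object."""
    name: str
    domain_sid: str
    master: RidMaster
    pool: Optional[range] = None

    def create_principal(self) -> str:
        if not self.pool:                      # None or an empty range
            self.pool = self.master.allocate_pool()
        rid, self.pool = self.pool[0], self.pool[1:]
        return f"{self.domain_sid}-{rid}"


def create_on_all_dcs(domain_sid: str, dc_names: List[str], per_dc: int) -> List[str]:
    """Round-robin account creation on several DCs sharing one RID master;
    returns every SID minted."""
    master = RidMaster()
    dcs = [DomainController(name, domain_sid, master) for name in dc_names]
    return [dc.create_principal() for _ in range(per_dc) for dc in dcs]


def create_with_independent_masters(domain_sid: str, dc_names: List[str], per_dc: int) -> List[str]:
    """What the single-master rule prevents: each DC running its own allocator
    starts at the same RID, so the resulting SIDs collide."""
    dcs = [DomainController(name, domain_sid, RidMaster()) for name in dc_names]
    return [dc.create_principal() for _ in range(per_dc) for dc in dcs]


def all_unique(sids: List[str]) -> bool:
    return len(sids) == len(set(sids))


if __name__ == "__main__":
    DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
    sids = create_on_all_dcs(DOMAIN_SID, ["DC1", "DC2", "DC3"], 600)
    print(len(sids), "SIDs minted, all unique:", all_unique(sids))
    print("first SID:", sids[0], "->", split_sid(sids[0]))
    clash = create_with_independent_masters(DOMAIN_SID, ["DC1", "DC2"], 5)
    print("independent allocators unique:", all_unique(clash))
```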
PDC Emulator

The primary domain controller (PDC) emulator is designed to act like a Windows NT PDC when the domain is in Windows 2000 mixed mode. This is necessary if Windows NT backup domain controllers (BDCs) still exist on the network. Clients earlier than Windows 2000 also use the PDC emulator for processing password changes, though installation of the AD client software on these systems enables them to change their password on any domain controller in the domain to which they authenticate. The PDC emulator also synchronizes the time on all domain controllers in the domain. For replication accuracy, it is critical for all domain controllers to have synchronized time.

Even if you do not have any servers running as BDCs on the network, the PDC emulator still serves a critical purpose in each domain. The PDC emulator receives preferred replication of all password changes performed on other domain controllers within the domain. When a password is changed on a domain controller, it is sent to the PDC emulator. If a user changes his or her password on one domain controller, and then attempts to log on to another, the second domain controller may still have old password information. Because this domain controller considers it a bad password, it forwards the authentication request to the PDC emulator to determine whether the password is actually valid. In addition, the PDC emulator initiates urgent replication so that the password change can propagate as soon as possible. Urgent replication is also used for other security-sensitive replication traffic, such as account lockouts.

This operations master is by far the most critical at the domain level. Because of this, you should ensure that it is carefully placed on your network and housed on a high-availability, high-capacity server.
Infrastructure Master

The infrastructure master is in charge of updating changes that are made to group memberships. When a user moves to a different domain and his or her group membership changes, it may take time for these changes to be reflected in the group. To remedy this, the infrastructure master is used to update such changes in its domain. The domain controller in the infrastructure master role compares its data to the Global Catalog, which is a subset of directory information for all domains in the forest and contains information on groups. The Global Catalog stores information on universal group memberships, in which users from any domain can be added and allowed access to any domain, and maps the memberships users have to specific groups. When changes occur to group membership, the infrastructure master updates its group-to-user references and replicates these changes to other domain controllers in the domain.
TEST DAY TIP
FSMO roles are an important part of a domain controller’s function on a network.
FSMO roles that are unique to a forest affect all domains within that forest. FSMO
roles that are unique to a domain apply only to that domain. There is only one
schema master and one domain naming master in a forest. There is only one RID
master, PDC emulator, and infrastructure master in a domain.
File and Print Servers

Two of the basic functions in a network are saving files in a central location on the network and printing the contents of files to shared printers. Each of these functions is vital to most environments. Most organizations require users to be able to save their work to a shared location on the network and to print hard copies of it for others to review and/or retain. When file server or print server roles are configured in Windows Server 2003, additional functions become available that make using and managing the server more effective.
Print Servers

Print servers are used to provide access to printers across the network. A benefit of print servers for administrators is that they provide an added level of manageability for network printing. Print servers allow you to control when print devices can be used by allowing you to schedule the availability of printers, set priority for print jobs, and configure printer properties. Using a browser, an administrator can also view, pause, resume, and/or delete print jobs.

By configuring Windows Server 2003 in the role of a print server, you can manage printers remotely through the GUI and by using Windows Management Instrumentation (WMI). WMI is a management application program interface (API) that allows you to monitor and control printing. Using WMI, an administrator can manage components like print servers and print devices from a command line.

Print servers also provide alternative methods of printing to specific print devices. Users working at machines running Windows XP can print to specific printers by using a Uniform Resource Locator (URL). If you've used the Internet, you're probably already familiar with URLs. A URL is the address that is entered to access a Web site. Using URLs, other resources can also be accessed from remote locations, such as printers offered by Windows Server 2003 print servers.

File Servers

File servers are used to provide access to files that are stored on the server's hard disks. Users are able to store files in a centralized location, rather than on their local hard disks, and share them with other users. When a file is saved to a volume on a file server, clients who have access to the directory in which the file was saved can access it remotely from the server. This type of server is also important when multiple employees use network-accessible applications. In such cases, data may need to be saved from the application to a shared database, spreadsheet, or other type of file.

Administrators benefit from file servers by being able to manage disk space, control access, and limit the amount of space that is made available to individual users. If NTFS volumes are used, disk quotas can be set to limit the amount of space available to each user. This prevents users from filling the hard disk with superfluous data or older information that may no longer be needed.

In addition to these features, a file server also provides other functionality that offers security and availability of data. File servers with NTFS volumes have the Encrypting File System (EFS) enabled, so that any data can be encrypted using a public key system. This makes it difficult for unauthorized users to access data, while being transparent to authorized users. To make it easier for users to access shared files, the Distributed File System (DFS) can be used, which allows data that is located on servers throughout the enterprise to be accessible from a single shared folder. When DFS is used, files stored on different volumes, shares, or servers appear as if they reside in the same location. This makes it easier for users to find the data they need, because they do not need to search through multiple locations to access the files they are permitted to use.
DHCP, DNS, and WINS Servers

The roles of DHCP, DNS, and WINS servers are used for uniquely identifying computers and finding them on the network. A DHCP server issues a unique number called an IP address to a computer. DNS and WINS servers resolve this number to and from user-friendly names that are easier for users to deal with. With Windows Server 2003 acting as a DHCP, DNS, and/or WINS server, clients can be automatically issued a number that distinguishes them on the network, and find other machines and devices more effectively.
DHCP Servers

DHCP is the Dynamic Host Configuration Protocol, and it is used to issue IP addresses to clients on networks using the Transmission Control Protocol/Internet Protocol (TCP/IP). An IP address is a number that uniquely identifies a client when sending or receiving packets of data. When information is sent across the network, the data is broken up into smaller packets, which are reassembled by the receiver. Each packet contains the IP address of who is sending the data and who should receive it. This is similar to a letter with an address of who should receive the message and a return address of who sent it.

Because no two computers on a network can have the same IP address at the same time, assigning these addresses to clients is an important responsibility. IP addresses can be assigned statically, so that each computer always uses the same IP address. Allocating addresses in this way can result in mistakes and is difficult to consistently track. Many enterprises use static IP addresses only for their servers and network infrastructure equipment (switches, routers, and so on). Dynamic addresses are used for all clients. Dynamic addresses are assigned using DHCP. When an IP address is dynamically assigned, the client contacts the DHCP server for an IP address. The DHCP server responds by issuing an IP address from a pool of available addresses stored in a database, as well as any configuration information (such as the IP addresses of the default gateway, DNS server, and WINS server) that is needed by the client.

When a DHCP server allocates an IP address to the client, it is for a limited amount of time. Because there are only so many IP addresses available in a pool, they are often recycled between computers. This can happen if a client is shut off for an extended period of time, or if it is a laptop that is assigned to a user who is typically on the road and away from the office. For this reason, when a DHCP lease expires, the DHCP server is free to issue the IP address to other clients.
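The lease behaviour described above (a pool of addresses, the client options handed out with the lease, and reuse of an address only after its lease expires), as an added example that is not from the book. The scope range, option values, lease time and client identifiers are constructed for illustration.

```python
"""Added example (not from the book): a DHCP scope that leases addresses from a
pool for a limited time, returns the options the text lists (default gateway,
DNS server, WINS server) with each lease, and recycles an address to another
client only once its lease has expired.

Addresses, option values and client IDs are constructed for illustration."""
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


class DhcpScope:
    def __init__(self, first: str, last: str, lease_seconds: int, options: Dict[str, str]):
        lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
        self.free = [IPv4Address(n) for n in range(lo, hi + 1)]   # the address pool
        self.lease_seconds = lease_seconds
        self.options = dict(options)
        self.leases: Dict[str, Tuple[IPv4Address, int]] = {}    # client_id -> (address, expires_at)

    def expire(self, now: int) -> None:
        """Return every expired address to the pool; once a lease runs out the
        server is free to issue that address to a different client."""
        for client_id, (addr, expires_at) in list(self.leases.items()):
            if expires_at <= now:
                del self.leases[client_id]
                self.free.append(addr)

    def request(self, client_id: str, now: int) -> Optional[dict]:
        """One client request at time `now`: renew the client's existing lease
        or issue a fresh address with the scope options. Returns None when
        every address in the pool is leased to someone else."""
        self.expire(now)
        if client_id in self.leases:
            addr, _ = self.leases[client_id]          # renewal keeps the same address
        elif self.free:
            addr = self.free.pop(0)
        else:
            return None
        expires_at = now + self.lease_seconds
        self.leases[client_id] = (addr, expires_at)
        return {"address": str(addr), "expires_at": expires_at, **self.options}


if __name__ == "__main__":
    scope = DhcpScope("192.168.10.100", "192.168.10.101", 3600,
                      {"router": "192.168.10.1", "dns": "192.168.10.250", "wins": "192.168.10.251"})
    print(scope.request("laptop-1", now=0))       # first address plus options
    print(scope.request("desktop-1", now=10))     # second and last free address
    print(scope.request("desktop-2", now=20))     # None: pool exhausted
    print(scope.request("desktop-2", now=4000))   # desktop-1's lease expired at 3610, address reused
```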
DNS Servers

Because remembering a series of numbers can be difficult, methods have been created to resolve IP addresses to user-friendly names and vice versa. Imagine trying to remember what Web site or computer the IP address 192.168.10.250 represented on a network, in addition to all the other IP addresses you would need to remember for other sites and computers. To remedy this situation, name resolution is used, so users can enter a name that is translated to a corresponding IP address.

The Domain Name System (DNS) is a popular method of name resolution that is used on the Internet and other TCP/IP networks. AD is integrated with DNS, and it uses DNS servers to allow users, computers, applications, and other elements of the network to easily find domain controllers and other resources on the network. DNS is a hierarchical, distributed database that maps user-friendly domain names (like syngress.com) to IP addresses. When a user enters a DNS name into a browser or other application, it is sent to a DNS server, which looks up the IP address for that domain. This IP address is sent back to the client, which uses the numeric address to locate and communicate with the computer at this address.

Figure 2.4 illustrates name resolution using DNS. In this example, a user wants to connect with the syngress.com domain. As shown in step 1 of this figure, because machines use IP addresses to locate and communicate with each other on a TCP/IP network, the client contacts the DNS server and requests the IP address of syngress.com. In step 2, the DNS server checks its database to find the IP address that maps to this particular domain name. After finding it, step 3 is performed, and the DNS server sends the information back to the client, informing it that the IP address of syngress.com is 209.164.15.58. Now that the client has this information, the client performs step 4, by connecting to syngress.com using the numeric address.
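The exchange of Figure 2.4 carried out as actual DNS messages in the RFC 1035 wire format, as an added example that is not part of the book: the client builds the A query for syngress.com (step 1), a constructed server reply carrying 209.164.15.58 stands in for the lookup (steps 2 and 3), and the client checks the transaction ID before trusting the answer it will connect to (step 4). The transaction ID and TTL are constructed; nothing touches the network.

```python
"""Added example (not from the book): the four-step DNS exchange of Figure 2.4
as wire-format messages. The transaction ID check in parse_response is how a
resolver ties a reply to the query it actually sent."""
import struct


def encode_name(name: str) -> bytes:
    """syngress.com -> b'\\x08syngress\\x03com\\x00' (length-prefixed labels)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Step 1: standard query, recursion desired, one question of type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int) -> tuple:
    """Read labels starting at offset, following one compression pointer if
    present; returns (name, offset of the byte after the name field)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode())
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def build_response(query: bytes, address: str, ttl: int) -> bytes:
    """Steps 2 and 3, server side: echo the question and answer with one A
    record. A real server looks the address up in its database; here the
    constructed result is passed in."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]                    # name + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    rdata = bytes(int(octet) for octet in address.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_response(resp: bytes, expected_txid: int) -> dict:
    """Step 3, client side: reject replies that do not match our query, then
    read the A records out of the answer section."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if flags & 0x8000 == 0:
        raise ValueError("message is a query, not a response")
    if flags & 0x000F != 0:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    offset = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, offset = decode_name(resp, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(resp, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[offset:offset + 10])
        offset += 10
        rdata = resp[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append({"name": name, "ttl": ttl,
                            "address": ".".join(str(b) for b in rdata)})
    return {"txid": txid, "answers": answers}


def resolve(name: str, address_in_db: str, txid: int = 0x1234) -> str:
    """Run the whole exchange in-process; returns the address the client
    would use for step 4."""
    query = build_query(name, txid)
    reply = build_response(query, address_in_db, ttl=300)
    return parse_response(reply, txid)["answers"][0]["address"]


if __name__ == "__main__":
    print("syngress.com ->", resolve("syngress.com", "209.164.15.58"))
```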
WINS Servers

The Windows Internet Name Service (WINS) is another method of name resolution that resolves IP addresses to NetBIOS names, and vice versa. NetBIOS names are used by pre-Windows 2000 servers and clients, and they allow users of those operating systems to log on to Windows Server 2003 domains. They are supported in Windows Server 2003 for backward-compatibility with these older systems. By implementing a WINS server, you allow clients to search for computers and other resources by computer name, rather than by IP address.

WINS is similar to DNS in that user-friendly names are mapped to IP addresses within a database. When clients attempt to connect to a computer or resource using its NetBIOS name, they can send a request to a WINS server to provide the IP address of that resource. The WINS server searches its database for the name-to-address mapping and returns the IP address to the requesting client. Once the client has this address, it can connect to and communicate with the computer or resource.
Web Servers

Web servers allow organizations to host their own Web sites on the Internet or a local intranet. An intranet is a local area network (LAN) that uses the same technologies that are used on the Internet, so that users can access Web pages and other resources using Web browsers and other Web-enabled applications. Implementing a Web server in an organization allows users to benefit by accessing information, downloading files, and using Web-based applications.

Figure 2.4 Name Resolution Using DNS. Step 1: the client requests the IP address of syngress.com. Step 2: the DNS server checks its database of IP addresses and finds an IP address that maps to syngress.com. Step 3: the DNS server returns that syngress.com = 209.164.15.58. Step 4: the client establishes communication with the IP address 209.164.15.58.
Web Server Protocols

Microsoft's Windows Server 2003 Web server product is Internet Information Services (IIS) 6.0, which is included with Windows Server 2003. IIS allows users to access information using a number of protocols that are part of the TCP/IP suite, including the following:

■ Hypertext Transfer Protocol (HTTP) Used by the World Wide Web Publishing service in IIS. Allows users to access Web pages using a Web browser like Internet Explorer or other Web-enabled applications. By connecting to sites created on your Web server, users can view and work with Web pages written in the Hypertext Markup Language (HTML), Active Server Pages (ASP), and Extensible Markup Language (XML). This allows users to not only view static information, but also to benefit from Web-based programs.
■ File Transfer Protocol (FTP) Used for transferring files between clients and servers. Using this service, clients can copy files to and from FTP sites using a Web browser like Internet Explorer or other FTP client software. By using such software, clients can browse through any folders they have access to on the FTP site, and they can access any files they have permissions to use.
■ Network News Transfer Protocol (NNTP) Used for newsgroups, which are also called discussion groups. The NNTP service in IIS allows users to post news messages. Other users can browse through messages stored on the server, respond to existing messages, and post new ones using a newsreader program. For example, a group of users could have a discussion group that deals with a certain project, so that members of the team can exchange ideas and discuss problems in a forum that can be viewed by all members of the group. Another group could also be created that allows employees to post messages regarding items for sale, charitable events, or other things that you might see on a typical bulletin board. NNTP allows organizations to incorporate such message groups into the way that employees exchange information with one another.
■ Simple Mail Transfer Protocol (SMTP) Used to provide e-mail capabilities (as described in the discussion of the mail server role later in this chapter). The SMTP service that is installed with IIS isn't a full e-mail service, but provides limited services for transferring e-mail messages. Using this service, Web developers can collect information from users of a Web site, such as having them fill out a form online. Rather than storing the results of the form locally in a file, the information can be e-mailed using this service.
Web Server Configuration

Although a Web server can facilitate a company's ability to disseminate information, it isn't an actual role that is configured using the Configure Your Server Wizard. It is installed as part of the application server role, which we'll discuss later in this chapter. The Configure Your Server Wizard provides an easy, step-by-step method of configuring Web servers through the application server role; however, it isn't the only way to install IIS. You can also install IIS through the Add or Remove Programs applet in the Windows Control Panel.

Using Add or Remove Programs to install IIS takes a few extra steps, but it allows you to perform the installation without installing other services and features available through the application server role. To use Add or Remove Programs to install IIS, follow these steps:

1. Select Start | Control Panel | Add or Remove Programs.
2. Click the Add/Remove Windows Components icon to display the Windows Components Wizard, which provides a listing of available components to install.
3. In the list, select Application Server and click the Details button to view the Application Server dialog box, shown in Figure 2.5.
4. The Application Server dialog box contains a number of subcomponents. To install IIS, select the check box for Internet Information Services (IIS), and either click OK to install the default components or click Details to view even more subcomponents that can be installed within IIS.
5. When you've made your selections, click OK to return to the Windows Components Wizard.
6. Click Next to have Windows make the configuration changes you requested from your selection.
7. Once the Wizard has finished copying the necessary files and changing system settings, click Finish to complete the installation process and exit the Wizard.

Figure 2.5 Installing IIS through the Application Server Dialog Box in the Windows Components Wizard
Database Servers

Database servers are used to store and manage databases that are stored on the server and to provide data access for authorized users. This type of server keeps the data in a central location that can be regularly backed up. It also allows users and applications to centrally access the data across the network. A large number of the databases used in your organization can be kept on one server or a group of servers that are specifically configured to protect data and service client requests.

The Configure Your Server Wizard does not include a configurable role for database servers. A database server is any server that runs a network database application and maintains database files, such as Microsoft SQL Server or Oracle. SQL Server is a high-performance database management system. It is used for data storage and analysis, and it provides users with the ability to access vast amounts of data quickly over the network. Because SQL Server provides additional measures of security that would not otherwise be available (as discussed in the "Securing Database Servers" section later in this chapter) and processing occurs on the server, transactions can occur securely and rapidly.

Data stored in database management systems is generally accessed through user interfaces that are developed by an organization or third parties. For example, a company might create custom applications in Visual Basic (or some other programming language), or use ASP on the Web server to display information that is stored in a database. While the user interacts with the data through the user interface, the data is actually stored in the SQL Server or Oracle database located on a database server.
Mail Servers

Mail servers enable users to send and receive e-mail messages. Users send e-mail to other users through at least one mail server. When the message arrives, the destination mail server stores the message until it is retrieved by the user. If the mail server does not handle the e-mail account for an intended recipient, it will transfer the message to a mail server that does. In this way, mail servers work together to ensure a message reaches its intended audience.

When a server is configured to be a mail server, two protocols are enabled: SMTP and Post Office Protocol (POP3). As shown in Figure 2.6, SMTP is used by clients and mail servers to send e-mail. POP3 is used by clients when retrieving e-mail from their mail server. Each of these protocols is part of the TCP/IP protocol suite and installed when TCP/IP is installed on a computer. However, even if TCP/IP is installed on Windows Server 2003, the services provided by mail servers still need to be enabled by configuring the machine to take the role of a mail server.

E-mail addresses determine which mail server and client the e-mail should go to. Each e-mail address has two parts: the first part of the address specifies the account the e-mail is destined to reach, and the second part specifies the domain in which this account resides. In the example in Figure 2.6, a message destined for sales@bookworms.ca is sent from the knightware.ca domain. Because the mail server in knightware.ca recognizes that the message is being sent to a user in another domain, it uses the SMTP protocol to send it to the mail server in the bookworms.ca domain. When the bookworms.ca mail server receives this e-mail, it will see it is for the account named sales and put it in the mailbox for that user. The client that uses the sales account can then use the POP3 protocol to retrieve his or her e-mail from the mail server.
Certificate Authorities

Certificate authorities (CAs) are servers that issue and manage certificates. Certificates can be used for a variety of purposes, including encryption, integrity, and verifying the identity of an entity, such as a user, machine, or application. Certificates can be used to prove an entity is who (or what) they claim to be, in much the same way that your birth certificate is used to prove your identity. They are digitally signed files that contain a wide range of information, often including a cryptographic key, information about whom or what the key is issued to, an expiration date, where the validity of the certificate can be checked, and which CA signed the certificate. Certificates are typically part of a larger security process known as a Public Key Infrastructure (PKI).
PKI

PKI is a method that uses unique identifiers called keys, which are mathematical algorithms used for cryptography and authentication. There are two different kinds of keys used in PKI: public keys and private keys.

Figure 2.6 How E-mail Is Transmitted and Retrieved. The sending client sends mail to its mail server (mail.knightware.ca) using SMTP; mail is sent between mail servers (mail.knightware.ca to mail.bookworms.ca, across the Internet) using SMTP; the receiving client retrieves mail from its mail server (mail.bookworms.ca) using POP3.

For data confidentiality, the public key is used to encrypt session keys and data; the private key is used for decryption. The public key is openly available to the public. The private key is secret and known only to the person for whom it is created. The members of a key pair are mathematically related, but you cannot extrapolate the private key by knowing the public key. Using the two keys together, messages can be encrypted and decrypted using PKI.
For authentication, the roles of the public and private keys are reversed.The private key
is used for encryption, and the public key is used for decryption.The private key is unique
to the person being identified, so each user has his or her own private key for authentica-
tion purposes. Because each private key has a corresponding public key, the public key is
used to decrypt information used for authenticating the user.
The public and private keys are generated at the same time by a CA.The CA creates
and manages keys, binding public and private keys to create certificates, and vouching for the
validity of public keys belonging to users, computers, services, applications, and other CAs.
In addition to a CA, a registration Authority (RA) can also be used to request and
acquire certificates for others.The RA acts as a proxy between the user and the CA, and it
relieves the CA of some of the burden of verification.When a user makes a request to a

CA, the RA can intercept the request, authenticate it, and pass it on to the CA.When the
CA responds to the request, it sends it to the RA, which forwards it to the user.
Private and public keys are created when someone or something needs to establish the
validity of his, her, or its identity.When the public and private keys are created, the private
key is given to the person or entity who wants to establish the credentials, and a public key
is stored so that anyone who wants to verify these credentials has access to it.When a
person wants to send a message using PKI with the data encrypted so that it cannot be read
by anyone but the holder of the private key, the public key is acquired from the CA and
used to encrypt the message.When a person who holds the private key receives this mes-
sage, the public key is validated with the CA. Since the CA is trusted, this validates the
authenticity of the message. After this is done, the private key is used to decrypt the message.
Conversely, if a person wants to send a message and validate that he or she is the actual
sender, that person can encrypt the message with his or her private key.Then the recipient
decrypts it with the sender’s public key, thereby proving that the message really did come
from that sender.
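The two key roles described above, worked through with textbook RSA on small constructed primes. This is an added example, not text or code from the original chapter or from Windows Certificate Services; the primes (61, 53 and 67, 71), the exponent 17 and the per-byte encryption are illustration-only choices that keep the arithmetic visible.

```python
import hashlib
import hmac
from math import gcd


def make_keypair(p, q, e=17):
    """Build an RSA key pair from two primes.
    p and q are tiny constructed values here; real keys use ~1024-bit primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # private exponent: modular inverse of e (Python 3.8+)
    return (n, e), (n, d)  # (public key, private key)


def encrypt(public_key, message):
    """Confidentiality: anyone holding the public key can encrypt, but only
    the matching private key decrypts. Each byte is treated as one block so
    the values stay readable; n must exceed 255 for this to be reversible."""
    n, e = public_key
    return [pow(b, e, n) for b in message]


def decrypt(private_key, ciphertext):
    n, d = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def sign(private_key, message):
    """Authentication: the roles are reversed. The sender 'encrypts' a digest
    of the message with the private key that only the sender holds."""
    n, d = private_key
    digest = hashlib.sha256(message).digest()
    return [pow(b, d, n) for b in digest]


def verify(public_key, message, signature):
    """Anyone with the sender's public key 'decrypts' the signature and
    compares the result with a freshly computed digest. A match proves the
    signature was produced with the corresponding private key and that the
    message was not altered afterwards."""
    n, e = public_key
    recovered = [pow(s, e, n) for s in signature]
    if any(v > 255 for v in recovered):  # cannot be a digest: wrong key
        return False
    expected = hashlib.sha256(message).digest()
    return hmac.compare_digest(bytes(recovered), expected)


if __name__ == "__main__":
    alice_pub, alice_priv = make_keypair(61, 53)  # constructed toy primes
    bob_pub, bob_priv = make_keypair(67, 71)

    # Confidentiality: Bob encrypts for Alice using her public key.
    secret = decrypt(alice_priv, encrypt(alice_pub, b"session key: 0x2a"))
    print("Alice recovered:", secret)

    # Authentication: Alice signs with her private key; Bob checks with her public key.
    msg = b"Transfer approved"
    sig = sign(alice_priv, msg)
    print("valid signature:", verify(alice_pub, msg, sig))          # True
    print("tampered message:", verify(alice_pub, msg + b"!", sig))  # False
    print("wrong public key:", verify(bob_pub, msg, sig))           # False
```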
Certificates
Certificates use PKI by binding the value of a public key to the person or thing that holds the private key. The certificate stores information that identifies its holder and contains a copy of the key value. When communicating with another party that has a corresponding key, data exchanged between the two can be securely transmitted using encryption.
Certificates may be used for a number of different purposes. Windows Server 2003 computers acting in the role of a Web server may use certificates to authenticate users or to authenticate Web servers themselves. In doing so, the certificate provides proof of the identity of a particular user or machine. Mail servers can also benefit from certificates, because they are used to allow e-mail to be digitally signed. This provides proof of the integrity and origin of a message. In sending secure mail, certificates are used with Secure/Multipurpose Internet Mail Extensions (S/MIME), which allows the e-mail to be sent encrypted across a network.
www.syngress.com
70 Chapter 2 • Planning Server Roles and Server Security
Certificates may also be used by different protocols to ensure secure communication, as in the case of Internet Protocol Security (IPSec) or Transport Layer Security (TLS). Encrypting communication between clients and servers with these protocols allows data to be transmitted and users to be authenticated with little (or no) chance of others intercepting and viewing the information. By using certificates for authentication, encryption/decryption of data, and secure communication, Windows Server 2003 Certificate Services can provide enhanced security to a network.
Certificates can contain a variety of facts about a user’s or machine’s identity and about the certificate itself. Data included in a certificate may include the following:
■ The value of a key issued by a CA
■ Information about the person, machine, or other entity that was issued the certificate, which may include their name, e-mail address, or other data
■ Information about who issued the certificate
■ The digital signature of the issuer, which ensures the certificate is valid
■ How long the certificate is valid
Because different systems must be able to understand the format of a certificate, specific standards are used in the generation of a certificate. Windows Server 2003 supports X.509, which is a standard that specifies the syntax and format of digital certificates. X.509 is a popular standard for digital certificates, published by the International Organization for Standardization (ISO). It dictates how information is organized in the certificate and what information is included. An X.509 certificate includes facts about the user to whom the certificate was issued, information about the certificate itself, and can also include information about the issuer of the certificate (who is referred to as the CA). To prevent the certificate from being used indefinitely, it also contains information about the period for which the certificate is valid.
Certificate Services
Certificate Services is used to create a CA on Windows Server 2003 servers in your organization. With Certificate Services, you can create a CA, format and modify the contents of certificates, verify information provided by those requesting certificates, issue and revoke certificates, and publish a Certificate Revocation List (CRL). The CRL is a list of certificates that are expired or invalid, and it is made available so that network users can identify whether certificates they receive are valid.
Certificate Services supports implementing a hierarchy of CAs, so that a single CA isn’t responsible for providing certificates to the entire network or authenticating the entire intranet or Internet. This isn’t to say that multiple CAs must be used in an organization, but it is one possibility. Using a hierarchy of CAs is called chaining, where one CA certifies others. In this hierarchy, there is a single root authority and any number of subordinate CAs.
A root authority (or root CA) resides at the top of the hierarchy. Because the hierarchy uses a parent-child relationship, all subordinate CAs reside beneath the root authority. The root CA is the most trusted CA in the hierarchy—any clients that trust the root CA will also trust certificates issued by any CA below it. This makes securing a CA vital (as discussed in the “Securing CAs” section later in this chapter).
Subordinate CAs are child CAs in the hierarchy. They are certified by the root authority, which binds each subordinate CA’s public key to its identity. Just as the root CA can issue and manage certificates and certify child CAs, a subordinate CA can also perform these actions and certify CAs that are subordinate to it in the hierarchy.
In addition to having different levels of CAs in an organization, there are also different types of root and subordinate CAs that can be used. Enterprise CAs use AD to verify information that is provided when requesting a certificate and to store certificates within AD. When the certificate is needed, it is retrieved from directory services. Stand-alone CAs can be used in environments that do not use AD (CAs do not require AD).
As with IIS, Certificate Services isn’t an actual role that can be set up with the Configure Your Server Wizard. Instead, you must follow these steps:
1. Select Start | Control Panel | Add or Remove Programs.
2. Click Add/Remove Windows Components to display the Windows Components Wizard, which provides a listing of available components to install.
3. In the list of available components, click the check box beside the Certificate Services item so it is checked. A warning message will appear, stating that after Certificate Services is installed, the name of the machine cannot be changed. This is because the server’s name is bound to the CA information stored in AD, and any changes to the name or domain membership would invalidate certificates issued by this CA.
4. Click Yes to continue with the installation. (Clicking No will cancel it.)
5. You are presented with the window shown in Figure 2.7, which allows you to specify the type of CA that will be set up. As mentioned earlier, you have the option of creating an enterprise root CA, an enterprise subordinate CA, a stand-alone root CA, or a stand-alone subordinate CA.
6. For this example, we will assume that this is the first CA being created and AD is used. Select Enterprise root CA and click Next.
7. You are then presented with the window shown in Figure 2.8, which allows you to provide information to identify the CA you’re creating. Enter a common name and distinguished name suffix for the CA. Distinguished names are used to provide each object in AD with a unique name. A distinguished name represents the exact location of an object within the directory. This is comparable to a file being represented by the full path, showing where it is located on the hard disk. With an object in the directory, several components are used to create this name:
■ CN, which is the common name of the object, and includes such things as user accounts, printers, and other network elements represented in the directory.
■ OU, which is the Organizational Unit. OUs are containers in the directory, which are used to hold objects. To continue with our example of files on a hard disk, this would be comparable to a folder within the directory structure.
■ DC, which is a domain component. This is used to identify the name of the domain or server, and the DNS suffix (for example .com, .net, .edu, .gov, and so forth).
When combined, these components of a distinguished name are used to show the location of an object. In the case of the CA being created here, the common name is CertServer, and the distinguished name suffix is the domain components. This makes the distinguished name CN=CertServer,DC=knightware,DC=ca, which you can see in the preview in Figure 2.8.
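An added example (not from the chapter or from the Certificate Services wizard) that composes and parses distinguished names of the form shown above. It applies the RFC 2253 string-form escaping rules so that a common name containing a comma cannot be mistaken for an extra component; the sample names are constructed from the chapter’s CertServer and knightware.ca values.

```python
# Characters that must be backslash-escaped inside an RDN value (RFC 2253).
SPECIAL = set(',+"\\<>;')


def escape_value(value):
    """Escape one attribute value so it survives as a single RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in SPECIAL
            or (ch == "#" and i == 0)          # a leading '#' would mean a hex-encoded value
            or (ch == " " and i in (0, last))  # leading or trailing space
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def build_dn(components):
    """components: [(type, value), ...] ordered most specific first,
    e.g. [('CN', 'CertServer'), ('DC', 'knightware'), ('DC', 'ca')]."""
    return ",".join(f"{t}={escape_value(v)}" for t, v in components)


def parse_dn(dn):
    """Split a DN string back into (type, value) pairs, honouring escapes.
    Raises ValueError on a component that lacks a 'type=' prefix."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)        # escaped char is literal, even a comma
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr_type.strip().upper(), value))
    return pairs


def ca_dn(common_name, dns_domain):
    """Compose the CA's DN the way the wizard preview shows it: the CN first,
    then one DC component per label of the DNS domain (assumed split on dots)."""
    components = [("CN", common_name)]
    components += [("DC", label) for label in dns_domain.split(".") if label]
    return build_dn(components)


if __name__ == "__main__":
    print(ca_dn("CertServer", "knightware.ca"))  # CN=CertServer,DC=knightware,DC=ca
    tricky = build_dn([("CN", "Smith, John"), ("OU", "Sales"),
                       ("DC", "knightware"), ("DC", "ca")])
    print(tricky)          # CN=Smith\, John,OU=Sales,DC=knightware,DC=ca
    print(parse_dn(tricky))  # round-trips to the same four components
```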
Figure 2.7 Choosing a CA Type in the Windows Components Wizard
8. Optionally, you can change the Validity period of certificates issued by the CA. As shown in Figure 2.8, the default validity period is five years. You can modify this by specifying a different number and whether the period is in Years, Months, Weeks, or Days.
9. Click Next when you are finished entering CA identifying information.
10. This will bring you to the Certificate Database Settings window, shown in Figure 2.9, where you can specify the location of the certificate database and log file. By default, the database and log are named after the common name you specified for the CA, and each is stored in the System32 folder of the %systemroot% (for example, C:\Windows\System32). Click Next to continue.
Figure 2.8 Entering CA Identifying Information in the Windows Components Wizard
Figure 2.9 Choosing Certificate Database Settings in the Windows Components Wizard
11. A message box will appear informing you that IIS must be stopped before installation can continue. Clicking No will return you to the previous window. Clicking Yes will stop the service and cause Windows to make the configuration changes you requested from your selection. If ASP is not enabled on the machine, a message box will interrupt the process, asking if you want to enable ASP. Clicking Yes will enable ASP and continue the installation.
12. After the Wizard has finished copying the necessary files and changing system settings, click Finish to complete the installation process.
Application Servers and Terminal Servers
Application servers and terminal servers provide the ability for users to access applications over the network. Rather than running solely on the client’s machine, all or parts of these programs run on the server. This frees resources on the client machine and enables users to benefit from newer application technologies.
Application Servers
Application servers allow users to run Web applications and distributed programs from the server. Web applications are programs that use Internet technologies to provide functionality and are accessible across networks and the Internet using Web browsers like Internet Explorer. These programs are often created using ASP or XML. Applications can be created in a wider variety of programming languages (such as Perl, Visual Basic, and Visual C++). Distributed applications divide the program so that part of it runs on the client while the rest runs on one or more servers. For example, a distributed program might have a user interface that is installed on the client’s machine, which allows the user to access a SQL Server database. In reality, the program might access a number of other network-aware programs, which correlate data from a number of different database systems and return it to the client. By using the application server role, the server is configured to provide greater reliability and performance to these applications.
Because Web applications require Internet technologies, when Windows Server 2003 is set up as an application server, IIS subcomponents such as ASP can be installed. As explained earlier in this chapter, IIS is a Web server that comes with Windows Server 2003 and can be used to make Web applications available to users on the network. If IIS has been installed, the application server role will appear as a configured role in the Manage Your Server tool. This is despite the fact that only some components for the application server role have been installed. To modify the installed components, you can either use the Windows Components Wizard or the Configure Your Server Wizard.
As an example of configuring a server role, in Exercise 2.1, we will set up an application server in Windows Server 2003.
EXERCISE 2.01 ADDING AN APPLICATION SERVER ROLE TO WINDOWS SERVER 2003
1. Select Start | Administrative Tools | Manage Your Server.
2. When Manage Your Server starts, click the Add or remove a role
button.
3. When the Configure Your Server Wizard starts, read through the
information on the Preliminary Steps window, and then click Next.
4. After the Wizard checks your network settings and operating system
version, the Server Role window will appear. From the list, select
Application server (IIS, ASP.NET), as shown in Figure 2.10. Then click
Next to continue.
5. The Application Server Options window appears, as shown in Figure 2.11. Here, you can add components that are used with IIS. Note that IIS will be installed regardless of what you select on this page. Select the FrontPage Server Extensions check box to add Web server extensions that allow content created with FrontPage, Visual Studio, and Web Folders to be published to the IIS Web site. Select Enable ASP.NET to allow Web-based applications created using ASP.NET to be used on the site. After selecting the options you wish to add, click Next to continue.
Figure 2.10 Choose the Application Server Role
6. The Summary of Selections window, shown in Figure 2.12, provides a
list of components that will be installed as part of the application
server configuration. Review these settings, and then click Next to
begin installing these components.
7. After copying files, the Windows Components Wizard will open and
continue the installation. Once it has completed, you will be returned
to the Configure Your Server Wizard. Click Finish to complete the
installation.
Figure 2.11 Select Application Server Options
Figure 2.12 Review the Summary of Selections
EXAM 70-293 OBJECTIVE 1, 1.1
Terminal Servers
Terminal servers allow remote access to applications using thin-client technology. This makes the user’s machine act as a terminal emulator (similar to the concept of a dumb terminal). The user connects to the terminal server using client software installed on their machine, logs on to the Terminal Services session, and is presented with a user interface (normally a Windows Server 2003 desktop). Keystrokes and mouse clicks generated by the user at the client are sent to the terminal server. Updated screen images are sent back from the terminal server to the client system. When working in a session, the user is essentially working at the server. All processing occurs at the server, which is being interacted with through the client software.
A benefit of Terminal Services is that users can run programs that they might otherwise be unable to use. For example, a user running an older version of Windows might need to use Office XP, but her machine doesn’t meet the minimum requirements to install it. Through Terminal Services, she can connect and be presented with a Windows Server 2003 desktop. If Office XP is installed on the terminal server, the user can open and use the application. Because all processing is actually occurring on the server, the user can run applications that are impossible to install on her local system.
There are a wide variety of clients that can use Terminal Services. Client software is
available for Windows 3.11 and later, as well as Macintosh and UNIX. Internet Explorer
can also be used to access a terminal server, using the Web client software.
Planning a Server Security Strategy
The only truly secure network is one that is totally inaccessible. No one would be able to misuse applications, damage equipment, delete data, or mistakenly modify information. In providing this level of security, however, the network would also become useless, because it could not provide the services and resources needed by users. Security is always a trade-off between usability and protection. When planning security, you need to find an acceptable balance between the need to secure your network and the need for users to be able to perform their jobs.
In creating a security plan, it is important to realize that the network environment will never be completely secure. If people are willing to invest enough time, effort, and money into hacking a system, they will probably find a way in. The goal is to make it difficult for intruders to obtain unauthorized access, so it isn’t worth their time to try or continue attempting to gain access. It is also critical to protect servers from potential disasters and to have methods to restore systems if they become compromised.
A good security plan considers the needs of a company and tries to balance them with its capabilities and current technology. As you’ll see in the sections that follow, this means identifying the minimum security requirements for an organization, choosing an operating system, and identifying the configurations necessary to meet these needs. To develop a security plan, you must identify the risks that potentially threaten a network, determine what countermeasures are available to deal with them, figure out what you can afford financially, and implement the countermeasures that are feasible.
Choosing the Operating System
In planning a strategy for server security, you will need to determine which operating systems will be used in the organization. Different network operating systems provide diverse features that can be used as part of your security strategy. If you’re setting up a new network and need to choose a server operating system, or you’re unfamiliar with what operating systems are used on an existing network, you will not know what features can be used for managing and maintaining security.
Of course, there are non-Microsoft network operating systems available to use on your
server, but we will consider only the following Windows server systems here:
■ Windows NT Server 4
■ Windows 2000 Server
■ Windows 2000 Advanced Server
■ Windows 2000 Datacenter
■ Windows Server 2003 Standard Edition
■ Windows Server 2003 Enterprise Edition
■ Windows Server 2003 Datacenter Edition
■ Windows Server 2003 Web Edition
One of the first considerations for the operating system you choose will be the minimum system requirements for installing the operating system. Obviously, if your existing server cannot handle a particular version of Windows, you will not be able to install it. If this is the case, you will need to upgrade the hardware, purchase a new server to support the operating system you want, or choose an operating system that does match the current server’s hardware. The minimum system requirements for Windows server operating systems are shown in Table 2.1.
NOTE
All of the Windows server operating systems also require a CD-ROM or DVD drive (except Windows NT Server 4, which does not use a DVD drive), VGA or higher resolution monitor, keyboard, and mouse.
EXAM 70-293 OBJECTIVE 1.4
Table 2.1 Minimum System Requirements for Windows Server Operating Systems

Windows NT Server 4
  Computer/Processor: 486/33 MHz or higher, Pentium, or Pentium Pro processor
  Memory (RAM): 16MB; 32MB recommended minimum
  Hard Disk: Intel and compatible systems: 125MB available hard disk space; RISC-based systems: 160MB available hard disk space
  CPU Support: Up to 4 CPUs (retail version); up to 32 CPUs available from hardware vendors

Windows 2000 Server
  Computer/Processor: 133 MHz or higher Pentium-compatible CPU
  Memory (RAM): At least 128MB; 256MB recommended; 4GB maximum
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: Up to 4 CPUs

Windows 2000 Advanced Server
  Computer/Processor: 133 MHz or higher Pentium-compatible CPU
  Memory (RAM): At least 128MB; 256MB recommended; 8GB maximum
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: Up to 8 CPUs

Windows 2000 Datacenter
  Computer/Processor: Pentium III Xeon processors or higher
  Memory (RAM): 256MB
  Hard Disk: 2GB with 1GB free space; additional free space required for installing over a network
  CPU Support: 8-way capable or higher server (supports up to 32-way)

Windows Server 2003 Standard Edition
  Computer/Processor: 133 MHz
  Memory (RAM): 128MB
  Hard Disk: 1.5GB
  CPU Support: Up to 4 CPUs

Windows Server 2003 Enterprise Edition
  Computer/Processor: 133 MHz for x86-based computers; 733 MHz for Itanium-based computers
  Memory (RAM): 128MB
  Hard Disk: 1.5GB for x86-based computers; 2GB for Itanium-based computers
  CPU Support: Up to 8 CPUs

Windows Server 2003 Datacenter Edition
  Computer/Processor: 400 MHz for x86-based computers; 733 MHz for Itanium-based computers
  Memory (RAM): 512MB
  Hard Disk: 1.5GB for x86-based computers; 2GB for Itanium-based computers
  CPU Support: Minimum 8-way capable machine required; maximum 64

Windows Server 2003 Web Edition
  Computer/Processor: 133 MHz
  Memory (RAM): 128MB
  Hard Disk: 1.5GB
  CPU Support: Up to 2 CPUs
Beyond the minimum requirements, you will need to look at the features available in different versions and editions of Windows, and how they can be used to enhance network security. The progression from one version to another has offered improvements and additions to security, with Windows Server 2003 offering the most security features. By identifying which features are necessary for your organization, you can create a network that provides the necessary functionality and security.
Security Features
Windows 2000 offers a number of new security features that were not previously available
in Windows NT. Many of the features we’ll discuss next were implemented in Windows
2000 and have been updated in Windows Server 2003. In addition, new features have been
added that make Windows Server 2003 the most secure Windows server product Microsoft
has ever marketed.
Windows 2000 Server was the first version to provide encryption of data over the network and in the file system. IPSec allows encryption of data across the network. EFS uses a public key system to encrypt data on hard disks. Encryption ensures that unauthorized parties are unable to view the data if they gain access to it.
Windows 2000 was also the first version to provide built-in support for smart cards. Smart cards are generally the size of a credit card and have the ability to store data. When a smart card is inserted into a smart card device, it provides information that can be used for authentication and other purposes. With smart cards, the security of a network can be greatly enhanced because it is necessary to physically possess the card to log on.
A major advance that first appeared in Windows 2000 was Kerberos authentication. Kerberos version 5 is an industry-standard security protocol that uses mutual authentication to verify the identity of a user or computer, as well as the network service that is being accessed. In Windows 2000 Server and later, Kerberos is the default authentication service. With Kerberos, each party to a transaction proves that they are who they claim to be through the use of tickets. A Kerberos ticket is encrypted data that is issued for authentication. Tickets are issued by a Key Distribution Center (KDC), which is a service that runs on every domain controller. When a user logs on, the user authenticates to AD using a password or smart card. Because the KDC is part of AD, the user also authenticates to the KDC and is issued a session key called a ticket granting ticket (TGT). The TGT is generally good for as long as the user is logged on and is used to access a ticket-granting service that provides another type of ticket: service tickets. A service ticket is used to authenticate to individual services by providing a ticket when a particular service is needed.
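The ticket flow just described, as an added simulation that is not Windows code and not the real Kerberos wire format: the client obtains a TGT from the KDC, trades it for a service ticket, and presents that ticket to the service, which identifies the user without ever seeing the password. The sealing helper (HMAC keystream plus HMAC tag), the principal names, passwords and lifetimes are all constructed for this example; real Kerberos uses standardized encryption types and a salted string-to-key function.

```python
import hashlib
import hmac
import json
import os

LIFETIME = 600  # seconds a ticket stays valid (constructed value)


def string_to_key(password):
    """Toy string-to-key: derive a principal's long-term key from its password."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key, nonce, length):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]


def seal(key, payload):
    """Encrypt-then-MAC a JSON payload: nonce || ciphertext || HMAC tag."""
    data = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Reverse seal(); raises ValueError if the key is wrong or the data was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed (wrong key or tampered data)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


class KDC:
    """Holds every principal's long-term key, as the KDC on a domain controller does."""

    def __init__(self, principals):
        self.keys = {name: string_to_key(pw) for name, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)  # key that seals TGTs; never leaves the KDC

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: issue a TGT plus the session key sealed under the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "expires": now + LIFETIME})
        reply = seal(self.keys[user], {"key": session, "expires": now + LIFETIME})
        return tgt, reply

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a service ticket."""
        claim = unseal(self.keys["krbtgt"], tgt)  # opaque to the client, readable here
        if now > claim["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(claim["key"]), authenticator)
        if auth["user"] != claim["user"] or abs(now - auth["time"]) > 300:
            raise ValueError("authenticator rejected")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"user": claim["user"], "key": svc_key, "expires": now + LIFETIME})
        reply = seal(bytes.fromhex(claim["key"]), {"service": service, "key": svc_key})
        return ticket, reply


def client_logon(kdc, user, password, now):
    """Client side of the AS exchange; only the right password opens the reply."""
    tgt, reply = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(string_to_key(password), reply)["key"])
    return tgt, session


def client_get_service_ticket(kdc, user, tgt, session, service, now):
    """Client side of the TGS exchange: prove possession of the TGT session key."""
    authenticator = seal(session, {"user": user, "time": now})
    ticket, reply = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(session, reply)["key"])


def service_accept(service_key, ticket, authenticator, now):
    """AP-REQ on the service side: the user's identity comes from the ticket,
    which only the KDC could have sealed with the service's key."""
    claim = unseal(service_key, ticket)
    if now > claim["expires"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(claim["key"]), authenticator)
    if auth["user"] != claim["user"]:
        raise ValueError("authenticator does not match ticket")
    return claim["user"]


def logon_and_access(password, now=1_000_000):
    """Whole flow for constructed principals; returns the user the service accepted."""
    principals = {"alice": "correct horse", "cifs/fileserver": "svc-secret"}
    kdc = KDC(principals)
    tgt, session = client_logon(kdc, "alice", password, now)
    ticket, svc_key = client_get_service_ticket(kdc, "alice", tgt, session, "cifs/fileserver", now)
    authenticator = seal(svc_key, {"user": "alice", "time": now})
    return service_accept(string_to_key(principals["cifs/fileserver"]), ticket, authenticator, now)
```

logon_and_access("correct horse") returns "alice"; a wrong password raises ValueError inside client_logon because the AS reply cannot be unsealed, and a ticket altered in transit fails the same integrity check at the KDC or the service.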
As mentioned earlier in this chapter, AD is a directory service that was first introduced
in Windows 2000 Server. Because AD was not available when Windows NT 4 was released,
it cannot be installed on a Windows NT server. Once AD is installed on Windows 2000
Server or Windows Server 2003, the server becomes a domain controller that can be used
for authentication and management of user accounts and other objects in AD.
When AD is installed, a number of features and tools become available. There are three graphical tools that can be used with Windows 2000 Server or Windows Server 2003:
■ Active Directory Users and Computers This utility allows you to administer user and computer accounts, groups, printers, OUs, contacts, and other objects stored in AD. Using this tool, you can create, delete, modify, move, organize, and set permissions on these objects.
■ Active Directory Domains and Trusts This utility allows you to manage
domains and the trust relationships between them. Using this tool, you can create,
modify, and delete trust relationships; create and remove user principal name
(UPN) suffixes; raise the domain mode (Windows 2000 Server only); and raise
domain and forest functional levels (Windows Server 2003 only).
■ Active Directory Sites and Services This utility allows you to create and
manage sites, and control how the directory is replicated within a site and
between sites. Using this tool, you can specify connections between sites and how
they are to be used for replication.
EXAM WARNING
Active Directory Users and Computers, Active Directory Domains and Trusts, and
Active Directory Sites and Services are tools that are installed with AD. These tools
are not available on servers that have not been configured as domain controllers.
They are the primary tools for interacting with AD, and they allow you to configure
different aspects of the directory.
A new feature in Windows Server 2003 is that AD allows you to select multiple user objects, so that you can change the attributes of more than one object at a time. After selecting two or more user objects in Active Directory Users and Computers, you can bring up the properties and modify some of the attributes that are common to each of these objects. This makes it faster to manage users, because you do not need to make changes to one account at a time.
Windows Server 2003 AD also provides the ability to drag and drop objects into containers. To use this feature, select an object with your mouse, hold down your left mouse button to drag the object to another location (such as an OU), and release the button to drop the object into the container. This ability also makes it easy to add user and group objects to groups. Dragging and dropping a security principal’s object (user, computer, or group) into a group adds it to the group membership.

In addition to these graphical tools, Windows Server 2003 also provides a number of command-line utilities for managing AD. Using these tools, you can perform management tasks through the textual interface of the command prompt. These tools allow administrators to manually enter commands to run operations from a command prompt or use the commands in batch files and scripts that can be scheduled to run at specific times.
Another new Windows Server 2003 feature is that domain controllers can be created from backups. Backups are used to copy data to other media, such as tapes, and can be used to restore lost data if problems arise. For example, if the hard drive on a server fails, you can use the backup to restore the data to a new drive and have the server up and running again. This same process can be used to restore AD to a new domain controller, so you do not need to replicate the entire directory across the network. Allowing domain controllers to be added to an existing domain through the use of backups is of great benefit when you are setting up a new domain controller across a slow WAN link from the nearest existing domain controller.
Functional Levels
When a Windows Server 2003 domain controller is created on a network, AD is installed with a basic set of features. Additional features can be enabled, depending on the operating systems running as domain controllers and the functional level that is configured for the domain or forest.
NOTE
Windows 2000 contained two modes: mixed and native. In Windows Server 2003, these are now called functional levels, but they remain unchanged. Just as Windows 2000 installed in mixed mode, Windows Server 2003 installs in the Windows 2000 mixed functional level. In Windows 2000, there was only one level of forest operation. Modes existed only at the domain level. With Windows Server 2003, there are domain functional levels and separate forest functional levels. In order to raise the forest functional level, the functional level of all domains in the forest must be set to the appropriate level.
Domain Functional Levels
The domain functional level determines which servers are supported in a domain and the features that are available in AD. When one or more Windows Server 2003 computers are installed on a domain, the domain functional level can be set for AD. At lower levels, older versions of Windows servers can still be used in the domain, but more advanced features for AD are sacrificed. At the highest level, only Windows Server 2003 machines can be used in the domain, and a full set of these advanced features becomes available. By not setting the domain functionality to an appropriate level, you may be forfeiting a number of the features you need for your network.
There are four different levels of functionality for AD:
■ Windows 2000 mixed Allows domains to contain Windows NT Backup Domain Controllers (BDCs) that can interact with the PDC emulator in a Windows Server 2003 AD domain. In this level, the basic features of AD are avail-